Centre for Internet and Society

CIS Cybersecurity Series (Part 10) - Lawrence Liang

purba — 2013-09-10T08:31:31Z

CIS interviews Lawrence Liang, researcher and lawyer, and co-founder of Alternative Law Forum, Bangalore, as part of the Cybersecurity Series.

"The right to privacy and the right to free speech have often been understood as distinct rights. But I think in the ecology of online communication, it becomes crucial for us to look at the two as being inseparable. And this is not entirely new in India. But, interestingly, a lot of the cases that have had to deal with this question in the Indian context, have pitted one against the other. Now, India doesn't have a law for the protection of whistle-blowers. So how do we now think of the idea of whistle-blowers being one of the subjects of speech and privacy coming together? How do we use the strong pillars that have been established, in terms of a very rich tradition that Indian law has, on the recognition of free speech issues but slowly start incorporating questions of privacy?" - Lawrence Liang, researcher and lawyer, Alternative Law Forum.

Centre for Internet and Society presents its tenth installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Lawrence Liang is one of the co-founders of the Alternative Law Forum where he works on issues of intellectual property, censorship, and the intersection of law and culture. He is also a fellow with the Centre for Internet and Society and serves on its board.

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-10-lawrence-liang

CIS Cybersecurity Series (Part 6) - Lhadon Tethong

purba — 2013-08-01T09:54:46Z

CIS interviews Lhadon Tethong, Tibetan human rights activist, as part of the Cybersecurity Series

"In authoritarian states, and in this case, in Tibet, I think that every person that we can teach and pass knowledge to, that can help them stay out of jail, stay in the streets, for one, two, three days longer, one week longer, that is a valuable time of time and resources. And I think we cannot rely on only tools and technology solutions to protect people. I think we can't just rely on government policies at the highest levels, and on export controls... the approach to digital security has to be comprehensive and we have to engage citizens. And not just in cases like the Tibetans or for activists or for people living under repression, but for people in free and open societies too." - Lhadon Tethong, Tibetan human rights activist.

Centre for Internet and Society presents its sixth installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

In this installment, CIS interviews Lhadon Tethong, Tibetan human rights activist. Lhadon is the Director of the Tibet Action Institute, where she leads a team of technologists and human rights advocates in developing and advancing open-source communication technologies, nonviolent strategies and innovative training programs for Tibetans and other groups facing heavy repression and human rights abuses.

Link for Tibet Action Institute: https://tibetaction.net/

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/cis-cybersecurity-series-part-6-lhadon-tethong

CIS contributes to the Research and Advisory Group of the Global Commission on the Stability of Cyberspace (GCSC)

Arindrajit Basu — 2018-07-05T16:00:02Z

The Global Commission on the Stability of Cyberspace (GCSC) is an initiative of the Hague Centre for Strategic Studies and the East West Institute that seeks to promote mutual awareness and understanding among various cyberspace communities. It seeks to develop norms and policies that advance the stability and security of cyberspace.

Chaired by Marina Kaljurand, and Co-Chaired by Michael Chertoff and Latha Reddy, the Commission comprises 26 prominent Commissioners who are experts hailing from a wide range of geographic regions representing multiple communities including academia industry, government, technical and civil society.

As a part of their efforts, the GCSC sent out a call for proposals for papers that sought to analyze and advance various aspects of the cyber norms debate.

Elonnai Hickok and Arindrajit Basu’s paper ‘ Conceptualizing an International Security Architecture for Cyberspace’ was selected by the Commissioners and published as a part of the Briefings of the Research and Advisory Group.

Arindrajit Basu represented CIS at the Cyberstability Hearings held by the GCSC at the sidelines of the GLOBSEC forum in Bratislava-a multilateral conference seeking to advance dialogue on various issues of international peace and security.

The published paper and the Power Point may be accessed here.

The agenda for the hearings is reproduced below

GCSC HEARINGS, 19 MAY 2018

HEARINGS: TOWARDS INTERNATIONAL CYBERSTABILITY

Venue: “Habsburg” room, Grand Hotel River Park 15:00-15:15

Welcome Remarks by Marina Kaljurand, Chair of the Global Commission on the Stability of Cyberspace (GCSC) and former Foreign Minister of Estonia 15:15-16:45

Hearing I: Expert Hearing

This session focuses on the topic Cyberstability and the International Peace and Security Architecture and includes scene settings, food-for-thought presentations on the new GCSC commissioned research, briefings and open statements by government and nongovernmental speakers.

“Scene setting: ”Cyber Diplomacy in Transition” by Carl Bildt, former Prime Minister of Sweden

“Commissioned Research I: Lessons learned from three historical case studies on establishing international norms” by Arindrajit Basu, Centre for Internet and Society, India

Commission Research II: The “pre-normative” framework and options for cyber diplomacy” by Elana Broitman, New America Foundation

“Some Remarks on current thinking within the United Nations”, by Renata Dwan, Director United Nations Institute for Disarmament Research (UNIDIR) (Registered Statements by Government Advisors) (Statements by other experts)

(Open floor discussion) 16:45-17:15

Coffee Break

For more details visit https://cis-india.org/internet-governance/blog/cis-contributes-to-the-research-and-advisory-group-of-the-global-commission-on-the-stability-of-cyberspace-gcsc

CII Conference on "ACT": Achieve Cyber Security Together"

kovey — 2013-07-26T08:17:40Z

The Confederation of Indian Industries (CII) organized a conference on facing cyber threats and challenges at Hotel Hilton in Chennai on July 13, 2013. Kovey Coles attended this conference and shares a summary of the event in this blog post.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

The conference hosted by CII in the Hotel Hilton, was well attended, and featured a range of industry experts, researches and developers, and members of the Indian armed forces.

Participants focused on the importance of Indian entities reaching new, adequate levels of cyber security. It was stated early in the event that India is one of the world's most targeted areas for cyber-attacks, and its number of domestic internet users is known to be rapidly increasing in an age which many view as a new era of international information warfare. Despite this, the speakers considered India to be too far behind other countries in its understanding of cyber security. In the opening remarks, CII Chairman Santhanam implored "We need hard core techies in this field… we are not producing them." Another speaker, Savitha Kesav Jagadeesan, a practicing lawyer in Chennai, asked if India would wait until the "9/11 of cyberspace" occurrence before we establish the same level of precautionary measures online as it exists now in transportation security.

With the presence of both the government’s executive forces and the private industries, the aura circulating the conference room was that of a collective Indian defense, a secure nation only achieved through both secure governmental and industrial aspects. Similar to the previous day’s DSCI cyber security conference, many speakers discussed security issues pertinent to the financial and banking industries, and other cyber crimes which had pecuniary goals. For people seeking to avoid the array of scams and frauds online, some talks shared some of the most basic advice, like safe password practices. "Passwords are like toothbrushes," said A.S. Murthy of the CDAC, "use them often, never share them with anyone, change them often." Other talks went into the intricacies of various hacking schemes, including tab-nabbing and Designated Denial of Service (DDoS) attacks, describing their tactics and how to moderate them.

In the end, the conference had certainly informed the attendees of the goals, and the challenges, that India will face in the coming months and years. The speakers (all of them) showed how the world of cyber security was quickly evolving, and demonstrated the imperative in government and industry entities evolving their own practices and defenses in stride. The ambitions of several presentations matched the well-publicized "5 lakh cyber professionals in 5 years" plan, placing a strong emphasis in the current and future training of young students in cyber security. Ultimately, I think, the conference helped convince that cyber security is neither a futile, nor completely infallible concept. As CISCO Vice President Col. K.P.M. Das said towards the end of the evening, the most ideal form of cyber security is truly "all about trust, the ability to recover, and transparency/visibility."

For more details visit https://cis-india.org/internet-governance/blog/cii-conference-on-act

CERT-In's Proactive Mandate - A Report on the Indian Computer Emergency Response Team’s Proactive Mandate in the Indian Cyber Security Ecosystem

tiwari — 2016-11-19T04:14:51Z

CERT-IN’s proactive mandate is defined in the IT Act, 2000 as well as in the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Function and Duties ) Rules, 2013 (CERT-In Rules, 2013) both of which postdate the existence of the organisation itself, which has been operational since 2004.

Regarding the proactive mandate, the IT Act and CERT-In Rules include the following areas where CERT-In is required to carry out proactive measures in the interests of cyber security:

Forecast and alert cyber security incidents (IT Act, 2000) & Predict and prevent cyber security incidents (CERT-In Rules, 2013)
Issue guidelines, advisories and vulnerability notes etc. relating to information security practices, procedures, prevention, response and reporting (IT Act, 2000)
Information Security Assurance (CERT-In Rules, 2013)

This article will track and analyse the CERT-In’s operations in each of these areas over the past twelve years, by analysing the information available on CERT-In’s website as well as other media in the public domain.

The analysis will be carried out using a mixed methodology. The basic quantitative analysis of the information available on the CERT-In’ website will be carried out in the form of simple comparatives of updates, bulletins and other forms of publicly available interaction and critical information dispersal on CERT-In’s website. The qualitative sections, on the other hand, will contain a comparative analysis of the content present in the technical documents of the CERT-In with the equivalent documentation (where present) of similar bodies in the USA and EU. Each section will then illustrate normative suggestions as to how CERT-In’s performance of that respective obligation can be improved to better serve its cyber security mandate.

Read the full article

The image is published under Creative Commons License CC BY-SA. Anyone can distribute, remix, tweak, and build upon this document, even for commercial purposes, as long as they credit the creator of this document and license their new creations under the terms identical to the license governing this document.

For more details visit https://cis-india.org/internet-governance/blog/cert-ins-proactive-mandate-a-report-on-indian-computer-emergency-response-teams-proactive-mandate-in-indian-cyber-security-ecosystem

Call for Comments: Model Security Standards for the Indian Fintech Industry

pranav — 2019-12-16T13:16:25Z

The Centre for Internet and Society is pleased to make available the Draft document of Model Security Standards for the Indian Fintech Industry, for feedback and comments from all stakeholders. The objective of this document which was first published in November 2019, is to ensure that the data of users is dealt with in a secure and safe manner by the Fintech Industry, and that smaller businesses in the Fintech industry have a specific standard to look at in order to limit their liabilities for any future breaches.

We invite any parties interested in the field of technology policy, including but not limited to lawyers, policy researchers, and engineers, to send in your feedback/comments on the draft document by the 16th of January 2020. We intend to publish our final draft by the end of January 2020. We look forward to receiving your contributions to make this document more comprehensive and effective. Please find a copy of the draft document here.

For more details visit https://cis-india.org/internet-governance/call-for-comments-model-security-standards-for-the-indian-fintech-industry

Budapest Convention and the Information Technology Act

vipul — 2018-11-20T16:18:51Z

The Convention on Cybercrime adopted in Budapest (“Convention”) is the fist and one of the most important multilateral treaties addressing the issue of internet and computer crimes.

Introduction
It was drafted by the Council of Europe along with Canada, Japan, South Africa and the United States of America.[1] The importance of the Convention is also indicated by the fact that adherence to it (whether by outright adoption or by otherwise making domestic laws in compliance with it) is one of the conditions mentioned in the Clarifying Lawful Overseas Use of Data Act passed in the USA (CLOUD Act) whereby a process has been established to enable security agencies of in India and the United States to directly access data stored in each other’s territories. Our analysis of the CLOUD Act vis-à-vis India can be found here. It is in continuation of that analysis that we have undertaken here a detailed comparison of the Information Technology Act, 2000 (“IT Act”) and how it stacks up against the provisions of Chapter I and Chapter II of the Convention.^{^[2]}

Before we get into a comparison of the Convention with the IT Act, we must point out the distinction between the two legal instruments, for the benefit of readers from a non legal background. An international instrument such as the Convention on Cybercrime (generally speaking) is essentially a promise made by the States which are a party to that instrument, that they will change or modify their local laws to get them in line with the requirements or principles laid out in said instrument. In case the signatory State does not make such amendments to its local laws, (usually) the citizens of that State cannot enforce any rights that they may have been granted under such an international instrument. The situation is the same with the Convention on Cybercrime, unless the signatory State amends its local laws to bring them in line with the provisions of the Convention, there cannot be any enforcement of the provisions of the Convention within that State.[3] This however is not the case for India and the IT Act since India is not a signatory to the Convention on Cybercrime and therefore is not obligated to amend its local laws to bring them in line with the Convention.

Although India and the Council of Europe cooperated to amend the IT Act through major amendments brought about vide the Information Technology (Amendment) Act, 2008, India still has not become a signatory to the Convention on Cybercrime. The reasons for this appear to be unclear and it has been suggested that these reasons may range from the fact that India was not involved in the original drafting, to issues of sovereignty regarding the provisions for international cooperation and extradition.[4]

Convention on Cybercrime

Information Technology Act, 2000

Article 2 – Illegal access

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.

Section 43

If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -

(a) accesses or secures access to such computer, computer system or computer network or computer resource

Section 66

If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both.

The Convention gives States the right to further qualify the offence of “illegal access” or “hacking” by adding elements such as infringing security measures, special intent to obtain computer data, other dishonest intent that justifies criminal culpability, or the requirement that the offence is committed in relation to a computer system that is connected remotely to another computer system.^{^[5]} However, Indian law deals with the distinction by making the act of unathorised access without dishonest or fraudulent intent a civil offence, where the offender is liable to pay compensation. If the same act is done with dishonest and fraudulent intent, it is treated as a criminal offence punishable with fine and imprisonment which may extend to 3 years.

It must be noted that this provision was included in the Act only through the Amendment of 2008 and was not present in the Information Technology Act, 2000 in its original iteration.

Convention on Cybercrime

Information Technology Act, 2000

Article 3 – Illegal Interception

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. A Party may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system.

Although the Information Technology Act, 2000 does not specifically criminalise the interception of communications by a private person. It is possible that under the provisions of Rule 43(a) the act of accessing a “computer network” could be interpreted as including unauthorised interception within its ambit.

The other way in which illegal interception may be considered to be illegal is through a combined reading of Sections 69 (Interception) and 45 (Residuary Penalty) with Rule 3 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 which prohibits interception, monitoring and decryption of information under section 69(2) of the IT Act except in a manner as provided by the Rules. However, it must be noted that section 69(2) only talks about interception by the government and Rule 3 only provides for procedural safeguards for such an interception. It could therefore be argued that the prohibition under Rule 3 is only applicable to the government and not to private individuals since section 62, the provision under which Rule 3 has been issued, itself is not applicable to private individuals.

Convention on Cybercrime

Information Technology Act, 2000

Article 4 – Data interference

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the damaging, deletion, deterioration, alteration or suppression of computer data without right.

2 A Party may reserve the right to require that the conduct described in paragraph 1 result in serious harm.

Section 43

If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -

(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;

(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;

(j) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage,

he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. (change vide ITAA 2008)

Section 66

Damage, deletion, diminishing in value and alteration of data is considered a crime as per Section 66 read with section 43 of the IT Act if done with fraudulent or dishonest intention. While the Convention only requires such acts to be crimes if committed intentionally, however the Information Technology Act requires that such intention be either dishonest or fraudulent only then such an act will be a criminal offence, otherwise it will only incur civil consequences requiring the perpetrator to pay damages by way of compensation.

It must be noted that the optional requirement of such an act causing serious harm has not been adopted by Indian law, i.e. the act of such damage, deletion, etc. by itself is enough to constitute the offence, and there is no requirement of such an act causing serious harm.

As per the Explanatory Report to the Convention on Cybercrime, “Suppressing of computer data means any action that prevents or terminates the availability of the data to the person who has access to the computer or the data carrier on which it was stored.” Strictly speaking the act of suppression of data in another system is not covered by the language of section 43, but looking at the tenor of the section it is likely that if a court is faced with a situation of intentional/malicious denial of access to data, the court could expand the scope of the term “damage” as contained in sub-section (d) to include such malicious acts.

Convention on Cybercrime

Information Technology Act, 2000

Article 5 – System interference

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.

Section 43

If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -

(e) disrupts or causes disruption of any computer, computer system or computer network;

Explanation - for the purposes of this section -

(i) "Computer Contaminant" means any set of computer instructions that are designed -

(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or

(b) by any means to usurp the normal operation of the computer, computer system, or computer network;

(iii) "Computer Virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;

Section 66

The offence of causing hindrance to the functioning of a computer system with fraudulent or dishonest intention is an offence under the IT Act. While the Convention only requires such acts to be crimes if committed intentionally, however the IT Act requires that such intention be either dishonest or fraudulent only then such an act will be a criminal offence, otherwise it will only incur civil consequences requiring the perpetrator to pay damages by way of compensation.

The IT Act does not require such disruption to be caused in any particular manner as is required under the Convention, although the acts of introducing computer viruses as well as damaging or deleting data themselves have been classified as offences under the IT Act.

Convention on Cybercrime

Information Technology Act, 2000

Article 6 – Misuse of devices

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:

a the production, sale, procurement for use, import, distribution or otherwise making available of:

i a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5;

ii a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and

b the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.

2 This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.

3 Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1 a.ii of this article.

This provision establishes as a separate and independent criminal offence the intentional commission of specific illegal acts regarding certain devices or access data to be misused for the purpose of committing offences against the confidentiality, the integrity and availability of computer systems or data. While the IT Act does not by itself makes the production, sale, procurement for use, import, distribution of devices designed to be adopted for such purposes, sub-section (g) of section 43 along with section 120A of the Indian Penal Code, 1860 which deals with “conspiracy” could perhaps be used to bring such acts within the scope of the penal statutes.

Convention on Cybercrime

Information Technology Act, 2000

Article 7 – Computer related forgery

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible. A Party may require an intent to defraud, or similar dishonest intent, before criminal liability attaches.

The acts of deletion, alteration and suppression of data by itself is a crime as discussed above, there is no specific offence for doing such acts for the purpose of forgery. However this does not mean that the crime of online forgery is not punishable in India at all, such crimes would be dealt with under the relevant provisions of the Indian Penal Code, 1860 (Chapter 18) read with section 4 of the IT Act.

Convention on Cybercrime

Information Technology Act, 2000

Article 8 – Computer-related fraud

a any input, alteration, deletion or suppression of computer data,

b any interference with the functioning of a computer system,

with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.

Just as in the case of forgery, there is no specific provision in the IT Act whereby online fraud would be considered as a crime, however specific acts such as charging services availed of by one person to another (section 43(h), identity theft (section 66C), cheating by impersonation (section 66D) have been listed as criminal offences. Further, as with forgery, fraudulent acts to procure economic benefits would also get covered by the provisions of the Indian Penal Code that deal with cheating.

Convention on Cybercrime

Information Technology Act, 2000

Article 9 – Offences related to child pornography

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the following conduct:

a producing child pornography for the purpose of its distribution through a computer system;

b offering or making available child pornography through a computer system;

c distributing or transmitting child pornography through a computer system;

d procuring child pornography through a computer system for oneself or for another person;

e possessing child pornography in a computer system or on a computer-data storage medium.

2 For the purpose of paragraph 1 above, the term "child pornography" shall include pornographic material that visually depicts:

a a minor engaged in sexually explicit conduct;

b a person appearing to be a minor engaged in sexually explicit conduct;

c realistic images representing a minor engaged in sexually explicit conduct.

3 For the purpose of paragraph 2 above, the term "minor" shall include all persons under 18 years of age. A Party may, however, require a lower age-limit, which shall be not less than 16 years.

4 Each Party may reserve the right not to apply, in whole or in part, paragraphs 1, subparagraphs d and e, and 2, sub-paragraphs b and c.

67 B Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form.

Whoever,-

(a) publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children engaged in sexually explicit act or conduct or

(b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner or

(c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource or

(d) facilitates abusing children online or

(e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children,

shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with a fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees:

Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or

(ii) which is kept or used for bonafide heritage or religious purposes

Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.

The publishing, transmission, creation, collection, seeking, browsing, etc. of child pornography is an offence under Indian law punishable with imprisonment for upto 5 years for a first offence and upto 7 years for a subsequent offence, along with fine.

It is important to note that bona fide depictions for the public good, such as for publication in pamphlets, reading or educational material are specifically excluded from the rigours of the section, Similarly material kept for heritage or religious purposes is also exempted under this section. Such exceptions are in line with the intent of the Convention, since the Explanatory statement itself states that “The term "pornographic material" in paragraph 2 is governed by national standards pertaining to the classification of materials as obscene, inconsistent with public morals or similarly corrupt. Therefore, material having an artistic, medical, scientific or similar merit may be considered not to be pornographic.

Convention on Cybercrime

Information Technology Act, 2000

Article 10 – Offences related to infringements of copyright and related rights

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of copyright, as defined under the law of that Party, pursuant to the obligations it has undertaken under the Paris Act of 24 July 1971 revising the Bern Convention for the Protection of Literary and Artistic Works, the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Copyright Treaty, with the exception of any moral rights conferred by such conventions, where such acts are committed wilfully, on a commercial scale and by means of a computer system.

2 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of related rights, as define under the law of that Party, pursuant to the obligations it has undertaken under the International Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organisations (Rome Convention), the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Performances and Phonograms Treaty, with the exception of any moral rights conferred by such conventions, where such acts are committed wilfully, on a commercial scale and by means of a computer system.

3 A Party may reserve the right not to impose criminal liability under paragraphs 1 and 2 of this article in limited circumstances, provided that other effective remedies are available and that such reservation does not derogate from the Party’s international obligations set forth in the international instruments referred to in paragraphs 1 and 2 of this article.

81 Act to have Overriding effect

The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force.

Provided that nothing contained in this Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957 or the Patents Act, 1970

The use of the term "pursuant to the obligations it has undertaken" in both paragraphs makes it clear that a Contracting Party to the Convention is not bound to apply agreements cited (TRIPS, WIPO, etc.) to which it is not a Party; moreover, if a Party has made a reservation or declaration permitted under one of the agreements, that reservation may limit the extent of its obligation under the present Convention.

The IT Act does not try to intervene in the existing copyright regime of India and creates a special exemption for the Copyright Act and the Patents Act in the clause which provides this Act overriding effect. India’s obligations under the various treaties and conventions on intellectual property rights are enshrined in these legislations.^{^[6]}

Convention on Cybercrime

Information Technology Act, 2000

Article 11 – Attempt and aiding or abetting

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, aiding or abetting the commission of any of the offences established in accordance with Articles 2 through 10 of the present Convention with intent that such offence be committed.

2 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, an attempt to commit any of the offences established in accordance with Articles 3 through 5, 7, 8, and 9.1.a and c of this Convention.

3 Each Party may reserve the right not to apply, in whole or in part, paragraph 2 of this article.

84 B Punishment for abetment of offences

Whoever abets any offence shall, if the act abetted is committed in consequence of the abetment, and no express provision is made by this Act for the punishment of such abetment, be punished with the punishment provided for the offence under this Act.

Explanation: An Act or offence is said to be committed in consequence of abetment, when it is committed in consequence of the instigation, or in pursuance of the conspiracy, or with the aid which constitutes the abetment.

84 C Punishment for attempt to commit offences

Whoever attempts to commit an offence punishable by this Act or causes such an offence to be committed, and in such an attempt does any act towards the commission of the offence, shall, where no express provision is made for the punishment of such attempt, be punished with imprisonment of any description provided for the offence, for a term which may extend to one-half of the longest term of imprisonment provided for that offence, or with such fine as is provided for the offence or with both.

As can be seen, both attempts as well as abetment of criminal offences under the IT Act have also been criminalised.

Convention on Cybercrime

Information Technology Act, 2000

Article 12 – Corporate liability

1 Each Party shall adopt such legislative and other measures as may be necessary to ensure that legal persons can be held liable for a criminal offence established in accordance with this Convention, committed for their benefit by any natural person, acting either individually or as part of an organ of the legal person, who has a leading position within it, based on:

a a power of representation of the legal person;

b an authority to take decisions on behalf of the legal person;

c an authority to exercise control within the legal person.

2 In addition to the cases already provided for in paragraph 1 of this article, each Party shall take the measures necessary to ensure that a legal person can be held liable where the lack of supervision or control by a natural person referred to in paragraph 1 has made possible the commission of a criminal offence established in accordance with this Convention for the benefit of that legal person by a natural person acting under its authority.

3 Subject to the legal principles of the Party, the liability of a legal person may be criminal, civil or administrative.

4 Such liability shall be without prejudice to the criminal liability of the natural persons who have committed the offence.

85 Offences by Companies.

(1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made there under is a Company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly:

Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.

(2) Notwithstanding anything contained in sub-section (1), where a contravention of any of the provisions of this Act or of any rule, direction or order made there under has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly.

Explanation-

For the purposes of this section

(i) "Company" means any Body Corporate and includes a Firm or other Association of individuals; and

(ii) "Director", in relation to a firm, means a partner in the firm.

The liability of a company or other body corporate has been laid out in the IT Act in a manner similar to the Budapest Convention. While, the test to determine the relationship between the legal entity and the natural person who has committed the act on behalf of the legal entity is a little more detailed[7] in the Convention, the substance of the test is laid out in the IT Act as “a person who is in charge of, and was responsible to, the company”.

Convention on Cybercrime

Information Technology Act, 2000

Article 14

1 Each Party shall adopt such legislative and other measures as may be necessary to establish the powers and procedures provided for in this section for the purpose of specific criminal investigations or proceedings.

2 Except as specifically provided otherwise in Article 21, each Party shall apply the powers and procedures referred to in paragraph 1 of this article to:

a the criminal offences established in accordance with Articles 2 through 11 of this Convention;

b other criminal offences committed by means of a computer system; and

c the collection of evidence in electronic form of a criminal offence.

3 a Each Party may reserve the right to apply the measures referred to in Article 20 only to offences or categories of offences specified in the reservation, provided that the range of such offences or categories of offences is not more restricted than the range of offences to which it applies the measures referred to in Article 21. Each Party shall consider restricting such a reservation to enable the broadest application of the measure referred to in Article 20.

b Where a Party, due to limitations in its legislation in force at the time of the adoption of the present Convention, is not able to apply the measures referred to in Articles 20 and 21 to communications being transmitted within a computer system of a service provider, which system:

i is being operated for the benefit of a closed group of users, and

ii does not employ public communications networks and is not connected with another computer system, whether public or private, that Party may reserve the right not to apply these measures to such communications.

Each Party shall consider restricting such a reservation to enable the broadest application of the measures referred to in Articles 20 and 21.

This is a provision of a general nature that need not have any equivalence in domestic law. The provision clarifies that all the powers and procedures provided for in this section (Articles 14 to 21) are for the purpose of “specific criminal investigations or proceedings”.

Convention on Cybercrime

Information Technology Act, 2000

Article 15 – Conditions and safeguards

1 Each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality.

2 Such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.

3 To the extent that it is consistent with the public interest, in particular the sound administration of justice, each Party shall consider the impact of the powers and procedures in this section upon the rights, responsibilities and legitimate interests of third parties.

This again is a provision of a general nature which need not have a corresponding clause in the domestic law. India is a signatory to a number of international human rights conventions and treaties, it has acceded to the International Covenant on Civil and Political Rights (ICCPR), 1966, International Covenant on Economic, Social and Cultural Rights (ICESCR), 1966, ratified the International Convention on the Elimination of All Forms of Racial Discrimination (ICERD), 1965, with certain reservations, signed the Convention on the Elimination of All Forms of Discrimination against Women (CEDAW), 1979 with certain reservations, Convention on the Rights of the Child (CRC), 1989 and signed the Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment (CAT), 1984. Further the right to life guaranteed under Article 21 of the Constitution takes within its fold a number of human rights such as the right to privacy. Freedom of expression, right to fair trial, freedom of assembly, right against arbitrary arrest and detention are all fundamental rights guaranteed under the Constitution of India, 1950.^{^[8]}

In addition, India has enacted the Protection of Human Rights Act, 1993 for the constitution of a National Human Rights Commission, State Human Rights Commission in States and Human Rights Courts for better protection of “human rights” and for matters connected therewith or incidental thereto. Thus, there does exist a statutory mechanism for the enforcement of human rights^{^[9]} under Indian law. It must be noted that the definition of human rights also incorporates rights embodied in International Covenants and are enforceable by Courts in India.

Convention on Cybercrime

Information Technology Act, 2000

Article 16 – Expedited preservation of stored computer data

1 Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of specified computer data, including traffic data, that has been stored by means of a computer system, in particular where there are grounds to believe that the computer data is particularly vulnerable to loss or modification.

2 Where a Party gives effect to paragraph 1 above by means of an order to a person to preserve specified stored computer data in the person’s possession or control, the Party shall adopt such legislative and other measures as may be necessary to oblige that person to preserve and maintain the integrity of that computer data for a period of time as long as necessary, up to a maximum of ninety days, to enable the competent authorities to seek its disclosure. A Party may provide for such an order to be subsequently renewed.

3 Each Party shall adopt such legislative and other measures as may be necessary to oblige the custodian or other person who is to preserve the computer data to keep confidential the undertaking of such procedures for the period of time provided for by its domestic law.

4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

Article 17 – Expedited preservation and partial disclosure of traffic data

1 Each Party shall adopt, in respect of traffic data that is to be preserved under Article 16, such legislative and other measures as may be necessary to:

a ensure that such expeditious preservation of traffic data is available regardless of whether one or more service providers were involved in the transmission of that communication; and

b ensure the expeditious disclosure to the Party’s competent authority, or a person designated by that authority, of a sufficient amount of traffic data to enable the Party to identify the service providers and the path through which the communication was transmitted.

2 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

29 Access to computers and data.

(1) Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any person authorized by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this chapter made there under has been committed, have access to any computer system, any apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system. (Amended vide ITAA 2008)

(2) For the purposes of sub-section (1), the Controller or any person authorized by him may, by order, direct any person in charge of, or otherwise concerned with the operation of the computer system, data apparatus or material, to provide him with such reasonable technical and other assistant as he may consider necessary.

67 C Preservation and Retention of information by intermediaries

(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

Rule 3(7) of the Information Technology (Intermediary Guidelines) Rules, 2011

3(7) - When required by lawful order, the intermediary shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing staling clearly the purpose of seeking such information or any such assistance.

It must be noted that Article 16 and Article 17 refer only to data preservation and not data retention. “Data preservation” means to keep data, which already exists in a stored form, protected from anything that would cause its current quality or condition to change or deteriorate. Data retention means to keep data, which is currently being generated, in one’s possession into the future.^{^[10]} In short, the article provides only for preservation of existing stored data, pending subsequent disclosure of the data, in relation to specific criminal investigations or proceedings.

The Convention uses the term "order or similarly obtain", which is intended to allow the use of other legal methods of achieving preservation than merely by means of a judicial or administrative order or directive (e.g. from police or prosecutor). In some States, preservation orders do not exist in the procedural law, and data can only be preserved and obtained through search and seizure or production order. Flexibility was therefore intended by the use of the phrase "or otherwise obtain" to permit the implementation of this article by the use of these means.

While Indian law does not have a specific provision for issuing an order for preservation of data, the provisions of section 29 as well as sections 99 to 101 of the Code of Criminal Procedure, 1973 may be utilized to achieve the result intended by Articles 16 and 17. Although section 67C of the IT Act uses the term “preserve and retain such information”, this provision is intended primarily for the purpose of data retention and not data preservation.

Another provision which may conceivably be used for issuing preservation orders is Rule 3(7) of the Information Technology (Intermediary Guidelines) Rules, 2011 which requires intermediaries to provide “any such assistance” to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. However, in the absence of a power of preservation in the main statute (IT Act) it remains to be seen whether such an order would be enforced if challenged in a court of law.

Convention on Cybercrime

Information Technology Act, 2000

Article 18 – Production order

1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order:

a. a person in its territory to submit specified computer data in that person’s possession or control, which is stored in a computer system or a computer-data storage medium; and

b. a service provider offering its services in the territory of the Party to submit subscriber information relating to such services in that service provider’s possession or control.

2 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

3 For the purpose of this article, the term “subscriber information” means any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:

a the type of communication service used, the technical provisions taken thereto and the period of service;

b the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;

c any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.

Section 28(2)

(2) The Controller or any officer authorized by him in this behalf shall exercise the like powers which are conferred on Income-tax authorities under Chapter XIII of the Income-Tax Act, 1961 and shall exercise such powers, subject to such limitations laid down under that Act.

Section 58(2)

(2) The Cyber Appellate Tribunal shall have, for the purposes of discharging their functions under this Act, the same powers as are vested in a civil court under the Code of Civil Procedure, 1908, while trying a suit, in respect of the following matters, namely -

(b) requiring the discovery and production of documents or other electronic records;

While the Cyber Appellate Tribunal and the Controller of Certifying Authorities both have the power to call for information under the IT Act, these powers can be exercised only for limited purposes since the jurisdiction of both authorities is limited to the procedural provisions of the IT Act and they do not have the jurisdiction to investigate penal provisions. In practice, the penal provisions of the IT Act are investigated by the regular law enforcement apparatus of India, which use statutory provisions for production orders applicable in the offline world to computer systems as well. It is a very common practice amongst law enforcement authorities to issue orders under the Code of Criminal Procedure, 1973 (section 91) or the relevant provisions of the Income Tax Act, 1961 to compel production of information contained in a computer system. The power to order production of a “document or other thing” under section 91 of the Criminal Procedure Code is wide enough to cover all types of information which may be residing in a computer system and can even include the entire computer system itself.

Convention on Cybercrime

Information Technology Act, 2000

Article 19 – Search and seizure of stored computer data

1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to search or similarly access:

a a computer system or part of it and computer data stored therein; and

b a computer-data storage medium in which computer data may be stored in its territory.

2 Each Party shall adopt such legislative and other measures as may be necessary to ensure that where its authorities search or similarly access a specific computer system or part of it, pursuant to paragraph 1.a, and have grounds to believe that the data sought is stored in another computer system or part of it in its territory, and such data is lawfully accessible from or available to the initial system, the authorities shall be able to expeditiously extend the search or similar accessing to the other system.

3 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to seize or similarly secure computer data accessed according to paragraphs 1 or 2. These measures shall include the power to:

a seize or similarly secure a computer system or part of it or a computer-data storage

medium;

b make and retain a copy of those computer data;

c maintain the integrity of the relevant stored computer data;

d render inaccessible or remove those computer data in the accessed computer system.

4 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order any person who has knowledge about the functioning of the computer system or measures applied to protect the computer data therein to provide, as is reasonable, the necessary information, to enable the undertaking of the measures referred to in paragraphs 1 and 2.

5 The powers and procedures referred to in this article shall be subject to Articles 14 and15.

76 Confiscation

Any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of this Act, rules, orders or regulations made thereunder has been or is being contravened, shall be liable to confiscation:

Provided that where it is established to the satisfaction of the court adjudicating the confiscation that the person in whose possession, power or control of any such computer, computer system, floppies, compact disks, tape drives or any other accessories relating thereto is found is not responsible for the contravention of the provisions of this Act, rules, orders or regulations made there under, the court may, instead of making an order for confiscation of such computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, make such other order authorized by this Act against the person contravening of the provisions of this Act, rules, orders or regulations made there under as it may think fit.

While Article 19 provides for the power to search and seize computer systems for the investigation into criminal offences of any type of kind, section 76 of the IT Act is limited only to contraventions of the provisions of the Act, rules, orders or regulations made thereunder. However, this does not mean that Indian law enforcement authorities do not have the power to search and seize a computer system for crimes other than those contained in the IT Act; just as in the case of Article 18, the authorities in India are free to use the provisions contained in the Criminal Procedure Code and other sectoral legislations which allow for seizure of property to seize computer systems when investigating criminal offences.

Convention on Cybercrime

Information Technology Act, 2000

Article 20 – Real-time collection of traffic data

1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to:

a collect or record through the application of technical means on the territory of that Party, and

b compel a service provider, within its existing technical capability:

i to collect or record through the application of technical means on the territory of that Party; or

ii to co-operate and assist the competent authorities in the collection or recording of,

traffic data, in real-time, associated with specified communications in its territory transmitted by means of a computer system.

2 Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of traffic data associated with specified communications transmitted in its territory, through the application of technical means on that territory.

3 Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it.

4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

69B Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security

(1) The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.

(2) The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorized under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating , transmitting, receiving or storing such traffic data or information.

(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.

(4) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

Explanation: For the purposes of this section, (i) "Computer Contaminant" shall have the meaning assigned to it in section 43.

(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.

Section 69B in the IT Act enables the government to authorise the monitoring and collection of traffic data through any computer system. Under the Convention, orders for collection and recording of traffic data can be given for the purposes mentioned in Articles 14 and 15. On the other hand, as per the Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009, an order for monitoring may be issued for any of the following purposes relating to cyber security:

(a) forecasting of imminent cyber incidents;

(b) monitoring network application with traffic data or information on computer resource;

(d) tracking cyber security breaches or cyber security incidents;

(e) tracking computer resource breaching cyber security or spreading virus or computer contaminants;

(f) identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security;

(g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resources;

(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force;

(i) any other matter relating to cyber security.

As can be seen from the above, the reasons for which an order for monitoring traffic data can be issued are extremely wide, this is in stark contrast to the reasons for which an order for interception of content data may be issued under section 69. The Rules also provide that the intermediary shall not disclose the existence of a monitoring order to any third party and shall take all steps necessary to ensure extreme secrecy in the matter of monitoring of traffic data.

Convention on Cybercrime

Information Technology Act, 2000

Article 21 – Interception of content data

1 Each Party shall adopt such legislative and other measures as may be necessary, in relation to a range of serious offences to be determined by domestic law, to empower its competent authorities to:

a collect or record through the application of technical means on the territory of that Party, and

b compel a service provider, within its existing technical capability:

i to collect or record through the application of technical means on the territory of that Party, or

ii to co-operate and assist the competent authorities in the collection or recording of,

content data, in real-time, of specified communications in its territory transmitted by means of a computer system.

2 Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of content data on specified communications in its territory through the application of technical means on that territory.

4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

69 Powers to issue directions for interception or monitoring or decryption of any information through any computer resource

(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.

(2) The Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed

(3) The subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub section (1), extend all facilities and technical assistance to -

(a) provide access to or secure access to the computer resource containing such information; generating, transmitting, receiving or storing such information; or

(b) intercept or monitor or decrypt the information, as the case may be; or

(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.

There has been a lot of academic research and debate around the exercise of powers under section 69 of the IT Act, but the current piece is not the place for a standalone critique of section 69.[11] The analysis here is limited to a comparison of the provisions of Article 20 vis-à-vis section 69 of the IT Act.

In that background, it needs to be pointed out that two important issues mentioned in Article 20 of the Convention are not specifically mentioned in section 69B, viz. (i) that the order should be only for specific computer data, and (ii) that the intermediary should keep such an order confidential; these requirements are covered by Rules 9 and 20 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, respectively.

Convention on Cybercrime

Information Technology Act, 2000

Article 22 – Jurisdiction

1 Each Party shall adopt such legislative and other measures as may be necessary to establish jurisdiction over any offence established in accordance with Articles 2 through 11 of this Convention, when the offence is committed:

a in its territory; or

b on board a ship flying the flag of that Party; or

c on board an aircraft registered under the laws of that Party; or

d by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State.

2 Each Party may reserve the right not to apply or to apply only in specific cases or conditions the jurisdiction rules laid down in paragraphs 1.b through 1.d of this article or any part thereof.

3 Each Party shall adopt such measures as may be necessary to establish jurisdiction over the offences referred to in Article 24, paragraph 1, of this Convention, in cases where an alleged offender is present in its territory and it does not extradite him or her to another Party, solely on the basis of his or her nationality, after a request for extradition.

4 This Convention does not exclude any criminal jurisdiction exercised by a Party in accordance with its domestic law.

5 When more than one Party claims jurisdiction over an alleged offence established in accordance with this Convention, the Parties involved shall, where appropriate, consult with a view to determining the most appropriate jurisdiction for prosecution.

1. Short Title, Extent, Commencement and Application

(2) It shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention hereunder committed outside India by any person.

75 Act to apply for offence or contraventions committed outside India

(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or contravention committed outside India by any person irrespective of his nationality.

(2) For the purposes of sub-section (1), this Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.

The Convention provides for extra territorial jurisdiction only for crimes committed outside the State by nationals of that State. However, the IT Act applies even to offences under the Act committed by foreign nationals outside India, as long as the act involves a computer system or computer network located in India.

Unlike para 3 of Article 22 of the Convention, the IT Act does not touch upon the issue of extradition. Cases involving extradition would therefore be dealt with by the general law of the land in respect of extradition requests contained in the Extradition Act, 1962. The Convention requires that in cases where the state refuses to extradite an alleged offender, it should establish jurisdiction over the offences referred to in Article 21(1) so that it can proceed against that offender itself. In this regard, it must be pointed out that Section 34A of the Extradition Act, 1962 provides that “Where the Central Government is of the opinion that a fugitive criminal cannot be surrendered or returned pursuant to a request for extradition from a foreign State, it may, as it thinks fit, take steps to prosecute such fugitive criminal in India.” Thus the Extradition Act gives the Indian government the power to prosecute an individual in the event that such individual cannot be extradited.

International Cooperation

Chapter III of the Convention deals specifically with international cooperation between the signatory parties. Such co-operation is to be carried out both "in accordance with the provisions of this Chapter" and "through application of relevant international agreements on international cooperation in criminal matters, arrangements agreed to on the basis of uniform or reciprocal legislation, and domestic laws." The latter clause establishes the general principle that the provisions of Chapter III do not supersede the provisions of international agreements on mutual legal assistance and extradition or the relevant provisions of domestic law pertaining to international co-operation.^{^[12]} Although the Convention grants primacy to mutual treaties and agreements between member States, in certain specific circumstances it also provides for an alternative if such treaties do not exist between the member states (Article 27 and 28). The Convention also provides for international cooperation on certain issues which may not have been specifically provided for in mutual assistance treaties entered into between the parties and need to be spelt out due to the unique challenges posed by cyber crimes, such as expedited preservation of stored computer data (Article 29) and expedited disclosure of preserved traffic data (Article 30). Contentious issues such as access to stored computer data, real time collection of traffic data and interception of content data have been specifically left by the Convention to be dealt with as per existing international instruments or arrangements between the parties.

Conclusion

The broad language and wide terminology used IT Act seems to cover a number of the cyber crimes mentioned in the Budapest Convention, even though India has not signed and ratified the same. Penal provisions such as illegal access (Article 2), data interference (Article 4), system interference (Article 5), offence related to child pornography (Article 9), attempt and aiding or abetting (Article 11), corporate liability (Article 12) are substantially covered and reflected in the IT Act in a manner very similar to the requirements of the Convention. Similarly procedural provisions such as search and seizure of stored computer data (Article 19), real-time collection of traffic data (Article 20), interception of content data (Article 21) and Jurisdiction (Article 22) are also substantially reflected in the IT Act.

However certain penal provisions mentioned in the Convention such as computer related forgery (Article 7), computer related fraud (Article 8) are not provided for specifically in the IT Act but such offences are covered when provisions of the Indian Penal Code, 1860 are read in conjugation with provisions of the IT Act. Similarly procedural provisions such as expedited preservation of stored computer data (Article 16) and production order (Article 18) are not specifically provided for in the IT Act but are covered under Indian law through the provisions of the Code of Criminal Procedure, 1973.

Apart from the above two categories there are certain provisions such as misuse of devices (Article 6) and Illegal interception (Article 3) which may not be specifically covered at all under Indian law, but may conceivably be said to be covered through an expansive reading of provisions of the Indian Penal Code and the IT Act. It may therefore be said that even though India has not signed or ratified the Budapest Convention, the legal regime in India is substantially in compliance with the provisions and requirements contained therein.

Thus, the Convention on Cybercrime is perhaps the most important international multi state instruments that may be used to combat cybercrime, not merely because the provisions thereunder may be used as a model to bolster national/local laws by any State, be it a signatory or not (as in the case of India) but also because of the mechanism it lays down for international cooperation in the field of cyber terrorism. In an increasingly interconnected world where more and more information of individuals is finding its way to the cloud or other networked infrastructure the international community is making great efforts to generate norms for increased international cooperation to combat cybercrime and cyber terrorism. While the Convention is one such multilateral effort, States are also proposing to use bilateral treaties to enable them to better fight cybercrime, the United States CLOUD Act, being one such effort. In the backdrop of these novel efforts the role to be played by older instruments such as the Convention on Cybercrime as well as by important States such as India is extremely crucial.

[1] Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b.

[2] The analysis here has been limited to only Chapter I and Chapter II of the Convention, as it is only adherence to these two chapters that is required under the CLOUD Act.

[3] The only possible enforcement that may be done with regard to the Convention on Cybercrime is that the Council of Europe may put pressure on the signatory State to amend its local laws (if it is refusing to do so) otherwise it would be in violation of its obligations as a member of the European Union.

[4] Alexander Seger, “India and the Budapest Convention: Why Not?”, https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/

[5] Explanatory Report to the Convention on Cybercrime, Para 50, https://rm.coe.int/16800cce5b.

[6] India is a party to the Berne Convention on Literary and Artistic Works, the Agreement on Trade Related Intellectual Property Rights and the Rome Convention. India has also recently (July 4, 2018) announced that it will accede to the WIPO Copyright Treaty as well as the WIPO Performances and Phonographs Treaty.

[7] The test under the Convention is that the relevant person would be the one who has a leading position within the company, based on:

a power of representation of the legal person;
an authority to take decisions on behalf of the legal person;
an authority to exercise control within the legal person.

[8]Vipul Kharbanda and Elonnai Hickock, “MLATs and the proposed Amendments to the US Electronic Communications Privacy Act”, https://cis-india.org/internet-governance/blog/mlats-and-the-proposed-amendments-to-the-us-electronic-communications-privacy-act

[9] The term “human rights” has been defined in the Act as “rights relating to life, liberty, equality and dignity of the individual guaranteed by the Constitution or embodied in the International Covenants and enforceable by courts in India”.

[10] Explanatory Report to the Convention on Cybercrime, Para 151, https://rm.coe.int/16800cce5b. .

[11] A similar power of interception is available under section 5 of the Telegraph Act, 1885, but that extends only to interception of telegraphic communication and does not extend to communications exchanged through computer networks.

[12] Explanatory Report to the Convention on Cybercrime, Para 244, https://rm.coe.int/16800cce5b.

For more details visit https://cis-india.org/internet-governance/blog/budapest-convention-and-the-information-technology-act

Bangalore Chapter Meet of DSCI

sunil — 2015-09-09T01:40:56Z

The Centre for Internet & Society (CIS) will host the Bangalore Chapter Meeting of Data Security Council of India (DSCI) on September 26, 2015 at its Bangalore office in Domlur. The event will be held from 2.30 p.m. to 5.30 p.m.

After the Nasscom cyber security task force meeting held at Wipro in June, followed by DSCI Best Practices meet in July, we now have the next chapter meeting at CIS.

Speakers

The first speaker will be Melissa Hathaway, Commissioner, Global Commission for Internet Governance. She is an internationally distinguished cyber security expert and has worked as cyber security adviser in two US Presidential Administrations, and is the former acting Senior Director for cyberspace at the National Security Council in the US. The topic she will be speaking on is "Connected Choices".

The second speaker will be Sunil Abraham, Executive Director, CIS (Center for internet & Society). Sunil is a renowned thought leader when it comes to internet governance, cyber space & its interface with civil society and actively contributes to DSCI and other forums. He will be presenting on "Anonymity in Cyberspace" - the SIG that he led over last 8 months along with a diverse group of members from the industry in Bangalore.

Agenda

Time	Topic
2.30 p.m. - 2.45 p.m.	Recent Developments and Updates from DSCI
2.45 p.m. - 4.00 p.m.	Srinivas P. (Anchor): DSCI Bangalore Chapter
4.00 p.m. - 5.00 p.m.	Melissa Hathaway: Connected Choices
5.00 p.m. - 5.30 p.m.	Sunil Abraham: Anonymity in Cyberspace

This will be followed by High Tea & Networking.

For participation, please send your email confirmation to Rajesh of Infosys at Rajesh_K18@infosys.com

Since seats are limited, the participation will be restricted to first 50 confirmations. We had to organize it on a Saturday, due to Melissa’s availability – I’m sure many of you who know about her as expert security speaker, will not see weekend as a constraint to attend. Look forward to meeting you at CIS.

For more details visit https://cis-india.org/internet-governance/events/bangalore-chapter-meet-of-dsci-september-26-2015

Bali meet to discuss Internet governance issues

praskrishna — 2013-10-23T08:29:23Z

Four-day event hosted by Internet Governance Forum to also discuss Internet access and diversity, privacy, security.

This article by Moulishree Srivastava was published in Livemint on October 22, 2013. Sunil Abraham is quoted.

Representatives of governments around the world, technology executives and activists will discuss issues such as Internet access and diversity, privacy, security, inter-governmental corporation, and Internet governance at a four-day event hosted by the Internet Governance Forum (IGF) that begins on Tuesday in Bali, Indonesia.

J. Satyanarayana, secretary, ministry of communications and information technology, confirmed India’s participation in the forum and said the country would be represented by Dr Govind, a senior director and head of department, e-infrastructure and Internet governance division, department of information technology.

“We will also be taking part in a working group on Internet governance and enhanced cooperation, which will be convened by the United Nations Commission on Science and Technology for Development in November,” said Satyanarayana.

“IGF is a valuable learning forum wherein different stakeholders can discuss Internet governance policy issues without any antagonism. Other fora for Internet policy like ICANN, WIPO (World Intellectual Property Organization), ITU (International Telecommunication Union), etc., are places where international law and policy are developed, and do not allow for such learning because negotiations are always very acrimonious. Since IGF is only meant for learning, it does not directly address the global policy vacuum that exists for cyber crime, data protection and privacy,” said Sunil Abraham, executive director of Bangalore-based Centre for Internet and Society, who will be participating in the Bali event.

“Indian government, private sector, civil society, technical and academic community can become more competent and effective through such a dialogue in other multilateral and multi-stakeholder fora where international Internet standards, policies and laws are formulated. It also helps the stakeholders contribute to the development of internationally interoperable domestic policy,” he added.

In 2006, the UN secretary general established a small secretariat in Geneva to assist him in the convening of IGF. The first meeting was convened in October-November 2006 in Athens. In December 2010, IGF’s mandate was extended for five years.

In its eighth edition, IGF will have detailed discussions on issues such as free flow of information on the Internet, regulatory approaches to privacy, and protection of interests of individuals and communities in cyberspace, Internet surveillance and legal framework for cyber crime, said the forum in a statement on its website.

During the four-event, for instance, one of the workshops “will explore what core principles and strategies are needed to achieve a balanced and fair approach to data protection that is effective internationally and regionally”, according to IGF.

Some of the prominent speakers in the event include Jari Arkko, chairman, Internet Engineering Task Force, Finland; Virat Bhatia, president, South Asia, AT&T Inc.; Chris Painter, coordinator for cyber issues, US department of state; Karen Mulberry, policy adviser, Internet Society; and Matthew Shears, director of Internet policy and human rights, Center for Democracy and Technology.

According to industry estimates, over 2.5 billion Internet users interact in shared cross-border online spaces where they can post content potentially accessible worldwide.

“No clear frameworks exist yet to handle the tensions between these competing normative orders or values and enable peaceful cohabitation in cross-border cyberspace. This challenge constitutes a rare issue of common concern for all stakeholder groups,” said IGF on its website.

According to a UN estimate, nearly 40% of the world’s population will be online by the end of 2013. “The Internet has become an essential tool for the creation of jobs and the delivery of basic public services,” said the UN undersecretary-general for economic and social affairs, Wu Hungbo, in a statement, adding that it is also essential “for improving access to knowledge and education, for empowering women, for enhancing transparency, and for giving marginalized populations a voice in decision-making processes”.

For more details visit https://cis-india.org/news/livemint-moulishree-srivastava-october-22-2013-bali-meet-to-discuss-internet-governance-issues

Automated Facial Recognition Systems and the Mosaic Theory of Privacy: The Way Forward

Arindrajit Basu, Siddharth Sonkar — 2020-01-02T14:12:38Z

Arindrajit Basu and Siddharth Sonkar have co-written this blog as the third of their three-part blog series on AI Policy Exchange under the parent title: Is there a Reasonable Expectation of Privacy from Data Aggregation by Automated Facial Recognition Systems?

The Mosaic Theory of Privacy

Whether the data collected by the AFRS should be treated similar to face photographs taken for the purposes of ABBA is not clear in the absence of judicial opinion. The AFRS would ordinarily collect significantly more data than facial photographs during authentication. This can be explained with the help of the mosaic theory of privacy.

The mosaic theory of privacy suggests that data collected for long durations of an individual can be qualitatively different from single instances of observation. It argues that aggregating data from different instances can create a picture of an individual which affects her reasonable expectation of privacy. This is because a mere slice of information reveals a lot less if the same is contextualised in a broad pattern — a mosaic.

The mosaic theory of privacy does not find explicit reference in Puttaswamy II. The petitioners had argued that seeding of Aadhaar data into existing databases would bridge information across silos so as to make real time surveillance possible. This is because information when integrated from different silos becomes more than the sum of its parts.

The Court, however, dismissed this argument, accepting UIDAI’s submission that the data collected remains in different silos and merging is not permitted within the Aadhaar framework. Therefore, the Court did not examine whether it is constitutionally permissible to integrate data from different silos; it simply rejected the possibility of surveillance as a result of Aadhaar authentication.

Jurisprudence in other jurisdictions is more advanced. In United States v. Jones, the United States Supreme Court had observed that the insertion of a global positioning system into Antoine Jones’ Jeep in the absence of a warrant and without his consent invaded his privacy, entitling him to Fourth Amendment Protection. In this case, the movement of Jones’ vehicle was monitored for a period of twenty-eight days. Five concurring opinions in Jones acknowledges that aggregated and extensive surveillance is capable of violating the reasonable expectation of privacy irrespective of whether or not surveillance has taken place in public.

The Court distinguished between prolonged surveillance and short term surveillance. Surveillance in the short run does not reveal what a person repeatedly does, as opposed to sustained surveillance which can reveal significantly more about a person. The Court takes the example of how a sequence of trips to a bar, a bookie, a gym or a church can tell a lot more about a person than the story of any single visit viewed in isolation.

Most recently, in Carpenter v. United States, the Supreme Court of the United States held that the collection of historical cell data by the government exposes the physical movements of an individual to potential surveillance, and an individual holds a reasonable expectation of privacy against such collection. The Court admitted that historical-cell site information allows the government to go back in time in order to retract the exact whereabouts of a person.

Judicial decisions have not addressed specifically whether facial recognition through law enforcement constitutes a search under the Fourth Amendment or a “mere visual observation”.

The common thread linking CCTV footages and cellular data is the unique ability to track the movement of an individual from one place to another, enabling extreme forms of surveillance. It is perhaps this crucial link that would make ARFS-enabled CCTVs prejudicial to individual privacy.

The mosaic theory as understood in Carpenter helps one understand the extent to which an AFRS can augment the capacities of law enforcement in India. This in turn can help in understanding whether it is constitutionally permissible to install such systems across the country.

AFRS enabled-CCTV footages from different CCTVs. if viewed in conjunction could reveal a sequence of movements of an individual, enabling long-term surveillance of a nature that is qualitatively distinct from isolated observances observed across unrelated CCTV footages.

Subsequent to Carpenter, federal district courts in the United States have declined to apply Carpenter to video surveillance cases since the judgement did not “call into question conventional surveillance techniques and tools, such as security cameras.”

The extent of processing that an AFRS-enabled CCTV exposes an individual to would be significantly greater. This is because every time an individual is in the zone of a AFRS-enabled CCTV, the facial image will be compared to a common database. Snippets from different CCTVs capturing the individual’s physical presence in two different locations may not be meaningful per se. When observed together, the AFRS will make it possible to identify the individual’s movement from one place to another.

For instance, the AFRS will be able to identify the person when they are on Street A at a particular time and when they are Street B in the immediately subsequent hour recorded by respective CCTV cameras, indicating the person’s physical movement from A to B. While a CCTV camera only records movement of an individual in video format, AFRS translates that digital information into individualised data with the help of a comparison of facial features with a pre-existing database.

Through data aggregation, which appears to be the aim of the Indian government in their tender that links three databases, it is apparent that the right to privacy is in danger. Yet, at present, there does not exist any case law or legislation that can render such efforts illegal at this juncture.

Conclusions and The Way Forward

Despite a lack of judicial recognition of the potential unconstitutionality of deploying AFRS, it is clear that the introduction of these systems pose a clear and present danger to civil rights and human dignity. Algorithmic surveillance alters a human being’s life in ways that even the subject of this surveillance cannot fully comprehend. As an individual’s data is manipulated and aggregated to derive a pattern about that individual’s world, the individual or his data no longer exists for itselfbut are massaged into various categories.

Louis Amoore terms this a ‘data-derivative’, which is an abstract conglomeration of data that continuously shapes our futures without us having a say in their framing. The branding of an individual as a criminal and then aggregating their data causes emotional distress as individuals move about in fear of the state gaze and their association with activities that are branded as potentially dangerous — thereby suppressing a right to dissent — as exemplified by their use reported use during the recent protests in Hong Kong.

Case law both in India and abroad has clearly suggested that a right to privacy is contextual and is not surrendered merely because an individual is in a public place. However, the jurisprudence protecting public photography or videography under the umbrella of privacy remains less clear globally and non-existent in India.

The mosaic theory of privacy is useful in this regard as it prevents mass ‘data-veillance’ of individual behaviour and accurately identifies the unique power that the volume, velocity and variety of Big Data provides to the state. Therefore, it is imperative that the judiciary recognise safeguards from data aggregation as an essential component of a reasonable expectation of privacy. At the same time, legislation could also provide the required safeguards.

In the US, Senators Coons and Lee recently introduced a draft Bill titled ‘The Facial Recognition Technology Warrant Act of 2019’. The Bill aims to impose reasonable restrictions on the use of facial recognition technology by law enforcement. The Bill creates safeguards against sustained tracking of physical movements of an individual in public spaces. The Bill terms such tracking ‘ongoing surveillance’ when it occurs for over a period of 72 hours in real time or through application of technology to historical records. The Bill requires that ongoing surveillance only be conducted for law enforcement purposes and in pursuance of a Court Order (unless it is impractical to do so).

While the Bill has its textual problems, it is definitely worth considering as a model going forward and ensure that AFR systems are deployed in line with a rights-respecting reading of a reasonable expectation of privacy. Parsheera suggests that the legislation should narrow tailoring of the objects and purposes for deployment of AFRS, restrictions on the person whose images may be scanned from the databases, judicial approval for its use on a case by case basis and effective mechanisms of oversight, analysis and verification.

Appropriate legal intervention is crucial. A failure to implement this effectively jeopardizes the expression of our true selves and the core tenets of our democracy.

For more details visit https://cis-india.org/internet-governance/automated-facial-recognition-systems-and-the-mosaic-theory-of-privacy-the-way-forward

Automated Facial Recognition Systems (AFRS): Responding to Related Privacy Concerns

Arindrajit Basu, Siddharth Sonkar — 2020-01-02T14:09:14Z

Arindrajit Basu and Siddharth Sonkar have co-written this blog as the second of their three-part blog series on AI Policy Exchange under the parent title: Is there a Reasonable Expectation of Privacy from Data Aggregation by Automated Facial Recognition Systems?

The Supreme Court of India, in Puttaswamy I recognized that the right to privacy is not surrendered merely because the individual is in a public place. Privacy is linked to the individual as it is an essential facet of human dignity. Justice Chelameswar further clarified that privacy is contextual. Even in a public setting, people trying to converse in whispers would signal a claim to the right to privacy. Speaking on a loudspeaker would naturally not signal the same claim.

The Supreme Court of Canada has also affirmed the notion of contextual privacy. As recently as on 7 March, 2019, the Supreme Court of Canada in a landmark decision defined privacy rights in public areas implicitly applying Helena Nissenbaum’s theory of contextual integrity. Helena Nissenbaum explains that the extent to which the right to privacy is eroded in public spaces with the help of her theory of contextual integrity.

Nissenbaum suggests that labelling information as exclusively public or private fails to take into account the context which rationalises the desire of the individual to exercise her privacy in public. To explain this with an illustration, there exists a reasonable expectation of privacy in the restroom of a restaurant, even though it is in a public space.

In R v Jarvis (Jarvis), the Court overruled a Court of Appeal for Ontario decision to hold that people can have a reasonable expectation of privacy even in public spaces. In this case, Jarvis was charged with the offence of voyeurism for secretly recording his students. The primary issue that the Supreme Court of Canada was concerned with was whether the students filmed by Mr. Jarvis enjoyed a reasonable expectation of privacy at their school.

The Court in this case unanimously held that students did indeed have a reasonable expectation of privacy. The Court concluded nine contextual factors relevant in determining whether a person has a reasonable expectation to privacy would arise. The listed factors were:

“1. The location the person was in when he or she was observed or recorded,

2. The nature of the impugned conduct (whether it consisted of observation or recording),

3. Awareness of or consent to potential observation or recording,

4. The manner in which the observation or recording was done,

5. The subject matter or content of the observation or recording,

6. Any rules, regulations or policies that governed the observation or recording in question,

7. The relationship between the person who was observed or recorded and the person who did the observing or recording,

8. The purpose for which the observation or recording was done, and

9. The personal attributes of the person who was observed or recorded.” (paragraph 29 of the judgement).

The Court emphasized that the factors are not an exhaustive list, but rather were meant to be a guiding tool in determining whether a reasonable expectation of privacy existed in a given context. It is not necessary that each of these factors is present in a given situation to give rise to an expectation of privacy.

Compared to the above-mentioned factors in Jarvis, the Indian Supreme Court in Justice K.S Puttaswamy (Retd.) v. Union of India: Justice Sikri (Puttaswamy II) — the case which upheld the constitutionality of the Aadhaar project relied on the following factors to determine a reasonable expectation of privacy in a given context:

“(i) What is the context in which a privacy claim is set up?

(ii) Does the claim relate to private or family life, or a confidential relationship?

(iii) Is the claim a serious one or is it trivial?

(iv) Is the disclosure likely to result in any serious or significant injury and the nature and extent of disclosure?

(v) Is disclosure relates to personal and sensitive information of an identified person?

(vi) Does disclosure relate to information already disclosed publicly? If so, its implication?”

These factors (acknowledged in Puttaswamy II in paragraph 292) seem to be very similar to the ones laid down in Jarvis, i.e., there is a strong reliance on the context in both cases. While there is no explicit mention of individual attributes of the individual claiming a reasonable expectation, the holding that children should be given an opt out indicates that the Court implicitly takes into account personal attributes (e.g. age) as well.

The Court in Jarvis further (in paragraph 39) took the example of a woman in a communal change room at a public pool. She may expect other users to incidentally observe her undress but she would continue to expect only other women in the change room to observe her and reserve her rights against the general public. She would also expect not to be video recorded or photographed while undressing, both from other users of the pool and by the general public.

If it is later found out that the change room had a one-way glass which allowed the pool staff to view the users change — or if there was a concealed camera recording persons while they were changing, she could claim a breach of her reasonable expectation of privacy under such circumstances and it would constitute an invasion of privacy.

So, in the context of an AFRS, an individual walking down a public road may still signal that they wish to avail of their right to privacy. In such contexts, a concerted surveillance mechanism may come up against constitutional roadblocks.

What is the nature of information being collected?

The second big question — the nature of information which is being collected plays a role in determining the extent to which a person can exercise their reasonable expectation of privacy. Puttaswamy II laid down that collection of core biometric information such as fingerprints, iris scans in the context of the Aadhaar-Based Biometric Authentication (‘ABBA’) is constitutionally permissible. The basis of this conclusion is that the Aadhaar Act does not deal with the individual’s intimate or private sphere.

The judgement of the Supreme Court in Puttaswamy II is in a very specific context (i.e. the ABBA). It does not explain or identify the contextual factors which determine the extent to which privacy may be reasonably expected over biometrics generally. In this judgment, the Court observed that demographic information and photographs do not raise a reasonable expectation of privacy under Article 21 unless there exist special circumstances such as the disclosure of juveniles in conflict of law or a rape victim’s identity.

Most importantly, the Court held that face photographs for the purpose of identification are not covered by a reasonable expectation of privacy. The Court distinguished face photographs from intimate photographs or those photographs which concern confidential situations.

Face photographs, according to the Court, are shared by individuals in the ordinary course of conduct for the purpose of obtaining a driving license, voter id, passport, examination admit cards, employment cards, and so on. Face photographs by themselves reveal no information.

Naturally, this pronouncement of the Apex Court is a huge boost for the introduction of AFRS in India.

Abroad, however, on 4 September 2019, in Edward Bridges v. Chief Constable of South Wales Police, a Division Bench of the High Court in England and Wales heard a challenge against an AFRS introduced by law enforcement (see Endnote 1). The High Court rejected a claim for judicial review holding that the AFRS in question does not violate inter alia the right to privacy under Article 8 of the European Convention of Human Rights (‘ECHR’).

According to the Court, the AFRS was used for specific and limited purposes, i.e., only when the image of the public matched a person on an existing watchlist. The use of the AFRS was therefore considered a lawful and fair restriction.

The Court, however, acknowledged that extracting biometric data through AFRS is “well beyond the expected and unsurprising”. This seems to be a departure from the Indian Supreme Court’s observation in Puttaswamy II that there is no reasonable expectation of privacy over biometric data in the context of ABBA, and may be a wiser approach for the Indian courts to adopt.

Endnote

1. The challenge was put forth by Edward Bridges, a civil liberties campaigner from Cardiff for being caught on camera in two particular deployments of the AFRS a) when he was at Queen Street, a busy shopping area in Cardiff and b) when he was at the Defence Procurement, Research, Technology and Exportability Exhibition held at the Motorpoint Arena.

This was published by AI Policy Exchange.

For more details visit https://cis-india.org/internet-governance/automated-facial-recognition-systems-afrs-responding-to-related-privacy-concerns

A Critical Look at the Visual Representation of Cybersecurity

Paromita Bathija, Padmini Ray Murray, and Saumyaa Naidu — 2019-08-21T08:00:11Z

The Centre for Internet and Society and design collective Design Beku came together on the 15th of November for a workshop on Illustrations and Visual Representations of Cybersecurity. Images in the public sphere such as visuals in the media, Wikipedia commons, and stock images - play a vital role in the public’s perception of cybercrime and cybersecurity.

Edited by Karan Saini / Illustrations by - Paul Anthony George, and Roshan Shakeel

Download the file here

The existing imagery comprises of largely stereotypical images of silhouettes of men in hoodies, binary codes, locks, shields; all in dark tones of blue and green. The workshop aimed at identifying the concerns with these existing images and ideating on creating visuals that capture the nuanced concepts within cybersecurity as well as to contextualise them for the Global South. It began with a discussion on the various concepts within cybersecurity including disinformation, surveillance in the name of security, security researchers, regulation of big technology companies, gender and cybersecurity, etc. This was followed by a mapping of different visual elements in the existing cybersecurity imagery to infer the biases in them. Further, an ideation session was conducted to create alternate visualisations that counter these biases. A detailed report of the workshop can be read here.

The participants began by discussing the concerning impacts of present visualisations – there is a lack of representation and context of the global south. Misrepresentation of cybersecurity leads people to be susceptible to disinformation, treats cybercrime as an abstract concept that does not have a direct impact, and oversimplifies the problem and its solutions. The ecosystem in which this imagery exists also presented a larger issue. A majority of the images are created as clickbait alongside media articles. Media houses thus benefit from the oversimplification and mystification of cybersecurity in such images.

Through the mapping of existing images present online, several concerns were identified. The vague elements and unclear representation add to the mystification of cybersecurity as a concept. In present depictions, the use of technological devices and objects, leads to the lack of a human element, distancing the threat from any real impact to people using these devices. The metaphor of a physical threat is often used to depict cybersecurity using elements such as a lock and key. Recurring use of these elements gives a false idea of what is being secured or breached and how. Representations rely on tropes regarding the identity of hackers, and fail to capture the vulnerability of the system. The imagery gives the impression that systems which are breached are immensely secure to begin with and are compromised only as a result of sophisticated attacks carried out by malicious actors. The identity of hackers is commonly associated with cyber attacks and breaches, and the existing imagery reinforces this. Visuals showing a masked man or a silhouette of a man in dark background are the usual markers of a malicious hacker in conventional cybersecurity imagery. While there is a lack of representation of women in stock cybersecurity images, another trope found was that of a cheerful woman coder. There were also images of faceless women with laptops^{^[1]}. The reductive nature of these images point to deeper concerns around gender representation in cybersecurity.

The participants examined what the implications of such visual representation would be, and why there is a need to change the imagery. How can visual depictions be more representative? Can they avoid subscribing to a homogenised idea of an Indian context – specific without being reductive? Can better depiction broaden understanding of cybercrime and emphasize the proximity of those threats? With technology, concepts are often understood through metaphors – how data is explained impacts how people perceive it. Visual imagery can play a critical role in demystifying concepts when done well; illustrations can change the discourse. They must begin to incorporate intersecting aspects of gender, privacy, susceptibility of vulnerable populations, generational and cultural gaps, as well as manifestations of the described crimes to make technological laypersons more aware of the threat.

Potential new imagery would need to address aspects such as disinformation, the importance of privacy and who has a right to it, change representation of hackers, depict the cybersecurity community, explain specific concepts to both – the general user and to the people part of cybersecurity efforts in the country, the implications of cybercrime on vulnerable populations, and more in an attempt to deconstruct and disseminate what cybersecurity looks like today.

The ideation session involved rethinking specific concepts such as disinformation, and ethical hacking to create alternate imagery. For instance, disinformation was visually imagined as a distortion of an already distorted message being perceived by the viewer. In order to bring attention to the impact of devices, a phone was thought of as a central object to which different concepts of cybersecurity can be connected.

‘Fake News Cascade’ by Paul Anthony George

‘Fake News’ by Paul Anthony George

‘Disinformation/ Fake News’ by Roshan Shakeel; The sketch is about questioning the validity of what we see online, and that every message we see is constructed in some form or the other by someone else.

‘Disinformation/ Fake News’ by Roshan Shakeel; The sketch visualizes how the source of information ('the original') gets distorted after a certain point.

For ethical hacking, a visualisation depicting a day in the life of an ethical hacker was thought of to normalize hacking and to focus on their contribution in security research.

‘A Day in the Life of an Indian Hacker’ by Paul Anthony George

'Surveillance in the Name of Security' by Roshan Shakeel

Resources on ethical hacking (HackerOne)^[2] and hacker culture (2600.com)^[3] were also consulted as part of the exercise to gather references on the work done by hackers. This allowed a deeper understanding of how the hacker community depicts itself. Check Point Research^[4] and Kerala Police Cyberdome^[5] were also examined for further insight into cybersecurity. With regard to gender representation, sources that use visual techniques to communicate concerns and advocacy campaigns were also referred to. The Gendering Surveillance^[6] initiative by the Internet Democracy project^[7], which looks at how surveillance harms and restricts women, also offered insights on the use of illustrations supporting the case studies. Another reference was the "Visualising Women's Rights in the Arab World"^[8] project by the Tactical Technology Collective^[9]. The project aims to “strengthen the use of visual techniques by women's rights advocates in the Arab world, and to build a network of women with these skills”.^[10]

More visual explainers and animations^{^[11]} from the Tactical Technology Collective were noted for their broader engagement with digital security and privacy. A video by the Internet Democracy Project that explains the Internet through rangoli^{^[12]}, was observed specifically for setting the concept in Indian context through the use of aesthetics.

The workshop concluded with a discussion of potential visual iterations – imagery of cybersecurity that is not technology-oriented but focussed on the behavioural implications of access to such technology, illustrated public service announcements enhancing the profile of cybersecurity researchers or the everyday hacker. The impact of the discussion itself can indicate the relevance of such an effort. Artists and designers can be encouraged to create a body of imagery that shifts discourse and perception, to begin visualising for advocacy, demystify and stop the abstraction of cybercrime that can lead to a false sense of security, incorporate unique aspects of the debate within the Indian context, and generate new dialogue and understanding of cybersecurity. A potential step forward from this workshop would be to engage with the design community at large along with the domain experts to create more effective imagery for cybersecurity.

^{^[1]} https://www.hackerone.com/

^{^[2]} https://2600.com/

^{^[3]} https://research.checkpoint.com/about-us/

^{^[4]} http://www.cyberdome.kerala.gov.in/

^{^[5]} https://genderingsurveillance.internetdemocracy.in/

^{^[6]} https://internetdemocracy.in/

^{^[7]} https://visualrights.tacticaltech.org/index.html

^{^[8]} https://tacticaltech.org/

^{^[9]} https://visualrights.tacticaltech.org/content/about-website.html

^{^[10]} https://tacticaltech.org/projects/survival-in-the-digital-age-ono-robot-2012/

^{^[11]} https://internetdemocracy.in/2018/08/dots-and-connections/

^{^[12]} https://www.independent.co.uk/life-style/gadgets-and-tech/features/women-in-tech-its-time-to-drop-the-old-stereotypes-7608794.html

For more details visit https://cis-india.org/internet-governance/blog/paromita-bathija-padmini-ray-murray-and-saumyaa-naidu

50p and Digital Payments Masterclass Learning - CIS

Udbhav Tiwari — 2017-06-15T12:29:52Z

Sunil Abraham, Saikat Dutta and Udbhav Tiwari from the CIS team attended 50p on the 24 and 25 of January 2017 in Bangalore, India. We had the following learnings from the event, which will shape our work in the digital finance and payments space in the future.

Historical Developments of Digital Payments Regulation in India - The historical development of the digital payments ecosystem in India, starting with mobile/SMS banking around 2004, focusing mostly on high-end consumers. The widely varying implementations across banks led to the RBI taking an active regulatory approach, beginning with the introduction of compulsory two factor authentication in the form of mandatory PIN usage for credit and debit cards. This move helped secure “card not present” (CNP) transactions, which in turn allowed the e commerce, online streaming services and other digital services to rapidly gain customers. This serves as an example of how simple, targeted and uniformly imposed regulations can help secure widely used digital payment modes, securing customers while expanding opportunities for businesses. The Watal Committee report has also stressed on how the the industry and consumers alike, in the medium term, will benefit from focused sectoral regulation for the FinTech industry.

Expansion in the Modern Digital Payments Industry - The digital payments industry has expanded from having three main stakeholders (banks, card issuing agencies and customers) in mid 2000s to over eight distinct entities who take part in the same payments chain. These include Digital Wallet Providers, Payment Gateways, Payment Processors, Ticketing or Payment Service Providers Billers, all of which are operate with millions of transactions per day. This not only increases the potential attack surface for possible attempts at compromising them but also governance under traditional banking regulations difficult for the regulatory authority. The introduction of BBPS (Bharat Bill Pay System) to integrate the thousands of local utility bill payment system in India, into one centrally administered programme, is just one example of the vast amounts of data being generated (and integrated) by the digital payments industry. Therefore, the need for unique FinTech regulations and standards (maybe even a regulator) to handle the rapidly expanding and critical industry is quite strong in the booming space in India.

UPI - The Unified Payments Interface (UPI) is a set of standards that allow for a single application to connect to and control multiple bank accounts (of participating banks), allowing users to use several banking services such as funds transfer (P2P), merchant payments, etc. Initially launched in August, 2016 with support from 16 banks and is gaining rapid acceptance among users, businesses and payment providers alike. While built on the same technological underpinnings as the IMPS system, the UPI standard allows for a wide variety of data, including credit scores, Aadhaar numbers and geographical location to be transmitted. While the standard itself seems reasonably secure, its diverse and closed source implementation allow for the usual closed source development risks of security and unresolved bugs. It is stipulated to become the most widely used digital transaction protocol in India and the backbone of the FinTech industry due to its interoperability and regulatory acceptance. A set of security guidelines and practices that allow for a uniform, secure and auditable implementation of the UPI standard as well as its operational usage will aid in faster and more secure development of the standard while simultaneously protecting consumer interest.

Need for Consumer Advocacy - The need for educating consumers about the technical operations of the digital payments industry, best practices to maximise user facing security and strategies for effective dispute redressal were tagged as key focus areas by various groups. The inadequacy of the Consumer Protection Act to deal with the labyrinth of digital payments and the relative lack of liability and breach notification laws (especially in the non-banking finance companies sector) have lead to bargaining power in consumer contracts to fall in the favour of the digital payments industry. While initiatives such as Cashless Consumer are attempting to rectify this, sustained and well planned initiatives implemented in a diverse and multi-lingual manner will be needed to keep up with the rapid pace of expansion in the industry and is burgeoning user base. Incidental benefits of such programmes (an increase in the demand for data protection and privacy aware practices) will also serve to further consumer interest in a manner that will have a positive impact outside the FinTech industry.

USSD - The recent push towards USSD based banking, which allows banking transactions to be carried using feature phones, has led to various concerns regarding its security, reliability and implementation. The varying levels of GSM encryption in the providers in India, the lack of open standards (such as HTTPS for Internet Banking) that allow consumers to verify security and the rapid but untested implementation by most banks have led to some players raising doubts about the possibility of exploitation of the particularly vulnerable section of users that will use USSD banking. The need for a detailed investigation into current practices, open and auditable standards unique to USSD banking in India and regulations that mandate a minimum level of compliance was expressed by multiple stakeholders.

For more details visit https://cis-india.org/internet-governance/50p-and-digital-payments-masterclass-learning-cis

11th India Knowledge Summit 2013

praskrishna — 2013-09-26T07:15:29Z

The Associated Chambers of Commerce and Industry in India (ASSOCHAM) is organizing the 11th Knowledge Summit 2013 in Hotel Shangri-La, New Delhi on October 14 and 15, 2013. The Centre for Internet and Society is supporting this event.

Click to read the original published by ASSOCHAM here , read the tentative agenda here and the event brochure here.

The lack of a national-level doctrine has created an environment where we are entirely reactive in our cyber posture. Indeed, battlefield transcends physical borders and boundaries. The power of a nation-state is not required to inflict widespread damage to critical infrastructure systems; a single malicious actor can wreak havoc. The starkest difference, however, is that today both the private sector and individual citizens have unprecedented access to a myriad of infrastructure systems that can provide entry into sensitive systems – yet they are largely unaware of, and unaccountable for, their responsibilities in defending them.

As cyber networks rapidly transition from a mere utility to the undercurrent of our entire societal infrastructure, this reliance becomes a vulnerability. The modern Cyber Era demands a national-level doctrine that can be adopted by government agencies, armed forces, private sector organizations and individual citizens alike to establish a collective sense of purpose for our Cyber Security.

The Chamber is providing a forum to bring executive leaders, policymakers and academia together with the scientists and practitioners that intimately understand cyber technology to collaborate and begin a debate about the complex issues.

The time has come when we should consider not only the military impact of the new cyber world, but also what role cyber defense will hold in shaping the future of our country’s economy, education, foreign affairs policies and critical infrastructure initiatives. Only then can our government, industry, and private citizens align under common goals to shape a safe and prosperous future.

ASSOCHAM India's Apex Chamber for Commerce & Industry was set up in 1920. Today the Chamber is proud to have more than 450,000 Companies as it's esteemed Member which includes many of the big global technology companies.

ASSOCHAM is privileged to be a Member of the “Cyber Regulation Advisory Committee” set up by Ministry of Communications and IT, and the Joint Working Group (JWG) on Cyber Security set up by the National Security Council Secretariat, Government of India.

The ASSOCHAM’s flagship program the Annual INDIA KNOWLEDGE SUMMIT, organized since 1999 has been Addressed in the past by Noble Laureates, as the Distinguished ‘Key Note Speaker’ including – Dr. Craig Venter, Sir Harry Kroto, Prof. Aaron Ciechanover, Dr. Raj Reddy, Dr. A P J Abdul Kalam, Dr. Kirsty Duncan, Prof. John A Pickett to name a few.

This year the 11th INDIA KNOWLEDGE SUMMIT is being organized from 14-15 October, 2013 in Hotel Shangri-La, New Delhi.

The Theme for this year’s Summit is “Cyber Era - Securing the Future”.

Registration Fees:

International Delegates: $ 200/- for both days
Indian Delegates: Rs. 5,000/- per day
Students: Rs. 2,000/- per day
The Delegate Registration Fee include:
Tea & Coffee
Copy of Background Paper /
Copy of Workshop Study Material

For more details please contact:

Ajay Sharma, Senior Director, M: 9899188488 , eMail: ajay.sharma@assocham.com
Varun Aggarwal, Joint Director, M: 9910613815 , eMail: varun.aggarwal@assocham.com
Himanshu Rewaria, Executive, M: 9654251077 , eMail: himanshu.rewaria@assocham.com
Sahil Goswami Executive, M: 9871962311 , eMail: sahil.goswami@assocham.com

Corporate Office
The Associated Chambers of Commerce and Industry of India
ASSOCHAM Corporate Office, 5, Sardar Patel Marg
Chanakyapuri, New Delhi – 110021
Phone: 46550555 (Hunting Line)
Fax: 01123017008/9

Email: assocham@nic.in

For more details visit https://cis-india.org/news/eleventh-india-knowledge-summit-2013

'Ethical Hacker' Saket Modi Calls for Stronger Cyber Security Discussions

kovey — 2013-08-05T13:11:08Z

Twenty-two year old Saket Modi is the CEO and co-founder of Lucideus, a leading cyber security company in India which claims to have worked with 4 out of 5 top global e-commerce companies, 4 out of 10 top IT companies in the world, and 3 out of 5 top banks of the Asia Pacific.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

At the Confederation of Indian Industry (CII) conference on July 13, titled “ACT – Achieving Cyber-Security Together,” Modi as the youngest speaker on the agenda delivered an impromptu talk which lambasted the weaknesses of modern cyber security discussions, enlightened the audience on modern capabilities and challenges of leading cyber security groups, and ultimately received a standing ovation from the crowd. As a later speaker commented, Modi’s controversial opinions and practitioner insight had "set the auditorium ablaze for the remainder of the evening". Since then the Centre for Internet and Society (CIS) has had the pleasure of interviewing Saket Modi over Skype.

It is quite easy to find accounts of Saket Modi's introduction into hacking just by typing his name in the search engine. Faced with the pressure of failing, a teenage Saket discovered how to hack into his high school Chemistry teacher’s test and answer database. After successfully obtaining the answers, and revealing his wrong doings to his teacher, the young man grew intrigued by the possibilities of hacking. "I thought, if I could do this in a couple hours, four hours, then what might I be able to do in four days, four weeks, four months?"

Nowadays, Modi describes himself and his Lucideus team as "ethical hackers", a term recently espoused by hacker groups in the public eye. As opposed to "hacktivists", who utilize hacking methods (including attacks) to achieve or bring awareness to political issues, ethical hackers claim to exclusively use their computer skills to support defenses. At first, incorporation of ethics into a for-profit organization’s game plan may seem confusing, as it leaves room for key questions, like how does one determine which clients constitute ethical business? When asked, however, Modi clarifies by explaining how the ethics are not manifest in the entities Lucideus supports, but instead inherent in the choice of building defensive networks as opposed to using their skills for attack or debilitation. Nevertheless, considerations remain as to whether supporting the cyber security of some entities can lead to the insecurity of others, for example, strengthening the agencies which work in covert cyber espionage. On this point, Modi seems more ambivalent, saying "it depends on a case by case basis". But he still believes cyber security is a right that should be enjoyed by all, "entitled to [you] the moment you set foot on the internet".

As an experienced professional in the field who often gives input on major cyber policy decisions, Modi emphasizes the necessity of youth engagement in cyber security practice and policy. He calls his age bracket the “web generation,” those who have “grown with technology.” According to Modi, no one over 50 or 60 years of age can properly meet the current challenges of the cyber security realm. It is "a sad thing" that those older leaders carry the most power in policy making, and that they often have problems with both understanding and acceptability of modern technological capabilities. For the public, businesses, and also government, there are misconceptions about the importance of cyber security and the extent of modern cyber threats, threats which Modi and his company claim to combat regularly. "About 90 per cent of the crimes that take place in cyber space are because of lack of knowledge, rather than the expertise of the hacker,” he explains. Modi mentions a few basic misconceptions, as simple as, "if I have an anti-virus, my system is secured" or "if you have HTTPS certificate and SSL connection, your system is secured". “These are like wearing an elbow guard while playing cricket,” Modi tells. “If the ball comes at the elbow then you are protected, but what about the rest of the body?”

This highlights another problem evident in India’s current cyber security scene, the problem of lacking “quality institutes to produce good cyber security experts.” For example, Modi takes offence at there not being “a single institute which is providing cyber security at the undergraduate level [in India].” He alludes to the recently unveiled National Cyber Security Policy, specifically the call for five lakh cyber security experts in upcoming years. He calls this “a big figure,” but agrees that there needs to be a lot more awareness throughout the nation. “You really have to change a lot of things,” he says, “in order to get the right things in the right place here in India.”

When considering citizen privacy in relation to cyber security, and the relationship between the two (be it direct or inverse), Saket Modi says the important factor is the governing body, because the issue ultimately resolves to trust. Citizens must trust the “right people with the right qualifications” to store and protect their sensitive data, and to respect privacy. Modi is no novice to the importance of personal data protection, and his company works with a plethora of extremely sensitive information relating to both their clients and their clients’ clients data, so it operates with due care lest it create a “wikileaks part two.”

On internationalization and cyber security, he views the connection between the two as natural, intrinsic. “Cyberspace has added a new dimension to humanity,” says Modi, and tells how former constructs of physical constraints and linear bounds no longer apply. International cooperation is especially pertinent, according to Modi, because the greatest challenge for catching today’s criminal hackers is their international anonymity, “the ability to jump from one country to the other in a matter of milliseconds.”

With the extent of the challenges facing cyber defense specialists, and with the somewhat disorderly current state of Indian cyber security, it is curious to see that Saket Modi has devoted himself to the "ethical" side of hacking. Why hasn’t he or the rest of the Lucideus team resorted to offensive hacking, since Modi claims the majority of cyber attacks of the world who are committed by people also fall between the ages of 15 and 24? Apparently, the answer is simple. “We believe in the need for ethical hacking,” he defends. “We believe in the purpose of making the internet safer.”

For more details visit https://cis-india.org/internet-governance/blog/saket-modi-calls-for-stronger-cyber-security-discussions