
Naavi.org

Building a Responsible Cyber Society…Since 1998

Traffic Light Protocol

Posted by Vijayashankar Na on December 30, 2016
Posted in Cyber Law

Classifying documents before distribution is one of the important activities of data managers in organizations. The better part of Information Security lies in properly classifying a document and tagging it so that every end user understands what he can and cannot do with the document in his hands.

In this connection, it is interesting to observe the document tagging protocol used by US-CERT, appropriately named the “Traffic Light Protocol (TLP)”.

Attention was drawn to this protocol when the Obama Government in the USA published an FBI investigation document that probed the hacking of e-mails of the Democratic National Committee by suspected Russian hackers, which helped expose many of the secrets of Mrs Hillary Clinton and perhaps contributed decisively to the victory of Mr Donald Trump.

While the Obama administration has been livid with the hacking and revelations, and has also taken action, with many Russians being expelled and agencies being closed down, information security observers note that the FBI document was released under the TLP as a “White” document, indicating that it can be distributed widely.

The TLP uses colour codes and nomenclatures to designate the documents and define the sharing boundaries.

There are four colour codes under the protocol, and they indicate the following:

“TLP:WHITE” indicates “Unlimited” boundaries for distribution.

“TLP:GREEN” indicates that the information is meant for limited disclosure restricted to the community.

“TLP:AMBER” indicates that the information is meant for limited disclosure restricted to the participants’ organizations.

“TLP:RED” indicates “Not for disclosure”, restricted only to the participants.

The complete definitions are found in the following table (Source: US CERT)

 

TLP:RED (Not for disclosure, restricted to participants only.)
When should it be used? Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party’s privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP:AMBER (Limited disclosure, restricted to participants’ organizations.)
When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP:GREEN (Limited disclosure, restricted to the community.)
When should it be used? Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP:WHITE (Disclosure is not limited.)
When should it be used? Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

 

More details of the protocol can be found on the website of US-CERT. Indian corporates could probably also use a similar protocol for tagging their documents.
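
As an added illustration (not from US-CERT or the original post), the sharing boundaries in the table can be checked mechanically before a document leaves a mailbox or file share. The `Audience` levels, the function names and the fail-closed handling of unmarked text are assumptions of this sketch.

```python
import re
from enum import IntEnum


class Audience(IntEnum):
    """How far a recipient is from the original exchange (smaller = closer)."""
    PARTICIPANT = 0    # present in the exchange, meeting or conversation
    ORGANIZATION = 1   # participant's own organization, or its clients/customers who need to know
    COMMUNITY = 2      # peers and partner organizations in the sector or community
    PUBLIC = 3         # anyone, including publicly accessible channels


# Widest audience each colour allows, taken from the table above.
# Extra limits a source may attach to TLP:AMBER are not modelled here.
WIDEST = {
    "RED": Audience.PARTICIPANT,
    "AMBER": Audience.ORGANIZATION,
    "GREEN": Audience.COMMUNITY,
    "WHITE": Audience.PUBLIC,
}

# Accepts "TLP:RED", "TLP: red" and the colon-less "TLP RED" spelling.
_MARKING = re.compile(r"\bTLP(?:\s*:\s*|\s+)(RED|AMBER|GREEN|WHITE)\b", re.IGNORECASE)


def parse_tlp(text):
    """Return the marking found in text, or None if there is none.

    If several different markings appear (for example a WHITE summary that
    quotes RED material), the most restrictive one wins.
    """
    found = {m.upper() for m in _MARKING.findall(text)}
    if not found:
        return None
    return min(found, key=lambda colour: WIDEST[colour])


def may_share(text, audience):
    """Decide whether text may go to audience; returns (allowed, marking)."""
    marking = parse_tlp(text)
    if marking is None:
        # Assumption of this sketch: unmarked material fails closed and is
        # handled like TLP:RED until its source labels it.
        return (audience == Audience.PARTICIPANT, "UNMARKED")
    return (audience <= WIDEST[marking], marking)


if __name__ == "__main__":
    # Constructed sample messages, not real advisories.
    samples = [
        ("Subject: [TLP:GREEN] Sector advisory", Audience.PUBLIC),
        ("Subject: [TLP:AMBER] Indicators for your SOC", Audience.ORGANIZATION),
        ("TLP:WHITE summary quoting a TLP RED briefing", Audience.COMMUNITY),
        ("Subject: meeting notes", Audience.ORGANIZATION),
    ]
    for message, audience in samples:
        print(audience.name, may_share(message, audience))
```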

Naavi

I refer to the article “Here is how the Currency Shortage can vanish in a jiffy with ‘Digi-Real Currency’”, in which a solution to meet the current crisis of shortage of currency notes was discussed.

One of the amendments that RBI has announced on the Prepaid Cards appears to make the suggestion even more viable than it had been earlier.

In my earlier suggestion, I had preferred that the “Digi-Real Notes” which are paper instruments issued as “Zero Value” and with monetary value loadable by transfer of money to a digital account mapped to the instrument, be issued by Banks using their current infrastructure for printing cheque leaves. One of the reasons for this was to provide a sense of respectability to the paper notes which will obviously look less valuable than currency notes.

Now RBI has issued an amendment to its master circular on Prepaid cards vide its circular dated 27th December 2016 which appears relevant to our discussions.

According to the circular, para 7.9 of the master circular dated July 1, 2016 on Prepaid payment instruments has been amended.

The amendment is as follows:

i. Banks may extend the provisions of paragraph 7.9 of Master Circular on PPIs dated July 01, 2016 to include other entities / ‘employers’ such as unlisted corporates / partnership firms / sole proprietorship / public organizations like municipal corporations, urban local bodies, etc. (employers) for onward issuance to their staff / employees / contract workers, etc.
ii. Banks shall extend this facility only to those entities / ‘employers’ that have a bank account with them and after obtaining an undertaking that they are not availing of this facility from any other bank.
iii. Verification of the identity of the staff / employees / contract workers, etc. shall be the responsibility of the concerned ‘employer’. The bank should put in place proper systems to capture and maintain details of the employees to whom the cards are issued by the ‘employer’ along with copies of photograph and identity proof of such employees. The ‘employer’ is also required to make available details of bank accounts (if any) of the employees to the bank.
iv. Banks shall load/reload PPIs after obtaining necessary authorisation and above mentioned details of the employees/staff/contract workers, etc. from the ‘employers’.
v. Extant instructions of paragraph 7.9 (d), (e), (f) and (g) continue to be applicable.

 The above changes shall come into effect from the date of this circular.

With this amendment it is now possible for a number of Companies, including unlisted companies and even proprietary concerns, to issue “Prepaid Cards” co-branded with their Banks by identifying their employees. It will be as simple as issuing identity cards. Once issued, the participating Bank can allow loading of money into the prepaid card.

As a result of this amendment, the burden of issuing KYC based prepaid cards by Banks will be delegated to a number of employers.

The “Digi-Real Notes ” as suggested is also a similar instrument (though it is not a card) and may be termed as a “One time use prepaid instrument” that is actually handed over by the transferor to the transferee. Now such instruments can be issued not only by Banks but also by other agencies.

However, for the instrument to be widely accepted, the issuing company needs to have some respectability and the look and feel of the instrument has to project a sense of confidence.

This circular will enable many Companies to issue such prepaid instruments/cards to their employees and relieve the problem of currency shortage.

We may however reiterate that if the Companies only issue “Cards” as per the circular, the holders will only be able to use it as a “Digital payment” under say RuPay network. The card remains with the employee and can be used for payment to merchants. It will not substitute currency.

But if the suggestion of the undersigned is accepted, the “Digi Real Notes” can be “One time use prepaid cards” that can be used as a substitute for currency of any denomination such as Rs 100 or Rs 500/- or Rs 1000/- and will completely eliminate the need for the actual currency. At a cost of issuing the plastic cards, employers need to issue  “Coupons” with their logo with whatever security feature they can accommodate within their budget. Employees can also be given an option to either pick up the “Cards” or “Digi-Real Notes”. A small charge can also be made to cover the cost.

I hope companies will consider this suggestion now that the legal aspect has been cleared. Even if the private sector fails to respond quickly, public sector companies may move in quickly and create the precedent that can be taken up by others. This should meet the salary day rush for cash coming up in the next three days.

Naavi

P.S: At the request of some of my friends, I have elaborated here the concept of Ze-Mo coupons I referred to in my previous article as a possible solution to the post-demonetization measure where there is a shortage of currency in the market. This solution was part of the patent applied solution titled “Digital Value Imprinted Instrument System” applied in 2003 and subsequently not pursued for various reasons. Presently the copyright is still with Naavi. However in the interest of the needs of the country at this point of time, I am publishing this solution with the hope that it can be exploited by either the Government owned Banks or any FinTech Company. There are a few more security aspects that can be incorporated in the solution beyond what is presented here to make the solution more robust….. Naavi

I present here a solution to the post-demonetization problem that we are facing in India today, where there is a serious shortage of currency notes. It is stated that the printing capacity of RBI indicates that it will take some more time for the withdrawn notes to be replaced fully.

The solution presented here is an adaptation of Naavi’s “Digital Value Imprinted Instrument System” (DVIIS) as a “Digi-Real Currency” which will look as under. (May be printed on the security paper used in cheques)

This will be a form of a  hybrid instrument which uses the “Brick and Click” technology. It is a digital currency with a physical existence. People can hold it, feel it and hand it over to another person as they do now using a currency note.

However, there is no monetary value written on the instrument. The monetary value can be found by checking the serial number either on a website or on a mobile app. Persons with a QR code reader or bar code reader can use them with or without the app.

The basic instrument is issued by a Bank in the form of books with “Zero Value” on the instrument.

The holder can then use the App/website, enter the serial number and load an amount on the instrument such as Rs 50, Rs 100, Rs 500 or Rs 2000, or for that matter any other amount, by transferring the value from his account to the Digi-Real cheque. In this aspect it will be similar to a “pre-paid card”, but the difference is that the Digi-Real coupon is actually handed over to the person to whom the holder wants to pay some money, and the receiver has the psychological satisfaction of holding the instrument with monetary value embedded inside.

Compared to the completely digital system that the “Mobile Wallets” etc. represent, this Digi-Real Currency fills the missing link between the purely physical instrument based currency system we use today and the proposed digital payment system. Ideally this should have come before the introduction of the pure digital systems, but currently we have moved ahead by leaping across. Those who do not have the strength to leap fully are the people who will benefit from this intermediary solution, which enables transformation in easy to digest steps.

This system is different from the Sodexo type of coupons where the value is printed on the instrument, since such coupons are easy to duplicate. By not indicating the value on the instrument, the acceptor is forced to “Verify” the value. If he so desires, he can note the value as read by him on the back of the instrument, where there will be space for keeping notes.

Verification of value can be done by several alternate means: entering the number into an SMS, reading a QR code or reading a bar code. Even an IVR system can be configured for the purpose.

It is also different from instruments issued by the Banks today against payment. With instruments such as DDs, Certified Cheques or Cash Cards, the customer has to first block his funds to get the pre-paid instrument, whereas with this instrument he can keep the blank instruments with him, use them for any denomination and commit his funds only at the time of use.

The holder will be given the option to

a) Extinguish the instrument by transferring the money to any bank account through the App

b) Hand over the instrument to another person without himself encashing it

c) Disable further transfer permanently or temporarily by locking the instrument ( preventing theft)

The current printing capacity for cheques by Banks should be sufficient to print required number of this instrument which will be about half or one fourth the size of a current account cheque book. This will reduce the cost of paper used. Also part of the back of the instrument can be used for advertisement to subsidize the cost.

It can be supplied to the customers and delivered at their homes so that they need not queue up at the Banks. Each book can be used in any denomination of currency so that the shortage of one or other denomination does not arise. Eventually this instrument can enable the “Cashless Society” that we are dreaming of.

The system will prevent hoarding of this currency by putting an expiry date on the instrument after which it can only be transferred to the Bank account and extinguished. The instrument will therefore be in circulation all the time.

The system has many hidden security features, not all of which I have discussed here. It will be more tamper proof than the currency except for the need for people to understand the use of the App. In this respect it is not different from the Mobile Wallets, USSD codes or UPI apps. But it should be easier to understand and use than these apps. The only necessary operation that an ordinary man on the street needs to know is “How to Verify the value”. The other aspect is transferring the value to his account, for which he can use the assistance of other knowledgeable persons if required, or of the Bank itself, where he can deposit the instruments like any other cheque.

The only risk that will remain will be “Hacking of the server” in which the value of the instrument is maintained. But if we today trust the Banks for our money in their core banking software, we should trust them also for this database of Digi-Real currency. The need for strengthening the security in this system as well as the need for protective measures such as Cyber Insurance etc. will continue.

The possibility of a “Denial of Access” is also a risk that frustrates the system. This has to be tackled by a proper distributed system of authentication that can be configured by the Banks. The load on the system is of course not high, since compared to the current transaction authentication related system load, the query authentication involved in this instrument places a lower load on the systems and bandwidth. The “Query” received would be to validate a given number of the instrument and return the value recorded against it. There is no need to authenticate the transferor and transferee or to initiate a transfer instruction from one bank account to another.

I am presenting this commercially valuable suggestion here so that the Government/NPCI/Banks can make use of it if it desires.

If any FinTech company intends to develop this product, I will be able to assist them in developing the solution with appropriate modifications as may be required.

Naavi

(Comments are welcome)

A report in the Times group of papers today stated that the Government has mandated that Banks need to report “Breaches” in their systems to the Government within 2 hours.

TOI, in its article titled “Government asks banks to share IT breach info within 2 hrs”, reported that the Government had sounded an alert to all the top banks that any breach in their IT systems needs to be reported to the Government. The report was attributed to IT Secretary Ms Aruna Sundararajan.

The secretary reportedly made a statement that “More regulation is needed to make the laws tougher, especially to fix liabilities and responsibilities of the service providers towards their customers.”

She seems to have also stated that “Stringent penal provisions will be mandated for any breach, and steps have been initiated to overhaul the IT Law of the country to make provisions in tune with the present-day requirements. The review is being undertaken in consultation with the Finance and Home Ministries.”

These tough looking statements are welcome.

However, the approach of the Government to bring in a new law is unnecessary and time consuming and will not address the immediate requirement.

Presently, the key to protecting the consumers from any digital transaction related frauds and simultaneously also instilling a sense of responsibility in the Banks lies with the RBI in the simple solution of confirming its “Draft Circular” of August 11, 2016 as “Final operative circular.”

But, as always, RBI is dragging its feet perhaps unable to counter the pressures from the major Banks such as SBI, ICICI Bank, HDFC Bank , Axis Bank and PNB for abandoning the circular altogether.

The key I am referring to is the issue of the “Limited Liability Circular of August 11, 2016”, which was first issued in draft form and should have been re-issued by this time as an operative instruction.

The undersigned has sent many letters to the Governor of RBI and other executives as well as the Prime Minister Mr Modi and Finance Minister Mr Arun Jaitley.

Unfortunately, neither Mr Modi nor Mr Jaitley seems to have been properly advised about the power of this circular, or they still do not feel that the push is called for, and hence they are not focussing on this simple requirement that can go a long way in protecting the public who are being thrust into the digital payment system.

Despite a personal request from the undersigned, the Governor of RBI, Mr Urjit Patel, as well as their officials have failed to provide a satisfactory reply to my letter or give an appointment to meet them personally and explain to them the urgency in this regard.

After several reminders and an RTI application, I have received a reply from Mr P.K. Mehrotra, Assistant General Manager, Department of Banking Regulation, Central Office, RBI, dated 23rd December 2016, stating as follows.

Quote:  

Please refer to your letter dated December 1, 2016 on the captioned subject.

In this connection, we advise that we are in the process of finalization of the circular taking into account the feedback received from public and banks.

 Unquote

The public comments for the circular closed on August 31, 2016 and we are almost into the new year. Hence the answer given by RBI can only be considered unsatisfactory and evasive.

It is clear that RBI, as always, is unable to push through its regulatory measures on the influential Banks. In the meantime, Cyber Crime victims are waiting endlessly for justice when their hard earned money is siphoned off by fraudsters, some of them exploiting the technical inadequacies in the system and some of them colluding with the Bankers.

The recent incidents where Bank employees have colluded with the black money operators in several parts of the country are a clear indication that Bank employees of today do not have the honesty which was once attributed to them by the public. If they can make money by laundering currency, it is eminently possible that many of them may be hand in glove with the fraudsters who commit cyber crimes. They are therefore not in favour of measures like the “Limited Liability for frauds for the customer”.

I have personal experience of Banks such as ICICI Bank, SBI, AXIS Bank and PNB supporting their fraudulent customers instead of the Cyber crime victims when they encounter a cyber crime.

The names of the three lady Chair Persons of prominent Banks such as Ms Arundhati Bhattacharya or Shikha Sharma or Chanda Kochhar or the past Chairperson of PNB, Mr Kamat who became the head of IBA look responsible when they speak on CNBC TV.

But what the public may not know is that all these Chair persons have shown scant respect for Cyber Crime victims of their bank and do not deserve to be called “responsible”.

They seem to forget that the victims of bank frauds are their valued customers. On the other hand, they all seem to be more in favour of the “other” customer who has siphoned the money away from the victim and transferred it to their account. In most cases Banks have opened accounts for them  without following the KYC norms.

I urge Mr Arun Jaitley and Mr Modi to just check in how many cases of Bank frauds involving negligence of the Banks, these Chair persons have launched lengthy litigations to prolong justice to the victims. With the Government and CJI contributing to the delay in justice by closing down the Cyber Appellate Tribunal (CyAT), and the IT department floating fancy ideas of changing IT law and merging CyAT with TDSAT, there appears to be no room for optimism that the Cyber Crime victim’s plight will be addressed even by Mr Modi.

In this background the talk of “Report incidents within 120 minutes” appears to be just a joke.

I wish the IT ministry or the RBI or even the FM and PM to challenge me on these comments and prove me wrong by doing the simple thing of getting the RBI’s draft “Limited Liability Circular of August 11” confirmed.

Can there be anything simpler than this in protecting the public from Cyber Frauds?

If you cannot do even this, how can we trust you will be able to implement the larger issues such as the “Cyber Security Framework” or “Security Operating Centers”?

…..The Nation wants to know..

Naavi

 

Around 2003, the undersigned had come up with a solution named “Digital Value Imprinted Instrument System” (DVIIS). This was a “Brick and Click” solution to many of the problems of physical instruments which have a monetary value including “Currency”, “Stamps”, “Tickets” etc. (One of the representative solutions is available here). The system could not be commercialized by the undersigned since proper support could not be gathered. At least two major IT companies who were privy to the idea could not see the commercial prospect and failed to take it up for implementation.

One of the implementations of the DVIIS was in what was called “ZE-MO Cards/Coupons”  (named as such because it was a Zero Memory smart instrument replacing the smart cards with larger memory).

It appears now that the idea was a little too early for the market at that time. But now when the country is struggling to find a solution to the currency shortage after demonetization, it appears that the Ze-Mo coupons are ideally suited to resolve many of the practical problems that we face today.

The essence of the Ze-Mo  system was that there would be a Zero Value physical instrument which would carry its value on the digital server mapped to the instrument. The instrument would be used to transfer value from one to other and could be used for “Digital Stamps”, “Tickets” and also as a “Currency Substitute”. When this concept was being discussed, we did not have the concept of “Pre paid, refillable” cards as we have today.

The “Ze-Mo” cards were promoted as thick paper labels with almost zero material cost (compared to smart cards, which were expensive) which would be distributed free by sponsors who will have advertisement space on the label (Like UNO cards?) and let people fill it up with money before being handed over to the next person. The value would be verifiable at the server with reference to some code imprinted on the instrument. (It was suggested that this could include an invisible hidden code in addition to a visible code.)

At that time I had also suggested Ze-Mo coupons as a “Verifiable Currency” particularly of high value and repeated the suggestion in 2014 in my article “Black Money Policy of Narendra Modi.. Here is My Idea”. This was also published in naavi.org. At that time nothing was known about the demonetization that occurred on November 8, 2016.

Presently, we are struggling to ensure that the shortage of cash that has resulted from the demonetization does not derail the economy more than what we can bear comfortably. The opposition parties are doing their bit to not only create panic in the minds of the public so that they will hoard available new currency notes but also encouraging all kinds of malpractices in converting black currency stocks to new currency stock with the help of Banks and political party donations etc.

There is therefore an urgent need to energize  the system of “Digital Payment Infrastructure” and make it more efficient and secure.

It appears that the Ze-Mo system was well designed for this purpose and even now is well suited to quickly replace the withdrawn currency provided we pep up the earlier suggested instrument with

a) KYC back up

b) Slightly better security than what was envisaged.

One implementable solution is to permit all Banks to print Ze-Mo slips/coupons like Cheque leaves in all the security printers available, which will look better than the simple labels that I had proposed earlier, and sell/distribute them only to identified individuals who provide their Aadhaar number or their Bank number. (Cost of Ze-Mo coupons can be about 20-25% of the cost of printing of a cheque leaf even if similar security printing technology is used).

Banks can issue books of 100 such leaves to their customers which will be equivalent to any currency they wish to hold in any denomination as long as they have the funds in the back end account. (P.S: It may look similar to the Sodexo Coupons but the value would not be printed on the instrument and would only be available for online verification). Customers can use the 100 leaves as different denominations of currency in any mix as they like. Hence the question of shortage of any particular denomination does not arise at all.

The coupons will remain zero value until they are filled up by transfer from the account, like charging a prepaid instrument. The difference between a Prepaid card and this coupon is that the coupon would be handed over by the person making the payment to the person to whom the payment is being made.

Holders of these Ze-Mo Coupons would use either a mobile app or internet to transfer money from their existing bank account to the Ze-Mo coupons using the serial number as the mapping. Any person to whom it is handed over can simply check the same App or on the internet, what is the value of the coupon before he accepts it.  The query could be made available both on smart phones and on USSD codes so that the recipient gets an SMS as soon as he sends the number of the coupon to the server.

The coupons can later be either used as such for further transfer or extinguished. It is one of the suggestions that the coupons will have a validity period for transfer which will be short (say one month) so that it cannot be used for hoarding cash but has to be in circulation or extinguished.

Compared to the current system such as the mobile wallets, the UPI and USSD, the Ze-Mo system has a significant advantage in the sense that it gives a “Feel of Currency”. Most people would be very comfortable holding the coupon that looks like a bank cheque than nothing at all as in the case of pure digital wallet transaction.

Ze-Mo coupons also reduce the transaction load on the server at the time of transaction, since validation by the recipient only has to verify static data on the server (such as the hash value of the input) instead of validating a payment instruction on the fly and transferring the money from one account to another.

The actual money transfer occurs at a time different from the time of the transaction, both for loading money to the coupon from a bank account (at the payer’s end) and for unloading it from the coupon to a bank account (at the recipient’s end). This would address the problem of “Transaction peaking” at different points of time during the day creating server crashes.

Additionally, Ze-Mo coupons would reduce the number of digital transactions by at least a factor of two or three if we presume that the coupon is used for payment by the first recipient to at least one other person before it is extinguished.

The only risk is that someone may forget to credit the coupon to his bank account and allow it to expire.

In such cases, an exceptional system can be made for the holder to go over to a Bank, submit his identity and get the money credited to his account. Obviously he will be answerable to the tax authorities if required.
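
The life cycle described for the Digi-Real note and the Ze-Mo coupon (zero value at issue, loading by serial number, read-only verification by the acceptor, locking, expiry and extinguishment) can be modelled as a small state machine on the value server. This is an added sketch, not Naavi's implementation; the class and method names, the 30-day validity and the in-memory store are assumptions, and holder authentication is left out because the articles do not describe it.

```python
from dataclasses import dataclass
from datetime import date, timedelta


class InstrumentError(Exception):
    """Raised when an operation is not allowed in the coupon's current state."""


@dataclass
class Instrument:
    serial: str
    expires: date              # last day the coupon may be loaded or handed over
    value: int = 0             # rupees recorded against the serial; zero when issued
    locked: bool = False       # holder's lock against theft
    extinguished: bool = False


class ValueServer:
    """Constructed in-memory stand-in for the bank server mapping serial -> value."""

    def __init__(self, validity_days=30):
        self.validity = timedelta(days=validity_days)
        self.accounts = {}     # account id -> balance in rupees
        self.notes = {}        # serial -> Instrument

    def issue(self, serial, today):
        """Bank issues a blank, zero-value coupon."""
        if serial in self.notes:
            raise InstrumentError("serial already issued")
        self.notes[serial] = Instrument(serial, today + self.validity)

    def _live(self, serial):
        note = self.notes.get(serial)
        if note is None or note.extinguished:
            raise InstrumentError("unknown or extinguished serial")
        return note

    def load(self, serial, account, amount, today):
        """Holder commits funds from a bank account to the coupon."""
        note = self._live(serial)
        if note.locked or today > note.expires:
            raise InstrumentError("coupon is locked or expired")
        if amount <= 0 or self.accounts.get(account, 0) < amount:
            raise InstrumentError("invalid amount or insufficient funds")
        self.accounts[account] -= amount
        note.value += amount

    def set_lock(self, serial, locked):
        self._live(serial).locked = locked

    def verify(self, serial, today):
        """Acceptor's query: returns (status, value) and changes nothing."""
        note = self.notes.get(serial)
        if note is None:
            return ("unknown", 0)
        if note.extinguished:
            return ("extinguished", 0)
        if note.locked:
            return ("locked", note.value)
        if today > note.expires:
            return ("expired", note.value)
        return ("valid", note.value)

    def extinguish(self, serial, account):
        """Credit the value to a bank account and retire the serial.

        Expiry does not block this step: an expired coupon can still be
        credited to an account, it just cannot circulate any further.
        """
        note = self._live(serial)
        if note.locked:
            raise InstrumentError("coupon is locked")
        amount = note.value
        self.accounts[account] = self.accounts.get(account, 0) + amount
        note.value, note.extinguished = 0, True
        return amount


if __name__ == "__main__":
    # Constructed walk-through with made-up serial and account names.
    day = date(2016, 12, 30)
    server = ValueServer()
    server.accounts["payer"] = 1000
    server.issue("ZM-0001", day)
    server.load("ZM-0001", "payer", 500, day)
    print(server.verify("ZM-0001", day))
    print(server.verify("ZM-0001", day + timedelta(days=31)))
    print(server.extinguish("ZM-0001", "payee"), server.accounts)
```

A serial that has been extinguished can never be loaded again, so an acceptor who sees anything other than a valid status with the expected value has grounds to refuse the coupon.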

Thus the Ze-Mo coupon system if introduced can quickly address the issue of shortage of currency which will be a huge political issue after 31st December 2016.

Naavi

More information on how ZeMo system can be adopted to banks (ppt prepared in 2003)

 

Does DMCA pose a risk to Indian hosting companies also?

Posted by Vijayashankar Na on December 23, 2016
Posted in Cyber Law

When a hosting company hosts user content, there is always a risk of the hosting company being charged for abetting the copyright infringement if any by the user. In India, intermediaries are subject to the “Due Diligence” requirement under Section 79 of ITA 2008 which inter-alia requires them to respond to a notice such as a “Take down notice” within 36 hours.

This “Act within 36 hours” does not mean that the hosting company needs to take down any content for which he has received a notice of objection from a member of public. It applies when a competent Court issues an order. There could be some doubt as to an action required when a notice comes directly from the police without a Court order. Normally the Police should respect the tradition of getting a Court order in case of either a suspected defamatory post or a copyright infringement. Neither the Police nor a complaining individual nor even the hosting company has the right to take a judgmental view about any content as to whether it is defamatory or infringing any copyright.  However, it would be necessary for the hosting company to reach out to the accused person who has posted a disputed content and initiate a “Show Cause” process followed by a mediation or arbitration before the next level of action is contemplated. In the meantime, a “Notice” may be displayed that the content is disputed so that visitors are informed and put on notice.

Obviously, copyright owners would not be satisfied with any half measures and would not only require a take down but also further action both civil and criminal on the person who infringed. As regards the hosting company, most copyright owners would be satisfied if a  quick action is taken to take down the offending content.

Under DMCA, four safe harbors have been provided for the service providers according to which the liability of the intermediary would be limited if certain precautions are observed. They are

a) Transitory digital network communications (eg:Network service providers who only transmit data)

b) System caching (eg: ISPs who cache content temporarily)

(c) Information residing on systems or networks at the direction of users

d) Information location tools (eg: Search Engines)

Each of the above has a set of particular conditions, all of which must be met to enjoy the protection of that safe harbor. Each safe harbor addresses a different aspect of potential copyright liability, and meeting the conditions of any one is sufficient to receive protection for the acts included in that safe harbor.

In order to address the concern of the copyright owners, Congress instituted a “Voluntary” notice and take down system so that the allegedly infringing material is removed quickly and then any infringement can be adjudicated in a copyright infringement suit. This system of “notice and take down” starts with a service provider designating an agent to receive notices by filing a form with the copyright office. Then copyright owners who believe that their works are available on a service provider’s system can send a notice to that service provider at the address available in an online database on the Copyright Office’s Web site.

Recently the copyright authorities have simplified the system by introducing an online facility to designate an agent and also reduced the fees for the registration.

Once a service provider wanting to avail itself of the safe harbors knows that its system has infringing material, that service provider must expeditiously remove or block access to the allegedly-infringing material. That knowledge can come from a proper notice from the copyright owner, or when the service provider is aware of facts or circumstances from which infringing activity is apparent. It is not necessary for a service provider to police its users, or guess that something may be an infringement.

In a case in which the notification that is provided to the service provider’s designated agent fails to provide the necessary knowledge, the service provider needs to promptly attempt to contact the person making the notification or take other reasonable steps to assist in the receipt of a notification that substantially complies with all the provisions.

Further, a service provider shall not be liable to any person for wrongful deletion of the content done in good faith when a proper notice has been received.

The service provider must notify the subscriber of any take down, and if the subscriber contests the take down, must restore the material within 14 business days. That provides the copyright owner time to file an infringement suit and get a temporary injunction ordering the continued removal of, or blockage of access to, the alleged infringing material.

There are some legal experts in USA suggesting that DMCA provisions need to be honoured by all service providers who may be serving content to US citizens. If this is true, then there will be a need for affected Indian content providers to register their “DMCA agents” with the DMCA authorities.

Generally the provisions of DMCA also constitute the “Due Diligence” under Section 79 of ITA 2008. However, in the case of websites where the content is available to a global audience, the risk of DMCA exercising its jurisdiction on Indian service providers is a cause of worry. There have been at least two instances where DMCA has struck on people outside India. The first was the case of a Russian programmer, the project lead of a product infringing DMCA that was developed in Russia and distributed through a website; the programmer was arrested while on a tour of USA. The second was a professor working in Japan who was extradited by the friendly Government to face trial in USA. There is no reason to believe that such things would not recur in future also.

Hence the Indian copyright authorities need to ensure that DMCA is not applied to Indian content providers bypassing the local laws.

For this purpose, it is necessary for the Indian Copyright Authorities to declare that “No action will be initiated against Indian constituents under any copyright law except through the Indian copyright authorities”.

Simultaneously the CERT IN should coordinate with the Indian Copyright Authorities in ensuring that those who follow ITA 2008 should not be harassed under the Copyright Act with “Take down notices” and “Penal action for not adhering to take down notices”.

This point had been made here several years back but the need for such “Indian Safe harbor” has not been addressed so far.

Naavi