Naavi.org

The recent spate of fake Bomb threats to different Airline companies and an open advisory from a Khalistani Terrorist not to travel in Air India are acts of terrorism that fit well into the definition of Cyber Terrorism under Section 66F of ITA 2000.

It is surprising that the Ministry of Aviation seems to be searching for ways to strengthen the aviation laws to make such threats punishable. I request the Civil Aviation Minister Ram Mohan Naidu Kinjarapu to take note that there is already a law in India under Section 66F of ITA 2000 which states inter-alia as follows.

“Who ever “with an intention to strike terror in any section of the people”, accesses a computer resource exceeding authorised access and by mens of such conduct is likely to cause disruption of services essential to the life of the community, shall be punishable with life imprisonment”

Hence there is no need for a separate law and tweaking of Airlines Rules to file a case of terrorism against those who send the fake emails either to Airlines or to schools etc with bomb threats. Once such cases are filed, they are recognized across the globe and can be taken to Interpol for investigation if required.

The reason why these threats are proliferating and will continue to proliferate is that it is child’s play to get an email account in Proton Mail or similar email services which provide an anonymous E Mail account from which such threats can be sent. There are proxy servers which provide services to hide the IP addresses also. It is therefore near impossible for the investigating agencies to quickly decypher the identity of the sender.

While it costs almost nothing for the attacker to send an email, it costs in the range of Rs 25 lakhs for airlines to divert flights in mid air for security reasons, conduct a security drill before it is released once again. In view of the ease and economy of such cyber attacks, these will continue and a solution has to be found by the Government as otherwise the asymmetric attack will cause huge damage to the country.

The solution to this lies in getting the cooperation of the service providers like Proton Mail or the VPN service providers to get the identity of those who use the facilities for committing international terrorism. The contracts of such providers always indicate that the services shall not be used for terrorism.

For example the terms of service of Proton Mail indicate as follows:

Any Account found to be committing the listed unauthorized activities will be immediately suspended.

2. Authorized use of the Services

You agree not to use your Account or the Services for any illegal or prohibited activities. Unauthorized activities include, but are not limited to:

1. Disrupting the Company’s networks and Servers in your use of the Services;
2. Accessing/sharing/downloading/uploading illegal content, including but not limited to Child Sexual Abuse Material (CSAM) or content related to CSAM;
3. Infringing upon or violating the intellectual property rights of the Company or a third party;
4. Harassing, abusing, insulting, harming, defaming, slandering, disparaging, intimidating or discriminating against someone based on gender, sexual orientation, religion, ethnicity, race, age, nationality or disability;
5. Trading, selling or otherwise transferring the ownership of an Account to a third party (with the exception of Lifetime Accounts, which can be sold or traded exclusively through the Company);
6. Promoting illegal activities or providing instructional information to other parties to commit illegal activities;
7. Having multiple free Accounts (e.g. creating bulk signups, creating and/or operating a large number of free Accounts for a single organization or individual);
8. Paying for your subscription with fraudulent payment means, such as a stolen credit card;
9. Engaging in spam activities, which are defined as the practice of sending irrelevant or unsolicited messages or content over the internet, typically to a large number of recipients, notably for the purposes of advertising, phishing, or spreading malware or viruses;
10. Sending junk mail, bulk emails, or mailing list emails that contain persons that have not specifically agreed to be included on that list. You agree not to use the Services to store or share content that violates the law or the rights of a third party;
11. Abusive registrations of email aliases for third-party services;
12. Attempting to access, probe, or connect to computing devices without proper authorization (i.e. any form of unauthorized “hacking”);
13. Referring yourself or another one of your accounts to unduly benefit from our referral program’s benefits (see section 9 for discretionary benefits of the program).

Similar conditions will be available in all VPN services as well as all domain name services.

The first requirement for our law enforcement is therefore to quote these terms and demand that the service provider disclose the identity details of the account holder who is committing a terror activity. This can be supported with a Court order.

In case these service providers refuse to abide by the request, it can be escalated into a notice alleging an attempt to shield the perpetrator of the crime and make the service provider a c0-accused for conspiracy. This will provide power for the law enforcement to take direct action against the service provider in an Indian Court and later enforce it in the relevant country in which the service provider is registered. They will not be eligible for protection under Section 79 of ITA 2000 if they donot cooperate with the information sought with a due process of law.

In the meantime, the law enforcement can also take action to block the domain such as “Protonmail.com” from India along with the associated VPN services ignoring the cries of the digital andolan jeevies.

I request the MHA and MeitY to immediately initiate action to co-operate with the Ministry of Civil Aviation in initiating an action in the above direction.

Naavi

In a recent meeting of the officials of MeitY with the ministry, it is reported that the officials suggested the industry to get cracking on the implementation of DPDPA 2023 without waiting for publication of the rules.

This suggests that the MeitY is still not clear on some of the aspects of the law and how it has to be implemented.

In this context the DGPSI which was developed as a “Framework for Implementation” of DPDPA 2023 assumes a much bigger role as a document that would be the codification of the interpretation of DPDPA 2023 for the implementation by the industry.

DGPSI is therefore the “Jurisprudence” for DPDPA 2023. It indicates how the DPDPA 2023 can be interpreted and implemented. The legal basis is implementation as “Due Diligence” under ITA 2000.

Watch out for more in a series of posts here.

Yesterday we had a very useful discussion on whether there is a need to regulate the Dark Web and whether it is desirable and whether it is feasible.

As expected one school of thought was of the firm view that “Dark Web” cannot be regulated and if you try to bring down one Tor Site, another will come up and so on. There are no two opinions that hackers who function in the Dark Web are confident that the law enforcement cannot catch them. There are law enforcement persons as well as security professionals who simply are happy observing the dark web. In fact many security professionals make a living out of monitoring the dark web.

The fact that dark web is thriving because of the presence and availability of crypto currencies like Bitcoins and Monero is well known.

One common view of the professionals was that even politicians are having a cut in cyber crime proceeds and in Crypto Form and hence they are not interested in taking any action against them. It was however noted that regulation of Crypto currencies in India has been effective and Indians are using Dubai as the center for exchange of their black wealth to Crypto currencies and back. Havala operations are also in place between India and Dubai so that ransom money payments demanded in crypto currencies can be carried out.

At the end of the discussions, it was clear that the need for regulation of Dark Web and Crypto Currency is very much needed unless we want a “Digital Jungle Raj” in Digital India.

However there is no consensus on whether any regulation is feasible on Dark Web in India. Many are obviously against such regulation since their lively hood could be affected. They belong to that school of thought that let there be Crimes, Let there be victims of Cyber Crimes. We shall make our money through legitimate business surrounding dark web.

At Naavi.org we believe that “Impossibility of regulating Dark Web” is only an excuse not to try.

In fact we have not prevented road accidents but we have laws for traffic management. We have similarly laws on drug abuse or gun selling or terrorism but we are not able to eliminate them. What we as a society need to do is to take a position to declare that we would not support the Dark Web and the Dark Currency come what may.

It does not matter we shrink our Web space by creating an “Iron Curtain” and restrict use of Internet, ban the domains such as proton mails and continue to ban any substitutes that may come up.

If we cannot ban Tor browser because it is required for any reason, then make it’s possession subject to registration of a person as a “Registered Ethical Hacker” and bring accountability to the use of the Tor browser.

Under Section 67B of ITA 2000, any person  who creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner.

A similar law should be considered for restricting the use of Dark Web.

Under Section 84 C of ITA 2000, Whoever attempts to commit an offence punishable by this Act or causes such an offence to be committed is also punishable.

Dark Web which is an instrument of crime along with Tor browser, Proton mail (and other similar services) as well as the Bitcoin type of Private Crypto Currency are all therefore classified as instruments which “Causes such offences…..defined under ITA 2000” . Hence there is already a law that can be used against the use of Criminal Instruments.

Any person in possession of dangerous weapons in the physical world is looked upon as a potential threat to the society and Police maintain a register of such persons as “Rowdie Sheeters”. At the same time we allow police, security agencies and celebrities including people like actor Govinda to possess revolvers for their own safety or for other purposes.

Similarly, we can mandate that any person who wants to use any of the dark web tools should be registered with the national security agency as a “Registered Ethical hacker” and report his activities periodically in the form of an audit report. This will bring accountability to the use of dark web by security persons and segregate them from “Unregistered ethical hackers” who can be classified as “Black hat hackers”.

We advocate MHA to bring in an explanation to the existing laws at appropriate places to state “Possession of dark web tools …as per a list to be published … will require mandatory registration failing which the possession itself will be punishable.

We agree that a section of the society will ignore the law. It does not matter. Let us at least give an opportunity to the “Friends of the digital society” to declare their honesty in good faith by registering themselves as persons who possess ability to wade into criminal space but use it responsibly.

Naavi

October 17, 2000 was the day when Information Technology Act 2000 (ITA 2000) became effective. The essence of ITA 2000 was the legal recognition for binary documents and authentication with the use of PKI based Digital signatures. Together, legally valid digital contracts became feasible and E Commerce and E Governance got a foothold. This should be considered as the birth of “Digital Society of India”. This digital society has now developed and become “Digital India”.

Let us therefore remember this day as the “Digital Society Day”.

In order to celebrate the day, we at Naavi.org and FDPPI are having a discussion on “Taming of the Dark Web”. It is a short virtual Round Table discussion on Zoom and all are invited.

In order to preserve the benefits of Technology to the society, we need to curb the activities of Cyber Criminals. The presence of “Dark Web” and the “Dark Currency” in the form of private Crypto currencies enable criminals to continue their criminal activities. Criminals reside in Dark Web and come out from time to time to attack the Netizens on the surface and vanish back into the Dark Web.

The entry door for moving in and out of the dark web is the Tor browser and the currency for living in the dark web is the PCC (Private Crypto Currency). The communication tool for Dark Netizens to communicate with surface Netizens is the mail services like the “Proton Mail” which is used for sending not only the bomb threats but also the ransomware demands.

Despite knowing the adverse impact on the society from Cyber Crimes, we have allowed free conversion of PCC like Bitcoins to legacy currency so that all earnings in the dark web can be used in the civil society. We also encourage use of Tor browsers in young technology users as a part of security training. Many of the VPN services like the Proton Mail are used by security professionals to have anonymous existence.

It is however necessary to recognize that the Dark Web eco system is killing the society for the benefit of the criminal. We need to recognize this and put a stop to it.

The regulators are currently unable to reduce Cyber Crimes and the society is moving into an era where Cyber Crime is becoming an acceptable way of life.

Our own Government is hesitant to curb Bit Coins and is shamelessly happy to make money through taxation of Bitcoin transactions. Our security experts are unconcerned about the adverse impact of technology crimes on the society. Given an opportunity wee would try to take the benefit of Cyber Crimes by creating products for handling the adverse impact rather than preventing the adverse impact.

It is time that we realize that we as a society need to go for a direct attack on the crime syndicates by attacking the Dark web entry tools and dark web benefit exploitation tools. We therefore need to introduce strict regulations on the use of Tor Browser, VPN mail services like Proton Mail and the Private Crypto Currencies like Bitcoin.

Let us by law make it difficult for the Tor Browser and Proton Mail to be used by criminals with following steps.

1.Let us ban Proton Mail and all other mail services that donot cooperate with the law enforcement agencies in identifying the senders of email.

2.Let us make all Tor browser installations “licensable”

3.Let us mandate that all Tor users need to be registered as “Ethical Hackers”.

4.Let us mandate that use of Bitcoins (PCCs) is an offence and considered as an attempt at money laundering.

I suppose we can discuss all these in today’s discussion on “Taming the Dark Web”

Naavi

In October 2023 when Mr Rajeev Chandrashekar was the minister of IT, a draft national strategy on Robotics had been released for public consultation. In July 2024, Government announced that 5576 responses were received and closed. Since then no further news is there about the adoption or implementation of the draft policy.

A copy of the draft rules is available here.

A National Strategy for Artificial Intelligence which was published by NITI Ayog way back in 2018. Now an AI & Emerging Technologies Group has been set up by the MeitY to promote adoption of new technologies. Several reports have been issued by this committee from time to time. Government has also launched an India AI mission to propel innovation.

There is a need to follow up on these initiatives and its integration with the developing regulations. FDPPI would like to pursue this during the IDPS 2024.

Naavi

The Dark Web by definition is different from the legal “Deep Web” which is hidden from access through publicly accessible search engines like Google. Deep web is a space controlled by individual entities for their legitimate use and not illegal use. It is like a company’s premises where the entry is limited to authorized persons only.

On the other hand, by definition, the “Dark Web” is a “Zone of Illegal Virtual Operations”. It is in the dark web that criminals exchange crime tools, sell and buy drugs, weapons etc.

Having defined the “Dark Web” as the Criminal’s work place, there is no need to discuss if Dark Web needs to be allowed to exist. Without doubt it has to be eliminated though we may be incapable of doing it. Our incapability to fight the dak web is no justification not to declare it illegal and look at every body entering the dark web with an eye of suspicion.

The “Dark Web” thrives on a legitimate need for “Privacy” but the problem is “Privacy” is misused by criminals to hide their identity and run their business. The crimes have a reward in financial terms which are supported by the Crypto Currencies which act as the “Bankers to the criminals”. Hence Crypto Currencies (Privately managed) like Bitcoin are the support base for dark web apart from the Tor browser that enables access to the dark web.

If Dark Web has to be outlawed, we need to outlaw “Private Crypto Currencies” as well as the “Tor” browser or any other system that is used to access the dark web.

While “Privacy” is a legitimate right, “Confidential Banking is a legitimate right”, “Encryption for security” is a legitimate right, “Anonymity for security” is a legitimate right, these rights are bounded by the need not to cross the border of legality and cause harm to another individual.

This is a fundamental principle that every one agrees but is not able to support when the push comes to shove. The society is now at a time when we should bite the bullet and “Outlaw the Dark Web along with its components such as Bitcoin/private Crypto currencies and the Tor Browser”.

Just as Crypto Currencies may still exist like the Digital Rupee, or Guns in private hands may exist under a licensing system, we may still retain Tor as a “Licensed Software” to be used only by the law enforcement or registered security agencies who are committed to the legal activities.

Many may feel that this is impossible just as we cannot eliminate drugs, smoking or prostitution by just making laws against them. However it does not mean that the society should express passive support to any activity that is harmful to its larger good .

It is true that the existing laws itself make “Dark Web” and use of “Bitcoins” or “Use of Tor” illegal and punishable either as a crime or an attempt to commit a crime. Both DPDPA and ITA 2000 are laws which try to regulate and punish misuse of electronic information and are supported by BNS 2023. Section 15 of DPDPA 2023 imposes a duty on a data principal not to “Impersonate”. Section 66C and 66D of ITA 2000 makes “Impersonation” a cognizable offence. Section 4 of DPDPA 2023 prohibits illegal processing of personal data and ITA 2000 imposes criminal penalties for causing harm due to such processing.

Despite these laws, the society will not appreciate the need to keep Dark Web at a distance unless the Government comes out with a declaration that “Dark Web use is unlawful”. If any person is seen entering the Criminal’s Adda, it is his responsibility to explain to the law enforcement that his visit was for a legitimate purpose. More appropriately, any visitor to the criminal’s den has to take prior permission of the law enforcement.

I therefore call upon law makers in India to specifically pass directions to outlaw Dark Web, Private Crypto Currencies and Tor Browser and make their use subject to a strict licensing system.

This means that “Possession of Tor browser” should be considered as a “Prima Facie Evidence” of an intention to commit a crime and subjected to prior licensing just like the Gun licensing law. No organization should be able to sell tools that facilitate entry to Dark Web except under license.

I am aware that this suggestion may be radical but it is essential to protect the integrity of the digital society.

Those who agree or not agree are invited to participate in the virtual round table organized by Naavi.org and FDPPI on 17th October 2024, in commemoration of the “Digital Society Day” . You are invited to join the Zoom meeting between 6.30 pm and 8.00 pm in the link given above.

Naavi

P.S: Naavi.org urges the specialists to refrain from educating our youngsters on how to enter Dark Web. This is a promotion of crime. (Attention: Content Writer)

Also refer: Report on FBI strategy to disrupt Illegal Dark Web activities