Naavi.org

The recent circular from the Maharashtra Government explaining the law of “Sedition” as mentioned in Section 124A of IPC has opened up a debate rightly in how the law can be misused.

Refer here for more information

For records the section states as follows:

Section 124A in The Indian Penal Code
124A. Sedition.—Whoever, by words, either spoken or written, or by signs, or by visible representation, or otherwise, brings or attempts to bring into hatred or contempt, or excites or attempts to excite disaffection towards, 102 [***] the Government estab­lished by law in 103 [India], [***] shall be punished with im­prisonment for life, to which fine may be added, or with impris­onment which may extend to three years, to which fine may be added, or with fine.

Explanation 1.—The expression “disaffection” includes disloyalty and all feelings of enmity.

Explanation 2.—Comments expressing disapprobation of the meas­ures of the Government with a view to obtain their alteration by lawful means, without exciting or attempting to excite hatred, contempt or disaffection, do not constitute an offence under this section.

Explanation 3.—Comments expressing disapprobation of the admin­istrative or other action of the Government without exciting or attempting to excite hatred, contempt or disaffection, do not constitute an offence under this section.

Following a direction from Mumbai High Court to the Government of Maharashtra that a proper instruction be given to the field level Police so that the section 124A is not misapplied, some official of the Government has issued a circular in Marathi. The press has indicated that the circular has tried to explain the views of the High Court but in the process has stated that any criticism of a Government official which word includes representatives of the Government such as the MLAs, Zilla Parishad members etc will also come under this section.

It is obvious that for the Police in Maharashtra which interpreted a “Like” of a face book posting to “Any message sent from a communication device” and arrested a lady, this circular gives a free license to arrest persons under Sc 124A which  may result in “Life imprisonment” and is therefore cognizable and non bailable.

There is therefore no two opinions that Maharashtra Government should not only withdraw the circular but also get an undertaking from every policeman in the State that he will not use SEC 124A IPC against any criticism of a Government representative unless it is accompanied with a threat of breaking the country like what LTTE elements in Tamil Nadu or the Terrorist and some political elements in Kashmir indulge in.

Why I insist on such an undertaking is that Police either are too naive or some times crooked and apply non existent laws to harass people. We have seen that in two recent cases one in Tamil Nadu and another in Maharashtra, cases have been booked under Section 66A which has been scrapped by Supreme Court (albeit for wrong reasons).

We have extensively discussed in these columns why Supreme Court was wrong to just believe that whatever Police constables interpret is the law and therefore if they make a mistake, it is attributed to the law itself being bad rather than the policemen being bad interpreters of law.

I expect that the circular on Sedition once issued will therefore be used by the Police even after it is withdrawn to harass people. Hence a mere administrative withdrawal or clarification by another circular will not suffice. We need a more visible action by none other than the Chief Minister of Maharashtra to reduce the possibilities of misuse of the circular. It would be better if the clarificatory circular states that the erring Policemen will be booked for malicious mis-use of law.

In the meantime, if some capable person such as Shreya Singhal 3 can move the Supreme Court and ensure that a bench consisting of Honourable Justices Nariman and Chelmeshwar hear the case, then it may be possible to get Section 124A to be struck down. Never mind the genuine cases where it would be required. It is not the responsibility of the Supreme Court to ensure that there are stringent legal provisions in our law as long as they can draw a link between Freedom of Expression and an errant police action.!

Naavi

There are no two opinions on the fact that the stake of society in general and corporate entities in particular on data is on the increase. Companies are investing a lot of their money to create data assets and part of this data is “Sensitive” in the sense that its loss or compromise can cause huge damage to the Company and its customers.

In a recent limited study done in India, it was estimated that average cost of data breach in a Company is around Rs 8.3 crores. This would be much higher if the Customers of data lost had invoked legal compensation for breach of data.

Companies need to think if they are willing to absorb such risks or take suitable steps to counter these risks.

Unfortunately, the financial risks are easily understood by the CFOs and CEOs but not the CTOs or CISOs. At the same time, it is the CTOs and CISOs who report to the CFO/CEO, the level of technical risks as they perceive.

Unless the CFO/CEO understands the technical aspects of risk or the CTO/CISOs are able to make a financial assessment of the technical risks, neither of them can match the risks to the risk appetite of the Company.

There is also another psychological problem in CTO/CISOs sharing their real risk perceptions with the CFO/CEOs because any report of unmitigated risk reflects on the efficiency of the CTO/CISO himself and it will be self incriminating.

There is therefore a tendency for the CTO/CISO to underestimate reported risks to the CFO/CEO. Since the CFO/CEO who is not adequately informed about the technical aspects of risk cannot challenge the views of CTO/CISO on the extent of risks faced by the Company and whether it is being underplayed by the CTO/CISO, the Company ends up under securing its data assets.

In certain cases, the CFO/CEO may also be guilty of putting off required security activities for reasons of financial constraints in the hope that their company will be lucky enough to avoid any major losses.

Both the groups namely the CFO/CISO on the one hand and the CTO/CISO on the other hand will therefore be trading on probability that threats may not materialize in their environment.

This tendency has been observed  in interaction with the IS professionals in general and has been corroborated in the Cyber Insurance Survey 2015 that we are presently undertaking. It is amusing to see that many in the technical community are shying away from even providing their response to the survey since the questions raise unpleasant memories of possible ways by which the company may lose money.

This is a classic problem of all  insurance agents when they meet a prospective customer and try to convince him that his life is fragile and he needs insurance. At least Life insurance is avoidable since once a person dies, the problems are for the survivors. However in the case of Health Insurance, people are slowly realizing  that living without a Health Insurance Cover is dangerous since they may incur expenses on health and survive to meet the debt liabilities.

The dilemma which Companies need to resolve is precisely that. Should I under secure my assets and face the challenge when it comes? or Should I spend today’s profits to cover the fear of a data breach which may never materialize?

Some executives may however feel that Cyber Insurance is like life insurance, if my company dies, so be it. I will go over to some other Company and survive. Unfortunately this logic does not apply to the Promoters and to some CEOs. For them death of the Company is the end of a life’s ambition.

Both the CEO/Promoter as well as the CXOs should realize that some times the escape will not be smooth enough to say, “let the company die, I will survive elsewhere” because the law may catch up with them where they may have to pick up criminal liabilities of negligence.

In this context, it is time for the Promoters of Companies  or the Board of Directors of a Company who have to take the bull by the horn and question the CFO/CEO/CTO/CISO as a group and ask them tough questions on how they have evaluated the risks, how they have valued the risks and what is the unabsorbed value of risks for which the Company should be prepared to write a cheque in case of a data breach.

It is only then that the Company will realize that if risks absorbed are greater than their capacity for risk appetite, they need to call in a Cyber Insurer and negotiate a “Risk Transfer” contract.

I urge the Directors of all Companies to start thinking in this direction now rather than thinking of wriggling out of a data breach situation after it occurs.

I welcome the comments of CXOs and Directors of Companies on these views.

Naavi

Police in the field seems to be the most effective teachers for the Supreme Court. When Police in Maharashtra and Pondicherry booked cases under Section 66A (of ITA 2000/8) for publishing content on FaceBook and Twitter, Supreme Court judges learnt that Section 66A was meant for banning “Any Information” and hence an infringement of the Constitution.

The Supreme Court judges did not learn from other experts in the field who were telling them that Section 66A is not meant for regulating content on Face Book and Twitter but only to regulate messages sent from one person to another privately through E Mail or SMS causing harassment or fear to the receiver or attempting to commit a fraud. For them listening to experts or exercising their own intelligence was not required when Police had decided that Section 66A was applicable to such cases. Police were therefore considered the best teachers who know law better than any body else and if they book a case under a specific section, then it must be correct. If the Supreme Court which is powerful in law feels that arrests made were not good, then it was necessary to remove the law under which the case was booked rather than finding out if the Police had correctly applied law.

This is the jurisprudence that has come out of the Shreya Singhal judgement by a bench of the Supreme Court consisting of Justices Nariman and Chelmeshwar.

Now we understand  that Chennai Police have filed a case under the scrapped Section 66A against an employee of Jaya TV who released a video clipping shot by the channel showing the Chief Minister visiting  Cho Ramaswamy who was in hospital and enquiring about his health.

See the report here

The case has been booked under Section 66A and Section 66B of ITA 2000/8 along with Section 408 f IPC.

Will the Supreme Court judges consider this as another lesson in Cyber Law which they should learn? that  Section 66A can still be applied along with Section 66B in such cases?

In our humble opinion which the wise judges may kindly ignore,

The content which was released by the Jaya TV staffer was not defamatory by any standards. At best it would have “Diminished the value of information” which was the asset of the Jaya TV as a company. It was violation of Section 66 and employee contractual terms. Section 66B should be considered as applicable to use of stolen hardware device and not stolen content.

Hence in our opinion the Police were wrong in filing the case both under Section 66A and 66B.

There does not appear to be any malicious intention in the release of the information and the most appropriate action for the “Security Breach” could have been as per the Information Security policy of the company perhaps resulting in a warning to the employee.

What the police have done is a misapplication of law and indicates operation of political influence.

The arrest therefore is not in accordance with the law represented by the sections 66A (Which is no longer in existence) and 66B (Which some Shreya Singhal-2 can now ask the Supreme Court to scrap for upholding the constitutional right of Free Speech of Indian Citizens).

Perhaps the Supreme Court may Suo Moto take action to scrap 66B and/or move an action against the Chennai Police for Contempt of Court.

If however, the Chief Justice and some other Judges of the  Supreme Court who have a better understanding of Cyber Law  are committed to upholding the reputation of the Supreme Court, they should Suo Moto review the Shreya Singhal Judgement and withdraw the scrapping of Section 66A.

……It is a dream (or is it a delusion?) under which an eternal optimist like me would  prefer to  live with.

Naavi

The new cyber crime reported from UK where a women has complained of unsolicited obscene image being flashed on her iPhone has once again highlighted why the scrapping of Section 66A was an erroneous judgement of the Supreme Court of India.

The case reported here by BBC may still come under Section 67 of ITA 2008 since the image can be considered as “Obscene”. However if the same technology is used for any sending any image which is not considered “obscene”, it would be considered as “Free Speech”, thanks to the judgement in the Shreya Singal case. Despite whatever adverse impact the image may have on the recipient including he or she going into depression and committing suicide, it would still be defendable as “Free Speech”.

The Supreme Court may say that they have no responsibility on the after effects of any of their decisions and it is for the Government to take corrective action. Perhaps they are right in legal terms but the fact that the Court was not in a position to understand the impact of their decision and why Section 66A was not required to be scrapped to provide justice against its misuse by Police on several occasions cannot be denied.

Instead of the Court waiting for the Government to bring back Sec 66A in a re drafted form, it would be good if the Supreme Court suo moto admits its mistake and recalls its own order and modify it suitably.

But will any Court have the courage to admit its mistake? on its own?..

Naavi

Yesterday, there were preliminary reports about the Cyber Crime statistics released by NCRB for 2014. This is a set of statistics gathered by collating the data from different state level police. Today some enthusiastic journalists have started writing their analytical articles commenting on what the statistics indicate.

Yesterday we briefly indicated that the statistics are misleading but dismissed it as indicative of the ignorance of police in classifying complaints based on whatever suggestions they receive from the public prosecutors. Today when we see media doing its bit to add their ignorance, it is time to once again remind the public that the inferences suggested by some of the media today are like the blind leading the blind. It is directing the society to complete untruth.

Our experience earlier indicates that such misdirections affect even Supreme Court judges and erroneous judgement are delivered because even judges tend to believe what the ignorant media flashes in big head lines particularly in Delhi.

I therefore pick up the report of Hindustan Times today which is titled “Stats from 2014 reveal horror of scrapped section 66A of IT Act”. The article is credited to Mr Aloke Tikku of Hindustan Times and I would like to address this article directly to him. Those of you who know him personally ensure that this article is forwarded to him so that he can publish a rejoinder if he should not cause further damage with wrong analysis.

The article quotes Shreya Singhal as saying “These statistics are shocking. I had assumed there may be a few hundred cases, at worst……It validates the judgment even more than when it was delivered,”

I completely disagree with this view which further highlights the fact that Ms Shreya Singhal supported by some high profile advocates of Delhi created a web of misperception that Section 66A was used repeatedly to curb the right to freedom of expression guaranteed by the Indian Constitution and needed to be scrapped. The honourable judges lapped up the argument and scrapped the section and cried “Victory for Democracy”. Now the same band wagon is quoting the NCRB statistics to say ” How good it was that the section 66A was scrapped”.

There have been a detailed discussion of Section 66A in these columns earlier and there is no need to reiterate the views once again. However, it is necessary to remind the Section 66A baiters that the section was meant to address the harmful effects of messages sent through e-mail and SMS/MMS systems and not for face book, twitter or other social media publications. Police made the mistake of adding this section to book political opponents of ruling party. They would have added any other section if necessary as long as they could please their political masters. Scrapping of the section 66A solely based on such cases booked by police under the section was a betrayal of ignorance all round.

Now, let us look at the NCRB statistics. What excites the Scrap 66A lobby is that 1196 cases were pending under Sec 66A and 4192 more added in 2014. Obviously this looks alarming if it is a true reflection of offences under the section. The same statistics indicates that no cases were booked under Section 66. To any body who is familiar with ITA 2008, Section 66 is an omnibus section which can bring any offence involving a computer under its ambit. If police report zero cases under this section and book 4192 cases under Section 66A, it appears that they consider Section 66A is a sub section of Section 66. There are 1294 cases booked under Section 66B, 66C and 66D which should have automatically attracted section 66 as well.  The statistics donot therefore add up.

Similarly I can see other inconsistencies in booking of cases under Section 67C or 68 and “others”. Without going into individual case facts it is difficult to understand how the cases were booked under the specific sections as indicated.

I want the journalists to take a relook at how they report Section 66A issues since it has been flogged for all the wrong reasons.

Naavi

According to the recent NCRB data on cyber crimes released, Bangalore is reported to be the leading metro with 675 cases being registered under ITA 2008.

Refer article in Hindu

Hyderabad stood second with 386 cases followed by Jaipur and Lucknow.

We must however not read too much into this city leadership. This only indicates that Police in Bangalore and Hyderabad  are more aware of the Cyber Crimes and hence there will always be more cases filed here under ITA 2008.

Detailed report is available on NCRB site here:

The number of cases under different sections on an all India basis are as follows.

It is interesting to observe the motives of criminals as recorded by the Police in the above cases. 2363 cases booked during the year represented financial greed or extortion or fraud as motives. However the value of money involved is not known. Around 808 cases appeared to be related to defamation.

If we take a deeper look at the way the reported offences have been classified, it is clear that even after 15 years of ITA 2000 and 7 years of ITA 2008, the Police are yet to understand the purpose of different sections and keep booking offences under wrong sections.

I am sure that Police think Section 67C is an obscenity related offence. They may not be able to  distinguish Section 66 from Sec 66A.

While statistics are very important for planning  for future, I hope NCRB ensures that Police are trained to classify crimes properly.  Most of the cases, Police are mislead by the PPs and the errors in classification may therefore be attributed to lack of understanding of ITA 2008 by PPs. I hope state governments do address this issue seriously.

Naavi