Volkswagen fraud opens up debate on source code secrecy, audit and compliance issues

Information Security auditors are sometimes required to conduct a “Software Source Code audit” to find out whether the software is reliable and does not have any malicious code embedded in it that may violate the privacy of the user or commit any other fraud.

While such audits are normally conducted with the permission of the software supplier, many software vendors do not permit them because, according to the vendors, an audit may compromise the intellectual property rights associated with the software. The vendor may claim that the code is “Proprietary” and is subject to the protection of copyright.

While some users may obtain and rely on the appropriate warranties and indemnities from the vendor and use the software in good faith, their faith has now been shaken by the Volkswagen fraud that has revealed that even reputed companies may resort to organized cheating if there are opportunities presented to them in the form of  “Copyright protected software codes”.

The unsavory incident in which the Company manipulated the software element (more details on the modus operandi are available here) to cheat “Emission Tests” has made it necessary for all software users and regulators to distrust vendors of proprietary software and to look for some means of conducting software code audits in the interest of their own security, even when the vendor does not permit it.

However, there is one catch here. If a company wants to conduct a software source code audit despite the vendor not permitting it in the end user agreement, there could be not only a violation of the contractual terms to contend with but also a possible violation of the Copyright Act. A contractual violation is easier to handle, since there may be a protective clause in the same contract which entitles the user to protect his own Privacy Rights. A violation of copyright law, however, is a sensitive issue and needs a deeper look.

Proprietary software is protected by copyright law, and any attempt to unravel the code could be treated as an offence under the amended Indian Copyright Act or the DMCA. The owners of such software zealously protect the secrecy of the code and may invoke these provisions if necessary. At the same time, this right to secrecy may be used to incorporate back doors that extract data from the user end without his consent, as well as to commit frauds like the one Volkswagen did. In a software scenario, this may also make the end user liable to some of its own clients. We can recall that some time back there was a report of a software manufacturer incorporating bitcoin mining code in its software to produce bitcoins for the benefit of the vendor at the expense of the user’s computing resources.

While Volkswagen-type frauds are punishable offences in India as “introduction of computer contaminants”, copyright is still a sacred cow, and the last amendments to the Copyright Act protect “Digital Rights Management” along with the right to introduce measures to prevent circumvention.

Under Section 65A of the amended Copyright Act,

“Any person who circumvents an effective technological measure applied for the purpose of protecting any of the rights conferred by this Act with the intention of infringing such rights, shall be punishable with imprisonment which may extend to two years and shall also be liable for fine.”

Any attempt to unravel the source code would also attract Section 65B which says

“Any person who knowingly, (i) removes or alters any rights management information without authority …… shall be punishable with imprisonment which may extend to two years and shall also be liable for fine.”

Hence an attempt to recover the underlying code from a shipped executable (by unpacking, disassembling or decompiling it) may attract the penal provisions of the Copyright Act.

Though there are exemptions to these provisions for certain purposes such as “National Security”, including “Doing anything referred to therein for a purpose not expressly prohibited by this Act”, it is not clear whether the exemptions cover the unpacking of the code for the purpose of identifying whether or not it contains a “Computer Contaminant” as defined under Section 43 of ITA 2000/8, which would also be a cognizable offence under Section 66 of ITA 2000/8.

However, a logic can be claimed that if there is any prima facie reason to suspect that the software is violating any provisions of law, then “For reasons of preventing commission of any cognizable offence”, a software source code audit/research can be done without attracting any adverse effect of the copyright Act.

It is possible for a software contract to carry a condition that the “Software shall not violate any provisions of ITA 2000/8”. If there is then a suspicion that such a violation may have occurred, there is a legitimate reason for conducting a software source code audit.

It may however be necessary that the Company may have to build up some evidence to “Prove the Suspicion” before proceeding with such audits and also ensure that the audit is only to secure its interest and not to copy the proprietary information contained within the code.

Now that it is public knowledge that even a reputed auto manufacturer of the status of Volkswagen can incorporate “Trojans” and “Computer Contaminants” in proprietary software, users of any proprietary software have an immediate reason to check if the proprietary software they are using are bound by proper contracts of indemnity and right to conduct a source code audit.

If there is reason to believe that malicious code in the software could violate the company’s own privacy or impose legal liabilities on it, the company can consider conducting a software source code audit and defend against any challenge that may be launched under the Copyright Act. It is, however, necessary to document the reasons in a “Pre-Audit Study” and to take appropriate measures to ensure that the information obtained is not misused in future, either by the company itself or by its employees.

If a company does not want to be that aggressive, it is necessary to identify the Volkswagen fraud as an indication of a “Threat” and as a compliance measure it may be worthwhile to get additional written assurances from the proprietary software vendors that the software does not contain any “Computer Contaminants as defined under Section 43 of ITA 2000”.

Naavi

Posted in Cyber Law

Innovative Cyber Crime by Volkswagen and a potential $18 billion hit

In a strange corporate offence committed by Volkswagen, 11 million cars are set to be recalled and the Company is set to face a penalty of around $37,500 per car for failing the emission norms. The CEO has, naturally, resigned. Company shares are down by over 40%, and stock markets across Europe and even India have dipped, causing heavy losses to millions of investors. The Company is reported to have set aside US $6.5 billion for the recall of cars but may fall well short of meeting the total liability, estimated at over $18 billion.

Unless some compromise is worked out, the company may go into liquidation inflicting losses to many lenders and equity investors.

It is interesting to analyse the cause of this catastrophic incident and whether it fits the definition of a Cyber Crime. (Based on newspaper reports.)

The issue involves software that the Company installed in the car. This software recognizes when the car is being put through an “Emission Test”. If it recognizes an emission test, it tweaks the emissions so that they fall within the permitted levels. At other times, the emissions are at their normal levels, which are said to be 40 times beyond the permitted limit.

It is stated that if the Company has to bring down the emission levels to acceptable levels, there could be a need for more investment and it may also reduce the mileage. So the Company thought of this innovative method by which it could save on manufacturing cost, keep the mileage at required levels and also cheat the emission testing process. A truly innovative strategy in which the entire Company must have been involved.

However this is nothing but cheating of the customers and the regulatory requirements. Since it is done with the malicious intention of increasing the profit of the Company, it is a “Fraud” by definition. Since a “Software” is used in commission of the crime, we can term this as a Cyber Crime. In fact, the behaviour of this software is like a typical Trojan set for a “Man in the Middle Attack” under some specific conditions.
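The behaviour described above, a controller that decides from its inputs whether it is being watched and only then behaves, is the same trick sandbox-aware malware uses, and it is caught the same way: run the identical workload under conditions the software cannot tell apart from production and compare. The following toy model is an added illustration and is not code from this page or from any manufacturer; the steering/temperature heuristic, the traces, the emission limit and the 2x tolerance are all constructed assumptions for the example. It also shows the kind of behavioural evidence the earlier post’s “Pre-Audit Study” could gather without touching the vendor’s source code.

```python
"""Toy model of a test-detecting controller (a "defeat device") and the
differential check that exposes it.  Added illustration, not code from the
page or from any manufacturer; every threshold, trace and limit below is a
constructed assumption."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Sample:
    speed_kmh: float
    steering_deg: float   # steering-wheel angle
    ambient_c: float      # ambient/intake air temperature


# Assumed regulatory limit for the example (mg of NOx per km).
NOX_LIMIT_MG_PER_KM = 80.0
# Ratio of on-road to in-lab result above which the check flags the ECU.
DIFFERENTIAL_TOLERANCE = 2.0


def looks_like_test_cycle(trace: List[Sample]) -> bool:
    """The evasion heuristic: on a chassis dynamometer the wheels turn but the
    steering wheel never moves and the lab temperature is constant.
    Road driving breaks both conditions."""
    no_steering = all(abs(s.steering_deg) < 0.5 for s in trace)
    temps = [s.ambient_c for s in trace]
    stable_temp = (max(temps) - min(temps)) < 0.2
    return no_steering and stable_temp


def ecu_nox_mg_per_km(trace: List[Sample], defeat_device: bool) -> float:
    """NOx the engine calibration produces for this trace.

    An honest ECU always runs the compliant calibration.  The defeat device
    runs it only when the inputs look like a test; the rest of the time it
    uses the cheaper, dirtier map (the page's '40 times the permitted limit')."""
    clean_map = 0.75 * NOX_LIMIT_MG_PER_KM
    dirty_map = 40.0 * NOX_LIMIT_MG_PER_KM
    if not defeat_device:
        return clean_map
    return clean_map if looks_like_test_cycle(trace) else dirty_map


SPEED_PROFILE = [0.0, 15.0, 30.0, 50.0, 50.0, 30.0, 15.0, 0.0]


def dyno_trace() -> List[Sample]:
    """Constructed lab run: the speed profile with no steering, constant temperature."""
    return [Sample(v, 0.0, 23.0) for v in SPEED_PROFILE]


def road_trace() -> List[Sample]:
    """Constructed on-road run of the same speed profile, with the steering
    and temperature noise a real road produces."""
    steering = [0.0, 4.0, -3.0, 6.0, -5.0, 2.0, -4.0, 0.0]
    return [Sample(v, s, 23.0 + 0.1 * i)
            for i, (v, s) in enumerate(zip(SPEED_PROFILE, steering))]


def differential_check(defeat_device: bool) -> Dict[str, object]:
    """Drive the identical speed profile in the lab and on the road and compare.
    A controller that behaves differently depending on whether it thinks it is
    being observed cannot keep the two results consistent."""
    lab = ecu_nox_mg_per_km(dyno_trace(), defeat_device)
    road = ecu_nox_mg_per_km(road_trace(), defeat_device)
    ratio = road / lab
    return {
        "lab_nox": lab,
        "road_nox": road,
        "ratio": ratio,
        "lab_passes": lab <= NOX_LIMIT_MG_PER_KM,
        "road_passes": road <= NOX_LIMIT_MG_PER_KM,
        "flagged": ratio > DIFFERENTIAL_TOLERANCE,
    }


if __name__ == "__main__":
    for cheating in (True, False):
        label = "defeat device" if cheating else "honest ECU"
        print(label, differential_check(cheating))
```

The point of the design is that the auditor never reads the controller’s code: the lab result alone passes, the road result alone merely fails, and it is the discrepancy between the two on an identical speed profile that demonstrates condition-dependent behaviour, which is exactly what a “Pre-Audit Study” needs to document before any deeper inspection is attempted.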

The nature of the offence is a little complicated and while it may contravene the emission regulations and also be a fraudulent misrepresentation to the customers, it would be interesting to debate if it is a Cyber Crime under the Indian laws.

The behaviour of the software, which detects an emission test and modifies the normal behaviour of the vehicle so that the testing computer receives “manipulated data”, qualifies it to be called a “Computer Contaminant” under Section 43(c) of ITA 2008, since the owner of the vehicle is not aware of this deceptive behaviour and has not authorized it. The modification of data is also a separate offence under Section 43(i). Being a contravention of Section 43, it is also an offence under Section 66, which involves criminal prosecution. Under Section 85, the CEO and other officials in charge of the business, as well as the Directors, will also be criminally liable.

Related Articles:

abc.net

The Telegraph

home.bt.com

It is regrettable that a reputed company like Volkswagen should have indulged in such an unethical practice which is also a Cyber Crime. If the case is pursued to its logical end, it is not only the CEO but also several of the Board members and other executives who may find themselves cooling their heels in prison.

This should be a wake-up call to Indian auto manufacturers like Maruti, who are also incorporating a great deal of electronic circuitry into the management of the car; each such component is a “Computer” in the eyes of the law. They can be hacked by outsiders or misused by the company itself if it does not realize the impact of the relatively little-known law called the Information Technology Act 2000/8.

Naavi

Posted in Cyber Law

National Encryption Policy withdrawn

According to the latest information, the Government has completely withdrawn the draft Encryption Policy announced last week and put up for public comments.

A new policy may be drafted and released in due course.

Hopefully, this time the Government will consult the right persons before the policy is publicized.

Naavi

P.S: It would be interesting to know who owns the responsibility for the badly drafted policy, which was under gestation for nearly six years from the day ITA 2008 was notified on 27th October 2009. (Observe that the policy is not on a letterhead and is not signed. The addendum is just a note on a piece of paper, again unsigned.) It has given an opportunity for certain opposition political parties to score brownie points. Was that the hidden agenda? Otherwise it is difficult to imagine such policy documents being written by an IAS cadre officer.

The honourable minister Mr R S Prasad needs to conduct an enquiry, since this is not the first time the Minister has been painted in a bad light because of thoughtless policy announcements. There is a possibility that somebody in the department is working at cross purposes with the Minister. If this is not properly addressed now, there will be many more occasions in future where the Minister will have to take the blame for inefficient departmental work.

Naavi

@17.30


Posted in Cyber Law

Clarification on National Encryption Policy.. Does not mean E Banking is exempted from security

After the criticism that emerged over the weekend on the draft National Encryption Policy released last week, the Government has quickly issued some clarifications.

The original policy is available here

We had provided our comments and suggestions on the draft policy in our earlier post.

We had requested the Government to exempt individuals from the responsibilities imposed by this encryption policy and to enforce it only through the intermediaries. Others have highlighted the fact that the “need to preserve encrypted information for 90 days” is an additional security risk and a privacy invasion.

Keeping in mind the upcoming US visit of Mr Modi and the possible repercussions if the privacy issue were left unattended, the Government has moved fast to issue a “Clarification”.

The clarification reads as follows:

PROPOSED ADDENDUM TO THE DRAFT ENCRYPTION POLICY

By way of clarification, the following categories of encryption products are being exempted from the purview of the draft national encryption policy:

1. The mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as WhatsApp,Facebook,Twitter etc.

2. SSL/TLS encryption products being used in Internet-banking and payment gateways as directed by the Reserve Bank of India

3. SSL/TLS encryption products being used for e-commerce and password based transactions.

(Copy of the clarification text issued. It is unsigned and is not on a letterhead, just like the policy itself.)

It is unfortunate that a clarification became necessary so soon after the issue of the draft NEP. At the same time, it should be appreciated that releasing the draft policy for public comments and reacting to them quickly was good. At least we can say that the department has been responsive.

Some in the media are however misrepresenting the clarification and stating that “E Banking is exempted from Encryption Policy”. 

This is, however, not the correct interpretation. E Banking has already been under the guidance of RBI, and the G Gopalakrishna Working Group has already given elaborate guidelines on E Banking security. Additionally, there is an industry-level information security standard already in place. The clarification only means that the security measures need not be limited to what is mentioned in the encryption policy and could be different.

The same interpretation holds for other sensitive departments of the Government which are exempt from this policy. They (such as the Military and Police) need to keep their information encrypted at levels better than what is suggested in this policy.

It should also be remembered that this is only a policy guideline which is subordinate to the law contained in Information Technology Act 2008. It cannot be ultra vires the Act.

The ITA 2008 already has a provision under Section 69 that the Government (through CCA) has the power to demand decryption of any communication. There is no need for this policy to demand decrypted message from WhatsApp or other message systems.

Under Section 67C, there is a provision for data retention norms being set. Government may set here any time limit for retention of data by any intermediary.

Further, any information that becomes “Potential Data related to a cognizable offence” becomes “Evidence” and has to be retained for an indefinite period; failure to do so can become a contravention of Section 65 of ITA 2008.

These sections 67C and 65 carry 3 years imprisonment and Section 69 carries 7 year imprisonment if the IT user/intermediary does not comply.

For data to be treated as “Potential Evidence”, a notice from law enforcement is not mandatory. Knowledge that the data may hold evidentiary value is sufficient. A notice will, however, seal the status of the data as “Potential Evidence” which needs to be preserved.

This is part of the ITA 2008 compliance that every IT user need to follow at present and this would continue.

Hence, the media should not propagate the incorrect view that “E Banking” and “E Commerce” are exempt from the encryption policy and, inter alia, from the need to retain data, particularly data suspected to be “Evidence”.

In the past, the media, by its ignorance, created a situation where Section 66A was wrongly painted as unconstitutional, and even the Supreme Court Judges were rendered blind to reality and scrapped the section just to correct a false perception. In the last few days, we have also pointed out how the Karnataka Government, in its ignorance of Cyber Law, has passed a Bill which is ultra vires the ITA 2008, and how the Adjudicator of Karnataka in the past created an untenable legal situation out of his ignorance of ITA 2008. Now the media highlighting “E Banking exempted from Encryption Policy” will be another misperception that circulates and gains acceptance among the uninformed.

We need to ensure that this mistake does not happen.

The Government when it issues the final policy should therefore clarify that E Banking and E Commerce are expected to use encryption systems commensurate to what can be considered as “Reasonable Security Policy” under ITA 2008. This will be another Suggestion that we would like to make to the department on the policy.

Naavi

Posted in Cyber Law

Karnataka Government’s mistake may embarrass the President of India

The Registration (Karnataka Amendment) Bill 2015 was passed by the Karnataka Legislative Assembly on 30th March 2015. On the same day, it was also passed by the Legislative Council. Since the matter involves a partial amendment of the Indian Registration Act 1908, it has been sent to the Central Government for the assent of the President of India.

If there are no objections from any of the departments of the Central Government, the Bill will automatically be assented to by the President and will become an Act.

As has been pointed out in detail in our earlier post, the Bill is in direct violation of the Information Technology Act 2000 (ITA 2000). The ITA 2000 does not provide legal recognition to electronic documents which transfer title in immovable property, nor to a Power of Attorney document.

The Karnataka Bill is meant to introduce e-Governance in the registration department and provides for electronic documents to be presented online for registration. Since there is no legal recognition for such documents, the provision should be considered unconstitutional.

It is regrettable that the e-Governance department of the Karnataka Government did not carry out proper consultation before pushing the Bill. The legislators obviously lack the knowledge to check whether the Bill is consistent with the other laws of the country. If the President assents to the Bill in the normal course, the dubious distinction of passing an invalid piece of legislation will fall on the honourable President of India.

The issue needs to be taken note of seriously by all the people concerned and accountability fixed for such an irresponsible action by the officials.

It may be recalled here that Karnataka already has the dubious distinction whereby a previous IT Secretary, in 2011, acting in his capacity as an Adjudicator, held that the term “Person” in Section 43 of ITA 2000 means only an individual and does not include a Body Corporate. To this we now have another dubious feather in the cap of the Government of the Silicon City of India. (Refer to an earlier post: Will the CM of Karnataka respond?)

I urge the IT Ministry in the Government of India to take the necessary steps so that the e-Governance and IT Secretaries in all the States are adequately trained in Cyber Law. They also need to ensure that similar faulty laws are not passed by other States in a bid to push the use of technology in Governance.

Naavi

Posted in Cyber Law

Cyber Extortion..What would you do if you were this victim Company?

Today, the Times of India has reported a Cyber Extortion attack on the Managing Director of a Company in Hyderabad. Typically in such cases, the Company’s data is hacked and encrypted. Authorized persons who try to access it are confronted with a message demanding a ransom in exchange for the decryption password. In this particular case, the ransom demanded is $1000/-.

Refer Article here

Let us pick up this case as a hypothetical case study by assuming that this Company had obtained Cyber Crime Insurance. We shall then discuss some of the possible developments.

I request readers to send their views on “If you are the MD who is the victim of the Hyderabad incident, and your company has a Cyber Insurance policy, what would you do now?”

(Of course, if you do not have Cyber Insurance, you may take a different set of actions, since you have no obligations under a policy.)

(…To Be continued..on cyberinsurance.org.in )

Naavi


Posted in Cyber Law