One crime to hide another crime... $10 million goes down the drain for two Mumbai Companies

In what should be an eye opener to the Corporate Sector, Law Enforcement and the Government, it is reported that two Indian conglomerates were forced to pay $5 million each to hackers who blackmailed them.

Refer Report in ET

Refer Report in businessinsider.in

Refer Report in track.in

The report hides the names of the conglomerates but states that the payments were made in May. It appears that the hackers collected a series of email correspondence between the employees of the company and some other entity which revealed illegal activities, and blackmailed the companies to pay the ransom.

Though the report names some hacker groups from the Middle East, the possibility that the employees themselves have raised the demand through others cannot be ruled out.

It is stated that the Companies appointed “Private Detectives” to check the incident and did not report it to the authorities. Such Cyber Experts have also passed on their comments to the news reporters and these news agencies now have the identity of both the companies as well as the cyber experts who also have the knowledge of the incident.

So far so good. $ 10 million is lost and probably the two companies are large enough to absorb this loss and move on.

But the story does not end here. In fact another story has just begun and I want the law enforcement to move in and investigate. It is possible that the law enforcement also may be sucked into this “Hiding of Information” and the companies may pay silence money to them. I therefore call the attention of the Central Government, which is concerned about “Black Money”, to initiate a larger probe to bring the offence to full light and let the public know what really happened and where.

The fact that the two companies have paid a ransom of US $5 million each (Rs 30 crores each) indicates that the value of the offence which they had committed earlier, and on the strength of which the hackers successfully collected the ransom, must be of the order of at least Rs 100 crores each. This must be a cognizable offence which the companies as well as the Cyber experts and the media have kept under wraps. Neither the newspaper nor the Cyber Experts involved have the right to hide a cognizable offence which may have ramifications including “Financing of Terrorists”.

Also, if the Companies have paid the ransom to the Middle East entities, the payment itself will be in black money, possibly in the form of bitcoins. Payment in black and buying Bitcoins could both be considered additional offences committed today by these companies to hide their previous offences. The Companies therefore have committed further crimes to cover their earlier crimes.

Also, it cannot be ruled out that the hackers may make further claims, perhaps through different entities, and demand further ransom since for them these companies will be an eternal milch cow.

Now it is necessary to recognize that these two sets of offences and the potential loss in future will have an adverse impact on the Investors in the Company and the Banks who have lent to the conglomerate.

I therefore call upon SEBI and RBI to clarify to the public what action they are going to take on this news report. If SEBI and RBI keep quiet, it would only indicate that they have been silenced too.

Probably the Courts also can take suo motu action and launch some proceedings. At least I hope the news channels who crave for such crime stories will pick up the incident and explore it for the nation to know the truth.

Let us wait for some time for RBI and SEBI to clarify and then start the next level of questioning these agencies if they fail to act.

At the same time, I would have preferred the two companies to have surrendered to the authorities instead of paying the ransom and requested the Government to pardon them. If they failed to do so earlier for whatever reasons, they should do so at least now.

Naavi

 

Posted in Cyber Law | 1 Comment

Encryption is the Key to Information Security

The recent faux pas committed by the Department of IT, Government of India in publishing a half-baked policy as the “Draft National Encryption Policy” created a needless controversy on the topic of “Encryption Policy” itself and whether it was required or not. Once the dust has settled, we need to think with clear minds whether “Encryption” (in the context of data or information) is important for us and whether it needs to be regulated in the form of a “National Policy” and, if so, how.

We must admit that subjects such as Encryption, which are linked not only to technology but also to concepts such as “Privacy”, are sensitive and complicated from the point of view of regulation. Privacy itself is also related to national security on one hand and Freedom of Expression on the other.

Hence, any attempt to regulate “Encryption” will affect “Right to Privacy”, “Right to Freedom of Expression” and “National Security”. As a result the regulation will have to find a balance with provisions of the Indian Constitution, the existing laws such as ITA 2008 or the Indian Telegraph Act and also the proposed “Right to Privacy Bill”. A minor irritant will be the views and attitude of the Supreme Court as exhibited in the Shreya Singhal Case which led to the scrapping of Section 66A of ITA 2008.

If the DeitY wants to develop a revised draft Encryption Policy, it needs to take into consideration all these aspects.

Since the subjects of “Right to Privacy” and “Right to Freedom of Expression” are subjects dear to non-technology people such as the Media and the Law Fraternity, and since many of them are human rights activists, any perceived infringement of these rights will generate a disproportionate counter reaction that will be used as a tool of political criticism by issue-starved opposition parties. The Government will therefore be pushed to a corner and is likely to panic and take wrong decisions. This happened in the Section 66A case where the Government failed to properly defend and let the section be scrapped.

The activists who do not understand technology and the political activists who neither understand nor want to understand technology need first to be made to commit on whether we need “Security of the State”. Information is the lifeblood of the current generation and securing its integrity and availability is an issue which is beyond debate. In the process of ensuring availability and integrity, confidentiality is also a necessity. Encryption comes into discussion because “Confidentiality” of information is achieved through the “Encryption Process”.

Way back in 2000, India adopted the Digital law called Information Technology Act 2000 (ITA 2000) which recognized the use of asymmetric crypto system for the purpose of authentication of electronic documents with the use of digital signatures. The technology was adopted as it was considered the best available in the form of accredited algorithms such as the RSA public key system supported by hashing algorithms such as MD5 and SHA1. Over time the hashing algorithms have been reviewed and presently the SHA2 algorithm is recommended. In due course the encryption algorithm may also be reviewed and alternatives to RSA may be considered.

While digital signature was normally used for authentication, it was not used for data encryption in general. Whenever data had to be encrypted either in transit or at rest, the “Symmetric Key Encryption” system was being used. These systems were either embedded in other applications such as e-mail or internet data transmissions and document management systems, or used as a standalone application.

Since the US had a policy of not allowing export of encryption products beyond a certain level of security (40 bit key strength in symmetric key system), it became a de-facto standard in India also. With the gradual availability of stronger products under the revised encryption export policy of the US and the entry of other countries such as Israel as leaders in information security products, stronger encryption gradually entered the Indian scene also.

The Law enforcement has been facing challenges in decrypting communication used by criminals and terrorists and has been in the forefront of engineering a policy change that makes it easy for them to snoop on conversations related to suspected criminal activities. While the right of the law enforcement in this regard cannot be denied, if the security is reduced to accommodate easy snooping, it can also be misused for breach of privacy. Breach of Privacy is not only a human rights issue but also leads to “Identity theft” which is again a law enforcement headache.

It is therefore necessary for the Law Enforcement Agencies (LEA) to realize that it is not in their own interest to force the community not to use encrypted communications of their choice. If they do, there would be a huge increase of Identity theft incidents followed by financial frauds that will destroy the concept of Digital India.

ITA 2000 provided the leverage to LEAs through Section 69 to demand decryption from the users of communication, failing which there could be 7 years imprisonment. This should be considered as adequate legal support to LEAs as regards the use of encryption to hide communication from LEAs.

We are however aware that criminals will continue to use Strong Encryption because they are anyway challenging the law. They will also use the excuse of available protections not to cooperate with the LEAs. Even if 7 year imprisonment is a deterrent for ordinary citizens, it may not be so for criminals.

But normal citizens who are concerned about privacy and use strong encryption for privacy protection can always be convinced to part with the unencrypted data when there is a suspected criminal activity. What they are wary of is that this process of forced disclosure should follow a “Due Process”, since the public do not trust the LEAs not to leak the information given for a specific purpose for some other purpose detrimental to the interest of the data subject. Presently such practices are there under the Indian Telegraph Act and snooping of telephone conversation is authorized from time to time under a due process (though abused from time to time).

The Government should therefore understand that Criminals will continue to encrypt their data exchange whether India has an encryption policy or not, and honest Citizens would not mind sharing the data when demanded provided they are given the confidence that data would be used responsibly by the Government. Here there is a need for a due process of law to be adopted and for universally accepted principles of Privacy such as minimal and purposeful collection, consent, disclosure, security etc. to be followed.

Encryption of data is an essential part of Information Security and at a time when “Cloud Storage” of data has become a norm, imposing artificial restrictions on the strength of encryption is impractical and undesirable. In fact we need to encourage Netizens and E Commerce/E Governance to use strong data encryption so that information security is maintained at a high level and criminals are challenged to the extent possible. Encryption is therefore a necessity and has to be in place.

The objective of Section 84A of ITA 2008 was to enable notification of the minimum acceptable encryption standards and methods that can be used by the public. It need not have been used to restrict the upper end of encryption strength. Section 84A was also not meant to define data retention standards, for which there was Section 67C separately. There was Section 69 already available to ensure that decryption can be forced. Hence the law permitted encryption of data in storage and transmission and if somebody is cooperative with LEA, there is no reason why he should not use the strongest encryption. In fact if the upper end of security is freed, there could be innovation and research in India to find more secure forms of encryption. Any person of ordinary prudence would have realized that if there was a need for the Encryption Policy, it was required to encourage innovation and indigenous research and not to restrict the usage.

Imposing export restrictions is another aspect, one that is meant to regulate the misuse of encryption by those who are not within the jurisdiction of the exporting country. If India is a manufacturing country for cutting edge encryption products then it makes sense to impose export restrictions. Again whether this has to be in the form of an export ban or export licensing is a matter that can be considered.

For the record, my view is that if “Make in India” reaches that level where we can export information security products and encryption products, there can be a strict export licensing to track the use of such products by people outside India.

My recommendation to the Government is to think innovatively on thoughts such as “Regulated Anonymity” and to allow licensed “Anonymizer Services” which provide anonymization service and encryption support but remain cooperative with LEAs. This will serve the purpose of the LEAs as well as meet the demands of the Privacy Activists.

Several years back, I had proposed a structure for Regulated Anonymity. It can be suitably revised to develop a structured plan of action to be a bridge between the proposed encryption policy and the proposed Privacy Bill. (The earlier recommendations can be found here)

The concept of “Regulated Anonymity” and the “Licensed Anonymizers” will be new innovative E Commerce business thoughts that can be commercially feasible.

It therefore did not make sense to say that “Users should maintain data in plain text form for 90 days” as the draft policy tried to say. This was foolish and exposed the utter incompetence of those who wrote and approved the policy. We cannot trust national information security with such incompetent persons. Some people have claimed that the policy was drafted by a group of “Experts”.  

I would like the Government to reveal the name of those “Experts” and give a commitment to the public that these experts are thrown out of the system that is entrusted with national security.

My demand that the Minister should order an enquiry to find out if there was an attempt to sabotage the reputation of the Government stands.  I look forward to necessary action.

Naavi

Related information on Encryption Export Policy of US

Comparative Evaluation of US and EU


Enquiry Ordered on Encryption Policy Faux pas at Department of IT

The recent issue of a draft encryption policy caused acute embarrassment to the Government of India and the draft had to be withdrawn almost instantly because of the immediate opposition it raised. Commenting on its withdrawal we had suggested that an enquiry should be ordered on how such a shoddy policy document was released to the public and whether it was done to embarrass the Minister.

We now understand that an enquiry has indeed been ordered to identify the individual responsible for the release of the shoddy draft and to give him an “orientation” on how to communicate on such issues.

In the meantime, the report also quotes S.D. Saxena, former finance director of BSNL, as saying that the document was prepared by a team of officials and bureaucrats.

I suspect that this is an attempt to diffuse the blame and protect a mole who could be a mischievous person wanting to discredit the present IT minister and probably even Mr Modi who was about to embark on his US trip. There is distinctly a reason to suspect Conspiracy by a team of officials owing loyalty elsewhere. This is what the enquiry needs to find out, namely the political orientation of the person who was responsible.

One reason why I suspect that everything is not normal in this case is the way the notifications are presented, including the latest withdrawal note.

The copies of these three notes are available here.

  1. Encryption policy
  2. Clarification
  3. Withdrawal

All three notes are supposed to be official documents from the Government of India. But they have not been issued on a letter head or a typed mast-head in the name of the department. There is no signature in any of these notes. (Obviously there is no digital signature on the electronic copy as well.) If the policy was attributed to a “High level Expert Committee”, then the secretary of the committee or its chairman should have signed the document. The posting on the DeitY website and the presence of a contact email ID in the draft policy are the only indications that this is an official communication.

This is not the way we know the Government functions. The policy must have been drafted and forwarded to the IT Secretary who should have approved it. At least a Director of the department ought to have owned up the note and signed. The clarification and the withdrawal note appear to be simply a photocopy of a chit of paper on which some typewritten notes are scribbled.

The fact that unsigned documents are being released on official websites itself is highly objectionable. Tomorrow any hacker can post such documents on the Government websites and further embarrass the Government.

Hence the responsibility should be fixed in the department not only for the content of the note but also on the manner in which a global communication was released through an unauthenticated letter.

I wish that the issue should not be closed just by finding a scapegoat in a lower-level bureaucrat but should identify the real mole who could be behind a conspiracy and who may not after all be a junior scientist.

The enquiry should therefore be conducted by a trusted team of appropriate officials from outside the DeitY and cover the entire department.

Naavi

 


Privacy in Doldrums-Adapting to the Information Age

The International Association of Privacy Professionals (IAPP) and the Indian Bar Association (IBA) organized a conference in Bangalore on 23rd September 2015 and discussed several aspects related to Privacy in the emerging Digital India. Eminent speakers from the industry participated and interesting and useful information was exchanged.

The undersigned was part of a panel which discussed the theme “Privacy in Doldrums-Adapting to the Information Age”. The panel was moderated by Mr V.Rajesh Kumar of Infosys and consisted of the following members apart from Naavi.

Indranil Choudhary, Founder & CEO, Lexplosion Solutions; N.S. Nappinai, Advocate & Founder, Technology Law Forum; Kavita Babu, Senior Attorney, Microsoft India; and Suchanto Chatterji, Advocate & Cross Border Transaction Advisory, 5E Legal.

The panel was presented with several issues and Naavi’s views on the same are presented here for general information and academic debate. Some of these views were expressed during the panel discussion while some were answered by other members on the panel.

The views expressed here are Naavi’s personal views and not of the panel as a whole.

Naavi



1. Is Aadhaar a well-conceived initiative?

How can we bring more trust within its implementation?

How to bring accountability and transparency within its overall working?

Aadhaar was conceived as a National ID program where the data about an individual along with his biometrics would be stored on a database and users would be able to query on individual parameters based on a biometric input and get a “Yes” or “No” answer. The scheme envisaged collection of data by authorized agents in a controlled environment and did not envisage transmission of the Aadhaar-linked information across the network.

There have been many issues in the registration process where information was compromised, Aadhaar numbers were issued to fake persons etc. Apart from these, presently, Aadhaar is being used in a manner different from what it was conceived for. UIDAI is sending an Aadhaar letter with a perforation for cutting out a portion and making it into a “Card”. Also e-Aadhaar is being issued online containing all the information except the biometric data. Many users are using Aadhaar for KYC purposes.

In view of the fact that e-Aadhaar information can be downloaded easily, we may consider that the Aadhaar information has already been compromised. We can do little about it. The problem therefore is not in how the scheme was conceived, but in how it is being used now.

We know that in India we do not have protection of Privacy as a concept that Human Rights Activists believe is a need of a democratic society. We try to provide indirect support to the Privacy Right Concept through “Data Protection or Data Privacy”. We try to protect the privacy of an individual in physical space by controlling the data available in the cyber space. Hence the link between the data and the identity of the person becomes the key to “Privacy”.

Aadhaar being an identity instrument, it has an impact on Privacy since the Aadhaar data is identifiable to a living person in physical society. Hence protecting Aadhaar information from being accessed without appropriate control is necessary for Privacy protection. This however is not being done effectively at present.

What we can do however is that all intermediary users such as Banks should be mandated to use the biometric as the end point verification instead of the photograph. Also downloading of the entire Aadhaar particulars should not be allowed except to the Aadhaar holder and with the biometric.

This may not protect the privacy of Personal Information but may prevent identity theft possibilities to some extent.

2. How can we balance freedom of expression (Section 66A) guaranteed under the Indian Constitution with the growing thrust from government to sneak into every dataset created, shared and deleted?

Section 66A in my opinion did not address “Freedom of Expression”. It only addressed one to one communication through SMS and E Mail and was wrongly applied to cases of Facebook and Twitter posting. It was unfortunate that the Supreme Court scrapped it since along with it offences such as phishing, spamming, Cyber Stalking, Cyber Bullying etc. were also dropped.

Freedom of Expression is related to Right to Privacy. As between Right to Privacy and Freedom of Expression, Freedom of Expression has a higher value as protector of Democracy. However the real conflict is between Right to Privacy and the Need for Security. We need to balance between these two.

3. What are the current gaps that exist in the IT Act and IT Rules?

The IT Act addresses protection of Personal data and Sensitive Personal data and treats the contract between the data supplier and the data processor as the basis of control. The IT rules generally follow the internationally accepted principles of Privacy protection though implementation is still at a low level. Companies tend to focus more on compliance with best practices such as ISO standards rather than on liability-preventing ITA 2008 compliance.

4. Can privacy right become a means to achieve the balance between expression and encryption? What about anonymity? 

It is not a question of “Can”. We should conceive the system in such a manner that Privacy and Security co-exist.

If we pitch Privacy Right directly against Need for National Security, Privacy will always lose out since individual right is always subordinate to community right. Hence if we want Privacy, we need to learn how we can build a system where the Privacy and Security coexist.

I have therefore been advocating the concept of “Regulated Anonymity” where “Anonymity” is provided to an individual as a protection to his privacy but will be regulated through a system which will ensure that national security will not be compromised.

This requires “Trusted Intermediaries” to hold the anonymizer data and a system to monitor the “Due Process” through which the identity may be revealed in times of necessity.

The system can ensure that the “Trusted Intermediaries” are a combination of multiple entities so that no single person has access to the de-identification data.

The “Due Process Committee” needs to have public-private participation so that if this committee is convinced of national security needs then the identification of a person can be revealed.

What this system requires is therefore

a) Licensed Anonymizers
b) A Due Process Committee with right constitution
c) Data Distribution system which spreads control across multiple countries.

Now a word about this “Encryption Policy” or a draft which was put up for public comments. It has been withdrawn and is therefore only an issue for academic debate.

What the published draft policy indicated was that the departmental officials did not understand the Section 84A requirements. The section only wanted modes and methods of encryption to be indicated. CCA had already defined the modes and methods for asymmetric cryptosystem and if the “Notification” was at all necessary, it could have been confined to stating that the algorithms to be used in any symmetric systems shall not be weaker than …..

There was no need to state that it should not be stronger than ….. and people should preserve plain text copy etc….. ITA 2008 already provides powers under Sec 69 to demand decrypted copy and ensure compliance. It could have reiterated this aspect and left it to the market players to use their own means to archive data for compliance of Section 69.

What may be more relevant is to take a second look at the procedures prescribed under Section 69 and refine them.

The MCIT has forgotten that there is a Cyber Regulatory Advisory Committee which has to mandatorily pass such modifications to ITA 2008 and could have cushioned the PR impact of this bad decision.

Hope they learn their lessons now.

5. Every business wants to create personalized experiences for their customers by ‘targeting’ and stalking them throughout their browsing sessions. Maybe it's an acceptable way of doing business in many countries. What about the profiling that results due to such invasive data collection? There are many identifiers collected when Internet sessions are stalked. What can be done to tame the overzealous ambitions of such data brokers? Can self-regulation within the Indian legal system be achieved?

The pull of business profit is too strong and policy cannot swim against this tide. The Big Data Industry is conceptualized on obtaining as much data as possible, whether identified or otherwise, trying to identify it in the back end and converting it into value propositions.

Privacy is a lost cause in this business dominated world. More than for security reasons privacy gets compromised for such profit considerations.

The solution is to tighten the screws on data breach and also protect the Netizens from identity theft consequences through a mandatory Cyber Insurance scheme.

6. Right to Privacy may soon become a court pronounced fundamental right. Till then, and even after that, will there ever be a statutory Right to Privacy? Technology is taking giant leaps forward while laws are crawling behind. Doesn’t this impede our efforts towards preparedness against a foreseeable cyber warfare? What will Digital India stand upon? 

As I already said, Privacy cannot win the fight against National Security because we exist as individuals in a democratic society only if the society is healthy. In this matter, Privacy Right is different from Freedom of Expression right. Freedom of Expression is required to protect democracy. Privacy right abrogation may also be required for preserving democracy.

7. Our efforts towards gaining ‘adequacy’ of data protection law under the EU standards have been minimal. While the world waits for and anticipates a tougher GDPR, is India ready to showcase itself as a ‘safe’ country? While other Asian countries have already taken positive steps in this direction, what would India need to gain acceptance globally? 

India is a country where if personal information is not protected as agreed to under a contractual agreement, the CEO of the data recipient company may go to jail for 3 years under Section 72A of ITA 2008. If, out of the negligence of the recipient company, security of PI or SPI is breached, there is unlimited financial compensation and 3 years' jail under Section 66.

Right to erasure is inbuilt in information security principles subject to the exception of law enforcement needs and data retention needs under Section 67C and 65 of ITA 2008.

We therefore have the necessary legal foundation to be a safe country.

What we lack is implementation and communication. If we all strive for ITA 2008 compliance more than what we do for ISO 27001 compliance, or PCI DSS Compliance, data in India would be safer.

8. Though the EU BCR and APEC CBPR have many things in common, will there be an even ‘better than good’ solution to the varying data protection rules and regulations? Can ‘Corporate Privacy Rules’ be standardized to make it easier for MNCs to apply single set of policies across different jurisdictions? What are the challenges? 

Probably industry bodies may work towards standards which work for their specific industry based on ITA 2008. If a company is exposed to data security compliance requirements from other countries, the standards already implemented under ITA 2008 can be mapped to the other specific requirements.


Volkswagen fraud opens up debate on source code secrecy, audit and compliance issues

Information Security auditors are some times required to conduct a “Software Source Code audit” to find out if the software is reliable and does not have any malicious codes embedded there in which may violate the privacy of the user or commit any other frauds.

While such audits are normally  conducted with the permission of the software supplier, many software vendors donot permit such audits since according to them it may compromise the intellectual property rights associated with the software. The software vendor may claim that the code is “Proprietary” and is subject to protection of copyright.

While some users may obtain and rely on the appropriate warranties and indemnities from the vendor and use the software in good faith, their faith has now been shaken by the Volkswagen fraud that has revealed that even reputed companies may resort to organized cheating if there are opportunities presented to them in the form of  “Copyright protected software codes”.

The unsavory incident in which the Company manipulated the software element (More details on the modus operandi available here) to cheat “Emission Tests” has made it necessary for all software users and regulators to distrust the vendors of proprietary software and look for some means to conduct software code audits in the interest of its own security, even when the vendor does not permit it .

However there is one catch here. If a company wants to conduct a software source code audit despite the vendor not permitting it in the end user agreement, there could be not only violation of the contractual terms to contend with but also possible violation of the copyright Act.  Contractual violation is easier to handle since there may be a protective clause in the same contract which may entitle the user to protect his own Privacy Rights. But violation of Copyright law is a sensitive issue and needs a deeper look.

Proprietary software is protected by copyright laws and any attempt to unravel  the code could be treated as an offence under the Amended Indian Copyright Act or DMCA . The owners of such software zealously protect the secrecy of the code and may invoke these provisions if necessary. At the same time this right to secrecy may be used for incorporating back doors to extract data from the user end without his consent as well as to commit frauds like what Volkswagen did. In a software scenario, this may make the end user liable to some of its clients also. We can recall that some time back there was a report of some software manufacturer incorporating a bitcoin mining code in the software to produce bitcoins for the benefit of the software vendor at the expense of the user’s resources.

While Volkswagen type of frauds are punishable offences in India as “introduction of computer contaminants”, copyright is still a sacred cow and the last amendments to the Copyright Act protect “Digital Rights Management” along with the right to introduce measures to prevent circumvention.

Under Section 65A of the amended Copyright Act,

“Any person who circumvents an effective technological measure applied for the purpose of protecting any of the rights conferred by this Act with the intention of infringing such rights, shall be punishable with imprisonment which may extend to two years and shall also be liable for fine.”

Any attempt to unravel the source code would also attract Section 65B which says

“Any person who knowingly, (i) removes or alters any rights management information without authority …… shall be punishable with imprisonment which may extend to two years and shall also be liable for fine.”

Hence an attempt to peek into the raw source code contained in an executable software may attract the penal provisions of the Copyright Act.

Though there are exemptions to these provisions for certain reasons such as “National Security”, which include “Doing anything referred to therein for a purpose not expressly prohibited by this Act”, it is not clear if the exemptions cover the unpacking of the code for the purpose of identifying whether or not it contains any “Computer Contaminant” as defined under Section 43 of ITA 2000/8, which would also be a cognizable offence under Section 66 of ITA 2000/8.

However, it can be argued that if there is any prima facie reason to suspect that the software is violating any provisions of law, then “For reasons of preventing commission of any cognizable offence”, a software source code audit/research can be done without attracting any adverse effect of the Copyright Act.

It is possible that any software contract may provide a condition that the “Software shall not violate any provisions of ITA 2000/8”. If therefore there is a suspicion that there could be a possibility of such violation, we are actually having a legitimate reason for conducting a software source code audit.

The Company may however have to build up some evidence to “Prove the Suspicion” before proceeding with such audits and also ensure that the audit is only to secure its interest and not to copy the proprietary information contained within the code.

Now that it is public knowledge that even a reputed auto manufacturer of the status of Volkswagen can incorporate “Trojans” and “Computer Contaminants” in proprietary software, users of any proprietary software have an immediate reason to check if the proprietary software they are using is covered by proper contracts of indemnity and a right to conduct a source code audit.

If there is a reason to believe that any malicious code in the software could violate the company's own privacy or may impose legal liabilities on it, the company can consider conducting a software source code audit and defend against any challenge that can be launched under the Copyright Act. It is however necessary to document the reasons in a “Pre-Audit Study” and take appropriate measures to ensure that the information is not misused either by itself or its employees in future.

If a company does not want to be that aggressive, it is necessary to identify the Volkswagen fraud as an indication of a “Threat” and as a compliance measure it may be worthwhile to get additional written assurances from the proprietary software vendors that the software does not contain any “Computer Contaminants as defined under Section 43 of ITA 2000”.

Naavi


Innovative Cyber Crime by Volkswagen and a potential $18 billion hit

In a strange corporate offence committed by Volkswagen, 11 million cars are set to be recalled and the Company is set to face a penalty of around $37500 per car for failing the emission norms. The CEO obviously has resigned. Company shares are down by over 40% and the stock markets across Europe and even India have dipped, causing heavy losses to millions of investors. The Company is reported to have set aside US $6.5 billion for recall of cars but may fall well short of meeting the total liability estimated to be over $18 billion.

Unless some compromise is worked out, the company may go into liquidation inflicting losses to many lenders and equity investors.

It is interesting to analyse the cause of this catastrophic incident and whether it fits into a definition of a Cyber Crime. (Based on newspaper reports)

The issue involves software that the Company has installed in the Car. This software recognizes when the Car is put through an “Emission Test”. If it recognizes the emission test, it tweaks the emissions so that they fall within the permitted levels. At other times, the emission levels are at normal levels, which are said to be 40 times beyond the permitted limits.

It is stated that if the Company has to bring down the emission levels to acceptable levels, there could be a need for more investment and it may also reduce the mileage. So the Company thought of this innovative method by which it could save on manufacturing cost, keep the mileage at required levels and also cheat the emission testing process. A truly innovative strategy in which the entire Company must have been involved.

However this is nothing but cheating of the customers and the regulatory requirements. Since it is done with the malicious intention of increasing the profit of the Company, it is a “Fraud” by definition. Since a “Software” is used in commission of the crime, we can term this as a Cyber Crime. In fact, the behaviour of this software is like a typical Trojan set for a “Man in the Middle Attack” under some specific conditions.

The nature of the offence is a little complicated and while it may contravene the emission regulations and also be a fraudulent misrepresentation to the customers, it would be interesting to debate if it is a Cyber Crime under the Indian laws.

The behaviour of the software that detects an emission test and modifies the normal behaviour of the vehicle so that the testing computer gets “manipulated data” qualifies it to be called a “Computer Contaminant” under section 43 (c) of ITA 2008 since the owner of the vehicle is not aware of this deceptive behaviour and has not authorized it. The modification of data is also an offence under Section 43(i) separately. Being a contravention of Section 43, it is also an offence under Section 66 involving criminal prosecution. With Section 85, the CEO and other officials in charge of the business as well as the Directors will also be criminally liable.

Related Articles:

abc.net

The Telegraph

home.bt.com

It is regrettable that a reputed company like Volkswagen should have indulged in such an unethical practice which is also a Cyber Crime. If the case is pursued to its logical end, it is not only the CEO but also several of the Board members and other executives who may find themselves cooling their heels in prison.

This should be a wake-up call to Indian Auto manufacturers like Maruti who are also incorporating a great deal of electronic circuitry into the management of the car, and each such component would be like a “Computer”. They can be hacked by outsiders or misused by the company itself if it does not realize the impact of the relatively less known law called Information Technology Act 2000/8.

Naavi
