Mumbai High Court on Section 66A

Posted on August 20, 2013 by Vijayashankar Na

The Mumbai High Court has in a judgement opined that Section 66A can be applied even in the case of Websites.

According to this report in TOI, the High Court held

“Creating a website that may contain false or offensive information and facilitating its access to others would fall under the definition of ‘sending messages’ under section 66A of the IT Act ‘Inconvenience’ cannot be read in isolation and must be read as a whole under the definition of an offence under the section It is only false information that causes inconvenience”

The view however is open for debate and questioning since it does create certain conflicts.

Firstly, ITA 2000 addressed the issue of “Publishing” and “Transmitting” through Section 67. This section was restricted to obscenity issues and did not extend to “Defamation” or “Causing annoyance in general”.

At this time, “Defamation” was being addressed with IPC and even when “Defamation” occurred with electronic documents, they could still be covered under IPC.

However when offences such as “Cyber Stalking” and “Cyber bullying” started occuring, it was noticed that “Sending repeated messages/emails” was creating  a new situation which was not similar to “Static form of annoyance that could be alleged for a website publication”. A website could be ignored but a direct message could not since it intruded into the personal space of the addressee. Hence it had more capability to create annoyance of the addressee. At the same time “Website” was open to public view while email or SMS was not. Hence the “Publishing” activity on the website and the “Messaging” had to be considered as two different kinds of activities. The “Message” could not be considered as “Publishing” not “Distribution”.

The IPC laws of defamation was insufficient to tackle situations where the content of the message itself was not defamatory or threatening etc but the act of messaging was still causing annoyance. An example would be a message which states  “I hope all is well” sent to a girl at say midnight repeatedly when she is perhaps with her husband and sent in the name of a boy. This is sufficient to create annoyance of the level that could lead to disasters. Sec 66A was meant to address such situations.

The website activity can however be considered as “Publishing” and if any content is false and defamatory and also obscene, it can be taken up under the present Section 67/67A/67B. If it is not obscene but is defamatory, it can be considered under IPC.

Twitter and Facebook are also “Publishing” and not “Messages” though the term “message” is often used in such context. The main difference between a “message” and “what is not a message” is that “message” is pushed by the sender to the addressee. A published content reaches the destination only when he decides to pu;; it from cyber space to his attention.

It appears that the Mumbai High Court has failed to appreciate this vital distinction .

It is surprising that repeated mis-interpretations are occurring in Maharashtra about the implications of Section 66A. This judgement appears to support the contention of the Maharashtra police in the instances such as at Palghar when they invoked Section 66A on Facebook postings.

It would be necessary for this judgement to be reviewed and mis interpretation corrected.

Naavi

Posted in ITA 2008 | Leave a comment

HIPAA-US$1.2 m damage for not sanitizing photocopier hard disk

Posted on August 15, 2013 by Vijayashankar Na

A HITECH Act violation by a health plan in New York resulted in a potential data breach of 344,579 individuals has resulted in the HHS imposition of penalty of Rs $1,215,780 as a settlement.

The breach occurred when the Plan which had leased several photocopiers and used it during its operations decided to return the photocopiers to the lessors. The hard disks that are attached to the photocopier were not sanitized before being returned which resulted in an impermissible disclosure of PHI.

OCR had taken up an investigation of this breach which had been reported in April 2010 after a media disclosure. The settlement has also suggested a corrective action as follows.

 (1) conduct a comprehensive risk analysis of the Plan’s privacy and security risks and vulnerabilities and

(2) use best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the Plan that remain in the possession of the leasing agent and safeguard all electronic PHI contained therein.

Related Article 

The report of CBS News filed in April 2010 had indicated  that the agency purchased 4 used photocopiers from a warehouse in New Jersy and extracted thousands of documents from the hard disks which contained sensitive information from various agencies including the NY Police department and the previously referred Affinity Health Plan.

The incident highlights the need for all companies handling sensitive personal information realize that the Photocopying machines of current days carry a hard disk which copies every document that is photocopied in the machine and hence needs to be sanitized before the photocopier is discarded. If they fail to do the damages can be crippling.

Naavi

Posted in Cyber Law, HIPAA | Leave a comment

Indian Company causes HIPAA breach

Posted on August 10, 2013 by Vijayashankar Na

An Indian contractor of a medical transcription company (M2ComSys) is said to have caused a breach of  PHI belonging to 32000 patients of US based Cogent healthcare leading to data breach notification by the US company.

It is stated that the data was stored on Internet without adequate security and landed up in Google search.

Related Report

The incident underscores the need for Indian companies to get themselves HIPAA-HITECH compliant as business associates if they have not done so far.

Naavi

Posted in Cyber Law, HIPAA | 4 Comments

Cyber Crimes Increase all over India..except Karnataka

Posted on August 9, 2013 by Vijayashankar Na

In a reply given in Loksabha, the MOS for Communications and IT Mr Milind Deora submitted that Cyber Crimes in India are on the increase. According to the minister, 16035 instances of attacks of various kinds were reported only on Government assets upto June in the current calender year. This was in comaprision to 13301 instances in 2011 and 22060 in 2012. (See Report).

In sharp contrast the home minister of Karntaka recently made a statement in the Karnataka Assembly that in 2011 and 2012 only 74 cyber crime cases were registered in Karnataka.

Even in Tamil Nadu, the Police recently stated that they had registered  that 42 cyber crime cases were registered last year and 17 more in the current year.

The NCRB also states that in the entire country the number of cyber crime cases registered is in the order of around 4000.

From the above reports, it is clear that there is a serious mismatch in what the industry considers as “Security Breaches” or “Cyber Attacks” and what the Police record as “Cyber Crimes” though the two should be considered as one and the same. The objective of recording Cyber Crimes is not to estimate how efficient is the Police in solving the crime but to understand the impact of the crime in the society so that the Governments can provide the necessary support to the Police to fight the menace. By grossly under reporting the crime, the Police are doing a disservice to themselves since they cannot justify either better training or forensic facilities to be provided for fighting the crime.

In Karnataka where there is a good infrastructure for Cyber Crime investigation, the facility will remain grossly under utilized if it has to deal with just 30 to 40 cases in an year. Reluctance of Police in certain places to file FIRs for Cyber Crimes ensures that FIRs are not registered in most cases and hence criminals see a very bleak chance of them being punished.

There is a need to change this practice. We need an online cyber crime registration facility which automatically registers all complaints and generates complaint acknowledgements. The acknowledgements can be confirmed later by the Police in the form of FIRs after primafacie investigation.  If complaints are not converted into FIRs there has to be a specific justification provided by the Police.

Only when we have such a rigorous system of recording the crime statistics we will have a ground for Cyber Crime mitigation investment including Cyber Crime insurance.

The situation in Karnataka is the worst in the country. Here the Police and the Judiciary conspire to make the state a safe haven for Cyber Criminals. While the Police like the rest in the country are not eager to register complaints from the public, the Adjudicator is not keen to receive complaints from the public despite goading by the State Human Rights Commission.

To top it all the Karnataka High Court has also by its own judgement effectively barred filing of complaints either by companies or on companies for financial remedy as provided in the Information Technology Act 2008. It appears that the Karnataka High Court has not even recognized that it has itself created a huge void in the delivery of Cyber Crime justice in Karnataka. Though this matter has been brought to the notice of all authorities, there is either a reluctance to make necessary changes or complete ignorance.

I hope the honourable Chief Justice of Karnataka will personally examine why a citizen of Karnataka is making a statement that Karnataka High Court is itself the cause of obstruction of justice delivery and take steps to rectify the system.

I also hope that the honurable Chief Minister of the State also recognizes his responsibility in ensuring that Karnataka does not get a tag as the “Cyber Crime Haven of India”.

Naavi as a Citizen of Karnataka

Posted in Cyber Crime | 1 Comment

ISI Penetrates BSNL?

Posted on August 8, 2013 by Vijayashankar Na

This report in Mint suggests an intelligence report that ISI might have planted a trojan in the BSNL network to enable it spy on the database. It is interesting to note the social engineering methods used by ISI to get the trojans planted.

Mint reports the following modus operandi.

“ISI spoofed a landline number (011-23016782) so that the call would appear to originate from Indian Army HQ in Delhi, and called up a BSNL executive on his mobile phone.

Posing as Major Vijay, the ISI officer claimed that the Indian Army was unable to access BSNL’s subscriber base from its website, and also sent the BSNL employee a “test mail” on his Gmail address. The BSNL employee replied to this email by sending three online links, believing that he was helping the Army. The ISI officers then got back claiming they were unable to open the links. Besides, they (ISI) sent some links to the BSNL employee who opened the same on his computer thus enabling the Pakistani agency to allegedly install the malware in the state-owned telco’s systems. “

The incident should be a good lesson to other people employed in sensitive organizations.

Naavi

Posted in Cyber Law | Leave a comment

Shobha De and Telengana

Posted on August 4, 2013 by Vijayashankar Na

The tweet of Shobha De on Telengana has created a huge backlash in the form of protests from Shivsena. This has given raise to yet another debate on the influence of Cyber Space on physical society.

The protests give a larger than life importance to tweets and create a controversy out of nothing. In fact the controversial tweet says just the following.

“Maharashtra and Mumbai??? Why not? Mumbai has always fancied itself as an independent entity, anyway. This game has countless possibilities.”

Obviously the tweet did not deserve the massive protests that followed. Just as in the case of the Palgahar arrests, Shivsena has given more publicity to the event than the tweet could have ever created.

Without deviating into a debate on Telangana or Mumbai as a Union Territory both of whom deserve a much elaborate debate on other platforms, I would like to reflect on the behaviour of the sections of physical society which appears to be over reacting to the known influence of the cyber society.

We must understand that Digital Society has its own spread and culture. Tweets and Facebook postings are part of this culture. This is shared by a certain community. Normally these discussions are like passing comments in a party. They come and go as a thought. It is rare that the thoughts that come up on such tweets snow ball into a firm opinion even amongst the Netizens, let alone the Citizens who are not Netizens. The incidents in Egypt and other places where revolutions in physical space have been credited to the Cyber society are more a reflection of the power of Cyber space as a means of contact rather than as a means of creating new opinions.

For a passing comment to gather steam and become an opinion that can affect the physical society, there must be a “felt need” in the society and the tweet should have triggered a reaction. In both the Palghar incident and the Shobha De incident the reaction did not come from anti-Shivasena persons who agreed with the opinion expressed in the cyber space. We can interpret this as lack of sufficient momentum for the cause for the comment to take a snow balling effect. (We must admit that the counter reaction was immediate and hence there was no time for the tweets to really reach to a larger set of people)

The reactions came from those in the part of the physical society who opposed the expression and assumed that the expressions had a huge impact that required a counter reaction.

It is a reasonable guess that most of the protestors are not “Netizens” and did not have a first hand experience of the tweet/facebook comment. Some body in the party saw the tweet/facebook post and triggered the protests. These “Triggering persons” seem to have acted with no sense of proportion. They have created a panic amongst the ordinary workers in the party and given out an impression as if a “Campaign for Independent Mumbai” had been started by Shobha De. The workers who did not know what is a “tweet”, “Who reads the tweets”, “What is the tweet culture” etc., simply accepted the suggestion made by the “Triggering person” and started the protests.

The end result is that now more people will think about the “culture of intolerance” that the protestors represent and perhaps see some value in the argument that Mumbai needs to be liberated from the control of such biased elements. The end result is that Shiv sena must have made more enemies than friends because of the protests.

The “Lack of Restraint” shown by the Cyber literate persons within a community dominated by Cyber illiterate majority, who have triggered the backlash, appears to be a behavioural trait that needs to be recognized and studied. The trait represents a desire to show that “I am Cyber literate” and “I claim leadership in the cyber literate group of my community”. It is a method by which some persons try to create a niche market for themselves within the community (In this case the Shivsena party) and become “niche leaders”.

This trait is similar to the behaviour of leaders who create an identity for themselves by creating divisions in the society by caste, sub caste, region etc. In fact this is the same trait that drives the demand for Telengana or Ghorkhaland or Bodo land. As long as we Indians donot develop the ability to control such trait, the country cannot unite. It is ironic that at one time there was a fight for “United Andhra” and now there is a fight for “Divided Andhra”. If there is a logic in dividing each state into multiple states, then why not each district or taluk be an independent “State”? In fact one time in history (“ondaanoMdu Kaaladalli”),there were perhaps Paleyagars who controlled small units of the community.  It was however found undesirable that the community is so divided and the concept of aggregation came into practice. It is in the same manner that Sardar Patel could argue for Akhanda Bharath/United India. It is the desire of regional leaders to create a political space for themselves that is today creating a demand for smaller state.  It has no economic logic or community interest in such moves.

At this point of time Cyber Space is more united than the physical space. There is no caste, creed, or geographical boundaries. But as we move from the “Anonymous Digital Society” to “Identified Digital Society”, the digital society is also getting divided into the same small sub sets that the physical societies are used to. There is a demand for Indian Twitter and Indian Facebook. Tomorrow there will be a demand for Telengana Twitter and Bodoland Facebook. This will kill the good things that Internet has brought to the society and the bad things of the physical society gets transferred to the digital society.

In order to preserve the integrity of the Cyber Space there is a need for all of us to think how we can ensure that “Free Internet” survives even during the increasing domination of the “Commercial Internet” which requires “Identity dominated Internet”.

The demand for “Regulated Anonimity” therefore emerges as one likely solution.

The other solution is for celebrities to  rethink on their “Tweet Strategy” and consider if it is necessary for them  to remain anonymous in cyber space if they need to build opinions that bring beneficial change in the community. Perhaps celebrities need to keep two channels of tweeting running parallel to each other and use their real identities only sparingly.

This discussion will gather more momentum as we near the next election when there will probably be a twitter war between political parties in India. At such a time, the essence of every tweet will be lost by the information on who made the tweet. For example while discussing politically sensitive topics say such as the “Gujarat Model of Development”, it is essential for the tweeter to focus on the topic without the readers trying to interpret the essence of the tweet with the colour of the political affiliation of the tweeter. I suppose both the BJP and  Congress will keep this in mind during their cyber campaigns.

Naavi

Posted in Cyber Law | Leave a comment