Mis-perceptions about Section 66A

Section 66A of ITA 2008 has been one of the most abused sections of the Act in recent days. There is also a discussion about the constitutional validity of this section, namely whether it infringes on the constitutional “Right to Freedom of Expression” provided in Article 19(1)(a) of the Constitution. The discussion has arisen due to the filing of criminal cases in recent days against Ravi Srinivasan of Pondicherry over a tweet, and against two ladies in Palghar over postings on Facebook.

Article 19(1)(a) of the Constitution is subject to the “Reasonable Restrictions” mentioned in Article 19(2), which gives the Government discretion to frame and implement laws restricting the freedom of expression under the following conditions, namely,

“in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence”

The question therefore is whether Section 66A of ITA 2008 is a legislation framed under the exceptions provided under Article 19(2) of the Constitution.

This discussion would be relevant only if Section 66A has an impact on the “Freedom of Expression” under Article 19(1) in the first place. The perception of the community is of course that Section 66A does infringe on the “Freedom of Expression”, as otherwise the police action in the cases of Ravi Srinivasan and the Palghar ladies was unwarranted.

However, when we analyze the situation we also need to consider whether the action of the Police in the above two cases was taken because the Police considered that Section 66A fell within the exceptions under Article 19(2), or simply because they misread the law.

If the Police misread the law, the remedy lies not in removing the section but in punishing the Police for “Human Rights Violation” and providing such clarifications as would ensure that similar mistakes are not made in future.

In this context it becomes necessary to discuss whether Section 66A of ITA 2008 was indeed meant to address the situation where a Facebook post or a Twitter post causes annoyance to another individual, such that the person who expressed the objectionable view could not be protected under Article 19(1).

Section 66A has three parts. It is reproduced below for immediate reference.

Section 66A: Punishment for sending offensive messages through communication service, etc

Any person who sends, by means of a computer resource or a communication device,-

a) any information that is grossly offensive or has menacing character; or

b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently by making use of such computer resource or a communication device,

c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

Explanation: For the purposes of this section, the terms “Electronic mail” and “Electronic Mail Message” mean a message or information created or transmitted or received on a computer, computer system, computer resource or communication device, including attachments in text, image, audio, video and any other electronic record which may be transmitted with the message.

This section applies to “Any Person” who “Sends”, by means of a computer resource or a communication device, “any Information” or “Electronic Mail” or “Electronic Mail Message”.

It may be noted that this section is applicable to “Messages” and not to “Publishing” content on a web platform. Under ITA 2008, offences related to “Publishing” were covered under Sections 67, 67A and 67B and were restricted to content which was “Obscene”.

Then does it mean that ITA 2008 did not address situations where “Defamation” could occur through non-obscene content being published on the web, as in the above cases? The clear indication in the legislation is “Yes”: ITA 2008 did not try to address “Defamation” in electronic space except where the content was obscene.

The perception that Section 66A addressed defamation arose from the fact that it referred to “Information that is grossly offensive or menacing” under Section 66A(a), as well as “information” that could cause “annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will” under Section 66A(b), and “Causing annoyance” under Section 66A(c).

The first time the section was invoked to address defamation was in the Delhi High Court case of E2labs Vs Zone-H.org. In this case the remedy sought was the shutting down of a website which allegedly hosted some defamatory content. Since the defendant in this case was a foreigner and chose not to respond to the notices of the Court for reasons of his own, the Court passed an interim order blocking the website, which has effectively become permanent since the defendant will never contest the injunction.

The interim judgement has therefore created a perception that the Court agrees that “Defamation” was caused by the publication and that the site was blocked for that reason. This perception lends a sort of legitimacy to the claim that “Section 66A can be invoked when defamatory content is published on a web platform, and it is not restricted by the constitutional right of freedom of expression”.

It must however be noted that Section 66A was meant to address “Information” that can be “Sent”, and not “Information which is static”. Information which is “Sent” is a “message” and goes from one person to another; it is “Pushed”. On the other hand, content which is “Posted” is not directed at any person. It is only “Pulled” by persons who have become part of a “Community” and have agreed to exchange information with other members of that community.

A “Facebook” post or a “Twitter” post falls into this category of “Hosted content” and does not fall into the category of “messages”. Such posts can be dealt with under Section 499 of IPC, and there is no need to invoke Section 66A.

The fact that Section 66A was meant for “messages” is also evident from the use of the word “Persistently” in Section 66A(b). This means that the provision targets a person who again and again sends a message which he knows to be false, with the malicious intention of causing annoyance etc. In a website posting, the content is posted once; it is not sent again and again to another person.

Section 66A(a) does not use the word “Persistently”, but it applies only to such messages as can be considered “Grossly offensive or Menacing”.

Section 66A(c) also does not use the word “Persistently”, but it is specifically stated that it is addressed to “Electronic Mail”.

Thus it can be inferred that Section 66A was meant only for “messages” and not for “Content”. This is justifiable since Section 499 may not be apt for “letters sent from one person to another”, and also because the web presents the possibility of a higher level of annoyance than the physical equivalent of “Bulk letter mailing”, since “Bulk email bombardment” is far easier to carry out.

Section 66A addressed the message because there were offences such as Cyber Bullying and Cyber Stalking, as well as “Spam”, which could not be effectively dealt with under Section 499.

In view of the above we can conclude that Section 66A of ITA 2008 was never meant to address “Defamation” and never meant to overlap Section 499 of IPC, but was meant to address situations which in cyber space were significant threats and were not effectively addressed by their physical-world equivalents in the IPC.

If therefore we come to the conclusion that “No change is required in Section 66A”, it will be because the section was never meant to address “Defamation” or to rely on the exclusions under Article 19(2) of the Constitution, and not because we endorse the view that Section 66A is within the constitutional validity of Article 19(2).

The media needs to understand the issues involved and should not misinterpret the views that may be expressed by the Court in this regard.

Naavi

Posted in Cyber Law, Netizen's Forum

Silicon India interview

Naavi was recently interviewed by Silicon India. The interview is available on the community page of Silicon India. A link is available here. The interview is presented under the physical-society identity of Naavi.

The theme of the interview is basically my views on “Leadership”.

Naavi

Posted in Uncategorized

RBI’s responsibility in preventing Aadhar Misuse for Bank Frauds

I refer to the news report in Midday indicating a new modus operandi in the commission of Bank frauds in India. This fraud was committed through a combination of “Phishing”, “Security lapses at the victim’s Bank”, “Compromise of KYC by the mobile operator” and “Compromise of KYC by the collecting Bankers”. The compromise of KYC at the fraudster’s bank was caused by the use of Aadhar identities.

So far we have seen first-generation Bank frauds of this nature consisting of “Phishing” combined with the opening of fraudulent accounts at receiving branches. To complete such a fraud the fraudster had to steal the password of the customer and then also use several recipient accounts. To open such accounts he normally used a fake PAN card or other strategies. The opening and maintenance of such accounts, as well as the inability to spot the unusual nature of transactions during the fraud, amounted to “Negligence” on the part of the collecting Banker and a failure of the KYC process. This made the collecting bankers liable for the fraud along with the victim’s bank, whose authentication system used passwords instead of the legally mandated “Digital Signature”. As a result, the victim’s bank as well as the banks where the fraudster’s accounts were held were vicariously liable for the fraud.

This aspect has been brought to the attention of RBI, and RBI has been issuing periodical guidelines to the Banks. Banks, on the other hand, have formed a cartel to oppose any moves by RBI to secure Bank transactions by improving security, and have instead pushed RBI to introduce more insecure technology such as Mobile Banking. RBI has been a mute spectator to this technology invasion and the gradual erosion of Bank security.

It is not out of place here to mention that the Ministry of Communication and Information Technology has been procrastinating on the appointment of the Presiding Officer of the Cyber Appellate Tribunal, thereby preventing legal remedies from being available to the victims of cyber crimes.

RBI has to take responsibility for having made Bank security dependent first on the OTP system and now on the Aadhar system. The linking of Aadhar to bank accounts was suggested by the UPA Government as a means of transferring certain subsidies directly to the beneficiaries. What this has achieved is a dilution of KYC at the bank level and dependence on Aadhar as the sole KYC for opening accounts. These Aadhar account holders have now become the facilitators of the fraud and face the prospect of jail. They can thank UPA for this favour!

There is an immediate need for RBI to reconsider the wisdom of linking Aadhar to the opening of Bank accounts and to alert all the Banks to the possibility of Aadhar being misused.

Naavi

Posted in Bank, Cyber Crime

Do not link Aadhar to your Bank account

I observed during the Aadhar registration process in Bangalore that by default the registrar was encouraging registrants to link their Bank accounts to the Aadhar application. The risk associated with such a process has been highlighted by the fraud reported in Midday.

According to this report, a fraudster operating from China used the information to open fake accounts in the names of several Aadhar card holders in six different locations and transferred about Rs 1.75 lakhs to those accounts from the account of the victim.

This is an indication that the banks which opened the fake accounts were grossly negligent in opening them using the Aadhar linkage as the KYC process.

Of course the case also involves fraudulent access at the Bank where the victim’s account was kept, and the failure of the OTP system relied upon by RBI is also indicated. The fraudster seems to have blocked the SIM card of the bank customer and diverted the SMS messages, and probably the OTP messages as well. The mobile company also appears to be at fault in the process.

Though legally the Bank where the account was kept, the Mobile Company and each of the Banks where the fake accounts were opened are all liable for both civil and criminal consequences, including the liability to compensate the victim, initiating suitable action and recovering the amount requires effort, more so since Bankers act as rogues and bully customers into absorbing the liability themselves, or persuade them to follow up with the Police instead.

Naavi has been pursuing several cases of this sort and has found that Banks have friends in many places to delay the delivery of justice. I hope RBI will wake up and recognize the folly of depending on OTP in the first place and then on Aadhar in the second place. These strategies have subordinated Bank security to the security of the Mobile and Aadhar systems. Since these are weak at present, Bank systems have also been rendered weak. This is a serious policy lapse. In future cases of this nature, I will not be surprised if RBI is also made a party to the fraud for its own negligence.

Naavi

Posted in Bank, Cyber Crime, Cyber Law, Uncategorized

Cloud Computing and ITA 2008

Though “Cloud Computing” has been under discussion for the last 4 to 5 years, the rate of adoption is considered slower than expected. One of the main reasons is that while there have been new developments in the cloud computing arena during this period, the cyber law regime has also progressed and is becoming more and more stringent. This has put a spanner in the growth of Cloud Computing by raising Information Assurance barriers.

In a recent survey of 2,000 CIOs, a Gartner report has reportedly revealed that the executives’ top technology priorities for 2013 include cloud computing in general, as well as its specific types: software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS). No surprise there. (Infoworld)

In this context we can look at the Indian scenario and examine the legal structure to understand whether it is supportive of Cloud Computing, either for Indian corporates to use or to offer as a service.

The legal background for cloud computing in India is provided by ITA 2008 (the Information Technology Act 2000 as amended in 2008). There are also administrative policies of the Government of India issued from time to time, such as when the controversy over the Blackberry service broke out.

ITA 2008 incorporates some data protection aspects, and Sections 43A and 72A provide for contractual obligations to be placed between contracting parties who may share sensitive and other data, failure of which could lead to civil and criminal liabilities. However the “Deterrence impact” of these sections is low. Section 43A has been diluted by the April 11, 2011 notification on “Reasonable Security Practices”, since holding an ISO 27001 audit certificate has been equated to sufficient security. Such security is completely unreliable for Cloud users.

Additionally, the Department of IT has added to the confusion on cloud security through the ISP guideline which restricts the encryption of data transmitted over the ISP network to 40 bits. Naavi has been of the opinion that this is only an ISP guideline and hence affects intra-ISP data transfer, and does not impose a legal restriction on client-to-ISP transmission. While this may be the legal reality, the Government can always push its own interpretation, if necessary through retrospective legislation, and hence the guideline remains a sword of Damocles for Cloud users intending to use higher levels of encryption.

Sometimes the Government of India tries to bypass the law with administrative guidelines, drawing legal backing from the “need to protect the interest of sovereignty and integrity of the country” etc. Such arguments have been used by the Government on many occasions, including for the protection of politically powerful personalities, as was evident in the Section 66A related controversies in the country in recent days. As a result the “National Interest” clause has been significantly diluted. Irresponsible utterances by the Home Minister of the country in recent days on terrorism have further diluted the concept of “National Interest” and subordinated it to the interests of the ruling political party.

We therefore face a grim situation where international users of Cloud services are unable to trust the Indian legal system.

If India is to adopt Cloud Computing, either as a tool for more efficient and economical deployment by Companies or as a “Service” that harnesses the growing global opportunities, there is a need to create a “Trusted Data Management Regime” in India. According to some estimates, by 2020 one-third of global data will move to the cloud. Such a development would mean that India’s pre-eminent position in the IT industry cannot be sustained unless we make significant progress towards setting up Cloud-supporting data centers in India, which inter alia depends on what assurances we can provide for data security under law and how we can create trust that there will be no political interference in the legal regime.

In our opinion, this is a huge opportunity in IT that depends on developing a trusted secure data management regime, and in the interest of our economic development we need to do whatever is required to develop such a “Trusted Secure Data Management Regime” in India. This may ideally be achieved through a new law or a major amendment to ITA 2008.

I invite discussions from the public on this aspect.

Naavi

Posted in Information Assurance, Privacy, Uncategorized

Risk Assessment, the ISO maze

Extensive promotion has made ISO 27001 the first thing that comes to mind when we think of “Risk Assessment”. No doubt ISO 27001 is the most popular ISMS framework. The fact that it lends itself to certification makes it attractive to organizations which want the certificate to plug some compliance requirement.

However, ISO is a maze. It is an excellent strategy for ISO to make money by creating numerous documents and specifications sold at fancy prices. But for users, the multiple frameworks with overlapping provisions make it increasingly difficult to cut through the maze and find out what is good for an organization.

While many are still confused by the ISO 9000 series and the 27000 series themselves, of late more terminologies are coming out into the open. What is ISO 31000? What is ISO 20000-1? What is ISO 22301? How are they related to ISO 27001? These are questions that often arise in the minds of corporate executives who need to take decisions about budgeting for ISO audits.

ISO 27001 is an ISMS standard focused on the keyword “information” protection. An information asset is “anything that has a business value”. In other words, if an organization is seeking to protect all forms of information against unauthorized access (Confidentiality), unauthorized modification (Integrity) and loss or destruction (Availability), the standard provides a series of controls that enables you to pick and choose those that are relevant, based on a formal asset-wise risk assessment. ISO 27001 certification (under the 2005 edition of the standard) involves 133 controls, which together aim at a secure architecture combining preventive and detective controls, and encompass procedural, physical, technical and personnel controls.

On the other hand, the ISO 31000 standard aims to cover almost all areas of organizational risk: personnel, operations, information and finance. It is however a generic standard and does not cover specifics. It is not a certification standard, and organizations use it to compare best practices. Unlike other standards, the degree of implementation and its interpretation are left to users and to the advisers, consultants and internal auditors engaged by the organization. In comparison, ISO 27001 addresses specifics and requires asset-wise risk valuation which should clearly articulate the state of an asset and its control environment.

The latest in the standard family (in terms of inclusion of the word ‘risk’) is ITSM, the ISO 20000 certification, which is aimed at making the traditional IT organization or department free from service risk. It is aimed at making IT a ‘service’ department, and the standard has best practices aligned with ITIL. You would choose this if you wish to make your IT a “service” organization. A “service catalog” is the starting point for this and aligns your organization with business objectives.

Further, ISO 22301 (Societal security: Business continuity management systems) is the upgraded version of BS 25999 and gives more meaning to the scope of business continuity. ISO 22301 certification showcases the ability of an organization to demonstrate that it can continue to deliver in case of a disaster.

Within the ISO 27000 family, every standard is designed with a certain focus: if you want to build the foundations of information security in your organization and devise its framework, you should use ISO 27001; if you want to implement controls, you should use ISO 27002; if you want to carry out risk assessment and risk treatment, you should use ISO 27005; and so on. There is a logic to the multiplicity, though it is rather convoluted.

If we look through the above standards, it is clear that ISO is creating more confusion in the IS implementation community and is trying to offset competition from other frameworks such as COSO or COBIT by creating multiple standards within its own fold.

It must be noted that most organizations have used, and continue to use, ISO 27001 to show their security maturity. It is not clear whether the ISO organization expects corporates to implement ISO 31000 or ISO 20000-1 for building a security culture and to certify against ISO 27001 and ISO 22301, so that ISO gets multiple revenues. This also results in a multiple cost burden on organizations, which will certainly hurt the ISO brand.

One would not be surprised if this strategy, born of the typical brand marketing exercise used in marketing consumer products such as soaps and shampoos with adjectives such as “New” and “New and Improved”, backfires in the more informed Information Security market. Companies may soon find it more comfortable to back other frameworks which are sure of what they are doing.

I hope the Government of India (DIT), which has given an unfair, unconstitutional and misleading parliamentary endorsement to ISO 27001 in its “Reasonable Security Practices” notification of April 11, 2011, takes note of this situation and understands that it is backing the wrong horse.

Naavi

Posted in Information Assurance, Uncategorized