Let's Build a Responsible Cyber Society

When Your ISP makes you a Criminal !

In India, introduction of a virus is a contravention of Section 43 of ITA-2000 and could result in a liability upto Rs 1 crore to each of the persons affected. It can also be an offence under Section 66 under which the originator of a Virus can be imprisoned upto 3 years.

Our laws are so strict that if occurrence of the offence traceable to a person  is proved, the perpetrator can be arrested immediately and it would be his responsibility to prove his innocence. Under such  circumstances if an ISP out of its negligence causes virus to be sent in the names of their clients  it is putting their clients to a huge legal risk. Of course if the customer wants, he can file a legal suit on the ISP itself and clam damages for his negligence.

I have recently come across two instances of this kind in which VSNL is involved as an ISP which I would like to place before the public. One involves myself and the other involves my good friend Mr K.Srinivasan, founder of PR Point Foundation.

Incident 1: naavi @ vsnl . com

I was today (September 9,2006) informed that a mail was sent to one of the e-groups in my name and was waiting for moderation. When I checked up, the following mail was seen.  (Click Here for a bigger picture)


 

The mail did show the originating address as  naavi@vsnl.com, on September 19 2006 at 11.21 am. It contained an attachment which probably had a virus.

Since I donot use VSNL (Tata Indicom) network for internet access, I also donot use the SMTP server of VSNL and hence I cannot send any mail in the name ..@vsnl.com.

When the header information was checked, it showed (Click Here for a larger file) the senders IP address as 61.11.88.16.

 

 

This IP address was traced to VSNL  Mumbai. It was a static IP address. The e-mail was addressed to cysi@yahoogroups.com showing the return path as cysi@yahoogroups.com.

It therefore appears that the Virus/Trojan has generated a mail from the VSNL computer  to a yahoo group from the e-mail address naavi@vsnl.com. It is to be noted that the return path was shown as cysi@yahoogroups.com so that replies will not reach the apparent originating mail address. Perhaps the Trojan  runs a script on all yahoo group accounts and sends the mail in the name of the administrator to the group itself.

Incident 2: prpoint @ vsnl. com

I was also informed by Mr Srinivasan who holds the  e-mail address prpoint @vsnl .com that during a time he was away from his  computer due to illness, he had encountered many complaints from e- groups that virus and pornographic mails had appeared to originate from his address. He wondered if it was a similar flaw in the VSNL server which appeared to suggest that the user was active and sent several e-mails containing virus.

Responsibility and Liability of VSNL

It is clear that there must be innumerable instances of the above type where the e-mail identity of persons are being "Defamed" through the negligence of VSNL. In the process  some over zealous policeman may even  book a case and arrest the customers since apparently the mail seem to originate from him. (Remember many cyber cafe owners who are arrested because some users open adult websites).

It is necessary for VSNL to take note that in view of the clear case of "lack of due diligence" in such cases, VSNL cannot claim any refuge under Section 79 of ITA-2000 and at the same time the company and its executives may be held liable under Section 85 for both Section 43 and Section 66 contravention/offences.

This of course is not the only occasion that I have observed virus activities from VSNL e-mail system. It appears that VSNL serves  not only require  spam filters but also  better virus filters. As long as their are financial incentives for ISPs in charging their customers (Trojans must constitute to a significant percentage of bandwidth usage of VSNL customers),  there appears to be no possibility of ISPs taking any effective pro-active action from their end.

It is therefore the responsibility of the Ministry of Communications and Information Technology to ensure that ISPs tune up their security systems.

Or else, legal action should be brought on them under the ISP licensing provisions to pay suitable compensation to the customers who lodge complaints in this regard. The adjudicators in each state should also open up an e-mail complaint box to receive such complaints and quickly pass compensation orders.

It must be remembered that the adjudicators have the powers to even take Suo moto action when they observe such mass scale contraventions  perpetrated by ISPs and we can hope some adjudicator would be having sufficient public concern as to start an investigation on "whether ISPs are carrying known system risks by using less than optimal security measures to enable them make an unfair gain.

It is time that ISPs realize the need for Cyber Law Compliance or face the consequences of their negligence.

Naavi

September 19, 2006

(comments welcome)