It is a common adage to say that “Law is always behind the Technology”... and also to add, “like the traditional Hindu wife”. But all of us know that the “Tradition” has changed. The modern wife drives the bike while the husband sits on the pillion. DPDPA refers to “She” and “her” instead of the traditional “he” and “him” when referring to an individual by pronoun. This is an indication that times have changed and we need to change with the times.
In the field of law, we used to recognize that “Ethics” comes first and is converted into “law” in due course. Today we have the concept of “Due Diligence” built into many laws, which is nothing but “Ethics” as “Self-adopted law”.
Practitioners of Technology, however, defy “Ethics” and support the concept of “Innovation” at any cost. Technologists want to be exempted from legal bindings so that they can “Innovate” without hindrance. This attitude breeds the trouble which we have called “Technology Intoxication” in the past.
One compromise solution that the industry has developed at present, to limit the adverse effects of a bad software release, is to enable a “Sandbox” where new software can be tested in a controlled environment before it is released to the public.
Despite the availability of this “Sand Box” concept, and of “Beta Releases”, which were the norm earlier, it is common to see that software normally carries “Zero Day Vulnerabilities”.
Some organizations try to provide “Bug Bounty” programs so that vulnerabilities observed after release can be reported, rewarded and corrected. However, there are many companies who do not show even this courtesy.
Also, the rewards of Bug Bounty programs are not good enough to compete with the hacking community, where vulnerability information is sold on the dark web for a much larger value than the Bug Bounty rewards.
In this context, the time has come to discuss whether there should be a mandatory sandbox routine before any software is released to the market for direct consumption by consumers. “Beta Testing” cannot be optional; if it is, it will always be abused or neglected.
Hence we need to debate a suggestion to create a new “Sand Box Law” mandating that every software product has to go through a “Sand Box” cooling period. For this purpose it will be necessary to create the required infrastructure, both by the Government and by the industry.
In the case of software used by industry as a B2B product, the responsibility for vulnerabilities should be borne by the user (buyer or licensee), who can get himself indemnified by the developers.
The Consumer Protection laws need to be strengthened for this purpose if required.
Advent of AI
Now, with the advent of AI, we are aware that all Cyber Crimes have started using AI to make the crime more sophisticated. The information on the Internet today has become completely unreliable, since fake news is becoming extremely common. Whether it is political news or war news, nothing seems to be true unless proved otherwise. This is a very sad state of affairs.
India is now considering regulation of AI. Hence this is the right time to consider whether the concept of “Mandatory Sandboxing” should be extended to the AI law.
The Government of India has already issued an advisory that AI developers and users need to register with MeitY. But probably this has been ignored by the industry.
The consequence of not complying with the advisory would be a “Lack of due diligence” and loss of “Section 79-ITA 2000” protection, or “Non Compliance with the obligations of a data fiduciary” under DPDPA 2023.
To make the law more effective, the deterrence available under these laws needs to be highlighted in such contexts. ITA 2000 has criminal provisions and, depending on the adverse consequence, an AI user organization and the AI developer organization may be liable for up to life imprisonment, which can be extended to the executives of the organization. Simultaneously, the civil penalties under both ITA 2000 and DPDPA 2023 may also become effective.
We suggest that instead of Naavi.org releasing a note of warning, CERT-In should release a notification in this regard. We can then expect that the industry takes note of this provision. People say that unless there are at least a few cases of imposition of penalties, the industry will not respect the law, and therefore CERT-In should order prosecution in some cases so that people become aware of their responsibilities.
Call for a Debate
I therefore call for a debate on how “Innovation can be bound within a mandatory Sandbox law”, with severe penalties, both civil and criminal, for the consequences arising out of software.
I also call for a debate on penalizing and punishing those security researchers who identify a vulnerability and sell it on the dark web instead of handing it over to the company while simultaneously reporting it to the authorities.
In such cases, the Government itself should impose penalties, which should be shared with the security researchers as “Incentives”, reducing the incentive for selling the same on the dark web.
I am certain that this thought will be considered revolutionary and perhaps even revolting. But the need to end the irresponsible behaviour of software developers, who have today converted the internet into a large Fake Information factory, which is percolating into AI software because of machine learning, is urgent.
If this is not controlled, AI will kill whatever little trust remains in the Internet. Just as people deride the “WhatsApp University”, the time is not far off when people will start deriding “Google University”.
The software industry should, for its own existential reasons, become more responsible and stop claiming that “Innovation is our job, Protecting the Society is somebody else’s job”.
Innovation that hurts society has no place and has to be thrown out, if not voluntarily, then by a new set of laws.
Let’s Debate.
Naavi