At a time the MeitY is finalizing the rules to be notified under DPDPA 2023, we need to flag some of the erroneous practices of e-mail providers and domain name registrants that gives raise to Cyber Security concerns under the false pretext of “Privacy”.
It is well known that WhoIs data of domain name registrants are mostly blocked under the pretext of “Privacy” which prevents or at least delays any investigation about cyber crimes committed with the use of fraudulent domain names.
Similarly e-mail providers donot reveal the originating IP address and substitute it with a proxy IP address. As a result any investigation requires the service provider such as GMail to be contacted for knowing the originating IP address. The service provider in such circumstances refuses to provide the information and a long legal process making the service provider liable under Section 79 of ITA 2000, is involved to get the details.
The e-mail service providers also quote “Privacy” as a reason for withholding the information.
We need to point out that “WhoIs” information is about maintaining a domain name visible to the public and posting content of any type which includes legal and illegal activities. This is not involving “Personal” activity and has to be classified as a “Publishing” activity and a “Business”. As a result the concept of “Privacy” of an individual under the “Right to Privacy as a fundamental Right” does not apply to domain name registration service.
Hence MeitY has to declare that all Domain Name Registrars are “Intermediaries” under ITA 2000 and the practice of hiding the name and address of registrants is unacceptable. Further, registration of any domain name under a false name is an act of “Impersonation” which violates ITA 2000 as well as the DPDPA 2023 and hence makes the registrar liable for any crimes committed with the publication.
As a part of “Due Diligence” of Domain Name registrars, Government should introduce a notification declaring that the registrars are required to verify the e-mail address and mobile number of the Registrant, Admin and Technical contact of every registered domain name. In the event that any of the details provided are “False” and the fact is brought to the notice of the registrar, the domain name must be immediately notified for de-activation within 48 hours and if no response comes forth from the registrar or the registrant/admin contact of the domain, the domain activity must be suspended.
Similarly, service providers like Gmail need to accept that the “Recipient” of an e-mail particularly if he is also using the gmail ID, is a customer of Google and if a sender of an e-mail is a fraudulent person or a terrorist, Gmail has no business to assist such fraudster or terrorist to hide his originating IP address and use the services in a manner which is considered as an “Offence”.
Hence under the Section 79 due diligence, MeitY has to issue a notice to Google that for all gmail recipients, Gmail should either drop the substitution of the originating IP address or introduce a one click access to the originating IP address from the menu bar of the e-mail inbox.
The same procedure should be made mandatory to all e-mail service providers including the Proton mail and other service providers who are assisting Criminal syndicates around the world to commit Cyber Crimes with impunity. Service providers like Protonmail as well as Topmail which served terror threat emails to Bangalore schools recently must be declared as “Terror Abettors” and charged accordingly under terrorist acts. Such services need to be black listed and blocked under Section 69 of ITA 2000.
There is no “Free Speech” rights for either the criminals who use E-mail as a tool of threat and a tool of spreading fear in the community with bomb threats under a fake ID and this must be made known to all the service providers.
India being a country ruled by Supreme Court, any directions in this regard by Meity as an executive wing of Governance or even the Parliament as a legislative wing of Governance under the Constitution, will be challenged in the Supreme Court. Hence, in the end it would be the responsibility of the Supreme Court to determine what is more important…the rights of a criminal or the rights of a victim/potential victim of a cyber crime. Let the Supreme Court take the responsibility for prevention of Cyber Crimes on its decision.
It is unfortunate that the law enforcement often does not initiate action against e-mail service providers and it emboldens them to indulge in such activities and claim protection under “Privacy”.
After the recent CERT IN Guidelines, many of the VPN service providers who did not want to abide by the Indian laws have moved out of India. This is more a loss to them though it is also a small irritant to many genuine users of the service.
India today has services such as e-mail and chat services such as LegerMail or LedgerChat that are a replacement of G mail and WhatsApp providing both security and privacy and more such service providers will come in India to replace Proton mail and others who are “Law Compliant secure email providers”.
The suggestions made here on invoking ITA 2000/DPDPA 2023 also may raise some objections including from Google/Gmail who are perhaps drafting the DPDPA 2023 rules on behalf of the Meity in the backrooms, but in the interest of Cyber Security of India, Government must introduce the recommended measures.
I request the MeitY/CERT-IN and NiXi to take the necessary measures.
Naavi
