Proliferation of Regulations is itself a Risk to be managed

The multiplicity of frameworks competing with each other on how the “Privacy” of an individual has to be protected has created a web of confusion in corporate circles, since all managements ultimately have limited resources and have to balance their compliance activities (audits, generation of reports etc.) against their commercial limitations.

Consider an Indian company with 10% of its business in EU data processing, 10% from HIPAA-covered entities and the balance in India, which also uses Amazon's cloud services. It needs to address questions such as:

– Should I opt for compliance with ISO 27001/27018, the HIPAA-HITECH Act, GDPR or ITA 2008?

– What about other security frameworks such as PCI DSS, which may also be applicable?

– How practical is it to pursue compliance with all applicable regulations concurrently, which is of course the ideal approach?

I am sure that the Privacy Professionals attached to these companies will be scrambling to develop Excel sheets mapping the controls of one framework to those of another. They will try to prove that an organization which is ISO 27001 certified is already deemed compliant with ITA 2008, HIPAA or the EU data protection requirements.

However, since most frameworks also insist on “Certification” by an “Accredited Certification Agency”, the plight of an organization does not end with “Being Compliant”; it must also “Document that it is Compliant”.

While this is certainly good for agencies that provide certifications, conduct seminars and training programs, sell compliance manuals etc. (and also for consultants), one needs to pause and consider whether we are going overboard with the proliferation of regulations, to the extent that one day organizations will revolt and ignore compliance altogether.

That would be a field day for Dispute Resolution Managers (including the undersigned, who proposes to manage an online dispute resolution mechanism under odrglobal.in) and for the legal firms which specialize in such matters.

But in the interest of the industry in general, we need to see how we can mitigate the “Privacy Regulation Proliferation Risk”.

At the end of the day, the objective of all Privacy Regulations is to ensure that an individual's identity information is protected from the time it is collected by an organization, through the life cycle of its usage, until it is destroyed.

The key instruments of such protection are “Disclosure”, “Consent”, “Security”, “Destruction” and above all “Ethical Usage”.

The different frameworks may differ in the detailing of how these objectives are met and how the measures of compliance are documented, audited and reported.

If therefore there is a strong common framework that addresses the principles of Privacy protection, it should suffice.

We must recognize that no framework is in a position to completely deny the powers of an authority to demand information for national security reasons.

Hence the principle of “Privacy Right subject to reasonable Regulations” will continue to rule. The problem of empowered law enforcement authorities themselves not following the laid-down principles is a risk that no framework can address effectively.

Currently, the emphasis of privacy regulation appears to be veering towards strict enforcement with hefty fines. The GDPR proposition of fines of up to 4% of global turnover appears insane.

The fines being contemplated and imposed under HIPAA and the EU rules will all be passed on to Business Associates in India through their Business Associate Contracts, the validity of which is further fortified by ITA 2000/8. These penalties therefore need to be noted by Indian companies with a stake in the data processing business.

But it is clear that the million and billion dollar penalties being brandished about in the US and EU markets can be indemnified by Indian companies only on paper, and could never be paid without simply closing down the business. Even if they are insured, the insurance will be expensive and insurers will limit their own liability by various means.

If, therefore, one takes the penalties seriously, tries to comply and obtains Cyber Insurance coverage to meet the contingencies, these regulations will have a devastating effect on the Indian outsourcing industry: costs will increase astronomically. The increased costs will only make its competitive edge vanish, which harms the US and EU customers as well.

It is therefore the responsibility of NASSCOM and other industry organizations to deliberate on how these competing and potentially crippling privacy regulations could affect our industry in general, and what steps need to be taken to provide a protective umbrella to Indian companies so that they are not dragged into international arbitration for billion dollar penalties at the drop of a hat.

On the other hand, companies also have to organize their own compliance activities so that the effort is proportionate to the risk of penalties. In this context, managements need to realize that if they operate in India they are exposed to the requirements of the Information Technology Act 2000/8, where the civil penalties for non-compliance are “Unlimited” and non-compliance could also result in imprisonment of the CEO and top executives for 3 to 7 years or more.

Prudent managements realize that a “Law is only as effective as its enforcement machinery”. Sometimes this is interpreted to mean that they can always manage Indian law enforcement even if they are caught in a non-compliant state. However, we need to realize that Indian law has immediate jurisdiction to enforce, whereas the international regulations have to act through arbitration on contractual agreements and then through international treaties. In this respect, Indian laws are more threatening to companies in India than the international laws.

Remember that the local police station, where an inspector has jurisdiction to act, is only across the road, and sometimes non-compliance with Indian laws may easily bring him hunting. Hence compliance with Indian laws cannot be ignored, though for many organizations it is fashionable to comply with international regulations and ignore local laws. This is clear from the fact that there may be more companies in India which are “Patriot Act compliant” than “ITA 2008 compliant”.

While the industry should continue to deliberate on methods for “Mitigation of Privacy Regulation Proliferation”, certain initiatives need to be taken by the Government and by organizations such as NASSCOM and STPI if they are to provide a sense of security to businesses in India. I will try to bring these up for discussion some time later.

I hope sufficient attention would be given to this aspect in the coming days by the Government.

Naavi

Posted in Cyber Law

New Privacy Compliance Initiative from Naavi.org

Naavi.org has been working in the area of Cyber Law Compliance in various forms. While Naavi.org focuses on building awareness of Cyber Law, Cyber Law College focuses more on formal corporate training and educational programs.

ITA2008.in provides basic information on ITA 2000/8. Cyberlawguru.com and the Android app “Cyberlawguru” provide interaction with the public for clarifying issues related to Cyber Law.

Services such as ceac.in, odrglobal.in and cyber-notice.in focus on different aspects of resolving issues arising out of non-compliance with Cyber Laws such as ITA 2000/8.

Cyberinsurance.org.in and ujvala.in are other web initiatives to build awareness of related issues. Lookalikes.in and domaineering.org are initiatives on resolving domain name disputes.

Yesterday there was an important conference in Bangalore, organized by the Indian Bar Association (INBA) and the International Association of Privacy Professionals (IAPP), where the challenges of the emerging global privacy compliance scenario arising out of the new EU regulations were discussed. As a follow-up to the deliberations, it appears that there is a need for focussed dissemination of Privacy-related information relevant to India, on lines similar to how Naavi.org emerged from the need to build awareness about ITA 2000.

Naavi has already been working as a compliance consultant in the area of HIPAA compliance, along with similar consultancy on the data protection aspects of ITA 2008 compliance. Naavi.org has been an instrument for building awareness of both ITA 2008 compliance and HIPAA compliance.

In the light of the new developments in the EU privacy scenario, which will have a ripple effect across the globe, it is felt that India needs to take up fresh initiatives in the area of compliance with the emerging global data protection regulation regime.

While India may or may not pass a separate Privacy Protection law, the need to comply with the regulations that exist as a “Standard” or “Best Practice” in the global scenario is critical for the Indian IT/BPO industry.

In order to contribute towards this goal of better Privacy Compliance in India, Naavi.org has now decided to present relevant information on “Privacy with special reference to India” through its new web site www.privacy.ind.in (Privacy Knowledge Center).

Presently, privacy.ind.in will host information and articles on the privacy protection regime as collated and presented by Naavi. It may therefore start as a blog with the views of Naavi.

However, as and when other interested professionals contribute their views, it is expected to become a platform for all information related to Privacy Protection in India and assume the nature of a portal.

I invite Privacy professionals in India to contribute to this initiative and make it a success in the general interest of the Indian IT/BPO industry.

Naavi

Posted in Cyber Law

The Privacy Shield Regime

From 1 August 2016, the new Privacy Shield regime in the EU-US data market has come into operation. It replaces the “Safe Harbor” regime that was declared invalid by the Court of Justice of the EU (CJEU) in October 2015.

This new Privacy Shield provides the framework for EU-US personal data transfers from now on and will operate alongside the alternatives such as BCR (Binding Corporate Rules) and SCC (Standard Contractual Clauses of the EU), and, in the APEC region, the CBPR (Cross Border Privacy Rules) system. Note that CBPR is a separate APEC mechanism and is not by itself recognized as a basis for transferring personal data out of the EU.

Relevance to Indian IT Companies

These EU-US developments will also affect data processing in India, either because the customer transferring the data is located in an EU country or because these principles will emerge as general industry standards. Hence a general understanding of these principles is essential for Indian companies engaged in data processing involving the “Personal Data” of non-Indian citizens.

As regards the data of Indian citizens, ITA 2000/8 imposes its own obligations under Section 43A (for sensitive personal information) and Section 72A (for all personal information), besides other provisions that apply to “Data” in general. The key aspect of the Indian law is that it provides legal backing to the contractual agreements between an Indian data processor and the foreign data vendor. Hence whether they are Privacy Shield obligations or BCR/SCC/CBPR obligations, they all get extended to Indian processors and become enforceable under Indian law.

Indian companies therefore have to be fully alert to developments in the EU-US data exchange scenario and follow them in India as the best Privacy practice, particularly when processing of international data is involved. Since it is impractical to maintain one set of privacy standards for the data of foreign nationals and another for Indian nationals, companies need to adopt the international standards for all personal data, irrespective of whether it pertains to an Indian citizen or a foreign citizen.

This should establish the relevance of the new EU-US Privacy Shield regime and the other frameworks to the Indian context.

What is Personal Information?

In Indian law, the rules under Section 43A define personal information as

“any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”

In comparison, “Sensitive Personal Data or Information” is personal information consisting of any of the following:

(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

The same rule adds a proviso that information which is freely available or accessible in the public domain, or furnished under the Right to Information Act 2005 or any other law in force, is not regarded as sensitive personal data or information.

In contrast, the EU definition of personal data (Article 2(a) of Directive 95/46/EC) reads as follows:

“‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;”

The EU definition appears broader than the Indian definition (and the GDPR definition in Article 4(1) is broader still, expressly naming identifiers such as a name, location data, online identifiers and genetic factors), but we can assume that for practical purposes both mean the same.

However, it must be remembered that under European law, data is considered “transferred” when it is either physically transferred to another country (i.e. stored in a data centre on that territory) or when a person residing in another country accesses the data from that country. It is therefore an extremely broad concept that may apply even if the personal data is technically stored within the EEA.

Hence the EU rules apply both where data is actually moved to servers outside the EU/EEA and where remote access to it is provided from outside, for example when a processing team in India logs into a customer's EU-hosted system.

Essence of Privacy Shield

Privacy Shield principles are not very different from the Safe Harbor principles, but there are a few significant differences that we need to note, mainly in how the provisions are enforced.

Stronger Supervision:

The intent of Privacy Shield is to transform the oversight system from self-regulating to one that is more responsive and proactive. The certification and annual re-certification process will remain unchanged, but the Department of Commerce will actively monitor compliance through detailed questionnaires, among other things.

Additionally, the FTC will maintain a “wall of shame” for companies that are subject to FTC or court orders in Privacy Shield cases.

Redressal Mechanism

Any EU citizen who believes that his or her data has been misused will have several redress possibilities under Privacy Shield. Among them, EU citizens will be able to report complaints directly to their local Data Protection Authorities. The redress mechanisms include established timelines for responses by the subject company (a complaint must be answered within 45 days). Privacy Shield also creates a new arbitration right for unresolved complaints.

Limitations imposed on US public bodies

There will be clear limitations, safeguards and oversight mechanisms for access by public authorities for law enforcement and national security purposes. A new redress mechanism (the Privacy Shield Ombudsperson) will inform a complainant whether an access or surveillance matter has been properly investigated, and that either U.S. law has been complied with or, in the case of non-compliance, the non-compliance has been remedied.

Steps to Certify

The subject company should first develop and maintain a Privacy or Privacy Shield policy based on the principles of the EU-U.S. Privacy Shield. The seven principles (Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; Recourse, Enforcement and Liability) can be grouped for this purpose as follows:

  1. Notice. Privacy Shield companies must update or prepare a global or EU-applicable privacy policy or EU notice statement for the data subjects within the scope of the certification, ensuring that the policy or notice is accurate, comprehensive and visible to data subjects.
  2. Choice. The policy must also cover consent, permission, data use limitations and opt-out mechanisms, and the special treatment of “Sensitive Personal Data”.
  3. Access, Data Integrity and Redress. The policy also addresses existing processes or controls, where applicable, needed to meet the Access, Data Integrity and Redress requirements of a Privacy Shield election.

A Privacy Shield company must maintain adequate and reasonable administrative, technical and physical safeguards and controls designed to address the security requirements appropriate to the U.S. and EU applications that capture or process data within the scope of the certification.

Following a review of existing contracts, the contracts with downstream Business Associates must be updated to address the specific Privacy Shield wording requirements (the Accountability for Onward Transfer principle requires that onward transfers to third parties be covered by a contract binding the recipient to the same level of protection).

Staff need to be trained on the Privacy Shield requirements.

Documentation supporting the company’s Privacy Shield certification (e.g., policies and procedures, gap assessment report, and contract addendum) should be prepared/compiled and included in a compliance binder.

Registration

Companies which decide to adopt the Privacy Shield must register with the International Trade Administration of the US Department of Commerce and go through the self-certification process, including completion of the required questionnaires. Note that only US organizations subject to the jurisdiction of the FTC or the Department of Transportation can self-certify; an Indian processor cannot itself join the Privacy Shield and is bound only through its contract with the certified US company.

It is presently reported that around 200 companies signed up in the first month after registration opened. Others may be weighing the need for registration against their present privacy practices, which may already incorporate other measures such as BCR, SCC or CBPR.

Alternatives to Privacy Shield

BCR:

BCR or Binding Corporate Rules are internal rules adopted by multinational group companies which define the global policy for international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection. Once approved under the EU cooperation procedure, BCR provide a sufficient level of protection for companies to obtain authorisation of transfers from the national data protection authorities (“DPA”). BCR do not, however, provide a basis for transfers made outside the group.

EU Standard Contractual Clauses

The Council and the European Parliament have given the EU Commission the power to decide that certain standard contractual clauses offer the safeguards required.

The Commission has so far issued three sets of standard contractual clauses:

  • two sets for transfers from data controllers in the EU to data controllers outside the EU/EEA
  • one set for transfers from an EU data controller to processors established outside the EU/EEA.

Adoption of these standard clauses could be considered where suitable. Note that the controller-to-processor set (Commission Decision 2010/87/EU) permits sub-processing only with the prior written consent of the data exporter and under a written agreement imposing the same obligations on the sub-processor; this is the usual route by which an Indian sub-contractor of an EU customer's processor becomes bound.

CBPR (Cross Border Privacy Rules of APEC)

The APEC Cross Border Privacy Rules (CBPR) system helps bridge the differences in privacy rules between countries by providing a single framework for the exchange of personal information among participating economies in the APEC region. At the time of writing there are three participating APEC CBPR system economies, the USA, Mexico and Japan, with more expected to join soon.

The APEC Electronic Commerce Steering Group (ECSG) and the EU Article 29 Working Party have produced a common referential mapping the requirements of the APEC CBPR system and the EU Binding Corporate Rules.

Participating companies are required to adhere to the standards established by the APEC CBPR system. All APEC CBPR certified companies have their privacy policies and practices evaluated by an approved independent third-party verifier (known as an “Accountability Agent”). Accountability Agents monitor and enforce companies' compliance with the APEC CBPR program requirements. In appropriate cases, they are also required to report non-compliance to Privacy Enforcement Authorities.

Final Word

Mechanisms such as the Privacy Shield, BCR, SCC and CBPR are different framework approaches to managing privacy concerns when data flows from one country to another whose privacy laws may differ. Some of these frameworks differ in their systems of enforcement and grievance redressal. Privacy Shield is a self-declaration based certification system (though backed by Department of Commerce review and FTC enforcement), whereas CBPR brings in an Accountability Agent to certify in the first place. BCR are limited to intra-group transfers within multinational companies and do not serve as a comprehensive approach. The SCC framework is a good model and should be explored when drafting Business Associate Contracts under which data is passed to sub-contractors.

While these frameworks are essentially for the participating economies (EU-US transfers, the CBPR signatories etc.), Indian companies need to recognize that ITA 2000/8 gives contractual effect to these frameworks, and that vendors in the USA, the EU or any other country who transfer data to Indian companies may have incorporated fine-print clauses in their SLAs or Business Associate Contracts and may try to enforce indemnity clauses for any intentional or negligent contravention of the privacy obligations.

It is time companies in India audited their privacy policies and their implementation status to ensure that any deviations are within manageable levels.

Naavi

Posted in Cyber Law

Seat of Arbitration in ODR

One of the concerns of arbitrators intending to use the ODR facilities provided by www.odrglobal.in is how the Courts may interpret the “Seat of Arbitration” and apply the relevant laws.

The applicable law in an arbitration is relevant for seeking interim relief during the arbitration and for appeals after it, besides governing the interpretation of the law relating to the dispute itself.

The choice of the applicable law may depend on the residence of the disputing parties as well as the place where the underlying contract was performed. Ideally, the parties to a contract should choose within the contract the applicable law which will govern the interpretation of the legal issues involved in its performance.

This may, however, be insufficient to determine the law applicable to the conduct of the arbitration proceedings initiated as the dispute resolution mechanism.

Where no mention has been made of the law applicable to the arbitration proceeding, the convention has been to take the place where the arbitration is held as the basis for applying the procedural law governing the conduct of the arbitration. This is normally referred to as the “Seat of Arbitration”.

It is necessary for us to appreciate that the “Seat of Arbitration” may be different from the “Venue of the Arbitration” if the parties so choose. It is possible for an arbitration proceeding to be held at multiple venues, while the designated seat of arbitration is the place whose Courts exercise jurisdiction over the procedural aspects of the arbitration.

In India the law of arbitration has to be viewed as “Pre-Amendments of 2015” (Before Amendments or BA) and “Post amendments of 2015” (After Amendments or AA).

In the BA period, the guiding principle was the Supreme Court decision in BALCO Vs Kaiser Aluminium Technical Service Inc, where it was held that “the choice of another country as the Seat of Arbitration inevitably imports an acceptance that the law of that country relating to the conduct and supervision of Arbitrations will apply to the proceedings.”

According to this, if the arbitration agreement was found or held to provide for a seat or place of arbitration outside India, then even if the contract specified that the Indian Arbitration Act should govern the arbitration proceedings, Indian courts could not exercise supervisory jurisdiction over the arbitration or the award.

It is an established principle of law (Delhi High Court, in PCP International Limited (“Petitioner”) v. Lanco Infratech Limited (“Respondent”), OMP (I) No. 350/2015) that parties cannot by consent confer jurisdiction on a court which does not have it. The parties' choice in conferring exclusive jurisdiction on a particular court is limited to the courts holding concurrent jurisdiction under the principles contained in Section 20 of the Code of Civil Procedure, 1908 (“CPC”).

The Delhi High Court in the above case of PCP International also held “that the seat of arbitration refers to the legal localization of the arbitration whereas the venue refers to the appropriate or convenient geographical locality for hearings of the arbitration”. When the petition came up for review, the Court accepted the Supreme Court's interpretation in the BALCO case that “concurrent jurisdiction vests in the court which would have jurisdiction where the cause of action is located and the courts where the arbitration takes place”.

Hence when parties use a cyber venue for arbitration, such as ODR on ODRGLOBAL.IN, it does not in any way affect the “Seat of Arbitration” that may be agreed upon by the parties in any of the places having concurrent jurisdiction.

In the case of a Virtual ODR, the arbitration is deemed to be held in Cyber Space. Cyber Space does not belong to anybody, since it is an “Imaginary transaction space created by binary documents”. If, therefore, a dispute on a cyber space transaction has to be adjudicated by the physical judicial authorities, we need to agree upon the appropriate method to choose the jurisdiction of the Courts.

Since it is natural for parties to a contract to agree upon the “Seat of Arbitration”, either as part of the contract or when they fix a venue for an arbitration, the best option for parties accepting the virtual ODR process is to state upfront in the contract which of the contracting parties' jurisdictions will apply.

Since ODRGLOBAL.IN is an Indian venture, the default jurisdiction by implication (if nothing to the contrary is indicated) could be considered as India. In domestic arbitration there is no issue, since all the contracting parties are in India and any difference of opinion is only over which High Court has jurisdiction. In international arbitration, it is open to the parties to agree upon a non-Indian country as the jurisdiction for any procedural disputes by stating that country as the seat of arbitration.

In India, the law that defines Cyber Transactions is contained in ITA 2000/8 (Information Technology Act 2000/8). The Arbitration Amendment Act of 2015 (effective from 23rd October 2015) has specifically accepted “Electronic Communications” for the formation of an arbitration agreement [Section 7(4)(b)] (though this was always available by interpretation of Section 4 of ITA 2000/8). Further, ITA 2000/8 deems an electronic record to be dispatched from the originator's place of business, or, where the originator has no place of business, from his usual place of residence [Section 13(3) and 13(5)]. Hence an electronic message that forms a contract is deemed to have been executed from the place from which the acceptance is deemed to have been sent. Thus, if the Virtual ODR room is set up under the instruction of the person who starts the ODR process, his place can be considered the place in which the Cyber Facility is established as the virtual place of arbitration. If the ODR is invoked by a person from a foreign country, it may therefore be possible to consider his country as the country defining the seat of arbitration.

Apart from this, it may be noted that the amended Arbitration Act provides, in the proviso to Section 2(2), that

“… subject to an agreement to the contrary, the provisions of sections 9, 27 and clause (a) of sub-section (1) and sub-section (3) of section 37 shall also apply to international commercial arbitration, even if the place of arbitration is outside India, and an arbitral award made or to be made in such place is enforceable and recognised under the provisions of Part II of this Act.” (amendment effective from 23rd October 2015)

Section 9 refers to interim measures by a Court, Section 27 to court assistance in taking evidence, and Sections 37(1)(a) and 37(3) to appeals.

In view of the above, in a virtual ODR process, the parties are free to declare a specific seat of arbitration or proceed with the implied seat as India.

The Virtual ODR process of Odrglobal.in also renders a recording of the arbitration proceedings with a certificate under Section 65B of the Indian Evidence Act. In Indian Courts this should make the recording admissible as such, though in other countries it is open to the Court to admit it as submitted or to ask for a further affidavit etc.

Odrglobal.in, however, suggests that “the Arbitration Clause may itself be used to define the seat of arbitration if the virtual ODR facility is used”.

Since Cyber space is just another venue, parties are also free to use the Virtual ODR of odrglobal.in for some hearings and physical hearings for others. This will not adversely affect the validity of the proceedings.

Once the UNCITRAL Model Law on ODR is released in its final recommendatory form, ODRGLOBAL would be considered an “ODR Administrator” subject to the prescriptions of the model law (which Odrglobal.in is already following in substantial measure), and hence the use of cyber space will become acceptable even in international arbitrations.

I suppose this clears the concerns that some may have on the use of Virtual ODR.

Naavi

Posted in Cyber Law

Cyber Command Push should be our response to Uri Attack

The unfortunate terror attack in Uri, in which about 20 Indian soldiers were martyred, should open the eyes of our defense strategists to plug our weaknesses and strengthen our defenses. There is no doubt that the incident highlights negligence on the part of the local unit in Uri, which failed to assess the risk and take sufficient steps to stop such an attack. As with the US twin tower attack, the terrorists can gloat over their success for a long time to come and use it to motivate their cadres. We need to counter this with an appropriate counter-attack that can have a long-term impact on our defense systems.

We are sure that unlike the previous Congress Government, which was more sympathetic to Pakistani terrorists and even went to the extent of shedding tears when terrorists were killed, and also provided a shield to terrorists by taking the stand that Ishrat Jehan was not a terrorist, the Modi Government is more determined to provide a tough counter-response.

The debate, however, is “What should such a tough counter-response be?”. Since yesterday we have been seeing many experts suggesting different options. Some have suggested that India should raise a “Non State Actor Force” which can undertake covert operations to hurt Pakistan. A formal strike on terror hideouts is another suggested response. An economic blockade of Pakistan and its known sympathizers like China is another strong response suggested.

While political efforts to isolate Pakistan internationally and obtain sanctions against it are overdue, this should start with India itself. We need to immediately put an embargo on all trade and people-to-people relations with Pakistan and ignore opposition from people like Salman Kurshid and Mani Shankar Iyer. We should also act immediately in J&K and declare Governor's rule with the Army in complete control. All Government expenditure on securing the separatist leaders and on their security should be withdrawn immediately, and they should be put in proper jails outside Kashmir. This is meant to hurt Pakistan psychologically.

Simultaneously, an economic blockade must begin: red-flagging countries and companies dealing with Pakistan and putting barriers on their business with India.

Beyond these psychological and economic measures, and leaving the military options to the experts, there is a need for the Government to focus on the long-standing demand for setting up a “Cyber Command” to take up “Electronic Warfare”. This has been discussed for over a decade now, and I presume that somewhere in our defense systems some silent work is being done. But it is evident that we are not able to see the effect of this either in reducing terrorist attacks or in inflicting damage on the Pakistan economy through electronic warfare.

I think the time has come now for the Modi Government to showcase its resolve to fight Pakistan’s proxy war through terrorism with its own brand of cyber warfare.

India may require a lot of investment in its defense, which has been systematically weakened by the corrupt UPA Government in the past, in the form of aircraft, submarines etc. But amidst such investments in military hardware, substantial investment in electronic warfare is also required. I presume that electronic warfare will eventually not be as expensive as conventional warfare is.

To begin this exercise, the Government has to first set up a Cyber Command or, if one already exists, start some action to develop a few thousand cyber warriors properly recruited directly from the colleges. The strategy and scope of operations of such a command are not a subject matter for public discussion.

I look forward to some concrete action from the defense minister immediately, so that the Indian Cyber Command not only strengthens our intelligence capabilities but also the capability to launch strikes on the Pakistan military. This should be the one single difference between India before the Uri attack and India after the Uri attack.

Naavi

Related Article:

The Cyber Command: Upgrading India’s national security architecture

ORF Special Report

New Indian Cyber Command Urged Following Recent Attacks

Indian National Cyber Security Challenges

Posted in Cyber Law

Playpen operation by FBI throws up a debate on evidentiary issues of investigation

The Electronic Frontier Foundation (EFF), which fights for the rights of Netizens, has opened up an interesting debate on evidence collected during the FBI’s investigation of a child pornography operation. (Refer to the linked article for details of the case.)

To explain the context briefly, the FBI received a tip from the law enforcement agency (LEA) of another country about a site called “Playpen” hosting child pornography. During preliminary investigations, it was found that the IP address of the server could be identified due to a technical misconfiguration of the site. The IP address was located within US jurisdiction. Using this information, the FBI obtained a search warrant and seized the server.

However, instead of shutting down the server, the FBI kept it running under its own supervision for another two weeks, collecting evidence of different kinds. In the process, the FBI also installed malware of its own, called NIT (Network Investigative Technique), on the computers of visitors to the site. This could collect identifying information about the users, in particular their real IP addresses, which the site itself could not see because its visitors reached it anonymously through Tor.

It is reported that the FBI has charged and arrested hundreds of persons based on this investigation.

Naturally, this operation has given rise to a debate on the right of an LEA to violate the privacy of individuals during an investigation and thereafter.

One interesting issue that unfolds here is that offences were committed both before the FBI took over the Playpen site and during the time the FBI was operating it. Likewise, evidence was collected both before the FBI took over and during the time it ran the server.

There were also illegal activities committed by the FBI itself, in keeping the site running to trap continuing users of the site as well as new users.

The issue is complicated, and views on whether the evidence would be admitted in Court may differ. However, it appears that in respect of persons who started using the site during the time the FBI was in charge of it, any evidence collected may be considered as “collected through an illegal process” and may not be admitted by the Courts.

However, where offences were committed earlier and only the identification details were collected during the investigation by planting the NIT, the Courts may perhaps accept the identification along with the evidence of crime committed prior to the FBI takeover, and allow the prosecution to continue.

I hope new case law will be established when the cases arising from this investigation are analyzed by the Courts in the USA, and that it will set a trend in interpreting evidence collected by LEAs through intelligence operations.

Naavi


Posted in Cyber Law