NDTV India Ban: A Case of Regulatory Overreach and Insidious Censorship?

By Kasturika Kaumudi 

In a highly contentious move, the Ministry of Information and Broadcasting (‘MIB’) issued an order banning the telecast of the Hindi news channel ‘NDTV India’ on 9th November, 2016. The MIB imposed this ‘token penalty’ on NDTV India following the recommendation of an Inter-Ministerial Committee (‘IMC’). The IMC had found the channel liable for revealing “strategically sensitive information” during the coverage of Pathankot terrorist attacks on 4th January, 2016. The ban has, however, been put on hold by the MIB after the Supreme Court agreed to hear a writ petition filed by NDTV India against the ban.

The order passed by the MIB raises some important legal issues regarding the freedom of speech and expression of the press. Since the news channels are constantly in the race for garnering Television Rating Points, they may sometimes overlook the letter of the law while covering sensitive incidents such as terrorist attacks. In such cases, regulation of the media becomes necessary. However, it is tricky to achieve an optimum balance between the various concerns at play here – the freedom of expression of the press and the people’s right to information, public interest and national security.

In this post, we discuss the background of the NDTV India case and the legal issues arising from it. We also analyze and highlight the effects of governmental regulation of the media and its impact on the freedom of speech and expression of the media.

NDTV Case – A Brief Background:

On January 29, 2016, the MIB had issued a show cause notice to NDTV India alleging that their coverage of the Pathankot military airbase attack had revealed vital information which could be used by terror operators to impede the counter-operations carried by the security forces. The notice also provided details regarding the alleged sensitive information revealed by NDTV India.

In its defence, the channel claimed that the coverage had been “balanced and responsible” and that it was committed to the highest levels of journalism. The channel also stated that the sensitive information allegedly revealed by the channel regarding critical defence assets and location of the terrorists was already available in the public domain at the time of reporting. It was also pointed out that other news channels which had reported on similar information had not been hauled up by the MIB.

However, the MIB, in its order dated January 2, 2016, held that NDTV India’s coverage contravened Rule 6(1)(p) of the Programme and Advertising Code (the ‘Programme Code’ or ‘Code’) issued under the Cable TV Network Rules, 1994 (‘Cable TV Rules’). In exercise of its powers under the Cable TV Networks (Regulation) Act, 1995 (‘Cable TV Act’) and the Guidelines for Uplinking of Television Channels from India, 2011, the MIB imposed a ‘token penalty’ of a day’s ban on the broadcast of the channel.

Rule 6(1)(p) of the Programme Code:

Rule 6 of the Code sets out the restrictions on the content of programmes and advertisements that can be broadcast on cable TV. Rule 6(1)(p) and (q) were added recently. Rule 6(1)(p) was introduced after concerns were expressed regarding the real-time coverage of sensitive incidents like the Mumbai and Gurdaspur terror attacks by Indian media. It seeks to prevent disclosure of sensitive information during such live coverage that could act as possible information sources for terror operators.

Rule 6(1)(p) states that: “No programme should be carried in the cable service which contains live coverage of any anti-terrorist operation by security forces, wherein media coverage shall be restricted to periodic briefing by an officer designated by the appropriate Government, till such operation concludes.

Explanation: For the purposes of this clause, it is clarified that “anti-terrorist operation” means such operation undertaken to bring terrorists to justice, which includes all engagements involving justifiable use of force between security forces and terrorists.”

Rule 6(1)(p), though necessary to regulate overzealous media coverage especially during incidents like terrorist attacks, is vague and ambiguous in its phrasing. The term ‘live coverage’ has not been defined in the Cable TV Rules, which makes it difficult to assess its precise meaning and scope. It is unclear whether ‘live coverage’ means only live video feed of the operations or whether live updates through media reporting without visuals will also be considered ‘live coverage’.

Further, the explanation to Rule 6(1)(p) also leaves a lot of room for subjective interpretation. It is unclear whether the expression “to bring terrorists to justice” implies the counter operations should result in fatalities of the terrorists or if the intention is to include the coverage of the trial and conviction of the terrorists, if they were caught alive. If so, it would be highly impractical to bar such coverage under Rule 6(1)(p). The inherent vagueness of this provision gives wide discretion to the governmental authorities to decide whether channels have violated the provisions of the Code.

In this context, it is important to highlight that the Supreme Court had struck down Section 66A of the Information Technology Act, 2000 in the case of Shreya Singhal vs. Union of India, on the ground of being vague and overbroad. The Court had held that the vague and imprecise nature of the provision had a chilling effect on the freedom of speech and expression. Following from this, it will be interesting to see the stand of the Supreme Court when it tests the constitutionality of Rule 6(1)(p) in light of the strict standards laid down in Shreya Singhal and a spate of other judgments.

Freedom of Speech under Article 19(1)(a)

The right of the media to report news is rooted in the fundamental right to free speech and expression guaranteed under Article 19(1)(a) of the Constitution of India. Every right has a corresponding duty, and accordingly, the right of the media to report news is accompanied by a duty to function responsibly while reporting information in the interest of the public. The freedom of the media is not absolute or unbridled, and reasonable restrictions can be placed on it under Article 19(2).

In the present case, it can be argued that Rule 6(1)(p) fails to pass the scrutiny of Article 19(2) due to inherent vagueness in the text of the provision. However, the Supreme Court may be reluctant to deem the provision unconstitutional. This reluctance was demonstrated, for instance, when the challenge to the constitutionality of the Cinematograph Act, 1952 and its attendant guidelines, for containing vague restrictions in the context of certifying films, was dismissed by the Supreme Court. The Censor Board has used the wide discretion available to it for placing unreasonable restrictions while certifying films. If the Supreme Court continues to allow such restrictions on the freedom of speech and expression, the Programme Code is likely to survive judicial scrutiny.

Who should regulate?

Another important issue that the Supreme Court should decide in the present case is whether the MIB had the power to impose such a ban on NDTV India. Under the current regulatory regime, there are no statutory bodies governing media infractions. However, there are self-regulatory bodies like the News Broadcast Standards Authority (NBSA) and the Broadcasting Content Complaints Council (BCCC). The NBSA is an independent body set up by the News Broadcasters Association for regulating news and current affairs channels. The BCCC is a complaint redressal system established by the Indian Broadcasting Foundation for the non-news sector and is headed by retired judges of the Supreme Court and High Courts. Both the NBSA and the BCCC regularly look into complaints regarding violations of the Programme Code. These bodies are also authorized to issue advisories, condemn, levy penalties and direct channels to be taken off air if found in contravention of the Programme Code.

The decision of the MIB was predicated on the recommendation made by the IMC, which consists solely of government officials with no journalistic or legal background. The MIB should have considered referring the matter to a regulatory body with domain expertise, like the NBSA, that addresses such matters on a regular basis, or at least should have sought its opinion before arriving at its decision.

Way Forward

Freedom of expression of the press and the impartial and fair scrutiny of government actions and policies are imperative for a healthy democracy. Carte blanche powers with the government to regulate the media, as stipulated by the Cable TV Act, without judicial or other oversight mechanisms pose a serious threat to free speech and the independence of the fourth estate.

The imposition of the ban against NDTV India by the MIB under vague and uncertain provisions can be argued as a case of regulatory overreach and insidious censorship. The perils of such executive intrusion on the freedom of the media will have a chilling effect on the freedom of speech. This can impact the vibrancy of the public discourse and the free flow of information and ideas which sustains a democracy. Although the governmental decision has been stayed, the Supreme Court should intervene and clarify the import of the vague terms used in the Programme Code to ensure that the freedom of the press is not compromised and fair and impartial news reporting is not stifled under the threat of executive action.

Kasturika Kaumudi is a Programme Officer with the Centre for Communication Governance at National Law University Delhi

News Alert: India gets 4 new IDN ccTLDs

By Aarti Bhavana

ICANN recently announced the successful evaluation of four additional proposed IDN (Internationalized Domain Names) ccTLD strings for India. This was done through a fast track process that was approved by the ICANN Board in 2009. After the successful evaluation of the four new IDN strings (Malayalam, Kannada, Bengali and Oriya), the next step will be string delegation, where requests can be made for the delegation of these strings.

IDNs are very useful in increasing access to the Internet, especially in a linguistically diverse country like India. With this in mind, one of the main criteria for IDN ccTLD applications is that the script used to represent the string must be non-Latin. With these new strings, there are now a total of 11 ccTLDs in various Indian languages, such as Hindi, Urdu, Telugu, Gujarati, Punjabi, etc.

More information can be found here and here.

Cybersecurity Cooperation – India’s Latest Bilateral Arrangements

By Shalini S

The current Indian Government has continually offered significant strategic thrust to cybersecurity and related issues. In November 2015 alone, India established multiple collaborative partnerships for cooperation in cybersecurity with various countries. This is a welcome move for the sector which continually presents advanced security challenges. There is a demonstrated interest in addressing this serious contemporary concern. In addition, efforts are being made to establish extensive cybersecurity cooperation to ensure protected cyber networks. The latest bilateral ties established by India to boost cybersecurity cooperation are elucidated below.

India and the UK signed a first-of-its-kind joint statement that will enable them to collaborate and jointly educate and train their cybersecurity professionals. Together, the countries are also slated to establish a cybersecurity training centre to enable dialogue and exchange of expertise. Additionally, the UK will also help set up a new cybercrime unit in India. This joint statement, released after Prime Minister Narendra Modi’s visit to the UK, closely follows the visit of the UK’s first cybersecurity delegation to India in October 2015.

For the first time, India and China have also decided to establish ministerial mechanisms to effectively tackle transnational crime and specifically delineated cybercrime cooperation as a measure to boost security cooperation between the countries. The new high-level mechanism will be established under the home ministries of both the countries and will result in information exchange, law enforcement and technical capacity building to jointly combat cybercriminal activity. An official bilateral document endorsing this new security collaboration is yet to be signed.

A joint statement from Prime Minister Narendra Modi and his Malaysian counterpart, released this week, revealed that delegation-level consultations between the countries had resulted in the signing of a Memorandum of Understanding (MoU) aimed at strengthening cooperation on cybersecurity. As this MoU was signed between Indian Computer Emergency Team (CERT-IN) and CyberSecurity Malaysia (the national cybersecurity agency), closer cooperation in cyber-policy evolution, technological expertise exchange and incident management can be expected.

Later in the same week, a similar agreement for bilateral cooperation and collaboration in cybersecurity measures was signed between CERT-IN and SingCERT (Singapore’s Computer Emergency Response Team). The MoU, which envisions research collaborations in the sector between the two countries, also agrees to set up appropriate mechanisms to facilitate future dialogue on prevalent policies, best practice, bilateral consultations and real-time exchange of information, and has established a broader framework of cooperation between the countries.

India’s recently established and renewed bilateral ties with these countries hinge on mutual sharing of information and best practices, both critical in constructing a shared response to conspicuous cyber incidents. As these collaborations also come in the wake of the joint commitment of India and the US to strengthen cooperation on a range of cyber issues, India’s serious commitment to fostering multiple bilateral dialogues and cooperation on cybersecurity and related issues is apparent and must be lauded.

Cybersecurity in the Indian Banking Sector

By Shalini S.

The RBI governor, Raghuram Rajan, recently announced that the central banking institution is in the process of setting up an Information Technology (IT) subsidiary. The purpose of this IT subsidiary is to aid the RBI in effectively monitoring and supervising internet-based services offered by banks across the country. This is a welcome move for the Indian banking sector and its customers, who are threatened by systemic vulnerabilities which enable technology-related banking and financial frauds,[1] birthed primarily by the continued migration of services to internet and mobile platforms. This post examines the need for the announced subsidiary in the context of rising instances of cyber-attacks against the banking sector and proposes possible functions for the dedicated subsidiary to enhance cybersecurity in the rapidly digitizing banking sector.

While the adoption of IT for banking services offers unprecedented convenience, cost-effectiveness and speed of delivery, it is riddled with several external threats and suffers from lack of coordination.[2] With the significant operational risks of adopting information technology in the delivery of banking services, a significant rise in banking-related technology frauds has been reported, a cause for concern for customers, commercial banks and the RBI. Even though the advanced analytics on banking platforms attempt to prevent fraudulent transactions, such transactions continue, as several banks and telecom companies fail to comply with suggested and mandated safety norms. Major commercial banks have also been accused of not filing reports of suspicious transactions, an obligatory requirement when there has been an instance of unsatisfactory identification, which allows for speculation that more fraudulent transactions are attempted than are reported.

Currently, phishing, vishing, spyware or malware attacks, keylogging, data theft and other internet-based frauds have been reported to be the most common cyber-attacks against banks and their customers.[3] Despite these threats, there remains continued and even enthusiastic use of innovative, technology-backed financial services such as mobile banking and social media payment systems.

The RBI, which is the central banking institution of the country and responsible for the supervision and regulation of the finance sector, also bears the onus of evolving and enforcing parameters of banking operations. Noting the inevitability of increased digitization of traditional banking services and accompanying vulnerabilities, the RBI has previously attempted to address the issue of cybersecurity by evolving minimum standard cyber safety norms for banks and other providers of financial services. In 2010, the RBI set up a working group to examine issues arising out of IT penetration and use in the banking sector and directed banks to appoint a Chief Information Security Officer (CIO) and a steering committee on information security. Based on the report of the working group, it also issued a set of guidelines on information security, technology risk management and combating cyber fraud, in 2011. The guidelines provided detailed insight into building fraud risk perspective in banks, customizing audits to detect irregularities and vulnerabilities and even the appropriate reporting of fraud cases to law enforcement and other relevant stakeholders.[4] Even though the guidelines themselves dealt only cursorily with issues of data security and privacy, the Institute for Development and Research in Banking Technology (IDRBT), an IT institute set up by the RBI, released a handbook on information security governance to the banking sector, to act as a follow-up to the above-mentioned guidelines.

Unfortunately, these guidelines, which were considered minimum best standards and slated to be implemented in a phased manner,[5] have not been treated seriously, and several banks have failed to implement them and carry out the required cyber due diligence. The same year, RBI also released the Information Technology Vision Document 2011-2017 that highlighted its recognition of the enormity of the menace that is cyber-attacks and reiterated its commitment to mitigating IT fraud in the banking sector. In 2013, it also issued a circular on risk mitigation measures to be undertaken during e-payment transactions to help banks secure electronic payment transactions such as RTGS, NEFT and IMPS from cyber-attacks. Noting the significant increase in fraud in online banking transactions, RBI also advised banks to introduce two or three-stage authentication and transaction verification.[6] However, as telecom companies, whose services are used in authenticating transactions, continue to have fragile digital security and fail to follow minimum safety protocols, these transactions continue in high-risk environments[7] and are in desperate need of monitoring.

While it is clear from the measures outlined in the paragraphs above that the banking industry has recognized the risks associated with the penetration of IT into financial services, the proposed IT subsidiary of RBI could prove to be a great institutional addition. The threat landscape highlighted in the paragraphs above demonstrates the need for a dedicated IT subsidiary to evaluate the technical capabilities of banks and provide support in beefing up cyber security in the sector. As the exact form and mandate for the IT arm of the RBI has not been set as yet, it can also be designed to act as an information sharing resource akin to the dedicated cell that was to be formed under the aegis of IDRBT[8] and additionally work towards ensuring compliance of commercial banks with RBI notifications, codes and rules pertaining to cybersecurity and data protection. Since banking, a finance sector function, potentially falls in the category of critical information infrastructure,[9] there needs to be constant security vigilance and cyber security measures on par with global standards. In addition to exploring methods in which the possibilities of IT can be harnessed for effective, cost-efficient, real-time delivery of banking services, it is also crucial for this proposed subsidiary to concentrate on evolving binding basic standards of data security and privacy, which are currently driven primarily by the Information Technology Amendment Act, 2008 in the banking sector.[10] The subsidiary, which currently aims to track evolving threats and vulnerabilities, should also attempt to develop real-time fraud prevention models and increase customer confidence by increasing the effectiveness of independent financial IT controls.

[1] The Economic Times, Reserve Bank of India plans IT arm, to hire experts to work on banking technologies, 2015, http://economictimes.indiatimes.com/industry/banking/finance/banking/reserve-bank-of-india-plans-it-arm-to-hire-experts-to-work-on-banking-technologies/articleshow/49512043.cms (last visited Oct 26, 2015).

[2] Livemint, Banks bet big on technology to boost efficiency, curb fraud – Livemint (2011), http://www.livemint.com/Industry/8df71WBdwALasI5afwadUJ/Banks-bet-big-on-technology-to-boost-efficiency-curb-fraud.html (last visited Oct 26, 2015).

[3] The Economic Times, RBI asks banks to set up committees to protect IT data, 2011, http://articles.economictimes.indiatimes.com/2011-04-30/news/29490905_1_banking-and-mobile-banking-electronic-channels-frauds (last visited Oct 26, 2015).

[4] Amit Kashyap, Indian Banking: Contemporary Issues in Law and Challenges (2014).

[5] SearchSecurity, RBI guidelines focus on fortifying IT security by banks (2011), http://searchsecurity.techtarget.in/news/2240031005/RBI-guidelines-focus-on-fortifying-IT-security-by-banks (last visited Oct 26, 2015).

[6] The Economic Times, RBI for two-stage verification for online banking transactions, 2014, http://articles.economictimes.indiatimes.com/2014-04-22/news/49318793_1_cheque-truncation-system-authentication-transactions (last visited Oct 27, 2015).

[7] Sharad Vyas, Mumbaikars beware! Your bank details are being stolen and sold! Mid-day (2015), http://www.mid-day.com/articles/mumbaikars-beware-your-bank-details-are-being-stolen-and-sold/16218163 (last visited Oct 28, 2015).

[8] See, Institute for Development and Research in Banking Technology, Consultancy Report on An initiative for research and intelligence gathering related to security incidents in financial services sector for analysis & sharing of insight (2012), http://www.idrbt.ac.in/PDFs/PT%20Reports/2012/RekhaAG_AnInitiative_2012.pdf (last visited Oct 27, 2015).

[9] See, DeitY, Cyber Security Strategy – Strategic Approach | Government of India, Department of Electronics and Information Technology (DeitY), http://deity.gov.in/content/strategic-approach (last visited Oct 26, 2015).

[10] PSA, Risk management in e-banking (2009), http://psalegal.com/upload/publication/assocFile/BANKING-LAWS-BULLETIN-ISSUE-II_1288782887.pdf (last visited Oct 26, 2015).

India’s Statements on Day 2 of the 2nd Preparatory Meeting of the WSIS+10 Review

By Puneeth Nagaraj

India made two interventions in the morning session of day 2 of the 2nd Preparatory Meeting today. The first related to funding mechanisms and the second related to Internet governance. Below are summaries of the two Statements:

  1. On Financial Mechanisms- In a discussion related to the Digital Solidarity Fund, India stated that the Fund was never operationalized and it would hence be incorrect to characterize it as a failure. India went on to stress the need for capacity building as an important component of fulfilling the WSIS vision. India then called for a financial mechanism that could create an enabling environment in developing countries to bridge the digital divide.
  2. On Internet Governance- India reiterated its support for multistakeholderism and stated that multistakeholderism must embrace all societies and geographies. India also called for a new digital democracy that is plural, multi-layered and multistakeholder. India also recorded its support for the IGF, but called for it to be strengthened to make it more inclusive, transparent and accountable. India also stated that governments have a role to play in public policy issues, especially on national security issues, within multistakeholder fora. India stressed enhanced cooperation as a means to facilitate discussions on internet-related public policy issues. India called for an inclusive dialogue on Enhanced Cooperation and called on CSTD to facilitate such dialogue.

Puneeth Nagaraj is a Project Manager at the Centre for Communication Governance at National Law University Delhi

2nd Preparatory Meeting of WSIS+10 Review: Summary of Day 1

By Puneeth Nagaraj

The 2nd Preparatory Meeting for the High Level Meeting of the WSIS+10 Review kicked off in New York today. A shortened first day saw interventions from countries across the board in the morning session. The statements on the first day reflected the starting positions of most governments on the Zero Draft, with the afternoon session called off to facilitate conversations between countries on the outcome document. The meeting has already come under critical focus from civil society groups for not being participatory enough, with meetings scheduled between 6-9 pm every evening behind closed doors for just country representatives.

Overall, there was broad support for linking the WSIS with the SDGs, and the role played by ICTs in bridging the digital divide. There was broad support for the IGF, with disagreements on the term and terms of the extension. The disagreements came on issues of human rights, security and the modalities for implementation and follow up.

Below is a summary of major interventions in the morning session.

European Union Position: The EU position, supported by other countries such as the Netherlands and the UK among others, focused on support for a multistakeholder approach to Internet Governance, a focus on Human Rights and bridging the digital divide through capacity building. They also called for stronger support for the IGF and a longer extension than 5 years in order to account for funding and planning. On a similar note, they asked for any Review of the WSIS to be put off till 2025 or be in line with the Sustainable Development Goals (SDG) Review in 2030. They also called for a stronger focus on Human Rights with a separate section on human rights in the outcome document. The EU and supporting countries disagreed with the need for an international legal framework for internet governance, citing the progress made by existing mechanisms. Instead, they called for more open, transparent and accountable processes in such mechanisms.

G-77 plus China: This group was represented by the South African representative and supported during the session by representatives from Sri Lanka, Pakistan, China and Egypt among others. They stressed the crucial role played by ICTs in furthering development goals and the need for greater security in this area to facilitate the fruition of these goals. They stressed the role of the government and the importance of sovereignty in the information society. While China pointed out that other human rights instruments deal with human rights issues and it is not necessary for the WSIS outcome document to do so, other G-77 members did not see the need for a separate section on human rights issues. They also called for an international legal framework on internet governance along with a legal instrument on cybercrime. Egypt also called for the development of indicators to assess the development goals outlined by WSIS.

United States of America: The United States called for the outcome document to refer to other documents in a holistic sense rather than cherry-picking provisions, for better data to support its claims and to not make unsubstantiated assertions. The US also stated that the outcome document should illuminate different experiences of countries in similar situations, as the experience with ICTs is not monolithic. The US also declared strong support for multistakeholderism and singled out the important role of non-governmental representatives in IG processes. The US also called for a stronger commitment to the IGF. Pointing out that the zero draft should be in line with the WSIS vision, the US stated that security issues should not be in the Zero draft. They stated that ICTs are not the cause of Human Rights violations. The US stressed the need for enhanced cooperation, recognising efforts of other international organizations and organizations outside the UN. Finally, the US called for an evidence-based review process that should be useful and lean. The US also stated that the regular reviews conducted by the CSTD and ECOSOC are sufficient and did not support another overall Review or Summit.

Community of Latin American and Caribbean States: Ecuador spoke on behalf of CELAC and stressed the role of ICTs as drivers of economic growth and sustainable development. They called for the UN Committee on Information and Communications Technology to be part of the WSIS process. They also stated that enhanced cooperation and Implementation are distinct issues and should be treated as such. They also called for the Internet to be recognised as a global public good and the centrality of net neutrality as an idea that supports this notion. They also called for the full involvement of all stakeholders to support the equitable distribution of resources to support the SDG and such an approach should take into account multilingualism. They called for full compliance with International Law with respect to sovereignty, human rights and privacy. They also called for stronger measures to protect children on the internet.

India: An overview of the Indian statement today can be found in a separate blogpost here.

More updates from days 2 and 3 will follow during the week.

Puneeth Nagaraj is a Project Manager at the Centre for Communication Governance at National Law University Delhi

Cyber Extortion: Ransom and Cyberspace

By Shalini S.

The past week has seen news reports in the Indian media, proclaiming the rise of a new computer-related crime, “cyber extortion”. Cyber extortion is a term generally understood to refer to a category of cyber crimes, where stolen, sensitive and private data is withheld or threatened to be exposed in order to extort money. In such attacks, while cybercriminals threaten to cripple websites or disclose sensitive data, the data itself (stolen or accessed without authorization) is not tampered with and is usually safely returned on demands of the cyber extortionists being met. Simply put, hackers are forcing companies to pay them to desist from impeding commercial operations – a fee to be left alone.

In a shocking revelation, two Indian companies conceded to having paid hackers money to the tune of $10 million, to protect sensitive information stolen from their compromised computer networks from imminent exposure. As the stolen information was incriminatory in nature, the attacks, which seem to have originated in the Middle East, went unreported by the companies even months after payments had been made, and no case has been filed by either company. Nevertheless, the discovery has prompted an unprecedented interest in understanding cyber extortion, its operation and treatment in India. In yet another instance of cyber extortion, a businessman from Hyderabad recently found himself unable to access his company’s database as it had been encrypted by a hacker demanding payment for decryption.

In the recently reported cases of digital extortion in India, criminals have exploited the vulnerabilities of cyber space to extort money, by predominantly employing the following strategies:

  1. Gaining unauthorized access to a company’s secured data, strategy and trade secrets and threatening to make it public if demands of payment aren’t met.
  2. Encrypting data in order to disable primary owner’s access to it and demanding payment for decryption.

According to a recently released threat report by Trend Micro, India also encountered the highest number of ransomware infections in the second quarter of 2015 and has ranked 6th in the list of countries sending maximum spam. Ransomware refers to malicious software implanted in communication devices to take control of them and hold data hostage (usually by encrypting it). Rightful owners are forced to pay “ransom” to cyber criminals in order to regain access to their devices after they have been subjected to such attacks. However, in light of allegations of private reports perverting statistics that represent the current threat landscape, it is crucial to note that the above-mentioned threat report was published by a private security software firm that potentially stands to benefit from such a scare by creating increased demand for its security solutions.

Regardless, it is evident that in the perpetration of an extortion attempt, information systems are capable of being employed by cyber criminals in one or more of the ways elucidated below[1]:

  1. Information system as the medium for perpetration of the threat.
  2. Information system as the object of the threat itself.
  3. Payment to the extorter being facilitated through information systems.
  4. Information and communication systems used as the medium for exposure, if demands remain unmet.

Noticeably, extortion manifests in several ways and thus, the provisions of the Information Technology Act under which victims of cyber extortion attacks may claim recompense vary. However, as unauthorized access to data is characteristic of these attacks, S.43 and S.66 of the Information Technology Act, the provisions dealing with protection of data and hacking, may be invoked to deal with cyber extortionists.

Further, in order to avoid exposure, cyber extortionists widely resort to the use of ransomware and botnets – networks of compromised computers that are under the influence of malware code and unwittingly controlled by a master spam/virus originator, usually engaged to forward transmissions.[2] Often, cyber extortion attacks are carried out by organized cyber criminals who pool their technical abilities to extract crucial private data and information. Additionally, payments are demanded in bitcoins in order to further preserve anonymity. In the case of the two Indian conglomerates mentioned above, extortionist hackers even avoided being reported, as the information they accessed (and threatened to expose) could implicate their victims in wrongdoing, naturally prompting a silent payoff. Hence, even criminals engaging in digital extortion from within India are likely to escape prosecution under existing laws due to the complexity of ascertaining the identity of the perpetrators. However, if they are identified, they may be prosecuted for the offences of extortion and criminal intimidation under S. 383 and S. 503 of the Indian Penal Code in addition to being charged with offences under the Information Technology Act.

The nature of operation of cyber extortion hasn’t yet been fully understood or captured by existing definitions. For instance, even a DDoS (extortion) attack may be used by extortionists to make websites unusable, in effect coercing their owners to pay.[3] Further, the payment demanded may not always be monetary in nature or even capable of being materially quantified. Victims are also faced with disbelieving police when they try to lodge a formal complaint, as not many enforcement authorities are aware of cyber extortion.

With an exponential rise in cyber extortion attacks having been reported globally and legal recourses proving inadequate, corporate entities and individuals must privately protect their data from intrusion by using advanced anti-virus tools, firewalls and updated operating systems, and by conducting regular cyber security audits to ascertain their vulnerability and assess their risk preparedness.

(We were unable to source Trend Micro’s threat report for Q2 of 2015 discussed above and request anyone with a copy to share the same with us in order to enable continued, meaningful engagement with cybersecurity issues).

(Shalini is a Research Fellow at the Centre)

[1] Gregory Bednarski, Enumerating and Reducing the Threat of Transnational Cyber Extortion against Small and Medium Size Organizations, Information Security Policy and Management (2004).

[2] Gu, G., Perdisci, R., Zhang, J., & Lee, W. (2008, July). BotMiner: Clustering Analysis of Network Traffic for Protocol-and Structure-Independent Botnet Detection. In USENIX Security Symposium (Vol. 5, No. 2, pp. 139-154).

[3] Mathieu Deflem & Brian Hudak, Internet Extortion and Information Security, in Organized Crime: From Trafficking to Terrorism (1 ed. 2008).

US-India Cyber Dialogue 2015

Following India’s splash in the global internet governance scene with the statement made by the Hon’ble IT Minister at ICANN53, the recently held 4th United States – India Cyber Dialogue is yet another key event in India’s internet governance landscape.

India and the United States have committed to strengthen their cooperation on “a range of cyber issues including cyber threats, enhanced security information sharing, cyber incident management, cybersecurity cooperation in the context of Make in India, efforts to combat cybercrime, Internet governance issues, and norms of behaviour in cyberspace”.

The following is the text of the Joint Statement:

“To increase global cybersecurity and promote the digital economy, the United States and India have committed to robust cooperation on cyber issues. To that end, the United States and India met at the U.S. Department of State in Washington, DC on August 11 and 12 for the 2015 US-India Cyber Dialogue.

The whole-of-government Cyber Dialogue, fourth in the series, was led by the U.S. Cybersecurity Coordinator and Special Assistant to the President Michael Daniel and by India’s Deputy National Security Advisor Arvind Gupta. The Department of State Coordinator for Cyber Issues Christopher Painter and the Ministry of External Affairs Joint Secretary for Policy Planning, Counterterrorism, and Global Cyber Issues Santosh Jha co-hosted the Dialogue. U.S. whole-of-government participation included the Departments of State, Justice, Homeland Security, Treasury, and Commerce. The Indian government was represented by the National Cyber Security Coordinator at the National Security Council Secretariat, the Ministry of External Affairs, the Ministry of Home Affairs, and the Ministry of Communication and Information Technology.

The delegations discussed a range of cyber issues including cyber threats, enhanced cybersecurity information sharing, cyber incident management, cybersecurity cooperation in the context of ‘Make in India’, efforts to combat cybercrime, Internet governance issues, and norms of state behavior in cyberspace.

The two delegations identified a variety of opportunities for increased collaboration on cyber security capacity-building, cyber security research and development, combatting cybercrime, international security, and Internet governance, and intend to pursue an array of follow-on activities to bolster their cyber security partnership and achieve concrete outcomes.

In addition to the formal Dialogue, the delegations met with representatives from the private sector to discuss issues related to cybersecurity and the digital economy. The Indian delegation also met with Deputy Secretary of State Antony Blinken and Assistant to the President for Homeland Security and Counterterrorism Lisa Monaco.

The two countries decided to hold the next round of the Cyber Dialogue in Delhi in 2016.”

With India’s vision to transform the country into a digitally empowered society and knowledge economy through the Digital India programme, the support of strong cybersecurity infrastructure becomes essential. Bilateral, multilateral and multi-sectoral cooperation in this area will be a space to watch out for.

Full Text of statement by South Africa on behalf of G77 and China at the 1st Preparatory Meeting for UNGA’s overall review of the implementation of the WSIS Outcomes

Co-facilitators,

The Group of 77 and China would like to express its gratitude for the proficient manner in which you are handling this process. We would also like to express gratitude for the due consideration that has been given to the group’s inputs thus far.

With regards to the matter at hand, the Group would like to point out that the mandate for the overall review of the implementation of the WSIS is clearly spelt out in Operative Paragraph 4 of the Modalities Resolution, which says:

“Decides that the overall review by the General Assembly shall take stock of the progress made in the implementation of the outcomes of the World Summit on the Information Society and address potential information and communications technology gaps and areas for continued focus, as well as addressing challenges, including bridging the digital divide, and harnessing information and communications technologies for development;”

We would propose that the following eight (8) areas are important for fulfilling the task set forth in OP4.

1. Implementation of the Vision of the Tunis Agenda

It is imperative that, as per the modalities resolution, the focus of this review is anchored in the vision of the Tunis Agenda. There is no need to renegotiate or re-invent the Tunis Agenda.

Central to this vision is the emphasis on the use of ICT’s for development and for the benefit of developing countries.

Moreover, the review process presents a significant opportunity to critically consider the progress made on the implementation of the Tunis Agenda under the 11 Action Lines, and to update these action lines to make necessary course-corrections to ensure that the target populations of these action lines in developing countries attain maximum growth and benefit from the use of ICTs for development.

2. Bridging the Digital Divide

The express WSIS Vision to bridge the digital divide remains unfulfilled. A large majority of the over 3 billion people that still continue to be denied access to the Internet live in the developing world. These populations have been marginalized and sidelined in the spread of ICTs, and the review must focus on addressing this grave issue.

Within the larger context of the digital divide, the gender digital divide has become a growing concern. Women are being left further and further behind in developing countries and this is creating a new digital divide where men are twice as likely to have access to the Internet as women. This is particularly true in low-to-medium income countries, which, as we have said before, are already facing a large digital divide and a lack of access to ICTs. The WSIS+10 review process must factor in this growing problem, and heed the call by developing countries to double the number of women with online access within the next three years. Most importantly, women have to be prioritized in getting access to education that will enable them to acquire technical competencies to play a central role in developing ICT applications and ICT policies that can address the various socio-economic challenges rather than being relegated to consumers and users of ICT.

3. Funding Mechanism for ICTs

The review must focus on and rectify the lack of follow up on the funding mechanisms for ICTs, particularly under para 9 of the Tunis Agenda. There has been too little progress on capacity building for ICTs in developing countries, and on the transfer of technology to developing countries by those nations which have mastered ICT technologies, so as to assist developing countries in their pursuit of development. These funding mechanisms are central to the effective implementation of ICTs for development, and the review should emphasize the need for such mechanisms to be implemented in the outcome document.

4. Linkage with Post 2015

We recognize that this review process overlaps with another extremely important intergovernmental process, which is the transition from the Millennium Development Goals to the Sustainable Development Goals. Just as the MDGs were linked to the Tunis Agenda in 2005, the outcome document of this review process must also recognize the obvious and explicit synergies between the Vision of utilizing ICTs for Development and the newly crafted SDGs.

There is already widespread recognition that ICTs are enabling tools in the implementation of these goals, and this recognition must be further pronounced through this review process. The WSIS+10 Overall Review outcome document must recognize these interlinkages and synergies between ICTs and the ongoing discussions at the United Nations, and ensure that the document is drafted with the larger context of the post-2015 Development Agenda. A useful matrix in this regard has already been provided by the ITU and could be referred to.

5. Right to Privacy

This review needs to establish a common understanding on the applicability of international rights, ethics, freedom of expression and norms to activities in cyberspace.

It also presents a unique opportunity for all member states to create conditions that can prevent violations of international rights online and to curb activities that may pose a threat to the democratic stability of other member states.

We need to ensure better protection of all citizens online.

6. Internet Governance

The review must take stock of the progress made on the issue of internet governance and make it more representative than it has been thus far.

It is important for governments, alongside relevant WSIS stakeholders, to play a role in international public policy issues pertaining to the internet.

7. Enhanced Cooperation

It is unfortunate that the mandate of the Tunis Agenda has been implemented selectively to suit the narrow interests of a few influential players in the multi stakeholder community.
It is critical that this review process commit steps to fulfill the yet unfulfilled mandate of Para 69 of the Tunis Agenda on Enhanced Cooperation.

The Tunis Agenda called for Governments to, on an equal footing with each other, carry out their roles and responsibilities on international public policy issues pertaining to the Internet.

However, ten years later, tangible progress on this specific mandate of Enhanced Cooperation, which would allow developing nations with important ideas to contribute to Internet policy, has been blocked. It is imperative that this important issue be resolved, so that all nations have an equal say in the public policies affecting the Internet.

8. Net Neutrality

The Group of 77 and China would like to express its strong support for the principles of net neutrality. To ensure equal access for all and preserve the notion of the Internet as a public good, all internet traffic must be treated on equal parity, and the key tenets of net neutrality must be recognized as tools to ensure equal access for all.

9. Maintenance of Cyber Security

It is necessary to prevent the use of the internet for criminal and terrorist purposes. The international community should promote cooperation on combating cyber-crime, address the threat of cyber terrorism, and foster a global culture of cyber security.

In maintaining cyber security, States should abide by the following principles: sovereign equality; the settlement of international disputes by peaceful means without jeopardizing international peace and security, and justice; consistency with the principles of the United Nations; and non-intervention in the internal affairs of other States.

Thank you.

Wire Trap: Net neutrality and India’s long history of controlling Technology

The post originally appeared on Caravan on 1st June 2015.

Students access the internet at an event in Bengaluru, in 2003. Contrary to popular belief, the internet is one of the world’s most heavily policed public resources.


In 1989, the International Science Policy Foundation hosted a three-day symposium on “Scientific Temper and National Development” in Delhi. Prime Minister Rajiv Gandhi—whose hand-picked team of technocrats were promising messianic solutions to India’s fledgling IT sector—delivered the opening remarks. All technology, Gandhi declared, was “value neutral.” Those who opposed technology transfer from the West simply did not understand that it could be “injected with proper values” at home.

The prime minister’s words generated much controversy, with one commentator in the Economic and Political Weekly accusing his government of social engineering through technology. In his rush to embrace digital development, Gandhi had unwittingly courted the idea that the digital medium was somehow especially pliable to what the Indian government perceived as core national values.

For the better part of two decades, this idea has remained largely unchallenged, and in their relentless march on the digital frontier, government agencies have tried to capture the internet, too. A consultation paper on “Over-The-Top” services—or OTTs, an umbrella term for all internet applications—released in March by India’s telecom watchdog is only the latest attempt by the Indian state to satisfy its regulatory appetite. In it, the Telecom Regulatory Authority of India, or TRAI, suggests that OTTs have been “overwhelming” telecom service providers, presenting “cybersecurity threats,” and could even “cause disturbance and affect the social fabric.” TRAI predicts that YouTube and other video content hosts will clog India’s poor network infrastructure within five years, even as applications such as WhatsApp may be used to foment mischief, not unlike how messages were circulated across Bengaluru in 2012 “targeting students from the North East.”

But by recommending that internet applications share revenue and information with telecom operators, TRAI would be putting paid to net neutrality—the principle that all digital content should pass unhindered from one end of a network to another. Given a free hand to discriminate between the data that passes through their servers, telecom giants could determine which applications are allowed to work faster, and which ones see their data delivered at all. They could enter into “zero-rating” agreements with successful apps, to subsidise limitless access of their data to consumers. To sift data from applications that facilitate voice-calling over the internet, telecom companies may use Deep Packet Inspection, a filtering technology that allows ISPs to gauge not only the volume of data being transferred, but also the content of online conversations. In other words, the telecommunications industry could become the arbiter of Indian citizens’ rights to digital access, information and privacy; and of emerging internet ventures’ ability to innovate and compete with established players.

There has been a tide of popular support for net neutrality in the wake of the consultation paper. TRAI, nevertheless, has stood its ground, declaring that “shrill voices” won’t “win the debate.” On the other hand, the department of telecommunications, led by the minister Ravi Shankar Prasad, has defiantly announced its support for “non-discriminatory” internet access.

Whether the minister’s posturing or TRAI’s persistence carries the day, ordinary internet users have been edged out of consideration in these policy debates. And despite the enormity of the questions of public interest involved—some of which go well beyond their mandates—TRAI and the telecom department seem to have relegated net neutrality itself to a footnote within the larger story of regulation.

The internet, despite its enduring reputation as a virtual badlands, is among the most tightly controlled public resources in the world. Few functional or technical aspects of cyberspace today are outside the purview of regulation, be they the rights to domain names, access to online content, or even the number of internet protocol, or IP, addresses that can be allocated to a country. The political economy spawned by the internet requires a sophisticated regulatory framework: one that can reconcile the rights of end users, the pressures of the market, and the responsibility of governments to maintain national security.

Most countries are yet to strike a balance between these forces. In the United States, for instance, the internet was incubated on university campuses across the West Coast in the 1970s, without government strictures or bureaucratic intervention. Today, security concerns dominate debates on the country’s cyber norms, reflecting how regulation has been influenced by the fallout of the terrorist attacks of September 2001. In Brazil, on the other hand, where decades of dictatorship before 1985 had strengthened the hands of security forces, a surprisingly robust civil rights movement recently pulled off the seemingly impossible: the enactment of a “Marco Civil,” a Brazilian constitution for the internet.

In independent India, the growth of technology—specifically of the computing industry, IT services, telecommunications and, finally, the internet—has been symbiotic with the country’s politics. A succession of leaders, beginning with Jawaharlal Nehru, situated technology within a deeply political agenda that fed the state’s regulatory impulse. The desire to inject it with political values, which Rajiv Gandhi let slip at the ISPF symposium, required a new bureaucratic apparatus. The telecom department is at the core of that bureaucracy; TRAI, an independent regulator on paper but tethered to the state in practice, is simply an extension of it. To understand these two agencies’ oppositional overtures on net neutrality requires contextualising them in the Indian state’s historic role as regulator for the digital medium.

Bureaucratic control over technology took root through Nehru’s Second Five Year Plan, which was in effect between 1956 and 1961 and aimed to promote industrialisation. Pursuant to the Plan, parliament passed the Scientific Policy Resolution of 1958, which sought “large scale development” of technology to “reduce the drain on capital” through imports. Indigenous computing systems, despite being carefully nurtured by Nehru’s aides Homi Bhabha and PC Mahalanobis, failed to take off, resulting in the capture of the Indian market by the US giant International Business Machines Corporation. IBM’s domination set the cat among the pigeons, prompting the parliament to declare in 1966 that “India should participate in the ownership and control of foreign computer subsidiaries in the country.”

If the Nehru regime invoked the mantra of “self-reliance” in computing, Indira Gandhi sought to promote home-grown technology through nationalisation. For nearly a decade, IBM resisted government attempts to wrest ownership of its Indian subsidiary, until the passage of the Foreign Exchange Regulation Act made it difficult for the company to manage one at all. Reluctant to cede control to an Indian counterpart, IBM left the country in 1978, setting the use of computers for both civilian and research purposes back by years. Indian businesses, too, were hurt in this regard by labour laws requiring “prior agreement” from trade unions before introducing computers on their premises.

Regulations were eased during Rajiv Gandhi’s term. Software and computer imports were liberalised in 1984. The Education and Research Network, or ERNET, a precursor to the internet in India, was set up with assistance from the United Nations Development Program. Telephone services were “corporatised” with the setting up of MTNL and VSNL as public-sector units. The Centre for Advanced Computing was created in 1988. For a while, it seemed civilian and commercial users would have a say in the growth of digital networks.

The institutional and policy changes in India’s IT landscape during this period were, nevertheless, engineered to realise Gandhi’s goal of a technological “revolution.” The government added a new layer of bureaucracy to the sector with the creation of the department of telecommunications in 1989. The National Informatics Centre, or NIC, formerly under the department of electronics, was placed under the planning commission for greater coordination with Gandhi’s political goals.

Despite the rhetoric of modernising governance, few ministries were actually plugged into the NIC’s mainframe database to make use of its volumes of data. The running of ERNET, technically a research network linking India’s premier scientific institutions, was supervised by bureaucrats close to Gandhi. The “License Raj” of previous regimes continued, leaving entrepreneurs at the mercy of regulators. The National Association of Software and Service Companies successfully navigated this space by creating institutional links between the bureaucracy and the industry, a practice that continues to this day. But lost in the melee of reform was any serious evaluation of the rights of a growing community of consumers—both software and internet users.

TRAI, too, was born out of political exigency. The balance of payment crisis in the 1990s resulted in a clamour, both at home and abroad, for private investment in telecommunications. Ahead of a crucial prime ministerial visit to the United States, the Narasimha Rao government hastily drafted the National Telecom Policy of 1994, which acknowledged the need for privatisation. Although several government advisory committees had mooted the idea of a telecom regulator, the NTP stopped short of creating one in the face of staunch resistance from the department of telecommunications. But the following years saw the department embroiled in corruption—the telecom minister Sukh Ram Singh eventually resigned—leaving the government with no option but to set up TRAI in 1997.

Of the scramble to draft the TRAI statute, one consultant involved said that “to suggest, even indirectly, that the government had, at that time, a clear idea of what it was that it wanted the TRAI to achieve, is stretching credibility.”

The telecom department’s attempts to protect its turf are singularly responsible for TRAI’s peculiar present existence as an intermediary between telecom operators and the government. TRAI’s formative years were marked by legal and political battles with the telecom department, in which it invariably took up cudgels on behalf of private operators. An alliance developed between the regulator and industry associations as they found common cause in dismantling the state monopoly on telecommunications. But, at the end of a protracted dispute in court, TRAI was left with nothing but recommendatory powers, while the telecom department—despite its conflicting positions as both a licensor and provider of services—remained the supreme policy-making authority.

TRAI’s emergence as a reactionary to the telecom department’s policies defined its institutional role, effectively making it an echo chamber for the concerns of private service providers. Subsequent policy instruments, such as the National Telecom Policy of 1999, the Internet Policy of 1998, and the Information Technology Act of 2000, all focused on the relationship between telecom companies and internet service providers and the state, and broadened TRAI’s capacities. A small group of industry representatives emerged as the most vocal participants in the body’s consultative processes, which became inaccessible to most consumer-rights activists and ordinary citizens. It should be no surprise that TRAI has now thumbed its nose at net neutrality in its consultation paper on OTTs. The regulator is merely leaning back on a decades-old institutional culture of voicing the concerns of its most powerful constituency: private industry.

That the telecom department is appearing to bat for net neutrality should offer little relief to Indian internet users. The truth is that the raison d’être of internet regulation continues to exist, and the telecom department’s ongoing exchange with TRAI is just an extension of a long-running turf battle. The government remains keen to harness the internet to serve its political goals, be they censorship or constituency mobilisation.

The real scandal lies in how all of this is ceding control over a matter of genuine public interest to the regulatory machine. A system hardened by years of politicking has left little room for democratic interventions in digital policies. The public has been left to fight poorly crafted laws—of which Section 66A of the IT Act was until recently the poster child—that have, for years, been taking a toll on fundamental constitutional guarantees. Indian internet users have been gradually disempowered by a regulatory leviathan. To rein it in may require a grassroots movement that resets the digital agenda.

(Arun Mohan Sukumar is a Senior Fellow at the Centre)