NDTV INDIA BAN: A CASE OF REGULATORY OVERREACH AND INSIDIOUS CENSORSHIP?

In a highly contentious move, the Ministry of Information and Broadcasting (‘MIB’) issued an order banning the telecast of the Hindi news channel ‘NDTV India’ on 9th November, 2016. The MIB imposed this ‘token penalty’ on NDTV India following the recommendation of an Inter-Ministerial Committee (‘IMC’). The IMC had found the channel liable for revealing “strategically sensitive information” during the coverage of Pathankot terrorist attacks on 4th January, 2016. The ban has, however, been put on hold by the MIB after the Supreme Court agreed to hear a writ petition filed by NDTV India against the ban.

The order passed by the MIB raises some important legal issues regarding the freedom of speech and expression of the press. Since the news channels are constantly in the race for garnering Television Rating Points, they may sometimes overlook the letter of the law while covering sensitive incidents such as terrorist attacks. In such cases, regulation of the media becomes necessary. However, it is tricky to achieve an optimum balance between the various concerns at play here – the freedom of expression of the press and the people’s right to information, public interest and national security.

In this post, we discuss the background of the NDTV India case and the legal issues arising from it. We also analyze and highlight the effects of governmental regulation of the media and its impact on the freedom of speech and expression of the media.

NDTV Case – A Brief Background:

On January 29, 2016, the MIB had issued a show cause notice to NDTV India alleging that their coverage of the Pathankot military airbase attack had revealed vital information which could be used by terror operators to impede the counter-operations carried by the security forces. The notice also provided details regarding the alleged sensitive information revealed by NDTV India.

In its defence, the channel claimed that the coverage had been “balanced and responsible” and that it was committed to the highest levels of journalism. The channel also stated that the sensitive information allegedly revealed by the channel regarding critical defence assets and location of the terrorists was already available in the public domain at the time of reporting. It was also pointed out that other news channels which had reported on similar information had not been hauled up by the MIB.

However, the MIB, in its order dated January 2, 2016, held that NDTV India’s coverage contravened Rule 6(1)(p) of the Programme and Advertising Code (the ‘Programme Code’ or ‘Code’) issued under the Cable TV Network Rules, 1994 (‘Cable TV Rules’). In exercise of its powers under the Cable TV Networks (Regulation) Act, 1995 (‘Cable TV Act’) and the Guidelines for Uplinking of Television Channels from India, 2011, the MIB imposed a ‘token penalty’ of a day’s ban on the broadcast of the channel.

Rule 6(1)(p) of the Programme Code:

Rule 6 of the Code sets out the restrictions on the content of programmes and advertisements that can be broadcasted on cable TV. Rule 6(1)(p) and (q) were added recently. Rule 6(1)(p) was introduced after concerns were expressed regarding the real-time coverage of sensitive incidents like the Mumbai and Gurdaspur terror attacks by Indian media. It seeks to prevent disclosure of sensitive information during such live coverage that could act as possible information sources for terror operators.

Rule 6(1)(p) states that: “No programme should be carried in the cable service which contains live coverage of any anti-terrorist operation by security forces, wherein media coverage shall be restricted to periodic briefing by an officer designated by the appropriate Government, till such operation concludes.

Explanation: For the purposes of this clause, it is clarified that “anti-terrorist operation” means such operation undertaken to bring terrorists to justice, which includes all engagements involving justifiable use of force between security forces and terrorists.”

Rule 6(1)(p), though necessary to regulate overzealous media coverage especially during incidents like terrorist attacks, is vague and ambiguous in its phrasing. The term ‘live coverage’ has not been defined in the Cable TV Rules, which makes it difficult to assess its precise meaning and scope. It is unclear whether ‘live coverage’ means only live video feed of the operations or whether live updates through media reporting without visuals will also be considered ‘live coverage’.

Further, the explanation to Rule 6(1)(p) also leaves a lot of room for subjective interpretation. It is unclear whether the expression “to bring terrorists to justice” implies the counter operations should result in fatalities of the terrorists or if the intention is to include the coverage of the trial and conviction of the terrorists, if they were caught alive. If so, it would be highly impractical to bar such coverage under Rule 6(1)(p). The inherent vagueness of this provision gives wide discretion to the governmental authorities to decide whether channels have violated the provisions of the Code.

In this context, it is important to highlight that the Supreme Court had struck down Section 66A of the Information and Technology Act, 2000 in the case of Shreya Singhal vs. Union of India, on the ground of being vague and overboard. The Court had held that the vague and imprecise nature of the provision had a chilling effect on the freedom of speech and expression. Following from this, it will be interesting to see the stand of the Supreme Court when it tests the constitutionality of Rule 6(1)(p) in light of the strict standards laid down in Shreya Singhal and a spate of other judgments.

Freedom of Speech under Article 19(1)(a)

The right of the media to report news is rooted in the fundamental right to free speech and expression guaranteed under Article 19(1)(a) of the Constitution of India. Every right has a corresponding duty, and accordingly, the right of the media to report news is accompanied by a duty to function responsibly while reporting information in the interest of the public. The freedom of the media is not absolute or unbridled, and reasonable restrictions can be placed on it under Article 19(2).

In the present case, it can be argued that Rule 6(1)(p) fails to pass the scrutiny of Article 19(2) due to inherent vagueness in the text of the provision. However, the Supreme Court may be reluctant to deem the provision unconstitutional. This reluctance was demonstrated for instance, when the challenge to the constitutionality of the Cinematograph Act, 1952 and its attendant guidelines, for containing vague restrictions in the context of certifying films, was dismissed by the Supreme Court. The Censor Board has used the wide discretion available to it for placing unreasonable restrictions while certifying films. If the Supreme Court continues to allow such restrictions on the freedom of speech and expression, the Programme Code is likely to survive judicial scrutiny.

Who should regulate?

Another important issue that the Supreme Court should decide in the present case is whether the MIB had the power to impose such a ban on NDTV India. Under the current regulatory regime, there are no statutory bodies governing media infractions. However, there are self-regulatory bodies like the News Broadcast Standards Authority (NBSA) and the Broadcasting Content Complaint’s Council (BCCC).The NBSA is an independent body set up by the News Broadcasters Association for regulating news and current affairs channels. The BCCC is a complaint redressal system established by the Indian Broadcasting Foundation for the non-news sector and is headed by retired judges of the Supreme Court and High Courts. Both the NBSA and the BCCC regularly look into complaints regarding violations of the Programme Code. These bodies are also authorized to issue advisories, condemn, levy penalties and direct channels to be taken off air if found in contravention of the Programme Code.

The decision of the MIB was predicated on the recommendation made by IMC which comprises solely of government officials with no journalistic or legal background. The MIB should have considered referring the matter to a regulatory body with domain expertise like the NBSA that addresses such matters on a regular basis or at least should have sought their opinion before arriving at its decision.

Way Forward

Freedom of expression of the press and the impartial and fair scrutiny of government actions and policies is imperative for a healthy democracy. Carte blanche powers with the government to regulate the media as stipulated by Cable TV Act without judicial or other oversight mechanisms pose a serious threat to free speech and the independence of the fourth estate.

The imposition of the ban against NDTV India by the MIB under vague and uncertain provisions can be argued as a case of regulatory overreach and insidious censorship. The perils of such executive intrusion on the freedom of the media will have a chilling effect on the freedom of speech. This can impact the vibrancy of the public discourse and the free flow of information and ideas which sustains a democracy. Although the governmental decision has been stayed, the Supreme Court should intervene and clarify the import of the vague terms used in the Programme Code to ensure that the freedom of the press is not compromised and fair and impartial news reporting is not stifled under the threat of executive action.

Advertisements

News Alert: India gets 4 new IDN ccTLDs

By Aarti Bhavana

ICANN recently announced the successful evaluation of four additional proposed IDN (Internationalized Domain Names) ccTLD strings for India. This was done through a fast track process that was approved by the ICANN Board in 2009. After the successful evaluation of the four new IDN strings (Malayalam, Kannada, Bengali and Oriya), the next step will be string delegation, where requests can be made for the delegation of these strings.

IDNs are very useful in increasing access to Internet, especially in a linguistically diverse country like India. With this in mind, one of the main criteria for IDN ccTLD applications is that the script used to represent the string must be non-Latin. With these new strings, there are now a total of 11 ccTLDs in various Indian languages, such as Hindi, Urdu, Telegu, Gujrati, Punjabi, etc.

More information can be found here and here.

Cybersecurity Cooperation – India’s Latest Bilateral Arrangements

By Shalini S

The current Indian Government has continually offered significant strategic thrust to cybersecurity and related issues. In November 2015 alone, India established multiple collaborative partnerships that for cooperation in cybersecurity with various countries. This is a welcome move for the sector which continually presents advanced security challenges. There is a demonstrated interest in addressing this serious contemporary concern. In addition, efforts are being made to establish extensive cybersecurity cooperation to ensure protected cyber networks. The latest bilateral ties established by India to boost cybersecurity cooperation are elucidated below.

India and UK signed a first of its kind joint statement that will enable them to collaborate and jointly educate and train its cybersecurity professionals. Together, the countries are also slated to establish a cybersecurity training centre to enable dialogue and exchange of expertise. Additionally, the UK will also help setup a new cybercrime unit in India. This joint statement released after Prime Minister Narendra Modi’s visit to the UK closely follows the visit of UK’s first cybersecurity delegation to India in October 2015.

For the first time, India and China have also decided to establish ministerial mechanisms to effectively tackle transnational crime and specifically delineated cybercrime cooperation as a measure to boost security cooperation between the countries. The new high-level mechanism will be established under the home ministries of both the countries and will result in information exchange, law enforcement and technical capacity building to jointly combat cybercriminal activity. An official bilateral document endorsing this new security collaboration is yet to be signed.

A joint statement from Prime Minister Narendra Modi and his Malaysian counterpart released this week, revealed that their delegation-level consultations between the countries had resulted in the signing of a Memorandum of Understanding (MoU) aimed at strengthening cooperation on cybersecurity. As this MoU was signed between Indian Computer Emergency Team (CERT-IN) and CyberSecurity Malaysia (national cybersecurity agency), closer cooperation in cyber-policy evolution, technological expertise exchange and incident management can be expected.

Later in the same week, a similar agreement for bilateral cooperation and collaboration in cybersecurity measures was signed between CERT-IN and SingCERT (Singapore’s Computer Emergency Response Team). The MoU which envisions research collaborations, in the sector, between the two countries, also agreed to setup appropriate mechanisms to facilitate future dialogue on prevalent policies, best practice, bilateral consultations and real-time exchange of information and has established a broader framework of cooperation between the countries.

India’s recently established and renewed bilateral ties with these countries hinges on mutual sharing of information and best-practices, both critical in constructing a shared response to conspicuous cyber incidents. As these collaborations also come in the wake of joint commitment of India and US to strengthen cooperation on a range of cyber issues, India’s serious commitment in fostering multiple bilateral dialogues and cooperation on cybersecurity and related issues is apparent and must be lauded.

Cybersecurity in the Indian Banking Sector

By Shalini S.

The RBI governor, Raghuram Rajan, recently announced that the central banking institution is in the process of setting up an Information Technology (IT) subsidiary. The purpose of this IT subsidiary is to aid the RBI in effectively monitoring and supervising internet-based services offered by banks across the country.  This is a welcome move for the Indian banking sector and its customers who are threatened by systemic vulnerabilities, which enable technology related banking and financial frauds,[1] birthed primarily by the continued migration of services to internet and mobile platforms. This post examines the need for the announced subsidiary in the context of rising instances of cyber-attacks against the banking sector and proposes possible functions for the dedicated subsidiary to enhance cybersecurity in the rapidly digitizing banking sector.

While the adoption of IT for banking services offers unprecedented convenience, cost-effectiveness and speed of delivery, it is riddled with several external threats and suffers from lack of coordination.[2] With the significant operational risks of adopting information technology in the delivery of banking services, a significant rise in banking-related technology frauds has been reported, a cause for concern for customers, commercial banks and the RBI. Even though the advanced analytics on banking platforms attempt to prevent fraudulent transactions, such transactions continue, as several banks and telecom companies fail to comply with suggested and mandated safety norms. Major commercial banks have also been accused of not filing reports of suspicious transactions, an obligatory requirement when there has been an instance of unsatisfactory identification, which allows for speculation that more fraudulent transactions are attempted than are reported.

Currently, phishing, vishing, spyware or malware attacks, keylogging, data theft and other internet-based frauds have been reported to be the most common cyber-attacks against banks and its customers.[3] Despite these threats, there remains continued and even enthusiastic use of innovative, technology-backed financial services such as mobile banking and social media payment systems.

The RBI, which is the central banking institution of the country and responsible for the supervision and regulation of the finance sector, also bears the onus of evolving and enforcing parameters of banking operations. Noting the inevitability of increased digitization of traditional banking services and accompanying vulnerabilities, the RBI has previously attempted to address the issue of cybersecurity by evolving minimum standard cyber safety norms for banks and other providers of financial services. In 2010, the RBI set up a working group to examine issues arising out of IT penetration and use in the banking sector and directed banks to appoint a Chief Information Security Officer (CIO) and a steering committee on information security. Based on the report of the working group, it also issued a set of guidelines on information security, technology risk management and combating cyber fraud, in 2011. The guidelines provided detailed insight into building fraud risk perspective in banks, customizing audits to detect irregularities and vulnerabilities and even the appropriate reporting of fraud cases to law enforcement and other relevant stakeholders.[4] Even though the guidelines themselves dealt only cursorily with issues of data security and privacy, the Institute for Development and Research in Banking Technology (IDRBT), an IT institute set up by the RBI, released a handbook on information security governance to the banking sector, to act as a follow-up to the above-mentioned guidelines.

Unfortunately, these guidelines which were considered minimum best standards and slated to be implemented in a phased manner[5], have not been treated seriously and several banks have failed to implement these guidelines and carry out required cyber due diligence. The same year, RBI also released the Information Technology Vision Document 2011-2017 that highlighted its recognition of the enormity of the menace that is cyber-attacks and reiterated its commitment to mitigating IT fraud in the banking sector. In 2013, it also issued a circular on risk mitigations measures to be undertaken during e-payment transactions to help banks secure electronic payment transactions such as RTGS, NEFT and IMPS from cyber-attacks. Noting the significant increase in fraud in online banking transactions, RBI also advised banks to introduce two or three-stage authentication and transaction verification.[6] However, as telecom companies, whose services are used in authenticating transactions, continue to have fragile digital security and fail to follow minimum safety protocols, these transactions continue in high-risk environments[7] and are in desperate need of monitoring.

While it is clear from the measures outlined in paragraphs above that the banking industry has recognized the risks associated with the penetration of IT into financial services, the proposed IT subsidiary of RBI could prove to be a great institutional addition. The threat landscape highlighted in the paragraphs above, demonstrates the need for a dedicated IT subsidiary to evaluate technical capabilities of banks and provide support in beefing up cyber security in the sector. As the exact form and mandate for the IT arm of the RBI has not been set as yet, it can also be designed to act as an information sharing resource akin to the dedicated cell that was to be formed under the aegis of IDRBT[8] and additionally work towards ensuring compliance of commercial banks to RBI notifications, codes and rules pertaining to cybersecurity and data protection. Since banking, a finance sector function, potentially falls in the category of critical information infrastructure,[9] there needs to be constant security vigilance and cyber security measures on par with global standards. In addition to exploring methods in which the possibilities of IT can be harnessed for effective, cost-efficient, real-time delivery of banking services, it is also crucial for this proposed subsidiary to concentrate on evolving binding basic standards of data security, privacy which is currently, primarily driven by Information Technology Amendment Act, 2008 in the banking sector.[10] The subsidiary which currently aims to track evolving threats and vulnerabilities should also attempt developing real-time fraud prevention models and increase customer confidence by increasing effectiveness of independent financial IT controls.

[1] The Economic Times, Reserve Bank of India plans IT arm, to hire experts to work on banking technologies, 2015, http://economictimes.indiatimes.com/industry/banking/finance/banking/reserve-bank-of-india-plans-it-arm-to-hire-experts-to-work-on-banking-technologies/articleshow/49512043.cms (last visited Oct 26, 2015).

[2] Livemint, Banks bet big on technology to boost efficiency, curb fraud – Livemint (2011), http://www.livemint.com/Industry/8df71WBdwALasI5afwadUJ/Banks-bet-big-on-technology-to-boost-efficiency-curb-fraud.html (last visited Oct 26, 2015).

[3] The Economic Times, RBI asks banks to set up committees to protect IT data, 2011, http://articles.economictimes.indiatimes.com/2011-04-30/news/29490905_1_banking-and-mobile-banking-electronic-channels-frauds (last visited Oct 26, 2015).

[4] Amit Kashyap, Indian Banking: Contemporary Issues in Law and Challenges (2014).

[5] SearchSecurity, RBI guidelines focus on fortifying IT security by banks (2011), http://searchsecurity.techtarget.in/news/2240031005/RBI-guidelines-focus-on-fortifying-IT-security-by-banks (last visited Oct 26, 2015).

[6] The Economic Times, RBI for two-stage verification for online banking transactions, 2014, http://articles.economictimes.indiatimes.com/2014-04-22/news/49318793_1_cheque-truncation-system-authentication-transactions (last visited Oct 27, 2015).

[7] Sharad Vyas, Mumbaikars beware! Your bank details are being stolen and sold! Mid-ay (2015), http://www.mid-day.com/articles/mumbaikars-beware-your-bank-details-are-being-stolen-and-sold/16218163 (last visited Oct 28, 2015).

[8] See, Institute for Development and Research in Banking Technology, Consultancy Report on An initiative for research and intelligence gathering related to security incidents in financial services sector for analysis & sharing of insight (2012), http://www.idrbt.ac.in/PDFs/PT%20Reports/2012/RekhaAG_AnInitiative_2012.pdf (last visited Oct 27, 2015).

[9] See, DeitY, Cyber Security Strategy – Strategic Approach | Government of India, Department of Electronics and Information Technology (DeitY), http://deity.gov.in/content/strategic-approach (last visited Oct 26, 2015).

[10] PSA, Risk management in e-banking (2009), http://psalegal.com/upload/publication/assocFile/BANKING-LAWS-BULLETIN-ISSUE-II_1288782887.pdf (last visited Oct 26, 2015).

India’s Statements on Day 2 of the 2nd Preparatory Meeting of the WSIS+10 Review

India made two interventions in the morning session of day 2 of the 2nd Preparatory Meeting today. The first related to funding mechanisms and the second related to Internet governance. Below are summaries of the two Statements:

  1. On Financial Mechanisms- In a discussion related to the Digital Solidarity Fund, India stated that the Fund was never operationalized and it would hence be incorrect to characterize it as a failure. India went on to stress the need for capacity building as an important component of fulfilling the WSIS vision. India then called for a financial mechanism that could create an enabling environment in developing countries to bridge the digital divide.
  2. On Internet Governance- India reiterated its support for  multistakeholderism and stated that multistakeholderism  must embrace all societies and geographies. India also called for a new digital democracy that is plural, multi-layered and multistakeholder. India also recorded its support for the IGF, but called for it to be strengthened to make it more inclusive, transparent and accountable. India also stated that governments have a role to play in public policy issues especially, on national security issues withing multistakeholder fora. India stressed on enhanced cooperation as a means to facilitate discussions on internet related public policy issues. India called for an Inclusive dialogue on Enhanced Cooperation and called on CSTD to facilitate such dialogue

2nd Preparatory Meeting of WSIS+10 Review: Summary of Day 1

The 2nd Preparatory Meeting for the High Level Meeting of the WSIS+10 Review kicked off in New York today. A shortened first day in the morning session saw interventions from countries across the board. The statements on first day reflected the the starting positions of most governments on the Zero Draft with the afternoon session called off to facilitate conversations between countries on the outcome document. The meeting has already come under critical focus from civil society groups for not being participatory enough with meetings scheduled between 6-9 pm every evening behind closed doors for just country representatives.

Overall, there was broad support for linking the WSIS with the SDGs, and the role played by ICTs in bridging the digital divide. There was broad support for the IGF, with disagreements on the term and terms of the extension. The disagreements came on issues of human rights, security and the modalities for implementation and follow up.

Below is a summary of major interventions in the morning session.

European Union Position: The EU position supported by other countries such as the Netherlands, UK among others focused on the support for a multistakeholder approach to Internet Governance, focus on Human Rights and bridging the digital divide through capacity building. They also called for a stronger support for the IGF and a longer extension than 5 years in order to account for funding and planning. On a similar note, they asked for any Review of the WSIS to be put off till 2025 or be in line with the Sustainable Development Goals (SDG) Review in 2030. They also called for a stronger focus on Human Rights with a separate section on human rights in the outcome document. The EU and supporting countries disagreed with the need for an international legal framework for internet governance, citing the progress made by existing mechanisms. Instead, they called for more open, transparent and accountable processes in such mechanisms.

G-77 plus China: This group was represented by the South African representative and supported during the session by representatives from Sri Lanka, Pakistan, China and Egypt among others. They stressed the crucial role played by ICTs in furthering development goals and the need for greater security in this area to facilitate the fruition of these goals. They stressed the role of the government and the importance of sovereignty in the information society. While China pointed out that other human rights instruments deal with human rights issues and it is not necessary for the WSIS outcome document to do so, other G-77 members did not see the need for a separate section on human rights issues. They also called for an international legal framework on internet governance along with a legal instrument on cybercrime. Egypt also called for the development of indicators to assess the development goals outlined by WSIS.

United States of America: The United States called for the outcome document to refer to other documents in a holistic sense rather than cherry picking provisions, for better data to support its claims and to not make unsubstantiated assertions. The US also stated that the outcome document should illuminate different experiences of countries in similar situations as the experience with ICTs is not monolithic. The US also declared strong support for multistakeholderism and singled out the important role of non-governmental representatives in IG processes. The US also called for a stronger commitment to the IGF. Pointing out that the zero draft should be in line with the WSIS  vision, the US stated that security issues should not be in Zero draft. They stated that ICTs are not the cause of Human Rights violations. The Us stressed the need for enhanced cooperation, recognising efforts of other international organizations and organizations outside the UN. Finally, the US called for an evidence based review process that should be useful and lean. The US also stated that the regular review conducted by the CSTD and ECOSOC are sufficient and did not support another overall Review or Summit.

Community of Latin American and Caribbean States: Ecuador spoke on behalf of CELAC and stressed the role of ICTs as drivers of economic growth and sustainable development. They called for the UN Committee on Information and Communications Technology to be part of the WSIS process. They also stated that enhanced cooperation and Implementation are distinct issues and should be treated as such. They also called for the Internet to be recognised as a global public good and the centrality of net neutrality as an idea that supports this notion. They also called for the full involvement of all stakeholders to support the equitable distribution of resources to support the SDG and such an approach should take into account multilingualism. They called for full compliance with International Law with respect to sovereignty, human rights and privacy. They also called for stronger measures to protect children on the internet.

India: An overview of the Indian statement today can be found in a separate blogpost here.

More updates from days 2 and 3 will follow during the week.

Cyber Extortion: Ransom and Cyberspace

By Shalini S.

The past week has seen news reports in the Indian media, proclaiming the rise of a new computer-related crime, “cyber extortion”. Cyber extortion is a term generally understood to refer to a category of cyber crimes, where stolen, sensitive and private data is withheld or threatened to be exposed in order to extort money. In such attacks, while cybercriminals threaten to cripple websites or disclose sensitive data, the data itself (stolen or accessed without authorization) is not tampered with and is usually safely returned on demands of the cyber extortionists being met. Simply put, hackers are forcing companies to pay them to desist from impeding commercial operations – a fee to be left alone.

In a shocking revelation, two Indian companies conceded to having paid hackers money to the tune of $10 million, to protect sensitive information stolen from their compromised computer networks, from imminent exposure. As the stolen information was incriminatory in nature, the attacks which seems to have originated in the Middle East, went unreported by the companies’ even months after payments had been made and no case has been filed by either company. Nevertheless, the discovery has prompted an unprecedented interest in understanding cyber extortion, its operation and treatment in India. In yet another instance of cyber extortion, a businessman from Hyderabad recently found himself unable to access his company’s database as it had been encrypted by a hacker demanding payment for decryption.

In the recently reported cases of digital extortion in India, criminals have exploited the vulnerabilities of cyber space to extort money, by predominantly employing the following strategies:

  1. Gaining unauthorized access to a company’s secured data, strategy and trade secrets and threatening to make it public if demands of payment aren’t met.
  2. Encrypting data in order to disable primary owner’s access to it and demanding payment for decryption.

According to a recently released threat report by Trend Micro, India also encountered the highest number of ransomware infections in the second quarter of 2015 and has ranked 6th in the list of countries sending maximum spam. Ransomware refers to malicious software implanted in communication devices to take control of them and hold data hostage (usually by encrypting it). Rightful owners are forced to pay “ransom” to cyber criminals in order to regain access to their devices after it has been has subject to such attacks. However, in light of allegations of private reports perverting statistics that represent current threat landscape, it is crucial to note that the above-mentioned threat report was published by a private security software firm that potentially stands to benefit from such a scare by creating increased demand for its security solutions.

Regardless, it is evident that in the perpetration of an extortion attempt, information systems are capable of being employed by cyber criminals in one or more of the ways as elucidated below[1]:

  1. Information system as the medium for perpetration of the threat.
  2. Information system as the object of the threat itself.
  3. Payment to the extorter being facilitated through information systems.
  4. Information and communication systems used as the medium for exposure, if demands remain unmet.

Noticeably, extortion manifests in several ways and thus, the provisions of the Information Technology Act under which victims of cyber extortion attacks may claim recompense under varies. However, as unauthorized access to data is characteristic of these attacks, S.43 and S.66 of the Information Technology Act, provisions dealing with protection of data and hacking, may be invoked to deal with cyber extortionists.

Further, in order to avoid exposure, cyber extortionists widely resort to the use of ransomware and botnets – network of compromised computers that are under the influence of malware code and unwittingly controlled by a master spam/virus originator usually engaged to forward transmissions.[2] Oft times, cyber extortion attacks are carried out by organized cyber criminals who hedge their collective technical abilities to extract crucial private data and information. Additionally, payments are demanded in bitcoins in order to further preserve anonymity. In the case of the two Indian conglomerates mentioned above, extortionist hackers even avoided being reported as the information they accessed (and threatened to expose) could implicate their victims in wrongdoing, naturally prompting a silent payoff. Hence, even criminals engaging in digital extortion from within India, are likely to escape prosecution under existing laws due to the complexity of ascertaining identity of the perpetrators. However, if they are identified, they may be prosecuted for the offences of extortion and criminal intimidation under S. 383 and S. 503 of the Indian Penal Code in addition to being charged with offences under the Information Technology Act.

The nature of operation of cyber extortion hasn’t yet been fully understood or captured by existing definitions. For instance, even a DDOS (extortion) attack may be used by extortionists to make websites unusable, in effect coercing them to pay.[3] Further, payment demanded may not always be monetary in nature or even capable of being materially quantified. Victims are also faced with disbelieving police when they try to lodge a formal complaint as not many enforcement authorities are aware of cyber extortion.

With an exponential rise in cyber extortion attacks globally having been reported and legal recourses proving inadequate, corporate entities and individuals must privately protect their data from intrusion by using advanced anti-virus tools, firewalls, updated operating systems and conduct regular cyber security audits to ascertain their vulnerability and assess their risk preparedness.

(We were unable to source Trend Micro’s threat report for Q2 of 2015 discussed above and request anyone with a copy to share the same with us in order to enable continued, meaningful engagement with cybersecurity issues).

(Shalini is a Research Fellow at the Centre)

[1] Gregory Bednarski, Enumerating and Reducing the Threat of Transnational Cyber Extortion against Small and Medium Size Organizations, Information Security Policy and Management (2004).

[2] Gu, G., Perdisci, R., Zhang, J., & Lee, W. (2008, July). BotMiner: Clustering Analysis of Network Traffic for Protocol-and Structure-Independent Botnet Detection. In USENIX Security Symposium (Vol. 5, No. 2, pp. 139-154).

[3] Mathieu Deflem & Brian Hudak, Internet Extortion and Information Securityin Organized Crime: From Trafficking to Terrorism (1 ed. 2008).