21 Nov 2015

Microsoft Adopts The Robust ISO/IEC 27018 Standard For Cloud Privacy But Challenges Continue In India

Privacy is a cherished human right that needs to be protected at the global level. Right now the mentality of governments around the world is that privacy rights exist at the charity of the government and only to the extent the government permits. But privacy is the human right of every individual and not a government charity. Similarly, privacy rights cannot be taken away by citing vague and invented national security requirements.

Privacy protection in the information era is not easy to manage. Even our governments are not at all interested in protecting the privacy rights of their citizens, nor in reconciling the conflicting ideals of civil liberties and national security. This is why human rights protection in cyberspace must be internationally recognised by the United Nations.

It is also the duty of technology companies to safeguard the data and information entrusted to them by individuals and companies against unreasonable and illegal e-surveillance. These companies hold the personal data of their users in a fiduciary capacity, and they can be held liable under the laws of various countries if they share that data with law enforcement agencies at the drop of a hat.

Cloud computing is increasingly used by individuals and companies to store their data, including personal information. It is of utmost importance that cloud storage be not only secure but also civil-liberties compliant. In India, there are certain legal and regulatory requirements that all cloud computing providers must comply with. However, most businesses and entrepreneurs in India are not complying with these laws and regulations. They are miserably poor in the fields of privacy and data protection (PDF), and very few of them comply with cyber law due diligence (PDF) requirements.

It has been reported that Microsoft has adopted a new standard for cloud privacy that commits the company to protect the privacy of customers' data, not to use it for advertising purposes, and to inform customers of legal requests for their personal data. Google, along with other companies, has been fighting the e-surveillance activities of U.S. agencies. In the past, the FBI's National Security Letters (NSLs) with their gag orders were declared unconstitutional by a U.S. District Judge. However, the judge subsequently narrowed that order and allowed the U.S. Department of Justice to appeal the decision to the United States Court of Appeals for the Ninth Circuit.

Microsoft has declared that it will adopt ISO/IEC 27018, published last year by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard builds on the ISO/IEC 27002 controls and sets out a common set of control objectives, controls and guidelines for a public cloud service provider acting as a processor of personally identifiable information (PII). This initiative by Microsoft would help strengthen users' privacy around the world.

However, there are many issues that Microsoft still has to manage despite its latest declaration. For instance, ISO/IEC 27018 requires a provider to notify its enterprise customers of law enforcement requests for disclosure of PII, but the standard itself acknowledges that such notification may be prohibited by law, and gag orders of the kind attached to NSLs do exactly that. Similarly, Microsoft has to manage the conflict of laws in cyberspace, as what is legal in the U.S. may not be legal in India. In fact, going by the trends in India, cyber litigation against foreign websites will further increase, and companies like Google, Microsoft, Facebook, etc. must be well prepared for it in advance.

Online Card Games Websites May Be Legally Risky If Not Properly Drafted And Managed

At Perry4Law we are frequently approached by online card and non-card game providers to ascertain the legality of their business models. We guide them according to their business models and requirements, but there cannot be a single solution for all gaming stakeholders, because different states have different laws regarding online gaming and gambling in India.

Some stakeholders have already approached the Supreme Court of India to get clarity on the legality of online games like rummy and poker. In response, the Supreme Court asked for the opinion of the Central Government, but the Central Government has informally declined to give one. This means that until the Supreme Court actually holds that online rummy, online poker and other online card games are legal in India, the majority of these gaming stakeholders may be exposing themselves to legal risks and civil and criminal liabilities.

Another problem with this litigation is that it is an issue between the parties to the litigation alone, and others cannot derive benefit from it even if the ultimate decision allows online poker and rummy in India. This is why many gaming companies have approached the Supreme Court to be impleaded as necessary parties. While this may clarify the position for these additional parties as well, it would also bind them to the decision of the Supreme Court: if an adverse decision is given, it would be binding on them too.

A further problem is that until the Supreme Court decides this issue, the various High Courts will not touch the question of games played with stakes at all. This is especially so for the legal issues around online poker and rummy, as the matter is pending before the Supreme Court.

This is exactly what is happening in India as of today. It has been reported that the Hyderabad High Court has refused to grant relief to clubs in the city that sought to restrain the Hyderabad police from interfering with or obstructing in any manner the running of card rooms on club premises where members and guests play rummy with stakes.

Justice Vilas V. Afzulpurkar was dealing with a petition by the managements of Chiran Fort Club and nine others challenging the action of the police in closing their card rooms. The petitioners contended that, in view of the Supreme Court's declaration in Kishan Chander versus State of Madhya Pradesh, the game of rummy is not entirely a game of chance but a game of skill, so the closure of the card rooms by the police was illegal.

While refusing interim relief, the judge said that in view of new findings in a similar case by the Supreme Court and the Madras High Court, the case needs detailed examination to determine whether playing rummy with stakes attracts the provisions of the Gambling Act. This is a logical conclusion, as the issue of playing poker or rummy with stakes is still not settled despite beliefs to the contrary. It is certainly very risky when it comes to online poker and online rummy in India.

Online card game websites may be legally risky if not properly drafted and managed. In fact, a majority of online poker and rummy websites are flouting the laws of India and can be prosecuted by the Government at any time.

Perry4Law strongly recommends that, until the Indian Supreme Court or the Central Government clarifies the legal position regarding online gaming in India, online gaming/gambling stakeholders comply with the existing and applicable techno-legal requirements of Indian law.

20 Nov 2015

Google Services Temporarily Cut Off Due To Hathway’s Incorrect Traffic Routing

The original design of the Internet and its protocols presupposes mutual trust, and this at times causes trouble. In the early days of the Internet there were very few hosts and networks, and they communicated with each other directly. There was little reason for abuse or distrust among those networks and their owners, and no fear of impersonation or IP spoofing either.

However, as the Internet grew, the trust assumptions built into these protocols became a liability. Today, anything sent in plain text is likely to be intercepted and misused. Nevertheless, networks still need to trust each other for the Internet to function efficiently: a BGP router accepts the routes its neighbours announce, and if one network or service provider falters, the services of others may be hampered.

In one such incident, users around the world were unable to reach Google's services for a short period due to a technical glitch. They were cut off by a routing leak from the Indian broadband provider Hathway. The leak is similar to a 2012 incident caused by an Indonesian ISP, which took Google offline for about 30 minutes worldwide.

A routing leak occurs when a network announces routes (all or part of its routing table) to one or more neighbouring networks via the Border Gateway Protocol (BGP) beyond the scope in which they were intended to be used, causing traffic to be routed incorrectly. In the present case Hathway's border router announced over 300 network prefixes belonging to Google to its upstream provider Bharti Airtel. Airtel in turn announced these routes to the rest of the world, and a number of international ISPs accepted them. Nothing in BGP itself stops this: a leak is only caught if the upstream applies an import filter on the customer session, such as a prefix-list restricting the customer to its registered address space, and in this case that filter was evidently missing or ineffective.

Why would traffic for Google flow through Hathway at all? Because Hathway peers with Google to give its customers faster access to Google's cloud, directing their traffic to the closest Google data centres. That peering is a private network connection, and the routes learned over it were meant for Hathway's customers only. When they were accidentally announced to the world instead, much of the world tried to reach Google via Mumbai, through Hathway, instead of over the public Internet.

Until the leaked announcement was withdrawn or filtered, users whose networks had accepted it could not reach Google. BGP has no way to tell a legitimate path from a leaked one, so it was the correction of the routes, not any defence built into the protocol, that restored access. This is why operators rely on prefix-lists and maximum-prefix limits on customer sessions, and on origin validation (RPKI) against hijacks, rather than on trust.
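The kind of customer-edge import filter that would have stopped this leak is shown below as an added illustration written for this page; it is not code from Hathway, Airtel or Google. The ASNs (private-use 64500 and 64501), the prefixes (documentation ranges), the ROA and the prefix-list entries are all constructed. It runs the same three updates from the "customer" through a prefix-list check plus RFC 6811 origin validation, and then through origin validation alone, to show the caveat that matters in a leak: the leaked route still carries the content provider's legitimate origin AS, so RPKI origin validation on its own passes it, while a prefix-list on the customer session rejects it. Origin validation does catch the third update, a more-specific announced with the wrong origin, which is the hijack case it was designed for.

```python
"""
Customer-edge BGP import filter: prefix-list check plus RPKI-style origin
validation (the Valid / Invalid / NotFound states of RFC 6811).
Added example for illustration only; every ASN, prefix and ROA below is
constructed (private-use ASNs, documentation address ranges), not real data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Announcement:
    prefix: Net
    as_path: Tuple[int, ...]   # leftmost = neighbour that sent it, rightmost = origin AS


@dataclass(frozen=True)
class Roa:
    prefix: Net
    origin_as: int
    max_len: int               # longest prefix length the origin may announce


class CustomerEdgeFilter:
    """Import policy for a BGP session with a customer (constructed example)."""

    def __init__(self, prefix_lists: Dict[int, List[Net]], roas: List[Roa]):
        self.prefix_lists = prefix_lists   # customer ASN -> address space it may announce
        self.roas = roas                   # validated ROAs, as an RPKI cache would supply

    def origin_validation(self, ann: Announcement) -> str:
        """RFC 6811 result for one route: Valid, Invalid or NotFound."""
        origin = ann.as_path[-1]
        covering = [r for r in self.roas if ann.prefix.subnet_of(r.prefix)]
        if not covering:
            return "NotFound"
        if any(r.origin_as == origin and ann.prefix.prefixlen <= r.max_len
               for r in covering):
            return "Valid"
        return "Invalid"

    def evaluate(self, neighbour_as: int, ann: Announcement,
                 enforce_prefix_list: bool = True) -> Tuple[str, str]:
        """Return ("accept" | "reject", reason) for one update from neighbour_as."""
        if enforce_prefix_list:
            allowed = self.prefix_lists.get(neighbour_as, [])
            if not any(ann.prefix.subnet_of(p) for p in allowed):
                return "reject", f"{ann.prefix} is outside the prefix-list for AS{neighbour_as}"
        state = self.origin_validation(ann)
        if state == "Invalid":
            return "reject", f"{ann.prefix} with origin AS{ann.as_path[-1]} is RPKI Invalid"
        return "accept", f"{ann.prefix} via AS path {ann.as_path} (RPKI {state})"


AS_CUSTOMER = 64500   # stands in for the leaking customer ISP (constructed)
AS_CONTENT = 64501    # stands in for the content provider whose routes leaked (constructed)

# Constructed filter state: the customer is registered for one /24, and the
# content provider has a ROA for its /24 with maximum length 24.
FILTER = CustomerEdgeFilter(
    prefix_lists={AS_CUSTOMER: [Net("198.51.100.0/24")]},
    roas=[Roa(Net("203.0.113.0/24"), AS_CONTENT, 24)],
)

# Constructed updates as received over the customer session.
UPDATES = [
    Announcement(Net("198.51.100.0/24"), (AS_CUSTOMER,)),             # customer's own prefix
    Announcement(Net("203.0.113.0/24"), (AS_CUSTOMER, AS_CONTENT)),   # leaked peering route
    Announcement(Net("203.0.113.0/25"), (AS_CUSTOMER,)),              # more-specific hijack
]


def run_filter(enforce_prefix_list: bool = True) -> Dict[str, str]:
    """Map each update's prefix to the filter decision under the chosen policy."""
    return {str(a.prefix): FILTER.evaluate(AS_CUSTOMER, a, enforce_prefix_list)[0]
            for a in UPDATES}


if __name__ == "__main__":
    for mode in (True, False):
        print(f"prefix-list enforced: {mode}")
        for a in UPDATES:
            decision, why = FILTER.evaluate(AS_CUSTOMER, a, mode)
            print(f"  {decision:6} {why}")
```

With the prefix-list enforced only the customer's own /24 is accepted. With origin validation alone the leaked 203.0.113.0/24 is accepted as RPKI Valid, because its origin AS is the content provider's and nothing in the ROA says which neighbours may carry that route; only the /25 with the wrong origin is rejected. That is the gap a prefix-list (or an AS-path based leak check) on every customer session has to close.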

2 Nov 2015

RBI Decides To Set Up An IT Subsidiary To Deal With Cyber Crimes And Cyber Security Related Issues

India is treading the digital highway, and very soon most public services will be delivered through information and communication technologies (ICT). This is clear from the enthusiastic implementation of the Digital India project, which still needs some fine tuning to get the best results. Nevertheless, there is no escaping the reality that Digital India will soon be the face of the Indian economy and culture.

With this increased and omnipresent digital culture, cyber crimes and cyber security breaches will be the norm in future. This is why the Delhi Police has decided to launch a mobile application for filing online FIRs for economic frauds and cyber crimes. Now the Reserve Bank of India (RBI) has also shown its commitment to fighting cyber crimes and financial frauds by declaring that it will establish an information technology subsidiary to deal with cyber nuisances. This IT subsidiary of RBI would also deal with cyber security and related issues, with a special focus on banking technology. It would also evaluate the technical capabilities of banks, which is something almost entirely missing today.

We at Perry4Law Organisation (P4LO) welcome this move by RBI and extend our full techno-legal support and expertise in this regard. As per the cyber security trends of India 2015 by P4LO, cyber security issues must be taken care of by various stakeholders, including banks, in India. Although RBI has announced many effective cyber security initiatives for banks in India, cyber security for banks in India is still not in good shape. Some of the initiatives already undertaken by RBI in this direction include the formulation and implementation of Internet banking guidelines, the formation of an RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, and RBI recommendations on information security and their implementation in India.

RBI has also prescribed the establishment of Steering Committees on Information Security by banks in India and the appointment of Chief Information Officers (CIOs) for all banks in India. However, banks in India have failed to comply with RBI's directions so far. As of today there is neither a legal framework nor any compulsion to ensure the cyber security of banks in India. This gives the banks little incentive to secure India's online banking systems. On top of it, banks in India are not following cyber security due diligence and cyber law due diligence (PDF) despite RBI's directions.

If we take the example of western countries, sophisticated malware is targeting their banks. These countries rely heavily on ICT for their functioning, and this makes them vulnerable to cyber crimes and cyber attacks. India has not faced this heat so far because until now India had not adopted technology to that extent. However, with the adoption of Digital India, cyber security and cyber crime investigation will become major issues not only for law enforcement agencies but also for the banks of India. RBI seems to be aware of this reality and has taken a good step by deciding to establish an IT subsidiary to take care of these issues. However, we at P4LO believe that this IT subsidiary of RBI should not be a mere paper tiger but must actually work towards establishing a robust and resilient cyber security environment for the banks of India.

Sophisticated malware such as Dump Memory Grabber has been targeting Indian banks and POS terminals. Similarly, the Gameover Zeus (GOZ) botnet is capable of stealing sensitive banking and financial information. Recently, the US Justice Department even charged a Russian national over the creation of the Gameover Zeus botnet.

In these circumstances we must consider India's push to adopt mobile banking, Internet banking and other online banking and financial transaction methods. So far, India and RBI have not adequately addressed mobile banking cyber security, Internet banking cyber security, the legal aspects of Internet banking, the cyber security of e-governance services, etc. As a result, Indian online banking transactions are vulnerable to cyber attacks.

Cyber security for the banking and financial sectors of India must be ensured as soon as possible. The online payment market of India and e-commerce and online business legal compliances have further increased the need for banking cyber security in India. Similarly, cyber due diligence for PayPal and other online payment transferors in India must also be ensured by these stakeholders. These are some of the suggestions that P4LO has shared with the Indian Government and RBI through this platform. More detailed suggestions will be shared by P4LO at the appropriate stage and platform.