Thursday, February 04, 2010

BEGINNING AND END OF PRIVACY


Evolving Strategies for the Enforcement of Cyber Laws

The storming of the Bastille from Wikipedia
( Text of talk delivered by JusticeYatindra Singh, Judge High Court, on 'Launching of Cyber Law Enforcement Programme, National Consultation Meeting' at AP Shinde Hall NASC complex New Delhi on 31.01.2010. 
A pdf format of the article may be downloaded from here.)

With due apologies to Charles Dickens, it is the time when boundaries are zealously guarded: it is the time that boundaries have become meaningless; it is the age of reality: it is the age of virtuality; it is the beginning of privacy: it is the end of privacy. This paradox not only shows the difficulty in enforcing cyber laws but also explains the genesis of cyber crimes. People are emboldened to commit a cyber crime because they mistakenly assume that they are anonymous but nothing can be farther than this. There is nothing private in the cyber space: it is the end of privacy.

Before we talk about evolving strategies, some words about cyber laws, importance of safeguarding integrity of Internet and cyber space.

CYBER LAWS
Inventions, discoveries, and new technologies widen the scientific horizon but pose new challenges for the legal world. The information technology brought about by computers, Internet and cyber space has opened new dimensions but has also created problems in all aspects of law. We are finding solutions for them. These solutions―statutory or otherwise―providing answers to the problems are loosely referred to as ‘Computer Laws’ or ‘Information Technology Laws’ or simply ‘Cyber Laws’.

We have enacted a few statutory provisions. The problems (due to the information technology) in the field of Intellectual Property Rights (IPRs), have been sorted out by amending the Copyright and the Patents Act. However the most important legislative measure is the Information Technology Act, 2000 (the IT Act). It has also amended the following four Acts.
  1. The Indian Penal Code, 1860;
  2. The Indian Evidence Act, 1872;
  3. The Bankers’ Book Evidence Act, 1891;
  4. The Reserve Bank of India Act, 1934.

Communication Convergence Bill
Another Act, titled Communication Convergence Bill is in the pipeline. It is to fully harness the benefits of the converged and the converging technologies of the future namely―the Telecom, Information Technology, and Broadcasting.

A committee was set up to consider the Communication Convergence Bill. It recorded sharply divided opinion of the experts about the desirability of having such enactment. This may be the reason that the Bill is still not passed by the Parliament. Perhaps, it may not be enacted in the near future. However, some of its provisions have been incorporated by an amendment in the IT Act.

Amendments in the IT Act
An expert committee was set up to consider the amendments in the IT Act. It has made its recommendations and proposed amendments. The amendments were proposed in 2005. They were introduced in modified form as the Information Technology (Amendment) Bill 2006. The 2006 Bill was further modified and passed by the Parliament on 23.12.2008. After the assent of the President, it was notified on 5.2.2009 as the Information Technology (Amendment) Act 2008 (Central Act no. 10 of 2009). It has been enforced from 27.10.2009. This amending Act has incorporated some important provisions of the Communication Convergence Bill.

Previously mentioned four Acts were amended by Section 91 to 94 of the IT Act. These sections have been omitted by the amending Act but in view of Section 6A of the General Clause Act  (see End Note-1) these amendments in the respective Acts will continue. The first two Acts have been further amended by the amending Act.

IMPORTANCE OF SAFEGUARDING―INTERNET, CYBER SPACE
The integrity and protection of the internet and Cyber space is important. In case of any compromise, not only banking sector, sensitive government data, trading on line may be seriously jeopardised but personal transactions will also go haywire: the result will be disastrous.

CYBER LAWS VIOLATIONS
The Cyber law violations may be broadly divided into two fields,
  1. Intellectual Property Right (IPR);
  2. Other than IPR.

IPR Violations
The Cyber law violations in the field of IPR may be categorised as:
  1. IPRs problems in Cyber space. This includes Copyright and Trademark infringement on the internet, domain name dispute etc (For details see here);
  2. Illegal copying and distribution of computer software;
  3. Problems relating to reverse engineering (decompilation ), Trade Secret, and patents in the computer software. (For details see here and here)

The first two arise in relation to Copyright and Trademarks; they are often resorted to by the corporations. The courts have been traditionally handling Copyright and Trademarks disputes. They often issue John Doe or Anil Kumar orders (as has been renamed by the Indian courts) but practical problems in enforcing them still remain.

Reverse Engineering Decompilation, Trade Secret, and Software Patents
The third aspect of this category is not only complicated but difficult too. This problem is in the developed countries and has yet, not come to our country.

Reverse engineering means ‘starting with the known product and working backward to derive the process which aided in its development or manufacture.’ In other words reverse engineering is taking apart an object to see how it works in order to duplicate or enhance the object. In the context of a computer programme, it is also referred to as decompilation or disassembly. There is some difference among the three but the word reverse engineering is a general word and is broader than the other two. This is broadly dealt in section 52 (aa) and (ad) read with section 23 of the Contract Act.

Article 39 of the TRIPS talks about Protection of Undisclosed Information (Trade Secret). There is no specific statute dealing with the protection of undisclosed information in our country. We have Official Secrets Act, 1923; it protects information given to or with the government. One can also file a suit for breach of trust or confidence.

Under our laws, computer programme per se or algorithm is not an invention under section 3(k) of the Patents Act and cannot be patented. In the US the law for granting software patents is broader. As held there in State Street Bank vs. Signature Financial Group (149 F, 3d 1352 Decided on 23.7.1998) (the StateStreet case), patents have been granted in business methods if algorithm is applied to produce a useful, concrete, and tangible result. Japan and Australia follow the US pattern. The European law is similar to the Indian law but because of law prevailing in the US, there is variation in its application in Europe.

The Federal Court 'In re Bilski case' (US 545 F 3 d 943, 88 US PQ 2d 1384) has modified the principle in the StateStreet case. An appeal has been filed before the US Supreme Court. The judgement has been reserved. This judgement may change the law in US and the other countries may follow the same. Perhaps we should wait for the future to unfold.

Violations―Other than IPR: Cyber Crimes
The cyber laws violations in the field other than IPR is broadly referred to as Cyber Crimes. They can be divided into two categories.
  1. Crime where the computer or server is the object/ target. For example hacking a computer or a website or a server, sending a virus, Denial of Service (DOS) attack etc.
  2. Crimes other than those where computer or server is the object/ target but computer is used as an instrument for committing the offence. For example credit card fraud, spam, Phishing, Pornography.

STRATEGIES
Prevention: Public Education and Vigilance
The best strategy for any crime, be it be cyber crime or other, is prevention. The obvious measure is to improve security measures, enhance public education and vigilance.

One of the objectives of the legal authorities is to raise legal awareness. Public Education and vigilance part can be taken up by them. Frequently asked questions (FAQ) and their answers may be on their website and a pamphlet or information regarding the same may be circulated by them in their programmes. A list of tentative questions is mentioned in Appendix-1.

The information should also be in Hindi as well as in other regional languages so that the general public may find it easy to read and understand. The information in Hindi or other regional languages should be in Unicode. This is the character encoding in which these scripts are being globally standardised.

Skilled Investigators
Cyber crime cannot be investigated by everyone. A person should have special knowledge in order to investigate it. There is lack of skilled police personnel to deal with the Cyber crime. In our State, there was one Cyber cell at Agra. In other districts there may not be any qualified personnel to investigate a cyber crime. It is advisable to have atleast one skilled police personnel in every district to deal with the Cyber crime.

Training―Judges
While deciding a cyber crime case, one may not be computer savvy but should have basic idea about the computers. In this regard Judicial training Institutes can play a leading role.

The Supreme Court in All India Judges Association and other vs. Union of India (2002) 4 SCC 247 (paragraph 32) recommended one year training for fresh recruits in the judicial service. A consultation meeting was held at National Judicial Academy, Bhopal. It made certain recommendations for the training. Considering the number of the recruits and availability of infrastructure at the Judicial Training Institute Lucknow, the Allahabad High Court adopted a pattern of giving training in three parts:
  1. Three months training at the Institute;
  2. Six months field training;
  3. Three months training at the institute again.

The relevant portion of part I and III of the training is appended as Appendix-2. Part-I includes training on 'Science and computers' including forensics: a subject that includes computer forensics. It also recommends holding workshop on 'Cyber laws' as well on 'IPR' in the first as well as the third part. In case the other training institutes have not included similar topics in their training then the same may be included.

Remove Mental Block
The judicial officers should be comfortable with the computers. They should know its working: unfortunately it is not true with many. The e-committee has provided a laptop to every judicial officer in the country with Linux operating system. It is a good decision.
Linux is open source;
  1. It has least IPR problems; and
  2. There is almost no virus problem in it.
  3. The adoption of open standards, open formats is always better in the longer run.

Nevertheless, there is a kind of mental block to operate Linux laptop. It is enhanced by the fact that laptops are specially programmed. It takes time to decrypt the data as it boots and then takes time to encrypt the data when it shuts down. It also does not have programmes that make a computer interesting to use. Perhaps a policy decision should be taken to make the laptops user friendly and interesting to use. The laptops may have some interesting programmes to use (see Appendix-III).

Adopt Open Standards
All judicial training institutes have computer training centres. There is a dichotomy, the judicial officers have laptops on Linux but the most of the Judicial training institutes have computers on windows. It will be good idea to have computers on Linux in the judicial training institutes―the same

The Judicial Training Institutes organise different workshops and refresher courses. Every judicial officer attending a workshop or a refresher course should be asked to bring his laptop. He should be required to submit a report of the workshop from the laptop electronically. This will encourage the officers to use their laptops more often and they will become computer literate.

International Cooperation
As the Internet has no boundaries, greater international cooperation is required not only between the law enforcing agencies but perhaps in law too:
  • A website may be accessed or its services may be taken from any part of the world. There may be conflict in laws: what may be legal in one country may be illegal in the other country. The Yahoo case (see Appendix-4) is an example.
  • There are practical problems too. A person in any part of the world may commit a cyber crime in India. He has to be extradited before he is tried. But this process is lengthy and difficult: global or bilateral treaties are the solution to this.

Efficient Enforcement―Improve Confidence
Not all cyber crimes are reported than there are in the society. This is not only true in the case of individuals but also in the case of the corporations. This could be because of lack of the confidence in the people. Skilled police personnel, quick, and satisfactory resolution of the cyber law crime will boost the public confidence. This will bring forward more people with their problems.

CONCLUSIONS
The paradox in Dicken's, 'A Tale of Two Cities', is the epitome that led to storming of Bastille and the French revolution. We must take precautions lest, the paradox of Internet and cyberspace may lead to banking/ financial trade on line catastrophe or compromise in the national security or personal lives.

End Note-1: Section 6A of the General Clause is entitled 'Repeal of Act making textual amendment in Act or Regulation'. It states that in such a situation unless different intention appears, the repeal does not effect the continuance of any amendment made by the enactment so repealed. In view of this, the amendments in the aforesaid Acts will continue. Notes on the clauses along with the 2006 Bill also state that sections 91-94 are being omitted for the reason that these provisions have become redundant as necessary modifications have already been carried out in the enactment

Appendix-1
(Questions for the legal awareness programmes)
Why is there a need for Cyberlaw?
What is Cyberlaw?
What is the importance of Cyberlaw?
Does Cyberlaw concern me?
What is the general awareness about Cyberlaw today?
Is Cyberlaw constantly evolving?
Why is it important to protect cyberspace?
How can I protect my children work from viewing adult material on the Internet?

What is Cybercrime ?
What are the various categories of Cybercrimes ?
What is their normal modus operandi?
How can they be avoided?
Is there any comprehensive law on Cybercrime today ?
Why do we need to fight Cybercrime ?
What should be done in case one becomes victim of the same.
I get unnecessary emails? How can it be stopped? What can be done about it?
I get obscene email? What should I do?
I get unnecessary sms on my mobile? How can it be stopped? What can be done about it?
How do I report an online crime or identity theft?
I believe an organisation is misusing my personal information; who can help?


What is an IP address?
What is a Domain Name?
What are the components of a Domain Name?
What are the categories of Top Level Domain Names (TLDs)?
Who registers Domain Names? 
What is the unique feature of Domain Names?
How are Domain Names different from Trade Marks ?
What is Cybersquatting ?
Is there any remedy against Cybersquatting ?

Appendix-2
PART- I: Three Months' Training at the Institute of Judicial Training and Research, Lucknow (JTRI)
...
3. Science and Technology
(i)Computer hardware
(ii)Computer software: Open Source Software, Linux, Open Office, Thunder Bird, Firefox, Sunbird
(iii)Communication: Internet & NICNET,
(iv)District Court Information System (DCIS),
(v)JUDIS Case Law Searching
(vi)Forensic and medical jurisprudence
(vii)Handwriting, Fingerprint, and DNA fingerprinting
...
Note: Forensics means the use of science and technology to investigate and establish facts in (criminal or civil) courts. Traditionally it was confined to ballistic and fire arms but today it includes a computer forensic too.

Computer forensic is usually applied to an investigation after a system has been cracked. It also includes investigations to find evidence for legal purposes. Illegal possession of trade secrets or intellectual property or child pornography, insurance fraud, insider trading, counterfeiting, criminal or sexual harassment—any of these could require a forensic investigation of a hard drive, removable media, or network.

Part II: Six months Field Training
...
PART-III: Three months' Training at the JTRI
1. Workshops: The Civil Judge (JD) should have knowledge about interaction between the law and the society. This may be achieved by conducting one/two days weekly workshop on any particular theme and may be held at the discretion of the Director in the first or third part of the training. Experts may be invited on these days. Some example of the themes are as follows however they are neither exclusive nor exhaustive.
...
(xxiv) Cyber laws
(xxv) Intellectual Property Rights
...

Appendix-3
Lap top for the Subordinate Judiciary
The laptop for the lower judiciary may simply be on Linux (without asking for the password at the boot time, without encrypting and decryption of data every time). It may have with the following programmes.
  1. Firefox web browser with Flash plugin;
  2. Thunder bird (for email);
  3. Sunbird as E-manager. It may be merged with Thunderbird;
  4. Openoffice.org (office suite);
  5. VLC media player or Mplayer with MP3 plugin;
  6. Audacity (Audio editor software) with MP3 plugin;
  7. GIMP (Photo editing software).
This can be done without extra cost.

Appendix-4
The Yahoo case
Yahoo is a site, which provides services. It is a US based company and has subsidiaries in other countries. Its American website, www.yahoo.com, targets US users and provides many services, including auction sites, message boards, and chat rooms, for which Yahoo users supply much of the content. Nazi discussions have occurred in Yahoo’s chat rooms and Nazi-related paraphernalia have appeared for sale on its auction website. Under the French law, the display of Nazi material or sale of Nazi-insignia is illegal.  Yahoo’s subsidiary, Yahoo France, operates www.yahoo.fr in France; it has no Nazi material or insignia on its website in accordance with French law. However the French users can still access the American Yahoo website that carries the Nazi-related discussions and purchase auction items including Nazi paraphernalia.

Two French civil liberty groups filed a case in France requiring Yahoo to remove all Nazi material and paraphernalia. Yahoo challenged the jurisdiction of the French court but it was denied. The French court issued an injunction order on 22-5-2000. It was confirmed on 20-11-2000. The order required Yahoo to,—
  • Destroy all Nazi-related messages, images, and text stored on its server, particularly any Nazi relic, object, insignia, emblem, and flag on its auction site;
  • Remove any excerpts from Mein Kampf and Protocole des Sages de Sion, books promoting Nazism;
  • Remove from its browser directories, which are accessible in France, the headings ‘Negationists’ and any equivalent category under the heading ‘Holocaust’;
  • Take all necessary measures to prohibit access to the Nazi artefacts on its site and to warn that viewing such material violates French law.

The French court gave three months time to Yahoo to comply with the order/ failing which it was required to pay a fine of 100,000 Francs (approximately $13,300) per day. Yahoo did not file any appeal in France and has partly complied with the French orders. It has,
Modified its hate-speech policy to preclude use of its services to promote groups that are known for taking violent positions against others because of race or similar factors; and
Removed Protocole des Sages de Sion from its site.
However, Yahoo’s US website still exhibits Nazi material (such as copies of Mein Kampf, coins, and stamps) and auctions Nazi insignia.

Yahoo filed a case before the US District court for a declaration that the French court's order was not enforceable in the US. According to Yahoo,
There was threat as fines were accruing for each day that it failed to comply with the French orders.
The fines would only be collectable in the US since the French court had prohibited collection from Yahoo French subsidiary and Yahoo has no other assets in France.
The orders of the French courts were not enforceable in the US as they were in violation of the First Amendment of the US Constitution.

The District Court held (reported in169 F. Supp. 2d 1181, 1194) that:
  • It could properly exercise jurisdiction over the two French civil liberty groups and denied their motion to dismiss the case.
  • There was an actual controversy causing a real and immediate threat to Yahoo.
  • Enforcement of the French orders in the US would violate the First Amendment of the US constitution and they were unenforceable in the US.

The two French civil liberty groups filed an appeal. This appeal has been allowed. The court by two is to one majority held,
‘France is within its rights as a sovereign nation to enact hate speech laws against the distribution of Nazi propaganda in response to its terrible experience with Nazi forces during World War II. Similarly, LICRA and UEJF [the two French civil liberty groups] are within their rights to bring a suit in France against Yahoo! for violation of French speech law. The only adverse consequence experienced by Yahoo! as a result of the acts with which we are concerned is that Yahoo! must wait for LICRA and UEJF to come to the United States to enforce the French judgment before it is able to raise its First Amendment claim. However, it was not wrongful for the French organizations to place Yahoo! in this position.
Yahoo! obtains commercial advantage from the fact that users located in France are able to access its website; in fact, the company displays advertising banners in French to those users whom it identifies as French. Yahoo! cannot expect both to benefit from the fact that its content may be viewed around the world and to be shielded from the resulting costs – one of which is that, if Yahoo! violates the speech laws of another nation, it must wait for the foreign litigants to come to the United States to enforce the judgement before its First Amendment claim may be heard by a U.S. court.’

However, the appellate court recalled the three-judge panel ruling and has heard it again by a full court consisting of 11-judges. In the review (reported in 433 F.3d 1199) the court has dismissed the suit on the following grounds:
'An eight-judge majority ... holds ... that the district court properly exercised specific personal jurisdiction over defendants ... A three-judge plurality of the panel concludes, as explained in Part III of this opinion, that the suit is unripe for decision ... When the votes of the three judges who conclude that the suit is unripe are combined with the votes of the three dissenting judges who conclude that there is no personal jurisdiction ... there are six votes to dismiss Yahoo!’s suit.
We therefore REVERSE and REMAND to the district court with instructions to dismiss without prejudice.'
The court has refused to decide the question whether the decision of the French court can be voided by the US courts or not. It has left the question open; it may be decided when the decree of the French court is executed in US.

No comments:

Post a Comment

Naked In The Khan Market

Judiciary must change its mindset. With lifting veil on collegium recommendation it has started but a lot is yet to be done. It should cont...