Tuesday, April 20, 2010

EVERY FORT CAN BE BREACHED

Still from the film 'Independence Day'
(Summary: This post explains  policy issues and emerging trends in field of Cyber Laws.



It was delivered delivered by Justice Yatindra Singh, Judge Allahabd High Court, on 'Cyber Law: Policy Issues & Emerging Trends' at Dr. Ram Manohar Lohiya National Law University on Lucknow 27.03.2010. 

A pdf format of the talk can be downloaded from here) .


In my school-days, there was a popular Walt Disney film (1961), 'The Absent-Minded Professor'. It was based on the story 'A Situation of Gravity', by Samuel W Taylor. 'Son of Flubber' (1963) was its sequel.  In recent times (1997), 'Flubber' is a remake of the original film. It is about an absent-minded professor, who discovers a substance flubber (flying rubber) that defies gravity and in the excitement forgets his wedding day. The story revolves around his adventures with flubber and winning back his love. The title and the picture of my presentation should not mislead you in thinking that I am an absent minded Judge: I have purposely  chosen the title and the picture from the film 'Independence day' for this seminar on Cyber Laws.  Let me explain the reason, why I chose them. 

Towards the end of the nineteenth century, mathematicians started having doubts about the foundations of their subject.  They started searching rigorous proofs of their fundamentals.  One area related to the paradoxes around self-referencing. The most famous of all, is Epimenides or liar's paradox?  Epimenides (ऍपीमेनेडीज़) was the 6th century Greek philosopher. He was a Cretan. He made an immortal statement:
‘All Cretans are liars’.
Try deciphering this - if you think it is true, it boomerangs with the notion that it is false. If you take it to be false, it backfires  with the idea that it is true.

In the recent times, the paradox was reformulated by Bertrand Russell as barber or Russel paradox:
'The only barber in the village declared that he shaves only those who do not shave themselves'.
There was no problem with it, till the question is asked,
‘who shaves the barber?’
Russell and Whitehead tried to sort it out in ‘Principia Mathmatica’ a giant opus published in 1913. They thought that they solved it but alas they did not. 

Kurt Godel (कोर्ट गर्डल) wrote a paper in 1931. It was in German and the English translation was  titled 'On formally Undecidable Proposition of Principia Mathematica and Related Systems'.  It solved such paradoxes forever. He proved that it cannot be solved:
'Proof of arithmetic consistency is not possible—every system is incomplete.'

Its implications are, there is no shield that cannot be pierced; there is no fort that cannot be breached; and there is no computer that cannot be hacked—every system, every computer can be hacked.

It was this idea that was subtly applied in the film, 'Independence Day' to introduce a virus in the computer of the alien ship to let down its protective shield so as to make an opening and insert a bomb inside it.

In substance, irrespective of the security measures there is always room for improvement. Security measures are to be backed up with legal sanctions. The experts from the technical as well as law enforcement field are important. It is to emphasise this point that I chose this title and the picture for this presentation. 

I am glad that Dr. Ram Manohar Lohiya National Law University has organised this national seminar on 'Cyber Laws: Policy Issues and Emerging Trends' consisting of these groups. This will help us in understanding its problems, implications, and solutions. 

Before we talk about policy issues, emerging trends, some words about cyber laws.

CYBER LAWS
Information Technology Act, 2000 (IT Act)
Inventions, discoveries, and new technologies widen the scientific horizon but pose new challenges for the legal world. The information technology (brought about by computers, Internet and cyberspace) has opened new dimensions but has also created problems in all aspects of law. We are finding solutions for them. These solutions―statutory or otherwise―providing answers to the problems are loosely referred to as ‘Computer Laws’ or ‘Information Technology Laws’ or simply ‘Cyber Laws’.

We have enacted a few statutory provisions.  The problems (due to the information technology) in the field of Intellectual Property Rights (IPRs), have been sorted out by amending the Copyright and the Patents Act. However the most important legislative measure is the Information Technology Act, 2000 (the IT Act). It has also amended the following four Acts.
  1. The Indian Penal Code, 1860;
  2. The Indian Evidence Act, 1872;
  3. The Bankers’ Book Evidence Act, 1891;
  4. The Reserve Bank of India Act, 1934.

Communication Convergence Bill
Another Act, entitled Communication Convergence Bill 20011 was in the pipeline. It was to fully harness the benefits of the converged and the converging technologies of the future namely―the Telecom, Information Technology, and Broadcasting.

A committee was set up to consider the Communication Convergence Bill. It recorded sharply divided opinion of the experts about the desirability of having such enactment. This may be the reason that the Bill is still in the cold storage. It may not be enacted in the near future. However, some of its provisions have been incorporated in the IT Act by an amendment.

Amendments in the IT Act
An expert committee was set up to consider the amendments in the IT Act. It has made its recommendations and proposed amendments. The amendments were proposed in 2005. They were introduced in modified form as the Information Technology (Amendment) Bill 20062. The 2006 Bill was further modified and passed by the Parliament on 23.12.2008. After the assent of the President, it was notified on 5.2.2009 as the Information Technology (Amendment) Act 2008 (Central Act no. 10 of 2009)3. It has been enforced from 27.10.2009. The amending Act has incorporated some important provisions of the Communication Convergence Bill.

Previously mentioned four Acts were amended by Section 91 to 94 of the IT Act. These sections have been omitted by the amending Act but in view of Section 6A of the General Clause Act4 these amendments in the respective Acts will continue. The first two Acts have been further amended by the amending Act.

EMERGING AREAS, POLICY ISSUES―CYBER LAWS
Broadly, the following areas of Cyber laws are important:
  1. Violation―Intellectual Property Right (IPR) and remedies;
  2. Violation Other than IPR―Cyber crimes and remedies;
  3. Interception, Banning, and Monitoring—Freedom ;
  4. Intermediary liability,
  5. Computer forensics;
  6. Evidence—Admissibility;
  7. Awareness, Training and Enforcement;
  8. International cooperation.

IPR VIOLATIONS
The Cyber law violations in the field of IPRs may be categorised as:
  1. IPRs problems in the Cyberspace. This includes Copyright and Trademark infringement on the Internet, Domain name dispute, Cyber Squatting, Framing, Metatag and key word disputes. peer to peer file sharing etc.
  2. Illegal copying and distribution of computer software;
  3. Problems relating to Trade secret, Reverse engineering (Decompilation),and Patents in the computer software.

First Two Categories
The first two arise in relation to Copyright and Trademarks; they are often resorted to by the corporations. The courts have been traditionally handling Copyright and Trademarks disputes. They often issue John Doe or Anil Kumar orders (as has been renamed by the Indian courts) but practical problems in enforcing them still remain.

There are civil as well as criminal remedies. They are dealt with in the Copyright Act, Trademarks Act and IT Act.

The Third Category
The third aspect of this category relates to 'Reverse Engineering or Decompilation', 'Trade Secret or Undisclosed Information', and 'Software Patents'. This area is debatable, complicated, and difficult. This problem is in the developed countries and has yet, not come to our country.

'Trade secret or undisclosed information' is a secret that offers an opportunity to obtain an advantage over competitors who do not have knowledge about it. Source code—one of the ingredient of computer software is often (in proprietary software generally) protected as trade secret. Source code Article 39 of the TRIPS talks about Protection of Undisclosed Information (Trade Secret). There is no specific statute dealing with the protection of undisclosed information in our country. We have Official Secrets Act, 1923; it protects information given to or which is with the government. One can also file a suit for breach of trust or confidence.

'Reverse engineering' means ‘starting with the known product and working backward to derive the process which aided in its development or manufacture.’ In other words reverse engineering is taking apart an object to see how it works in order to duplicate or enhance the object. In the context of a computer programme, it is referred to as decompilation or disassembly. There is some difference among the three but the word reverse engineering is a general word and is broader than the other two. This is broadly dealt with in section 52 (1) (aa) and (ad) read with section 23 of the Contract Act.

'Patents' are granted for inventions that is new and useful. It could be a process, or an article, or a product or any new and useful improvement in them. Under our laws, computer programme per se or algorithm is not an invention under section 3(k) of the Patents Act and cannot be patented. In the US the law for granting software patents is broader.  As held there in State Street Bank vs. Signature Financial Group (149 F, 3d 1352 Decided on 23.7.1998) (the StateStreet case)5, patents have been granted in business methods if algorithm is applied to produce a useful, concrete, and tangible result.  Japan and Australia follow the US pattern.  The European law is similar to the Indian law but because of law prevailing in the US, there is variation in its application in Europe.

The Federal Court 'In re Bilski case' (US 545 F 3d 943, 88 US PQ 2d 1384) has modified the principle in the StateStreet case.  An appeal has been filed before the US Supreme Court. The judgement has been reserved. This judgement may change the law in US and the other countries may follow the same. The remedies are dealt in copyright Act, Patents Act, Contract Act and Common Law. 

VIOLATIONS―OTHER THAN IPR: CYBER CRIMES
The cyber laws violations in the field other than IPR is broadly referred to as Cyber Crimes. They can be divided into two categories.
  1. Crime where the computer or server is the object/ target. It includes hacking a computer or a website or a server, sending a virus, Denial of Service (DoS) attack, Adware and Spyware, Data protection, etc.
  2. Crimes other than those where computer or server is the object/ target but computer is used as an instrument for committing the offence. It includes example credit card fraud, Phishing, Pornography, identity, theft, violation of privacy, spam, spim, Cyber stalking, cyber bullying, Cyber terrorism etc. 

There are civil remedies and criminal proceeding can be taken as well. Section 43 of the IT Act (Chapter IX) imposes 'penalties and compensation for damage to computer system etc. Section 66 of the IT Act (Chapter XI) criminalises these acts  Section 43A provides compensation for failure to protect data.

Chapter IX and X deal with the civil remedies. These disputes are not dealt by the civil courts but are entrusted to adjudicating officers having experience in the field of Information Technology.  Appeal lies against their decisions to an Appellate Tribunal and then to the High Court;

The offences are dealt with in Chapter XI of the IT Act.
  1. Virus, DoS, Adware spyware (amended section 43 and 66), Cyber stalking, Cyber bullying, Spin, Spam, Identity theft, Violation of privacy, Cyber terrorism (newly added sections 66 A to 66F Chapter XI) are now covered after the amendments in the IT Act;
  2. Publishing and transmitting obscene, sexually explicit material is punishable under sections 67 and (newly substituted) 67A and 67 B;
  3. Disclosure of information in breach of lawful contract is punishable under section 72A
  4. The Investigation of the criminal case is to be done under Criminal Procedure Code (with some modifications) and cases are to dealt by the criminal courts.

INTERCEPTION, MONITORING, AND BANNING—FREEDOM
Interception, monitoring, decryption of information; or blocking public access of any information; or monitoring, collecting data—through any computer resource is dealt with in Chapter XI {Sections 69 (substituted), 69A and 69B (added)} of the IT Act. This curtails the freedom of expression and impinges upon right of privacy. It should be observed in that light.

INTERMEDIARY LIABILITY

This is dealt with in Chapter XII Section 79 of the IT Act. It absolves intermediaries from any liability for third party information if the conditions mentioned therein are satisfied.

An intermediary is to preserve and retain information for the period specified (newly added section 67C). But is it liabile to disclose information in a civil action. This is a debatable point and lies in the realm of common law.

COMPUTER FORENSICS
Forensics means the use of science and technology to investigate and establish facts in (criminal or civil) courts. Traditionally it was confined to ballistic and fire arms but today it includes a computer forensic too.

Computer forensic is usually applied to an investigation after a system has been cracked. It also includes investigations to find evidence for legal purposes. Illegal possession of trade secrets or intellectual property or child pornography, insurance fraud, insider trading, counterfeiting, criminal or sexual harassment—any of these could require a forensic investigation of a hard drive, removable media, or network.

This seminar is co-sponsored by Department of Higher Education UP, Department of Information Technology UP, and UPTEC Lucknow. They may consider introducing a diploma course in computer forensics.

EVIDENTIAL ISSUES
Generally evidence is these case is in digital form. The courts have traditionally being dealing with evidence in tangible form or hard copies. The evidence in this case is digital form and can be changed. How to preserve and prove it in court is an area of some difficulty. This is broadly been taken care of in Chapter XII A of the IT Act and amendments in the Evidence Act.

AWARENESS, TRAINING, AND ENFORCEMENT
Awareness: FAQ
The best strategy for any crime, be it cyber crime or other, is prevention. The obvious measure is to improve security measures, enhance public education and vigilance.

Public education and vigilance can be effectively enhanced with the help of Frequently asked questions. This can be part of the website of Ram Manohar Lohia National Law University.

The information should also be in Hindi as well as in other regional languages so that the general public may find it easy to read and understand. The information in  Hindi or other regional languages should be in Unicode. This is the character encoding in which these scripts are being globally standardised.

Skilled Investigators
Cyber crime cannot be investigated by everyone. A person should have special knowledge in order to investigate it. There is lack of skilled police personnel to deal with the Cyber crime. To best of my information there is not a single Cyber cell in our State. There should be atleast one skilled police personnel in every district to deal with the Cyber crime.

Trained Judges
While deciding a cyber crime case, one may not be computer savvy but should have basic idea about the computers. Some steps have been taken. Every judge has been provided with a laptop and Computer Forensics is part of curriculum of every judicial training institute in the country. In the Institutes, during training period of the officers, one of the seminar is always on Cyber laws. 

Efficient Enforcement―Improve Confidence
Not all cyber crimes—that there are in the society—are reported. This is not only true in the case of individuals but also in the case of the corporations. This could be because of lack of the confidence in the people. Skilled police personnel, quick, and satisfactory resolution of the cyber law crime will boost the public confidence. This will bring forward more people with their problems.

INTERNATIONAL COOPERATION
As the Internet has no boundaries, greater international cooperation is required not only between the law enforcing agencies but perhaps in law too:
  1. A website may be accessed or its services may be taken from any part of the world. There may be conflict in laws: what may be legal in one country may be illegal in the other country. The Yahoo case is an example.
  2. There are practical problems too. A person in any part of the world may commit a cyber crime in India. He has to be extradited before he is tried. But this process is lengthy and difficult: global or bilateral treaties are the solution to this.

CONCLUSIONS
I started my talk with reference to a paradox. Let me finish with it. 'A Tale of Two Cities', a classic by Charles Dickens (7.2.1812-9.61870), revolves around the French revolution. Its starts with a paradox of those times. With due apologies to Dickens, the present is the time when boundaries are zealously guarded: it is the time that boundaries have become meaningless; it is the age of reality: it is the age of virtuality; it is the beginning of privacy: it is the end of privacy. This is the paradox of Internet; it is the paradox of Cyberspace. It not only shows the difficulty in enforcing cyber laws but also explains the genesis of cyber crimes. People are emboldened to commit a cyber crime because they mistakenly assume that they are anonymous but nothing can be farther than this. There is nothing private in the cyber space: it is the end of privacy.
Cartoon picture from Wikipedia

Peter Steiner published a cartoon in the New Yorker on 15th July 1993. Two dogs with the computer. The dog sitting in front of the computer keyboard telling the other,
'On the Internet, nobody knows that you are a dog'
Well, the truth is, on the Internet, everybody knows that you are a dog.

The paradox in 'A Tale of Two Cities', was the epitome that led to storming of Bastille and the French revolution. And if we don't take precautions then the paradox of Internet and cyberspace may lead to banking/ financial trade on line catastrophe or compromise in the national security or our personal lives.

I am glad that this national seminar has been organised. It will help in understanding its problems and will guide us in taking adequate precautions to avoid them. 

Enhanced by Zemanta

No comments:

Post a Comment

Adopt More Active Role

This is the fourth post of the series 'Advice to Young Judges'. It invites them to adopt more active role like King Solomom in decid...