Thursday, April 25, 2013

Landmark cyber law - IT Act, 2000 case law - judgement from India - Maharashtra

If an employer obtains an employee's or ex-employee's bank statement without his knowledge, it amounts to DATA THEFT. Such a statement cannot be produced even in a court of law. This is a landmark judgement (order) delivered by the Maharashtra Adjudicator in our client's favour; it will prevent misuse of an individual's bank statement in India. The judgement has ruled that this amounts to data theft of sensitive personal information under Section 43(b) read with Section 66 of the Information Technology (IT) Act, 2000 (India). I represented and argued this matter for my client Amit Patwardhan, CEO of Heko Chains in India (a German company).
Case Details: Amit Patwardhan Vs Rud India & Vipin Rao - 1 of 2013
This judgement can be downloaded from the following link on the Maharashtra Government website (DIT):
http://it.maharashtra.gov.in/SITE/Upload/ACT/AmitPatwardhanVsRudIndiaVipinRao%2015Apr%202013%20Rajesh%20Aggarwal.pdf

A New Virus Warning in Indian Cyber Space

Warning of A NEW VIRUS 

A new virus or variant has been found to be "spreading fast" in Indian cyberspace; it steals the user's bank account details and passwords once it is clicked. It is a new, suspected variant of the malware family called 'Win32/Ramnit'.
The Ramnit worm spreads by infecting or modifying files already present on target systems (such as EXE, DLL or HTML files): it creates a new section in the file and modifies the entry point to point to that section.
This virus "steals credentials like file transfer protocol passwords, bank account logins, infects removable media, changes browser settings and downloads and executes arbitrary files". The virus is potent enough to hide itself from anti-virus solutions, and it acquires various aliases to attack a genuine system or Internet-based connection that handles email and other user services.
The virus is so lethal in its operation that it "infects the removable media by copying itself to its recycle bin and creates an autorun.Inf file".

Once the system is infected, the malware injects its malicious code into Windows executables, HTML files or DLLs to communicate with its command and control server, thereby compromising the security of the online system.

Countermeasures in this regard:
1. Users should not download and open attachments in emails received from untrusted users or unexpectedly received from trusted users; they should exercise caution while visiting links to web pages and should not visit untrusted websites.

2. Enable a firewall at desktop and gateway level and disable ports that are not required; avoid downloading pirated software; keep the operating system and application software up to date with patches and fixes; and keep anti-virus and anti-spyware signatures up to date at desktop and gateway level.
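
The removable-media behaviour quoted above (a copy placed in the drive's recycle bin plus an autorun.inf file) lends itself to a simple defensive check, shown here as an added example that is not part of the original post: parse a drive's autorun.inf and flag launch entries that point at an executable under a recycle-bin folder. The folder names, key list, extension list and both sample files are assumptions made for illustration, and the check applies to any autorun.inf with this layout, not only to Ramnit.

```python
import os
import re
from pathlib import PureWindowsPath

# Recycle-bin folder names used by different Windows versions and filesystems.
RECYCLE_DIRS = {"recycler", "recycled", "$recycle.bin"}
# autorun.inf keys whose value is a command that Windows may launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".cpl", ".pif"}

# Constructed samples for illustration; not taken from a real infection.
SAMPLE_SUSPICIOUS = r"""
[autorun]
; junk and comment lines are skipped by the parser
icon=%SystemRoot%\system32\shell32.dll,4
open=RECYCLER\S-1-5-21-EXAMPLE\setup.exe
shell\explore\command="RECYCLER\S-1-5-21-EXAMPLE\setup.exe" -x
"""
SAMPLE_BENIGN = r"""
[AutoRun]
open=setup\installer.exe /quiet
icon=setup\app.ico
"""


def program_path(value):
    """Return the program part of a command value, dropping any arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split()[0] if value else ""


def inspect_autorun(text):
    """Return one finding per launch entry in the [autorun] section."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not LAUNCH_KEY.match(key):
            continue
        target = PureWindowsPath(program_path(value))
        findings.append({
            "key": key.lower(),
            "target": str(target),
            "in_recycle_bin": any(p.lower() in RECYCLE_DIRS for p in target.parts),
            "executable": target.suffix.lower() in EXECUTABLE_EXT,
        })
    return findings


def flagged(text):
    """Launch entries that start an executable stored under a recycle-bin folder."""
    return [f for f in inspect_autorun(text)
            if f["in_recycle_bin"] and f["executable"]]


def scan_drive(root):
    """Check the autorun.inf (any letter case) at the root of a mounted drive."""
    for entry in os.scandir(root):
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            with open(entry.path, encoding="utf-8", errors="replace") as fh:
                return flagged(fh.read())
    return []


if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, flagged(sample))
```

Pass `scan_drive` the mount point or drive letter of the removable media; an empty list means no launch entry pointed into a recycle-bin folder, not that the drive is clean.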

Law perspective: If gross negligence or a guilty mind is found, then spreading a virus is a cognizable crime under Section 43(c) read with Section 66 of the IT Act, 2000 in India. It attracts up to 3 years of imprisonment, or a fine of up to Rs. 5 lakhs, or both.

Saturday, March 30, 2013

5 things you should consider removing or not posting to Facebook


5 things you should consider removing or not posting to Facebook and/or other social networks.

1. You or Your Family's Full Birth Dates and Address
We all love getting happy birthdays from our friends on our Facebook wall. It makes us feel all warm inside knowing that people remembered and cared enough to write us a short note on our special day. If you are having a private party, leave the address off Facebook, unless you are in a public place. We have all seen what happens in the media when your or your friends' privacy settings are compromised. The problem is that when you list your birthday and your address, you are providing identity thieves with 2 of the 3 or 4 pieces of personal information that are needed to steal your identity. It's best not to list the address or the birth date at all, but if you must list the birth date, at least leave out the year. Your real friends should know this info anyway.

2. Your Relationship Status
Whether you are in a relationship or not, it may be best not to make it public knowledge. Stalkers would love to know that you just became newly single. If you change your status to "single" it gives them the green light they were looking for to resume stalking now that you're back on the market. It also lets them know that you might be home alone since your significant other is no longer around. Your best bet is to just leave this blank on your profile.

3. Your Current Location
There are a lot of people who love the location tagging feature on Facebook that allows them to let people know where they are 24/7. The problem is that you have just told everyone that you're on vacation (and not at your house). If you add how long your trip is then thieves know exactly how much time they have to rob you. My advice is not to provide your location at all. You can always upload your vacation pictures when you get home or text your friends to let them know how jealous they should be that you're sipping an umbrella drink while they toil away at work.

4. The Fact That You Are Home Alone
It is extremely important that parents make sure their children never put the fact that they are home alone in their status. Again, you wouldn't walk into a room of strangers and tell them you are going to be all alone at your house so don't do it on Facebook either.

We may think that only our friends have access to our status, but we really have no idea who is reading it. Your friend may have had their account hacked or someone could be reading over their shoulder at the library. The best rule of thumb is not to put anything in your profile or status that you would not want a stranger to know. You may have the most stringent privacy settings possible, but if your friend's account gets compromised then those settings go out the window.

5. Pictures of Your Kids Tagged With Their Names
We love our kids. We would do anything to keep them safe, but most people post hundreds of tagged pictures and videos of their kids to Facebook without even giving it a second thought. We even go so far as to replace our profile pictures with that of our children.

Probably 9 out of 10 parents posted their child's full name, and exact date and time of birth while they were still in the hospital after delivery. We post pictures of our kids and tag them and their friends, siblings, and other relatives. This kind of information could be used by predators to lure your child. They could use your child's name and the names of their relatives and friends to build trust and convince them that they are not really a stranger because they know detailed information that allows them to build a rapport with your child.

If you must post pictures of your children then you should at least remove personally identifying information such as their full names and birth dates. Untag them in pictures. Your real friends know their names anyway.

I would be a hypocrite if I said that I have completely removed all tagged pictures of my kids on Facebook. It is a daunting task given the amount of pictures that we take as proud parents, but I have started on it and I'll do a little bit each day until it's finished.

Lastly: think twice before you tag pictures of the children of friends and relatives. They might not want you tagging their kids for the reasons mentioned above. You can send them a link to the pictures and they can tag themselves in place of their children if they want to.

Think twice before you tag photos of your friends or relatives, ask them first, they might not want you tagging them for security reasons as mentioned above.

Wednesday, March 27, 2013

Now A Handbook on Laws of Cyber Warfare by NATO


A handbook by Nato's Co-operative Cyber Defence Centre of Excellence (CCDCOE), located in Tallinn, Estonia, has been released. The centre was established in 2008 after Estonia suffered massive cyber attacks which wreaked havoc on the country's network infrastructure.
The guidelines include a provision for states to respond with conventional force if cyber attacks by another state resulted in death or significant damage to property. It also states that hackers who take part in online attacks during a war can be legitimate targets even though they are technically civilians and not soldiers.
Some rules that cover conventional warfare such as the Geneva Convention have been adapted to the internet. For example, attacks on certain key civilian sites are outlawed.
In order to avoid the release of dangerous forces and consequent severe losses among the civilian population, particular care must be taken during cyber attacks against works and installations containing dangerous forces, namely dams, dykes and nuclear electrical generating stations, as well as installations located in their vicinity. Hospitals and medical units are also to be protected.
Another interesting point is that launching an attack from a neutral country's computer network is forbidden in much the same way that conventional armies aren't allowed to march through a neutral country's territory to attack another country.
The handbook, which is published by Cambridge University Press, is neither an official Nato document nor is it Nato policy. It is merely an advisory manual. Nevertheless, it is a landmark development as it represents the first-ever attempt to codify how international law applies to online attacks. 
You can read it at www.ccdcoe.org/249.html
prashant.mali@cyberlawconsulting.com

Tuesday, February 26, 2013

Chinese Hardware - A Cyber Security Threat to India



I remember when I was a child and used to ask myself: if the Japanese want revenge on the USA, are they putting some kind of remotely activated Trojan bombs in the various televisions, music systems, water heaters, emergency lights and cars they export heavily and cheaply to the USA? The Japanese could do so in their long-awaited need for revenge, and what could be worse than detonating multiple bombs in television sets across American cities and causing panic and havoc without any atom bomb?
The Chinese have resident revenge in their minds because India towers in the Asian region with its IT revolution and the largest English-speaking population. Indians also always keep China scratching them wrongly by exhibiting His Holiness the Dalai Lama.
Now let's look at how cyber-security-critical items are being used by Indian companies on the pretext of cost cutting; Chinese executives, who majorly serve their state, are fully aware of the "kanjusi", or in a more white-collar phrase "value for money", buying psyche of Indians. Many a time, to please higher-up bosses, executives follow the mantra of getting cheap things which overtly look technologically advanced but covertly are harmful and dangerous to the security posture of the organization and the country.
Items being used, bought or, I say, covertly forced to be bought are:
1. Routers
2. Switches
3. Devices & Chips used for data transmission
4. Mobile phones
5. Cameras

India has loads of cheap routers from Huawei and ZTE. According to a U.S. Congressional intelligence committee report made public on October 8, 2012, Chinese routers from Huawei and ZTE are "a threat" to the United States, or even the world. The committee suspects that these machines, which transmit Internet communications, could be working for the Chinese government. These two Chinese telecom firms had already been singled out by the U.S. Department of Defense, as well as, in France, by Senator Jean-Marie Bockel.
The American authorities have suspected for a long time that chips, routers, and other digital equipment from China could be equipped with "back doors," hidden access that would allow an ill-intentioned remote user to connect, giving the Chinese government the chance to access sensitive information as it passes through the machines.

Chinese-made pen drives, especially unbranded or pirated ones, are now considered a threat the world over because of the firmware present in the pen drive, which can be capable of harvesting data from the millions of machines to which such drives are attached. According to Chief of Army Staff General Bikram Singh, restricting the use of pen drives and PowerPoint presentations is the key to preventing cyber invasion against India. Analysis of Indian cyber breaches has shown that over 70 percent have been caused by the use of USB pen drives. General Singh has also ordered that all sensitive war plan meetings be done paperless and that PowerPoint use is to be restricted. Is he even suspecting Microsoft?
This is not the first time that the two Chinese manufacturers have been under fire. In August 2012, Felix Lindner and Gregor Kopf, computer security specialists at Recurity Labs, criticized the vulnerability of Huawei's machines. According to Felix Lindner, Huawei routers are actually dangerous. Even earlier, the alarm was sounded by Jean-Marie Bockel, a centrist French senator and former secretary of state for defense. On July 19, the senator presented a report on French cyber-defense. It proposed "banning at-risk routers and other core network equipment." On his short list of brands to ban: Huawei and ZTE.

According to the Bockel report, "There is nothing to prevent a country that produces network routers from inserting devices for surveillance or interception, or even a system that completely interrupts all communication at any time." Bockel also asked for a ban on the sale or use of Chinese equipment to companies that manage Internet communications.

I feel the greatest threat to the world from Chinese manufacturers is from mobile phone devices; even leading brands manufacture through cheaper Chinese companies. The amount of malware on mobile platforms and the dependency on mobile phones by individuals and corporates have both increased exponentially across the world.
Adding to mounting worries that smartphones and tablets represent the next frontier for malware, security researchers have discovered a vast botnet on over a million devices in China. The Chinese news agency Xinhua and the BBC report that the botnet makes it so that smartphones can be hijacked remotely, potentially for DDoS attacks or other malevolent purposes. As recently as September of 2011, it was big news to find 20,000 Android devices communicating with known criminal command and control networks in a given week. One of the worst Android botnets to date was called Rootstrap; it was reported to have reached 100,000 compromised devices about a year ago.
I strongly feel Android users, while accessing Chinese apps even on Indian phones (if there exist any?), should be very cautious and avoid getting into the great data mining trap set up by Chinese app makers.

Finally, China has made the art of camera making a joke; today, for only hundreds of rupees, you get filthy branded Chinese cameras which are used for various espionage-related operations. The majority of IP cameras are imported from China at throwaway rates with no or very little certification, and I see CCTV cameras being widely put up by municipalities and police for increased surveillance. Now the billion-dollar question: who is surveilling whom?
OMG, are we using thermal cameras or night-vision cameras on our defence equipment, on our old pricey birds or on the LOC? Time save us from China, coz everything seems to be Made in China except our babies.




Adv Prashant Mali is a Cyber Security & Cyber Law Expert in India

Note: While writing this, various material available on the Internet was also referred to.


Wednesday, February 20, 2013

Intermediary (ISP,Website Hosters,Facebook,Google,Banks,Stock Exchanges) Law in India

Who is an Intermediary in India?
Ans: As per Section 2(1)(w) of the IT Act, 2000 (Indian Cyber Law) "Intermediary" with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes;
1. All banks, insurance and finance companies
2. All stock exchanges (NSE, BSE, MCX etc.)
3. All ISPs (BSNL, MTNL, SIFY, Tikona etc.)
4. All telecom companies (Airtel, Vodafone, Aircel, Reliance etc.)
5. All auction sites (ebay.in, Quickr, mybid.in, auto auction sites etc.)
6. All e-commerce sites (flipkart, myntra, jabong, amazon etc.)
7. All payment gateways
8. Search engines
9. Cyber cafes (any place where public surfing on the internet is allowed)
10. To be interpreted on a case-to-case basis

Responsibility of an Intermediary

6. The intermediary or person in-charge of computer resource shall be responsible for the actions of their employees also, and in case of violation of the provision of the Act and rules made there under pertaining to maintenance of secrecy and confidentiality of Information or any unauthorised monitoring or collection of traffic data or information, the intermediary or person in-charge of computer resource shall be liable for any action under the relevant provision of the laws for the time being in force.
(Under Clause 6 of THE INFORMATION TECHNOLOGY (PROCEDURE AND SAFEGUARD FOR MONITORING AND COLLECTING TRAFFIC DATA OR INFORMATION) RULES, 2009)

Intermediary to ensure effective check in handling monitoring or collection of traffic data or information.

The Intermediary or person in-charge of computer resources shall put in place adequate and effective internal checks to ensure that unauthorised monitoring or collection of traffic data or information does not take place and extreme secrecy is maintained and utmost care and precaution is taken in the matter of monitoring or collection of traffic data or information as it affects privacy of citizens and also that this matter is handled only by the designated officer of the intermediary or person in-charge of computer resource.


Destruction of records by Intermediary
(1) Every record, including electronic records pertaining to such directions for monitoring or collection of traffic data shall be destroyed by the designated officer after the expiry of a period of nine months from the receipt of direction or creation of record, whichever is later, except in a case where the traffic data or information is, or likely to be, required for functional requirements.

(2) Save as otherwise required for the purpose of any ongoing investigation, criminal complaint or legal proceedings the intermediary or the person in-charge of computer resource shall destroy records pertaining to directions for monitoring or collection of information within a period of six months of discontinuance of the monitoring or collection of traffic data and in doing so they shall maintain extreme secrecy.


Due diligence to be observed by intermediary in India
The intermediary shall observe following due diligence while discharging his duties, namely : ―
(1) The intermediary shall publish the rules and regulations, privacy policy and user agreement for access or usage of the intermediary’s computer resource by any person. 

(2) Such rules and regulations, terms and conditions or user agreement shall inform the users of computer resource not to host, display, upload, modify, publish, transmit, update or share any information that —
(a) belongs to another person and to which the user does not have any right to;
(b) is grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, pedophilic,  libelous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever; 
(c) harm minors in any way;
(d) infringes any patent, trademark, copyright or other proprietary rights;
(e) violates any law for the time being in force; 
(f) deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;
(g) impersonate another person;
(h) contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;
(i) threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation.

(3) The intermediary shall not knowingly host or publish any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2):
Provided that the following actions by an intermediary shall not amount to hosting, publishing, editing or storing of any such information as specified in sub-rule (2) ―
(a) temporary or transient or intermediate storage of information automatically within the computer resource as an intrinsic feature of such computer resource, involving no exercise of any human editorial control, for onward transmission or communication to another computer resource;
(b) removal of access to any information, data or communication link by an intermediary after such information, data or communication link comes to the actual knowledge of a person authorised by the intermediary pursuant to any order or direction as per the provisions of the Act;

(4) The intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or been brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act within thirty six hours and where applicable, work with user or owner of such information to disable such information that is in contravention of sub-rule (2). Further the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes.

(5) The Intermediary shall inform its users that in case of non-compliance with rules and regulations, user agreement and privacy policy for access or usage of intermediary computer resource, the Intermediary has the right to immediately terminate the access or usage rights of the users to the computer resource of Intermediary and remove non-compliant information.

(6) The intermediary shall strictly follow the provisions of the Act or any other laws for the time being in force.

(7)  When required by lawful order, the intermediary shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing stating clearly the purpose of seeking such information or any such assistance.

(8) The intermediary shall take all reasonable measures to secure its computer resource and information contained therein following the reasonable security practices and procedures as prescribed in the Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011.

(9) The intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team.

(10) The intermediary shall not knowingly deploy or install or modify the technical configuration of computer resource or become party to any such act which may change or has the potential to change the normal course of operation of the computer resource than what it is supposed to perform thereby circumventing any law for the time being in force:

Provided that the intermediary may develop, produce, distribute or employ technological means for the sole purpose of performing the acts of securing the computer resource and information contained therein.

(11) The intermediary shall publish on its website the name of the Grievance Officer and his contact details as well as mechanism by which users or any victim who suffers as a result of access or usage of computer resource by any person in violation of rule 3 can notify their complaints against such access or usage of computer resource of the intermediary or other matters pertaining to the computer resources made available by it. The Grievance Officer shall redress the complaints within one month from the date of receipt of complaint.

Credit Cards to be More Secure Now But is your Personal Data Secure?




After shouting and advocating for Chip & PIN cards for more than two years on various national TV channels, and demonstrating the loopholes and easy cloning process of the currently employed magnetic-strip debit and credit cards, finally RBI has now woken up and has asked banks to change the card technology to embed chips and make entering of the PIN number compulsory by June 2013.
One more thing I have been advocating further is that sharing of client/customer data by a bank with its subsidiaries or different legal entities, like its credit card division, is a blatant violation of Indian Cyber Law, aka the IT Act, 2000. Banks can be hammered with crores of rupees in damages and compensation for this very act. Every bank customer should know that if the bank has to share his data with another legal entity, then the bank should take (written/email/electronic) permission.

FIR : All you want to know about in a criminal case

FIR - What is?  The first information report is a report giving information of the commission of a cognizable crime,  which may be made by t...