Author Archives: PTLB

Illegal International Racket Using Unauthorised Gateways To Divert The VOIP Calls Landing In India Busted

Illegal International Racket Using Unauthorised Gateways To Divert The VOIP Calls Landing In India BustedTelecom related issues faced many challenges in the past. However, the regulatory environment for telecom sector of India is fast changing now.  Telecom security policy of India is also in pipeline that may streamline many telecom related issues in India.  The Telecom Commission has also approved satellite based mobile services in India. Satellite phones may also be allowed to be used by adventure tourists where no telecommunication connectivity is available in India.

Few areas in the field of telecom sector are still problematic in nature. For instance, Voice over Internet Protocol (VOIP) has always been a problematic aspect in India. Intelligence agencies of India have been insisting that Internet Telephony and VOIP service providers must establish servers in India. Further, Intelligence Bureau (IB) of India is also expediting the testing of VOIP interception system in India.

Meanwhile, crackdowns on illegal VOIP activities continue in India. In one such latest crackdown, the cyber crime wing of Cyberabad police arrested six persons on the charge of running an illegal international racket by setting up unauthorised gateways to divert the VOIP calls landing in India. The accused were using illegal VOIP gateways and diverted the international calls originating from cheap network providers in Pakistan, Middle East, US and UK.

According to the Police, those who receive such calls will have to pay lesser charges as against what the actual provider charges and will also not come under the government scanner.

The international VOIP grey traffic is purchased as per the daily prevailing rates from international carriers. The modus operandi used by illegal grey operators includes arranging international traffic from various VoIP operators across the globe and terminating it on their own illegal VoIP gateways using broadband connections. This traffic is then distributed to the domestic destination numbers using GSM SIMs, CDMA RUIMs and Public Switched Telephone Network (PSTN) connections.

Encryption Laws In India

Encryption Laws In IndiaEncryption has become an indispensable technology these days. Whether it is online banking, e-commerce or e-governance services, encryption is commonly used in all these services. Encryption ensures authenticity and legality to various transactions provided the same is done within permissible limits and in accordance with the applicable laws of India.

Unfortunately, we have no dedicated encryption law of India and encryption policy of India (PDF) as on date. This has made the entire scenario very complicated. In fact, as on date most of the online service providers in India are in active violations of the encryption related laws, regulations and compliance requirements.

Cloud computing and virtualisation service providers are also violating the laws of India relating to encryption and cyber law due diligence (PDF) requirements. Even the telecom security policy of India has failed to address the encryption related issues properly. The cyber security trends of India (PDF) have also highlighted the inadequacies of cyber security of India and a part of the same is attributable to inadequate encryption and decryption capabilities of India.

Provisions pertaining to encryption usages in India can be found in the by license conditions (PDF) of telecom service providers. Thus, telecom companies and internet service providers (ISPs) cannot used more than the prescribed limits of encryption in India unless certain regulatory conditions are duly complied with. Similarly, the Information Technology Act, 2000 (IT Act 2000) also incorporates some provisions pertaining to encryption but they have remained dormant and ineffective till date.

Any individual or company that wishes to deploy encryption levels beyond the permitted ones would be potentially making himself/itself liable to legal action in India. It would be a good idea to ensure techno legal compliances in this regard before launching a project based upon encryption in India.

DOT India Asks ISPs To Adopt New Cyber Security Measures Including Securing Home ADSL And Broadband

DOT India Asks ISPs To Adopt New Cyber Security Measures Including Securing Home ADSL And BroadbandRouter and modems insecurity is a major cause of concern for governments around the world. Cyber criminals are targeting routers and modems used by home users’ for a broadband connection. In most of the case the routers and modems come with standard login and password credential for practical reasons and convenience. The manufacturers of routers and modems expect the end user to change their login credentials and password. However, a majority of home users do not change such crucial information and this make the routers and modems vulnerable to various cyber attacks.

Amid growing threats of cyber attacks and hacking of websites, the Department of Telecommunications (DoT) has prescribed the security measures to be adopted in ADSL Modems to safeguard against misuse (PDF). These security measures must be adhered to by internet service providers (ISPs) of India within 60 days of the formulation of these measures. This is asking too little from the ISPs as there are other major telecom security issues in India that are still not redressed properly. The truth is that Indian telecom networks are highly vulnerable to cyber security threats.

DoT has noted that crackers have been exploiting vulnerabilities in the asymmetric digital subscriber line (ADSL) modems. The ADSL modems are usually installed by broadband service providers at homes and offices. DoT has written to all ISPs to “assist customers to change the password, including by physical visits”. It has also come out with a new set of guidelines for ISPs that must be implemented by May 2014 to ensure security of almost 1.5 crore fixed-line broadband users.

The ADSL modems are presently supplied by vendors with default set up of user ID and password as “admin’. The default password needs to be changed to a strong password by customer at the time of installation of modem to avoid unauthorised access to modem. The ISP executive visiting customer for installation of modem should ensure this.

The protocol ports in ADSL modem on WAN side [for example, FTP, TELNET, SSH, HTTP, SNMP, CWMP, UPnP] be disabled. These ports may be used by the hackers to enter into the ADSL modem to misuse/compromise the ADSL modems by way of implanting the malware, changing the DNS entries in the modem.

In other instructions, the ISPs have been asked to devise a “mechanism to upgrade the firmware of the ADSL modems remotely by ISPs”. For this, the ISPs need to have separate login password, which is not possible in the present system of ADSL modem design. The DoT has asked the ISPs to tell their customers to check their online daily usage, and if any unexpected high usage of data is noticed, they may bring it to the notice of the ISP concerned. Customers should also be advised to switch off their modem when not in use. Readers of this blog may see the document (PDF) for a detailed analysis.

National Security Council Secretariat (NSCS) Wants Reliance Jio Infocomm To Share Potential Cyber Security Threats On India’s Telecom Networks

National Security Council Secretariat (NSCS) Wants Reliance Jio Infocomm To Share Potential Cyber Security Threats On India’s Telecom NetworksGovernments around the world are stressing upon stringent cyber security breach disclosures norms but telecom companies are opposing the same on cost and other burdensome regulatory reasons. Nevertheless the governments across the globe are working in the direction of forcing the telecom companies to disclose the cyber security breaches.

There is no universally acceptable international cyber security treaty (PDF) and countries across the globe have adopted a national approach toward cyber security. However, the way sophisticated malware are developed by nations as a cyber warfare and cyber espionage weapon, this national approach is of little help and significance.

India has also decided to formulate a cyber security breach disclosure norm in the past. However, keeping in mind the slow pace at which Indian government works in the field of cyber security, this may take few more years before this much required security practice is actually implemented in India.  The cyber security trends in India 2013 (PDF) have underlined many crucial cyber security lapses of India.

Indian government has already formulated the cyber security policy of India that intends to cover some of the crucial cyber security aspects of the nation. However, the cyber security policy has not been implemented till now and it may take few more years before some action can be expected in this regard from Indian government.

Indian government has also tried to spread cyber security awareness in India. It has mandated that a cyber security brochure must be essentially supplied along with hardware to spread cyber security awareness among Indian consumers. However, telecom and hardware vendors are not happy with this direction and they are postponing this requirement for one reason or other.

Meanwhile, the National Security Council Secretariat (NSCS) has urged the Reliance Jio Infocomm to become part of an industry platform which shares information with the government on potential cyber security threats to the country’s telecom networks. The NSCS says “it is important to involve Reliance Jio in sharing information on potential cyber threats, trends and incidents to enable the government to take suitable counter measures”.

The matter was recently discussed at an internal meeting of the Joint Working Group on cyber security chaired by NSCS secretary and Deputy National Security Advisor Nehchal Sandhu. The NSCS is the apex agency looking into India’s political, economic, energy and strategic security concerns and works closely with the Prime Minister’s Office (PMO).

India’s security establishment wants regular leads on potential cyber security threats from Reliance Jio as it is the sole holder of a pan-India 4G permit and is slated to roll out high-speed broadband services later this year on the long term evolution (LTE) technology standard. Last month, Jio also entered the voice segment by buying 1800 MHz band spectrum in 14 regions for nearly Rs 11,000 crore as a precursor to launching 4G services on the frequency band.

In the meeting, the telecom department’s security chief Ram Narain said that Jio is mandated by license conditions (PDF) to share information on potential cyber threats. Besides, the national telecom security policy of India 2014 may impose more stringent obligations than the licence conditions. As the foreign telecom companies are facing the heat of cyber security and telecom security in India, this is a good opportunity for Indian telecom companies to extend their commercial base in India. India has been planning to undergo technological upgrade of border broadcast infrastructure due to Chinese broadcasts. The Telecom Commission Cellular Loop’s Proposal would also strengthen mobile based surveillance on national security grounds in India.

Clearly, the intentions to ensure critical infrastructure protection in India (PDF) are taking a concrete shape. The National Technical Research Organisation (NTRO) has been assigned the task of protecting the critical infrastructure of India.

As Reliance Jio is still not part of any of the telecom industry bodies like the GSM’s Cellular Operators Association of India or the CDMA’s Association of Unified Telecom Service Providers of India (Auspi) who have both supported creation of the Information Sharing and Analysis Centre (ISAC), the agency that will collate all classified industry feedback on potential cyber threats and vulnerabilities in telecom networks across technology platforms.

The latest developments come at a time when the telecom department is framing testing standards for telecom gear to shield networks from potential cyber attacks. India is also readying a cyber security framework, a cyber security policy and a National Cyber Coordination Centre (NCCC) that will monitor metadata on cyber traffic flows.

Telecom Commission Cellular Loop’s Proposal Would Strengthen Mobile Based Surveillance On National Security Grounds

Telecom Commission Cellular Loop’s Proposal Would Strengthen Mobile Based Surveillance On National Security GroundsRecently the National Cyber Security Policy of India 2013 (NCSP 2013) (PDF) was released by Department of Electronics and Information Technology (DeitY). However the same was not made part and parcel of the National Security Policy of India. Further, the cyber security policy of India itself was insufficient and weak on many counts including lack of privacy safeguards. The cyber security policy is also not at all framed to cover the telecom security aspects as well.

India has been planning to undergo technological upgrade of border broadcast infrastructure due to Chinese broadcasts. It would also be interesting to see what types of telecom security policies would be implemented for border regions of India. Telecom security in India is not in a good shape and Indian telecom infrastructures are vulnerable to numerous cyber attacks. Recently it was reported that Huawei was accused of breaching national security of India by hacking base station controller in AP.

We have no implementable cyber attacks crisis management plan of India. The critical ICT infrastructure of India (PDF) is in a poor shape.  The cyber security trends of India 2013 (PDF) proved that India has still to cover a long field before cyber security can be effectively implemented in India. Thus, telecom infrastructures and equipments located at borders of India would be more vulnerable to cyber attacks than general telecom infrastructures of India.

The Telecom Commission may clear an Rs 7,103-crore rollout of Greenfield 2G networks in regions close to the Chinese and Bangladesh borders. These regions are presently outside the mobile loop. There are 8621 villages in locations of strategic importance across the northeast that are proposed to be brought under the cellular loop for the first time to bolster mobile-based surveillance on national security grounds.

Universal Services Obligation Fund (USOF), which will fund the project, will shortly invite bids from telcos for rolling out nearly 6,700 base stations in these regions. The USOF is the Department of Telecommunication’s (DOT) rural network infrastructure financing arm.

But it remains to be seen whether USOF will tweak tender norms to ensure any future cost escalations triggered by India’s spectrum reframing policy are shouldered by telecom operators. It would also be relevant to observe how the telecom security and cyber security aspects would be managed by Indian government in the near future.

Foreign Telecom Companies May Face Opposition And Lesser Market Share In India

Foreign Telecom Companies May Face Opposition And Lesser Market Share In IndiaThe heat is growing against foreign telecom equipments makers. Those on the list include the Chinese companies like Huawei and ZTE that are increasingly seen as a potential national security and cyber security threat to India and other jurisdictions. Recently, the Indian Electrical and Electronic Manufacturers’ Association (IEEMA) suggested that Indian government should consider banning imports of equipment related to power generation and telecom from China. This has come after the intelligence agencies of India expressed similar opinion.

Similarly, the increasing targeting of foreign nationals by intelligence agencies like National Security Agency (NSA) of U.S. and Government Communications Headquarters (GCHQ) of United Kingdom has also badly shaken the trust upon telecom companies operating from these jurisdictions.

For instance, Cisco, IBM, Microsoft and Hewlett-Packard have reported declines in business in China since the NSA surveillance program was exposed. Similar treatment is expected in India as India has already justified its Preferential Market Access (PMA) Policy for domestic telecom equipments manufacturers. India is also considering formulating norms for import and testing of telecom equipments in India. The security agencies of India have even suggested use of indigenously made cyber security softwares.

Recently the Telecom Merger and Acquisitions (M&A) Guidelines 2014 of India were announced by Indian government. The FDI policy for telecom sector of India 2014 (PDF) has also been revised to espouse greater interest of foreign telecom stakeholders. However, various telecom policies of India are subject to clear cut exception of national and cyber security compliances on the part of foreign and domestic telecom companies. In the present circumstances, companies like Huawei, ZTE, Cisco, IBM, Microsoft, Hewlett-Packard, etc would be required to ensure techno legal telecom due diligence compliances in India before their offers and proposals are accepted in India.

To control the damage these companies have started exploring mechanisms to inculcate trust among users and governments of foreign nations. Some of them have even embraced the idea of developing surveillance free products to keep praying eyes and ears at minimum.  These include use of sophisticated encryption technology and development of self destruction products in case of possible breach of security. However, encryption laws of India and cloud computing legal risks in India are still not considered by these foreign companies.

We at Perry4Law believe that all Subsidiary/Joint Ventures of Foreign Companies in India, especially those dealing in Information Technology and Online Environment, must mandatorily establish a server in India. Otherwise, such Companies and their Websites should not be allowed to operate in India. The Ministry of Home Affairs, India and Intelligence Bureau (IB) are already exploring this possibility.

A “Stringent Liability” for such Indian Subsidiaries dealing in Information Technology and Online Environment must be established by Laws of India. More stringent online advertisement, e-commerce, telecom security and cyber security provisions must be formulated for such Indian Subsidiary Companies and their Websites.

Due Diligence In Telecom Mergers And Acquisitions (M&A) In India

Due Diligence In Telecom Mergers And Acquisitions (M&A) In IndiaWith the announcement of merger and acquisition (M&A) guidelines for telecom sector of India 2014, negotiations and dealings in the telecom sector have significantly increased. While these negotiations and dealings are at the infancy stage yet they have indicated how things would take a shape in the near future.

As on date memorandum of understandings (MOUs) and letter of intents (LOIs) are being signed by various stakeholders. The next stage would be conducting of due diligence exercise for various fields like management, finance, legal, etc that are essential part of any business including telecom business.

The legal due diligence exercise may involve examination of the legal structure of business, contracts, potential regulatory issues and impact on the business, statutory clearances made till date, list of legal cases filed by and against the Company and the current status. Partner agreements, DOT license Agreements, VAS Services, liquidated damages, if any levied by licensor and list of all IPR Audits and IPR regulation issues could also be analysed during the legal due diligence exercise.

The primary regulators governing M&A activity in India are the Securities and Exchange Board of India (“SEBI”), the Reserve Bank of India (“RBI”) the Foreign Investment Promotion Board (“FIPB”) and the Competition Commission of India (“CCI”). The provisions of Indian Companies Act, 2013 (PDF), Income Tax of India, 1961, Foreign Exchange Management Act, 1999 (FEMA), The Competition Act, 2002, etc have to be duly complied with in this regard.  Further, telecom stakeholders exploring the M&A route must also comply with the Internet intermediaries requirements and cyber law due diligence requirements (PDF) as prescribed by the Information Technology Act, 2000 (IT Act 2000).

The Securities and Exchange Board of India (SEBI) has announced that it would release corporate governance rules for the listed entities in India. Further, the Parliament of India passed the Indian Companies Act, 2013 (PDF) to improve the corporate culture in India. Powers of Serious Fraud Investigation Office (SFIO) were also enhanced so that they can effectively deal with corporate frauds and crimes in India.

The Ministry of Corporate Affairs (MCA) has also issued some Rules under Chapter XIV of Indian Companies Act, 2013 pertaining to Inspection, Inquiry and Investigation by Indian Authorities and Serious Frauds Investigation Office (SFIO). The Suggestions Regarding Rules Pertaining to Inspection, Inquiry and Investigation (SFIO) by Perry4Law (PDF) has already been provided by us in this regard.

Taxation issues have been at the core of dispute between big telecom companies and Indian Government. For instance, companies having commercial presence in India were accused of violating the transfer pricing laws of India. Transfer pricing orders have already been issued against Vodafone and Shell India and Nokia has been accused of violating the income tax and transfer pricing laws of India.

There are provisions under the Income Tax Act for avoidance of tax by certain transactions in securities and avoidance of income-tax by transactions resulting in transfer of income to non residents. To further curb income tax avoidance and to check black money accumulation in foreign jurisdictions, Income Tax Overseas Units (ITOUs) of India in foreign countries would also be established.

With the advance in information technology, costs pertaining to sharing and storing of information, details and data of the merging company can be significantly reduced as all information can be stored in a secured online environment known as data rooms. The virtual legal due diligence in India has already taken a shape and many companies are using the same to ensure economy and a timely legal due diligence.

Perry4Law wishes all the best to all the stakeholders who are exploring M&A in telecom sector and contemplating engaging in electronic system design and manufacturing (ESDM) business in India.

Merger And Acquisitions (M&A) Policy And Guidelines 2014 For Telecom Sector Of India

Merger And Acquisitions (M&A) Policy And Guidelines 2014 For Telecom Sector Of IndiaThe regulatory environment for telecom sector of India is fast changing to the betterment of various stakeholders. Foreign companies have been demanding a liberal telecom policy before they invest in India. Indian government started accepting these demands one by one.

The first assurance in this regard can be found in the form of the FDI policy for telecom sector of India 2014 (PDF). Indian government has liberalised and enhanced the FDI limit with FIPB approval. Similarly, Indian government has also given approval to establish two semiconductor wafer fabrication manufacturing facilities in India (PDF). This would benefit companies of Japan and Korea in expanding their bases in India. The electronic system design and manufacturing (ESDM) policy of India has also been streamlined by Indian government.

The guidelines for merger and acquisitions of telecom companies in India 2014 (PDF) have also been issued and many international telecom companies have shown their interest in this regard. The M&A policy for the telecom sector is likely to be presented before the cabinet for approval by 27 February 2014.

However, companies like Tata Tele and Aircel, which carry non-auctioned spectrum in their fold, may not be benefited much by this policy. All companies that are purely targeting spectrum acquisition would prefer to avoid the M&A route as it involves debt intake and risks, heavy costs and regulatory approvals. Rather they would opt for engaging in spectrum trading or sharing, policies for which are on the anvil. The M&A route would be generally preferred by those who wish to improve and enhance their subscriber base or infrastructure.

The new M&A guidelines prescribes that an acquirer will have to pay market price for spectrum of an acquired company in case of non-auction airwaves and came in with entry fee along with the licence. This has to be paid on a pro-rata basis for the remaining period of the licence. The guidelines are also liberal and pro active in the sense that they have removed the condition of a three-year lock-in period before any new spectrum can be sold. The guidelines also allow a higher 50% combined market share for the merged entity instead of the 35% proposed earlier, making it easier for bigger companies to engage in M&As.