Author Archives: Praveen Dalal

Center Of Excellence (CoE) For Internet Of Things (IoT) In India

Praveen-DalalInternet of things (IoT) is the new buzz word these days. Everybody is talking about IoT because it has great business, commercial and personal use potential. IoT combines software, hardware and a communication infrastructure so that systems/devices can contact and communicate with each other in a non intrusive and automatic manner.

Like any other technology, IoT has its own used and challenges.  For instance, IoT can be used for smart grids, smart cities,  e-health, etc and thereby reduce their cost of operation and improve their productivity. However, IoT also has civil liberties and cyber security challenges to manage. Cyber criminals have already started abusing IoT controlled devices for launching malicious cyber attacks. As the technology protocols for IoT are still evolving, it is very difficult to avoid such cyber attacks.

Similarly, on the legal framework front, IoT has yet to be suitably regulated around the world. India has no dedicated law for IoT and some guidance can be found from the Information Technology Act, 2000 (IT Act, 2000). Indian government has issued the draft IOT Policy of India (pdf) and Revised Draft IOT Policy of India (pdf) but they are not sufficient to manage the complicated techno legal issues of IoT.

IoT is essential part of Digital India project of Indian government that is already heading towards rough waters in the absence of adequate cyber security and civil liberties protections. For instance, ensuring of cyber security for smart grids and smart cities is still a distant dream for Indian government. Similarly, IoT and Smart cities have to manage civil liberties issues as well that are presently ignored by Indian government.

Perry4Law Organisation (P4LO) has launched a dedicated and exclusive techno legal centre of excellence (CoE) for Internet of things (IoT) in India. We have covered many techno legal issues there that Indian government is required to manage in near future. We have been managing these issues for long and we would discuss the same at our CoE-IoT website in more details in our subsequent posts.

P4LO would help national and international IoT stakeholders in formulation and implementation of techno legal frameworks so that adoption and use of IoT can be as smooth and hassle free as possible.

Proposed National Telecom Security Policy Of India 2014 Must Be Balanced And Constitutional

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBThe Telecom Security Policy of India 2014 was originally discussed by the Congress led Government. However, the Congress Government faced a defeat in the elections and now it is for the Narendra Modi led BJP Government to come out with a Telecom Security Policy for India. The Telecom Security Policy declared by Congress was defective on numerous counts and now we have to see what BJP led Government would do in this regard.

If we consider the media reports, the Central Government has proposed a new Telecom Security Policy of India. It has made few changes to the Policy declared by Congress Government. The National Telecom Security Policy is unlikely to include measures on standards that would protect public health and safety. The Government authorities have deleted the portion that emphasised rules regarding “public health and safety” in the revised draft of the Telecom Security Policy. The issue of radiations from mobile towers in India is a controversial one and the proposed Policy seems to be ignoring that aspect.

The proposed Policy has made it sure that Law Enforcement Agencies of India would be allowed to request interceptions and e-surveillance activities. Of course, in order to exercise this power, there is a dire need to modernise the Police force of India. Similarly, a lawful and constitutional interception law in India is also needed to make such requests immune from legal attacks. With the proposal to allow satellite based mobile services in India, a “Techno Legal Framework” must be formulated by the Government as soon as possible. Such a Legal Framework must be “Constitutionally Sound” and not just a collection of “Legal Jargon” as was done during the Congress Government time.

Recently Vodafone declared that Indian Government has been using Secret Wires to indulge in e-surveillance. This approach of Indian Government is definitely violation of Fundamental Rights of Indian Citizens. Realising the gravity of the situation, the Department of Telecommunication (DOT) has been ordered to investigate the issue. However, the stand of Narendra Modi Government regarding e-surveillance projects like Central Monitoring System (CMS) Project of India and Internet Spy System Network and Traffic Analysis System (NETRA) of India is still not clear. This would create troubles for the Government as well as for the Telecom Security Policy in the near future.

For instance, the draft Telecom Security Policy prescribes that cellular operator will mandatorily have to allow Law Enforcing Agencies to intercept calls, messages, and any other communications and the access to monitor it in real time, while keeping the communications secured. However, there is no Constitutional Lawful Interception Law in India as on date and this requirement would be a violation of Fundamental Rights of Indian Citizens.

The revised draft Policy also states that telecom service providers should endure that user data is not revealed or duplicated or copied or shared with recipients other than those designated by the sender, and should ensure that user data is not being routed outside the infrastructure within India when the end points of communication are inside Indian territory. This requirement would strengthen the Privacy Rights in India of the Indian Citizens. Privacy Rights in India in the Information Era require a totally different strategy and this provision would strengthen the same. This provision is also required to comply with the provisions of the Public Records Act, 1993.

Telcos will also be required to ensure authentication of end user, authorised access to services and attribution of activities and payloads to end users. However, this is not an easy task especially when Authorship Attribution in Transborder Cyber Crimes cases is very difficult to maintain. India is not very good at use of Cyber Forensics Practices. There is an urgent need to develop Cyber Forensics Investigation Solutions in India that are missing as on date. Indian law Enforcement Agencies must also understand that an IP Address should not be the Sole Criteria for Arrest and Conviction in India. The Cyber Forensics Trends and Developments in India (PDF) do not support the type of responsibilities attributed to Law Enforcement Agencies by the propose Telecom Security Policy. Even Regulations and Guidelines for Effective Investigation of Cyber Crimes in India are missing.

The proposed policy also directs that the attribution in the form audit, forensic and tracking mechanisms should ensure tracking of inappropriate use, criminal activities and enforcement of IT and cyber security laws of the Government. Earlier, the Government had differences with Blackberry over the encrypted message and email services the firm provides to customers. Fearing that such encrypted services can be used to plan and execute terrorist strikes, India had also threatened to ban the providers of such services if they failed to accommodate the legitimate demands of Law Enforcement Agencies.

It has been claimed that Silent Circle can provide safe, secure and encrypted electronic and wireless communications to its clients and Law Enforcement agencies may find it difficult to crack its encryption. However, we cannot effectively tackle encryption related issues till we have Encryption Policy of India (PDF) in place that must be based upon a dedicated Encryption Law of India. We also need dedicated Cyber Security Laws in India to manage cyber security relate issues. The Cyber Security Trends in India (PDF) have proved that India has a Poor Cyber Security Infrastructure. Intelligence Agencies Reforms in India must also be undertaken as soon as possible.

The proposed Telecom Security Policy of India must address all these issues in order to be “Balanced and Constitutional”. However, from media reports it is not clear whether the proposed Policy covers all these issues or not.

Telecom Commission Approves Satellite Based Mobile Services In India

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBThe Telecom Commission is an essential and core segment of Indian Department of Telecommunications (DoT). It has been playing a major role in bringing order to the chaotic telecom situation existing in India. The Commission along with the DoT manages the policy formulation, licensing, wireless spectrum management, administrative monitoring of PSUs, research and development and standardization/validation of equipment etc.

The Telecom Commission was constituted by the Government of India vide Notification dated 11th April, 1989 with administrative and financial powers of the Government of India to deal with various aspects of Telecommunications. The composition of the Commission consists of a Chairman, four full time members, who are ex-officio Secretary to the Government of India in the Department of Telecommunications and four part time members who are the Secretaries to the Government of India of the concerned Departments.

One of the areas covered by the Commission pertains to satellite based services management in India. The Satellite phones are permitted in India only with specific permission from DoT. Presently use of specific types of International Mobile Satellite Organisation (INMARSAT) terminals is only permitted as per details available under the link INMARSAT.

In a welcome move, the Telecom Commission has given the approval for introducing satellite based mobile services in India. The approval comes after a recommendation from the Telecom Regulatory Authority of India (TRAI) to introduce a regulatory mechanism to govern satellite phones. Initially, the services will be offered by Bharat Sanchar Nigam Ltd through a partnership with INMARSAT. INMARSAT provides its satellite services with a constellation of four satellites which are located in the Geo-stationary earth orbit.

Currently, in India, the satellite services of INMARSAT are used by maritime users through the Tata Communications Ltd under its international long-distance licence. Some limited numbers of users of land mobile have also been permitted by the DoT on a case-to-case basis.

Satellites provide telephone and broadcasting services, covering large geographical areas. A satellite-based communication system provides an ideal solution for connecting remote and inaccessible areas. In addition, satellite communication is widely used for the transmission of emergency traffic, such as distress and safety messages, to and from vessels at sea or remote locations.

While the INMARSAT services cater to maritime communication, the Government had envisaged satellite services, namely, Global Mobile Personal Communication by Satellite (GMPCS) in the new telecom policy 1999. Under this licence, satellite-based communication services were permitted. However, establishment of GMPCS Gateway in India by the licensee was a mandatory license condition, which dampened interest from potential investors. This required substantial financial expenditure which was not feasible to be recovered from the limited number of users.

Now the regulatory environment for telecom sector of India has changed and there is good sense in making such expenditure. The FDI Policy in telecom sector of India 2014 (PDF) is also conducive for investment purposes. Indian government has also given approval to establish two semiconductor wafer fabrication manufacturing facilities in India (PDF). This is in conformity with the policy of India government to encourage electronic system design and manufacturing in India. The new merger and acquisition (M&A) guidelines issued by Indian government is also seen as a pro active step by many telecom stakeholders. These developments would encourage establishment of GMPCS Gateway in India by the concerned licensee and widespread use of Satellite Based Mobile Services in India.

Until now, DoT was giving permission to procure the INMARSAT handsets and taking services from a foreign service provider was given to meet the requirement of paramilitary forces and disaster management. However, there are security related limitations in this arrangement.  There is a possibility of monitoring of calls outside the country as the earth station is located outside the country. In view of the above drawbacks, the Defence forces have not procured these handsets. They are continuing to use the old terminals. However, as declared by the INMARSAT, some of these old terminals will cease to be supported by their satellites from September. Thus, the decision by the Telecom Commission to permit BSNL to offer satellite services could help tide over the problems.

Indian Department Of Telecommunications Would Investigate Govt Snooping Allegations By Vodafone

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBIt is no more a secret that Governments across the world are indulging in e-surveillance and eavesdropping using technology and telecom infrastructures. India is no exception to this practice. Rather India is one of the most endemic e-surveillance nations in the world. The draconian laws like Telegraph Law and Indian Cyber Law are helping Indian government and intelligence agencies to indulge in unreasonable and unfettered e-surveillance at anytime and at any place. There is also an urgent need to bring intelligence agencies reforms in India as the intelligence infrastructure of India is in big mess.

Recently, the telecom giant Vodafone revealed existence of secret wires to facilitate e-surveillance by various Governments. It has been reported that even India has been using this service to indulge in e-surveillance. We have no constitutionally sound e-surveillance laws in India (PDF) as on date. Even e-surveillance policy of India is missing and there is a complete chaos in this regard. We have no telecom security policy of India as well that can prevent unauthorised e-surveillance and security threats against telecom infrastructure of India.

India has become notoriously infamous for her e-surveillance exercises and India cannot afford to maintain this negative image any further. This is the reason why Narendra Modi Government may be analysing the e-surveillance projects like The Central Monitoring System (CMS) Project of India and Internet Spy System Network and Traffic Analysis System (NETRA) of India.

In line of this approach, the Communications and Information Technology Minister Ravi Shankar Prasad on Tuesday said the Department of Telecommunications (DoT) would look into allegations made by Vodafone regarding use of secret wires by India along with other countries.

The Congress led Government was well known for its “Anti Constitutional and Pro Surveillance” approach. Only time would tell whether Narendra Modi led Government would continue this approach or bring order in the chaos created by the Congress led Government.

Whatever the case may be, we need to ensure civil Liberty Protection in Cyberspace for Indian Citizens “At All Costs and By All Means”. The digital life of Indian citizens is not at all safe and is open to various forms of e-surveillance and eavesdropping. In the absence of support form Indian Government, Self Defence is the only viable option left before Indian Citizens to safeguard their digital lives. The initiatives titled PRISM Break and Reset the Net are worth exploring in this regard as a “Starting Point”.

Vodafone Confirms Existence Of Secret Wires For Government E-Surveillance And Eavesdropping Worldwide

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBFrom time to time media has reported that intelligence agencies around the world are using backdoor access to computers, servers and telecom infrastructures. Special equipments and arrangements have been made to grant intelligence agencies direct access to various infrastructures so that they can indulge in e-surveillance at will.

The Central Monitoring System (CMS) Project of India and Internet Spy System Network and Traffic Analysis System (NETRA) of India are the Indian versions of this practice. This is possible as we have no dedicated privacy laws in India. There is also no need to get a court order or warrant to tap telephone in India as it is purely an “executive act”. This result in illegal phone tapping and e-surveillance activities at mass scale in India that cannot be reported or ascertained due to limitations placed under various Indian laws.

We need to repeal the laws like Information Technology Act, 2000 (IT Act 2000), Indian Telegraph Act, 1885, etc and come up with better laws so they remain Constitutional. These laws have become an instrumentality to violate Civil Liberties in Cyberspace of Indian Citizens by both our politicians and intelligence agencies of India. Further, there is an urgent need to maintain a “balance” between law enforcement requirements and civil liberties protection in India.

In United States (U.S.), James Clapper had confirmed that NSA has been targeting foreign citizens for surveillance. Radio waves and Malware have also been used by NSA for world wide e-surveillance. Malware like FinFisher are increasingly being used for global electronic spying, e-surveillance and eavesdropping. Further, GCHQ and NSA have intercepted and stored webcam images of millions of innocent Internet users.

While the White House has limited options in this regard yet courts in different States of U.S. have shown their sensitivity towards e-surveillance and privacy violation issues. In fact, U.S. government has been seeking an order from FISA court for extended storage of telephone metadata and call records.

Although this practice of intelligence agencies of various nations was well known yet no company or individual came forward for long to expose the same. Edward Snowden came forward with the largest disclosures about illegal e-surveillance by intelligence agencies around the world. Now Vodafone has made some disclosures about the dark side of e-surveillance by intelligence agencies.

Vodafone, one of the world’s largest mobile phone groups, has revealed the existence of secret wires that allow government agencies to listen to all conversations on its networks, saying they are widely used in some of the 29 countries in which it operates in Europe and beyond. The company has broken its silence on government surveillance in order to push back against the increasingly widespread use of phone and broadband networks to spy on citizens, and will publish its first Law Enforcement Disclosure Report on Friday. At 40,000 words, it is the most comprehensive survey yet of how governments monitor the conversations and whereabouts of their people. The company said wires had been connected directly to its network and those of other telecoms groups, allowing agencies to listen to or record live conversations and, in certain cases, track the whereabouts of a customer. Privacy campaigners said the revelations were a “nightmare scenario” that confirmed their worst fears on the extent of snooping.

Direct-access systems do not require warrants, and companies have no information about the identity or the number of customers targeted. Mass surveillance can happen on any telecoms network without agencies having to justify their intrusion to the companies involved. Industry sources say that in some cases, the direct-access wire, or pipe, is essentially equipment in a locked room in a network’s central data centre or in one of its local exchanges or “switches”. Government agencies can also intercept traffic on its way into a data centre, combing through conversations before routing them on to the operator.

Vodafone’s group privacy officer, Stephen Deadman, said: “These pipes exist, the direct access model exists. “We are making a call to end direct access as a means of government agencies obtaining people’s communication data. Without an official warrant, there is no external visibility. If we receive a demand we can push back against the agency. The fact that a government has to issue a piece of paper is an important constraint on how powers are used”.

Telecom Security Policy Of India 2014 And Unconstitutional E-Surveillance Issues

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBIndia literally borrows a majority of Security and Intelligence related ideas from United States (U.S.). This creates many unique problems for India. Firstly, these projects and ideas are meant for western countries and they are not at all suitable for a country like India. Secondly, if something goes wrong with the U.S. model, the “Infirmity and Irregularity” automatically creeps into Indian Projects and Initiatives as well.

In U.S., Civil Liberty Activists have started challenging U.S. Government’s E-Surveillance Projects and Policies. Even U.S. Courts have started taking a strict note of these E-Surveillance Activities of U.S. Agencies. Recently, the Massachusetts Supreme Judicial Court declared that phone users have Legitimate Expectation of Privacy while using their phones. Similarly, the Texas Appeals Court ruled that law enforcement officials do need a warrant to search an arrested person’s cell phone he/she has been jailed.  The U.S. Government is also facing many lawsuits regarding illegal and excessive gathering and retention of phone details and metadata. The White House is also facing limited and difficult options to restructure National Security Agency’s phone surveillance program.

Now let us come to India that “Dedicatedly and Blindly Follows” these U.S. Models. The Cell Site Data Location Laws in India and Privacy Issues are still ignored by Indian Law Makers. The Cell Site Location Based E-Surveillance in India is rampant “without any Regulatory Checks and Judicial Scrutiny”. We have no dedicated Data Protection and Privacy Rights Laws in India.  Even the Fifty-Second Report of Standing Committee on Information Technology (2013-14) titled Cyber Crime, Cyber Security and Right to Privacy (PDF) has slammed Indian Government for poor Privacy Laws in India. The Cyber Law of India and the Indian Telegraph Act, 1885 also deserve an “Urgent Repeal”.

India has also launched E-Surveillance and Privacy Violating Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. Even the essential E-Surveillance Policy of India is missing till now.

Now it has been reported that Indian Government plans to put in place systems and regulations that will allow Law Enforcement Agencies to trace cellular phone users and provide access to targeted communication, text messages, information data and even value added services on a real-time basis, according to the draft guidelines of the country’s Telecom Security Policy.

The Department of Telecommunication (DOT) has proposed comprehensive norms in the draft policy after the Ministry of Home Affairs expressed strong reservations since the department had not created provisions for law enforcement agencies to intercept communication.

In a version of the draft policy that addresses National Security concerns, the DOT has said that the policy would “put in place effective systems, processes and regulations to ensure the traceability of telecom users or devices in terms of identity, permanent address and current location with specified accuracy and resolution in the case of need”. India intends to deal with Telecom Security issues in an in-depth manner as the open telecom environment has made it easier to intrude on networks and cause damage to information they contain. The recent allegation of hacking by Huawei of Indian Telecom Infrastructure proves this point. India has been planning to undergo technological upgrade of border broadcast infrastructure due to Chinese broadcasts. The Telecom Commission’s cellular loop’s proposal would strengthen Mobile Based Surveillance in India on National Security Grounds.

Techno Legal Compliances like Privacy Law Compliances, Data Protection Requirements (PDF), Cloud Computing Compliances, Encryption Related Compliances, Cyber Law Due Diligence (PDF), etc are not followed by the Law Enforcement Agencies of India. The Telecom Security Policy of India must address all these issues while keeping in mind the Telecom and National Security of India. Further, India must Reconcile Civil Liberties and National Security Requirements as well.

The proposed policy also envisages providing analysis of information and data including decrypted messages, flowing through the telecom network, stored in systems and devices. Abilities of security agencies to analyse information quicker will be enhanced by making latest technology and systems available which will cut down delays and minimise information leakage.

However, security agencies will uphold privacy rights of Indian citizens, the draft norms said. This is difficult to believe as the proposed Privacy Law of India is already facing Intelligence Agencies Obstacles. Even the National Cyber Security Policy of India has failed to protect Privacy Rights in India.

A Telecom Security Directorate (TSD) has been proposed for implementing and updating the proposed Telecom Policy. Meanwhile, security certification centre for testing telecom equipment, centralised monitoring system for interception and monitoring and emergency response team for detecting and analysing cyber attacks, internet traffic hijacks and telecom sectoral frauds would be created.

DOT is of the opinion that the sector requires a separate security policy since the cybersecurity policy is not sufficient to deal with security issues specific to the telecom industry that has created critical information infrastructure.

The Government will largely depend on mobile phone companies that will implement the security instructions as a key stakeholder and also share the cost with the government. Telecom operators would have to build systems, procedures and methods to make their network resilient so that any damage has a minimum impact on the network and it can be revived quickly.

Telcos would have to share information on attacks on their networks, intrusion and frauds with Government agencies, including telecom sectoral CERT, the national CERT and the National Cyber Coordination Centre, that may monitor all web traffic passing through internet service providers in the country and issue ‘actionable alerts’ to government departments in cases of perceived security threats. Indian Government is also planning a legislation mandating strict Cyber Security Disclosure Norms in India.

These Proposals, Policies and Initiative are not only “Controversial and Unconstitutional” in nature but they are also far from being actually implemented. At the time of their implementation, they must be supported with “Constitutionally Sound Laws” to avoid “Constitutional Attacks”. Otherwise this would only increase unnecessary and unproductive litigations in India.

Electronic System Design And Manufacturing (ESDM) Policy And Regulations In India 2014

PRAVEEN-DALAL-MANAGING-PARTNER-OF-PERRY4LAW-CEO-PTLBElectronic System Design and Manufacturing in India is the upcoming field for telecom and electronics companies’ world over. The Department of Electronics and Information Technology (DeitY), India has formulated many pro active and reformative policies and strategies in this regard.

The laws, rules and regulations in India are also reformulated to accommodate the growing demands of ease of doing business in India and foreign direct investments (FDI) in Indian telecom sector. For instance, the FDI Policy in Telecom Sector of India 2014 (PDF) has allowed 100% FDI subject to FIPB approval and other national security requirements. Similarly, approval to establish two semiconductor wafer fabrication manufacturing facilities in India (PDF) has also been granted by Indian Government.

Both domestic and international telecom companies and electronic system design and manufacturing (ESDM) stakeholders must comply with national security and cyber security laws, policies and regulations of India in order to do business in India. The National Cyber Security Policy of India 2013 (NCSP 2013) was recently declared by Indian Government. Indian Government is also planning a legislation mandating strict cyber security disclosure norms in India. Indian Government is also investigating the alleged breach of national security of India by Huawei by hacking base station controller in AP.

Of late, Huawei and ZTE are in telecom security tangle of India and other nations like United States. India even made telecom security a part and parcel of its national telecom policy of India 2012. Other nations are also restricting market access to Chinese telecom equipments and India is not alone. The cyber security concerns excluded Huawei from Australian broadband project. Further, the US house intelligence committee is investigating Huawei cyber espionage angle. Media reports have also speculated that ZTE facilitated e-surveillance in Iran. Now Huawei is trying to inculcate trust among US government over telecom security issues. Companies like Huawei and ZTE are also in constant talks with other nations, including India, in this regard. More such companies can be brought under the legal and national security scrutiny in the near future.

The merger and acquisition rules and regulations in India for telecom sector of India have also been streamlined to provide a level playing field for both national and international telecom companies and ESDM stakeholders. The Guidelines for Merger and Acquisitions of Telecom Companies in India 2014 (PDF) have also been issued and many international telecom companies have shown their interest in this regard.

The estimated production of electronic products will reach USD 104 billion by the year 2020. However, the supply part would not be able to meet this demand curve as domestic companies and stakeholders alone cannot meet this demand. Thus, foreign companies and stakeholders dealing in ESDM have golden chance to capatilise this opportunity.

In fact, the Indian Government has already initiated several initiatives for the development of electronics sector in the country. The Government has recently approved National Policy on Electronics (NPE) 2012 (PDF). One of the important objectives of the NPE is to achieve a turnover of about USD 400 Billion by 2020 involving investment of about USD 100 Billion and employment to around 28 million by 2020. This interalia, includes achieving a turnover of USD 55 Billion of chip design and embedded software industry, USD 80 Billion of exports in the sector. Moreover, the policy also proposes setting up of over 200 Electronic Manufacturing Clusters. Another important objective of the policy is to significantly upscale high-end human resource creation to 2500 PhDs annually by 2020 in the sector.

Several other policy initiatives have been approved in last few months. These include providing very attractive financial investment in electronics manufacturing and providing preference to domestically manufactured electronic goods in all Government procurement as well as all those electronic goods whose use has security implications for the country.

While the opportunities are ample yet techno legal compliances cannot be ignored by both domestic and international telecom players and ESDM stakeholders. Issues like cyber security due diligence, cyber law due diligence (PDF), technology related due diligence, etc cannot be ignored by these stakeholders if they wish to do hassle free business in India.