India’s National Cyber-Security Policy: preliminary comments

We often forget how vulnerable the World Wide Web leaves us. If walls of code prevent us from entering each other’s systems and networks, there are those who can easily pick their way past them or disable essential digital platforms. We are reminded of this by the doings of Anonymous, which carried out a series of attacks, including on the website run by Computer Emergency Response Team India (CERT-In), which is the government agency in charge of cyber-security. Even more serious are cyber-attacks (arguably cyber warfare) carried out by other states, using digital weapons such as Stuxnet, the digital worm. More proximate and personal are perhaps the phishing attacks, which are on the rise.

It is therefore a great risk we run if we leave air-traffic control, defense resources or databases containing several citizens’ personal data vulnerable. It follows that efforts towards better cyber-security are needed. The cyber-security policy is meant to address this need, and to help manage threats to individuals, businesses and government agencies. However, the manner in which the government handles cyber-security must be examined carefully, both to see whether it will be effective and to ensure that it does not have too many negative spillovers.

It is important to bear in mind that the National Cyber-Security Policy is merely a statement of intention in broad terms. Much of the real impact will be ascertainable only after the language to be used in the law is available. The scope of the policy remains ambiguous so far, leading to much speculation about the different ways in which it might be intrusive.

One Size Fits All?

The policy covers very different kinds of entities: government agencies, private companies or businesses, non-governmental entities and individual users. These entities may need to be handled differently depending on their nature. Therefore, while direct state action may be most appropriate to secure government agencies’ networks, it may be less appropriate in the context of purely private business. For example, securing police records would involve the government directly purchasing or developing sufficiently secure technology. However, different private businesses and non-governmental entities may be left to manage their own security: depending on the size of each entity, each may be differently placed to acquire sophisticated security systems. A good policy would encourage innovation by those with the capacity to do this, while ensuring that others have access to reasonably sound technology, and that they use it. Grey areas might emerge in contexts where a private party manages critical infrastructure.

It will also be important to distinguish between smaller and larger organisations whilst creating obligations. Unless this distinction is made at the implementation stage, start-up businesses and civil society organisations may find requirements such as earmarking a budget for cyber security implementation or appointing a Chief Information Security Officer onerous. Additionally, the policy will need to translate into a regulatory solution that provides under-resourced entities with ready solutions to enable them to make their information systems secure, while encouraging larger entities with greater purchasing power to invest in procuring the best possible solutions.

Race to the Top

Security on the Internet works only if it stays one step ahead of the people trying to break in. An effective cyber-security policy must keep up with the rapid evolution of technology, and must never become obsolete. The standard-setting and review bodies will therefore need to be very nimble.

The policy contemplates working with industry and supporting academic research and development to achieve this. However, the actual manner in which resources are distributed and progress is monitored may make the crucial difference between a waste of public funds and acquisition of capacity to achieve a reasonable degree of cyber security.

Additionally the flow of public funds under this policy, particularly to purchase technology, should be examined very carefully to see whether it is justified. For example, if the government chooses to fund (even by way of subsidy) a private company’s cyber-security research and development rather than an equivalent public university’s, this decision should be scrutinized to see whether it was necessary. Similarly, if extensive public funds are spent training young people as a capacity-building exercise, we should watch to see how many of these people stay in India and how many leave such that other countries end up benefiting from the Indian government’s investment in them.

Investigation of Security Threats

Although much of the policy focuses on defensive measures that can be taken against security breaches, this policy is intended not only to cover investigation subsequent to an attack but also to pinpoint ‘potential cyber threats’ so that proactive action may be taken. A ‘Cyber Crisis Management Plan’ is also contemplated, to handle incidents that impact ‘critical national processes or endanger public safety and security of the nation’.

This portion of the policy will need to be watched closely to ensure that the language used is very narrow and allows absolutely no scope for misinterpretation or misuse that would affect citizens’ rights in any manner.  This caution will be necessary both in view of the manner in which restraints on freedom of speech permitted in the interests of public safety have been flagrantly abused, and because of the kind of paternalistic state intrusion that might be conceived to give effect to this.

Additionally, since the policy also mentions information sharing with internal and international security, defence, law enforcement and other such agencies, it will also be important to find out the exact nature of information to be shared.


Many of the details of this policy will only become clear as the terms governing its various parts emerge. It is to be hoped that the parts of it requiring internal direct action to ensure the government agencies’ information networks are secure are already well underway.

It is also to be hoped that the government chooses to take implementation of privacy rights at least as seriously as cyber-security. If some parts of cyber security involve ensuring that user data is protected, the decision about what data needs protection will be important to this exercise.

Additionally, although the policy discusses various enabling and standard-setting measures, it does not discuss the punitive consequences of failure to take reasonable steps to safeguard individuals’ personal data online. These consequences will also presumably form a part of the privacy policy, and should be put in place as early as possible.

Cross-posted from the Free Speech Hub at the Hoot


News Post: 22 January, 2013

  • Speaking at a conference organized by the Institute of Mass Communication, the Chairman of the Press Council repeated his well known stance that Indian media should be subject to external forms of regulation (see here and here). This comes in sharp contrast to views of government officials who still seem to favour self-regulatory models for the media.
  • The Observer Research Foundation recently organized a conference in New Delhi dealing with the question “Media regulation: Is status quo the answer”. Participants were in agreement that regulatory dialogue around the media must also pay closer attention to regional and local media. A brief account of the conference can be seen here and here. Pictures of the event may be viewed here.
  • The Ministry of Information and Broadcasting has sought the opinion of the Telecom Regulatory Authority of India (TRAI) regarding issues surrounding the ongoing digitization process, and the functioning of Multi-system Operators (MSO’s) and Local Cable Operators (LCO’s) (see here and here).
  • The Ministry of Information and Broadcasting has recently banned certain private T.V. Channels for broadcasting explicit material that was allegedly in violation of broadcasting guidelines.

News Post: January 13, 2013

  • A fact finding team of the Press Council of India has claimed that there were rampant instances of paid news during the recently concluded Gujarat State Election. The news reports indicate that the formal report is still being finalized, and will be submitted to the Election Commission of India upon completion.
  • In light of the approaching general elections in 2014, the Press Council of India has taken suo motu cognizance of the issue of paid news. It had constituted a committee to draft fresh guidelines for journalists and media organizations (see here and here).
  • On January 8, the magistrate currently hearing the trial of the 5 accused in the Delhi gang rape case ordered an in camera trial, citing security reasons. Journalists have approached the Delhi High Court against this order, claiming their fundamental right to report on these judicial proceedings. The High Court has issued notice to the relevant police authorities and stated that a delicate balance between a fair trial and free speech rights would have to be struck in this case (see here and here).
  • The Government is proposing that all electronic hardware be accompanied with a security manual, in order to improve cyber security.

2nd NLSIR Public Law Symposium on Delimiting Media Freedoms: Some Reflections

[I recently had the pleasure of attending a conference organized by the National Law School, Bangalore on Delimiting Media Rights. The conference was structured along two panels – one dealing with privacy issues involved in media reporting and the second dealing with regulation of media reporting of judicial proceedings. The following post is not a summary of the deliberations, but merely a brief discussion of some of the observations of the speakers that stood out in my mind. Readers are welcome to point out any mistakes.]

The conference began with a speech by Justice Muralidhar of the Delhi High Court. Justice Muralidhar is celebrated for his strong commitment to human rights and most notably his agreement with Justice A.P. Shah in decriminalizing consensual homosexuality in Naz Foundation v. N.C.T Delhi. Justice Muralidhar began his discussion on privacy by stating that he viewed privacy rights as a means of enforcing personal dignity, whether in a personal space, decisions or relationships. He also correctly drew attention to the historical fact that privacy jurisprudence took root very modestly through a dissent in Kharak Singh, which was later read into Article 21 of the Constitution. He was also candid in stating that legal responses to privacy violations are mostly reactive, instead of deliberating these issues before egregious violations actually take place. A consequence of this delayed manner of thinking about and enforcing privacy rights was a disjoint and underdeveloped understanding of privacy.

Ms. Geetha Seshu (a journalist with the media watchdog organization The Hoot) provided an insight on the relationship between privacy rights and journalistic practices. She stated that journalists in the 1980’s and 1990’s had no conscious awareness of privacy rights, and as a result would often compromise the identity of vulnerable people or communities. She also acknowledged that some media organizations have recently begun to be sensitive towards privacy interests, but on the whole, journalists remain ignorant about privacy rights. She attributed this to two broad causative factors. First, she stated that journalists are under immense pressure from editors to capture the news with the greatest detail and in the least amount of time. This professional obligation to “get the story first” in large part clarifies the reason why journalists often violate the privacy of the subjects they report on. Furthermore, she stated that employment conditions of journalists are extremely adverse, in that most journalists are not hired permanently but are mostly engaged on a contract basis. Second, she was very critical of the Press Council of India and its complete failure in developing robust guidelines for journalists and lacking any real authority to impose any sanctions on erring journalists or media organizations.

Mr. Apar Gupta (a Delhi-based lawyer and blogger about law and technology issues) spoke on the second panel dealing with regulation of media reporting of judicial proceedings. He dealt primarily with the recent decision of the Supreme Court in Sahara v. SEBI (popularly known as the media guidelines judgment). He was critical of the opinion and characterized it as vague, unsubstantiated and unnecessary. According to Mr. Gupta, the vagueness in the judgment permeated not only the reasoning (by virtue of loose references to principles of proportionality and necessity) but also the final remedy of this opinion. He also stressed that the judgment is not a welcome development, as it does not provide adequate safeguards against the option of prior restraint through a postponement order, and may lead to unconstitutional regulation of speech. His final critique related to the normative justification for the opinion, as it was unclear whether the central concern of the judges was contempt of court or whether it was concerns of a fair trial. If the concern was contempt of court, this decision was completely unnecessary since the Contempt of Courts Act already provides for civil and criminal remedies. Mr. Gupta concluded by noting that although the decision has been characterized as a restatement of law as laid down in Mirajkar, there was one significant difference. The Sahara judgment unlike Mirajkar created a writ remedy for prejudicial reports of judicial proceedings. In doing so, the judgment created a questionable exception to the procedure as contemplated under the Contempt of Courts

News Post: January 8, 2013

  • The Government of West Bengal is considering appointing a private agency to carry out its surveillance functions in respect of media reports of the government appearing in all forms of media, including social media. The agency would be expected to submit daily reports to the Chief Minister. This disturbing move comes after the government has charged several political dissenters with claims of sedition and Section 66A of the IT Act.
  • In what could be the most serious privacy right violation, the Government of India is planning to compile a database of people convicted of the offence of rape on government websites (see here and here). This proposal comes in relation to the recent incidents of aggravated sexual assault in New Delhi.
  • More than 500 independent Internet Service Providers who had been granted licenses have returned their licenses and shut down their businesses. Experts believe the reason for this is poor government policies resulting in high prices.
  • In a welcome move, the Telecom Regulatory Authority of India (TRAI) has recently recommended that the government should not be involved in either setting up or distributing T.V. Channels. The report cites free speech issues as a reason for non-involvement of the government in T.V. broadcasting. The original report can be accessed here.

The Journey of Online Censorship: A recent timeline of Section 66A

[Section 66A of the IT Act, 2000 has been widely discussed and debated owing to a spate of recent events. The provision is clearly problematic, and is currently being challenged in two High Courts and the Supreme Court. In order to provide context to the ongoing commentary on the issue, I have listed below a series of events concerning Section 66A. I apologize for the descriptive nature of this post, but hope that this information can inspire more enlightened conversations about the many problems with the IT Act and manner in which the state seeks to control online speech. If readers find any discrepancies in the details or dates, please feel free to leave a comment. The details listed below are not exhaustive, and are merely illustrative instances which have brought the Section into public scrutiny.]

September 10, 2012 – Cartoonist Aseem Trivedi is arrested on sedition charges along with 66A, for allegedly posting objectionable content on his website. The arrest has been made pursuant to a private complaint by a lawyer.

October 31, 2012 – An industrialist in Puducherry is arrested under Section 66A for comments on twitter against the son of Union Home Minister P. Chidambaram.

November 9, 2012 – The Constitutional validity of the Section 66A is challenged before the Madurai bench of the Madras High Court.

November 19, 2012 – Two girls are arrested in Palghar, Maharashtra for questioning the shut down of the city after the death of Bal Thackeray under Section 66A of the IT Act and Section 295 of the Indian Penal Code.

November 20, 2012 – The Chairman of the Press Council of India, writes to the Maharashtra Chief Minister questioning the legal validity of the arrest of the two girls under Section 66A. The letter(s) may be accessed here.

November 21, 2012 – The division bench of the Madras High Court issues notice to the State in the pending PIL concerning Section 66A.

November 21, 2012 – A division bench of the Lucknow High Court accepts a PIL questioning the constitutional validity of Section 66A.

November 23, 2012 – Two Air India employees have been detained under Section 66A for offensive content posted on a Facebook group against certain Congress leaders.

November 29, 2012 – A Supreme Court bench consisting of the Chief Justice of India Altamas Kabir and Justice Jasti Chelameswar accepts a PIL questioning the validity of Section 66A.

November 29, 2012 – Union Telecom and IT Minister Kapil Sibal issued guidelines for the better enforcement of Section 66A. Under these new guidelines cases under Section 66(A) can only be registered if prior approval has been sought by DCP rank officers in urban areas and IG rank officials in rural areas.

November 30, 2012 – The cyber hacktivist group Anonymous hacks Union Minister Kapil Sibal’s website in protest over the misuse of Section 66A.

November 30, 2012 – The Supreme Court seeks the opinion of the Attorney General regarding the status of Section 66A. Mr. Vahanvati reiterates the need for retaining the provision, while indicating the government’s intention to enforce the relevant guidelines for more tailored implementation. The court issues notices to the Centre, Maharashtra, Puducherry, Delhi, Tamil Nadu and West Bengal.

December 8, 2012 – A 20 year old man was arrested in Rourkela for uploading communally sensitive pictures on his Facebook account. Officials claim that the picture, which contained a Hindu god atop a mosque, was allegedly uploaded on the anniversary of the Babri Masjid demolition.

December 14, 2012 – The cyber hacktivist group Anonymous defaces the BSNL website in protest over the misuse of Section 66A. They have uploaded images of cartoonist Aseem Trivedi, drawing attention to his imprisonment earlier this year.

December 14, 2012 – The issue of the misuse of Section 66A by state governments was raised in Rajya Sabha, with members urging a reconsideration of the provision. Some members of Parliament also directly questioned the constitutional validity of Section 66A and demanded its suitable amendment. In response to these concerns the Union Minister for Telecom and IT has suggested advisory guidelines for the implementation of Section 66A to circumvent misuse by state governments.

December 15, 2012 – Cartoonist Aseem Trivedi ends his 8 day fast against Section 66A in Delhi.

December 18, 2012 – The Maharashtra Police drop all charges against the women who were arrested in Palghar after their Facebook comments. A closure report has also been filed before the magistrate.

Thursday, November 16, 2012

  • November 16 is celebrated as National Press Day in India. At a conference organized by the Press Council of India, the Prime Minister was quoted as favoring self regulation of the media as opposed to any form of state censorship. Speaking at the same meeting, Congress Member of Parliament Manish Tewari spoke about the delicate balance involved in maintaining the freedom of the press.
  • As reported earlier the full report of the Group of Experts on Privacy is available here. Useful summaries of the report can be read here and here.
  • The Google India Transparency Report has been published and is available here.
  • Google India has apparently been fined by the Income Tax Department, for improper accounting standards resulting in reporting of deflated income.