cyber security

Structuring a National Strategy to secure Cyberspace: Solutions for India Netsecure Technology http://ww.netsecure.in

Uploaded by jvsihag, posted 09-May-2015

TRANSCRIPT

Page 1: Cyber security

Structuring a National Strategy to secure Cyberspace:

Solutions for India

Netsecure Technology http://ww.netsecure.in

Page 2: Cyber security

Part 1 - The need for a national strategy

• Examining national objectives

• Structuring a policy

• Current law in India

Part 2 – Case Study: Data Privacy and National Compliance [Challenges and Strategies]

• Data Protection legislation around the world

• European Commission Directive and the UK Act

• Data Protection model: the United States

• Balancing Privacy and Security

Page 3: Cyber security

Opportunities for India

Page 4: Cyber security

[Slide diagram, two columns of labels:]

Speed and convenience; mobile access; personalised and tailored; data mining sophistication

Loss of control; insecurity; lack of confidence; increased scepticism; low uptake of eCommerce

• Technological advances in data storage and transmission

• Globalisation of communications - the internet

• Convergence and standardisation of technologies

• Increasing importance of data processing

Page 5: Cyber security

• <Cyberspace> as introduced by William Gibson [a place governed by its own laws]: “a consensual hallucination” [William Gibson, Neuromancer]

• A contradiction? Greek <kybernetes> means ‘steersman’ of a ship

• “Law and Borders”: the ‘independent’ theory of cyberspace law [David Johnson and David Post, Stanford Law Review]

• Benkler’s layers: the physical, the code and the content [in communications theory]

• Lessig, <Code and Other Laws of Cyberspace>

Page 6: Cyber security

Securing “Indian” Cyberspace [regulations and the history of trade: towards pax mercatur]

• The basic premise: the machine or the medium

• Adaptability and enforcement of Indian law: lessons from the American experience [the DMCA prosecution of Dmitry Sklyarov and ElcomSoft, United States v. Sklyarov, brought after Adobe Systems’ complaint]

• Systematic collaboration between vendors and customers to secure interoperable government and industry enterprise information systems

• Enhance collaboration between law enforcement and industry to prevent and prosecute cyber crimes

Page 7: Cyber security

• Understanding the role of the medium: incidental [blackmail, stalking]; content [obscene or sensitive material]; integrity [unauthorised access and/or modification]

• The criminal act: discovery [detection] and analysis

• The Cybercrime Manual: fostering preparedness

• Focussing on ‘relevant’ issues and appropriate classification of offences

• Cyber forensics and the collection of evidence

• Crisis management [internal and external]

Page 8: Cyber security

• The Team [Member of the Board, Human Resources Manager, Chief Information Officer, Legal Counsel, E-Risk Management Consultant, Internet Security Expert, Cyberinsurance broker]

• Utilising and factoring security tools: digital signatures are a ‘sign of our times’

• Understanding and evaluating risks [internal and external]

• Allocating roles and responsibilities

• Structuring the audit process [examining use and abuse]

• Ten Tips:

[i] firewalls, with secure passwords;
[ii] correct installation and maintenance [the human angle];
[iii] encryption;
[iv] assign network administrators a security role;
[v] external consultants and auditors;
[vi] periodic security audits;
[vii] do not ignore ‘small company’ security needs;
[viii] limit access to the computer room;
[ix] educate employees about the dangers of social engineering;
[x] educate employees on potential threats.
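The slide names digital signatures and encryption as tools but does not show what a signature buys you: a record that anyone holding the public key can check for later modification. The following is an added example, not code from the presentation or from Netsecure Technology. It signs a constructed sample record with a Lamport one-time signature built on SHA-256 from the Python standard library, so it runs offline; in practice you would use RSA, ECDSA or Ed25519 from a vetted library, and the record fields, key layout and function names are this example's own.

```python
"""Sign an electronic record so that any later modification is detectable.

Added example (not the presentation's code). Lamport one-time signature over
SHA-256, chosen because it needs only the standard library; production systems
use RSA/ECDSA/Ed25519 from a vetted library instead.
"""
import hashlib
import json
import secrets

HASH_BITS = 256  # SHA-256 digest length: one secret pair per digest bit


def _digest_bits(message: bytes):
    """Yield the 256 bits of SHA-256(message), most significant bit first."""
    digest = hashlib.sha256(message).digest()
    for byte in digest:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def generate_keypair():
    """Private key: 256 pairs of random 32-byte secrets.
    Public key: the SHA-256 hash of each secret, in the same layout."""
    private_key = [(secrets.token_bytes(32), secrets.token_bytes(32))
                   for _ in range(HASH_BITS)]
    public_key = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest())
                  for a, b in private_key]
    return private_key, public_key


def sign(private_key, message: bytes) -> list:
    """For each digest bit reveal the matching secret. The key is ONE-TIME:
    signing a second message with it reveals more secrets and lets an
    attacker forge signatures on messages whose digests mix the two."""
    return [private_key[i][bit] for i, bit in enumerate(_digest_bits(message))]


def verify(public_key, message: bytes, signature: list) -> bool:
    """Recompute the digest and check every revealed secret hashes to the
    published value for that bit. Any changed bit of the digest selects the
    other element of the pair, so a modified record fails."""
    if len(signature) != HASH_BITS:
        return False
    for i, bit in enumerate(_digest_bits(message)):
        if hashlib.sha256(signature[i]).digest() != public_key[i][bit]:
            return False
    return True


def canonical(record: dict) -> bytes:
    """Serialise deterministically so signer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


# Constructed sample record (hypothetical fields, not from the presentation).
RECORD = {"record_id": "INV-0001", "payee": "A. Example",
          "amount_inr": 25000, "date": "2002-03-01"}


def demo():
    """Sign RECORD, then alter one field and re-verify.
    Returns (original_verifies, tampered_verifies)."""
    private_key, public_key = generate_keypair()
    signature = sign(private_key, canonical(RECORD))
    tampered = dict(RECORD, amount_inr=250000)
    return (verify(public_key, canonical(RECORD), signature),
            verify(public_key, canonical(tampered), signature))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The verifier holds only public hashes, so it can check the record without being able to sign anything itself; that separation is what gives a signature its evidential value in a dispute. The signature is as large as the key (256 x 32 bytes) and the key must never be reused, which is why the scheme is a teaching example and not the one the IT Act's certifying authorities issue certificates for.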

Page 9: Cyber security

• A training process for law enforcement

• The basics: the “machine” and the “medium”. What is a cybercrime?

• Develop programs that promote a culture of security within and across enterprises, including corporate governance, integration of physical and cyber security, and cyber ethics from school to the office

• Engage with industry, academia and government in both countries to foster research and development and collaborative education efforts in information security

Page 10: Cyber security

• Stake your territory: the applicable law

• Have the final say: the invitation to treat

• On your own terms

• Is it secure?

• The customer is always right! Privacy policy and data protection

• Protecting your brand: domain names and trademarks in general

• The copyright ‘catch’

• Chat online [Bulletin Board / Service Provider Liability]

Page 11: Cyber security

Data Privacy and Indian Law

Page 12: Cyber security

A fundamental human right: the right of the individual to be let alone

• Information Privacy (data protection) - personal data

• Bodily privacy - invasive procedures - search, drug testing; genetic testing; etc

• Communications Privacy - mail, telephone, e-mail etc

• Territorial privacy - domestic privacy; CCTV; ID checks etc

“Public” aspects - surveillance, police powers and national security

“Private” aspects - commercial use of data

Page 13: Cyber security

Overview - major International and US regulations

1948 UN Universal Declaration of Human Rights

1970 US Fair Credit Reporting Act

1974 US Privacy Act

1976 International Covenant on Civil and Political Rights

1980 OECD Guidelines on Protection of Privacy

1980 US Privacy Protection Act

1994 US Communications Assistance to Law Enforcement Act

1995 European Commission Directive on Data Protection

1996 US Health Insurance Portability and Accountability Act

1998 US Children's Online Privacy Protection Act

1998 European Member States implement Directive

1999 US Financial Services Modernization Act

[Slide axis labels: HUMAN RIGHTS at one end, BUSINESS ISSUES at the other]

Page 14: Cyber security

There is no general privacy or data protection law in India; such protection as exists comes from:

• Constitution Article 21

Right to life and liberty, interpreted by Supreme Court as including the “right to be let alone”

• International Covenant on Civil and Political Rights 1966 Article 17:

No one shall be subject to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

• Law of privacy (Tort Law) – Action for unlawful invasion of privacy

Page 15: Cyber security

Information Technology Act 2000

• Section 43 (a)

Civil penalty (compensation to the person affected) for accessing, or securing access to, a computer, computer system or computer network without the permission of its owner or person in charge

• Section 43 (b)

Civil penalty for downloading, copying or extracting any data or information from such a system without permission

• Section 72

Offence of breach of confidentiality and privacy: any person who has secured access to any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned, discloses it to another person; punishable with imprisonment of up to two years, a fine of up to one lakh rupees, or both. Note the limitation: the section applies only to persons who obtained that access in pursuance of powers conferred under the Act, so it is not a general privacy provision.

Page 16: Cyber security

• Public Financial Institutions Act of 1993 codifies confidentiality of bank transactions

• ISPs prohibited from violating privacy rights of subscribers by virtue of the licence to operate granted by the Department of Telecommunications

• A general data protection law in India?

The National Task Force on IT and Software Development (1998) submitted an “IT Action Plan” calling for a “National Policy on Information Security, Privacy and Data Protection Act for handling of computerised data”, but no Act has been introduced to date

Page 17: Cyber security

Data Protection Worldwide

Page 18: Cyber security

[Slide: list of every country and territory from Afghanistan to Zimbabwe; the only annotation is on the United States, marked “(safe harbor)”]

Page 19: Cyber security

Country: Act, in force

South Korea: eCommerce Act, in force January 1999

New Zealand: Privacy Act, in force 1 July 1993

United States (includes): Cable Communications Policy Act 1984; Video Privacy Protection Act 1988; Children's Online Privacy Protection Act 1998, in force 21 April 2000; Health Insurance Portability and Accountability Act, in force 14 April 2001; Gramm-Leach-Bliley (Financial Services Modernization) Act, in force 1 July 2001; ‘general’ Act under consideration

Finland: Personal Data Protection Act, in force 1 June 1999

Denmark: Act on Processing of Personal Data, in force 1 July 2000

Luxembourg: -

Netherlands: Personal Data Protection Act, in force 1 Sep 2001

Greece: Protection of Individuals with regard to the Processing of Personal Data, in force 10 April 1997

Ireland: -

Eastern Europe: Estonia (1996), Poland (1998), Slovak Republic (1998), Slovenia (1999), Hungary (1999), Czech Republic (2000), Latvia (2000), Lithuania (2000)

Portugal: Personal Data Protection Act, in force 27 October 1998

Spain: Data Protection Act, in force 13 January 2000

Canada: Personal Information Protection and Electronic Documents Act (PIPEDA), commenced 1 Jan 2001

United Kingdom: Data Protection Act, in force 1 March 2000

France: -

Australia: Privacy Act, in force 21 Dec 2001

Sweden: Personal Data Act, in force 24 October 1998

Belgium: Data Protection Act, in force 1 Sep 2001

Norway: Personal D Reg Act, in force 14 April 2000

Italy: Data Protection Act, in force 8 May 1997

Austria: Data Protection Act, in force 1 January 2000

Germany: Data Protection Act, in force 23 May 2001

Switzerland: Data Protection Act, in force 1 June 1999

Taiwan: Computer-Processed Personal Data Protection Law, in force 11 August 1995

Hong Kong: Personal Data (Privacy) Ordinance, in force 20 Dec 1996

Mexico: eCommerce Act, in force 7 June 2000

Page 20: Cyber security

Data Protection in Europe

Page 21: Cyber security

• Directive 95/46/EC (the EU Data Protection Directive)

• Now implemented in almost all Member States

e.g. UK:

previously - UK Data Protection Act 1984

now - UK Data Protection Act 1998 (in force March 2000) (“DPA”)

Page 22: Cyber security

1. Personal data must be processed fairly and lawfully

2. Personal data must be collected and used only for notified purposes.

3. Personal data must be adequate, relevant and not excessive.

4. Personal data must be accurate and, where necessary, kept up-to-date.

5. Personal data must only be retained for as long as is necessary to carry out the purposes for which it is collected.

6. Personal data must be processed in accordance with the rights of data subjects as set out under the 1998 Act.

Page 23: Cyber security

7. Appropriate technical and organisational measures must be in place to protect against unauthorised access, amendment or loss of personal data. There must be a contractual obligation, in writing, upon any data processor to comply with the relevant legislation and to ensure that such measures have been put in place.

8. Personal information must not be transferred out of the European Economic Area ("EEA") unless the receiving country ensures "an adequate level of protection" for the rights and freedoms of the data subjects vis-à-vis the processing of personal data.

Page 24: Cyber security

The Eighth Principle

Personal information must not be transferred out of the European Economic Area ("EEA") unless the receiving country ensures "an adequate level of protection" for the rights and freedoms of the data subjects vis-à-vis the processing of personal data.

Page 25: Cyber security

Even where the receiving country has not been granted adequacy status, a data controller can nevertheless conclude that there is adequate protection in respect of a particular transfer if there is sufficient protection for the individual data subjects, having regard to:

- the nature of the data being transferred;

- the purposes of the processing;

- the security measures in place;

- the individuals’ rights to redress if things go wrong.

Note: all of these could be covered in a Seventh-Principle type contract with the recipient.

Page 26: Cyber security

Data Protection in the USA

Page 27: Cyber security

United States (Federal):

Fair Credit Reporting Act 1970
Privacy Act 1974
Family Educational Rights and Privacy Act 1974
Cable TV Privacy Act 1974
Right to Financial Privacy Act 1978
Privacy Protection Act 1980
Cable Communications Policy Act 1984
Electronic Communications Privacy Act 1986
Video Privacy Protection Act 1988
Employee Polygraph Protection Act 1988
Telephone Consumer Protection Act 1991
Driver’s Privacy Protection Act 1994
Communications Assistance to Law Enforcement Act 1994
Health Insurance Portability and Accountability Act 1996
Children's Online Privacy Protection Act 1998
Deceptive Mail Prevention and Enforcement Act 1999
Financial Services Modernization Act 1999
‘General’ Act: under consideration?

Safe Harbor In effect 2001

• Self certified compliance with ‘adequate’ principles

• Regulatory enforcement of trade practices legislation

Page 28: Cyber security

However, at the time of this presentation only 356 companies in the whole of the United States have current Safe Harbor registrations.

This raises questions as to the credibility of the Safe Harbor regime.

Safe Harbor also only addresses transfers of personal data from the EU to US organisations; it does not offer comprehensive protection for US citizens.

Page 29: Cyber security

Antiterrorism Acts:

• USA: <the Patriot Act>, 26 October 2001

• Canada: 16 October 2001

• India: <Prevention of Terrorism Act>

Provisions:

• easier to use electronic surveillance

• continue and clarify the mandate of law enforcement to collect foreign communications

• requires individuals who have information related to terrorist groups to appear before a judge to provide that information

• extending the DNA data bank to include terrorist crimes

Issues: enhanced investigative powers; will governments enforce privacy laws? US, Canada, UK, EU, Australia

Thoughts: data protection enforcement is generally complaint based; the public continually stress privacy concerns; good privacy is good business; erosion of privacy is a win for terrorism

Page 30: Cyber security

The Best Solution?

Page 31: Cyber security

• Comprehensive Laws governing collection, use and dissemination of personal data

• Sectoral laws - piecemeal rules for particular industries, types of information or technologies - piecemeal protection

• Self-regulation - e.g. Safe Harbor - mostly disappointing to date

• Technological solutions - physical and logical security, encryption, etc. - must be combined with legislative protections, since technology alone does not constrain the controller who lawfully holds the data

Page 32: Cyber security

• To remedy past injustices (e.g. Central Europe, South America, South Africa)

• To create confidence and promote the e-commerce, m-commerce, IT-enabled services (ITES) and bioinformatics sectors

• To remove barriers to data transfers from Europe, by ensuring India is granted “adequate” status

• To ensure enforceability, through a central oversight agency

• Because effectiveness of self-regulation is limited

• Because State governments are already recognising need and considering own data protection legislation

Page 34: Cyber security

Technology, Media and Communications