AS home to the world’s second largest Internet user base, India is fertile ground for both victims and perpetrators of malicious cyber activity. Diversity is an overused word in descriptions of India, and yet appears apt when describing the country’s cyber landscape. It describes the users themselves, but also their means of Internet access and the range of activities they conduct online. For everything from banking to dating, Indians are turning to desktops, laptops, tablets and, of course, mobile phones, which connect them not only to other Indians, and Indian businesses and services, but those based around the world.

The goal of ‘going digital’ – increasing access and internet penetration, creating digital identities, building smart cities and developing interconnected machine and human networks – has sometimes left security agencies and cyber policies bobbing in its wake. The unbridled growth of the Internet is complicated for law enforcement agencies by the advancement of technology and the international character of the ‘network of networks’.

The range of abuses facilitated by the Internet includes the relatively innocuous (the streaming of online content) and the potentially calamitous (attacks on critical infrastructure). Regardless of the intent behind or actual outcome of these activities, it is clear that they are on the rise.

The National Crime Records Bureau (NCRB) under the Ministry of Home Affairs (MHA) has published an annual report on crime statistics in the country since 1953. Not long after the introduction of the Information Technology Act, 2000, the NCRB annual statistics report acquired a new chapter on cyber crimes. It records offences under the IT Act, the Indian Penal Code (IPC) and a smaller percentage of offences under other legislation like the Copyright Act, 1957. The latest edition of the NCRB statistics report shows that nearly 12,000 cyber crimes were reported across the country in 2015, an increase of just over 20% from the year before.¹ In 2002, when the chapter on cyber crimes was added, there were only around 800 cyber crimes reported, of which less than 10% were recorded under the IT Act.²

Similar increases in activity can be found in the annual reports of the Indian Computer Emergency Response Team (CERT-In). The number of ‘security incidents’ handled by the team in 2015 was 49,455³ – which is nearly five thousand more incidents than in 2014.⁴ In the year CERT-In was formed, the number of incidents handled was a paltry 23.⁵

 

An explosion in the number of Internet users is one way to explain the increase in cyber crimes and security incidents. In 2000 when the IT Act became law, only 0.5% of India’s population was online. By the time CERT-In was created in 2004, that percentage had increased to nearly two. Today the more generous estimates suggest that around 25% of India’s population uses the internet in some form.⁶ With India’s population of over a billion, a huge number of users are online by any estimate. Consider then that many users lack even basic cyber hygiene and that the scope, scale and number of cyber crimes are increasing worldwide⁷ and the statistics from CERT-In and the NCRB are unsurprising.

Not all wrongs committed on or facilitated by the Internet necessarily create thorny jurisdictional problems. In the NCRB statistics, more than half of all the crimes registered under the IT Act were ‘computer related offences’ under the now defunct Section 66A.⁸ The Supreme Court struck down that section of the act in early 2015 when it was judged to be adversely affecting the rights of Indian citizens to freely express themselves.⁹ The most prominent cases registered under Section 66A were by Indians against other Indians in India.

 

So what crimes are international in character? By far the most common type of offences in the NCRB statistics, both under the IT Act and the IPC, are fraud related. These include cheating, identity theft and impersonation. The bulk of incidents reported to CERT-In were spam incidents or website defacements. Anecdotal evidence, at least, suggests that many of these cases originate abroad. The most popular example may be the mythical Nigerian prince, notorious perpetrator of advance fee fraud. When Indian government websites are defaced or otherwise tampered with, many assume that unfriendly elements from just across India’s borders are responsible – quite possibly aided and supported by government agencies. Unfortunately, statistics back up some of these assumptions.

From the beginning of 2016, India has been in the top five countries by percentage of users affected by phishing and fraud.¹⁰ India is also one of the top five countries listed as sources of spam. This suggests that fraudulent cyber activities and spam are a key challenge for law enforcement and cyber security agencies in India. Attacks tracked by CERT-In have been attributed to users across five continents.¹¹

 

Individuals who are victims of cyber crimes that fall under provisions of either the IT Act or the IPC can turn to the cyber cells of their local or state police departments and/or directly report incidents to the emergency response team. The concerned department then faces the challenge of tracing the crime back to its source, a task that can be complicated by relatively simple technological developments; the use of temporary email servers to send phishing emails before being erased and the spoofing of internet protocol addresses to hide a user’s location are two such examples.

Between local police departments and the CERT lie many other Indian agencies which can become involved in cyber investigations. Critical infrastructure has its own nodal agency, the National Critical Information Infrastructure Protection Centre (NCIIPC), research is conducted by the Centre for Development of Advanced Computing (CDAC), and there are plans to establish a National Cyber Crime Coordination Centre.

The question of jurisdiction to investigate and prosecute cyber crimes is one that endures. Normal Internet traffic can be routed through several different countries, and many of the advantages and opportunities provided by the Internet exist because it is a global network. The spread of the Internet has allowed corporations to become multinational, and users to enjoy services they might not otherwise be able to in their home countries. The uses of the Internet – both good and bad – continue to expand, and the laws and mechanisms used by investigating agencies have to play catch-up.

 

Establishing jurisdiction over cyber cases may not seem like a simple prospect. There is no map of the Internet with territory demarcated by country. However, if the victim or perpetrator of a cyber offence resides within the territory of a particular country, that is sufficient to at least begin an investigation. The obstacles emerge when the investigation has to move beyond a country’s borders, particularly when time-sensitivity is a concern, as it often is with cyber cases.

The basic starting point for law enforcement agencies seeking information from their counterparts abroad is the mutual legal assistance treaty (MLAT). These agreements between governments are meant to make cross-border investigations easier by formalizing requests for intelligence and evidence and channelling them to the right agencies. Data from the CBI shows that India has signed MLATs with nearly 40 countries.¹² Between India and the United States of America, requests for information through the MLAT system take more than three years to come through,¹³ which means the waiting time could be even longer for ‘less efficient’ countries.

Growing Internet activity in India suggests that the number of multiple jurisdiction cases will increase, and with them requests for data stored outside India. An understanding of the correct MLA procedures is, therefore, critical for all law enforcement agencies in the country. Officers with agencies like the CBI already have access to networks of their counterparts around the world, in addition to relationships established as part of India’s membership of Interpol. These informal arrangements can be used for intelligence sharing, but for the execution of warrants and gathering of evidence, a more rigorous process has to be followed.

 

Depending on whether the request for information pertains to a criminal or civil matter, the nodal ministry in India is the MHA or the Ministry of Law and Justice, respectively. As may be expected in cases with an international character, the Ministry of External Affairs can also become involved.¹⁴ Indeed, the use of diplomatic channels can be one way to speed up a process which might otherwise be mired in bureaucracy for extended periods of time.

Most MLATs work around the principle of reciprocity, with signatories broadly agreeing to respect the judicial processes of others. Investigating agents must obtain a court order in India, which is then sent to the MHA to be processed further and sent abroad as appropriate. Acknowledging the time involved in the process, the MHA has in the past issued guidelines for streamlining mutual legal assistance requests. MLAT signatory countries are bound to ‘consider serving’ legal documents received by them from other signatories. Non-signatory countries may consider doing so, but are not in any way bound to.¹⁵

 

Bilateral agreements like MLATs can be tailored to suit India’s needs depending on its level of cooperation and areas of mutual interest with other countries. Many of the popular Internet services used by Indians are headquartered in the USA, heightening the importance of the India-US bilateral relationship on cyber issues. The recently concluded Framework for the US-India Cyber Relationship mentions the MLA process explicitly as one of the main areas of cooperation for the two countries.¹⁶ Specific steps to be undertaken include:

* Improving the capacity of law enforcement agencies through joint training programmes, including equipping them to draft appropriate requests for electronic evidence in accordance with the respective laws and regulations of the United States and India.

* Continuing to promote cooperation between law enforcement agencies to combat cyber crime including through training workshops, enhancing dialogue and processes and procedures, and setting up consultations as needed.

* Undertaking skill development and capacity building programmes jointly in the fields of cyber security, efforts to combat cyber crime, digital forensics, and legal frameworks.

* Sharing information on a real time or near real time basis, when practical and consistent with existing bilateral arrangements, about malicious cyber security threats, attacks and activities, and establishing appropriate mechanisms to improve such information sharing.

* Committing to voluntary norms under which a state should cooperate, in a manner consistent with its domestic law and international obligations, with requests for assistance from other states in investigating cyber crimes, collecting electronic evidence and mitigating malicious cyber activity emanating from its territory.

 

An additional goal for India could be to emulate the agreement that the US is finalizing with the United Kingdom, which would allow UK law enforcement agencies to request data from companies directly, bypassing the MLAT regime.¹⁷ Indian law enforcement agencies can already make requests directly to US companies for certain types of information, namely metadata.¹⁸ However, there is no obligation upon the companies to share data. Requests for content data are more sensitive, and require a government to government approach. Differing standards around the protection and use of personal data are one reason for this sensitivity. A treaty making such direct cooperation part of Indian and US law could potentially remove a significant roadblock to cyber crime investigation.

India does not currently have a separate treaty that regulates data sharing for commercial or legal purposes. Something similar to the agreement between the European Union and the US – the Privacy Shield – could also help in these matters by setting out clearly how and when user data can be accessed and used.¹⁹

 

Complicating matters is India’s stance on data localization. For a variety of reasons, from promoting local content to protecting user data, India has from time to time supported the idea of mandated data localization.²⁰ The argument has also been made that data localization would greatly aid law enforcement efforts, since data stored on servers in India would be more easily accessible by authorities in the country. The European Union and countries like the US have expressed concern about data localization and the deterrent effect it could have on the digital economy. Streamlining MLA processes, or creating alternative means of data sharing for law enforcement purposes, could alleviate concerns on both sides.

The pursuit of data localization could lead to the fragmentation of the Internet, with the proliferation of closed networks contradicting the idea of an open, truly global Internet. Others could emulate successful bilateral arrangements by influential countries, but this would still be a piecemeal approach to harmonizing cross-border data flows and law enforcement cooperation where the Internet is concerned. Another option would be a comprehensive, multilateral treaty on the same issues; successfully crafting one, however, would present its own challenges.

 

The Budapest Convention on Cyber-crime was the first international treaty that addressed cyber crime. To date, it has been signed by 50 countries.²¹ One of its stated objectives is to pursue ‘a common criminal policy aimed at the protection of society against cyber crime’ including by ‘adopting appropriate legislation and fostering international cooperation.’²² Rather than set aside existing mechanisms like MLATs, the Budapest Convention was designed to build upon them, but within a single, harmonized framework.

Being drafted by the Council of Europe (CoE), the Budapest Convention had an inbuilt support base – more than half of the signatories to the convention are CoE countries. Outside the CoE, signatories include the United States, Australia and South Africa, but there are some key players missing. The fact that they were not included in the drafting process was one of the reasons that India, China, Russia and Brazil did not sign on to the convention. While this is a drawback, it also indicates that politics, rather than any strong disagreement on the text of the convention, is the main reason it is not as inclusive as it could be. What this also means is that there is scope for those political concerns to be addressed or overcome.

The political establishment in India may have been clear about its stance on the Budapest Convention, but analysts in the country suggest that it may be advantageous for India to sign onto it. Rather than an outright refusal to participate, the best way forward might be to suggest improvements to the convention; this would also send a signal to other countries that India is willing to cooperate, which could be politically advantageous for the country in its own way.²³ Joining an existing treaty and framework for cooperation would also be a more practical option than trying to create a new agreement.

 

The BRICS (Brazil, Russia, India, China and South Africa) grouping offers an opportunity for India to cooperate on cyber crime and cyber security with some of the other countries that did not sign onto the Budapest Convention. The Internet policies of the BRICS countries have often aligned, and the countries include large numbers of users who are both victims and perpetrators of cyber crime. Though geographically separated, the BRICS countries may be uniquely suited to drafting a treaty to address cooperation on cyber issues.

Efforts to tackle cyber crime cannot be made in isolation from other cyber policies. The inculcation of good cyber hygiene for all users of the Internet in India – from consumers, to businesses, law enforcement and the government – is a necessary prerequisite. With fraud dominating the cyber crime that affects India, educating users about how to protect themselves and their data is an important first step. Users at the ‘bottom of the pyramid’, for whom access is a priority rather than device and information security, are particularly vulnerable. They are also the focus of government programmes to promote financial inclusion and e-governance, among other services; increasing awareness and education about the risks inherent in digital transactions is a must.

 

Developing the digital economy and encouraging international Internet companies can also help address concerns about cyber crime. Providing legitimate access to media content, for example, could discourage users from relying on pirated sources which can expose them to cyber criminals. Moving Internet traffic towards legal sources would also reduce the pressure (often from content holders abroad) on law enforcement to monitor and trace infringers.

While new modes of international cooperation are being developed, it is also critical to train law enforcement officials to efficiently use the processes that are currently in place. Since there can be an overlap between different types of cyber crime, cooperation among agencies within India should also be prioritized so that threats can be addressed by the appropriate bodies. A centralized database recording cyber crimes – building on the NCRB statistics – would also aid in identifying the types of crimes on which Indian law enforcement should focus. Such a database would also identify Internet wrongs which could potentially be decriminalized, such as defamation, further freeing up judicial and administrative resources. India’s Internet growth shows no signs of slowing, and international cooperation and law enforcement must grow with it to prevent cyber crime from becoming rampant.

 

Footnotes:

1. ‘Crime in India – 2015’, Chapter 18, National Crime Records Bureau, Ministry of Home Affairs, Government of India.

2. ‘Crime in India – 2002’, Chapter 18, National Crime Records Bureau, available at: http://ncrb.nic.in/StatPublications/CII/CII2002/cii-2002/C-CHAP18.htm

3. ‘Annual Report – 2015’, Indian Computer Emergency Response Team, Ministry of Electronics and Information Technology, Government of India.

4. ‘Annual Report – 2014’, Indian Computer Emergency Response Team, Ministry of Electronics and Information Technology, Government of India; number excludes incidents identified as ‘spam’.

5. ‘Annual Report – 2006’, Indian Computer Emergency Response Team, Ministry of Electronics and Information Technology, Government of India.

6. See ‘Percentage of Individuals Using the Internet’, ICT Facts and Figures 2016, International Telecommunications Union, available at: http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx

7. ‘Internet Security Threat Report’, Volume 21, April 2016, Symantec Corporation, available at: https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf

8. See note 1.

9. ‘Five Key Observations of the Supreme Court Judgment on Section 66A of the IT Act’, The Indian Express, 24 March 2015, available at: http://indianexpress.com/article/india/five-key-observations-of-the-supreme-court-judgment-on-section-66a-of-it-act/

10. ‘Spam and Phishing in Q1 2016’, Kaspersky Lab, available at: https://securelist. com/analysis/quarterly-spam-reports/74682/spam-and-phishing-in-q1-2016/

11. ‘Government Says Most Cyber Attacks on India are from Pakistan, China’, Press Trust of India, 7 August 2015, available at: http://indiatoday.intoday.in/technology/story/government-says-most-cyberattacks-on-india-are-from-pakistan-china/1/457046.html)

12. ‘MLATs’, Central Bureau of Investigation, available at: http://cbi.nic.in/interpol/mlats.php

13. N. Alawadhi, ‘CBI and FBI Join Hands to Reduce Time Required to Fulfil Requests on Information and Evidence’, The Economic Times, 7 December 2015, available at: http://economictimes.indiatimes.com/news/politics-and-nation/cbi-fbi-join-hands-to-reduce-time-required-to-fulfil-requests-on-information- and-evidence/articleshow/50069794.cms

14. ‘Mutual Legal Assistance Requests’, Ministry of External Affairs, Government of India, available at: https://www.mea.gov.in/mlatcriminal.htm

15. ‘Comprehensive Guidelines Regarding Service of Summons/Notices/Judicial Process on the Persons Residing Abroad’, No. 25016/17/2007, Legal Cell, Ministry of Home Affairs, Government of India, available at: http://cbi.nic.in/interpol/mha_circ_service_ process.pdf

16. ‘Fact Sheet: Framework for the US-India Cyber Relationship’, Office of the Press Secretary, The White House, available at: https://www.whitehouse.gov/the-press-office/2016/06/07/fact-sheet-framework-us-india-cyber-relationship

17. J. Daskal, ‘A New UK-US Data Sharing Agreement: A Tremendous Opportunity, if Done Right’, Just Security, 8 February 2016, available at: https://www.justsecurity.org/29203/british-searches-america-tremendous-opportunity/

18. E. Hickok and V. Kharbanda, ‘Cross Border Cooperation on Criminal Matters – A Perspective from India’, 10 July 2016, available at: http://cis-india.org/internet-governance/blog/cross-border-cooperation-on-criminal-matters

19. See https://www.privacyshield.gov/welcome and http://ec.europa.eu/justice/data-protection/reform/index_en.htm

20. N. Mishra, ‘Data Localization Laws in a Digital World’, The Public Sphere Journal, London School of Economics, available at: http://publicspherejournal.com/wp-content/uploads/2016/02/06.data_protection.pdf

21. ‘Chart of Signatures and Ratifications of Treaty 185’, Council of Europe, available at: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/signatures? p_auth=ig6XzXUB

22. ‘Convention on Cybercrime’, Council of Europe, European Treaty Series – No. 185, available at: https://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680081561

23. A. Kovacs, ‘India and the Budapest Convention: To Sign or Not? Considerations for Indian Stakeholders’, Internet Democracy Project, 31 March 2016, available at: https://internetdemocracy.in/reports/india-and-the-budapest-convention-to-sign-or-not-considerations-for-indian-stakeholders/