Tag: Cyber Law

Analysis of the Pegasus case

Posted on

Introduction

Spyware has always been a murky subject in terms of spying between governments. Spyware has been viewed as a critical component since it is thought critically to monitor and identify individuals who may be involved in illegal or terrorist activities. On the other hand, it is hugely controversial because, while ostensibly targeting criminal activity, such organizations or businesses may attack civil citizens or protestors in any region. This is an important point to remember since such meddling might result in a cyberwar or cyberattack, which could affect the political system of a country like Estonia. The Pegasus case has served as a forewarning of forthcoming cybersecurity concerns and the legislation that is required to address them.

Facts

  • NSO group technologies is an Israeli firm that specializes in the investigation. This firm developed the spyware known as ‘Pegasus.’ It is a commercial company that monitors terrorists, drug traffickers, and other criminals, supporting government intelligence and law enforcement in overcoming encryption and technical hurdles.
  • WhatsApp, which is owned by Facebook Inc., filed a lawsuit against NSO Group Technologies in California court on October 29th, 2019.
  • According to WhatsApp, the malware ‘Pegasus’ deployed by the corporation compromised the phone systems of 1,400 users from all over the world. Users included civil society members, journalists, and Human Rights defenders from nearly twenty nations, according to the report.
  • Because NSO Group was unable to respond or attend in court, the court issued a notice of default.
  • It was claimed that the corporation used computer infrastructure and remote monitoring to insert spyware into customers’ devices via WhatsApp, causing a dangerous code to establish a connection between the users and the company without the consumers’ knowledge.
  • NSO groups claimed that they were not properly served with notice of the action in a timely manner, in violation of international law.
  • According to WhatsApp, multiple attempts were made to serve the notification on the firm.
  • On March 6, 2020, NSO filed an application with a California court to have the previous decision overturned because the notice was not served on time, which is a violation of The Hague Convention due to WhatsApp’s incomplete service.
  • NSO filed a separate case against WhatsApp in Israel on November 26th, stating that Facebook had disabled their private accounts. Facebook responded by stating that they had done so for security concerns.

Argument and Decision

NSO stated that the petitioner had breached international law by failing to provide legal notice of the action filed in a California court of law. They further claimed that they were just targeting the customer’s database provided to them and that they had no intention of targeting WhatsApp users. Furthermore, they asserted that the company’s customers are foreign sovereigns and that as a private agent for such users and of a foreign state, they are entitled to immunity under US law. It was also maintained that because they were acting as a supplier and were following the orders of their customers or the government, they could not be held accountable. WhatsApp contended that the NSO’s action was purposeful and intended to spy on those involved in social causes or other civil society members. It requested a permanent order from the court to prevent NSO from interfering with WhatsApp and Facebook’s computer systems. It claimed that NSO had broken the California Comprehensive Computer Data Access and Fraud Act and had trespassed on WhatsApp’s premises without permission. The District Court of California ruled in favor of WhatsApp in July 2020, and the litigation will move forward.

What is Pegasus

NSO, an Israeli cyber arms outfit, developed spyware to track a user’s mobile device. A link is provided to the user or targeted person in this spyware, and as soon as the targeted person opens the link, malware is injected into the device, allowing surveillance of the target. A new version of the same is said to be more powerful and destructive, and it doesn’t even need the user’s help. This spyware was produced by the organization to keep an eye on terrorists and
other criminals. To carry out such actions, the NSO collaborates with other governments and law enforcement agencies.

Effects

The charges stated by WhatsApp in its court application are extremely serious. According to WhatsApp, once this malware has been downloaded to a user’s smartphone, it can access emails, SMSs, passwords, location, network information, browser history, and device settings. The Citizen Lab claims that in addition to contact lists and emails, it has access to the device’s camera and microphone, allowing it to record all calls and messages. Pegasus has also allegedly used WhatsApp’s video and voice call functions, allowing the spyware to infiltrate the smartphone without the user’s knowledge.

Indian Laws governing Spyware Attacks

In India, the Pegasus case served as a wake-up call. Many Indian activists and civil society members were allegedly spied on by this spyware, according to WhatsApp. This calls into doubt India’s data protection and privacy laws. The ‘Right to Privacy’ was recognized as a fundamental right in the case of Justice Puttaswamy v. Union of India, and like any other fundamental right, it is subject to some limitations. There are four tests that can be utilized in privacy cases, according to Justice Chelameshwar:
Under Article 14, arbitrary state action may be subject to a reasonableness inquiry. The verdict makes it apparent that privacy, as a basic right, is a private aspect of citizens’ lives that must be preserved as a right under Article 21, which guarantees the right to life and personal liberty. Even when certain limits are imposed for the sake of public order or national security, people’s fundamental rights should not be violated. The Pegasus case demonstrated how spyware can compromise a user’s privacy and personal information. As a result, it is critical to analyze and implement a solid data privacy policy.

Conclusion

Spyware incidents like Pegasus represent the beginning of a new era of digital warfare. Such situations are likely to become more common as technology advances. It is critical that there are strict rules in place in the event of foreign unauthorised access to devices and spyware control limitations. The Pegasus case also emphasized the necessity for spyware regulation, as the goal of targeting users who are criminals or suspicion of criminal activity might extend to spying on persons like activists and protestors, threatening democracy and individual privacy in the long run.

References
1. The Pegasus case and the laws concerning spyware in India – iPleaders

This article is written by Vidushi Joshi student at UPES, Dehradun.

Protection of “Non- Personal Data” in India: Need of the Hour

Posted on

INTRODUCTION

We can see the continuous usage of the term “non-personal data” (aka NPD) in the article. Hence, the definition of the term should be known. According to a report submitted by PRS Legislative Research, “non-personal” data can be referred to as “any data which is not personal data (data pertaining to characteristics, traits or attributes of identity, which can be used to identify an individual) is categorised as non-personal data”[1]. Such data does not possess any kind of information that would lead to the identification of a person. NPD can be any sort of data, for example, it might be something that is not all related to an individual, or it can be personal data that had been anonymised later[2]. Discussions regarding the protection of “non-personal data” began very late. This article deals primarily with “non-personal data” and the reasons to protect them. The importance of “non-personal data” had also been mentioned in this article.

IMPORTANCE OF “NON-PERSONAL DATA”

“Non-personal data” has significant importance. These uses can be political, economic, or security-related. The key to expanding India’s economic opportunities is to strike the right balance between effective information privacy, security, and development[3]. Today’s world is very much technology-oriented. Hence, it can be concluded that in near future almost everything will be data-based. In such a situation, “non-personal data” would come to great use.

TYPES OF “NON-PERSONAL DATA”

NPD can be divided into sub categories like “public non-personal data”, “community non-personal data”, “private non-personal data”. “Public non-personal data” is referred to those data which is obtained by a government or governmental agencies during public-funded works. Anonymised data from land records, vehicle license data, and so on are examples. “Private non-personal data” are obtained from private sources (just like the name suggests), and the “community non-personal data” are obtained from community of natural persons[4]. Examples of private NPD include data/insights derived through the use of algorithms, and data sources collected by municipal authorities, other database systems, and so on are examples of community NPD. In the year 2019, an expert committee[5] was constituted in order to address the issues related to “non-personal data”. The abovementioned divisions have been made by the committee itself.

WHY DOES “NON-PERSONAL DATA” NEED PROTECTION

Although technically, no private information can be disclosed under “non-personal data”, there are some matters of concern. Often there is an overlap between personal and “non-personal data”[6], and this overlap is quite inevitable at times. The importance and vulnerability of data cannot be overstated. The time for data governance has arrived, just as the “Internet and cloud computing” had become accepted parts of doing business in the past. While customers’ personal data is protected by a lot of privacy laws around the world, “non-personal data” (NPD) is totally untapped. “Non-personal data” has financial value, which should be capitalised on by Indian businesses. These data can also be used to improve governance. For example, traffic patterns compiled by commercial vehicles can aid in better traffic control. This proves how important regulation of NPD can be.

INDIA’S LATEST FRAMEWORK ON “NON-PERSONAL DATA”

An expert committee is known as the “Gopalakrishnan committee” was formed by “Ministry of Electronics and Information Technology”, in the year 2020 in July. The main objective of this committee was to study and address the issues regarding “non-personal data”.

The following observations were made by this expert committee: “NPD should be regulated to enable a data-sharing framework to tap the economic, social, and public value of such data, and to address concerns of harm arising from the use of such data.

The abovementioned expert committee had also suggested that the PDP or the “Personal Data Protection Bill” should be amended. According to the committee, the rules regarding NPD should be scraped off from this bill and should be incorporated under a separate one. This was recommended in order to avoid any kind of overlaps.

As per Amar Patnaik, a member of the “Joint Parliamentary Committee” (JPC) on “Personal Data Protection” (PDP), rules to regulate non-personal data are essential, but at the same time, the Indian market should be given chances to grow. JPC has come up with some recommendations regarding the PDP Bill 2019. These recommendations would be discussed in the Parliament in the approaching winter session[7]. One of the major recommendations had been that the term “personal” should be removed, and both personal data, as well as NPD, should be regulated using the same regulator.

CONCLUSION

It can be concluded that it is extremely important to safeguard the “non-personal data”. At the very least, the NPD landscape in India is perplexing. There is little clarity about how “non-personal data” regulations and regulators would interact with personal data regulations and regulators. This article has also talked about how important NPD can be. It holds economic, as well as security-related importance. Unlike personal data, NPD hardly had any kind of regulations, hence, a solid set is absolutely necessary. Artificial intelligence has become a major thing these days. Therefore, it can be accomplished that NPD needs to be regulated largely. Proper full-fledged regulation of non-personal data in India has a long way to go.

ENDNOTES

  1.  “Non-Personal Data Governance Framework”, https://prsindia.org/policy/report-summaries/non-personal-data-governance-framework.
  2.  “India: Revamped framework proposed for non-personal data regulation”, [January 2021], https://www.dataguidance.com/opinion/india-revamped-framework-proposed-non-personal-data
  3. Piyush Sharma, “Non-personal data: Unlocking value for public good”, [July 27, 2020], https://www.fortuneindia.com/opinion/non-personal-data-unlocking-value-for-public-good/104665.
  4. Supra note 1.
  5. Tanmay Mohanty, “India: Non-Personal Data Governance Framework”, [September 16, 2020], https://www.mondaq.com/india/privacy-protection/985574/non-personal-data-governance-framework.
  6. Vidushi Marda, “Non-personal data: the case of the Indian Data Protection Bill, definitions and assumptions”, [October 15, 220], https://www.adalovelaceinstitute.org/blog/non-personal-data-indian-data-protection-bill/.
  7. Sreenidhi Srinivasan and Anirudh Rastogi, “Why non-personal, what’s critical … & snooping? JPC report on data protection raises questions for privacy, business & regulation”, [November 26, 2021], https://timesofindia.indiatimes.com/blogs/toi-edit-page/why-non-personal-whats-critical-snooping-jpc-report-on-data-protection-raises-questions-for-privacy-business-regulation/.

This article is written by Aaratrika Bal student at National Law University Odisha

Cyber Pornography and Laws regulating it

Posted on

This post is written by Anushree Tadge, a 3rd-year law student of ILS Law College, Pune, explaining the topic considered to be a taboo but still dealt with, through legislations- Cyber Pornography.

Introduction

Cyber Pornography is a global problem now. The government has been taking crucial steps to ban websites possessing pornographic content following the Courts. However, people have found ways and means like VPN, DNS Server Change, downloading search engines with inbuilt VPN activation, to continue watching cyberporn. Now, this becomes a very controversial issue because can there be any decision as to if a person should be punished for watching such content? Or are the service providers to be held responsible for possessing pornographic content? Are the laws stringent enough to regulate cyberporn? 

Meaning of ‘Pornography’

‘Pornography’ is a Greek origin word, this can be divided into two “Porne” meaning prostitute and “graphos” meaning description. Pornographic content includes any video, pictures or other media that generally contain sexually loud acts considered to be indecent by the public.

The term pornography is used for the publication of the act instead of the act itself, and therefore, this does not cover the ambit of sex shows or striptease. People all over the world have been debating over whether pornographic content is just an artistic expression of the human body and sex as an act or is it an immoral act hurting people’s religious sentiments.

Concept of pornography has never been so broad as it is at this point of time. Pornography as a topic now been divided into softcore and hardcore pornography. The point of difference between the two being the depiction of penetration.

Cyber Pornography as a term means the publication, distribution and designing of pornographic content by using the medium of cyberspace. It is a product of the advancement of technology. Since the Internet has become so easily available in the modern times, people can view different porn on their devices, and even upload such content online. 

Cyber Pornography

Internet covers pornography as much as 30 per cent of its total content. But the catch here is only 10% of this content is on the web, rest can be found on dark work and the deep web. According to the statistics of the year 2005, there were almost 2 billion searches for porn, the revenue generated through this industry is also quite a lot, it is the fastest growing industry and is estimated to generate approximately $60 billion in the year 2007.  The U.S stands as a first ranker in the entire pornography industry. Almost  $12 billion of the U.S revenue is spent on porn followed by the country, Australia, which extracts a total of $1.5 billion revenue from the industry. The easy availability to the Internet has helped a lot of people to view pornographic content even without any hindrance to their privacy and without even disclosing their identity to the site developers.

Legal Aspect

Various legislations are enacted so as to regulate Cyber pornography in our country, India, this includes the Information Technology Act of 2000, the Indian Penal Code, the Indecent Representation of Women’s Act and Young Person’s (Harmful Publication) Act. These are explained briefly below-

Information Technology Act, 2000

Cyber Pornography is not legitimised or even banned under the IT Act of 2000.

  • The IT Act restricts the production and even distribution of cyber pornography but it does not prohibit the viewers to view or download any pornographic content excluding child pornography.
  • Section 67 of the IT Act, 2000 makes the below listed acts punishable, the punishment being imprisonment for a term of three years and fine up to Rs. 5 lakhs

Publication, Transmission, Causing to be published or transmitted

The Intermediary Guidelines provided under the Information Technology Act put the burden on the Intermediary or the Service Provider to exercise accurate due diligence so as to ensure that their portal/ site is not being misused.

So, viewing Cyber pornography is legitimised in India as merely downloading and viewing of content does not lead to an offence. Although publication of such content online is illegal storing the same is not an offence but again, transmitting such cyber pornography via messaging, emails or any other kinds of digital transmission is an offence.

According to Section 67 (B) of the IT Act, 2000, any individual not attained the legal age- 18 years is a child. Child pornography is illegal and below listed acts are considered as an offence-

  • Publication or transmission of any material through electronic means that depict children engaged in a sexually explicit act or similar conduct.
  • Depiction of children in an obscene act or similar in a sexually explicit manner.
  • Normalising and encouraging child abuse online.

Although exceptions like media for religious education, for the study of sexology or even if a photograph of a child is utilised so as to explain the anatomy of a child won’t be considered as an offence.

Indian Penal Code, 1860

Section 292 of the Indian Penal Code, 1860 prohibits the sale of any obscene material or any sexually explicit content. 

Section 292(1) states the meaning of “obscenity” and also states that any content will be deemed as obscene in case it is lascivious or as prurient or even if any part of such content has the intention to probably corrupt people.

Whereas Section 292(2) briefly explains what will be the punishment for sale, distribution, such materials. This would be applicable to any person who sells, distributes, hires, exhibits publicly or puts any obscene material into circulation. This will also cover the imports or exports of such obscene material. A person involved in receiving profits or advertising content from any such business shall also be held responsible. Offers to do or attempts to do any act which is prohibited under the section.

  • On the first conviction, a person may face rigorous imprisonment that may be up to 2 years and a  fine up to  ₹2,000.
  • On the second conviction of such person, he/ she shall be awarded imprisonment for 5 years along with a fine that may extend to ₹5,000.

Section 293 of the Indian Penal Code, 1860, provides for the punishment of a person who is involved in selling, hiring or distributing any obscene material to any other person who is of age below 20 years.

  • On the first conviction, a person shall be imprisoned for 3 years along with the fine up to ₹5,000, and
  • On the subsequent second conviction, imprisonment may extend to 7 years with a fine up to ₹5,000.

Indecent Representation of Women’s Act, 1986

Indecent Representation of Women’s Act, 1986 is a legislation which seeks to prohibit the representation of any women or any of her body part in an indecent manner such that any such representation will hurt the public morality on grounds like indecency, hurting of religious sentiments etc. 

POCSO (The Protection of Children from Sexual Offences) Act, 2012

The latest and very popular ‘POCSO Act’ also regulates cyber pornography effectively. Actually, The POCSO Act, 2012 was specially enacted so as to prevent children from any kind of sexual offences. But the act also protects children from crimes such as sexual assault, sexual harassment, and child pornography. This act aims and works so as to protect the interests and well-being of minor children. The Act is gender-neutral and considers any individual below 18 years to be protected as a ‘child’ under this legislation. The provisions relating to ‘Cyber Pornography’ listed under the POCSO Act are explained below:

Section 13 of the POCSO (The Protection of Children from Sexual Offences)  Act, 2012, defines the offence of ‘child pornography’, and explains it as whosoever, uses any child in any type/kind/ form of media for purposes of sexual gratification shall be considered as guilty of the offence of child pornography. Also, Section 14 of the same,  POCSO Act, 2012, states the punishment for a person guilty of using any child for pornographic purposes.

Punishment for using a child for pornographic purposes in both POCSO Act, 2012 and the bill of 2018 is listed under-

Offence related to Punishment under POCSO, 2012 Punishment under the 2018 Bill
Child PornographyMaximum – 5 YearsMinimum – 5 Years
Child Pornography with sexual assault, penetrative, etc Minimum – 10 Years; Maximum – Life Same as Act
Child Pornography with extreme and harsh penetrative and sexual assault Only Life ImprisonmentMinimum – 20 Years;
Maximum – Life Imprisonment, Death Penalty
Child Pornography with other sexual assaultsMinimum – 6 Years;
Maximum – 8 Years		Minimum – 3 Years;
Maximum – 5 Years
Child Pornography with extreme sexual assaults other than above mentioned Minimum – 6 Years;
Maximum – 10 Years		Minimum – 5 Years;
Maximum – 7 Years

According to Section 15 of the POCSO (The Protection of Children from Sexual Offences) Act, 2012, provides punishment for a person involved in storing pornography that involves a child, in any kind of form, in that case, he shall be awarded imprisonment up to a period of 3 years or fine or with both.

Conclusion

The regulations in India for cyber pornography are mediocrely stringent and readers should understand that such punishments are fine as ‘porn’ is still a very controversial topic, the most effective and safe method to curb such menace of cyber pornography and the other vices on the Internet is an attempt by the state so as to achieve social maturity by making people aware through education and even after so we live in a state where individual’s choice cannot be controlled, as to what a person wishes to see. Although child pornography resulting in sexual assaults is serious and cannot be neglected no matter what. Parents should be friendly and educate their children the same, that will be the best for under-aged kids curiosity to watch such content.

References

  • https://www.psychologytoday.com/us/blog/all-about-sex/201611/dueling-statistics-how-much-the-internet-is-porn.
  • https://pdfs.semanticscholar.org/d5ac/9d42834942df20b7224d4c45831cd487ce91.pdf
  • https://indiankanoon.org/doc/1318767/
  • https://www.itlaw.in/section-67b-punishment-for-publishing-or-transmitting-of-material-depicting-children-in-sexually-explicit-act-etc-in-electronic-form/
  • https://indiankanoon.org/doc/776798/
  • https://indiankanoon.org/doc/776798/
  • https://www.advocatekhoj.com/library/bareacts/childrenprotection/13.php?Title=Protection%20of%20Children%20from%20Sexual%20Offences%20Act,%202012&STitle=Use%20of%20child%20for%20pornographic%20purposes
  • The Protection of Children from Sexual Offences (Amendment) Bill, 2019; The Protection of Children from Sexual Offences Act, 2012: PRS
  • https://www.advocatekhoj.com/library/bareacts/childrenprotection/15.php?Title=Protection%20of%20Children%20from%20Sexual%20Offences%20Act,%202012&STitle=Punishment%20for%20storage%20of%20pornographic%20material%20involving%20child

Latest Posts