Judicial arrears and case pendency are not a new problem. We have been dealing with these issues and problems for some time now. The setting up of quasi-judicial tribunals was seen as one way of reducing this pendency. Here tribunals would adjudicate disputes based on their thin and defined areas of competence and achieve efficiency in disposal and accuracy in rendering decisions. India’s experience with quasi-judicial tribunals in its introductory stage was with labor and service laws. Hence the Central Administrative Tribunal (CAT) which deals with these disputes was founded in 1985 and was considered one of the initial flag bearers of administrative law in India. With the increased focus on sectoral adjudication there has been a mushrooming of quasi-judicial tribunals which deal with disputes in their specific domains. A tribunal which has been receiving its fair amount of the press is the Competition Appellate Tribunal (CAT) headed by former Supreme Court Justice Hon’ble Arijit Pasayat.

The latest CAT is the Cyber Appellate Tribunal. Even though the Information Technology Act had clear provisions on the establishment of the Cyber Appellate Tribunal way back in 2000 when it the enactment was notified, till recently the seat remained vacant. Only on July 27, 2009 was Hon’ble Justice Rajesh Tandon appointed as the Chairperson of the tribunal and it was christened (Hon’ble Justice R.C. Jain was appointed as the presiding officer way back in 2007 however no decisions came out till recently). A reason for the delay in appointment may have been the absence of litigation in this area of law. However, with the Tribunal releasing some decisions, it seems that litigation on the Information Technology is finally hotting up.

There are a total of 7 decisions rendered by the Cyber Appellate Tribunal which have been posted on the Ministry of Information Technology website (caveat – 6 of the 7 arise from the same bundle of facts). These decisions reveal certain trends and projections which may define the scope of adjudication in this young and growing tribunal. As most tribunals even the Cyber Appellate Tribunal seems to be going through its teething phases, tasting, chewing and rejecting various claims as to the extent of its jurisdiction. All the 7 decisions released have arguments and contentions which have arguments on jurisdiction contained in them. Out of the 7 appeals, 1 is remanded back to the adjudicating officer and the other group of 6 are dismissed for lack of jurisdiction. They are dismissed on the ground that the Appellants filed an original complaint with the tribunal, when the tribunal sits only as a court of appeal. Another issue which comes out quite glaringly is that the Appellate tribunal seems to be quite particular as to the parties which are arraigned. Most of these issues should be decided through discussion with the legal counsel at the stage of filing of the original complaint itself (original complaints are filed with the Adjudicating Officer which has been appointed in each state). Another issue with the 6 appeals which were dismissed was that some of them made the Controller of Certifying Authorities a party even though there were no complaints relating to electronic signatures.

I fail to gather how they can make such a complaint when the function of the controller is limited to regulating other certifying authorities and electronic signatures. I have prepared a table containing the decisions, which list the facts, issues and decisions of all the 7 appeals. They are available at the following link. You can download it here.

p.s. I have not written on the blackberry story because of the complete lack of clarity on it. Everyday there are conflicting media reports and statements by the government regarding the device. I promise to go fishing when the storm dies down.

This is the first of my two part blogpost’s on the proposed ban on blackberry services in India. These series discusses the demand for establishing a blackberry server in India for the interception of communications. I argue that this an indicia of a gradual increase in national security regulation since the Mumbai terror attacks. This post also seeks to examine the privacy concerns and whether the actions and the seemingly inflexible demands of the Indian government are justified. The first blog post does not discuss the blackberry ban specifically but introduces the reader to the causes as well as the gradual trend towards the heightened security climate in India, with regards to telecommunication regulations. It also broadly introduces the legal limits placed on the right of personal privacy. The second part will discuss the technological structure of the blackberry device, the device specific concerns and the developments on this controversy which is developing daily.

For all the unsavory things Henry Kissinger has said to Nixon about Indians and Indhira Gandhi in the past, his 1994 book, “Diplomacy” has its highs of eloquence and levels of reason. He uses concepts such as realpolitic and raison d’ etat to explore international relations of countries through the ages and posits his realist analysis on them. The recent controversy of a, “blackberry ban” brings to focus the concept of raison d’ etat. The concept evolved in 17th century France which can be roughly translated to, “for reasons of state” and in Kissinger’s words, it asserts, “that the well-being of the state justified whatever means were employed to further it; national interest supplanted the medieval notion of a universal morality”.

I cannot agree with this completely, for a crude application of this principle, would reduce many a country to a totalitarian regime (remember the perpetual state of war maintained by Oceania in 1984). However, at the same time there is much sense in the “national interest” argument. What makes the concept more relevant to the present discussion is the increased use of technology by terrorists. Recent terrorist attacks in India have revealed an increased dependence by terrorists on emails, mobile and satellite phones to plan, coordinate and execute terrorist attacks.

Parallel to this there is also a growing sense of privacy in India. With higher disposable income and ownership of more material possessions there is growing sense of “my property” from our traditional views of “our property”. There is also a growing penetration of broadband and blogs which highlight these issues increasingly. Whatever be the sources, it is undeniable that modern middle class Indians have a sense of personal privacy. In this background the blackberry issue symbolizes more than just a mere “security issue”, it represents the tension between the competing interests of the state and the individual. First lets examine what has been the trigger of this controversy.

Apprehension and actual harm

Security concerns over blackberry devices were first aired in the corridors of power in 2008. In April I even wrote a short post on the wrangling between the government and the makers of blackberry devices due to the inability of security agencies to intercept some types of traffic data on the device. This is because of the triple DES level encryption employed by blackberry devices. I suggested a key escrow as a way out. My suggestion was more in the domain of a legal solution to any privacy concerns which could be there for Blackberry users. In retrospect it would seem, (if we go by blackberry’s description of its technology) technically impossible (discussion on the technological architecture in part 2).

Then the Mumbai Terror Attacks happened. These were one of the most horrific terror attacks on Indian soil. What differentiated these attacks from previous ones was the level of coordination and damage wrought by 10 terrorists and their handlers. There were news reports that these attacks were planned, coordinated and executed by a reliance on consumer technologies. A post by security expert, Noah Shachtman who writes the popular, “Danger Room” column at wired.com stated that,

“As they approached Mumbai by boat, the terrorists “steered the vessel using GPS equipment,” according to the Daily Mail. A satellite phone was later found aboard. Once the coordinated attacks began, the terrorists were on their cell phones constantly. They used BlackBerries “to monitor international reaction to the atrocities, and to check on the police response via the internet,” the Courier Mail reports. The gunmen were able to trawl the internet for information after cable television feeds to the two luxury hotels and office block were cut by the authorities. The men looked beyond the instant updates of the Indian media to find worldwide reaction to the events in Mumbai, and to keep abreast of the movements of the soldiers sent to stop them. Outside of Leopold’s Cafe, “one of the gunmen seemed to be talking on a mobile phone even as he used his other hand to fire off rounds,” an eyewitness told The New York Times.”

The attacks changed our lax attitude towards national security. I have commented before how the attacks were termed “India’s 9/11”. The comparison was not totally misplaced.  After the attacks both countries discovered their appalling lack of clear command and control structures, information gathering and sharing. Something needed to be done. Our Lok Sabha responded like the US Senate did, rushing through enactments to “strengthen” national security. For reasons of state, new laws were created, old ones were amended, the ones which remained were enforced.

Security regulatory overhaul

This legal upheaval was most visible with regards to telecommunications and internet regulations. The Information Technology Act, 2000 was finally amended and the amended act was notified in late 2009. Along with the amendments came regulations on interception of online communications. I have written on these topics at length in my article balancing online privacy in India which can be accessed at the following link.

Alongwith these amendments there also came regulations on authentication of the identity of the person availing the telecommunication or the internet services. First came regulations on the secure use of WiFi access points. These were issued by the Department of Telecommunications (DoT), on February 23, 2009. The regulations applied to all ISPs serving leased line subscribers, home users, and WiFi hotspots in public places. The objective of the regulation was to prevent misuse of WiFi Internet access and to be able to track the perpetrator in case of abuse. This made it necessary for any internet access provider to enforce a centralized authentication using LoginID and a password for each user. After this, on September 3, 2009 came the regulations on the authenticity of IMEI numbers. The IMEI number which is unique to each cellular handset is paired with a network on activation. This IMEI number is also matched against each handset in an international database. When combined with a local register maintained by the telecom company containing the details of its subscribers, the cellphone was irretrievably linked to a person.

More recently there were regulations made on the sourcing of telecom equipment. These regulations were made due concerns that the equipment which was usually sourced from abroad could have embedded backdoors which could be used for counter intelligence by foreign countries. These regulations established a approval based process where a security clearance would have to be obtained by a telecommunications service provider. Here a pro-forma with details of the name, source and country of the manufacture of the equipment would have to be submitted to the DoT for approval before it could be sourced. A New York Times article examined this issue from the perspective of telecommunication companies which were unhappy with the regulations citing that it would cause delays as well as increase costs (as Chinese telecommunication equipment constitutes the bulk of the sourcing due to the low costs and it would be the most natural suspect class hit by delays in approvals and even rejections). Another story also highlighted a, “memo posted on its Web site on March 18, the Telecommunications Department clarified its security clearance rules, stating that the “operation and maintenance of telecom networks should be entirely by Indian engineers” and adding that the “dependence on foreign engineers should be minimal” within two years from a purchase.” The recent blackberry controversy is only the latest in the  continuous regulatory efforts by the Indian government to strengthen national security. Its not the first and definitely not the last. However, the blackberry controversy in my view is serving an extremely important function.  The privacy argument which has always been generally latent, discussed by academics and staunch civil libertarians, is now ripe for widespread  national discussion.  In the end I see this debate as defining a lot of ground rules on privacy, security policy as well as encryption technologies.

To kick of the next part I discuss why there is such an inexorable demand by the Indian government on blackberries specifically. What makes the technical architecture of the blackberry so difficult to crack? And is there truth to RIM’s (research in motion, the makers of the handset) defenses of “we would (comply), if only we could”!

Concerns related to Blackberry    

BlackBerry’s server is based in Canada where the encryption level is very high and extremely difficult to crack. Any message going through the Canadian server is encrypted and, therefore, cannot be accessed by intelligence agencies of UAE, Saudi Arabia and India.

Concerned officials in this states have argued that the continuation of BlackBerry services posed danger to the country. They pointed out that security agencies were finding it difficult to intercept or decipher messages sent through these phones, which use codes with high encryption.

How does it works

“The BlackBerry security model is very different from other phones,” said Kevin Mahaffey of Lookout mobile security firm. “It is end-to-end and the encryption is so strong nobody knows how to monitor it.”

Makers of BlackBerry, Canada based Research in Motion (RIM) uses the level of encryptions for BlackBerry email messages and routes them in a way that keeps the data off limits from even telecom firms that carry the transmissions. According to RIM they “transmit information wirelessly while also providing them with the necessary confidence that no one, including RIM, could access their data,”

RIM uses a special layer of coding to shield email as it is routed to the company’s servers and then on to intended recipients. BlackBerry also uses encrypted validation to identify handsets connecting to the network.

In normal smart phones transmits data through telecom Service providers which are generally owned by the state or the state has the authority or jurisdiction to intercept messages from there where in case of Blackberry it cannot.

Concerns are justified or not

The UAE has said that BlackBerry services including messenger, web browsing and email will be suspended because they “allow individuals to commit violations” that the country cannot monitor.

We are also aware that the intercepting messages in the State of J & K is a necessary security arrangement to thwart any security threat. We also agree that there has certain case of misuse by the State. To address the concerns of the citizens and to protect their privacy the state should enact a legislation which balances the requirement for national security and should not infringe upon the individual’s right to privacy. The procedures for intercepting messages needs to be more transparent than the existing form.  

Excuse 1 : Shhhhh is the Security

The first part of this post alluded to the simple technological structure of the Indian EVM’s. The structure to a large part is due to a desire to avoid large lines of code which run encrypted programs usually prone to bugs and errors. Beyond directly burning a simple read only software onto the memory of the EVM there is no technological protection. The additional layers of protection are in the nature of social security.  Here EVM’s are securely stored, access is restricted and an elaborate system of seals and stickers are pasted on them to ensure they have not been tampered with. An essential ingredient of this social security system is keeping the design, code and structure of the device secret. Hence, it cannot be supplied to a research scientist and ethical hacker for testing its vulnerability. Since there are no results to prove that the EVM is vulnerable the EVM is perfect. While we cannot thank such logic for inspiring voter confidence, we can thank it for inspiring great fiction such as Catch-22.

Excuse 2: Pirates without markets

Another excuse which is supplied by the Election Commission is that since the machines have been jointly developed by ECIL and Bharat Electronics Limited BEL providing them for vulnerability testing would involve reverse engineering and would violate the companies copyright and patents. Going beyond the hyper legal arguments I examine the effects of the violation of the Intellectual Property rights in EVM’s. The principal rationale behind the copyright and the patent enactments is economic remuneration to the author and the inventor. Here the market composes of a monopolistic consumer, i.e. the Election Commission which exclusively sources its demand (I am unaware whether it’s a licensing agreement or an outright sale) from the rights holders. Hence in the absence of a parallel market or another consumer there is no utility for the piracy of an EVM. I am not disregarding that the EVM technology developed may be used in union elections etc. but then there are sufficient safeguards and remedies present in the enactment for the rights holders. In the absence of any economic harm the excuse of intellectual property protection is merely a thicket which has been created to resist demands for EVM examination.

Reason 1: onerous election laws

The first reason why I support examination of EVM’s are the electoral laws which impose onerous burdens on defeated candidates when they seek to question the election results. These challenges must be in the form of election petitions which should clearly specify the electoral malpractice with conclusive evidence. The reason behind this is that there should be determinacy in the election process and the pendency of a case should not clog up an election result.

However, this is not any standard of proof which a petitioner has to demonstrate to succeed in a election petition. It is an extremely high standard of proof. The Hon’ble Supreme Court has put it across clearly in Shiv Charan Singh’s Case (cited as (1988) 2 SCC 12), “The legislature has, as noted earlier, placed a difficult burden on the election petitioner to prove that the result of the election was materially affected by reason of improper acceptance of nomination paper of a candidate (other than the returned candidate) and if such burden is not discharged the election of the returned candidate must be allowed to stand as held by this court….. It is true that the burden placed on the election petitioner in such circumstances is almost impossible to discharge.” Now when an EVM is used the votes are entered electronically and then they are automatically tabulated by the machine. Any manipulation which happens, happens electronically and there is no paper trail or physical evidence, save catching the perpetrator during the commission of the manipulation. When the technology is combined with our electoral laws it becomes next to impossible for a candidate to challenge the result of an election when there has been technological manipulation of the EVM. This underscores the need for the device and the process to be certifiably secure and impenetrable.

Reason 2 : A Technological Precautionary Principle

Implementations of new technologies often result to be glitch prone and have security vulnerabilities. Even if they are not obvious and certain they may be latent and indeterminate. These latent and indeterminate risks are magnified once there is a considerable public harm in the eventuality of the occurrence of the of the glitch or security breach. This is not a novel argument. It has roots in the environmental jurisprudence and is termed as the precautionary principle and is applied to suspend activities which may cause a deleterious effect on environment. Recently even in the BT-Brijnal Decision Hon’ble Minister Jairam Ramesh when imposing a moratorium cited scientific indeterminacy and the precautionary principle as reasons. Despite the confident and unequivocal press releases and statements of the functionaries of the Election Commission recent impartial scientific studies point to vulnerabilities in EVM’s. Certainly there is a public interest involved, there is also an overarching risk of vote fraud, here it will be well placed to invoke the precautionary principle and at the least adopt policies for EVM examination and vulnerability testing.

Conclusion: the chastity of sita and the loaded dice

Often a creeper finds its way to the root of a tree. When it does, it intertwines itself from the tow to the tip, not leaving breathing space for the principal. The hapless farmer who enjoys the shade of the tee has two options, both which involve considerable pain to his shelter from the sun gods. Uproot the vine and damage the roots or slowly watch the creeper subsume the tree itself. Do we face a similar problem with Electronic Voting Machines? Some would have us believe that. With the last two elections being conducted by EVM’s questioning the security of the EVM would be the same as questioning the results of the elections! If you think the language above is hyperbolic sample this blurb in 2009 from the head of Election Commission’s experts, Professor PV Indiresan, “This is like asking Sita to prove her chastity by giving agni pariksha. That is all I can say,”. In the absence of transparency and vulnerability testing of EVM’s, I would put it that a character from another epic is closer to situation at hand. The character is Shakuni and the epic is Mahabharata.

Veerendra Pratap’s Paranoia

One of movies that I watched recently was the political drama Rajneeti. Towards the end I was disappointed having expected more from Prakash Jha. However, the individual performances of veteran actors Manoj Bajpai and Nana Patikar were consistently excellent. Manoj Bajpai when playing Veerendra Pratap, a political scion seeking to inherit his father’s legacy superbly portrayed a man drunk on ambition and scotch.  Veerendra Pratap’s end is portrayed in the climax of the movie when he is snared by a political rival on the eve of election results and then subsequently executed. When the election results start coming in against his political party Veerendra Pratap is unable to accept them. He becomes suspicious and paranoid and feels himself to be the victim of a conspiracy. Here is when the trap is laid. It involves drawing out Veerendra Pratap to an abandoned warehouse by leaking information of a vote fraud being done remotely on electronic voting machines (EVM’s). Even though the movie portrayed the electoral results as an actual victory and the vote fraud as a pure play on the mind of Veerendra Pratap, issues of security and integrity of EVM’s are increasingly being thought about today.

India’s experience with EVM’s

EVM’s have been deployed on a large scale in India and the ballots in the last two general elections have been exclusively cast and counted on these EVM’s. Given this large scale deployment there have been reasonable apprehensions as to the security and the authenticity of holding entire elections by EVM’s. This is in keeping with a global trend of reproach and reexamination of EVM’s where several European countries have subsequently withdrawn EVM’s after enthusiastically embracing them initially. In India there have been longstanding demands by Politicians, Electoral Analysts and technologists to examine EVM’s. However, this has not been made possible due to the stringent legal regulations which mandate absolute secrecy as to the architecture of EVM’s in India.

The Indian EVM’s have been indigenously developed by Electronics Corporation of India (ECIL) and Bharat Electronics Limited (BEL) and are distinct in their architecture from EVM’s which have been developed and deployed abroad. The machines are relatively simpler and do not use cryptography for protection. On the contrary they utilize a system where simple software is burned directly on the chip of the machine (the micro-controller) and it cannot be read, updated, modified or deleted without physically removing the chip (which would destroy the machine). Further layers of security are in terms of seals and stickers on the machines as well as a chain of trust which is sought to be created by involving multiple electoral officers. However, it should be noted that in terms of the architecture of the machines they are relatively simple. The reason for this is the cost of the EVM’s ends up being lower as well as the absence of complex coding makes the operation less error prone. In a country such as India where large scale balloting is held in remote areas, these are definitive necessities. However there is a growing disquiet on EVM’s in India. It is only to grow with the paper authored by Hari K. Prasad, J. Alex Haldermany and Rop Gonggrijp titled as, “Security Analysis of India’s Electronic Voting Machines”. The authors have also put up a video for making their findings more accessible. Before this paper due to the strict legal regulations surrounding EVM’s its structure and architecture could never be independently examined. Requests to the Election Commiseration of India (ECI is the body which conducts polling in India) for providing the EVM’s were resisted on grounds that the security of the devices lay largely in the secrecy of its design. Legal Regulation which mandated absolute secrecy helped this posture of the ECI. Some of these requests were made by Mr. GVL Narasimha Rao who has published a book and runs a campaign against EVM’s at a website maintained by him.

Legality of  EVM’s

The first case to challenge the validity of electronic voting machines was that of A.C. Jose v. Sivan Pillai. The case which was decided by the Supreme Court in 1984 held that since the Election Commission did not have any legal rules to implement an election by EVM’s it was without jurisdiction and bad in law. It is pertinent to note that the Supreme Court made no observation of on the efficacy of EVM’s and its merits/demerits. However much changed with time, technology slowly started to emerge as the panacea to India’s problems. Rules were made to enable the election commission to hold polls through EVM’s and subsequent legal measures to challenge their legality failed. In-fact in the recent case of Michael B. Fernandes vs C.K. Jaffer Sharief And Ors., the Court has given a glowing tribute to EVM’s when it stated that,“[t]his invention is undoubtedly a great achievement in the electronic and computer technology and a national pride.” The latest in these line of cases is the writ petition filed by Shri. V.V. Rao in the Supreme Court of India being Writ Petition (C) No. 292/2009. The petition was disposed off by the Supreme Court with the observation that the petitioner would be at liberty to pursue the matter with the Election Commission of India. Thereafter a chain of correspondences were exchanged between the petitioner and the ECI. The petitioner continued to claim that the EVM’s were susceptible to fraud and manipulation and the ECI continued to deny them on various grounds which included, (a) secrecy as a security procedures; (b) patent rights of ECIL and BEL as well as, (c) previous examinations of the EVM’s by two separate expert committees. ECI’s reply dated 29th March, 2010 sets this out fully. The latest in this line of correspondence is the letter dated 16th July 2010 from the Petitioner (V.V. Rao) to the ECI. What is curious is that throughout this correspondence the ECI seems to be agreeable only till the point of granting a hearing and soliciting views,  it voices its strong and unequivocal resistance towards the petitioners demand for examination of the EVM unit on grounds that this would constitute reverse engineering.

It is evident that there is a cloud over the integrity and security of EVM’s. What is compounding this problem of trust is the posture of the ECI when it seeks to make statements to the effect that the machines are “perfect” and “infallible” and at the same time refuses to provide them for the purposes of independent verification. We as a nation are proud of the fact that we are the worlds most populous democracy and do not miss an occasion to remind our friends abroad of this neat number. However, before we proceed to boast we must examine and inspect our electoral processes. This becomes more pertinent given the recent ruling of the German Courts that EVM’s are unconstitutional. We also, finally have a scientific study on the security of EVM’s which casts suspicion on their security.This suspicion should be avoided by heightened examination and independent verification, for we are concerned with Ceasar and not merely Ceasar’s wife.

In part 2 I will discuss the law on election petitions which makes it imperative for the examination of EVM’s as well as the legal excuses used by the ECI to hold back EVM examination.

Image via Wikipedia

The Indian Journal of Law and Technology (IJLT), arguably the one of the best journals on law and technology published in India in its latest issue has published my article on Balancing Online Privacy in India.  Leaving aside my visible bias for the journal, the article examines how courts have responded in cases of state intrusion. To make sense of the law of privacy in India I utilize Daniel Solove’s taxonomy of privacy. One of the points argued, is that courts have molded a procedure for privacy interference rather than a substantive right to privacy itself.  These procedures contain safeguards which seek to protect privacy. However, as it is demonstrated there is a lack of incentive for obeying these procedural safeguards.  In the end I make a case that for all the noise around privacy, a state instrumentality for a privacy breach, rarely faces the music. The complete article may be found on the following link.

1)      One of the crucial aspects that the bill tries to address is related to the protection of an individual’s privacy. Section 9 of the proposed bill specifies that the Authority would not require any individual to disclose information pertaining to his race, religion, caste, tribe, ethnicity, language, income or health. Which indeed reduces the apprehension of individual profiling raised by the members of the Civil Society groups.

2)      The bill establishes Central Identity Depository Receipt centralized databases in one or more location containing all Aadhar Numbers issued to Aadhar number holders along with the corresponding demographic information and biometric information of such individual. But it also specifies other information of an individual apart from biometric and demographic can also be stored at CIDR. Now about the nature of other information related the bill relatively lacks clarity.

3)      The bill prescribes stringent penalties in Chapter VII like impersonation using Aadhaar data can lead to a three-year jail term and a fine of Rs10,000. Also any unauthorized person collecting data can invite three-year jail term and a fine of Rs10,000.  Unauthorized collection or dissemination of identity information will also receive a three-year jail term and a fine of Rs10,000, in case a company commits these offences the fine will raise uptoRs1 lakh..

In case of unauthorized access to the Central Identity Depository Receipt penalty prescribed is three years of imprisonment and at least Rs 1 crore as fine.

4)      The bill establishes National Identification Authority as a statutory body having the power to draft regulations with the approval from Parliament. The Authority will comprise of a Chairperson and two part-time members to be appointed by the Central Government. It would also have a CEO (not below the rank of the Additional Secretary to the Government), who will be the member secretary of the authority. Section 28 of the bill also specifies about the three members Identity Review Committee, which will ascertain the extent and pattern of usage of Aadhar numbers across the country and prepare a report annually to be submitted to the Central Government.

5)      The bill also proposes that special measures should be adopted by the authority to issue Aadhar number to women, children, senior citizens, person with disability, migrant unskilled and unorganized workers, nomadic tribes or to such other persons who donot have permanent dwelling house.