The unabated proliferation of Information Technology has had a significant impact on the manner in which organizations conduct their business, effectively rendering geographical boundaries redundant. This impact has been particularly notable in developing countries such as India, which has witnessed a meteoric rise in the use of Information Technology and Information Technology services over the past few years. While immensely contributing to the nation’s economy, this growth has unfortunately also served as an invaluable tool for terrorism and other anti-national activities. Consequently, citing the best interests of the security and safety of its citizens, the government of India has amended its Information Technology Act (2000), which has recently passed into law.
Provisions within these amendments allow for unrestricted e-surveillance and lawful interception of data, regardless of encryption, and facilitate the blocking of content deemed disrespectful or objectionable towards national sentiments, at the discretion of government personnel appointed for the purpose. The amendments also make it mandatory for organizations in India to maintain reasonable security practices for protection of third-party data from unauthorized access; non-adherence would attract severe monetary penalties. While freeing organizations from any responsibility regarding third-party data on their websites, the amendments list data retention requirements for such third-party data.
The necessity of e-surveillance to ensure information security and keep unlawful activities conducted via the virtual world in check cannot be argued. However, excessive reliance on e-surveillance and lawful interception to check the misuse of Information Technology is akin to addressing just the symptoms, rather than the disease itself. Instead, robust forensic analysis and information security capabilities would serve the purpose better. The recent controversy in India regarding the decryption of data of Research In Motion’s (RIM) BlackBerry service serves as a perfect illustration. A second example involves a directive issued to ISPs in India, which requires all subscribers who have deployed wireless networks within their premises to register their wireless equipment with the ISP. While the security concerns in both of these cases may be justified, the same cannot perhaps be conclusively said about the demands put forth to alleviate these concerns. Additionally, a clear definition for reasonable security practices to ensure the security of third-party data must exist, taking into account the criticality of the third-party data. The mechanisms and practices to ensure security in the case of financial institutions would completely differ from the mechanisms and practices in the case of institutions dealing with less critical third-party data.
The practice of utilizing e-surveillance as the sole means of ensuring information security is debatable. For instance, social networks, blogs, and forums are built and thrive exclusively on third-party data. Retention of data for lawful interception and surveillance in such cases could be both infeasible and impractical, considering the volume of data involved. Further, there appears to be a lack of understanding of the exact conditions under which content counts as disrespectful, objectionable, or against national sovereignty, which has led to situations like the unintended blocking of the entire blogspot.com domain in 2006. Sections of Indian media also appear to question the qualification of authorities responsible for the blocking of objectionable content and the implications of these amendments on end-user privacy. It must be noted that even when content that is deemed objectionable is blocked, information to bypass such blocking is readily available on the Internet, which may render the amendment pointless.
E-surveillance is an integral part of ensuring the safety and security of any nation. However, its true benefits can only be realized when used in conjunction with strong forensic capabilities, a solid security architecture, qualified information security personnel, and well-defined laws to prevent the misuse of Information Technology. With ubiquitous Internet connectivity on its way to becoming a reality in the near future, comprehensive, practical, and well-balanced Information Security Acts assume paramount importance in ensuring the safety and security of any nation.
The amendments to India’s Information Technology Act may bring about a greater overall awareness towards information security in the country. The enforcement of directives to ensure reasonable security practices may result in local Indian businesses allocating increased budgets towards complying with these directives, thereby ensuring adequate security. Global organizations with a presence in India may have to re-evaluate their business strategies, placing greater onus on data security, rather than business expansion. The amendments, on the whole, do not appear to have any significant impact on global organizations doing business in India, apart from allowing the government greater regulatory control over such businesses. While these amendments may be drastic or impractical in some cases, the updated Information Technology Act appears to focus on changing the largely reactive approach towards information security into a proactive approach. Some amendments, however, would need to be further clarified so that global organizations conducting business in India can implement adequate and satisfactory security measures for the same.