Wednesday, June 29, 2005

Brijesh Kumar to the Rescue of Indian BPOs

CHINA HAPPY ABOUT INDIA's BPO WOES.
By SarbaJit Roy: Now it's the turn of Chinese news agency Xinhua to gloat over India's BPO woes, whilst India's top IT bureaucrat Mr. Brijesh Kumar issues pathetic little statements saying that "the law will take its course". That is exactly the sort of dynamic sound bite needed to reassure foreigners that all is well in India. BPOs OUT !!! Take off to CHINA -- PLEASE !!


NEW DELHI, June 29 (Xinhuanet) -- The Indian Government said Wednesday that it was looking into the issue of alleged leakage of data from a web marketing company employee to an undercover reporter of a UK daily in a sting operation, and asserted that the guilty would not be spared.

"We are finding out the truth. The case is being looked into by us relating to the allegation of 'classified' data leakage. After inquiry if anybody is found guilty, existing law will take its own course. Nobody would be spared... But we would not do anything prematurely... Let the inquiry be over," Brijesh Kumar, India's Information Technology Secretary, said.

However, he did not specify any time-frame for the on-going investigation.

Karan Bahree, an employee of the India-based web marketing firm, was at the center of a storm involving leakage of credit card information, after he admitted to handing over a CD to the reporter of the British tabloid The Sun, but claimed he did not know that the information contained in the CD was classified.

His company Infinity e-search, which has already sacked him in the wake of the controversy, said that Bahree, in his explanation letter, had said he was offered a job and 5,000 US dollars by the UK daily in return for the presentation information contained in a CD.

The local police are also looking into the case.

Data theft, the Indian legal position (a primer)

A good primer article on the state of Indian Laws concerning BPOs, data theft etc. Some glaring flaws are evident, but this story is a decent starting point for anyone interested in examining laws of India on data privacy and sharing.

A suitable law is not ready as yet

Incorporate issues under contractual, IT and criminal legislations

CHETAN NAGENDRA
Posted online: Tuesday, June 28, 2005 at 0006 hours IST

The issue at hand is the state of readiness of the Indian legal framework in coping with the increasing multitude of data security and privacy threats. Though there is no specific data protection statute in India, the existing legal framework can be utilised for data security and privacy.

In India, the Indian Contract Act, 1872, and the Specific Relief Act, 1963, provide the framework for legal agreements. Agreements may be used to contractually enforce data security. Almost all entities outsourcing to third party outfits in India prefer to do so within a contractual framework, employing a combination of strict confidentiality and non-disclosure agreements. Most outsourcing entities (OEs) enter into service-level agreements (SLAs) to ensure prescribed quality levels by the service provider (SP). SLAs often prescribe monetary damages and proffer at-will agreement termination clauses that try to ensure SPs adhere strictly to data security and privacy norms.

The Contract Act recognises a contract as a civil obligation, non-compliance of which may lead to compensatory, not penal, damages. While courts are loath to enforce large sums of liquidated damages or unlimited penalties, reasonable compensation for loss or damage, as laid down by the parties in the contract, is usually enforceable. Consequential damages, if detailed in the contract, are required to be reasonably computed. Penalties in the form of higher interest rate computations in the event of default are usually disregarded or recomputed by the court at reasonable rates.

OEs may also utilise the Specific Relief Act. This is particularly useful to enforce provisions in outsourcing contracts against SPs. For example, in the event the latter is required to destroy all traces of data imported post-processing and neglects to do so, the OE may sue for specific performance to ensure compliance under the contract.

OEs may also resort to other remedies, in the form of temporary/permanent injunctions restraining SPs, in the face of imminent data security or privacy threats by the latter.

OEs also favour shifting jurisdiction and governing law of the outsourcing contract to more favourable locations than India. For example, some plaintiff-friendly US states do not recognise limitation of liability clauses on the part of SPs. Therefore, the tab for non-compliance of contracts containing such clauses can be heavy on Indian SPs. On the other hand, there is a practical difficulty in enforcing such decrees by foreign courts in India. Enforcement of foreign decrees will require a fresh application before Indian courts, if those were awarded by courts in territories not considered reciprocal for this purpose (such as the US).

Utilising a contractual framework for protecting data and ensuring privacy is an effective choice for OEs interested in outsourcing data that requires high-level legal compliance. Examples are medical histories of patients, processing of financial information requiring utilisation of personally identifiable information, like social security numbers, or areas prone to identity theft, like credit card transaction processing. However, approaching the courts here may mean a long battle, due to the backlog of prior litigation. OEs should, instead, opt for other means of dispute resolution, such as arbitration.

The IT Act has several provisions on data security and privacy. Some of the penal provisions include Section 43 (penalty for damage to computer, computer system, etc), Section 65 (tampering with computer source documents) and Section 66 (hacking with computer system). Most prosecutions under the Act commence under these provisions.

It has been reported that an expert committee, constituted for an in-depth review, favours widening the ambit of computer offences in the wake of rapid technological advancements. Although there is no lack of statutory support for prosecuting crimes within the Act’s ambit, there is a distinct lack of sensitisation of the police. For instance, a CEO of a reputed online auction company was arrested for an arguable offence under Section 67 (publishing of obscene information in electronic form). The enforcing authority’s policy seems to be to act first and review at leisure.

The fundamental rights enshrined in Article 19 (the right to freedom of speech and expression of an individual) of the Constitution come closest to protecting an individual’s privacy and his freedom of expression. The two rights are two sides of the same coin. One person’s right to know and be informed may violate another’s right to be left alone.

Though the Constitution and interpreted case laws enumerate upon the rights of privacy, speech and expression to be enjoyed by citizens, these may be invoked only in disputes between a citizen and the state.

As for criminal law, the possibilities of prosecution of offences emanating from actual breach of data security and privacy under the Indian Penal Code, 1860, are bleak. For instance, forgery, cheating or criminal breach of trust have been interpreted as offences against corporeal property. However, 'data', being incorporeal, may not fall within the interpretation of 'property' under the IPC.

In sum, the current legal system does not provide a strong legal framework for companies willing to outsource work here. A new data security and privacy statute is proposed to be enacted shortly. It will need to incorporate various issues under the contractual, IT and criminal law frameworks. Unless the legal regime is made to suit new types of threats against privacy and confidentiality, and unless such a regime is implemented effectively, India’s position as an important outsourcing destination may be threatened.

The writer is an associate at Amarchand Mangaldas

Foreign foxes raid Indian chicks.

Investigators foxed by lack of evidence in BPO case
SUDIPTO DEY

TIMES NEWS NETWORK [WEDNESDAY, JUNE 29, 2005 01:18:58 AM]

NEW DELHI: Investigating agencies are in a quandary over the probe in the alleged leakage of confidential data by an Indian BPO worker, in the absence of hard evidence. Awaiting a formal nod from Interpol, senior police officers point out that it has to be first established whether there was a theft of data.

“The British financial institutions, who are supposed to have suffered the loss of confidential data, have to establish that the body of data resides with an ITeS company in India,” said a senior official from the Delhi Police crime branch.

“They will either have to hand over the entire body of evidence for us to corroborate, if there has been any theft of data, or give us specific instructions about the help they need on the case,” an official added.

As per procedure, the Interpol generally alerts the CBI, who then takes a call on whether to probe the matter itself or pass it on to some other agency.

In this case, as the Gurgaon police has already begun preliminary investigations into the issue based on media reports, the likelihood of the same agency being asked to undertake the probe is high.

In some cases, Interpol gets in touch with state police directly. Till date, neither Haryana nor Delhi police, nor the CBI, has received any intimation from Interpol to probe the issue. A spokesperson of the London police told ET that the agency has already forwarded a request for probe to Interpol.

The claims and counter-claims by parties involved have further confounded the agencies. Oliver Harvey, the undercover Sun reporter, continues to stand by his story, and refutes claims by accused Karan Bahree that he was a mere conduit in the whole incident.

“I have evidence in the form of video, and e-mail, in which Bahree is clearly seen peddling confidential data,” Harvey told ET from London. Bahree, in a statement issued through his former employer, Gurgaon-based Infinity eServices, has pleaded ignorance about the contents of the CD, while conceding that he did meet the undercover reporter and gave him a CD for $5,000 and promise of a job.

In a queer twist, some of the banks who are supposed to have suffered loss of confidential data are maintaining a stony silence. Some of them have even said that they do not outsource their processes to any Indian agency.

What makes matters more difficult for Indian agencies is that under the IT Act, 2000, theft of data is not treated as a punishable offence, and there are no clear-cut guidelines as to what constitutes data theft. Legal experts claim that the incident will be treated as a case of "hacking" and is punishable with a three-year jail term and a fine of up to Rs 2 lakh. Moreover, each of the affected parties can also claim statutory damages to the tune of up to Rs 1 crore, under Indian laws.

The Indian IT industry is already treating this scam as a “one-off” incident. “We will nevertheless push for more stringent laws for data theft by amending the IT Act,” Nasscom president Kiran Karnik said.

An industry-government committee set up by the IT ministry is already looking at updating the IT Act. Whatever the outcome of the scam, it may well expedite the move to revamp the Act and give it more teeth to deal with such issues, feel most industry players.

How the BPO Sting Data was faked ??

Devangshu Datta: Bahree versus keystroke loggers
WORM'S EYE VIEW
Devangshu Datta / New Delhi June 29, 2005
The episode could happen anywhere. So far, Indian BPOs haven’t suffered hacker attacks so common elsewhere

The Sun sting operation proves nothing security specialists didn’t know. There are forums on the Net where you can buy larger, more comprehensive lists. Crackers barter personal details harvested off computers penetrated with keystroke loggers, remote administration tools and assorted spyware.

If, instead of trolling the Net, somebody walks up to a cyber-savvy man and offers large sums for sensitive data, the youth in question may be tempted to supply it. If he's a lazy chap, he will do a version of the following:

1. Go to online telephone directories and download every 30th name at random, to create primary entries for the “database” he intends to sell.

2. Then, write a program to generate random 13-digit or 15-digit numbers, based on the length of the standard credit card series in the target country.

3. Link the random numbers generated in 2. to the names in 1. Voila! We have a database, which looks and feels real and stands up to preliminary check.

It is an entirely different matter that transactions utilising this “data” would be impossible. The seller might not even be legally liable since he would not be hacking or trading sensitive information. I don’t know if Karan Bahree was smart enough to do this or if he went out and acquired real data. But it is a tempting thought to “sting the stinger”.
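As an added example (not from Datta's column or from the page), the check a forensic examiner would run over such a "database" before believing it: a Luhn checksum screen. It builds a constructed sample the way steps 1 to 3 describe, using random digit strings rather than any real card numbers, and shows that only about one in ten of them pass the check digit that every issued card number carries; the subscriber names and the 50% threshold are assumptions.

```python
import random


def luhn_ok(number: str) -> bool:
    """Return True when the digit string satisfies the Luhn check digit
    that issued payment card numbers carry (ISO/IEC 7812)."""
    if not number.isdigit():
        return False
    total = 0
    # Walk from the rightmost digit and double every second digit,
    # folding two-digit products back to a single digit.
    for pos, ch in enumerate(reversed(number)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fabricate_records(names, seed=2005):
    """Build the kind of 'database' the column describes: each name paired
    with a random 13- or 15-digit string (the lengths the column cites).
    Constructed sample for the screen below, not card data of any kind."""
    rng = random.Random(seed)
    records = []
    for name in names:
        length = rng.choice((13, 15))
        number = "".join(str(rng.randrange(10)) for _ in range(length))
        records.append((name, number))
    return records


def screen(records):
    """Count how many numbers in the file pass the Luhn check. A file of
    genuinely issued numbers passes at close to 100%; uniformly random
    digits pass at about 10%, because the check digit is a mod-10 residue."""
    passed = sum(1 for _, num in records if luhn_ok(num))
    total = len(records)
    return {
        "total": total,
        "luhn_pass": passed,
        "pass_rate": passed / total if total else 0.0,
    }


def verdict(report, threshold=0.5):
    """Examiner's rule of thumb (assumed threshold): a pass rate far below
    the threshold means the numbers did not come from any card issuer."""
    if report["pass_rate"] < threshold:
        return "likely fabricated"
    return "consistent with issued numbers"


if __name__ == "__main__":
    # Constructed names standing in for step 1 (directory sampling).
    names = [f"Subscriber {i}" for i in range(2000)]
    report = screen(fabricate_records(names))
    print(report, "->", verdict(report))
```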

The Sun’s main tack was its anti-outsourcing stance. This is also old hat. It is merely a racist variant of the linguistic discrimination advocated by so many Indian regional parties. To say British jobs must be done in the UK by British citizens is exactly the same in principle as demanding that Maharastrian jobs must be done by Marathi-speakers based in Maharashtra.

It is no more and no less offensive for somebody to be at the receiving end of either opinion. The existence of a right-wing, anti-BPO lobby doesn’t affect the pro-BPO case one whit more than the existence of the Shiv Sena alters the case for Mumbai businesses to employ the best people they find, regardless of ethnicity.

Oddly enough, the Bahree sting and the scam at Mphasis that preceded it, offer several positives for the Indian IT industry. For one thing, no Indian BPO operation has thus far been electronically hacked. Both these incidents depended on social engineering — which is the art of persuading individuals to voluntarily offer sensitive data.

One can easily make the case that Indian software/ ITES / BPO operations are more secure than their rivals because major global credit card and bank databases in the US are electronically hacked on a daily basis.

In terms of comparative security, India is, therefore, a better environment than most of the first-world nations to which it provides outsourcing services. It is unquestionably a better security environment than competing east Europeans and east Asian nations.

However, it is high time that the global personal finance industry re-examined its own value and service-delivery chains in the light of growing incidences of electronic fraud. Credit cards were invented in the 1950s and seamlessly integrated into the electronic environment of the mid-1990s.

The crooks have caught up and in order to stay ahead, the financial industry must change its modes of operation. For one thing, a customer is now at risk if he simply offers his credit card at a restaurant and a waiter with an eidetic memory files away the number for electronic use.

One way forward is the virtual credit card (VCC), which some banks now offer. A VCC generates an ID number valid for one electronic transaction only, with a defined credit limit. This limits damage from a possible hack.

Another way is to leverage MMS-SMS for automated verification of transactions though this method fails in cases of identity theft where contact details and photo IDs have been changed. There are also biometric options such as fingerprint and retina scans.

Perhaps identity-broking could also be a route to greater security. Nothing and nobody will ever totally eliminate hacks via social engineering but better modes of e-commerce could certainly limit the damage.


Police fail to act in BPO Sting

Police could have acted before formal complaint
SUDIPTO DEY

TIMES NEWS NETWORK [SUNDAY, JUNE 26, 2005 11:21:35 PM]

NEW DELHI: Even as London police was caught up over the issue of jurisdiction while probing the case of alleged theft of financial data by an Indian IT worker, their counterparts in India could have, on their own, initiated preliminary investigation on the basis of media reports, without waiting for a formal complaint.

Gurgaon police on Saturday formally began investigating the issue, nearly 48 hours after a British tabloid broke the news about alleged sale of confidential information by accused Karan Bahree, an employee of a Gurgaon-based web development company.

Section 80 of IT Act, ’00, gives power to police officials - of the rank of Deputy Superintendent of Police (DSP) or above - to enter any public place, search and arrest without warrant any person suspected of committing any offence under the IT Act. The term “public place” includes any public conveyance, hotel, shop or any other place intended for use by, or accessible to the public.

Legal experts point out that Indian police need not have waited for any formal complaint but could have initiated an inquiry on their own.

Karan Bahree loses BPO job

Bahree loses job, dad says it’s a conspiracy
Pragya Singh

New Delhi, June 25: Nearly three days after a UK tabloid revealed that Karan Bahree, 24, had exchanged cash for confidential BPO data, his folks insist he is the victim of a conspiracy.

Karan’s father, S K Bahree, answers the doorbell. ‘‘We’re very concerned. I’m worried about my son. Is there news of what is happening outside (in London)?’’ he asks through a crack in the door.

‘‘My son is an unlucky victim of some conspiracy. He is innocent, the poor thing,’’ says Bahree Sr.

Bahree is anxious for details about the ‘‘case’’ against Karan. ‘‘Please courier me all the papers you have on what London is saying,’’ he says. However, he does reveal his residence telephone number.

But the Bahrees, along with the BPO industry, the government, Gurgaon police and Karan’s employers Infinity e-Search, seem to forget that Karan is free. Others in his position were not so lucky.

Remember Bazee.com? As per cyber laws police have the right to ring the same doorbell, seize all computer systems and haul them back to the police station for scrutiny as evidence. It can even arrest Karan, though no complaint has been filed against him.

‘‘The provision is draconian, as we saw in the Bazee case. But it’s 65 hours — the world wants to know what India is doing about this case? Will any action be taken under the IT Act or not, after all, hasn’t Bahree triggered something that will affect the interests of the BPO industry?’’ asks advocate Pawan Duggal.

London police have said they can’t get cracking because the matter is out of their jurisdiction. But it has requested Interpol to seek help from Indian authorities and perhaps make an arrest or two.

CBI sources said they had been alerted about the request through Interpol channels. The agency is gearing up to investigate the case once a formal request is made.

Meanwhile Karan, who is ‘‘away,’’ lost his job today.

‘‘We have terminated his services. Since he was on probation there was no need for a notice period. We have done this in the interests of the company,’’ said Infinity eSearch’s lawyer Deepak Masih.

Section 66 of the IT Act, which covers hacking in its widest definition, can fetch Bahree, if he is found guilty, three years in prison plus a Rs 2 lakh fine. It also makes him liable to civil suits for damages up to Rs 1 crore for every count he is found guilty of.

‘‘Around six sections of the Indian Penal Code also appear to apply to his case,’’ said Duggal.

Urvashi Kaul on Indian BPO websites Blocking

Complaint filed against Sun’s online edition
- By Urvashi Kaul

New Delhi: A complaint has been filed under the Information Technology Act with adjudicating officer Prakash Kumar, in which RBI stands as one of the respondents, asking the government to block the Sun’s online website for attempting to cause damage to India’s economy by "defaming the legitimate Indian BPOs".

The complaint is a part of the ongoing matter pending with the government relating to the hacking of 8 million credit card accounts (including 12 lakh Indian accounts), involving a British Bank in August 2000.

While the CD, which the Sun reporter claims to possess, is crucial for forensic examination, the complainant, in his capacity as a qualified computer engineer, wants it to be examined whether the CD was a re-writeable CD, and also whether it had been "finalised" at the time of burning, information necessary to determine the maintainability of this issue under the IT Act 2000.

The complainant in his complaint, a copy of which lies with this newspaper, alleges that the sensitive data that Mr Oliver Harvey, the Sun reporter, projects as having originated from Delhi, India (as hacked data from the Indian BPOs), may have been sold data provided by the British Banks that freely circulate in India.

Informed sources claim that CDs containing hacked confidential data like credit card particulars, mobile phone billing data and addresses are freely sold all over Delhi in places like Palika Baazar, Nehru Place, and Janakpuri District Centre without fear of the law. The complainant alleges that it is quite possible that the CD was sold containing data freely available in Delhi, which is being used by direct sales agents of banks, telecom companies and credit bureaus of banks.

While there are no immigration records of Mr Oliver's visit to India on a journalistic visa, official sources said that if he intended to do his business of reporting on a tourist visa, which doesn't go with his tourist status, then the reporter's act needs to be dealt with harshly under the Foreigners Act. The complainant also alleges that the visit might have been undertaken with an aim to "defame" India, as there are no laws in India concerning data protection and privacy for foreigners in India. Repeated attempts by the complainant to get a response in the matter from Mr Oliver Harvey, via email, failed.

For all you know Karan Bahree, the eye of the "BPO scandal" storm, cannot be booked under the IT Act, as Indian laws are applicable for data protection and privacy of data for Indian citizens only and that he may not have broken any laws including the Indian Penal Code.

trackback: Asian Age Delhi Karan Bahree

Data Security Indian BPOs Karan Bahree

BPO sting: IT Act petition asks Govt to get cracking
Petition calls for roping in cyber response team, CERT-IN.

Pragya Singh

New Delhi, June 28: KARAN Bahree sold data hacked from Indian call centres to The Sun’s reporters. Or did he? To find out, wait another week.

A petition filed with the Delhi government today requests that law enforcement agencies access the CD and ‘‘dossier’’ prepared by The Sun reporter Oliver Harvey, investigate their contents and block the tabloid’s website in India.

The petition, filed by Sarbajit Roy, has been presented to the Adjudication Officer under the Information Technology Act, 2000, in the Delhi government, to which the government has to respond within a week.

It also calls for roping in cyber enforcement authorities like the Computer Emergency Response Team, India (CERT-IN) to dredge out the truth.

The government, the petition says, must examine if the data allegedly sold by Bahree was made accessible by the British banks themselves.

‘‘It is entirely possible that Respondent No. 5 (Harvey) may have been sold data provided by the British Banks itself, which he is proclaiming abroad to be hacked data from Indian BPOs and thereby defaming legitimate Indian BPOs and our nation and damaging India's economy,'' says the petition. The truth will emerge only if a forensic examination of the CD is conducted.

Roy's petition is the first that can put the IT Act in motion. In the investigations so far, none of the Indian law-enforcement agencies have contacted the London Police, which has already registered a case.

Speaking to The Indian Express over the phone, London Police's spokesperson Orna Joseph said, ‘‘Any Indian authorities wanting to contact us over the case can do so.'' (With inputs from Raghvendra Rao)

trackback: Delhi Newsline Karan Bahree