
Friday, July 01, 2005

Brilliant Article by Urvashi Kaul. Govt. soft on cyber crime

This blogger is very stingy with praise generally. BUT, this is a brilliant article that nails Dr. K.K.Bajaj (Dy Controller of Certifying Authorities and Director CERT-IN), the head cyber crime honcho for India. All ManMohan Singh's empty rhetoric can't disguise that our cyber enforcement sucks BIG TIME !! Sarbajit Roy

Cyber crime: PM wants strict laws
- By Urvashi Kaul

New Delhi, June 30: Whether or not Mr Karan Bahree, who was involved in the UK tabloid sting, has committed a criminal offence is a hard question to answer.

It becomes even harder to initiate prosecution by the specialised cyber enforcement and investigating authorities (like controller and adjudicating officer), when no Cyber Regulations Appellate Tribunal has been constituted to try cyber crime cases, as required under the Indian Information Technology Act 2000.

Prime Minister Manmohan Singh on Wednesday had directed the Union information technology ministry to make changes in cyber laws to make illegal transfer of data a punishable offence. Prime Minister Manmohan Singh’s directive comes in the wake of a recent media sting operation by a British newspaper involving the employee of a private data processing company where allegations of breach of data secrecy have been levelled.

The IT Act, which came into existence in October 2000, required the Central government to establish an appellate tribunal headed by a nominated presiding officer.

While details about the presiding officer’s term in office, salary, removal procedures and other conditions have been duly notified in the Act, the government, so far, has not appointed the presiding officer.

Confirming that no tribunal has been formed, a senior officer in the IT ministry said, "If at all a presiding officer is nominated, he would sit in the Electronics Niketan."

While the adjudicating officer of a particular state takes decisions on whether a particular case relates to cyber crime, he forwards the case to the tribunal only after determining the maintainability of the case under the IT Act. The case is then transferred to the magistrate through the tribunal’s presiding officer. In the absence of the presiding officer and the tribunal, cyber crime cases cannot ordinarily be transferred to the magistrate. Prosecution becomes impossible when the adjudicating officer, too, derives his power from the tribunal.

Highly-placed sources in the BPO industry are aggrieved about the government’s soft approach to cyber crimes.

"Government is not serious about cracking cyber crimes," said a source in the BPO industry.

Under the IT Act, the only criminal offence under which Mr Bahree can be booked by the police is the one mentioned under Section 66 relating to hacking with computer system.

Section 66 of the Act requires the investigating officers to prove that "the wrongful act was done with an intent to cause loss or damage to the public or any person, damage or destroy or alter any information residing in a computer resource or diminish its value or utility or affect it injuriously by any means, commits hacking." Official sources in the industry point out that in the particular case of Mr Bahree, the police cannot issue an arrest warrant in Mr Bahree’s name unless they obtain the CD, which the Sun reporter claims to possess.



BPOs, BS7799 IT Act 2000 Hacking

Cyber crimes: Can the West trust Indian BPOs
KAUSHIK DEKA

INDIATIMES NEWS NETWORK [FRIDAY, JULY 01, 2005 03:32:30 AM]

The latest sting operation by UK's Sun on a BPO executive in India leaves an impression that getting classified information out of a call centre is just a matter of a few bucks and greedy youngsters are always eager to part with it. However, the moot question here is: is that so simple? Can a call centre executive access your confidential information such as credit card numbers or bank account number?

Industry insiders seem to be divided over the issue. Many feel that data security breaches are quite prevalent in call centres, while others think it's next to impossible.

There is no doubt that unless fully convinced of the vendors' capability in data confidentiality, clients do not outsource. Some common information security management standards like ISO 17999 and BS 7799 are strictly adhered to by most BPOs.

"We apply adequate security measures in our call centres and our executives cannot carry any data outside the office premises. They are not allowed to carry cell phones, paper, pen, digital diary or even a wallet to their work-stations. If they are handling sensitive issues like financial matters, insurance, etc they cannot even access the internet. There is no hard drive or floppy disk on their computers. Having said that, you must know a hacker can hack into even Nasa. So, if someone is bent on committing a crime, how can you stop that person?" says Amit Agarwal, senior vice president, vCustomer, a Delhi-based BPO.

On the other hand some young BPO executives feel otherwise. According to them, there are enough opportunities to take a peek at the personal data and information of customers. Many believe that although there are lots of firewalls and technical barriers, it's quite easy to manipulate the system if one has good software skills.

"One must realise that despite the complex and detailed fraud tracking units, if a bunch of employees collude and indulge in wrongful activities, it becomes extremely hard to stop it. Though it's do-able, it's also easily traceable," says Anupam Sharma, a BPO executive.

"The customer's identification number is confidential, but can be accessed if given a try," says Anjali Dubey, a call centre executive from Gurgaon.

On being probed on these issues, Vipul Agarwal, manager operations, Convergys says, "It's very unfair to blame BPOs only for the frauds happening around. The clients also have to take proper security measures. There are chances of security breaches when it comes to web-enabled data. Maximum one can know is the credit card number or the date of birth, which are required for verification. Besides, a fraud will always be caught, sooner or later; no one can get away with it."

Mumbai-based security expert Vijay Mukhi, however, does not subscribe to this view. He feels that though BPO centres in India are mushrooming and they are hiring people at random, they ignore a very serious issue -- the requirement of security experts in BPOs.

"I still have to come across an advertisement by a BPO seeking security experts to monitor the process inside the BPO. Unless they pay heed to security, these frauds will keep happening," says Mukhi.

However, the Indian BPO industry is putting in its best efforts to counter emerging security challenges. In most of the BPOs the contract with the appointment letter itself prohibits the employee from leaking out information to anybody. To be on the safe side many BPOs even install hidden cameras to keep vigil on the activities of their employees. Earlier, sensitive information like credit card numbers of the clients was available to employees; now technology has been upgraded. Everything is now encrypted.

Why do frauds happen?

Is it because of sheer greed? Or do young BPO executives get carried away by the fact that they can sneak into their customers' private domain?

"Greed is one of the primary driving instincts behind most crimes, so it would be unfair to single out the BPO sector here. But the feeling of power over another person's innermost secrets and the power to possibly make big bucks without the 'risk' of getting caught are two unique determinants here," says Sanjay Chugh, founder chairman, International Institute of Mental Health, Delhi.

Is there any way to check these frauds?

"I think prevention is the best measure. Before hiring an executive we do a thorough verification including his residence proof, educational qualification and previous work experience. After that we give proper training and from time to time we sensitise them on the ethics of data security," says Vipul Agarwal.

Experts believe that as BPO executives deal with a lot of sensitive data and they join work at a very early age, it's imperative for the recruiters to do a psychological evaluation before hiring. This kind of evaluation can work as a very effective deterrent to fraudulent activities.

"There are some wonderful psychometric tools that we routinely use to assess a person's temperament and character traits and to assess the likelihood of a particular behaviour coming up in particular circumstances. Psychological intervention/training ought to be made compulsory in all corporate set ups except for the fact that the decision makers in such set ups are completely naive, ignorant or blind to this need," says Chugh.

"Though these tests are very effective, however, they are not entirely foolproof. The BPOs have to apply supporting security measures as well," adds eminent psychologist, Dr. Samir Parikh.

Where does the law stand?

Some experts believe that the Indian IT Act 2000 does not have enough teeth to tackle cyber crimes related to BPOs. "The Indian IT law is primarily an e-commerce enabling legislation and does not specifically deal with the issue of online fraud. It also does not have adequate data protection measures. We need a distinct overhaul of the IT Act since its cyber crime provisions do not deal with emerging BPO-related crimes and frauds," says Pavan Duggal, Delhi-based cyber law expert.

Not everyone would agree with Duggal. Says Na. Vijayashankar, an e-business consultant based in Chennai, "Many persons in the industry and eminent lawyers have not observed that ITA-2000 can be used for data protection through section 66 and section 43. These two clauses make me feel that the law is adequate as it is."

"India has a sound cyber law regime and both paper-based and electronic data can be effectively and legally protected in India. The TRIPS Agreement (Agreement on Trade-Related Aspects of Intellectual Property Rights) and the Copyright Act, 1957 provide sufficient safeguards for preventing violations of databases. The data provided by the clients will get the protection of 'Data Property' if the same involves intellectual creations within the meaning of Article 10(2) of the TRIPS Agreement. If they fail to satisfy the requirement of Article 10(2), still they will be protected as copyright," says Praveen Dalal, advocate, Delhi High Court.

What puts the industry at grave risk is also the practice of the BPO outfits further subletting contracts to small-time players. Many Indian companies transfer a part of the job to smaller outfits to complete the job faster. The subletting of contracts, often without taking the original client into confidence, further exposes the BPO industry to the risk of frauds.

"All Indian BPO companies are network service providers under section 79 of the IT Act. They are made liable for all third party data or information made available by them. As the law requires due diligence to be done in order to escape such liabilities, it is imperative for all the BPOs and also their clients to insist that there is appropriate documented cyber-legal due diligence," says Duggal.

Cyber crime incidents are not India-specific. In 2004, the UK lost about £3 bn to unauthorised access, penetration into computer systems, data theft, virus attacks and financial frauds. FBI chief Chris Swecker reported to the US Senate Judiciary Committee that he "opened 1,081 investigations of identity thefts" and was carrying out over 1,600 "active investigations".

In India these kinds of cyber crimes are still in a nascent stage. With proper implementation of the law, these crimes can be easily curbed.