In the US there is a real estate saying: The value of a home is based on "location, location, location." What is true of real estate is equally true of critical aspects of cyber security and computing services. It is an amazingly intricate task simply to determine whose law will apply in a dispute. Often the physical location of a piece of data or information is critical to determining which sovereign nation controls that data. Likewise the physical location of a criminal or a victim may determine the applicable law. And sometimes the laws will conflict, placing law-abiding citizens and corporations under inconsistent obligations. As a consequence, one significant need is for a coordinated approach to the law of cyber crime and cyber jurisdiction.
The increase of legal uncertainty and jurisdictional problems is, to some degree, inevitable. In these times of economic constraint, users around the globe will seek solutions that promise savings, low overheads and maintenance-free networks associated with remote data storage or access. But one cost is often overlooked―the uncertainty of law and jurisdiction. This uncertainty is inherent in the distributed nature of cloud-based service systems. Almost by definition, cloud-based adaptation takes advantage of the dispersed, globalised nature of the internet.
But the internet has a real world physical presence with its fiber optic transmission lines and server farms. Every data storage facility is located somewhere. And when that "somewhere" is not in the United States, Americans run the increased risk that the data stored overseas will be subject to the sovereign control of the country where it is located. Likewise for Indian companies whose data is stored overseas. If, as some say, geography is destiny, principles of good governance and caution require agreement between countries to better control their own destiny.
But today, there is no international standard that governs the question of data sovereignty. Nor is any multilateral institution likely to sponsor an agreement of this nature in the near future. Rather, disputes about the control of data are resolved on a case-by-case basis, often turning on geography and/or economic factors. Hence the time is ripe for an Indo-US dialogue on the definition of and jurisdiction over cyber crime.
To date, however, the legal frameworks of the US and India tend as much to diverge as they do to converge. While both see cyber intrusions as criminal in nature, their approaches differ and their assertions of jurisdiction will as often compete as they will cooperate.
The foundation of Indian criminal cyber law is the Information Technology Act of 2000 as amended in 2008. That law defines 'computer' broadly as virtually any electronic device with data processing capability, performing computer functions―such as logical, arithmetic and memory functions―with input, storage and output capabilities and therefore any high-end programmable gadgets like even a washing machine or switches and routers used in a network can all be brought under the definition. The 2008 amendments added "communications' devices" to the scope of the law to ensure that iPads or other similar devices on Wi-fi and cellular models are protected. Indian law, in contrast to American law, goes on to criminalise a series of particularised acts: offences such as the sending of offensive messages through communication service, misleading the recipient about the origin of such messages, dishonestly receiving stolen computers or other communication devices, stealing electronic signatures or identities such as using another persons' password or electronic signature, cheating by impersonation through computer resource or a communication device, publicly publishing the information about any person's location without prior permission or consent, cyber terrorism, acts of access to a commuter resource without authorisation, such acts which can lead to any injury to any person or result in damage or destruction of any property, while trying to contaminate a computer through any virus like Trojan, etc.
American law has similar broad coverage. The Computer Fraud and Abuse Act (CFAA) does not speak with such specificity. Instead, it makes it a crime to knowingly access a protected computer without authorisation or exceeding authorised access―a definition that more or less covers each of the areas specified under Indian law.
More interestingly, American law purports to have a wide jurisdiction. It begins by defining a protected device as any computer which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the US that is used in a manner that affects interstate or foreign commerce or communication of the US. In effect, virtually every computer is within the scope of the law because virtually all communications on the network are interstate in nature. Indeed, given the degree to which international traffic transits American servers, this jurisdictional grant covers many computers in India and elsewhere around the globe.
By contrast, under Indian law the scope of territorial jurisdiction is confused and not satisfactorily addressed. Jurisdiction grants are identified as part of the judicial process and in identifying police powers, but without defining clearly the locus of the offence.Since cyber crimes are essentially borderless, this may lead to competing assertions of jurisdiction within India and between India and other nations.
The core of the problem, then, is that cyber crime is geography-agnostic, borderless, territory-free and generally spread over territories of several jurisdictions. At a minimum, Indo-US cooperation should attempt to define mutually agreed upon criteria for addressing issues that are of potentially joint concern. More ambitiously, they should seek to harmonise the approach to cyber crime and other security-related issues and, in the end, create a joint task force structure for mutual assistance.
This article originally appeared in "Indo-US Cooperation on Internet Governance and Cyber Security", a joint research project of the Observer Research Foundation and the Heritage Foundation, published in October 2014.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.
PREV
