Nitin Desai: Internet security

Internet security cannot come from closing doors but from vigilance and co-operation.

About ten days ago a controversy erupted about a "We Hate India" site in the social-networking portal Orkut. The matter has reached the Bombay High Court, which has issued a notice to Google, which hosts the site. Should we be exercised about this sort of use of the Net?

If the site containing the offending material is hosted in another country, then there is little that we can do if what it says is not an offence in that country. However, there are some who argue that we should be looking at ways of policing the Net and preventing people in India from accessing such material by asking local Internet Service Providers to block such sites. This is not easy to do when the Internet service industry is broken up into nearly 200 ISPs, who can establish their own gateways to the global Internet.

Even if it could be done it would be an over-reaction in this case. The hate India group has less than a hundred members and Orkut includes many more hate groups, including one against waking up early, as also groups fond of Indian politicians (yes!), film stars and sports persons. As long as the material disseminated is not seditious, not libellous or not pornographic there really is no cause for action. As a country we must show a mature capacity to shrug off rudeness.

The Net is policed in some countries. But in a democracy with constitutionally guaranteed freedom of expression, "policing the Net" is a bad idea. The Net is not some den of vice that needs this. The bulk of the 60 million users in India and the billion or so internationally are decent citizens who are using the Net for legitimate purposes. The real challenge is to focus on cyber crimes, the activities on the Net that cause real harm to us by clogging up our e-mail with spam, spreading viruses that corrupt our computer systems, or stealing confidential information illegally and perpetrating frauds.

For most of us, the greatest menace comes from spam. It is estimated that over half of e-mail traffic consists of unsolicited e-mails. It can be traced""via aliases and addresses, redirects, and hosting locations of sites and domains""to some 200 spam operations (with 500-600 active spammers) who account for 80 per cent of spam mail. The global rogues list of major spammers includes only 176 names as of mid-October 2006, three of whom are in India. Spam uses up bandwidth and server capacity and costs time and money to remove. Spam is not like junk mail in normal post as the bulk of the cost of spam is borne by the receiver, not the sender. Globally, the cost of spam management, according to one estimate, is $20 billion.

Spam can and has been used by criminals and/or terrorists to take control of another person's computer by planting codes and programmes. The criminal activity conducted through this zombie computer is then attributed to the innocent victim of the act.

Unlike many other countries, India does not have a proper anti-spam law. Because of this, shady operators in India provide host facilities to major global spammers, besides being in the business themselves. We should be worrying about this flood of spam far more than some pathetic hate group.

Identity theft and fraud are linked to the ease with which spam can be sent. All of us who have received "phishing" messages, notices of winnings for lotteries we never entered for and Nigerians and others offering us huge rewards for helping them to get money out of the country know this. These activities are illegal per se and the real challenge is to catch the perpetrators who often reside in other jurisdictions. This is where the police administration nationally has to be trained to understand the modus operandi of these fraudsters and to co-operate with other countries to stop and catch the criminals.

Hacking attacks on vital computer installations, and a concerted denial of service by flooding a site or a mail box with messages are a more generalised threat to the Net. One can imagine worse""a concerted attack by an adversary to deliberately take down a country's Internet capacity.

Internet security depends on three things. First the adequacy of security arrangements at the level of each network in the system. There are a set of standards here, the best-known being ISO 17799, soon to be supplemented by a new one, ISO 27001. How many Indian companies, networks and government departments have tested their systems of security against these standards?

The next level of security is at the national level. The IT Act in India provides for a Controller. Under the Act, the Controller can "direct any agency of the Government to intercept any information transmitted through any computer resource". But this is like an authority to intercept mail and of little value when criminals can hide their tracks. Security requires vigilance and co-operation between law enforcement, the service providers and the community of users.

Internet security also requires global co-operation because of the borderless nature of the transactions. This is happening in a quiet way but more needs to be done. Security is one of the themes of the UN's Internet Governance Forum, which is meeting for the first time at the end of October in Athens.

The Internet is a very open space. Security cannot come from closing doors because there are many ways of bypassing the locked gates. It can only come from vigilance and co-operation between the participants in the network. The challenge of Internet governance at the national and international levels is to provide this without losing the great advantages that flow from the open character of the Internet.