Some of the key questions Presented by the Supreme Court at yesterday’s hearings about the Aadhaar Event was on the ownership of the source code behind the CIDR.
Surprisingly, the response of the petitioners was that this was proprietary code, and neither the authorities nor the UIDAIpossessed it.
Lacking possession over this crucial infrastructure may have serious impacts. One such effect is that impacts the capacity of the government to declare it like a ‘protected system’, a vital factor for ensuring the protection of the CIDR. There is, though, a lack of clarity on the issue of possession of the CIDR code, because data on the CIDR isn’t in the public domain for national security reasons.
The question raised by the Supreme Court about the possession of the source code supporting the CIDR brings focus to the fact that this crucial resource is essentially applications, subject to the same laws that are applicable to non-critical software. ‘s copyright is recognized…”. Launched in 2006, this ruling ruled that if the copyright on a computer software is possessed by the authorities, it cannot declare it for a ‘protected platform’ under the Information Technology Act, 2000.
The importance of being a ‘protected system’
The statement of a computer resource – that can refer to a computer, a database, information, applications, etc. — as a protected system, grants it a higher level of protection under Sections 66F, 70 and 70A of the IT Act. Being a service to some Critical Information Infrastructure or CII of the country, an attack on a protected system amounts to an act of cyberterrorism, which can be punishable with life imprisonment. Mere unauthorized access to it also brings a higher punishment of 10 decades of imprisonment, as opposed to 3 years for obtaining a non-critical resource. Moreover, this will also be protected by institutions such as the NCIIPC, created especially for the protection of CII.
The announcement of the CIDR as a ‘protected system’ includes the CIDR’s ‘facilities, Information Assets, Logistics Infrastructure and Dependencies’ as a protected system. It isn’t clear if that includes the source code as an ‘information advantage’, a ‘dependence’ or ‘facility’. It has to be mentioned here that other sources which were declared to be a protected system, such as the information resources in the shape on people’s data saved in the CIDR, will continue to be protected.
What lack of ownership over the code implies
Deficiency of control over the program behind the CIDR, but means that the code use belongs to someone else, which person has the liberty to reuse the code, license it to anyone else or even sell it. This means that maintaining the confidentiality of the code supporting the CIDR, an important element for much better security, is affected.
For instance, looking at software today, its own development often involves the use of numerous components, which might be proprietary, open source or free, together with new code that’s written by the programmer. In the world of applications, use of a tried and tested software element is ordinary, and in fact, good practice. This lowers the possibility of unforeseen consequences in the form of a defect or vulnerability in the code, which will be much more likely when code has been manufactured from scratch. Therefore, creating a good, secure piece of software can often involve a trade-off between using a tested, secure component and keeping ownership of the program.
This usage of numerous and diverse components, thus, may lead to significant issues with establishing possession on the copyright over a piece of software. For example, open source software components sometimes need the derived item to be relicensed under the identical open source license requirements. A programmer may use a part consisting of pre-written code where he owns the copyright. These components, whether open source or proprietary, which form a portion of the program, may be reused for different purposes.
A man goes through the procedure of eye scanning for Unique Identification (UID) database system. Reuters
The government doesn’t automatically own software developed for this
Thus, when thinking about a important piece of software like the source code supporting the CIDR, it’s unknown how much of it is not under the control of this UIDAI, and possibly available for reuse. The terms under which the program was designed plays an important part. A ‘government work’ under the Copyright Act, ” describes a work that is created under the direction or management of the Indian authorities. The copyright in such a work vests with the authorities under Section 17(d), but that can be subject to an agreement to the contrary.
A software developed for the government, or even a software in use by the government, thus does not automatically belong to the authorities. Thus, when the petitioners assert that the possession of the code supporting the CIDR does not vest with the government, this is extremely much possible.
The government must retain control over its critical software
One key consideration is that the BN Firos case was picked back in 2006, also with respect to some far less crucial software compared to CIDR. The applications in issue there has been an e-government software, created for the payment of taxes, invoices, etc. into the authorities and governmental authorities. It will have to be seen in case a different stance will ensue from the Courts using a crucial software similar to that behind the CIDR.
Regardless of this, the major issue is that the rule requiring that the authorities to own the applications before it declares it as a secure system is vital for the government to retain control over that resource. So far as the CIDR is concerned, more clarity on the extent of the government’s control over the code behind it may be obtained while the state presents its arguments before the Supreme Court. Taking a look at the ubiquitous use of technologies now, computer resources are now increasingly essential to a country’s security. It’s very important that the government retain control over the code it uses in these critical systems to ensure their safety and avoid these troubles.