One of the key questions Presented by the Supreme Court in yesterday’s hearings on the Aadhaar case was on the Possession of the source code behind the CIDR.
Lacking ownership over this crucial infrastructure may have serious consequences. One such effect is that this affects the capacity of the government to declare it like a ‘protected system’, a crucial factor for ensuring the protection of the CIDR. There is, however, a lack of clarity on the dilemma of ownership of the CIDR code, since data on the CIDR isn’t in the public domain for national security reasons.
Just government owned software can be a ‘protected system’
The question raised by the Supreme Court about the ownership of this source code behind the CIDR draws focus to how this critical resource is fundamentally software, subject to the very same laws that are applicable to non-critical software. ‘s copyright is known…”. Given in 2006, this judgment ruled that unless the copyright over a computer software is possessed by the Government, it can’t announce it to be a ‘protected system’ under the Information Technology Act, 2000.
The importance of being a ‘protected system’
The declaration of a computer source – that may refer to a computer, a database, information, software, etc. — as a protected system, grants it a higher level of protection under Sections 66F, 70 and 70A of the IT Act. Being a support to some Critical Information Infrastructure or CII of the country, an assault on a protected platform amounts to an act of cyberterrorism, which can be punishable with life imprisonment. Mere unauthorized access to it also attracts a higher punishment of 10 decades of imprisonment, instead of 3 years for accessing a non-critical resource. Moreover, this may also be protected by institutions such as the NCIIPC, created specifically for the security of CII.
The announcement of the CIDR as a ‘protected system’ comprises the CIDR’s ‘facilities, Information Assets, Logistics Infrastructure and Dependencies’ as a protected platform. It is not clear if this includes the source code as an ‘information advantage’, a ‘dependence’ or ‘centre’. It must be noted here that other resources that have been declared to be a secure system, like the information resources in the shape on people’s data stored in the CIDR, will continue to be protected.
What shortage of ownership over the code suggests
Lack of control over the software behind the CIDR, however, means that the code use belongs to someone else, which person has the freedom to reuse the code, let it anyone else or perhaps sell it. It follows that keeping the confidentiality of the code supporting the CIDR, an essential factor for better protection, is influenced.
For instance, looking at software today, its development frequently involves the use of multiple components, which might be proprietary, open source or free, together with new code that is written by the programmer. In the realm of applications, use of a tried and tested software element is normal, and in fact, fantastic practice. This lowers the chance of unforeseen results in the kind of a flaw or vulnerability in the code, which is much more likely when code has been manufactured from scratch. Therefore, developing a great, secure piece of software can frequently involve a trade-off between having a tested, protected element and retaining ownership of this program.
This use of multiple and diverse parts, thus, can result in significant issues with establishing ownership on the copyright above a bit of software. By way of instance, open source software elements occasionally require the derived product to be relicensed under the same open source license requirements. A developer may use a part composed of pre-written code on which he owns the copyright. These elements, whether open source or proprietary, which form a part of the software, can be reused for other purposes.
The government does not automatically own applications developed for this
Thus, when considering a critical part of software like the source code supporting the CIDR, it is unknown just how much of it is not under the control of the UIDAI, and maybe available for reuse. The terms under which the program was developed plays an important part. A ‘government work’ under the Copyright Act, refers to a work that is made under the management or management of the Indian government. The copyright in such a work vests with the authorities under Section 17(d), but that can be subject to an arrangement to the contrary.
A software developed for the government, or even a software being used by the authorities, thus doesn’t automatically belong to the authorities. Thus, when the petitioners assert that the ownership of the code supporting the CIDR does not vest with the authorities, this is very much possible.
The authorities must retain control over its crucial applications
One key consideration is that the BN Firos instance was decided back in 2006, also with regards to some far less critical software compared to CIDR. The applications in issue there was an e-government program, made for the payment of bills, taxes, etc. to the government and governmental authorities. It might need to be seen if another stance will ensue in the Courts using a crucial software like that behind the CIDR.
Regardless of this, the major issue is that the principle requiring that the government to own the software before it acknowledges it as a secure system is vital for the government to retain control over the resource. Taking a look at the ubiquitous use of technologies now, computer resources are now increasingly essential to a country’s security. It is very important that the authorities retain control over the code it uses within such critical systems to make sure their security and avoid these troubles.