The recent episode involving an Indian BPO centre should serve as a wake-up call to IT companies to tighten their security environment.
The business process outsourcing (BPO) industry was just recovering from the fallout of the MphaSis call centre fraud in Pune when news came that a worker at Delhi-based Infinity E-search had allegedly sold sensitive customer information to a reporter of the British tabloid Sun. The latter was possibly engaged in a sting operation to prove that outsourcing IT work to India was risky and inexpedient. Who set him up is anybody's guess. In any case, that is irrelevant. If Sun's story is true, it will take a lot of explaining to foreign customers to establish that the two recent incidents, which showed the Indian BPO structure in a somewhat poor light, were just an aberration in an otherwise high-security environment. Viewed together, they will certainly give a lot of ammunition to the anti-outsourcing lobby in many parts of the Western world, especially in the United States and the United Kingdom.
As I write this column, a clear picture of the Delhi incident is yet to emerge. Infinity's Managing Director has vehemently denied the allegation, saying that the employee in question, Karan Bahree, was just a junior content writer who did not have any access to the company's confidential or sensitive information. Further, the company did not deal with any U.K. bank but was engaged merely in web development. Let us hope that Infinity is being truthful. But one press report refers to Karan's admission that he did hand over a compact disc to the Sun reporter. How did the two come into contact? We are yet to know what that CD contained. If it carried customer data, how did Karan come by it? Did he pick it up from a friend, or did he hack into a system belonging to some other company? There are several such issues that should nag people who are passionately interested in the future of our IT industry.
Here is something for those of you who are not quite familiar with the nuances of how a call centre works. Employees of reputed centres are chosen with some care after a background check. Such vetting focusses essentially on whether the person recruited has a criminal or otherwise dubious background. Where a recruit has held a job previously, the task is relatively easy. But when he is a fresher, there is a problem, because the verification is entrusted to a private security agency. My experience is that many such agencies - there are thousands of them - are ill-equipped to do a thorough job. An informal interaction with the local police after an under-the-table payment to them is all that they do, in the absence of a reliable database in the country. All that comes out of this absolutely unreliable interaction is a cursory record check at a police station. Not many agencies bother to do an elaborate field verification, which would unearth all the required information on a prospective employee's past, because such a process is time-consuming and expensive. When massive numbers are involved, there is a trade-off: background checks are hurried and superficial.
Many top IT companies, however, are more sensitive to the task and report very few bad inductions of personnel. They have a fairly sound procedure of getting referee letters, either from the previous employer or from the college where an applicant studied. They also insist on the applicant obtaining a passport from the Government of India and producing it at the time of recruitment. This may not be the best of arrangements, but it is far superior to the hurried process on which most BPOs base their inductions.
Meanwhile, the National Association of Software and Services Companies (NASSCOM), the premier service agency for the IT industry, has shown commendable sensitivity. It has understood the value of a good database of IT employees that will sharpen verification when employees move from one company to another. The credibility of this database will again depend on the response from individual IT companies. If they withhold information or are slow in sharing it, we could again have a problem.
The call centre itself is a highly protected area. Access is restricted to employees who carry an ID that is checked by security guards. In many centres, each employee is frisked to make sure that he does not carry a laptop computer, cell phone, camera-phone or any writing material. Many centres monitor telephone conversations between employees and the customers they interact with, so that no needless conversation is carried on. The employee is expected to concentrate on the information sought by a customer and not engage in any chit-chat.
In the MphaSis case, a group of Pune call centre workers won customer confidence over a period of time, extracted vital information, committed the Personal Identification Numbers (PINs) of a few Citibank clients to memory and later used them from a cyber cafe to transfer customer money illegally to their own personal bank accounts. The victims were Citibank customers in the U.S. My own enquiry has not revealed that any in the gang had a criminal background. Here is a case where even a sound background check process could not have helped. It is described as a case of "social engineering", where technology is irrelevant and security is defeated by greed and deceit, two human failings that are universal and not characteristic of Indian workers alone. This is why it has been possible to explain the MphaSis episode to foreign customers with some degree of conviction. Nevertheless, the image of an industry that has to tighten up protective measures to guard the inestimably valuable data received from clients will linger for quite some time.
The Infinity case is a different kettle of fish. While the organisation has washed its hands of the matter, there is considerable doubt about the bona fides of its employee, Karan Bahree. If he has been dishonest, the point for investigation is: from where did he get the data that he allegedly sold to the Sun reporter? Also, what is the worth of the data that he purveyed to a total stranger? I see here shades of the Tehelka operation. There is every reason for the whole IT industry to gird up its loins and get to the bottom of the episode.
There are many issues here. Is the existing law in India and the U.K. adequate to meet the situation? While the U.K. has a sound data protection and privacy law, we are still only talking about one, much to the chagrin of our foreign customers. In any case, we have to wait and see whether the facts around the Infinity episode make out a criminal case or only a breach of contract. Also, what are the jurisdictional issues? Section 75 of the Information Technology Act, 2000, gives Indian courts extra-territorial jurisdiction as long as the computer system involved is located in India. In the present context, the U.K. police may not be competent to probe the episode.
As I write this column, the Gurgaon police do not seem to have received any complaint. Sun has handed over a dossier to the City of London Police giving details, including the names of banks whose customer information may have been compromised. Assuming the Sun report makes out a crime, there are two aggrieved parties: the company in India from which the data was stolen and the banks and individuals in the U.K. to whom the data pertained. On the face of it, and going by the skimpy facts available, it will be the Gurgaon police that set the law in motion. The City of London Police has reportedly expressed its inability to act in the matter and is possibly in the process of invoking the services of Interpol to pass on the information it has to the Indian authorities. It looks as if the ball will be in the court of the Indian police.
Further progress will depend on whether the material received from the U.K. makes out an offence either under the Indian Penal Code or the IT Act. If it does not, there will be an all-round loss of face. Karan Bahree may have to be thoroughly questioned after a formal case is registered. Without his cooperation, there will be no headway, because his current employer is categorical that the information supposedly sold for a price did not come from the Infinity system. The CD that Karan passed on to the Sun reporter will give more than an idea of where the data in question originated. I suppose the CD does exist and that it has not been tampered with. There are so many conjectures at this stage that it is difficult to look upon Karan as a cyber criminal.
While we await the conclusions of the police investigation, all IT companies, and especially the BPOs run by them or by others, will have to do some soul-searching. They owe it to the whole industry to ensure that they take all possible security precautions, however expensive they may be. Any reluctance to spend on security, and the loopholes that result, would further damage the image of a robust, IT-savvy nation built over decades.
There are three other issues relevant to breaches of IT security. The IT Act is an evolving legislation. It was brought onto the statute book mainly to facilitate e-commerce. It has an incidental chapter on cyber crime that lists some offences (Sections 65 to 78), along with references to penalties and jurisdiction. Tampering with computer source documents, hacking and publishing obscene information are the main delinquencies covered. As each day passes, new forms of crime in cyberspace are being reported. One criticism is that stalking (harassment of another individual) and spamming (unleashing unsolicited mail), which many other countries recognise as offences, are yet to find favour with Indian lawmakers. The IT Ministry is conscious of this and has already initiated a study in the area. The silver lining is that where the IT Act is inadequate, the Indian Penal Code (IPC) fills in admirably well. This is why we find that a majority of cyber offences are still registered under the IPC. I would, therefore, not make a song and dance about the imperfections of the law in the area.
The second area of concern is the quality of cyber investigation. The police in some places, particularly in the four metropolises, have shown commendable anxiety to upgrade their skills. NASSCOM has also chipped in. IT firms in their individual capacity may have to be more munificent, and there are signs of this happening. In spite of all these positive trends, a heavy-handed police approach is evident from time to time. The Baazee.com case, in which a CEO was arrested a few months ago by the Delhi Police, caused a lot of concern, both at home and abroad. Indiscriminate arrests when material evidence is already available to the investigator can hardly be justified.
Finally, instances like Infinity highlight the need to give software employees ethical inputs in a systematic manner. The bulk of employees are those who have just come in from colleges where there is only modest attention to computer security or to the importance of ethics while surfing cyberspace. If IT trainers do not catch them young, there is every chance they will not only be lax in their routine but may succumb to temptations. The others, experienced resources in mid-career, will also benefit from some mentoring. Training those in the software industry in ethics may sound outlandish. In the context of recent happenings all over the world, it seems absolutely necessary. Major IT companies may be doing this already. There is a case for greater visibility of value-based training programmes. If Indian IT majors show the way, the lesser players will emulate them. Together, they will enhance customer confidence in the ability of Indian industry to protect data, an essential condition for the growth of outsourcing.