Flexible Storage Business and other implications of the E-Crimes Bill 2007

Professionals and professional bloggers are doing their most to scare the “working wits” out of you in order to raise awareness regarding the proposed ECrimes Bill 2007.

To give you a brief rundown, it is a poorly constructed bill which is being sent for approval in the National Assembly, the misinterpretation of which under law could have serious implications on the lives of everyday citizens.

Starting from an awareness session at T2F Karachi, an email by Sabeen Mahmud, the activism has now resulted in a series of short videos on the subject, Rs.30 dvds covering the topic (available only in Karachi it seems), and also appearances of P@SHA members and Barrister Zahid Jamil on Dawn News, PTV and also coverage on Newsline, Spider and The Friday Times… not to mention the bloggers that are scared out of their wits.

OK… we get it, we’re all scared. I thought I’d take a minute to think (perhaps a bit more rationally) about how this bill could change part of the way this industry does business — there’s actually new opportunities for business in this, as well as the introduction of “new” ground realities.

1- Flexible Storage to support Outsourcing is about to become a huge business opportunity for this region.

Let’s be realistic — outsourcing as we know it wont shut down overnight, but a lot of small IT business will finally start to take client-data storage seriously.

Think of this idea as the “Amazon S3 Service for Outsourcers” — while the larger IT companies will just move their storage tiers to their international offices, smaller companies participating in international projects will now need to offload or outsource their actual data storage out of the country. Here’s a great business opportunity for someone who can execute on this quickly:

i- Rent out server-farm space in Dubai or some other country with an accessible legal infrastructure.

ii- Offer a piece of software that essentially provides a virtual hard-disk on your PC, but which is actually connected to an synced over the cloud to that warehouse in dubai.

iii- Offer this premium service at nominal cost. I think something reasonable even for the smallest IT fish here is $100 / 20GB / month.

That’s a very small price to pay for the ability to tell your clients that their data is secure, and in “neutral” ground where both you or them can have some legal protection of that data, especially if this company has an office in Pakistan as well (so you have the option to pursue legal actions against them in case they cannot store your data securely.)

(Side note: Ofcourse, you’d have to hope that software doesn’t have any bugs of that lands that company in jail under this law).

Candidate companies that could easily offer this:

- Clearcube via FiverRivers Technologies — they already have a best-in-class thin-client solution where your entire PC essentially resides in a server farm, and each workstation is just a monitor, a mouse and a keyboard… everything you use is coming down from the cloud.

- NCR Teradata — Although NCR has only been focused on the biggest-of-the-big enterprises as customers (namely, storing data for banks, telecos etc) they may want to consider building a hosted infrastructure to tap into this (soon to be real) opportunity.

- Some storage startup looking to compete with Amazon S3 — rather than compete directly, supporting the outsourcing niche will quickly help them build a bread-and-butter business.

2- IT and Telecom professional salaries are likely to take a 15-25% dive.

Now before all of you start chanting the “companies should take care of their employees” rants, listen up carefully.

If this law passes, business and professional work wont be a simple game anymore — there will be very serious consequences of a person’s actions both to the employee AND the employer. From all the talk I’ve seen of the bill, 7 years in prison and Rs.1Million in fines seems to be a standard penalty no matter how serious your crime.

So how are companies going to protect and continue to run their businesses? They will get very serious very quickly about implementing a sound legal infrastructure that governs employment.

No more offer letters made on a napkin or a simple employment letter with a company stamp — expect to sign extensive Non-disclosure, non-compete agreements with your employer. Expect to sign an IT&Communications Accepatable Usage policy with your employers. Expect to see a “No expectation of Privacy” clause on such policies.

Expect system administrators to becoming big brothers — installing traffic monitors, very strong email and data filters, expect them to be in your face and demanding about how and when and why your use the machine in your office. Expect them to check it daily with all means at their disposal.

Expect companies to seriously consider hiring “security experts” whose job will be to read every email, monitor every chat conversation, research on any part-time work you do at night, and expect the company to hire stronger beefier lawyers. Expect them to take you — their employee — to court or fire you whenever they see a potential violation of policy.

It’s nothing personal — its just that you’re not worth the 1Million and 7 years in prison they could suffer because of you.

Overall, its not a game anymore, and people and companies together will begin growing up to the process (although this draconian law would require them to age too much I think).

So how would companies pay for all of the extra logistics overheads caused by the bill? I dont think Pakistani IT companies in the outsourcing industry can compete effectively internationally if they raise their prices further (to cover the increase in logistics costs).

I think you’re likely to see (1) more companies looking to set up business centers in smaller cheaper cities and (2) the overall salaries given to IT Professionals to go down by 15-25% in order to make up for the addition in logistics costs.

What impact this (soon to be) “new” ground reality could have on the industry as a whole (where will the talent go if IT and telecom salaries come down as a whole?) is a question left for the comments.

3- Companies will (finally?) begin to take data storage seriously.

This isn’t meant to be support of the ugly, evil, bad bill.

However, I have seen a number of companies who are storing confidential client data (that was received under a strict NDA) openly in a shared CVS system that everyone in the company has access to.

So anyone can practically walk into the lobby with a laptop, connect over the unsecured wireless network to the local CVS system (which will be conveniently called “CVS-System”) and either be able to log in anonymously or otherwise use a standard password (e.g. “CompanyName123″) to log in, get the data and leave.

This is already happening, and is perhaps a secret kept well-away from international clients.

However, the Bill could prove to be a serious wakeup call for companies to think carefully about where bits are stored — if they dont store client-date with a trusted third-party as in (1), those that can afford it will certainly get security companies wiht the country to take a thorough look at their systems and process. Good news for security companies like Net Access I suppose? Maybe Faisal can add his thoughts here.

OR better yet — a great way for companies like Net Access to build good will and brand equity would be to hold free seminars on IT insfrastructure security around the country, over the web (webinars) or as youtube clips. Its time to step up and help this industry grow up.

4- We’re about to open Pandora’s box on the protection of rights in new media and the knowledge-industry

Bloggers should start practicing their typing speed because this law is just the beginning of the complex world of law that governs information-workers and new-media participants.

E.g., I’m embedding a picture with this post that is actually linked to and being downloaded from Teeth Maestro’s blog, which is in turn probably hosted outside the country. From a technical point of view, this post, and my host and my system never even see a bit of that image — that image only exists on Teeth’s server, and then on your machine as the browser downloads it.

What happens if, not known to me, Teeth had actually used a copyright protected image of a dog to make it — who gets impacted in the aftermath of it? Would I also be caught in the act, even though my hardware or software didn’t really see that image, and even though I’d have no way of double-checking the source of images that someone else made available publicly? Would you be caught in it because your browser happened to automagically download that image when you opened the page?

If I have to then ask everyone who ever put up a public image, or a public piece of text (such as this blog post) for permission before linking to it, new media essentially dies and we build up silos for no reason and for nobody’s benefit. So how does a copyright protection model look like that supports new-media?

I’ll give you a bigger example to chew on — recently the Federal Election Commission in the USA ruled that blogs would be considered a type of “media” for the purpose of federal political campaign finance regulation under an exemption filed in 1974 (before computers in general). So in our turf, what if after this law PEMRA decides to declare all blogs as media that must be regulated? How would even the structure of such a regulation look like? Would we have to get a license from PEMRA to operate a blog on wordpress? Really?!

The world at large is talking about this actively, and it seems we are about to be thrown head-first in the deep end of the pool as well.

Conclusions and After-thoughts

I’ll leave this to four intentionally so that other bloggers can hopefully pick up on this thread and add more actual implications and their expert points-of-view.

Infact, what I’d really be interested in seeing is people discussing actual specific scenarios which are common in their industry that could pit companies or people in an unfair dangerous sitaution because of this bill if it were passed.

No more of this “They’ll come in, take my stuff, and can do anything” — lets have BPO people talk about what specific risks would be created in their industries because of their unique hiring and people management strategies, have software professionals talk about added risks that results from the SDLCs they follow, marketing professionals talk about how lying would land them in jail, etc.

In fact more generally, I think the best form of activism is for us — the professional information-worker industry — to create and propose ammendments or changes that reflect the ground-realities of our businesses (something like “We’d like to see  employers have the option of showing evidence that an employee acting with mal-intent did so as his or her own independent decision in such-and-such way with so-and-so process”), rather than just talk about how bad, evil, yucky, polluting,
filthy that bill is (e.g. “It allows the govt to steal ice-cream away from your children”).

Lets do it like experts too — build use-cases for our industries and start talking about what a better bill SHOULD look like.

(P.S. the bill makes the global carbon emissions and energy crisis look like a puff of smoke — go ask your nearest politician to try and stop it).