Featured Post

Trust: Missing in action where it counts

Whom do you trust? That's a big, loaded question. And at least one organisation has been putting out a Trust Barometer for 14 years now...

Thursday, April 01, 2010

Source code theft may blight BPO bubble

India is at present, a favoured haven for outsourcing. Whether it is data or software research, here brilliant minds come with a cheap price tag. This is where every foreign company wants to move its back office or its services end of their business to save on costs.

While everybody is celebrating India’s great outsourcing success, there is a darker side to this sunny, happy ever after picture. What do you do when the product you spent years and money researching on, is stolen and sold with effortless ease on the internet and having stolen your cyber - identity, the criminal roams free on the streets, while the law stands and gapes in amazement.

The Managing Director of Geometric Software Solutions, Manu Parpia said, "The source code is a readable blueprint copy of any software. Anyone who has access to the source code can alter the software dramatically and the dangers of it falling into the wrong hands are great."

A source code looks like a string of letters and numbers jumbled up. Get your hands on the code and you can easily make a lookalike copy of the Adobe Pagemaker software and print identity cards for high security firms. A source code holds the key to a product, that could give any software firm the upper hand in the market and change the security dynamics of a nation. Today, stealing these lines of code is also the latest buzzword in the world of computer crimes.

CNBC-TV18 reports on this darker side of the world of outsourcing. The seamier story of what sometimes occurs in swank looking buildings with their laptops and blinking monitors and as more and more international companies furiously outsource their core functions to India, along with critical products, India is also fast becoming a haven for source code theft.

In August 2002, a former employee of software firm Geometric Software Solutions Ltd, GSSL, was caught red-handed trying to sell a data source code. It was the property of GSSL’s American client Solidworks. The employee had demanded a price of $240,000 for the code. It was the first reported case of data source code theft in India.

During his tenure at GSSL, Ashok Mehta left to go home like his other colleagues. He was frisked by the security guards but no one noticed an innocent CD that he carried on his person. On that CD was the data source code, for a product that GSSL was developing for Solidworks. The product accounted for sales between $60 to $90 million.

Mehta left the company under mysterious circumstances but he was not finished yet. A a year later, in 2002, someone from India contacted a firm in the US, offering to sell the source code for a Solidwork product. With this, Mehta was back in business. The company got suspicious and informed Solidwork and GSSL. They got in touch with the Central Bureau of Investigation, CBI, and the Federal Bureau of Investigation, FBI.

In August of that year, Mehta set up a rendezvous for a buyer at a five star hotel in New Delhi. No sooner was the transaction through, that the CBI moved in and arrested Mehta for attempting to sell the code. The buyer was an FBI agent Nanette Day. He had offered to sell the code for $200,000 to Nanette Day.

However, it was not the price that had GSSL worried. Says Manu Parpia, "I cannot say exactly what it was worth, but the product was getting Solidworks sales of around $90million every year at that time."

While the CBI and the FBI celebrated, Solidworks had more worries on their mind. While a case had been filed, the trial was nowhere in sight. It was a long wait. One that lasted two entire years and in the meantime Mehta was out on bail. All Solidworks could do was pray that there were no more copies available for prospective buyers.

Meanwhile, GSSL is still recovering from an immediate loss in business and probably loss in prospective clientele. Parpia said, "There were many American firms who were in touch with GSSL but after the incident, they vanished. I don’t know if it was the incident that scared them away but they never came back to India for any projects. I think GSSL and India lost a lot of business.

Then two months later, in November, the biggest hit-of-them all occurred. Cisco, admitted that they were looking into a source code theft. A group called the Source Code Club, SCC, claimed they had the code and demanded a price of $240,000 for it.

A Cisco employee on the condition of anonymity said, "My friend used to find means of cheating company security systems. He used to use his bluetooth enabled devices to upload the source code files to the internet, and then sell it to other companies or pretend it was his own work and get better jobs with other companies."

Sources say the Cisco code has allegedly been stolen by former employees based in India. If that is confirmed, then this would go down as the third high profile source code theft in the country to have been reported in the last two years, all within a span of four months.

Sources told CNBC-TV18 that after initial investigations were through, the leads are now pointing towards India. How groups like the SCC get their hands on a data source code is not so easy to trace but there are employees who are on the constant lookout for a buyer.

A huge faction of the foreign media and many American firms are now branding India as every outsourcers nightmare, in terms of security and the enforcement of Intellectual Property Rights, IPR.

Some players feel it is too early to call the thefts in India, a rising trend. What is worrying however is the way the Indian judiciary has responded to such cases and that is what differentiates the US from India.

Parpia added, "The essential difference is in the enforceability. In the US, people are more relaxed because they know the law will take its course. But the judiciary in India works on a precedent and there are none right now. The outcome of the GSSL case will be of great importance to the IT industry in India, in that sense."

Another situation which came to light is of Sandeep Jolly, the owner of Jolly Technologies. He was operating from San Carlos in the US. Then in 2004, he decided to cash in on the hottest outsourcing destination - India. He began research and development for his products in Mumbai, from an apartment in Powai. His products included identity cards for security firms in the United States including the US army.

He hired a group of young enthusiastic software engineers and began operations in March 2004. A few months into the operations, Jolly’s executives say they noticed one of their recruits spending a lot of time on the internet. Taking precautions, he moved her to a different department but according to him, the damage had already been done. His investigations revealed that the employee had been uploading several source codes to an unknown e-mail account. Gathering further evidence, Jolly and his employees restored deleted files. He took these to the cyber crime department, but he says they took no interest.

Sandeep said, "They (the police) were not of too much assistance. They told us that property enforcement rights are not there in India and they cannot do too much about it." He adds that the links in the case are details of the files that were uplinked by the employee to various mail IDs. He approached Yahoo for the details but was asked to get a letter from the local police. Jolly claims this has not been done yet.

While the police refused to comment officially, sources in the cyber-crime wing told us that they did not believe the Jolly case was genuine. The company had not kept records of computers on which their employees were working and as a result it could not be ascertained if there was source code theft or not.

Jolly Technologies has sued the Mumbai Police. But the police have their own version of this case. They say that the employee alleges that Sandeep Jolly sexually harassed her and persistently asked her out to movies and dinner. Apparently it was not anything overt but but there was something happening here, which has led the police to believe that Sandeep was making a preemptive move.

In a recent hearing, the high court has asked the Mumbai Police to file an affidavit of what actions they have taken so far. Jolly fears it may be too late. The FBI officials say that since the matter has already been reported to the local police, it would not be proper for them to investigate. Jolly has pulled out of its operations in Mumbai.

Those directly affected by such thefts, say that many major firms in the US are watching these cases and will act depending on the outcome of the trial.

Vice President of Zinnov Technology, Vamsee Tirukalla said, "Every client meeting I go to, they ask me what has happened in the GSSL case. Every major player in the US wants to know what the outcome of the case will be and here in India the case has only just gone to trial. I guess in the US, when someone is arrested for a source code theft, the organization knows the law will take its course. However in India, people think they can steal a source code and get away with it."

Analysts however say that the benefits of outsourcing are too many, for an international company to pull out of India entirely.

Written for www.moneycontrol.com

4 comments:

Anonymous said...

Hello

Can I link to this post please?

Manali said...

Hi,

Sure you can.

Cheers

Manali

Anonymous said...

This is very inspiring work you have created for us. Some people need to know that these things can ensue to anyone. You have shown me a better view now.
I also strongly recommend to watch Source Code online, it's awesome movie, rating A+

Anonymous said...

India is such a corrupt country and pretty much everyone you deal with is a thug, it is very unrealistic to expect staff to be ethical and loyal, while their entire life they have to lie, deceive, cheat to get by and survive. The story about Jolly Technologies is repeated everyday, if you take an honest path, you will get mud splashed in your face, that is just Indian culture. And you are in big trouble if you report a female of wrongdoing, as the default weapon is to make false claims of harassment, hence even society usually ignores all wrongdoings by females to avoid to get into such a mess.