5 October 2004--In an ugly case that highlights the difficulties of preventing intellectual property theft in India, a small U.S. software firm has filed a lawsuit against police in Mumbai (formerly Bombay) for failing to investigate a complaint against an employee at its Indian subsidiary. Police fired back calling the firm, Jolly Technologies, in San Carlos, Calif., "bogus" and founder Sandeep Jolly a "cheat." Jolly Technologies is a provider of software for bulk printing of labels, bar codes, and ID cards. (Jolly claims the U.S. military as a big ID card customer.) The firm accuses one of its engineers of stealing the source code and other confidential information for a key product.
"We haven't even gotten the local police to register a complaint," said Sandeep Jolly, the firm's founder and chief executive. "For us, as a small company, doing business in India is pretty risky." His allegations come as more and more overseas firms--among them dozens of Silicon Valley start-ups--are moving research and development and other high-end operations to India. While weak enforcement of protection laws is not yet scaring away investors, the high-tech industry is scrambling to maintain the country's image as a safe place to do business. Reports in non-Indian media about the risks of outsourcing software code and other protected information to India have prompted Indian firms to assert that they use the best safety standards found anywhere.
Jolly Technologies' version of the story goes like this: the company alleges that on 19 July a rogue trainee--a 25-year-old female engineer, Sudha Iyer--compressed the source code for software that prints ID badges and other material and uploaded it from her office computer to her Yahoo! e-mail account. She was caught in the act and fired on the spot. When company officials tried to register a complaint at the Mumbai police's Cyber Crime Investigation Cell, they were allegedly turned away. The Mumbai police told IEEE Spectrum it could not comment on the charge against its officers as the matter is in court.
But the police did have a lot to say last August. A senior police official quoted on Mumbai on the Web [http://web.mid-day.com/] accused the software firm of refusing to co-operate with the investigation, saying that the owner is a cheat. Jolly said he is paying the price for publicly speculating that the police would not act on his complaint unless they were bribed. He approached the National Association of Software and Service Companies (NASSCOM), the leading voice for outsourcing firms in India, but said the group was not at all helpful. Jolly Technologies is not a member.
NASSCOM said it conducted a preliminary investigation along with the Mumbai police and believed the software firm "has not even furnished any basic evidence of any crime." The industry body told the San Jose Mercury News that Jolly did not use standard safety procedures at its research center, so that intellectual property theft was impossible to prove.
A company official disputed this saying that Jolly Technologies had obtained a log of the accused thief's e-mail correspondence through temporary Internet files found on an office computer. This information will be used against the former employee, if charges are eventually filed.
The allegations and counter-allegations highlight long-standing problems. Indian laws do provide protection against IP theft but enforcing them is a huge challenge. Law enforcement agencies lack awareness about cyber crimes, while more often than not, officials are not trained to tackle them. The Web site of the Mumbai police's cyber crime unit, for example, does not mention the theft of intellectual property in the list of crimes it is supposed to address.
In India, individual states are responsible for law enforcement, so each police department has a different setup. While every major city may have a cyber crime cell, not every cell may have the mandate or experience to tackle intellectual property theft. India's legal system is notoriously slow, and courts have not awarded heavy damages against those convicted of stealing protected information.
Earlier this year, U.S. Trade Representative Robert B. Zoellick placed India on a list of 15 countries that "do not provide an adequate level of [intellectual property] protection or enforcement, or market access for persons relying on intellectual property protection." India did not figure in the list of worst offenders. But Zoellick's report noted that the country's Copyright Act "has three overly broad exceptions, which together weaken protection of software." This act is just one of several laws used in the absence of a single statute protecting intellectual property.
Could India's lack of will to go after cyber thieves start to scare away firms that want to save money by outsourcing work to India? Kanwar S. Chadha, a director at Compro Technologies, a software firm in New Delhi, says the fact that companies continue to come to the country "in droves" speaks for itself. "The short-term benefits outweigh the perceived risks."
Because of its rough experience with law enforcement officials, Jolly Technologies has decided to shut down its research and development facility in Mumbai. It will continue to have a presence in India, but only to do "tech support and other low end work," says Jolly. "Doing high end or confidential work is very risky at this point."
In fairness to the industry, the sort of security breach alleged by Jolly Technologies cannot happen at most larger firms, because they do not give workers access to the Internet. Other safety measures companies use include surveillance cameras; computers that cannot record files onto disks; keystroke logging; pat-down searches; and bans on cell phones, pens, and any other recording devices.
As is the practice elsewhere, all Jolly Technologies employees sign a confidentiality agreement. But there is a growing number of cases--especially now that more and more workers in India's dynamic IT industry change jobs every few years--in which employees have broken their pledges. What allows such people to have no fear of punishment? Chander Lall, managing partner at the New Delhi law firm of Lall and Sethi, said that while U.S. courts recognize the seriousness of intellectual property theft, "here the court system is not sensitive to damages at all." In India, the crime has "never been punished heavily. That's the problem."
More than half a dozen software IP thefts have been reported in recent years. Among the more prominent of these is the theft more than two years ago of source code for a three-dimensional computer-aided design product from SolidWorks, a Connecticut firm. After a joint sting operation by the FBI and its Indian counterpart, the CBI, in August 2002, an employee of Mumbai-based Geometric Software Solutions was charged under a civil theft law. The high profile arrest, in which the employee was caught selling secrets to a fake buyer, received widespread publicity. Charges were filed against him, but the case has yet to go to trial.