How Do you React to a Sec 79 Notice if you are an intermediary?
Naavi's Theory of Regulated Anonymity
Sec 43A Compliance Framework
Arise, Awake and Stop Not until
Indian E Banking is made Safe
Misconceptions About Electronic Signature
April 30: During the recent discussions with several informed
members of the public, there appeared to be widely prevailing
misconception about the provision of Section 3A of ITA 2008 regarding
"Electronic Signatures".
It appears that people have misinterpreted the term
"Electronic Signature" to mean any form of authentication other than
"Digital Signatures". Some are speaking as if "Click Wrap" agreements
will now be recognized. Some Bankers are on the prowl to seize any
opportunity to get the 2-Factor authentication itself recognized as
digital signature as they tried during the G Gopalakrishna Working Group
discussions.
Let's therefore explore this new section
introduced in ITA 2008 a little more in detail...Details
Zero Value Statistics on Cyber Crimes!
April 30: In replying to a query in the
Parliament the Minister has indicated that there were 966 cases booked
in India in 2010 as "Cyber Crimes" some under IPC and some under ITA
2000. These are the records from
NCRB
report which showed an increase of cases registered from 420 to 966
between 2009 and 2010. 153 of these cases were registered in
Karnataka,148 in Kerala and 142 in Maharashtra. These statistics are
however relevant only to study the number of cases registered and donot
reflect the status of Cyber Crimes in India. Huge number of Bank fraud
cases have not been registered and hence the statistics has no real
value for analysing the Cyber Crime status in India. Naavi.org has
therefore been proposing setting up of a "E Banking Emergency Response
Team" to receive information about E Banking frauds directly from the
public, report it on a public website, offer legal assistance to E
banking victims, develop security norms for the Banks who are interested
in making E Banking safer. Eventually this exercise would lead to safer
E Banking in India.
Internet Censorship in India
April 30: Here is an
article on Internet Censorship which may be of interest to people
following the debate on the unconstitutionality of Sec 79 rules.
Naavi.org points out that spineless intermediaries are also to blame for
the lack of application of their minds when a content objection is
received. Recently Mr Ajit Balakrishnan of Rediff.com stated on a TV
program that Rediff.com does not blindly follow the take down notice and
will examine the request properly. This approach is what has been
suggested by Naavi.org.
Basic Security Flaws in Aadhar Enrolment exposed
April 29: After the bizarre revelation about
"Coriander" being issued an Aadhar identity, more frauds have come to
light in the enrolments in Hyderabad. It is stated that over 30000
fraudulent enrolments have occured. One the flaws that has been revealed
is that when an agent tries enrollment and the biometric fails on two
occassions, in the third occassion the system proceeds with the default
biometric.
In otherwords, after two unsuccessful log in
attempts, instead of the system being locked up, it opens up without
biometric authentication. Such a system is never heard of in any
security scenario. This is a clear indication that the Aadhar security
does not meet even the most basic requirements to qualify the system as
acceptable. Add to this frequent loss of laptops with data the system
appears to have been compromised to the core and Mr Nandan may not have
any control over the project being useful. It is time that the
Government scraps the enrolment process forthwith.
We may recall that in one of the very first meetings
with the Aadhar team in Bangalore, the security requirements had been
raised by the group of specialists to whom Mr Nandan had presented the
action plan. We were assured that there is adequate attention given to
the security issues and he does not have any apprehensions. This
confidence has been proven wrong.
Related Article
SC acquits Mr Avnish Bajaj
April 28: The historic Baazee.com case in
which the CEO Mr Avnish Bajaj was facing the charges under Section 67 of
ITA 2008 for liabilities arising out of the posting of obscene video for
sale by one of the members was finally disposed off after 7 years with
the Supreme Court dismissing the charges under both IPC and ITA 2000. It
is to be noted that the acquittal appears to be based on a technical
irregularity in pressing of the charge. According to the
report in indiatimes.com , a three-judge bench of justices Dalveer
Bhandari, S J Mukhopadhyaya and Dipak Mishra quashed the cases
registered against Bajaj under Section 292 (sale etc of obscene
material) IPC and various provisions of the Information Technology Act
on the ground that the company was not made a party to the case and
only the Director of the company was roped in for the said alleged
commission offence.
The prosecution appears to have erred on the fact
that first Section 67 offence should have been charged against the
Company and then with the operation of Section 85 of ITA 2000, it would
have flowed onto the Director. Without making the Company a party to the
offence Section 85 does not become operative. By not including the
Company as "Accused", prosecution appears to have committed a technical
mistake.
Why Russians are considered masters of cyber
crimes
April 26: According to this report from
Forbes, the share of Russians in the global cyber crime earnings of
US$12.5 billion is around US$ 4.5 billion.
Related Article:
Some Stats
DIT's incapability to manage Cyber Laws
April 26: Repeated incidents of misuse of ITA
2008 highlights the inadequacies of the laws or bad framing of the laws.
The responsibility for this has to lie squarely on the DIT.
Unfortunately DIT does not have a good consultative process and relies
on some chosen favourite advisers to draft the laws and regulations. The
proof is that the constitutionality of regulations are being repeatedly
questioned. If DIT can come down from its pedestal and is ready to
listen to wiser counsel from a large section of the society, perhaps the
errors could have been reduced. This article in Indian Express captures
the observations of experts from the field.
A report in IE
I would like to add the following points to the
article.
1. The system of adjudication managed by IT
Secretaries in States under the guidance of DIT is also in doldrums
because of the lack of understanding of law by the IT Secretaries.
2.The system of Cyber Appellate Tribunal has been kept deactivated
by DIT probably lead by vested interests who donot like this forum
to be active.
I would like to add a clarification that CRAC under
Sec 88 was formed and notified on 17th October 2000 but is being
sidelined by DIT. Even the amendments of 2008 are therefore ultravires
the act since it was not vetted by CRAC.
Bank Inspection Reports to come under RTI
April 26: In what could be considered as a
significant and people friendly development, the Central information
Commissioner has held that inspection reports of Banks should be made
available under RTI. So far Banks have been avoiding sharing information
about frauds under the argument that it would undermine the confidence
of the public. RBI has also been avoiding any release of documents
pertaining to Bank frauds in India. The absence of data on Bank frauds
has created hurdles in the possibility of insurance companies coming up
with products for insuring the banks against fraud losses. Phishing
victims are being stone walled by Banks stating that their security is
impregnable and to support this myth are not releasing any fraud related
information to the public. Now this decision of the CIC should enable
RTI applications to be filed on every Bank to find out the extent of
Phishing frauds reported and how the Banks have disposed of each of
them.
Related Report :
In a similar case J& K Information Commissioner has
also held that J& K Bank is a public authority and has to share
information under STI.
Report regarding J&K IC
Do We need anti virus for TVs?
April 23: It appears that
vulnerabilities have been found in Samsung and Sony TVs which can be
exploited to cause disruptions and shutting off the TV. Hope the
manufacturers take note.
Related Article
Has the time come to work on amendments to ITA
2008?
April 23: Civil activists alarmed by the
misuse of ITA 2008 by politicians to curb any writings on the Internet
perceived to affect the reputation of the ruling government, and by some
business interests to protect their business interests, have started
asking for the withdrawal of the rules notified by DIT on April 11, 2011
particularly under the "Intermediary Rules" under Section 79 of ITA
2008.
Naavi.org strongly recommends that even the
"Reasonable Security Practices" notification under Section 43A which was
notified along side the Intermediary rules need to be scrapped as it
unashamedly promotes one particular security framework involving
enormous outgo of funds out of India. The Section 79 rules are linked to
Section 43A rules and makes it mandatory for all intermediaries to
undergo ISO 27001 audits or be damned. This is an unconstitutional
promotion and a scam bigger than 2G scam.
Further the unconstitutional nature of Section 79
actually flows from the amended Section 79 which gives the executive
powers to curb the constitutional right granted under Article 21 without
judicial intervention. The amendment itself was introduced without due
process of consultation with Cyber Regulations Advisory Committee
constituted under Section 88 of ITA 2000 by DIT.
It is therefore necessary that the entire amendments
of 2008 be considered as unconstitutional and re-worked. I request MPs
Mr P. Rajeeve and Rajeev Chandrashekar to take note of this and move the
motion in the Parliament accordingly.
I was one of the supporters of ITA 2008 amendments
when it was enacted because certain provisions were considered necessary
from the point of view of national Security. However politicians have
interpreted “National Security” mean security of the politicians in
power and hence the provisions are being repeatedly misused. It has
therefore become difficult to trust the commitment of the Government to
democratic principles and there is therefore a need for strong checks
and balances in the Act. This can be achieved by a complete overhaul of
ITA 2000 by a major amendment now.
Activists Demand Scrapping of ITA 2008 rules
April 22: Free speech activists held a
demonstration in Bangalore demanding the withdrawal of ITA 2008 rules as
it is opposed to Free Speech principles. The main contention is that
under the Section 79 rules, an intermediary is forced to remove content
without judicial intervention and based only on the complaint of a
victim.
Naavi has however pointed out that it is only a
"tendency to crawl when asked to bend" of the intermediaries that has
resulted in such a situation and also suggested a "Due Process" to deal
with demand for removal of content. (Ref:
How Do you React to a Sec 79 Notice if you are an intermediary?).
If we have spineless intermediaries, it will only encourage Government
to be more repressive. It is therefore necessary for Intermediaries to
rethink on their content regulation policies. They can be law compliant
without being subservient to political interests if they have the will.
Related Article in DH :
Report in ET
A discussion had also been organized by CIS (Center for Internet
Society) on the same subject in which Naavi also had participated.
Game Theory to Predict when Cyber Criminals Start
Striking
April 22: According to Game Theory analysts,
the reason why malware for Apple systems are on the increase from near
zero in 2003 to around 250 per month at present lies in the possibility
that effectiveness of anti virus systems have improved in recent times.
It is estimated that at present the Windows Essentials is capable of
detecting upto 93% of malware variants while other softwares claim upto
99.7%. It is the theory of some observers that with the decrease in the
probability of successful attacks on Windows PCs, cyber criminals have
shifted attention to Mac which may have only around 11% market share but
the probability of success of planting a malicious code is already
beyond the break even level for Windows PC. As the market share of Apple
increases it is estimated that more and more malicious codes for Apple
would be created.
Related Article :
latest antivirus comparative :
Related Research Paper
War on Internet
April 22: It appears that for the last several
days, DIT is working overtime to get the Abhishek Manu Singhvi's
controvertial videos removed from Internet. This explains why DIT is not
finding time to address issues such as appointment of CAT chair person.
While the GOI has taken control of mainstream
internet media such as You Tube and ensured that the Video is removed,
many persons continue their attempt to reach the video to people through
other means. In fact it appears that this could test the relative
strength of the Government which wants to block some information
from publication and the power of Internet as the voice of the people
who want to defeat the Government intention.
While it may be debated whether the current cause of
these activists is noble or otherwise, the developments are throwing
light on what may happen in future if there is a political battle
between the Government and the common people and the Government becomes
repressive of public expression.
In the meantime, the decision of the Court to grant a
permanent injunction on the publication means that Courts are responsive
to the demand for blocking sex related content, particularly when the
content relates to an influential politician . Had it been a
common man in similar circumstances, it would have been difficult to
convince the Court that there was any reputation to be protected in such
cases. But it would be interesting to observe if the same Courts
also support other assaults on freedom of expression when the content is
related to political dissent. This will also determine if obscene
content, defamatory content , Cartoons, and political dissent are
considered different forms of speech and deserve different treatment in
law regarding the guaranteed constitutional right to "Freedom of
Expression".
Ravi Belegere Fined
April 21: The famous public speaker Mr Ravi
Belegere is reported to have been fined Rs 35 lakhs for an article
published in a tabloid "Hai Bangalore" in 2003 criticizing the "Play
Win" lottery. Play Win not only operates online but also engages
services on the physical space for selling its lottery tickets.
In most states in India including Karnataka, Lottery
is banned. It is prima facie considered as anti social. It is therefore
surprising that a journalistic article in public interest should invoke
the wrath of a Court to the extent of fining such a large amount.
It is also not possible to judge whether the lottery systems run on the
Internet are run on fair terms since their software is not subject to
scrutiny of a source code audit by a reputed organization and can
therefore be unreliable. Though Playwin declares that its systems are
audited by E&Y, unless a copy of the audit report is made public,
we cannot find out the scope of the audit and if it suffices to meet the
expectations of the public. though the lottery is perhaps licensed in
Sikkim, it is not clear how it can operate online and offer its services
to states where lottery is banned.
If any reader has a copy of the judgment and copy of
the said article, I request them to send it to me so that we can analyze
and understand under what circumstances, criticizing a business which is
popularly considered immoral by the society becomes a "Defamation".
Related Article
GPS Coordinates in iPhone photo nets a hacker
April 21: A hacker who posted an objectionable
photograph was traced by FBI and arrested using the GPS coordinates
embedded in the photograph taken in an iPhone. Earlier there are reports
about a print out being used to track the printer. It is said that all
colour laser printers print yellow dots as code in the background which
may be used to match the printer in forensic investigations.
(refer article here)
It is not clear if this is also possible in a black and white print out.
Related Article1
Related Article 2
If you want to check if your colour laser prints such
codes, you can visit
http://dotspotter.ultrasec.de/
US Court rules "No Data theft" if access is
authorized
April 21: A US Court of Appeals has ruled in a
case that an employee with valid access cannot be held liable when he
downloads data. This is an interpretation of the Computer Fraud and
Abuse Act regarding unauthorized downloading of a list of names and
contact information in a recruitment firm. This is an interesting
judgement which has relevance to India also. It is interesting to note
that under Section 43 in ITA 2000, India has separate provisions
under Section 43(a) for unauthorized access and 43(b) for unauthorized
downloading. Such a provision should have held the download as a
contravention even if the access is authorized. But the Judge appears to
have interpreted the legal provisions from the point of view of
"legislative intent" and held that a "Corporate Policy" that contains
unrealistic impositions are not fit to be supported in law. This is like
the "Standard form Contract" with all legal jargons thrown into the
Policy whether they are contextually relevant or not. The ruling can
provide relief to many cases even in India where the employers have
tried to institute false cases against employees only because they had
resigned.
Related Article
Call for Scrapping April 11 Rules
April 21: The rules notified by DIT under
Section 43A and 79 on April 11, 2011 have been a subject matter of
controversy ever since the rules were notified. Naavi.org raised serious
objections to Section 43A rules dubbing it as a scam bigger than the 2G
Scam in view of the promotion of ISO 27001 audit through legislation.
Section 79 rules have been objected to because of the apparent power
given to any perceived victim of defamation to get a web content
blocked. Additionally Section 66A misuse by Mamta Bannerjee and the move
of DIT against Face Book et a on political cartoons, has raised further
questions on the integrity of the Government in applying the provisions
in a fair manner. Sec 69,69A as well as Sec 66F hold further threats for
ordinary citizens if the Government wants to misuse their provisions.
66F can impose "Life Imprisonment" for "Cyber Terrorism" and the section
is so drafted that it can be invoked against political opponents at the
drop of the hat. There is therefore no surprise that there are talks of
the rules being questioned as "Unconstitutional" and demands have been
raised for scrapping of the rules.
Hindu in its article today has advocated a National Consultation on
such anti democratic legislation. We look forward to such a process
being initiated by a credible body of the public.
Status of CAT
April 20: Naavi.org has been reporting on the
status of CAT for quite some time now and Naavi has personally taken up
the cause of the public and the difficulties experienced by Cyber Crime
victims due to the non appointment of the presiding officer of CAT at
all levels. However there seems to be no urgency on the part of the
Government of India to re-activate CAT. After a long time a major
publication like ET seems to have thought it fit to carry a small
article on the subject. Hopefully this will wake up the officials into
some kind of action soon.
Article
Hacking a Hotel System to access customer
information
April 20: Researchers have exposed a case
where a trojan package that can infect hotel management software with an
ability to steal the credit card information of clients was being sold.
This represents a strategy to access the customer
credentials through indirect means without hacking into customer's own
machines which might have been well protected. It is necessary for IN
CERT to take up suitable security audits of hotels in India and other
establishments where similar vulnerabilities may exist. The incident
also highlights how purchse of a software needs to be screened for
security issues by IS teams in organizations.
Report
Security Expert exposes Banking Vulnerabilities in
Iran
April 20: A security expert in IRAN exposed
vulnerabilities in the Banking system by demonstrating how the
credentials of the customers can be compromised by hacking into 3
million accounts in 22 different Banks though the information was not
misused by the expert. The expert had before the disclosure reported the
vulnerabilities to the Banks who ignored the vulnerability. The Central
Bank of Iran maintained even after the exposure, that the threat is not
serious.Hope RBI acts differently if a similar situation develops in
India.
Report
US$ 1 million hacked in Brokerage Firm
April 20: Hackers in USA have been reported to
have hacked into retail accounts of a brokerage firm and initiated false
transactions to siphon off over US $ 1 million. A Russian residing in
New York has been arrested. Though similar frauds might not have been
reported in India, risk of such frauds are also relevant and SEBI should
undertake a customer survey to identify "Suspicious" transactions which
could be indicative of such frauds.
Report
GOI issues "Advisory" to State Governments on
Cyber Crimes against Children
April19: In an unusual move, an advisory
appears to have been issued by Government of India to State Governments
regarding handling of Cyber Crimes against Children. The advisory talks
of undercover operations and action to be taken under Sec 69A etc. The
implications of the advisory are many and needs detailed examination.
The advisory
Privacy Bill Panel to submit its report by June
2012
April 14: The panel formed by the Planning
Commission to study the Privacy Bill and give its recommendations to the
DIT is expected to give its reprot by June 2012. Headed by a retired
Delhi High Court Judge Ajit P Shah the committee has a sub group headed
by Som Mittal of NASSCOM which will submit its recommendations to the
Committee.
Report
Six Firms Remain in the Content blocking
Litigation
April 14: Out of the 22 firms which were
originally named in the suit in Delhi High Court regarding the
responsibility for removal of "Objectionable content" hosted on their
resources, all but 6 firms have been taken out of the purview of the
litigation. The six firms remaining are, Facebook (India and US), Google
Inc, Orkut, Youtube and Blogspot (through Google Inc CEO Larry Page).
Related Article
Why Mobile Devices are inherently unsafe for
Banking
April 14: It is always a matter of pride and
joy to take note that technology in the form of mobiles has
revolutionalized life on earth. However when it comes to secure
transactions on the virtual world, we need to remember that mobiles were
not built for secure communications. Unless special efforts are taken by
the users to impart encryption over and above what the service provider
provides, mobile communication should be considered vulnerable from
security point of view for applications such as Banking.
This article highlights the point
While individuals may overlook these considerations,
the regulators should not. Hope the message is reaching the right
persons.
Politicians discredit ITA 2008
April 13: By misusing the provisions of ITA
2008, and using it mainly to curb political criticism, political parties
appear to be discrediting the law itself. When it comes to genuine
action required under the Act such as activating the CAT, there is no
hurry on the part of the Government. However when it comes to muzzling
the expression of criticism of the politicians, there appears to be a
sudden realization that there is Cyber Law in India. Right thinking
persons need to get together and discuss how this issue can be resolved.
If this trend is not curbed we will be seeing a replay of the Emergency
days.
Joint Data Base to prevent Mobile thefts
April 13: US mobile operators are reported to
have agreed to create a joint data base of mobile phones to pevent
stolen mobile phones from being used. This is an urgent requirement in
India also since this will be a great disincentive for mobile phone
theft. In India, using a stolen mobile phone is an offence under Section
66B of ITA 2008 and carries a 3 year impriosnment. The offence is
considered as cognizable. There are hundreds of such offences being
committed each day in different parts of the country. Hence there is an
urgent need for action to trace and block stolen mobiles across India.
This will also help in anti terrorist/Naxalite activities of the law
enforcement.
The WSJ report
Mr Kothimeer gets and Aadhar Number !!!
April 13: It is reported that an Aadhar card
number 4991 1866 5246 has been issued to Mr Kothimeer S/o Mr Palav
(Biryani), Mamidikaya Vuru (Village Raw Mango), of Jambuladinne in
Anantapur district. For the sake of clarification, "Kothimeer" is
"Coriander" (Kottambari). The photograph is said to be of a "Mobile
Number". The incident indicates how the Aaadhar enumerations are
happennign across the country. In the informed circles, there is little
respect for Aadhar and the Government is spending crores of rupees of
public money for a cause which appears to have no sanctity left. What
credibility does the system has if such instances are being reported.
The DH report
"Cutting Edge Technologies"..and Rs 11
lakhs lost!
April 9: In yet another Phishing Fraud and
involving Axis Bank, a customer in Kerala lost Rs 11.14 lakhs.
The fraud involved the fraudster obtaining a duplicate SIM card and
defeating the two factor authentication. Axis Bank as expects claims
that they have implemented "Cutting Edge Technologies" and hence not
responsible for the fraud. Only Courts need to tell if the claim of
cutting edge technologies is true or is only a fraudulent claim...
Report in IE
How Much Money is lost through Phishing in
India?
March 31: Today is the end of a financial year
for Indian Banks. It is time for them to draw their annual reports and
submit it to both RBI and its shareholders. One essential information
missing from Bank reports it the extent of loss in E Banking frauds. RSA
recently stated that the losses suffered by Indian enterprises in 2011
through Phishing was of the order of Rs 172 crores. In an RTI based
information releassed by RBI by DNA, Mumbai, it was stated that during
2010-11, the losses on E Banking were Rs 467 crores in Citi Bank, Rs 298
crores in SBI, Rs 112 crores in ICICI Bank and Rs 39 crores in HSBC. (See
here) According to another rough estimate by Symantec, phishing
related losses in India
was of the order of Rs 6500 crores.
Naavi.org has been fighting for "Safe E Banking" and
advocating that Banks which cannot provide safety in Internet Banking
should be barred from providing Internet Banking service. In this
connection demand has been already made on RBI to cancel the licenses of
one branch each of ICICI Bank and Punjab National Bank. However RBI has
maintained a royal silence.
Naavi has also brought to public attention the
continued vulnerabilities in E Banking as
demonstrated by Mr K S Yash, a
security consultant in Bangalore. The videos of a live demonstration
before a group of experts have also been submitted to CERT IN and
informed to RBI. Invitations have been sent to both RBI and CERT IN
to take the demonstration directly and initiate action to restore the
confidence of the public in E Banking. ... We are awaiting a positive
response from both of them.
Under this background, one must question the wisdom
of Banks and RBI in hiding the real information of how much money is
being lost by Indian Banks through Phishing and any form of E Banking
frauds, whether they are being reported to RBI as per the RBI's Fraud
reporting guidelines?, Whether the losses are recovered out of insurance
as per the RBI's Internet Bankign guidelines of June 14, 2001? If not
why RBI is silent on the Bank's recovering the money from the hapless
customers?, Why DIT is barring legal remedies in such cases by not
appointing a chair person for Cyber Appellate Tribunal since last June?,
Why DIT and the Government of Karnataka has not been able to address the
anomalous situation created by the IT Secretary of Karnataka deciding
that no cases can be brought before him against any Banks?, Why RBI is
tolerating the rogue behaviour of Banks in ignoring its guidelines both
of June 14 2001 and the more recent Gopala Krishna Committee report? Why
RBI is unable to notify the recommendations of the Damodaran Committee
report?, Why RBI is silent on our request to apply KYC failure fines to
create an E Banking insurance Fund?, Why our Ministers Kapil Sibal, Mr
Sachin Pilot as well as the PM are unable to respond to our complaints?
etc.
Naavi.org vows to start a fresh campaign on
"Protecting E Banking Customers" and invites Consumer activists all over
India to join in this campaign. I invite support and comments at
naavi@vsnl.com.
![[Valid RSS]](../../image/valid-rss.png "Validate my RSS feed"){kind=small}
![[Valid RSS]](http://www.naavi.org/image/valid-rss.png "Validate my RSS feed"){kind=small}
