Cyber Appellate Tribunal may become active once again

Visitors to this site are aware of the several approaches the undersigned has made regarding the delayed appointment of the Chairperson of the Cyber Appellate Tribunal (CAT).

The CAT, which is the body that has to adjudge appeals against the decisions of Adjudicators in each State and Union Territory of India, has been without a Chairperson since June 2011.

Today, I am in receipt of a communication from the Ministry of Communications and IT that the Chair person has been identified and recommended for confirmation on 29th September 2015, to the CJI.

We hope that soon the CJI’s approval will be received and the Cyber Judicial system becomes active once again.




Is it a WhatsApp Moment or Napster Moment for Indian Financial System?

I refer to the earlier post on “WhatsApp moment in Indian Financial Services”, which discussed the views of Mr Nandan Nilekani on how the financial services market in India is transforming.

One of the changes that new mobile payment systems such as Paytm have brought is that a user gets on to the system merely by downloading the app and identifying himself with his mobile number. In a way, the mobile service provider completes the KYC process which identifies the customer. If the KYC verification system of the Mobile Service Providers (MSP) is deficient, the deficiency will reflect as a security vulnerability in the financial system. There have been many instances where SIM cards have been issued to fraudsters with the use of fake ID instruments, and therefore there is a serious concern if the financial services system becomes dependent on the MSPs for its security.

Mr Nandan Nilekani has indicated two other means of ID verification that are likely to support the Indian Financial system embracing the mobile payment systems. One is e-KYC using Aadhaar and the other is the use of the e-Sign system.

Aadhaar based e-KYC System

The e-KYC system means submitting the Aadhaar number to UIDAI and obtaining a copy of any Aadhaar holder's details. In practice, most service providers do not make a query to the Aadhaar database using the biometrics of the person to be verified. They simply take a photocopy of the Aadhaar certificate and keep it along with the other documents.

This system deserves to be banned. If the Aadhaar based KYC is done on the basis of a real time verification of the biometrics with the Aadhaar database, then the system would be more reliable. However, the Aadhaar based KYC may still be subject to risks such as a man-in-the-middle (MIM) attack, and the confirmation received from the Aadhaar server lacks acceptable authentication.

e-Sign System

The e-Sign system is presently being used in the DigiLocker system but in future could be used by others. This is a system where a user obtains a digital certificate for one time use at a cost much less than that of obtaining the normal digital certificate, valid for one year or more, which is used for other purposes.

DigiLocker is a system introduced by the Government of India where a user can open an account by quoting his Aadhaar number. The account can be used to store documents and share them with other authorized agencies whenever required, with an authentication in the form of e-Sign.

Since opening of the DigiLocker account is based only on the quoting of the Aadhaar number and confirmation through OTP, the system is dependent on the mobile service provider’s KYC process. (DigiLocker provides for biometric based authentication but it is not mandatory).

Errors in the System

In order to verify the e-sign process, I applied e-sign on a document earlier uploaded to the store and then downloaded it. But the signature on the document stated “validity unknown”. When I explored the signature properties, it stated that “The signer’s identity is unknown because it has expired or is not yet validated”. The certificate itself showed validity for 30 minutes and the certificate was issued by e-Mudhra. However the revocation was not checked and showed up as an error. In other words, the e-sign on the document was not in a status to be relied upon.

Since this is an issue with the Digi Locker system, if a similar error is observed by a service provider relying on the e-Signed document submitted to him, he is likely to ignore the error.

We can however justify the errors as teething problems in a system under implementation (or because the system is only on a test bed at present). But there is a deeper problem with the legal validity of the e-Sign system itself, and if the Indian Financial Services system has to rely upon the DigiLocker system as Mr Nandan Nilekani expects, a lot of ground is yet to be covered.

Legal Validity of e-Sign System

The validity of the e-Sign system is supported by the notification dated 28th January 2015  which added a new item into the Schedule 2 of ITA 2008. This notification should be read with guidelines issued by CCA in June 2015 on the e-Sign process.

I have made an attempt here to decipher these two documents and understand the legal implications. It is possible that the intention of the Government might have been different and it might not have been properly worded in these documents. We may therefore be coming to an incorrect evaluation. But it is necessary for us to debate this issue since the e-Sign process is likely to become the backbone of Digital India in due course and it needs to be legally on a sound footing.

We therefore look forward to receiving clarifications from relevant authorities to ensure that public have a correct understanding of the legal position of e-Sign as a valid authentication of digital documents under Section 3A of ITA 2008.

Notification of 28th January 2015:

The notification of 28th January 2015 under ITA 2008 states as follows.


“e-authentication technique using Aadhaar e-KYC service

Authentication of an electronic record by e-authentication Technique which shall be done by-

(a) the applicable use of e-authentication, hash, and asymmetric crypto system techniques, leading to issuance of Digital Signature Certificate by Certifying Authority

(b) a trusted third party service by subscriber’s key pair-generation, storing of key pairs on hardware security module and creation of digital signature provided that the trusted third party shall be offered by the certifying authority. The trusted third party shall send application form and certificate signing request to the Certifying Authority for issuing a Digital Signature Certificate to the subscriber.

(c) Issuance of Digital Signature Certificate by Certifying Authority shall be based on e-authentication, particulars specified in Form C of Schedule IV of the Information Technology (Certifying Authorities) Rules, 2000, digitally signed verified information from Aadhaar e-KYC services and electronic consent of Digital Signature Certificate applicant.

(d) The manner and requirements for e-authentication shall be as issued by the Controller from time to time.

(e) The security procedure for creating the subscriber’s key pair shall be in accordance with the e-authentication guidelines issued by the Controller.

(f) The standards referred to in rule 6 of the Information Technology (Certifying Authorities) Rules, 2000 shall be complied with, in so far as they relate to the certification function of public key of Digital Signature Certificate applicant.

(g) The manner in which information is authenticated by means of digital signature shall comply with the standards specified in rule 6 of the Information Technology (Certifying Authorities) Rules, 2000 in so far as they relate to the creation, storage and transmission of Digital Signature Certificate.”


The key points noted in this notification are:

1) e-authentication, hash and asymmetric crypto systems are three elements to be used.

2) Key pair to be stored on a hardware security module

3) Trusted third party shall be offered by the Certifying Authority which shall send the application form and certificate signing request to the Certifying authority

4) Issue of digital certificate shall be based on e-authentication

5) Form C information to be digitally verified from Aadhaar e-KYC service

6) Electronic consent of the Digital Signature Certificate to be obtained from the applicant

7) e-authentication guidelines to be issued by the CCA

Validating Aadhaar through ITA 2008

The first thing we observe in this notification is that the notification issued as a part of statutory law and added as a schedule to the ITA 2000/8 relies on Aadhaar e-KYC service. While the Supreme Court is yet to validate the legality of the UIDAI itself, the Government has already validated the Aadhaar e-KYC service for issue of Digital Certificate by a licensed Certifying Authority.

Use of HSM

The second key factor in this notification is a reference to a system of generation of the Key Pair on an HSM maintained by the Certifying Authority and not under the control of the digital certificate holder.

Both the above aspects need to be discussed in detail to assess the legal validity of the e-sign system.

Other observations

The notification envisages that there would be a trusted third party who would be “offered” by the Certifying Authority but would be a different entity which would send the application form and certificate signing request to the Certifying Authority. The word “offered” may actually mean “appointed” or “sub licensed” but there is a clear indication that the trusted third party mentioned here has to be an entity different from the Certifying authority. In other words, a “Registration Authority” has to be licensed as a “Trusted Third Party” to operate the system including the HSM.

In the e-sign system in DigiLocker, there is no party other than the Certifying Authority apart from DeitY which should be considered as owning the system. Since the notification itself was issued by DeitY, it can be presumed that it cannot be the trusted third party envisaged in this notification.  From the copy of the digital certificate shown here, it appears that the digital certificate is issued by the Certifying Authority itself  as a “Sub CA”. This does not seem to be in tune with the intention of the notification.

Circumstances indicate that the DigiLocker itself operates as the agency that submits the application form to the Certifying authority and is therefore the “Registration Agency”.

DeitY which operates as a part of the Government which has appointed the CCA and has a division namely NIC which itself is a licensed Certifying authority, being a Registrar for e-Mudhra appears to be a strange public private partnership.

Verification of Information in Application Form

The information in the digital certificate application needs to be verified from Aadhaar e-KYC service. We may note that we are talking of an application form to be submitted before the e-Signing certificate is to be issued to the aadhaar holder. Also the notification indicates that the information has to be “digitally verified”. It does not say “information should be authenticated”. In other words, the notification is suggesting that the application form need not be “Digitally Authenticated” either by the applicant or the Registrar such as the DigiLocker. In practice, the application form may get filled up directly from the aadhaar information already available with the DigiLocker. It is not completed by the applicant and verified by any trusted third party. This again appears to be a violation of the intention of the notification.

Electronic Consent for Digital Certificate

The notification also envisages that the Certificate should be “Consented” to by the applicant. This is equivalent to “acceptance” and “Publishing” of digital certificate as referred to under “Duties of the Subscriber” in ITA 2008.

However, the e-signing process in the Digi Locker does not (presently) go through the process of obtaining the consent of the applicant either with or without digital signature.

Inherent Contradiction

Since both the application for the digital signature certificate and the consent for the digital certificate have to be “Digitally Signed” according to ITA 2008, the current process adopted by Digi Locker does not meet the requirements of law. These requirements cannot be met in future as well (without amendment to ITA 2008) since these are requirements prior to the activation of e-signing powers of the customer and cannot be authenticated by e-signing.

CCA Guidelines

The issue of digital certificates under the e-sign system is mandated to use “e-authentication” process which is described more fully in the CCA document on e-authentication. There is no indication that existing digital certificates of a subscriber (if any) can be used for e-sign process and the existing process is not enabled for the use of digital certificates already issued. The e-authentication process is therefore mandated on all users of DigiLocker.

The CCA’s document needs to be separately vetted in detail for security considerations by Information Security professionals, and I invite the readers to submit their views for publication here. My own preliminary views on the guideline, more from the ITA 2008 perspective, are provided below.

Legal Validity of the CCA Guidelines

The CCA guideline identifies the trusted third party referred to in the notification as the eSign Service Provider or ESP. It also uses the term “Application Service Provider”. There is no clarity on whether the Application Service Provider (ASP) and the ESP are the same or different. We can presume that the ASP should be approved by the ESP through an approval process. There is a mention of an “agreement” (refer para 2.1) without specifying between whom. We presume it is the agreement between the ASP and the ESP. Additionally there is a mention of an AUA (Authentication User Agency) and e-KYC agent of UIDAI. The ESP will be the AUA and e-KYC agent of UIDAI. In the Digi Locker case, there needs to be clarity on whether DigiLocker (or DeitY) is the ASP or the ESP or both.

The CCA guideline says (Para 2.2.1) that the mode of e-authentication should be in accordance with Aadhaar e-KYC Services.

It appears that the Aadhaar e-KYC service envisaged in this guideline is different from what is otherwise defined by UIDAI. According to UIDAI, a KYC query is one where the information submitted by a user for verification is queried against the UIDAI database (preferably using the biometric) to obtain information which can be compared with what is submitted.

If the query is responded to based on OTP and not on a biometric request, the system will in turn be dependent on the KYC of the MSP. Banks have adapted e-KYC system as detailed in the RBI Circular which envisages downloading of e-Aadhaar and using it as KYC document.

However, it appears that while making e-authentication subordinate to the Aadhaar e-KYC services, CCA presumed that e-authentication is something more than merely checking the information with the database.

According to para 2.2.2 of the guideline, Aadhaar e-KYC service should provide digitally signed information which is also fulfilled when an e-aadhaar copy is downloaded.

What is additionally required under the e-authentication is perhaps the issue of a “Response Code” which should be recorded on the e-signing certificate application and should be preserved for 6 months online and further 2 years offline.

The application form should be electronically generated and programmatically filled up and submitted to the ESP.

According to para 2.2.3, the application form should be “authenticated by Aadhaar e-KYC services”. The Aadhaar e-KYC service does not envisage digital signing of any content. It only provides confirmation of information available in the Aadhaar records of a person. So what the guideline means by “authenticated by Aadhaar e-KYC services” is difficult to understand.

Further the consent of the subscriber for getting a digital signature certificate should be obtained electronically. Currently the process of e-signing a document uploaded on DigiLocker indicates that  no consent is sought from the document holder for the digital certificate.

The digital certificate issued for e-Sign is issued with a validity of 30 minutes but otherwise it is similar to the digital certificates that are issued for other purposes and valid for 1 or 2 years. If a user has to apply e-sign on a document, he has to first get the e-sign digital certificate. For this he has to first make an application to the ESP. It is obvious that any application made in the form of an electronic document needs to be authenticated by a digital/electronic signature. Hence unless a person already has a digital certificate, he cannot make an application for e-signature online. This is a fundamental flaw in the design of the e-sign system.

From the system as designed, it appears that the e-Sign digital signature application is submitted by the DigiLocker authorities and not the applicant. The locus-standi of the DigiLocker authorities to submit an application on behalf of the digital certificate applicant is questionable. The e-sign digital certificate would therefore be considered as “issued” without a valid application from the applicant and hence it would be not in accordance with ITA 2008.

Why CCA gave permission to the system as presently being suggested is intriguing and we need more clarification from CCA on their logic why they consider that the system is compliant with Indian law.

The legal validity of the HSM system

According to para 2.3 of the CCA guidance, the ESP should facilitate generation of key pairs on their Hardware Security Module and the Private key will be destroyed after one time use.

So far under the Digital Signature system, the generation of the private key-public key pair was done solely under the control of the subscriber and the Certifying authority would not have access to the private key even at the time of key pair generation. It was for this reason that the digital signature was considered “Non Repudiable” in law.

In the e-sign system, the HSM is maintained under the control of the ESP. Hence it is impossible for the judiciary to consider that the private key was always under the control of the subscriber. Hence the non repudiable nature of the e-sign is not sustainable in a Court of law.

e-Sign is therefore an inferior form of authentication and cannot be equated to digital signature in terms of evidence in a Court of law. In a way the introduction of such a system by the Government actually dilutes the credibility of the digital signature system in general and Courts may decide to question the non-repudiable nature of the digital signature system in India.

The provision on destruction of the private key after every use is also a little suspect in law. Obviously it has been suggested as a measure of security. However, the “Private Key” belongs to the subscriber and the ESP has no right either to create it or to destroy it.

According to Section 43 of ITA 2008, it is the duty of the subscriber to exercise reasonable care to retain control of the private key and take all steps to prevent its disclosure. Also, if the private key has been compromised, then the subscriber shall communicate the same without any delay to the Certifying Authority.

Further without the private key it is difficult to understand how the e-sign can be verified subsequently.

The CCA guideline is therefore directly in conflict with ITA 2008 and has no legal validity.

In fact, the system as suggested may impose criminal liabilities under ITA 2008 on the innocent subscriber of e-sign merely because the private key compromise is not reported and revoked. If any fraud occurs with the use of e-sign, the primary liability of the fraud would be on the ESP.

It is surprising that CCA should have over looked this provision of law.
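
As an added illustration (not code from the CCA guideline, DigiLocker or this post), the Python sketch below walks through the mechanics of the one-time key described above: a key pair is generated, a 30-minute certificate is issued, the document is signed, the private key is discarded, and the signature is later checked with the public key carried in the certificate, with the outcome depending on the time at which certificate validity is evaluated. It assumes toy-sized textbook RSA without padding, a self-asserted signing time and no revocation check; all function and field names are hypothetical.

```python
import hashlib
import json
import secrets
from datetime import datetime, timedelta, timezone

E = 65537                               # public exponent (prime)
CERT_LIFETIME = timedelta(minutes=30)   # validity period mentioned in the post
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if c % E != 1 and is_probable_prime(c):   # keeps E coprime to c - 1
            return c

def generate_keypair(bits=512):
    """Toy-sized RSA key pair; a real deployment would use an HSM and 2048+ bits."""
    p = random_prime(bits // 2)
    q = random_prime(bits // 2)
    while q == p:
        q = random_prime(bits // 2)
    return {"n": p * q, "e": E}, pow(E, -1, (p - 1) * (q - 1))

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def rsa_sign(data, public, private_d):
    # Textbook hash-then-sign without padding: for illustration only.
    return pow(digest_int(data), private_d, public["n"])

def rsa_verify(data, signature, public):
    return pow(signature, public["e"], public["n"]) == digest_int(data)

def cert_body(cert):
    fields = {k: cert[k] for k in ("subject", "public_key", "not_before", "not_after")}
    return json.dumps(fields, sort_keys=True).encode()

def esign(document, subject, ca_public, ca_private, now):
    """Hypothetical signing service: one-time key, short-lived certificate."""
    public, private = generate_keypair()
    cert = {"subject": subject, "public_key": public,
            "not_before": now.isoformat(),
            "not_after": (now + CERT_LIFETIME).isoformat()}
    cert["ca_signature"] = rsa_sign(cert_body(cert), ca_public, ca_private)
    signature = rsa_sign(document, public, private)
    del private   # the private key is discarded after this single use
    # signing_time is self-asserted here; a real system needs a trusted timestamp.
    return {"signature": signature, "signing_time": now.isoformat(), "certificate": cert}

def verify(document, bundle, ca_public, reference_time):
    """Uses only public keys; reference_time decides the validity-window check."""
    cert = bundle["certificate"]
    if not rsa_verify(cert_body(cert), cert["ca_signature"], ca_public):
        return "untrusted-certificate"
    if not rsa_verify(document, bundle["signature"], cert["public_key"]):
        return "bad-signature"
    not_before = datetime.fromisoformat(cert["not_before"])
    not_after = datetime.fromisoformat(cert["not_after"])
    if not not_before <= reference_time <= not_after:
        return "certificate-not-valid-at-reference-time"
    return "valid"

def demo():
    ca_public, ca_private = generate_keypair()
    signed_at = datetime(2015, 10, 1, 10, 0, tzinfo=timezone.utc)   # constructed
    document = b"constructed sample document"                        # constructed
    bundle = esign(document, "sample subscriber", ca_public, ca_private, signed_at)
    at_signing_time = verify(document, bundle, ca_public,
                             datetime.fromisoformat(bundle["signing_time"]))
    a_day_later = verify(document, bundle, ca_public, signed_at + timedelta(days=1))
    tampered = verify(document + b"!", bundle, ca_public, signed_at)
    return at_signing_time, a_day_later, tampered

if __name__ == "__main__":
    print(demo())
```

The sketch covers only the verification mechanics; it does not model who holds custody of the key at the time of generation, which is the question the legal discussion in this post turns on.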

Security Requirements

The CCA guidance lists certain essential security requirements under para 2.7.

I request my friends from IS community to analyze and comment on the same.

I look forward to CCA providing necessary clarifications or withdrawing the e-sign notification. CCA should also immediately revamp its advisers, who are giving it wrong advice that is contrary to ITA 2008.

Coming back to Mr Nandan Nilekani’s prediction that we are in a WhatsApp moment in Financial services, I would rather say that we may be in a Napster moment where the business may pick up fast only to be shot down because the foundation may collapse due to legal considerations. Just as Napster collapsed because of Copyright violations, systems built on e-Sign validation may collapse because Courts may hold it illegal sooner or later.

I wish Digital India managers recognize that DeitY is making mistake after mistake, identify who is responsible for the series of mistakes and take corrective steps.


The concept of e-sign as a low cost option to digital signatures available on call is good. But the way it is suggested to be implemented is incorrect and ultra-vires the ITA 2008.

I am not discussing here what could be an ITA 2008 compliant system which meets the requirements of e-Sign but if any Certifying Authority is interested in developing such a system, I would be willing to discuss the structuring of such a system.





What should be the policy on Crypto Coins in Digital India ?

One of the issues that the Government of India is now trying to address is reduction in Black Money in the system.

E Banking and Mobile Banking are expected to assist in the reduction of use of cash in the economy as record keeping becomes easier for the Government. In fact it has become easier for the Income Tax department to keep a tab on transactions when they are done through e-banking. Extending the same logic, the use of “Crypto Currencies” which can replace the physical currency should not be harmful to the economy as long as the regulator can keep a watch on its usage.

One issue that bothers the regulators on the Crypto Currency system is that it tries to create a mining environment where non Government persons will become owners of the currency. This concern needs to be addressed.

I would like Regulators to exercise a thought… “In what way is mining of Crypto Currency different from manufacture of a commodity like, say, a new mobile phone?”

For example, I manufacture a mobile phone and sell it to those who want. I make a profit and pay tax to the Government.

The buyer may use it or re-sell it at either a profit or a loss and account for it in his tax payment. For manufacturing, I may obtain some kind of license so that Government knows what I am doing, how many mobile phones I am manufacturing, how much profit I am making etc.

In a similar scenario, if there is a crypto currency mining system in which the Government (say RBI) knows who is mining, how much he is mining, what he is doing with his stocks, whether he is paying his taxes etc., why should any Government or regulator have an objection to such a system?

Whenever we think of Crypto Currency, we always think of Bitcoin. No doubt Bitcoin is important because it represents 95% market capital of Crypto Coins and is widely held, very popular, already recognized by a few, already banned by many Governments etc. But there could be a world beyond Bitcoin.

Bitcoin has already penetrated deep into the Crime syndicates and it is difficult to retrieve it from its taint. But it is definitely possible for us to think of a new Crypto Currency which is designed to ensure that RBI retains control on its gross stock. If the public is encouraged to use it, then we can reduce the printing and management of physical currency.

I am sure that there are pros and cons of introducing a new currency which is mined (or printed) by the public and mining of such crypto coin itself becomes a “Vocation”. Government can even consider legislating that all Crypto Coins are deemed to be owned by the Government though stocked by the miners.

Since the Government knows exactly how much of currency is there in the system and what is happening to it during transactions, it can have its monetary control exercised directly. Presently RBI controls inflation in the economy by regulating liquidity or  money availability in the market through its banking regulations such as CRR and SLR.

If Government wants to reduce Crypto Currency availability, it can use measures such as “Deposits out of every transaction” so that those who actually use Crypto Currency and disturb the liquidity alone are taxed for increasing the liquidity when the economy wants it to be reduced. At the same time,  if more liquidity is required, stocking may be penalized to discourage hoarding and transactions can be eased.

Today currency is printed by RBI and gets accumulated with the public who “Earn” it through various services they render either to the Government or others who already have earned it. Like the Bitcoin stock, this stock of currency already has a fair share of unaccounted and criminally gained wealth as well as fake currencies.  One way of reducing this is by “Demonetizing” certain currency denominations. This however creates needless inconvenience to genuine people who hold the demonetized currency.

Introducing a “RBI regulated Crypto Currency” on the other hand will start from a clean slate where every bit of the currency is accounted right from its creation through its  use and re-use.

The issue to be discussed however is whether a suitable system can be built which cannot be cheated in such a manner that currency is created without the knowledge of the regulator, which is similar to the issue of fake currency printing. Secondly, whether the system is secure enough that it cannot be hacked and misused. Technology experts need to answer this question and also whether the peer controlled approval mechanism can be good enough to prevent misuse.

Look forward to more debate on this issue.



Can Encryption be considered as a “Right of Self Defense” ?

Speaking on a program on BBC, Edward Snowden, the well known security specialist who brought into the open the US spying on the Internet across the globe, has highlighted the risk of Smart Phone hacking through a simple SMS message. He says that the UK intelligence agency has a suite of products identified as “Smurf suite” which has different tools that can enable switching on a phone and listening in without the knowledge of the user.

Article in

It is interesting to note that Mr Snowden has expressed a view that the iPhone has special software that can activate itself without the owner having to press a button and gather information, and hence he prefers not to use an iPhone.

The issues that Snowden has brought to light are, according to experts, a result of inherent technical issues in the mobile system and cannot be easily secured except by the use of proper encryption when the instrument is used. The “Laws on Encryption” therefore become important.

According to technologists, smart phones work on two sets of software, one being the “Baseband Computer” which controls the radio communication and the other the smart phone computer. The Baseband computer follows the communication standards set by the network, such as GSM, and is amenable to hacking. (See the technical explanation here).

While for many, snooping by Government agencies is not a real concern, there is a possibility that the malicious code used for snooping can leak out of the security agencies or be developed separately in the underworld (if not already done), and hence be misused by fraudsters. Herein lies the risk of using Smartphones, particularly for critical financial uses such as banking.

The revelation throws up an important question on the right of people to use “Encryption”. Recently India tried to formulate an encryption policy which envisaged that text messages in unencrypted form should be stored by the user for at least 90 days and shared on demand with the security agencies. However, the revelations, which indicate a “Security Risk” in not encrypting, change the logic for the use of encryption. In fact it appears that the right of mobile users to exercise a “right of self defense” to secure their instruments and communications must be recognized.



E Commerce taxation.. a comment from an official from Andhra

In response to the previous post “Is Karnataka Government hitting NASSCOM through E Commerce taxation?”, the following comment has been received from Mr G.D. Thakur, Assistant Excise and Taxation Commissioner, Hyderabad. Since the response is exhaustive, it has been published here as an independent post. We thank Mr Thakur and also invite others to provide such useful content for publication.

E-Commerce  Taxation Issue:

E-commerce is only a way of doing business distinct from traditional methods of business. The taxation of e-commerce is not different from that of the traditional business. Rather, it is more convenient for the Taxing Authorities to collect tax from the E-Commerce Business than from the traditional business. The e-commerce turnovers and classification of goods for tax schedules are available on a system software, unlike the traditional business, which is a mixed maintenance of accounts containing several issues on which the present day taxing authorities are spending their whole time.
In e-commerce, the business turnover cannot be suppressed or misappropriated, item schedules can be managed very easily, and accordingly the actual tax liability can be worked out on the same system software and the tax payments can be made online into the Govt Treasuries instantly.
The present system of e-commerce is engineered on the Sales and Purchase Agreements with the online sellers and buyers, which decide the Point of VAT Incidence and collection and further depositing with the respective Governments. In whatever Agreements I have gone through, the seller and buyers are reflected as other than the Online Market Places [viz. Flipkart, Snapdeal]. The e-commerce majors treat their platforms as the Online Market Place only, and they have designed their Sale and Purchase Agreements so as to put the Liability to collect VAT on the online sellers only. The e-commerce majors charge some market fees, facility charges and commission on the sale value of the products traded through their Platform from the online sellers registered with their online platform [viz. Flipkart or Snapdeal].
In a nutshell, the present e-commerce scenario, as it appears to me:

1. The e-commerce companies call the online sellers and register them. They register both types of dealers: those registered with the State VAT departments and unregistered dealers also. Having a TIN is not mandatory for them in all cases.
2. Under the VAT regimes, the tax is always collected by the seller only, i.e. the seller state, viz. the sale-invoice-issuing state. The VAT will be collected by the state issuing the invoice and charging VAT thereon.
3. VAT's basic principles are uniform throughout the country. The e-commerce revenue is being collected by the selling states only and the consuming states are definitely losing their tax revenues. In e-commerce there is a golden chance for those states to attract the e-commerce majors for doing neat and clean business. The general approach of the e-commerce majors is to effect supplies from the vicinity of the consumers to bring down the logistics charges.
4. The value addition chain is depleted by e-commerce, as the whole chain of distribution from the distributor, sub-distributor, dealership, wholesaler and retailer is totally absent, and this was the need of the traditional business. E-commerce does not require this chain mechanism and the ultimate gainer is the end customer. The online business will bring down the market of black money, as e-commerce business is conducted totally through the Banks and other online pay portals, which are easier to track down and regulate than the cash money flow.
5. In e-commerce only three trading entities exist: 1. E-commerce shopping platforms 2. Online sellers 3. Online buyers [mostly end customers].
6. The e-commerce majors stress shifting the onus of VAT collection and its deposit onto the online sellers, with the VAT to be paid by the end customers only.
7. The e-commerce majors claim to charge a commission of a certain percentage of the sale value of the goods sold through their platform, and some facility and market charges, from the online sellers. If this commission or incidental turnover part is included in the sale price decided by the online sellers, then the liability of the e-commerce majors to pay VAT on the value addition is nullified.
8. The commission or the incidental charges received by the e-commerce majors are a component of the sale value, which is arrived at by the online sellers after determining all the charges in addition to the purchase price of the said commodity. The sample agreements followed by these e-commerce majors show that the commission is charged at a certain percentage of the sale price from the online sellers, in which VAT is included by the online seller.
9. The VAT is paid by the seller on the price, which includes the basic purchase price, his profit margin, incidental charges and commission paid to the e-commerce major, or packing or any other logistics charges. When the state government has received all the due amount of VAT, including the component of turnover paid to the e-commerce majors, no other VAT liability arises on the e-commerce major. This is based on the Terms and Conditions of the Sample Agreement signed by an e-commerce major with the online seller. When the sale price is decided at the point of the seller and the goods are directly transferred to the end customer, the VAT applies on the sale value. If this sale value is determined after summing up all the prices involved [basic procurement price of the item + incidental charges incurred by the seller + charges paid for packing and storage + charges paid to the e-commerce majors as a commission or in any form for making the item marketable and transportation and handling charges] and VAT is paid on this turnover to the respective state government, and the goods are sold to the end customer, then no other VAT liability arises on the e-commerce major [viz. Flipkart or Snapdeal]. For the services provided by them, they may be accountable for any service taxes if their service qualifies for that liability, but not VAT.
10. Otherwise, if the state authorities want to collect tax from the e-commerce majors, that is restricted to the ‘Component of Value Addition Part Only’. When this value-addition part of the turnover has already suffered VAT on the sale by the online seller to the online buyer, there is no turnover left with the e-commerce major on which to pay any value-addition VAT.
11. However, the responsibility for the maintenance of detailed accounts of the online sale and purchase and the online sellers for the state govt, or online access for exercising administrative control over the online sellers, is a must if proper VAT realization is to be achieved by the state governments.
12. Therefore e-commerce is not difficult to tax. Rather it is very convenient to tax, provided our taxing authorities step along with the technology. It will prove a boon to the technologically updated states and will certainly adversely affect the tax collections of those states who lag behind in welcoming this e-commerce.
13. E-commerce is a neat and clean, environmentally friendly business and makes commodities available at the doorstep of consumers at very cheap rates.
14. This document is based on the typical online sale and purchase agreement. For any e-sales business, the cyber contract as mutually signed between the contracting partners in lawful obligation to the Indian Contract Act 1872 as amended to date in India, and as per the international treaties on trade and business to which India is party, is the determining factor in deciding the incidence of VAT.
15. There is a strong need to familiarize the State Taxation Machinery with e-taxation and to address their apprehensions about the misconceptions. E-commerce will increase the VAT revenues with ease of doing business for the entire society.
16. The e-commerce majors should not be apprehensive about the clarity of Taxation Laws. The law is already explicit. VAT's basic fundamentals like incidence of taxation, definitions and sales concept are uniform throughout the country. The federal structure of VAT and e-commerce is based on the foundations of the CST Act-1956, the Sales of Goods Act-1930, the Indian Contract Act-1872 and the IT Act-2000/2008 (e-commerce).

[The views expressed are my own ]

G.D.Thakur-Assistant Excise and Taxation Commissioner

Naavi adds:

The E Commerce platform works as an agent of both the seller and the buyer and recovers a service charge as a facilitator which is for convenience recovered from the seller from the proceeds. Unless the market place owner buys from the seller and re-sells it under his own invoice, he is neither the buyer nor the seller. At best the service charge levied can be subjected to the service tax though I prefer it to be waived. The State Government should not intervene and try to recover a “Withholding tax” as Karnataka Government appears to be aiming at. 
Also from the technical perspective, this requires a change of the software process handling the payment and introduces a complication. We should remember that there are other service intermediaries such as the courier or the payment gateway and each one of them gets their share. These may also be directly distributed from the sale proceeds and are income of each of these agencies and are subject to taxation in their respective states. For convenience, the market place may maintain an account and credit the entire sale proceeds to one account and make on account payments from such an account. Different companies may adopt different practices.

We also need to recognize that the market place operates in “Cyber Space” and the buyer and the seller are residents of different states. ITA 2008 has a means of defining where the contract is concluded and accordingly the location of the “Sale” has to be determined.

If a seller is from Delhi, there is no need for him to pay tax in Karnataka. (Any inequalities between predominantly selling states and predominantly buying states are being addressed in the GST scheme which we expect to be operative in the next year.)

Karnataka Government is therefore harassing the E Commerce players just because they have chosen to open their head office in this State. Even where there is a warehouse, the correct interpretation is that the warehouse is rented to the seller to enable efficient distribution. Any other interpretation is convoluted and mischievous.

Karnataka Government made the same mistake in respect of “Aggregators” of Taxi service and failed to recognize “Aggregation” as a “Service”. Though the Ubers and Olas have accepted this for the time being, this is a dangerous precedent. If the same principle is extended, “Make My Trip” will require an airline operating license before booking airline tickets and Book My Show would be liable for the entertainment tax payable for the movie.

I hope people in the Government do not think of E Commerce only as a milch cow and try to extract as much money as possible. They should look at the overall impact on the economy that the decisions leave. At present it appears that the Government is unfriendly to E-Commerce Business and is driving businessmen out of the State. If this is not checked, E-Business in Bengaluru including the “Start Up Business” will dry up.

I wish some official from the Karnataka Commercial Taxes department responds to this.


P.S: Kindly read this along with the earlier post: “Is Karnataka Government hitting NASSCOM through E Commerce taxation?”


Is Karnataka Government hitting NASSCOM through E Commerce taxation?

During the recent visit of Prime Minister Modi and German Chancellor Angela Merkel to Bengaluru, the Chief Minister Mr Siddaramaiah and more so his party was unhappy that NASSCOM did not invite him for the interaction with the industrialists. It appears that this displeasure is now playing itself out in the form of policy implementations designed to hurt the IT and E Commerce industry in Karnataka.

For some time Congress has been taking various steps to discredit the Modi Government and one part of this strategy is to ensure that no cooperation is given to the Center on its economic initiatives. It is possible that the Modi team would have felt that Karnataka politicians could even try to put spokes in the wheels of Modi’s initiatives and decided to keep the State Government at a distance during the Angela Merkel meet.

Some time back Karnataka lost one expansion plan of Infosys and possibly one from Tata Motors. Recently Flipkart chose Hyderabad as the location to open its biggest warehouse and fulfillment center. (See report here). In April, Amazon India had announced that it was putting all future investments in Karnataka on hold due to the state government’s “non-cooperative attitude.” Announcing the setting up of its FC in Telangana, Amazon said the policy parameters in Karnataka were not in sync with e-commerce industry demands.

It is clear that neighboring Andhra and even Telangana are actively poaching projects both in IT and non IT and Karnataka is slipping in its development curve. It is only the momentum of the past that is keeping the state afloat.

One of the recent studies by KPMG indicates that E Commerce gives a boost to the SMEs. There are many success stories of SMEs making it a big success with the help of the online stores. (See report here) At such a time when E Commerce needs to be encouraged, the Government has taken yet another step in downgrading its status for “Ease of Doing Business”, particularly in the E-Commerce area, by proposing a “Value Added Tax Deduction At Source”.

See Report in ET here

It is stated that the Government is proposing a 1 per cent levy on payments by buyers to sellers on e-commerce sites, a move that could encourage other states to follow suit.  If put in place, e-commerce companies will have to deduct 1 per cent of payments made to vendors before passing the money on, making goods costlier for consumers.

The state says the levy will help keep tabs on the revenue of sellers, who would be able to claim credit for the tax. The authorities feel this will ensure that disclosures are accurate and companies are paying the right amount of tax.

However, one can visualize that this move will introduce more hurdles in the operation of E Commerce in Karnataka and would be construed as a retrograde step which could have been prompted by the recent face off with the NASSCOM.

I hope that wiser counsels in the Government would sense that there is a gradual erosion of the credibility of the Government in business circles which is not good for the economic development in the State. The sooner this is realized and corrective steps taken, the better it is for the State.

For this purpose, it is necessary for Mr Siddaramaiah to break himself out of the policy bind dictated by his high command which is interested in taking the Indian economy backwards lest Modi may claim credit. Siddaramaiah should try to emulate Devraj Urs and consider the betterment of the State ahead of other political game plans. It is true that Devraj Urs lost out politically because Indira Gandhi was too strong but the current Congress high command is more dependent on Karnataka and Siddaramaiah may have a good chance to win his way if he shows some courage and conviction to restore the pride of Karnataka in Congress circles by taking an independent political policy stand that is good for the State.

Let’s watch how this war between the Government and the NASSCOM plays out.

Related Article:

Karnataka Hold meeting with E Commerce players

Karnataka Loses upto 2000 crores in tax revenue to e-commerce
