
Naavi.org

Building a Responsible Cyber Society…Since 1998

We discussed some aspects of the organizational structure of the proposed CERT-Fin in our previous article (see here).

Let’s now look at some of the other aspects of the report on which public comments can be submitted up to July 31, 2017.

The scope of activities of the CERT-FIN will be defined by MOUs that will be signed between CERT-In and the CERT-FIN, as well as between CERT-FIN and its sub-sectoral CERTs such as CERT-RBI, CERT-SEBI, CERT-IRDAI, CERT-PFRDA etc.

Presently the functions of CERT-In are defined under ITA 2008, and similar obligations and powers need to be bestowed on the sectoral CERTs, with some oversight responsibility being retained with CERT-In.

The Core Mission of the CERT-Fin would be to support the stakeholding organizations in identifying Cyber threats and Vulnerabilities so that the Cyber Risks can be mitigated. This can be achieved by disseminating to the stakeholders, on a real-time basis, threat information collected from global sources and from its own research.

Simultaneously, there could be regulatory responsibilities which may include providing directions to the stakeholders on security matters and pulling them up if required.

The statutory powers vested with CERT-In cannot be transferred to the sectoral CERTs, including CERT-Fin; at best these CERTs may be allowed to make recommendations to CERT-In for regulatory sanctions on an erring stakeholder.

According to the report, the following are listed as the activities of the CERT-FIN:

1) Analysis of financial sector cyber incidents and reporting the incidents to CERT-In, including:

i) Collection, analysis & dissemination of information on cyber incidents.
ii) Forecasts and alerts on cyber security incidents.
iii) Emergency measures on cyber security incidents.
iv) Coordination for cyber incident response activities.
v) Issue of guidelines, advisories, vulnerability notes and white papers relating to information security.
vi) Monitoring sectoral efforts in the financial sector towards maintaining a dynamic and modern cyber security architecture, and developing awareness amongst regulated entities and the public in general.
vii) Such other functions relating to cyber security in the financial sector as may be prescribed.

2) Create awareness on security issues through its website and a 24X7 incident response helpdesk.

3) Provide Incident Prevention and Response Services and Security Quality Management Services

4) Offer policy suggestions for strengthening financial sector cyber security to all stakeholders including regulators/Government

5) Conduct workshops for employees of the sector and public if necessary through public-private partnership

6) Provide seamless integration for information dissemination to other nodal agencies using standard protocols.

7) Develop its own research capability to identify threat information, which essentially means that it should maintain its own Honey-Pot and SOC and the ability to collect, process and add value to threat intelligence.

8) Facilitate quality training and certification programs including online programs in the cyber security area, develop manpower and expertise in Cyber Security product development and Cyber operations etc.

9) Collaborate with academic institutions such as the IITs and IISc to chart out the long-term plan for Cyber Security infrastructure in the Indian context.

10) Develop Critical manpower infrastructure to improve employability of youth at the bottom of the pyramid by designing proper courses.

11) Identify “Protected Systems” in the sector (under Section 70 of ITA 2008)

12) Develop an international Interface with tie ups with various financial CERTs operating internationally to adopt international best practices in its functioning.

13) Establish a Standing Technical Sub-Committee to ensure collaboration with TEL-CERT (the new CERT for the telecom sector) for a continuous flow of information.

14) Coordinate efforts at rendering the Financial Infrastructure secure, including through Cyber Risk Insurance.

The report suggests that, apart from placing the report in the public domain for comments, workshops can be held for feedback with all stakeholders, scholars specialized in the area of Cyber Security, and leading academic and technology institutions.

The proposed scope of activities for the CERT-Fin is fairly comprehensive and completely welcome.

However, keeping in mind our previous observations on the merit of a “Unified Command” for better Cyber Security management, and the need to prevent the Cyber Security functions from being subsumed within the functional responsibilities of the individual regulators (thereby subordinating the security objectives to other functional objectives), it is essential that most of the above responsibilities be kept with CERT-In itself.

If CERT-Fin tries to become a complete CERT in itself, including an international interface, management of a SOC for the industry, research through Honey-Pots etc., its core competence, which is liaising with the industry stakeholders, may go underutilized. There will be needless duplication of effort and degradation of the objectives.

It is therefore suggested that CERT-FIN should focus on meeting the objectives of CERT-In, which are well reflected in the above document as part of the CERT-FIN responsibilities, acting as an accessory to CERT-In rather than doing all of it on its own.

What this could mean is to re-invent CERT-In itself as a Section 8 company, enrol representatives of each of the Financial Sector regulators into its Governing Body, create CEOs for each sector with appropriate domain expertise, and run the entire operations of CERT-FIN as an integral part of CERT-In outside the direct control of the individual regulators. This new CERT-In should report directly to the PMO and share intelligence space with the Police and Military, since Cyber issues are today part of any Cyber Terrorism or Cyber War strategy.

The working group has failed to underscore the risk of “Imported Hardware and Software” used in the IT infrastructure and the need for quick indigenisation.

The “Research” is therefore also required on “Unraveling the hidden code” in hardware and software that is embedded in our devices and analyzing them from the security perspective.

It must be recalled here, as a matter of caution, that the last time an attempt was made to have “Security Certification for Telecom Equipment”, a committee headed by the IISc director and having representation from the CERT-In director was formed. However, the operations were sponsored by none other than a leading Chinese Telecom equipment supplier, indicating a complete absence of security precautions to avoid conflict situations.

We should not make a similar mistake now, and the core operations of CERT-In should be funded from the budget directly by Parliament, carved out as part of the National defense expenditure.

CERT-FIN may raise funding from its stakeholders and use it for its outreach activities such as education etc., and reduce the burden on the exchequer. However, any funding or sponsorship of the core activities of CERT-In or any other CERT organization by the stakeholders themselves is not a good idea and should be revisited.

P.S.: The above comments are meant to stimulate further thought among the public so that they can provide their own feedback on the working group report. I hope it would be useful for this purpose.

It is made clear that the observations are not meant in any way to undermine the great effort that has gone into the preparation of this report, and the effort deserves a high degree of praise.

I will be forwarding these thoughts also as my observations on the report. I urge readers to also send their observations without fail.

We appreciate the public consultation effort and ensure that it becomes useful to the decision makers so that this practice continues.

Instead of remaining silent and later coming up with criticisms, it is necessary for the Civil Society to respond now even if some of the early reactions can be wrong for lack of adequate research. 

Naavi


The Working Group under the Chairmanship of the Director General of CERT-In, constituted to study and submit recommendations on the setting up of a Computer Emergency Response Team (CERT) exclusively for the Financial Sector in India covering Banks, the Fintech Industry, the BFSI sector, the Stock Market Sector, the Pension Fund sector etc., has submitted its report and sought comments from stakeholders including the Public before 31st July 2017. The comments can be sent by email to surjith.k@nic.in or sent by hard copy to Shri Surjith Karthikeyan, Deputy Director (FSDC), Department of Economic Affairs, Ministry of Finance, Room No 269, North Block, New Delhi 110001.

A Copy of the report along with the press note is available here.

A brief discussion of the report with immediate comments is available below.

Organization:

  1. CERT-FIN will be set up as a Section 8 Company with financial contributions from the industry. It will be guided by an “Advisory Board” for providing strategic direction as well as for reviewing its performance and for allocation of budget/resources.
  2. There will also be a Governing Body with nominees of shareholding institutions.
  3. RBI will act as “Lead Regulator” for setting up CERT-Fin.
  4. CERT-Fin will act as a “Sectoral CERT” for the Financial Services industry and will be an umbrella organization for the industry.
  5. Additionally, “Sub-Sectoral CERTs” may be set up for sub-sectors within each of the regulators such as RBI, SEBI, IRDAI and PFRDA.
  6. CERT-FIN itself will work under a contractual arrangement with CERT-In and in turn have contractual arrangements with the other sub-sectoral CERTs.
  7. CERT-Fin will be jointly funded by all financial sector regulators.

Comments 1 (Organization of CERT-FIN):

The suggested set-up indicates that where today there is one CERT in the form of CERT-In, there will now be a total of five or six organizations called “CERTs” just for covering one sector, namely the Financial sector.

Further, a precedent is being set that each regulator will have its own CERT, which will function as if it were a department of the regulator.

The suggested set-up, apart from proliferating the number of entities, will create issues in inter-CERT information sharing of the kind that the intelligence agencies at the Central and State levels sometimes face.

It appears that each regulator wants to keep control of the players in its domain. In other words, IRDAI does not want to share security incident information about, say, an Insurance Company with RBI, and SEBI does not want to share security incident information with PFRDA, and so on. Each regulator is protecting its turf.

Further, the CERT-Fin will be a figurehead, governed by a Board of Directors and directed by two super-management bodies: firstly a “Governing Body” and secondly an “Advisory Body”.

Under the Companies Act, any body that can set guidelines for the Board and control its budget is considered “Ultra Vires” the Companies Act, since the Board has to be supreme. Legal debate may therefore be necessary for the Advisory Body to be what it is suggested to be.

The entire set up is a recipe for inefficiency, infighting and increased cost.

At present, CERT-In has the legal powers to be the nodal agency for all information security issues. This itself has been diluted with NCIIPC (National Critical Information Infrastructure Protection Center) which is the second nodal agency under Section 70A of ITA 2000.

There is no doubt that there is a lot of Cyber Security work to do in the country and that it requires a huge manpower. But the best way to start the work is with a proper structuring of the control organization. What is now shaping up certainly does not appear to be an ideal set-up.

Given that the “Advisory Body” will control the budget and also give operational directions, the CERT-FIN will be a puppet. I pity the CEO who is likely to head this organization, which on the face of it appears to be a very prestigious entity. Any CISO worth his name will think twice before accepting the responsibility.

The suggested structure is also creating a precedent whereby tomorrow there will be demand for one CERT for Airlines, one CERT for Surface Transport, certainly one CERT for GST, one CERT for the Army, one for the Air Force and one for the Navy, and so on, and ultimately at least one CERT for each of the ministries. Then a question will be raised why not one CERT for each State, and it will be a big mess difficult to untangle.

I strongly suggest that this needs to be thought over once again.

Presently RBI already has an IT division, and IDRBT exists as an organization with some experience in managing critical networks. Somehow these departments are being bypassed and five additional organizations are being created.

We are aware that, out of these regulators, except RBI and perhaps SEBI, the other regulators do not have much exposure to IT itself, let alone Information Security. IRDAI is just now learning how to use IT for the Insurance Business. PFRDA is a much more recent organization and not much is known about its IT capability.

Also, when CERT-FIN is funded by the stakeholders and the same stakeholders become part of the Advisory group and the shareholders’ meeting, it is effectively a set-up where the “Controlled end up as the Controller”. There will be no hard decisions taken in such a body, and all security decisions will be subordinated to the commercial interests of the funding agencies. We find that even now RBI is often not able to assert itself against Big Banks, though the legal structure is in favour of the RBI. In the proposed set-up of the CERT-FIN, the CERT-FIN Management will have no control over its own existence and hence will have to follow the diktats of the supporting organizations whose security postures need to be challenged by the CERT-FIN.

CERT-In itself, for whatever it has done or not done in the 16 years since ITA 2000 and the 8 years since ITA 2008, has gathered valuable experience with which it can manage things better than the five new CERTs that are being created.

There is no doubt that domain expertise for different sectors may be lacking in CERT-In today. But, keeping the current structure, one can create four different Directors reporting to the Director General, each such Director can be provided with domain expertise support from sub-sectoral advisory groups/committees, and such an organization should be far more effective under a unified command.

For effective management of the security of the Cyber world, a “Unified Command” is most essential. The only division that can be considered is one such command for the military and one for the civil society and further sector wise division should not be made to create parallel organizations.

Additionally, CERT-In has to be liberated from MeitY and made into an independent entity in true spirit, with a separate building and budget. It should be separated in body and mind from the current set-up.

We observe that currently even the Controller of Certifying Authorities, which is a statutorily independent body, functions just like a department of MeitY.

Because CERT-In contains the word “Team” in its name, it is being treated as if it were an informal group within the mighty MeitY. This has to change if Cyber Security is to be managed properly.

Security and Functionality are two different aspects of IT management. While MeitY needs to handle Digital India promotion, CERT-In needs to put in the checks and balances so that technology does not become a runaway horse.

Even in a corporate environment we know that unless the CISO is liberated from the CTO and made to report directly to the Board, he cannot discharge his duties properly.

Similarly CERT-In which is the apex quasi judicial authority mandated to manage the Cyber Security of the country needs to be treated as an independent organization and report directly to the PMO.

Any other structure is not only inefficient but also dysfunctional.

A Suggestion

The Government of India should call for an informal meeting of Management Experts from the private sector, discuss some of the specific managerial challenges that the proposed structure may create, as raised here, and just listen to the management Gurus before proceeding further. I also request relevant academic institutions such as the IIMs, IIITs, NLSIU, NALSAR etc. to conduct symposia on CERT-FIN and submit free and voluntary suggestions to the Government on how the organization could be structured for better coordination and effect.

(The discussion will continue in the next article)

Naavi


Can a Programmer be a good Compliance Official?

Posted by Vijayashankar Na on July 19, 2017
Posted in Cyber Law

“Who would make an effective Compliance official in an organization?” is a question that troubles many in management.

In large organizations there is no dearth of people or capacity to appoint professionals, and hence there could be several persons with different designations working on Compliance. There could be a Chief Privacy Officer and a CISO working along with a Chief Compliance official, each commanding a team under them. But most companies do not have that luxury and have to meet the legal obligation nevertheless, with somebody doubling up with “Additional Charge”.

HIPAA-HITECH Act mandates that a person should be designated as “Privacy Compliance Official” and “Security Compliance Official” and his contact should be available on the website 24X7.

ITA 2008 mandates that there should be a “Grievance Officer” under Section 79 who faces the customers, and a “Compliance Contact person” facing CERT-In or the Ministries of Finance and Home, available to respond within 2 hours if need be.

CERT-In is a quasi-judicial body which can order legal action in case of non-compliance, while other agencies may initiate action under other legal provisions.

The Compliance official is expected to be the nodal person to interact within the organization and be answerable to the regulators. He needs the skills of PR to deal with the regulators and with people within, though on the face of it the function seems to be a legal role.

In such a scenario, the question that troubles most managements of small organizations is how to assign the responsibilities of compliance within the existing team, whose core activity may be IT or software programming with no exposure to law. There is no doubt that they can take the assistance of external consultants for understanding ITA 2008 compliance requirements, but ultimately somebody on the rolls of the organization needs to be designated as the “Compliance Official”.

Compliance is an activity which starts from the zero day of a company’s existence. Hence, even when a Start-Up entrepreneur starts his initial work and launches his project in a low-key, controlled public release, he needs to have a compliance official. In case the entrepreneur fails to designate a person, the CEO himself becomes the compliance official. Since the CEO needs to focus on other business needs, it would be wise for him to designate somebody who works closely with his team and is present in the office all the time to act as the Compliance official, rather than taking over the responsibility himself, even though the buck ultimately stops with him.

In circumstances where the CEO works only with a team of software programmers and nobody else to assist him, it therefore becomes necessary for one of the software developers, ideally the Team Lead, to be also designated as the Compliance Official.

If a CEO proposes that the person whom he has recruited for his software development expertise should also be designated as an “ITA 2008 compliance official” or a “Grievance Redressal official”, the software professional would in many cases not be comfortable, since he thinks that he is not a “Legal Person” and hence “Compliance” does not sit properly with his designation.

However, it is time that software developers realize that basic knowledge of Cyber Law is today an essential knowledge for all IT workers and without it, they are likely to be challenged in their career progress. We often talk of “Privacy by Design” and that only means that the person who thinks of software architecture and coding should have some basic awareness of what his software is expected to do when it faces a client.

Today, if we have many “Zero Day vulnerabilities” that pose a threat to Cyber Security, the main reason is that the software developers, out of their ignorance, did not take care of security at the time the software was designed and constructed. It has been an afterthought, which leads to compromises and creates security holes.

It is therefore felt that in smaller organizations there is nothing unnatural in a software team lead being additionally designated as “ITA 2008 Compliance Official”, and persons with such responsibility should consider themselves premium professionals. It goes without saying that they need to understand their responsibility and discharge it faithfully.

I would advise software professionals to go through a quick online course if necessary (check apnacourse.com for the course of Cyber Law College) or take up more formal courses if time permits, to equip themselves with some basic cyber law knowledge that enables them to work with an external consultant when required and discharge their responsibilities as a compliance official. The knowledge may also enable them to improve the quality of their software, since the software by design would be “compliance ready”.

So, the new slogan that we need to pursue in software circles is “Compliance By Design”, and I hope the software community rises to this requirement, which actually helps the cause of Cyber Security.

This should reduce the incidence of “Zero Day Vulnerabilities” and the cost of maintaining “Bug Bounty Programs” along with the cost of Cyber Insurance coverage for user organizations.

Naavi


The war on Bitcoin (should it be legalized, banned, or left to find its own fate in the chaotic world of unregulated and anonymous Crypto currencies?) has now reached the door of the Supreme Court of India.

A Public Interest Litigation has been filed (Writ Petition (Civil) No. 406 of 2017) under Article 32 of the Constitution against the Union of India, the Ministry of Finance and the Reserve Bank of India, against the use and business of illegal cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as Bitcoins, litecoins, bbqcoins, dogecoins etc.

Vijay Pal Dalmia, an Advocate, along with Mr. Siddharth Dalmia, an engineer and a law student, are the petitioners.

We appreciate the action taken and ensuring that it is not only against Bitcoin but against all Alt Coins. This was extremely essential since all anonymous Crypto Currencies are fungible and alert criminals have already converted their Bitcoins into Ethereum or other coins and hence banning only Bitcoin and leaving the rest would not be of help.

The petition was heard on 14th July by a Bench of Hon’ble Chief Justice of India J.S. Khehar and Hon’ble Mr. Justice D. Y. Chandrachud, which gave four weeks to the Reserve Bank of India to examine all security-related issues about virtual currency, including BitCoin, and respond to the Petitioners.

RBI now has three options before it, namely “Ban”, “Regulate” or “Continue to observe” (or procrastinate).

The petition has now removed one of these options, namely “Continue to Observe”. RBI has no option but to respond.

In the meantime, the Finance Ministry has set up a task force in which RBI is also represented along with SBI, and that is expected to give its view much before the 4-week deadline of the SC; hence RBI may simply forward a copy of the report of the committee and not take any other decision of its own.

So, the Supreme Court should actually have issued a notice to the “Bitcoin Task Force” (which is as anonymous as Bitcoin itself as regards its constitution) to respond directly to the Supreme Court.

By asking RBI to respond directly to the petitioner, it appears that Supreme Court is trying to avoid taking a view unless it is forced.

While it is good that Bitcoin has come under the radar of the Supreme Court, the resolution of the Court is not satisfactory. Perhaps the Court is yet to understand the full implications of legalization of Bitcoins and its impact on the society.

When Shreya Singhal brought a public interest litigation on scrapping Section 66A of ITA 2008, the then CJI commented, “We were waiting for somebody to file the petition”. It was no surprise that the Court in its final order in this case eloquently upheld “Freedom of Expression” as a constitutional right and went overboard in interpreting Section 66A in a manner that suited its predisposition, resulting in the scrapping of Section 66A of ITA 2008.

However, in this matter of Bitcoin, the Honourable Supreme Court has failed to recognize the impact on Terrorist Finance and Black Money creation if Bitcoin is allowed to remain in the environment. This is regrettable.

We seriously believe that the Bitcoin community is trying to corrupt all decision makers to obtain a favourable decision to legalize Bitcoins, which is a darling of every corrupt bureaucrat or businessman, politician, or even a corrupt member of the Judiciary.

Hence, the longer the decision lingers on, the greater the probability that the decision makers may be corrupted. I will not be surprised if some of them have already found in their mailbox mails indicating that a certain number of bitcoins have been credited to their bitcoin wallet. A decision should therefore be arrived at soon.

It is now for Mr Narendra Modi, the saviour of India, to take note that if Bitcoin is allowed to be legalized, all his effort on Demonetization would go to the dogs. I wish somebody close to him would bring this to his personal attention without it getting filtered out, so that a proper decision can be taken by the Task Force.

The proper decision means “Banning all holdings and activities surrounding Bitcoin and every other privately managed Crypto Coin” and nothing short of it.

If the RBI’s reply is not satisfactory or the Task Force comes out with a contrarian decision, I wish the petitioners of this PIL would approach the Supreme Court once again for a decision to save the country.

Alternatively, the Bench should modify the order and ask the Task Force of the Finance Ministry to respond directly to the Supreme Court within the next 15 days so that the hearing may continue.

Naavi

I am reproducing, for information, the Press Release given out by Mr Vijay Dalmia, the advocate.

This Writ Petition was in Public Interest under Article 32 of the Constitution of India for issuance of Writ of Mandamus or any other appropriate Writ, order or direction directing the Respondents to take emergency and urgent  steps for restraining the sale and purchase of illegal cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as, Bitcoins, litecoins, bbqcoins, dogecoins etc., which are being traded and invested-in openly and extensively within the knowledge and domain of the Respondents anonymously over internet and otherwise for a host of anti-national, illegal and nefarious activities, such as funding of terrorism and insurgency, illicit trade of arms and drugs, recruitment of terrorists, bribery, corruption, money laundering, tax evasion, generation of black money, payment of ransom, human trafficking, transfer of money through hawala, hawala trade, illicit investments, avoidance of banking channels and surveillance of funds, online gambling resulting in negative impact on Indian currency, inflation, loss of control of Government on financial discipline and illegal diversion of money, and all this happening without any border restrictions or geographical constraints by avoiding and violating laws, resulting in danger to the integrity and sovereignty of India causing harm and danger to the peace and tranquility of the society,  the security of the state and the residents of India.

This writ was an outcome of a cyber attack on 13th May, 2017 by the Wanna Cry ransomware. The WANNA CRY ransomware opened the eyes of the world, including India, to the truth behind the cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as Bitcoins, litecoins, bbqcoins, dogecoins etc. It has been reported widely in the media that Lakhs of people got their data encrypted and their systems locked in India and in over 104 other countries. Since 13th of May, the entire world is concerned about the ransomware. This large-scale worldwide cyber-attack was launched affecting computer networks in many countries across the globe, including India. The hackers demanded payments of $300 to $600 (roughly Rs. 19,000 and Rs. 38,000) using Bitcoins as a ransom for unlocking computers and affected devices. The magnitude of the attack is yet to be ascertained by the Indian Government. The Reserve Bank of India had to notify all banks to operate their ATMs only after updating software systems to avoid being infected by ransomware. It has been reported in the media that one of the biggest impacts so far has been on computers used by the Andhra Pradesh police, where 18 units across five districts, including Visakhapatnam and Srikakulam, had been under attack. There were reports that the virus also infected computers in the offices of the West Bengal State Electricity Distribution Company in three blocks, Belda, Data and Narayangarh in West Midnapore district. The attack has crippled lakhs of computer devices and networked computers across the globe, and struck banks, hospitals, and government agencies in several countries. In India, many of these hackings go unreported as companies do not want to ‘damage’ their reputation, and ransom money may be paid through Bitcoins as anonymity is maintained. Ransomware is a form of malware that encrypts a computer’s files and displays a message to the user, saying it will decrypt the files for payment, typically via Bitcoin.
WannaCry is a program targeting Microsoft’s Windows operating systems where hackers take control of a computer and lock the data until the victim makes a payment in return.

That some of the laws which are being violated because of open dealings in illegal Cryptocurrencies like Bitcoins, are as under:

  • The Constitution of India, 1950;
  • Reserve Bank of India Act, 1934;
  • The Foreign Exchange Management Act, 1999 (“FEMA”);
  • The Reserve Bank of India Act, 1934 (“RBI Act”);
  • The Coinage Act, 1906 (“Coinage Act”);
  • The Securities Contracts (Regulation) Act, 1956 (“SCRA”);
  • The Sale of Goods Act, 1930 (“Sale of Goods Act”);
  • The Payment and Settlement Systems Act, 2007 (“Payment Act”);
  • Indian Contract Act, 1872 (“Contract Act”).

In the writ petition, the following prayers were made:

  1. Issue a Writ of Mandamus or any other appropriate Writ, order or direction under Article 32 of the Constitution of India, directing the Respondents to declare cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as, Bitcoins, litecoins, bbqcoins, dogecoins etc., as illegal;
  2. Issue a Writ of Mandamus or any other appropriate Writ, order or direction under Article 32 of the Constitution of India, directing the Respondents to take immediate steps in the present situation of emergency, for restraining and banning the sale and purchase of illegal cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as, Bitcoins, litecoins, bbqcoins, dogecoins etc.;
  3. Issue a Writ of Mandamus or any other appropriate Writ, order or direction under Article 32 of the Constitution of India, directing the Respondents to ascertain the actual figure of illegal cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as, Bitcoins, litecoins, bbqcoins, dogecoins etc., that have been sold and purchased in India, and fix accountability and responsibility for the same;
  4. Issue a Writ of Mandamus or any other appropriate Writ, order or direction under Article 32 of the Constitution of India, directing the Respondents to investigate and prosecute all those who have indulged in the sale and purchase of illegal cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as, Bitcoins, litecoins, bbqcoins, dogecoins etc., that have been sold and purchased in India, and fix accountability and responsibility for the same;
  5. Issue a Writ of Mandamus or any other appropriate Writ, order or direction under Article 32 of the Constitution of India, directing the Respondents to ban access to all websites, web links and mobile applications which are being used to buy and sell illegal cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as, Bitcoins, litecoins, bbqcoins, dogecoins etc., and all other websites and mobile applications which are accepting bitcoin as a payment option;
  6. Issue a Writ of Mandamus or any other appropriate Writ, order or direction under Article 32 of the Constitution of India, directing the Respondents to give advertisements and wide publicity through all media, educating the public about the illegalities involved with the sale, purchase and dealing of illegal cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as, Bitcoins, litecoins, bbqcoins, dogecoins etc.;
  7. Issue a Writ of Mandamus or any other appropriate Writ, order or direction under Article 32 of the Constitution of India, directing the Respondents to implement existing laws, rules and regulations in true letter and spirit for prohibiting sale, purchase and dealing of illegal cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as, Bitcoins, litecoins, bbqcoins, dogecoins etc.;
  8. Issue a Writ of Mandamus or any other appropriate Writ, order or direction under Article 32 of the Constitution of India, directing the Respondents, in case there are any deficiencies in existing laws, rules and regulations, to enact appropriate law and frame rules and regulations to regulate sale, purchase, dealing, holding and reporting of cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs).

The other relevant details of the PIL are as under:

Date of Hearing: 14th July, 2017

VIJAY PAL DALMIA vs. UNION OF INDIA THROUGH CABINET SECRETARY

Writ Petition (Civil) no. 406 of 2017 (PIL)
BEFORE SUPREME COURT OF INDIA
CHIEF JUSTICE’S COURT
HON’BLE THE CHIEF JUSTICE Mr. J.S. Kehar
HON’BLE DR. JUSTICE D.Y. CHANDRACHUD

Now the issue has been referred to the Reserve Bank of India, to take a call on the subject matter within 4 weeks of the receipt of the copy of the writ along with the representation of the undersigned.

The issue of Crypto Currencies/Virtual Currencies like Bitcoins is of national importance, and needs a debate in the media as well as a firm stand by the Government of India.

Best Regards,

Vijay Pal Dalmia, Advocate


Are Drugs to be made legal in India?

Posted by Vijayashankar Na on July 17, 2017
Posted in Cyber Law

What a ridiculous question to ask?… anyone would say. But this thought came to me after reading the comment supposedly made by a Finance Ministry Official (unknown) quoted by coindesk.com in its article available here.

(If this quote is a result of what is published in The Hindu, then all my remarks on Coindesk.com will apply also to The Hindu.)

The article states that a Finance Ministry Official has made a statement that Bitcoin trading will be taxed. In recent days the price has come down from $3000 to $2000. Hence there is a huge loss, and some of it must have been suffered by those who acquired it in the last few months when the Indian Government started considering whether Bitcoin should be legalized or not. This article is therefore possibly a “Pump and Dump” effort to jack up the price in India.

The exact quote is intriguing and states as under.

“Banning will give a clear message that all related activities are illegal and will disincentivize those interested in taking speculative risks, but it was pointed out it will impede tax collection on gains made in such activities and that regulating the currency instead would signal a boost to blockchain technology, encourage the development of a supervision ecosystem (that tracks legal activities and may also assist in tracking illegal activities) and promote a formal tax base.”

My first thought is that this is fake and no official will be so naive as to consider that “impeding tax collection” could be a reason not to ban Bitcoin. I have, through a comment posted on the site, asked for the name of the official, and if I do not get the name, it would prima facie confirm that the article could be a fraudulent plant to influence the view of the finance ministry committee which is expected to come up with its report and suggestions.

I do not think that India under Mr Modi has gone that bankrupt as to consider Bitcoin as a source of revenue for the Government without which progress would be impeded. If so, it would be even more profitable to formalize a tax base for drugs and arms, as that would also boost the revenue collection and give an opportunity to track the sales. The only catch is that most such trades, including Bitcoin, happen through anonymous trades in foreign-based exchanges and there is no way Indian authorities would be able to track them.

If Bitcoin is declared as a “Banned Substance” and a “Suspected Currency of Choice for Money Laundering and Terrorism”, by law, then any use of Bitcoin or trading of Bitcoin can be declared as “Assistance to Money Laundering” and “Assistance to Terrorism” and tracking could be possible by invoking international treaties.

I request coindesk.com to stop the posting of fake quotes as it would be defamatory to Mr Arun Jaitley and his subordinates. People who have tried to defame Arun Jaitley know what the consequence would be!

I also request our Finance Minister or Finance Secretary to come out with a proper denial of this quote as otherwise, Mr Subramanya Swamy may start preparing another petition of his own on how to unravel whether this quote is true or fake and to whom it should be attributed.

The Supreme Court is already seized of the matter and even the Court may issue a notice to Coindesk.com to reveal the name of the official quoted in the report. If Coindesk.com removes the article (I will have a certified copy under Section 65B of IEA), then an additional charge of “Tampering with Evidence” can be filed under Section 65 of ITA 2000/8.

There is only one option for the Government…To Ban (and announce it without any delay) Bitcoin and all Crypto Currencies unless the Reserve Bank of India floats one.

Even such an RBI-sponsored Crypto Currency (BitRupee or whatever it may be called) would be acceptable only if every mining and every transaction is linked with an identity code and RBI can trace it to an individual whose KYC has been properly done. I will separately provide guidance if required on how the Government can boost its revenue in such a project.

For example, only a Digital Signature or e-Sign certificate issued in India by a licensed Certifying Authority should be acceptable for authentication of transactions and wallet addresses. Even if mining is allowed to others, it could be through a licensing system with the Miner paying a proper tax. Essentially, there should be no anonymity for the transaction.

Any other suggestion even if made would be a fraud on Indian economy and any suggestion that such a decision will in fact be made is a fraud to mislead innocent investors.

Naavi


(P.S.: This is a reflection from the discussions held at the conclave in Delhi on July 14/15, 2017 on “Securing Cyber Space”)

The Conclave hosted a discussion on Legal Issues on Data Localization, Jurisdiction and Sharing in which I made out certain points which are reflected in this article.

The principle of Data Localization is that “Data” should be stored in the country of its origin, particularly when the data relates to the personal information of its citizens. It has been a demand of law enforcement for a long time, even in India. A change in law is also being demanded in this context.

In practice, Data Localization translates into holding the data in a data center which is physically located within the boundaries of a given country.

Jurisdiction is a growing concern, particularly with the development of Cloud Computing, and is related to the demand for Data Localization. Presently most Cyber Laws provide extra-territorial jurisdiction in law, though at the implementation level there is a problem of exercising jurisdiction in the absence of treaties.

Data Sharing is related both to Data Localization as well as Data Jurisdiction but it is more a factor of “Attitude” and “Business Concerns”. If industry wants to share data on incidents either among themselves or with an industry specific CERT, there is no law to prevent it since there is always the possibility of de-identification of personal data. Businesses are more concerned about reputation loss and avoid data sharing and this attitude needs to change.

Certain countries have started legislating on Data Localization. Initially small countries like Nigeria and Vietnam started the trend, perhaps to prevent their authority from being eroded. Russia in 2015 mandated that “data operators that collect personal data about Russian citizens record, systematize, accumulate, store, amend, update and retrieve data using databases physically located in Russia”.

China has announced a “Cyber Security Law” which mandates that “Critical Information Infrastructure Operators” need to store certain personal and business information within China.

Some countries have tried to achieve data localization objectives by placing legal restrictions on data being stored outside their jurisdiction by imposing heavy penalties. GDPR is one such example. Even HIPAA of US falls into this category.

India has already been trying to implement the Chinese model, whereby Government sector data is to be stored within India, through operational guidelines. A law can however be introduced either through the amendments now under consideration for ITA 2008 or through the proposed Data Protection Act being designed.

In taking a view on the required legislation in this regard, we need to be clear on why we want or need Data Localization.

For example, we need to ask whether Data Localisation is required

a) As a strategy to increase data storage business in the country?

b) As a requirement to protect the privacy of the data subject?

c) As a means to empower the law enforcement to investigate crimes?

d) As a provision to enable snooping by Government?

If we need Data Localization to protect the privacy of a data subject, we also need to pass the necessary privacy protection laws; without such a law, the data localization demand appears less convincing.

Law enforcement or the Government requires only “Access to Data” for their investigation and it is immaterial whether the data is in India or abroad.

There are also enough provisions already in the law to demand production of data for investigation, or even snooping (through ISPs), under ITA 2000/8, and quite often the problem is not with the law or the powers of the law enforcement but the willingness of data controllers to abide by the demand.

Under Sections 69, 69A, 69B or 70B, authorities in India may demand that entities who are collecting and storing data from India provide access, including decryption, failing which the entity can be charged for non-cooperation with criminal penalties for the executives of the Company. If the data controllers do not understand their liability, or the authorities are not enforcing their powers, then we need to see how we improve the enforceability of the law.

Data by its very nature needs to be copied for disaster recovery purposes and also needs to be encrypted for security purposes. We therefore cannot legislate that data cannot be copied or encrypted.

Disaster Recovery against “Country Risk” requires storage of data in multiple countries. Hence when we talk of “Data Localization”, we may only be able to insist that “A copy of the Data shall be stored in the local server”, which will serve the policing requirement. This is different from the provision that “Data shall not be moved out of the borders”, which is required for Privacy Protection requirements.

We know that Data, irrespective of location, can be accessed and manipulated from anywhere. Hence data stored here in India may be made inaccessible by encryption or even deleted, so that law enforcement is denied access. At the same time, even if data is stored elsewhere in the cloud, it can be accessed from India if we have the credentials.

Hence the requirement being pursued, that data should be stored in servers located in India, is not necessarily a critical requirement. What we need is “Data Access”, which is a function of the willingness of the data controller to cooperate, which is addressed in the penal provisions attached to ITA 2008 for not cooperating with CERT-In or the Secretaries of Home or IT in different contexts.

One of the other speakers pointed out that even for treaty purposes, a provision under CrPC such as a Sec 91 notice can be held equivalent to a judicial order to claim that the respondent needs to comply under the treaty. Under this principle, the need for a new law, in cases where the existing law with appropriate notifications may suffice, is not supported.

Even if a law is attempted, it may have to restrict itself to “Data of Indian Subjects” and cannot extend to data of foreign subjects processed in India.

In this context we may have to define our Data Protection law with a distinction as to the nationality of the data subject, which should become part of the data classification procedure. There could be separate regulations for Personal and Sensitive Personal Data of Indian subjects, non-personal data from Indian corporates, personal data of data subjects of different countries of origin, non-personal data of foreign data subjects etc.

On the contrary, if we fully utilize the powers under ITA 2008, we can achieve all the law enforcement objectives. In case of resistance by data controllers, we have no option but to exercise our penal provisions to ensure compliance.

We therefore can think of shedding our fixation on “Server Presence in India” and focus more on “Ensuring Compliance of Data Controllers to Indian law enforcement requirement”.

The concept of “Data Access” being more important than “Data Localization” is already enshrined in our law through Section 65B of the Indian Evidence Act, which recognizes that “Data as viewed on a Computer can be admissible in a Court of law, if it is produced along with some relevant certificates” without the “Data Container” (the hard disk on which the data resides) being brought into the custody of the Court.

We need to appreciate that Data is like Spectrum. It can be experienced but not held in the hand. The binary data gets processed in an application and operating system and gets rendered as text, sound or an image visible or audible to a human being. This effect of the data is what causes legal issues, and “Access” is sufficient to provide judicial validity to data wherever it resides, as long as it can be accessed from India. If people do not cooperate in allowing such access, they will not do so even if we seize the server and bring it into the Court.

The objective of Data Localization, Data Jurisdiction and Data Sharing therefore boils down to

a) A permission to access data when required

b) Preventing anybody else from denying such access

ITA 2008 provides quasi-judicial powers to the Director General, CERT-In, which extend not only to the Government sector but also to the Private Sector. He has the necessary powers to issue notifications that need to be complied with, including mandatory reporting of incidents. If these powers are properly exercised, the need for a new Cyber Security Law for Data Localization, Data Jurisdiction and Data Sharing may not arise. Any such new law will only increase the confusion with overlapping provisions in multiple laws.

On the other hand, if we desire to introduce Data Localization for the purpose of increasing Data Storage activity in India, we can do so not only for the storage of personal data of Indian data subjects, but also for the global citizens by implementing strategic business oriented decisions including some legal fine tuning.

For this purpose we need to allow the setting up of defined “Data Processing Zones” (on the lines of SEZs) where the processing is made immune by law to intervention of Indian laws. Such Data islands can be used to process data of foreign subjects as per the laws of that country. If the services can be otherwise cost effective, there is no reason why data processors abroad may not think of using Indian data centers for processing data of EU or US data subjects, subject to the laws of their respective countries.

Summary of Action Points

  1. Law already recognizes that Data is different from the Data Container, and while Data Containers can be placed within India, the data inside is controlled on the basis of logical access, which may be exercised from within the country or outside. Hence Data Localization, as a concept of the data server being located in India, is not a critical requirement. Enforcing Access to data is more critical.
  2. Law can define classification of data based on the citizenship of the data subject in addition to the sensitivity parameters. Indian law may be able to regulate the data of Indian data subjects irrespective of the location of the server.
  3. Law may liberate the information of foreign subjects processed in India from Indian regulation by creating special Data Processing Zones. This will encourage Indian and foreign companies to process the data of subjects of their respective countries, subject to the laws of their countries, with immunity from the laws of the Indian Government. This will give them the confidence that the Indian Government does not snoop on this data, nor does Indian law enforcement seize the data or ask for access except as otherwise done through treaties. Since the data subjects are not Indian, there is nothing to lose by giving up this right. In exceptional circumstances, the option of a treaty would still be there. This will improve the prospect of “Process Data In India” as a business proposition.
  4. Though a separate Cyber Security Law is the flavour of the day, with Russia, China, Singapore and Australia adopting that strategy, we do not necessarily have to follow the herd. To avoid proliferation of laws with overlapping provisions, India may use the existing provisions of ITA 2000/8, with minor amendments to the same act if necessary, to meet the requirements of
    1. having access to data of Indian subjects irrespective of the location of servers and the nationality of the data controllers, and
    2. simultaneously liberating the data of non-Indian subjects from Indian legal encroachment through the setting up of the Special Data Zones.

Naavi
