
Naavi.org

Building a Responsible Cyber Society…Since 1998


The globalization of Indian IT business has created many challenges for the Indian economy as a whole and in particular for certain domain-specific regulators. One such regulator that frequently finds itself in a bind is the RBI, while regulating foreign exchange transactions. Over the years the strict regulations under FEMA have been diluted and great freedom has been given to the Indian public to purchase foreign exchange, retain it abroad and use it for specified purposes.

In the free trade environment, there are many instances where an Indian company enters into a business contract in which it commits itself to certain obligations which directly or indirectly are convertible into payment of compensation to a foreign company in foreign exchange. In the process the regulatory functions of the RBI get disturbed.

As long as the compensation is reasonable and is directly related to, and a part of, the revenue proposed to be earned through the contract, it is a fair proposition.

However, in recent days we have seen that "Indemnity" obligations under certain contracts far exceed in value the actual revenue gained from the contract. One example was the claim of US$ 1 billion made on Satyam (before its merger with Tech Mahindra) for violations of its software development contract and failure to provide appropriate documentation for the beneficiary (UPAID) to obtain a valid patent in the USA. This is reported to have been finally settled for US$ 70 million in the dispute resolution process.

TCS also faced a situation where a US company, Epic, obtained a jury verdict of US$ 940 million against it for a data breach incident (unauthorised access to Epic's confidential documents); the author expects this to have been reduced to around US$ 200 million in subsequent proceedings.

Recently, the Tata Group has had to face litigation over its obligations under a contract with DOCOMO, which involved payment of compensation in foreign exchange.

These instances indicate that companies end up confronting the RBI when seeking foreign exchange remittances arising from contractual obligations about which the RBI had no inkling until the liability matured. Given the comfortable foreign exchange reserves at present, the RBI may be able to meet the requirements without fuss, but it is bad in principle that the RBI should be unaware of such liabilities until they fructify.

With the onset of GDPR, which provides for penalties of up to 4% of the global turnover of a data controller or data processor that comes directly under EU jurisdiction, the rules of the game have changed. EU companies will without doubt incorporate compliance obligations along with indemnity clauses in their contracts with Indian subcontractors who are "non-EU data processors".

Some Indian companies may come directly under the regulation if they provide services to individuals in the EU, including "monitoring" the activities of EU data subjects. All other data processors in India who enter into a contract with an international data controller are also exposed to the indemnity liability by virtue of the contracts signed.

Some of these contracts may appear to emanate from, say, the US, but the US client may itself have a back-to-back processing contract with EU companies, and hence Indian companies have to cover themselves for the GDPR risk even in these contracts.

Hence the "liability risk arising out of data breaches, for Indian companies acting as data processors" is a universal risk that cumulatively adds up to several billion US dollars. It cannot be ignored.

Remember that the indemnity clause may simply say "...shall indemnify any loss caused to Party A by Party B not complying with the provisions of this contract..." (or equivalent) and not specify any limit.

We are therefore exposing ourselves to a risk of 4% of the global turnover of the international client (the data controller), not limited to 4% of the turnover of the Indian company.

GDPR also provides for EU data subjects themselves claiming compensation from the subcontractors (processors) of a data controller, and hence some maverick may file a class action against an Indian company for a mass data breach with a claim for compensation running to billions of dollars.

In this context, we need to take a look at some of the clauses in the Model Standard Contractual Clauses issued earlier by the EU, which were already part of some business process contracts and may be incorporated in contracts now renewed under GDPR as standard data protection clauses under Article 46(2)(c).

Some of these clauses are as follows:

“…The data subject can enforce against the data importer this Clause, ….(Ed: when a remedy may not be easily available against the data controller)”

“…The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law”

“.. The data importer agrees and warrants:….that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract…” etc

Without going into further details, we can see that these contractual terms try to override Indian law.

We should not treat these as the normal clauses of a contract, where the forum for dispute resolution is merely switched from courts to arbitration or from one country to another. These clauses create a liability that is "indeterminable" at the time of signing the contract and on which the contracting parties may not have a "meeting of minds".

Secondly, India has a financial regulation under which the RBI regulates the flow of foreign exchange. While, in pursuance of the overall economic objectives of the country, the RBI has provided for many free remittance options, some requiring mere reporting to or approval from an Authorised Dealer, remittances that may run to millions of dollars cannot be delegated to Authorised Dealers or brought under free contractual remittances.

Hence when a data processor company in India receives a notice from an EU regulator or a data controller to pay a few million US dollars as compensation, or to attend an arbitration which may eventually lead to a similar decision, it cannot decide to make the payment without referring the matter to the RBI, even if the company has foreign exchange balances earned through its exports and held in an approved foreign currency account (Exchange Earner's Foreign Currency Account, or EEFC).

The permissible debits to an EEFC account are as follows.

i) Payment outside India towards a permissible current account transaction [in accordance with the provisions of the Foreign Exchange Management (Current Account Transactions) Rules, 2000] and permissible capital account transaction [in accordance with the Foreign Exchange Management (Permissible Capital Account Transactions) Regulations, 2000].

ii) Payment in foreign exchange towards cost of goods purchased from a 100 percent Export Oriented Unit or a Unit in (a) Export Processing Zone or (b) Software Technology Park or (c) Electronic Hardware Technology Park.

iii) Payment of customs duty in accordance with the provisions of the Foreign Trade Policy of the Central Government for the time being in force.

iv) Trade related loans/advances, extended by an exporter holding such account to his importer customer outside India, subject to compliance with the Foreign Exchange Management (Borrowing and Lending in Foreign Exchange) Regulations, 2000.

v) Payment in foreign exchange to a person resident in India for supply of goods/services including payments for airfare and hotel expenditure.

Permitted current and capital account transactions under FEMA are described below.

A Current Account Transaction is defined as a transaction other than a Capital Account Transaction, i.e. a transaction which does not alter the assets or liabilities outside India of a resident, or the assets or liabilities in India of a non-resident.

Such transactions include:

-Payments due in connection with foreign trade, other current business, services, and short term banking and credit facilities in the ordinary course of business.

-Payments due as interest on loans and as net income from investments,

-Remittances for living expenses of parents, children, and spouse residing abroad,

-Expenses in connection with foreign travel, education and medical care of parents, spouse and children.

Capital Account Transactions are classified into two classes:

(i). Capital Account Transactions of person resident in India.

-Investment in foreign securities
-Foreign Currency loans raised in India and abroad
-Transfer of Immovable properties outside India
-Guarantees issued by a person resident in India in favour of a person resident outside India.
-Export, Import and holding of currency/currency notes.
-Loans and overdrafts (borrowings) by a person resident in India from a person resident outside India
-Maintenance of foreign currency account in India and outside India by a person Resident in India.
-Taking out an insurance policy from an insurance company outside India.
-Loan and overdraft to a person resident outside India
-Remittance outside India of capital assets of a person resident in India.
-Sale and purchase of foreign exchange derivatives in India and abroad and commodity derivatives abroad

(ii). Capital Account Transactions of person resident outside India.

(a) Investment in India by way of Issue of securities by a body corporate or an entity in India and investment therein by a person resident outside India; and
Investment by way of contributions by a person resident outside India to the capital of a firm or proprietorship concern or an association of person in India.

(b) Acquisition and transfer of immovable property in India by, or on behalf of, a person resident outside India.

(c) Guarantee by a person resident outside India in favour of, or on behalf of, a person resident in India.

(d) Import / Export of Currency/Currency Notes/ into/from India by a person resident outside India

(e) Deposit between a person resident in India and person resident outside India.

(f) Foreign Currency Accounts in India of a person resident outside India

(g) Remittance outside India of capital assets in India of a person resident outside India.

All payments in foreign exchange other than those mentioned above require the "prior approval" of the Government of India.

However, in the case of liabilities arising out of the Standard Contractual Clauses in a data processing contract, a company approaches the Government or the RBI with a post-facto request that it has to remit foreign exchange, and the RBI or the Government will be in a dilemma over how to deal with this fait accompli.

In my opinion, a company entering into a contract knowing fully well that it does not have prior approval from the Government for the contingency of having to perform one of the contractual clauses is entering into a "fraudulent contract".

It is neither enforceable by the data controller nor executable by the Indian data processor.

Should we place our Indian companies in such a situation? There is a need for NASSCOM and the Government to ponder over the issue.

On my part, I suggest that companies ensure that their contracts are all made "subject to the laws prevailing in India". In other words, contracts should include a "GDPR Exclusion Clause" under which

a) the liabilities are limited to a particular amount for which the company has obtained prior permission from the Government, or

b) the liabilities are subject to the laws of India, including FEMA.

I am sure that business managers will raise a hue and cry about rejecting the standard contractual clauses suggested by clients, and the corporate legal advisors may be brushed aside.

However, from the compliance angle, I would advise the legal advisors and compliance managers to raise an alert so that top management takes a decision based on its risk appetite. The CFOs and the financial auditors should qualify the accounts, both for balance sheet purposes and for SEBI purposes, stating that "certain liabilities committed by the Company are not quantified and not provided for".

Alternatively, NASSCOM, the RBI and the Finance Ministry need to sit together and find a solution. The present moment is a good time to find one through the proposed Indian Data Protection Act, which is under drafting by the Ministry of IT in consultation with NASSCOM. This law will introduce a super-regulator for data protection, who may be called the "Data Commissioner of India" and who will be responsible for all "data" processed in India.

ITA 2000/8 tries to protect data from the perspective of an Indian data subject whose personal and sensitive personal information is processed by an Indian company. It indirectly addresses the rights of international bodies by providing that a "reasonable security practice" under Section 43A may be as defined in a contract between the data subject/data controller and the data processor. This enables an international data controller to seek a remedy for its losses under ITA 2000/8 when there is a breach of the contractual security terms, and opens a door for the indemnity clause to be enforced with the support of the Indian judiciary (the Adjudicator).

The proposed Data Protection Act of India may go a step further and make all data processors in India subject to a registration/licensing process with the Data Commissioner. This office can, if necessary, also be made responsible for vetting data processing contracts and ensuring that there are no inherent conflicts.

Alternatively, the Data Commissioner of India should be given a mandatory power under which no legal action can be initiated against a registered data processor in India without the permission or intervention of the Data Commissioner. In such a case this office will act as a filter between Indian data processors and foreign data controllers/data subjects and ensure that no unreasonable liability suit is foisted on Indian companies.

I request MeitY, NASSCOM and the RBI/Finance Ministry to quickly start negotiating on this matter before the law is frozen (before October, as the Government has indicated).

An opportunity missed now will be an opportunity lost for ever.

Naavi

Petrol Bunk Chip Scam is a Cyber Crime

Posted by Vijayashankar Na on April 28, 2017
Posted in Cyber Law


Police in Lucknow have raided several petrol bunks that were using a chip inside the dispensing unit to dispense less petrol than metered, systematically siphoning off about 50 ml for every litre billed.

This is similar to a fraud discovered some time back in Bangalore, where auto-rickshaw meters were tampered with a chip which made the meters run faster than they should.

In fact the Chinese are known to have mastered the "Manchurian Chip" fraud, whereby chips are inserted inside computers for the purpose of creating a backdoor. This was confirmed earlier by Scotland Yard in the case of POS machines from which credit card information was being stolen and forwarded from the UK to China.

Refer to this article from 2008.

Both these cases are clearly "tampering with a computer device" and amount to a cyber crime under Section 66 of ITA 2000/8, besides other sections of the IPC.

So far it appears that the Police are hunting only for the person who fitted the chip in the bunk. They also need to arrest the petrol bunk owners, who are the financial beneficiaries of the fraud.

It is possible that some of them might have removed the chip by this time. However, if the petrol purchase and sale quantities are audited and reconciled over a period, it is possible to observe whether the total metered sales exceed the petrol that actually left the tank (purchases adjusted for stock in hand), and this should be sufficient to book the owners for a criminal offence both under ITA 2000/8 and under the Income Tax Act for suppression of income.
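The reconciliation described above is a mass balance over the bunk's own records: what the dip readings and tanker invoices say left the tank, against what the pump totalisers say was billed. A dispenser chip that shorts every litre leaves metered sales persistently above the physical drawdown, and the gap survives even after the chip is pulled out, because the stock records do not change. The following is an added example in Python, not from the original post; the figures are constructed, and the 1% loss tolerance and the weekly period layout are assumptions (real tolerances come from local weights-and-measures rules).

```python
from dataclasses import dataclass

# Assumed tolerance for legitimate loss or gain (evaporation, temperature,
# meter calibration drift). Not a legal figure; adjust to local rules.
LOSS_TOLERANCE = 0.01  # 1 % of metered sales


@dataclass
class StockPeriod:
    label: str
    opening_litres: float        # tank dip reading at start of period
    deliveries_litres: float     # tanker receipts per purchase invoices
    closing_litres: float        # tank dip reading at end of period
    metered_sales_litres: float  # pump totaliser difference / litres billed


def physical_drawdown(p: StockPeriod) -> float:
    """Litres that actually left the tank, from stock and purchase records."""
    return p.opening_litres + p.deliveries_litres - p.closing_litres


def skim_ratio(p: StockPeriod) -> float:
    """Fraction of each billed litre that was never delivered.

    Positive means customers were billed for more than left the tank
    (the tampered-dispenser signature); a small negative value is the
    normal case, since evaporation removes fuel that is never billed.
    """
    return (p.metered_sales_litres - physical_drawdown(p)) / p.metered_sales_litres


def audit(periods, tolerance=LOSS_TOLERANCE):
    """Return (label, skim_ratio, ml short per litre) for suspicious periods."""
    flagged = []
    for p in periods:
        r = skim_ratio(p)
        if r > tolerance:
            flagged.append((p.label, round(r, 4), round(r * 1000)))
    return flagged


def unaccounted_litres(periods) -> float:
    """Total litres billed but not physically delivered across all periods."""
    return sum(p.metered_sales_litres - physical_drawdown(p) for p in periods)


# Constructed records: two weeks with a 50 ml/litre short delivery and one
# clean week with a 0.5 % evaporation loss.
SAMPLE_PERIODS = [
    StockPeriod("week 1", 10000, 20000, 11000, 20000),  # drawdown 19000, billed 20000
    StockPeriod("week 2", 11000, 15000, 5900, 20000),   # drawdown 20100, billed 20000
    StockPeriod("week 3", 5900, 24000, 9950, 21000),    # drawdown 19950, billed 21000
]

if __name__ == "__main__":
    for label, ratio, ml in audit(SAMPLE_PERIODS):
        print(f"{label}: {ratio:.2%} short, about {ml} ml per litre")
    print(f"unaccounted litres: {unaccounted_litres(SAMPLE_PERIODS):.0f}")
```

Running on the constructed data flags week 1 and week 3 at 5% (50 ml per litre) and passes week 2, whose small negative ratio is ordinary evaporation. The per-litre figure is what ties the ledger discrepancy back to the chip's behaviour, and the totaliser readings, dip charts and invoices are the records an investigator should seize before the owner has a chance to "correct" them.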

Hope Police will act in this direction.

Naavi


When a Palghar girl posted a message on her Facebook page raising a query, "Why should there be a Mumbai bandh if Mr Bal Thackeray has died?", and another Palghar girl clicked the "Like" button against the message, Police in Palghar moved in under pressure from Shiv Sena activists, and perhaps in a bid to prevent a law and order situation, arrested the two girls, and the Magistrate remanded them to 15 days' judicial custody. Unfortunately, the girls belonged to the minority community and the media went berserk along with the pseudo-secularists. Naturally, it became an issue for national debate, culminating in the scrapping of Section 66A of ITA 2000/8 by the Supreme Court.

Unfortunately, the debate was not on the excess committed by the Police in arresting the girls for an innocuous Facebook post or a "like". The wrath was directed at the law, more specifically at Section 66A under which the case had been booked, and uninformed pseudo-intellectuals wanted the offending law to be scrapped.

Our honourable Courts, both the High Court in Mumbai and subsequently the Supreme Court, seemed to agree that there was something wrong with the law (implying that there was nothing wrong with the Police in interpreting the law), and finally the honourable Supreme Court cited this incident as creating a "chilling effect" on the fundamental right of "freedom of expression" enshrined in our Constitution and declared that there was no way that this section could remain in our law.

Several brownie points were gained by the persons involved in ensuring that Section 66A was scrapped, including police officers, activists, advocates, media persons and even the Judges.

The Government also caved in to the popular perception that Section 66A as drafted was at fault, and not its interpretation by the Police, prosecutors and Judges at all levels.

Soon after Section 66A was scrapped, people including the Police, the Government and the Supreme Court realised that it was a mistake to have scrapped the section and are desperately looking for its reintroduction. A separate expert committee has now been formed to amend ITA 2008 to bring back Section 66A in a face-saving manner. The T.K. Vishwanathan Committee is working on this along with other changes that may be required.

In the meantime, WhatsApp has been in the news not only for having been banned in Kashmir for its misuse by terrorists, but also elsewhere, where admins are being threatened with legal action for offensive messages in a group.

The latest such report comes from Varanasi: according to a joint order issued by the district magistrate of Varanasi and the city's police chief, an FIR can be filed against the administrator of a WhatsApp group for the posting of offensive content in the group.

According to the news report, concerns are often raised about fake news, morphed photos and offensive videos circulated on social media that can potentially trigger tension and even communal strife in a region. To address this, an order has been issued jointly by the Police and the Magistrate in Varanasi that an FIR (First Information Report) can be filed against a group administrator if factually incorrect, rumour-based or misleading information is circulated on his/her social media group.

There is no doubt that WhatsApp, as well as other messaging solutions and social media in general, can be misused by deviant minds to commit crimes of different sorts, including inciting the community.

We take strong objection to the Magistrate and the Police Officer threatening WhatsApp admins and creating a "chilling effect" across the country targeting WhatsApp admins in general.

We have a law in India called ITA 2000/8, and the Magistrate and the Police are bound to follow the law and not create their own laws, however well intentioned their "order" may be.

Police often give advisories to the public about various crime situations, and an "advisory" to WhatsApp admins that they should be careful when adding members to a group, so as to avoid bad elements who try to incite passions, and that they should take counter action if anybody tries to circulate fake news for the purpose of inciting violence in the community, would be perfectly in order.

But an "order" is completely out of place and is ultra vires the law. It must be withdrawn to limit the damage.

In this context it is necessary for us to reiterate that we need to distinguish between a "message" and "publishing", and how even the Supreme Court missed this point when it ruled in the Shreya Singhal case that Section 66A addresses "free speech" and makes it punishable.

Notwithstanding the value of this judgement as a "precedent" that can be followed by lower Courts, I would like to state that there is a need to reject this judgement and re-establish a correct understanding of the position of WhatsApp and other messaging systems.

Let me clarify, before I am misunderstood, that I am completely against the action taken by the Police on the Palghar girls as well as in the other cases cited in the Shreya Singhal case. But I hold the "uninformed, ignorant Police" responsible for the plight of innocent citizens, and not Section 66A.

Section 66A addressed what we need to recognise as "messaging", and there are other sections such as Sections 67, 67A and 67B which address what we need to recognise as "publishing", though the Courts missed this point altogether.

Messaging is a communication from one person to another directly with the use of a device such as a mobile phone sending an SMS, or e-mail. A message sent to one person is not expected to be available to another person unless the same message is duplicated to the other person in the form of a "group message". "Publishing", on the other hand, is a message that is in the public domain and available to anybody who is able to access it. Section 66A was meant for messaging and not for publishing. Twitter and Facebook are "publishing" and not "messaging", and hence the Supreme Court was wrong in using the Facebook and Twitter cases, wrongly brought under Section 66A, to scrap Section 66A.

Now in the case of a group message, law enforcement would be concerned in the case of, say, a group which meets privately and discusses some criminal activity. Here all the group members have assembled for a common purpose, including the admin, who is like the person who organises a meeting in his house. Though the discussion happens behind closed doors, if law enforcement comes to know of the use of a meeting for anti-social activities, it can take action not only against the owner of the house, but also against the person who sent out the invites and the person who gave the objectionable speech.

But if a meeting has been organised for some other purpose and somebody stands up and shouts, say, an anti-social slogan, then one has to be careful in defining what action the owner of the house where the meeting is taking place, the person who called the meeting and the other participants need to take, and whether the Police and the Magistrate can issue an order that they will be arrested on a charge of organising the entire event only for the purpose of committing an illegal act.

If so, in the Kanhaiya Kumar case, even the Vice Chancellor of the University and other administrators should be equally guilty.

Police and the Judiciary should recognise that "WhatsApp" is a "platform" that enables people to send messages from their device to another member's device. If the addressee is online, the message may reach him immediately. If not, the message would be "in transit" and be delivered to the addressee when he reconnects. In the meantime it is in temporary storage as a "cache" on the WhatsApp server.

WhatsApp is not "publishing"; the members join voluntarily and are not the public. Hence any message exchanged on WhatsApp should be considered a "private" communication between consenting individuals. If somebody comes before me and shouts or whispers anti-national slogans, you cannot hold me responsible for it. Similarly, the members of a WhatsApp group are not individually responsible for the views expressed by anybody else.

The administrator is also a "listener" in this context. His role in administration does not include "moderation" of a message before it is posted. His powers are limited to removing a member.

The responsibilities of an admin are therefore:

a) to ensure that group members who do not follow certain standards of communication are not allowed to remain. (Finding out whether a message is fake or not is not an easy responsibility even for the Police, and it is not fair to assume that the admin would be capable of investigating the correctness of any message posted.)

b) to ensure that, before admitting a member into a group, he knows something about the person.

These two responsibilities need to be incorporated as a "group policy", and Naavi.org has published a "Model WhatsApp Admin Policy" to be followed.

I would have appreciated it if the Police in Varanasi and the Magistrate had formulated a similar policy and advised the admins to adopt it.

They could also have called a public meeting of "WhatsApp" admins (which should extend to Telegram, Snapchat etc.) in which the concerns of law enforcement were discussed and these model policies presented.

Since admins may not always be online when an offending message is posted, I normally advise anybody else who considers a message offensive to post their objection. This should at least absolve them of the responsibility of being complicit in the misinformation campaign.

I hope that at least now the persons concerned will take steps to withdraw what they have called an "order", make it only an "advisory", and instead conduct an awareness programme for the public to apprise them of their responsibilities both as members of a group and as admins. If not, the mistake of the Police will once again create a new law which is not supposed to be there, whereby administrators of WhatsApp groups are required to be police officers themselves.

We should stop the practice of ignorant Police creating laws through misinterpretation, which then get validated through the ignorant judicial process that follows, establishing a "fake law" as "the law".

Naavi


 

Will PSD2 have an impact in India?

Posted by Vijayashankar Na on April 27, 2017
Posted in Cyber Law

Recently, in WhatsApp circles, there was news about the RBI cautioning the public about "multi-bank balance enquiry apps". This was actually an advisory issued earlier, on 11 April 2015, in which the RBI stated as follows.

“It has come to the notice of the Reserve Bank of India that an app (application) is doing rounds on WhatsApp purportedly to facilitate checking of balance in customers’ bank accounts. The application has an RBI logo with the title ‘All Bank Balance Enquiry No’ and has listed several banks with either a mobile number or call centre number.
The Reserve Bank wishes to clarify that it has not developed any such application. Members of public are, therefore, advised to use the application, if at all, at their own risk.”

This could well be a case of a "fake app" or a "fraudulent app", or a case of misuse of the RBI trademark.

But in the era of growing FinTech companies, there are many genuine apps that provide money management facilities, including "multi-bank account access", and hence this could be taken as general guidance against all such apps.

Since financial information is one of the most sensitive kinds of personal information, and since today most bank accounts are linked to Aadhaar and Aadhaar itself is linked to everything including the PAN card, these "multi-bank apps" represent one of the highest concentrations of "privacy risk" and call for special attention in defining the "data security requirements".

While the RBI advisory above was re-circulated on social media and created some caution, it does not amount to a proper "information security advisory". The Watal Committee report addressed the growing security concerns in digital payment systems along with the need to promote such payments, and advised a review of the Payment and Settlement Systems Act 2007 (PSSA 2007), under which a "Payment Regulatory Board" (PRB) would supervise the information security requirements of the digital payment industry.

The Watal Committee also mooted the idea of "open access" to the payment systems by non-bank PSPs (Payment System Providers). When guidelines for this come up, FinTech companies may have unhindered access to the financial data of individuals. This could blur the difference between banks, which people trust much more today, and PSPs, many of which are start-ups with quick profits as their goal. Today many of them have access to credit information through CIBIL or other so-called "credit rating agencies", which often work on imperfect data and create adverse issues for individuals. But what the new regulations open up is access to the core banking system, where FinTech companies may have access to highly sensitive personal information.

In the EU, the "Payment Services Directive" (PSD) addressed the issue of privacy and data security in this domain. Now PSD2, the revised directive, applies with effect from 13 January 2018, with GDPR coming into force from 25 May 2018. The Watal Committee made a brief mention of PSD but did not take PSD2 into account. The Government has recently announced that by around Diwali a new Data Protection Act could be in place in India, and if so, it should incorporate additional data protection measures for personal financial data (PFD) in tune with the strict EU standards.

While IT companies handling data processing contracts from EU companies would be required to comply with PSD2 provisions as contractual data processors, the FinTech companies themselves that engage in PSP activities may not take note of PSD2. They are presently bound by Section 43A and Section 79 of ITA 2000/8 and required to comply with the privacy regulations and implement what may be termed "reasonable security practices". However, their practices are unlikely to meet the minimum standards of information security required in such cases.

Most mobile apps access financial information by taking blanket permissions for SMS, e-mail and calls before the user has even examined the app. Since banks send information about transactions by SMS and e-mail, the entire financial history of the customer becomes available to the app. This is used for creating expense accounts and other reports which are presented as a useful service to the data owner. There is no doubt that the information would be useful, but in the process the risk of critical PFD being shared with the FinTech company is a source of concern.
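How much an app learns from SMS read access is easy to underestimate, so here is an added example (not from the original post and not the code of any real app) that does what such an "expense tracker" does: a couple of regular expressions over transaction alerts. The message formats are constructed for the example, since every bank words its alerts differently; the point is that salary, outstanding balances on every account, loan EMIs and merchant habits all fall out of a few lines of parsing, which is the "personal financial data" the paragraph is concerned with.

```python
import re
from collections import defaultdict

# Constructed alerts in the style Indian banks send by SMS. Invented for this
# example; real formats vary and an app would carry one regex per bank.
SAMPLE_SMS = [
    "INR 50,000.00 credited to A/c XX1234 on 01-04-17 by NEFT-ACME TECH SALARY. Avl Bal INR 52,340.10",
    "INR 1,250.00 debited from A/c XX1234 on 03-04-17 at BIGBASKET. Avl Bal INR 51,090.10",
    "INR 18,000.00 debited from A/c XX1234 on 05-04-17 by NEFT-HOUSING LOAN EMI. Avl Bal INR 33,090.10",
    "INR 3,499.00 debited from A/c XX9876 on 07-04-17 at APOLLO PHARMACY. Avl Bal INR 9,501.00",
    "Your OTP for login is 483920. Do not share it with anyone.",  # not a transaction alert
]

AMOUNT = r"(?:INR|Rs\.?)\s*([\d,]+\.\d{2})"
TXN_RE = re.compile(
    AMOUNT
    + r"\s+(credited to|debited from)\s+A/c\s+(X+\d{4})\s+on\s+(\d{2}-\d{2}-\d{2})"
    + r"\s+(?:at|by)\s+(.+?)\.\s+Avl Bal\s+"
    + AMOUNT,
    re.IGNORECASE,
)


def parse_sms(text: str):
    """Extract one transaction from an alert, or None if it is not one."""
    m = TXN_RE.search(text)
    if not m:
        return None
    amount, direction, acct, date, party, balance = m.groups()
    return {
        "amount": float(amount.replace(",", "")),
        "direction": "credit" if direction.lower().startswith("credited") else "debit",
        "account": acct,            # masked number, but stable per account
        "date": date,
        "party": party.strip(),     # employer, merchant or lender
        "balance": float(balance.replace(",", "")),
    }


def build_profile(messages):
    """Reconstruct a financial profile from whatever alerts are in the inbox."""
    txns = [t for t in (parse_sms(s) for s in messages) if t]
    profile = {
        "accounts": {},                 # masked account -> last seen balance
        "merchants": defaultdict(float),
        "income": 0.0,
        "spend": 0.0,
        "liabilities": [],              # parties that look like loan repayments
    }
    for t in txns:
        profile["accounts"][t["account"]] = t["balance"]
        if t["direction"] == "credit":
            profile["income"] += t["amount"]
        else:
            profile["spend"] += t["amount"]
            profile["merchants"][t["party"]] += t["amount"]
            if "EMI" in t["party"].upper():
                profile["liabilities"].append(t["party"])
    profile["merchants"] = dict(profile["merchants"])
    profile["net_worth_visible"] = sum(profile["accounts"].values())
    return profile


if __name__ == "__main__":
    for key, value in build_profile(SAMPLE_SMS).items():
        print(f"{key}: {value}")
```

On the constructed inbox the profile shows two accounts with their current balances, a monthly salary and its source, a housing loan EMI and the pharmacy and grocery spend, all without a single API call to any bank. That is why a permission grant at install time is not meaningful "consent" for this data, and why the privacy policy, not the marketing page, is where the assurances have to be.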

When one views the terms and privacy policies of these FinTech companies, one may observe many anti-consumer clauses with absolutely no warranty on either information security or even the quality of service.

It was amusing to observe that one of the apps which is considered a successful FinTech app limits its own indemnity to the user to Rs 1000 while trying to get an unlimited indemnity from the user for its benefit, with no warranty. However, the website of the company, instead of talking about "zero warranty" and "unlimited liability", promises "bank grade security" and "no collection of sensitive personal information", while the app's privacy policy and terms do not contain the required assurances.

It was further interesting to observe that if one tries to make a psychological profiling of the Company, one is further intrigued by the “About Us” page of the Company highlighting the assets of the company, as captured by the following illustration.

The Company boasts of 5 million downloads in the last three years and a “Google Best App” award in 2015. As a keen observer of information security practices, the Privacy concerns across the globe and the emerging data protection regulations in India, US and EU, I find it difficult to be convinced that a company that is proud of the number of Beers consumed and its Bar Stools strength can be trusted with the financial information of a consumer.

This comment is not meant only against this company, since this could be the typical approach of most of these “FinTech” companies which are managed by good techies but without matching concern for information security.

When the new Data Protection Commissioner takes charge in India and such companies seek registration as a PSP, I wonder how the privacy policies and terms of use would be scrutinized.

If, on the other hand, the new Data Protection Act of India tries to adopt the strict terms of privacy regulation that an EU commission may expect under PSD2 or GDPR, then most of the Indian FinTech Companies will fail the “Test of Consumer Protection”. The Watal Committee report does focus on Consumer interest, and even the RBI has many times indicated its concern on consumer interest being sidelined by technology based banking software products.

Unless the FinTech Companies include a mandatory Cyber Insurance package where the users are protected against direct and indirect losses arising out of a data breach caused by use of the service, the Data Protection Commissioner should consider the security as “Inadequate” and red-flag the Apps.

PSD2 or GDPR or even the ITA 2008 would basically work on “Consent” and “Disclosure”, followed by other obligations of data protection. However, a “Disclosure” which is incomplete and misleading, and a consent based on “Clicking of the Continue” button on an App, will hardly satisfy the rigid standards of Consent envisaged under any legal principles.

I therefore urge the members of the FinTech Companies to come out of their “Tech Shell” and understand the disservice they are doing to the community by luring the public into Apps with little or no security, and really introduce some measures which include a fair insurance coverage for the users of their Apps along with fair terms and reasonable security.

I also request RBI that its 2015 advisory should not remain only as a formality and should be followed up by a new regulatory measure by the Payment Services Regulatory Board or the RBI committee which oversees these functions to address the issues of dilution of data security through mobile Apps.

The sooner this happens, the better it is for the Indian public. In the meantime, I also urge the FinTech industry to introspect and generate a “Self Regulatory Mechanism” that would protect the integrity of the industry.

In June 2016, RBI formed a committee under the Chairmanship of Mr Sudarshan Sen (SSWG) which had a scope to review the FinTech industry as it is emerging in India. However, there is no further news on the activities of this Committee. If it is still active, it should take into account the requirements of protecting the FinTech customers of India in terms of data protection standards equivalent to PSD2 and GDPR, through the proposed Indian Data Protection Act or through a notification from RBI, which is revising the PSSA-2007 as recommended by the Watal Committee.

Naavi

Section 65B Certification of electronic evidence produced in a Court proceeding in India has been a matter of intense discussion in the circle of Forensic experts, Law Enforcement and of course the Legal fraternity.

Historically, the undersigned was the first person to produce a report under Section 65B of Indian Evidence Act in a Court in India (Suhas Katti Case in 2004). Subsequently, it has been followed by many other Certificates issued under the banner of Cyber Evidence Archival Center (CEAC) in the last 12 or more years.

During this time, the undersigned has handled many interesting CEAC certifications including Web site pages, E Mails, Mobile data, Corporate Computer data, Personal Computer data, YouTube Videos, CCTV Videos, Extracts from Forensic software, Remote Desktop views etc. Some certifications are straightforward web pages as they appear, some are extracted with the use of some forensic software etc. Some electronic documents are text documents that can be easily printed out and some are audio and video files which have to be rendered only in soft copy format.

Every one of these different types of documents has been a challenge in terms of meeting the Section 65B requirements. Sometimes it has been necessary to structure solutions to extract the electronic documents as per the best understanding of the requirements of Section 65B as perceived by the undersigned.

As a result of such long experience over the past 12 plus years, the undersigned has developed specific procedures to present the “Computer Output” as required under Section 65B of Indian Evidence Act.

I am aware that there are legal luminaries who have special expertise in Indian Evidence Act and some of them may hold views different from mine on some aspects of how Section 65B has to be interpreted. It is possible that for various reasons, many of them had not focussed on the issue of Section 65B until recently, when the Supreme Court drew attention to the mandatory need for Section 65B certification for all electronic evidence presented to the Court (Refer Basheer Case).

I was however drawn into it right from 2002 when CEAC was formed as a service, and therefore the procedures developed must be considered as an evolution of the system over a long period. (It is not out of place to mention that I had proposed CEAC to be a public private partnership with the Ministry of IT at that time through the then CCA, though it could not be implemented, while it continued as a private service.)

At this point of time, Naavi’s approach to Section 65B certification used by CEAC should perhaps be considered as one of the approaches that needs to be accepted as a major school of thought, even if other experts have a different view point. However, we can say that Jurisprudence on this aspect is still under development, and different experts arguing differently and different Courts interpreting differently could be common. Some time in the future, I suppose the honourable Supreme Court will look into many of my articles including this one and give its own interpretation, which itself may undergo many iterations over time.

With this humble submission, I would like to present below my view on one hypothetical case based on a reference received by me regarding submission of forensic reports by Forensic Labs and Government owned establishments such as CFSL or other equivalent organizations.

In the reference, there were the following aspects.

  1. The evidence consists of a Call Data Record (CDR) extracted from a Mobile Service Provider (MSP). (Perhaps this includes Tower data record along with the billing and usage records.)
  2. Mobiles seized from the accused sent to the lab for analysis.
  3. Hard disks seized from the accused sent to the lab for analysis.

For the sake of discussion, I consider the following hypothetical requirement of the law enforcement.

The accused has used the mobile phone/s to make calls to, say, other co-accused or to the victim to further commit an offence which may be a Cyber Crime or a Physical Crime. The CDR was collected from the MSP and handed over to the lab for further analysis. Mobiles and Hard disks were seized from the accused by the Police and sent to the lab. The CDR evidence is to be used along with the forensic analysis of the mobile, where there may be contact details and some SMS/WhatsApp messages. It is possible that some of this data might have been deleted and has to be recovered using appropriate recovery software. Some of the recovered data may be fragments needing further interpretation. The Computer hard disk will also have many items related to the mobile and CDR, either in active files or deleted and recovered. There could also be a back up of phone data in the computer of the accused whose hard disks have been seized.

The questions that were posed in the reference were:

a) Who will provide the Sec 65B certificate for the CDR?

b) Will the Lab provide a Section 65B certificate for its report?

I will try to provide my views on these queries to the best of my knowledge and experience.

Though the final report is provided by the Lab, the CDR is handed over to them as an input along with other seized hard disks.

The CDR is an extract from the systems of the MSP and has to be therefore certified under Section 65B by the MSP’s person in charge.

If the MSP admin allows the files to be viewed by an independent expert, then the independent expert may take on record what he has seen, the circumstances under which he saw the documents, record it and add it under his Section 65B certification.

The CDR as presented by the MSP may be in say an excel form which the lab may use as an input and analyze through a CDR analysis software. This may display many results that appear in the screen of the analyst’s computer which he may record and use in his report.

Similarly, the mobile data or hard disk data may be analysed by the analyst using forensic software of different descriptions. The software may discover deleted files and show them on the analyst’s screen. Some of these electronic documents, as they appear on the analyst’s screen, may be captured and used as a part of the analyst’s report.

At the end of this exercise, the analyst will come to some conclusion in his report and answer the queries raised by the investigating officer.

In such a scenario, the question of how Section 65B certification has to be used by the Lab expert is a matter of discussion.

Now in the above case, the report could be considered as a combination of

a) Matter of fact observation when some content is displayed on the screen of the analyst under certain standard conditions.

b) Certain content displayed which may require an “Expert Knowledge” to draw a meaning.

Section 65B is mainly concerned with the presentation of an electronic document lying inside a computer as a “Computer Output” that can be experienced (Read, heard, seen) by the observer, for the purpose of admissibility by a Court.

“Interpretation” and drawing conclusions which are not obvious from the visible computer outputs (presented either as a print out or soft copy) is the subject matter of an expert in the domain. The matter of fact part of the report also requires certain expertise, but the level of expertise required for interpreting the data may be higher, or it may be an expertise completely outside the computer domain.

For better clarity, let us take an illustration where a lab analyst extracts an image of a wounded person from the computer and renders it as a computer output in his Section 65B Certified report. Another expert say a doctor views the photograph and opines that this wound appears to have been caused by such and such a weapon etc…

Here there are clearly two experts: first, the computer expert who discovered the image from a pile of deleted images, and second, the expert who had nothing to do with the Sec 65B Certified report but is an expert in another domain.

Sometimes, the division of roles of the “Observer” who extracts the information and the “expert” who interprets the document may not be so clear. It may be the same person who uses a forensic tool to extract fragments of a file containing log records and uses his computer expertise to interpret that the log record extracts mean certain things.

The Forensic lab analyst has such a dual role, and hence his report has the dual characteristic of being a report both as an observer of a “matter of fact” and as an expert “who interprets the fact”.

Another illustration that explains this situation is as follows.

Let us say there is a photographer who takes photographs. If it is a digital photograph, he can give a “matter of fact section 65B certification” stating that this is a faithful reproduction of a photograph which he took using such and such camera on such and such date and time at such and such place. This is the typical certificate where the certifier does not express any opinion on who is there in the photograph or what is happening: Is it a marriage? Is it a quarrel? etc.

Let us now say that the photograph is a video in which two persons are speaking in French. Let’s say the photographer fortunately knows French language and can interpret what the two are talking. He therefore produces a report in which the video is enclosed and states that the two persons were planning a terrorist attack. His certificate is now more than a Matter of fact certificate and includes his own expert view based on his language expertise.

The report that a Forensic lab person normally gives has this dual element of expertise: in the first place, the simple expertise of using some tool and making some electronic documents appear on the screen, which is then printed with a CTRL+P command; and in the second place, a “Forensic Expertise” where he adds his “Opinion” to the report.

A Good lab report has to be structured in such a manner that these two aspects are clearly brought out in the report itself, so that the Court can use the “Matter of Fact” report and discard the expert report if it deems fit. Alternatively, the Court may accept the matter of fact part of the report but approach another expert for interpretation to substitute the expert opinion part of the report. This means that the report may be taken as evidence in part and rejected in part. It may also be possible that the defense accepts the “matter of fact part” of the report but challenges only the “Expert opinion” part.
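The separation described above can be made explicit in the way a lab records its findings. The following is an added example (not CEAC's or any lab's own format): a small Python structure in which every rendered computer output carries the circumstances of observation (tool, platform, date and time, observer) needed for the Section 65B certificate, every opinion must cite the outputs it relies on, and the two parts can be produced separately so a Court can admit one and set aside the other. The field names and the sample CDR/handset entries are constructed assumptions.

```python
"""Added example: a lab report that keeps Sec 65B "matter of fact" computer
outputs apart from the analyst's "expert opinion". Field names and sample
content are constructed for illustration, not a real case or a real format."""
from dataclasses import dataclass, field


@dataclass
class ComputerOutput:
    """One electronic document rendered as a computer output, with the
    circumstances under which it was seen (the Sec 65B part of the report)."""
    ref: str
    description: str       # what appeared on the screen / print out
    tool: str              # software used to render or recover it
    platform: str          # computer, operating system, application
    observed_on: str       # date and time of observation
    observer: str          # person who signs the Sec 65B certificate


@dataclass
class ExpertOpinion:
    """Interpretation going beyond what is visible on the screen."""
    ref: str
    statement: str
    based_on: list[str]    # refs of the computer outputs relied upon


@dataclass
class LabReport:
    outputs: list[ComputerOutput] = field(default_factory=list)
    opinions: list[ExpertOpinion] = field(default_factory=list)

    def matter_of_fact_part(self) -> list[str]:
        """Lines a Court can admit on the strength of the Sec 65B certificate alone."""
        return [
            f"{o.ref}: {o.description} (rendered with {o.tool} on {o.platform}; "
            f"observed {o.observed_on} by {o.observer})"
            for o in self.outputs
        ]

    def opinion_part(self) -> list[str]:
        """Lines the Court may discard or replace with another expert's view."""
        return [f"{p.ref}: {p.statement} [relies on {', '.join(p.based_on)}]"
                for p in self.opinions]

    def dangling_opinions(self) -> list[str]:
        """Opinions citing an output the report does not reproduce; such an
        opinion cannot be traced back to a certified computer output."""
        known = {o.ref for o in self.outputs}
        return [p.ref for p in self.opinions
                if any(r not in known for r in p.based_on)]

    def needs_65b_certificate(self) -> bool:
        """A certificate is required as soon as the report reproduces and
        relies on any electronic document; a pure opinion report needs none."""
        return bool(self.outputs)


def build_sample_report() -> LabReport:
    """Constructed example following the hypothetical CDR/handset case above."""
    report = LabReport()
    report.outputs.append(ComputerOutput(
        ref="CO-1",
        description="CDR rows for the seized SIM as opened from the MSP's spreadsheet",
        tool="spreadsheet application", platform="lab workstation, standard OS",
        observed_on="date/time placeholder", observer="lab analyst (placeholder)"))
    report.outputs.append(ComputerOutput(
        ref="CO-2",
        description="recovered (deleted) SMS fragment from the seized handset",
        tool="mobile forensic recovery tool (unnamed)", platform="lab workstation, standard OS",
        observed_on="date/time placeholder", observer="lab analyst (placeholder)"))
    report.opinions.append(ExpertOpinion(
        ref="EO-1",
        statement="the recovered fragment is consistent with the call shown in CO-1",
        based_on=["CO-1", "CO-2"]))
    return report


if __name__ == "__main__":
    r = build_sample_report()
    print("Matter of fact part:", *r.matter_of_fact_part(), sep="\n  ")
    print("Expert opinion part:", *r.opinion_part(), sep="\n  ")
    print("Sec 65B certificate needed:", r.needs_65b_certificate())
```

The `dangling_opinions` check is the practical test of the structure: if an opinion cannot be traced to an output that is itself reproduced with its observation circumstances, the report has mixed the two roles and the Court cannot take the matter of fact part in isolation.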

It is a moot point at this point of time whether the reports provided by CFSL or other organizations which normally provide such forensic certificates have a system of structuring their reports as described above. It is possible that they simply enclose the evidentiary objects examined and directly go on to give a point by point reply to the investigating officer’s queries on the evidence.

Once we understand this nature of the Lab report, we can address the issue of whether Section 65B certificate is required for the lab report or not.

If the Analyst has reproduced any extracts of electronic documents as part of his report and relied on such extracts, then Section 65B certificate is required.

If the Analyst does not use any electronic document as part of his report and only gives out his views in isolation, then he need not provide Section 65B certificate.

In such a case he can be cross examined as a witness and further information can be sought.

In the case of a self evident/self sufficient “Matter of Fact Certificate”, the parties/Court may decide not to put the analyst as a witness and examine him, since there is no dispute on the matter of fact part of the report.

In most of the practical cases, a forensic lab will have electronic documents discovered by them based on which they provide their opinion. Hence their reports will have elements of both a “Matter of Fact Certification” and a “Forensic Expert Opinion”, and hence Section 65B certification as well as presentation as a witness may be required.

Where there is a case in which a web page has been certified by an independent observer like CEAC as it appears to the public on the web, with only simple tools such as a standard computer running a standard operating system and a standard browser application, the Section 65B certificate may be accepted without the need for cross examination of the certifier (unless the defense wants to challenge the witness and probably allege fabrication of evidence).

In such cases, the parties may accept the computer output for admissibility and argue on the content as they require. Eg: One may say that the words used are defamatory and obscene and the other may say it is not. The judge has to take the call.

In the Suhas Katti case, I had produced an extract from a web page which the advocates argued whether it was obscene or not. I had no role in deciding whether it was obscene content. Similarly, I had recorded the IP address visible in the header information of the message and given my limited expert view with the use of a “Whois query tool” to say this IP address appears to belong to BSNL, Mumbai. This was a low level forensic expertise. I was however examined in this case as an “Expert” and cross examined but there was no disagreement on the evidence produced. The only objection raised by the defense was that I was not a Government employee and the Court felt that expert can be a private person.

I have presented the detailed view point above to indicate that the Section 65B certificate is meant for replacing the need for the Judge to interpret the “Original Binary Content of an electronic document” and to enable him/her to take a view on the electronic document on the basis of a print out or soft copy of what the binary content means when rendered on the screen of a computer as a “Computer Output”. This is with the limited objective that the electronic evidence can be admitted and the trial can proceed. (Readers may kindly read my earlier articles on the subject also; links to them are provided below.)

The Forensic labs therefore need to learn to structure their reports appropriately, to indicate that part of the report is simply to render the “electronic document” as a computer output as is visible to a low level expert, while in some cases the report continues with an expert view where the “Opinion” of the observer is added as an “Expert”.

What I have presented here as a requirement for Forensic labs should also apply to a “Digital Evidence Examiner” accredited under Section 79A of the ITA 2008 and summoned by the Court for its assistance.

Comments are welcome.

Naavi

Related Articles

1. Basheer Case Judgement and Section 65B of Indian Evidence Act…Cyber Jurisprudence develops

2. Section 65B of Indian Evidence Act on Electronic Evidence Explained

3. Clarification on Section 65B… Who should sign the Certificate?

4. The Role of “Notified Digital Evidence Examiners”

ISMG India carried a report on the Prepaid Instruments recently which has been reproduced here.

Refer for more details here:

Naavi
