
Naavi.org

Building a Responsible Cyber Society…Since 1998

Petrol Bunk Chip Scam is a Cyber Crime

Posted by Vijayashankar Na on April 28, 2017


Police in Lucknow have raided several petrol bunks that were using a chip inside the dispensing unit to under-dispense, systematically siphoning off about 50 ml for every litre of petrol dispensed.

This is similar to a fraud discovered some time back in Bangalore, where auto meters were tampered with by fitting a chip that made the meters run faster than they should.

In fact, the Chinese are known to have mastered the “Manchurian Chip” fraud, whereby they insert chips inside computers for the purpose of creating a backdoor. This has been confirmed earlier by Scotland Yard in POS machines where credit card information was being stolen and forwarded to China from the UK.

Refer this Article of 2008

Both these cases are clearly “Tampering with a Computer device” and amount to a cyber crime under Section 66 of ITA 2000/8 besides other sections of IPC.

So far it appears that Police are hunting only for the person who fitted the Chip in the bunk. They need to actually arrest the Petrol Bunk owners who are the financial beneficiaries of the fraud.

It is possible that some of them might have removed the chip by this time. However, if the petrol purchase and sale quantities are audited and reconciled over a period, it is possible to observe if the total sale is more than the petrol purchased by the bunk and this should be sufficient to book the owners for a criminal offence both under ITA 2000/8 and also under the Income Tax act for suppression of income.

Hope Police will act in this direction.

Naavi


When a Palghar girl posted a message on her Facebook page raising a query …Why there should be Mumbai Bundh if Mr Bal Thakrey has died? and another Palghar girl clicked on the “Like” button against the message, Police in Palghar moved in at the pressure of Shiv Sena activists and, perhaps in a bid to prevent a law and order situation, arrested the two girls, and the Magistrate remanded them to 15 days judicial custody. Unfortunately, the girls belonged to the minority community and media went berserk along with the pseudo secularists. Naturally, it became an issue for national debate culminating in the scrapping of Section 66A of ITA 2000/8 by the Supreme Court.

Unfortunately, the debate was not on the excess committed by the Police in arresting the girls for the innocuous posting on Facebook or liking. The wrath was on the law, more specifically the Section 66A under which the case had been booked, and there were uninformed pseudo intellectuals who wanted the offending law to be scrapped.

Our honourable Courts, both the High Court in Mumbai and subsequently the Supreme Court seemed to agree that there was something wrong with the law, (implying that there was nothing wrong with the Police in interpreting the law) and finally  the honourable Supreme Court cited this incident as creating a “Chilling Effect” on the fundamental right of “Freedom of Expression” enshrined in our Constitution and declared that there is no way that this can remain in our law.

There were several brownie points gained by the persons involved in ensuring that Section 66A was scrapped including Police officers, activists, advocates and media persons and even the Judges.

The Government also caved in to the popular perception that Section 66A as it was drafted was at fault and not its interpretation by the Police, prosecutors and the Judges at all levels.

Soon after Section 66A was scrapped, people including the Police, Government and Supreme Court realized that it was a mistake to have scrapped the section and are desperately looking for its reintroduction. A separate expert committee has now been formed to amend ITA 2008 to bring back Section 66A in a face saving manner. The T.K.Vishwanathan Committee is working on this along with other changes that may be required.

In the meantime, WhatsApp has been in the news not only for having been banned in Kashmir for its misuse by Terrorists, but also elsewhere where Admins are being threatened with legal action for offensive messages in a group.

The latest such report comes from Varanasi. According to a joint order issued by the district magistrate of Varanasi and the city’s police chief, an FIR can be filed against the Administrator of a WhatsApp group for the posting of offensive content in the group.

According to the news report, concerns are often raised about fake news, morphed photos and offensive videos circulated on social media that can potentially trigger tension and even communal strife in a region. To address this, an order has been issued jointly by the Police and Magistrate in Varanasi that an FIR (first investigation report) can be filed against a group administrator if factually incorrect, rumour or misleading information is circulated on his/her social media group.

There is no doubt that WhatsApp as well as other messaging solutions and the social media in general can be misused by deviant minds to commit crimes of different sorts including inciting the community.

We take strong objection to the Magistrate and the Police Officer threatening the WhatsApp admins and creating a “Chilling Effect” across the country targeting the WhatsApp admins in general.

We have a law in India called the ITA 2000/8 and the Magistrate and the Police are bound to follow the law and not create their own laws however well intentioned their “order” may be.

Police often give advisories to the public about various crime situations, and an “Advisory” to WhatsApp Admins that they should be careful when adding members to a group to avoid bad elements who try to incite passions, and that they should take counter action if anybody is trying to circulate fake news for the purpose of inciting violence in the community, would be appropriate.

But an “order” is completely out of place and is ultra vires the law. It must be withdrawn to limit the damage.

In this context it is necessary for us to reiterate that we need to distinguish what is a “Message” and What is “Publishing” and how even the Supreme Court missed this point when they ruled on Section 66A in the Shreya Singhal Case that Section 66A addresses “Free Speech” and makes it punishable.

Notwithstanding the value of this judgement as a “precedent” that can be followed by lower Courts, I would like to state that there is a need to reject this judgement and re-establish a correct understanding of the position of WhatsApp and other messaging systems.

Let me clarify before I am misunderstood that I am completely against the action taken by the Police on the Palghar girls as well as other cases cited in the Shreya Singhal case. But I hold the “Uninformed, ignorant Police” responsible for the plight of innocent citizens and not Section 66A.

Section 66A addressed what we need to recognize as “Messaging” and there are other sections such as Section 67, 67A and 67B which address what we need to recognize as “Publishing”, though the Courts missed this point altogether.

Messaging is a communication from one person to another directly with the use of a device such as a mobile phone sending SMS, or E Mail. A message sent to one person is not expected to be available to another person unless the same message is duplicated to the other person in the form of “Group Messages”. “Publishing” on the other hand is a message that is in public domain and is available for anybody who is able to access it. Section 66A was meant for messaging and not for publishing. Twitter and Facebook are “Publishing” and not “Messaging” and hence the Supreme Court was wrong in using the Facebook and Twitter cases brought wrongly under Section 66A to scrap Section 66A.

Now in the case of a group message, the law enforcement would be concerned in the case of, say, a group which meets privately and discusses some criminal activity. Here all the group members have assembled for a common purpose including the Admin, who is like the person who organizes a meeting in his house. Though the discussion happens behind closed doors, if the law enforcement comes to know of the use of a meeting for any anti social activities, it can take action not only against the owner of the house, but also against the person who sent out the invites and the person who gave the objectionable speech.

But if a meeting has been organized for some other purpose and somebody stands up and shouts, say, an anti social slogan, then one has to be careful in defining what action the owner of the house where the meeting is taking place, the person who called the meeting and the other participants need to take, and whether the Police and the Magistrate can issue an order that they will be arrested on a charge of organizing the entire event only for the purpose of committing an illegal act.

If so, in the Kanhaiya Kumar case, even the Vice Chancellor of the University and other administrators should be equally guilty.

Police and the Judiciary should recognize that “WhatsApp” is a “Platform” that enables people to send messages from their device to another member’s device. If the addressee is online, the message may reach him immediately. If not, the message would be “in transit” and be delivered to the addressee when he reconnects. In the meantime it is in temporary storage as a “Cache” in the whatsapp server.

WhatsApp is not “Publishing” and the members join voluntarily and are not public. Hence any message exchanged in WhatsApp should be considered as a “Private” communication between two consenting individuals. However, if somebody comes before me and shouts/whispers anti national slogans, you cannot hold me responsible for it. Similarly, the members of a WhatsApp group are not responsible individually for the views expressed by anybody else.

The Administrator is also a “Listener” in this context. His role in administration does not include “Moderation” of a message before it is posted. His powers are limited to removing a member.

The responsibilities of an Admin are therefore

a) to ensure that group members who do not follow certain standards of communication are not allowed to remain. (Finding out if a message is fake or not is not an easy responsibility even for the Police and it is not fair to assume that the Admin would be capable of investigating the correctness of any message posted.)

b) to ensure that before admitting a member into a group, he knows something about the person

These two responsibilities need to be incorporated as a “Group Policy” and Naavi.org has given a “Model WhatsApp Admin Policy” to be followed.

I would have appreciated the Police in Varanasi and the Magistrate if they had formulated a similar policy and advised the Admins to adopt the same.

They could also have called a public meeting of “WhatsApp” admins (Which should extend to Telegram, Snapchat etc) in which the concerns of the law enforcement were discussed and these model policies presented.

Since Admins may not always be online when an offending message is posted, I normally advise anybody else who considers the message as offending to post their objection. This should at least absolve them from the responsibility of being complicit in the mis-information campaign.

I suppose that at least now, the concerned persons will take steps to withdraw what they have called an “order” and make it only an “advisory” and instead try to conduct an awareness program for the public to apprise them of their responsibilities both as members of a group as well as an admin. If not, the mistake of the Police will once again create a new law which is not supposed to be there, whereby Administrators of WhatsApp groups are required to be police officers themselves.

We should stop the practice of ignorant Police Creating Laws through misinterpretation which gets validated through the ignorant judicial process that follows establishing a “Fake Law” as “The Law”.

Naavi



Will PSD2 have an impact in India?

Posted by Vijayashankar Na on April 27, 2017

Recently, in the WhatsApp circles, there was news about RBI cautioning the public with “Multi Bank Balance Enquiry Apps”. This was actually an advisory issued earlier on 11th April 2015, in which RBI stated as follows.

“It has come to the notice of the Reserve Bank of India that an app (application) is doing rounds on WhatsApp purportedly to facilitate checking of balance in customers’ bank accounts. The application has an RBI logo with the title ‘All Bank Balance Enquiry No’ and has listed several banks with either a mobile number or call centre number.
The Reserve Bank wishes to clarify that it has not developed any such application. Members of public are, therefore, advised to use the application, if at all, at their own risk.”

This could well be the case of a “Fake App” or a “Fraudulent App” or the case of a  misuse of the RBI trademark.

But in the era of growing FinTech companies, there are many genuine Apps that try to provide money management facilities which includes “Multi Bank Account Access” and hence this could be taken as a general guidance against all such Apps.

Since financial information is among the most sensitive personal information, and since today most Bank accounts are linked to Aadhar and Aadhar itself is linked to everything including the PAN card, these “Multi Bank Apps” represent one of the highest concentrations of “Privacy Risks” and call for special attention to defining the “Data Security Requirements”.

While the RBI advisory above was re-circulated in the Social Media and created some caution, it does not amount to a proper “Information Security Advisory”.  The Watal Committee report addressed the issue of growing security concerns in the digital payment systems along with the need to promote such payments and advised review of the Payment and Settlement Act 2007 (PSSA-2007) under which a “Payment Regulatory Board” (PRB) would supervise the requirements of information security in the digital payment industry.

The Watal Committee also mooted the idea of an “Open access” to the payment systems by non Banking PSPs (Payment System Providers). When guidelines for this do come up, the FinTech companies may be able to have unhindered access to the financial data of individuals. This could blur the difference between Banks, which people trust much more today, and the PSPs, many of which are start ups with quick profits as their goal. Today many of them do have access to credit information through CIBIL or other so called “Credit Rating Agencies”, which many times work on imperfect data and create adverse issues for individuals. But what the new regulations open up is access to the core Banking system, where FinTech companies may have access to highly sensitive personal information.

In the EU zone, the “Payment Systems Directive” or the PSD addressed the issue of Privacy and Data Security in this domain. Now the PSD2 which is the revised directive has been made applicable with effect from 13th January 2018 along with the GDPR getting into force from 25th May 2018.  The Watal Committee made a brief mention of PSD but did not take into account the PSD2. The Government has recently announced that by around Diwali, a new Data Protection Act could be in place in India and if so, it should incorporate some additional measures of data protection for Personal Financial Data (PFD) in tune with the strict EU standards.

While the IT companies involved in data processing contracts from the EU companies would be required to comply with PSD2 provisions as a contractual data processor, the FinTech companies themselves who may indulge in PSP activities may not take note of PSD2. They are presently bound by Section 43A and Section 79 of ITA 2000/8 and required to comply with the Privacy regulations and implement what may be termed as “Reasonable Security Practices”. However their practices are unlikely to meet the minimum standards of information security that is required in such cases.

Most mobile Apps access financial information by taking an unhindered permission for SMS, E Mail and Calls before the user even downloads the app and examines its dimensions. Since Banks send information about transactions by SMS and E Mail, the entire financial history of the customer will be available to the App. This is used for creating expense accounts and other reports which are presented as a useful service to the data owner. There is no doubt that the information would be useful, but in the process the risk of critical PFD being shared with the FinTech Company is a source of concern.

When one views the Terms and Privacy policies of these FinTech companies, one may observe many anti-consumer clauses with absolutely no warranty on either the information security or even the quality of service.

It was amusing to observe that one of the Apps which is considered a successful FinTech App limits its own indemnity to the user to Rs 1000 while trying to get an unlimited indemnity from the user for its benefit with no warranty. However, the website of the Company, instead of talking about “Zero Warranty” and “Unlimited Liability”, promises “Bank Grade Security” and “No collection of Sensitive personal information” while the App’s privacy policy and terms do not have the required assurances.

It was further interesting to observe that if one tries to make a psychological profiling of the Company, one is further intrigued by the “About Us” page of the Company highlighting the assets of the company which is captured by the following illustration.

The Company boasts of 5 million downloads in the last three years and “Google Best App” award in 2015. As a keen observer of Information security practices, the Privacy concerns across the globe and the emerging data protection regulations in India, US and EU, it is difficult to get convinced that a company that is proud of the number of Beers consumed and its Bar Stools strength can be trusted with the financial information of a consumer.

This comment is not meant only against this company since this could be the typical approach of most of these “FinTech” companies which are managed by  good techies but without matching concern for information security.

When the new Data Protection Commissioner takes charge in India and such companies seek registration as a PSP, I wonder how the privacy policies and terms of use would be scrutinized.

If on the other hand the new Data Protection Act of India tries to adopt the strict terms of privacy regulations that an EU commission may expect under PSD2 or GDPR, then most of the Indian FinTech Companies will fail the “Test of Consumer Protection”. The Watal Committee report does focus on Consumer interest and even the RBI has many times indicated its concern on consumer interest being sidelined by technology based banking software products.

Unless the FinTech Companies include a mandatory Cyber Insurance package where the users are protected against direct and indirect losses arising out of a data breach caused by use of the service, the Data Protection Commissioner should consider the security as “Inadequate” and red-flag the Apps.

PSD2 or GDPR or even the ITA 2008 would basically work on “Consent”, “Disclosure” followed by other obligations of data protection. However, a “Disclosure” which is incomplete and misleading and a consent based on “Clicking of the Continue” button on an App will hardly suffice the rigid standards of Consent envisaged under any legal principles.

I therefore urge the members of the FinTech Companies to come out of their “Tech Shell” and understand the disservice they are doing to the community by luring the public into Apps with little or no security, and to really introduce some measures which include fair insurance coverage for the users of their Apps along with fair terms and reasonable security.

I also request RBI that its 2015 advisory should not remain only as a formality and should be followed up by a new regulatory measure by the Payment Services Regulatory Board or the RBI committee which oversees these functions to address the issues of dilution of data security through mobile Apps.

The sooner this happens, the better it is for the Indian public. In the meantime, I also urge the FinTech industry to introspect and generate a “Self Regulatory Mechanism” that would protect the integrity of the industry.

In June 2016, RBI formed a committee under the Chairmanship of Mr Sudarshan Sen (SSWG) which had a scope to review the FinTech industry as it is emerging in India. However there is no further news on the activities of this Committee. If it is still active, it should take into account the requirements of protecting the FinTech customers of India in terms of data protection standards equivalent to PSD2 and GDPR through the proposed Indian Data Protection Act or through a notification from RBI which is revising the PSSA-2007 as recommended by the Watal Committee.

Naavi

Section 65B Certification of electronic evidence produced in a Court proceeding in India has been a matter of intense discussion in the circle of Forensic experts, Law Enforcement and of course the Legal fraternity.

Historically, the undersigned was the first person to produce a report under Section 65B of Indian Evidence Act in a Court in India. (Suhas Katti Case in 2004). Subsequently, it has been followed by many other Certificates issued under the banner of Cyber Evidence Archival Center (CEAC)  in the last 12 or more years.

During this time, the undersigned has handled many interesting CEAC certifications including  Web site pages, E Mails, Mobile data, Corporate Computer data, Personal Computer data, YouTube Videos, CCTV Videos, Extracts from Forensic software, Remote Desktop views etc. Some certifications are straight forward web pages as they appear, some are extracted with the use of some forensic software etc. Some electronic documents are text documents that can be easily printed out and some are audio and video files which have to be rendered only in soft copy format.

Every one of these different types of documents has been a challenge in terms of meeting the Section 65B requirements. Sometimes it has been necessary to structure solutions to extract the electronic documents as per the best understanding of the requirements of Section 65B as perceived by the undersigned.

As a result of such long experience over the past 12 plus years, the undersigned has developed  specific procedures  to present the “Computer Output” as required under Section 65B of Indian Evidence Act.

I am aware that there are legal luminaries who have special expertise in Indian Evidence Act and some of them may hold views different from mine on some aspects of how the section 65B  has to be interpreted.  It is possible that for various reasons, many of them had not focussed on the issue of Section 65B until recently when Supreme Court drew its attention to the mandatory need for Section 65B certification for all electronic evidences presented to the Court. (Refer Basheer Case).

I was, however, drawn into it right from 2002 when CEAC was formed as a service, and therefore the procedures developed must be considered as an evolution of the system over a long period. (It is not out of place to mention that I had proposed CEAC to be a public private partnership with the Ministry of IT at that time through the then CCA, though it could not be implemented, while it continued as a private service.)

At this point of time, Naavi’s approach to Section 65B certification used by CEAC should perhaps be considered as one of the approaches that needs to be accepted as a major school of thought  even if other experts have a different view point. However, we can  say that Jurisprudence on this aspect is still under development and different experts arguing differently and different Courts interpreting differently could be common. Some time in the future, I suppose the honourable Supreme Court will look into many of my articles including this one and give its own interpretation which itself may undergo many iterations over time.

With this humble submission, I would like to present below my view on one hypothetical case based on a reference received by me regarding submission of forensic reports by Forensic Labs and Government owned establishments such as CFSL or other equivalent organizations.

In the reference, there were the following aspects.

  1. The evidence consists of a Call Data Record (CDR) extracted from a Mobile Service Provider (MSP). (Perhaps this includes  Tower data record along with the billing and usage records)
  2. Mobiles seized from the accused sent to the lab for analysis
  3. Hard disks seized from the accused sent to the lab for analysis.

For the sake of discussion, I consider the following hypothetical requirement of the law enforcement.

The accused has used the mobile phone/s to make calls to, say, other co-accused or to the victim to further commit an offence which may be a Cyber Crime or a Physical Crime. The CDR was collected from the MSP and handed over to the lab for further analysis. Mobiles and Hard disks were seized from the accused by the Police and sent to the lab. The CDR evidence is to be used along with the forensic analysis of the mobile where there may be contact details and some SMS/WhatsApp messages. It is possible that some of this data might have been deleted and has to be recovered using appropriate recovery software. Some of the recovered data may be fragments needing further interpretation. The Computer hard disk will also have many items related to the mobile and CDR either in active files or deleted and recovered. There could also be a back up of phone data in the computer of the accused whose hard disks have been seized.

The question that was posed in a reference was

a) Who will provide Sec 65B certificate for the CDR

b) Will the Lab provide Section 65B certificate for its report?

I will try to provide my views on these queries to the best of my knowledge and experience.

Though the final report is provided by the Lab, the CDR is handed over to them as an input along with other seized hard disks.

The CDR is an extract from the systems of the MSP and has to be therefore certified under Section 65B by the MSP’s person in charge.

If the MSP admin allows the files to be viewed by an independent expert, then the independent expert may take on record what he has seen, the circumstances under which he saw the documents, record it and add it under his Section 65B certification.

The CDR as presented by the MSP may be in, say, an Excel form which the lab may use as an input and analyze through a CDR analysis software. This may display many results that appear on the screen of the analyst’s computer which he may record and use in his report.

Similarly, the mobile data or hard disk data may be analysed by the analyst using forensic software of different descriptions. The software may discover deleted files and show them on the analyst’s screen. Some of these electronic documents as they appear on the analyst’s screen may be captured and used as a part of the analyst’s report.

At the end of this exercise, the analyst will come to some conclusion in his report and answer the queries raised by the investigating officer.

In such a scenario, the question of how Section 65B certification has to be used by the Lab expert is a matter of discussion.

Now in the above case, the report could be considered as a combination of

a) Matter of fact observation when some content is displayed on the screen of the analyst under certain standard conditions.

b) Certain content displayed which may require an “Expert Knowledge” to draw a meaning.

Section 65B is mainly concerned with the presentation of an electronic document lying inside a computer as a “Computer Output” that can be experienced (Read, heard, seen) by the observer, for the purpose of admissibility by a Court.

“Interpretation” and drawing conclusions which are not obvious from the visible computer outputs (presented either as a print out or soft copy) is a subject matter of an expert in the domain. The matter of fact part of the report also requires certain expertise but the level of expertise required for interpreting the data may be higher or it may be completely an expertise outside the computer domain.

For better clarity, let us take an illustration where a lab analyst extracts an image of a wounded person from the computer and renders it as a computer output in his Section 65B Certified report. Another expert say a doctor views the photograph and opines that this wound appears to have been caused by such and such a weapon etc…

Here there are clearly,  two experts … First, the computer expert who discovered the image from a pile of deleted images and the second expert who had nothing to do with Sec 65B Certified report but is an expert in another domain.

Some times, the division of roles of the “Observer” who extracts the information and the “expert” who interprets the document may not be so clear. It may be the same person who uses a forensic tool to extract fragments of a file containing log records and uses his computer expertise to interpret that the log record extracts mean certain things.

The Forensic lab analyst  has such dual role and hence his report has this dual characteristic of being a report both as an observer of a “matter of fact” and as an expert “Who interprets the fact”.

Another illustration that explains this situation is as follows.

Let us say there is a photographer who takes photographs. If it is a digital photograph, he can give a “matter of fact section 65B certification” stating this is a faithful reproduction of a photograph which I took using such and such camera on such and such date and time at such and such place. This  is the typical certificate  where the certifier does not express any opinion on who is there in the photograph, what is happening, Is it a marriage? or Is it a quarrel? etc.

Let us now say that the photograph is a video in which two persons are speaking in French. Let’s say the photographer fortunately knows French language and can interpret what the two are talking. He therefore produces a report in which the video is enclosed and states that the two persons were planning a terrorist attack. His certificate is now more than a Matter of fact certificate and includes his own expert view based on his language expertise.

The report that normally a Forensic lab person gives has this dual element of expertise, where in the first place, there is a simple expertise of using some tool and making some electronic documents appear on the screen which is then printed with a CTRL+P command and in the second place, involving  a “Forensic Expertise” where he adds his “Opinion” into the report.

A Good lab report has to be structured in such a manner that these two aspects are clearly brought out in the report itself so that the Court can use the “Matter of Fact” report and discard the expert report if it deems fit. Alternatively Court may accept the matter of fact part of the report but approach another expert for interpretation to substitute the expert opinion part of the report.  This means that the report may be taken as evidence in part and rejected in part. It may also be possible that the defense may accept the report of the “matter of fact part” but challenge only the “Expert opinion” part.

It is a moot point at this point of time if the reports provided by CFSL or other organizations which normally provide such forensic certificates have a system of structuring their reports as described above. It is possible that they simply enclose the evidentiary objects examined and directly go on to give their point by point reply to the investigating officer’s queries on the evidence.

Once we understand this nature of the Lab report, we can address the issue of whether Section 65B certificate is required for the lab report or not.

If the Analyst has reproduced any extracts of electronic documents as part of his report and relied on such extracts, then Section 65B certificate is required.

If the Analyst does not use any electronic document as part of his report and only gives out his views in isolation, then he need not provide Section 65B certificate.

In such a case he can be cross examined as a witness and further information can be sought.

In the case of a self evident/self sufficient “Matter of Fact Certificate”, the parties/Court may decide not to put the analyst as a witness and examine him, since there is no dispute on the matter of fact part of the report.

In most of the practical cases, a forensic lab will have electronic documents discovered by them based on which they provide their opinion. Hence their reports will have elements of both a “Matter of Fact Certification” and a “Forensic Expert Opinion”.  Hence Section 65B certification as well as presentation as a witness may be required.

Where a web page has been certified by an independent observer like CEAC as it appears to the public on the web, using only simple tools such as a standard computer running a standard operating system and a standard browser application, the Section 65B certificate may be accepted without the need for cross examination of the certifier (unless the defense wants to challenge the witness and probably allege fabrication of evidence).

In such cases, the parties may accept the computer output for admissibility and argue on the content as they require. E.g., one may say that the words used are defamatory and obscene and the other may say they are not. The judge has to take the call.

In the Suhas Katti case, I had produced an extract from a web page, and the advocates argued whether it was obscene or not. I had no role in deciding whether it was obscene content. Similarly, I had recorded the IP address visible in the header information of the message and given my limited expert view with the use of a “Whois query tool” to say this IP address appears to belong to BSNL, Mumbai. This was a low level forensic expertise. I was however examined in this case as an “Expert” and cross examined, but there was no disagreement on the evidence produced. The only objection raised by the defense was that I was not a Government employee, and the Court felt that an expert can be a private person.

I have presented the detailed view point above to indicate that the Section 65B certificate is meant to replace the need for the Judge to interpret the “Original Binary Content of an electronic document” and to enable him/her to take a view on the electronic document on the basis of a print out or soft copy of what the binary content means when rendered on the screen of a computer as a “Computer Output”. This is with the limited objective that the electronic evidence can be admitted and the trial can proceed. (Readers may kindly also read my earlier articles on the subject, links to which are provided below.)

The Forensic labs should therefore learn to structure their reports appropriately, to indicate that part of the report simply renders the “electronic document” as a computer output as is visible to a low level expert, while in some cases the report continues with an expert view where the “Opinion” of the observer is added as an “Expert”.

What I have presented here as a requirement for Forensic labs should also apply to a “Digital Evidence Examiner” accredited under Section 79A of the ITA 2008 and summoned by the Court for its assistance.

Comments are welcome.

Naavi

Related Articles

1. Basheer Case Judgement and Section 65B of Indian Evidence Act…Cyber Jurisprudence develops

2. Section 65B of Indian Evidence Act on Electronic Evidence Explained

3. Clarification on Section 65B… Who should sign the Certificate?

4. The Role of “Notified Digital Evidence Examiners”

ISMG India carried a report on the Prepaid Instruments recently which has been reproduced here.

Refer for more details here:

Naavi

Beware of the Cyber “Stone Pelters”

Posted by Vijayashankar Na on April 24, 2017
Posted in Cyber Law

The news about WIPRO retrenching some employees has caused a slight stir in the minds of many aspiring Engineering graduates about the future of their employment prospects. Though the number of retrenchments in WIPRO is by itself not a large number compared to the strength of its work force, it does give an indication of the direction in which the IT job market seems to be moving.

It is possible that this trickle may gather momentum and other companies also start shuffling their work force creating a crisis in the IT workforce and large scale unemployment of computer savvy workforce.

There is a need for Cyber Space watchers to recognize that when techies start losing jobs, the possibility of at least some of them getting into deviant habits is very real, since they have the necessary skill sets to create “Cyber trouble”. Some who run short of cash for their genuine needs may turn to providing online support to the cyber underworld in the form of writing malware code, spamming or acting as virus droppers. Some may use the time to reignite their previous jealousies and personal vengeance on others, which may manifest in more crimes like hacking of Facebook profiles, defamation and even “Glassdoor Attacks”.

In general, the Cyber Crime incidence in India may increase if the job losses occur in IT industry. This is more so since some of the job losses will be in the mid level workers with experience and financial commitments as they are replaced with the low cost freshers.

Some of these job losses are also triggered by the “Protectionist” attitude that is growing in the US and other markets. These losses are consequent to the Visa restrictions imposed by USA, and more may follow if the trend spreads to Europe. Mr Trump has been clear in his approach that he wants Indian IT companies to create more jobs in USA rather than exporting manpower from India, and this certainly means that the growth prospects for Indians working in USA will dwindle.

In this context we can recognize that just as frustration of youth in the Kashmir Valley can be the reason for them turning into “Stone Pelters”, frustration, if it grows in the Cyber Workforce in India, could create a situation where Indian techies may start turning into “Cyber Stone Pelters”. Hence keeping such a skilled workforce from falling prey to negative thoughts and keeping up a positive motivation is the challenge before us.

Both from the point of view of maintaining the IT prosperity in India and not creating a fertile ground for Cyber Criminal workforce to increase, we have a need to find solutions to reduce the impact of IT job losses that may hit the Indian IT companies in the next few months.

The one obvious thought is that the situation indicates that India’s IT development will be more dependent on the outsourced business than it has ever been in the past. If Indian IT companies have to reduce their work force in USA or cannot expand their present workforce working onsite to meet the future growth, the only solution left for them is to replace the current work force or the future potential with a “Virtual Workforce”.

But Mr Trump may be pushing the US IT companies to increase jobs in the IT industry, which may force them to bring pressure on Indian IT companies to recruit more locals in US to replace the Indian workforce presently working onsite. Additionally, jobs in the IT industry are also being affected adversely by the increasing levels of “Automation”, which may also eat up some jobs, and we need to address this issue as well. Hence there is a challenge in replacing the current workforce of Indians working in US with a virtual workforce without losing the business.

We therefore need to find innovative solutions to ensure that there is no job loss despite the new developments in US, Europe or elsewhere.

The problem that Indian IT companies are facing now has been partially created by the policies of the IT companies in the past, giving more emphasis to “Body Shopping” rather than “Skills Marketing”. The industry has today built its business model on “Number of Billable Heads” rather than “Measurable Outputs”. It is now time for Indian companies to start changing the narrative of their business offerings from “We offer so many heads at xx dollars per hour” to “We offer the solution at a cost of xxx dollars per month”.

I therefore call upon the IT industry to start a new generation of BPOs where the concept of “head count based billing” is given the go-by and only “measurable service units based billing” is adopted.

This apart, there is a need for Government to provide some additional incentives for the BPO industries to be more competitive on the basis of “Solution Offerings”. The proposed new Data Protection Act of India will be one policy decision where the Government action will affect the industry either positively or negatively and hence it has to tread carefully when the new law is introduced.

Naavi
