The Special Task force of the UP Police has arrested one Mr Ram Prakash Singh who had sent fake e-mails to all the aspirants of a job who had to attend an interview stating that the interview had been postponed and getting himself selected unopposed.
It is unfortunate how the intelligent MBA graduate who applied for a position of Allahabad University thought that he could get away with the fraud. Now the person has permanently damaged his career for which he must have worked hard for the last two and half decades.
The incident shows how “Lack of Awareness of Cyber Laws” pushes people to take risks that they would not otherwise take if they had known that a strong law exists against such acts and our Police are capable of solving such mysteries.
At the same time, it is necessary for authorities such as the Registrar of the University in this case to adopt such practices that provide a proper authentication to the recipients of their official e-mails which would have enabled them to identify the fraud.
The discussion in this context comes back to the use of digital signatures which unfortunately has become more an instrument which is being used very inefficiently and in-appropriately. I anticipate that this case has the potential to snowball into another “Basheer Case” bringing into open a legal requirement which most people failed to see for decades after ITA 2000 was enacted.
The tragedy is that the system of digital signatures as provided in the ITA 2000/8 has not been properly implemented even by the licensed Certifying Authorities and presently even the CCA does not seem to exercise the required control. It is therefore time that some body brings to open the inadequate and illegal practices that prevail in the use of digital signatures in India.
Just as the Section 65B certification of electronic documents suddenly became critical to for all litigations because the Supreme Court suddenly spoke about it in one of its judgements, there will be some case in which the Supreme Court may make a reference to the need for the use of digital signatures in responsible communications and suddenly every body will wake up to the reality which the undersigned has been mentioning as an essential ITA 2008 compliance requirement for a long long time.
However, when such a realization dawns on the society, even CCA will be found wanting since at present the institution of CCA is just considered as another cabin in the Ministry of Information Technology rather than a statutory authority which has its own place in the Indian Cyber Law domain.
Recently, I had raised an objection that CCA had “De-Recognized” digital certificates issued earlier by the authorized Certifying authorities (CAs) and advised them not to consider it valid for KYC for making online subscription applications for renewal.
On the other hand, CCA had allowed the CAs to use authentication for KYC based on OTPs sent to the mobile numbers which was only as good as the KYC of a mobile service provider who had no contractual obligation to the CAs and the Digital Signature system. This subordinated the new Digital Certificates issued by CAs to the verifications done by the mobile companies before they issue SIM cards.
Most CAs allow their RAs to process the new CA applications where the RA gets the OTPs over phone, downloads the certificates on Cryptographic keys at their end and deliver it to the subscriber. In the process they are compromising the private key ab-initio and also making the subscriber liable for punishment under the ITA 2000/8.
Does CCA know that the system of Digital Signature Certificate issue is being abused? .. Certainly… But Have they taken any steps to correct it ? …Certainly not.
If therefore Supreme Court asks CCA that if in the Allahabad Case, the e-mails had been sent under the digital signature of the registrar, would it have constituted a valid legally binding instruction to the candidates and whether such a system is tamper proof, can the CCA affirm before the Court and state that digitally signed e-mails are tamper proof?
I hope CCA gives a thought on how it will respond when it will be before the Supreme Court and is quizzed for its actions under the Act to protect the integrity of the system of digital signatures. The citizens of India will also ask the CCA if it has discharged its duties as envisaged under law and created the right foundation for the “Digital India” with “Less Frauds” ( since no-frauds is only a myth).
I understand that today the position of CCA is not being recognized as a body that is independent of the MeiTy and CCA is a protected contractual appointment without the power of removal etc., which makes it a powerful quasi-judicial body.
I suggest that CCA should form a Sub Committee (The first CCA had formed such a committee) consisting of experts which can go into all aspects of how Digital Certificates are being used in the system and how the regulation has functioned and how it has to be improved etc. and thereby undertake a complete review of the system as it should develop in the coming days. This would be a proactive measure of Compliance which may prevent future embarrassments.