Will Ravishankar Prasad show the same courage as Mr Modi?

Recently, the Ministry of Communications and Information Technology (MeitY) has come out with a notification under Section 79 A of ITA 2008 indicating the norms for notification of a Government agency as an “Electronic Evidence Examiner” who can be called upon by a Court for certification of authenticity of an electronic document which is available to the Court as an “Evidence”.

The eligible organizations are required to make an application with some information about their credentials. All the agencies who may apply now will be other Government agencies only.

One of the requirements specified in the “Scheme” for notification is that the applicant organization has to be compliant with two international standards ISO/IEC 17025 and ISO/IEC 27037.

The notification essentially means that an organization that wants its forensic practices to be in tune with what the ministry expects for notification must first understand the specifications under these two standards, then implement them, and then call in one of the accredited ISO certification agencies to review its processes and certify that they comply with the requirements of these standards.

The specifications are “Proprietary documents” protected under copyright and cost CHF 138 and CHF 158 respectively in Swiss Francs (1 CHF = Rs 66.98). Therefore, the documents cost around Rs 20,000/-, which is the minimum investment that any organization has to incur in foreign exchange just to know what MeitY wants. It is a normal practice in ISO documents for one standard to refer to another and so on, so that many times the user needs to buy several ISO documents just to understand one standard. Then, even if the organization is compliant, it needs to get certified by an accredited ISO organization, for which one has to incur an expense of say around Rs 3 lakhs. A part of this goes to the Indian consultant and a part may be royalty that goes to ISO.

In 2011, the then ministry had notified rules under Section 43A which required “Reasonable Security Practices” to be followed by all Companies who collect personal and sensitive personal information from the public. This will include all companies today who use Aadhaar information which means perhaps lakhs and lakhs of corporate entities. The Ministry in its notification almost made it mandatory that all these companies will use ISO 27001 standards as the requirement of compliance.
As a result of this notification, which was also placed in the Parliament and was part of the national regulation, a huge benefit running to thousands of crores was potentially passed on to the ISO organization in foreign exchange. When this was pointed out to the ministry officials (refer here), they privately agreed that there was no mandate that ISO 27001 compliance could be considered as “Deemed Compliance under Section 43A” but did not make any change in the notification.

Similarly, the Union Health Ministry recently came out with a notification on EHR standards which needs to be complied with by all IT companies handling health information as well as all hospitals, pharmacies etc., and in which reference was made to around 35 ISO standards. Compliance therefore required first acquiring all these standard specifications at a cost in foreign exchange.

It is considered absolutely criminal to suggest to Indian citizens that if they want to follow the laws of the country, they need to buy documents from a foreign agency just to know what the law means. By bringing such references into notifications that are placed and passed in the Indian Parliament, the ministries are actually making the legislators also part of this siphoning away of our money.

This practice should stop notwithstanding the efforts required. In the US, the national agency called NIST (National Institute of Standards and Technology) has developed all standards required by the IT industry, placed them on its website and allows free download by any person. While the standards are mandatory for the US Government agencies, others can use them as Best Practice. The standard documents are so well written that they are good enough to be followed as a guideline by other countries also.

It is therefore perfectly possible for the Indian Government to completely indigenize the standard specifications by developing our own Information and Information Security standards. It is only in the case of data that needs global mobility that we need to adopt international standards. Some of these may be required in industries such as the health care processing industry, where the health data generated in India may have to be processed abroad. Otherwise none of the “Best Practice Standards” need to be imported. Though there is an attempt to adopt some of these standards under local standard organizations and by nodal agencies, the effort is only half-hearted and the standards are not fully adopted.

I therefore urge the Government and particularly the Ministry of Information Technology to set up a Committee on IT standards and develop the equivalent of the entire ISO series of standards and the Privacy Standards of various US and EU nations for local use and publish it as a freely available Indian Standard. In order to avoid Copyright Infringement charges, it will be necessary to individually re-write each of the standards in our own words just as what NIST has done and we need to do this immediately when we are moving towards the Digital India concept faster than what we earlier envisaged.

The objective should be that all regulatory requirements are codified as “Open Source” and this should be considered as a “Make in India” project for regulatory standards.
If this is not done, then the payment which we make to buy the standard documents will be considered as a “Tax” levied on Indian citizens to meet compliance of Indian law which is mandatory.

This is unlikely to be permitted within our Constitution and if challenged in the Supreme Court is bound to elicit heated opposition to several of the initiatives of the Government.

Further complications can be avoided if the Ministry of IT moves quickly and adopts a policy of writing all standards of Information Security and Quality under the ISO family as new standards in India and providing them as open source. Otherwise the Government should pay some compensation to ISO and provide for mandatory publication of all Standards for free public use.

A decision like this can be taken only by a person of the stature of Mr Modi, just as he took the decision on the demonetization. Now Mr Ravishankar Prasad has an opportunity to do what Mr Modi did in the demonetization issue. Will he rise to the occasion?

Naavi


Digital Evidence Examiner: More on the notification and on “Compliance Tax”

(This is a continuation of the previous article found here)

ITA 2008 introduced a new section Section 79A under Chapter XIIA in which the following was narrated.

Section 79A:  Central Government to notify Examiner of Electronic Evidence

The Central Government may, for the purposes of providing expert opinion on electronic form evidence before any court or other authority specify, by notification in the official Gazette, any department, body or agency of the Central Government or a State Government as an Examiner of Electronic Evidence.

Explanation:- For the purpose of this section, “Electronic Form Evidence” means any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell phones, digital fax machines.

This section enabled the Central Government to notify any organization belonging to either the Central or State Government as an “Examiner of Electronic Evidence” (EEV). The objective of this section was to enable a Court to seek expert opinion on electronic evidence before it. 

The use of the word “may” instead of “shall” indicates that this was an option. Being an option, it implies that Court proceedings could have gone on and may still go on even if an “expert opinion” of the notified EEV is not available.

The doubt that now arises is whether it is mandatory that only notified EEVs can be called as “Experts” and nobody else.

We may note here that under Section 79A, an EEV is an organization and not an individual. However, the one who stands in the witness box and gives evidence is an “Individual”. By defining an organization as an “Expert”, the section enables the notified EEV to send any of its representatives, not necessarily the one who actually conducted the forensic examination on the document, to represent the EEV and confirm the “Expert View”.

There is no provision under Section 79A to notify any “Individual as an Expert Witness in relation to an electronic document”.

Hence the present system of “individual Experts” will and should continue. These are persons who have demonstrated expertise in the field to which the evidence belongs (not necessarily with a degree, a diploma or a certificate) and who provide evidence that can be considered as “Expert Evidence”, where the opinion in addition to fact is also material.

We now look at the documents released by the Government for further comments.

The Notification

The notification starts with a wrong statement “Section 79A of the Information Technology Act 2000 mandates central Government to notify…”

We need to note that the section does not “Mandate” but suggests. This is an important aspect which we should note. As a suggested “option” the law does not prohibit a situation where there is no “Notified Electronic Evidence Examiner”. Hence even after a few labs are “notified”, others may continue to function.

The notification says that this is an experimental effort in which 3 to 5 labs will be notified and has encouraged the eligible bodies in Central and State Governments to apply for notification.

The application form for notification is provided in Annexure II

The empanelment will require development of a “Quality Manual” in which SOPs and other documents are required to be presented for the following.

  1. Case Acceptance
  2. Handling of Exhibits
  3. Security and Preservation of Exhibits
  4. Analysis of Exhibits
  5. Electronic Evidence Analysis Report Format
  6. Tools and Equipment Testing
  7. Training
  8. Internal audit reports specific to scope Quality assurance
  9. Any other procedure

The department has also developed a 9 page Scheme for Notifying Examiner of Electronic Evidence

The scheme actually copies ISO 17025 standard on General requirements for the competence of testing and calibration laboratories  and ISO 27037 standard of Information Technology-Security techniques-Guidelines for identification, collection, acquisition and preservation of digital evidence.

The evaluation process will therefore involve a few ISO auditors chosen by the MeiTy.

To understand what the Government of India wants its citizens to do on Cyber Security, we are always required to pay a “Tax” in the form of purchasing an ISO document. This has been a principle followed by the DeiTy officials during Mr Kapil Sibal’s days. The same process is now being continued during Mr Modi’s regime under Mr Ravishankar Prasad.

Hence to know more about the Standards a payment of around 10000/- or more in foreign exchange has to be made to buy the document and then the lab has to pay fees to an ISO auditor to certify if what they are doing is right. A part of this fee will also go out in foreign exchange to the ISO organization as a contribution of the Indian Government.

People like us think this is an unfair “Tax” to be compliant. (Refer my earlier article on the subject here.)

Hope Mr Arun Jaitley will take note that MeitY is introducing its own Tax on digital transactions such as “Compliance to Cyber Law” without the sanction of the budget. Also the benefit goes abroad. This is an obnoxious practice and needs to be set right as part of the “Make in India” campaign, where all information security standards are indigenized like NIST and released free of charge to the public.

I request Mr Ravishankar Prasad or any official of the MeiTy to clarify why MeiTy is not in a position to draft its own standards by consulting NPA or CDAC or even FBI, like how NIST does for the US and avoid reference to the documents which are only available on payment of foreign exchange in a Government notification considered mandatory for compliance by Citizens of India and departments of Government itself.

Naavi


The Role of “Notified Digital Evidence Examiners”

On 2nd January 2017, the Government of India came out with a notification under Section 79A of ITA 2008 on a pilot scheme for notification of organizations under Section 79A as “Digital Evidence Examiners”. Since then some newspapers have been putting out reports which are not completely correct. We need to understand the notification and its purpose correctly and not be misled by ignorant statements printed even by reputed newspapers.

I refer to one such report in Economic Times under the title “India to finally get electronic evidence authenticators”, which inter alia made a statement

“In a move that will aid investigators and prosecutors, the Centre has finally decided to appoint “Examiners of Electronic Evidence” who will be the only ones authorized to tell courts if an e-evidence is authentic”

This statement is incorrect and misleading and needs to be clarified.

In the same article, a senior IPS officer is quoted in a way that reflects a correct understanding. He says

“The first line of argument from the defence is that the footage or voice is doctored. Presently, material is sent to forensic labs based on court direction on a case-to-case basis. But we need one or more authenticators to whom we can straight away go even before taking it to the court. Their seal and sign must qualify as concrete attestation before any court.”

Digital Evidence is presently part of almost all Court proceedings. In the past it has been used successfully to prosecute the offenders in cases both under ITA 2000/8 or IPC. The first case in which conviction was obtained with the use of electronic evidence being the main evidence to prove the crime was the “Suhaskatti Case” (Details available in two part judgement reproduced) way back in 2004. Subsequently several Courts have taken cognizance of electronic evidence. The latest important judgement is the judgement of the Supreme Court in what is called the “Basheer Case”.

Other than these, several Courts have used electronic evidence to prove facts in a litigation both civil and criminal.

It is not as if the Courts have not admitted and appreciated any electronic evidence so far. In the past whenever an electronic evidence is presented in the Court, the evidence is first admitted on the basis of Section 65B certification. Later during trial, if any of the defendants have an objection, they may produce their own expert opinion to counter the evidence. The Court if it needs may then call a Forensic Expert acceptable to it to give his opinion in the matter.

This process will continue.

At present, the Police often request the Court for permission to send a seized hard disk or mobile to a Government Forensic Lab (there are a few private labs whose services have been used by the Police from time to time), and the Government lab then gives its analysis, which is presented by the prosecution in the Court. If the Police proceed with analysis without such Court permission, there is a fear that the evidence may be considered as having been tampered with without authorization and the findings rejected. Hence the Police will now be happy to have notified labs to which they can send the evidence. Obviously, such labs will be the CFSL and State level forensic labs.

By this notification, the Police may be able to speed up their investigation so that they can take the assistance of these accredited labs at the investigation stage itself.

If the defendant disputes the evidence he may request for a fresh independent analysis by requesting for a Cloned copy of the hard disk. The two experts may be cross examined in the Court to satisfy the Court one way or the other.

Section 79A is an enabling provision which states as under.

79A Central Government to notify Examiner of Electronic Evidence

The Central Government may, for the purposes of providing expert opinion on electronic form evidence before any court or other authority specify, by notification in the official Gazette, any department, body or agency of the Central Government or a State Government as an Examiner of Electronic Evidence.

Explanation:- For the purpose of this section, “Electronic Form Evidence” means any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell phones, digital fax machines.

This section was introduced with the Information Technology Amendment Act 2008 and became effective from 27th October 2009. Under this provision the Central Government was empowered (Note the word “may”) to appoint any “agency of the Central or State Government” as an “Examiner of Electronic Evidence”. This is not meant for individual experts but only for an organization.

It is expected that the organization would follow certain standard practices which make their process reliable enough for the Court to consider the evidence certified by it as authentic enough to proceed with the trial.

It will be a standard process in all such forensic investigations that the lab will, on receipt of a material (a container of electronic documents such as a hard disk, mobile, CD, pen drive etc.), create cloned copies so that any request for production of the evidence in the form in which it was presented to them can be fulfilled.

We need to note that this would require money to be invested in buying additional hard disks and devices similar to the evidentiary objects. For example, if 10 hard disks are presented as evidence by the Police, the lab has to buy 10 similar hard disks to keep a cloned version of the hard disks. The Police would also perhaps have a cloned copy of their own created at the time of seizure. Thus there will be a proliferation of digital evidence storage devices and the labs will have to ensure that budgets for such expenses are provided for.

Why Digital Evidence Examiner’s Certification should be discretionary not mandatory?

Electronic evidence is admitted as evidence based on its Section 65B certification. This will be prima facie evidence for trial purpose.  Then the trial begins when one of the parties presents its findings of the evidence.  At this point of time, the interpretation of the evidence as presented by the presenter of the evidence will be admitted  as long as the evidence is  not challenged by the defendant.

This situation will be similar to say a signed letter presented in evidence on which the signature of the defendant is not challenged. If the signature is challenged in such cases,  the Court may invite a signature or handwriting expert to give his views.

Similarly, any electronic evidence admitted in a Court can be proceeded with without a further certification from the “Digital Evidence Examiner”. Where the Court so decides on its own, or when the evidence is disputed, it may be mandatory to seek the opinion of the examiner notified under Section 79A. However, the opinion of the examiner may still be challenged by the defense.

It will be the discretion of the Court to decide how much value they would place on the evidence before the certificate of the Digital Evidence Examiner and after such certification.

Meeting “Admissibility” criteria under Section 65B of IEA is mandatory but requiring the Certificate of a Digital Evidence Examiner need not be considered as “Mandatory”. It is discretionary.

Police may still consider it as a Best Practice

However, practically, Police may not like to present evidence in their hands without this certification so that they are not accused of shoddy investigation. So, in practice Police may adopt a practice of sending every electronic evidence for “Digital Evidence Examination” in an accredited lab.

The certification may improve the “Probative Value” of the evidence and make it more difficult for the defendant to get it termed “unreliable” by the Court.

But just because an evidence is certified by a “Digital Evidence Examiner”, Court cannot refuse to allow the defendant to question the evidence. This would amount to trampling of the rights of the defendant. 

In future Courts and the Police  need to dispassionately consider whether it is practical to send all digital evidence to such labs as a mandatory process and if so whether it is feasible to close any case in which Cyber evidence is involved (Which is almost hundred percent of all investigations) within reasonable time.

Imagine that in the case of every civil and criminal case involving written document, every such document has to be sent to a handwriting expert for certification. Such a demand would be impractical. However, in the interest of justice whenever there is a slight doubt about the authenticity of a written document, it is prudent to send it for the views of a handwriting expert.

Imagine the investigation of the molestation case which Bangalore police cracked recently from CCTV footage and Mobile Tower data. There will be hundreds of such cases in which truck loads of evidence in digital devices would be used and if all these are to be certified in the accredited labs, we are looking at a practical impossibility.

Hence, we should accept that the use of Digital Evidence Examiner should be considered as “discretionary” and not “mandatory”.  Whenever there is a “reasonable” (standard of reasonableness can be low to begin with) doubt as to the authenticity of an electronic document presented as evidence, then Courts may adopt a mandatory requirement of examination by an “accredited digital evidence examiner” (Which is an organization and not an individual) while the Police will continue to have the discretion to adopt it as a “Best Practice”.

I however state that if it is considered mandatory and all digital evidence is dumped on such labs, there will be a serious hit on the trials and the cyber criminals will be happy with the delays.

Despite what I have stated above, the notification was long overdue and is welcome. It was a necessary follow up of the ITA 2008 which was left unattended. Hence we welcome the move with caution.

(Follow up article)

Naavi


Traffic Light Protocol

Classification of documents before distribution is one of the important activities of data managers in organizations. The better part of Information Security lies in properly classifying a document and tagging it so that every end user understands what he can or cannot do with the document in his hands.

In this connection, it is interesting to observe the document tagging protocol used by US-CERT, named appropriately as the “Traffic Light Protocol (TLP)”.

Attention to this protocol was drawn with the Obama Government in USA publishing an FBI investigation document that probed into the hacking of e-mails of the Democratic National Committee by suspected Russian hackers which helped expose many of the secrets of Mrs Hillary Clinton and perhaps contributed decisively to the victory of Mr Donald Trump.

While the Obama administration has been livid with the hacking and revelations, and has also taken action, with many Russians being expelled and agencies being closed down, information security observers note that the FBI document was released under the TLP as a “White” document, indicating that it can be distributed widely.

The TLP uses colour codes and nomenclatures to designate the documents and define the sharing boundaries.

There are four colour codes under the protocol and they indicate as follows:

“TLP:WHITE” indicates “Unlimited” boundaries for distribution.

“TLP:GREEN” indicates that the information is meant for limited disclosure restricted to the community.

“TLP:AMBER” indicates that the information is meant for limited disclosure restricted to the participants’ organizations.

“TLP:RED” indicates “Not for disclosure”, and restricted only to the participants.

The complete definitions are found in the following table (Source: US CERT)

 

| Color | When should it be used? | How may it be shared? |
| --- | --- | --- |
| TLP:RED: Not for disclosure, restricted to participants only. | Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party’s privacy, reputation, or operations if misused. | Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person. |
| TLP:AMBER: Limited disclosure, restricted to participants’ organizations. | Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. | Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to. |
| TLP:GREEN: Limited disclosure, restricted to the community. | Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. | Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community. |
| TLP:WHITE: Disclosure is not limited. | Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. | Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. |

 

More details of the protocol can be found on the website of US-CERT. Indian corporates could probably adopt a similar protocol for tagging their documents.
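The sharing boundaries in the table above can be checked mechanically at the point where a document leaves its holder. The following Python is an added example, not part of the original article or of US-CERT's material; the `Recipient` model, the function names, the fail-closed handling of unmarked documents and the sample messages are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from enum import IntEnum


class TLP(IntEnum):
    """The four colours, ordered from least to most restrictive."""
    WHITE = 0
    GREEN = 1
    AMBER = 2
    RED = 3


# Matches "TLP:RED", "TLP RED", "tlp: amber" and similar hand-typed markings.
_MARKING = re.compile(r"\bTLP[:\s]\s*(RED|AMBER|GREEN|WHITE)\b", re.IGNORECASE)


def parse_tlp(text):
    """Return the most restrictive TLP marking found in text, or None."""
    found = [TLP[m.group(1).upper()] for m in _MARKING.finditer(text)]
    return max(found) if found else None


@dataclass(frozen=True)
class Recipient:
    """How the intended recipient relates to the source (hypothetical model)."""
    in_original_exchange: bool = False  # present when the information was disclosed
    same_organization: bool = False     # member of the holder's own organization
    client_need_to_know: bool = False   # client/customer who needs it to protect themselves
    same_community: bool = False        # peer or partner in the same sector or community


def may_share(label, recipient, public_channel=False):
    """Apply the sharing rule from the table; return (allowed, reason)."""
    if label is None:
        # Assumption of this example: unmarked material is held back (fail closed).
        return False, "no TLP marking found; ask the source before sharing"
    if label == TLP.WHITE:
        return True, "TLP:WHITE may be distributed without restriction"
    if public_channel:
        return False, f"TLP:{label.name} must not go out on a publicly accessible channel"
    if recipient.in_original_exchange:
        return True, "recipient took part in the original exchange"
    if label == TLP.RED:
        return False, "TLP:RED stays with the participants of the original exchange"
    if recipient.same_organization or recipient.client_need_to_know:
        return True, "inside the organization, or a client with a need to know"
    if label == TLP.AMBER:
        return False, "TLP:AMBER is limited to the participants' organizations"
    if recipient.same_community:
        return True, "peer or partner within the community"
    return False, "TLP:GREEN may not be released outside the community"


# Constructed sample outbox: (text carrying the marking, recipient, public channel?)
OUTBOX = [
    ("TLP:WHITE Joint analysis report", Recipient(), True),
    ("[TLP:GREEN] Sector advisory", Recipient(same_community=True), True),
    ("Fwd: tlp: amber incident summary", Recipient(client_need_to_know=True), False),
    ("TLP RED meeting notes", Recipient(same_organization=True), False),
    ("Untitled draft", Recipient(in_original_exchange=True), False),
]


def review_outbox(outbox):
    """Return the allow/deny decision for each queued message."""
    return [may_share(parse_tlp(text), rcpt, public)[0] for text, rcpt, public in outbox]


if __name__ == "__main__":
    for text, rcpt, public in OUTBOX:
        allowed, reason = may_share(parse_tlp(text), rcpt, public)
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {text!r}: {reason}")
```

When a message quotes material under several markings, `parse_tlp` returns the most restrictive one, so a TLP:GREEN cover note cannot loosen a TLP:AMBER report forwarded underneath it.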

Naavi


RBI amendment means…Digi Real Notes Can now be issued by Corporates:

I refer to the article “Here is how the Currency Shortage can vanish in a jiffy with “Digi-Real Currency” in which a solution to meet the current crisis of shortage of currency notes was discussed.

One of the amendments that RBI has announced on the Prepaid Cards appears to make the suggestion even more viable than it was earlier.

In my earlier suggestion, I had preferred that the “Digi-Real Notes” which are paper instruments issued as “Zero Value” and with monetary value loadable by transfer of money to a digital account mapped to the instrument, be issued by Banks using their current infrastructure for printing cheque leaves. One of the reasons for this was to provide a sense of respectability to the paper notes which will obviously look less valuable than currency notes.

Now RBI has issued an amendment to its master circular on Prepaid cards vide its circular dated 27th December 2016 which appears relevant to our discussions.

According to the circular, the para 7.9 of the  master circular dated July 1, 2016 on Prepaid payment instruments has been amended.

The amendment is as follows:

i. Banks may extend the provisions of paragraph 7.9 of Master Circular on PPIs dated July 01, 2016 to include other entities / ‘employers’ such as unlisted corporates / partnership firms / sole proprietorship / public organizations like municipal corporations, urban local bodies, etc. (employers) for onward issuance to their staff / employees / contract workers, etc.
ii. Banks shall extend this facility only to those entities / ‘employers’ that have a bank account with them and after obtaining an undertaking that they are not availing of this facility from any other bank.
iii. Verification of the identity of the staff / employees / contract workers, etc. shall be the responsibility of the concerned ‘employer’. The bank should put in place proper systems to capture and maintain details of the employees to whom the cards are issued by the ‘employer’ along with copies of photograph and identity proof of such employees. The ‘employer’ is also required to make available details of bank accounts (if any) of the employees to the bank.
iv. Banks shall load/reload PPIs after obtaining necessary authorisation and above mentioned details of the employees/staff/contract workers, etc. from the ‘employers’.
v. Extant instructions of paragraph 7.9 (d), (e), (f) and (g) continue to be applicable.

 The above changes shall come into effect from the date of this circular.

With this amendment it is now possible for a number of Companies, including unlisted companies and even proprietary concerns, to issue “Prepaid Cards” co-branded with their Banks by identifying their employees. It will be as simple as issuing identity cards. Once issued, the participating Bank can allow loading of money into the prepaid card.

As a result of this amendment, the burden of issuing KYC based prepaid cards by Banks will be delegated to a number of employers.

The “Digi-Real Notes ” as suggested is also a similar instrument (though it is not a card) and may be termed as a “One time use prepaid instrument” that is actually handed over by the transferor to the transferee. Now such instruments can be issued not only by Banks but also by other agencies.

However, for the instrument to be widely accepted, the issuing company needs to have some respectability and the look and feel of the instrument has to project a sense of confidence.

This circular will enable many Companies to issue such prepaid instruments/cards to their employees and relieve the problem of currency shortage.

We may however reiterate that if the Companies only issue “Cards” as per the circular, the holders will only be able to use it as a “Digital payment” under say RuPay network. The card remains with the employee and can be used for payment to merchants. It will not substitute currency.

But if the suggestion of the undersigned is accepted, the “Digi Real Notes” can be “One time use prepaid cards” that can be used as a substitute for currency of any denomination such as Rs 100 or Rs 500/- or Rs 1000/- and will completely eliminate the need for the actual currency. At a cost of issuing the plastic cards, employers need to issue  “Coupons” with their logo with whatever security feature they can accommodate within their budget. Employees can also be given an option to either pick up the “Cards” or “Digi-Real Notes”. A small charge can also be made to cover the cost.

I hope companies will consider this suggestion now that the legal aspect has been cleared. Even if the private sector fails to respond quickly, public sector companies may move in quickly and create the precedent that can be taken up by others. This should meet the salary day rush for cash coming up in the next three days.

Naavi


Here is how the Currency Shortage can vanish in a jiffy with “Digi-Real Currency”

P.S: At the request of some of my friends, I have elaborated here the concept of Ze-Mo coupons I referred to in my previous article as a possible solution to the post-demonetization measure where there is a shortage of currency in the market. This solution was part of the patent applied solution titled “Digital Value Imprinted Instrument System” applied in 2003 and subsequently not pursued for various reasons. Presently the copyright is still with Naavi. However in the interest of the needs of the country at this point of time, I am publishing this solution with the hope that it can be exploited by either the Government owned Banks or any FinTech Company. There are a few more security aspects that can be incorporated in the solution beyond what is presented here to make the solution more robust….. Naavi

I present here a solution to the post-demonetization problem that we are facing in India today where there is a serious shortage of currency notes. It is stated that the printing capacity of RBI indicates that it will take some more time for the withdrawn notes to be replaced fully.

The solution presented here is an adaptation of Naavi’s “Digital Value Imprinted Instrument System” (DVIIS) as a “Digi-Real Currency” which will look as under. (May be printed on the security paper used in cheques)

This will be a form of hybrid instrument which uses the “Brick and Click” technology. It is a digital currency with a physical existence. People can hold it, feel it and hand it over to another person as they do now using a currency note.

However, there is no monetary value written on the instrument. The monetary value can be found by checking the serial number either on a website or on a mobile app. Persons with a QR code reader or bar code reader can use them with or without the app.

The basic instrument is issued by a Bank in the form of books with “Zero Value” on the instrument.

The holder can then use the App/website, enter the serial number and load an amount on the instrument such as Rs 50, Rs 100, Rs 500 or Rs 2000, or for that matter any other amount, by transferring the value from his account to the Digi-Real cheque. In this aspect it will be similar to a “pre-paid card” but the difference is that the Digi Real coupon is actually handed over to the person to whom the holder wants to pay some money and the receiver has the psychological satisfaction of holding the instrument with monetary value embedded inside.

Compared to the completely digital system that the “Mobile Wallets” etc. represent, this Digi Real Currency fills the missing link between the purely physical instrument based currency system as we use today and the proposed digital payment system. Ideally this should have come first before the introduction of the pure digital systems but currently we have moved ahead by leaping across. Those who do not have the strength to leap fully are the people who will benefit from this intermediary solution that enables transformation in easy to digest steps.

This system is different from the Sodexo type of coupons where the value is printed on the instrument because it is easy to duplicate. By not indicating the value on the instrument, the acceptor is forced to “Verify” the value. If he so desires, he can note the value as read by him on the back of the instrument where there will be space for keeping notes.

Verification of value can be done by several alternate means: sending the number in an SMS, reading a QR code or reading a bar code. Even an IVR system can be configured for the purpose.

It is also different from any instruments issued by the Banks today against payment since in such instruments, similar to DDs or Certified Cheques or Cash Cards, the customer has to first block his funds to get the pre-paid instruments, whereas in this instrument he can keep the blank instruments with him and use them for any denomination and commit his funds only at the time of use.

The holder will be given the option to

a) Extinguish the instrument by transferring the money to any bank account through the App

b) Hand over the instrument to another person without himself encashing it

c) Disable further transfer permanently or temporarily by locking the instrument (preventing theft)

The current printing capacity for cheques by Banks should be sufficient to print required number of this instrument which will be about half or one fourth the size of a current account cheque book. This will reduce the cost of paper used. Also part of the back of the instrument can be used for advertisement to subsidize the cost.

It can be supplied to the customers and delivered at their homes so that they need not queue up at the Banks. Each book can be used in any denomination of currency so that the shortage of one or other denomination does not arise. Eventually this instrument can enable the “Cashless Society” that we are dreaming of.

The system will prevent hoarding of this currency by putting an expiry date on the instrument after which it can only be transferred to the Bank account and extinguished. The instrument will therefore be in circulation all the time.

The system has many hidden security features, not all of which I have discussed here. It will be more tamper proof than the currency except for the need for people to understand the use of the App. In this respect it is not different from the Mobile Wallets, USSD codes or UPI apps. But it should be easier to understand and use than these apps. The only necessary operation that an ordinary man on the street needs to know is “How to Verify the value”. The other aspect is transferring the value to his account, for which he can use the assistance of other knowledgeable persons if required or the Bank itself, where he can deposit the instruments like any other cheque.

The only risk that will remain will be “Hacking of the server” in which the value of the instrument is maintained. But if we today trust the Banks for our money in their core banking software, we should trust them also for this database of Digi-Real currency. The need for strengthening the security in this system as well as the need for protective measures such as Cyber Insurance etc. will continue.

The possibility of a “Denial of Access” is also a risk that frustrates the system. This has to be tackled by a proper distributed system of authentication that can be configured by the Banks. The load on the system is of course not high, since compared to the current transaction authentication related system load, the query authentication involved in this instrument places a lower load on the systems and bandwidth. The “Query” received would be to validate a given number of the instrument and return the value recorded against it. There is no need to authenticate the transferor and transferee or to initiate a transfer instruction from one bank account to another.
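The holder options, the expiry rule and the read-only “Query” described above can be modelled as a small issuer-side ledger. This is an added sketch, not part of the original proposal or of DVIIS: the class and method names, the in-memory storage and the single lock flag are assumptions, and authentication of the app user who loads, locks or extinguishes an instrument is not modelled.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Instrument:
    expiry: date
    value: int = 0              # issued by the bank at zero value
    locked: bool = False        # holder's lock (temporary or permanent)
    extinguished: bool = False  # value already moved to a bank account

class Ledger:
    """Hypothetical issuer-side record of value held against each serial."""
    def __init__(self):
        self.instruments = {}   # serial number -> Instrument
        self.accounts = {}      # account id -> balance in rupees

    def issue(self, serial, expiry):
        self.instruments[serial] = Instrument(expiry)

    def verify(self, serial, today):
        """Read-only query an acceptor runs before taking the paper."""
        ins = self.instruments.get(serial)
        if ins is None:
            return {"valid": False, "value": 0, "reason": "unknown serial"}
        if ins.extinguished:
            return {"valid": False, "value": 0, "reason": "extinguished"}
        if ins.locked:
            return {"valid": False, "value": ins.value, "reason": "locked"}
        if today > ins.expiry:
            return {"valid": False, "value": ins.value,
                    "reason": "expired: deposit only"}
        return {"valid": True, "value": ins.value, "reason": "ok"}

    def load(self, serial, account, amount, today):
        """Commit funds from the holder's account at the time of use."""
        ins = self.instruments[serial]
        if ins.extinguished or ins.locked or today > ins.expiry:
            raise ValueError("instrument cannot be loaded")
        if amount <= 0 or self.accounts.get(account, 0) < amount:
            raise ValueError("invalid amount or insufficient funds")
        self.accounts[account] -= amount
        ins.value += amount

    def set_lock(self, serial, locked):
        self.instruments[serial].locked = locked

    def extinguish(self, serial, account):
        """Pay the value into a bank account; allowed after expiry, once only."""
        ins = self.instruments[serial]
        if ins.extinguished or ins.locked:
            raise ValueError("instrument already extinguished or locked")
        self.accounts[account] = self.accounts.get(account, 0) + ins.value
        paid, ins.value, ins.extinguished = ins.value, 0, True
        return paid
```

Because the serial number is printed on the paper, `verify` must stay free of side effects, while `load`, `set_lock` and `extinguish` are the calls that need an authenticated holder in a real deployment.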

I am presenting this commercially valuable suggestion here so that the Government/NPCI/Banks can make use of it if it desires.

If any FinTech company intends to develop this product, I will be able to assist them in developing the solution with appropriate modifications as may be required.

Naavi

(Comments are welcome)
