ISIS Propaganda from a Bengaluru Executive?

It is a shocking revelation that one of the most prominent Twitter handles carrying on ISIS propaganda happens to be that of a young professional working in Bengaluru in an MNC firm.


The twitter handle was titled Shami Witness and the person is identified by his pseudo name Mehdi.

The incident highlights how terrorism has spread its wings to young professionals with good educational background. It is unfortunate that the Police in Bengaluru had no inkling to the goings on.

It also highlights the failure of the employee behaviour monitoring system in the organization in which the person was employed and HR professionals need to think of new ways of identifying such deviant minds working in the system.


P.S: Another question which the Government of India and Karnataka need to answer is that just as they banned Uber and other app based taxi services, will they ban the ad company in which the person was employed and also other ad companies !

Share Button
Print Friendly

Government Fails to understand the Uber business model


The incident in Delhi involving a Uber taxi driver (a known criminal convicted earlier) committing rape of a girl using the taxi service to get a drop back to her house at around midnight after attending a party and pub has exposed the inability of the Government of India to understand the business model of app based taxi service.

When these officials who does not understand business, try to regulate a business that they donot understand, we cannot but see the bizarre knee jerk reactions alround.  So far the Government is talking of banning the taxi services without realizing that these companies such as Uber, Ola or Taxi for Sure donot run a taxi service as we traditionally understand. They provide certain technology services to the drivers (may also be the owners) of vehicles which are available for adhoc hiring. They are “Communication Management Companies” or a “Digital Call Center service” trying to bring the commuters and the vehicle owners for meeting mutual requirements. Everything else is “Perception”.

In a way, the problem being faced by the app based taxi services in India is similar to the problems faced by Bitcoin community some time back when RBI came down heavily on the system taking it as a challenge to the currency system.

In the case of the Bitcoins, the system was promoted and perceived as a “Currency” replacing the Rupee or Dollar where as it was a “commodity” acceptable for exchange of goods and services  in a “Limited Voluntary user forum”. The mistake was that of both the community which promoted it as a currency and the regulators who considered it as a currency.

Now, as regards the Uber, Taxi for Sure and Ola, are not “Fleet Operators” who own vehicles under a permit and run it with the help of drivers employed either on salary basis or on contract basis. In the “app based taxi service”, if any body has to be registered as a “Commercial Taxi” it is the individual driver who operates the taxis and not the Ubers or Olas. It is incorrect to even call them as “Taxi operators”. They must be called ” Aggregators” acting on behalf of the drivers. In fact it is more appropriate to consider  the Ubers and Olas  as the agents of the taxi drivers and not the other way round.

It would therefore be not possible for the transport department to register them as taxi operators without a change of law. If this path of changing of law to consider Ubers and Olas as taxi operators is attempted by any of the State Governments, it could lead to more legal complications than what they are trying to solve. As per the current laws, perhaps a single vehicle owner can register himself as a “Commercial Taxi Operator” and this law is sufficient to address the needs of the drivers who are affiliated to the Ubers or Olas.

The Ubers and Olas would be still liable as an “Intermediary” with some vicarious liabilities arising out of representing themselves as “Principals owning the taxis” instead of  “Agents for Booking”. Their liability will be more like the “Cyber Cafes”.

If the Government tries to define the Ubers and Olas as “Fleet Operators”, then they also need to consider the impact of such an interpretation on  private bus booking agents, train or air ticket booking agents, tour operators etc. If the Government says that Ubers and Olas cannot run their business without owning the vehicles themselves, then similar rules would be made to all other cab operators and auto rikshaw operators also that only the owners need to run the business. This will be impractical and cannot be implemented. In that case the app based service providers can consider that they are being discriminated and their fundamental right to run a business of their choice would be unfairly curtailed. If challenged, the Supreme Court may have to declare such laws as unconstitutional.

If the role of Ubers and Olas as a technology intermediary is recognized, their technology strengths can be harnessed by the Government to ensure that consumers get a good service and at the same time technology can be used in various ways to improve the security of the passengers.


Share Button
Print Friendly

Uber failed in ITA 2008 Compliance


Before we proceed, let me make one point clear. Banning of Uber and other “App Based Taxi Services” is completely unacceptable. It is an immature reaction to the incident and should be reversed immediately.

We need to learn from the incident and make a root cause analysis to identify what improvements can be brought into the system. If we have any hope of building “Smart Cities”,we need to be capable of  managing “Smart Taxi Services”. If a similar approach had been adopted to Banking where there have been hundreds of frauds, we would have closed internet and mobile banking long back.

The app based taxi services such as Uber, Ola or Taxi For Sure are extremely convenient to the public. It is also a great way of providing employment where individuals can throw up their resources  to a pool and earn a living. In Bengaluru, Ola is extending the service to Autos and it can be a great boon to the public if properly handled. The benefits of the service are too over whelming to be be denied to the public just because of the misdeed of one driver.

We need to find out how the service can be improved and made more secure without banning the service. In this context we can explore if ITA 2008 compliance would have assisted the app based companies to improve the security of their service.

Under ITA 2008, the services of the app based taxi operators would be recognized as an “Intermediary”. They receive messages from members and transmit them to the service providers. In the process they add value to the service by various means. Such service could also be provided by a telephone call center. The app is a digital tool that does the work better.

The “App Center” which could be a “Web Site” that operates in the background need to be compliant with Section 79 of ITA 2008. According to ITA 2008 the App Center (Or its owner who is the company such as Uber) need to exercise “Due Diligence” and “Reasonable Security Practice” failing which they would be liable for any contravention of ITA 2008.

The offence in question however falls under IPC committed with the use of electronic documents to lure the customer. However when the driver switched off the app to facilitate the crime, he caused “Disruption” of service which is a contravention under Section 43 of ITA 2008 as well as an offence under Section 66 of ITA 2008. It will also attract Section 85 of the Company according to which the individuals who are in charge of business of the company may be held liable personally for the civil and criminal liabilities arising out of the incident.

If the app company needs to defend against the liabilities arising out of the contravention, it needs to show observance of “Due Diligence” and “Reasonable Security Practice”.

A proper interpretation of the provisions of ITA 2008 indicate that there should be a “Privacy Policy” and appropriate disclosure policy while the intermediary collects and uses sensitive personal information from public for providing the service. The enrolled drivers would be “Business Associates” of the company and the company (Intermediary) needs to have appropriate policies, procedures and controls in place to ensure that information passed on to them is used only for the purpose for which it was provided, namely to provide the taxi service and nothing else.

Such security measures would include an anticipation of the failure of the network when the service provider loses connectivity with the driver either because he can switch it off or because the network may not be available and the counter measures that are required to address the consequences which are considered reasonable. This is a “Threat” and a “Vulnerability” that leads to a “Risk” that needs to be mitigated.

Such reasonable counter measures could be “Alerting the Passenger” and his/her emergency contacts that “The taxi in which the passenger is travelling is temporarily out of contact and its last known location was ….” and also alerting the nearest police control room. In the instant case, it would have woken up the  passenger and enabled her to protect herself better.

The Police may say that they donot have the resources to respond to such alerts since there would be too many false alarms. But if the first alert from the app is corroborated by a subsequent alert from say the passenger using some security app of their own, then the police can swing into action through the patrol vehicles to check. Also the passenger can confirm when the booking is made  if he/she has accompanying passengers or is travelling alone which can tag the alert as “Non Critical” or “Critical”.

The back ground verification of the drivers would however be an essential part of the security and can be used to tag the drivers as “Verified” or otherwise.

The beauty of technology is that if we are innovative, we can up the security several notches and make the life of the citizens that much more secure.

We hope that our administrators understand the power of technology and use it properly rather than banning the use of technology for managing the taxi services. In the coming days the app based transport services will be an integral part of “smart city life” and it would be unwise to interrupt this technology development.

I also urge the app taxi operators to immediately form a forum of their own and develop a “Standard Security Procedure” to be an “industry practice”. They can then seek approval of such information security practice under Section 43A of ITA 2008 as a “Reasonable Security Practice”.

This would protect their business from knee jerk and arbitrary regulations from different Governments and harassment from corrupt politicians and police.


Share Button
Print Friendly

Cost of Data Breach in India


Business Managers always have  difficulty in appreciating the need for investment in Information Security. Money is always a scarce resource in any organization and there are always competing demands. Managers often prefer a marketing investment against an IS investment since the benefits of a marketing activity is more visible and are often immediate.

An investment in IS is however meant to prevent an adverse incident and if it is successful, then we may often not recognize the benefit. No body may  recognize that there was in deed a threat and it was prevented because of the IS investment. Even at the initial decision making stage, it is difficult for the business manager to appreciate why he should invest in IS when there has been no adverse impact on the organization in the past.

In the light of this dilemma, it is interesting that the Ponemon Institute has released an eye opening 2014 survey report quantifying the cost of data breach in India. Though the impact of a security threat may differ from one organization to another, there are certain observations in the report which every manager needs to take note.

For example

1.  The survey points out that the cost of data breach in India increased by 31% in the last year from RS 2271/- to Rs 3098/-. This is cost for one lost or stolen data. In actual practice, whenever there is a data breach incident in an organization, data is lost in large numbers. The average total organizational cost according to the study therefore is reported to have increased by 32% from Rs 6 crores to Rs 8.3 crores.

If therefore there is  a probability of one breach in an organization, then the cost would be around Rs 7 crores. It should also be remembered that the cost of loss in the Financial Sector such as Banks is nearly twice that of  the above average.

Hence one breach is all that it takes to close down a business.That single killer breach can occur any time because there are a number of threats lurking in the environment and a number of unattended vulnerabilities in the organization. It can also occur because a company has a lakh employees and  any one of them can cause the breach for various reasons including negligence, lack of awareness and malicious intention.

Every company has to therefore check if they have the ability to survive  even one breach incident if it occurs in their organization. If not, then they should not argue on the investment required in mitigating the risk even if the risk mitigation may not guarantee 100% elimination of the risk.

2 The survey observes that customers abandon organizations at a higher rate following the data breach. It is natural that customers do abondon organizations if a security breach in that organization puts the customer’s own business at risk of loss. On an average the customer turnover after a data breach increased by 11%. Marketing personnel who compete for investment from the IS department should consider that they need to get that much more of new business to protect their revenue if they try to snatch investment from the IS departments. In financial terms, the average cost of  lost business costs increased from Rs 1.53 crores to Rs 2.01 crores during the year.

3. The study also goes on to state that the cost of data breach can come down by around 9% merely by appointment of a CISO. It can also come down further by around 12% with a good incident response plan, another 20% by a strong security posture and Business Continuity program. In other words the study predicts that around 40% of the cost of data breach can be brought down by simple IS measures and there in lies an indication of the ROI on IS investments.

These figures must be sufficient for any business manager to understand that cutting investment in information security does not reflect prudence.

Refer here for more details

Related Article.


Share Button
Print Friendly

Section 66A and Section 79 of ITA 2008 at Supreme Court

Hindustan Times has reported (Refer: Article  “SC warns govt over gagging social media” in Hindustan Times ) that the Supreme Court has demanded that the Government submits its views to the Court within one week and threatened that it may otherwise keep the section under suspension.

The main issue under consideration by Supreme Court is whether Section 66A is “Un-Constitutional” and interferes with the “Freedom of Speech”.  If SC is satisfied that the section does interfere with the freedom of speech since it criminalizes posting of comments on Face Book and Twitter as in the Palghar Case, it may come to the conclusion that Section 66A needs to be scrapped. Simultaneously the indication is that SC may also take a view on the responsibility of intermediaries under Section 79 in similar cases. has expressed its views on this issue several times and would like to reiterate its views for immediate reference.

1. The current complaint before the SC is based on the action of Police in some of the cases such as the Palghar case. The most recent is a case filed on Mr N.Chandra Babu Naidu by TRS Chief Chandrashekar. In our opinion, all these cases have been filed by an error of judgement on the part of the Police and hence are not relevant to the issue whether Section 66A is unconstitutional or not. Postings in Face Book and Twitter should be considered as “Publishing” and is not within the provisions of Section 66A which should be restricted to “Messages” and “E Mails”. Restrictions on “Publishing” under ITA 2008 is restricted to what is “Obscene” and is covered under Section 67. All other defamation issues must be considered as outside the purview of ITA 2008 and should be considered as falling under IPC. A relevant “Explanation” under Section 66A would be a sufficient relief in the present case.

2.The reason why scrapping of Section 66A is not recommended is that this section addresses issues such as Cyber Bullying, Cyber Stalking, Phishing and Spamming. Hence there is a need to retain the section.

3.There is also a question on whether “Annoying” can be a sufficient ground to be equated with “Defamatory”.  Feeling “annoyed” is a personal reaction and is not the same as “being Defamed” in the presence of others. A person can get annoyed for nothing and cannot be a ground for removal of any content under Section 79.  An intermediary cannot also sit in judgement of whether there is a defamationary element in any content as this is the responsibility of the judiciary….unless the defamation is primafacie evident.  Intermediary can only put up a counter view and start a process of grievance redressal.

Let’s wait for further developments.


Related Article by Pranesh Prakash

Share Button
Print Friendly

Syndicate Bank loses Rs 1.13 crores of customer’s money


In a repeat of a common cyber crime which have earlier been reported in the case of Exporters and Importers, an NRI customer of Syndicate Bank in Manipal has reportedly lost Rs 1.13 crores.

It appears funny that the Bank transferred money based on undigitally signed e-mail received in the name of the customer.

See Report here

It is almost like celebrating an anniversary of the article titled “Negligence of Export Promotion Councils, ECGC and Banks lead to Rs 2.35 crore fraud” published in this site on 27th November 2013 highlighting the responsibilities of Export Promotion Councils, ECGC and Banks in ensuring that such e-mail frauds are not committed.

It is unfortunate that the Bank remained illiterate to such information available in the market. RBI should also share with the public what action it has taken to educate the Bankers on such Cyber Crime Risks.

It is sad that Banks and other regulatory institutions seem to be oblivious of their responsibility to protect the citizens from such frauds.

Unfortunately this fraud has happened in Karnataka which is a haven for Cyber Criminals since there is no cyber judicial system operating here at present. With the Adjudicator of Karnataka shooing away Cyber Crime victims from seeking justice through his office, the CM and Chief Justice looking elsewhere, Cyber Crime victims of Karnataka have no where to go for justice. At least if the Bank had been head quartered outside Karnataka, the situation would have been better.

Until such time that there is change in the approach of Karnataka Government on re-activating the Adjudication system in the State and until the Chief Justice of Karnataka opens his eyes to the problem, it is better for Bank Customers in Karnataka to keep their money in Mumbai headquartered Banks since the adjudication system in Mumbai is more active and some justice can be expected.


P.S: The details on why the Adjudication system is not active in Karnataka and why the Karnataka Government and Karnataka High Court is responsible for the miserable state of Cyber Judiciary in the State has been discussed several times in this site and requires no repetition. I wish CM Mr Siddaramaiah who is himself a law graduate or the Chief Justice of Karnataka invites me to explain why I feel so bitter.


Share Button
Print Friendly