Cyber Security Framework and Directors of Banks- An Action Plan..for Now..

The Cyber Security Framework (CSF-2016) proposed by RBI to be implemented by Banks has posed a stiff challenge to the community of Bank Directors. After the lukewarm response to its previous guidelines including the E Banking Security Guidelines (GGWG Recommendations) of 2011 from Banks, RBI has now tried to tighten its screws on the Bank boards and therefore repeatedly sought the direct responsibility of the Board of Directors in Banks for ensuring implementation of the recommendations under CSF-2016.

The Countdown has already started. By September 30, 2016, RBI wants several aspects of its recommendation to be in place, and it is hardly 51 days to this deadline and probably not more than two board meetings left to review the implementation. The challenge is stiff, but we need to make a start and start running. The spirit is to make an honest attempt.. after all, we are in the season of Olympics and participation is the key.. Making an honest attempt to win is necessary….But actually winning is incidental..

Let’s briefly review the challenge that our Bank Directors have on their hands now. I wish that Directors in banks, and more particularly the “Independent Directors”, would take note of the following in their own interest.

The first deadline given by RBI was July 31, 2016 by which the Board should have approved a “Gap Analysis” and signed on a report sent to the DBOD. Probably most Banks should have completed the formality. Those who have shot off the report may now review if the report was complete and those who have not, need to review how quickly they can recover the lost ground.

Banks already have some infrastructure to handle Information Security and there will be a sub committee of senior executives already assigned to the task of managing the Information Security in the Bank as per the GGWG guidelines. There is also a CISO in most Banks. The CISO should therefore present (should have already presented) to the Board his assessment of the Gap and recommended action plan.

If not, summon another Board meeting immediately and ask the CISO to make a presentation. Even if a note has been already presented, it is recommended that the CISO is asked to present his views on the Gap report already sent to RBI and modifications that may be required.

The “Gap Report” is to document the current status of the implementation of the “Cyber Security Program” vis a vis the recommendations contained in the Cyber Security Framework-2016 elucidated in the RBI circular of June 2, 2016.

Obviously, in order to prepare this Gap Report or approve it as a member of the Board of Directors, there is a need to understand the CSF-2016 document and absorb its implications. This itself requires a deep understanding of the nuances of Cyber Risk Management, without which the Directors can easily be misled that “All is Well” and ignore the urgent action to be undertaken.

The first question to be raised is

  • It is a requirement of the CSF-2016 that the Board of Directors should be adequately trained on Cyber Security issues. Has the CISO organized such an awareness program for the Directors? If not.. when is it scheduled?
  • In order not to waste further time, the agenda for the next Board meeting should include a presentation by the CISO of not only the action plan under CSF-2016 but also a general training on the implications of CSF-2016.
  • Since the CISO is the implementing party, it is better if such a training program is organized by an external consultant who understands the issues in managing Information Security in the Banking environment, and it should precede the presentation of the CISO so that the right questions can be raised to the CISO.
  • Since it is embarrassing for the Board to call for a training for itself, it is better to call this an “Interaction with an expert” or a “Round Table” in which the implications of CSF-2016 can be discussed by the members of the Board along with the CISO and his team.

Some of the challenges that the Directors need to meet during this initial interaction are..

a) The Gap report should have identified the Cyber Threats that confront the Banking environment considering the business and product profile of the Bank. The CISO should have developed a “Threat Register” to identify and list the threats.

b) The Gap report should have identified the Cyber Vulnerabilities of the system including the technical, regulatory, and manpower related deficiencies in the system.

c) Based on the threats and vulnerabilities, the CISO should have developed a “Risk Register” listing out the individual Cyber Risks that confront the Bank.

d) The “Risk Identification” should not be restricted to technical matters only and should also address the legal issues such as compliance with the Information Technology Act 2000 as amended in 2008 and later (ITA 2000/8), and also take into account the human factors that can result in exploitation both at the employee level and the customer level.

e) The Risk Identification has to also assign a measure of the risk criticality, which can be either a subjective evaluation of “Low Risk”, “Medium Risk”, “High Risk” etc. or a value assigned in an objective manner if possible.

f) The CISO should also indicate and recommend the “Risk Management Policy” consisting of how much of the risk can be avoided, how much of the risk can be transferred by insurance, how much of the risk can be mitigated by various measures and how much of the risk has to be absorbed by the organisation.

g) The CISO should also indicate and recommend a brief overview of a “Risk Mitigation Plan” and suggest what should be the “Risk Appetite” of the organization. It would however be the decision of the Board to determine the “Risk Appetite” of the organization, which reflects the extent of risk that it can absorb in the interest of business, since ultimately commercial activity is always a risk-return trade off.

h) The CISO may also be asked to present his specific recommendations on the status of implementation of the 24 Baseline controls that have been indicated in Annexure 1 of the CSF-2016, as well as how to approach the SOC set up indicated in Annexure 2 and the Incident Reporting structure indicated in Annexure 3 of the CSF-2016.
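The Threat Register, vulnerability list, Risk Register, criticality rating and avoid/transfer/mitigate/absorb policy described in the points above fit together as one data structure. The following is an added illustration written for this article, not part of the RBI circular or of any bank's own tooling. The five-point likelihood and impact scales, the score bands, the decision rules for treatment and all register entries are constructed assumptions; the one thing the example keeps from the text is that the risk appetite is an input the Board sets, not something the CISO's tooling decides.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumption of this example: likelihood and impact on 1..5 scales, score =
# product (1..25), banded into the subjective Low/Medium/High ratings.
# CSF-2016 does not prescribe a scoring method.
CRITICALITY_BANDS = (("Low", 5), ("Medium", 12), ("High", 25))


@dataclass(frozen=True)
class Threat:
    """One entry of the Threat Register."""
    id: str
    description: str


@dataclass(frozen=True)
class Vulnerability:
    """One vulnerability; category is technical, regulatory or manpower."""
    id: str
    description: str
    category: str


@dataclass(frozen=True)
class Risk:
    """One Risk Register entry: a threat exploiting a vulnerability."""
    id: str
    threat: Threat
    vulnerability: Vulnerability
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.id}: likelihood and impact must be 1..5")
        return self.likelihood * self.impact

    def criticality(self) -> str:
        return classify(self.score())


def classify(score: int) -> str:
    """Map a 1..25 score to the Low/Medium/High bands."""
    for label, upper in CRITICALITY_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score out of range: {score}")


def recommend_treatment(risk: Risk, risk_appetite: int) -> str:
    """Suggest Absorb / Transfer / Mitigate / Avoid for one risk.

    risk_appetite is the highest score the Board is willing to absorb;
    the Board, not the CISO, decides it. The rules below are illustrative.
    """
    if risk.score() <= risk_appetite:
        return "Absorb"
    if risk.vulnerability.category == "regulatory":
        return "Mitigate"   # a compliance gap cannot be insured away
    if risk.likelihood == 5 and risk.impact == 5:
        return "Avoid"      # stop or redesign the activity itself
    if risk.impact >= 4 and risk.likelihood <= 2:
        return "Transfer"   # rare but costly: candidate for cyber insurance
    return "Mitigate"


def risk_register(risks: List[Risk], risk_appetite: int) -> List[Dict[str, object]]:
    """Rows the CISO would place before the Board, worst risks first."""
    rows = [
        {"id": r.id, "threat": r.threat.id, "vulnerability": r.vulnerability.id,
         "score": r.score(), "criticality": r.criticality(),
         "treatment": recommend_treatment(r, risk_appetite)}
        for r in risks
    ]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def summary(rows: List[Dict[str, object]]) -> Dict[str, int]:
    """Count of risks per criticality band, for the Board note."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for row in rows:
        counts[str(row["criticality"])] += 1
    return counts


# Constructed sample entries, not taken from any bank's actual registers.
THREATS = {
    "T1": Threat("T1", "Phishing of internet-banking customers"),
    "T2": Threat("T2", "Malware on branch endpoints"),
    "T3": Threat("T3", "Insider misuse of privileged access"),
    "T4": Threat("T4", "Prolonged outage of core banking system"),
}
VULNS = {
    "V1": Vulnerability("V1", "No customer awareness programme", "manpower"),
    "V2": Vulnerability("V2", "Endpoints without application whitelisting", "technical"),
    "V3": Vulnerability("V3", "Privileged-access logs not reviewed (ITA 2000/8 due diligence)", "regulatory"),
    "V4": Vulnerability("V4", "DR site not tested in the last year", "technical"),
    "V5": Vulnerability("V5", "Guest Wi-Fi segmented but unmonitored", "technical"),
}
SAMPLE_RISKS = [
    Risk("R1", THREATS["T1"], VULNS["V1"], likelihood=5, impact=3),
    Risk("R2", THREATS["T2"], VULNS["V2"], likelihood=3, impact=4),
    Risk("R3", THREATS["T3"], VULNS["V3"], likelihood=2, impact=5),
    Risk("R4", THREATS["T4"], VULNS["V4"], likelihood=1, impact=5),
    Risk("R5", THREATS["T2"], VULNS["V5"], likelihood=2, impact=2),
]

if __name__ == "__main__":
    rows = risk_register(SAMPLE_RISKS, risk_appetite=4)  # appetite set by the Board
    for row in rows:
        print(row)
    print(summary(rows))
```

The treatment column is only a recommendation for the Board to accept or override; changing `risk_appetite` moves the boundary between "Absorb" and the other three treatments without touching the register itself, which is the separation between the CISO's assessment and the Board's decision that the text describes.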

The “Gap Report” is only a starting point and may be imperfect. But what is required to be done is to set in motion a corrective plan so that by September 30, 2016, when a comprehensive “Cyber Security Policy” along with an operating “Security Operations Center” and a “Cyber Crisis Management Plan” is to be presented to the RBI with the recommendations of the Board, the Directors are fully aware of the responsibilities they are undertaking in submitting the plan.

This is also the time for the Board to review if its current information security management infrastructure is adequate or needs to be augmented. Finding the right people in the domain is not easy, and even if a decision is taken today, quality people cannot be brought in until well after the September 30 deadline has elapsed. Hence the first set of actions has to be initiated by the existing team, summoning whatever assistance they can gather from within and from available external consultancy resources.

There is no doubt that your CISO will say setting up an SOC is a long term project and even a proper risk assessment will take time. But RBI has taken this into account and advised that Banks cooperate amongst themselves through the CISO forum coordinated by IDRBT to share knowledge and achieve the goals faster than what they would otherwise achieve.

This however requires shedding of individual egos of Banks and their CISOs and working in a spirit of cooperation and benefit to the Banking community on the whole.

The Board has a responsibility to provide support to their CISOs to explore such cooperation in a spirit of give and take so that professional CISOs are not constrained by the fears of breaking the norms of secrecy that often shrouds the operation of the information security departments.

… With these introductory words, I urge the Directors of the Banks to accept the challenge placed before them by RBI to strive towards achieving the Cyber Security Goal however difficult it appears to be.


YingMob may be prosecuted for Cyber Terrorism.. Will Mr Rajnath Singh take action?

The security world is warning Indian Android mobile users that the malware HummingBad has been spreading fast across the globe and poses a threat to Indian mobile users also.

This malware is reported to have infected over 1.4 billion Android devices worldwide and generates ad revenue of over $300,000 for its Chinese owner “Yingmob”, a Chinese mobile ad server company which had already been linked to the development of malware targeting Apple iOS devices.

Once on a device, HummingBad is capable of exploiting a full range of paid services, including displaying mobile ads, creating fraudulent clicks from users’ devices, and installing additional fraudulent apps. According to Check Point, the apps display more than 20 million advertisements per day, and Yingmob achieves over 2.5 million ad clicks per day, which translates into significant revenues. Yingmob’s average revenue per click (RPC) is $0.00125, making accumulated daily revenue from clicks over $3,000. Added to revenues from fraudulent app downloads, which exceed $7,500 daily, Yingmob makes over $10,000 per day, more than $300,000 a month.

Under the Indian laws, such “Unauthorized introduction of a code is considered a computer contaminant and is an offence under Section 66 of ITA 2000/8”. In case any of the intruded mobile is a property of the Government of India, the intrusion can be considered as an offence under Section 66F which is considered as “Cyber Terrorism” under which “Life Imprisonment” is possible. Also in view of Section 75 of ITA 2000/8, Indian Courts have a jurisdiction to take on trial this offence and pronounce a verdict.

In order to discourage legitimate commercial companies getting into cyber crime as business, it is necessary that such activities are nipped in the bud. I therefore urge the Indian Government to lodge a formal complaint with evidence obtained from Check Point and prosecute YingMob for Section 66F offence in India and then take up the issue at International Levels.

This trend of mobile malware that tries to root into the system may also be commercially beneficial to the mobile companies since users tend to get fed up with the slowing down of their devices and often decide to buy a new mobile rather than put up with a persistent malware induced performance attrition. Probably the Chinese mobile Industry is not so unhappy therefore that there are companies like YingMob in their midst.

Besides, the growth of mobile ransomware poses an unimaginable threat to India’s Digital India program, and if proper defensive action is not taken to prevent the YingMob type of companies from using their resources to commit international crimes, the Indian economy is in danger of being swamped by a Cyber war attack launched through the same mobiles through which HummingBad may be operating today as a relatively less harmful, performance reducing malware. Left unchecked, it can become a monster in the days to come.

It is time India takes a lead in checking such malpractice and show to the world that such deceit does not pay.


The Case of stolen NSE Live Data

(P.S: The discussion that is contained herein is for educational purpose and in exercise of free speech rights in public interest of journalism)

The Incident as Reported

An interesting case has been reported from Mumbai where the Mumbai Cyber Cell has arrested a person from Durgapur for illegally selling “Live NSE Feed”. The accused, one Mr Rajendra Kumar Chell has been booked under Section 420 (Cheating) of IPC besides Section 66 and 66B of ITA 2000/8.

The complaint was filed by the manager of NSE working in an NSE group company, DotEx International Ltd (100% subsidiary of NSE), which has purchased exclusive rights to sell live Capital market data. DotEx was providing such service to 33 other companies.

Around October 2015, the company DotEx noticed that two websites other than their customers appeared to be selling NSE live data and when approached, offered the service for a fee. On payment the complainant was provided with a “Team Viewer” ID and password through which access was provided to live data. By logging into the Team Viewer, the user would be able to view the “NSE Now Terminal System” and the live market data. The complainant has alleged that the two website owners had stolen NSE’s live data and were selling it illegally.

On receiving the complaint, on January 19, 2016, the police have traced the accused through the Bank account to which payment of the subscription amount (Rs 2550/- presumably per month) was credited and the arrest has now been made on 2nd July 2016.

(Details of the case as reported in


It is not clear how the accused first acquired the data. It is possible that he was one of the legal subscribers to the DotEx service, which he shared with others like a “Sub Broker”.

“The NSE’s real time data is provided in three levels (level 1, level 2, level 3 and tick by tick). Level 2 provides market depth data up to 5 best bid and ask prices and Level 3 provides market depth data up to 20 best bid and ask prices. The real time data feed is provided in TCP-IP format. It is provided on-line through a dedicated 2-10 mbps channelized E1 private leased line circuits. This line shall be owned by the customer and the line should be from National Stock Exchange, Mumbai to the premises of the customer. Alternatively, the customer can take the data from one of our authorised data vendors.” (Source: DotEx website)

This is raw data which the users need to consume through appropriate systems and software. According to the NSE tariff table, the level 3 service on a tick by tick basis offered on a “Terminal Basis” may cost as much as Rs 99 lakhs for both the capital markets and Futures segments. This can be used “Free” by 300 users, with an additional Rs 1140 per month per user thereafter.

It is presumed that one such user has re-sold the service. It is also possible that the accused has subscribed to the service legally with one of the brokers who is authorized to sell the data and tried to re-sell the same data to his customers.

Alternate Legal Interpretations

The case represents certain important legal interpretations and opens up some old discussions on the principles involved in Copyright law.

Presently the case has been booked under Section 420 of IPC and Sections 66 and 66B of ITA 2000/8.

Section 420 of IPC is a broad section and states as under

“420. Cheating and dishonestly inducing delivery of property.—Whoever cheats and thereby dishonestly induces the person deceived to deliver any property to any person, or to make, alter or destroy the whole or any part of a valuable security, or anything which is signed or sealed, and which is capable of being converted into a valuable security, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine.”

In the instant case, the “Property” is the “Live NSE Data”. Assuming that the property belonged to DotEx as an exclusive licensee, the allegation is that it was dishonestly sold to others by the accused. Whether this qualifies as “Property” under IPC is a matter to be discussed if IPC sections are to be applied to the case.

On the other hand, Section 66 of ITA 2000 is a reflection of Section 43 and includes “Unauthorized Access” to a computer system including data. Section 66B applies to “Usage of stolen computer resource” which includes data. Hence application of ITA 2000/8 is undisputed though the cause of action under sections 66 and 66B needs to be established. This revolves around “Whether the sharing of data was authorized or not”.

The angle of License Rights

The interesting aspect of the case is what rights were available to the accused with regard to the data and whether he wrongfully applied those rights.

More than the concept of “Data Theft”, this offence appears to fall in the domain of transgression of the “License to use”. If the accused was an authorized user in the first place and re-sold it to others, it may not qualify as “Data Theft” or “Unauthorized Access” but may have to be debated under the “Terms of usage of license”.

The scheme as reflected in the NSE tariff card, envisages that an authorized user can anyway share the data with 300 free users and more on additional payment basis. It is possible that the accused may be one such licensed user of another licensee.

In the instant case, the accused has further used “Team Viewer” and created a “Closed system of sub-users” who have been authorized to share the feed which was available to him probably as a legal right. If therefore the first right was legal, the sale thereof would be legal or otherwise based on the contract on which the first right was obtained.

SEBI regulates the scheme of “Sub Brokers” and “Investment Advisors” as regards providing “Investment Advice” from the point of view of investor protection. But SEBI regulation may not prohibit distribution of raw data on which the investors may take their own decisions. Hence in the instant case, there may not be any violation of SEBI regulations. However, if the concept of “Sub Brokers” and “Investment Advisors” as regulated by SEBI permits providing of investment advice as well as data sharing services through the broker’s own shared “Trading software”, there is an implied permission for brokers to share NSE live data with their customers.

The key point therefore that determines this case is how did the accused first come to possess the right to the data and what were the terms. If the terms under which the accused acquired the data did not specifically prohibit its sharing with others either for consideration or otherwise, it may be difficult to make the charges stick.

In this connection, I am reminded of an old debate on copyrights in which it was discussed if a “License to a Music CD” obtained by a person entitles him to play the music aloud in such a manner that the music could be heard by the other non licensees in the vicinity some of whom may be the members of the family of the licensee and some not. (P.S: Reference may be found in the archives in

We can also discuss such “Licence Rights” as to whether it extends to the playing of the music on loud speakers in a function for a fee.

We have similar debates where TV broadcasters and cable operators object to playing of TV in a public place such as a restaurant, arguing that the licence given is for use by a “Single Person”. Even BCCI and ICC have used such rights for restricting rights of providing live feeds of cricket match scores and taking pictures of live sports action etc.

It appears that in the instant case also a debate will ensue on whether the data feed which gets displayed on a screen should be viewable only by the licensee and nobody else.

The trend in the copyright arena is to narrow down licences to such an extent that every use of the licensed material, whether for personal use, for education or for truly commercial purposes, falls under a different form of licensing, so that the user can be bled to the last drop of his blood.

It must also be remembered that the data in this particular instance refers to the collection of activities of investors as captured by the system. NSE is only an aggregator of the actions of investors to make a bid or buy or sell. The live data feed is therefore not an originally created “Intellectual Property” of the NSE. Hence the right of NSE on the live data feed is not “Absolute”.

A comparable example is a sports event where the sportsmen create the spectacle. But the “Organizer” claims the right to the viewing of the “Spectacle”. However, in a Cricket match organized by BCCI, it pays the players so that it can claim the right to the viewing of their performance. In the case of NSE, the investors pay money in different forms to NSE, and hence NSE cannot automatically claim the right to display the actions of the investor.

Hence there are several larger complicated issues involved in determining whether the charge in this instance can be upheld.

If therefore the present charge is upheld, there could be a fall out which would affect several other usage contexts of data beyond the stock markets.

In particular, in the stock market domain, it would affect every licensed live data feed owner such as a broker. If the concept of “Live data feed is only for the licensee” is upheld, every employee of the broker who works in the trading hall and has the probability of viewing the live data feed on the trader’s screens would have to be considered a “Licensed user”.

Similarly, if a customer of a broker is using a broker’s feed on his personal computer and his friend or colleague is shoulder surfing to find out how a share is moving, it could be construed as an offence of data theft.

From the preliminary information that is available, it is unlikely that either DotEx or any of its 33 licensed data users and the scores of licensed brokers have robust usage contracts that prohibit the viewing of the trading screens on a user’s computer by friends and family members of the licensed users. They may however make retrospective changes to their contracts now to manipulate the terms of usage of their live data feed to protect their interests, unmindful of the possibility that such unilateral changes of contractual terms may amount to offences under Section 65 or 66 of ITA 2008 as well as offences under IPC for manipulation of evidence.

I wish that the Court which goes into the case understands the possibility of an undesirable consequence of its decision (if it upholds the charge and rules that a licensed user cannot share the trading screen with another), which would require every computer user to ensure that his computer screen is not visible to anyone except himself when a trading screen is running, and takes a consumer centric view of the incident.

(The above discussion is for academic purpose and in exercise of the journalistic freedom of speech and is based on the information available at this point of time. I reserve the right to change my views if additional information becomes available)


Related Articles:

When you buy music, will you be buying trouble?

Copyright Act amendments in India.. Watch Out for surprises

The mystery land of Cyber Insurance-2: What is Cyber Insurance?

Naavi along with some of his friends embarked upon a Cyber Insurance Status study in India titled “India Cyber Insurance Survey 2015”. Some aspects of this survey have been briefly referred to on this site earlier. Now, based on the results of the survey, more detailed information is being presented in a series of articles to be published over time. Hope this will be useful to the community….Naavi

When the exploration of the Cyber Insurance land was contemplated, it was known that knowledge about the concept of Cyber Insurance was low in the market. Hence the expectations of the study were set low. There was no surprise here to find out that the penetration of Cyber Insurance in India was low. Some of the reasons for such a status despite the growing Cyber Crime threats are analysed here.

Penetration Levels:

Let us analyze one set of the responses which indicated as under:

92% of the respondents who represented different IT user entities had no experience of taking Cyber Insurance.

54% of the respondents stated that they are unlikely to consider in the near future.

90% said that they will consider only if they suffer any loss in a cyber attack.

74% said that they will consider only if they have an attack on themselves.

72% said that they may consider if a suitable product at the right price is available and 80% said that they will consider if there is a mandate.

The respondents were all senior professionals from IT sector and included CEOs. For 54% of them to say they are unlikely to consider Cyber Insurance in near future was very disappointing.

The fact that 90% said that they will consider only if they suffer a loss indicated the dreaded syndrome of “Closing the stable doors after the horses have bolted”.

I can categorically state that many of the organizations may either not survive after their first attack or may get so badly battered that their survival after the attack would be an unending struggle. None of us know what is in destiny for us. But for us to take Cyber Risks so lightly is nothing short of recklessness and readiness to commit harakiri.

I therefore strongly advocate entrepreneurs of all kinds to shed their complacence and take a look at the need for Cyber Insurance.

I also want to highlight here that the need for Cyber Insurance is more for the entrepreneurs than the Cyber Security professionals since the business risk lies mostly with the entrepreneurs and their investors. If a company faces a fatal attack, the Cyber Security professionals will easily walk out and settle in another company enriched with their experience. Their loss is for a limited time and can be overcome. But for the entrepreneur, loss of his dream project may be the end of the world.

Hence it is the Company promoters, Directors, Investors and Business Managers who need to watch out for what I am about to say on Cyber Insurance through these columns.

Cyber Insurance is part of Cyber Security Management

Cyber Security professionals who understand that Cyber Security management consists of the four strategies of “Risk Mitigation, Risk Transfer, Risk Avoidance and Risk Absorption”, and that “Risk Transfer” is achieved through Cyber Insurance, also need to watch out. After all, they are senior professionals today and many of them will be owners of businesses in the Start Up revolution that is sweeping our country.

The first reason why a responsible professional is not keen on Cyber Insurance, is that there is less than needed understanding of what is “Cyber Insurance”. Let us therefore try to address this issue first.

Two Components of Cyber Insurance

Cyber Insurance has two major components. One is insuring self damage, where losses suffered by the insured are covered by the insurer. The second is that when a Cyber incident occurs, the insured may incur a liability to pay damages to an outsider. Cyber insurance also covers this as “Liability insurance”.

It is easy to understand this concept by looking at the similarities with Motor Insurance. In motor insurance, if an accident happens, the owner of the vehicle gets compensation to pay for the repair of the vehicle. At the same time, under the Motor Vehicles Act, if he is liable to pay damages to third parties, that is also covered.

Cyber Insurance is also like Motor Insurance and has the two components of “Own Damage” and “Third Party Liability”.

The “Cyber Incident” may happen due to many reasons. For example, it can happen due to internal technical issues including physical issues such as electrical outage, flood, fire etc. It can also happen due to a fault in the hardware or software. It can happen due to human failure such as negligence of employees. It can also happen due to malicious intentions of humans, including insiders and unknown attackers from the wild. In such attacks there are also those which are categorized as “Zero Day Attacks”, which essentially means that until such an attack is revealed, even the manufacturer of the software/hardware does not know that a certain Zero day vulnerability exists in the system which he has in good faith sold to the IT user who is today facing a liability situation.

Asset Valuation Issues

A quick glance at the various reasons that can cause a loss which may come under the umbrella of a Cyber Insurance indicates why Cyber Insurance is complicated and poses a challenge not only to the insured but also to the insurance industry itself in structuring a suitable policy.

For example, for insuring “Own Damage” one needs to value the Cyber Assets. While it is easy to value the hardware and purchased software, for which there is a cost and a depreciation, the value of internal software development needs to be arrived at on an assessment. Also a huge part of the cyber assets is in the form of “Data” which is acquired at a cost. The resident data should therefore be valued.

Now check back with your CFOs if there is a proper valuation of the cyber assets reflected in the balance sheets and whether your current asset valuation policies for the purpose of P&L are well suited for claiming insurance.

Most companies have a system of writing off all software purchases as “Expenses” though its beneficial use is spread over several years. Hence many soft assets continue to be used much after they find no mention in the balance sheets. As regards the hardware, it is often the practice to retain a nominal value of Rs 1 in the balance sheet even after the value is depreciated for a conservative reflection of the P&L. A similar approach is required for any software acquired at a cost so that no asset remains outside the radar. When a cyber event occurs and the company has to regroup, what is relevant is “Replacement Cost” of the asset and not the depreciated value represented in the balance sheet.

Of course it would be convenient for the insurance company if the insured is stating that what he has lost is of “Zero Value” on the books while it costs a bomb to replace. The insurance company may simply value the assets at book value and deny any compensation.

There is therefore the first hurdle of “Asset identification and Valuation” for the purpose of “Cyber Insurance” on which the industry has to reach a convergence.  Perhaps the Chartered Accountants and the Institute of Chartered Accountants need to think if their asset valuation system needs to be reconsidered.

I would urge the Institute to consider valuation of IT assets on “Replacement Cost”.  Depreciation may be considered as first tier, second tier and third tier. The first tier depreciation would be the writing off of the cost over the estimated useful period of the asset. The second tier depreciation could be the conservative approach where assets are depreciated faster than their useful life as a conservative practice. The third tier depreciation would be the equalization amount which arises due to the revaluation of the asset at replacement cost.

If accountants follow this system of representing the asset value, then analysts can pick up either the replacement value or the book value as they please. Insurance companies may use the replacement cost for evaluating the compensation while share holders and SEBI may look at the lower asset value as a conservative estimation of profits.

Where software assets are developed within the company, there needs to be a valuation process which is today mostly absent. Only service companies who bill their services to their clients have a good system of evaluating their operational costs. Others ignore the internal development cost, which gets debited to the P&L as an expense. There is a need for maintenance of employee work records and assigning them to the valuation of Work in Progress and later to the completed service. If this can be done, there would be greater efficiency in the operation of many IT companies. This is of course the work of a Cost Accountant who can develop a system of valuing the service component, which can be rightly priced for business purposes while at the same time providing the asset value for insurance purposes.

Last item of asset is the “Data”. While the company can value “Data” on the basis of its acquisition cost, during a cyber incident leading to a liability  and insurance claim, what is relevant is not the asset acquisition cost but the loss which the victim has suffered and has claimed from the Company under the legal rights given to him under law.

Dependency on Compliance

This “Liability” estimation depends on the “Legal Compliance” status of the company, such as “Reasonable Security Practice” and “Due Diligence” under ITA 2008, and also on the Privacy Rights granted under the Constitution or other laws. Additionally, the efficiency of our legal system, and whether victims are aware of their rights and make adequate claims, will also influence the losses which the company suffers and expects to be covered by the insurance policy.

Just as Liability insurance has a dependency on ITA 2008 compliance of the insured, the estimation of replacement value of soft assets has a dependency on the DRP and BCP status of the company. If a Company has an excellent DR and lost assets can be recovered in full without much cost, the replacement cost as well as the insurance liability will be reduced.

It is for this reason that the survey discussed the Compliance status in greater detail; the responses will be discussed in subsequent articles.

Declared Value of Assets

Practically, when an Insurance contract is written, the insured and the insurer have to identify the value of assets since it determines not only the liability but also the premium. The general practice is for the proposer to seek insurance based on the details furnished in the proposal form which will include the value of the assets to be insured. The insurer looks at the value and determines the premium.

Now it is possible that, if the insured and the insurer are not on the same level of understanding, the contract may be vitiated by declarations made by the proposer, which always works to the advantage of the insurer.

The insurance contract is considered a “Uberrimae Fidei” contract or a “Contract of utmost good faith”, and in such a contract the entire responsibility to make truthful declarations lies on the proposer. The insurance company can accept the declarations in good faith and later rescind the contract when a claim is made, on the grounds that the proposer was aware of some adverse aspects which he did not declare at the time of insurance.

The easily understandable example is when we take a health insurance policy and fail to disclose pre-existing diseases. While the insurer can accept the proposal and charge a premium based on the declaration, if a claim arises the insurance company goes into investigation mode, finds that there was a pre-existing condition of the insured which would have altered the premium and risk, and since it was not disclosed, the entire contract is declared invalid and the claim denied.

A similar situation may arise in Cyber Insurance if the insured fails to declare earlier security incidents, weaknesses in its DR/BCP or other IS related issues. “Hiding the truth” is therefore not a good strategy at the time of insurance, and this is a challenge for professionals, since they might have hidden the truth even from their own management in the past. Hence a strong “Security Incident Management” policy and its implementation are essential to write a robust insurance contract.

Another factor which the insured should remember is that in the event the valuation of assets at the time of insurance is lower than at the time of the insurance claim (when a re-assessment is made as a general practice), it may be considered an event of “Under insurance” and the insurance company may decline to pay the full loss, treating the shortfall as “Self Insurance”.

Hence it is important for the insured and the insurer to agree upon a proper valuation system so that there will be no claim of “Under Insurance” or even “Over valuation”, even though there may be a natural appreciation or depreciation of the value for different reasons.

Need for Well Structured Policies

These complications are one of the reasons why perhaps 72% of the respondents to our study felt that they may consider Cyber Insurance if a suitable product at suitable price is available.

This also indicates what an insurance company needs to do, now that it knows that 92% of the respondents are potential customers who may consider such products.

If all the complications of asset valuation etc. cannot be sorted out to mutual satisfaction, insurance companies will offer coverage with certain sub-limits for different types of losses. Though this may not be a perfect solution for the insured, it represents a way forward for further refinement of the product.

(……Discussions To continue)


Earlier Article in the series:

The mystery land of Cyber Insurance-1: Overcome the “All is Well syndrome”


Has RBI Permitted Social Media Banking?.. What about audit of Mobile Apps?

We have been following the discussions on how the Unified Payments Interface introduced by RBI has created one big security risk, where the telecom links have been provided direct access to the banking transaction server through execution of USSD codes.

Though the authorities claim to have adequate security, customers are yet to be convinced whether RBI and the Banks are telling the truth.

Does it mean that Banks and RBI can lie?

I would like consumers to make their own conclusions from the following RTI exchange between one Mr Sisirkumar and RBI.

(P.S.: Though this RTI pertains to ICICI Bank, the issues are expected to apply to other Banks also.)

Mr Sisirkumar of Vijayawada made a simple RTI Query to RBI raising the following questions.

  1. Details on the decision taken by RBI to let Banks use social media and mobile applications, and how RBI arrived at the decision that this does not violate the privacy of customers or their data.
  2. Details on specific documents related to the approval given by RBI to ICICI Bank Limited for creation of the following accounts.
  3. Details of the decision taken to permit ICICI Bank to do social media banking.
  4. Copy of RBI guidelines on how online presence can be conveyed to customers.
  5. A copy of the results of the security and privacy audits conducted by RBI.
  6. Details of the official RBI accounts on social media, the relevant act as per which they have been created, and their purpose.

RBI has replied to the above RTI as follows:

Reply for query 1:

” Department of Payment and Settlement Systems, Reserve Bank of India (DPSS, RBI) has not issued specific instructions to Banks on areas raised in the query. However, Banks have been advised vide our circular on mobile banking which is available on the website of RBI at link:

Para 2(ii) of Annexure I advises that social media can also be used by the Banks to build awareness and encourage customers to register on mobile Banking as one of the measures of customer awareness programs”

Reply for query 2:

“DPSS, RBI has not issued any such approvals to ICICI Bank Ltd”

Reply for query 3:

“No Specific instruction has been issued to ICICI Bank”

Reply to query 4:

“DPSS has not issued any instructions in this matter”

Reply to query 5:

“DPSS has no information in this matter…. Your query has been forwarded to provide information if available..”

Reply to query 6:

“DPSS, RBI has no information in this matter….Your query has been forwarded to CPIO…”

Subsequently regarding query 6, M.Nandakumar, CPIO replied on January 12, 2016 stating :

“We have no information”

Another reply dated January 11, 2016, signed by Ms Alpana Killawala, CPIO, stated for the same query:

“From April 13, 2015, the Reserve Bank of India has a presence on two social media sites, namely YouTube and Twitter. It is an initiative taken by the Reserve Bank for enhanced outreach and real time engagement with the public, in addition to engaging with them through traditional media.

Purpose: For wider dissemination of information about RBI policies, rules and regulations”.

On query 5, in a reply dated January 15, 2016, Subhash Chandra Mishra, another CPIO, replied:

“No Security or Privacy audits of mobile applications of banks are done by us. However, the level of adherence to extant guidelines issued by RBI are examined during the course of annual inspection of banks.”

From the above it is clear that DPSS, which issues guidelines on the use of technology, is not even aware of the need for security and privacy audits, and the CPIOs are completely confused about the state of affairs.

The replies confirm that RBI has not even considered security and privacy audits of mobile apps, and has not recognized the security risks associated with the use of Twitter and Facebook for conducting banking transactions such as balance enquiry and transfer of funds. Perhaps they are not even aware that some banks are using Twitter handles to interact with the banking servers and execute fund transfer requests.

As an ex-banker with a lot of respect for RBI (by tradition), it is a big surprise for me to note the level of incompetence at the RBI.

This in fact corroborates some of my earlier concerns that I expressed in respect of use of USSD codes for Banking transactions by NPCI.

I await reactions from banking security experts to what we have indicated here, particularly to the fact that the mobile apps have not been audited by RBI.

Under the earlier guidelines, IDRBT was supposed to clear any banking related applications. Obviously this guideline is being flouted by Banks, and RBI has not taken any corrective action.



Cyber Anarchy Unleashed… says S.N.Ravichandran commenting on striking down of Section 66A

Mr S.N.Ravichandran, a member of the Cyber Society of India who has extensive experience of working with Cyber Crime victims as well as Law Enforcement Officials in Coimbatore, has sent the following views about the recent Supreme Court decision in the Shreya Singhal Vs Union of India case.

The views of Mr Ravichandran are corroborated by today’s TOI report where a policeman posted obscene information (Refer article: Cop misreads 66A relief, posts porn clips on WhatsApp group with DIG, SSPs in it). Yet another report says “After SC scrapped 66 A, Sec 67 lands an IT prof in prison“.

Experts continue to have differing views. Most of the experts who have experience in working with Cyber Crime cases are not entirely happy with the decision, while the human rights activists are in the forefront of hailing it. Most of the prominent persons are however moderate in their expression, since they do not want to be seen as criticizing the highest court of the land. Mr Pavan Duggal therefore concludes “Legislative language must ensure balance between curbing rights and protecting them“.

What we have been repeatedly saying is that the striking down of the section was done without appreciating that the section had nothing to do with the attacks on free speech indulged in by the Police. Such abuses will continue with or without Section 66A and with or without ITA 2000. The mere possibility of abuse should not be the ground for removing a section, because a logical extension of this principle would remove more than half of our laws. Mr Ravichandran’s observations are on similar lines, and he presents his case with conviction and in detail.




Cyber Anarchy Unleashed Courtesy The Supreme Court of India

The strength or infirmity of a judgment sometimes depends on a single fact presented properly or improperly, appreciated wholly or partially and conclusions drawn from the presentation. If facts presented are viewed by a mind clouded by preconceived notions and/or is driven by the cacophony of noise made by vested interests then that judgment is bound to be flawed. The judgment given by the Supreme Court on Section 66A falls in such a category.

This probably is one of the few cases where the petitioner has presented facts arising out of misconception and presumption, the respondents have responded without conviction and with ignorance of the subject, and the judgment has been delivered without applying one’s mind. My objections after reading the judgment arise from the following points.

The judgment starts at para 20:

  1. With these prefatory remarks, we will now go to the other aspects of the challenge made in these writ petitions and argued before us. Article 19(1)(a): Section 66A has been challenged on the ground that it casts the net very wide – “all information” that is disseminated over the internet is included within its reach. It will be useful to note that Section 2(v) of Information Technology Act, 2000 defines information as follows:

“2. Definitions.—(1) In this Act, unless the context otherwise requires,—

(v) “Information” includes data, message, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche.”

Two things will be noticed. The first is that the definition is an inclusive one. Second, the definition does not refer to what the content of information can be. In fact, it refers only to the medium through which such information is disseminated. It is clear, therefore, that the petitioners are correct in saying that the public’s right to know is directly affected by Section 66A. Information of all kinds is roped in – such information may have scientific, literary or artistic value, it may refer to current events, it may be obscene or seditious.

That such information may cause annoyance or inconvenience to some is how the offence is made out. It is clear that the right of the people to know – the market place of ideas – which the internet provides to persons of all kinds is what attracts Section 66A. That the information sent has to be annoying, inconvenient, grossly offensive etc., also shows that no distinction is made between mere discussion or advocacy of a particular point of view which may be annoying or inconvenient or grossly offensive to some and incitement by which such words lead to an imminent causal connection with public disorder, security of State etc.

The petitioners are right in saying that Section 66A in creating an offence against persons who use the internet and annoy or cause inconvenience very clearly affects the freedom of speech and expression of the citizenry of India at large in that such speech or expression is directly curbed by the creation of the offence contained in Section 66A.

66-A. Punishment for sending offensive messages through communication service, etc.

—Any person who sends, by means of a computer resource or a communication device,—

………..or to deceive or to mislead the addressee or recipient

The petitioner’s assumption that Section 66A covers “all information disseminated on the net” is completely wrong.

The Section only talks of “any information”. It talks only of particular information sent by a person to a recipient. The information between the sender and the recipient alone is the subject of the section. Again, only that information between the sender and the recipient which is qualified by the adjectives “offensive, menacing etc.” is sought to be punished. Further, the Section does not envisage the sensitivity of a third person, not involved in the correspondence, taking umbrage at the tone of the information. It is the recipient who must be affected by such messages.

Section 66 A restricts itself only to that information which is objected to by the recipient. Section 66 A further qualifies the above statement by saying that the recipient must be affected by such messages.

Section 66 A also lays down the condition that the information so sent must be false for cognizance to be taken.

It goes further to tell that the recipient must have received the messages “persistently”.

It also mentions that the sender must have done it anonymously.

It is surprising that a simple reading of the Section, which would have lent clarity to the subject, was not done by the petitioner, the respondent and/or by their Lordships.

Section 66 A does not, by any stretch of imagination, encompass the net and all the information posted on it as wrongly claimed by the petitioner. It concerns only with messages between a person and a recipient who could be another person or group of persons.

The definition of information as given in the Act is an inclusive one. That it is restricted to cyber space as far as this act goes only proves that considerable thought has gone into the formulation. The Act concerns itself only with crimes committed in Cyber space or with/or on computers, computer resources etc. It does not concern itself with information or crimes committed outside this realm.

It is inconceivable how the Hon’ble Judge presumed that the Section  covered “all the information” on the entire net, when the wording of the Section 66 A itself points out that it is restricted to only those computer, computer resources etc through which the information travels from one person to another. While the net is a medium through which the information travels from one person to another  Section 66 A restricts itself to only that portion of the net or cyber equipment or Cyber space which has been used by sender to send the message.

It does not talk of, imply or cover other parts of cyber space or equipment through which, or on which, information is posted by other persons on different parts of the net for public consumption or private conversations. No restrictions are envisaged or can be seen to be covered by this section regarding posting, uploading, sharing or communicating information other than what has been stated above.

The petition has erred by claiming that all information posted on the net falls in the ambit of this section. The respondent has erred by not refuting this argument and instead requesting the Court to reframe the Section and the Court has erroneously assumed that the petitioner and the respondent are aware of what they are debating about and has passed a judgment without going through the Section and considering the ramification of the sweeping observation made. Ignorance has been compounded by lack of conviction and given legal sanctity by the strings of ill considered and thoughtless observation.

His Lordship has leapt from defining information to the presumption that the Section concerns only with the medium of transmission. From this understanding a conclusion that the petitioner is correct in her contention that the public’s right to information has been affected has been arrived at. How such a wild and presumptuous conclusion is arrived at is not explained.

Section 66 A talks specifically of information in the form of messages exchanged between a person as a sender and a recipient through the medium of cyberspace. Where does the public come into the picture? How is the right of the public to information affected? Is it the Lordship’s contention that the public has a right to the information shared between two individuals or two private parties?

Having said this, one cannot but conclude that the basic premise of the petition is flawed. It therefore necessarily follows that the conclusion reached on this premise would be wrong. Section 66 A and the offences specified under it do not violate any provision of Section 19(1) on the citizen’s Right to Freedom and Expression. From this conclusion it follows that any discussion on Section 19(2) is unnecessary, irrelevant, immaterial and infructuous. The judgment is required to be set aside on this ground alone.

  1. This decision lays down the test that has to be formulated in all these cases. We have to ask ourselves the question: does a particular act lead to disturbance of the current life of the community or does it merely affect an individual leaving the tranquility of society undisturbed? Going by this test, it is clear that Section 66A is intended to punish any person who uses the internet to disseminate any information that falls within the sub-clauses of Section 66A. It will be immediately noticed that the recipient of the written word that is sent by the person who is accused of the offence is not of any importance so far as this Section is concerned. (Save and except where under sub-clause (c) the addressee or recipient is deceived or misled about the origin of a particular message.) It is clear, therefore, that the information that is disseminated may be to one individual or several individuals. The Section makes no distinction between mass dissemination and dissemination to one person. Further, the Section does not require that such message should have a clear tendency to disrupt public order. Such message need not have any potential which could disturb the community at large. The nexus between the message and action that may be taken based on the message is conspicuously absent – there is no ingredient in this offence of inciting anybody to do anything which a reasonable man would then say would have the tendency of being an immediate threat to public safety or tranquility. On all these counts, it is clear that the Section has no proximate relationship to public order whatsoever. The example of a guest at a hotel `annoying’ girls is telling – this Court has held that mere `annoyance’ need not cause disturbance of public order. Under Section 66A, the offence is complete by sending a message for the purpose of causing annoyance, either `persistently’ or otherwise without in any manner impacting public order

Selective reading of Section 66A leads to selective understanding. Selective reading of the Section with a mindset leads to blinkered understanding. Selective and blinkered understanding does not lead to a fair and clear appreciation of the objects and reasons of the subject. The Additional Solicitor General talks of information disseminated on the net and media and publishing at length. All of which have no bearing or relevance to Section 66 A which is about private messages or information exchanged between two or more individuals. Information shared between two or more individuals over e-mail, mobile phones on a one to one basis or on a conference call, or messages sent over any of the social media sites including Twitter is between the sender and the recipient and is not for public consumption. If by reasons of not taking precautions to secure the communications, the information or message is revealed to the public, even then, since the communication is not addressed to the general public, cognizance of any hurt, or annoyance caused to the unintended reader of the message cannot be taken. His Lordship has accepted that the Section has no proximate relationship to public order.

He also mentions that the section does not contain any ingredient in this offence of inciting anybody to do anything which a reasonable man would then say would have the tendency of being an immediate threat to public safety or tranquility. Then the natural conclusion would be that the Section refers to a private relationship or transaction which is of no interest to the public. If that is the case, then how does one conclude that it affects Freedom of Speech and Expression? This observation only confirms that the Section deals with the dispatch of information in the form of a message from one person to one or several persons, and in the event that a recipient finds it distasteful he or she has the right to lodge a complaint and have action initiated against the sender of the message after due investigation.

By declaring this section unconstitutional the Hon’ble Judge has infringed on the fundamental Right of Redressal and the Fundamental Right to Freedom to move, act, speak and express within the boundaries of law which is guaranteed by the Constitution. This judgment has extended protection to a stalker or a bully to send unwanted, obscene, annoying, harassing, offensive and menacing messages to vulnerable individuals and groups of individuals in society. His Lordship has assumed that the Section does not give importance to the recipient’s sensitivity just because the recipient is addressed only in sub-clause (c).

How this conclusion is arrived at is beyond explanation.

That there is a sender and a recipient is implicitly and explicitly indicated in the Section. It has also been observed that the Section does not discriminate between individual dissemination and mass dissemination. While this observation is correct, the moot point is how it affects the constitutionality of the Section. The purpose of the Section is to determine if an offence is committed, and the punishment is specified for it.

An offence is committed irrespective of whether the message has been communicated to a single person or a mass gathering, if the investigation is able to prove that there was an intention on the part of the sender to hurt, annoy, offend or menace the recipient, be he one or several. In para 21 of CA No 749, 750, 751, 752, 764, 765, 766 of 2003, P Nedumaran vs State, the Madras High Court has quoted extensively from the authoritative pronouncement of the Apex Court in the People’s Union for Civil Liberties case, cited supra, in respect of the interpretation of the provisions of Sec.49(6), Sec.49(7) and Sec.21 of POTA; “it will not be necessary for us to examine the nature of the offences in the light of the submissions made before us.”

In so far as the provisions of Sec.21 of POTA are concerned, the Supreme Court holds: “But the petitioners’ apprehension regarding the absence of mens rea in these sections and the possibility of consequent misuse needs our elucidation. It is the cardinal principle of criminal jurisprudence that the mens rea element is necessary to constitute a crime. It is the general rule that a penal statute presupposes the mens rea element. It will be excluded only if the legislature expressly postulates otherwise.” (Emphasis is mine)

Referring to KARTAR SINGH v. STATE OF PUNJAB (1994 (3) SCC 569), the Supreme Court then further goes on to hold:

“Mens rea by necessary implication could be excluded from a statute only where it is absolutely clear that the implementation of the object of the Statute would otherwise be defeated. Here we need to find out whether there are sufficient grounds for inferring that Parliament intended to exclude the general rule regarding the mens rea element.”

The Supreme Court then referred to the decisions in STATE OF MAHARASHTRA v. M.H. GEORGE (AIR 1965 SC 722); NATHULAL v. STATE OF M.P. (AIR 1966 SC 43) and INDER SAIN v. STATE OF PUNJAB (1973 (2) SCC 372) and further observed:

“Offence under section 3(1) of POTA will be constituted only if it is done with an ‘intent’. If Parliament stipulates that the ‘terrorist act’ itself has to be committed with the criminal intention, can it be said that a person who ‘professes’ (as under section 20) or ‘invites support’ or ‘arranges, manages, or assists in arranging or managing a meeting’ or ‘addresses a meeting’ (as under section 21) has committed the offence if he does not have an intention or design to further the activities of any terrorist organization or the commission of terrorist acts? We are clear that it is not.

Therefore, it is obvious that the offence under Section 20 or 21 or 22 needs positive inference that a person has acted with intent of furthering or encouraging terrorist activity or facilitating its commission. In other words, these Sections are limited only to those activities that have the intent of encouraging or furthering or promoting or facilitating the commission of terrorist activities. If these Sections are understood in this way, there cannot be any misuse. With this clarification we uphold the constitutional validity of Sections 20, 21 and 22.”

Mens Rea is an essential component of any offence and it has to be established.

Then the question of the clear and present danger discourse comes up.

  1. Viewed at either by the standpoint of the clear and present danger test or the tendency to create public disorder, Section 66A would not pass muster as it has no element of any tendency to create public disorder which ought to be an essential ingredient of the offence which it creates.

When the test of Clear and Present Danger is applied to public order, Section 66 A would not pass muster. This is natural, because Section 66 A is not about an offence which would create public disorder. The Clear and Present Danger as applied to the individual who receives an offensive or menacing call or message is what the section addresses. I have quoted below, from the same judgment, the extracts from the US Court cases cited, to show how this Section is essential for the protection of an individual from threats:

“Interestingly, the US Courts have gone on to make a further refinement. The State may ban what is called a “true threat”.

“‘True threats’ encompass those statements where the speaker means to communicate a serious expression of an intent to commit an act of unlawful violence to a particular individual or group of individuals.”

 “The speaker need not actually intend to carry out the threat. Rather, a prohibition on true threats protects individuals from the fear of violence and from the disruption that fear engenders, in addition to protecting people from the possibility that the threatened violence will occur. Intimidation in the constitutionally proscribable sense of the word is a type of true threat, where a speaker directs a threat to a person or group of persons with the intent of placing the victim in fear of bodily harm or death.”

See Virginia v. Black (Supra) and Watts v. United States 22 L. Ed. 2d. 664 at 667

While the US Courts have been extensively quoted on the sanctity of Freedom of Speech and its importance to democracy, it is puzzling to note that their recommendation for the State to step in and make laws to protect an individual or a group of individuals from being threatened is ignored. To add insult to injury, the judgment now overturns laws made by the State to protect a citizen’s right to freedom, life and liberty in the guise of protecting his Right to Freedom of Speech and Expression.

The attention of the Court is drawn to two cases of national importance where messages sent over the mobile phone went viral and created panic situation.

In the first instance, in 2008 at the height of the global sub-prime loan crisis when banks were falling all over the world, an SMS from a person stating that “ICICI bank was on the verge of bankruptcy” led to a run on the bank, and it required the RBI to intervene with substantial funds to retrieve the situation.

In the second instance it may be recalled that an SMS message regarding mass targeting of people in the North East led to an exodus of the people from different parts of the country to the North East.

These two instances are sufficient grounds to show that messages do have the propensity to create public disorder or instill fear in the public on a mass scale. If these examples are taken into account, then the argument that 19(2) is not satisfied does not wash. The Section cannot be dismissed as constitutionally invalid. It is surprising that the respondents did not quote these examples.

  1. Equally, Section 66A has no proximate connection with incitement to commit an offence. Firstly, the information disseminated over the internet need not be information which “incites” anybody at all. Written words may be sent that may be purely in the realm of “discussion” or “advocacy” of a “particular point of view”. Further, the mere causing of annoyance, inconvenience, danger etc., or being grossly offensive or having a menacing character are not offences under the Penal Code at all. They may be ingredients of certain offences under the Penal Code but are not offences in themselves. For these reasons, Section 66A has nothing to do with “incitement to an offence”. As Section 66A severely curtails information that may be sent on the internet based on whether it is grossly offensive, annoying, inconvenient, etc. and being unrelated to any of the eight subject matters under Article 19(2) must, therefore, fall foul of Article 19(1)(a), and not being saved under Article 19(2), is declared as unconstitutional.

It is irrational to presume and make sweeping statements that information disseminated over the internet need not be information which “incites” anybody at all. It may be pointed out that in several cases in the US and UK the reason for children committing suicide, or for individuals killing other people or raping women, has been traced to pernicious information on ways and means of committing suicide and killing people, and to pornographic material available on the net, including pedophilic material, threatening messages, bullying messages and defamatory information posted on the net. It is for this reason that Section 67 of the Information Technology Act has been promulgated, to prevent such information from being openly disseminated over the net.

Section 66A addresses such information as would, when communicated to a target, either be a crime in itself (sending inappropriate material to a child) or induce or force a victim to submit to the attacker. It is quite possible that such targeted communications could cause a crime to be committed by the recipient in self-defence against such insidious attempts if no other avenue is left open to him/her for redressal.

This judgment has ensured that. Is it the Court’s contention that only a violent reaction from a harassed victim will ensure the Court’s intervention to uphold his/her Right to Life and Liberty? Looking at the issue from this point of view, the government has every right to enact laws to prevent any action which would incite violence against an individual or a group of individuals, and not necessarily the public. Under this argument Article 19(2) would definitely apply, and the Section is constitutionally valid.

Attention of the Supreme Court is drawn to the following settled case:-

In A.K. Gopalan v. State of Madras (Supreme Court, May 19, 1950) the Court pointed out that: “Thus the right to freedom of speech and expression is given by 19 (1) (a). But clause (2) provides that such right shall not prevent the operation of a law which relates to libel, slander, defamation, contempt of Court or any matter which offends against decency or morality or which undermines the security of, or tends to overthrow, the State. Clause (2) thus only emphasizes that while the individual citizen has a free right of speech or expression, he cannot be permitted to use the same to the detriment of a similar right in another citizen or to the detriment of the State. Thus, all laws of libel, slander, contempt of Court or laws in respect of matters which offend against decency or morality are reaffirmed to be operative in spite of this individual right of the citizen to freedom of speech and expression.”

I would also like to mention at this point that the Supreme Court has frowned on the practice of quoting foreign judgments at the drop of a hat particularly when our own Court has decided on issues. It would have been in the fitness of things if the case quoted above had been cited as it has a direct bearing on the subject.

What has been said with regard to public order and incitement to an offence equally applies here. Section 66A cannot possibly be said to create an offence which falls within the expression ‘decency’ or ‘morality’ in that what may be grossly offensive or annoying under the Section need not be obscene at all – in fact the word ‘obscene’ is conspicuous by its absence in Section 66A.

What has been said with regard to public order and incitement applies equally here. Section 66A covers offences which fall within the expression of decency or morality, in that they may offend or annoy the recipient of the message. For example, a simple message saying “I love you” sent a thousand times to a married woman by a person who is not her husband falls squarely within this expression. Anonymous calls at unearthly hours made persistently over a period of time could be considered annoying. Calling a senior government official on his official phone and talking inanities is also an offence. Obscenity is not included in Section 66A since it is covered under Section 67.

  1. However, the learned Additional Solicitor General asked us to read into Section 66A each of the subject matters contained in Article 19(2) in order to save the constitutionality of the provision. We are afraid that such an exercise is not possible for the simple reason that when the legislature intended to do so, it provided for some of the subject matters contained in Article 19(2) in Section 69A. We would be doing complete violence to the language of Section 66A if we were to read into it something that was never intended to be read into it. Further, he argued that the statute should be made workable, and the following should be read into Section 66A:

“(i) Information which would appear highly abusive, insulting, pejorative, offensive by reasonable person in general, judged by the standards of an open and just multi-caste, multi-religious, multi racial society;

Director of Public Prosecutions v. Collins (2006) 1 WLR 2223 @ paras 9 and 21

Connolly v. Director of Public Prosecutions reported in [2008] 1 W.L.R. 276/2007 [1] All ER 1012

– House of Lords Select Committee 1st Report of Session 2014-2015 on Communications titled as “Social Media And Criminal Offences” @ pg 260 of compilation of judgments Vol I Part B

(ii) Information which is directed to incite or can produce imminent lawless action Brandenburg v.Ohio 395 U.S. 444 (1969);

(iii) Information which may constitute credible threats of violence to the person or damage;

(iv) Information which stirs the public to anger, invites violent disputes brings about condition of violent unrest and disturbances; Terminiello v. Chicago 337 US 1 (1949)

(v) Information which advocates or teaches the duty, necessity or propriety of violence as a means of accomplishing political, social or religious reform and/or justifies commissioning of violent acts with an intent to exemplify or glorify such violent means to accomplish political, social, economical or religious reforms [Whitney vs. California 274 US 357];

(vi) Information which contains fighting or abusive material;

Chaplinsky v. New Hampshire, 315 U.S. 568 (1942)

(vii) Information which promotes hate speech i.e.

(a) Information which propagates hatred towards an individual or a group, on the basis of race, religion, casteism, ethnicity,

(b) Information which is intended to show the supremacy of one particular religion/race/caste by making disparaging, abusive and/or highly inflammatory remarks against religion/race/caste.

(c) Information depicting religious deities, holy persons, holy symbols, holy books which are created to insult or to show contempt or lack of reverence for such religious deities, holy persons, holy symbols, holy books or towards something which is considered sacred or inviolable.

(viii) Satirical or iconoclastic cartoon and caricature which fails the test laid down in Hustler Magazine, Inc. v. Falwell 485 U.S. 46 (1988)

(ix) Information which glorifies terrorism and use of drugs;

(x) Information which infringes right of privacy of the others and includes acts of cyber bullying, harassment or stalking.

(xi) Information which is obscene and has the tendency to arouse feeling or revealing an overt sexual desire and should be suggestive of depraved mind and designed to excite sexual passion in persons who are likely to see it. Aveek Sarkar and Anr. vs. State of West Bengal and Ors. (2014) 4 SCC 257.

(xii) Context and background test of obscenity. Information which is posted in such a context or background which has a consequential effect of outraging the modesty of the pictured individual.

Aveek Sarkar and Anr. vs. State of West Bengal and Ors. (2014) 4 SCC 257.”

  1. What the learned Additional Solicitor General is asking us to do is not to read down Section 66A – he is asking for a wholesale substitution of the provision which is obviously not possible.

The learned Additional Solicitor General has erroneously asked the Court to read into Section 66A matters which do not fall within its ambit. Having said that, it may be pointed out that the following points (i, ii, iii, vii (a, b and c) and x) are part of Section 66A. While the Court has rightfully declined to read down the Section, it need not have jettisoned the entire Section, since the purpose of Section 66A is to define such offences and make them punishable.

  1. These two cases illustrate how judicially trained minds would find a person guilty or not guilty depending upon the Judge’s notion of what is “grossly offensive” or “menacing”. In Collins’ case, both the Leicestershire Justices and two Judges of the Queen’s Bench would have acquitted Collins whereas the House of Lords convicted him. Similarly, in the Chambers case, the Crown Court would have convicted Chambers whereas the Queen’s Bench acquitted him. If judicially trained minds can come to diametrically opposite conclusions on the same set of facts it is obvious that expressions such as “grossly offensive” or “menacing” are so vague that there is no manageable standard by which a person can be said to have committed an offence or not to have committed an offence. Quite obviously, a prospective offender of Section 66A and the authorities who are to enforce Section 66A have absolutely no manageable standard by which to book a person for an offence under Section 66A. This being the case, having regard also to the two English precedents cited by the learned Additional Solicitor General, it is clear that Section 66A is unconstitutionally vague.

A complete reading of the above two cases would have shown the Court the conclusion that the Queen’s Bench arrived at.

In DPP v Collins [2006] 1 WLR 2223 Lord Bingham said:

“Section 127(1)(a) does of course interfere with a person’s right to freedom of expression. But it is a restriction clearly prescribed by statute. It is directed to a legitimate objective, preventing the use of a public electronic communications network for attacking the reputations and rights of others. It goes no further than is necessary in a democratic society to achieve that end.”

He therefore concluded that section 127(1), in itself, did not infringe Article 10 of the European Convention on Human Rights.

The European Convention on Human Rights and the United Nations Convention on Human Rights provide for reasonable restrictions to be placed on the fundamental rights of freedom of speech and expression.

In Connolly v DPP (QBD, 20 February 2007) the court observed that:

“A person who sends an indecent or grossly offensive communication for a political or educational purpose will not be guilty of the offence unless it is proved that his purpose was also to cause distress or anxiety. In other words, the nature of the communication may shed light on the defendant’s mens rea. But I do not see how the fact that a communication is political or educational in nature can have any bearing on whether it is indecent or grossly offensive”.

 And further ” the words “grossly offensive” and “indecent” are ordinary English words. They are not used in a special sense in section 1 of the 1988 Act”

In the same case Lord Dyson observed:

What about “for the protection of the rights of others”? Little case-law was cited to us as to what this phrase means. In Chassagnou v France (1999) 29 EHRR 615, 687 para 113, the ECtHR said that the “rights of others” included, but were not restricted to, the Convention rights of others. They said: “It is a different matter where restrictions are imposed on a right or freedom guaranteed by the Convention in order to protect “rights and freedoms” not, as such, enunciated therein. In such a case only indisputable imperatives can justify interference with enjoyment of a Convention right”.

In Jersild v Denmark (1994) 19 EHRR 1, the ECtHR held that there had been a violation of article 10 when three youths were prosecuted for taking part in a television programme about racism in Denmark. The youths made racist remarks during the course of their television interview. The ECtHR found that the programme was not made for the purpose of propagating racist views. The court acknowledged that the remarks would have been “more than insulting to the targeted groups” (para 35) and was clearly of the view that the prosecution by the Danish authorities was aimed at the protection of the “rights of others” ie the victims of racist remarks. The prosecution was to further this legitimate aim.

But the court concluded that it was not necessary in a democratic society. This can be seen clearly at para 37: “Having regard to the foregoing, the reasons adduced in support of the applicant’s conviction and sentence were not sufficient to establish convincingly that the interference thereby occasioned with the enjoyment of his right to freedom of expression was “necessary in a democratic society”; in particular the means employed were disproportionate to the aim of protecting “the reputation or rights of others”. Accordingly the measures give rise to a breach of Article 10 of the Convention”.

The protection of the right not to be insulted by racist remarks was a legitimate aim within article 10(2). It was a “right of others” which, by implication, must have been considered to be an “indisputable imperative” (to use the language of Chassagnou).

If “grossly offensive” and “menacing” are ordinary English words, then the meaning given to these words must be taken literally. The words can be considered offensive or menacing only if the sender’s purpose was to cause distress or anxiety in the recipient. The message should be malicious in intent. The words of the message should throw light on the reason for the communication. It is for the investigation and the judge to establish the intent of the sender of the message.

The Court has stated that judicially trained minds cannot come to an agreement on what is offensive and what is menacing, and that it is subject to the predilection of the judge. It is precisely for this reason that cases go on appeal from the magistrate to the sessions court to the High Court and finally to the Supreme Court. The belief is that the higher the Court, the greater the experience of the Judge and the more balanced the judgment. Now how fair is it to throw out a law just because two judges do not agree on a common interpretation? If this is the raison d’être for throwing out Section 66A, then most existing laws will also have to be thrown out, because differing interpretations have been given at different times by different Judges in the same Court.

Words like annoyance, offensive, menacing etc. are not vague terms. They have specific meanings, as given in the judgment itself. While the meanings are well defined, the problem lies in establishing the degree of hurt or annoyance or fear or offence that a person feels on receiving such a communication. This will vary from human to human depending on gender, age, culture, customs, geography, education, sensitivity etc. It is for this particular reason that these words have not been defined to the point of certainty. It is not possible or desirable to design a one-size-fits-all shoe. Words which are subjective in nature cannot be legislated upon. It is left to the Court to decide the depth of offence caused and decide accordingly. In that process, if judges differ then so be it. The decision of the highest body will prevail. Dismissing Section 66A on these grounds is not the solution.

The same sense has been communicated in Criminal Appeal No. 913 of 2010, S. Khushboo v. Kanniammal & Another (Supreme Court, judgment dated 28 April 2010), filed under Sections 499, 500 and 505. This judgment highlights the fact that for a charge of defamation to apply, the complainant must prove that the elements of mens rea and actus reus are present and that the remarks were directed against a specific individual, company, association or body of people.

These observations can also be extended to the interpretation of Section 66A and it provides the necessary protection to any person sending information or message over a computer system or a computer enabled communication system. The Section when read along with the above judgment gives protection to the freedom of speech guaranteed by the Constitution.

  1. These two Constitution Bench decisions bind us and would apply directly on Section 66A. We, therefore, hold that the Section is unconstitutional also on the ground that it takes within its sweep protected speech and speech that is innocent in nature and is liable therefore to be used in such a way as to have a chilling effect on free speech and would, therefore, have to be struck down on the ground of over breadth.

As already stated earlier, Section 66A does not cover all the information posted or communicated over the net. It is restricted to only that portion of information which a recipient may find hurtful or annoying or offensive or menacing. Extending the Section to information over and beyond its purpose, labelling it as sweeping and overly broad, and then holding it unconstitutional is akin to giving a dog a bad name and hanging it for that name.

  1. In this case, it is the converse proposition which would really apply if the learned Additional Solicitor General’s argument is to be accepted. If Section 66A is otherwise invalid, it cannot be saved by an assurance from the learned Additional Solicitor General that it will be administered in a reasonable manner. Governments may come and Governments may go but Section 66A goes on forever. An assurance from the present Government even if carried out faithfully would not bind any successor Government. It must, therefore, be held that Section 66A must be judged on its own merits without any reference to how well it may be administered.

Section 66A is not an invalid proposition in any manner. The learned Additional Solicitor General’s assurance to prevent the abuse of the law is a direct consequence of the petitioner’s request to repeal the Section on the ground that it was abused. The assurance is not a reflection on the validity of the Section. Governments may come and Governments may go, but it is the interpretation of the Section by the Supreme Court which will stand until such time as the findings are overturned at a later date, when another set of Justices view the Section from a different perspective and under different circumstances. Change is part of human existence.

The requirement for the law was felt and Section 66A was introduced. Yes, the Section has been abused in about six incidents. It must be pointed out that in all six incidents the Supreme Court has come to the rescue of the victims, which is as it should be. In all six incidents the role of the lower judiciary is also to be highlighted. A reasonable solution that could have been suggested was to have the lower judiciary educated on the law. If the lower judiciary is not able to appreciate the law, then the judge has to be changed, not the law. More stringent punishment can be prescribed for misuse of the law. Throwing out the law on specious grounds is not a solution.

  1. The argument of the learned Additional Solicitor General on this score is reproduced by us verbatim from one of his written submissions:

“Furthermore it is respectfully submitted that in the event of Hon’ble Court not being satisfied about the constitutional validity of either any expression or a part of the provision, the Doctrine of Severability as enshrined under Article 13 may be resorted to.”

It is unfortunate that the learned Additional Solicitor General, instead of mounting a robust defence of the Section, has himself suggested that the constitutional validity of any expression could be treated under the Doctrine of Severability by the Supreme Court. This suggestion could only have arisen from a lack of conviction on his part in the Section. Lack of confidence in one’s own position is half the battle lost even before entering the battlefield. As far as victims are concerned, the Additional Solicitor General has rendered them a signal disservice.

  1. The present being a case of an Article 19(1)(a) violation, Romesh Thappar’s judgment would apply on all fours. In an Article 19(1)(g) challenge, there is no question of a law being applied for purposes not sanctioned by the Constitution for the simple reason that the eight subject matters of Article 19(2) are conspicuous by their absence in Article 19(6) which only speaks of reasonable restrictions in the interests of the general public. The present is a case where, as has been held above, Section 66A does not fall within any of the subject matters contained in Article 19(2) and the possibility of its being applied for purposes outside those subject matters is clear. We therefore hold that no part of Section 66A is severable and the provision as a whole must be declared unconstitutional.

It has been explained in the above paragraphs why Section 66A cannot be declared unconstitutional. If these arguments are accepted, then it follows that the above observation by the Hon’ble Supreme Court is also in error. Section 66A falls squarely within the subject matter of Articles 19(2) and 19(6), since public morality, public order and the Right to Life and Liberty are addressed in this Section. Section 66A must be declared constitutional.

Paras 99 to 101 make observations on the procedural infirmity of the Section. Extensive references have been made to the procedures for media and defamation and for causing enmity between different religions. Section 66A deals only with messages and communications between individuals and groups of individuals on a one-to-one basis. It does not deal with information addressed to the public at large. Therefore citing sections from the Cr.P.C. and applying them to Section 66A is not relevant or material. The Supreme Court could have observed accordingly. Para 111 of the same judgment contradicts the position taken in these paragraphs.

All the arguments cited above apply equally to Section 118(d) of the Kerala Police Act, 2011.

I rest my case.


Coimbatore 641 043
