Was Gurmeher Kaur guilty of “Trolling”?

For the last week or so, there has been intense debate on social media and TV about the Gurmeher Kaur incident, where the 20 year old student of Delhi University kicked off a controversy by posting a YouTube video in which she said “Pakistan did not kill my father, War did”.

Gurmeher’s father was a Kargil martyr and her statement incensed many who felt that she was trying to absolve Pakistan of the responsibility for the Kargil war.

When those who opposed her view posted their comments including one from Virendra Sehwag saying “I did not score two triple centuries. My Bat did”, the media started hounding Sehwag and others accusing that they were unfairly trolling Gurmeher, the poor 20 year old Girl and Student who had a “Right of Free Expression” under our respected Constitution with which all these “Liberals” swear. The people who opposed Gurmeher were accused of “Trolling” .

It is therefore necessary for Cyber Watchers to debate what constitutes “Trolling” and whether it should be considered as an “Offence” and if so under which law? etc.

As a disclaimer, I would like to say that I do not support the threats on this “20 year old girl student”, a description which was repeatedly stressed by Burkhadatt. I however consider that she was acting at the behest of political interests represented by RG and AK to raise a controversy in the light of the ongoing UP elections and to inconvenience BJP. She therefore deserves to be considered as a “political activist” and not a “Student”. Her age and gender are immaterial for holding her a motivated political worker.

First of all, I am seriously opposed to the student politics of all kinds and our educational institutions should be free of elections and political affiliations of all kinds. Students should focus on education and those who remain students eternally and keep creating problems whether in JNU or Ramjas or Film Institute-Pune or Jadhav University, must be kicked out of the educational institutions. They are free to join political parties and continue their disruptive work but not pose as if they are “Students” and claim respect and sympathy.

Those who support Gurmeher would like to consider that the “Trolls” have tried to curb the “Freedom of Expression” of Gurmeher and forced her to shut up and retreat from the “Campaign” she was in.  If Section 66A of ITA 2008 was present, perhaps we could have seen cases being filed (or tried to be filed by Congress and AAP) on Sehwag and others for harassing the young Girl student. Probably if a proper advocate who can influence the Judges by their powerful arguments as they did in the Shreya Singhal case is engaged, they may get the honourable Supreme Court to declare that “Trolling” is an offence and Sehwag and others like him should be immediately arrested for having violated the  Constitution of India.

In this connection, I would like to draw the attention of this community to the definition of what constitutes “Trolling”.

According to the Wikipedia,

Internet Troll means

“In Internet slang, a troll (/ˈtroʊl/, /ˈtrɒl/) is a person who sows discord on the Internet by starting arguments or upsetting people, by posting inflammatory, extraneous, or off-topic messages in an online community (such as a newsgroup, forum, chat room, or blog) with the intent of provoking readers into an emotional response or of otherwise disrupting normal, on-topic discussion, often for the troll’s amusement”

This definition seems to fit Gurmeher’s post more appropriately than, say, Sehwag’s post. Hence she would be considered guilty of “Trolling”.

So if “Trolling” is to be punished, the first person to be convicted would be Gurmeher herself and hence her supporters should be wary of going to the Court seeking a remedy for trolling.



“Aggregator” defined in Motor Vehicles Act..ITA 2000/8 compliance mandated

The Motor Vehicles Amendment Bill 2016 which seeks to bring in many changes to the current Motor Vehicles Act has been approved by the Cabinet according to a report. (Refer here) The Bill is yet to be passed into an Act.

The Bill has caught attention of the public from several angles. One aspect that has been making rounds in the WhatsApp circles is the proposed increase in the penalties for traffic violations.

The second important aspect is the protection to good Samaritans proposed in the Bill so that accident victims may get immediate medical attention.

The third noticeable aspect is an attempt to define an “aggregator” like the Olas and Ubers.

According to the proposed section 2 (1A), “an ‘aggregator’ means a digital intermediary or market place for a passenger to connect with a driver for the purpose of transportation”.

There will be a need for the “aggregator” to get a license under Section 93 of the Act for which guidelines are to be issued by the Central Government. It is also specifically mentioned that the aggregator shall comply with the provisions of the Information Technology Act 2000 and the rules and regulations made there under.

The penalty clause under Section 193 proposes as follows:

“Whoever engages himself as an aggregator in contravention of the provisions of section 93 or of any rules made thereunder shall be punishable with fine up to one lakh rupees but shall not be less than twenty-five thousand rupees.”

“Whoever, while operating as an aggregator contravenes a condition of the licence granted under sub-section (4) of section 93, not designated by the State Government as a material condition, shall be punishable with fine of five thousand rupees.”

According to these provisions, it would be mandatory for the Aggregators to be compliant with ITA 2000/8, failing which they face the possibility of a fine of up to Rs 1 lakh. This will be considered as additional to the penalties that may be imposed under ITA 2000/8 which will kick in when a wrongful harm has been caused by an “intermediary”.

It would be interesting to see how this section will be interpreted in practice.

Let’s watch the developments when the Bill is discussed in the Parliament. It is quite likely that the debate will completely ignore the impact of ITA 2000/8 though for us this is an important aspect to be taken note of.

It is also proposed that a “National Driving License Register” would be maintained (should be available in electronic form) and certain changes like change of address etc. can be made electronically.

Also the State Government has been mandated to introduce electronic monitoring of enforcement (legitimizing the use of CCTVs, Speed Guns, body wearable cameras etc for booking offences) for which State Governments need to make rules.

The Central Government and the State Governments can also make rules for  the use of electronic forms and means for the filing of documents, issue or grant of licence, permit, sanction, approval or endorsements and the receipt or payment of money.


Reference documents

Copy of the Amendment Bill

Copy of the present Act



“Theory of Secure Technology Adoption”… what it is..

[P.S: This post is meant for the Academicians and discusses certain theoretical concepts. Professionals in the Information Security domain may seriously dispute some of the concepts and it is considered perfectly logical and welcome.]

Naavi is a techno legal professional and has been a thought leader in the field of Cyber Laws in India. Many of the innovative thoughts of Naavi have been expressed through this website and have found practical uses in the form of services.

As an academic practitioner, Naavi has applied his Technical, Legal and Behavioural Science training and education to the field of Information Security to develop his own version of Total Information Assurance (TIA) built on the pyramid model of hierarchy of TIA objectives from Availability to Non Repudiation through different stages of Integrity, Confidentiality, and accountability.


Naavi has adopted a model which differs from the traditional model with “Availability” as the foundation while traditional thinking of “Security” places “Confidentiality” as the focus and no hierarchical stacking of objectives. The reasons for the deviation are explained elsewhere and it suffices to say that it is based on the practical implementation thinking process of a business manager and stems from the basic premise that “Information Security is for the protection of the Information Owner” more than “Protection of the Information” and hence decisions are to be guided primarily from the business owner’s perspective and not the perspective of the Information Security professional if the two functions can be distinguished.

Similarly, Naavi propounded the “Theory of Information Security Motivation” based on the “Pentagon model” where he tried to explain the process of how Information Security implementation in an organization can be motivated for implementation by the practitioners. This adopted a closed wall integrated approach concept instead of the hierarchical concept under the premise that all 5 elements of IS motivation need to close in like walls to be effective.

The essence of the theory was that IS implementation cannot be motivated until the five elements of Awareness, Acceptance, Availability, Mandate and Inspiration formed a closed boundary plugging the possible leaks. This included the three dimensions of technology (availability and awareness), Law (Mandate and awareness) and Behavioural Science (Acceptance, Inspiration and Mandate).

Now, in the “Theory of Secure Technology Adoption”, Naavi is focussing on studying and presenting how, in his view, technology is adopted by people and organizations and what the role of security is in such technology adoption.

Obviously there could be many other studies of a similar nature which have thrown up different dimensions of this thought. This is yet another contribution to the academic pool of thought.

I will present some brief thoughts about the theory in subsequent posts and expect others to build on it and develop it with the central thought that “Secure Technology Adoption” has a pattern which we try to understand so that in future product/service developers would take note of why certain technologies get easily adopted and certain technologies get adopted after a lapse of time and certain technologies are shunned by the market.

In developing my thoughts on this subject I would be influenced by what I have read, studied, taught and experienced over time and hence reflect some thoughts of the great thinkers of the past. Such coincidences are incidental and not intentional.



WhatsApp camera bug could lead to misleading digital evidence

WhatsApp has become a powerful communication app which is used by many to also take photographs which are immediately sent out to groups or contacts at minimum effort. No doubt this is a great feature and very useful for the users.

However, I observe that there is a practical issue connected with the camera function which could render it an instrument of “Manipulation of Digital Evidence”.

If one uses the WhatsApp camera button and clicks a photograph with the front camera, then the image is stored with a lateral inversion. An example is shown below.

The problem occurs when a person takes an action picture such as one writing a letter with his right hand. The picture may show that the person is writing with his left hand.  At first glance therefore the person would appear to be a leftie. This could vitiate immediate evidentiary value of the photograph and adds a new dimension to accepting such photographs as digital evidence.

This is a technical bug which should be corrected by WhatsApp by introducing an automated operation to recognize that a picture is being taken with the front  camera and immediately make a lateral inversion of the picture before it is stored in the application and forwarded to the addressee.



Principle of Secure Technology Adoption..creating a secure ecosystem for Cyber transactions

Ever since the demonetization, the pace of technology adoption  in India by common people particularly for financial transactions, is on the increase. The UPI system supported by the multi banking platform such as the BHIM has brought digital payments within the reach of every common person holding a mobile. JIO now has announced that it will be releasing LTE enabled feature phones at Rs 999/- and along with its data offers, will further ensure that the mobile penetration will reach deeper and deeper into the lower strata of our society.

It is a matter of pride that India is progressing in the use of digital communication and adopting it even for E Governance, E Commerce and E Banking.

But sometimes I feel as if it is a kind of joy which a parent feels when their young child who has just learnt to ride a cycle wants to go out into the streets on his cycle. It is a joy to recognize that the child has grown up but it is a joy that is peppered with a concern on what risks the child would face on the streets. Some parents would be so overwhelmed by the concern that they would never allow the child the permission to go out. But some may try to facilitate the child to go out on the streets and also try to manage the risks that may arise in the process.

A wise parent is neither paranoid about the risks nor ignores them. He/she may advise the child about the risks to the extent necessary but not to the extent of scaring him/her off of his/her enthusiasm to go out cycling on the streets.

Cyber Security professionals today are in this dilemma….

….Should we support and encourage the Government and the people to go ahead and adopt technology? ..ignoring the risks?.. or

……Should we put our foot down and block the technology adoption?.

May be we should also consider the third option…

…….Should we act like a wise parent who takes such steps as to enable “Safe Cycling on the Streets for the Newbie”?

Naavi.org has been confronted with these difficult choices from time to time in its quest for “Building a Responsible Cyber Society” which is the motto with which the undersigned embarked on his journey into spreading the message of Cyber Law around 1999 using the internet as the media.

At times we have been highly critical about the unplanned developments that are pushed through by commercial interests and even blamed the Government agencies and RBI for their inability to moderate the introduction of technology. But more often we have always ended with the thought that technology is welcome but its adverse impact needs to be recognized and citizens need to be protected. It is under this thought that we have always focussed on “Cyber Law Compliance” on the one hand and “Cyber Insurance” on the other hand.

The next wave of cyber security risk would be unleashed with the Aadhaar Enabled Payment Systems which on the face of it looks incredibly attractive but at the same time opens up a huge level of risks for the user as well as the intermediary organizations.

In the light of this development, we would like to flag the possibility of Cyber Fraud risks that may arise from the “Stored Biometric Replay Attack” that can be used to authorize fraudulent payments which could put the public in a direct war path with the authorities particularly the Banks and RBI.

UIDAI has protected itself through legislation to avoid liabilities but the intermediary Banks will be exposed to the risks of vicarious liability under ITA 2008 and the limited liability principles under the RBI guidelines.

The Banks are of course trying to persuade RBI not to confirm the “Limited Liability Principle” (Check RBI Circular of August 11, 2016). If RBI yields and Prime Minister Mr Modi and Finance Minister Mr Arun Jaitley continue to ignore our repeated reminders, the Banks will successfully push the liability for frauds on the public.

Public will then turn their anger against the rapid technology adoption without corresponding initiation of security measures. Mr Modi should remember how his demonetization policy was opposed more for the bad implementation rather than the policy itself.

We therefore urge all the three stake holders namely the Cyber Fraud victims, the Banks and the Government to take appropriate actions in their respective spheres of activity to ensure that the Cyber Risks particularly in the digital payment eco system is managed effectively.

We need to therefore urge all these stakeholders to find out ways and means of “Secure Technology Adoption” and not be drawn into technology adoption because it is the “fashion of the day”.

The principles discussed above in the context of  Banking and Digital Payment system are even more relevant when we take into consideration the Internet of Things, Digital Medical devices/implants, Driver less Cars, Smart Cities etc.

In this context, we would like to present for academic discussion the “Theory of Secure Technology Adoption” . The dimensions of this theory will be explained in greater detail in the subsequent post/s.



Security of Aadhaar again comes for review

A recent news report says that UIDAI has initiated an investigation into three firms suspected of having violated the rules of Aadhaar authentication by sending stored biometrics to the UIDAI server for authentication. The firms involved are Axis Bank, Suvidha Infoserve and E Mudhra. (Refer article here). UIDAI claims that the data received for authentication multiple times was an “Exact Match”, which is statistically impossible and hence indicates a “Stored Biometric” being sent for authentication. The firms on the other hand have stated that the authentication requests refer to “Testing” of some applications and not any attempt at committing fraud.

While in this particular instance, there may not be any fraudulent intentions on the part of the three parties involved, the incident has confirmed what we have been indicating as a possible security risk where the biometric can be stored in soft form and re used.
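The check UIDAI describes, treating a biometric submission that is an exact match with an earlier one as a sign of a stored biometric, is illustrated below. This is an added example and not UIDAI's code; the request layout, entity names, subject references and template bytes are all constructed, and comparing SHA-256 digests of the submitted template is an assumption made for the illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample: (request_id, requesting_entity, subject_ref, template_bytes).
# Two live captures of the same finger differ slightly (sensor noise, placement),
# so byte-identical templates for one subject point to a stored copy being resent.
SAMPLE_REQUESTS = [
    ("r1", "entity-A", "subject-001", bytes([12, 200, 33, 91, 7, 140])),
    ("r2", "entity-A", "subject-001", bytes([12, 201, 33, 90, 7, 141])),  # fresh capture
    ("r3", "entity-B", "subject-002", bytes([55, 18, 240, 3, 99, 61])),
    ("r4", "entity-B", "subject-002", bytes([55, 18, 240, 3, 99, 61])),   # identical to r3
    ("r5", "entity-C", "subject-002", bytes([55, 18, 240, 3, 99, 61])),   # same bytes, other entity
    ("r6", "entity-B", "subject-003", bytes([1, 2, 3, 4, 5, 6])),
]


def template_digest(template: bytes) -> str:
    """Digest used for comparison, so the checker need not keep raw templates (assumed design)."""
    return hashlib.sha256(template).hexdigest()


def find_exact_repeats(requests):
    """Return one finding per (subject, digest) that was submitted more than once."""
    first_seen = {}               # (subject, digest) -> (request_id, entity) of first submission
    repeats = defaultdict(list)   # (subject, digest) -> later submissions with the same bytes
    for req_id, entity, subject, template in requests:
        key = (subject, template_digest(template))
        if key in first_seen:
            repeats[key].append((req_id, entity))
        else:
            first_seen[key] = (req_id, entity)

    findings = []
    for key, later in repeats.items():
        subject, _digest = key
        first = first_seen[key]
        findings.append({
            "subject": subject,
            "first": first,
            "repeats": later,
            # Every entity that sent the identical template, for follow-up with each of them.
            "entities": sorted({first[1]} | {entity for _, entity in later}),
        })
    return findings


if __name__ == "__main__":
    for finding in find_exact_repeats(SAMPLE_REQUESTS):
        print(finding)
```
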

In the past we have been aware that Certifying authorities have been indulging in the practice of keeping copies of private keys which can later be used for committing digital signature forgeries. Neither the CCA nor the Government has taken corrective steps.

Now the entire “Aadhaar Based Payment System” is in jeopardy because of the revelation of this incident. As one of the security professionals has pointed out (Refer article here), it was naive for UIDAI to announce in public how they were able to identify the potential violation of Aadhaar authentication in this case. As often happens when Police officials conduct press conferences to boast about a successful investigation, the revelations made by UIDAI will be information to future fraudsters on how to bypass known security measures.

Now, having committed one mistake too many, it is the responsibility of UIDAI to harden their authentication mechanism without necessarily giving out too many details to the public. It is of course still possible to secure the authentication mechanism through innovative methods. But UIDAI may or may not be capable of identifying such mechanisms, nor may they be interested, since it is the characteristic of UIDAI that they have always been in denial mode whenever security weaknesses are pointed out.

We hope that without first resolving the security issues, UIDAI does not jump into Aadhaar based payment systems through NPCI and land Indian citizens in trouble.

