Header image alt text


Building a Responsible Cyber Society…Since 1998

I refer to the discussions we had in the case of the Phishing fraud at Musiri Branch of State Bank of India where I tried to provide some guidance to the Customer on what sort of complaint he has to register. I had also sent an e-mail directly to the branch.

I understand that the customer has lodged a formal complaint with SBI on the lines suggested.

As is usual, SBI branch will send the complaint to the LHO and the Branch Manager normally does not take any action. The reply will normally be so much delayed that the fraudster could make an easy escape before the investigation even starts.

We are all aware that most computer systems work on the principle of “Cache” storage of log information which automatically gets over written after some time with new data. Hence if any evidence has to be extracted from computer systems, it should be done within a short time after the incident. Otherwise the evidence gets erased and the system owner can give an excuse that information is no longer available.

SBI will also use the same excuse and after making the customer wait for some time will say that the information is no longer available. Some times this can be out of ignorance and some times it could be deliberate.

Law however is very clear that “Deletion of data when it was required to be kept for the time being under law” is a cognizable offence under Section 65 of ITA 2000/8 with a possible imprisonment of upto 3 years. Even under Section 204 of IPC, it is an offence carrying a sentence of 2 years.

Once therefore the customer informs the Bank that an unauthorized transaction appears to have taken place in the electronic systems belonging to the Bank, all the log records and associated information becomes recognized as “Potential Evidence in a Cognizable Crime”. Hence they shall not be destroyed in the usual course of “Cache being over written”. All relevant information needs to be “Archived” securely and as per Section 67C of ITA 2000/8 for such period and in such format as is relevant for the purpose. Otherwise there is a second offence under Section 67C carrying another 3 years imprisonment.

This also applies to the Mobile Service Providers and Wallet Companies who may be involved in the fraud. The ultimate beneficiaries of the fraud and all the intermediaries who are involved in the process would be known from the Bank’s records.

The first task is therefore to obtain a certified copy of a report from the Bank about the status of the account indicating their version of how the transactions indicated by the Customer to the Bank as “Unauthorized” have been recorded in their books.

Some times they simply ask the customer to download the statement from the Internet and read the particulars of the transactions. Police/Customer should reject such response and insist that the branch Manager provides a Certified copy of the statement under the Bankers Book Evidence Act for a drilled down statement which shows the details of the transactions which includes

a) Name of the beneficiary

b) Date, Time upto seconds of the transaction

c) IP address, Mobile Number or other meta data collected with the transaction.

d) Details of the authentication measures used by the Bank to pass the transactions of similar nature.

e) Adaptive authentication measures followed by the Bank and the reasons why they failed in the particular instance

f) Report of the IS team of the Bank on how their system was compromised to pass a forged transaction

g) A Bit image copy of the hard disk where the disputed transactions were authenticated with Section 65B certification

Bank may provide the information in installments since some information may be available with the Manager and for some he has to contact his Core Banking server team .

LHO is only an administrative head and no time should be wasted in simply writing a letter to LHO and waiting for the reply.

If the Manager does not cooperate, Police has the authority to push for action over e-mails for instant information provision failing which they should record that the Bank was not cooperating in collection of evidence and this may be considered as a “Passive Assistance” to the fraudsters.

In some cases, Police may be hesitant to ask the Bank Manager tough questions since he represents an organization as big as say SBI and the customer is a relatively powerless person. Banks are also more resourceful and they can hire more reputed lawyers and even try to influence the investigations to favour them using their contacts in the city and financial power.

In such cases customer should not hesitate to approach the Court to expedite the investigation.

However, we can consider that in most cases Police may want to help the customer but they donot know how to proceed.

It is in this context that we put out a detailed note on what information has to be asked from SBI Musiri Branch in the subject case. I understand that they have dodged the customer on some technical grounds of how the letter was issued which I hope the local advocate would take care.

Additionally, since two days have elapsed when SBI received the knowledge that a fraud might have been committed in their systems it was their duty to preserve the evidence.

I therefore advise the Musiri Customer of SBI to issue another notice to the Bank signed by the advocate that they demand the information forthwith and in the event any evidence which was present in the system as of the time the fraud was first reported over phone or otherwise to the call center of the Bank by the customer is found to have been tampered with, action would be initiated on the Bank and its employees under Section 65 and 67C of ITA 2008 in addition to the current charges of “Conspiring with the Fraudsters and other intermediaries to cheat the customer”.

(P.S: I am sure the advocate can find the necessary sections under IPC for the purpose.. 420? and 120B?)

I was today informed of another incident in Punjab National Bank Pudukottai where the customer has lost Rs 38499/- . The amount appears to have been credited to MobiKwick, Airtel, Make My Trip and other service providers .

My advise to the customer and the Police in Pudukottai is similar to what I have indicated in the Musiri case. Please issue an immediate notice to the Bank holding Bank as the accused since the fraud has occurred within the electronic systems of the Bank. The Intermediaries like MobiKwick, Airtel, Make My Trip etc should also be issued a notice and a case for conspiring along with PNB and some unknown customers of the service providers (like MobiKwik etc) to defraud the customer.

It is the duty of each of these service providers and the Bank to jointly and severally bear the liability and to provide all necessary information that can assist the Police in finding the end users.

If these agencies want my assistance on how they should proceed to collect the evidence required they are free to contact me.

Police on their side should invoke Section 79 and 85 of ITA 2000/8 along with other sections of offence and charge the officials including the branch manager, and other relevant persons responsible for the security of the Banking transactions.

I demand that the RBI and the Bank’s own fraud prevention section should immediately take steps to preserve the evidence and assist the police to bust the case.

I suggest that the Police may also send a notice to the RBI Governor to clarify the validity of the “Limited Liability Circular” issued by them on August 11, 2016 which they have indicated subsequently as being formally issued.

In their replies to RTI queries, RBI has confirmed that this circular is under finalization. But so far they have not made their decision public though they might have conveyed it in their meetings with Banks.

If RBI is holding back the issue of the circular to facilitate the Banks from escaping from the liability, it is necessary for Mr Urjit Patel to come out clean on his inability to get the circular issued.

If as in the previous instances of Damodaran Committee report etc, RBI backs down under the pressure of the commercial banks to protect the customers, they they should atleast stop issuing Circulars with no intention of making them operational to fool the public. Otherwise, the Media may start reporting RBI circulars under the “Fake News” columns rather than in their main news sections.



Cyber Appellate Tribunal Goes into limbo again?

Posted by Vijayashankar Na on June 20, 2017
Posted in Cyber Law  | No Comments yet, please leave one

Cyber Appellate Tribunal was a creation of the Information Technology Act 2000 and was the appeal Court for all Adjudicators (One in each State and Union Territory) and the Controller of Certifying Authorities. The Adjudication system became effective from 2003 and Cyber Appellate Tribunal started operating in Delhi some time in 2005.

The Cyber Appellate Tribunal in the country was established by the Central Government in accordance with the provisions contained under Section 48(1) of the Information Technology Act, 2000. The Tribunal initially known as the Cyber Regulations Appellate Tribunal (CRAT). After amendment of the IT Act in the year 2008 (Which came into effect on 27.10.2009) is known as the Cyber Appellate Tribunal (CyAT).

The Tribunal started functioning from October, 2006 in a portion of the Department of Information Technology  building at CGO Complex, Lodhi Road, New Delhi.

Hon’ble Mr. Justice R.C. Jain, a retired Judge of Delhi High Court was the first Presiding Officer of the Cyber  Appellate Tribunal, who joined as Presiding Officer on 4th October, 2006. The tenure of Mr. Justice R. C. Jain, as Presiding Officer of Cyber Appellate Tribunal expired on 7th December, 2007.

On appointment of Hon’ble Mr. Justice R.C. Jain as Member of National Consumer Disputes Redressal Commission, Hon’ble Mr. Justice Rajesh Tandon, a retired Judge of Uttrakhand High Court took over the charge as Presiding Officer of Cyber  Appellate Tribunal on 25th February, 2009. Tenure of Justice Rajesh Tandon, as Chairperson of this Tribunal  expired on 30th June, 2011.

Since that day, CYAT has been dysfunctional since no new Chair Person was appointed. Though Justice S.K.Krishan was appointed as a Member and was eligible to be the Chair Person, he was not notified as Chair person and he also retired. Subsequently another Technical member was appointed and the Registrar was functional but no activity could be undertaken since the Central Government and the Chief Justice of India could not agree on a candidate for the post.

As a result the Cyber Judicial system in India has been non existent since June 2011 and odd cases have been tried at the High Court under its jurisdiction as the Court of appeal over Cyber Applellate Tribunal and under the conventional writ jurisdiction.

This also gave an excuse for Adjudicators to stop functioning and today India does not have a properly functioning Cyber Judicial system and the victims of Cyber Crimes have little support from the Judicial system. This would have caused a dent in the “Ease of Doing Business Index” of India about which Mr Modi is very fond off.

Since this appointment of Chair Person of CyAT was caught in the ego battle between the Central Government and the Supreme Court surrounding the NJAC and neither was really concerned with the citizens who were adversely affected by this ego battle, no action was taken from 2011 to 2017 to re activate the Tribunal.

Now the intelligent Finance Minister of the Union Of India found an idea to deflect the criticism of inaction by the Modi Government and stated that some of these dysfunctional Tribunals are a cost center to the Government and have no need to exist. He therefore went on a cost minimization exercise and merged CyAT along with a few other tribunals into one other Tribunal which was functioning. Accordingly he added a provision in the Finance Act 2017 to merge CyAT to TDSAT and washed his hands off. The Minister of IT Mr Ravi Shankar Prasad who is also an advocate like Mr Jaitely and is also the Minister of Law conspired in this apparent cost cutting measure that was actually meant to kill the controversy with the CJI on an agreeable name for the Chair Person and in the process CyAT went into the oblivion.

Necessary legal amendments to ITA 2000/8 has been done and now TDSAT becomes the appellate authority after the Adjudication of a Cyber dispute under Section 46 of ITA 2000/8. The amendments have been incorporated in the version of ITA 2008 posted on www.naavi.org and the mobile App Cyber Law Guru

In the earlier article, “Amendments to Finance Bill on Cyber Appellate Tribunal..We are worried”  I have given my personal views on the subject.

Now it is reported that the Madras High Court is hearing a petition challenging the provisions of the Finance Act 2017 which dealt with the merger of different Appellate Tribunals and the High Court has issued notice to the Central Government.

The petition is filed by Madras Bar Association and is being herd by a bench consisting of Chief Justice Indira Banerjee and Justice M Sundar. Senior Advocate Arvind Datar appeared for the petitioner.

The petitioner has raised some very valid questions on how the abolition of Tribunals was handled as a part of the Money Bill and this is likely to be a huge issue that would determine the scope of the powers of the Government in using Finance Bill for non Finance legislation.

Mr Datar presented that

“When the Constitution gives a special provision for passing a Money Bill, it implies that bills unconnected with matters mentioned in Article 110 cannot be labelled as Money Bills. Such a practice amounts to Fraud on the Constitution and is a colourable exercise of power. This is a repeated practice as evidenced by the passing of the Insolvency and Bankruptcy Code, 2016 and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.

The Supreme Court had, in Krishna Kumar Singh v. State of Bihar (2017) 3 SCC 1, held that abusing ordinance making power will be a fraud on the Constitution. Likewise, deliberate use of Article 110 to circumvent the need of Rajya Sabha approval will be a fraud on the Constitution. The Supreme Court judgment cannot be nullified by an act of Parliament or by rules. This has been laid down by a number of cases including Madan Mohan Pathak v. Union of India (197 8) 2 SCC 50. Thus, the money bill process was abused to make amendments to the functioning of tribunals…”

The petitioner has prayed for quashing Sections 156 to 189 of the Finance Act, 2017 and the Finance Act, 2017 and the Tribunal, Appellate and other Authorities (Qualifications, Experience and other conditions of Service of Members) Rules, 2017 as unconstitutional

We feel that there is merit in the petition and this is likely to be a long drawn battle which may ultimately be settled by the Constitution bench of the Supreme Court of an appeal over whatever decision the Madras High Court arrives at.

In the meantime we can expect that the TDSAT will not hear any appeals pending at CyAT and hence the defunct system of Cyber Judiciary continues. Victims should therefore continue to rely on the State High Courts to pursue their litigation in Cyber Crime cases coming under the provisions of Section 46 of ITA 2000/8.


Earlier articles : 

Amendments to Finance Bill on Cyber Appellate Tribunal..We are worried

Process of Cyber Appellate Tribunal merger with TDSAT complete

Cyber Appellate Tribunal to re-emerge as TDSAT

India has reportedly completed its diplomatic negotiations and formalities to ensure that Switzerland will automatically share the details of Bank accounts opened by Indian nationals in that country with Indian authorities so that numbered Swiss Bank accounts can no longer be used to park black money.

While  it has perhaps come a little too late in the day and its impact on curbing black money in India could be limited, this can be appreciated as a step in the right direction.

However, intelligent Black money operators have already found alternate means to park their Black money in the form of “Bitcoins” and other “Private Crypto Currency” (AltCoins) and hence are not much concerned with the Swiss Bank accounts now. The pressure is therefore now on the Government to some how legitimize Bitcoins as a “Digital Currency” so that it can be an easy instrument for parking black money.

Bitcoins and other Private Crypto Currencies will also be  a boon to terrorists in Kashmir, as well as Naxalites who need to receive funding from abroad for their nefarious activities in India and printing fake currency in Pakistan and tossing it over Malda-Bangladesh border or pushing it through Nepal is a cumbersome process. On the other hand, Crypto currency transaction is a great digital solution to the operation of transferring funds from ISI to terror networks in India.

Obviously, there are many in India who have great sympathy for the cause of breaking India and all those are interested in getting Bitcoins legitimized.

Though the Government of India formed a Committee under the Finance Ministry and sought the opinion of public formally through the MyGov.in website, the way the MCX and other quasi Government organizations tried to influence the decision in favour of recognition of Bitcoins, it was clear that there could be supporters of Bitcoins within the Government itself.

We can therefore expect that left to the Committee, no decision may come forth in near future and the current status of where “RBI is not prepared to declare Bitcoins as illegal” or “SEBI not being prepared to declare Bitcoin Exchange as illegal”, “ED acting deaf and dumb in not taking action against FEMA violations” will continue.

I therefore urge the Ministry of  Electronics and Information Technology (MeitY) under Mr Ravi Shankar Prasad to take suitable steps within their control to bring about suitable changes in the Information Technology Act to protect the country from the menace of Private Crypto Currencies.

Since ITA 2000/8 is already under a process of amendment, some amendments can be taken up when these amendments are considered. However, this would be a long drawn process and hence some action is required immediately in the form of a Notification which is within the hands of the Secretary of the department. It can be issued as a Gazette Notification and later presented to the Parliament for ratification in the next session.

The first step required to be done in this regard is

a) De-recognizing the Crypto Currency including Bitcon as a valid Electronic document under Section 4 of ITA 2000/8

b) Introducing criminal penalties for the use of Bitcoins and other Private Crypto currencies as a perceived currency or a legitimate commodity with value attached.

c) Introducing regulatory checks which act as deterrents to the spread of the Bitcoin and other Crypto currencies as part of  various legitimate  IT services

Some suggestions in this regard are as follows:

  1. Presently, First Schedule of ITA 2000/8 lists documents that are not within the purview of the Act. The documents listed here have no “Recognition” under Section 4 of ITA 2000/8. In this list Bill of Exchange and Promissory notes are already included as “Excluded Category” and are defined as “Negotiable Instruments other than the Cheque”.

“Currency” is not considered as a “Negotiable Instrument” and is regulated through RBI Act with an exclusive power to RBI to issue “Currency Notes”.

Crypto Currencies are “Electronic Documents” and hence are recognized under Section 4 of ITA 2000/8.

RBI does not however declare it as “Currency Note”. But in practical usage, it is promoted and used as if it is a currency like other currencies like the dollar or pound or euro. There are exchanges that convert these AltCoins to other fiat currencies some times through sophisticated money laundering schemes such as using Lindens (currency of the secondlife.com).

There is therefore a misconception that these Crypto Currencies are “Virtual Currencies” and should be encouraged just like the PayTm or similar digital payment systems.

In order to remove the misconception and to prevent misuse and misrepresentation of Crypto Currency as a legitimate legal tender, Schedule I of ITA 2000/8 should be expanded with addition of the following instrument as excluded either with an explanation or amendment.

” Any Electronic Document that purports to constitute a negotiable instrument (other than the cheque) under the Negotiable Instruments Act 1881, or purports to be a “Currency” under the RBI Act 1934″

2. Section 66C of ITA 2000/8 makes fraudulent use of signature of a person as punishable.

The scope of the section may be extended by adding the words ” or  fraudulently and dishonestly makes use of any electronic document” within the section so that it applies both to the fraudulent use of a signature as well as any other electronic document. (This would also cover some crimes omitted when Section 66A was scrapped)

3. Section 69, 69A and 69B  of ITA 2000/8 provides powers to authorities to intercept, block or decrypt or seek information from any person. If the person is unable to provide assistance, he would be liable for punishment.

In the rules associated with these sections, it must be made clear that the authorities may demand decryption information of Bitcoins or other AltCoins and if the person is unable to provide the decrypted information, it should be considered as a punishable offence. (P.S: Encryption includes any form of hiding the information including the use of numbers for identifying the holders of bitcoins or wallets. Hence “Decryption Demand” means revealing the identity of the persons behind the transaction)

Notices under these sections can be issued to Bitcoin wallet companies and exchange companies to reveal the identity of transactions including the entire chain of transactions that constitutes the block chain.

Bitcoin holders may also be demanded to decrypt the Bitcoin information failing which they may attract penalty. Such property can be confiscated as property that is subject to investigation.

This would make Bitcoin and crypto currency  holding and trading as untenable and unless a separate positive regulation legitimizing such currencies is introduced, the current market of crypto currencies will vanish.

Since the above measures are well within the powers of the MeitY, it should be considered for immediate use even before the committee constituted for the purpose comes to an agreement on what kind of regulations can be considered.

It is the duty of every honest citizen of the country to ensure that the currency system of the country cannot be undermined by anonymous private crypto currencies like the Bitcoins.

I trust that MeitY will find suitable means to address the de-legitizimization of Bitcoins and Private Crypto currencies without any further delay.


Yesterday, I highlighted the plight of a customer of State Bank of India Musiri branch in Tamil Nadu who lost Rs 49773/- through a fraud. We can recall here the decision of the Adjudicator of Tamil Nadu in the case of S.Umashankar Vs ICICI Bank that even in the case where the customer has compromised the credentials in a phishing attack, the Bank is liable for its negligence and is liable to pay the customer for his loss.

I want State Bank of India, Musiri branch manager read this judgement when he contemplates replying to our open letter of yesterday.

The logic is very clear. A fraud happens when there are is an ultimate victim who is out of pocket and the ultimate fraudster who has enriched himself with a wrongful gain. In between there are different entities some of whom have participated in the chain of transactions which together form a “Money Laundering Exercise” where money is stolen from an honest person and the tainted money is passed through different filters leading to a clean possession of an asset in the hands of the fraudster .

The intermediaries facilitating the fraud who are all “Partners in Crime” include the Banks, Mobile service providers and the PPI and even the E Commerce Site where the fraudster uses the stolen

money to buy products and services. The Mules who function as Phishing agents and the BPOs that run in Noida/Gaziabad area where IT companies are set up as “Phishing Call Centers” are directly involved in cheating the Bank customer.

There is no doubt that the Phishing mules are no longer innocent youngsters who are earning their daily meal by creating phishing websites and making calls etc. They are using all their social engineering skills to cheat innocent victims and their masters are like mafia gang leaders. These people deserve to be put behind bars for a long long time. Though some of these are arrested from time to time, I presume the Courts and the Criminal lawyers ensure that they are out on bail soon to continue their nefarious activities.

As far as the victim is concerned, he does not have the resources to fight the mafia network and therefore is at a disadvantage having to fight the crime mafia.

On the other hand, the intermediaries like the Banks, the Mobile Service Providers and PPI service providers have no business to be assisting the fraudsters with their own negligence.

The E Commerce service providers who actually deliver goods against such fraudulent payments some time fail to cooperate with the law enforcement by not sharing the product delivery addresses or delivering products on street corners instead of at an identifiable address of the buyer. To that extent of negligence they also have to take the blame for letting the frauds perpetuate.

However, the greater responsibility lies on the other intermediaries who help in the money laundering scheme of the fraud gang. None of the phishing fraudsters will be able to encash their crime booty except with the assistance of the intermediaries. Without opening a Bank account or a PPI account in a mobile, it is impossible for these frauds to be successful.

Hence these financial intermediaries are the key to controlling such frauds and their negligence is unpardonable.

The most visible form of the negligence of these financial intermediaries is in not having a robust KYC system and enabling the fraudsters to open fake accounts either in the Bank or in obtaining SIM cards. As a genuine customer we all know that when we want to open a Bank account or obtain a SIM card, we are subject to all forms of rigorous checks and if this is a common practice, it should not normally be possible for fraudsters to open fake accounts. But it is a fact that fraudsters do succeed in opening fake accounts and use the account repeatedly to commit frauds on others.

This only proves that these financial intermediaries have moles in their own organizations who enable fraudsters to open fake accounts by tampering with the KYC documents. In most cases, the KYC documents of a genuine customer may be used for the fake accounts putting the genuine customer also at the risk of being accused of a fraud at a later time. Since these moles are employees or contractors of the financial intermediaries, the vicarious responsibility for their fraudulent activities lies with the financial intermediaries.

It is in this context that financial intermediaries need to develop rigorous KYC practices starting not with their technology hardening but with the hardening of their processes in appointment and management of KYC agents.

Until such time these Banks and Mobile operators understand their responsibilities and discharge them with a sense of duty to the public, we will continue to say that India is not ready for financial innovation and introduction of products such as Aadhar Enabled Payment Systems.

We also continue to hold that these intermediaries should be not only made to pay for their negligence by picking up the fraud liabilities but also be criminally charged for reckless handling of the financial systems putting the society at stake.

I therefore call for Police in Musiri to file a criminal charge on State Bank of India, Musiri for defrauding their customer by adopting inadequately secured authentication methods which have enabled in the commission of the fraud.

In case SBI tries to divert the charge to various PPI operators such as PayTM, mPesa, one97.com, Oxigen, who are the companies which SBI appears to have pointed out as beneficiaries of the above fraud, Police should file cases against these operators also since their KYC could have failed.

If some of these are non KYC accounts, still the log records of these operators would be useful and they should be called for. If they are not able to provide log records, they should be charged for negligence and non compliance of ITA 2000/8.

Today, Banks want to continue their present approach to digital Banking where they want to pocket their commissions and service charges and expect Customers to underwrite the risks. This is unacceptable. Banks should pay for their negligence and if necessary cover themselves with Cyber Insurance.

Any system of electronic banking that does not protect the customer against “Phishing” is not a secure system and must be abandoned.

Unless we try to make an example of this case which represents instance of an ignorant customer being provided with an unwanted banking facility which he is unable to understand and therefore becomes a victim of a fraud, we will not be able to make progress in improving the security eco- system.

Since it is a policy decision of the RBI that such services are being pushed to ordinary people in a false sense of digital progress, the RBI Governor Mr Urjit Patel is also answerable for lack of proper understanding of the Banking customer.

It appears that the current state of affairs where “Insecure Banking” has become the accepted norm, is also a result of RBI being managed by “Economists” instead of “Bankers”. These economists know only how to tinker with interest rates and appear to have inadequate understanding of the retail Banking system.

It is difficult not to also blame our Finance Minister and Prime Minister who are being mislead into promoting digital habits as a part of the digital revolution and driving the Indian Banking customers towards a day when Indian Banking system will collapse.

For the time being, my advise to rural Banking customers is to ignore the  call of the politicians to go digital and stay at transactions which they can understand. If they are comfortable in going to the Bank and meeting the Bank manager to deposit and withdraw your money, they should stick to it and not go for mobile Banking. If they are comfortable in dealing with cash, they should stick to it and return your debit cards today to the bank and obtain an acknowledgement.

I know that this message may not directly reach the target customers who are illiterate villagers but I am placing it here so that NGOs may pick it up and spread the message.

I have already placed these suggestion with Mr Modi stating that until he is able to introduce mandatory Cyber Insurance, he should stop promoting digital payment systems as he is knowingly or unknowingly committing the Indian society to doom.

The dream of “Less Cash Society” cannot be pushed without a mandatory Cyber Insurance protection for all customers of digital payment system. If the Government is not ready for this, they should stop talking of “Less cash society”. Such Cyber Insurance cover should come at the cost of the Banks and should not be loaded on to the customer.

As some economists have pointed out, the system of digital payment replacing the cash transactions where every transaction is loaded with a service cost would erode the wealth of the transferor with each transaction until the “Cash in digital form becomes zero after successive deductions of service charges”.

Hence it is not feasible to load costs onto digital transfer and it has to be boarne by the Banking system out of the efficiency related savings and benefits.

Hope these words of wisdom from an ex-Banker, E-Business Consultant and Techno Legal Information Security observer reaches the right persons and they act in the right direction without branding me as “Anti Developmental” or “Anti BJP” since I am neither.

I am one who believes that technology can be harnessed in a manner that does not endanger the financial system but technologists who donot care about the society and the regulators who donot understand the risks along with Politicians who look for short term gains are not using technology in a responsible manner.

I presently trust Mr Modi to be able to take corrective action but he has left this responsibility to Mr Arun Jaitely who is too busy to identify where the shoe pinches for the ordinary people and apply corrections. Others donot seem to matter.


This is an open letter to

The Manager, State Bank of India, Musiri Branch, Tiruchirapalli Branch, Tamil Nadu.

Dear Sir

I am informed that on June 7th 2017, 5 fraudulent withdrawals have been made from one of the customer’s of your branch having account number 3353XXXXX38  (P.S: Full Name and other details are already known to you and hence it is not reproduced in this public forum. If required, it will be provided) amounting to Rs 49773/- which was the hard earned savings of a poor customer.

I have reasons to believe that SBI has been completely negligent in passing these fraudulent debits to the account without following proper security measures as required under Information Technology Act 2000/8 and RBI guidelines.

I am aware that you would be having your excuses on why you passed the forged transactions without following reasonable security practices. These are subject matter of further detailed litigation if it becomes necessary.

I also request you to refrain from obtaining any false declarations from the customer under duress to defend your position.

In the meantime, I would like you to kindly inform your customer in writing the following:

  1. Full details of each of the 5 debits including the nature of transaction, IP addresses if they were online transactions, Merchant establishment details if they were offline transactions.
  2. Details of any awareness training you had provided to the customer regarding the risks of digital payments when you decided to provide him a Debit card and internet access.
  3. Reasons why you have not reimbursed the amount as per RBI guidelines on “Limited Liability” when the fraud was reported to you
  4. Reasons why you have indulged in a money laundering exercise in association with the fraudsters and allowed your customer to be cheated.
  5. Reasons why you have not invoked Cyber Insurance and given a refund to the customer immediately.
  6.  Your views on whether this fraud related to the recent incident when SBI recalled 6 lakh debit cards which were compromised and if not, why do you think it is not so related.
  7. The details of when and how you have reported this fraud to CERT-In and your HO and if not, why you chose not to report the fraud as required under law as well as regulatory guidelines.
  8. If the payments have been made at any ATM outlets or Merchant Establishments, kindly obtain and forward CCTV footages with Section 65B (Indian Evidence Act)  certification. If you are unable to produce such footage, please provide reasons on why you are unable to produce such evidence.
  9. If the transactions were made online, please obtain and send all log records showing the entry of CVV, VBB and other security PIN if any with date time etc again with Section 65B (IEA) certification. If you are unable to provide such information, kindly let us know the reasons why you donot want to produce such evidence.
  10. If the transactions were made offline, please obtain and send the POS machine logs along with transaction summary slips showing the customer’s signature. if you are unable to provide the same, kindly give reasons on under which RBI guideline you are allowing Card Not Present transactions without obtaining the customer’s signature and matching it with the signature on the back of the card.
  11. If the money is purported to have been drawn by some third party fraudsters, kindly obtain and forward the KYC documents to identify the fraudsters. If you are unable to produce such information, kindly indicate why you are allowing such money laundering to be committed by your Bank and its associates.
  12. Please also send the names and designations of all SBI officials and the Merchant Establishments and ATM owners who are involved in this money laundering exercise.

I will collect the information from your customer so that decision can be taken on further course of action including launching of criminal proceedings against State Bank of India and its officials including you.

I wish you would immediately take steps to refund the amount to your customer as per RBI guidelines so that there would be no requirement of further action.



I am also intending to initiate launch of a public movement at Musiri to ask all your customers to return all cards issued by SBI as they are likely to be used by associates of the Bank to defraud innocent customers. I hope this would be a national movement that will make SBI realize its responsibilities in dealing with E Banking.

I also call upon the Chair person of State Bank of India to take suitable steps to redress the grievance of the customer without raising any excuses.

I request the Adjudicator of Tamil Nadu (IT Secretary) to use his powers under Section 46 of ITA 2000/8 and initiate a suo-moto action against SBI to redress the grievance of the customer.

I request NGOs such as Cyber Society Of India (CySi) to take up the issue as a Public Interest and persuade SBI to see reason and redress the grievance of the customer.

I also request Reserve Bank of India to advise SBI to take immediate remedial action.

I also request NPCI and CERT In to intervene and assist in the resolution of the dispute since they are also responsible for the lack of adequate security of digital payment transactions.

I also request Mr Arun Jaitely and Mr Narendra Modi, honourable Finance Minister and Prime Minister of India who are pushing for digital payment systems without understanding if the public are ready or not and without ensuring that Banks are not hands in glove with fraudsters and looting public money to instruct SBI to redress the customer grievance immediately.




Falsified Evidence under Section 65B certificate

Posted by Vijayashankar Na on June 14, 2017
Posted in Cyber Law  | No Comments yet, please leave one

Section 65B of Indian Evidence Act requires a certificate to be produced with any Electronic Document submitted as evidence in a Court of law, at the admission stage.

The mandatory requirement of Section 65B certificate came into effect on 17th October 2000 when ITA 2000 (Information Technology Act 2000) was notified. However it was the undersigned who produced first such certificate in a Court. It was  in 2004 in the State of Tamil Nadu Vs Suhaskatti case for criminal prosecution under Section 67, in the Egmore AMM Court, Chennai. Based on the certified evidence the Court went on to proceed with the trial and convict the accused. The conviction sustained even in the appeal at the Session Court upholding the validity of the evidence. Since then the Section 65B certificates produced by the undersigned have been produced in other courts from time to time.

However it was not until the Supreme Court judgement in the P A Anvar Vs P.K Basheer that the litigation market players realized that electronic evidence without Section 65B certificate would not be admissible in the Courts. Even the Police have started adding in their CrPc notices calling for information which may be in electronic form to be provided with Section 65B certificate.

Naturally, there is a scramble now on understanding how the certificate has to be given. Though Naavi.org and ceac.in have put out clear information on how Section 65B certificate is to be produced, there are a few legal practitioners who may hold some different view points on some of the finer points of certification. Such differences will persist for some time and will be resolved over a period of time as long as we try to understand the purpose of the section and its use case scenarios.

What is however necessary for Companies in particular from the ITA 2008 compliance angle and ordinary citizens relying on such evidences to fight cases in the Courts is to understand that if the evidence is not properly produced, they may be rejected by the Court at the admission stage itself.

On the other hand, we also need to warn companies and individuals that some times there is a tendency to produce evidence which is deliberately falsified with the hope that no body would find out.

I recently came across such an incident where a large Telecom company had filed an apparently falsified electronic evidence to support its case against one of their employees. The electronic documents were supported by Section 65B certificate and also an affidavit in the Court.

It is possible that the defense may submit suitable arguments to throw this evidence out but what we need to remember is that production of falsified evidence is clearly an offence under Section 193 of IPC which is a cognizable offence carrying 7 years of imprisonment.

The person who produced a falsified Section 65B certificate and an affidavit in respect of the certificate would be liable for punishment under Section 193.

Such an Act will also be an offence under Section 43/66 of ITA 2000/8. Some of these incidents would also be offences under Section 65 and Section 67C of the Act as well.

When such person is an employee of a company and the interest of the Company is involved, the Company would also be guilty of the offence and it would extend to the “Officers in charge of Business” and “Directors” under acts such as the Companies Act  and ITA 2000/8.

While the offence under Section 193 of IPC carries 7 years imprisonment the ITA 2000/8 offences carry 3 years imprisonment.

I therefore advise those who donot know how to produce Section 65B evidence should not take the risk of producing falsified evidence as it may boomerang on them during the course of the trial when it is proved to have been falsified.

In Civil cases when such falsification comes to the knowledge of the Court it would be possible for the Judge to order that criminal action should be initiated by the prosecution separately either under IPC or ITA 2000/8. Perhaps it may be possible for the Court to initiate Contempt of Court proceedings for misleading the Court through falsified evidence.

Even in cases where an electronic evidence was present at one point of time but the litigant has failed to get Section 65B certificate for an evidence and subsequently it is no longer available, instead of trying to falsify the evidence with a compromised Section 65B certificate, it is better to forego the presentation of the documentary evidence in the form of electronic documents and try to proceed with other evidence on hand including oral evidence and witnesses.


Close It