EVM Vulnerability Exposed
April 30: Electronic voting machines (EVMs) have
been in wide use for several years in India. In the last few elections doubts
have been expressed about the vulnerability of the machines
and some time back even a
PIL had been
filed against the system. Naavi has also been highlighting the "Cyber
Crime and Cyber Law Compliance" part of the system.
A detailed note on the various ways by which EVMs can be
manipulated is now in the public domain through a paper released by three
volunteers (J. Alex Halderman, Hari K. Prasad, Rop Gonggrijp)
who have conducted extensive research on the actual machines. The report can be
found here (4 MB PDF file).
A video on the findings is also available here.
cartoon can be found here.
Is there a solution to making EVMs trustworthy?
Perhaps Yes. If any entrepreneur is interested in developing a suitable
alternative system, Naavi would like to discuss the possibilities.
Article by senthilraja : Article
Ranjitha decides to take action
April 30: Ranjitha, the Tamil actress who was
allegedly involved in certain objectionable action in the video related to
Nityananda, has after a long time broken her silence and raised an objection to her
name being dragged into the case. The implication of her statement is that the
lady in the video is not her and any reference to the same would attract
defamation action. Interestingly, she has also indicated that action under ITA
2000 may be initiated. In case she maintains that she is not the person in the
video, then the charge can only be on the defamation front and on the media
which stated that it was she who appeared in the video. The charge under ITA
2000 may come in case there is an allegation that the video has been
morphed with Ranjitha's identity being added to some other video. Alternatively,
a charge can be made under Section 66E of ITA 2008 for "Breach of Privacy"
provided she admits that it was herself in the video but that it was a violation of
her privacy. It would be interesting to see how she sustains the defamation
statement in a court if required.
A few years back a similar incident had occurred in Tamil
Nadu where what was called a "Trisha Video" was in circulation. Here also the
celebrity decided to disown that it was she who had been secretly photographed
and hence Police could not press any serious charges. For Section 66E charge
to be made it is essential that the person should admit that it was his or her
privacy that was violated. Otherwise the case would be hollow. The defendant
can also feign ignorance stating that the character looks like the celebrity
and it was reasonable for him to assume so. Under Section 66A, he can claim
that it was "not known to be false". Hence Ranjitha's case is unlikely to be
sustained under ITA 2008 if attempted.
Article by Neeraj Arora
Charge sheet Filed in Umashankar Case
April 30: Just before the judgment of Umashankar Vs
ICICI Bank adjudication was released holding ICICI Bank liable on Phishing, it
is now also known that a chargesheet has been filed by the Chennai police in
the case under Section 66 of ITA 2000. Chargesheet includes Sections
419, 420, 465, 468 and 471 of IPC also. The chargesheet, however, has been made
against the account holder in Mumbai Fort branch of the Bank to which the
phished amount was transferred and later withdrawn in cash across the counter.
The criminal proceedings recognize the offence under Sec 66
as was done by the adjudicator while exercising his jurisdiction. The
adjudicator had consequently also examined the operation of Section 85 and
held that ICICI Bank was liable under Section 85 due to a failure in
fulfilling the "Due Diligence" obligations. This automatically means that
ICICI bank officials in charge of the business as well as the Directors of the
Bank are also liable for the offence and such offence may extend to criminal
obligations. The precedent of baazee.com in the ITA 2000 scenario as well as
several other IPC instances would be sufficient to make ICICI Bank liable on
In the instant case, the Mumbai branch was accused of
opening the account of the fraudster without following KYC norms, granting him
"Overdraft" facilities, allowing him to withdraw Rs 4 lakhs in cash across the
counter immediately after the disproportionate amount was credited to the
account, destroying the CCTV evidence available to identify the fraudster,
failing to lodge a complaint when the fraud was brought to their notice,
claiming that they were entitled to retain part of the fraud proceeds to
recover the overdraft amount, etc. These accusations make ICICI Bank officials in Mumbai
susceptible to being charged with criminal negligence.
ICICI Bank should be relieved that the Police have spared
them from being charged either under Section 66 or under Sec 420 of IPC though
there were enough grounds for the same. There is however a possibility that at
some point of time in future, Police may rethink and add the Bank as
Co-Accused in the case or alternatively a PIL may be filed for the purpose.
Who is the Competent Authority for Blocking websites?
April 28: Search engines have a practice of registering, for a price, links that appear
at the top of the results for a search query.
A press release from PIB indicates that GOI has
issued directions to major search engines Google, Yahoo and MSN that no
"Sponsored Links" shall be displayed for the search query on "SEX". According to the Press Release, the direction has been issued under Section
69 of ITA 2008 by the Controller of Certifying Authorities (CCA). It is
however noted that under the amended Section 69 under ITA 2008 and the rules
notified therewith, the competent authority to issue the necessary directions
is not the CCA but the secretary of Ministry of Home Affairs at the Center or
Also, the directions under this section are meant for
"Interception and monitoring" of the type
alleged to have been undertaken by the NTRO recently as reported by the
outlook magazine and
denied by the Government. The actual action directed here falls under the
powers available under Section 69A and the competent authority for issuing the
same according to the notified rules is a "Designated Officer" to be
designated or in his absence the Secretary of the Department of Information
Technology under emergency powers. However in a recent case at the Delhi High
Court, a direction was issued to CERT IN for blocking and
CERT IN filed a
reply stating that the competent authority for blocking is "Coordinator,
Cyber Law Division, Department of Information Technology".
It therefore appears that the PIB press release is based on
incorrect information based on the earlier version of ITA 2000 where the Section
69 directly gave powers to the CCA for interception and decryption. It is
surprising that there is confusion at the department of IT itself on who is
the competent authority for blocking access under ITA 2008.
Cyber Crime is Big Business This Year
April 27: Experts feel that Cyber Crimes will
further increase in 2010, not only in the number of incidents, as can be measured by,
say, the number of malware codes in circulation, number of botnets created,
number of credit cards stolen, number of financial frauds, etc., but also in
terms of value. For the time being it is impossible to estimate the potential
security threat arising out of Cyber Crimes since there is a dearth of
statistics on reported cyber crime incidents.
Naavi.org contemplates the creation of a "Digital Security
Consortium" in India, bringing together all agencies working in the area of
Cyber Crime prevention under one banner for the purpose of information exchange. This,
we consider, is the first step to understanding Cyber Crimes.
Article in FE
UN Rejects International Cyber Crime Treaty
April 27: The UN has rejected a Russia-backed proposal for a new Cyber Crime treaty on
the grounds that a new study is required before it could be considered. The
decision is obviously influenced by US and EU communities who advocate that
there is already an existing treaty for the purpose. The EU community signed
the Budapest Convention which has been ratified by 46 countries.
The Convention gives police powers to access servers in other countries without
the permission of the authorities, as long as the system owners sanction the
access. Criminals can hop between servers in different countries quickly, so
police want to be able to secure electronic evidence before they move on, and
need to be able to subpoena service providers to hand it over. Russia is
opposed to this provision.
It is time for India to consider whether it is well placed to suggest a
regional Cyber Crime Treaty for South East Asia, which can then be harmonized
with the other international treaties.
Conference on Cyber Security
April 25: Confederation of Indian Industry Southern Region (CII) held
a one day conference on Cyber Security at Hotel Accord Metropolitan, Chennai
on 24th April 2010. This is a brief report (from Naavi as a speaker/delegate)
on the proceedings of the conference. P.S: This is not an official report of
CII and contains only the personal observations of Naavi...More
Copyright Act Set for Amendment
April 20: A Bill to amend the Indian Copyright Act 1957 and
incorporate certain provisions which are of importance to Digital Documents
has been introduced in the Rajya Sabha. Copy of the draft bill is available
Consumer Court Verdict against a Bank
16: Close on the heels of the verdict from the Adjudicator of
Tamil Nadu which imposed a liability on ICICI Bank for a Phishing fraud, TOI
has reported a Consumer Court verdict from Mumbai in which the Court has held
a Bank liable for a fraud in the Net Banking transactions of a customer Mr
Nikhil Futan involving a loss of Rs 4.6 lakhs.
It is however clear that the time has finally come for
Banks to secure their e-Banking technology or else face the liability. So far
Banks have not been reporting to any authority statistics of the number of
Phishing and other e-fraud incidents reported to them and hence there is a
lack of assessment of the gravity of the problem. It is time that RBI and
CERT-IN work out a mechanism for the reporting of all Cyber Crimes affecting the
It is also necessary for SEBI to question ICICI Bank and
other listed Banks if they have properly disclosed the Phishing risks in their
Clause 49 declarations...
ICICI Bank Phishing Case..comments
April 15: The article in the Internet Edition of Economic Times on 14th instant on
the adjudication verdict regarding ICICI Bank phishing case has elicited
several responses from the public. Some of these comments emanate from lack of
facts and create a wrong impression in the minds of the public. Since it
appears that further comments on the site have been closed, I am providing my
reactions to the comments to the ET article
Article in Statesman
My Comments to Reader's Comments in Economic Times
An Open Letter to IBA Chairman
April 14: Naavi invites IBA Chairman for a public debate on the Phishing Risks faced
by Bank Customers in India and what is expected of the Banks as a positive
reaction to the TN adjudicator's Landmark judgement of 12th April 2010.
Also read: Land Mark Judgment in Phishing Case
Microsoft Outsourcing Contract to Infosys
In what could be considered as a major victory for the
Indian Software and Outsourcing industry, it has been announced that
Microsoft has outsourced its internal IT services--help desk, desk-side
services, infrastructure and application support--to Indian outsourcing firm
Infosys. For Infosys, managing Microsoft's internal IT gives it a high-profile
customer and insight to using the latest technologies from the software giant.
It is stated that Infosys will manage IT services for Microsoft employees worldwide
and that it is a part of a consolidation of services that
were already outsourced to HP and others.
Phishing Victims see light at the end of the tunnel
April 13: Phishing is an act of cheating against a Bank customer
resulting in the cheater obtaining an electronic copy of the access signature
which is then forged to take away the money lying to the credit of the
customer. Banks facilitate the crime by following archaic security and
authentication methods, ignoring the law of the land and instructions of RBI.
Now, with the judgment of 12th April 2010 from the Adjudicator of Tamil Nadu in
Umashankar Vs ICICI Bank, in which ICICI Bank was found guilty under Section 43
of ITA 2000 read with Section 85 of the same Act and was ordered to
pay compensation to the victim, the victims of this fraud see a light at the
end of the tunnel. Naavi.org has been repeatedly cautioning the Banking
industry that neglecting the authentication mandate of ITA 2000 was accepting
the legal risk in the transactions and they need to switch over to the use of
digital signatures in their communication and Internet Banking. The judgment
of Mr PWC Davidar, the adjudicator of Tamil Nadu, provides a timely reminder to
the Banking industry, which is trying to leap into mobile Banking before
understanding and mastering the Internet Banking risks.
We are informed that ICICI Bank may appeal against
Article in Business Line
Related Article in ET :
Article in Rupee Times :
Article in stockwatch.in
Land Mark Judgment in Phishing Case
April 12: In a landmark judgment in India, delivered by Sri PWC
Davidar, IAS, the Adjudicator of Tamil Nadu (also the IT Secretary) has
passed an award for payment of Rs 12.85 lakhs to a petitioner who alleged a
fraudulent withdrawal from his ICICI Bank account. This is the first case on
"Phishing" going for adjudication in India. The judgement has asserted the
jurisdiction of the adjudicator in Phishing cases, asserted the coverage of
Section 43 for Phishing, and also the application of Section 85 of the Act
making the Bank liable for the fraud. ...More..
Copy of Judgement
Related Article in governancenow :
Related Article in techgoss :
Related Article in rediff.com
Call for Inclusion of Cyber Laws in Law Curriculum
While inaugurating the training programme on Cyber Security and Cyber Law
for Judicial Officers, organised by the Institute of Management in Government
(IMG) here on Saturday, Cyber Appellate Tribunal chairman Justice Rajesh Tandon
suggested that the Government should take the initiative to adopt a uniform
policy to include cyber laws as part of law education in the country.
Court Emphasizes Sec 65B certification of Electronic Evidence
The Delhi High
Court has directed all additional session judges of the district courts to be
cautious while handling cases related to electronic records. Justice Pradeep Nandarajog
observed recently that "We have repeatedly noticed that additional
sessions judges are exhibiting computer-generated print outs on statements of
the investigating officer that he obtained them from a particular source,
without complying with the mandate of Section 65B of the Evidence Act." The
Judge passed this order recently after noticing that many trial
courts had accepted electronic records merely on the statement of the
investigating officer (IO). The court was hearing an appeal by three men who
had been convicted by a lower court of kidnapping a child for ransom.
It has been reported in TOI today that a businessman in Delhi has taken
steps to write a will for his digital assets. The legal aspects of such a move
were discussed earlier in October 2009.
Readers may note that we have two issues here. The first is a
Digital Will, where the document has the characteristics of a will but is
expressed as an electronic document. This at present is not recognized by
virtue of ITA 2008. The second is the physical will for a digital asset. This is possible if an “Electronic Document” or a “Password”
or “Files in Electronic form either in a computer or on the Web” is recognized
as an asset. If so, there is a need for discussion on whether the asset is
“Movable” or “Immovable” or a new variety which may be called “Virtual Assets”.
Naavi firmly believes that there is scope for a separate
legislation on “Inheritance of Virtual Assets” on the lines of the Transfer of
Property Act or the Indian Succession Act or a combination of both. It is interesting that at least one citizen has raised this
issue and caught the attention of the media. I trust that the Government of India, Ministry of Information
Technology, constitutes a suitable taskforce to discuss all aspects regarding
defining of virtual asset, its ownership, transferability etc.
Is PDS worth
April 2: An interesting debate has been raised by
the Jago Party about the feasibility and desirability of abolishing the
current Public Distribution System. The key to implementation of the
suggestion lies in appropriate e-Governance solutions being developed
whether to retain the existing system or to introduce a new system. Since
use of technology for public benefit is close to my heart, I am raising some
of the issues associated with this suggestion...
Can Section 66A of ITA 2008 be used for "Defamation on the Internet"
April 1: "Defamation" is an important legal issue that arises often
on the Internet. In India, so far defamation was being covered in law under
Section 499 of IPC which can be extended to Internet speech or documents. ... After the ITA 2008 was notified with effect from October
27, 2009, Section 66A has often been cited as a new provision regarding
"Defamation in electronic form".
Perhaps it would take a few more years for the opinion on
these matters to crystallize. Until then Naavi.org advocates that it may be
left to the choice of the complainant to invoke either 66A of ITA 2008 or Sec
499 of IPC and not both and if it is intended that the case is pursued both on
criminal front and the civil front, the civil claim may be pursued with the
Adjudicator while a Cyber Crime complaint may be lodged with the Police for
appropriate action on the criminal front...More
[The above opinion is presented only for academic debate
and comments for publication or otherwise are welcome by e-mail at