How Banks Cheat in Limited Liability instances

At one time, Bankers were considered trusted individuals and respected in the community. But with the advent of technology, Bankers of the older generation receded into the background and technologists came into the Banking profession. Today, Technologists have become Bankers, and the Traditional Bankers who still remain have become slaves of the technology-aware persons within the Bank.

The new generation of Bankers is short on integrity and follows the Kaliyuga principle of “Self Benefit” and “Self Preservation” at any cost. This generation would not hesitate to destroy their neighbour if it helps them.

I, as an ex-Banker, am making this statement after observing the behaviour of some of the Bankers in the current banking scenario.

People are aware of how ICICI Bank, in the case of S. Umashankar who lost money through phishing, went about sharing the fraud proceeds with the fraudster and tried to shield the fraudster by erasing evidence, by refusing to file a Police complaint, etc. There are several instances where insiders in Banks have themselves committed offences or otherwise assisted outsiders in committing frauds against innocent customers, and then dragged the cases through the Courts for years using their money power.

Fortunately, both the RBI and the TDSAT, along with some of the cyber-savvy adjudicators under ITA 2000 (IT Secretaries), have come to the assistance of innocent Cyber Fraud victims in Banks and held the Banks liable to pay the fraud amount back to the victims. They have recognized that dilution of security, through negligence or otherwise, is an assistance to the commission of the fraud and hence the liability should be borne by the Banks.

The “Limited Liability System” introduced by the RBI was one of the greatest steps in this regard. Accordingly, in any case of fraud involving internet banking, credit cards or debit cards where the fraud has been committed by an outsider, the Customer has Zero liability if he disputes the transaction when he receives the SMS alert. In such instances, the Bank has to restore the account by providing value-dated credit to the customer without any delay.

In order to avoid this liability, Banks have started to play games which are exposing the malicious nature of current day Bankers in India.

Yesterday, I came across an incident involving HDFC Bank in which a credit card customer found that, during the period when his old credit card was being replaced with a new one, the old card had been swiped in a foreign location for over Rs 1.26 lakhs. When the customer received a call from the Bank to verify the transaction, he stated that he had not carried out the transaction. However, the next day the Bank sent him an SMS saying that they had not been able to reach him when they tried to inform him about the transaction.

If the Customer thinks that he has already replied and takes no further action to continue disputing the transaction, the Bank would perhaps later say that he did not respond within 3 days or 7 days and try to hold him liable.

It therefore appears that the Bank is trying to create evidence that it tried to contact the customer and he was not available. This is a fraudulent action of the bank which should result in criminal action against the persons responsible.

In another incident, ICICI Bank called a customer about a new card and the card fees. After the customer indicated that he had no intention of using the card because it was not a free card as marketed, he was still billed and is being threatened with an adverse effect on his CIBIL rating. At the same time, the Bank has recorded a wrong e-mail address for the customer and keeps sending mobile SMS messages which cannot be replied to.

In both these incidents, Bankers of the current generation have come out as unreliable and fraudulent. The possibility of insider involvement in these instances is high.

I hope both HDFC Bank and ICICI Bank wake up and remember that they exist because of the customers and they need to respect genuine customers and not take any stand that will favour the fraudsters instead of the genuine customers.

Naavi


Has Rajeev Chandrashekar been compromised by the Bitcoin lobby?

A report has appeared on news.bitcoin.com under an article titled “Indian Parliament Member helping Crypto Community influence Regulation”, stating that Mr Rajeev Chandrasekhar, BJP MP from Bangalore, has agreed to “help” and “Influence” the Crypto legislation in India. It is also stated that he met some of the leaders of the Bitcoin industry on the 16th instant.

The report also states that Rajeev has given “great guidance” on how to approach positive regulations, and this is hailed as a good step forward for the “India Wants Crypto” campaign of the Bitcoin lobby in India.

This comes as a surprise since Mr Rajeev Chandrashekar is a technocrat who can understand technology and the real intentions of the Bitcoin lobby which is to promote the “Digital Black Currency” so that all the corrupt members of the society can escape the scrutiny of law and enjoy their black wealth.

So far Mr Rajeev has been considered as an MP who could be relied upon for promoting good causes. Hence it is surprising if the report is true.

However, it is likely that what Mr Rajeev said was related only to Block Chain technology and not to Bitcoin as a currency of transactions in replacement of legitimate currency. It is likely that the Bitcoin community is misusing the courtesy extended by the MP in meeting the members of the community who visited him.

I have today requested Mr Rajeev Chandrashekar to clarify if the report is true and will share his views if I get a reply from his office.

I will be the happiest person if it is clarified that Mr Rajeev Chandrashekar remains what I presumed he was: a knowledgeable and reliable politician who stands for the benefit of society.

A Disturbing Observation

At the same time, it is observed that, whether with his knowledge or not, a “Bitcoin Miner” is being run from the website www.rajeev.in, as indicated by the following report.

What this means is that whoever visits the website of BJP Rajya Sabha member Mr Rajeev Chandrashekar would perhaps be gifted with a “Bitcoin miner injection” into the visitor’s computer.

I would like to point out to Mr Rajeev Chandrashekar that this injection of the bitcoin miner is “Introduction of a computer contaminant” and is a contravention of ITA 2000/8 under Section 43(c) and is also a cognizable offence under Section 66.

I request Mr Rajeev Chandrashekar to clarify whether the Bitcoin Miner has been included in his website code with his consent and knowledge. If not, he can clarify how it got into his website.

At the same time Mr Rajeev Chandrashekar may clarify his stand on Bitcoin legislation and whether he has given his assurance to “Influence” the legislation ostensibly in favour of the Bitcoin community.

I also request Mr Rajeev Chandrashekar to make a public declaration of his “Bitcoin” and other “Private Crypto currency holding”.

I also request Mr Rajeev Chandrashekar to publicly disclose the entire discussions which he had with the Bitcoin industry representatives, who included Mr Satvik Vishwanathan, who had recently been arrested by Bangalore police on charges of attempted illegal transactions involving the setting up of Bitcoin ATMs and was therefore a target for investigation by the Enforcement Directorate.

Naavi

P.S.: I have been an admirer of Mr Rajeev Chandrashekar, and it is with a lot of pain in my heart and disillusionment that I have written this article. I pray to Lord Ayyappa of Shabarimalai (which Mr Rajeev has perhaps visited today) that wisdom may dawn on Mr Rajeev to clarify that he is not with the Digital Black Currency that Bitcoin represents.


Views of Kris Gopalakrishna…on Privacy…3

(This is in continuation of the previous article)

We shall now take a few other comments made by Mr Kris Gopalakrishna, as follows, and try to derive an inference out of them.

5.“I think our concept of privacy will go through a change because we are voluntarily disclosing whom we are because we want some service”.

6.“The understanding of data privacy would go through a change once the boundaries around data were clearly drawn, dispelling concerns about disclosing identity”

7.“Establishing policies around data, how industry must responsibly use your data and respect your privacy — today it’s not codified and hence the worry about disclosing your identity,”

I am not sure why Mr Kris says that “Establishing policies around data…is not codified today”. The PDPA addresses exactly this issue (though it is still in the process of being enacted). The Corporate responsibilities on what principles of collection and processing are to be followed, how the “Data Trust Score” has to be developed, etc., have been addressed by the PDPA. We only have to get the law passed without delay and get the implementation process into action.

As regards the concerns about disclosing identity, the concept of the data collector being a “Data Fiduciary” and exercising the responsibility of a trustee can address the concern to a large extent, much more than what GDPR has addressed through the Data Controller’s responsibilities.

If, therefore, the KGC does not trample on the implementation process of the PDPA, privacy governance in India through data protection would make substantial progress. If the DPA then takes control, the data protection regime can bring confidence to people concerned with their privacy.

Speaking on “Anonymity”, Mr Kris has commented:

8) “Globally, companies are looking at anonymising data — stripping data sets of personal attributes of individuals and gleaning meaningful inferences from the data points.”

This aspect has been addressed by the PDPA both by declaring that Anonymization takes personal data out of the jurisdiction of the PDPA and by criminalizing the re-identification of anonymized information.

The very definition of “Anonymization” is that the data can never be re-identified, but with “Dynamic Data”, “Corporate restructuring” and AI, nobody can be certain that an anonymization process will be 100% effective.

The failure of anonymization and the consequential re-identification can be addressed under the PDPA, if properly implemented, by hoisting vicarious liability on both the ineffective anonymization and the re-identification.

Lastly, Mr Kris has reflected:

9. “Unfortunately or fortunately, data, compared to all the previous eras — agriculture, manufacturing and IT or digital — where the economic value lay in physical goods, knows no national boundaries. It can be transmitted without friction. How does a nation create value on the data of its citizens? How does a nation protect the data of its citizens? These are the questions everyone is grappling with”

In this comment, Mr Kris has acknowledged the need for data sovereignty and the need for the country to consider aggregated personal data as an asset of the nation. It is precisely this concept which is in conflict with commercial exploitation, and the committee has to show how it will ensure that national interests are not compromised.

The PDPA will partially address this issue. The KGC will however need to ensure that none of its recommendations provide loopholes for commercial establishments to take the benefits of Indian personal data out of the country. If they are allowed, this will be considered “Data Laundering” or “Data havala”, similar to money laundering and havala.

If this committee can find a Data Governance framework that can prevent a TransUnion-type data heist, then it will be a great achievement. Let us hope the committee will be able to reach this goal.

(Comments welcome)

Naavi


Views of Kris Gopalakrishna…on Privacy…2 Leveraging data for the benefit of the individuals

(This is in continuation of the previous article)

The next two comments of Shri Kris Gopalakrishna that we would like to analyze are:

2. “India has a huge opportunity to leverage data in every aspect: data will be very important in providing credit, better banking services, healthcare, education, retail and ecommerce.”

3. “Everywhere, the efficiency can be improved, services levels enhanced. It is not just the companies benefitting, the individual also benefits,”

These comments reflect the potential for corporate benefit, such as credit rating, health insurance, etc., which is projected to be beneficial to the individual because of better efficiency.

Ever since the e-Governance and E Banking concepts became a reality in India, we, the Citizens and Consumers, have been held out the promise of “Economy through Digitization”. But in practice such economies have never been realized. At one time we had free Banking. Now we need to pay for ATM services and also for physical visits to the branches. There are charges for NEFT transfers (maybe they have been removed now). The annual ledger charges have now become service charges, and the Government benefits from these through Service tax and GST. As a result, E Banking has become more expensive than non e-Banking. Similarly, E Governance has become more expensive than non e-Governance. Over and above this, fraud risks are to be borne by customers. Even the cost of Cyber Insurance is hoisted on the consumers.

This “Higher Efficiency and benefit to the consumer” is therefore a scam that IT companies promote. The less said about it, the better.

Let us therefore forget this benefit coming to consumers out of Big Data Governance. The fact is that, eventually, commercial companies will make more money and consumers will pay for more security. There could of course be new services and convenience, but it is a trade-off with additional cost.

We can also look at another comment made by Mr Kris that is related to the above.

4. “In the physical world, property rights have been clearly established. I think, over time, property rights will be clearly established in the online world.”

We have debated this at length earlier. GDPR has not adopted the “Property” concept. The California Consumer Privacy Act has adopted the “Property Concept”. In India, DISHA (proposed) endorsed the property concept of personal data, but the PDPA rejected it and brought in a superior concept of “Data Trusteeship”.

The concept adopted by the PDPA is globally unique, though many in the industry may not appreciate its value and may, through ignorance, degrade it to the GDPR concept of “Personal data being a transferable Right”.

This is one area where I would wish the KGC does not err. I urge each of the members of the committee to go through the discussions presented at naavi.org on the concept of “Data Fiduciary-Data Principal relationship” and how it differs from “Data Controller-Data Subject relationship”.

Initially, I had also preferred the “Property” concept at one level, with a separate intermediary of “Data Trusts”, but Justice Srikrishna was more innovative and suggested something better: he merged the concept of Data Trusts into the concept of the Data Controller and created the “Data Fiduciary”.

This innovation needs to be preserved as it has the potential to be one of the most innovative concepts in Data Protection regulations across the globe.

While leveraging the benefits of Personal data aggregation, the KGC should ensure that “Data Laundering” through “Mergers and Acquisitions”, as we have pointed out in the case of TransUnion taking over CIBIL, is prevented.

Similar corporate restructuring tactics may be used to defeat some of the provisions of Data Protection, such as Data Sovereignty and the cross-border restriction on personal data transfer.

We need to watch if these contentious issues will be addressed by the committee with National Interest in mind.

Personally, I have an apprehension that the strong industry lobby that opposed Data Localization in the PDPA will, through NASSCOM and other industry members of the committee, try to dilute the Data Sovereignty principle and the Data Localization requirements. Taking a conspiratorial, speculative outlook, I even have a thought in the corner of my mind that this committee has been formed only with the idea of killing the Data Localization concept strongly promoted by the Justice Srikrishna committee. I hope Mr Kris will realize this in due course and will not allow such manipulation.

I hope the minutes of the meetings of this committee will be available under RTI for the public, to ensure that no such deviations of purpose occur.

In fact, these are the days when Legislative proceedings are broadcast in real time, and we are asking the Supreme Court to conduct hearings with a real-time video broadcast to the public. It is therefore time for committees such as these to also consider public broadcast of their proceedings. This will ensure transparency in the operations of the committee.

Will the Chairman consider video broadcasting of the proceedings in real time?

(Continued)

Naavi


Views of Kris Gopalakrishna.. What do they indicate for the Privacy regulation in India?

(Continued from the previous article)

Shri Kris Gopalakrishna, Co-Founder of Infosys, who has been appointed the “Chairman” of the “Expert Committee on Data Governance Framework” with the terms of reference:

a) To study various issues relating to Non Personal Data

b) To make specific suggestion for consideration of the Central Government on regulation of Non Personal Data

has provided some indication of what is in his mind on “Privacy” and “Data Protection” through his interview in ET. From his interview we have culled out 9 statements on which we provide our comments.

The reason why we are taking this up for debate is that the views of the Chairman of the committee could influence the final outcome of its recommendations, and hence it is necessary for data protection regulation watchers to understand his mindset.

The views and the corresponding comments are as follows. These comments do not necessarily indicate any disagreement but try to clarify issues.

1. “the broad strokes of data regulations lie in trying to leverage the economic value of data for the benefit of the citizens, not just for corporations, and protecting them from the vulnerabilities inherent in the digital era.”

In the past, the broad strokes of “Data Protection regulation” were embedded in “Cyber Crime Prevention” legislations such as ITA 2000/8. It recognized “Data” as a valuable asset of the organization, and companies do protect data in their own interests. But when an enterprise fails to protect data and, apart from adversely affecting its own interest, adversely affects the interests of other persons, the law provided a remedy which included prosecution of the company and its officials for negligence.

After the advent of strong data protection laws, the broad strokes of “Data Protection Regulation” were built around the need for individual privacy protection. Hence GDPR prescribed stringent penalties that made the industry sit up and take notice of the compliance requirements. In India, the PDPA was framed by Justice Srikrishna to provide a similar “Data Protection Governance Framework”.

These regulations kept a window open to accommodate the interests of the Data Analytics industry by accommodating “Legitimate Interest” and “Anonymization of Personal Data”.

Anonymized data was completely out of the Data protection regulation, and “Re-identification of anonymized data” was a punishable offence or civil wrong in some of these regulations. Similarly, Corporate data was out of the purview of these legislations, though some ambiguities remained on “Employee Data” and “Business E-Mail”.

The “Data Governance Framework” of the pre-data protection regulation era, and also that of “Anonymized and Non Personal Corporate Data” in the post-data protection regulation era, was dictated by frameworks such as the Information Security models of ISO. In the post-data protection regulation era, the GDPR/PDPA compliance framework assumed importance and supplemented the earlier ISO frameworks. Some of the ISO frameworks, like ISO 27001, voluntarily added ISO 27701-like provisions as extensions so that they can assist companies in securing both corporate and personal data.

The PDPSI (Personal Data Protection Standard of India), as proposed by Naavi, was a “Data Governance Framework” for personal data, and it suggests a similar approach for Corporate/Non personal data.

Now the Kris Gopalakrishna Committee (KGC) on Data Governance Framework has flagged “leveraging the economic value of data” for the benefit of the citizens. This “economic value” is generated by aggregation and derivation from individual data accumulated from different sources. If the source is an “Anonymized pool” of personal data (which may include IoT data), the economic value of the aggregated data is what the Big Data industry is exploiting today.

The Justice Srikrishna committee, however, flagged a different type of data, where one person provides identified data under consent but it automatically reveals the personal data of his family or community and, on aggregation, reveals certain value-added behavioural information; the committee raised the concern that this needs to be regulated.

It is not clear whether the KGC will restrict its recommendations to the processing of “Anonymized personal data” only, or will also cover “Identified community information”, which relates to “Community Privacy”.

The views of Kris Gopalakrishna indicate that contributors of individual data should benefit from their contribution even when it is anonymized and converted into value-added data. This is the concern raised by Naavi in his article on Dynamic Data.

There is an IPR issue in the case of such value creation, and whether the citizen can be provided a part of the benefit through legislation, and if so how, needs to be explored.

(To be continued)

Naavi


Kris Gopalakrishna clarifies the role of Data Governance Committee

We refer to our two earlier articles on the subject of “Data Governance Framework” and the new Expert Committee on Data Governance that has been announced.

It was pointed out that the Srikrishna committee had spoken of the necessity of a new regulation for what Justice Srikrishna described as “Community Privacy”. This new “Right” of the “Community” was recognized because the “Identified Personal Data” of individuals, to which the PDPA (Personal Data Protection Act) refers, would, when aggregated, lead to “Identifiable Community Data”.

The notification of the committee, however, referred to a different term, “Non Personal Data”. Non Personal Data could be “Anonymized Data”, since “Anonymized data” is anyway out of the scope of the PDPA and is not considered “Personal Data” at all.

Non Personal data, however, includes corporate business data as well as the community data which the Justice Srikrishna committee referred to. Presently such data is secured under ITA 2000/8 and the “Prohibition of Re-identification” under the PDPA. But neither of these two aspects covers the concept of “Community Privacy”, which remains a term yet to be legally defined and covered under any law.

We pointed out in our articles that creating a regulatory framework for addressing the “Community Privacy” issues is a continuation of the PDPA work and is as complex as personal data protection itself. We also pointed out that the “Data Governance Framework”, as the industry perceives it, is today dictated by the Business requirements of an enterprise, and the personal data protection requirements are superimposed on the Corporate Data Governance Framework as “Compliance Requirements”.

We pointed out that the notification refers to “Deliberation of Data Governance Framework” but refers to the Srikrishna committee in its preamble (which concerned itself with “Community Privacy”), while the terms of reference made a reference to issues related to “Non Personal Data”. In the context of the legislative requirements envisaged by the Justice Srikrishna committee, it was also pointed out that the constitution of the committee did not reflect those requirements.

If, however, the reference to the Srikrishna committee is ignored and what this committee is to deliberate on is only “Big Data Processing”, then its constitution with people of IT industry experience is good enough. It would then be like the Committee on E Commerce, which gave its own recommendations within the PDPA provisions. But the committee, in its final report, should not overstep its expertise boundaries and recommend concessions to the Data Analytics industry which would be in conflict with the PDPA, either by design or by error.

I am reminded of two other instances in the legislative history of Cyber Laws in India which presented similar issues and where Naavi.org had reason to raise its voice.

The first was the “Expert Committee” which was formed in 2005 to look into amendments to ITA 2000 following the Bazee.com issue, and which wanted immunity to be given to Intermediaries from being held liable under Section 79 of ITA 2000.

The second was when the G Gopalakrishna Committee of the RBI, deliberating on the E Banking security guidelines, was the target of an attempt by some Bankers within the Committee to manipulate it to secure their interests by declaring OTP and 2F authentication as “Electronic Signature”.

On both these occasions, Naavi.org vehemently opposed the moves, and finally the committees made changes to incorporate the views.

In the first instance, the 2005 amendments were replaced with the 2008 amendments by the standing committee of the Parliament headed by Congress MP Mr Nikhil Kumar. (Refer here)

In the second instance, the GGWG committee itself dropped an entire proposed chapter on legal issues and reverted back to the Internet Banking guidelines of 2001. (Refer here for details)

We wish that the Kris Gopalakrishna committee will be responsive enough to understand the concern expressed by us: that what the Srikrishna Committee wanted is different from what the terms of reference of this committee indicate, and that it would not be proper for this committee to step into the shoes of a regulatory extension of the PDPA unless the committee includes a strong judicially oriented person or persons. Otherwise the committee may come up with recommendations which will meet with opposition from Privacy activists.

What Kris Gopalakrishna says

In this context it is interesting to note what Mr Kris Gopalakrishna has said yesterday in an interview with ET.

His comments, as indicated in the ET report, are as follows, and we shall comment on each of these as the “Views of the Chairperson of the proposed committee which may redefine Privacy laws in India”.

a) “the broad strokes of data regulations lie in trying to leverage the economic value of data for the benefit of the citizens, not just for corporations, and protecting them from the vulnerabilities inherent in the digital era.”

b) “India has a huge opportunity to leverage data in every aspect: data will be very important in providing credit, better banking services, healthcare, education, retail and ecommerce.”

c) “Everywhere, the efficiency can be improved, services levels enhanced. It is not just the companies benefitting, the individual also benefits,”

d) “Globally, companies are looking at anonymising data — stripping data sets of personal attributes of individuals and gleaning meaningful inferences from the data points.”

e) “The understanding of data privacy would go through a change once the boundaries around data were clearly drawn, dispelling concerns about disclosing identity”.

f) “Establishing policies around data, how industry must responsibly use your data and respect your privacy — today it’s not codified and hence the worry about disclosing your identity,”

g) “I think our concept of privacy will go through a change because we are voluntarily disclosing whom we are because we want some service”.

h) “In the physical world, property rights have been clearly established. I think, over time, property rights will be clearly established in the online world.”

i) “Unfortunately or fortunately, data, compared to all the previous eras — agriculture, manufacturing and IT or digital — where the economic value lay in physical goods, knows no national boundaries. It can be transmitted without friction. How does a nation create value on the data of its citizens? How does a nation protect the data of its citizens? These are the questions everyone is grappling with”.

These indicate his present views and could get reflected in the final report of the committee also. They can be considered as what the Committee may view as its own interpretation of the terms of reference.

Hence we need to take this up for debate so that the Committee proceeds in the right direction.

My Comments on the above views will follow in the next article. Readers can also send their comments to Naavi.

(To Be continued)

Naavi
