Net 4 India.. Further progress

We are happy to announce that the difficulties of Net4India Customers who had lost control of their domain names, e-mail accounts, hosting facilities etc because the NCLT committed the blunder of not recognizing the existence of a continued business and the interest of the customers and blindly went ahead to declare Net4India as insolvent and freeze its operations may be coming to an end.

While the systemic changes required to be brought in to ensure that such incidents donot recur will continue to be followed up with the MeitY, I am glad to know that ICANN has completed the process of selecting a registrar who would take over the current business of Net4India. Ltd.

Full details of the process is available here. 

As per the announcement, PDR Ltd, (Public Domain Registry) has been designated as the organization to which the Net4India registrations would be transferred.

ICANN anticipates PDR will begin contacting registrants with information on how to access and manage their domain name registrations by early next week.

Once completed, the ICANN-approved bulk transfer will result in the migration of all gTLD registrations from Net 4 India to PDR. There is no charge to registrants for this bulk transfer, and no AuthInfo codes are required for this process.

Once the transfers happen, we suppose that it would be the discretion of the registrants to either continue with PDR or transfer the domains to their preferred domain registrars. Since PDR will be expensive compared to other registrars, we suppose most of the registrants would  look forward to transfer the domains to alternate domain registrars.

We need to wait and see how this proceeds further.

In the process of this appointment of PDR as the registrar, ICANN has ordered an automatic data transfer across the borders for which there is no consent. Also this is likely to transfer the continuing business potential of the customers who were wronged by NCLT to a foreign registrar. MeitY by not intervening in the process has caused the erosion of foreign exchange and cross border data transfer, which need to be corrected.

It is presumed that NCLT must have approved the scheme. If so, we need to again point out the lapse on the part of NCLT not to have recognized the need to get the business transferred to an Indian registrar.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

PDPSI framework to incorporate measures for treatment of Personal Data of Deceased Data Principals

We had earlier discussed certain issues concerning handling of personal data after the death of the data principal in our article titled “Digital Assets of the Deceased…Need for a legislative Change”.

Some views were also expressed through the following webinar in the FDPPI’s Jnaana Vardhini Series.

Following this webinar, FDPPI has set up a task force to develop a recommendatory white paper on the handling of Personal data of deceased data principals under the PDPB 2019 which will come up for further discussion in the Parliament during the next session. The task force recommendation would be taken up with FDPPI’s PDP Advisory Board for developing a broader policy at the national level. Also FDPPI’s PDP Code Committee will develop the code of practice for Data Fiduciaries to develop the policy document applicable for Data Fiduciaries on handling the personal data of the deceased customers.

The problem of determining how to handle personal data of deceased persons has many complications. Personal Data is often the key to access data lying with a Data service provider (Eg: E Mail service provider or a hosting company). The data lying within the account space of a service provider can be identified as an intellectual property coming under  “Copyright”. A software code developed by an individual may have copyright and also patent rights. In such cases the “Property character” of the data is well established and what is required is a “Claim Process” to enable the legal heirs to inherit the rights on the intellectual property.

However, “Personal Data” which includes the “Password” used for accessing the account is not clearly recognized as a “Property” and the right on individually identifiable data elements required as a password or to re-set the password cannot be assigned like the ownership of a “Intellectual Property”. In order to ease the claim process for settlement of a deceased person’s data property, if we start recognizing personal data as “Property” then during the life time of the data principal, we must agree for alienation of the personal data as a property.

In the “Non Personal Data” scenario, it is possible to recognize data as an alienable property and a “Sale” or “Licensing” or “Assignment” can be recognized as a means of transferring the property. But in the case of “Personal Data” Indian PDPB and GDPR may prefer to avoid the term “Sale” and use only “Assignment of Rights” as a means of transfer of any beneficial interest.

The Singapore PDPA which has extended the rights under the PDPA-2012 (Sg) to the personal information of deceased persons for 10 years or the HIPAA which has extended certain obligations of the covered entity to protect the EPHI for 50 years have looked at the “Personal Data of the deceased persons” as a “Commodity”. Though “Rights of Privacy” have no significance after death even under these laws, the laws expect “Protection” including non-disclosure to unauthorized person to continue for the state time period.

It is only in CCPA that the prospect of “Personal Data” being capable of being “Sold” has been discussed without any reservations.

Though Indian law has not spoken of “Transfer of Personal Data” from one person to another, the concept of “Consent Manager” used in the Act indicate that a Data Principal can transfer the right to “give consent” or “withdraw consent” to the consent manager. Just as the collection of personal data from a data principal to a data fiduciary is supported by a “Consent” in accordance with the Indian contract Act, the provision of the right to “Give or withdraw consent” is given by the Data Principal based on the “Consent to appoint a Consent Manager”.

Unfortunately the “Consent” which is a “Contract” does not survive the death of the Data Principal and hence on receipt of the knowledge of death of the consent giver, the data fiduciary should freeze the transactions in the account. Where the basis for collection and processing was not consent (say in GDPR) then, there would be a “Legitimate Interest” which survives the death of the data principal.

Hence the legal basis of collection and processing can have an impact on the right of the data fiduciary to continue processing of a deceased data principal’s personal data.

One solution which would have resolved this issue was to have introduced a “Nomination” facility for “Personal Data”. This has to be done with a new statutory provision and perhaps the PDPB 2019 itself is an opportunity to introduce the provision of “Nomination”.

In case the JPC has not suggested any provision in this regard, this can be introduced as an additional amendment when the Bill is introduced in the Parliament. This requires introduction of a definition of “Nomination of Personal Data” in Section 3 and also an additional sub section under Section 14 ( Processing of personal data for other reasonable purposes”.

The detailed procedures under this clause may include

a) Sending an annual confirmation request (similar to balance confirmation in Bank overdraft accounts) for validating the privacy policy.

b) If no reply is received to the confirmation request, sending a second request with a notice that the account would be de-activated and tagged as “Dormant” after a period of say 6 months

c) If no reply is received, for 6 months, sending a final notice and transferring the account along with the personal data to an arvhive.

d) If no re-activation request is received for 2 years ( Or say 6 years as in the case of  HIPAA), transferring the personal data and the data lying in the account to a Government Repository, which can be created by the DPA itself, by adding a new function of DPA under Section 49(2).

The PDPSI framework will be immediately incorporating this suggestion as a recommended implementation specification within Implementation Specification (IS17) on Notice and Consent form, and related implementation specifications such as Classification (IS 33),  Access Control (IS 36), Data Storage and Security (IS 37), Data Destruction (IS 43) etc.

In the absence of the available guidance from the DPA and the PDPB 2019, PDPSI will incorporate some controls which may be modified after the PDPB 2019 becomes a law.

PDPSI will therefore be the first framework for PDP-CMS which would address this contentious issue as a part of the compliance.

Naavi

 

 

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

What is the intention of MCA?.. To trap Crypto Owners?

“The Hindu Business Line” news paper carried a headline today stating : “A Glimmer of Hope for Cryptos in India”

Economic Times says : “Crypto Disclosures to protect Investors; MCA”

A statement attributed to an official states “The move would bring in greater transparency in the activities of companies engaging in trading of cryptocurrencies, which are not legal tender in India” .

We are aware that the media particularly the above two publications hold an editorial policy in support of the legalization of the Digital Black Currency in the name of Bitcoin and its various avatars.

We are also aware that there are many in the Government particularly in the Finance Ministry who are sympathetic to Bitcoins.  So also many judges in the Supreme Court.

We have been demanding that the Government officials, Judges and also businessmen should declare their holdings of Bitcoin and all related “Private Cryptos”.

In the light of the above demand, if we look at the MCA notification it is clear that MCA has thrown a gauntlet at the Digital Black Money holders.  It could be considered as a clever move to trap the holders of Digital Black wealth.

We are aware that many corporates who were attacked with ransomware demands, did pay out using Bitcoins. Obviously, they should have diverted their white money into buying Bitcoins and it would not have reflected in the Balance sheet. Now they need to disclose the transaction along with the source of payment, details of the seller and the exchange through which they bought.

If they have used their personal black money, then they cannot disclose the transaction. If the seller has sold it from his black wealth, he will need to explain. If the Exchanges claim that they are doing KYC, they need to declare the identity of the people involved. If the transaction has gone through a Bitcoin wallet held abroad, there is a possibility of a havala transaction.

If the companies donot declare their Bitcoin holdings, if and when the Government bans the Crypto and gives a window for existing investors, the Companies who have hid the transaction now cannot declare later.

The same argument applies to the individuals. They now need to declare their crypto assets in this year’s tax return and if they do, have to explain the source. If they donot, then they permanently remain black money holders and in the eyes of Indian law remain tax evaders.

Damned if you do and Damned if you don’t.

I am sure that the same publications which are today welcoming the MCA move will tomorrow ask for more concessions to ensure that the current holders are given immunity. Then the same people who were opposing the Electoral Bonds, Bearer Bonds and the schemes for regularization of previous tax defaults will have to eat their words.

Let us observe how things develop….

Naavi

 

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Supreme Court needs to introspect

It is sad to see that Twitter is full of ridicule for the Supreme Court of India following its intervention in the Oxygen supply issues.

The formation of a National Task force to streamline Oxygen supply by the Supreme Court, however good intentioned it may be, is an over reach by Supreme Court into the executive functions of the Government. This is a constitutional misadventure which should have been avoided.

The Court could have urged the Government to act and could have engaged in an off-judgement conversation to hasten action.

If the shortage of oxygen is due to black marketing and hoarding, the culprits are to be identified and punished. If it is due to the inefficiency of the Government machinery, the reasons why Government Jobs have become the preserve of the inefficient and the root cause such as “Reservation” should be explored.

The task of allocating a life saving commodity equitably to thousands of locations in India is a logistics issue. It cannot be solved by diverting oxygen from a less privileged state to Delhi or more privileged states or to protect the Judges in a specially created five star hospital.

The Supreme Court could have asked for advice from some companies in logistics business or IIMs to work out a more efficient method of managing the Oxygen supply. IT Companies could have helped in the rolling out of the software if required.

Instead Supreme Court has created a committee of a different kind of professionals which will only result in one more paper and no action. All the Committee members are medical experts and have no direct experience or knowledge on Oxygen production, supply in the world and logistics of how to distribute it across the nation without any patient feeling that his oxygen was not snatched away by another patient. They cannot say Delhi Judges need more oxygen than Chamarajanagar villagers or why West Bengal needs more Oxygen than Uttar Pradesh.

Dr Devi Shetty has given valuable suggestions on how to control the next shortage of medical professionals and this committee is more suited for that decision than on streamlining of Oxygen supply. The judgement indicates that the Court does not have expertise in identifying the root cause for the problem nor a possible solution and have just reflected the combined views of a few gentlemen with some life experience based on what the lawyers put up before them in terms of evidence and arguments.

Creation of such task forces can only frustrate the executive and make them less accountable. Now all initiatives of the executives would stop and the IAS officers will look upto the directions from the committee. This may create more harmful in the days to come.

Most of the citizens today are questioning the Supreme Court why they are not addressing the issue of pending cases. Naavi.org has repeatedly been asking the rationale for the “Bollywood Judgement” which allowed Bitcoin trading in India against the wishes of RBI which is the designated regulator. The Judges of the Court has still not come out with a declaration of their Bitcoin/Crypto asset holding to clear themselves of the suspicion of being irrationally biased.

The Supreme Court did not intervene when Net4India customers were suffering and feeling digitally choked because of the mis-handling by NCLT.

The Supreme Court has not been able to stop the political violence in West Bengal leading to hundreds of BJP workers being killed by their political opponents. They have turned a blind eye to the DMK workers in Tamil Nadu going violent against their political opponents. The Court did not act when farmer’s agitations were required to be curbed.

These inefficiencies/biased functioning of the Supreme Court,  not to talk of the charge of nepotism and corruption, has turned Supreme Court action in setting up the task force in the current Oxygen shortage context into an object of ridicule.

The selective action of Supreme Court to indulge in such executive activism is a dangerous tendency and should be curbed at the earliest.

I therefore urge the CJI to call for a full bench meeting of the Supreme Court and draw up some ethical standard operational procedure for the functioning of the Court when such public interest issues need to be adjudicated.

If possible, Supreme Court should consider setting up a Taskforce of respected citizens to help the judges draw up a plan of action to ensure that the Judiciary remains within its boundaries and let the Executive function on their own.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Watching the NPCI…Let NPCI not become a Crypto Exchange mechanism

We have pointed out several times how NPCI needs to take more responsibility for securing financial transactions in India

Besides yesterday’s article (NPCI needs to be watched) Some of the earlier articles in this regard are given below.

The Cosmos Bank fraud.. Could better security at NPCI have prevented it?

Software Application is not a mere piece of coding…There is business behind it

NPCI and RBI cannot absolve themselves of responsibility in UPI Fraud

4-D Secure protocol for Online security… Attention NPCI

Will NPCI indulge in Data Laundering like CIBIL?

Tweaking the MDR charges …Watal Committee recommendations…3

RBI cannot remain silent.. and so also NPCI, CERT and Ministers of Home, IT and Finance

The Unification of Fraud possibilities through UPI

Presently, NPCI is showing its affinity towards Bitcoins and is supporting Crypto Exchanges. We have a strong feeling that NPCI is getting ready to give a back office support to Crypto Exchanges to defeat any designs of RBI to bring a ban on Crypto currencies.

If RBI comes up with an official Crypto currency, NPCI may provide simultaneous support for all Crypto Assets as a category and enable that Bitcoins may continue to be used in our economy.

We have brought this possibility to the notice of all regulatory agencies but all regulators including the ministers in the Modi Cabinet are silent. The power of corruption can silence any body and it is showing its power by supporting the Bitcoin lobby. Honest citizens of India have no faith in Judiciary and the Government and are getting ready to succumb to the powers of corruption. Politicians take tax payer’s money distribute it before election and after election to their supporters and the tax payers look like fools who donot know how to live in this society.

Leaving this philosophical thought aside for a day when Mr Narendra Modi has a day of enlightenment like the Buddha, let us turn our attention to some academic debate on the NPCI handling Personal Data of millions of Indians and whether this data is safe in their hands, in the light of the CIBIL incident discussed earlier.

Status of NPCI

NPCI acts as a clearing house of all financial transactions using the UPI Id. All Banks have registered mobile numbers of account holders to the account which is also linked to the Aadhaar, PAN etc. When a UPI ID connects to a Bank account, it carries with it the payload of all personally identifiable sensitive data.

NPCI acts as an intermediary transmitting the requests from one UPI ID to another UPI ID. Hopefully the personal data behind the UPI IDs need not come to the hands of NPCI and remain with the respective Banks.

However, NPCI is maintaining a data base of financial transactions of various kinds which are linked to Inter Bank transfers of money, Credit card payments, payments from google pay, amazon pay, phone-pe, paytm etc. It must be having mobile numbers to bank account links of the public.

However, NPCI does not directly deal with individuals and is not visible as a “Data Fiduciary” to a data principal. It collects all the data from the participating institutions under a data processing contract not visible to the public.

It has 221 institutions registered for the UPI transactions including many cooperative Banks, As of April 2021 it handled 447.343 crores of transactions valued at Rs 1692.974 crores. This included Aadhaar related transactions, Bills pay transactions, eKyc transactions etc

It is clear that NPCI should have in its possession enormous amount of personal data in its accessible control.

However, the Privacy policy of NPCI available here and archived as on date here provides a very sketchy information about the personal data collected by NPCI and how it is used or shared.

There is a single Privacy Policy which addresses the website visitors which does not make any mention of the indirect data principals to whom NPCI is a “Joint Data Fiduciary”.

Para 2 of the policy states

“NPCI, in its role as a retail payment system service provider and a payment gateway, may receive financial information of a person which may include name of bank, account number, withdrawal amount, cheque number, payee details etc. Collection of such information by NPCI is in consonance with statutory and regulatory requirements and internal procedural and operating guidelines and byelaws. The internal procedural, operating guidelines and bye-laws of NPCI are duly documented.”

Para 3 appears incomplete and states as under

STORAGE OF INFORMATION

NPCI collects personal information online primarily to provide our visitors with a more relevant experience on this web site. When doing so, NPCI takes every reasonable effort to avoid excessive or irrelevant collection of data. As a corporate body and payment system service provider, NPCI maintains the records and information in a safe and secured manner as per its policy and in compliance with the statutory provisions and directions for the period required by it and as prescribed by laws and rules etc. We collect personal information only to the extent that it is necessary for the purposes set out below:

a. ———-

b. ———-

Personal information, if captured, is stored in paper and electronic files within NPCI’s premises, and approved archives. NPCI does not allow any unauthorized access to the information stored by it in any form whatsoever . The information is securely stored and access is restricted to authorised personnel only. NPCI incorporates confidentiality clause in non-disclosure agreement with entities having business with NPCI to keep personal information secure and confidential and not to disclose the personal information to others, unless required by law or by an order of a court or by written instruction by NPCI. Such non-disclosure agreements stipulate that all personal information obtained by other party from the arrangement with NPCI will be returned or destroyed on termination/expiry of the non-disclosure agreement.

Further, anytime you visit this web site, NPCI may gather certain non-personally identifiable information regarding the means you use to access our site. This information may include the type and version of your browser, your service provider, your IP address and any search engine you may have used to locate the website. We use this information to help diagnose problems with our server, administer the web site, and compile broad statistical data.

The purpose for which information is collected is left blank.

It is surprising that for an organization of global reputation, has such a shabby privacy policy which is not even complete.

If such an organization starts supporting the Digital Black Money exchange in India, then we can expect that the future of Indian economy is endangered.

Naavi.org has sought some clarifications from NPCI regarding the above and awaiting response.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

NPCI needs to be watched

NPCI was incorporated in 2008 and functions today as the national clearing house of all payments. Initially there were 10 promoters all of whom were Banks. It included foreign Banks like Citi Bank and HSBC. Since then several other Banks have been allotted equity.

Recently there is a move to set up a Private Sector NPCI clone or allow private equity directly in NPCI.

If we remember what happened in CIBIL and how CIBIL which was once owned to the extent of 92% by Banks was surreptitiously sold out to TransUnion and in the process 500 million plus sensitive personal data sets became the property of a US based private sector company.

This was a strategy which we called  “Data Laundering”.

At present, NPCI has a substantial chunk of financial data  travelling through their switches. Many private players have a facility to link their systems to NPCI and open a channel of communication to the Bank accounts of customers. The “Registered Mobile Number” is the only tenuous link to this access.

While NPCI may claim that they are a “Financial Intermediary” and may not store personal data of individuals in a manner a Bank may store, the possibility that the data passing through NPCI can be diverted and transaction profile extracted with a link to the registered mobile number cannot be ruled out. Once a registered mobile number is identified, it gives links to Aadhaar, PAN, Bank accounts, IT records and even the social media activities of the person.

We can therefore consider that NPCI is having access to all the sensitive personal data of people whose financial transactions pass through the NPCI.

When there are thoughts of privatization of such operations alarm bells should ring since this could be a preparation for another CIBIL type of data laundering.

Hence NPCI has to be kept under watch to check if they can be trusted with the financial information passing through their servers.

Presently, NPCI is managed under the Ministry of Finance which is amenable to all sorts of pressures from vested interests.

It appears that one of the reasons why the PDPB 2019 is getting deferred from one session to another is that the Ministry of Finance is demanding some changes which may be not acceptable. After all we know that NASSCOM and DSCI have already placed their demands for modification that wants financial information to be removed from the category of “Sensitive Personal Information” so that it can be freely transferred out of India. The Finance Ministry should be supportive of such move since this is necessary to allow data laundering through privatization of organizations like NPCI.

Today, yet another indication has surfaced why the Ministry of Finance cannot be trusted to take care of the interests of the country in securing the financial systems.

Some time back, Mrs Nirmala Sitharaman spoke in support of Bitcoins. We had raised our concerns directly with the Ministry of Finance to which as expected no response was provided either by the Minister or the secretaries.

It appears that the Ministry is stalling RBI and preventing them from re-issuing their circular which banned support to Bitcoin exchanges by Banks which was dramatically permitted by the “Bollywood Judgement” of the Supreme Court.

In the last few days, RBI seemed  to be re-introducing controls to prevent support of Banks in supporting Bitcoin trade and hence the Bitcoin industry has moved its attention to NPCI. This has triggered a fresh move from the Bitcoin lobby to put pressure on NPCI and support its cause.

Today a series of articles have been planted in the media stating

“NPCI Scraps Crypto ban Idea”, “NPCI leaves it to Banks to decide on blocking of Crypto trades”  “NPCI refuses to ban Crypto”etc

What this means is that NPCI has started supporting the Crypt Exchanges and they may allow private Bitcoin exchanges to use the NPCI switch to carry out Crypto trade by passing the Banks. Even if Banks are prevented from directly supporting Crypto trades, NPCI will become the larger clearing house to settle the payments between the buyers and sellers of crypto exchange.

Just as Bitcoin and Crypto currencies are going to make Indian Currency redundant, now NPCI will make RBI controlled Banks redundant and the eco system for Crypto trade would be complete without the Banks. 

I once again call upon Mrs Nirmala Sitharaman to wake up and break her silence. We donot know if she is on the side of Black money holders or against them. We request her as part of the Modi cabinet to confirm or deny whether the Ministry of Finance is trying to support the Bitcoin industry which is the support base of Cyber Criminals and Cyber terrorists besides being the digital black money of the world.

I have been highlighting that Crypto Ban is required to eliminate the strength of “Digital Black Money” and “Cyber Criminals”. I have also highlighted that anti Government activities of the opposition parties could be funded by Crypto currencies.

Mr Amit Shah may not be understanding the risk that a well oiled currency of the criminals can pose to national security. Mr Narendra Modi appears to be too busy with Covid issues and lost his will to eliminate black money. We urge them to realize the damage they are causing by their procrastination on the issue of Crypto ban.

Elimination of black money which includes banning of Cryptos is a step to recognize the honest citizens of India who donot want to support this global black money eco system. India leading a global movement to ban Cryptos as “Unregulated Currency” is essential to prevent illegal drug trade, illegal arms trade, as well as choke the dark web.

I wish some body makes Mr Modi realize that this cannot be done except by him and after his time, this country is likely to have a very bleak future. Already West Bengal and Kerala have joined J& K as problem states and some others will soon join. We then need another Sardar Patel to unify the country. One step required to slow down the erosion of nationalistic politics and empowerment of corruption led politics is to eliminate the source of funding of such transactions which requires Cryptos to thrive.

NPCI appears to be gearing itself to the role of a “Digital Black Money Exchange”.

In the meantime we need an explanation from NPCI for their recent supporting statements to boost Bitcoin.

As of now NPCI is open to RTI and I would like some of my friends to find out if all NPCI executives can declare their Crypto holdings  so that if and when Cryptos are banned and the holdings have to be accounted, we will know if these executives have been honest in their declarations.

If Mr Modi really musters courage to ban Cryptos, the industry will still try to extract a concession in the form of an extended time to get their crypto wealth converted into legit money. But this raises a moral issue that when demonetization of physical currency is given a certain window for conversion, why demonetization of digital currency be given more time.

I also request the Chief Justice of India to get a declaration of Crypto holdings of all the Judges since as and when the issue reaches the Supreme Court and argued as “Fundamental Right”, the bench of the Supreme Court which hears the case should be clean.

If BJP is really interested in eliminating corruption in India, this is the time to show their resolve.

Naavi

P.S:

I would like Privacy and Security professionals to go through the NPCI privacy policy available at https://www.npci.org.in/privacy-policy

(Also achieved at https://naavi.org/uploads_wp/2021/npci_privacy_policy.pdf)

Refer

Responsibility for data protection in case of Amazon pay etc lies with NPCI. Says RBI

 

 

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment