

Building a Responsible Cyber Society…Since 1998

Where do I start my GDPR compliance?

Posted by Vijayashankar Na on March 17, 2018

Many organizations in India are now concerned about the need to be compliant with GDPR before the deadline of 25th May 2018. They must be receiving many e-mails from their business partners abroad with the query “Are You GDPR Compliant?”. There is therefore a scramble in industry circles about how to become GDPR compliant in quick time.

Any compliance program is a “Journey”. It is not completed in a day. In any compliance journey it is always tough to make the beginning. Once begun, the task is half done. The same applies to GDPR compliance also. Start your GDPR compliance and you would be able to say “I am in the process of achieving GDPR Compliance”.

The first milestone to achieve is “We are GDPR Ready”. This GDPR readiness is important for all data processors who are now negotiating a data processing contract with an EU GDPR-sensitive business partner who is constrained to ask the question about your GDPR readiness before starting the business dialogue with you. Until GDPR-sensitive data comes into the systems and is operated in a compliance regime for some time, it is not possible to test the real GDPR compliance of any organization.

Hence, before the actual processing of GDPR sensitive data commences and it is observed for a certain period, it is difficult to jump to the conclusion that any organization is “GDPR Compliant”. If they have instituted all measures required for compliance, the organization may however declare themselves to be “GDPR Compliance Ready” and nothing more.

Indian Companies who are Data Processors need to understand that their main obligation is to the Data Controller who hands over, under a “Processing Contract”, the “Personal Data” which comes under the material scope of the GDPR (Article 2.1). The main liability for GDPR compliance lies with the Data Controller and not the Indian Business Associate (unless the Indian Company is more than a mere Business Associate for data processing and indulges in direct collection of relevant data).

The First question which any Indian company has to ask a controller is therefore,

Do you have a GDPR Compliance Check list for a non EU data processor? If so, please share it with us and we will make necessary arrangements. Otherwise, we are “Ready” to understand what could be your requirements and how it can be met at our end.

I will not be surprised if many of the Data Controllers think that EU GDPR is also applicable to extra territorial jurisdictions like India and India does not have any other local laws which may be in conflict. They may therefore presume that you are as much aware as them about GDPR and there is no need for them to tell you how to be GDPR compliant.

If you have such a client, then you can tell them,

“Yes, we are aware of GDPR and if you want, we can think on your behalf and implement GDPR for you. But this will be a GDPR consultancy contract and different from the Data Processing contract and will be charged separately”

Do Indian Companies have the negotiating strength to say as suggested?…. Each company needs to ask itself.

GDPR imposes liability mainly on the Data Controller and expects them to implement the Compliance requirements at the design stage of the process. It is only the Data Controller who knows what for the data is being collected and how it needs to be processed. It is only the Data Controller who has access to the drafting of the “Informed Consent” and getting it from the Data Subject. The Data Processor is not directly involved in determining the purpose of collection and the processing requirements.

There may be an exceptional case where the Data Controller has the right to determine how the data has to be collected but engages a sub contractor to create and manage a website or a system through which the data is collected after providing the necessary disclosures and obtaining the consent. In such a case, the Data Processor is himself the “Data Collector”. But still it is the responsibility of the Data Controller to specify in the service contract how the Data Collector cum Data Processor collects and processes the data.

Hence the “Data Processing Engagement Contract” becomes the key to start GDPR compliance and will be the starting point for compliance in India. Either the Data Controller has to come up with one such document or say, “We do not have a detailed agreement on how the GDPR compliance is required to be done but please consider the GDPR document as part of this agreement. Interpret it in your context and be compliant.”

An Indian company keen on the business may jump at such an opportunity with or without charging extra fees for consultancy. However, in such cases the responsibility to interpret GDPR clauses shifts to the Indian company. We all know that legal interpretations are always dicey. There may be differences in interpretation, and the interpretation of the Indian company may not be agreed upon by the EU company when a dispute actually arises.

Hence in such cases, it is necessary for the local company to conduct a GDPR Impact analysis in the context of what is envisaged in the contract and develop a written document that is sent to the principal for his information and confirmation. In this document, the obligations that the local company takes and the obligations it does not want to take or cannot take because of conflict with the local laws can be specified.

Once this “GDPR Impact Assessment and Implementation Plan” is documented in a contractually agreeable manner, the Indian company can go ahead and implement the requirements from the technical perspective, test it to the extent possible and if everything goes well call itself “GDPR Compliant”.

The principal has the right to inspect the implementation plan, run his own tests and be satisfied beyond the claims of the local company at any time either before starting the processing contract or later.

Since there is a cost to “Getting GDPR Ready”, if the Data Controller imposes a condition that “You should be GDPR ready before …. and I will inspect and have the right to reject”, the local company should either take the cost of getting GDPR ready as a cost of business promotion or collect it separately as additional preparatory cost.

I presume that wise Indian companies have already adopted these measures.



Currently GDPR and Aadhaar are both hot subjects for discussion amongst professionals whether they are Privacy activists, Information Security professionals or Lawyers.

GDPR is at one end of the spectrum often looked upon by Privacy activists as the ultimate in Privacy Protection legislation. Aadhaar on the other hand is at the other end of the spectrum often looked upon as the greatest villain in Privacy breach in India.

The Supreme Court of India continues to hear the petition of Privacy Activists who are more concerned about the political damage they can create on the Government by attacking Aadhaar than any public good.

There appear to be some foreign technical persons calling themselves “Ethical Hackers” who are camping in India to hack into Aadhaar data and prove that Aadhaar is the epitome of Privacy invasion in India. It is not clear where the motivation of these persons comes from and whether they are motivated by their commitment to the Privacy of the Indian Citizen or committed to the political advantages that can accrue to Black Money owners in India if the present intentions of the Government to link Aadhaar to Mobile and Bank accounts are frustrated through intervention from the Supreme Court.

We the Indians are aware that even Supreme Court is having its own agenda and many times takes decisions which are “TRP oriented”. The Privacy judgement, the Scrapping of Section 66A are examples of decisions where the Court has shown its inclination to come to conclusions based on the public perception that can be created about the “Progressive Views of the Judiciary”.

In this context it is essential for us to examine how GDPR tries to address the issues of Privacy in the context of Public interest, National Security and Journalistic freedom.

Chapter IX of GDPR  refers to “Provisions Related to Specific Data Processing Situations” and sets in the rules regarding processing of personal data in the context of Right to Freedom of Expression and other issues including “Processing of National Identification Number”.

Article 85 of GDPR leaves it to member states to reconcile by law the right to protection of personal data pursuant to GDPR with the right to freedom of expression and information, including processing for journalistic purposes and for academic, artistic and literary purposes.

Article 86 refers to personal data in official documents held by a public authority or a private body for the purpose of carrying out an activity in the public interest which may be disclosed under a Right to Information kind of law.

As one can appreciate, the canvas to define exclusion under Article 85 and 86 is fairly wide and if we take this as a guide for the Indian context where we are waiting for our own Data Protection law, there is enough scope to consider that our existing laws including the Right to Information Act can be considered as an automatic exclusion to GDPR.

Article 87 is interesting since it directly relates to a situation similar to Aadhaar. It states as under:

Article 87: Processing of the national identification number

Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.

This article provides complete rights to member states to over rule GDPR when it comes to processing of national Identification Number or any other identifier of general application. Obviously, “Appropriate safeguards” are prescribed.

This article provides guidelines to Indian Companies, who are often over reacting to the GDPR by imposing on themselves non existing restrictions, on to what extent the local regulations may over ride GDPR and yet be considered as “GDPR Compliance”.

If the member states of EU themselves have the freedom to enact laws that may over ride EU, it is obvious that an independent sovereign country like India where in most cases, the GDPR application is through the contracts between the Data Controller in EU and a Data Processor in India, the local laws such as Information Technology Act 2000/8 will have paramount priority over and above GDPR.

I therefore caution Indian Companies that in their eagerness to be GDPR compliant, they should not ignore the need to be ITA 2008 compliant.

We need to build GDPR Compliance within the parameters of ITA 2008 compliance. Fortunately, ITA 2008 is eminently designed for such requirement since Section 43A and definition of “Reasonable Security Practice” accommodates such contracts as defining the security requirements for compliance. The only difference would be that the remedy may have to be sought under ITA 2000/8 read along with international treaties and laws applicable to international contracts. GDPR cannot be super imposed in derogation of these other remedial options.

The second aspect we need to take note from Article 87 is that even the rigorous GDPR regulation on Privacy provides for an exception of National Identification Number in the EU member countries. Hence the Indian Data Protection Act can also exempt the processing of Aadhaar data from the restrictions.

The Supreme Court should therefore take cognizance of this fact and not make, while ruling on Aadhaar, the mistake that they committed in scrapping of Section 66A of ITA 2008.

Linking of Aadhaar to Bank accounts and to Mobile is a requirement of public interest to prevent Black Money, Benami transactions as well as Terrorism and Crimes and the right of the Government to use the National Identification Number such as Aadhaar for such purposes cannot be curtailed by the Court without taking on the blame that the decision is meant to please the silent majority of anti nationals who advocate that Aadhaar has to be scrapped.

The above support for Aadhaar is however not in derogation of the requirement that there have to be adequate safeguards to secure the Aadhaar usage in a manner that it cannot be misused to commit crimes. It is in this context that the “Virtual Aadhaar” becomes most important as a security measure so that at least in the future “Stored Biometric Attacks” through the Aadhaar user agencies do not occur.

My support for Aadhaar above also does not mean that Aadhaar authorities are taking all steps that are necessary for securing the infrastructure of Aadhaar and that they are not arrogant and not dismissive of the risks.

It is however considered that Aadhaar linking to Financial information and identity of individuals to several activities is essential to build a Safe India and no legal hurdle should be placed to prevent this honest effort of the Government. The security concerns are however real but can be addressed if UIDAI makes full efforts in this regard.

The first thing UIDAI needs to check is the progress of the Virtual Aadhaar implementation. The system should be in trial operation by 1st of April and in mandatory operation by 1st of July.

While some data security organizations in India are busy conducting surveys on our GDPR preparedness, UIDAI itself or other data security organizations should focus also on conducting a survey on our preparedness for implementation of Virtual Aadhaar as an identity to replace Aadhaar identity by Banks and Mobile operators.



I must admit here my excitement about Quantum Computing and discussing the impact of a principle of Physics for Cyber Law development, since I left my formal college education as a student of Physics when Quantum Mechanics was in its infancy, and it is a feeling like being “Back to the Past”.

Though I had my post graduation in Nuclear Physics and studied Particle Physics to some depth, specialized in subjects such as Nuclear Forces etc., the subject of Quantum Physics was still new and not understood properly at that time. I  had even baffled everybody including myself in an interview at Physical Research Laboratory (PRL) in Ahmedabad when I solved a quantum physics question in real time put to me by the interviewers  who were interviewing me for the post of a “Scientific Assistant”  which most other interviewees had failed to do.

Though I refused the offering despite repeated requests to join and turned my back to the pure science, I never imagined that after 40 years I will return to study the impact of Quantum Mechanics to the present domain of my specialization which happens to be the Techno Legal aspects of Law.

But it appears that Cyber Law in India and elsewhere will be deeply impacted with emerging technologies of which Quantum Computing is one which will over turn many of the present concepts of law.

Hence study of “Cyber Laws in the Emerging Technology Scenario” will be the new focus which we should term the “Quantum Cyber Law Specialization” or “Futuristic Techno Legal Specialization”.


Today I have taken one topic for discussion, which is the interpretation of Section 65B of Indian Evidence Act (IEA), and to examine if Naavi’s Interpretation of Sec 65B survives the Superpositioning concept of Quantum Computing.

The legal and Judicial community has struggled to interpret the section even after 18 years of its existence and it would be a further challenge to interpret Sec 65B in the emerging quantum computing age. For a large part of these 18 years since Section 65B (IEA) came into existence, few recognized its existence and hence there was not much of a debate on the topic. It is only in the recent past that the community has started discussing the issue, many times with a wrong perspective.

During most part of this time, Naavi’s interpretation of Section 65B was not seriously challenged. In the recent days there are a few law professionals who would like to interpret things differently. They may draw support from some Judges who are dishing out judgements without fully understanding the impact of their wrong decisions on the society. This tendency comes from the inability of some to un learn what they have learnt for the last 3 or 4 decades of their legal career. They are therefore uncomfortable with what the Supreme Court stated unambiguously in the Basheer Judgement and want to interpret things in their own way.

Naavi has been saying, wait… it took 14 years for Supreme Court to realize the existence of Sec 65B and it may take a few more years for the entire community to come to the same understanding which Naavi has been advocating since 2000.

In this connection, I have tried to give a thought to what will happen to my interpretations of Section 65B when Quantum Computing comes into play.

Quantum Computing is not an easy concept to understand even by specialists in Physics. Hence for the lawyers and judges to understand Quantum Computing would be understandably challenging. It is possible that I also may have to refine some of my own interpretations presented here and I reserve my right to do so. I will however explore all the Cyber Law challenges presented by the Quantum Computing. For the time being, I am only looking at the concept of “SuperPositioning” and its impact on Section 65B interpretation.

What is SuperPositioning

SuperPositioning is a concept in Quantum Computing.  In the classical computing scenario, a Bit can have a value of either 0 or 1. The Quantum Bit or Qubit can however have a value of 0 and 1 at the same time. When you measure the value, it will show either 0 or 1 but when you are not measuring it can hold two values simultaneously.

This “Dual State capability” of a Qubit may be fascinating for the scientist who swears by the concepts such as Heisenberg’s principle of uncertainty, multiple quantum energy levels of the electron in a hydrogen atom, quantum energy state of the nucleus of a Phosphorous atom, the direction of spinning of a sub atomic particle, light being both a wave and a particle at the same time, there being a parallel universe, time being a new dimension, Worm-hole being a tunnel to future, etc.

But to a judge who is looking for “Evidence beyond reasonable doubt” and for the criminal justice system where a witness is expected to answer only in the binary- “Yes” or “No”, the uncertainty inherent in the Quantum Computing will be a huge challenge.

In fact, at present we can state without batting an eyelid that if I stand on the witness box and start talking of the “SuperPositioning” and more specifically on the “Entanglement” aspects of Quantum Computing and how it requires a re-interpretation of Section 65B, I will be thrown out of the Court as somebody who has lost his mind.

Since nobody can throw me out of this blog, let me take the courage to proceed further and try to raise some issues which may be academic discussion points as of now but will be important for the Cyber Lawyers of the future.

But in the days to come, Cyber Law will be revised to accommodate the “Uncertainty Principle of an Electronic Document”. The time to recognize this concept has already come in respect of Section 65B.

Current Dilemma in Section 65B Yet to be resolved

From the years since ITA 2000 came into being and until the Supreme Court judgement in the P.K.Basheer case on 18th September 2014, there was little discussion on Section 65B of Indian Evidence Act (IEA) in the higher echelons of the Indian judiciary.

The decision of the Chennai AMM Court accepting the first Section 65B certificate issued by Naavi and convicting the accused in the historic Suhas Katti case (Refer here), was perhaps too insignificant in the eyes of the many senior advocates to take note of and hence was not noticed.

Since there were no debates in the august Supreme Court about Section 65B, “Eminent Advocates” who had gained their eminence through their expertise and years of work in “Non cyber law” domains such as Constitutional Law or Law of Evidence did not take time off to discuss the implications of Section 65B in right earnest. One opportunity that was presented in the case of Afsan Guru case in 2005 was lost because the case was a high profile case of terrorist attack against the Nation in which technical issues could not be given too much of importance. Hence when Mr Prashant Bhushan raised the technical issue of non availability of Section 65B certificate for some of the evidence, Court considered the other evidence before it and proceeded with the case.

This was interpreted as a rejection of “Mandatory requirement of Section 65B certificate” under Section 65B and became a precedent that prevailed until the Supreme Court over turned it in the P.K.Basheer case. 

However, Naavi continued to hold his fort and did not accept the Afsan Guru judgement in respect of mandatory requirement of Section 65B certificate for electronic evidence admissibility as correct.

We have discussed several of the issues arising out of P.K.Basheer judgement both in naavi.org and ceac.in and readers may refer to them for more clarity.

We have held that the P.K.Basheer judgement has provided judicial support to most of the views of Naavi regarding Section 65B. There was only one aspect of the judgement where we have pointed out that a clarity remained to be exercised. It was in the view expressed in the judgement as follows:

“The situation would have been different had the appellant adduced primary evidence, by making available in evidence, the CDs used for announcement and songs. Had those CDs used for objectionable songs or announcements been duly got seized through the police or Election Commission and had the same been used as primary evidence, the High Court could have played the same in court to see whether the allegations were true. That is not the situation in this case. The speeches, songs and announcements were recorded using other instruments and by feeding them into a computer, CDs were made therefrom which were produced in court, without due certification.”

Naavi has consistently held that “Electronic Record” is a third type of evidentiary object that is different from “Oral” and “Documentary” as provided in Section 17 of IEA and should be considered as a special category whose admissibility is under the provisions of Section 65B alone.

While interpreting Section 65B, some of the “Eminent Non Cyber Law Jurists” have still not reconciled to the unlearning of the concept of “Primary Evidence” and “Secondary Evidence” where “Primary Evidence” lies inside a CD or a hard disk and “Secondary evidence” is a copy that is produced since primary evidence cannot be produced in the court.

In the electronic document scenario, the original document is a “Binary Expression”. The binary expression which we call as an “Electronic Document” is a sequence of bits which is present either in the form of magnetic states of a unit of a magnetic surface or as the depressions on a CD surface which reflect light in a manner different from its neighboring unit. The stream of such bits when read by a reading device associated with a software running on a hardware interprets the sequence of binary expressions as a “Text”, “Audio” or “Video” which we, the humans call as “Electronic Documents” and debate if it is “Primary Evidence” or “Secondary Evidence”.

The “Original Electronic Document” is an expression that can only refer to the first creation of a given sequence of bits which constitute an electronic document being interpreted as evidence. For example when a digital camera captures a picture, it first creates a sequence of bits in the RAM space. This is however not a recognized electronic document where it is in a state not “meant to be accessible so as to be usable for a subsequent reference”. (Sec 4 of ITA 2008).

When this sequence of bits gets transferred to a “Stored Memory” in a device such as a “memory card” or a “hard disk” etc., that represents the first instance of the electronic document that came into existence. Before this, the magnetic/optical surface on which the document is recorded was in a “Zero State”. Every bit on the surface was designated “Zero”. When the electronic document is being etched on the surface some of these “Zeros” were converted into “Ones” and the “Unique sequence created” was subject to a “Protocol”. This sequence of bits stored subject to a “Protocol” is what we call as “Original Document”.

But this “Original Document” has no meaning without being read in devices which understand the protocol and render the information in a human understandable form. For example, if the image has been captured in a .txt or .doc or .mp3 or .avi or .mp4 format, then the electronic document has a sequence of zeros and ones which conform to the respective protocols. It is not possible to separate the protocol information from the electronic document itself and hence the document remains in a given format along with the protocol information.

When a reading device is presented with the electric/electronic impulses generated by such a sequence of bits, if the device is capable of interpreting the protocol, it will convert it into a document that a human can experience, which we may call as Text, Audio or Video, which a judge can view and take action. If the device is not capable of understanding the protocol, the document would be rendered in an un-intelligible form. If it is a text, it will appear as gibberish, if it is an audio we may hear a meaningless echo sound, if it is a video we may see only lines on the screen. If a sequence of bits needs to be experienced by a human being, we must use a device which understands the protocol and converts the bits in a specific manner into a humanly readable/hearable/viewable form on a computer screen or a speaker.

So, even if in the Basheer case the original CD had been produced or in the case of Suhas Katti, the hard disk with yahoo.inc had been produced or in other cases, the memory card of a video camera is produced as “Original Evidence”, the judge can view it only if he uses a device which is configured to the protocol to which the sequence of bits corresponds. If the judge takes a view of the document as he is seeing on a computer, he is responsible for the protocols that have been used in rendering the sequence of bits to a humanly understandable document.

In a comparable environment, if a “Forged” signature is being questioned before a Court, the judge can himself view the signature and form his own opinion on whether the signature is forged or not. But prudence requires that the Court will ask another expert to give it a certificate whether it is forged or not so that the Judge does not become the witness and will only try to interpret the evidence with reference to the law.

The same principle applies to electronic documents viewed by a Judge without insisting on a Section 65B certificate from another.

This aspect was recognized by the magistrate Thiru Arul Raj of the Chennai AMM court in the Trisha defamation case referred to by me in my article on “Arul Raj, the Unsung Hero” (Refer here) in which the principle was laid down that even when the so called “Original” electronic document is before the Court, it has to be Section 65B certified by a third party.

In this background we can now appreciate why the Section 65B certificate requires that it has to be produced in the manner in which it is required to be produced namely

“identifying the electronic Documents rendered in the computer output”,

“Indicating the process by which the computer output was produced”,

“Providing certain warranties on the production of the Computer output” and

then considering the “Computer Output” as “Admissible Evidence” without the need for producing the original.

In this process the Certifier is stating that when he followed a certain protocol which is indicated in the certificate, he was able to view the electronic document in the form in which it has been presented in the computer output and he is responsible for the faithful reproduction of what he himself saw or heard into the format in which he has rendered the computer output.

I wish all eminent jurists including the Judges of Supreme Court go through the above multiple number of times to appreciate why I have been stating that Section 65B certificate can be produced by any third party (subject to a level of credibility) who has viewed the document and not necessarily the administrator of the device (as wrongly indicated in the SLP order in the case of Shafhi Mohammad).

This also underscores my view that in the case of electronic document, we always deal with the “Secondary Document” which  is a rendition of the original etching of the binary sequence and humans are incapable of viewing the “Original” which is a binary expression mixed up with the viewing protocol. We should stop comparing the “Computer Output” under Section 65B with a photocopy of a paper document and talk as if both are same.

Quantum Computing Era

Now, let us turn our attention to the main object of starting this post which was to look at Section 65B in the context of the emerging technologies such as “Quantum Computing”.

The legal professionals may find the earlier paragraphs hard enough to digest and may not have the stomach to start debating what would be Section 65B interpretation in the Quantum Computing era. May be this is too early to discuss the Cyber Law requirements for the emerging technologies since even scientists have tried to start understanding Quantum Computing only now.

But a “Futuristic Cyber Law Specialist” (whom we may also call “Quantum Cyber Law Specialist” or a “Futuristic Techno Legal Specialist”) needs to tread a path which nobody else has trodden and therefore we shall continue our exploration.

We must realize that Quantum Computers are expected to work along with Classical computers and hence the current concepts of data storage in bits with “0 or 1” state may not vanish with the advent of Qubits with “0 and 1”. But data may be processed in an “Artificial Intelligence Environment” using “Quantum Computing” and presented in a classical computing environment.

In view of the above, Quantum computing will be part of the process but the  human interaction with the electronic document which will be certified as a computer output in a Section 65B certificate would be in a classical computer.

Additionally, “Quantum Computing” may sit in between two classical computing scenarios. For example, data may be captured by a classical computing system and become part of the “Big Data” which is processed by a Quantum Computing system and results rendered back in Classical computing environment.

Though the journey of the “Electronic Evidence” from birth as the “Original binary impressions” on the first classical computing device passes through the “Worm-hole like” quantum computing environment, it comes back into the Classical computing environment when the Sec 65B certifier views it and converts it into a Computer output.

I therefore consider that Section 65B certification interpretation of Naavi will survive the Quantum Computing age. Lawyers may however raise certain forensic doubts regarding the reliability of an electronic document certified under the Section 65B and Forensic witnesses under Section 79A may need to answer them to the satisfaction of the Court.

However Section 65B certification being a matter of fact certification of what is viewed as a Computer output in the classical computer of the observer will not be vitiated by the complexities of the processes that go behind the scene.

Courts should understand that they are not entitled to subject the Section 65B certifier to a cross examination on the reliability of the back end processing systems as long as they are the standards the industry of computing adopts as technology.

I look forward to views from both my legal and technology friends regarding the above.



Cyber Laws have been in discussion in India since around 1998 when the first draft was published. After the passage of Information Technology Act 2000, the laws came into existence and started affecting every one of our activities on computer including personal activities such as E Mails, Web activities, Mobile phone communication, etc as well as commercial activities such as  E banking, E Commerce, E Governance etc.

However after 20 years since the draft E Commerce Act 1998 was released by the Government of India, our Courts and Police as also the Lawyers are still struggling to understand and interpret the law. We therefore have difficulties in understanding Section 65B certification of electronic evidence, the legal implication of digital and e-sign, understanding certain crimes such as hacking,  the man in the browser attacks, Viruses, Trojans etc.

Indian judicial system however being an adversarial system, is capable of absorbing inadequate understanding and interpretation of law since the responsibility of the judge is to interpret evidence and arguments as presented by the parties. At higher levels, Judiciary is comfortable with a state of inconsistency so that every judge takes his own decision based on what he understands of the law and leaves it to the higher judicial authority to correct mistakes if required.

This means, Garbage in Garbage out principle is applicable for our Judicial verdicts. This is acceptable to the Judicial system. But should it be also acceptable to the victims of bad judgements?…a point to ponder

In some strange way, being a country where citizens are tolerant of inefficiency and corruption in all affairs of the Government, Police and Judiciary, we simply shrug off a bad decision and move on.

But one thought comes across my mind when we observe some of the latest developments in technology around us.

First is the advent of Big Data, Data Analytics, IoT, Artificial intelligence etc which are common discussion points today in the IT industry. We have been discussing what happens to the concept of “Privacy” when “Aadhaar” is used as a Universal ID as if it is the biggest challenge before humanity. Silently however, Artificial Intelligence and humanoid robots have made their appearance which will create many new challenges to the Cyber Law makers and Cyber Law interpreters.

Some of the challenges in application of Cyber Law to the current technological developments have manifested in the domain of Banking and Finance. The debates on Block Chain technology, Bitcoins, etc are issues that have presented the complications that the new technologies may be creating in the economic world. If a simple negligence in technology implementation in Banking such as not linking SWIFT messaging system to the CBS system, and providing access without robust security in Banks can give rise to frauds worth thousands of crores and destabilize our economy and stock markets, we can imagine what kinds of upheavals may be caused in the society when the new technology developments such as Artificial Intelligence and humanoid robots take over key decision making process in say our Governance and Military operations.

In parallel, the manufacturing industry is also transforming itself into the Industry 4.0 state where Cyber Physical systems take over manufacturing processes with Artificial Intelligence and Data Analytics supporting the back end decision making process. The manufacturing industry is much less Cyber Law aware than the Banking and IT industry and hence the legal implications of frauds as well as the probability of frauds and crimes occurring in the manufacturing sector is much higher than in the Banking and IT industries.

I therefore anticipate a higher level of problems in the Manufacturing industry in India when the IT professionals try to push through “Disruptive Innovations” unmindful of the “Destructive Impact” on the society.

The Information Security focus therefore needs to be re-directed to address the requirements of the manufacturing industry even while we tackle the issues in the IT and Banking/Finance domains.

The fact that even after 20 years of introduction of Cyber Laws in India, our Legal and Judicial system is yet to understand the law and implement it in a consistent manner makes me wonder, how the Cyber law creators and Cyber Law interpreters would react when the new developments such as “Quantum Computing” become a reality.

A few months back, I remember that one technologist did ask me in a meeting if Indian Cyber Law is ready to face the challenges posed by Quantum Computing. Though I did state that a “Proper Interpretation” of the current laws could help us interpret the laws whether the information is processed in a classic computer system where data is stored in “Binary” language or in Qubits where the data is stored or processed differently, considering the inability of the system to understand even the current system of laws, it appears as if my optimism may perhaps be misplaced.

For those who struggle to interpret an electronic document created as a sequence of binary interpretation of the state of a transistor, it would almost be impossible to even imagine that a “Transistor” will now be replaced by a “Quantum Energy State” which can take the uncertain value of one or zero or both. In such a situation if a hacker has manipulated the back end process and generated a fraudulent output, how do we recognize the “Unauthorized Manipulation of data”, “how do we produce forensic evidence of the manipulation” etc will be a challenge that is not easy to solve.

Add to this “Super positioning” prospect in Quantum computing the “Entanglement” concept where two states of a data holder can be physically separated but the state of one could be modified by changing the other, and the problem becomes more fuzzy.

If nothing else is certain, the quantum increase in the computing powers of the future generation of computers (working as back end systems driven by quantum computing processing) would need a change in our perception of “Probability of a Cryptographic key being broken”. If the current key strengths become unreliable, we may need to re-think on many of the concepts of information security and make corresponding changes in our laws.

Even today, the Criminal Jurisprudence principle that all evidence should be “Proved  beyond Reasonable Doubt” poses huge challenges when applied to Electronic Evidence. In the Quantum computing era, such issues would be even more challenging.

If therefore we want to upgrade our Cyber Laws from the current state of Cyber Law 1.0 to the era of Artificial intelligence which could be Cyber Law 2.0 and subsequently to the era of  Quantum Computing which could be called Cyber Law 3.0, then our Cyber Law makers need to start acting today in understanding the problems that the new technologies will pose to our Judges who are now in the very initial stages of appreciating the current version of Cyber Law.

Will the Government understand the challenge that the emerging technology in Computer software and hardware will pose?… if so…. when? ….is the question that remains unanswered in my mind.

I welcome the view of the readers… if any



On 7th March 2018, the Court of Judicial Magistrate, 1st Class, 3rd Court, Tamluk, Purba Medinipur, pronounced a judgement in the case of State of West Bengal Vs Animesh Boxi. (Case no GR 1587/17).

See Report here

The essence of the case pertained to a complaint from a girl that the accused had uploaded certain nude photographs of her in a porn website.

The accused was convicted under Sections 354A, 354C, 354 and 509 of IPC as well as Sections 66E, 66C, 67 and 67A of ITA 2008. The case involved presentation of electronic evidence of different kinds and forensic investigation online and on a mobile device, a Computer etc.

Obviously the judgement which runs into 129 pages has attracted attention of Cyber Crime experts and academia and will be debated even in the coming days.

While on the face of it, it appears that a girl was adversely impacted and deserves sympathy and the boy deserves to be condemned for his action, from the perspective of judicial dispensation of the case, the judgement does not inspire confidence that proper justice has been done.

We are presently in the midst of another complaint in the case of the cricketer Shami, again in the courts of West Bengal where a woman has used the provisions of gender biased law to charge Mr Shami of “Rape” and “Murder”. She has also roped in some of the relatives of Mr Shami to ensure that he is condemned for life.

See the report on Shami here

In the midst of a genuine need to prevent atrocities on women, the misuse of law meant for addressing genuine grievances of an exploited woman being used by the rich and powerful to take undue advantage is a matter of concern for the society. When law is misused repeatedly, the public confidence on such laws and the enforcement mechanism dwindles.

The Police and the Judiciary therefore have an additional responsibility in such cases to ensure that without in any way negating the spirit of the law to protect oppressed women, they do not impose the law with a harshness that is not deserved under the given circumstances.

Naavi.org has been in the forefront of a “War on Cyber Pornography” for the last two decades and hence will always be supportive of oppressed women. However when privileged women tend to settle their personal revenge misusing legal provisions, and the Police and Judiciary turn a blind eye or abet such a misuse, there is a need to raise a voice of protest.

I would like to refrain from a discussion on these cases in these columns because anything said is likely to be misinterpreted. From the information available in the media it must however be put on record that both the complaint registered against Mr Shami and the above Judgement of “Revenge Porn” do not inspire confidence that proper justice has actually been done.

I leave it to the future to determine if events that may unfold substantiate this view.




This is for general information of the public:

One Day Training Programme on Information Security for Industry Managers

Wednesday: 21 March 2018: Hotel Accord, Puducherry

CII Puducherry is organizing a One Day Training Programme on Information Security for Industry Managers on Wednesday: 21 March 2018: Hotel Accord, Puducherry


This session is meant for all Business, IT and IS managers.

The workshop will be conducted by Na.Vijayashankar, Information Assurance Consultant, popularly known as Naavi, who is a pioneer in Cyber Laws in India (https://in.linkedin.com/in/naavi)

Date & Timing :    Wednesday, 21 March 2018 – Starting from 0900 to 1700 hrs.

Venue :   Hotel Accord, No. 1, Thilagar Nagar, Ellaipillaichavady, (Near Rajiv Gandhi Statue & Opp to Muruga Theatre).

Those who are interested may contact CII, Puducherry. (www.cii.in)

