Cyber Catastrophe in the horizon.. 70000 domains in India under Cyber Attack

(This is a continuation of the several articles on Net4India issue that Naavi.org has been highlighting)

Action on the Complaint

Since I have been receiving many e-mails regarding the issue of Net4India which it is difficult to respond to individually, I shall henceforth be posting my views directly here.

At present I have communicated with Mr Vikram Bajaj, the Resolution Professional, Mr Samiran Gupta, ICANN country head in India. Both have promised to help but have not been able to resolve the issue.

Mr Vikram Bajaj is seeking further directions from NCLT and Mr Samiran Gupta is perhaps  bound by ICANN policies.

It appears that the issue of how Net4India was given a loan of Rs 194 crores by SBI which became an NPA is to be considered as a potential fraud which requires CBI investigation. The promoters of the company are not in India and are taking refuge in UK like Vijay Mallya.

In the meantime, the Bankruptcy proceedings have been started but NCLT perhaps was not informed about the interests of thousands of customers who were also creditors of Net4India (I refer to this as the 70000 community. The exact number is not known).

NCLT did not issue notices to these small and big creditors who had paid advance money in their accounts and were continuing to make payments for renewal and other services.  If an inventory of creditors had been drawn up, the cumulative amount due to these customers many of them were registered as resellers would have surfaced.

Each of the domain names registered represented a contractual obligation of Net4India to keep the domain operative and was guaranteed by ICANN. The value of the domain name was created out of such contracts. Each of the 70000 plus domains had an opportunity cost in terms of the fees payable for registration and also the additional costs involved in shifting the domain names to an alternative service provider.

It is to be noted that the company had continued its service even during the time the resolution proceedings were going on and it was only in recent times  that some specific actions were visible on the customer dash board  to discontinue some services.

It is also noted that after we raised the issue through this forum,  a few have received AuthCodes for transfer of domain names. This indicates that resolution of specific issues are still possible but there have been no common resolution.

After we had a brief meeting of some of the concerned members, Mr Mahendra Limaye, Advocate has agreed to correspond with the RP and try to find a resolution. If required and if costs are taken care of, he may be prepared to take the issue as a PIL. Those of you who prefer this route may indicate it separately in a communication to Mr Limaye. Some of you have copied such requests to me and atleast a few seem to have hesitation in sharing the information.

I have indicated that all persons who want to take up further action in this regard have to first send a request to Mr Vikram.bajaj@gmail.com. Later if they want they can contact Mr Limaye.

Larger Issues need to be addressed

Naavi.org will however continue its efforts to ensure that there are appropriate systemic changes that are brought to the system of Domain Name registrations and how the registrars may function and how the consumer are not held to ransom because of business failures of the registrars.

These are issues that have been ignored by ICANN, NIXI, as well as the MeitY. We need to ensure that lasting changes are brought to our legal system if necessary through Notifications under ITA 2000 or even amendment to ITA 2000 so that this kind of problems donot recur at least in India.

As one of the measures,  I am invoking the attention of the Finance Ministry, the Law Ministry, the IT Ministry and the Ministry of Consumer Affairs, all of whom have a stake in this resolution. CERT-In and NIXI should also be interested in finding technical solutions to a Cyber Catastrophe  that appears to be imminent.

If  70000 domains in India had been discontinued by  China or Pakistan we would have called it as a Cyber Attack and it would have been discussed by Mr Ajit Doval, Cert-In and other cyber security policy makers.

But what is happening now is that this largescale discontinuance of domains is occurring because of our own making. This issue has to be addressed by our authorities to find a resolution and cannot be left to be decided as a NPA recovery issue.

CBI Enquiry Required

The root cause of the problem is the Banking Fraud with State Bank of India. The Finance Ministry has not flagged this fraud and not conducted an investigation. RBI has not so far come up with its views on this NPA of Net4India, how it was built up.  No CBI enquiry was ordered by RBI. SBI vigilance department also has not made public any action taken by them to prevent this NPA.

I request that the Finance Minister Mrs Nirmala Sitharaman, to take action on this end immediately by initiating a CBI investigation.

The CBI enquiry should not be confined to SBI loan fraud but also extend to how the NCLT was mislead into suppressing the interests of the 70000 customers who were also creditors of Net4India and  how without giving any notice to them, the bankruptcy proceedings were continued in favour of one applicant.

I request the Ministry of Finance and RBI to also intervene in the proceedings of NCLT on the next hearing date of October 1st.

NCLT ignoring the value of Data Asset

We have raised the issue of NCLT ignoring the value of data as an asset of this company which is a different academic debate which we will continue.

It is our belief that NCLT did not recognize the existence of the data asset in the organization and just as a ransomware causes denial of service, the bankruptcy proceedings without addressing the issue of these customers was a flaw.

If the value of this data namely the cumulative opportunity cost related to the services of  70000 customers along with the Intellectual Property Rights that are going to be adversely affected, is  considered, it would perhaps be more than the Rs 194 crores that the company owed to SBI.

By not factoring this data asset in the insolvency determination the NCLT decision itself appears incorrect. This value is available only on a going concern basis and NCLT has simply destroyed the value by itself by not letting the business continue.

Just imagine that if these 70000 domains expire over the next few months and get registered by alternate registrants world wide, the businesses of all these domain name owners will come to a stand still and the IPR on the domain names will be lost.

ICANN should consider this as a global Cyber catastrophe and try to address the issue.

I request Mr Samiran Gupta of ICANN to file his intervention in the NCLT proceedings on October 1st and ensure that the interests of the Domain Owners world over are represented in this resolution.

Ministry of IT

We do accept that NCLT ignoring the value of data as an asset is to be expected since it is a more sophisticated thought not commonly understood in the legal or judicial fraternity.

But the same ignorance cannot be accepted on the part of the MeitY. Though this controversy has been in discussion for some time and the Ministry of IT has been part of the communication loop, no statement has come forth from Sri Ravishankar Prasad the Minister of IT and Law nor from the Secretary IT or from other departmental heads in MeitY.

We are discussing the Non Personal Data Governance law as proposed by Kris Gopalakrishna Committee report and discussing how to unlock the value of data  besides the Personal Data Protection Bill.

MeitY should have therefore realized that the Net4India issue is not simply a recovery of an NPA of Rs 194 crores by sale of immovable property but involved a larger issue of 70000 domain owners being deprived of their virtual property along with the cumulative value of their balances in the accounts with Net4India. This represents hard cash like the balances in a Bank which is going into liquidation.

It was the responsibility of MeitY to intervene with the NCLT proceedings and ensure Business Continuity even while the recovery of the Rs 194 crores through sale of property was being discussed.

I request the Secretary of MeitY to intervene in the next hearing of NCLT which I understand is on October 1st.

Ministry of Consumer Affairs

So far, the Ministry of Consumer Affairs has not been brought into picture in this controversy. But since the consumer interests of 70000 plus consumers of Net4India is being threatened, it is necessary for Mr Ram Vilas Paswan to ask his secretary to intervene. Since Mr Paswan was once a Minister of Communication technology, he should be able to quickly perceive that closing an ISP through an insolvency petition is also serving a death sentence on the customers who in this case number 70000.

If the NCLT had considered that Net4India is a Going Concern and the fate of 70000 businesses are dependent on the entity continuing its services until they can be parked with an alternate service provider, then the insolvency proceedings would have gone smoothly. In fact if the data asset had been recognized, NCLT might have not even considered Net4India insolvent.

Now it is the responsibility of the Ministry of Consumer affairs to collectively represent the interests of the 70000 consumers and intervene in the NCLT proceedings on October 1st.

Net Impact

I am aware that by suggesting a CBI enquiry and filing of intervention petitions by ICANN, MeitY, Ministry of Finance, RBI, Ministry of Consumer Affairs etc , I am complicating the process.

Some would say that all those who raise their voice can be satisfied by resolving their issue selectively so that the opposition dies down naturally and this should suffice. But the need to address the larger community interests drives me to take up this issue further.

I will be bringing information contained here in to Mr Mahendra Limaye who is in communication with the Resolution Professional and to the other parties. Being in a public cyber space,  the information should be considered as reaching the NCLT also.

Hence if NCLT is concerned about the general public, there is one immediate solution  that it can consider. On October 1st when the next hearing takes place, NCLT can on its own  admit that these issues were not brought to its attention earlier and therefore it would review its earlier order.

In the process NCLT can

a) suspend the insolvency proceedings,

b) appoint a technical team which can be supervised by the Resolution Professional with the assistance of one or more representatives from NIXI or the MeitY

c) Ensure that all the services of Net4India are immediately restored.

d) issue a request for bid for taking over of the Registrar business of Net4India  by another registrar

e) Direct NIXI and ICANN to set up special cells to receive domain name related complaints related to dot in and other domains, and initiate domain name transfers as may be requested by the customers

These can bring quick resolution of the problem while the CBI enquiry and other reforms can continue in the background.

These measures would protect the IPR of the domain name users and also the continuity of business.

In case there is a run on Net4India and this has to be prevented, then NCLT may also order an automatic “On Credit” renewal of all domain names expiring at Net4India for at least one year so that the panic can subside and an alternate registrar can take over the business smoothly.

Shall we hope for such a development on October 1st?

Is the media aware of this problem and ensure that pressure is brought on the authorities?

Let’s wait and see.

P.S: I have tried to present the issue as I see it.

There could be some errors in my reading the situation from the public information I have access to.

It is possible that all the parties mentioned above including NCLT might have already taken note of these concerns and my criticisms may be misplaced.

May be Mr Vikram and Samiran are genuinely trying hard to resolve the issue and donot deserve criticisms I am making. 

If so, my apologies to all concerned. But the proof of pudding is in the eating. We want the issue to be resolved instantly without further delay. Otherwise, the fight has to continue.

I request all the visitors to spread this information through the social media so that it draws the attention of the media and the Government. As a part of this campaign to raise awareness of the problem, make this following banner which has a hyperlink to this article viral.

Naavi

 

 

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

The Anniversary Webinar of FDPPI

The webinar to mark the second anniversary of FDPPI was held today on the topic of “Getting Ready for the Personal Data Protection Era”.

Sri Tejasvi Surya, honourable MP inaugurated the webinar.

Mr Vijayashankar, Chairman of FDPPI delivered the Key Note address

A Panel consisting of Mr Venkat Satish Guttula, Rediff.com, Mr Rajesh Kumar, Infosys, Mr Satish Kumar Dwibhashi, Wibmo, Mr Srikanth, TVS and Mr Vijayendra Shenoy, Consultant participated in the discussions.

The following three videos capture the dliberations.

  1. https://youtu.be/lG4Ja1EjMBA 

2. https://youtu.be/Jxehujd0oMo

3. https://youtu.be/6ImLKtMujKA

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Getting Ready for the Personal Data Protection Era-Live at 10.30 am

The Live webcast of the webinar on Getting ready for the Personal data protection will be available online here

Watch LIVE – 23-Sep-2020 | 10:30am IST

YouTube:

Facebook: https://www.facebook.com/naavi

Twitter: https://twitter.com/naavi

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

If you are an SME… you should be in this webinar on September 23rd

FDPPI, Foundation of Data Protection Professionals in India is a Not for profit company established in 2018 dedicated to the empowerment of the Data Protection industry in India.

FDPPI has already established itself as a leading institution in India in the field of Data Protection and provides affordable, global quality certification programs for professionals who want to build a career in Data Protection.

FDPPI is also in the process of establishing a compliance framework “Personal Data Protection Standard of India” as a standard for the use of SMEs and MSMEs on par with the globally recognized standards.

These two projects are expected to not only enable SMEs and MSMEs to be compliant with the Indian and Global data protection laws such as ITA 2008 (at present), PDPA-2020 (Proposed in India), GDPR and other laws which multiple countries have established, without the usual high costs associated with such certifications and compliance programs but save precious foreign exchange for the country.

While Data Protection is a concept well understood in the IT industry, its importance is not so well appreciated in the manufacturing industry and SME sector.

The Personal Data Protection Bill 2019 is now before the Joint Parliamentary Committee of the Parliament and is expected to be passed into a law soon. When the law comes into operation, it will extend the provisions of ITA 2000/2008 (Information Technology Act 2000 amended in 2008) and make it necessary for all organizations handling personal data to be proactively compliant or otherwise face prospects of significant fines. Though certain time would be available for compliance, prudent managements need to start their journey towards compliance early so that they are not caught napping at a later date.

“Getting Ready for the Data Protection Era” is aimed at creating a basic awareness of how the proposed law may affect SMEs including those in the Non IT sector. It is an initiative to spread the awareness of PDPA.

This is a “Free Webinar”  available for any interested person upon registration and invitation. The registration form is available here.

Understanding PDPA is not only essential to remain compliant but also to prepare ourselves for the next era of “Non Personal Data Governance Regulation” which the Government of India is working on to unlock the value of Non Personal Data.

We are pleased to inform that the honourable Member of Parliament, Sri Tejasvi Surya has consented to inaugurate the program. Several organizations such as See Change Consulting, KASSIA and BSPIN are supporting the  program for the benefit of their members.

Don’t miss the opportunity to attend this Program and enrich your knowledge.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

What is the objective behind the application of Bankruptcy code on Net4India?


“The intention of the insolvency and bankruptcy code is to keep companies a “going concern” and not liquidate them”. 

..so said our honourable Finance Minister while getting the Bankruptcy and Insolvency Code passed through the Parliament. But contrary to what the Finance Minister said, the story of Net4India and the application of the IBC indicates that the law is used not only to liquidate the subject company but if possible push many of the 70000 domain name registrants to the brink of liquidation.

To enable the Finance Minister to appreciate how the law can be misused, and is being misapplied, I would draw her the attention  to what happened in the NCLT proceedings related to Net4India.

For those who think “Data is Oil”, it is inconceivable to think how Net4India with a wealth of personal and critical corporate data, could ever be declared “insolvent”.

If we go by what happened to CIBIL, which was taken over by TransUnion and got access to sensitive personal data of millions of Indians, net4India should have been a mouth watering acquisition for any company which knows the value of “Data”.

According to rough estimates, Net4india had more than 70000 domain names as of date and might have had over 5 lakh customers at its peak operational level. Many of these domains are also hosted on the Net4India servers and contain more personal data. If a Company had hosted its email server with Net4India, the amount of data that Net4India has access is unimaginable.

In a few months from now, Personal Data Protection Act will be in place in India and make it very difficult for companies to access personal data. At this juncture, Net4India being available should have been an irresistible acquisition for any intelligent business house since the value of personal data in the hands of Net4India would perhaps appreciate after Personal Data Protection Act is passed.

It would therefore be of interest to know how much valuation was assigned to this data by NCLT before it came to the conclusion that the company was not able to repay its debts and an order is to be passed for liquidation of its assets.

In fact most of the data processing industry as well as Cyber Insurance companies are struggling to develop a model for valuing personal data. When the Non Personal Data Governance Act comes in the next couple of years, we will also be trying to value the Non Personal Data which is put through a data exchange and value unlocked.

If therefore NCLT has used some yard stick to value the data and then arrive at the inventory of assets of Net4India, it would be a precedence which would establish a model for data valuation. Was it done on the basis of replacement cost?, Was it done on the basis of sensitivity of data, was it done on the basis of any other criteria would be a great learning point for the industry.

I hope NCLT would release its valuation model for all of us to learn.

There is however one school of thought that NCLT might have assigned no value to data and gone ahead with the liquidation process.

It is here that we need to ask whether NCLT went by the “Going Concern” basis or “Gone Concern basis” to decide that Net4India should be put under the sword.

I am not sure how NCLT can be made to disclose the basis on which they ordered the sale of the assets of the company without taking precautions to unlock the value of the data.

I request some public spirited person in Delhi to raise an RTI query with the Finance Ministry and NCLT to disclose the data valuation model used in the Net4India case can be made public.

If however, it is found that in this instance,

a) NCLT valued the data at zero value under a gone concern approach,

b) decided that no notice is to be issued to the data owners,

c) decided that no consideration is to be given to the deposits made by the customers and resellers in their account,

then it is time for the IT Ministry to wake up and protect the interest of domain registrants in the country by measures such as declaring that all “Domain Name Registrars” and “ISPs” are to be considered as “Critical IT Infrastructure” and any discontinuance of the business  be subjected to prior approval of the Government.

The Government  may introduce a Registration system for such service providers, collect security deposit like the Statutory Liquidity Ratio of Banks and MeitY supervised winding down plan when required,  so that the service providers donot vanish from the scene whenever it is convenient.

These can be brought through notifications under Section 70B and 79 of ITA 2000. If not under PDPA these organizations have to be declared as “Significant Data Fiduciaries” and subject to codes and practices to protect the interest of the data principals.

In the case of Net4India it is also necessary to re-visit the irregularities in the granting of loan to the company by SBI particularly since there is a rumour that the promoters had fled the country some time back around 2017 when the problems first surfaced.

I hope that these measures if implemented, would atleast help some learning out of this episode.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

NCLT Order on Net4India is killing 70000 + customers and needs immediate modification

NCLT and the Finance Minister are in opposition

While we were discussing the problems of 70000 plus customers of Net4India who are using the domain name registration service or web hosting service or e-mail server service or secured server etc, honourable Minister of finance Smt Nirmala Sitaraman was answering a query in the Parliament on 19th September 2020 where she expressed that the Bankruptcy code was not intended to be merely a recovery mechanism but a program to enable industrial recovery.

The NCLT order on Net4India which was sent to me yesterday however indicates that the bench consisting of Mr M.M. Kumar and S.K.Mohapatra in its order dated 8/3/2019 based on a petition by State Bank of India has done precisely what Mrs Nirmala Sitharaman said was not the objective of the Bankruptcy code.

This order ought to have been a matter of public discussion since it affected a very large number of customers who enjoy the rights under the Consumer Protection Act. According to the website of Net4India, there are over 5 lakh customers while the ICANN indicates that there were 73000 domain name registrants under Net4India. Whatever may be the correct figure, it is large enough and it is a fact that NCLT had no idea of how its order would affect these 70000+ customers.

NCLT was literally blind in looking at the problem only as an application from SBI to recover its borrowings of about Rs 194 crores. It has just seen whether there was a loan, whether it was not repaid and simply issued an order. Its 30 page order  does not make any mention of what is the business of Net4India and what would be the consequence of its order.

The applicant namely Edelweiss Asset Reconstruction Company has filed the application under Section 7 of the Insolvency and Bankruptcy Code 2016 proposed one Mr Vikram Bajaj as the Resolution Professional, a Chartered Accountant and Company Secretary by profession.

According to the order, Net4India established in 1985 approached SBI in 2002 and was granted a loan which after several enhancements became an NPA of Rs 194 crores. SBI filed a recovery proceedings which is pending at Lucknow DRT.

In the meantime Edelweiss invoked the Bankruptcy code under which NCLT issued an interim order appointing a Resolution Professional Mr Vikram Bajaj. A public notice was also released on the sale of a property and the status of the sale is unknown.

No Notice to Customers

In all these development, neither NCLT nor the RP made any attempt to keep the customers of Net4India informed. No notice was displayed on the website of the company and no individual notice was served on individual creditors of the company. Many of these customers have placed advance deposits with the company and are creditors.

The entire proceedings have been done in a suspicious manner as if to take over the property of the company by vested interests. A separate investigation is required to find out if there is any real estate mafia involved in the transaction.

Considering that the business of Net4India was a money spinner, it is inconceivable that it ran up a debt of Rs 194 crores without an active negligence from SBI. Hence how the debt arose in the first place and how the NCLT ignored the DRT pendency and went ahead with its order culminating in the sale of immovable property is a matter fit for CBI investigation and investigation by the vigilance department of SBI.

While the investigation whether this is another Vijay Mallya type of Banking fraud is a separate issue flagged for the Ministry of Finance to consider, we would like to highlight certain failures of the NCLT and the RP in the issue of and execution of the order which disrupted the critical business of over 70000 domain name registrants who registered their domain names with Net4India and many more who used the other services so that the system is improved in the long run.

NCLT did not value Data

It is clear from the order that NCLT chose to ignore the impact of the proceedings on the customers of Net4India and also the value of the “Data” that was inside the servers which were housed in the building which is now up for sale.

It is a common principle that when a building with tenants are sold, the tenants would be given sufficient notice and time to shift out. But in this NCLT order, the service users who have parked their web assets including some on which there could be IPR, have been frozen without notice.

This is a violation of the fundamental right of the Citizens. NCLT does not have any right to forcibly close down my business nor confiscate  my web assets. RP had no right to cause the services to be disrupted. It is possible that NCLT and RP may say that they have not prevented Net4India to continue its services. But this is not a matter of finding an excuse. NCLT and the RP must take the responsibility for the damage they have caused to all the customers of Net4India.

Had Net4India been a Bank, would not the NCLT taken steps to ensure that the rights of other depositors are protected?. The Government of India recently amended the cooperative bank’s law to enable such intervention in case of winding down of a cooperative Bank. The same principle should have applied here also.

Had Personal Data protection Act been in place, the Data Protection Authority would have come into reckoning before this order was issued.  Now Net4India and NCLT as well as the RP have not accounted for the “Data” as an asset and whether it was an asset which was covered by the mortgage deed and whether NCLT had any right to confiscate the data as part of the Asset reconstruction exercise.

In case the data had been valued, perhaps the decision that Net4India was insolvent itself would have been considered as incorrect. Hence NCLT has defaulted in the basic evaluation of whether Net4India was solvent or not since it did not value the data sitting inside the servers of net4India. The order is therefore wrong ab-initio.

It is also possible that NCLT and the RP were not even aware of the value of data they were immobilizing in the process of this asset reconstruction. Despite Naavi.org highlighting this, the MeitY has also not realized how the valuable data is being dumped aside in a locked building in the sale proceeds.

If tomorrow the company closes down, the RP may sell the Computers along with the data residing there in without even worrying about the confidentiality of the information which would be “Sensitive Personal Information”.

This is the Voice of 70000 customers of Net4India

We are now raising the voice of the 70000 plus customers of Net4India that NCLT and the RP have caused disruption of their respective business for which there would be a claim of damages and this group of customers need to be considered as a major creditor of Net4India entitled to the proceeds of any asset realization.

A Core group of the affected persons today met virtually and decided to form a “Forum of Net4India Customers” and take up a legal fight against those who ignored the interests of the customers and are going ahead with the distribution of assets within a closed group by misleading the NCLT which may be ignorant of how a “Going Concern” involved in critical internet services can wind down its operations.

The biggest question that arises is why it did not occur to the NCLT that there are thousands of customers whose web assets would be frozen if they are not transferred out to an alternate service provider before the building is locked down.

The ICANN has been talking individually to some and perhaps allowing some transfers to happen on privileged basis without extending the benefits to common people. MeitY has not woken up to the fact that the “Critical infrastructure asset” of the country is at stake. The CERT In and the National Security Advisor, Mr Ajit Doval have not recognized that there is a national security interest involved here.

It is to be recognized that Net4India has been in business since around 1998 when I first registered a domain name and most of the old timers which may include Banks and others might be having their domain names registered with Net4India. Now if all of them have to close down their shop because of the NCLT order, then national interests are at stake.

An evaluation of the impact of the closing down of the Net4India operations should have been conducted by NCLT before it issued the interim order. It should have invited a public objection after proper advertisement across the country and individual notices to all the customers before acting on the complaint.

In the Data Protection Scenario, NCLT has caused a large scale harm to data subjects (even forgetting the corporate entities who suffer loss of business), by not issuing individual notices to all individual customers and not securing their interests as a “Data Fiduciary”. While the proposed PDPA has some exemptions for the tribunals, the ITA 2000 does not spare any organization that causes wrongful loss to an entity by contravention of Section 43 and 43A of ITA 2000.

We can explore if the RP Mr Vikram Bajaj may be held liable for the wrongful loss of the tens of thousands of data subjects and service users and how the NCLT will bear the vicarious responsibility.

These are issues which have been flagged for the first time in India and there is a need for a complete review of the way NCLT has handled this issue.

We therefore urge NCLT to immediately modify its order and appoint a technical team under the guidance of NIXI to ensure that all data in the Net4India servers are secured and made operational so that the services such as domain name transfers, changes in domain name related information, the e-mail services and hosting services are commenced without any further delay.

The core team of suffering customers of Net4India have therefore decided to form  the “Forum of Net4India Customers” and represent their requirements to the appropriate forums.

All those customers who are interested in joining in this fight may kindly contact Naavi for more information.

Naavi

 

Print Friendly, PDF & Email
Posted in Cyber Law | 1 Comment