

Building a Responsible Cyber Society…Since 1998

For the last few weeks, intense debate has ensued on whether the RBI Governor, Mr Raghuram Rajan should get a second term or not.

The media has been batting for an extension of Mr Rajan’s tenure as if he is a Messiah for the Indian future and without him the economy is doomed. They however seem to be reacting more to the fact that Dr Subramanya Swamy has been in the camp that has an opinion that Mr Rajan need not get an extended term.

Dr Swamy has his reasons both economic and others. The way the media anchors of all major English channels are reacting, it is clear that they are trying to build the case for extension as if it is a PR campaign.

Fortunately, Mr Jaitley, Mr Modi or Mr Amit Shah have not given enough ammunition for the media anchors to make it a BJP vs Rajan issue and it remains a Swamy Vs Rajan issue.

Naavi.org has also been commenting on the role of the Governor of RBI not from the point of view of his contribution to control inflation but his failure to address the issue of “Security for Depositors”, arising out of insecure banking practices, information security oriented risks and Cyber Frauds. The media has not however made any comment on the failures of RBI on this Cyber Fraud prevention front.

Naavi.org did point out on occasions that Mr Rajan has been obsessed with his role as an “Economist” and has not fulfilled his role as “A Regulator of the Indian Banking System”. It was as if he was suffering from a “Role Set” and could not see beyond the interest rate regime, the CRR/SLR regime and lately the NPA regime. All these are fine. But they cannot be the only objectives of the institution of RBI.

Let’s now see some of the areas on which media should research and provide us information on the following:

During the last few years there have been serious issues of farmers’ debt leading to many suicides and also creating a political backlash on the Modi Government.

Did Rajan undertake any steps to improve rural debt system to ease the difficulties of the farmers? ..No.

Has Mr Rajan ever commented on the rising retail prices due to hoarding of essential commodities by select wholesalers and how RBI could help in controlling the same? ..No

Has Mr Rajan ever espoused the cause of Small and Medium industries who are unable to meet the growing import competition from China?

Has he ever made any policy tinkering to support the “Make in India” campaign which the Government wants to push hard? …No

As regards Cyber Frauds,

Has Mr Rajan ever even recognized the growing problems which small banking customers are facing because of Mobile and Internet Frauds?

Has he ever commented on how Banks have been unfairly treating the fraud victims dragging them to Courts and enjoying the fruits of the Bank’s negligence?

Has he responded to the repeated requests from the undersigned that “Cyber Insurance” should be made mandatory for Banks at least as a part of the new Bank licensing process?

Has Mr Rajan taken action against Banks for their failure to follow KYC causing frauds of various types including cloning of Cards, Cloning of Cheques, Phishing etc.?

Answers to all these are No, No and No.

Mr Raghuram Rajan has thrust Core Banking on all Urban Cooperative Banks and allowed Social Media Banking in a few Banks without appreciating that these Banks are unprepared for the leap in technology.

All these failures have resulted in the Risk of technology Banking being unfairly foisted on poor customers of Banks. It was only during the last one month that a “Cyber Security Subsidiary” has been spoken of. We are yet to see how this project takes off during the next term of the next Governor, whoever he is.

I therefore demand the Media anchors including the anchors of CNN IBN, NDTV, India Today, Times Now etc try to evaluate the performance of Mr Rajan more comprehensively than what they are doing now.

Dr Swamy has not only pointed out the failure of Mr Rajan in bringing down interest rates which Dr Swamy feels could have stimulated the economy and helped in achieving a higher growth, but also indicated that Mr Rajan tried to help Mr Karti Chidambaram by leaking some information from ED.

If Dr Swamy makes such an allegation, it cannot be brushed aside since Dr Swamy is not a Kejriwal. Dr Swamy is methodical and when he makes an allegation, he knows that he needs to back up with prima facie evidence and most of the times, single handedly takes it to its logical conclusion in Courts. So, I would not make the mistake of ignoring his accusations.

During many occasions in the past, Mr Rajan has given an impression that he is against the policies of the current Government. Though we can accept part of it as a positive aspect of the Governor being independent, the possibility of him trying to discredit the current Government as Dr Swamy suspects, cannot be ruled out.

Under the circumstances, extending his term by another three years could be considered as a “Risk” by the current Government.

While the media may continue to debate and try to create a favourable opinion to get him an extension, and Mr Rajan may also try to make a last minute effort to drop the interest by 0.5 % in the next policy due in a couple of days, Modi Government should find out a good substitute and give a happy farewell to Mr Rajan.

This would be good for both the Government and Mr Rajan himself since any further disclosures from Dr Swamy may embarrass everybody. I am sure that Dr Swamy would not escalate the issue if Government decides to replace Mr Rajan at the end of his term instead of taking any action now.


Related Articles:

Has RBI really woken up from its slumber?

What does the new RBI Governor has to say for this?


At naavi.org, we have been discussing the issues of Cyber Crimes and Cyber Law since 1998. After initial years of focus on Cyber Laws, we moved to discussing the proactive defense in the form of Techno Legal Information Security and Cyber Law Compliance.

Recently, we have moved into discussion on “Cyber Dispute Resolution” in the form of ADR/ODR.

Along with this we need to also devote some attention on “Cyber Insurance” since it engulfs all other aspects of Cyber Security which we have discussed so far in the different niche areas.

A few months back, Naavi initiated an all India survey on Cyber Insurance to document the current status of the Cyber Insurance industry in India, along with a few other like-minded persons. Some aspects of this survey have been shared in some of the earlier articles.

Naavi has been a strong advocate for developing Cyber Insurance industry in India since at least a decade but the response of the industry has been lukewarm. It is only in the last three years that some Insurance companies have been seriously talking of Cyber Insurance. However the user industry is still not keen on adoption since there is a mismatch between the expectations of the Insurers and the user industries regarding the coverage and cost.

It was one of the objectives of the survey that we bring a focus on the industry so that both the service offeror and the potential customer of the insurance products understand what is on the table.

It was known that the current knowledge of the product in the user industry would be low and hence the response on the survey also would be low. At the same time, it was also known that the insurers were few and would not like to share their views in a survey. Despite this known handicap we went about the survey trying to contact over 1000 information security professionals to elicit responses through e-mail. Finally, we had a small sample of 50 who gave the complete response and had to settle for closing the survey though the initial target aimed was at least 100.

During the time of the survey and before, I have also personally tried to draw the attention of the decision makers up to Prime Minister Mr Modi as well as Mr Raghuram Rajan the Governor of RBI through all known means to make Cyber Insurance concept a part of their policy initiatives.

However, it was regrettable to note that neither the visionary Mr Modi nor the much acclaimed economist Governor Rajan seemed to appreciate the importance of even initiating a preliminary discussion on Cyber Insurance.

Mr Modi introduced and pushed some insurance products for farmers and rural folk in the form of Crop insurance and low cost life insurance. However, he failed to respond to the need of Cyber Insurance though his other programs on “Digital India” are increasing the Cyber Risk even for the rural folk at an alarming rate.

Similarly, Mr Raghuram Rajan is increasingly driving RBI policies on technology to the use of high risk Mobile and Social Media platforms without a corresponding protection either in the form of increased information security initiatives or Cyber Insurance. Naavi urged RBI to make Cyber Insurance mandatory for new Banks being licensed, but RBI would take no such initiative.

We also have to take on record that the Union Ministry of IT under Mr Ravishankar Prasad and the CERT-IN have also been completely oblivious to the increasing Cyber Risks and the need for Cyber Insurance.

It was also observed that the insurance regulator and the top insurance industry players also did not respond to many of the approaches made by the undersigned either to start discussing the subject in their forum or to actively participate in the survey. In fact I was surprised that the Insurance industry leaders were still grappling with the problem of using IT in Insurance industry rather than providing insurance cover against Cyber Crimes. The industry leaders are at least 10 to 15 years behind the current market developments and are not expected to be able to understand the requirements of the Cyber Insurance industry for a long time to come. The few companies who have started offering Cyber Insurance policies are only reproducing the policies of their international partners. This represents a very depressing state of affairs in the Insurance industry for whom Cyber Insurance could be a huge opportunity.

(P.S: I would be glad to be challenged on these comments and welcome industry players to raise their objection if any)

In the light of this all round apathy on protecting the interests of Netizens who are every day bombarded with news of Cyber Crimes and losses in E-Banking and M-Banking, it is left to a few individuals such as the undersigned to continue their mission on educating the market on the need for Cyber Insurance with the hope that some day others will wake up from their slumber.

In this endeavour, I would like to share the detailed findings through a series of forthcoming articles so that more people would be interested in the subject.

The objective of unraveling this series of articles is to enhance the understanding of the subject of Cyber Insurance amongst Netizens so that sooner or later they start pressurizing the institutions to introduce cyber insurance as a standard warranty to their products.

We hope that Mr Modi’s team will wake up from their “All is Well Syndrome” and start working on Cyber Insurance along with the Digital India and Smart City programs.

……..This is Naavi’s proposition to BJP/NDA on the eve of their review of “Two years in Governance”

…..Watch out for more in the coming articles….


When on July 16, 2013, naavi.org pointed out in its article “Loans Through SMS?”, it was the first time that it was pointed out that something fishy was going on under the website: http://www.cgtmse-govt.in . It was pointed out that the website could be a fraudulent site trying to lure innocent loan seekers and impersonated a Government website.

Subsequently, one of the readers (Mr Vinod) made some personal investigation and confirmed that the physical addresses given on the site were non-existent. At that time the main focus was that there was impersonation of a website cgtmse-govt.in. It was repeatedly pointed out that Government should take action in bringing down this phishing site.

However, Government did not do anything and the fraudulent website continued even after the Government changed in the Center from UPA to NDA. The site content promptly changed to suit the change in the Government.

Much later, with some of the efforts of people in Nagpur including Mr Mahendra Limaye, the site was closed.

In the meantime many people had lost money responding to the offer from the website. One such entity was Tushar Kant Mohanty of Raipur who had lost Rs 22.36 lakhs. The amount was transferred from the victim’s account to the account of the fraudsters in Axis Bank and Punjab National Bank, two Banks frequently used by fraudsters due to prevailing loose KYC practices.

Fortunately, the victim has now been able to recover his amount from the balance that was available at PNB through an order from the Chattisgarh Adjudicator.

Mr Mahendra Limaye must be congratulated on the successful conclusion of his client’s case and obtaining him the relief.

However, it is observed that the adjudicator has not found fault with CGTMSE which was grossly negligent in facilitating the fraud particularly after it was informed way back in June 2013 that a fraud was being committed in its name. The Mohanty fraud occurred in April 2014 nearly a year after the fraud was brought to light and all those who contributed to the fraud through negligence and inaction should have been made to pay a price for it.

Similarly, the Adjudicator has only ordered recovery of the credit balance that was available in the PNB’s account and has not penalized PNB and Axis Bank for being “Fraudster’s Bankers”.

Axis Bank has also not been made the respondent and hence escaped liability.

The Adjudicator should realize that Mohanty’s case is a representative case of the many other frauds that these fraudsters have committed and it is the duty of the Adjudicator to protect the interest of all these victims some of whom might not be in Chattisgarh or Maharashtra and were not the complainants in this particular complaint.

However, the Adjudicator had the power to take suo motu recognition of all such frauds and hold PNB, Axis Bank and CGTMSE liable for facilitating the fraud through their negligence and lack of due diligence under Sections 79 and 85 of ITA 2000/8.

He could have also provided further damages to Mohanty to cover his expenses.

While we appreciate the Adjudicator for the order at a time when there are no other Adjudicators in the Country taking up such complaints, we would have been happier if the order had simultaneously been made that the Banks and CGTMSE were liable for all others who had been defrauded by these fraudsters. He could have collected a fraud recovery amount of around 100 lakhs, from CGTMSE, PNB and AXIS Bank, acted as a receiver, collected applications from other victims and settled their claims. This would have set a precedent that would have helped in driving a sense of responsibility to these Banks and other agencies like CGTMSE.

Probably, Mahendra Limaye should file an additional petition on behalf of “Unknown Victims” and get a compensation awarded collectively like a “Class Action”. I suppose ITA 2000/8 has necessary powers.

I hope PNB or the fraudster does not challenge the order so that the victim can at least be happy that his actual loss has been recovered. Since the Cyber Appellate Tribunal is not operating, appeal, if any, may arise only in Chattisgarh High Court. I urge that High Court should not intervene to grant any stay on this order if an appeal is made to them.


Reference: Copy of the order


Hewlett Packard Enterprise has released its latest report (HPE Cyber Risk Report 2016) providing an interesting perspective on the threat landscape prevailing in 2015. The report is compiled from an analysis by the research team of data collected from open source intelligence.

The research highlights the following key themes.

  1. Collateral damage
  2. Overreaching regulations
  3. Need for Broad impact solutions
  4. Decoupling Privacy and Security efforts
  5. Persistence of earlier threats
  6. Attacks on Applications
  7. Monetization of Malware

The detailed report is available here.

The report highlighted that in several instances, attacks touched people who never dreamed they might be involved in a security breach, causing collateral damage. Two cases cited as examples of such collateral damage were the cases involving the United States Office of Personnel Management and Ashley Madison.

The report also highlighted that the reaction from the regulators to the attacks was often damaging and counterproductive. It was observed that the overreaching regulations pushed legitimate security research underground.

The report indicated that the fixes to vulnerabilities should move from releasing patches to individual vulnerabilities to building sustainable defences to prevent attacks. It urges Adobe and Microsoft in particular to invest in broad asymmetric fixes that knock out many vulnerabilities at once.

An interesting observation held out in the report is that revelations by Edward Snowden and other whistle blowers have led to moves to erode “Privacy” rights in preference to “Security” needs.

It was also observed that many of the incidents arose from bugs already known to the market indicating that there was negligence in implementing security patches of the earlier years.

The report indicates that attackers have shifted efforts to attack applications directly rather than attacking the perimeter network. It observes that with increasing use of Mobiles, the perimeter of a network is in the user’s pockets and the security practitioner needs to recognize this.

The report also highlights the growing malware market which has strengthened the attack industry and increased its disruptive capabilities.

Security professionals need to study the report in detail and factor the observations while building the security in their respective environments.


The TCS-Epic incident.. a lesson for all

Posted by Vijayashankar Na on May 13, 2016
Posted in Cyber Law

Here are some of my views expressed in an interview with ISMG Asia on the recent TCS-Epic episode.


The interview can be accessed here:

P.S: Kindly note that the voice is slightly distorted and looks hurried through. I suppose it is because of some technical issue in recording.


Earlier Article at naavi.org

Over the last decade and more specifically over the last few years, there has been a tremendous development in the use of ICT with the mobile technology taking firm roots. On the one hand Mr Modi has been promoting the “Digital India” concept and going all the way to promote the use of digital technology such as Aadhar.

Naavi.org has been cautioning the over use of the technology without appropriate safeguards such as information security and Cyber Insurance. However, certain types of regulation need to be cleverly drafted so that there is no misuse of technology but the regulation does not hurt development. Drafting of such legislation requires a knowledge of both the domain of legislation as well as the technology. Lack of such professionals in the bureaucratic circles appears to be creating situations where some decisions are taken at different ministries which directly affect Mr Modi’s development agenda.

There appears to be a set of people in the Governments who are hurt by the beneficial aspects of e-Governance and would like to curb the power of technology through new regulations. They seem to be targeting Cyber technologists with a vengeance by introducing restrictive laws that betray lack of understanding of the Cyber Business model solely to meet their short term goals some of which may be sinister Anti-Modi designs.

Two examples that stand out in recent times are Arvind Kejriwal’s fight against Uber in Delhi and Karnataka Government’s bill on Aggregators of Taxi services. In both cases new laws have been passed to curb the growth of the new business.

Surge Pricing was bad to some extent but it had some logic. It could be regulated to prevent fraudulent pricing instead of bringing down the system itself. Karnataka’s law on taxi aggregators also tries to hit out at the new business model because the Government feared losing revenue from taxi operations.

Now a third fight has opened up in the new “Map Law” which imposes hefty fines up to Rs 100 crores for erroneous “Geo Spatial Information” besides possible 7 year imprisonment.

While the apparent intention was to ensure that India’s borders are not wrongly depicted by Google Maps, the law appears to actually hit the domestic start ups and small companies which are developing new business around the location of the user.

The new law would seriously hurt many mobile app operators who could be a taxi operator or a medical service or an ambulance service or a catering service or a grocery supply service. Today every business wants to know the location of the customer and make services available on “Near You” basis. Probably it could hit you and me who may use WhatsApp to share our location.

The draft law has now drawn the attention of the public that it may introduce an unintended licensing system that could kill many small businesses and go completely against the “Start Up” concept that Mr Modi is promoting under the Digital India concept.

According to Section 4 of the proposed law,

“Dissemination, Publication or Distribution of the Geo-spatial Information of India.-Save as otherwise provided in this Act, rules or regulations made there under, and with the general or special permission of the Security Vetting Authority, no person shall disseminate or allow visualization of any geo spatial information of India either through internet platforms or online services, or publish or distribute any geo spatial information of India in any electronic or physical form.”

Under Section 9

“Any person who wants to acquire, disseminate, publish or distribute any geo-spatial information of India, may make an application along with requisite fees to the Security Vetting Authority for security vetting of such geo-spatial information and licence thereof to acquire, disseminate, publish or distribute such Geo-spatial Information in any electronic or physical form.”

Under Section 3,

“Save as otherwise provided in this Act, rules or regulations made thereunder, or with the general or special permission of the Security Vetting Authority, no person shall acquire geo spatial imagery or data including value addition of any part of India either through any space or aerial platforms such as satellite, aircrafts, airships, balloons, unmanned aerial vehicles or terrestrial vehicles, or any other means whatsoever”

Under Section 13

“Whoever disseminates, publishes or distributes any geo spatial information of India in contravention of section 4, shall be punished with a fine ranging from Rupees ten lac to Rupees one hundred crore and/or imprisonment for a period upto seven years.”

It is noted that the law criminalizes the dissemination of information without license by a stringent 7 year imprisonment term without even any hint of a need to prove some criminal intentions.

There is no “Exemption” provision that exempts users and anybody else without malicious intentions from penalty.

There is no doubt that the law in its present form is absurdly draconian and will be struck down if challenged in a Court of Law. I hope the Government withdraws the law or makes substantial correction without exposing itself to another embarrassment in the Supreme Court.

If the law makers had any sense of the market place they would have restricted the penalty to only cases where the depiction of wrong borders was intentional and use of maps was for some anti-national purpose. In every other case, a wrong map is a consumer protection issue and it would suffice if the consumer interest is protected with a penalty in the form of damages.

For example, if a map on a mobile App depicts there is an Adigas hotel in 5th Main, Chamarajpet, Bangalore and I search for the hotel for half an hour and cannot find it, it would suffice if I can collect a “Free Meal Coupon” as a compensation. There is no need for the app developer to be jailed for 7 years under a cognizable offence.

The law makers are simply unaware of how many of our businesses would be facing 7 year imprisonment term for their routine business activities on account of this new proposed law.

I cannot but think that the law has been framed only to defame Mr Modi and his efforts to promote Digital India by some bureaucrat who sits in the Government as a mole of Congress. Already a campaign has been mounted in Washington Post citing the absurdities of this law.

I wish Dr Subramanya Swamy finds out who actually was responsible for framing such a draconian law.

On the contrary, if this is simply a case of over enthusiasm and a blinkered vision that “Maps” means “Google” and “Apple” and hence one can think of Rs 100 crore penalty, then the concerned official should admit his ignorance and resign from his responsible position immediately or else be removed.

It is well known that this law will not deter Pakistan or China from depicting the maps of Indian Border as they wish. Hence the law will not have any effect but to make innocent Indian businesses pay. It is expected that Apple or Google will pay whatever license fee is imposed on them and pass on the burden to the users such as the Zomatos, the Olas etc. The cost of doing business will therefore go up and the Ease of Doing Business index of India will dive down.

Hence there is a need for Mr Modi to immediately initiate corrective action.

I invite the public to send their views on this draft bill to jsis@nic.in within next 30 days to protect Digital India

Related Article: Livemint