Header image alt text

Naavi.org

Building a Responsible Cyber Society…Since 1998

India has been taking significant strides in popularizing Alternate Dispute Resolution mechanisms such as Arbitration and Mediation because of the special interest shown by the Modi Government. On 31st December 2015, the Indian Arbitration and Reconciliation Act 1996 was comprehensively amended (w.e.f. 23rd October 2015) which brought in significant changes to the system as has been prevailing in India. (Check for details at Naavi’s the ADR Knowledge Center). The changes were aimed at reducing delays in the arbitration process, bringing in higher level of discipline among the Arbitrators, Reducing the Cost and also encourage the use of electronic documents in the conduct of ADR.

On January 13, 2017, the Department of Legal Affairs, Ministry of Law and Justice formally constituted a ten member High Level Committee under the chairmanship of retired Judge of Supreme Court, Justice B.N.Srikrishna.

The committee was to look into various factors to accelerate arbitration mechanism and strengthen the arbitration ecosystem in the country as well as examining specific issues and drawing up a roadmap required to make “India a robust centre for international and domestic arbitration”. In particular the committee was required to suggest measures for institutionalization of arbitration mechanism, national and international, in India so as to make India a hub of international commercial arbitration.

After considering views of existing arbitral institutions in March 2017, the Committee has now come up with its recommendations which were released by the Honourable Minister Ravi Shakar Prasad today.

 The detailed report is yet to be available for discussion. However, as per the press reports the following recommendations have been made by the committee.

  • Setting up of an autonomous body, styled the Arbitration Promotion Council of India (APCI), which would recognize institutes providing accreditation to arbitrators, hold training workshops for advocates.
  • Creation of a specialist Arbitration Bench to deal with commercial disputes. Judges hearing such matters should be provided with periodic refresher courses in arbitration law and practice.
  • Creation of a specialist Arbitration Bar by encouraging the establishment of fora of young arbitration practitioners.
  • Changes in various provisions of the 2015 Amendments in the Arbitration and Conciliation Act to make arbitration speedier and more efficacious.
  • Declaring International Center for Alternate Dispute Resolution (ICADR) as an institute of National Importance and takeover of the institution by a statute.
  • Creation of the post of an ‘International Law Adviser’ who shall advise the Government and coordinate dispute resolution strategy for the Government in disputes arising out of its international law obligations particularly arising out of bilateral investment treaties (BIT).
  • Permission to foreign lawyers to represent clients in international arbitrations held in India and promoting India as a venue by easing restrictions related to immigration, tax etc.
  • Promotion of ADR mechanisms including provisions of mediation facilities by arbitral institutions and considering a separate legislation governing mediation

The changes proposed are of far reaching effect and requires to be closely followed.

We shall await the availability of the detailed report to comment on specific parts of the recommendations in due course.

Naavi

All Articles

Amendments to ACA 2015 suggested by Srikrishna Panel on Arbitration
Srikrishna Panel: Donot make Arbitration the exclusive preserve of Lawyers and Judges
Two Major Failures of the SriKrishna Committee on Arbitration
Ten Commandments of the Justice Srikrishna Committee… and where the Committee has failed?
Justice Srikrishna Committee on Arbitration Submits its report

The so called “Aadhar Hacking Case” filed in Bangalore on Abhinav Shrivastava, a has also revealed two important lessons for organizations such as UIDAI, NIC and Hospitals on the one hand and also the Police and the Adjudicator of Karnataka on the other hand. I hope these lessons will be learnt.

Techno Legal Vs Technical Information Security: 

Today’s reports  corroborate the views expressed yesterday in these columns (Refer :The Aadhar unauthorized access case in Bangalore.. Requires More Debate)in which a tentative modus operandi was indicated.

This is a vulnerability in the systems operated by the e-Hospital application owner and shows lack of due diligence under Section 79 of ITA 2000 and lack of “Reasonable Security Practice” by that organization under Section 43A.

The modus operandi as indicated by the accused in his demonstration indicate the vulnerabilities in the system which not only the e-Hospital app user (eg Hospital like NIMHANS), but also NIC and UIDAI who should have been aware of. It is this kind of threats and vulnerabilities that need to be identified in ITA 2008 compliance audits which these agencies are failing to conduct.

I consider that this incident has given a good example of how “Techno Legal Information Security Incident Management” is different from what people (Information Security professionals who use the Uni-dimensional Information Security approach) call as “Incident Management today”.

I hope that this is the first lesson we need to take note from this incident.

Human Rights Violations by Unwarranted Aggression by Police

Police however have not so far initiated any action on the organizations who contravened provisions of  Section 79 and Section 43A of the ITA 2000/8. UIDAI also has not made any complaint against NIC or the e-Hospital application user whose app was used by the Abhinav App.

Instead, both the UIDAI and Police are after the techie who created the app that enabled the release of the aadhar data of individuals on specific request by the mobile owners whose mobile is linked to the aadhar.

On August 4th itself TOI reported  that UIDAI chief AB Pandey said, “The UIDAI would like to inform and reassure the public that there is no breach of any Aadhaar data and compromise of individuals’ privacy and security in this case.”

In view of this admission the very basis of complaint by UIDAI can be declared as unfounded and wrong. They rushed to complain before understanding in full what had happened and the Police blindly acted. Ignorant media persons naturally went to town stating that there was a breach of Aadhar security etc.

All this sensationalism will influence the Supreme Court hearing on the Privacy issue. We know that it was one such indiscretion committed by some constables in Palghar who booked Section 66A case against two girls for their Face Book post/like that made the great Supreme Court ultimately coming down heavily on the Section 66A and scrapping it. A similar over reaction of the Judiciary cannot be ruled out because Bangalore Police is making a mountain out of the mole hill in this case.

Now that UIDAI says there is no breach, it is inappropriate for the Press to continue describing this incident as a “Hacking” incident and they should stop this representation. This is actually a “Security Breach” incident in the e-hospital platform which was exploited by a Techie to create an App which was used by about 50000 persons to check their demographic data as available in the Aadhar data base.

This incident was similar to an earlier case which the undersigned had brought out when a Hyderabad techie had created an application for booking of train tickets through IRCTC bypassing some server restrictions and Captcha. In that case the concerned person was informed by the undersigned and reminded by a TOI reporter that what he did in posting an IRCTC booking application for public download was wrong in law. Fortunately, he understood the error and removed his web post before anybody complained to IRCTC. This saved the career of an otherwise intelligent techie.

As per the original report on the Aadhar case, the Police had booked a complaint under Aadhar Act Sections 37 and 38, ITA 2008 Sections 65 and 66 as well as IPC Section 120B, 468 and 271. (P.S: Sections used has been corrected as indicated at the end of the article. IPC sections used are Sections 34, 120B, 468 and 471. Aadhar Act sections are not there.)

Now that the complainant (UIDAI) admits that there was no breach of Aadhar data, it is difficult to see the logic of how the Police can apply the Aadhar Act sections.

Section 120B of IPC is for “Conspiracy” which should include multiple persons acting together for common criminal intent. This also is absent in this case and hence this section is not applicable.

Section 271 of IPC is completely off the mark and I cannot understand why it was used. This section states as under:

Section 271 of IPC: Disobedience to quarantine rule.—Whoever knowingly disobeys any rule made and promulgated by the Government for putting any vessel into a state of quarantine, or for regulating the intercourse of vessels in a state of quarantine with the shore or with other vessels, or for regulating the intercourse between places where an infectious disease prevails and other places, shall be punished with imprisonment of either description for a term which may extend to six months, or with fine, or with both.

(Ed: 7th August: As per the copy of the FIR accessed just now, it appears that Section 271 is not added in the FIR. Instead Section 471 (IPC) is present. The error is due to the wrong reporting by a news paper and regretted)

Section 468 of IPC pertains to “Forgery” which also is difficult to be proved.

As regards Section 65 of ITA 2000, it is strange that this section continues to be mis-understood and misapplied in cases where  there is no requirement by law for information to be retained for a certain period of time.

The only section that is relevant to Abhinav Shrivastava, incident is Section 66 of ITA 2000 where one can allege that there was an “Un-Authorized Access”. This also can be disputed as to whether the unauthorized access was to a e-Hospital application or Aadhar server and whether there was a dishonest and fraudulent intention.

We also should not forget that in Karnataka, there is a decision of the Adjudicator of Karnataka that Section 43 (and therefore section 66) cannot be applied when the person who has committed the offence or the entity on whom the offence (Unauthorized access) has been committed is not an “Individual”.

Hence under this precedence, Section 66 also may fail in this particular case.

Thus it appears that the entire case is built on fancy interpretation of different sections all together made to appear as if it is a serious and heinous crime deserving a huge punishment.  In the process the Police have arrested the person in a good technical position and permanently damaged his career prospects.

Probably all the sections were added so that no bail could be granted to the person. Otherwise when people with thousands of crores frauds are roaming freely both inside and outside prisons in Karnataka, there was no justification that Abhinav should have been remanded to custody and could not have been interrogated without arrest or under house arrest.

If the Police had understood the problem properly and not swayed by the name of the complainant, they could have handled this with finesse without unnecessarily hurting the accused to the extent they have done.

Probably this calls for a review of the police action from the “violation of Human Rights” angle. Unfortunately all our Human Rights activists are only interested in protecting Terrorists and Naxalites and this techie will not be considered as a fit case for them to step in.

I am reasonably confident that some of the more informed persons in the Cyber Crime police station in Bangalore would have felt that the arrest might not be necessary in this case but some body must have persuaded the Police to make this a demonstration of what would happen if some body meddles with the UIDAI system.

“Consistency” is the hallmark of good Policing and unless this is maintained, public will not be able to trust the law enforcement system. I hope that Cyber Crime Police in Bangalore tries to maintain this consistency and stand up to pressures from vested interests.

I request the Police to revise their approach and let this techie out on Bail to mitigate part of the wrong they have already committed.

This is the second lesson we need to learn from this incident.

A Note to the Principal Secretary IT of Karnataka

At the same time, I would like to use this opportunity to remind the Principal Secretary IT, Government of Karnataka, who is also the “Adjudicator of Karnataka” that it is a standing precedence created by a past Adjudicator that Section 43 cannot be applied to anybody other than an “Individual” and hence section 66 also becomes a section that can be invoked only of the victim is an “Individual” and not UIDAI or NIC or a NIMHANS hospital.

The current Adjudicator has the responsibility to review this precedence and correct the past mistake. I request him to take this up suo-moto without waiting for any body to file a petition in this regard.

A Note to the Techies, OLA and other Start Ups

I have repeatedly highlighted the necessity of techies to be aware of the Cyber Law related risks that they may ignorantly transgress leading to a permanent loss of career as this incident would mean to Mr Abhinav Srivatsava. The responsibility lies on the educational institutions (like IIT Kharagpur in this case) and the Companies (like OLA in this case) to ensure that those who are trained to create Cyber products are aware of the ethical ways to use their skills.

Just as I have earlier stated that had TCS conducted a “HIPAA Awareness Training” for its employees who were involved in the EPIC case  could have saved the $940 million liability, if OLA had conducted an ITA 2008 awareness training for its key executives, they would have been able to retain Abhinav as their  key employee and avoid a shock to its entire work force which would have a very demoralizing impact on the organization.

Perhaps this incident in which OLA was not involved will however reduce its valuation of the because the company they acquired (Qarth Technologies Pvt Ltd) is now an “Accused” in a Cyber Crime. Other Start ups need to take note.

Naavi

 

P.S: The above article is based on the news paper report on the sections under which the arrest has been made. Also, it is possible that Police may have information that we donot know. These views may therefore be taken as a view based on available information in the public and stand corrected if required.

7th August 2017: 19.00 hrs: PS: I have just accessed the FIR copy and would like to make a correction in the sections used in the case. As against the earlier asianet report based on which the sections have been indicated in the above article, the FIR indicates the following sections now: Sections 65 and 66 of ITA 2000, Sections 34, 120B, 471 and 468 of IPC. The complaint has been made by UIDAI but the sections of aadhar act seems to have been removed. Some of the comments made in the articles therefore stand corrected.

The earlier report of the sections used was based on the following news report in asianetnews.

Naavi