
Naavi.org

Building a Responsible Cyber Society…Since 1998

I call for the attention of our honourable Member of Parliament, Dr P. Venugopal, a Loksabha member of AIADMK from Thiruvalluvar Constituency.

Dr Venugopal is the Chairman of the “Standing Committee” which gave recommendations on the amendments to Indian Registration Act 1908 through Registration (Amendment) Bill 2013. This amendment is pending in the Parliament. The proposed Bill is set to make many radical suggestions which some in the media have hailed as helpful to the land owners in rural areas.

However, somehow the possibility of the Bill creating huge problems and insurmountable Cyber Crime issues that would hurt both rural and urban masses has not been properly identified and flagged. Hence the need for this article, a copy of which is also sent to the officials mentioned in the report and some other MPs so that corrective action can be taken.


One of the key aspects of the proposed Amendment to Indian Registration Act Bill of 2013 is the proposed amendment to Section 32 of the Indian Registration Act 1908 (IRA 1908). The apparent reason of the amendment is to ensure that the executant of the document need not be physically present with the Registrar at the time of registration and his presence can be by “Electronic Means”.

According to the proposed amendment, the section 32 as is present now is set to be replaced with the following text:

Section 32: Persons to present documents for registration:

“Except in the cases mentioned in sections 31, 88 and 89, or when the document is presented by electronic means, every document to be registered under this Act, whether such registration be compulsory or optional, shall be presented at the proper registration office, in the manner as may be prescribed,––

(a) by the person executing or claiming under the same, or, in the case of a copy of a decree or order, by a person claiming under the decree or order; or
(b) by the representative or assignee of such person; or
(c) by the agent of such person, representative or assignee, duly authorized by the power of attorney executed and authenticated in the manner hereinafter mentioned.”

The essence of the section as it is present now is that for registration of any document it is necessary for the executant to be personally present before the Registrar. However, the amendment proposes to exempt this need for personal physical presence by making it possible for presentation of a document by “Electronic means”.

It also means that when an “Agent” of the executant, duly authorized by a Power of Attorney, is executing the documents on behalf of the principal, he can also present an “Electronic Power of Attorney”. (If the main document itself can be executed with “Electronic Presence”, it could automatically mean that the Power of Attorney Document may also be registered through “Electronic Means”.)

These provisions might have been introduced as a measure of upgrading the e-Governance features of document registration. However there are several legal and practical issues which require this amendment to be scrapped.

According to the Information Technology Act 2000 (amended in 2008), Section 1(4) read with Schedule I, ITA 2000 does not apply to any document or transaction such as “Any contract for the sale or conveyance of immovable property or any interest in such property”. Therefore, Section 4 and Section 5, which provide for recognition of electronic documents as equivalent to paper and electronic signatures as equivalent to written signatures, do not apply to documents that are presented to the Registrar for transfer of immovable property. Similarly, a power of attorney document or a Will in the form of an electronic document is also not recognized in law.

If, therefore, Section 32 of the Indian Registration Act 1908 is amended, it would only mean that the executant can show his face on a video conference, but the actual documents of transfer of property or power of attorney have to be in paper form only.

Under the amended Act (Section 32A), a photograph has to be affixed and a thumb impression has to be obtained. Naturally, in the case of “Electronic Presence”, only an electronic copy of the photograph and a thumb impression captured by a biometric device under the control of and at the location of the executant have to be used. Such biometric data is required to be received across the open network of the Internet by the registrar’s systems.

Also under Section 32A, a “Proof” of the fact that the executant of the Power Of Attorney is alive has to be produced. Since the person is not physically present, perhaps the Registrar has to view the video and decide if the person is “Alive” and “is not insane” and  “is mentally in a condition as to take logical decisions”.

He should also verify that the video he is seeing is current and the person is online in real time. He should also check that the biometric data he receives is not a “Stored Biometric” that has been collected earlier by somebody and transmitted now as that of the executant.

Will the  “Registrar” be aware of these risks and the consequences of impersonation of the “Electronic Presence”?…

I would like the Standing Committee of the Parliament which gave its report on this amendment to conduct a survey of about 100 Registrars and get the information on whether it is feasible for the Registrar to confirm the identity of a person and the genuineness of the biometric from the binary data that flows through an open insecure network from the computer of the executant sitting in a remote place to the registrar’s office.

Also, the moment you open a communication link to the registrar’s system to be accessed through internet, hackers from all over the globe would jump in to look into what is inside the registration system and how they can use or misuse the information. Since the registrations are supposed to be done from “Anywhere”, the registration offices will be linked on a network and hence any intelligent hacker getting entry to one registration office will be able to plant a virus and a back door to play havoc with the system.

This will lead to a risk worse than what we are envisaging in the hacking of the Aadhaar network.

When these provisions were suggested by the Karnataka Government, (Refer articles below), we stopped at calling this an “Ultra Vires” act since ITA 2000 cannot be amended by the State.

But now the proposal is coming from our Parliament itself, and our IT Ministers, past and present, will be part of the crowd which will say “Aai” when the amendment is called out, without thinking much about the consequences of saying “Aai” to such a self-defeating monster of a proposal, which is fit to be called a “Bhasmasura Proposal” since it will soon come to haunt the creator himself.

The standing committee recorded the following comments on this particular amendment:

“The Committee observe that the Bill proposes to substitute Section 32 whereby a provision is made for presentation of documents by electronic means for registration.

The Committee note that the proposed provision would facilitate the increased use of electronic means for registration which in turn would reduce corruption and ensure transparency in the procedure.

The Committee, however, observe that the identity and genuineness of the executants in case of electronic registration can be ascertained and proved only through biometric identification and other similar mechanism without which the possibility of fraudulent registrations cannot be ruled out.

The Committee, therefore, recommend the Department of Land Resources to impress upon the States to allow electronic registration only when all Sub-Registrar Offices are well-equipped with the facilities of not only for online registration but also for fool-proof identification of genuineness of executants.”

The Committee or the Amendment has not however thought of what procedures are to be followed when the “Electronic Presence” is used instead of physical presence and how Section 65B certification would be used for recording the presence etc.

The Committee is also still thinking of “Documents” to be presented electronically, whereas what is feasible is only the “Presence” through electronic means, since documents will fall under Section 1(4) of ITA 2000/8.

The Committee members also seem not to have heard the term “Electronic Signature” and hence have not used it in their report. They seem to think that the “Thumb Impression” captured by the devices they must have seen being used as “Attendance Registers” is as good as the physical thumb impression.

Since the Bill has reached this level, it is clear that so far all persons including the officials have not taken note of the problems highlighted here. They also might not have consulted the MeitY in this regard. If not checked, the Bill will therefore go through the Parliament without any further thought.

I therefore request Dr Venugopal to immediately take steps to withdraw this proposal to amend the Section 32 of Indian Registration Act 1908.

I also request all those who read this and can reach out to the decision makers to bring it to their notice so that the possibility of a catastrophic legislation being passed is prevented.

The other members of the committee and the associated executives, who can also initiate corrective action if they are sensitive to the points raised here, are as follows:

Honourable Members of Loksabha: Shri Harish Chandra Chavan, Shri Jugal Kishore, Shri Manshankar Ninama, Shrimati Mausam Noor, Shri Prahlad Singh Patel, Shri Gokaraju Ganga Raju, Dr. Yashwant Singh, Shri Ladu Kishore Swain, Shri Ajay Misra Teni, Adv. Chintaman Navasha Wanaga, Shri Vijay Kumar Hansdak

Honourable Members of Rajya Sabha: Shri Ram Narain Dudi, Shri Mahendra Singh Mahra, Shri Ranvijay Singh Judev, Dr. Vijaylaxmi Sadho, Shri A. K. Selvaraj, Shrimati Kanak Lata Singh

Members of the Secretariat: Shri Abhijit Kumar – Joint Secretary, Shri R. C. Tiwari – Director, Smt. B. Visala – Additional Director, Smt. Meenakshi Sharma – Deputy Secretary.

Naavi

Copy of the Bill as presented in the Parliament.

Copy of the Standing Committee Report

The amendments proposed by Karnataka Government in 2015

Article in naavi.org on the proposed Karnataka legislation:

Has Karnataka Legislature passed a faulty legislation and set to create a new Telgi?

Karnataka Government’s Mistake may embarass the President of India

On July 6th 2017, RBI after 10 months of thinking, released the official confirmation of the “Zero Liability Circular”. 

Naavi.org had urged the banks to go for a “Competitive Compliance Drive” and initiate measures to implement the provisions of the circular.

While no Bank seems to have taken specific measures such as the new Policy on how to handle liabilities when frauds are reported after the first 7 days etc, an interesting internal message in State Bank of India has been reported.

This is said to be a message sent as an internal circular to the staff of SBI and in the end includes a sentence that this can be shared with customers.

The message runs as follows:

SBI CARD FRAUD ALERT

For the information of all officers and staff

Due to a recent incidence of a fraudulent credit card/debit card transaction of Rs. 57000 in the account of an officer of one of the branch of our bank. It is our duty to inform all of you to disable international access/usage for your credit/debit card as international transaction do not require an OTP and are Vulnerable to huge frauds by culprits who are difficult to trace out.

MODUS OPERANDI

1. while our officer was busy with customers in peak time at his branch, he has received multiple messages for multiple fraudulent transactions amounting to Rs. 57000/-.
2. Our officer thought that his 4 in 1 in hrms is being credited by the bank.
3. He realised the fraud only after business hours after checking his account.
4. By that time Rs. 57000 was stolen by fraudster.
5. If he could have realised with in 3-4 hours of the fraudulent transaction, that amount could have been reversed by taking immediate steps. However a complaint has been lodged with the concerned department.
6. our officer felt that he has not received an OTP and so there is no possibility of a fraudulent debit but for international transactions otp is not required.
7. Just by knowing the card number and expiry date and CVV, a fraudster can do any no. of transactions.

In this connection, we advise all of you to kindly disable international access/usage for your credit/debit card by following these steps,

FOR DEBIT CARDS

1. We have to download SBI QUICK app from play store in which there is an option as ATM CUM DEBIT CARD.
2. In that we will find ATM CARD SWITCH ON/OFF option.
3. In that screen we have to enter last four digits of our ATM card No. and we have to select OFF for international usage. we can also select the OFF Option for e-commerce transactions(FOR THOSE WHO DNT DO ONLINE PURCHASES ON E-COMMERCE SITES).
4. Immediately we would receive a confirmation message for the same. However, in the same menu and in same way, we can also activate whenever we required.
we can also de-activate the international usage just by sending a message as SWOFF INTL XXXX( last four digits of card no.) to 9223966666 from registered mobile no.

FOR CREDIT CARDS

1. We need to logon to WWW.SBICARD.COM site.
2. Left side of menu where you will find REQUESTS, in that an option as ACTIVATE INTERNATIONAL USAGE.
3. After clicking on it we will find two options as activate & deactivate, there we have to select de-activate, then immediately a service request no. will be generated & you will see a message as
Congratulations! You have successfully de-activated international usage on your SBI card ending with XXXX.

Please share to all your customers and colleagues.
Customer education customer delight

It is ironic that SBI seems to have woken up because one of its Staff members has lost the money. There are hundreds of such customers who are also busy and become victims to such frauds.

Obviously, SBI would refund the money to its staff member without asking any question on how it happened and whether he had revealed his password to somebody else etc. I wish somebody puts in an RTI application to find out how they resolved this case and why they do not adopt an automatic refund process for customers and prefer to drag customers to Court.

Anyway this is a “Cognizable Offence” and Police have right to investigate since the information is now available. I wish Mumbai Police investigate how the fraud happened and record whether the Bank admits that even without the customers giving out their passwords in phishing attacks they can lose money. This is important since the same Bank will stand before a Court and swear that their security is perfect and there can be no unauthorized access except by the customer’s negligence. This myth will be shattered.

If the staff member is guilty of giving out the password, then it will prove that whatever education that the Bank has been providing to its customers has not even gone to its own staff.

Either way, SBI should now automatically own all such frauds as their inefficiency and provide immediate refunds. …which is the essence of the Zero Liability circular anyway.

However, the facility to activate and deactivate international usage is something every Bank has to enable. The internal transactions are at least controlled by OTP.

But this is not sufficient and as in the case of debit cards, SBI should also provide for deactivation and anytime reactivation of even the local use.

We congratulate SBI for the measure since most of the time other Banks tend to follow SBI. These are measures  suggested by the Damodaran Committee in 2011 which are coming to be implemented now. Better late than never!

Also RBI should now audit the actions taken by Banks since July 6 2017 to introduce the measures suggested by the said circular so that customers would feel safer.

Naavi

Will Police Employ Abhinav Srivastava as a consultant?

Posted by Vijayashankar Na on August 11, 2017

There is a news report today that the Bangalore Police are so impressed with Mr Abhinav Srivastava, who was arrested under the charge of hacking into the UIDAI database, that there is a discussion on engaging him as a consultant for the Police. (See Report here).

At this point of time, this remains a rumour and could be a fancy wish of some. At least we have seen TV serials about such a practice in USA where “Community Service” is one of the options offered to a criminal as part of the sentence. Hence the Cyber Crime Police could create a structure for using convicted hackers to be part of the Police team for a certain number of years until the sentence runs out.

I am not sure if Criminal Jurisprudence in India provides similar innovative discretion to a Judge. Probably experienced criminal lawyers can clarify.

However, there is nothing wrong if, in deserving cases, Courts consider such innovative punishments, which could be the most appropriate in some cases. But if such things are to be properly brought into the system, then we should be sure about Judges not being corrupt. We have several instances in India of Judges faking arithmetic errors and acquitting criminals, or granting bail, or allowing convicts to be on parole on non-existent grounds.

If therefore “Community Service” is allowed as a “Punishment”, then many criminals would buy such punishments and later negotiate with their mentors who are supposed to monitor the sentence to go scot free.

However, in the case of Cyber Crimes in particular, it appears that such punishments are relevant since in most cases the accused could be educated and more often becomes an offender either because of “Ignorance of law” or for psychological conditions such as “Technology Intoxication”. Such persons can be perhaps amenable to a reformatory process.

In the case of Abhinav Srivastava, this could have also been suggested as a face saver for the Police/UIDAI since the case is not strong. The case has been booked and the person has been arrested for “Unauthorized Access of Aadhaar Facilities”. But actually he has perhaps created a tool which is used by third parties who made use of an “Authorized Access Source” under circumstances that there was no clear bar on his not using the source.

Without adding the 80000 members of the public who downloaded and used the App as the main accused, it would be difficult to blame only the tool manufacturer.

Further, it is difficult to establish the guilty mind (mens rea) of the accused to bring about a criminal charge. There will be little scope for civil claims since nobody may be able to prove “Wrongful loss”.

If the case is pursued further, several intermediaries also need to be considered as Co-Accused and brought to book. This would be embarrassing both for the complainant as well as the Government.

If the case is dismissed, then there is a possibility of a backlash with an accusation of mishandling of the case and possible human rights violation.

Hence some face saving solution which is a Win-Win solution for all could be a good option to consider.

One possible method by which such innovation can be brought into the system would be through a “Compounding Process” where the complainant and the accused come to a written agreement on the basis of which the Complaint is withdrawn. Probably the Police or the Court can mediate in arriving at such a compounding agreement which is acceptable to all.

Hopefully the Abhinav Case becomes a trendsetter in this respect and such a compounding arrangement is worked out. Since an FIR has already been lodged in this case, the Court will have to be in the picture for the compounding agreement. In the process it would be better if an SOP (Standard Operating Procedure) is drawn up by the Court and the Police, to be used when required in future to ensure that the system is not misused.

(Since this is more a matter of Criminal Justice system, I would expect readers to correct if my contentions are incorrect and add their own comments… Naavi)

Naavi

Also Read: Bengaluru Police Smitten by Abhinav’s tech skills