
Naavi.org

Building a Responsible Cyber Society…Since 1998

FinTech Companies in P2P Lending will now be NBCFCs

Posted by Vijayashankar Na on September 21, 2017
Posted in Cyber Law

We have discussed at length the subject of P2P lending platforms in the past and highlighted the need for proper regulation. Some of the earlier discussions can be found in the following articles.

Peer to Peer Lending Platforms and Regulatory Compliance

FinTech Companies need to watch out for the new regulations from SSWG

Will PSD2 have an impact in India?

RBI’s FinTech Working Group needs to secure Consumer interests also

Now RBI has finally come out with a notification that P2P lending platforms will be treated as “NBFCs”. (See Report here)

According to the notification:

the term “the business of a peer to peer lending platform” shall mean the business of providing under a contract, the service of loan facilitation, via online medium or otherwise, to the participants who have entered into an arrangement with that platform to lend on it or to avail of loan facilitation services provided by it.

This is the correct interpretation as otherwise there would have been chaos in the financial services industry.

The P2P lending platforms raise funds at one end and lend them at the other end. While Banks absorb the funds into their own account and then lend out of their own kitty, P2P platforms may match borrowers and lenders directly and earn a commission in between.

However, in practice it would be the platform that would be guaranteeing the repayment of loan participation coupons to the suppliers of lendable resources and recover the funds from the borrowers. If this had not been regulated, there would have been scope for many scams.

Though FinTech company representatives publicly state that they welcome the development, it is clear that many of the companies which were planning to launch their Start Up operations have not factored in the regulations and need to completely revamp their proposed operations.

We welcome the move of the RBI.

Naavi

 




Has “Namo Smartphone” bought Flipkart?

Posted by Vijayashankar Na on September 20, 2017
Posted in Cyber Law

There is an entity called namo smartphone at IPO Building, 7 Race Course Street, Delhi 110001, with phone +91 7905457748 and e-mail address namo.smartphone@outlook.com.

This entity seems to own a domain name called FLIPKART-BIG-BILLION-DAY-SALE.COM and is offering some special gifts and sending out the following message through WhatsApp.

At first glance it appears as if it is a Flipkart official site since there is such a sale presently going on. Obviously, it is not.

The domain name has been registered at godaddy.com in the name “Namo Smartphone” which uses the familiar nick name of Mr Narendra Modi.

This therefore represents a violation of two trademarks with the objective of misleading the public through “Impersonation”. It is therefore an offence both under the Trademark Act and under Section 66C of ITA 2000/8.

From the registration details, it appears that the domain name has been running for the last 10 days without Flipkart recognizing it.

A little while earlier, another WhatsApp message with special offers under the domain name flipkart-gst-sales.in was also received.

This domain is registered in the name of “GHFTYD FTYFT”, with phone number +91.9876545367 and e-mail ID yogeshbtrn23@gmail.com. It appears that this person has several domain name registrations and all of them could be considered tools for committing frauds.

With little effort, both these fraudsters can be traced if either Flipkart or the Police is really interested in public good.

Such frauds are facilitated because companies like Godaddy.com are only interested in making money from domain names and not in public welfare, and because ICANN is also encouraging this tendency to book domain names in fictitious registrant names.

I urge the Police to initiate action in these two cases which we are placing in the public domain and I urge Flipkart to register a complaint.

We have seen that whenever a new film is released, hundreds of websites are blocked under the suspicion that links to pirated copies would be made available in these sites, and even some Courts have issued orders of such nature on  “Unknown Potential Offenders”.

In such cases there is a producer who loses money and hence takes some action. But in the Flipkart case, it is only the public who may lose money and hence nobody seems to be bothered.

At least in this case since the reputation of Mr Modi is involved, will the Police take action?
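The two domains named above share one pattern: the brand name is embedded in a hostname whose registrable domain the brand does not own. The following is an added example (not code from this post) of a simple check a brand or a mail/messaging filter could run over incoming links; the list of legitimate Flipkart domains, the short public-suffix table and the sample messages are constructed assumptions for illustration.

```python
"""Flag hostnames that embed a brand name but are not the brand's own domain.

Added example, not code from the original post. The legitimate-domain list,
the public-suffix table and the sample messages are constructed; the two
flagged hostnames are the ones the post names.
"""
import re
from urllib.parse import urlparse

# Assumption: these are the only registrable domains Flipkart legitimately uses.
LEGITIMATE = {
    "flipkart": {"flipkart.com", "flipkart.net"},
}

# Assumption: a tiny public-suffix table. A real deployment would load the
# full Public Suffix List instead of this hand-picked set.
PUBLIC_SUFFIXES = {"com", "in", "co.in", "net", "org"}


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname, e.g. 'shop.flipkart.co.in' -> 'flipkart.co.in'."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # Try the longest public suffix first, so 'co.in' wins over 'in'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host


def _host_from(text: str) -> str:
    """Accept a bare hostname or a URL and return the (lower-cased) hostname."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def classify(url_or_host: str) -> dict:
    """Classify a link as 'legitimate', 'lookalike' or 'unrelated' for the known brands."""
    host = _host_from(url_or_host)
    reg = registrable_domain(host)
    for brand, good in LEGITIMATE.items():
        if reg in good:
            return {"host": host, "brand": brand, "verdict": "legitimate"}
        # The brand string appears in the hostname (separators stripped, so
        # 'flipkart-big-billion-day-sale' still matches) but the registrable
        # domain is not one the brand owns: the impersonation pattern above.
        if brand in re.sub(r"[^a-z0-9]", "", host):
            return {"host": host, "brand": brand, "verdict": "lookalike", "registrable": reg}
    return {"host": host, "brand": None, "verdict": "unrelated"}


def scan_messages(messages):
    """Pull URLs out of free text and return the lookalike hostnames found, in order."""
    url_re = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?", re.I)
    flagged = []
    for msg in messages:
        for candidate in url_re.findall(msg):
            verdict = classify(candidate)
            if verdict["verdict"] == "lookalike":
                flagged.append(verdict["host"])
    return flagged


# Constructed sample messages (not the actual WhatsApp text from the post).
SAMPLE_MESSAGES = [
    "Big Billion Day gifts! Claim at http://FLIPKART-BIG-BILLION-DAY-SALE.COM/win",
    "GST offer: flipkart-gst-sales.in/offer",
    "Track your order at https://www.flipkart.com/orders",
]

if __name__ == "__main__":
    for host in scan_messages(SAMPLE_MESSAGES):
        print("lookalike:", host)
```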

Naavi




Section 65B Certificate is like the Digital Signature

Posted by Vijayashankar Na on September 19, 2017
Posted in Cyber Law

The system of Section 65B (IEA) Certification was born along with Information Technology Act 2000 and has been in place with effect from 17th October 2000. However, it was only in 2015, after the P.K.Basheer judgement of the Supreme Court stating that Section 65B certificate is mandatory for all electronic documents, that there was a realization by the legal community. Now in many of the lower Courts, judges are asking for electronic documents to be certified under Section 65B.

As a result, there is now a scramble for finding out the format in which the certificate is required to be provided. Many are trying to find out a “Standard” format that can be used in all certificates.

One such standard format which is being floated around is an “Affidavit” format since “Affidavit” is the most familiar document in our legal system.

Everybody in the legal fraternity has respect for a document when it is called an “Affidavit” and wants to file an affidavit as a ritual for any statement to be made to the Court. Courts also look at it as a procedural requirement rather than a committed declaration.

There are not many instances where a person giving a false affidavit is punished for perjury, though everybody knows that when the petitioner and the respondent both present affidavits swearing something exactly opposite, only one is swearing on a truthful statement and the other is making a false statement under oath.

Technically there could be a case where both the petitioner and the respondent may believe that their statement is true and are therefore not making the statements in bad faith. But such cases are few where some interpretation or inference is involved and not facts. Most are cases where on a matter of fact two diametrically opposing affidavits will be filed in a Court as if it is a matter of right to lie before the Court in self interest. Courts are also lenient in such cases and are not punishing people who deliberately file false affidavits to mislead the Court.

We must first agree that just because a statement is made under the title of an “Affidavit” and on a stamped paper, it does not acquire sanctity. What is stated therein, and whether the person has the knowledge that the statement is true, is what matters.

In the case of the Section 65B affidavits, the statement may only say that the document filed is a print out “identical to the electronic document” which is available in the computer or mobile. But this is not sufficient for the document to be accepted under Section 65B.

In our previous article “An Affidavit will not be a proper format for Section 65B Certificate”, we had indicated why the Affidavit format used by some is not the correct format. Many have since asked me to clarify why I think so, particularly when some courts have accepted the affidavits.

Without meaning any disrespect to any Court, I would like to say that from 17th October 2000 till date many Courts have been accepting electronic documents without any certificate, let alone in the correct format in which Section 65B certificate is required. This does not make such submissions as acceptable under law.

During all these years, CEAC has been producing certificates in the “CEAC Format” which according to our humble opinion was what is envisaged under Section 65B and Courts have accepted this without any problem.

However, if somebody asks me to publish a “Standard” format which others can also use, it is not possible. I am not saying this because the format is a “Trade Secret” but because each certificate is unique and distinct to the type of document and the manner in which it was observed and recorded.

In this respect I consider that a Section 65B Certificate is like the “Digital Signature”.

A Digital Signature is a combination of a representation of the person signing an electronic document and the content of the electronic document. Hence if the person is different or the document is different, the digital signature file is different.

Similarly, a Section 65B Certificate is uniquely tied to the content of the electronic document which is the subject of certification and the process in which they were experienced by the person who is providing the certificate. Hence there is no single format fit for all cases.

In the first ever case (State of Tamil Nadu Vs Suhas Katti, AMM Court Egmore, Chennai) in which CEAC filed a certificate signed by Naavi, the subject document was in a server of Yahoo Inc and was accessible within a “Group”. The document was certified in support of the Prosecution and I was also examined as an “Expert Witness” and cross examined. What the Court thought of the process was also briefly reflected in the judgement (Copy available on www.ceac.in).

Immediately thereafter, the same Court invited me to observe a “CD seized from a crime scene” and certify the contents therein. I did it for the Court.

Subsequently, I have certified a variety of documents such as “Web Pages”, “Documents in a Corporate Network computer”, “Mails received or sent by a person visible in his/her email server”, SMS or WhatsApp messages on a mobile, Blackberry encrypted files saved on a computer, CCTV footage, Audio visual files etc.

As one can guess, each of these instances is unique, and my observations run in some cases to hundreds of pages; the Certified copies submitted have even run to around 1700+ pages in one case.

Most of the times the electronic documents are on an “As is where is” basis. In some cases, the report may view further documents with a forensic tool which also is certified under Section 65B.

I suppose people will now appreciate why a Section 65B Certificate cannot be put on a standard format, at least when CEAC is involved with its own reputation to maintain.

I also make it clear that CEAC Certification like any Section 65B Certificate is for admissibility of the electronic document and subsequently Court may invite a Section 79A registered “Digital Evidence Examiner” (Government Agency registered for the purpose…none has been registered so far) and subject the electronic document to any further forensic examination.

In some cases, I am being asked if the Section 65B Certificate can be given by the plaintiff or the respondent himself or his lawyers. I have maintained that this will be considered “Self Serving” and reduce the value. Further the advocate giving a certificate may not be advisable since he becomes a witness to his own case.

A “Trusted Third party” is always preferred.

CEAC may be one such choice but need not be the only choice. If the trusted third party is credible, it would make the work of the Judge easier and he may avoid the need for every electronic document to be submitted to a Section 79A certified Government agency for verification.

If the certification agency is credible as per the Judge, there may also be no need to examine the Certifier as a witness. Further, the Certificate given by the Certifier to the person at whose instance it is provided may be submitted by him to the Court under his affidavit stating that this is the document submitted by the Certifier, and this should be sufficient for the Court to admit the electronic document.

There could be some minor disagreements as to the procedure involved in submission which each Court may try to decide on its own but this would get standardized over a period of time.

While on the subject, I will also have to mention another issue that confronts CEAC from time to time which arises from the lack of understanding the Section 65B certification process and format.

Many times the users are unable to understand the effort required to extract the electronic documents and provide the certificate, and are often disappointed that even I, known for free service most of the time, quote a minimum of Rs 5000/- for the service. On average the actual cost could be even higher, and those who are accustomed to paying Rs 1000 for a lawyer to send a notice find it difficult to appreciate the value. Similarly, some ask for certification of a print out taken by them, which I refuse. I have however done many “Remote Observation and Certification” jobs where the user is not right in front of me but sitting, say, in the USA.

In one recent case, a software professional engaged in a matrimonial dispute used the CEAC certified E Mail Delivery service to the respondent, which was critical to the case. But even he was unable to appreciate the value of the service. Many times, when we approach a company for software and they quote a few lakhs of rupees, we wonder why software should cost so much. Similarly, those who do not understand the service are unable to understand the value of the service and the cost involved.

It is only when they see that the CEAC certification under Section 65B is not a simple affidavit that they will realize that the costs are not only reasonable but downright a steal.

I have elaborated this process because some persons asked me specifically to explain why the affidavit format is not favoured by me, and I could sense that some of them may have doubts as to whether I am rejecting a simple and cost effective requirement in favour of something more complicated and expensive for personal vested interests.

I hope I have made things clear at least now.

Naavi




We speak a lot about “SPAM” and need to prevent it. We also speak of Phishing and other forms of impersonation that arises because people can send out e-mails (and also hide their domain registration details) all in the name of “Privacy”.

Actually, “Hiding the originating IP address”, which Google and Microsoft as well as other service providers do, is a boon to criminals, to the extent that we can say there is a “Conspiracy” to promote spam and help criminals.

Whenever law enforcement need to identify the source of an e-mail, they need to raise a CrPc notice and seek the information. Even then these “Privacy Protectors” who are themselves the biggest Privacy invaders try to frustrate the law enforcement by not providing the information until they are forced.

It is time for all Privacy protagonists to self introspect if this practice is actually protecting the “Privacy” and if so is it the “Privacy of the Criminal” that it is protecting while at the same time invading the privacy of an honest internet user.

If, as a spam filtering mechanism, we disable all incoming e-mails which do not allow the recipient to view the originating IP address, then technically we can prevent spamming and perhaps even phishing. Unfortunately, this is not practical at present since it would block almost all incoming e-mails.

We therefore need a solution whereby e-mail service providers like Google or Microsoft enable an automatic process by which a “Recipient of an E-Mail” is provided a direct request-for-originating-IP option, so that at the click of a button he is able to get the Originating IP address.

The header information without originating IP address is of no use to the recipient and hence there should be some provision by which an “Expanded header with originating IP address” can be requested and immediately responded to by the ISPs.
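To see concretely what a recipient can and cannot recover from the header chain, here is an added example (not code from this post) that walks the Received: lines of a message oldest-first and reports the earliest hop carrying a routable IP address. The two messages are constructed samples: in the first the sender's own public IP is recorded at the submission hop; in the second the provider's first hop names only an internal host, so the earliest routable address is the provider's own relay, which is the "hidden originating IP" situation described above. The documentation-range addresses (203.0.113.x, 198.51.100.x) are placeholders and are treated as routable here only so the samples work.

```python
"""Walk the Received: chain of an e-mail to find the originating IP.

Added example, not code from the original post. Sample messages are
constructed; documentation-range addresses stand in for public ones.
"""
import ipaddress
import re
from email import message_from_string
from email.message import Message

IP_RE = re.compile(r"\[?((?:\d{1,3}\.){3}\d{1,3})\]?")

# Assumption: only these ranges count as non-routable, so that the
# documentation ranges used in the samples pass as "public". A real filter
# would use ipaddress's is_global instead.
NONROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def received_hops(msg: Message):
    """Return the Received headers oldest-first (MTAs prepend, so reverse them)."""
    return list(reversed(msg.get_all("Received", [])))


def first_public_ip(hop: str):
    """Return the first routable IPv4 address found in one Received line, else None."""
    for cand in IP_RE.findall(hop):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:
            continue
        if not any(ip in net for net in NONROUTABLE):
            return str(ip)
    return None


def originating_ip(raw_message: str):
    """Return (ip, hop_index) of the oldest hop exposing a routable IP, or (None, None)."""
    msg = message_from_string(raw_message)
    for idx, hop in enumerate(received_hops(msg)):
        ip = first_public_ip(hop)
        if ip:
            return ip, idx
    return None, None


def explain(raw_message: str) -> str:
    """Human-readable verdict: is the sender's IP visible, or only the provider's relay?"""
    ip, idx = originating_ip(raw_message)
    if ip is None:
        return "no public IP in any Received hop"
    if idx == 0:
        return f"originating IP exposed by first hop: {ip}"
    return f"first hop is internal; earliest public IP is a provider relay at hop {idx}: {ip}"


# Constructed sample 1: the submission hop records the sender's public IP.
EXPOSED = """\
Received: from mx.example.net (mx.example.net [198.51.100.10])
\tby inbox.example.org with ESMTPS; Tue, 19 Sep 2017 10:02:11 +0000
Received: from [203.0.113.7] (unknown [203.0.113.7])
\tby mx.example.net with ESMTPSA; Tue, 19 Sep 2017 10:02:09 +0000
From: sender@example.net
To: victim@example.org
Subject: sample

body
"""

# Constructed sample 2: the provider's first hop shows only an internal
# webmail host, so the sender's address never appears in the chain.
HIDDEN = """\
Received: from relay.provider.example (relay.provider.example [198.51.100.20])
\tby inbox.example.org with ESMTPS; Tue, 19 Sep 2017 10:05:00 +0000
Received: from webmail-frontend-12 (webmail-frontend-12 [10.4.7.21])
\tby relay.provider.example with ESMTP; Tue, 19 Sep 2017 10:04:58 +0000
From: sender@provider.example
To: victim@example.org
Subject: sample

body
"""

if __name__ == "__main__":
    print(explain(EXPOSED))
    print(explain(HIDDEN))
```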

This can also be enabled through a change of law making such a provision mandatory and I urge the Government of India to consider this change of law in the next amendment of ITA 2008.

Hopefully this will ease the burden on our law enforcement people and also reduce the need for the service providers to spend time attending to law enforcement demands.

Naavi

Today’s Kannada Prabha (Bangalore Edition) has carried an article as above. It is titled “Online Property Registration System: Confusion”. The article goes on to indicate that the Government of Karnataka has prepared itself for introducing a new system of property registration called “Easy Registration” in which part of the registration process is completed without the property owner presenting himself before the registrar.

A Complete English version of the circular is not available at this point of time and when available, the same will be posted here.

We had on September 19, 2015 posted an article titled “Has Karnataka Legislature passed a faulty legislation and set to create a new Telgi?”. In this article we had referred to an amendment that the Karnataka Government proposed for the Indian Registration Act 1908 to enable registration of properties and Power of Attorney documents without the presentation of the executant in front of the registrar.

We had highlighted that this was ultra vires the central Act, namely Information Technology Act 2000 (ITA 2000/8), and hence cannot be passed. There is no need to repeat this again here.

Subsequently we had also posted an article on August 11, 2017, titled “Calling Attention of Dr Ponnuswamy Venugopal- AIADMK MP- on Proposed Amendment to Indian Registration Act 1908”, wherein we had indicated that the Parliament may also pass a bill which is ultra vires the ITA 2000/8.

The current article in Kannada Prabha, under the credit line of Shivakumar Belitatte, appears to indicate that the Government has proceeded to act on these proposed amendments. I am not aware if the Government got the assent of the President for the proposed amendments. My request to the Government officials on this has remained unanswered and somebody has to file an RTI to get the information.

Under the circumstances we proceed with the assumption that the Government is trying to introduce the system in defiance of the Central Government’s authority, which has become a sort of political bravado some State Governments are trying to show as a part of their personal vendetta against the Prime Minister. Ms Mamata Bannerjee of West Bengal is in the forefront of such “Rogue States” opposing every action of the Central Government solely for the sake of opposing Mr Modi. Unfortunately, the Karnataka Government run by the Congress Party seems to be also following the footsteps of “Didi”, and I would like to caution the IAS officers who advise the Government in this regard to show the wisdom and courage to provide correct advice to the politicians who are blinded by their personal political agenda.

The purpose of this article is not to start a political debate on whether Karnataka is becoming a “Rogue State” like West Bengal. However, it is our duty to point out if any of the decisions proposed to be introduced by the Government has the danger of an adverse impact much beyond the immediate political objectives. This decision to introduce “Online Registration of Property documents without the physical presence of the registrant” is one such decision that has the potential of facilitating large scale frauds in real estate transactions in the State and therefore needs to be guarded against.

I foresee the possibility that the real estate mafia will register benami properties and conduct land grab operations by initiating false and fraudulent property transfers without the knowledge of innocent property owners.

The urgency for introducing the online registration which is illegal at this point of time and ultra vires the powers of the State Government could have been felt because some of the properties of influential people are benami holdings and with the pressure on black money elimination, the benami properties need to be converted into other forms or sold off. The online registration system will be helpful for this purpose.

Along with the Benami property holders taking advantage of the system, there will be Cyber Criminals who will devise new forms of attack where by the properties of innocent citizens would be transferred without their knowledge. Some of this could be the properties of NRIs who may not know what is happening here or properties of deceased persons or properties which are in legal dispute.

As a result, all real estate property holders will be exposed to a Cyber Crime Risk which will render holding of property in Karnataka more risky than in other places. Those IT employees working abroad and holding locked flats in Bangalore may find that new flat owners could have been created overnight and properties sold off.

According to the newspaper report referred to above, some of the senior officials have objected to the system but it appears that the political leadership has overruled them.

I wish the IT Secretary and the Law Secretary would stand up and resist this ill advised move.

Those in the public service who will read this and the local media should take up this matter with the High Court and ensure that the move is stayed with immediate effect.

I hope the CM of Karnataka realizes that this move is very dangerous and will create an irreversible situation, as was created by the incident of fake Stamp papers created by Mr Telgi, because of which many property documents are in use today even though the stamp papers used in the documentation are fake.

My friendly advice to the Chief Minister of Karnataka is that his political fortunes are better secured by not pushing through this “Online Registration System for Immovable Properties”, and he should not succumb to pressures from outside despite the need to raise funds from real estate operators to fight the next elections.

I also take this opportunity to call the attention of the Central Government to ensure that the move is stopped along with the bill in the Parliament which is under consideration.

Naavi

It was heartening to note today that the Times of India front news page carried a report of a successful Cyber Crime prevention operation in which skimmers in 5 ATMs were detected before any customer reported a loss. Normally Banks realize that skimmers are placed on their ATMs only after scores of frauds are reported. Sometimes the skimmers might even have been removed and moved to another ATM before anybody has recognized that a skimmer was indeed in operation.

We should therefore congratulate Kotak Bank for having identified the skimmer and reported it to the Police quickly.

Once the skimmers were reported, it was perhaps the connectivity that enabled the Police to zero in on the foreigners from Romania who are supposed to have planted them. According to the report the accused came on a tourist Visa and used the age-old practice of fixing the skimmer on the card slot and a camera somewhere to record the PIN entry.

What however surprises most is that in the days of CCTV cameras and ATM guards, how is it possible for somebody to walk in, fix the skimmer and the camera, spray paint the edges and go back without being observed? It is simply not possible unless the Bankers are not vigilant and have not implemented the “Reasonable Security Practices” under Section 43A of ITA 2000/8.

Have the Police filed a case against the Bank?… Obviously no.

Though most Bank frauds occur because of the negligence of the Banks, (It may not be the case with Kotak Bank in this case), Police have always been reluctant to call them to account. This only has encouraged them to continue “Reckless Banking” motivated by the greed for more profits and putting the customers always at risk.

After the Corporation Bank ATM incident, Bangalore Police had sent a mandate that all Banks should provide security guards at the ATM. Banks promptly told RBI that they want to be compensated for the increased cost of such security and started charging money for withdrawals on which today we even pay GST and enrich the Governments both at the center and the state.

Have the Bangalore Police questioned the banks if these ATMs were guarded properly? Whether the CCTVs were functioning? Whether the CCTV footage was being monitored?… We don’t know.

The report goes on to say that thousands of customer data might have been captured and sent out of the country. Had the Police not acted fast, there would have been a catastrophic attack on the Indian Banking system.

What do we call them?… it is called Cyber Terrorism because it strikes terror in the minds of ATM users as a category of our population.

But have the Police booked a case as “Cyber Terrorism”?…. Obviously no.

Police may look at this case only as an unconfirmed “Attempt” and, since “No Loss” has been reported, it may pass as a “Petty case of trespass into the ATM area”.

Since the arrests might have been made because the CCTV footage caught the suspects, or because the skimmers were programmed to send the information to an IP address/Mobile number which was accessed by the accused, the charges pressed may be for some not so serious offences. Also, it may not be easy to link the arrested persons, to the satisfaction of the Court, to the attempted or successful “unauthorized access” under Section 66 of ITA 2000/8.

Since the accused are foreign nationals, going by the way the Italian Marines who were accused of murder in Kerala were handled, these accused will very soon be (if not already) out of jail and moving out of the country.

So, apart from today’s headlines, all the creditable action of the Police may not end up with a lasting deterrence.

Have the Customers filed a case against the Bank for compromising their “Sensitive personal data”? … Again the answer should be a resounding No.

All our Privacy Lawyers are more interested in politically sensitive cases such as when a politician’s Twitter is hacked but not when an ordinary Bank customer’s data is compromised because of the negligence of the Bank.

It is of course not practical for an individual Bank customer to file complaints since even when there is some wrongful loss suffered, it is difficult to convince the Police to register an FIR or take up investigation after filing of an FIR. When it is only a loss of “Personal Data”, despite the noise people make on the Supreme Court judgement, there will be no PIL that may be filed … unless this article motivates some public-spirited lawyer in India.

The ITA 2000/8 has made a provision whereby, when the community interest is adversely affected by a contravention of ITA 2000/8, the Adjudicator of Karnataka can take suo-moto action on behalf of the public.

But, Will the Adjudicator of Karnataka take any action?….. Most probably No

More importantly, the Karnataka Adjudicator (as an office) has to first come out of the false narrative it has built around it that it is not empowered to take up a complaint against a Bank under Section 43 before we can expect it to even consider the suggestion of a suo moto action against banks.

[P.S: Why do I say that the Adjudicator of Karnataka is not interested in coming to the help of the community against a Bank?… and after all, who is the Adjudicator of Karnataka?… I am too tired of discussing this issue …those interested may search this site for “Adjudicator” and find out.]

In the light of the above, it is now open to senior Police officials like Mr Pratap Reddy and Kishore Chandra, ably assisted by officers like Sharat, to take such action as will really leave some long term impact on Cyber Security, at least as it surrounds ATMs.

My brief suggestions in this regard are listed below and are addressed not only to the Police but also to the Banks and RBI.

  1. All ATMs should restrict entry through a biometric lock which collects anonymous biometric information that remains de-identified until it is investigated under a reported crime.
  2. All ATMs should be locked and released only after a “Face Recognition” is registered, again as de-identified information which also remains de-identified until it comes under investigation for a reported crime.
  3. The biometric and face recognition information should be sent to a secure encrypted storage which is not under the control of the Bank; it could be under the control of RBI, under the principles of “Regulated Anonymity” that have been explained several times here. The essence of the principle is that the information is held in an encrypted form somewhere, but the decryption and disclosure control rests not with the collector and user but with a group of controllers. In many of the recent incidents we always have the problem of CCTV footage being erased when the authority responsible for storing the footage is itself a suspect of a crime or negligence.
  4. All ATMs should be under the surveillance of a designated Bank official who gets the feed of the ATM room and watches for any irregularity. When the face recognition camera fails to capture the image, the ATM should not function at all. When the surveillance camera does not function, it should be the responsibility of the officer to lock the ATM until the camera is restored. Emergencies can be handled through help line requests that are diverted to a senior responsible Bank officer.
  5. All ATMs should be checked physically for skimmers, key loggers, unauthorized pin-hole cameras, attempts to disengage the CCTVs, unexplained power outages etc., so that any attempt at fraud can be quickly identified and reported. The officer in charge should file a mandatory security audit report every day ensuring the “Physical Safety of the ATM”.
  6. The current case should be booked under Section 66F of ITA 2008 (Cyber Terrorism) as an attempt to attack a group of Bank customers and thereby destabilize the Indian economy. The arrested persons should be denied bail, their passports seized and the trial taken up by a special Court for speedy disposal.
  7. The Adjudicator should also move suo moto action against the Bank and fine them a hefty sum, which should be set aside as a “Cyber Security Awareness Creation Fund” and used for educating the customers of Banks on Cyber security.
  8. CERT-IN should move RBI and the Banks to ensure that sufficient investment is set aside to improve the security of ATMs on the lines suggested above or better.
  9. Banks who have not yet acted on the RBI’s limited liability circular should be penalized for deliberate failure to follow the regulatory agency’s mandate.
  10. All foreigners coming into Bangalore need to be tracked for identifying potential fraudsters, for which our VISA system should be enforced with greater vigilance.

If the Police and Banks together try to keep a focus on the Bank customer, who is the most affected party in this incident, then this success will not end up as a one day news headline but as something that will improve the security of the Banking system in India.

Will it happen?….

…Hope is eternal and we continue to hope that at least a few of the above security measures would be taken up by the relevant agencies.

Naavi