ICICI Bank Information Security now under monitoring of the CERT-IN

On 16th June 2022, the Government of India issued a Gazette Notification declaring some of the digital assets of ICICI Bank as a “Protected System” under Section 70 of ITA 2000.

At present only a copy of the Gazette Notification regarding ICICI Bank is available in public, though press reports suggest that HDFC Bank and NPCI systems have also been declared as protected systems. There is no information on SBI, though SBI maintains most of the Government accounts.

The MeitY website and egazette.nic.in are yet to publish the notifications for public knowledge.

The ICICI Bank website does not report the development.

This information needs to be notified by ICICI Bank to the stock exchanges and SEBI, and so far no such indication is available on the NSE website.

It appears that ICICI Bank is stunned by these developments and does not know how to react.

It is not clear why the Government took this action and whether there was any credible intelligence that the Bank was under attack and NIA has to investigate the same in the national security interest. This possibility alone seems to explain why the Government has not notified SBI, which is the Bank that holds most of the Government treasury accounts and other assets.

The notification related to ICICI Bank available through another source has been reproduced here.

MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY
NOTIFICATION
New Delhi, the 16th June, 2022

S.O. 2808(E).— In exercise of the powers conferred by sub-section (1) of section 70 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby declares the computer resources relating to the Core Banking Solution, Real Time Gross Settlement and National Electronic Fund Transfer comprising Structured Financial Messaging Server, being Critical Information Infrastructure of the ICICI Bank, and the computer resources of its associated dependencies to be protected systems for the purpose of the said Act and authorises the following personnel to access the protected systems, namely: –

(a) any designated employee authorised by the ICICI Bank;
(b) any authorised team members of contractual managed service provider or third-party vendor who have been authorised by the ICICI Bank for need-based access; and
(c) any consultant, regulator, government official, auditor and stakeholder authorised by the ICICI Bank on case to case basis.

2. This notification shall come into force on the date of its publication in the Official Gazette.

[F. No. AA-11018/2/2021-CL&ES]
Dr. RAJENDRA KUMAR, Addl. Secy.


Since this is the first time a private sector network has been declared as “Critical Information Infrastructure” and Section 70 invoked, it is necessary to study the impact of the declaration on the organization.

We can reproduce Section 70 of ITA 2000 to understand the objective of the section.

Section 70: Protected system (Amended vide ITAA-2008)

(1) The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system.

Explanation: For the purposes of this section, “Critical Information Infrastructure” means the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.

(Substituted vide ITAA-2008)

(2) The appropriate Government may, by order in writing, authorize the persons who are authorized to access protected systems notified under sub-section (1).

(3) Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.

(4) The Central Government shall prescribe the information security practices and procedures for such protected system. (Inserted vide ITAA 2008)

After the amendment of ITA 2000 in 2008/9, Section 70 can be invoked only for “Critical Information Infrastructure”. Critical Information Infrastructure needs to be a “computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.”

A justification of why the declared system is considered “Critical Information Infrastructure” needs to be provided along with the notification. So far we do not see any such justification in the notification.

It is necessary for the Government by order in writing to authorize the persons who are authorized to access the declared system and also prescribe the information security practices and procedures for such a protected system.

These written instructions should ideally accompany the notification, since any attempt to access the system in contravention of the section could be punished with imprisonment of up to 10 years.

In other words, the notification introduces a serious criminal law provision which could impact several persons associated directly or indirectly with the system.

At present the instruction is vaguely expressed in the notification in generic terms, namely that the declared systems (resources relating to the Core Banking Solution, Real Time Gross Settlement and National Electronic Fund Transfer comprising Structured Financial Messaging Server) may be accessed by

(a) any designated employee authorised by the ICICI Bank;
(b) any authorised team members of contractual managed service provider or third-party vendor who have been authorised by the ICICI Bank for need-based access; and
(c) any consultant, regulator, government official, auditor and stakeholder authorised by the ICICI Bank on case to case basis.

In other words, the notification authorizes ICICI Bank to designate the employees or contract persons, any consultant, any regulator, any government official, any auditor and any stakeholder authorized by the Bank. The “Stakeholder” may include the customers of the Bank, who have to access the CBS system for managing their accounts.

The order therefore abdicates the responsibility of the Government and delegates the powers under the section to the Bank itself.

This appears to be ultra-vires the Act.

On 22nd May 2018, MeitY had notified, vide S.O. 2235(E), the Information Security Practices and Procedures for Protected Systems.

Now this notification will be binding on ICICI Bank and override any other policy that may be in place.

One of the requirements of this policy is that the Bank should constitute an Information Security Steering Committee (ISSC) which should include a representative (or representatives) of CERT IN, whose Director General has been declared as the Nodal Officer of NCIIPC under Sections 70A and 70B of the ITA 2000.

The detailed IS policy as provided in the notification of May 2018 needs to be implemented by the CISO of the Bank who should continuously report to the CERT-IN.

In other words, the CISO of ICICI Bank will now be considered as a subordinate of the CERT-IN and CERT-IN effectively takes over the responsibility for guiding the bank on all its IS measures.

This arrangement is similar to the system where Financial Institutions nominate their representatives in the Boards of companies which they have financed and perhaps turned sick.

In other words, the Government of India has expressed a loss of confidence in the ability of the Bank to maintain the security of its systems and found it necessary to exercise direct supervision.

The “Access Control” mechanism of the Bank will now come directly under the scrutiny of the CERT IN.

The current vague instructions in the Gazette notification, which allow any ‘Tom, Dick and Harry’ to access the system, are highly dangerous to CERT IN, since it now becomes answerable for any system intrusions.

The undersigned has brought a sample of an intrusion to the notice of CERT IN and sought its reaction to the same. This refers to an e-mail which the Bank has identified as a “Phishing Email” which however indicates that the phishing URLs are hosted in the ICICI Bank server itself.

The email is reproduced here for the information of security professionals.

One can observe the URL https://verification.icicibank.com through which the malicious web page appears to have been activated.

Now such incidents become the responsibility of CERT IN, and if they fail to exercise adequate control on such happenings, the officials of CERT IN would be liable for their negligence.

Further, if Section 70 is invoked on ICICI Bank and HDFC Bank today, there is no reason why it should not be invoked on SBI or PNB or even large hospital chains etc.

Whether CERT IN will be able to handle the responsibilities of multiple large private companies is a moot question. Perhaps they need to expand their workforce several times over to handle such responsibilities.

We shall watch how this new trend of Government security infrastructure being extended to protect private digital assets works on the ground.

I wish a proper assessment of the Risks to CERT IN arising out of such responsibilities had been made before such a momentous decision was taken.

(Comments invited)


Amendment to Intermediary Guidelines-Grievance Appellate Committee

MeitY had announced the Intermediary Guidelines and Digital Media Ethics Code on 25th February 2021, which had evoked an Anti-CAA kind of response from the industry. Several High Courts (Kerala, Bombay and Madras) came up with their own interim orders truncating the notification, and the matter landed up in the Supreme Court.

Now an amendment notification has been issued on 6th June 2022, for which public comments have been invited. A public consultation meeting with stakeholders was also conducted yesterday by the honourable minister Mr Rajeev Chandrashekar.

The window for public comments will be open up to July 6th.

The amendment mainly relates to the Grievance Appellate Committee to be set up under the following rule:

Appeal to Grievance Appellate Committee(s): –

(a) The Central Government shall constitute one or more Grievance Appellate Committees, which shall consist of a Chairperson and such other Members, as the Central Government may, by notification in the Official Gazette, appoint;

(b) Any person aggrieved by an order made by the Grievance Officer under clause (a) and clause (b) of sub-rule (2) of rule 3 may prefer an appeal to the Grievance Appellate committee having jurisdiction in the matter within a period of 30 days of receipt of communication from the Grievance Officer;

(c) The Grievance Appellate Committee shall deal with such appeal expeditiously and shall make an endeavour to dispose of the appeal finally within 30 calendar days from the date of receipt of the appeal;

(d) Every order passed by the Grievance Appellate Committee shall be complied with by the concerned Intermediary.

The objective of this appellate committee is to address complaints about content removal received by an intermediary, where its decision to remove or not remove a piece of content is dissented to by a platform user or a member of the public.

During the public consultation, several thoughts were exchanged. However the discussion failed to address the action that can follow the decision of the Grievance Appellate Committee.

Also some of the discussions revolved around the constitution of the committee and whether it has to be managed by legal/judicial officers or members of the Government.

It appeared that no thought has been spared on the acceptability of the proposal without amendment to the ITA 2000 itself.

At present ITA 2000 has a statutory mechanism of grievance redressal which includes the Adjudicator and the Appellate Tribunal. Though the effectiveness of this system may be questioned, the fact remains that these are part of the law and cannot be superseded by the notification.

However, before the dispute reaches Adjudication, any effort at resolving the dispute through an ADR process, including Ombudsman, Mediation or with-recourse Arbitration, can be tried. If at the end of such a process the dispute remains unresolved, it has to be referred to the statutory grievance redressal system, which in this case is Adjudication under Section 46 of ITA 2000.

Hence the proposed Grievance Appellate Committee has a subordinate relationship with the Adjudication process and need not be manned by a high-level committee with judicial officers. It can be handled by the officials of MeitY, with or without some representation from outside experts. If MeitY adopts an ODR approach, it can involve experts from the industry and resolve disputes like a sub-committee of MeitY, subject to further appeal lying before the Adjudicator. It would be sufficient if the sub-committee is headed by an officer of a rank equivalent to the IT Secretaries of the State or below.

Any attempt to make this committee’s decision binding on the Adjudicators would be ultra vires the Act. A clarification that appeals against the decision of the committee lie with the Adjudicator would be in order.

I hope MeitY takes this view into consideration.

Naavi


Understanding why Bank Frauds are increasing

It was a great pleasure for me to read the article today written by Advocate Dr Mahendra Limaye of Nagpur highlighting the need to strengthen the recipient side process of digital payments.

As many of the readers know, Naavi has been pursuing the historic case of S Umashankar Vs ICICI Bank since 2008, in which money was lost due to unauthorized access to an NRE account at Tuticorin and laundered through another current account of ICICI Bank at the Fort, Mumbai branch.

In this case the deficiencies of security at ICICI Bank at both branches were clearly highlighted. The negligence of the account-holding branch at Tuticorin and the negligence and complicity of the Fort branch were presented with evidence gathered from the Bank’s own records.

The Adjudicator of Tamil Nadu gave the award in favour of the customer based primarily on the negligence of the Tuticorin branch while highlighting the deficiencies of the Fort Branch.

In the appeal, TDSAT highlighted the negligence of the Fort Branch and dismissed the appeal of the Bank once again confirming the award in favour of the customer and against the Bank.

Now the matter is before the Madras High Court and in the final stages of a decision on the further appeal of ICICI Bank. For the time being it is inappropriate to discuss the issues as they are being presented in the Madras High Court, while we wait for the final decision of the honourable Court.

But what Mr Limaye has written will surely come up for further discussion in the Court.

Naavi


SEBI adopts 6 hour norm for data breach notification

According to a report in Economic Times, SEBI has reportedly advised all mutual fund AMCs to report any information on cyber incidents to CERT IN and SEBI within 6 hours of noticing such incidents.

This is in keeping with the CERT IN data breach guidelines released on 28th April 2022.

With this, the six-hour norm has been set for data breach notification by CERT IN, RBI and SEBI, as against the DPA 2021, which suggests a 72-hour window.

Naavi


YouTube has a responsibility to remove offending videos, says Madurai Bench of Madras High Court

The Madurai Bench of the Madras High Court cancelled the bail granted earlier to a YouTuber, Sattai Durai Murugan, for posting an offending video. The Court (Justice B Pugalendhi) observed that the records show Mr Durai Murugan to be a habitual offender in posting videos with derogatory comments against political personalities.

Though political sensitivities were involved in this case, in the process of adjudging the bail cancellation petition filed by the Police, the Court observed that “Intermediaries are duty bound to regulate content”.

The Court has inter-alia stated

“It is duty of the intermediaries to ascertain whether those videos are in accordance with their policies and guidelines and in terms of the contract and to block the channels if the videos are not in accordance with the terms and policies. … If it is not blocked or removed even after it was brought to their knowledge, the intermediaries are committing the offence under Section 69A (3) of the Information Technology Act,”

In delivering the judgement, which related to a political comment, the Court referred to the possibility of posting of videos related to the making of bombs, obscenity etc. and quoted Albert Einstein on the atom bomb.

The Court was assisted in the case by an amicus curiae, advocate K K Ramakrishnan. The amicus pointed to the community guidelines formulated by the platforms and indicated that the action to block offending videos is part of the guidelines and the terms of platform usage.

At a time when the Intermediary Guidelines of the Central Government are being vigorously challenged as being against the constitutionally guaranteed freedom of speech, this judgement, making sweeping observations beyond the specifics of the case, could raise further controversies.

Copy of the Judgement

The allegation involves comments made in Tamil and has certain political connotations, and hence we would not like to comment on the same at this point.

However, it appears that invoking Section 69A(3) for the order was perhaps not appropriate. This section empowers the Government to issue certain directions in the interest of the sovereignty and integrity of the nation etc. It does not automatically empower the police to act without such directions. Such directions can be issued by a “Designated Officer”, who is the group coordinator of the Cyber Law division.

Recently, on June 1st, the Government had issued a draft amendment to the Intermediary Guidelines of February 25th, later withdrew it and again requested comments on 6th June 2022.

The essence of the objections to these guidelines (with respect to Digital Media), which are opposed in several courts including the Madras High Court, was to oppose the self-regulatory and administrative mechanism suggested for regulating digital content and imposing a code of ethics.

In the light of these developments at the national level, the judgement of the Madurai Bench appears to stick out as an aberration.

Further, whether observations on certain basic principles of the constitution were relevant to be made in a bail cancellation plea is also a point of debate.

Providing the power of “Censorship” to the channel has its own counter applications and has therefore to be viewed more closely. The platform Twitter is already accused of biased decisions to block some messages and not block some other messages, and the licence for such arbitrary action is taken from the assumed power of regulation of the content.

Any such powers will convert the platform into “Not an Intermediary” as per ITA 2000 and hence will invoke the “Digital Media Ethics Code” which is now under scrutiny of the Supreme Court. Hence the current decision appears to interfere with an ongoing broader debate.

It would therefore be interesting to observe if this decision gets appealed against before a division bench or in the Supreme Court.

In this bail-related petition, the Court appears to have focussed more on the intermediary liability. It would have been more appropriate if the Court had focussed on the grounds for cancelling the bail.

Also, there appears to be a confusion between the “Designated Officer” under rule 3 of the GSR 781(E) notification and the nodal officer of an organization. The power of the nodal officer is only to make recommendations to the Designated Officer requesting the blocking of any service. However, the judgement quotes provisions of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009, vide G.O.(D) No. 20, Information Technology (B4) Department, dated 18.03.2020 [the notification was not found on the website: Government of Tamil Nadu : Government Orders | Tamil Nadu Government Portal (tn.gov.in)] and indicates that the SP has been nominated as the nodal officer. The authority for such an appointment at the state level may not be binding under Section 69A. Also, if YouTube cannot be persuaded to remove any content, it cannot be considered as a ground for denial of bail to the person who has posted the content. The case against the YouTuber ought to have been made out only on his not meeting the earlier bail conditions, if any.

By alluding to Sections 69A, 79 and 84B, the judgement seems to have placed some confusion in the minds of cyber law observers about intermediary responsibilities, which was perhaps avoidable.

(A detailed discussion on this may be taken up later)

Naavi


Now the real impact of Data Localization has come out for open discussion

For a long time, there has been a set of vested interests in India who have been opposing the “Data Localization” concept. They succeeded in diluting PDPB 2018 into PDPB 2019/DPA 2021 and removed the need for a copy of non-sensitive personal data being retained in India.

One of the arguments that Naavi.org had placed is the potential positive impact of the data localization on the business of creating new data centres and data centre professionals.

The argument based on law enforcement needs was easy to understand, but objections in the form of “No facilities exist in India”, “There is a shortage of professionals” etc. continue to make the rounds in the sponsored media.

However, it appears that the trend is slowly changing, and now we are seeing a series of stories which try to highlight the economic benefits in the Data Centre domain, though it is yet to be linked to the DPA 2021 as an expected benefit.

Today’s article in Economic Times is titled “Infra status to data centers may spur Rs 700-720 billion investments over 5-10 years”.

Money Control, in “How Data centres could spur a wave of investments in infrastructure”, reports that the demand for data centres will spur growth in the real estate as well as power sectors.

Mint, in its article “Data Centre boom to spur talent race”, says: “India’s data centre boom is expected to generate thousands of jobs and fuel a race for talent in the years ahead, in a repeat of the talent hunt now playing out in the country’s information technologies services sector”.

The sudden spurt of so many articles indicates that a powerful sponsor has joined the race for data centres in India, which has woken up all the journalists to write about data centres.

Is it the Jio? or Google? or Microsoft? or Tatas?…. or a new entity?… We should know soon.

But it appears that the resistance to data localization in DPA 2021 is now likely to decrease, since one part of the industry would significantly benefit from the Act.

Naavi
