NPCI needs to be watched

NPCI was incorporated in 2008 and functions today as the national clearing house for all payments. Initially there were 10 promoters, all of whom were Banks, including foreign Banks like Citibank and HSBC. Since then several other Banks have been allotted equity.

Recently there has been a move to set up a Private Sector NPCI clone or to allow private equity directly in NPCI.

We should remember what happened with CIBIL: once owned to the extent of 92% by Banks, it was surreptitiously sold out to TransUnion, and in the process 500 million plus sensitive personal data sets became the property of a US based private sector company.

This was a strategy which we called “Data Laundering”.

At present, NPCI has a substantial chunk of financial data travelling through its switches. Many private players have a facility to link their systems to NPCI and open a channel of communication to the Bank accounts of customers. The “Registered Mobile Number” is the only tenuous link controlling this access.

While NPCI may claim that they are a “Financial Intermediary” and may not store personal data of individuals in a manner a Bank may store, the possibility that the data passing through NPCI can be diverted and transaction profile extracted with a link to the registered mobile number cannot be ruled out. Once a registered mobile number is identified, it gives links to Aadhaar, PAN, Bank accounts, IT records and even the social media activities of the person.

We can therefore consider that NPCI has access to all the sensitive personal data of people whose financial transactions pass through the NPCI.

When there are thoughts of privatization of such operations, alarm bells should ring, since this could be a preparation for another CIBIL type of data laundering.

Hence NPCI has to be kept under watch to check if they can be trusted with the financial information passing through their servers.

Presently, NPCI is managed under the Ministry of Finance which is amenable to all sorts of pressures from vested interests.

It appears that one of the reasons why the PDPB 2019 is getting deferred from one session to another is that the Ministry of Finance is demanding some changes which may not be acceptable. After all, we know that NASSCOM and DSCI have already placed their demands for modification, which want financial information to be removed from the category of “Sensitive Personal Information” so that it can be freely transferred out of India. The Finance Ministry should be supportive of such a move, since this is necessary to allow data laundering through privatization of organizations like NPCI.

Today, yet another indication has surfaced why the Ministry of Finance cannot be trusted to take care of the interests of the country in securing the financial systems.

Some time back, Mrs Nirmala Sitharaman spoke in support of Bitcoins. We had raised our concerns directly with the Ministry of Finance to which as expected no response was provided either by the Minister or the secretaries.

It appears that the Ministry is stalling RBI and preventing them from re-issuing their circular which banned Banks from supporting Bitcoin exchanges, support which was then dramatically permitted by the “Bollywood Judgement” of the Supreme Court.

In the last few days, RBI seemed to be re-introducing controls to prevent Banks from supporting Bitcoin trade, and hence the Bitcoin industry has moved its attention to NPCI. This has triggered a fresh move from the Bitcoin lobby to put pressure on NPCI to support its cause.

Today a series of articles has been planted in the media stating:

“NPCI Scraps Crypto ban Idea”, “NPCI leaves it to Banks to decide on blocking of Crypto trades”, “NPCI refuses to ban Crypto”, etc.

What this means is that NPCI has started supporting the Crypto Exchanges and may allow private Bitcoin exchanges to use the NPCI switch to carry out Crypto trade, bypassing the Banks. Even if Banks are prevented from directly supporting Crypto trades, NPCI will become the larger clearing house to settle the payments between the buyers and sellers of a crypto exchange.

Just as Bitcoin and Crypto currencies are going to make Indian Currency redundant, now NPCI will make RBI controlled Banks redundant, and the ecosystem for Crypto trade would be complete without the Banks.

I once again call upon Mrs Nirmala Sitharaman to wake up and break her silence. We do not know if she is on the side of Black money holders or against them. We request her, as part of the Modi cabinet, to confirm or deny whether the Ministry of Finance is trying to support the Bitcoin industry, which is the support base of Cyber Criminals and Cyber terrorists besides being the digital black money of the world.

I have been highlighting that a Crypto Ban is required to eliminate the strength of “Digital Black Money” and “Cyber Criminals”. I have also highlighted that anti-Government activities of the opposition parties could be funded by Crypto currencies.

Mr Amit Shah may not be understanding the risk that a well-oiled currency of the criminals can pose to national security. Mr Narendra Modi appears to be too busy with Covid issues and to have lost his will to eliminate black money. We urge them to realize the damage they are causing by their procrastination on the issue of the Crypto ban.

Elimination of black money, which includes banning of Cryptos, is a step to recognize the honest citizens of India who do not want to support this global black money ecosystem. India leading a global movement to ban Cryptos as “Unregulated Currency” is essential to prevent illegal drug trade and illegal arms trade, as well as to choke the dark web.

I wish somebody makes Mr Modi realize that this cannot be done except by him, and that after his time this country is likely to have a very bleak future. Already West Bengal and Kerala have joined J&K as problem states and some others will soon join. We would then need another Sardar Patel to unify the country. One step required to slow down the erosion of nationalistic politics and the empowerment of corruption led politics is to eliminate the source of funding of such transactions, which requires Cryptos to thrive.

NPCI appears to be gearing itself to the role of a “Digital Black Money Exchange”.

In the meantime we need an explanation from NPCI for their recent supporting statements to boost Bitcoin.

As of now NPCI is open to RTI, and I would like some of my friends to find out if all NPCI executives can declare their Crypto holdings, so that if and when Cryptos are banned and the holdings have to be accounted for, we will know if these executives have been honest in their declarations.

If Mr Modi really musters the courage to ban Cryptos, the industry will still try to extract a concession in the form of extended time to get their crypto wealth converted into legitimate money. But this raises a moral issue: when demonetization of physical currency was given a fixed window for conversion, why should demonetization of digital currency be given more time?

I also request the Chief Justice of India to obtain a declaration of Crypto holdings of all the Judges, since as and when the issue reaches the Supreme Court and is argued as a “Fundamental Right”, the bench of the Supreme Court which hears the case should be clean.

If BJP is really interested in eliminating corruption in India, this is the time to show their resolve.

Naavi

P.S:

I would like Privacy and Security professionals to go through the NPCI privacy policy available at https://www.npci.org.in/privacy-policy

(Also archived at https://naavi.org/uploads_wp/2021/npci_privacy_policy.pdf)

Refer:

Responsibility for data protection in case of Amazon Pay etc. lies with NPCI, says RBI

Covid Bed Scam in Bangalore is a sophisticated Cyber Crime and Terrorism

Yesterday, Mr Tejasvi Surya, the honourable MP of South Bangalore and his colleagues and a few MLAs joined together and exposed a major Terrorist plot in Bangalore involving sophisticated Cyber Crime techniques.

Refer some details here:

flipboard.com

News18.com

The media and opposition leaders who were complaining about the Government's mismanagement of oxygen supply were stunned when they learnt that the BBMP War Room was the center of this terror operation, which involved creating panic amongst the population, large scale deaths and unrest in the community.

The Police Commissioner announced that two persons were arrested and a case was booked.

During the press conference, Mr Surya said that his team was stonewalled by BBMP refusing to share vital crime related information, indicating complicity of BBMP officials in this scam. The Commissioner of Police has not so far indicated the arrest of any BBMP officials. The least that was expected was the immediate arrest of the IAS officer Ms Tulsi who was in charge of the BBMP War Room. Police owe an explanation as to why there was no prima facie case against this War Room in charge, the several computer operators in the War Room and the several Arogya Mitra agents in some hospitals, who were all prima facie involved in the fraud.

Police seem to be handling this with kid gloves and it is apparent that political influence may be at play despite the involvement of an MP and several MPs.

Mr Yeddyurappa as CM requires to show more courage to handle the situation.

During the reporting yesterday, it was indicated that 16 Muslim youth were appointed in the War Room and were part of the conspiracy. None of them seem to have been arrested. This showed a possible organized attempt to take over the operation of the War Room by a group of radicals, and the investigation has to proceed in this direction.

Section 66F of ITA 2000 says:

“Whoever, With intent to…. strike terror in the people and section of the people by denying or cause the denial of access to any person authorized to access computer resource; or attempting to penetrate or access a computer resource without authorisation or exceeding authorized access; or introducing or causing to introduce any Computer Contaminant and by means of such conduct causes or is likely to cause death…”

This section fits the current crime perfectly, since the software intended for booking of the beds was manipulated and, just as happens in Phishing scams, batch processing of allotments was carried out in the dead of the night.

Police should include Section 66F in the charge sheet immediately and bring in the Cyber Crime wing to secure the electronic evidence, without which the benevolent Courts will gladly discharge all the terrorists for lack of admissible evidence.

All Hospital managements through which the 4000 plus cases pointed out by Mr Surya were handled were also aware of the fraud and must be considered as suspected beneficiaries.

I call upon the IT system managers and CISOs of these hospitals, which include Manipal Hospital and Apollo Hospital, to explain why they were not monitoring the log records related to booking and could not identify the suspicious pattern of allotments. There was a failure of IT Security and a conspiratorial silence of the professionals which requires explanation. If the CISO community had been vigilant in these hospitals, the fraud could have been identified before many deaths happened in the last week. These hospital CISOs should now conduct an audit and document it to identify more such cases of fraudulent allotments of beds, fraudulent vaccinations etc. This is part of the IS management requirements.
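The kind of log monitoring asked of the hospital CISOs above, as an added illustration that is not code from the post or from any hospital system: the log format, field names, operator ids and the sample lines are constructed, and the two checks (allotments in the dead of night, and a burst of many allotments by one operator within a short window, the batch pattern the post describes) use assumed thresholds.

```python
"""Flag suspicious patterns in constructed hospital bed-allotment logs.

Assumed log format, one record per line:
    <ISO timestamp> <operator id> <bed id> <patient id> <ALLOT|RELEASE>
All sample data below is constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

SAMPLE_LOG = """\
2021-05-03T10:12:04 op17 ICU-04 P1001 ALLOT
2021-05-03T11:40:19 op22 GEN-12 P1002 ALLOT
2021-05-03T14:05:33 op17 ICU-04 P1001 RELEASE
2021-05-03T16:22:41 op22 GEN-14 P1004 ALLOT
2021-05-04T02:03:10 op31 ICU-01 P2001 ALLOT
2021-05-04T02:03:12 op31 ICU-02 P2002 ALLOT
2021-05-04T02:03:15 op31 ICU-03 P2003 ALLOT
2021-05-04T02:03:17 op31 GEN-20 P2004 ALLOT
2021-05-04T02:03:20 op31 GEN-21 P2005 ALLOT
2021-05-04T02:03:22 op31 GEN-22 P2006 ALLOT
2021-05-04T03:30:05 op22 GEN-15 P2007 ALLOT
2021-05-04T09:15:00 op17 ICU-04 P2008 ALLOT
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not trusted."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, operator, bed, patient, action = parts
        records.append({"ts": datetime.fromisoformat(ts), "operator": operator,
                        "bed": bed, "patient": patient, "action": action})
    return records


def night_allotments(records, start=time(0, 0), end=time(5, 0)):
    """ALLOT actions whose wall-clock time falls in [start, end) (assumed window)."""
    return [r for r in records
            if r["action"] == "ALLOT" and start <= r["ts"].time() < end]


def burst_allotments(records, window=timedelta(minutes=2), threshold=5):
    """Operators who allotted `threshold` or more beds within `window`.

    Sliding window over each operator's sorted ALLOT timestamps; each burst
    is reported once, starting at its first timestamp.
    """
    by_op = defaultdict(list)
    for r in records:
        if r["action"] == "ALLOT":
            by_op[r["operator"]].append(r["ts"])
    bursts = []
    for operator, stamps in by_op.items():
        stamps.sort()
        i = 0
        while i < len(stamps):
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            count = j - i
            if count >= threshold:
                bursts.append({"operator": operator, "start": stamps[i], "count": count})
                i = j
            else:
                i += 1
    return bursts


def audit(text):
    """Run both checks and name every operator touched by either."""
    records = parse_log(text)
    night = night_allotments(records)
    bursts = burst_allotments(records)
    flagged = {r["operator"] for r in night} | {b["operator"] for b in bursts}
    return {"allotments": sum(r["action"] == "ALLOT" for r in records),
            "night_allotments": len(night), "bursts": bursts,
            "flagged_operators": sorted(flagged)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```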

Bangalore Police, like those in other places, have the reputation of making noise when the case is hot and later allowing things to be compromised. I hope this will not happen in this case, as it has already taken the lives of many.

Naavi

P.S: Added on 6th May 2021:

As expected, the above article did raise stiff opposition from professionals who believe that politics has got mixed up in the above narration. The objection was to the use of the word “Terrorism” and to the pointing out of the community mentioned by the MP during his interaction.

I owe an explanation in this regard.

As regards the facts, the incident is an unauthorized modification of information residing inside a computer and is therefore undoubtedly an offence under Section 66 of ITA 2000. Whether it comes under Section 66F and is fit to be called “Cyber Terrorism” is a subject of interpretation. It depends on the motive and the effect. The fact that the “Covid affected community” did feel terrorized more by the lack of medical facilities than by the disease, and that in this second wave more deaths are attributed to the lack of timely medical attention than to the inherent damage caused by the disease itself, indicates that the conditions of Section 66F were fulfilled. The effect, the causing of death, is also indisputable, though it is a consequence of the act. Hence theoretically the incident can be called Cyber Terrorism under Section 66F. It is for the further investigation and trial to establish.

As regards the reference to the community, the MP and the MLAs did ask a question to the BBMP officials about the role of the 16/17 persons, all of whom were from one community. In the video, the answer given by the BBMP official Ms Tulsi was unconvincing. Following the entry of CCB, some of these have been arrested. Whether 17 people were arrested yesterday, as was reported by some TV channels, or only 4 were arrested and some were picked up and detained for questioning (not technically arrested), is a matter of detail. It is true that not all the arrested people belonged to the minority community. But many more, including many BBMP officials, may be charged if a proper investigation occurs. As we are aware, very soon other political and religious influences will start playing and the investigation could lose steam. We are in a country where politicians shed more tears for the Batla encounter deaths or for the Ishrat Jahan encounter than for people who died because of the activities of such terrorists. Even the Police may be hesitant to reveal the names of the arrested because they want to protect their community identity.

When Mr Tejasvi Surya and Mr Ravi Subramanyam pointed out the involvement of 17 Muslims, either directly as employees of BBMP or otherwise, it was natural for the public to get disturbed. Police and Politicians are normally wary of calling a spade a spade, and Mr Tejasvi Surya is an exception to this rule, which is not liked by all. My support to Mr Surya as a Whistleblower in this incident has therefore evoked opposition in some professional circles. I accept it as a natural reaction.

However, for those professionals who think “Professionalism” comes only with remaining silent when some societal issues are involved, I would like to disagree. Just as an individual can be a harsh CEO at the office and a soft father at home, a professional has to wear multiple hats, and it is possible to fulfill his professional duties without giving up his conscience. Many of my professional friends have taken to public service during this Covid emergency, even at the cost of their professional opportunities.

For those in the minority community who are hurt by my reference, I would like to state that the perception needs to be corrected from within the community. If 10% of the community are bad, it is the duty of the other 90% to correct the community and also change the perception of the other community. The problem is that the views of the 10% remain visible and saner voices are drowned. Professionals in the minority community remain silent supporters of such injustice and many are willing to flaunt their religious preferences, while the majority community normally keeps the two separate.

I even saw anger expressed against Mr Tejasvi Surya and calls for his arrest. So far, the professionals who are angry with me or Mr Surya have not condemned the persons named. I call upon the professionals who object to my supporting Mr Surya’s statement to unequivocally condemn any person, irrespective of the community, who is involved in this crime. I am prepared to do so and have called for punitive action against the BBMP official in charge of the war room. Corruption and greed are omnipresent and it is the duty of professionals to fight against them. If corruption is less in some members of BJP, they deserve support because there is hope for India. Mr Modi is one such person, and we are seeing the twilight of a rising Sun on the horizon in Karnataka which has to be supported and nurtured. I have been expressing my anger from time to time against BJP members also, particularly on the issue of the Crypto Currency ban. The criticisms are issue based and not otherwise.

If my references above trigger an introspection in the community of professionals to be fair and honest and not resort to brushing issues under the carpet because it is not fashionable, the purpose of raising the issue is served.

I have many friends in the minority community and I urge them to take leadership to change the community mindset to support or oppose anything in the name of the community.

Naavi

Is it time for a Unified DTH-Internet System?

The issue of an Intermediary Guideline and Digital Ethical Code as a joint effort of the MeitY and the Ministry of I & B has revived the thoughts of the “Communication Convergence Act” that India once considered. During the days of Mr Ramvilas Paswan in the Vajpayee Government, the proposal to have a unified Ministry was dropped and, along with it, the concept of a Convergence Act was also dropped.

Now the Internet Service Providers (ISPs) have been making attempts to take over part of the media elements on the Internet by creating OTT services. Airtel DTH has introduced a Set Top Box that integrates the DTH service with OTT content. There is the Amazon Fire Stick that achieves the same objective with an attachable device at a higher cost.

Soon Optical Fiber based ISPs would bring TV service along with their internet connection.

These developments could cause a disruption to the DTH services, since the Fiber based connections are weather proof and can be used as a replacement for the DTH service even on Computer and Mobile devices.

It is therefore time for all DTH service providers to integrate their broadcasting services with an Internet channel which can be siphoned off the Set Top Box into the Wifi network and extended to the computer network at home.

Currently such a unified service can work under dual licensing, one from the I & B ministry and the other from MeitY. This could help in increasing the reach of Internet across the country which is essential in the Corona induced environment when Work From Home is the new norm.

The “Satellite Based” Internet system is also ideal to ensure that every inch of the country is covered with Internet connectivity. This will be a good supplement to the Mobile based network, which requires proximity to a tower. A Satellite based DTH cum Internet service may not require Towers, which are also a source of radiation. Any remote farm house can put up a satellite dish and draw both TV signals for entertainment and Internet signals for other uses.

I presume that the technology for this exists as of now and is being embedded in the new generation of Set Top Boxes. I hope it will become a common service in due course.

The question is who will be the first to introduce such a service?… Airtel? TataSky? Videocon? Dish TV?… Let us wait and watch.

Naavi

Reference Articles at Naavi.org:

The Objectives

Convergence Issues
Communication Convergence Bill Remembered
Cable TV in Chennai back..and…Gone Again..What Next?
Cable TV Regulation in India-Draft Comments
Ministry Officials Refuse to Budge on CAS-Pay Channels to further hike the rates ?
Is This the Consumer Friendly CAS that the PM Promised?
“Yes to CAS and No to STB” or “Yes to STB and No to CAS?”
STBs required even for Free Channels??
CAS Regime….Issues still to be Resolved
Spam Enters Indian TV Broadcasting
A Relook at the Emerging Media Policies
ICC’s high handedness Vindicates Convergence Act
Convergence Bill-More dangerous than the Carnivore?
Netizens and Fellow Countrymen, Arise Awake and Stop Not until Freedom is Restored  !!!
Powers of the Convergence Commission
Convergence Bill- The Battle for the Spectrum
Communication Convergence Bill.. Offences and Penalties
Communication Convergence Bill..The Regulatory  Framework 
Communication Convergence Bill..The objectives 
“Net Telephony” set to enter India.
New Regulations for the Convergence Sector

Net4India Issue Resolved

This has reference to the various discussions we have had on this website on the issue arising out of the insolvency petition on Net4India, which resulted in thousands of domain name registrants and website companies being unable to operate their websites and e-mail accounts.

After Naavi.org escalated the issue to all levels, first NIXI resolved the transfer issue of dot-in domain names, and now ICANN has also taken steps to resolve the transfer of other domain name extensions such as dot-com names.

ICANN has announced today that it has activated the DARTP process (De-Accredited Registrar Transition Procedure) to enable the successful transition of domain names currently registered with Net 4 India Limited to an ICANN accredited registrar who can serve the registrants.

It appears that NCLT which was holding up the resolution so far has cleared the process.

According to ICANN,

“ICANN org is initiating the DARTP process to identify and select a gaining registrar(s) as quickly as possible.

The gaining registrar(s) will assume various responsibilities, including supporting former Net 4 India Limited domain name registrants with the renewal, transfer, and management of their domain names as required in the RAA.

Once the gaining registrar(s) is identified and confirmed, it will be listed on the Bulk Transfers page.

ICANN expects to announce the gaining registrar(s) within the next two weeks.

Once the transfer of registrations has been completed, the new registrar(s) will contact registrants with information on how to access and maintain their domain name registrations.

It is critical that registrants follow the instructions provided by the gaining registrar(s) regarding how to manage their domain name registrations. There is no cost to registrants for the bulk transfer.”

There are still some issues, such as the holders of e-mail addresses in the vsnl.com domain, which was discontinued by the Tatas. We have to wait and see how this would be resolved. We also need to see how the residual balances that the account holders held with Net 4 India would be accounted for.

It is a tragedy that the resolution took so much time, and NCLT needs to apologize to the Indian public for causing this issue and delaying resolution for such a long time.

The issue of Net 4 India taking a loan from SBI and defaulting is apparently a fraud that requires a CBI investigation. The NCLT needs to be educated on how it should meet its responsibilities to society when the interests of the public are involved. The arrogance of being a Judicial authority should not give NCLT a license to ignore the interest of 70,000 plus members of the public. The MeitY, as well as the Supreme Court, failed to intervene and resolve the issue.

I hope all these agencies learn a lesson from the incident and correct their actions in future.

Naavi


Cellebrite Vs Signal.. Who will win?

In December, Cellebrite, a noted Mobile forensic company, announced that the Signal App crypto had been cracked and that Cellebrite is assisting Law enforcement to view messages which Signal claims are encrypted end-to-end. (See article here)

Obviously, this was a big blow to the ego of Signal as well as its claim to be the messaging solution that can be relied upon for Privacy as people move out of WhatsApp.

And Signal, in its retaliatory jab, has announced that Cellebrite’s phone cracking software has its own vulnerabilities, which the Signal founder has cracked, and that these vulnerabilities can compromise the privacy of individuals whose data had been accessed by Cellebrite. (Refer here)

It must be noted that Signal has admitted to “Cracking”, which is an offence in every country. On the other hand, if Cellebrite’s UFED is used by a law enforcement agency, the compromised information would be only with the law enforcement, and hence Cellebrite is reasonably protected from direct liabilities.

The mutual accusations between Cellebrite, the security company, and Signal, the encryption company that in a given instance may be helping the criminals, are an example of how companies can destroy each other over ego issues.

This is a self destructive exercise in which Cellebrite is better off, as it is on the law enforcement side. For Signal, it will be a losing battle both legally and reputation wise.

Naavi


Digital Assets of the Deceased… Need for a legislative change

We have in the past discussed the issue of “Digital Wills”. (Refer here: Inheritance of Virtual Assets) ITA 2000 has kept “Wills” in electronic form outside its provisions. Hence “Digital Wills” are not valid like written documents under Section 3 of ITA 2000. There is a logic for this, and hence we can accept it as the current policy of the Government to prevent possible frauds by creation of fake digital wills.

Now Dr Prashant Mali, a well known Cyber Law expert, has published a comprehensive article on the issues related to digital assets and their inheritance. (Refer here)

We are on the threshold of the passing of the PDPB 2019, which will bring into force new regulations on how to handle, or how not to handle, personal information. In due course we may also have legislation on “Non Personal Data Governance” and how to unlock financial value out of such assets.

Naavi has also recommended that “Data Assets” should be brought into account books by creating a contra entry in the balance sheet as both an asset and a liability until such time that we have a proper method of valuation of data assets acceptable to the accounting fraternity.

FDPPI has also adopted the PDPSI (Personal Data Protection Standard of India) as a framework for audit and certification of Personal Data Management System (PDPMS).

In the light of the above, it is considered that we need to suggest some changes to the law to resolve the issues of “Transfer of Digital Assets to the legal heirs of the deceased”.

This needs to be referred to in ITA 2000 in the form of a “Guideline to Intermediaries on handling of Deceased accounts”. It also has to be addressed in the PDPB 2019 follow up, in the form of guidelines to be issued by the DPA in due course.

In the recent notification of Intermediary guidelines (February 25, 2021), there is a requirement that the Intermediary shall periodically validate the account holder’s data and get his/her consent at least once a year for the TOS/Privacy policy. In the case of a deceased holder, the intermediary will not get the response, and the account may also show an inoperative status. Presently some intermediaries simply disable the account and the assets inside the account get lost.

There should therefore be an amendment to the Section 79 guidelines to the following effect:

“In the event of an account being inoperative for more than 6 months, the Intermediary shall notify the account holder to renew the account by posting a data transaction (which could even be a reset of the password). If the customer remains incommunicado, then the account may be treated as dormant and archived for better security, with an additional factor of authentication for renewal.

If the account remains dormant for a further period of say 18 months, then the account may be declared as inoperative and flagged for an increased level of security.

An inoperative account shall be notified to the office of “Controller of Deceased digital assets” (CDDA) to be created by the MeitY.

If there is any knowledge that the account holder is deceased, the account shall be notified as “Account holder reported deceased” with a suitable mark on the content along with the source of such information and the CDDA shall be notified.

The CDDA may try to establish contact with the account holder and, if the account holder fails to respond for a period of 6 months, or on receipt of any confirmation that the account holder is deceased, inform the account holder who thereafter shall transfer all the assets of the deceased to the CDDA.

In the case of e-mail accounts and Facebook pages or the like, the notice that the account has been transferred to CDDA shall be prominently noted as a default error response.

Thereafter the legal heirs may contact CDDA for transfer of the digital assets and, subject to the satisfaction of CDDA, the asset may be transferred to the legal heirs of the deceased on demand.

In the event of the legal heirs opting to disown the data, the data asset shall be considered the asset of the sovereign state and shall be kept at the disposal of CDDA which shall dispose it of in appropriate public interest.”
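The account timeline proposed above, modelled as a state machine an intermediary could run on its own records, as an added illustration that is not code from the post or from any intermediary. The state names, the Account fields, the event functions and the 30-day grace period after the renewal notice are assumptions; the 6-month, 18-month and 6-month thresholds are the ones in the proposal, with a month approximated as 30 days.

```python
"""State machine for the proposed dormant / deceased account timeline.

Assumptions (not from the proposal): state names, the Account fields,
NOTICE_GRACE, and a 30-day month. Transitions are evaluated on whatever
date the intermediary runs the check, so a long-idle account moves one
step per run rather than skipping straight to CDDA.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MONTH = timedelta(days=30)          # assumption: calendar month ~ 30 days
NOTICE_GRACE = timedelta(days=30)   # assumption: time allowed to answer the notice


@dataclass
class Account:
    holder: str
    last_activity: date                      # last data transaction by the holder
    state: str = "ACTIVE"
    notice_sent: Optional[date] = None
    dormant_since: Optional[date] = None
    cdda_contact_since: Optional[date] = None  # set when CDDA is notified
    deceased_confirmed: bool = False
    extra_auth_required: bool = False        # additional factor for renewal
    default_response: str = ""               # shown for e-mail / page lookups


def record_activity(acct: Account, today: date) -> None:
    """Any data transaction by the holder (even a password reset) renews."""
    if acct.state in ("ACTIVE", "RENEWAL_NOTICE", "DORMANT", "INOPERATIVE"):
        acct.state = "ACTIVE"
        acct.last_activity = today
        acct.notice_sent = acct.dormant_since = acct.cdda_contact_since = None
        acct.extra_auth_required = False


def report_deceased(acct: Account, today: date, confirmed: bool) -> None:
    """Mark the account as reported deceased and notify CDDA."""
    if acct.state in ("TRANSFERRED_TO_CDDA", "RELEASED_TO_HEIRS"):
        return
    acct.state = "REPORTED_DECEASED"
    acct.deceased_confirmed = acct.deceased_confirmed or confirmed
    acct.cdda_contact_since = acct.cdda_contact_since or today


def heirs_claim(acct: Account, cdda_satisfied: bool) -> bool:
    """Legal heirs can take over only once the asset sits with CDDA."""
    if acct.state == "TRANSFERRED_TO_CDDA" and cdda_satisfied:
        acct.state = "RELEASED_TO_HEIRS"
        return True
    return False


def evaluate(acct: Account, today: date) -> str:
    """Advance the account along the proposed timeline as of `today`."""
    if acct.state == "ACTIVE" and today - acct.last_activity > 6 * MONTH:
        acct.state, acct.notice_sent = "RENEWAL_NOTICE", today
    if acct.state == "RENEWAL_NOTICE" and today - acct.notice_sent > NOTICE_GRACE:
        acct.state, acct.dormant_since = "DORMANT", today     # archived
        acct.extra_auth_required = True
    if acct.state == "DORMANT" and today - acct.dormant_since > 18 * MONTH:
        acct.state = "INOPERATIVE"                            # flagged, CDDA notified
        acct.cdda_contact_since = today
    if acct.state in ("INOPERATIVE", "REPORTED_DECEASED"):
        no_response = today - acct.cdda_contact_since > 6 * MONTH
        if no_response or acct.deceased_confirmed:
            acct.state = "TRANSFERRED_TO_CDDA"
            acct.default_response = "Account transferred to CDDA"
    return acct.state


if __name__ == "__main__":
    acct = Account("holder-1", date(2021, 1, 1))
    for check in (date(2021, 7, 15), date(2021, 9, 1), date(2023, 4, 1), date(2023, 11, 1)):
        print(check, evaluate(acct, check))
```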

Since the digital information in a personal account is classified as “Personal Data” under the PDPB 2019, the Data Protection Authority shall be empowered to make the regulations under the PDPB 2019, and such an amendment can be incorporated at the time of passage so that detailed guidelines can be issued by the DPA in due course.

The CDDA could be an authority which would be a “Data Fiduciary” under PDPB 2019. It can also use anonymization of the information and create value to be harnessed as sovereign asset realization when the Non Personal Data Governance Act becomes operative. In the context of the upcoming regulation for banning crypto assets, that law also needs to incorporate a reference on how to deal with the crypto assets of the deceased.

I urge FDPPI, the premier Data Protection agency in India, to take up the issue and formulate policy guidelines in this regard.

Naavi

Also refer:

Forbes article

Prnewswire

Research paper