Where is the Net4India resolution? Why is the Government of India silent?

I refer to the various articles regarding the Net4India issue and it appears that time has come to question the wisdom of the Government of India in not intervening in the NCLT proceedings regarding the Net4India issue.

To summarize the developments till now, Net4India was a leading domain name registrant in India and lakhs of Indians registered domain names with the company and many thousands also availed other services for hosting their domain names and e-mail services from them. The company was therefore a critical service provider for Internet based activities in India.

The company however stopped its operations some time back and customers found out that an NCLT proceeding had been initiated by Edelweiss Asset Reconstruction Company to which State Bank of India assigned the debts of the company.

It is not clear how SBI came to run the huge debt against the Company and whether there was any internal vigilance enquiry or CBI enquiry from the Ministry of Finance or RBI. It appears that there was no such enquiry and there was a massive fraud in SBI resulting in an NPA of more than 200 crores when SBI quietly shifted the action to NCLT.

Until the matter was brought into the open by Naavi.org, there was no clarity on why Net4India was not servicing their customers properly. Now the reason for the partial closure of the operations has become clear. It is due to the insolvency proceedings that have been initiated for the recovery of the SBI loan through Edelweiss Asset Reconstruction Company.

However, we can identify that there were many faults by NCLT, SBI etc. which have resulted in the current crisis. It is also not clear whether the valuation was done fairly in the assignment of debt from SBI to Edelweiss. These are subject matters for the Finance Ministry to consider. Nothing less than a CBI enquiry is called for into the way by which the debt was built up in SBI, how it was assigned to Edelweiss and how they tried to suppress the digital assets of Net4India either by design or ignorance, causing losses to lakhs of citizens of the country.

Some of the omissions of NCLT and others can be listed as follows.

a) Not ensuring that the notice about the insolvency proceedings was displayed on the Net4India website, which is the contact point for the lakhs of its customers, many of whom were also small creditors of the company.

b) NCLT not properly understanding the business of Net4India nor making an assessment of its digital assets before they ordered the sale of its properties and starting the insolvency proceedings.

c) From the order dated 25th September 2020, it is now clear that the NCLT has been fully apprised now. However, the website of Net4India still sports the “Covid Notice” and there is no notice of the proceedings. Though it is of little significance now, since the customers of Net4India have been wronged by NCLT and that cannot be reversed, the fact that NCLT does not even now realize that it ought to ensure that a notice is displayed on all Net4India websites speaks volumes about the knowledge and efficiency of our judicial system in facing the challenges of the Digital era.

d) Since the Judges manning NCLT are the previous generation judges, it is the responsibility of the IT Ministry and the Law Ministry to actually organize appropriate training to the judges in the NCLT which makes them realize that today there is no company in India which does not have digital assets. In many instances the digital assets may far outweigh the physical assets and in all insolvency proceedings it should be mandatory for NCLT to recognize the presence of digital assets and how its value may be unlocked before proceeding with the insolvency petition.

e) The Government of India is presently considering the “Non Personal Data Governance Act” based on the report of the Kris Gopalakrishnan Committee. This Act envisages setting up of a “Data Exchange” where non personal data can be sold for value like shares in BSE/NSE. On the other hand, NCLT, which has thousands of corporate insolvency petitions, seems completely ignorant of the value of data as a corporate asset. Had the special nature of the business of Net4India been factored into the insolvency proceedings, the revelations in the order of 25th September 2020 would have surfaced in the first hearing itself. In that case, even before the immovable property belonging to the company was sought to be sold, the digital assets would have been encashed by transferring the business of the Domain Name registration to another entity as a “Going Concern”.

f) It is also time for NCLT to give confidence to the corporate world as to whether they follow the concept of value of an asset on a “Gone Concern Basis” or a “Going Concern Basis”. If law recognizes “Intellectual Property” and we have a whole system for protecting, transferring and selling Trademarks, Copyrighted works, Patents etc., the law should also recognize that a substantial part of the value of IPR exists on a “Going Concern” basis. When there are insolvency proceedings, unless special care is taken, the value of IPR such as Trademarks comes down to Zero. However, before the value of a trademark comes down to Zero, there could be companies in a similar business who may like to take over the trademark or other rights so that some value can be realized before applying the insolvency hammer. Similarly, the digital assets of Net4India can be valuable as a going concern and become zero as a gone concern. NCLT should try to preserve the value by adopting the Going Concern basis of valuation as long as feasible.

g) In the Net4India case, the lakhs of customers would have been happy if another registrar had taken over the business and provided business continuity to their operations which depended on the domain names and other ISP services registered with Net4India.

I would like NCLT to give a thought to what would happen if the domain name nclt.gov.in stops functioning from tomorrow or some cyber squatter diverts the domain. What if the e-mail address of the registrar of NCLT or the RPs stops functioning from tomorrow?

Then the cost that NCLT will have to pay for restoring its operations  is the value of the domain name nclt.gov.in or the e-mail address registrar@nclt.gov.in.

NCLT should ask itself whether  this value is reflected in the NCLT asset register.

I am separately discussing the valuation of data assets in a follow up article. But for the time being I want to only highlight that if one domain name of nclt.gov.in is having such value that if it is stopped there would be chaos in the country, then imagine that Net4India had more than  70000 domain names registered by different individuals and companies in India who were given a scare that their business doors have been closed because NCLT did not recognize that the insolvency proceedings will indirectly drive many others into insolvency or at least significant losses.

h) Again, I am willing to concede that the Judges of NCLT did not study valuation of data during their LLB days nor encountered such issues during the days when they grew in the system to don the responsible position they hold today.

But does not MeitY know the value of data asset and how it can affect the proceedings of asset reconstruction and insolvency?

Does not Finance ministry which oversees the Insolvency act know?

Does not Edelweiss reconstruction which was the petitioner know?

Does not SBI which gave a loan of 200+ crores to Net4India  know?

I feel that all these agencies lacked the vision to understand that their action in trying to collect their debts of Rs 200 crores could jeopardize the assets worth thousands of crores of the customers of Net4India.

Do they know that even an innocuous domain name like naavi.org is valued at nearly a lakh of rupees though it may take only Rs 700 per year to maintain it? If it is so, we can imagine what would be the value of 70000 plus domain names alone which the proceedings have jeopardized.

Who is responsible for this?

Digital India wants to know if all these agencies including NCLT are willing to apologize to the public for their ignorance?

Will the MeitY or Law Ministry or Finance Ministry take the responsibility for not creating the awareness about the value of data with the NCLT judges?

In most compliance measures we say that “Awareness training” is a pre-requisite for a company. Is this not a pre-requisite before judges are appointed to the NCLT or RPs pass the examination?

i) Even though NIXI has assured that dot.in domain names will be transferred out of Net4domains and AuthCodes have been released in recent weeks, the transfers are yet to be completed since after the new registrar requests for confirmation of transfer, no response is coming from net4India. I hope NIXI will look into this and ensure that the transfers get completed.

j) While NIXI has shown some concern in attending to the dot in domain holders, ICANN remains intransigent. ICANN is still insisting that unless its dues from Net4India are cleared, they will not allow transfer of domains in the generic TLDs. They are only affecting the domain name registrants by their actions and not the Registrar.

k) ICANN failed in its due diligence in not taking action in time when Net4India was converting itself into a reseller and roped in another entity to defraud the customers who had no clue on how this transfer would affect them. Now the NCLT order of 25th September indicates that Net4India committed a fraud by retaining its main registrar contract with ICANN without making payment of dues but shifted the revenue generating business to another entity. All companies who are part of this “Domain laundering” must be identified and punished.

l) If all the above actions are to be taken, then the MeitY has to step in and take the responsibility for resolving the issue.

We must consider that Net4India is an indicator of the shortcoming in the ICANN system of Domain Name registrations appointing registrars without proper due diligence. Hence this matter needs to be addressed at the ICANN policy level also so that business failures of registrars do not hold the world to ransom.

I want ICANN to imagine the impact on the global economy if GoDaddy stops its business today for whatever reason.

Indian Government has to think if it is possible for ICANN to hold Indian Government to ransom by threatening the closure of the domain name registries. What is the guarantee that this will not happen some time in the future when ICANN management comes under the control of China-Pakistan-North Korean nexus?

Since ICANN does not have a solution for this, can Indian Government continue to keep Indian digital economy dependent on ICANN registrars? Is it not time for the Indian Government to ensure that the interests of the Indian citizens are protected by ensuring that all domain name registrations of Indian citizens are under the control of the Indian Government and no external body can threaten us to shut down our digital system?

This requires that NIXI should be given the responsibility for all TLDs registered by an Indian citizen. For this process, the domain name registration system should have a “Right of the Nation” clause and the registrant should be provided an option to appoint a Government of his choice or by default the Government of a country of which he is a citizen as the controller for the domain. In the event of contingency where the registrar stops business ICANN should enable the designated Government to take over control of the said domain.

If Internet is considered a human right, there is a need to ensure that the domain name registration system is also secured properly so that the Net4India issue should be the last such incident in India.

Countries all over the world are passing personal data protection laws to protect the right to privacy of their citizens. Domain Name registration represents the Right to do digital business and it needs to be also protected. Fortunately we do not need a separate law for this purpose and we can bring it under our Information Technology Act 2000. We can consider the situation like what we are now facing as a “Denial of Access” and an offence under Section 66 of ITA 2000. Everyone who is directly and indirectly responsible for this situation should be prosecuted under ITA 2000 so that they do not mess with the digital asset system.

In the meantime, watch out for my views on the valuation of digital assets for which the Chartered Accountant Community has to make some changes in their accounting practices.

Naavi

(Comments welcome)

Posted in Cyber Law | 11 Comments

Made in India-Made for the World

Organizations in India and elsewhere are today confronted with the need to be compliant with multiple data protection laws.

As long as the concern of a company was just “Security” of information, it was fine to adopt a common framework such as ISO 27001 and try to manage the Confidentiality, Integrity and Availability (CIA) of data and protect all the information under one umbrella.

Even when the CIA principle got extended to “Accountability” and “Non Repudiation” it was not difficult to extend the ISO 27001 framework with a few additional controls applicable across the company.

However in practice, companies always had difficulty in extending ISO 27001 across an enterprise spread over multiple locations and often an organization restricted the implementation to the most visible facility while calling itself “ISO 27001 compliant”.

The WFH situation at present completely negates the ISO 27001 as the facilities get spread out and the concept of physical security loses its meaning.

Additionally many companies today process personal data from different countries and they are exposed to different laws to be complied with simultaneously.

Indian companies will soon enter into this uncertain zone since until today they were required to contend only with ITA 2000 and Section 43A which could be applied to all the information they handled in electronic form.

But the situation is now changing. PDPAI (Personal Data Protection Act of India) is coming. PDPA will replace Section 43A of the ITA 2000 but the rest of ITA 2000 remains.

In this emerging scenario companies will have to be compliant both to ITA 2000 as well as PDPAI. Additionally if they handle data from EU they need to be compliant to GDPR. If they handle data from California, they need to be compliant with CCPA and so on. Ultimately, the company needs to be compliant with 100 plus data protection laws if they want to be globally compliant. Hence one ISO 27701 with ISO 27001 will not suffice to be compliant with multiple data protection laws.

When the number of such data protection regulations were only a handful, the company could set up different sub-entities to handle different compliances like setting up “Dedicated ODCs”. This concept was suggested under HIPAA for handling of PHI and non PHI  activities by the recognition of a “Hybrid Entity” and application of HIPAA only to the recognized HIPAA component of the facilities of the hybrid entity. This is also permitted under PDPAI (as per the current Bill) as a “Notified Facility processing information of foreign citizens under a contract”.

However, in the context of the number of compliances increasing to double digits at least, it is impossible to create physically the separate personal data silos.  Hence we need to look for virtualization of the compliance process so that we virtually capture the personal data from different data protection regimes and apply different compliance requirements.

The “Personal Data Protection Standard of India” (PDPSI) proposed by Naavi and FDPPI will be the first such global data protection framework which can be applied not only in India but in the entire world.

This is a “Made in India – Made for the World” Project. It pursues the “One Company-One Compliance Framework” principle.

The PDPSI in implementation consists of a Core consisting of certain standards and is supported by implementation specifications which consist of some common controls and some controls that are different at the procedural level depending on the law that applies.

The personal data classification system under PDPSI takes care of segregating the personal data as per the relevant data protection law so that different sets of implementation specifications are implemented for different sets.

However, one PDPSI implementation should be sufficient for compliance of all data protection laws. To the extent data protection includes securing the personal data under the CIA concept, the PDPSI also doubles up as the ISMS for the personal data component of the data.

Nothing prevents the organization from extending the same standard to the “Non Personal Data” as well with the set of specifications minus the data protection law specific controls.

Hence One Standard for the enterprise as a whole.

Because of this unique structuring of PDPSI it is capable of being used as a “Universal Compliance Standard” across countries, across different data protection laws.

Truly.. Made in India for the World.

FDPPI (Foundation of Data Protection Professionals) is in the process of developing a set of Lead Auditors who can implement the PDPSI framework based compliance systems so that the concept does not remain a concept only but will soon be rolled out in India.

If any organization wants to adopt the PDPSI framework, they may contact the undersigned.

Naavi

Posted in Cyber Law | Leave a comment


Transfer of Domain Names from Net4India.. Some positive news

It appears that our persistent follow up with different agencies including the Finance Ministry, MeitY as well as the NCLT itself besides the RP and others, has yielded some positive results.

Since morning other registrars are contacting domain name owners whose domains are stuck with Net4India suggesting transfer of domains to their service.

It appears that NCLT must have provided the necessary permission in today’s hearing.

It is not clear if this is restricted only to dot in domains or it will extend to other domains also.

The exact way it is to be done is also unclear. Whether the Authcodes would be released to the registrants and they can then approach the registrars of their choice or the Authcodes will be released only on a request by the destination registrar is not clear.

We may get some clarity by tomorrow.

The standard mail received is as follows:

Quote:

NIXI has started permitting end users of .IN Domain to migrate to other registrars (other than Net 4 India).

NIXI has decided not to discontinue the .IN Services for those .IN domain end users whose renewal is due till December, 2020

For Name server update, end users may send mails to following email ids to avail direct services (without help of Net4 India)
i. techsupport@registry.in
ii. registry@nixi.in
iii. rajiv@nixi.in
Unquote:

Kindly use this opportunity. At least it will enable you to transfer the dot in domains.

Naavi

Posted in Cyber Law | 21 Comments


Cyber Catastrophe in the horizon.. 70000 domains in India under Cyber Attack

(This is a continuation of the several articles on Net4India issue that Naavi.org has been highlighting)

Action on the Complaint

Since I have been receiving many e-mails regarding the issue of Net4India which it is difficult to respond to individually, I shall henceforth be posting my views directly here.

At present I have communicated with Mr Vikram Bajaj, the Resolution Professional, and Mr Samiran Gupta, ICANN country head in India. Both have promised to help but have not been able to resolve the issue.

Mr Vikram Bajaj is seeking further directions from NCLT and Mr Samiran Gupta is perhaps bound by ICANN policies.

It appears that the issue of how Net4India was given a loan of Rs 194 crores by SBI which became an NPA is to be considered as a potential fraud which requires CBI investigation. The promoters of the company are not in India and are taking refuge in UK like Vijay Mallya.

In the meantime, the Bankruptcy proceedings have been started but NCLT perhaps was not informed about the interests of thousands of customers who were also creditors of Net4India (I refer to this as the 70000 community. The exact number is not known).

NCLT did not issue notices to these small and big creditors who had paid advance money in their accounts and were continuing to make payments for renewal and other services. If an inventory of creditors had been drawn up, the cumulative amount due to these customers, many of whom were registered as resellers, would have surfaced.

Each of the domain names registered represented a contractual obligation of Net4India to keep the domain operative and was guaranteed by ICANN. The value of the domain name was created out of such contracts. Each of the 70000 plus domains had an opportunity cost in terms of the fees payable for registration and also the additional costs involved in shifting the domain names to an alternative service provider.

It is to be noted that the company had continued its service even during the time the resolution proceedings were going on and it was only in recent times that some specific actions were visible on the customer dashboard to discontinue some services.

It is also noted that after we raised the issue through this forum, a few have received AuthCodes for transfer of domain names. This indicates that resolution of specific issues is still possible but there has been no common resolution.

After we had a brief meeting of some of the concerned members, Mr Mahendra Limaye, Advocate, has agreed to correspond with the RP and try to find a resolution. If required and if costs are taken care of, he may be prepared to take the issue as a PIL. Those of you who prefer this route may indicate it separately in a communication to Mr Limaye. Some of you have copied such requests to me and at least a few seem to have hesitation in sharing the information.

I have indicated that all persons who want to take up further action in this regard have to first send a request to Mr Vikram.bajaj@gmail.com. Later if they want they can contact Mr Limaye.

Larger Issues need to be addressed

Naavi.org will however continue its efforts to ensure that appropriate systemic changes are brought to the system of Domain Name registrations, to how the registrars may function, and to ensuring that consumers are not held to ransom because of business failures of the registrars.

These are issues that have been ignored by ICANN, NIXI, as well as the MeitY. We need to ensure that lasting changes are brought to our legal system, if necessary through Notifications under ITA 2000 or even amendment to ITA 2000, so that these kinds of problems do not recur at least in India.

As one of the measures, I am invoking the attention of the Finance Ministry, the Law Ministry, the IT Ministry and the Ministry of Consumer Affairs, all of whom have a stake in this resolution. CERT-In and NIXI should also be interested in finding technical solutions to a Cyber Catastrophe that appears to be imminent.

If 70000 domains in India had been discontinued by China or Pakistan we would have called it a Cyber Attack and it would have been discussed by Mr Ajit Doval, CERT-In and other cyber security policy makers.

But what is happening now is that this large-scale discontinuance of domains is occurring because of our own making. This issue has to be addressed by our authorities to find a resolution and cannot be left to be decided as an NPA recovery issue.

CBI Enquiry Required

The root cause of the problem is the Banking Fraud with State Bank of India. The Finance Ministry has not flagged this fraud and not conducted an investigation. RBI has not so far come up with its views on this NPA of Net4India and how it was built up. No CBI enquiry was ordered by RBI. SBI vigilance department also has not made public any action taken by them to prevent this NPA.

I request the Finance Minister, Mrs Nirmala Sitharaman, to take action on this end immediately by initiating a CBI investigation.

The CBI enquiry should not be confined to SBI loan fraud but also extend to how the NCLT was misled into suppressing the interests of the 70000 customers who were also creditors of Net4India and how, without giving any notice to them, the bankruptcy proceedings were continued in favour of one applicant.

I request the Ministry of Finance and RBI to also intervene in the proceedings of NCLT on the next hearing date of October 1st.

NCLT ignoring the value of Data Asset

We have raised the issue of NCLT ignoring the value of data as an asset of this company which is a different academic debate which we will continue.

It is our belief that NCLT did not recognize the existence of the data asset in the organization and just as a ransomware causes denial of service, the bankruptcy proceedings without addressing the issue of these customers was a flaw.

If the value of this data, namely the cumulative opportunity cost related to the services of 70000 customers along with the Intellectual Property Rights that are going to be adversely affected, is considered, it would perhaps be more than the Rs 194 crores that the company owed to SBI.

By not factoring this data asset in the insolvency determination the NCLT decision itself appears incorrect. This value is available only on a going concern basis and NCLT has simply destroyed the value by itself by not letting the business continue.

Just imagine that if these 70000 domains expire over the next few months and get registered by alternate registrants worldwide, the businesses of all these domain name owners will come to a standstill and the IPR on the domain names will be lost.

ICANN should consider this as a global Cyber catastrophe and try to address the issue.

I request Mr Samiran Gupta of ICANN to file his intervention in the NCLT proceedings on October 1st and ensure that the interests of the Domain Owners world over are represented in this resolution.

Ministry of IT

We do accept that NCLT ignoring the value of data as an asset is to be expected since it is a more sophisticated thought not commonly understood in the legal or judicial fraternity.

But the same ignorance cannot be accepted on the part of the MeitY. Though this controversy has been in discussion for some time and the Ministry of IT has been part of the communication loop, no statement has come forth from Sri Ravishankar Prasad the Minister of IT and Law nor from the Secretary IT or from other departmental heads in MeitY.

We are discussing the Non Personal Data Governance law as proposed by Kris Gopalakrishnan Committee report and discussing how to unlock the value of data besides the Personal Data Protection Bill.

MeitY should have therefore realized that the Net4India issue is not simply a recovery of an NPA of Rs 194 crores by sale of immovable property but involved a larger issue of 70000 domain owners being deprived of their virtual property along with the cumulative value of their balances in the accounts with Net4India. This represents hard cash like the balances in a Bank which is going into liquidation.

It was the responsibility of MeitY to intervene with the NCLT proceedings and ensure Business Continuity even while the recovery of the Rs 194 crores through sale of property was being discussed.

I request the Secretary of MeitY to intervene in the next hearing of NCLT which I understand is on October 1st.

Ministry of Consumer Affairs

So far, the Ministry of Consumer Affairs has not been brought into picture in this controversy. But since the consumer interests of 70000 plus consumers of Net4India are being threatened, it is necessary for Mr Ram Vilas Paswan to ask his secretary to intervene. Since Mr Paswan was once a Minister of Communication technology, he should be able to quickly perceive that closing an ISP through an insolvency petition is also serving a death sentence on the customers who in this case number 70000.

If the NCLT had considered that Net4India is a Going Concern and the fate of 70000 businesses is dependent on the entity continuing its services until they can be parked with an alternate service provider, then the insolvency proceedings would have gone smoothly. In fact if the data asset had been recognized, NCLT might have not even considered Net4India insolvent.

Now it is the responsibility of the Ministry of Consumer affairs to collectively represent the interests of the 70000 consumers and intervene in the NCLT proceedings on October 1st.

Net Impact

I am aware that by suggesting a CBI enquiry and filing of intervention petitions by ICANN, MeitY, Ministry of Finance, RBI, Ministry of Consumer Affairs etc., I am complicating the process.

Some would say that all those who raise their voice can be satisfied by resolving their issue selectively so that the opposition dies down naturally and this should suffice. But the need to address the larger community interests drives me to take up this issue further.

I will be bringing information contained herein to Mr Mahendra Limaye who is in communication with the Resolution Professional and to the other parties. Being in a public cyber space, the information should be considered as reaching the NCLT also.

Hence if NCLT is concerned about the general public, there is one immediate solution that it can consider. On October 1st when the next hearing takes place, NCLT can on its own admit that these issues were not brought to its attention earlier and therefore it would review its earlier order.

In the process NCLT can

a) suspend the insolvency proceedings,

b) appoint a technical team which can be supervised by the Resolution Professional with the assistance of one or more representatives from NIXI or the MeitY

c) Ensure that all the services of Net4India are immediately restored.

d) issue a request for bid for taking over of the Registrar business of Net4India  by another registrar

e) Direct NIXI and ICANN to set up special cells to receive domain name related complaints related to dot in and other domains, and initiate domain name transfers as may be requested by the customers

These can bring quick resolution of the problem while the CBI enquiry and other reforms can continue in the background.

These measures would protect the IPR of the domain name users and also the continuity of business.

In case there is a run on Net4India and this has to be prevented, then NCLT may also order an automatic “On Credit” renewal of all domain names expiring at Net4India for at least one year so that the panic can subside and an alternate registrar can take over the business smoothly.

Shall we hope for such a development on October 1st?

Is the media aware of this problem, and will it ensure that pressure is brought on the authorities?

Let’s wait and see.

P.S: I have tried to present the issue as I see it.

There could be some errors in my reading the situation from the public information I have access to.

It is possible that all the parties mentioned above including NCLT might have already taken note of these concerns and my criticisms may be misplaced.

Maybe Mr Vikram and Samiran are genuinely trying hard to resolve the issue and do not deserve the criticisms I am making.

If so, my apologies to all concerned. But the proof of pudding is in the eating. We want the issue to be resolved instantly without further delay. Otherwise, the fight has to continue.

I request all the visitors to spread this information through the social media so that it draws the attention of the media and the Government. As a part of this campaign to raise awareness of the problem, make the following banner, which has a hyperlink to this article, viral.

Naavi

 

 

Posted in Cyber Law | Leave a comment