Header image alt text

Naavi.org

Building a Responsible Cyber Society…Since 1998

India is presently in the process of re-writing some of the Cyber laws regarding

a) Privacy… through the Supreme Court’s view on whether Privacy is a Fundamental Right?

b) Data Protection Act under drafting

c) Health Data Privacy Act under drafting

d) TRAI draft guideline on Privacy under discussion

e) Information Technology Act

We can presume that Supreme Court will say that “Privacy” is a “Fundamental Right” of an Indian Citizen subject to “Reasonable Restrictions”. It may make some lofty noises but will not make much change in the Privacy Environment. More will be done through the other laws.

In the meantime, another issue has cropped up in the Cyber Space on “Ad Blocking” which has been challenged under “Copyright” legislation as if “Advertisement is a fundamental right” of business and removal would be an offence. (See this article for more information)

In India, ITA 2000 defines any “Program” that “Without the permission of the owner of the computer”, “diminishes the value or utility of a service”, which should include unauthorized use of “My Bandwidth usage Rights” as a “Computer Contaminant”. Introduction of such Computer contaminants is a cognizable offence under Section 66 of ITA 2000/8 read with Section 43.

Unfortunately the clarity that “Advertisements” could be considered as “Computer Contaminants” have not been properly recognized by Law enforcers and Consumers and hence no action is being taken when consumers are being cheated by Advertisers.

Many times content is being completely covered by Ads repeatedly or video ads starting rolling as soon as we visit a website etc. This menace has now started affecting the Mobile Users also to the extent that “Ad Supported Apps” have become a nightmare to the content/service users.

There are many instances when without the knowledge of the App owners, Obscene ads and invitation to pornographic websites are appearing even in mobile apps meant for common usage. I have pointed out such issues in “Google Ads” in one Radio app and have also seen it in the Chess Online App. This indicates that whatever filters are supposed to block such ads at the end of the ad supplier, is not working.

“Ad Blocking” has therefore become a necessary requirement at the user end as a “Consumer Right”. However many content providers including media websites have started a trend to block content unless the AdBlocker is removed. The recent DMCA attack on “Easylist” which was asked to remove a site from its filter. This may snow ball into a serious fight between greedy content providers and the Consumers.

While Advertisement industry (of which I was a part in the past) has a legitimate reason to exist, it has to recognize that Advertisement has to be an appendage to content and not the other way round. The media trend now in print started by Times Group is that the first page of a news paper is an Advertisement and content starts only from the third or fourth page.

Paid content on TV channels are also more than proportionately covered by Advertising to the extent that consumers feel like paying for the ads more than for the content. Initially TRAI tied to block advertisements in paid channels but the commercial strength of the TV channels over powered the TRAI and brought advertisements even into paid channels.

The “Rule of Proportionality” between content and advertising has been given a go by in the Print and the TV and it is slowly creeping into the web and mobile. We need to preserve this through the forthcoming changes in Cyber Laws that address “Privacy”.

While static ads that take a banner in the bottom or top is mostly tolerated, the so called “Intersticial Ads” that cover the entire page and does not allow the content to be displayed until the ad goes off is an encroachment of the “Privacy” of the content user and has to be condemned.

Similarly the video ads that start playing on a website as soon as the page is loaded without waiting for the user to chose whether he has to run the ad or not eats away the bandwidth that the consumer has bought at a cost for browsing the content and not the ads. Such ads take more than 100% of the band width otherwise required for the content viewing. Since all ISPs are stakeholders in this “Bandwidth bloating game” all of them are happy with such ads. Only the consumer is unhappy.

There is no doubt that content owners justify their right to advertisement because of the contractual consent they may try to obtain by some standard form contract terms hidden some where in the website which may not even be confirmed by the digitally signed means of clicking on the “I Accept” button.

It should therefore be ruled that “Ad Blocking” is a “Fundamental Right” along with the “Privacy Right” and cannot be abrogated by contract which any way most of the times is an implied contract only.

I therefore urge that the Privacy Laws that are being drafted now should define “Advertisements” as an “Intrusion of Privacy” and “Ad Blocking” should not be considered as a “Right” either under Copyright laws or Free speech consideration.

If for some reason, our Supreme Court fails to recognize this, I wish ITA 2000 amendment should recognize this and introduce a clause to recognize that

“Unsolicited Ad serving on web or mobile should be considered as a “Spam” and subject to “Reasonable Restrictions”.

Such reasonable restrictions should include by way of “Rules” that the ad content on a mobile or  a webpage should not exceed 10% of the visible space and the total bandwidth usage by ads should not exceed 15% of the total bandwidth required for the page.

Any excess should be specifically authorized each time by an affirmative consent which should be recorded and made auditable by relevant authorities.

Any contravention should be made punishable by way of civil compensation to the consumer as well as fine just as TRAI does on contravention of unsolicited call blocking norms.

One more regulation that needs to be considered is that

When a service is contracted by a user (eg: when an app is first installed or a Privacy Policy version is frozen on the website), whatever was the advertisement composition, should not be increased after the installation without express consent.

The above suggestions can also be made to TRAI since it has placed the consultation paper for public comment upto September 22, 2017.

Since “Privacy” is a “Right to be Left Alone”, the “Ad Blocking” can be considered as protection of this “Right to be left alone to use the content” without the intrusion of the Advertisements. The honourable Supreme Court should take note of this and if possible, make a suitable observation.

Putting a regulation on Advertisements across all media should mitigate the risk of commercialization of web and mobile services and preserve the “Net Neutrality” principle also.

I hope TRAI will give due thought to the need to put a control on the Advertisements and appropriately draft their rules on Privacy protection. (We shall separately discuss the consultation paper in a subsequent article)

Naavi

Print Friendly, PDF & Email

Court in Puri debates Section 65B (IEA) and Section 79A (ITA2000)

Posted by Vijayashankar Na on August 12, 2017
Posted in Cyber Law  | 3 Comments

The Court of the Sub-divisional Judicial magistrate Puri, in its judgement dated 4th August 2017 has come up with some interesting observations on  Section 65B of Indian Evidence Act and Section 79A of ITA 2000/8 that needs to be taken note of.

The case refers to  State Vs Jayant Kumar Das (G.R. Case No 1739/2012: T.R.No.21/2013)  in which the C.F.S.L., Kolkata had submitted it’s opinion on certain Electronic Documents which came up for discussions both from the point of view of Section 65B certification and also the status of C.F.S.L as an “Expert”.

For the record, the accused was charged under Sections 292/465/469 and 500 of IPC and Sections 66C/67 and 67A of ITA 2000/8 and the Court sentenced him under different sections.

(Copy of the Judgement available here)

For the purpose of our immediate discussion we shall restrict ourselves to the observations in the judgement about Section 79A of ITA 2000/8 and Section 65B of Indian Evidence Act.

One of the issues raised by the defence counsel challenging the evidence was that CFSL Kolkata was not notified as a “Digital Evidence Examiner” under section 79A of ITA 2000/8. Hence it cannot be considered as an “Expert” for the purpose of Section 45A of Indian Evidence Act.

The Judgement  rejected the argument of the defence counsel and held that

“Even if, the notification U/s. 79(A) of I.T. Act is not available yet it is admissible and the opinion of the expert complied with Section 45 of the Indian Evidence Act 1872 and Section 293 of Cr.P.C. is a relevant fact.

We may add that Section 79A states that the Government “may” notify (not “Shall”) agencies for the purpose of providing expert opinion on Electronic evidence before any Court. Hence we may consider that it is not mandatory that the Government has to notify agencies under Section 79A and if no such notification is made, the evidence is not to be considered as “Expert Opinion”. In our earlier article we have explained the role of “Digital Evidence Examiners in great detail.”

The defence counsel also raised the issue regarding the signing of the Section 65B certificate on which the Judge made some detailed comment worth taking note of.

In this connection, Para 29 of the judgement is worth reproducing completely as it explains some critical aspects of Sec 65B:

“The certificate U/s. 65(B) of the Indian Evidence Act is mandatory for the  purpose to show  that  the  evidence is genuine.

Whoever claims that   the   computer  generated  evidence     was  produced  from     his computer shall  merely have  to certify on the document that the relevant record   in  question  is  genuine  and   has  been  produced from  his electronic  device.  After that  he  has to sign  it. This  statement shall  be titled as certificate U/s. 65(B) of the Evidence Act. 

The hard  disc which may   contain  a  electronic     document  also  cannot  be   considered  “ Primary  document”.  Since it  is only a  “container” and  real electronic document is an expression in binary language which cannot be read  by a  human  being  and   needs to  be  interpreted  with  the  assistance  of binary reading device( computer operating system + application).

Considering   the  interpretation U/s.  65(B)  of Indian Evidence Act the certificate  under  this  section  as a matter  of fact  to the  effect  that  what on the  saw what  on the  reproduced as a computer  output   failthfully.

This  can   be  done   by  any  person  who  is  observing    an  electronic document in his computer and  once  it to be produced as an evidence. It is not necessary that a document from yahoo  website has to be certified only by a   yahoo  server administrator.  The  certificate can  be  given  by any  person who  can  lawfully access the  document in electronic   form who  understand  the  contains  and  is  considered as an  expert  in  such domain.”

The above view is in complete agreement with our view expressed on this site several times earlier.

As we have stated earlier, the jurisprudence on Section 65B certification is still in the phase of development and in this process this judgement is a notable step.

To Summarize our view on the two aspects, we can state,

Section 65B certificate is for the “output” created from an electronic document that a person experiences and can be provided by any person who experiences the electronic document. (The word “Experience” is more relevant than “read”, since we may have some electronic documents which are not “Text” documents that can be read but could be audio or video documents that can be heard or seen.)

Once an electronic document is presented with a proper Sec 65B certificate it would be a sufficient requirement for admission by the Court at the trial stage. However the defence can challenge it. At that time it is open to the Court to call for an “Expert Opinion” on the Sec 65B Certified document which is in its hands already.

This examination of a “Disputed but Admitted Electronic Evidence” may be done by a “Digital Evidence Examiner” if available or by other “Experts” at the discretion of the Court. No document would be considered invalid soley for the reason that the “Expert” is not a “Digital Evidence Examiner” or that no such “Digital Evidence Examiner” has certified the document either before or after admission.

It is also necessary to note that some times, the electronic evidence presented by forensic organizations like CFSL is a “Hybrid” document which is both a “Matter of Fact” presentation of an electronic document which requires Section 65B certificate and an “Expert Opinion” where the person signing the certificate expresses his “expert views” on the matter of fact information available in the certified report.

I have also held in the past that it is desirable for the Forensic experts to realize this hybrid nature of their report and properly present their certified report so that Court may accept the “Matter of Fact part of the report” independent of the “Expert Opinion” part and the defence may accept the “Matter of fact part of the report” but challenge the “Expert Opinion”.

Some of these aspects will come up for discussion again in future and get clarified in due course.

P.S:: One aspect on which we are unhappy in the disposition of this case is that desihunt.com, the accessory to the crime has gone unpunished.

The site is still in existence and running “Dating” and “Wife Swapping” groups etc., which can be used by others to commit the same offence for which the accused in the above case was convicted. 

The domain name desihunt.com has been registered by a registrar by name Wild West Domains LLC and the identity of the owners is being sheltered by the registrars under the false pretension of “Privacy”.

Though this was not a subject matter of the case, the Court could have made an order for the Police to pursue a case against the website in the interest of the public in general.

Now I urge the “Adjudicator of Orissa” who is the “IT Secretary of Orissa” to take immediate action to get this website closed and owners brought to trial separately both for civil and criminal penalties.

People who are familiar with the old “Dr Prakash Case” in Chennai will remember that one of the websites that his brother was maintaining to which the offending photos were allegedly being uploaded by Dr Prakash carried a disclaimer as we see in this website  now stating

“This Site is a dating and social networking portal for like minded adults above 18 years of age.  Please leave this Site immediately if you are under 18 years of age ( 21 in some countries/states,  please check your local regulations ), or if it is illegal to view adult dating/networking portal  in your country/state. By clicking on enter link you agree with the terms”.

The value of such disclaimers without any technical barrier to prevent entry of minors is a matter of a separate debate”.

Naavi

Print Friendly, PDF & Email

I call for the Attention of our honourable member of Parliament, Dr P.Venugopal, a Loksabha member of AIADMK from Thiruvalluvar Constitutency. 

Dr Venugopal is the Chairman of the “Standing Committee” which gave recommendations on the amendments to Indian Registration Act 1908 through Registration (Amendment) Bill 2013. This amendment is pending in the Parliament. The proposed Bill is set to make many radical suggestions which some in the media have hailed as helpful to the land owners in rural areas.

However, some how the possibility of the Bill creating huge problems and creating un surmountable Cyber Crime issues that would hurt both rural and urban masses has not been properly identified and flagged. Hence the need for this article, a copy of which is also sent to the officials mentioned in the report and some other MPs so that corrective action can be taken.


One of the key aspects of the proposed Amendment to Indian Registration Act Bill of 2013 is the proposed amendment to Section 32 of the Indian Registration Act 1908 (IRA 1908). The apparent reason of the amendment is to ensure that the executant of the document need not be physically present with the Registrar at the time of registration and his presence can be by “Electronic Means”.

According to the proposed amendment, the section 32 as is present now is set to be replaced with the following text:

Section 32: Persons to present documents for registration:

Except in the cases mentioned in sections 31, 88 and 89, or when the document is presented by electronic means, every document to be registered under this Act, whether such registration be compulsory or optional, shall be presented at the proper registration office, in the manner as may be prescribed,––

(a) by the person executing or claiming under the same, or, in the case of a copy of a decree or order, by a person claiming under the decree or order; or
(b) by the representative or assignee of such person; or
(c) by the agent of such person, representative or assignee, duly authorized by the power of attorney executed and authenticated in the manner hereinafter mentioned.”

The essence of the section as it is present now is that for registration of any document it is necessary for the executant to be personally present before the Registrar. However, the amendment proposes to exempt this need for personal physical presence by making it possible for presentation of a document by “Electronic means”.

It also means that when an “Agent” of the executant duly authorized by a Power of Attorney is executing the documents on behalf of the principal, can also present an “Electronic Power of Attorney”. (If the main document itself can  be executed with “Electronic Presence” it could automatically mean that the Power of Attorney Document may also be registered through “Electronic Means”.)

These provisions might have been introduced as a measure of upgrading the e-Governance features of document registration. However there are several legal and practical issues which require this amendment to be scrapped.

According to Information Technology Act 2000, (amended in 2008),  Section 1(4) read with the Schedule I, ITA 2000 does not apply to any document or transaction such as  “Any contract for the sale or conveyance of immovable property or any interest in such property” . Therefore, Section 4 and Section 5 which apply to recognition of electronic documents as equivalent to paper and electronic signatures as equivalent to written signature does not apply to documents that are presented to the Registrar for transfer of immovable property. Similarly a power of attorney document or a Will in electronic document is also not recognized in law.

If therefore Section 32 of Indian Registration Act 1908 is amended, it would only mean that the executant can show his face on a video conference but the actual documents of transfer of property or power of attorney has to be in paper form only.

Under the amended Act, (Section 32A) a photograph has to be affixed and thumb impression has to be obtained. naturally in the case of “Electronic Presence”, only  an electronic copy of the photograph and a thumb impression captured by a biometric device under the control of and at the location of the executant has to be used. Such biometric data is required to be received across the open network of the Internet by the registrar’s systems.

Also under Section 32A, a “Proof” of the fact that the executant of the Power Of Attorney is alive has to be produced. Since the person is not physically present, perhaps the Registrar has to view the video and decide if the person is “Alive” and “is not insane” and  “is mentally in a condition as to take logical decisions”.

He should also verify that the video he is seeing is current and the person is online in real time. He should also check that the biometric data he receives is not a “Stored Biometric” that has been earlier collected by some body and transmitted now as that of the executant.

Will the  “Registrar” be aware of these risks and the consequences of impersonation of the “Electronic Presence”?…

I would like the Standing Committee of the Parliament which gave its report on this amendment to conduct a survey of about 100 Registrars and get the information on whether it is feasible for the Registrar to confirm the identity of a person and the genuineness of the biometric from the binary data that flows through an open insecure network from the computer of the executant sitting in a remote place to the registrar’s office.

Also, the moment you open a communication link to the registrar’s system to be accessed through internet, hackers from all over the globe would jump in to look into what is inside the registration system and how they can use or misuse the information. Since the registrations are supposed to be done from “Anywhere”, the registration offices will be linked on a network and hence any intelligent hacker getting entry to one registration office will be able to plant a virus and a back door to play havoc with the system.

This will lead to a risk worse than what we are envisaging in the hacking of Aadhar network.

When these provisions were suggested by the Karnataka Government, (Refer articles below), we stopped at calling this an “Ultra Vires” act since ITA 2000 cannot be amended by the State.

But now the proposal is coming from our Parliament itself and our IT Minister past and present will be part of the crowd which will say “Aai” when the amendment is called out without thinking much on the consequences of saying Aai” to such a sef defeating monster of a proposal which is fit to be called a “Bhasmasura Proposal” since it will soon come to haunt the creator himself.

The standing committee recorded the following comments on this particular amendment:

“The Committee observe that the Bill proposes to substitute Section 32 whereby a provision is made for presentation of documents by electronic means for registration.

The Committee note that the proposed provision would facilitate the increased use of electronic means for registration which in turn would reduce corruption and ensure transparency in the procedure.

The Committee, however, observe that the identity and genuineness of the executants in case of electronic registration can be ascertained and proved only through biometric identification and other similar mechanism without which the possibility of fraudulent registrations cannot be ruled out.

The Committee, therefore, recommend the Department of Land Resources to impress upon the States to allow electronic registration only when all Sub-Registrar Offices are well-equipped with the facilities of not only for online registration but also for fool-proof identification of genuineness of executants.”

The Committee or the Amendment has not however thought of what procedures are to be followed when the “Electronic Presence” is used instead of physical presence and how Section 65B certification would be used for recording the presence etc.

The Committee also is still thinking of “Documents” to be presented electronically where as what is feasible is only the “Presence” through electronic means since documents will fall under Section 1(4) of ITA 2000/8.

The Committee members also seem to have not heard the term “Electronic Signature” and hence have not used it in their report. They seem to think that the “Thumb Impression” which is captured by the devices they must have seen being used as “Attendance Registers” are as good as the physical thumb impressions.

Since the Bill has reached this level, it is clear that so far all persons including the officials have not taken note of the problems highlighted here. They also might not have consulted the MeitY in this regard. If not checked, the Bill will therefore go through the Parliament without any further thought.

I therefore request Dr Venugopal to immediately take steps to withdraw this proposal to amend the Section 32 of Indian Registration Act 1908.

I also request all those who read this and can reach out to the decision makers may bring it to their notice so that the possibility of a catastrophic legislation being passed is prevented.

Such other members who are in the committee and the executives who are associated who can also initiate corrective action if they are sensitive to the points raised here, are as follows:

Honourable Members of Loksabha: Shri Harish Chandra Chavan, Shri Jugal Kishore, Shri Manshankar Ninama, Shrimati Mausam Noor, Shri Prahlad Singh Patel, Shri Gokaraju Ganga Raju, Dr. Yashwant Singh, Shri Ladu Kishore Swain, Shri Ajay Misra Teni, Adv. Chintaman Navasha Wanaga, Shri Vijay Kumar Hansdak

Honourable Members of Rajya Sabha:Shri Ram Narain Dudi, Shri Mahendra Singh Mahra, Shri Ranvijay Singh Judev, Dr. Vijaylaxmi Sadho, Shri A. K. Selvaraj, Shrimati Kanak Lata Singh

Members of the Secretariat: Shri Abhijit Kumar – Joint Secretary, Shri R. C. Tiwari – Director, Smt. B. Visala – Additional Director, Smt. Meenakshi Sharma – Deputy Secretary.

Naavi

Copy of the Bill as presented in the Parliament.

Copy of the Standing Committee Report

The amendments proposed by Karnataka Government in 2015

Article in naavi.org on the proposed Karnataka legislation:

Has Karnataka Legislature passed a faulty legislation and set to create a new Telgi?

Karnataka Government’s Mistake may embarass the President of India

Print Friendly, PDF & Email

On July 6th 2017, RBI after 10 months of thinking, released the official confirmation of the “Zero Liability Circular”. 

Naavi.org had urged the banks to go for a “Competitive Compliance Drive” and initiate measures to implement the provisions of the circular.

While no Bank seems to have taken specific measures such as the new Policy on how to handle liabilities when frauds are reported after the first 7 days etc, an interesting internal message in State Bank of India has been reported.

This is said to be a message sent as an internal circular to the staff of SBI and in the end includes a sentence that this can be shared with customers.

The message runs as follows:

SBI CARD FRAUD ALERT

For the information of all officers and staff

Due to a recent incidence of a fraudulent credit card/debit card transaction of Rs. 57000 in the account of an officer of one of the branch of our bank. It is our duty to inform all of you to disable international access/usage for your credit/debit card as international transaction do not require an OTP and are Vulnerable to huge frauds by culprits who are difficult to trace out.

MODUS OPERANDI

1. while our officer was busy with customers in peak time at his branch, he has received multiple messages for multiple fraudulent transactions amounting to Rs. 57000/-.
2. Our officer thought that his 4 in 1 in hrms is being credited by the bank.
3. He realised the fraud only after business hours after checking his account.
4. By that time Rs. 57000 was stolen by fraudster.
5. If he could have realised with in 3-4 hours of the fraudulent transaction, that amount could have been reversed by taking immediate steps. However a complaint has been lodged with the concerned department.
6. our officer felt that he has not received an OTP and so there is no possibility of a fraudulent debit but for international transactions otp is not required.
7. Just by knowing the card number and expiry date and CVV, a fraudster can do any no. of transactions.

In this connection, we advise all of you to kindly disable international access/usage for your credit/debit card by following these steps,

FOR DEBIT CARDS

1. We have to download SBI QUICK app from play store in which there is an option as ATM CUM DEBIT CARD.
2. In that we will find ATM CARD SWITCH ON/OFF option.
3. In that screen we have to enter last four digits of our ATM card No. and we have to select OFF for international usage. we can also select the OFF Option for e-commerce transactions(FOR THOSE WHO DNT DO ONLINE PURCHASES ON E-COMMERCE SITES).
4. Immediately we would receieve a confirmation message for the same. however, In the same menu and in same way, we can also activate whenever we required.
we can also de-activate the international usage just by sending a message as SWOFF INTL XXXX( last four digits of card no.) to 9223966666 from registered mobile no.

FOR CREDIT CARDS

1. We need to logon to WWW.SBICARD.COM site.
2. Left side of menu where you will find REQUESTS, in that an option as ACTIVATE INTERNATIONAL USAGE.
3. After clicking on it we will find two options as activate & deactivate, there we have to select de-activate, then immediately a service request no. will be generated&you will see a message as
Congratulations! You have successfully de-activated international usage on your SBI card ending with XXXX.

Please share to all your customers and colleagues.
Customer education customer delight

It is ironic that SBI seems to have woken up because one of its Staff members have lost the money. There are hundreds of such customers who are also busy and become victims to such frauds.

Obviously, SBI would refund the money to its staff member without asking any question on how did it happen and whether he had revealed his password to some body else  etc. I wish some body puts an RTI application to find out how they resolved this case and why they donot adopt automatic refund process for customers and prefer to drag customers to Court.

Anyway this is a “Cognizable Offence” and Police have right to investigate since the information is now available. I wish Mumbai Police investigate how the fraud happened and record whether the Bank admits that even without the customers giving out their passwords in phishing attacks they can lose money. This is important since the same Bank will stand before a Court and swear that their security is perfect and there can be no unauthorized access except by the customer’s negligence. This myth will be shattered.

If the staff member is guilty of giving out the password, then it will prove that whatever education that the Bank has been providing to its customers has not even gone to its own staff.

Either way, SBI should now automatically own all such frauds as their inefficiency and provide immediate refunds. …which is the essence of the Zero Liability circular anyway.

However, the facility to activate and deactivate international usage is some thing every Bank has to enable. The internal transactions are atleast controlled by OTP.

But this is not sufficient and as in the case of debit cards, SBI should also provide for deactivation and anytime reactivation of even the local use.

We congratulate SBI for the measure since most of the time other Banks tend to follow SBI. These are measures  suggested by the Damodaran Committee in 2011 which are coming to be implemented now. Better late than never!

Also RBI should now audit the actions taken by Banks since July 6 2017 to introduce the measures suggested by the said circular so that customers would feel safer.

Naavi

Print Friendly, PDF & Email

Will Police Employ Abhinav Srivastava as a consultant?

Posted by Vijayashankar Na on August 11, 2017
Posted in Cyber Law  | 2 Comments

There is a news report today that the Bangalore Police are so impressed with Mr Abhinav Srivastava who was arrested under the charge of hacking into UIDAI data base that there is a discussion on engaging him as a consultant for the Police. (See Report here).

At this point of time, this remains a rumour and could be a fancy wish of some. At least we have seen TV serials about such a practice in USA where “Community Service” is one of the options offered to a criminal as part of the sentence. Hence the Cyber Crime Police could create a structure for using convicted hackers to be part of the Police team for a certain number of years until the sentence runs out.

I am not sure if Criminal Jurisprudence in India provides similar innovative discretion to a Judge. Probably experienced criminal lawyers can clarify.

However, there is nothing wrong that in deserving cases, Courts could consider such innovative punishments which could be the most appropriate in some cases. But if such things are to be properly brought into the system, then we should be sure about Judges not being corrupt. We have several instances in India of Judges faking arithmetic errors and acquitting criminals or granting bail or allow convicts to be on parole on non existing grounds.

If therefore “Community Service” is allowed as a “Punishment”, then many criminals would buy such punishments and later negotiate with their mentors who are supposed to monitor the sentence to go scot free.

However, in the case of Cyber Crimes in particular, it appears that such punishments are relevant since in most cases the accused could be educated and more often becomes an offender either because of “Ignorance of law” or for psychological conditions such as “Technology Intoxication”. Such persons can be perhaps amenable to a reformatory process.

In the case of Abhinav Srivastava, this could have also been suggested as a face saver for the Police/UIDAI since the case is not strong. The case has been booked and the person has been arrested for “Unauthorized Access of Aadhar Facilities”. But actually he has perhaps created a tool which is used by third parties who made use of an “Authorized Access Source” under circumstances that there was no clear bar on his not using the source.

Without adding the 80000 members of the public who downloaded and used the App as the main accused, it would be difficult to blame only the tool manufacturer.

Further, it is difficult to establish the guilty mind (mens-rea) of the accused to bring about a criminal charge. There will be little scope of civil claims since no body may be able to prove “Wrongful loss”.

If the case is pursued further, several intermediaries also need to be considered as Co-Accused and brought to book. This would be embarrassing both for the complainant as well as the Government.

If the case is dismissed, then there is a possibility of a back lash with an accusation of mishandling of the case and possible human rights violation.

Hence some face saving solution which is a Win-Win solution for all could be a good option to consider.

One possible method by which such innovation can be brought into the system would be through a “Compounding Process” where the complainant and the accused come to a written agreement on the basis of which the Complaint is withdrawn. Probably the Police or the Court can mediate in arriving at such a compounding agreement which is acceptable to all.

Hopefully the Abhinav Case becomes a trend setter in this respect and such a compounding arrangement is worked out. Since an FIR has already been lodged in this case, the Court will have to be in the picture for the compounding agreement. In the process it would be better if an SOP (Standard Operating Procedure) would be drawn up by the Court and the Police to be used when required in future to ensure that the system is not misused .

(Since this is more a matter of Criminal Justice system, I would expect readers to correct if my contentions are incorrect and add their own comments… Naavi)

Naavi

Also Read: Bengaluru Police Smitten by Abhinav’s tech skills

Print Friendly, PDF & Email

Draft Bug Bounty policy for UIDAI

Posted by Vijayashankar Na on August 10, 2017
Posted in Cyber Law  | No Comments yet, please leave one

Naavi.org had suggested a model Bug Bounty Policy for Private Sector Companies as part of its Cyber Law Compliance Center (CLCC) Activity. Copy of this policy is available through the menu link CLCC. This was drawn in March 2016 specifically for private sector companies. This could act as a guide to a possible Bug Bounty policy that UIDAI could use.

Now after the Abhinav Srivastava incident, questions arise on what “Due Diligence” step should UIDAI take in the light of what has happened. On the one hand UIDAI may maintain rightly that this is not a case of hacking of the CIDR and therefore there is no vulnerability in the access system. They would be correct in claiming that whatever is considered as an “Unauthorized Access” could have taken place at the level of the e-hospital platform used by one of the e-hospital users. NIC may be the organization responsible for the maintenance of the e-Hospital platform.

At present, the complaint against Mr Abhinav Srivstava has been made by UIDAI and if the security breach has occurred not at the level of CIDR, it appears that the complaint should not have been entertained in the first place by the Police. On the other hand, UIDAI could have raised the complaint against NIC or the e-hospital user stating that they had caused defamation of UIDAI and its security by not following adequate security at their end.

Also the KUA agreement with UIDAI as well as the check list for accreditation of KUAs clearly mention that the management of the KUA should give an undertaking to UIDAI that they are compliant with ITA 2000/8. It is however proven that the KUA agencies (Hospital) involved in this case never had a proper Privacy Policy, Terms of use and Grievance Redressal Mechanism in place. Hence, there was a clear violation of the contractual arrangement and lack of “Reasonable Security Practice”.

Police cannot however launch any proceedings based on Section 43A of ITA 2000/8 since it is a matter that should be taken up by individual persons who may claim damages on account of the breach or by the Adjudicator who has suo moto powers to take up the case on behalf of the public.  It is unthinkable that the Adjudicator anywhere in India would take up a complaint against NIC or the Government hospitals using e-hospital application since the Government itself is a party to the management or mis-management of the information security practice in these agencies.

Under Section 79 however, if there has been any criminal offence attributable to the intermediary, the crime can be extended to the organization for lack of “Due Diligence”. If therefore it is felt that in the use of Abhinav App, there was some crime committed either under ITA 2000/8  then it would be feasible for Police to have taken action against such intermediaries. However so far Police have not initiated any action in this direction.

Let’s for the time being forget what the Police may do here after and focus on how should UIDAI respond now with all the experience they have gained in the incident.

Failure of the Incident Management System

The first observation I would like to record is that UIDAI did not wake up the presence of an App in Google PlayStore claiming eKYC through Aadhar until around 80000 downloads took place. In fact there were many more such applications in PlayStore some of which might have been taken off now. The inability to observe presence of such Apps can be considered as the “Failure of the Incident Management System” of UIDAI.

Tomorrow if some body opens a website www.uidai-kyc.in or uidai-kyc.com (Both of which are available for registration) does UIDAI have the measures in place to recognize this and take remedial action?… Probably not.

Hence there is an urgent need for UIDAI to set up policies and procedures to identify such “Attempt to Impersonate” as a “Techno Legal Cyber Security Incident” as part of its “Due Diligence” practice. It should raise an internal ticket and resolve it at the earliest documenting the entire resolution and lessons drawn.

Since such measures donot exist, it is just an indication that UIDAI itself is not ITA 2008 compliant and has not taken “Reasonable” measures to prevent occurrence of Cyber Crimes under different sections of ITA 2000/8.

On September 5, 2009, Naavi.org had published an article titled Reasonable Security  Practices For UID Project  A Draft for Debate Prepared by Naavi”. In the last 8 years, UIDAI and Aadhar has changed its perspective and hence this draft needs revision. But the fact that UIDAI needs to be itself ITA 2000/8 compliant still exists and such an exercise includes development of such policies and procedures that would identify and mitigate all risks identified below.

Need for Crowd sourcing Risk identification

UIDAI is a service that would be used by more than a billion people and multiple times during the year. It is a service which will be a prime target of hackers around the world including Cyber terrorists and enemy nations such as China and Pakistan interested in Cyber warfare.

UIDAI may be capable of taking care of internal server security preventing unauthorized access. We can therefore accept their contention that the UIDAI systems are safe.

However, risks arising from the negligence of Users and Sub Contractors which may indirectly cause reputation loss to UIDAI and raise National security issues may not be adequately addressed by UIDAI and this is well demonstrated in the past.

The fact that despite Naavi.org raising several issues not only by the Nov 4 2016 article on e-Hospital but also regarding the domain name registration in individual officer’s names and use of digital certificates of US companies etc, UIDAI has not responded promptly to address the potential risks.

We may therefore consider that the internal Information Security team of UIDAI cannot be expected to mitigate such risks nor even identify them in time.

It is therefore essential that UIDAI responds to the present crisis by inviting well intentioned security  professionals who are not in the roles of UIDAI to be part of the security risk identification infrastructure by starting a “UIDAI-Bug Bounty Program”.

UIDAI as a Protected System

The Need for UIDAI Bug Bounty Program also arises from the fact that UIDAI has been declared as a “Protected System” under Section 70 of ITA 2000/8 though the notification

Government of India has notified through Gazette Notification  GSR 993 (E) dated 11th December 2015 that

UIDAI’s Central Identities Data Repository (CIDR) facilities, Information Assets, Logistics
Infrastructure and Dependencies Installed at UIDAI (Unique Identification Authority of India)
locations to be Protected System for the Purpose of Information Technology Act 2000.

Authorised personnel as per Sub-section (2) of Section 70 of IT Act 2000 (amended 2008)
having role based access to UIDAI-CIDR facility are:

1. Designated UIDAI officers & Support Staff.
2. UIDAI authorised team members of contracted Managed Service Provider (MSP).
3. Other authorised third party Vendors and its partners.
4. UIDAI authorised business partners.

Section 70 of the ITA 2000/8 states as under:

Sec 70: Protected system (Amended Vide ITAA-2008)

(1) The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system.

Explanation: For the purposes of this section, “Critical Information Infrastructure” means the computer resource, the incapacitation or destruction of which , shall have debilitating impact on national security, economy, public health or safety. (Substituted vide ITAA-2008)

(2)The appropriate Government may, by order in writing, authorize the persons who are authorized to access protected systems notified under sub-section (1)

(3)Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.

(4) The Central Government shall prescribe the information security practices and procedures for such protected system. (Inserted vide ITAA 2008)

It is obvious that the Gazette Notification of 11th December 2015 does not fulfill the requirements of Section 70 in full since it does not provide the details of how this protected system needs to be operated. Merely stating that “Role Based Access” would be provided is grossly inadequate to meet the requirements of Sec 70. It is necessary that detailed information security practices and procedures need to be developed.

Normally we say that the detailed Information Security Policy may not be “Disclosed to Public” for security reasons.

However, in the case of Section 70 systems, since “An Attempt to Access” the system is as much an offence as actual access and could result in imprisonment of upto 10 years, public have the right to know what would constitute an “Attempt” to access the CIDR systems and who will be considered as “Not Authorized”.

It is our interpretation that persons who are authorized to access these systems should be identified by name and cannot be described as “UIDAI Business Partners” or “Other authorized third party vendors” and its partners or “Designated UIDAI Officers & Support Staff” or “UIDAI authorized team members of contracted Managed Service Providers” or such other general terms.

If and when Abhinav’s case goes to a Court, there will be a discussion on whether UIDAI has clarified on what is “Authorized Access” to UIDAI systems and in the absence of clarity, whether Mr Abhinav can be said to have “Unauthorizedly accessed” the systems.

In view of the need to clarify what constitutes a crime under Section 70 of ITA 2000/8 when some body accesses the CIDR system, UIDAI needs to define and publish “Permitted Access System” and also take reasonable precautions at their end to ensure that any attempt to access their systems outside these permitted parameters are blocked by their Firewall and also generate appropriate alerts/Notices to the person who is attempting to access the system outside the permitted procedure.

The website of www.uidai.gov.in declares certain website policies which are only related to visit to UIDAI website and even in that respect it is not fully adequate. It does not say anything about the access to CIDR systems. This needs to be corrected.

In view of the above, a properly structured Bug Bounty Policy can be a good tool not only to crowd source the skills of security professionals to harden the security around UIDAI but also  to provide clarity to the access rules under Section 70 of ITA 2000/8.

Essential Features of UIDAI Bug Bounty Program

The Model Bug Bounty Policy for Private Sector published by the CLCC provides a general template under which the UIDAI-Bug Bounty Policy needs to be developed.

It would be inappropriate for me to try and draft a final policy for UIDAI on this website since UIDAI is supposed to have more intelligent and more informed persons at their disposal and can do a better job. I therefore would not try to attempt such an exercise.

However some points that needs be made are

  1. In the “Objective Clause” the fact that UIDAI system is a Section 70 declared “Protected System” must be included.
  2. The policy should be prominently shown on the UIDAI website.
  3. Alerts are to be shown when a visitor tries to get any information from the website including getting his own Aadhar data.
  4. The names of authorized persons who have the access rights are to be displayed on the website.
  5. Restricted procedure on how the authorized persons can access the systems should also be displayed. (This does not need disclosure of the detailed information security policy that would reveal the network details etc).
  6. The definition of “Bug” for the “Bug Bounty” purpose should be defined to include all possible means by which the system could be compromised and data accessed except as provided under Section 70 notification.
  7. Being a Bug Bounty program for a “Protected System” where “An attempt to access” can be a crime, it is necessary that any person who would like to check for a “Bug” needs to be first “Registered” as a “Prospective Bug Bounty Hunter”. The registration has to be with UIDAI and obviously with an “Aadhar KYC”. The permission may be restricted to Indian nationals and could be denied on the basis of a background check which the UIDAI can undertake before granting the permission.
  8. Any activity of the Bug Bounty Hunter before he obtains the permission could be treated as an unauthorized attempt to access and UIDAI may reserve it’s right to take action though they can use their discretion in this regard.
  9. The critical aspect of the program would be how the Bug Bounty Committee would be constituted. Given the fact that the receiver of the Bug report can turn around and charge the reporter of a Crime, the reporting has to be treated like “Whistle Blowing”. The Committee therefore cannot be a committee of the CEO/CTO of UIDAI. It has to be committee of “Respected Members of the community” who anonymize the registrant and also scrutinize the bug without any pre-conceived notions and egos. Only after the bug is accepted by UIDAI management, the committee may reveal the identity of the bug reporter at his option. The committee members should provide the confidence to the public that an honest good faith report even if it is incorrect would not be considered as malicious and would not be proceeded against for punishment.
  10. The Bug itself may be never publicized in detail so that UIDAI may retain its reputation and not be open to the charge that several bugs were found to be present. All professionals know that just as there can be no 100% information security, there may not be 100% bug free software service. Hence, mere identification of bugs is not to be considered as a loss of reputation of the IS/IT team of UIDAI. Some politicians particularly in the opposition may not understand this and pass criticisms but such criticisms should be ignored.

Wisemen say

“The Greatness of a person is not that he has never fallen down, but it is how gracefully he gets up”.

This applies to UIDAI after the recent spate of media exposures about the so called Aadhar Data Breach”. It is now in the hands of UIDAI to show if it is a great institution and gets up gracefully or acts mean and crucifies Bug finders.

Naavi

Also Read: The National ID Card Challenge for Nandan Nilekani.. Part I: Part II

Print Friendly, PDF & Email