Attention Smt Nirmala Sitharaman, It is time to act on the Digital Black Money, Bitcoin and Libra in your budget proposal

Naavi calling for banning of Crypto Currencies is old news. I have many times faced the question: if Crypto Currency (say Bitcoin) is so bad, why is it that USA among other countries is not banning it? Now I can take a little comfort that a Nobel-winning economist in USA also has called for shutting down Cryptocurrencies. (Refer this article in financial express)

Whether US bans Bitcoin or not, it is necessary for us to remember that our needs are different from other countries and we can take a decision that is independent of others.

In fact, if we have to have a common policy with US, we can make US dollars a legal tender in India because USA has made it a legal tender. But everyone knows that this is not recommended. If it is done, we will ruin our economy.

If making Rupee freely convertible to US dollar, which is globally recognized and stable, is detrimental to the Indian interests, it is amply clear that making rupee convertible to the anonymous, privately regulated Bitcoin will be catastrophic.

Can we regulate what is not recognized?

Yesterday, I had the privilege of interacting with a group of Legal officers from RBI in which there was a detailed discussion on Crypto Currencies. It appears that there is a lot of doubt in the minds of the officers, basically because people asking for banning of Bitcoin are in the minority or at least less aggressive than those who are promoting Bitcoins in India.

One dilemma of RBI is that people are talking of “Regulation” and asking that RBI should regulate Crypto Currency. But this is a trap which RBI should avoid.

It is not conceivable how RBI can “Regulate” a transaction without “recognizing” what is being regulated. Whatever may be the scope of regulation, there will always be some loopholes for violation and they will be used to make part of the Bitcoin legitimate.

For example, if RBI says “Bitcoin” is banned, there will be 1000 other versions to substitute it. If RBI says a particular “protocol” is not acceptable, there will be tinkering with the protocol to escape the ban.

RBI cannot match with the techno marketers and fight the innovative ways to encash the Bitcoin Ponzi scheme. If it tries to do it, it will only meet with failure.

On the other hand, the RBI Act can be amended to include any form of Cryptocurrency as the sole prerogative of RBI by just adding the words “which term shall include crypto currencies” in section 22 of RBI Act after the word “Currencies”.

The threat of Libra

The recent flotation of “Libra” by Facebook is an attempt to make “Facebook” the Central Bank of the Globe. While Bitcoin only threatened the existence of RBI, Libra may threaten the Central Banks of many countries.

Facebook has the membership strength which makes it one of the biggest congregations of people in any one single economic unit, if we define it as one. The Crypto Currency Libra which Facebook wants to introduce and which our media seems to be enamored with (Refer this article in Hindu) will be managed by a “Founder Group” (Libra Association) which consists of Facebook, Mastercard, VISA, Uber and the Vodafone group. (A total of 28 influential corporate groups appear to be supporting Libra.)

It is stated that Libra issue would be backed by a reserve of real assets though we do not know the nature of such assets. It is probable that the market valuation of the real estate owned by some of these groups and their promoter shares as well as their present wealth in the form of Bitcoins and other crypto currencies may be thrown in as their contribution to the reserves.

It is not clear how the initial stock of Libra would be developed. Will the founders be allocated some Libra stock in lieu of the assets contributed to the reserve? or as “Sweat equity” of the promoters with some freeze on sales for a certain period? Will the Company issue stock through an ICO?

It is possible that all these techniques may be used in combination so that the initial stock is credited to the Company as saleable stock. This may completely avoid “Mining” at the stage and the seed stock may be credited to the promoters as their contribution whether withdrawable or not. It may also be made additional security to the reserves kitty. Since the value will keep appreciating as the trading picks up, the value of the seed stock as reserve will also keep increasing without any effort from Facebook.

It is possible that “Mining” may be available as a reward for using some resources of Facebook or as loyalty points etc. We can expect that all the marketing acumen of Facebook will be used to create a stock of saleable Libra.

Having issued the stock, it will then be sold at market rate to the investors world over and the blocks will start rolling out. Mining may be introduced at this stage and may be limited to the block validation fee as a percentage of the transactions validated with a low level of difficulty.

The promoters in the Libra Association may provide their services against Libra and that itself would provide a huge market.

Unless law makers are able to understand how this scheme may be able to keep itself outside the framework of legacy laws, it is likely that Libra would get the initial traction enough to be a threat to the economy. (Refer this article in guardian.com for more details)

It is stated that Facebook may avoid launching this in India to avoid a confrontation with the RBI. But it is likely that many Indians may acquire and transact in Libra unless such transactions are specifically prohibited in law.

It is therefore necessary for RBI and the Finance Ministry to take such steps as may be necessary to ensure that Bitcoin or Libra does not become the new conduit of global economic transactions that would hurt our economic interests.

If this requires amendment to ITA 2000, PMLA or FEMA, it must be done without further delay.

I also call upon the new Finance Minister Smt Nirmala Sitharaman to use the budget to make a specific mention that

“Crypto Currencies are not recognized in India and any transaction related to dealing with any Crypto Currency would be considered as a conversion of legit currency wealth to an illegal asset and punishable under Prevention of Money Laundering Act”

As regards meeting the threat of Libra in the long run, the strategy should be “Eliminating Digital Black Wealth” and must be taken as the foreign policy stand of India. We should lead the formation of an “Anti Crypto Currency Group” of countries and fight this global menace just like terrorism.

Ceding to Bitcoin and Libra is like ceding Kashmir to the separatists since separatism is also considered as “Freedom Struggle” by a few. If Kashmir is not negotiable for India, Rupee is also not negotiable. We cannot allow Bitcoin or Libra to make any inroads to the Indian currency system.

I hope RBI and the Finance Ministry will recognize this and act appropriately.

Naavi

Posted in Cyber Law | Leave a comment

Information on Personal Data Protection Act now available on Cyber Law Guru App

The Cyber Law Guru app which is available on Android platform has now been extended to cover Personal Data Protection Act.

Now queries can also be sent over the App on PDPA related areas and would be answered to the best of the ability of the expert panel. (Expert Panel at present consists of Naavi alone).

PDPA is now in draft form and will be re-introduced in the Parliament to start the process of it being a law.

Cyber Law College of Naavi already has structured a Certificate Course in PDPA and would be delivering it as an inhouse course for organizations and through scheduled web based course. Details are available on www.cyberlawcollege.com

Naavi


Increasing Focus emerges on ODR

Naavi has been in the forefront of promoting the concept of ODR (Online Dispute Resolution). The full details of the service as recommended and ready for pilot implementation are available at www.odrglobal.in. The concept of ODR that Naavi is promoting involves a virtual meeting place for conducting the interaction between the stakeholders and is backed by back office support where required.

Naavi has been trying to convince the legal fraternity to adapt their dispute resolution approach to online mediation and arbitration using the ODRGLOBAL platform either partially or fully. Naavi also proposed a CDMAC (Cyber Disputes Mediation and Arbitration Center) exclusively for Cyber Fraud related disputes.

The ODRGLOBAL platform was proposed as a pilot, ready to use and easily expandable project which other arbitration councils as well as the industry players could use.

However, this concept which is globally unique is yet to attract the attention of the users and remains one of the futuristic projects of Naavi to be implemented.

It appears, however, that the days of ODR are now slowly dawning on India with repeated calls being made for such a service in different contexts.

The latest call has come from the Governor of Reserve Bank, Mr Shaktikanta Das, who while delivering a lecture in NIBM, stated

“..we also need to address the existing inadequacies in customer service and benchmark it against international standards. Efforts in developing robust customer grievance redressal mechanisms to increase customers’ trust and confidence in payment systems will be continued.”

The RBI in its recent document titled “Payment and Settlement Systems in India Vision 2019-20”, stated

There is need for harmonising the TAT (Turn around Time) of customer complaints and requisite chargebacks. Such time lines should be reasonable and also in alignment with the instructions issued in respect of customer liability for unauthorised electronic payment transactions. The Reserve Bank will be addressing the various facets in this regard, with the objective of optimal time lines expected to result in customer delight and certainty of conclusion.

Recourse to technology-driven dispute redressal mechanisms that are rule-based, transparent, customer-friendly and involve minimum (or no) manual intervention will be advocated / encouraged / appreciated.

The High Level Committee on Deepening of Digital Payments headed by Mr Nandan Nilekani, in its report released in May 2019, stated as follows.

As users go digital, they will expect a higher quality of service from digital payments. They will also expect better protection from fraud and risk. The committee recommends that payment systems use machine driven, online dispute resolution systems to handle complaints.

Additionally, the Data Protection Act as proposed (PDPA 2018) has under Article 39 stated as follows:

Every data fiduciary shall have in place proper procedures and effective mechanisms to address grievances of data principals efficiently and in a speedy manner…A grievance raised .. shall be resolved by the data fiduciary in an expeditious manner and no later than thirty days from the date of receipt of grievance by such data fiduciary.

Similar responsibility is cast on companies even under GDPR as well as the ITA 2000.

In all these cases of grievance redressal, easy access by the stakeholders and quick resolution are feasible only through an ODR system and not otherwise.

Hence it is essential for the ODR mechanism to be made available in a professional manner.

An indication of the likely move by RBI was already available since ICICI Bank had recently started some activity in this regard and will come up with their system shortly. The other Banks like HDFC Bank need to follow suit without much delay thereafter to maintain their market position.

We can therefore see an enhanced activity in this regard.

The uniqueness of the ODRGLOBAL service that Naavi has proposed is that the platform can be used for both mediation and arbitration and, in the case of arbitration, a legally valid evidence of the proceedings can be kept with the CEAC certification of the proceedings under Section 65B of Indian Evidence Act 1872.

Organizations such as Arbitration Councils, legal firms, e-commerce companies etc who are desirous of partnering with Naavi in the ODR Global project are welcome.

Naavi

P.S: Technology startups interested in developing projects with Naavi are welcome to contact Naavi for collaborative development of these services.

Bombay High Court Rules on E Mail usage

On May 3rd 2019, a State Gazette Notification was released in Maharashtra regarding the use of Electronic Mail Services by the Bombay High Court. The notification No P.0703/Rule/BHC is called “Bombay High Court Service of Processes by Electronic Mail Services (Civil Proceedings) Rules, 2017”.

A copy of the rules is available here.

It may be recalled here that the Bombay Court in an earlier judgement in 2018 had suggested that courts can opt for modern ways of service. In this judgement the honourable judge had discussed the different modes of effecting substitute service of summons under Order 5 Rule 20 of the Code of Civil Procedure, and observed,

“…in sub-rule (i) and (ii), the substituted service means fixing the copies of the summons on different place as mentioned in the Rule. However, the sub-rule(iii) gives further option that the summons can be served in such other manner as the Court thinks fit. Thus, the manner which the Court opts for should be akin to the earlier mode of service, which is mentioned in the Rule. For this, the Court can take into account the modern ways of service which are available due to internet connection. It can be served also by courier or by email or by WhatsApp etc.”

Similar views have been held by a few other Courts which are enamored by WhatsApp type of messaging applications and held that service of a notice through WhatsApp is acceptable and the “Blue Tick” is an acknowledgement etc. (Also see details here).

Now the Bombay High Court has gone one step further and amended the rules of the Court through a Gazette notification to adopt the service of notices through e-mails. Accordingly the new rules dated 3rd May 2019 have been notified.

While we welcome the desire of the Court to adapt to modern means of communication, we would look at the notification to understand and analyze, from an academic view point, whether it is in compliance with the law of the land or creates a rule that is ultra vires the law. If so, we need to also debate whether it is desirable for the Courts themselves to ignore the compliance of law either by ignorance or specific design.

Definition of E Mail

The notification defines an “Electronic Mail” as a store and forward method of composing, sending, storing and receiving messages in electronic form via computer based communication mechanism.

The “Electronic Mail service” is defined as a notice or any process of Court sent by electronic mail by an officer authorized in this behalf by the high court or the district court as the case may be, such communication emanating from an address specified for the purposes of these Rules.

The definition is incomplete without reference to the definition of a “Computer” under ITA 2000 and a reference thereof should have been made in the rules.

The definition is redundant since ITA 2000 defines “Electronic Form” and “Equivalence of a document in electronic form to a document in paper form” through section 4. Hence communication of an order which was permitted to be sent through paper mail is automatically valid when sent through an e-mail or any other form of electronic communication. No revision of procedure was required.

No Mention of Authentication or Section 65B Certification

The rules do not make proper mention of “Authentication” of the mails with the use of Electronic/Digital Signature and a need for Section 65B certification when a “Sent” communication is to be admitted as “evidence”.

It was necessary to state that the Court officer, besides the judge, shall use a registered digital signature for the purpose of sending out the communication on behalf of the Court.

In case an electronic record is to be produced as evidence to prove that an e-mail has been sent or the e-mail has been received or that an e-mail has been returned un-delivered, whether through an e-mail system or a WhatsApp like system, it is necessary to produce such electronic document along with a Section 65B certificate for it to be admissible.

There is no mention of this requirement.

This is a clear non compliance of the law of the land.

Who determines the Validity of the E Mail address?

The rule also states that the petitioner who wants the notice to be sent to the counter party should file an affidavit stating the e-mail address of the counter party.

Sections 11 to 13 of ITA 2000 clearly lay down the rules regarding “Attribution” of an electronic message, the “Need for Acknowledgement if any”, “The time and place of sending or receiving of an electronic message” which interalia requires the contracting parties to “Designate” e-mail addresses for communication as part of their communication contract.

The procedures notified completely ignore the provisions of the ITA 2000 and define their own rules. An e-mail address used for certain correspondence in prior communication cannot be used for legal communications after a dispute has reached the Court. This is fraught with risks and gives room for misuse.

The procedure suggested is akin to the sending of a mail by ordinary post and not like a mail sent by “Registered Post” or “Registered Post Acknowledgement Due”…to the last known address…but without confirmation.

If the Court had adopted the use of Section 65B certificate for evidencing prima facie delivery, then the delivery would have some sanctity like in the case of Registered/Registered Acknowledgement Due delivery of post or the use of a reliable courier service.

Use of the e-mail address on a website as the address to which notices can be sent is dicey since most websites may have an address such as “Info@…” or “Webadmin@…” etc. These may not be designated for the receipt of legal notices.

On the other hand, it would have been better if the Court had held that “Due Diligence” under Section 79 of ITA 2000/8 required a specific e-mail address to be designated for legal notices.

The Court could have reiterated that under ITA 2008, it is mandatory for websites to designate a “Grievance Officer” whose contact address is to be mandatorily provided on the website. This would have been not only respecting the law as it exists but also could have supported a provision which many are ignoring.

I am aware that a PIL was also filed with the Bombay High Court itself that websites are failing to comply with this provision of ITA 2000/8 regarding provision of contact addresses, though I am not sure of the outcome. Hence the requirement under ITA 2000/8 in this regard was within the knowledge of the Court and it would have been good if this had been re-iterated.

It is noted that under rule 7, parties have been permitted to opt for the use of E-mail by consent which is understandable. Provision of email address could have been made a mandatory provision for filing any petition or reply to the Court.

The suggested protocol attempts to do this.

However, in such cases an option may have to be provided to some litigants not to use electronic communication. This would be in conformity with the principle of natural justice.

No mention of Security

The suggested protocol is bereft of the security requirements. In fact it provides immunity for the court and its officers not to be held liable for any omission. Considering that the omissions are derogation of a statutory law, the responsibility of the Court and its officials should not be ignored.

Overall, the notification does not inspire the confidence that the rules have been framed after properly evaluating the provisions of ITA 2000/8 to the context.

Naavi

Status of Cyber Insurance in India

Naavi has been one of the early proponents of Cyber Insurance in India. This site carries many articles in the past on the subject of Cyber Insurance (Refer here). Additionally, www.cyberinsurance.org.in contains many of these articles in one place.

In 2015, Naavi.org initiated a National survey titled “India Cyber Insurance Survey 2015”, under “Mission Cyber Insurance” that we took up. This survey was conducted with respondents being professionals in the Information Security domain and other professionals in IT companies and academics. The objective of the survey was to establish a benchmark of perception about Cyber Insurance in India which could be tracked later with similar surveys in the following years.

The survey gave good insights into the status of the Cyber Insurance industry in India at a time when none of the Indian insurance companies had actually introduced products offering coverage for liability arising out of Cyber Crimes. There were “Cyber Asset Insurance”, “Employee Fidelity Insurance” and “Errors and Omission Insurance”, which were often considered as Cyber Insurance. But real coverage of risks arising out of third party cyber crimes was not available. The few insurance contracts written at that time were basically based on the reputation of the insured and did not take into account the “Risks” involved for which liabilities were to be covered.

The findings of the survey are available in a series of four articles here.

1. The mystery land of Cyber Insurance-1: Overcome the “All is Well syndrome”

2. The mystery land of Cyber Insurance-2: What is Cyber Insurance?

3. The Mystery Land of Cyber Insurance-3: Who should get Cyber Insurance Cover?

4. Cyber Insurance-4: The enigma called Cyber Insurance Premium

Naavi.org was not able to repeat the survey in the subsequent years to track the development. However, we are glad to know that DSCI has recently conducted a survey and released its report.

According to the DSCI survey,

    1. 350 cyber insurance policies have been sold till 2018, which is a 40% increase from overall base in 2017

    2. India’s yearly cyber premium market is around INR 80-100 crore (USD 11-14 million)

    3. IT/ITeS and Banking & Financial services are the early adopters. The demand has increased because of Contractual requirements and GDPR. New demands from manufacturing, pharma, retail, hospitality, R&D and IP based organizations are observed.

    4. The premium amount ranges from USD 6500-8000 for a coverage of USD 1 million (0.65 to 0.8%)

The report makes a mention that the threat surface in India is expanding due to increasing digitization. It is reported that India is the 2nd most affected country due to targeted attacks (for attacks between 2016-2018) and average cost for a data breach in India has gone up to INR 11.9 crores, an increase of 7.9% from 2017, with the average cost per record being Rs 4552.

During 2017-18 it is stated that the number of policies increased from 250 to 350 and the coverage included First Party expenses such as “Regulatory Investigation and Fines”, expenses regarding “Forensic IT Audit”, stakeholder notifications, legal costs, credit monitoring, PR etc, third party liabilities as well as business interruption loss and Cyber thefts such as Fund transfer frauds, Cyber extortion etc.

Four insurance providers namely TATA AIG, HDFC Ergo, ICICI Lombard and Bajaj Allianz were indicated.

The challenges that confront the industry continue to be lack of awareness and understanding by the buyers and lack of actuarial data for proper assessment on the part of the insurance providers.

Two of the companies, namely HDFC Ergo and Bajaj Allianz, were listed as companies offering personal Cyber Insurance, which was available from around Rs 50,000/- to Rs 10 crore. The Bajaj Allianz policy however offers a coverage with several sub limits for different types of losses. The HDFC Ergo policy offers a combined limit though the pricing is higher than Bajaj Allianz.

The survey also documents some strategic steps that may be taken to promote Cyber Insurance which we may discuss separately in subsequent articles.

A brief recount of issues listed for attention in the survey is as follows:

Government/Regulatory Bodies

-Creating awareness and ecosystem skills in cyber insurance policies

-Incentivizing SMBs through direct intervention or providing procurement benefits

-Providing Toolkits and Checklists

-Creating an ecosystem for cyber insurance to mitigate risks & improve resilience

-Mechanism for Data Breach Notification

-Creation of Cyber Incident Data Repository

-Promoting actuarial science for better modelling of cyber risks

Technology Firms

-Establish sector-specific cyber risk assessment framework

-Innovate to offer tailor-made products & services for cyber risk evaluation, forensics, incident response etc.

-Fortify capabilities

Brokers

-Spread awareness on essential coverage – create toolkits & checklists

-Support SMBs and startups, who wish to buy insurance policies

-Clearly articulate provisions under cyber insurance, and other insurance policies

Insured/Buyer

-Engage with a technology firm for cyber risk evaluation

-Before buying, important to create a ‘Cyber Insurance Committee’ that has representation from Insurance Purchase Group, Offices of CFO, CEO, CIO/CISO, CRO and CMO, for better decision making

Carriers (Insurance Providers)

-Fortify technological capabilities or engage with third party to conduct pre-breach cyber risk assessment and post-breach assessment

-Digitize for data-driven decision making

-Prepare for comprehensive inclusion of data privacy & protection to cover regulations such as GDPR, India’s Draft Bill on Data Protection etc.

-Provide value-added services – customization, free counselling, trainings etc.

-Clearly articulate provisions under cyber insurance, and other insurance policies

Overall, it is good that DSCI has recognized the importance of building awareness about Cyber Insurance in the industry. Hope the initiative will continue.

Naavi will continue his efforts in this direction both through the awareness building through www.naavi.org and www.cyberinsurance.org.in. CyberInsurance.org.in was actually meant to be a platform for all stake holders in the Cyber Insurance domain to come together though it is yet to achieve this objective. Hopefully there will be greater awareness of Cyber Insurance and keener interest in the days to come.

Naavi


CERT IN should recognize that McAfee Products could be a Security Risk to India

Bitcoin battle has now assumed bigger dimensions and escalated into a “Cyber War proposition” mooted by one of the prominent Anti Virus and Security product manufacturers, namely “John McAfee”. It is not clear if Mr McAfee has any controlling interest today in the company but it is reasonable to expect that he would wield a significant influence over the decisions of the company and perhaps on some of its loyal employees.

Additionally it appears that Mr McAfee has taken a leadership role in mobilizing hacktivists to believe that there is a cause for which they should declare a war on India. Again it is not clear if the hacktivists really consider Mr McAfee as a person whose words should be respected and they should launch an attack on India.

Nevertheless, as a Security Risk manager of India, CERT-IN cannot ignore the warning given by Mr McAfee that if India passes a legislation to ban Bitcoins in India, he is inviting a Cyber War against India.

McAfee is a company which was acquired by Intel in 2010 and later on spun off as a separate company. In 2017, an Asset Management Firm TPG (Texas Pacific Group) acquired controlling interest of 51% while Intel retained 49%.

It is possible that some of these private equity firms may be indirectly connected with John McAfee.

We recognize that McAfee is an independent professionally managed company today and is not influenced by the views of Mr John McAfee.

However, it is necessary for the company to clearly come out and disassociate itself from the statement of Mr McAfee and reaffirm its commitment to fight Cyber Crimes and, particularly, that it has no intentions to influence the decision of the Indian Government on Bitcoins.

McAfee as a company should recognize that sharing its name with Mr McAfee is a “Reputation risk” for the company and in situations like this, it is necessary for them to come out with appropriate assurances to the public that it is not in agreement with the call for a Cyber War on India given out by Mr McAfee.

I look forward to such a statement from the company. In the meantime, I request CERT-IN to send a notice to McAfee as a company asking them to clarify their views on the statement of Mr McAfee.

Until we receive a satisfactory response from the company, McAfee products should be put on watch since it is possible that they may be used to plant Bitcoin mining trojans or other types of malware to harm Indian interests.

I request CERT IN also to come up with a suitable clarification in this regard. I also invite our MPs like Rajeev Chandrashekar and Tejasvi Surya to raise this issue in the Parliament to obtain clarification from CERT-In.

Naavi