Dear John McAfee, If you declare war on India, be ready for retaliation

John McAfee, who some time back vowed that he would unmask the identity of Satoshi Nakamoto and said “Finding Satoshi is a piece of cake”, has now declared “War on India” in support of Bitcoin.

Knowing the brilliance of this man, it is possible that he could have revealed the identity of Satoshi and has perhaps not only refrained from revealing the identity but turned a warrior for Bitcoin. Not sure if this indicates a good pay-off from Satoshi, sufficient to change his stance in favour of Bitcoin to the extent that he is declaring a “Cyber War” on India.

But it is unfortunate that a person who was well respected in India has chosen to be a “Deviant”, declare his hostility to India and declare a war against the country.

Following the information that India is considering a Bill to make Bitcoin transactions illegal and carry a 10-year imprisonment (Refer here), Bitcoin supporters have started behaving like Mamata Banerjee after Modi’s victory in the elections. CCN.com calls this an “Insane” proposal. Others have started a campaign to protect their interest to hold “Digital Black Money”. (Refer all news articles here).

Mr John McAfee has gone one step further and has invited “Anonymous” to declare a war on India. (Refer here)

It is obnoxious for a professional to behave in such open support of a system which is a “Currency of Criminals and Terrorists” and deserves to be shut down across the world.

This deserves to be condemned in the strongest terms and countered effectively, just like an ISIS call to dismember India.

Mr Arun Jaitley has already clarified that we are intending to ban Bitcoins and I hope there will be no re-thinking despite the pressures that people of Mr McAfee’s kind may try to mount on us.

Let Mr McAfee realize that we in India are committed to the removal of black money and consider Bitcoin as the biggest manifestation of black money. Those who hold and support Bitcoin or other private Crypto currencies are trying to hide behind excuses to preserve their ill-gotten black wealth. They are global money launderers. Hence action through law to eliminate Bitcoin from the system is very much relevant to us.

I have already suggested that Bitcoin should be considered as an instrument of global terrorism and we should ourselves declare a war on Bitcoin. I have also urged Mr Modi to create a global consortium of like-minded countries to take the Bitcoin ban as a global policy.

It appears that Mr McAfee has suddenly woken up to say that he wants the war to be fought against India and not against the terrorists who use Bitcoins as a currency for illegal drug trade, arms trade, financing of ISIS-like terrorism etc. This is the typical “Urban Naxalite Mentality” that he is displaying and must be condemned in the strongest terms.

Mr McAfee should respect Indian sovereignty and choice to remove the black money in all forms from the system and not try to undermine our rights to make our own law however unpalatable it is for him.

In the context of this threat held out by John McAfee, I request that the Government of India should take such steps as may be necessary to protect our interests including the following measures.

1. Expedite the passing of the Anti Crypto Currency Bill.

2. Declare use and promotion of private crypto currencies as “Financial Cyber Terrorism” and all countries supporting the system as supporters of terrorist activities.

3. Vocal supporters like McAfee should be considered as equivalent of global terrorists like Masood Azhar and blacklisted from doing any commercial transactions in India. If he enters India, he should be arrested and tried for terrorism and war against India.

4. I urge the Government to immediately stop all use of McAfee products because they may be used to hack into our systems and wage a war as declared by him.

5. I urge RBI to recognize the risk that this declaration poses to the Indian Banking system and advise all Banks in India to stop using McAfee products.

6. I urge the public to stop using any McAfee products, not only to prevent them being used for hacking but also to build economic pressure on a Company which has declared a war on India.

I urge the Government of India to issue a notice to McAfee to clarify his “War Call” and mobilization of Cyber war force.

Naavi

Posted in Cyber Law

Leading Banks across the world Ban Bitcoin transactions

It was heartening to read an article in todaysgazette.com that “Leading Banks across the world are Blocking Crypto currencies”.

According to the report,

In the U.S., several banks have banned their users from using their credit cards to buy cryptocurrencies. The Bank of America, JP Morgan, Citigroup, Discover, and Capital One are freezing the accounts of users who try to use their credit cards to buy cryptocurrencies. Also it states that VISA severed its links with Wave Crest after Visa claimed that Wave Crest was not following its rules.

In the U.K., Lloyds banking group was the first to announce it was banning users from buying crypto with their credit cards, following which the Bank of Scotland, Halifax, and MBNA also banned their customers from buying cryptocurrencies. Most banks are pointing to money laundering and high volatility as among the top reasons for banning trades related to crypto.

In Asia, the Hong Kong and Shanghai Banking Corporation (HSBC) is also blocking users from carrying out any transaction related to Bitcoin or altcoins. In India, Banks have warned their customers against using their cards to buy cryptocurrency and threatened that customers who did not reveal the nature of their transactions will have their accounts closed and that any account used to fund trades related to cryptocurrency will be terminated.

These developments need to be taken note of by the Ministry of Finance under Mrs Nirmala Sitharaman so that an appropriate notification is issued to end the uncertainty in the Indian regulatory scenario. MeitY can also make a move on its own to ensure that the list of “Exclusions” indicated in Schedule 2 of ITA 2000/8 includes “Any Electronic document purporting to be a currency or legal tender”.

Naavi


TDSAT confirms compensation for employee data theft

Complaints from an employer against an employee for data theft are a common occurrence in the corporate world, particularly when the employee has exited the company and also started a competing business.

In the current business environment where the corporate work is carried on with the use of e-mails and from home computers, it is natural that in most cases, employees will have corporate data in their personal custody and in personal computers.

Most companies will also have employee contracts which typically have an NDA clause under which the employee is supposed to return corporate data in his hands in the event of his leaving the company etc. However, some of the provisions of the employee NDA contract are impractical and are ignored in practice.

Hence disputes do arise in every resignation of an employee and quite often when a critical employee leaves the organization, the organization may also be unreasonable in pursuing criminal cases against the employee using the business practice to which both were parties during the employment including sharing of the corporate data in the personal domain of the employee.

In resolving such cases, the Courts need to appreciate corporate practices, the “Data Protection/Information Security policies” of the Company, the intention of the parties etc., besides the provisions under law such as ITA 2000/8.

One such interesting case was recently decided at TDSAT in the case of Dr Rishi Dixit & Ors Vs PreventiNe Life Care Pvt Ltd. PreventiNe Life Care is a genetics laboratory based in Mumbai (India), offering genetic screening and predictive testing services in association with various Hospitals. It obviously handles “Sensitive Personal Data” which is the subject of data protection obligations under ITA 2000/8 and the upcoming PDPA and industry standards such as HIPAA etc. Dr Dixit is a medical professional employed in the organization and delivering his professional services as head of diagnostic services. He appears to have resigned in 2012 along with some of his research colleagues and later set up a rival company.

The Company had alleged that the accused had stolen software and also corporate data in the form of confidential algorithm, formulas, process, client/customer list, project, research paper, diagnostic procedure and other important information, which were the properties of the Company, through emails sent from the company network to the personal e-mails. Using the said information, the accused are alleged to have started a rival company, Navigene Genetic Science Pvt Ltd, and adopted a similar business model.

The Adjudicator had therefore granted a compensation of Rs 30 lakhs to be paid by the accused to the Complainant (PreventiNe Life Care), which was challenged in an appeal to TDSAT and was disposed of recently on 31st May 2019.

This case has implications for study under ITA 2000/8, Data Protection regulations, and also Copyright laws. There are similar cases that may be under litigation in many courts including the civil and criminal courts outside the Adjudication/TDSAT system and the judgement could have its indirect influence in such cases.

A Copy of the Judgement is available here.

Some observations on the judgement are recorded here for academic discussion.

  1. The rival company was opened while the accused were still in the service of the earlier company and therefore violated one of the clauses of the employment contract. This was however a matter for the civil courts to adjudicate as regards the compensation and was rightly noted as not falling under Section 46 of ITA 2000/8.
  2. The Adjudicator also noted that he is not considering the IPR issues involved in the dispute. However the possibility of some of the information being “Copied” from e-mails sent by the Company to the accused has been taken note of and hence Copyright violations have been recognized.
  3. The defense that the information was sent by the company to the personal e-mails of the employees and thereby the company relinquished its right on the confidentiality of the information has been rejected.
  4. The use of such information for purposes other than for which they were shared by the Company has been held as a contravention of Section 43 of ITA 2000. Accordingly contravention of Section 43(b), 43(i) and 43(j) along with Section 66 of ITA 2000/8 was taken into account by the Adjudicating Officer.
  5. TDSAT has made a specific comment that the complainant is free to pursue the matters of employment contract and copyright, which have not been taken into account in this adjudication, in a separate action and proceeded to look at the appeal in the context of the application of ITA 2000/8 both for the misuse of data in the form of software on which the company had rights as well as the business data.
  6. TDSAT has, after comparing the reports generated by the systems used by the two parties, come to the conclusion that there are significant differences between the two which may not indicate that the software was stolen. (This is relevant for the copyright issue also).
  7. It was recognized that if the software was stolen and modified, the person responsible was a person who was not a party to the dispute and hence some of the charges regarding conspiracy to steal, modify and misuse the software cannot be validated.
  8. As a result of the observations recorded by TDSAT, the charge that the appellants had stolen, copied or misused the proprietary software developed by the respondent for generating the diagnostic reports is held not sustainable against the appellants. This substantially eliminates the “Copy Right” aspect and any remedies under the copyright law might have been seriously dented by the observations.
  9. As regards the other allegation, some data has been provided as proof from the hard disk of the computer system used by the accused. It is not clear if the electronic evidence produced in this respect was appropriately certified under Section 65B. The defense appears to have failed to challenge the evidence and therefore the evidence might have been admitted by deemed mutual consent. Considering that the final outcome of the case was very much dependent on this evidence, the omission could be considered catastrophic. (Ed: This observation of Naavi is not to dispute whether the accused deserved to be punished but to flag a common mistake that many litigants make which enables the accused to escape liability on technical grounds)
  10. It has been held by TDSAT that one of the accused who was also the promoter of the rival company cannot be held liable under Section 43 since there is no evidence against him of the data being stolen from the victim company and he has only used his domain knowledge to interpret whatever data was made available to him by the other co-accused.
  11. Since one of the two allegations (Software theft) failed and one of the accused was also held not liable, the damage of Rs 30 lakhs granted by the Adjudicator was reduced to Rs 15 lakhs.

It is also noted that the judgement appears to have been written by honourable Sri A.K. Bhargava, member of the TDSAT since it involved significant technical issues besides the legality of the applicability of Section 43(b), 43(i) and 43(j) of ITA 2000/8 to the dispute.

The advantage of a two member TDSAT with a technical member has been highlighted in this case. Cyber Appellate Tribunal when first formed was a single Judicial member body and though subsequently a technical member was appointed, no hearing could be held by the two member body until it was merged with TDSAT.

Naavi has also for a long time advocated that the Adjudication body under ITA 2000 should be fortified by adding the Law Secretary of the State to the panel. Hopefully, this suggestion will be considered by the Government and I request the IT Minister to consider this amendment to ITA 2008 when the next opportunity arises.

It must be noted that this case was a complicated Techno Legal Issue involving ITA 2000/8 as well as Copyright issues and TDSAT has shown dexterity and finesse in arriving at the final judgement. The judgement makes a good case study for academicians.

Naavi


“Consent” and “Explicit Consent” under PDPA

The time has now come to analyze the draft PDPA 2018 bill in depth so that when the final version of the bill is passed, contradictions can be minimized.

One aspect that needs discussion in this regard is the distinction between “Consent” and “Explicit Consent”.

“Consent” is defined under Section 12 of the Act and “Explicit Consent” is defined under Section 18.

Consent as per Section 12 is defined as under.

12. Processing of personal data on the basis of consent.—

(1) Personal data may be processed on the basis of the consent of the data principal, given no later than at the commencement of the processing.

(2) For the consent of the data principal to be valid, it must be

(a) free, having regard to whether it meets the standard under section 14 of the Indian Contract Act, 1872 (9 of 1872);

(b) informed, having regard to whether the data principal has been provided with the information required under section 8;

(c) specific, having regard to whether the data principal can determine the scope of consent in respect of the purposes of processing;

(d) clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and

(e) capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.

(3) The data fiduciary shall not make the provision of any goods or services or the quality thereof, the performance of any contract, or the enjoyment of any legal right or claim, conditional on consent to processing of any personal data not necessary for that purpose.

(4) The data fiduciary shall bear the burden of proof to establish that consent has been given by the data principal for processing of personal data in accordance with sub-section (2).

(5) Where the data principal withdraws consent for the processing of any personal data necessary for the performance of a contract to which the data principal is a party, all legal consequences for the effects of such withdrawal shall be borne by the data principal.

Under Section 18, Explicit Consent is defined as:

18. Processing of sensitive personal data based on explicit consent. —

(1) Sensitive personal data may be processed on the basis of explicit consent.

(2) For the purposes of sub-section (1), consent shall be considered explicit only if it is valid as per section 12 and is additionally:

(a) informed, having regard to whether the attention of the data principal has been drawn to purposes of or operations in processing that may have significant consequences for the data principal;

(b) clear, having regard to whether it is meaningful without recourse to inference from conduct in a context; and

(c) specific, having regard to whether the data principal is given the choice of separately consenting to the purposes of, operations in, and the use of different categories of sensitive personal data relevant to processing.

It appears that the sections make little distinction between “Consent” and “Explicit Consent”. Both need to be valid under the Indian Contract Act and have to be informed, clear and specific.

Further, Section 12 itself suggests that the data fiduciary shall bear the burden of proof to establish that consent has been given by the data principal for processing. Hence the Data Fiduciary has to collect appropriate proof both for Section 12 and Section 18. Additionally, the burden of proof under Section 18 for “Explicit” consent has to be stronger than what is necessary for Section 12.

Presently the business practice is to take a consent through an electronic document presented online to which the data subject expresses his approval by clicking the “I Agree” button.

This “Click Wrap” contract is only considered an “Implied Contract” under ITA 2000/8 since there is no “Signature” for the electronic document as approved under ITA 2000/8. If such an implied contract is acceptable for Section 12, then the higher degree of authentication for Section 18 has to be with the application of the approved “Digital Signature” such as through an “eSign”. Unfortunately, due to the Supreme Court decision on Aadhaar, eSign cannot be used by private parties (unless the eKYC system is modified for the use of Virtual Aadhaar ID). Hence it is practically difficult or impossible to obtain an online digital signature to make an “Explicit Consent” an effective authentication under law.

There is also another problem that needs resolution. The “Consent” under Section 12 of PDPA makes a reference to Section 14 of the Indian Contract Act, making it look like a process to be compliant with the Indian Contract Act. At the same time, under Section 4 of PDPA 2018, it is stated that the “Data Fiduciary” “owes a duty” to the “data principal”. The use of the words “Fiduciary” and “Duty” indicates that what PDPA envisages as the role of the Data Fiduciary is that of a “Trustee” and not as a “Contractor of the Data Subject”.

Hence the nature of the document that creates the Data Principal-Data Fiduciary relationship should be considered as one that creates a “Trustee relationship where the data subject/Principal is the beneficiary”.

If the online consent document has to be considered as a document that is equivalent to a “Trust deed”, there is a conflict with Section 1(4) of the ITA 2000/8 according to which an electronic document purporting to be a Trust deed is not recognized under Section 4 of ITA 2000/8.

Hence the online consent which is a purported click wrap contract is not valid and even if considered as an “Implied Contract”, it cannot create the “Fiduciary” relationship as envisaged. Such a contract would also be treated as a standard form contract and the onerous clauses need to be specially highlighted.

Considering the conflicts arising out of the PDPA 2018 and ITA 2000/8 and the Indian Contract Act, there is a need to take some special care when the PDPA bill is finalized.

Firstly, through PDPA 2018, an exception has to be provided to Section 1(4) specifically to state that Section 1(4) of ITA 2000/8 does not apply to a “Document Creating a Data Fiduciary Relationship” as per Section 12/18 of PDPA 2018.

Secondly, “Explicit Consent” should be defined as a “Consent” which is authenticated by a digital/electronic signature under Sections 3/3A of ITA 2000/8. Simultaneously, exemption should be provided, by a reference to the Supreme Court if necessary, that “Explicit Consent” can be provided with the use of eSign. If however the CCA re-notifies its eSign notification by substituting the use of Virtual Aadhaar ID or offline verification for eKYC, no reference is required to be made to the Supreme Court.

These issues need to be addressed when the PDPA Bill is discussed in the Parliament.

Naavi


With Ravishankar Prasad back in IT ministry, PDPA will be a reality soon

The allocation of portfolios to the ministers in the Modi cabinet was delayed but finally fell into place. It was good to see Mr Amit Shah as Home Minister instead of the Finance Minister and Mrs Nirmala Sitharaman as the Finance Minister. The return of Mr Ravishankar Prasad as IT minister provides a much needed continuity so that the pending issues can be continued without much of a break.

In particular, the return of Mr R S Prasad means that the Personal Data Protection Bill will be reintroduced at the earliest. It may still go to a standing committee but at least the process will be set in motion. Similarly, in the last few months of the last Government, the opposition had created unnecessary hurdles on the Intermediary Guidelines under ITA 2008, Aadhaar and the Section 69 of ITA 2008 notifications. Now that Mr Prasad will be back, there would be a commitment to resolve all these pending issues.

On Aadhaar, the amendment bill which the Srikrishna committee had suggested should be taken up on a priority. If necessary, the Government should go for a review with the Supreme Court to enable use of Aadhaar infrastructure more productively. (Our views on the ordinance are available here)

Hopefully, the Supreme Court will not continue to keep interfering in the day to day administration of the Government at the behest of the political opponents.

Naavi


Sab ka Vishwas for the EVM and Election Process - Unfinished Agenda for Modi 2.0

During the final days running up to the 2019 elections, Congress and its Lutyen’s media created a controversy about EVMs that engaged the attention of the whole country including the Supreme Court. But for the resolve of two of the Election Commission members, Chandrababu Naidu and Congress would have succeeded in disrupting the election process. By not accepting the demand for the first counting of VVPAT slips, EC perhaps saved the day.

Supreme Court Set a wrong Precedent

But it must be placed on record that the honourable Supreme Court failed to uphold the integrity of the Election Commission by acceding to the request of the opposition for counting VVPATs in 5 machines per constituency.

It is not a question of what the harm is in such counting even if the result had to be delayed by 4 hours.

The net result of the Supreme Court agreeing to the count of 5 VVPATs instead of one was that VVPATs were given a presumptuous recognition as if they were “Voting Slips” similar to the ballot papers of the olden day manual voting. Had the scenario speculated by the undersigned come to pass, there would have been a constitutional crisis. The Supreme Court would have been solely responsible for creating such a crisis.

As long as the Supreme Court cannot rid itself of the influence of a few politically motivated senior counsels who can set the agenda for the Court, such incidents will keep recurring. The CJI is personally facing the wrath of such advocates and their supporting lobby in his personal case which has eroded the reputation of the Court itself.

Hence the Government, Election Commission and the Supreme Court have to jointly work for the restoration of the faith in the electoral system and ensure that politicians do not sully the image of the election process as it suits them.

I therefore call upon the Modi 2.0 government to take necessary action to restore the faith in the EVM system in particular and the election system in general.

I recently heard from a famous astrologer that the Government may introduce “Online Voting” in this term. This demand has been there primarily for enabling the NRI voters and further to improve the voting percentages. There is definitely merit in the demand but it needs to be approached with caution.

The problems with our electoral system now include

a) The Electoral rolls are not up to date and hence there could be genuine omissions of voters who move out from one address to another and also because political parties actually introduce bogus voters to rig the elections. There are many rogue state governments who would indulge in such practices with the possible assistance of the local officers of the election commission much before the election heat is generated. We therefore need to find measures to sanitize the electoral rolls.

b) The EVMs are not amenable to the kind of manipulation that Mr Kejriwal or Kapil Sibal are complaining about because there are overriding physical security measures that are difficult to manipulate. But it is still possible to capture booths and force voters to vote for a particular party or for one party to simply create votes in the names of the voters without the voter being present. When there are state Governments like West Bengal and Kashmir or Kerala who cannot be easily disciplined even with the central security forces, “Booth Capturing” cannot be easily eliminated. We need to find measures to prevent such booth capturing.

c) The confusion created by the Supreme Court regarding the counting of VVPATs as a confirmation of the EVM count itself needs to be resolved legally and technically. This aspect has been discussed several times by the undersigned (Refer articles here). The legal position needs to be re-iterated and clarified so that we end the opposition to EVM arguments once and for all.

To address all these issues, I request the Government to take the following actions.

1. Updation of Electoral Rolls

Consider updating the electoral rolls at every booth level through an online authentication process in three stages.

First would be the self authentication by the voter himself for which he can provide appropriate KYC documents. The second would be by the EC officials. Up to this, the system would be similar to the present system.

The third (an addition to the current process) is by the other approved co-voters in the same constituency through a block chain method. The approval block chain in the third stage could fork if the voter’s entry is not approved by others. This should be recognized as a challenge and should be open to the voter producing necessary confirmation and also submitting himself to a penalty if his identity is proven to be wrong in a subsequent enquiry.

The three level approved voter’s list should be considered for further use as the official revision of the voter list.

The “Challenged Voter List” may be published separately by the EC from time to time so that the affected voters may take steps to get their names removed from the list if necessary.

Votes cast by those in the “Challenged Voter List” should be considered as “Provisional Votes” which may be recognized only during an election petition.

2. Voting Surveillance

The present system of having Central forces in the booth is only having partial effect in ensuring fair polling. Since 100% of the booths cannot be secured by the CRPF and polling officials are unable to prevent lumpen elements taking over the process, it is necessary that every voting booth be subject to electronic surveillance through a CCTV which broadcasts the voting process to a public website which can be viewed by the voters.

The CCTV picture of every voter should be recorded so that it can be challenged later in an election petition. It goes without saying that “Burqa” or “Helmet” may have to be removed during the voting process.

3. EVM modification

Every EVM must be modified to have a touch sensitive screen on top on which the ballot paper appears as an image. When the button is pressed on the screen, the status of the screen with the voting mark has to be captured as a screen image, hashed and the hash value printed in the VVPAT. While the VVPAT will continue to show the image of the party etc as is done now to satisfy the voter, the printing of the hash of the image containing the copy of the ballot paper after voting along with the time stamp will provide an electronic evidence of the ballot cast. This will provide legal validation of the VVPAT as a copy of the ballot paper.

It must however be clarified that as long as the electronic voting is recognized by the Peoples Representation Act, the voting gets completed when the electronic signal arising due to the pressing of the button by the voter as generated by the screen on the EVM is stored in the memory of the EVM. The binary imprint on the EVM’s memory is the etching of the ballot cast.

After the casting of the vote, generation of the VVPAT is an acknowledgement created as a secondary copy of the original binary noted ballot. There should be technically no mismatch between the votes recorded in the EVM and the counted number of VVPAT slips. If however they do arise, then the EVM count should be considered as the more reliable and legally recognized vote, and discrepancy if any should be subject to a discussion in an election petition only. At the time of such election petition the booth official may be required to provide a Section 65B certificate to the batch of VVPAT slips relevant for the challenge.
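The hash-on-slip idea and the later check of a batch of slips against the EVM's stored ballots can be sketched as follows. This is an added example, not part of the original post or of any Election Commission design; SHA-256, the record layouts, hashing the time stamp together with the image, and all names and sample data are assumptions made for illustration.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class EvmRecord:
    """One ballot as retained in EVM memory (hypothetical layout)."""
    image: bytes     # screen image captured after the vote mark
    timestamp: str   # time of casting, also printed on the slip


@dataclass(frozen=True)
class VvpatSlip:
    """What is read back from a printed slip (hypothetical layout)."""
    digest: str      # hex hash value printed on the slip
    timestamp: str   # time stamp printed next to it


def slip_digest(image: bytes, timestamp: str) -> str:
    """Hash value to print on the slip.

    Assumption of this example: the time stamp is hashed together with
    the image. Hashing the image alone would give every vote for the
    same candidate the same value, so slips could not be told apart.
    The length prefix keeps the image/time-stamp boundary unambiguous.
    """
    h = hashlib.sha256()
    h.update(len(image).to_bytes(8, "big"))
    h.update(image)
    h.update(timestamp.encode("utf-8"))
    return h.hexdigest()


def print_slip(record: EvmRecord) -> VvpatSlip:
    """Produce the slip the printer would emit for one stored ballot."""
    return VvpatSlip(slip_digest(record.image, record.timestamp),
                     record.timestamp)


def reconcile(records, slips):
    """Compare a batch of slips with the ballots held in EVM memory.

    Works on multisets of hash values, so it reports slips that match
    no stored ballot as well as stored ballots that have no slip.
    """
    expected = Counter(slip_digest(r.image, r.timestamp) for r in records)
    printed = Counter(s.digest for s in slips)
    return {
        "matched": sum((expected & printed).values()),
        "slips_without_record": sorted((printed - expected).elements()),
        "records_without_slip": sorted((expected - printed).elements()),
    }


def demo():
    # Constructed sample data: three ballots, two for the same candidate.
    records = [
        EvmRecord(b"ballot-image|row 3 marked", "2019-04-18T09:15:02"),
        EvmRecord(b"ballot-image|row 1 marked", "2019-04-18T09:16:40"),
        EvmRecord(b"ballot-image|row 3 marked", "2019-04-18T09:18:11"),
    ]
    slips = [print_slip(r) for r in records]
    # Swap the last slip for one that corresponds to no stored ballot.
    forged = slip_digest(b"ballot-image|row 2 marked", "2019-04-18T09:18:11")
    slips[2] = VvpatSlip(forged, "2019-04-18T09:18:11")
    return reconcile(records, slips)


if __name__ == "__main__":
    print(demo())
```

An unkeyed hash only lets a slip be compared with an image that is still available; it does not by itself show who produced the slip.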

I request that the Modi Government in its second term takes up this issue seriously and takes remedial action. The Election Commission itself may take up these suggestions and submit its recommendations to the Government. The Government should submit the same to the Supreme Court as a suo motu review so that the Supreme Court should also record its views without hiding behind the arguments of motivated advocates during a PIL on a later date.

It is necessary that the Government, the Election Commission and the Supreme Court work as a single responsible team to bring credibility to our electoral system rather than each blaming the other. We need each of these three bodies to express “Vishwas” on the other. “Vishwas” of these three will bring in “Vishwas” for the citizens on the electoral process.
