What the Opposition may do tomorrow in the EVM controversy

We have time and again stated what we think is the correct legal position as regards the controversy raised by the opposition regarding the VVPATs.

The Supreme Court could have avoided the current problem by ruling in the first place that the VVPAT is only an acknowledgement and it has no legal significance or precedence over the electronic click made by the voter. However, the Supreme Court did not factor in the nefarious motive of the opposition to disrupt the counting process using the VVPAT as an excuse.

Now the opposition has raked up an issue that VVPATs should first be counted and tallied before the counting of the electronic votes recorded in the EVM is undertaken. Mr Chandrababu Naidu has also revealed their intention that if there is any mismatch, the counting should be stopped. It is therefore clear that the objective of the opposition is to stop counting and create a constitutional crisis.

Under the circumstances, as an observer of the Cyber Crime and related scenario, I anticipate the following developments tomorrow, which will all be aimed at confusing the Election Commission and harassing them to yield to the demands of the opposition.

  1. At the time VVPATs are taken up for counting, first there will be a call for tallying the machine number, the number of votes etc recorded in the form given to the polling agents by the poll booth officials.
  2. When these are done, there could be one or more booth agents who would have changed the form which was in their hands for some time now and claim that the information given to them at the booth and what is now being shown do not tally. Hence there will be a claim that the machines have been switched or the votes have been tampered with.
  3. If the discussion goes past this and counting is done, then the polling agents who will be present at the counting of the physical slips will say that some slips were wrongly dropped into BJP box and it has to be recounted again and again. They may also ensure that one or two slips are stolen and destroyed. They may even hide it inside their inner clothes like the drug peddlers or even eat up one or two of the slips. The EC would not be able to forcibly check the agents physically like the ED or the Police and a ruckus will be created that there is a difference in the count and hence the counting should be stopped forthwith.
  4. There may be demonstrations and physical violence outside.
  5. There will be an urgent mention at the Supreme Court for a stay.

I therefore request the EC and the Government of the day responsible for law enforcement in each counting center, including those under the control of Opposition ruled states like West Bengal and Andhra Pradesh, to ensure that the counting process is not interrupted.

It may be necessary for the Central Forces to be in charge of all counting centers to manage the law and order situation.

At the back of all this, I reiterate that the VVPATs are only acknowledgement slips and the vote of the voter is recorded electronically in the EVM and if there is any discrepancy, the EVM count should be considered as valid. Further litigation, if any, should be after the candidate is declared elected and an election petition is filed.

Any other approach will be unfair and also illegal.

Naavi

[PS: Happy that the above concern did not materialize. EC refusing to agree for the VVPATs to be counted first was helpful. Also Mr Chandrababu Naidu losing badly in AP and Mamata being jolted in WB further defused the opposition. Overall, we are relieved that the Tukde Tukde gang was defeated and nationalist forces marched to a grand victory……Naavi, 23rd May 2019]


Mismatch of EVM and VVPAT

The opposition parties aggrieved by the exit poll results are raking up an issue with the EC regarding what needs to be done when there is a mismatch between the VVPAT counting and the EVM records.

The Supreme Court, which did not have the appropriate vision to take a view on this when the matter was before it, just ruled that in 5 booths in every constituency, VVPAT has to be counted. This means that about 8000 VVPAT slips may be counted in every booth. If there is a counting error then there could be a difference of one or two vote numbers with the EVM count. This may be insignificant but is enough for the political parties to cry that there is something wrong with the EVMs and the election should be repeated with ballots.

The EC has internal dissensions which may actually complicate the issue.

I therefore provide here what I think is a legal position to be taken into account.

The Indian Elections have adopted the EVM system for which there is sufficient legal backing. As per this, election is conducted by the voter expressing his choice by pressing the button on the EVM. The process of voting is therefore completed when the button is pressed. The count of this is in the EVM. There ends the election process.

The VVPAT is a system that provides an acknowledgement to the voter. The acknowledgements are preserved for verification in case of large scale malpractice as evidence. But the VVPAT slips are not votes. They are secondary confirmation to the electronic signal generated by the depression of the voting button.

The VVPAT is generated not by a voter’s action but by the action of the EVM after the vote is recorded. Hence it is a subsequent event.

Hence if there is a mismatch between the EVM count and the VVPAT, the EVM count should prevail. In case there appears to be a large scale malfunctioning where the difference is statistically significant, then the matter becomes an issue of the post poll legal challenge. What is a “Significant” difference for 1600 or so votes is what a statistician can determine. In my view it could be somewhere like 2% or about 30 votes.

I hope the EC and the Courts will consider this view when they have to consider the objections.

Naavi


4-D Secure protocol for Online security… Attention NPCI

Naavi.org has been in the forefront of discussions on Cyber Crimes, Data Security, Compliance requirements etc. The objective of all this is to ensure that “Digital India” does not suffer from the lack of security that is in the DNA of online transactions. 

In this journey towards “Secure Digital India”, we need to ensure that the digital payment systems are properly secured. In this process, internationally there have been several initiatives such as the ISO 27001, PCI DSS, SET protocol for card processing, 3-D Secure and its adaptations by VISA, Masters, Amex etc.

In India we have the RuPay scheme which has been conceived to provide a domestic system to enable Indian Banks and financial institutions to participate in the electronic payments market. The Rupay-e-Commerce architecture takes into account the three domains of the issuer, NPCI and the acquirer. The NPCI operates the PaySecure system and the NPCI switch and enables the authentication of the transactions.

The RuPay system has the potential to be a popular global brand like the VISA and Masters. Similarly the authentication system that Rupay adopts also has a potential to be a global system.

India has an advantage that is not available to other countries in the form of the Aadhaar identification system. Though the Supreme Court has placed some curbs on the innovative use of the Aadhaar for authentication by private players, there are acceptable workarounds and even the possibility of convincing the Supreme Court on specific national security projects for the use of Aadhaar.

If we can use both the Aadhaar network and the NPCI together, it may be possible to enhance the security of online payment systems to a level which could be better than other existing systems.

While the 3-D secure system has the 3 domains namely the acquirer domain, issuer domain and the interoperability domain, which has also been used in the PaySecure architecture of NPCI, it may be possible to look at a four dimensional system (4-D Secure) based on the following constituents.

    1. Consumer
    2. Merchant
    3. Banking/Financial institutions
    4. Technology

In this model there are four responsibility centers. The Technology is the “Interoperability domain” managed by say NPCI. The Banking is the domain of all card issuers and payment system managers. The Consumer and the Merchant are the basic originator and destination of the underlying transactions.

This model recognizes that “Technology” is the interface between the different legal responsibility centers. In the first leg of the transaction, the transaction originated by the Merchant has to be authenticated by the Customer or vice versa.

In the second leg, the financial part of the transaction originated by the card owner or the Merchant has to be authenticated by the card issuing Bank/his agent.

If the origination of the financial part is a “Pull Transaction”, the Merchant sends his request to the acquiring Bank. If it is a “Push” transaction, the customer sends his request to the card issuing Bank.

The Technology Provider can act as an agent of the Card Issuing bank or the Acquiring bank. The Technology provider can use the UIDAI authentication service in any permitted form. In case of high value transactions, the full e-KYC formality can be invoked. In other cases a simple random multi factor parameter check can be used. If the identity parameter input is taken in the form of Virtual Aadhaar at the Merchant’s website, it may be within the current directions of the Supreme Court.

Other options including collection of the identity parameter by the Banking system instead of the Merchant or by the UIDAI itself or by NPCI as an agent of UIDAI can be considered and brought into the protocol.

The above is a thought which may be refined by technology experts. However the essence of this suggestion is that we can develop an online payment architecture which is unique to India and if it gets traction, develop similar standard models elsewhere where the UIDAI type of authentication is substituted by some other acceptable trusted third party authentication acceptable to the Banking system or the Card issuer consortium.

I invite technology specialists to improve upon this model if possible and take it forward. I urge NPCI to take the lead in this direction by forming an expert committee along with UIDAI authorities and the MeiTy and examine the possibilities.

Naavi


Right to Adjudication Overrides Arbitration Clause… TDSAT judgement on Mohit Rajpal Vs MyTaxiindia.com

[P.S: This discussion has some important issues related to Information Technology Act 2000, (ITA 2000), Arbitration and Conciliation Act (ACI) (as amended upto date) and the data protection regulations.]

It is always sad when a Company and its co-founder fight out a legal battle, particularly when the dispute does not relate to any financial misappropriation but relates to alleged data theft.

In such cases, it is difficult to segregate how much of the dispute arises out of real wrongful loss caused to the company and how much arises out of personal acrimony between a senior executive who has fallen out with the current management.

One such incident came to public notice recently when Mr Mohit Rajpal, the ex-Co-founder of mytaxiindia.com and the current Director of goibibo.com, approached TDSAT, Delhi following an earlier Adjudication.

This appeal to TDSAT was disposed of on 15th May 2019 on one issue of law related to the challenge on the jurisdiction of the Adjudicating Officer (AO) under ITA 2000. The matter has not been discussed on the merits of the disputes.

[P.S: This discussion is for academic purpose and is based on the copy of the judgement of TDSAT. At this point of time, I do not have access to more details including the details of the pleadings. As and when more information becomes available, if necessary, the analysis presented here may be updated…. Naavi]

(Copy of the judgement can be found here)

Mr Mohit Rajpal was the Co-Founder & Director of Mytaxiindia.com for a period of around 2 years from July 2015 to July 2017. During that time, he appears to have executed an employment agreement cum NDA (dated 10/7/2015) containing the usual data security clauses that he shall not use the data acquired during the service for purposes other than the requirements of the job etc. The agreement seems to have also had the usual clause that disputes arising out of the contract will be subject to arbitration and such arbitration recourse will survive even after the employment contract is terminated.

These are clauses which we usually find in every employment contract.

It appears that after the employment agreement was terminated (perhaps with the resignation of the employee), a dispute has arisen where the company alleges that certain information was transferred from the “Official E Mail ID” of Mr Mohit Rajpal to his personal E Mail ID.

We reiterate that in the absence of full information as to what was the information that was transferred and what was the alleged “Wrongful Loss” sustained by the Company on account of such transfer etc., this discussion is only on the issue of whether the arbitration clause is binding against an adjudication process initiated by one of the parties.

The AO has ordered that the matter cannot be mandatorily referred to Arbitration and he can exercise jurisdiction on the complaint as received. Mr Mohit Rajpal has appealed against this decision to the TDSAT pressing for arbitration. In the process he has also cited a second agreement namely the share holder’s agreement between Mr Mohit Rajpal and the investors of the Company which appears to also have an arbitration clause.

The purpose of the share holder’s agreement is different from the NDA cum Employment agreement and there was a different arbitration clause in this agreement. This was an arbitration where the seat of arbitration was Singapore. (Applicable law is not clear to us at this point of time). Hence there were two arbitration agreements with different objectives, applicable laws and jurisdictions that the AO and TDSAT had to consider before arriving at the current ruling.

In its judgement, TDSAT has upheld the jurisdiction of the AO and come to the conclusion that the Arbitration clause is not to be considered binding in this case.

The arbitration clause in the share holder’s agreement (which was not invoked during AO proceedings and brought in only in TDSAT proceedings) was found not applicable since the agreement did not have any data security related obligations. Hence only the NDA cum Employment agreement was considered by TDSAT for this decision.

Though TDSAT had two earlier decisions under TRAI Act in which the arbitration requirement had been overruled, the appellant appears to have contested it on the grounds that in civil disputes, the tribunal should be bound by the arbitration act.

One of the arguments pressed was that the Adjudication powers have a financial limit of Rs 5 crores and thereafter the dispute has to go to a civil court, and in that event the civil court would be bound by the requirement for arbitration, and hence even at this stage the AO should consider the provisions of the arbitration act as binding on this dispute.

TDSAT refused to go into the decision based on the evaluation of the nature of the dispute, whether it is of civil nature only or involves criminal nature etc. It has categorically stated:

“..The larger issue as to effect of provisions of Arbitration Act upon enquiry into complaints under the IT Act and grant of compensation on that basis is left open”.

TDSAT also rightly observed:

“..This issue may also depend upon the peculiar facts of a case because sometimes the complaint of breach of security and theft of data may affect large number of persons and may not be arbitrable for the simple reason that all affected persons may not be bound by a common arbitration clause.”

In view of the above, the appeal was dismissed and the AO was permitted to proceed to decide the complaint in accordance with the law.

A Solution Missed?

One of the options that the AO/TDSAT could have exercised was to retain the AO’s powers to adjudicate after the Arbitration and let the complainant also feel satisfied that he had received justice.

In deciding this case, the AO will be required to take a view on complicated issues of data protection which would be better handled through “Mediation/Conciliation” more than even “Arbitration”, where data security experts are involved.

It is therefore possible that the AO may find it difficult to resolve the dispute to the satisfaction of both the parties and the matter will be back with TDSAT in due course.

Being an Employer-Employee dispute, the matter has to be handled with an understanding of the nuances involved in management of business where the top executives work 24X7 from anywhere including the home and often end up with a seamless integration of personal and official work.

Top entrepreneurs/directors of startups often have no distinction between personal life and official life and their psyche is built on such total dedication and integration of personal life with official life.

Many times, as long as the employee attends to business matters even while he is at home, the companies (bosses) are happy. But the moment a dispute arises with a boss (which could simply be an ego clash), companies start finding distinction between personal and official duties and blame the employee.

Understanding such issues and bringing the disputes to an amicable settlement is best done through mediation even more than Arbitration.

The legal issues themselves may not be black and white and therefore insisting on legal remedy alone through either Arbitration or Adjudication may not be the best solution to resolve this dispute.

However, it appears that the option of “Mediation” and “Conciliation” does not seem to have been explored in the current case.

I hope that the AO should at least now suggest to the parties that they first try out Mediation before continuing with his enquiry as per Section 46 of ITA 2000/8. Whether the Arbitration act is binding or not binding is not necessarily the issue.

Amicable resolution of the dispute between a Co-Founder who must have contributed to the setting up of the business and the current business beneficiaries is the real issue.

The purpose of alternate dispute resolution mechanisms, including the Adjudication and Tribunals should be to ensure that law is applied as a last resort after all efforts on amicable settlement are considered, explored and given an opportunity to succeed.

If it fails, the legal system can always take over.

Such an approach will be most suitable in cases such as these where there is no financial loss like in the case of a banking fraud and the dispute is about a notional loss arising out of alleged wrongful data sharing.

Naavi


When Should Section 65B Certificate be produced?

Section 65B certificate has been discussed in detail in this website as well as the book by Naavi. Now some queries have been raised on the recent Supreme Court judgement of 1st May 2019 in the case of “State of Karnataka Lokayukta Police Station, Bengaluru vs R.Hiremath”.

Without any prejudice to the other merits of the case, I would like to make a comment here only on the Section 65B aspect. 

This is a judgement from a bench of Justice D Y Chandrachud and Hemant Gupta where Section 65B came for discussion.

In this case, the Police had filed a Chargesheet and at that time had produced some electronic documents such as CDs without a Section 65B certificate. The CDs contained some video recording from a “Spy Camera”. The spy camera was handed over by the Lokayukta to the complainant for recording a meeting in which bribe was asked for.

A Single Judge of the Karnataka High Court had rejected the charge sheet and one of the grounds was that the electronic document produced as evidence was not accompanied by a Section 65B certificate and this defect is not curable by a subsequent certification which the Police must have offered to provide.

The recording pertained to 12th and 13th November 2012 and the High Court took a decision to reject the evidence in its order of 27th April 2017. If the Certificate is to be produced, it is to be produced today after a lapse of 7 years.

The question was whether this omission to produce Section 65B Certificate at the time of filing of charge sheet could be corrected subsequently.

The defence argued that the production of Section 65B now will be like an “After thought” and hence should not be allowed. 

The Supreme Court held that the omission was not fatal and could be corrected. In the process it stated that Section 65B Certificate can be produced any time during the trial.

If the only principle under question is whether an electronic evidence first produced without a Section 65B evidence can be re-produced with another copy with Section 65B certificate, it is not possible to disagree with the Supreme Court since the objective of the evidence is to produce truth and it should be allowed until the time the evidence is not closed and even later subject to the Court’s discretion.

However, certain other aspects of the judgement need to be analyzed from the academic perspective. We will also not go into the aspect of “Privacy” etc since it has already been established through other judgements that the means of obtaining the evidence does not adversely affect the relevance of the evidence. (Though if the means of getting the evidence was illegal, it may constitute a separate counter offence that the collector of the information has to contend with if challenged).

The Hiremath judgement repeatedly mentions “Secondary Evidence”. It is necessary that the Courts correctly interpret the concept of “Secondary Evidence” in the case of Electronic Documents. We have explained this in great detail in the book on Section 65B. (check the E Book section for the link).

In the case of an electronic document, the “Section 65B certified copy of the computer output” is also a “Document” and is admissible without the production of the original. It is therefore futile to discuss “Primary” and “Secondary”. In the instant case, the “Primary” document is the binary recordings in the spy camera. Every other copy has to be Section 65B certified by the respective persons who copied it from one state to another. The chain of contemporaneous certificates has to be maintained for the final evidence to be admitted.

The problem with taking the Hiremath decision too far is that it would introduce a sense of complacency with the producers of electronic evidence who may postpone the certification to a later day for several reasons. But it must be remembered that the electronic evidence may later vanish from the place from which the first document used as evidence either at the investigation time or later.

There will be a tendency to take the print out produced at one point of time say the 2012 print out in this case and one officer putting a seal and writing “I Certify …..” and call it a Section 65B certificate.

This would be a gross abuse of how the Section 65B certificate has to be produced.

A Section 65B certificate is issued by a person who converts the computer visible electronic document into a “Computer Output” which could be a print out or a soft copy. In this certificate the process of capture has to be part of the certificate. The devices used have to be identified. Hence if a document has been marked by the Court in 2012 and later it allows somebody to certify it in 2017, then the device used and the process with which the observer created the first copy may no longer be relevant. Hence it has to be observed once again and a new Certified copy has to be produced.

This is fine as long as the document from which the computer output is produced is still in existence. But the Court may have to allow the new documents to be marked either as “Additional exhibits” or as “Replacement of earlier marked exhibits”. Then somebody may have to further certify that the two marked exhibits do not have any material difference.

It is therefore advised that it is better to produce the Certified copy at the earliest time to avoid practical problems of re-creating the computer outputs. At the time of pre-FIR investigation, perhaps police may have to act urgently with whatever evidence is on hand and hence certification may not be insisted when a private complainant makes the complaint. But the Police should be careful to keep a certified copy before the original vanishes.

Naavi


Webinar on “Emerging Opportunities for Data Protection Professionals in India”

Foundation of Data Protection Professionals (FDPPI), Mumbai Chapter has organized a webinar on the above topic.

Date and Time: Today (11th May 2019) at 20.00 hours IST.

Participation is free.

Connect to: https://zoom.us/j/531199935

Meeting ID: 531 199 935

If you want to join only on mobile audio, you have the option to dial in. (Dial in number for your country can be obtained at https://zoom.us/u/ad5m3K152c)

RSVP: Adepu Bondiah: E Mail: fdppi.mumbai@fdppi.in

Naavi
