4-D Secure protocol for Online security… Attention NPCI

Naavi.org has been in the forefront of discussions on Cyber Crimes, Data Security, Compliance requirements etc. The objective of all this is to ensure that “Digital India” does not suffer from the lack of security that is inherent in online transactions.

In this journey towards “Secure Digital India”, we need to ensure that the digital payment systems are properly secured. Internationally there have been several initiatives in this direction, such as ISO 27001, PCI DSS, the SET protocol for card processing, 3-D Secure and its adaptations by VISA, MasterCard, Amex etc.

In India we have the RuPay scheme which has been conceived to provide a domestic system to enable Indian Banks and financial institutions to participate in the electronic payments market. The Rupay-e-Commerce architecture takes into account the three domains of the issuer, NPCI and the acquirer. The NPCI operates the PaySecure system and the NPCI switch and enables the authentication of the transactions.

The RuPay system has the potential to be a popular global brand like VISA and MasterCard. Similarly, the authentication system that RuPay adopts also has the potential to become a global system.

India has an advantage that is not available to other countries in the form of the Aadhaar identification system. Though the Supreme Court has placed some curbs on the innovative use of Aadhaar for authentication by private players, there are acceptable work-arounds and even the possibility of convincing the Supreme Court on specific national security projects for the use of Aadhaar.

If we can use both the Aadhaar network and the NPCI together, it may be possible to enhance the security of online payment systems to a level which could be better than other existing systems.

While the 3-D Secure system has three domains, namely the acquirer domain, the issuer domain and the interoperability domain, a structure also used in the PaySecure architecture of NPCI, it may be possible to look at a four-domain system (4-D Secure) based on the following constituents.

    1. Consumer
    2. Merchant
    3. Banking/Financial institutions
    4. Technology

In this model there are four responsibility centers. The Technology is the “Interoperability domain” managed by, say, NPCI. The Banking is the domain of all card issuers and payment system managers. The Consumer and the Merchant are the originator and destination of the underlying transactions.

This model recognizes that “Technology” is the interface between the different legal responsibility centers. In the first leg of the transaction, the transaction originated by the Merchant has to be authenticated by the Customer, or vice versa.

In the second leg, the financial part of the transaction originated by the card owner or the Merchant has to be authenticated by the card issuing Bank or its agent.

If the origination of the financial part is a “Pull Transaction”, the Merchant sends his request to the acquiring Bank. If it is a “Push” transaction, the customer sends his request to the card issuing Bank.

The Technology Provider can act as an agent of the Card Issuing bank or the Acquiring bank. The Technology provider can use the UIDAI authentication service in any permitted form. In case of high value transactions, the full e-KYC formality can be invoked. In other cases a simple random multi-factor parameter check can be used. If the identity parameter is taken in the form of a Virtual Aadhaar ID at the Merchant’s website, it may be within the current directions of the Supreme Court.

Other options including collection of the identity parameter by the Banking system instead of the Merchant or by the UIDAI itself or by NPCI as an agent of UIDAI can be considered and brought into the protocol.

The above is a thought which may be refined by technology experts. However the essence of this suggestion is that we can develop an online payment architecture which is unique to India and if it gets traction, develop similar standard models elsewhere where the UIDAI type of authentication is substituted by some other acceptable trusted third party authentication acceptable to the Banking system or the Card issuer consortium.

I invite technology specialists to improve upon this model if possible and take it forward. I urge NPCI to take the lead in this direction by forming an expert committee along with the UIDAI authorities and MeitY and examine the possibilities.

Naavi


Reference Articles

Principle of Secure Technology Adoption…creating a secure ecosystem for cyber transactions

Will Rupay challenge VISA/Master and be a global brand?

Aadhaar adds another security layer to frustrate “Benami”s

It is Y2K moment again in India, with Virtual Aadhaar ID

Posted in Cyber Law

Right to Adjudication Overrides Arbitration Clause… TDSAT judgement on Mohit Rajpal Vs MyTaxiindia.com

[P.S: This discussion has some important issues related to the Information Technology Act 2000 (ITA 2000), the Arbitration and Conciliation Act (as amended up to date) and the data protection regulations.]

It is always sad when a Company and its co-founder fight out a legal battle, particularly when the dispute does not relate to any financial misappropriation but to alleged data theft.

In such cases, it is difficult to segregate how much of the dispute arises out of real wrongful loss caused to the company and how much arises out of personal acrimony between a senior executive who has fallen out with the current management.

One such incident came to public notice recently when Mr Mohit Rajpal, the ex-co-founder of mytaxiindia.com and the current Director of goibibo.com, approached TDSAT, Delhi following an earlier Adjudication.

This appeal to TDSAT was disposed of on 15th May 2019 on one issue of law, related to the challenge to the jurisdiction of the Adjudicating Officer (AO) under ITA 2000. The matter has not been discussed on the merits of the disputes.

[P.S: This discussion is for academic purposes and is based on the copy of the judgement of TDSAT. At this point of time, I do not have access to more details including the details of the pleadings. As and when more information becomes available, if necessary, the analysis presented here may be updated…. Naavi]

(Copy of the judgement can be found here)

Mr Mohit Rajpal was the Co-Founder & Director of Mytaxiindia.com for a period of around 2 years from July 2015 to July 2017. During that time, he appears to have executed an employment agreement cum NDA (dated 10/7/2015) containing the usual data security clauses, such as that he shall not use the data acquired during the service for purposes other than the requirements of the job. The agreement seems to have also had the usual clause that disputes arising out of the contract will be subject to arbitration and that such arbitration recourse will survive even after the employment contract is terminated.

These are clauses which we usually find in every employment contract.

It appears that after the employment agreement was terminated (perhaps with the resignation of the employee), a dispute arose in which the company alleges that certain information was transferred from the “Official E Mail ID” of Mr Mohit Rajpal to his personal E Mail ID.

We reiterate that in the absence of full information as to what was the information that was transferred and what was the alleged “Wrongful Loss” sustained by the Company on account of such transfer etc., this discussion is only on the issue of whether the arbitration clause is binding against an adjudication process initiated by one of the parties.

The AO has ordered that the matter cannot be mandatorily referred to Arbitration and that he can exercise jurisdiction on the complaint as received. Mr Mohit Rajpal has appealed against this decision to the TDSAT, pressing for arbitration. In the process he has also cited a second agreement, namely the shareholders’ agreement between Mr Mohit Rajpal and the investors of the Company, which appears to also have an arbitration clause.

The purpose of the shareholders’ agreement is different from the NDA cum Employment agreement, and there was a different arbitration clause in this agreement. This was an arbitration where the seat of arbitration was Singapore (the applicable law is not clear to us at this point of time). Hence there were two arbitration agreements with different objectives, applicable laws and jurisdictions that the AO and TDSAT had to consider before arriving at the current ruling.

In its judgement, TDSAT has upheld the jurisdiction of the AO and come to the conclusion that the Arbitration clause is not to be considered binding in this case.

The arbitration clause in the shareholders’ agreement (which was not invoked during the AO proceedings and was brought in only in the TDSAT proceedings) was found not applicable since the agreement did not have any data security related obligations. Hence only the NDA cum Employment agreement was considered by TDSAT for this decision.

Though TDSAT had two earlier decisions under the TRAI Act in which the arbitration requirement had been overruled, the appellant appears to have contested it on the grounds that in civil disputes the tribunal should be bound by the Arbitration Act.

One of the arguments pressed was that the Adjudication powers have a financial limit of Rs 5 crores, beyond which the dispute has to go to a civil court; in that event the civil court would be bound by the requirement for arbitration, and hence even at this stage the AO should consider the provisions of the Arbitration Act as binding on this dispute.

TDSAT refused to go into the decision based on the evaluation of the nature of the dispute, whether it is of civil nature only or involves criminal nature etc. It has categorically stated

“..The larger issue as to effect of provisions of Arbitration Act upon enquiry into complaints under the IT Act and grant of compensation on that basis is left open”.

TDSAT also rightly observed

“..This issue may also depend upon the peculiar facts of a case because sometimes the complaint of breach of security and theft of data may affect large number of persons and may not be arbitrable for the simple reason that all affected persons may not be bound by a common arbitration clause.”

In view of the above, the appeal was dismissed and the AO was permitted to proceed to decide the complaint in accordance with the law.

A Solution Missed?

One of the options that the AO/TDSAT could have exercised was to retain the AO’s powers to adjudicate after the Arbitration and let the complainant also feel satisfied that he had received justice.

In deciding this case, the AO will be required to take a view on complicated issues of data protection which would be better handled through “Mediation/Conciliation” more than even “Arbitration”, where data security experts are involved.

It is therefore possible that the AO may find it difficult to resolve the dispute to the satisfaction of both the parties and the matter will be back with TDSAT in due course.

Being an Employer-Employee dispute, the matter has to be handled with an understanding of the nuances involved in management of business where the top executives work 24X7 from anywhere including the home and often end up with a seamless integration of personal and official work.

Top entrepreneurs/directors of startups often have no distinction between personal life and official life, and their psyche is built on such total dedication and integration of personal life with official life.

Many times, as long as the employee attends to business matters even while he is at home, the companies (bosses) are happy. But the moment a dispute arises with a boss (which could simply be an ego clash), companies start drawing a distinction between personal and official duties and blame the employee.

Understanding such issues and bringing the disputes to an amicable settlement is best done through mediation even more than Arbitration.

The legal issues themselves may not be black and white, and therefore insisting on a legal remedy alone, through either Arbitration or Adjudication, may not be the best solution to resolve this dispute.

However, the options of “Mediation” and “Conciliation” do not seem to have been explored in the current case.

I hope that the AO will at least now suggest that the parties first try Mediation before continuing with his enquiry under Section 46 of ITA 2000/8. Whether the Arbitration Act is binding or not is not necessarily the issue.

Amicable resolution of the dispute between a Co-Founder who must have contributed to the setting up of the business and the current business beneficiaries is the real issue.

The purpose of alternate dispute resolution mechanisms, including the Adjudication and Tribunals should be to ensure that law is applied as a last resort after all efforts on amicable settlement are considered, explored and given an opportunity to succeed.

If it fails, the legal system can always take over.

Such an approach will be most suitable in cases such as these where there is no financial loss as in the case of a banking fraud, and the dispute is about a notional loss arising out of alleged wrongful data sharing.

Naavi

Posted in Cyber Law

When Should Section 65B Certificate be produced?

Section 65B certificate has been discussed in detail in this website as well as in the book by Naavi. Now some queries have been raised on the recent Supreme Court judgement of 1st May 2019 in the case of “State of Karnataka Lokayukta Police Station, Bengaluru vs R. Hiremath”.

Without any prejudice to the other merits of the case, I would like to make a comment here only on the Section 65B aspect.

This is a judgement from a bench of Justice D Y Chandrachud and Justice Hemant Gupta in which Section 65B came up for discussion.

In this case, the Police had filed a Chargesheet and at that time had produced some electronic documents such as CDs without a Section 65B certificate. The CDs contained some video recording from a “Spy Camera”. The spy camera was handed over by the Lokayukta to the complainant for recording a meeting in which a bribe was asked for.

A Single Judge of the Karnataka High Court had rejected the charge sheet. One of the grounds was that the electronic document produced as evidence was not accompanied by a Section 65B certificate, and that this defect is not curable by a subsequent certification, which the Police must have offered to provide.

The recording pertained to 12th and 13th November 2012 and the High Court took the decision to reject the evidence in its order of 27th April 2017. If the Certificate is to be produced now, it is to be produced after a lapse of 7 years.

The question was whether this omission to produce Section 65B Certificate at the time of filing of charge sheet could be corrected subsequently.

The defence argued that the production of Section 65B now will be like an “After thought” and hence should not be allowed. 

The Supreme Court held that the omission was not fatal and could be corrected. In the process it stated that Section 65B Certificate can be produced any time during the trial.

If the only principle under question is whether an electronic evidence first produced without a Section 65B certificate can be re-produced as another copy with a Section 65B certificate, it is not possible to disagree with the Supreme Court, since the objective of the evidence is to bring out the truth and it should be allowed until the evidence is closed, and even later subject to the Court’s discretion.

However, certain other aspects of the judgement need to be analyzed from the academic perspective. We will also not go into the aspect of “Privacy” etc since it has already been established through other judgements that the means of obtaining the evidence does not adversely affect the relevance of the evidence. (Though if the means of getting the evidence was illegal, it may constitute a separate counter offence that the collector of the information has to contend with if challenged).

The Hiremath judgement repeatedly mentions “Secondary Evidence”. It is necessary that the Courts correctly interpret the concept of “Secondary Evidence” in the case of Electronic Documents. We have explained this in great detail in the book on Section 65B. (check the E Book section for the link).

In the case of an electronic document, the “Section 65B certified copy of the computer output” is also a “Document” and is admissible without the production of the original. It is therefore futile to discuss “Primary” and “Secondary”. In the instant case, the “Primary” document is the binary recording in the spy camera. Every other copy has to be Section 65B certified by the respective person who copied it from one state to another. The chain of contemporaneous certificates has to be maintained for the final evidence to be admitted.

The problem with taking the Hiremath decision too far is that it would introduce a sense of complacency among the producers of electronic evidence, who may postpone the certification to a later day for several reasons. But it must be remembered that the electronic evidence may later vanish from the place from which the first copy used as evidence was taken, whether at the investigation stage or later.

There will be a tendency to take the print out produced at one point of time say the 2012 print out in this case and one officer putting a seal and writing “I Certify …..” and call it a Section 65B certificate.

This would be a gross abuse of how the Section 65B certificate has to be produced.

A Section 65B certificate is issued by a person who converts the computer visible electronic document into a “Computer Output” which could be a print out or a soft copy. The process of capture has to be part of the certificate. The devices used have to be identified. Hence if a document has been marked by the Court in 2012 and later it allows somebody to certify it in 2017, then the device used and the process with which the observer created the first copy may no longer be relevant. Hence it has to be observed once again and a new Certified copy has to be produced.

This is fine as long as the document from which the computer output is produced is still in existence. But the Court may have to allow the new documents to be marked either as “Additional exhibits” or as “Replacement of earlier marked exhibits”. Then somebody may have to further certify that the two marked exhibits do not have any material difference.
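The chain of certificates described above, as an added illustration that is not from the original post and is not a legal form of the certificate: a Python record for each successive copy of the recording, carrying the certifier, source, device, process and time stamp the post says a certificate must contain, the hash of that copy, and the hash of the certificate for the copy it was made from. Breaking any link, whether a copy whose bytes no longer match its certificate or a later certificate that does not reference the earlier one, shows up in verification. The recording bytes, names and device descriptions are constructed for the example. The final check is the one the post mentions for a later certified copy that is to replace an earlier marked exhibit.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS = "0" * 64  # marker used as the "previous certificate" of the first copy


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CopyCertificate:
    """Record of one copy in the chain (an illustration, not a legal form):
    who produced this computer output, from what source, on what device, by
    what process and when, plus the hash of the output itself and the hash of
    the certificate for the copy it was made from."""
    step: int
    certifier: str
    source: str
    device: str
    process: str
    certified_at: str      # time of the copying, not of a later seal or signature
    output_hash: str
    prev_cert_hash: str

    def cert_hash(self) -> str:
        # Canonical serialisation so the same certificate always hashes the same way.
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


def certify_copy(prev, output: bytes, *, certifier: str, source: str,
                 device: str, process: str, certified_at: str) -> CopyCertificate:
    """Issue the certificate for `output`, chained to `prev` (None for the first
    copy taken directly from the primary recording)."""
    return CopyCertificate(
        step=1 if prev is None else prev.step + 1,
        certifier=certifier, source=source, device=device, process=process,
        certified_at=certified_at,
        output_hash=sha256_hex(output),
        prev_cert_hash=GENESIS if prev is None else prev.cert_hash(),
    )


def verify_chain(certs, outputs):
    """Check every copy against its certificate and every certificate against its
    predecessor.  Returns (True, None, None) when the whole chain holds, otherwise
    (False, position, reason) for the first broken link."""
    if len(certs) != len(outputs):
        return False, None, "number of certificates and copies differ"
    prev_hash = GENESIS
    for pos, (cert, out) in enumerate(zip(certs, outputs), start=1):
        if cert.prev_cert_hash != prev_hash:
            return False, pos, "certificate does not reference the previous one"
        if cert.output_hash != sha256_hex(out):
            return False, pos, "certified hash does not match this copy"
        prev_hash = cert.cert_hash()
    return True, None, None


def no_material_difference(exhibit_a: bytes, exhibit_b: bytes) -> bool:
    """Byte-for-byte comparison of two marked exhibits, for the case where a later
    certified copy is to be marked as a replacement of an earlier one."""
    return sha256_hex(exhibit_a) == sha256_hex(exhibit_b)


if __name__ == "__main__":
    # Constructed stand-in for the camera's binary recording (the primary document).
    recording = b"\x00\x01constructed spy camera recording\xff"
    c1 = certify_copy(None, recording, certifier="complainant", source="spy camera storage",
                      device="camera model (assumed)", process="copied over USB to laptop",
                      certified_at="2012-11-13T19:00+05:30")
    c2 = certify_copy(c1, recording, certifier="investigating officer", source="complainant's laptop",
                      device="office PC with CD writer", process="burned to CD-R",
                      certified_at="2012-11-14T10:30+05:30")
    print(verify_chain([c1, c2], [recording, recording]))          # chain holds
    # A seal put on a later copy whose bytes were never checked against the earlier one.
    later_seal = certify_copy(c1, b"different file", certifier="clerk", source="2012 CD",
                              device="unknown", process="seal and signature only",
                              certified_at="2017-04-27T11:00+05:30")
    print(verify_chain([c1, later_seal], [recording, recording]))  # breaks at position 2
```

The time stamp recorded is that of the copying, which is what makes the certificates contemporaneous; a certificate written years later over a copy nobody re-derived from the source fails the hash check in `verify_chain`.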

It is therefore advised that it is better to produce the Certified copy at the earliest time to avoid the practical problems of re-creating the computer outputs. At the time of pre-FIR investigation, perhaps the police may have to act urgently with whatever evidence is on hand, and hence certification may not be insisted upon when a private complainant makes the complaint. But the Police should be careful to keep a certified copy before the original vanishes.

Naavi

Posted in Cyber Law

Webinar on “Emerging Opportunities for Data Protection Professionals in India”

Foundation of Data Protection Professionals (FDPPI), Mumbai Chapter has organized a webinar on the above topic

Date and Time: Today (11th May 2019) at 20.00 hours IST.

Participation is free.

Connect to: https://zoom.us/j/531199935

Meeting ID: 531 199 935

If you want to join only on mobile audio, you have the option to dial in. (The dial-in number for your country can be obtained at https://zoom.us/u/ad5m3K152c)

RSVP: Adepu Bondiah: E Mail: fdppi.mumbai@fdppi.in

Naavi

Posted in Cyber Law

Is Adjudication up for Sale in India Mart

Today I stumbled upon a very interesting product/Service for sale in India Mart which raised some concerns about the judiciary in India.

We do sometimes talk of “Corruption in Judiciary”, but for a moment I wondered whether it has reached such a level that a Judicial Officer puts up an advertisement to offer a judicial order and is prepared to provide the best quote.

The Product or Service is titled “Adjudication matters with the Adjudicator” for which public are invited to contact the “Seller” and “Get the Latest Price”

The product description and the image indicate that “Adjudication” is available for sale at a price.

The listing is derogatory for the Adjudication system in general and for the Adjudicator of Maharashtra specifically.

I trust that the listing is a result of India Mart not understanding the product or service and the supplier not taking sufficient care in correcting the misrepresentation.

In the interest of protecting the reputation of Adjudicators all over India and particularly in Mumbai, it is the duty of Naavi.org to flag this and hope that it would be corrected instantly.

Naavi

Posted in Cyber Law

VVPAT Issue is related to Cyber Laws

Naavi was the first person in India to have raised the need for making EVMs cyber law compliant.

It was way back in 2001 that Naavi first flagged the possibility of Hacking in Indian Elections. It was pointed out at that time itself that the EC should recognize that under ITA 2000, any election malpractice could be called Hacking and imprisonment of up to 3 years could be invoked on those who indulge in booth capturing and related offences.

Again in 2003 when an incident was observed in Tamil Nadu where a sticker of one party was fixed in front of a candidate of another party to mislead the voters, a more detailed analysis of what makes EVMs cyber law compliant was discussed. (Refer here)

The essence of the problem was that the EVM was a system where a paper ballot is pasted on the face of the EVM over the buttons, which are internally connected to a counter. It was therefore possible for the paper ballot to be manipulated so that votes given for one person as per the printed ballot paper actually went to another candidate inside the machine. It was considered legally inappropriate to thus link a paper document to an electronic database.

A Solution was also suggested which was

a) Replace the front of the machine containing the ballot paper with a touch sensitive screen, display the candidates list along with the symbol (now a photo can be included) and provide for the voter pressing on any part of the row.

b) Once the vote is thus cast, display the ballot paper with the vote mark, looking like the old paper ballot used to look, along with a time stamp.

c) Calculate the hash value of the displayed document and print the hash value with the time stamp on a roll of paper sealed inside the EVM.
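The three steps above, worked through as an added example that is not from the original post and not the EC's equipment: a Python sketch of step (c), in which the ballot shown to the voter after the touch is hashed, the hash is printed on an append-only roll together with its time stamp and a chain link to the previous line, and the roll is later checked against the machine's own record of button presses. The booth, candidate rows and vote times are constructed. The per-ballot random nonce is an addition to the proposal as stated: with only a handful of candidate rows, a hash over the displayed ballot alone could be brute-forced by anyone who reads the roll, so the nonce is kept in the machine's record and never printed.

```python
import hashlib
import json
import secrets

# Constructed candidate rows for one booth; not real election data.
CANDIDATES = ("Candidate A", "Candidate B", "Candidate C", "NOTA")
GENESIS = "0" * 64  # chain link carried by the first line of the roll


def displayed_ballot(booth: str, serial: int, choice: str, cast_at: str, nonce=None) -> dict:
    """The ballot as shown to the voter after the touch (step b): booth, running
    serial, the chosen row and a time stamp.  `nonce` is an addition to the
    proposal: a per-ballot random value kept only in the machine's record, so the
    printed hash cannot be brute-forced over the four possible choices."""
    if choice not in CANDIDATES:
        raise ValueError(f"unknown candidate row: {choice}")
    return {
        "booth": booth,
        "serial": serial,
        "choice": choice,
        "cast_at": cast_at,
        "nonce": nonce if nonce is not None else secrets.token_hex(16),
    }


def ballot_hash(ballot: dict) -> str:
    """Step c: SHA-256 of the displayed document, over a canonical serialisation
    so the same ballot always produces the same digest."""
    canonical = json.dumps(ballot, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def roll_line(prev_line_hash: str, ballot: dict) -> dict:
    """One printed line of the sealed roll: serial, time stamp, ballot hash and a
    chain hash tying it to the previous line, so a line cannot be removed,
    reordered or altered without breaking every later line.  The choice and the
    nonce stay inside the machine; only hashes and the time reach the paper."""
    bh = ballot_hash(ballot)
    link = f"{prev_line_hash}|{ballot['serial']}|{ballot['cast_at']}|{bh}".encode()
    return {
        "serial": ballot["serial"],
        "cast_at": ballot["cast_at"],
        "ballot_hash": bh,
        "line_hash": hashlib.sha256(link).hexdigest(),
    }


def cast_votes(booth: str, choices_with_times):
    """Simulate a polling day: returns the machine's electronic records (the
    button presses) and the roll printed alongside them, line by line."""
    records, roll = [], []
    prev = GENESIS
    for serial, (choice, cast_at) in enumerate(choices_with_times, start=1):
        ballot = displayed_ballot(booth, serial, choice, cast_at)
        line = roll_line(prev, ballot)
        records.append(ballot)
        roll.append(line)
        prev = line["line_hash"]
    return records, roll


def tally(records) -> dict:
    """The electronic count the machine reports from its own records."""
    counts = {c: 0 for c in CANDIDATES}
    for r in records:
        counts[r["choice"]] += 1
    return counts


def audit(records, roll):
    """Re-derive the roll from the stored records and compare line by line.
    Returns (True, None) if every line matches, else (False, serial) for the
    first line that does not.  A record altered after polling, or a line missing
    from either side, shows up here without anyone counting slips by hand."""
    if len(records) != len(roll):
        return False, min(len(records), len(roll)) + 1
    prev = GENESIS
    for record, printed in zip(records, roll):
        if roll_line(prev, record) != printed:
            return False, record["serial"]
        prev = printed["line_hash"]
    return True, None


if __name__ == "__main__":
    votes = [("Candidate A", "2019-05-12T07:01:10"), ("Candidate B", "2019-05-12T07:03:42"),
             ("Candidate A", "2019-05-12T07:05:05"), ("NOTA", "2019-05-12T07:09:30")]
    records, roll = cast_votes("BOOTH-042", votes)
    print(tally(records), audit(records, roll))            # counts, (True, None)
    records[2]["choice"] = "Candidate B"                    # tamper with a stored record
    print(tally(records), audit(records, roll))            # audit now fails at serial 3
```

The roll is what the post's step (c) seals inside the machine: it lets a later audit confirm that the records being counted are the ones that were displayed at the time of voting, which is a different check from recounting slips by hand.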

I can boldly say that the EC did not understand the benefit of such a system and even now may not be able to appreciate why this system was suggested.

At that time, the only issue was the cost of a touch screen of the size required for the EVM and the need to replace the available units.

Now after 15 years we are back to discussing how to make EVMs more reliable. The EC has now adopted the VVPAT system, which involves a second unit, printing on a roll inside the second unit and capturing the vote slip in a box.

The cost of EVMs today is much higher, and the addition of the VVPAT as a separate unit, along with the need to transport it, secure it etc., makes it perhaps more expensive than the earlier proposal. Touch screens have also become much more economical now and I have a hunch that the solution suggested by me would be far more cost effective.

I therefore urge the Government to even now consider this suggestion seriously.

In the meantime, the Supreme Court is expected to hear the PIL filed by the opposition parties who have demanded that 50% of the VVPATs are to be manually counted. This is after their earlier request for 100% counting having been rejected.

Mr Chandrababu Naidu is personally attending the hearing in the Supreme Court to add the political touch to the hearing. The CJI himself is under great pressure as the lobby against him is creating personal pressure through the harassment case.

The Supreme Court may therefore be under great pressure to oblige the opposition demand and take India back to the days of the manual ballot paper system.

However, I would like the Supreme Court to keep in mind that “Counting VVPAT Slips” is not the same as “Counting of paper ballots”.

ITA 2000 renders VVPAT to be an “Electronic Document”. It is not a paper document. Hence the laws under ITA 2000/8 apply along with Section 65B of IEA as to the recognition and admissibility of the VVPATs in Court proceedings.

Once the Court agrees to VVPATs being counted, a question arises as to what will happen even if an insignificant difference arises between the electronic counting and the manual counting of the electronic documents called VVPAT slips.

Firstly, the legality of manual counting of an electronic document is questionable. It is like manually counting the rows of a table as displayed on the computer screen and using that count to override the electronic count which the computer displays as “Number of Rows”.

Just as a physical paper ballot pasted on the EVM should not be linked to a button wired to an electronic circuit inside, the VVPAT slip, being an electronic document, will not be legally valid if counted manually.

Secondly, the intention of the voter is expressed when he presses the button on the EVM (Unit 1). That unit has captured the “Button Press” in its database, which gets counted electronically. The VVPAT, on the other hand, is a secondary tool provided to enable the voter to be satisfied that his vote has gone to the right party. What the VVPAT unit displays is only a secondary confirmation and not the primary vote. If the voter sees any discrepancy, he has a right to object immediately. If not, it is presumed that the secondary confirmation is acceptable. The secondary confirmation is displayed in the VVPAT by an instruction sent by the EVM. Though this follows the initial pressing of the voting button, the VVPAT instruction goes after the vote is registered. Hence it is a transaction which occurs after the voting process is over.

The VVPAT slip therefore does not have any legal validity as a “Vote”.

If therefore a discrepancy arises between the EVM and the VVPAT, then the EVM count has legal validity and the VVPAT count only creates confusion and controversy. Having accepted VVPAT manual counting, tomorrow we may not be able to ignore a discrepancy even if the vote difference is just one or two, as in principle it may mean that the electronic counting was not correct and therefore has to be cancelled.

If the Supreme Court is naive to accept this politically motivated PIL, then it will give room for a complete disruption of our election system which has been hailed the world over.

I therefore urge that the Supreme Court take a proper decision that protects the integrity of the elections and does not give room to the anti national opposition parties to disrupt the democratic system in the country by discrediting our system of EVMs.

If necessary in future, EC can adopt the Naavi model of EVMs suggested above and strengthen the system further both technically and legally.

These opposition parties have proved both in West Bengal and in Amethi that even EVM based voting can be rigged with booth capturing. It is unfortunate that the EC and the Supreme Court do not take suo-moto action in such cases but are serious about mischievous litigation of the opposition parties.

What is again under test in this case is the ability of the Supreme Court to understand techno legal issues and also its ability to steer clear of politicization of litigation in the Supreme Court.

Let’s keep our fingers crossed.

Naavi

(P.S: Report has come that SC has rejected the PIL. We welcome the decision)

Some of the earlier articles:

Hacking and Indian Elections

Cyber Law Compliance and Electronic Voting

Clarifications on Cyber Law Compliance of EVMs

Hacking and Indian Elections …Naavi.org

Cyber Law Compliancy and Electronic Voting…Naavi.org

PIL Filed on EVMs in Supreme Court..Naavi.org

Order Passed on PIL on EVMs..Naavi.org

EVM Controversy

Posted in Cyber Law