Public Comments on Intermediary Guidelines under Section 79 released for counter comments

A draft of modified Intermediary Guidelines under Section 79 of ITA 2000/8 was released on 24th December 2018, modifying the earlier guidelines of 11th April 2011. Public comments were invited on the draft until 31st January 2019. MeitY has now released a consolidation of the comments received, running to 609 pages. Counter comments on these comments can be sent until 14th February 2019, after which the Government may proceed to finalize the draft.

The copy of the consolidated report is available here.

Naavi’s views have been provided under the banner of FDPPI and appear at pages 21-28.

It is heartening to note so many responses being filed, and with detailed analysis. The response seems to vindicate my earlier view that what we are seeing is the second awakening in the industry about the presence of a law called the Information Technology Act 2000 and its implications for the functioning of the industry. The law came into being on 17th October 2000, but most people in the industry ignored it. It was only in 2011, when the Section 43A rules were published, that the industry woke up to the existence of the law.

Now the management localization and the automated tools proposed in the draft rules have been noticed by the industry, and there is some effort to record its views.

Several advocates have placed their views invoking “Constitutional Issues” repeatedly and quoting the Puttaswamy judgement.

We will try to highlight some of the salient suggestions that have been made in the comments in due course.

To start with, we draw the attention of industry professionals to the specific suggestions made in the FDPPI comments, particularly the idea of developing an “Intermediary Dispute Resolution Policy” and implementing it through accredited dispute resolution agencies, on the lines of the control ICANN exercises over domain name disputes.

The advantages of such a system will be discussed in subsequent articles.

Naavi

Posted in Cyber Law | 1 Comment

10 year jail sentence for SIM swapping

I was glad to see a report that a person was sentenced to 10 years’ imprisonment for SIM swapping fraud. It was unfortunate that he was a young 20-year-old college student. The fraud involved crypto currencies, which I classify as “Currency of the Criminals”.

The incident was however not in India but in California, as this report indicates. According to the report, he is the first hacker sentenced for SIM swapping fraud.

These kinds of frauds happen regularly in India, and our laws are not stringent enough to impose any deterrent punishment on these criminals.

I am happy that such stringent punishments are meted out to such criminals. This should not be misunderstood as my being harsh on a young boy who is being punished; actually, I am sympathetic and compassionate to the many victims whom this person affected out of his greed.

Indian Courts need to take note of this criminal jurisprudence and ensure that in India, when such cases are found, the culprits do not get immediate bail and are punished properly.

Naavi

Posted in Cyber Law

Data on Financial Crimes need to be published

Indian banking has taken shape from UK banking law. One of the principles banking has followed for a long time is to be secretive about fraud losses, at least in the individual balance sheets of banks, for fear of adversely affecting consumer confidence.

It however appears that the winds of change are blowing across the UK, and India needs to emulate this. I recently came across the website ukfinance.org.uk, where comprehensive fraud statistics for the banking and payment card industry have been published. Such data would be very useful for the cyber insurance industry in developing its products, and also for the industry and law enforcement to understand the risks and take mitigation steps.

In India, RBI has been very reluctant to provide such details, and even in response to RTI applications it has taken the stand that it does not segregate fraud data in such detail.

Maybe it is time that RBI changes its stand and starts publishing such data regularly.

Naavi

Posted in Cyber Law

CySi celebrates Data Privacy Day in Chennai

Cyber Society of India (CySi) celebrated the Data Privacy Day in Chennai in a colorful event on 28th January 2019.

The event, organized under the leadership of the president Mr S. Balu, reportedly attracted good attention from industry professionals since it was one of the first such programs to be held in Chennai.

Global trends in privacy, the impact of GDPR and related issues were discussed during the deliberations.

An interesting caricature on the Right to Privacy, shown above, attracted attention.

The caricature (drawn by Mrs Saranya Devi) captures the relationship of privacy protection in the context of a Citizen of a physical society and a Netizen who lives in the Cyber Society, and underscores the fact that the privacy of a Netizen is only “Information Privacy”, guaranteed by the due diligence of the Netizen and the Intermediary.

While discussing data protection laws, we often forget that we are trying to protect a right in one society by a law in another society, and this is the root cause of many conflicts. It is like our Parliament passing a law in India for regulating activities in another independent country like Saudi Arabia or Pakistan. Conflicts are bound to arise in the absence of a “Treaty” between the two societies.

Since privacy is a “state of mind” of an individual and reflects the perception of a subject, such as “I am free”, “I am alone”, “Nobody is around me” etc., it cannot really be guaranteed by force through a law. Despite this, the entire data protection regulatory regime is built on the premise that the privacy of a citizen can be guaranteed through regulation of “Information Privacy”, which boils down to giving the individual some control over how his “Personal Information” may be collected and used by others.

Naavi has used the Johari Window concept for describing the scope of Data Protection legislation which is reproduced below.

What this “Personal Information Grid” represents is that for every person there are sets of data which he knows and sets which he himself does not know; each of these may in turn be known to others or not known to others. The information known to the individual which he does not want others to know is the domain of “information privacy”.

The data protection law covers how the information may be shared by the individual with others through consent, and which agencies are authorized to collect the data even without such consent. When unauthorized access to such data occurs, the cyber crime laws kick in, along with the data protection law, which may provide its own penalties for contravention of the “Data Subject’s Rights” of privacy as defined therein.

The intermediaries who collect the data are regulated both by the cyber crime laws (such as Section 79 of ITA 2000) and by the data protection obligations in laws such as the proposed PDPA 2018.

Naavi


[P.S.: Naavi is the Founder Secretary of CySi]

Posted in Cyber Law | 1 Comment

Congratulate the Income Tax authorities for innovatively adopting Data Protection Principles

The Indian Budget proposal presented yesterday had an interesting sidelight. While discussing the proposal on TV, Mr Piyush Goyal, the interim Finance Minister, said that, in order to reduce harassment of income tax payers, if any, by the department, the Government would be adopting a new system of assessment of returns.

The minister said

“Within the next two years, almost all verification and assessment of returns selected for scrutiny will be done electronically through anonymized back office, manned by tax experts and officials, without any personal interface between taxpayers and tax officers. “

It appears that the IT department has given a commitment to the tax payers that the principle of “Pseudonymization”, as we use it in the data protection scenario, would be applied in the IT assessment arena as well.

In simple terms, the assessment officer would receive the returns as a pseudonymized (de-identified) set of data and make his assessment without knowing who the assessee is. It is however understood that in case the assessment officer finds reasons to go deeper, he would recommend the return for a more detailed assessment, where there may be a need to know the assessee.

However, this second-level assessment would be required only for specific reasons, which can be recorded in writing and reviewed if required. The returns remain personal data in the department’s hands, since the department retains the means of re-identification; the privacy gain lies in separating the officer who assesses from the record that identifies the assessee, and in making that link auditable.
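The two-level scheme described above, as an added illustration that is not the IT department’s system nor code from this page: a vault holds the key and the identity mapping, the first-level officer works only on the financial fields, and the mapping is opened at the second level only against a written reason that is logged. The field names, the sample returns (made-up PANs), the 16-character case id and the 30% TDS-to-income escalation rule are all assumptions for the example.

```python
"""Pseudonymized scrutiny of tax returns: the assessing officer sees only the
financial fields; the identity mapping is held by a separate vault and can be
opened only with a recorded reason.  Added illustration, not the IT
department's system; field names, thresholds and records are assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample returns (PANs follow the 10-character format but are made up).
SAMPLE_RETURNS = [
    {"pan": "ABCDE1234F", "name": "A. Sharma", "address": "12 MG Road, Bengaluru 560001",
     "gross_income": 1_850_000, "tds_claimed": 210_000, "deductions": 150_000},
    {"pan": "PQRST5678K", "name": "B. Iyer", "address": "4 Beach Rd, Chennai 600004",
     "gross_income": 9_400_000, "tds_claimed": 2_900_000, "deductions": 150_000},
]

# Fields that identify the assessee directly; these never reach the first-level officer.
DIRECT_IDENTIFIERS = ("pan", "name", "address")


class IdentityVault:
    """Holds the HMAC key and the case_id -> identity mapping, apart from the officer."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # A keyed hash (HMAC) is used rather than a plain SHA-256 of the PAN:
        # the PAN format is fixed and finite, so an unkeyed hash could be
        # reversed by hashing every possible PAN and comparing.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._mapping: Dict[str, Dict[str, str]] = {}
        self.audit_log: List[Dict[str, str]] = []

    def pseudonymize(self, record: Dict) -> Dict:
        """Return a copy of the return with identifiers replaced by a case_id."""
        case_id = hmac.new(self._key, record["pan"].encode(), hashlib.sha256).hexdigest()[:16]
        self._mapping[case_id] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        pseudo = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["case_id"] = case_id
        return pseudo

    def reidentify(self, case_id: str, officer: str, reason: str) -> Dict[str, str]:
        """Second-level step: open the mapping only with a written reason, and log it."""
        if not reason.strip():
            raise PermissionError("re-identification requires a recorded reason")
        identity = self._mapping[case_id]  # KeyError if the case_id is unknown
        self.audit_log.append({"case_id": case_id, "officer": officer, "reason": reason})
        return dict(identity)


def first_level_scrutiny(pseudo_record: Dict) -> str:
    """Assessment on financial fields only.  The 30% TDS-to-income ratio is an
    assumed illustrative rule, not a rule from the IT department."""
    income = pseudo_record["gross_income"]
    tds = pseudo_record["tds_claimed"]
    if income > 0 and tds / income > 0.30:
        return "escalate"
    return "clear"


def process_returns(vault: IdentityVault, returns: List[Dict]) -> Dict[str, str]:
    """Run first-level scrutiny over pseudonymized returns; map case_id -> outcome."""
    return {p["case_id"]: first_level_scrutiny(p)
            for p in (vault.pseudonymize(r) for r in returns)}


if __name__ == "__main__":
    vault = IdentityVault()
    outcomes = process_returns(vault, SAMPLE_RETURNS)
    for case_id, outcome in outcomes.items():
        print(case_id, outcome)
        if outcome == "escalate":
            who = vault.reidentify(case_id, "AO-17", "TDS claimed exceeds 30% of gross income")
            print("  escalated; identity opened for", who["pan"])
    print("audit log:", vault.audit_log)
```

Two design points carry over to any such deployment: the pseudonym must be a keyed hash (or a random token) and not a bare hash of the PAN, because the PAN space is enumerable; and the vault holding the key and mapping has to sit under different access control from the officer’s workstation, or the separation exists only on paper. A different key yields unlinkable case ids, which is what you want if another department is given the same data.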

The IT department is the most hated of Government departments when it comes to “Privacy” protection and “Limitation of Surveillance Rights”. It is ironic that it has become the first Government department to indicate its commitment to the use of privacy protection principles in the administrative context. We need to appreciate its innovative use of the idea of de-identification.

We may recall that the Indian IT department was the first to adopt the technology innovation of “Digital Signature”, and the first to properly bring to the notice of the public phishing mails sent in the name of the department. Now, being the first Indian Government department to use “pseudonymization” marks another feather in its cap.

This development should also be taken note of by the Supreme Court, which is set to hear an objection to the recent notification of the Ministry of Home Affairs designating 10 agencies for surveillance under Section 69 of ITA 2000. The IT department (CBDT) is one of the designated agencies; each will have a nodal officer, and whenever the competent authority under Section 69 of ITA 2000 (viz. the Home Secretary) has a requirement for interception of any information under the control of the department, the competent authority can invoke its powers.

The Supreme Court is being misled by some of the petitioners into believing that the MHA order of December 20, 2018 gives roving powers to the IT department to indulge in surveillance. This is a malicious interpretation, as the MHA order only restricted the use of powers under Section 69 to the 10 designated agencies and nobody else, and the IT department was one among them.

Now that the IT department has exhibited its awareness of privacy protection and of the main tool of such protection, pseudonymization, and has demonstrated how it can be used innovatively in its administration, the Supreme Court should accept that there is enough awareness in the department to trust it with the responsibility which may be entrusted to it under Section 69 of ITA 2000 by the competent authority.

Naavi

Posted in Cyber Law

Kerala High Court rules: Not responding to SMS does not clear the Bank’s liability

State Bank of India Vs P.V. George (Kerala High Court, 9th January 2019, RSA 1087 of 2018) will be a landmark judgement on determining liabilities in digital banking frauds, much like S. Umashankar Vs ICICI Bank in the adjudication under ITA 2000.

In a highly significant verdict, the Kerala High Court has ruled that even when the customer does not respond to the SMS alerts relating to a fraudulent withdrawal, the Bank cannot deny liability for the fraudulent transaction, despite the limited liability circular of RBI.

Copy of the judgement is here

Honourable Justice Mr P.B. Suresh Kumar, delivering his judgement, ruled that the Bank was liable to repay the amount involved in the fraudulent withdrawals through ATMs and rejected all the defences that the Bank put up. (In the instant case, the withdrawals were in Brazil.)

The Bank defended on the grounds that

i) the loss was caused not due to any action or inaction of the Bank;

ii) the loss could not have occurred without the knowledge of the customer;

iii) the money could be withdrawn only with the card and the PIN known to the customer, and hence the customer alone is responsible;

iv) when an amount is withdrawn by international fraudsters from ATM counters in a foreign country, the Bank cannot be held liable;

v) the customer should have set the criminal law in motion in the foreign country for redressal of his grievance;

vi) SMS alerts were given by the Bank to the customer, and the customer failed to request blocking of the account.

All the contentions of the Bank were rejected.

The judgement addressed several key issues relevant to banking which the undersigned has repeatedly been impressing on different judicial authorities, such as:

a) The relationship between banker and customer, even in the digital banking scenario, is that of debtor and creditor and is determined by the contract.

b) A duty of care is an accepted implied term in the contractual relationship between banker and customer. Though it cannot be exhaustively defined, banks owe a duty to exercise reasonable care to protect the interests of the customer, including prevention of unauthorized transactions.

c) It is the obligation of banks to create a safe electronic banking environment to combat all forms of malicious conduct resulting in loss to their customers.

d) A bank cannot contend that it is not liable in cases where the unauthorized access was caused by fraudsters abroad, or insist that the customer has to pursue a criminal case abroad.

e) SMS alerts cannot be the basis for determining the liability of the customer.

The Court therefore confirmed the decree, with interest and costs payable by the Bank to the customer.

The judgement is extremely pleasing, as it clarifies many issues which I have been personally arguing in the case of S. Umashankar Vs ICICI Bank, which was recently settled in favour of the customer in TDSAT.

I suppose that this P.V. George Vs SBI judgement will settle the issue once and for all that it is the duty of the Bank to compensate the customer in cases of all frauds (the only exception being where the customer has personally conspired in committing the fraud).

Hopefully the principles enunciated here become the norm for other judicial fora also.

Naavi


Posted in Cyber Law