Virtual Cards for Credit Cards also

RBI has issued guidelines on tokenisation for debit / credit / prepaid card transactions as a part of its endeavour to enhance the safety and security of the payment systems in the country. Accordingly, RBI will permit authorised card payment networks to offer card tokenisation services to any token requestor (i.e., third party app provider), subject to certain conditions.

This permission extends to all use cases / channels [e.g., Near Field Communication (NFC) / Magnetic Secure Transmission (MST) based contactless transactions, in-app payments, QR code-based payments, etc.] or token storage mechanisms (cloud, secure element, trusted execution environment, etc.). For the present, this facility shall be offered through mobile phones / tablets only. Its extension to other devices will be examined later based on experience gained.

All extant instructions of Reserve Bank on safety and security of card transactions, including the mandate for Additional Factor of Authentication (AFA) / PIN entry, shall be applicable for tokenised card transactions also.

All other instructions related to card transactions will continue to be applicable for tokenised card transactions as well.

The ultimate responsibility for the card tokenisation services rendered rests with the authorised card networks.

No charges should be recovered from the customer for availing this service.

Before providing card tokenisation services, authorised card payment networks shall put in place a mechanism for periodic system (including security) audit at frequent intervals, at least annually, of all entities involved in providing card tokenisation services to customers.

This system audit shall be undertaken by empanelled auditors of Indian Computer Emergency Response Team (CERT-In) and all related instructions of Reserve Bank in respect of system audits shall also be adhered to.

A copy of this audit report shall be furnished to the Reserve Bank, with comments of auditors on deviations.

The move is welcome since it is expected to enhance the security from the consumer’s point of view.

Naavi


Limited Liability also for Cyber crimes in PPI

The Reserve Bank of India has issued a circular “Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Payment Transactions in Prepaid Payment Instruments (PPIs) issued by Authorised Non-banks” on January 4, 2019.

This is similar to the circular earlier issued for Banks and cooperative Banks.

Accordingly, if the victim of a Cyber Crime informs the PPI issuer within 3 days, there shall be no liability.

Naavi


An innovative way of implementing the Intermediary Guidelines under Section 79

We are all aware of UDRP or INDRP which is a Dispute Resolution Policy adopted by all Domain Name Registrars for resolving disputes arising out of conflicting domain name registrations. The policy is embedded into all domain name registration contracts and resolved through an Arbitration process.

This procedure has been in existence since August 1999 and has been in use across not only the GTLDs but also the other TLDs and CCTLDs. The domain name registrations of these different TLDs are under several complicated covenants built into the domain name contracts, and disputes arising thereof are resolved through mediation and arbitration.

A similar procedure appears to be also good for imposing the “Due Diligence” requirements under the Intermediary Guidelines under Section 79. Since the Government is now considering some modifications in the Intermediary guidelines, it is a good time to think about introducing this IDRP (Intermediary Dispute Resolution Policy) procedures as explained briefly below.

  1. The IDRP process would envisage that all intermediaries add one clause in their terms and conditions stating that the provision of the service and dispute resolution arising thereof will be subject to IDRP.
  2. IDRP will be drafted by the Accredited IDRP Management Centers (like the WIPO arbitration center in case of domain names). These IDRP Management Centers would be like “Accredited Arbitration Councils” and will adopt a well developed system of “Providing an Ombudsman”, “Mediation” and “Arbitration” as per the arbitration act of India.
  3. These IDRPs will incorporate all the Due Diligence Clauses which are included in the Intermediary Guidelines. Hence, without the entire list of clauses being repeated in all the terms and policy documents across websites and Apps, the single clause of IDRP adoption will adopt the entire due diligence requirements.
  4. The Intermediaries should then be required to register themselves with the Government. Since according to the newly proposed guidelines, large Intermediaries need to have an establishment in India and those handling personal information will be subject to data localization, registration of significant and guardian fiduciaries etc., this proposal to get registered so that the Government has an inventory of such intermediaries is not difficult. Apart from the voluntary registration from the intermediaries, the IDRP Resolution Centers may be tasked at ensuring that an awareness is created and all identifiable intermediaries are registered and undertake to add the IDRP clause in their terms.
  5. In case any intermediary does not want to register and add IDRP clause, it will still be subject to the intermediary guidelines which they need to adopt and comply with but without the benefit of the ADR process.
  6. The IDRP process should be made entirely online and ODR mechanism (See www.odrglobal.in for more information) should be adopted. [P.S: Adoption of ODR mechanism in this process will provide a leadership status for India in adoption of this emerging best practice in dispute resolution and reduce the burden on the Indian Courts.]
  7. The terms and conditions that the intermediaries will be required to handle after adoption of this practice will consist of only the business related issues, and the intermediaries will find it convenient that the burden of drafting compliance related terms and conditions by availing the services of a Cyber Law expert is fully eliminated.
  8. The IDRP Resolution Center will be a new business opportunity for interested firms specializing in Cyber Laws applicable to intermediaries.
  9. By using the expertise available with the IDRP Resolution Centers, the terms can be well drafted not only to include the ITA 2000/8 requirements but also the IPR requirements, the PDPA requirements, the GDPR requirements and other laws that may have impact on the Intermediary-user relationship.

I therefore suggest that this idea can be incorporated in the proposed amendment to the Intermediary guidelines 2018.

(Comments welcome)

Naavi

 

Previous Articles:

Shreya Singhal is Back again!

New Intermediary Guidelines… Legitimate and Well within the rights of the Government: 
Proactive technology tools to identify violation..new intermediary rules: 
New Intermediary Guidelines.. Intermediaries need to have Indian Subsidiaries..: 
Intermediary Guidelines.. Who is and who is not an intermediary?: 
Draft Intermediary Guidelines 2018… Public Comments invited:
Copy of the guidelines: 

P.S: The last date for submission of comments has been extended up to 31st January 2019. The comments would be put up on the website on 4th February and counter comments accepted up to 14th February 2019… http://meity.gov.in/writereaddata/files/Extention_Guidelines_2018.pdf


Why Pull Up Central Government when the mistake lies with the State Governments?

The Supreme Court of India is hearing a petition filed by the Internet Freedom Foundation on an allegation that 22 people have been arrested under Section 66A of ITA 2000/8 which has been scrapped by the Supreme Court in the Shreya Singhal case in 2015. (Refer article here).

A bench consisting of Justice Rohinton F Nariman (who was also the author of the Shreya Singhal judgement) has reportedly made angry comments at the time of admission such as “We are Shocked”, “We will jail the officials” etc., and ended up sending a notice to the Central Government to file a reply.

Obviously it appeared as if the Supreme Court has come to a conclusion that a grave mistake has been done by the Central Government.

Actually, the arrests have been done by different State Governments and the notices should have been sent to the state Governments and not to the Central Government. Just because the office of Central Government is in Delhi, Supreme Court cannot make it a party to this complaint. The Central Government can only be a postman in this case and forward a circular to the State Governments and get a reply and thereafter file it with the Court. If the Court expected that the Central Government had to take steps to prevent the State Governments in this regard, it is expecting the Central Government to intervene in the law and order decision of the State.

Further, if officials are to be jailed, then the Court may have to jail some magistrates and Judges also since they are equally responsible as the Police and not the “Officials” of the Government. The Supreme Court bench appears to have erred seriously in issuing the notice to the Central Government… unless there is something in the petition which we do not know.

We should recall that even the earlier decision to scrap Section 66A was taken because some state police did not understand Section 66A and applied it wrongly in some cases. Unfortunately, even the Courts did not understand that the error was with the Police and, instead of admonishing the Police, went on to scrap the section.

The Court is again making the same mistake now and reacting against the Central Government for mistakes which the state police, state prosecutors as well as the judicial authorities have committed.

We recall here our earlier article in April 2017 where we had referred to the judgement of a Telangana Court sentencing a navy person to two years imprisonment under Section 66A. (Refer here).

It was pointed out that in that case the cause of action had arisen in 2010, much before Section 66A had been scrapped. It is a matter of a separate debate if the Supreme Court judgement actually had retrospective effect or not.

The problem again has to be laid at the doors of the Supreme Court and Judge Rohinton Nariman himself, since while delivering the Shreya Singhal judgement there was no clarification if the decision had a retrospective effect. In such an event all trials and convictions that could have happened earlier would have to be reversed. This is certainly not a desirable option and the precedent in such cases is to always provide prospective effect to such decisions.

In the present instance, it is to be checked, out of the 22 cases being referred now, how many are cases where charge sheets have been filed after the relevant Supreme Court judgement and how many before it.

The Court has no reason to get angry if the cases turn out to be offences committed before the Shreya Singhal judgement.

If not, then it has to question the “continuing education” in the Police and more particularly among the public prosecutors and action has to be initiated on this front.

There is also a possibility that apart from Section 66A, some other section of ITA 2000/8 or IPC might have been included in the chargesheet and the arrest could be attributed to that.

If the defense counsel and a judicial officer have been party to the decision in addition to the prosecutor and the IO, then the possibility of a reason behind the decision, however absurd it appears at first glance, is high. Hence the Supreme Court should be patient enough to wait for the replies to be received before jumping to conclusions.

In fact the Supreme Court should send notices to Police academies and Judicial academies to find solutions, besides the State Governments for getting more facts about the cases, and not to the Central Government.

Believing the petitioner and expressing anger to make news headlines does not indicate that the Court will look at this case impartially. In fact the reading of the newspaper reports suggests that the petition has pointed out that it is the trial Courts and prosecutors who are not implementing the Supreme Court decisions. But instead of pulling up these people, the Supreme Court issued a notice to the Center for reasons best known to itself, as if the Central Government is the whipping boy for every petition received.

This reflects an invitation for an unwarranted confrontation with the Central Government. This could also lead to confrontation between Center and the States given the kind of State Governments we have in India which see nothing but politics in every decision.

The Central Government in its reply should therefore point out its objections to the Supreme Court’s notice being issued to it and request the Court to send notices directly to the concerned State Governments.

We may also recall that when the Shreya Singhal petition was admitted, the bench said “We were waiting why nobody had approached us so far…” and hinted that they had already half decided that the petitioner was right and the law was wrong.

The media reporting on such loose comments can create a wrong perception about the neutrality of the Court when a petition is admitted and it is better avoided. In order to ensure that decisions are not biased by the fact that the same judge had given a previous judgement related to the case, the Supreme Court will do well to change the bench hearing this case.

Naavi

Reference Articles

Telegraph

NDTV

 


Is Bigbrother Watching you?

Here is a link to an article published in India Legal on Sec 69 and Sec 79 ITA 2008 controversies which are doing the rounds.

http://www.indialegallive.com/cyber-security/is-big-brother-watching-59021

Naavi


Allahabad High Court admits PIL against Section 69 notice …2

[This is in continuation of the earlier article]

The Allahabad High Court accepting the petition challenging the MHA notification on Section 69 is typical of the cases that display an attitude of some petitioners to move the top courts on flimsy grounds just linking any issue to Right of Privacy and Right to Freedom of Expression and the attitude of the Court to admit worthless petitions just because the petitioner quotes some article of the constitution.

The failure of the Court to vet the petition at the time of the admission and identify cases which indicate only a political motive or a publicity motive results in the Courts being clogged with less important cases while cases which really involve the public interest get piled up.

Analysing the Grounds of PIL

Let’s see the grounds on which this petition has been admitted and evaluate if it could have been dismissed without a notice being sent to the Government.

Ground 1: Section 69 of ITA 2000/8 prima facie “seems” to be in violation of Article 14 as being arbitrary for the reason it gives “sweeping power” to the executive, is “irrational” and there is no nexus to justify the power which would result in impinging upon constitutional protected rights of person with impunity”

Comment: It is surprising that the petitioner has woken up after 18 years since Sec 69 came into existence and 9 years since an amendment was made and 7 years after the rules were first framed to now think that the section 69 of ITA 2000/8 violates the constitution.

The petitioner has not understood the nature of the MHA order of 20th December 2019 which is only a sub notification under a notification, under a section of the law which was passed in 2000.

Article 14 of the Constitution states:

Equality before law: The State shall not deny to any person equality before the law or the equal protection of the laws within the territory of India Prohibition of discrimination on grounds of religion, race, caste, sex or place of birth.

Section 69 of ITA 2000 as is prevalent now indicates as follows:

The petitioner seems to be in a fantasy world of his own to see a connection between Article 14 of the constitution and “Discrimination” on the basis of religion, race, caste, sex or place of birth in this section.

Ground 2. The petitioner goes on to give a sermon that “any power exercised by the executive should always be within the bounds of the constitution… and concludes that the language of Section 69 clearly manifests arbitrariness and is violative of Article 14”.

Comment: It is not clear which English Language the petitioner is referring to and deriving the meanings that he is imputing to the words.

Ground 3. The section 69 “purports” to curtail the freedom of speech and expression guaranteed by Article 19(1)(a) and makes the State a “Surveillance State”.

Again the ground stated is completely arbitrary and imaginary. The Section provides powers to the State to intercept communication only “if the person authorized for the purpose is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence”. As per the procedure the reason for interception has to be recorded in writing and is subject to review.

The section has no relation to curbing the “freedom of expression”. If anybody perceives the ability of the Government to intercept for the reasons stated above as such a curb, it means that the person is admitting that he is indulging in any of these unlawful acts or at least behaving in such a manner that there is a prima facie indication that he is transgressing law.

Hence the apprehension is only an argument made on behalf of self admitted criminals and has no relationship to the “Freedom of Expression”.

In fact not curbing such activity would be an affront to the rights of honest citizens who need to be protected by the Government as a part of its constitutional duty.

A Government which abdicates this responsibility has no right to be in the Government. A Citizen who wants the Government to abdicate its duty is himself failing in his duty as a citizen.

Ground 4:  There is enough possibility of this law being misused by the executives as in the absence of any safeguard the fundamental rights of the citizen are at risk of being impinged by the executive.

Comments: The petitioner has no basis for bringing a speculative argument that the law will be misused or that there are no safeguards. It must be noted that the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, which were notified on 27th October 2009, have elaborate safeguards to prevent misuse of the powers and even punish an executive who violates the rules.

The petitioner appears to be unaware of the existence of the rules. Beyond the law as represented by the section and the rules, “Misuse” is of course possible of any law. The envisaged safeguards along with the punishment for any violation are meant to be a deterrent for such misuse.

In the event of any misuse, the petitioner is welcome to raise the issue and send any offending executive to jail.

Ground 5: What Section 69 purports to do is to “Impinge upon natural right to privacy” and the “sweeping Powers” to intercept, monitor, decrypt data is a violation of Article 21 of the Constitution.

Comment: This is yet another false and irresponsible Rahul Gandhi like statement that has been added under the grounds.

What the section “Purports” to do is to have a provision in law to enable use of powers to intercept, monitor and decrypt data either in transit or at rest when there is a need for the purposes provided under the Constitution as “Reasonable Restrictions” that can be placed on any fundamental right of a citizen. Its principal aim is to seek the cooperation of data holders to assist the competent authority in relevant investigations.

Without such an enabling provision, the state cannot discharge its duties as the authority that can provide the safety and protection to the liberty of its citizens and their rights to own property and carry on a peaceful living.

If the Court comes in the way of enabling provisions relevant for public administration, it would be like Judicial Naxalism to prevent the normal functioning of the elected Government and would be ultra vires the judicial powers as provided in the Constitution.

Since the Supreme Court judges themselves once went to the people with their grievance with a press conference, accepting the primacy of “People”, if the Judiciary overreacts to the situation and strikes down Section 69, it will be an act which will be “Ultra vires the people of India”.

Those who swear by the constitution have to swear by the “Primacy” of “We the People” and cannot ignore the security of people even before worrying about providing guarantee of the “Right to Privacy”.

This situation does not change because of Puttaswamy judgement.

Further, if the Court decides to object to Section 69 in respect of electronic documents, it will be necessary to scrap all similar provisions in other laws including IPC or POTA and make India a haven for Criminals, Naxalites and Terrorists. It will prevent Police from undertaking any search or preventive arrests, imposing restrictions on public for prevention of offences etc., since all such provisions will be restrictive of the Right to Privacy in one sense.

Law cannot be discriminative, with interception, monitoring and decryption of Electronic Documents being considered objectionable and not other non electronic forms of the same.

It is therefore not feasible for the Court to consider scrapping of Section 69 without being self contradictory.

Ground 6: There has been no safeguard provided for exercising such powers.

Comment: The petitioner has to read the MHA order once again and understand that it is in exercise of the powers under Section 69(1) read with rule 4.

The professors of IIT Kharagpur appear not to have been consulted by the petitioner before he drafted this petition. Otherwise they would have told him that this order is subordinate to Section 69(1) as well as the Rule 4.

Section 69(1) itself has safeguards limiting the powers to exceptions provided under Article 19(2) of the Constitution. It also restricts the powers to be executed only by “an officer specially designated for the purpose”, mandates the reasons “to be recorded in writing” and makes the exercise “subject to the procedures and safeguards as prescribed” under Section 69(2).

The procedure has been prescribed under the rules notified on 27th October 2009, which contain 25 different paragraphs detailed in one of the earlier articles here. They contain the review process, punishment if violated etc.

Under Rule 3 of the October 27 rules, no person shall carry out interception except with a written order issued by the “Competent Authority”, which should note the purpose, the designated person etc.

The Competent Authority has been defined to be the Secretary of Home.

Under Rule 4, the competent authority may authorise an agency of the Government to intercept, monitor or decrypt information generated, transmitted, received or stored in any computer resource for the purpose specified in sub-section (1) of section 69 of the Act.

Reading Rules 3 and 4 together, it is clear that the Competent Authority has the authority and it exercises it through the authorized agencies with a written order.

So far, no list of such agencies had been notified and therefore the Competent Authority had the power to authorize any agency either public or private, either the CBDT or CDAC or a CFSL or a TCS or Infosys and it would be well within its powers.

Now this MHA order has actually restricted this power to appoint “any agency” to only the designated 10 agencies. Petitioner and the Court have to understand that far from creating a “Surveillance State”, this MHA order brings focus and order to the use of power and is a significant step towards creating a healthy and organized system in which the power can be exercised according to the Constitution and the laws made there under.

The other grounds are a repetition and hence the above comment is sufficient to dismiss the petition without any detailed trial.

The order is Praiseworthy

In fact, if the Courts understand the situation without a political bias, they would actually praise the Government for bringing this order.

Now that 10 agencies alone are to be used by the competent authority, and each of these will have a designated “Nodal Officer” who will be accountable for executing the interception order as per the rules such as rule 11, 15, 16, 18, 23, 25 etc. and face the liabilities under rule 24, there is a greater control on the possibility of Government misusing the provisions.

So, even if malicious and Crazy political parties take over the administration of the Government in the next election, (which I hope will not happen) they cannot create a surveillance state as we had in 1975.

Professionals not to play into the hands of politicians

In the meantime, professionals who have not understood the law properly should not play into the hands of these political opponents by wrongly interpreting the Privacy and Freedom of Speech issues and obstructing the legitimate Governance functions and the security interests of the honest citizens.

Courts should also be more responsible and should refrain from encouraging such elements by admitting all such petitions and issuing notices. Such notices only waste public resources and effective Governance time.

Courts are not enemies of the Government nor should  function  like political opposition. Courts are part of the Governance of the Country and should understand Governance and interpret law in the right perspective. If they assume that they are in an island of their own and ignore the context in which a law or a procedure is made and guide the Government if they need assistance, then they will stand out as a hurdle against development.

A few years back, there was a practice for the Government to make a reference to the Supreme Court if there was a complex piece of legislation. But today, the Supreme Court refuses to be drawn into such an advisory role and insists that the Government has to make a law and the Court will then review it and strike it down if required. In the process they will prevent the Government from progressing at the rate which this Country demands.

Inconsistency is the bane of Judiciary

At the same time, we need to recognize that Courts are also not consistent with their decisions. In some cases they are ready to read down law but in some cases they want it to be struck down. In some cases they allow urgent mention and in some other cases they deliberately delay the matters.

The delays by the Supreme Court in respect of the Jayalalitha Case, the Ram Mandir Case, the National Herald case etc. against the urgency they showed for the Sabarimala issue (while not showing the same urgency for the review petition), indicate how the Supreme Court can be considered by the citizens as inconsistent and biased.

Apart from the wrong or inconsistent decisions, Courts have in the cases like Aadhaar as well as the Puttaswamy judgement itself displayed a blinkered approach to a decision ignoring the multifaceted nature of the issues that often come up in this complicated technological world.

For example, the Aadhaar decision never considered the impact on e-Sign, which was a method of authentication in the digital world. If the Court had understood the link between e-KYC and e-Sign, they would have at least read down the Aadhaar Section 57 with exemptions for the use of Aadhaar by private sector in certain functions of national importance to be declared by the Government.

The Supreme Court also went wrong on petitions opposing the tender documents floated by the I&B ministry and UIDAI without understanding the difference between “Scanning of published reports in the media” and “Interception”, just as they failed in the Shreya Singhal case in differentiating between “Publishing” and “Messaging”.

Similarly the Puttaswamy judgement itself was unclear and vague, adding to the confusion of legal interpretation of what is Privacy. It went to the extent of stating that even the words mentioned in the Constitution are not sacrosanct and can be interpreted by the Judges in any manner they like (See Justice Chelameswar part). There was therefore confusion confounded by the judgement which is generally hailed as “Historic”.

It would have been better if the judgement had categorically mentioned that

“Privacy is a State of Mind of an individual and external laws cannot predict and protect the dynamic state of mind and therefore the judgement is nothing more than expressing the intention of the constitution and the need for appropriate measures to protect information that is relevant for privacy rather than the privacy itself”.

By not defining Privacy and expecting it to be protected by the Government and also restricting the operational freedom of the private sector by a completely vague prescription, the Puttaswamy judgement only created a platform for anybody and everybody to link anything and everything to infringement of privacy and knock at the doors of the Court.

The current PIL is a classic example of how the Puttaswamy judgement itself will be used and reused for flimsy and motivated litigation.

There is a need to put an end to this practice by actually reading down the Puttaswamy judgement itself and providing the guideline to the lower courts not to allow the hijacking of our judicial system with the PILs of the kind we are now seeing on this MHA order.

My Apologies

As a teacher of Cyber Law, I understand and appreciate the urge of the petitioner (who I recognize is a student of Cyber Law), to test his knowledge and skill in litigation by launching a PIL.

I have no intention of discouraging his enthusiasm through the words used in this article. I however request him to take a second look at his petition and if he agrees with my views, consider withdrawing the petition rather than pursuing it.

There are better PILs that need support and many Cyber Crime victims who need the support of public spirited advocates and he can focus on such issues rather than the PILs which are essentially serving the political interests of the opposition parties in India who are opposed to the current Government for vested interests of their own.

Also my remarks against Judiciary in the article, should be seen in the context of preserving the sanctity of the system in the larger interest of the country in the long run and the need for “We the People” to exercise our “Freedom of Expression” in good faith for what we consider is for the good of the nation.

Lastly, I would like my critics to consider that though they may not fully agree with my views, they can at least try to take this into consideration as one point of view before formulating their own views. I have no objection if they want to support the opposite view.

If anybody is hurt by my views expressed here, my sincere apologies.

Naavi

Reference

The MHA Notification
Section 69
Section 69 Rules of 2009

Report at bar and bench
