Police train on Bitcoin Crimes while Alliance University and Supreme Court deliberate

As the new Finance Minister in India takes over the reins of managing the economy, the Bitcoin industry has scaled up its efforts to somehow bring in some semblance of regulatory recognition to Bitcoin and is leaving no stone unturned to reach its goals.

Three events will attract attention on Bitcoin and Crypto currencies in the immediate future in India. They are

1. On July 23, the honourable Supreme Court is said to hear a petition.

2. On July 27, Alliance University, Bangalore will host the Bangalore Blockchain summit.

3. On September 5th and 6th, the National Police Academy is set to conduct a two-day “Educational” program on Crypto currency.

Naavi.org would like to place its views before the public on each of these three events so that these views are not ignored in the discussions.

Supreme Court has to avoid a Trap

Supreme Court has in the past projected a face of opposition to Black money in India. It is well known that Bitcoin or Crypto currency in general is a representation of “Digital black Money” and hence any view expressed by the Supreme Court is a view against “Legitimization of Black Money”.

All the opposition to Aadhaar and the support to Bitcoin that some activists are expressing, expecting support from the Supreme Court, is a result of the fight of the Government to reduce black money. The moment Aadhaar was to be used to fight “Benami” properties, it was attacked as if it was the greatest evil legislation in India. The Supreme Court went along with this view almost till the end, though in the final stage it yielded some leeway to the Government. Now with the new Aadhaar legislation, some calm has descended on the Aadhaar front.

But the support to Bitcoin legitimization continues to be fought on all fronts and at present there is some concern that the Supreme Court may be manipulated by clever lawyers to come in support of Bitcoin.

In all our discussions, we need to remember that “Bitcoin” and “Crypto currency” have to be seen as indistinguishable since the 1000+ crypto coins are convertible with Bitcoin and hence recognition of “Private Crypto Currency” of any description will automatically provide recognition to Bitcoin. Hence all our discussion on “Bitcoin” is relevant for other Crypto currencies such as Ethereum, Ripple, Bitcoin Cash, EOS or others.

The discussion on “Blockchain” is often used as a cover to promote Bitcoin and hence “Legitimizing Blockchain as a technology” is often a proxy discussion on “Legitimizing the Bitcoin” and we need to keep this in mind.

We also need to remember that “Regulating” is possible only after “Recognizing”. It is not possible to regulate Bitcoin without first recognizing its existence. Once RBI or the Finance Ministry accepts that there is a need to regulate crypto currency, they will have to start with a deemed acceptance that Crypto Currency like Bitcoin is deemed as “currency”.

What is not recognized cannot be legitimized. What is not recognized cannot be de-legitimized as well.

Hence the Supreme Court should be wary of making any comments, either in its order or on the sidelines, that could be taken as its support to Bitcoin.

If the discussion is Crypto Currency as a “Currency”, the one line judgement is that

“Any instrument that is deemed to be a “Currency” is the exclusive preserve of the RBI in India and any person exchanging any “commodity” as “Currency” is deemed to commit an offence against the State”.

In as much as introducing a parallel currency in the country will de-stabilize the economy, it is an anti-national activity. In as much as Bitcoin or other Crypto currencies are used as the currency of Cyber Criminals, as Currency of Terrorists, any dealing with Crypto Currency should be deemed as an act of terrorism and dealt with legally in that perspective.

Mrs Nirmala Sitharaman as Finance Minister, Mr Amit Shah as Home Minister and Mr Ravishankar Prasad as Law and IT Minister need to recognize their individual responsibilities in convincing the Supreme Court that the Court in its ignorance should not legitimize this tool of terror.

Alliance University may endorse the digital Tukde Tukde Gang

The Blockchain summit 2019 in Bangalore is being hosted by a private university, namely “Alliance University”, is organized by KPI Consulting Services Pvt Ltd and is supported by a host of industry players. There will be discussions on “Block chain technology” as the Next Gen technology with a special emphasis on it being a platform for Crypto Currencies.

In the course of the discussions, the virtues of Bitcoin and how the Indian Government is talking of 10-year imprisonment for dealing with Bitcoin, etc., will come up for discussion.

What may start as a technology discussion may actually end up as a camouflaged attack on the Indian Government blocking the legitimization of Bitcoin. In this respect the summit has the potential of turning out to be like the JNU meetings that turned out to be a call for breaking up India.

Bitcoin and Crypto currency are an instrument of the break up of the Indian financial system and a means of terror funding and hence any promotion of Crypto Currency would be an endorsement of the Tukde Tukde gang.

It is therefore essential for the organizers to ensure that the discussions, deliberations and recommendations during the summit do not cross the boundary between Blockchain as a technology and Crypto currency as a Currency substitute.

I wish the RBI and the intelligence agencies send their observers to the summit to keep track of what the industry is up to.

If a “University” has to be engaged in an activity such as promoting “Blockchain Technology” then there should be discussions on the adverse effect of Crypto Currencies on the environment by highlighting the power consumption by the industry. It is alarming to know that even at present the Bitcoin mining industry consumes more energy than a nation like Switzerland, as indicated by a recent study.

At present Bitcoin accounts for roughly 0.25% of the world’s entire energy consumption. If there is a legitimization of Bitcoins in India and everybody starts mining some form of Crypto Currency, then this power consumption will break the backbone of India. As an academic institution, Alliance should be concerned with such aspects and ensure that the summit does not gloss over the concern.

Similarly, as an academic institution, Alliance should also be concerned about the effect on the financial structure of the country and its economy when the entire market capitalization of Crypto Currency comes into the liquidity in the country and adds to the physical currency in circulation, and how it affects inflation and the value of legitimate currency.

I am reasonably sure that the organizers of the summit would not focus on such issues which are a real concern for the society. The Alliance University on the other hand should be concerned about these issues more than the commercial aspect that Bitcoin price is Rs 7 lakhs today and may go up further etc.

I request the Vice Chancellor of the Alliance University to keep a close watch on the deliberations and ensure that what happens in the summit is a healthy debate on technology and not a promotion of Bitcoin.

I request journalists in Bangalore who attend the event to take note of this and cover the event appropriately, ignoring the free Bitcoin coupons that would be showered on all the participants during the event.

National Police Academy needs to focus on Crypto Crimes

In the light of this background if we look at the proposed “Course on Crypto Currencies” that the NPA has planned for its senior officers, there is a need to raise a concern whether there is adequate focus on “Crimes related to Crypto Currencies” in the course.

It is accepted that without knowing what “Crypto Currency” is, Police cannot understand how to investigate Crypto Currency crimes. Hence, the course to understand Crypto Currency is essential.

We are however not aware of the details of the two-day course and the emphasis that it lays on the “Misuse of Crypto Currencies”.

At present “Cryptojacking” is a serious concern of the industry and huge losses are occurring to individuals and organizations by the malware that hides inside many computers and works as a botnet mining crypto currencies for others.

Such Bitcoins mined in India are going out of the country and therefore constitute “Virtual Smuggling”. Bitcoin ATMs are being set up as “Virtual Havala Centers”.

Bitcoins are bought and sold for extortions both in physical kidnapping as well as ransomware and are therefore the “Currency of the criminals”.

Dishonest businessmen are committing frauds using Bitcoin as a bait and setting up exchanges only to declare a “hack” later to leave the holders of the crypto currency high and dry.

The involvement of so many criminals world over in the Bitcoin industry has made it easy for some of these criminals to set up wallet agencies and exchanges and later hack into the same making the entire Crypto Currency industry completely unreliable.

The managers of Crypto currencies have not been cooperative in any investigation and the Police will find more than normal resistance in investigations that involve Bitcoins or other crypto currencies. If Bitcoin is legitimized, it will become even more difficult for the Police to investigate.

Anonymity is the main selling point for Crypto currencies and hence tracing the Crypto Currency transaction will never be supported by the industry. Breaking the encryption forcefully is an impossibility.

Hence if the Police allow the entry of Bitcoin in any form of legitimacy, tracing the use of crime funds becomes an impossibility. If this continues to be a requirement of criminal prosecution in cases of frauds and corruption, then the criminal justice system will fail.

I wish the NPA understands the dangerous consequences of Crypto Currencies and does not allow itself to be sweet-talked by the industry that Block chain is a great technology.

I wish the concerns expressed above are taken note of by the Government of India if it is serious about eliminating Black money in India.

Naavi

There are several earlier articles on this site which may also be researched by interested persons.


Aadhaar Amendment Act passed

The Aadhaar Amendment Bill was passed by the Rajya Sabha today and brought in many important changes that would offset the restrictions that the Supreme Court had placed on the use of Aadhaar.

The main objection of the Supreme Court was that Aadhaar should not be used by the private sector since it could compromise the privacy of the individual. Even during the time the Supreme Court considered the objections raised by the opposition that sought to attack the Aadhaar scheme as a proxy attack on Mr Modi, UIDAI had introduced the “Virtual Aadhaar ID” as well as offline authentication. If these had been considered by the Supreme Court, at the time of its earlier decision, it would not have been necessary for the Court to send shock waves through the industry by banning the use of Aadhaar by private sector.

Now in the amendment, the Virtual Aadhaar ID has also been recognized as the “Aadhaar Number”, making it usable instead of the original Aadhaar number. Since the Virtual Aadhaar ID can be changed from time to time, the user can use different Virtual IDs for different transactions and protect the real ID.

The system of “Offline verification” has been defined as a process of “Verifying” the identity of the Aadhaar holder without authentication. The system which UIDAI has implemented requires the Aadhaar holder to download the Offline e-KYC document and submit the same to an agency which needs to conduct a KYC. The document downloaded is an XML document with the digital signature of the UIDAI which should be used by the verifier. Where demographic information is shared the user will be obligated not to use it for any purpose other than for which it was provided.

Further, the Aadhaar holder can voluntarily use the Aadhaar number to provide his authentication to the user agency based on an “Informed Consent”. This enablement will meet most of the requirements of the user industries though the Privacy Activists may still raise issues of whether an “Informed” consent was obtained or not. Once the PDPA comes into effect, the agency using the Aadhaar number for authentication will have a larger responsibility as a “Significant Fiduciary”.

The Act will by a regulation mandate user agencies that would use only a Virtual Aadhaar ID and not the main Aadhaar ID. It is expected that most of the private sector players may be placed under this mandatory use of Virtual Aadhaar ID which should satisfy the Supreme Court on the Privacy protection. This notification may come as rules that will follow.

The Aadhaar authenticating agency is also expected to indicate alternate measures other than the use of Aadhaar for the purpose of authentication and not make it a mandatory condition for delivery of any service.

The Act also makes some changes in the penalty clauses to deter any misuse. Disputes would be settled through Adjudication followed by the appeal with TDSAT.

Additionally, the amendment to the Telegraph Act indicates that the Telecom operators may use the Aadhaar as a means of authentication for their services. This will be part of the telecom licensing provision as if it is a special category of license. It is expected that the TRAI will specify further safeguards as may be necessary when licenses are issued with the use of Aadhaar as an identity parameter. It appears that the current license holders may have to seek a special endorsement for the use of Aadhaar, agreeing to whatever additional conditions that TRAI may place.

In summary, it can be stated that one of the dark phases of Aadhaar usage has perhaps passed off. Hopefully the Fintech industry which had been severely hit by the Supreme Court judgement can feel more comfortable now.

(P.S: This is the immediate impression on the Bill as passed and may need a review when more details are available)

Naavi


Don’t Delete the Alleged Phishing E mail

Whenever a fraudulent withdrawal occurs on a Bank account, it is a common practice for the Bank to allege that there was a phishing mail which the customer answered and therefore he has compromised the access credentials to the account and is responsible for the unauthorized access and the consequential loss.

The limited liability circular of RBI also limits the protection under the automatic zero/limited liability on reporting of a disputed transaction within the specified time only to cases where there is no “Proof” of the customer sharing the payment credentials. In such cases the scope of the circular is limited to the debits that occur after the reporting. The “Burden of Proof” of sharing of payment credentials rests with the Bank.

In a practical situation it so happens that when an incident of fraudulent withdrawal is noticed, the customer is in a state of panic. He first calls the Bank to tell them that he is either not able to access the account or the balance in the account is less than what it should be.

In such cases, the complaint is registered and a number is allocated which needs to be kept safely as evidence of reporting (Naavi has suggested using the service of CEAC for sending such notices to bring a trusted third party evidence into the equation).

Normally in the subsequent discussions, the Bank will advise the customer to file a Police complaint and follow the incident with the Police as a crime against the customer.

The Bank in the course of the conversation may also ask “Have you received any mail recently from the Bank asking for your password?” or “Did you give your OTP to anybody?” etc.

If the customer has received a mail which we normally refer to as the “Phishing Mail” or a “Vishing Call”, he will say that he has received it. Some of such customers may say that they had received such communication but they did not respond.

This conversation is normally recorded by the Bank but not the customer. Hence the evidence of this conversation is available with the Bank but not the customer.

The customer often goes to the Police and files a complaint naming the unknown fraudster, as suggested by the Bank, as the accused and does not include the Bank as the main accused or as a person who has abetted the crime.

We have recently come across an allegation by a customer that the Bank asked him to delete the phishing e-mail and he deleted it. Later in the judicial proceedings it has become an evidentiary requirement.

During the proceedings in the Court, the Bank may simply deny that it has asked the customer to delete the mail and the customer will be left high and dry to prove that he is speaking the truth.

As a general warning to the Bank customers who may be victims of frauds, I would like to therefore request that they should not delete the phishing e-mail. It is potential evidence of an attempted crime even when no loss occurs and is actually the evidence of crime if the fraud happens. Deletion is removal of evidence and is punishable under Section 65 of ITA 2000/8 and Section 204 of IPC.

If the bank suggests this, the bank is guilty of destruction of evidence or an attempt to fraudulently mislead the customer to commit such an offence.

Further, the Customer should request the Bank to produce the recording of the conversation to prove or disprove whether there was such a phishing e-mail etc. The Bank is bound to provide such evidence or shall admit that it itself is liable for destruction of evidence since the recording itself is evidence.

The Customer should insist that the Bank produces the recording as Section 65B (IEA) certified evidence, as otherwise there is a possibility of tampered evidence being produced.

Further, even when the Limited Liability Circular fails to protect the customer, it does not foreclose the legal option of recovery through Adjudication, where the customer may still hope for a remedy even in case of the so-called phishing.

This is for the general information of the public.

Naavi


Startup TV Channel as a Budget Proposal

Out of the several “Vision” statements included in the budget proposal of 2019-20, one particular proposal which attracts attention is the proposal to start a television program exclusively for start-ups.

Naavi.org has been engaged in “Awareness Building” on Cyber Law Compliance since 1998 and with the enactment of the Personal Data Protection Act (PDPA), there will be more of such awareness activities that need to be done. This objective of Naavi.org, which has been carried over to organizations like the FDPPI (Foundation of Data Protection Professionals in India), now may have an additional tool to reach out to people through this very unexpected budget proposal, namely “Start UP TV of India”.

This Channel is supposed to be started as part of the Doordarshan Bouquet and is expected to serve as a platform for promoting start-ups, discussing issues affecting their growth, matchmaking with venture capitalists and for funding and tax planning.

In as much as “Start Up” is a business venture, the entire business domain will come under the scope of this TV. It could be the CNBC TV or ET News without the stock market noise.

I have in the past discussed with some channels about programs on Cyber Security but most of them have felt that the “TRP” for such programs may not be attractive. So, the proposal of “Start Up TV of India” will also face the challenge of commercial viability which needs to be efficiently handled.

It is not clear if this TV will run under the guidance of the Ministry of IT or Ministry of Information and Broadcasting.

Mrs Nirmala Sitharaman stated that the channel will be designed and executed by start-ups themselves.

We do not know if there have already been some discussions in this regard and somebody has been assigned the responsibility for the same.

It is however interesting to know how this idea develops in the coming days.

Naavi


Cyber Insurance awareness is on the rise

Naavi has been an evangelist for Cyber Insurance for a long time. In fact a separate blog, cyberinsurance.org.in, was created to have a focussed discussion on Cyber Insurance, only to find that the interest level of the market is still too low for the blog to be of interest as a separate entity. In 2015, Naavi conducted an all India survey on the status of Cyber Insurance to understand the status of the industry. It was found that there was a huge gap in the understanding of the user industries on Cyber Insurance as a product. Many had not even considered it as a requirement as part of their IS policy.

However recently it is found that at least about 350 Corporate Cyber Insurance policies have been issued. About a year back the individual Cyber policies were also introduced by Bajaj Allianz and later HDFC ERGO and it is indicated that there are more than 15000/- individual policies in operation at this point of time. Hence it appears that Cyber Insurance as a concept has at least taken off.

Over the last two weeks, I have had extensive discussions with many Insurance professionals to understand the “Perception Gap” between the cyber insurance user industry and the insurance companies. I will try to share some of these thoughts and analysis of some of the insurance policies through these columns.

I have set two objectives for this latest activity focussing on Cyber Insurance:

  1. Bridging the perception gap between the Information Security industry and Cyber Insurance industry by being the conduit of knowledge exchange between these two industry professionals.
  2. Developing the possibility of a specific Cyber Insurance Policy extension or a Cyber Policy itself to cover the risks that arise due to the PDPA (Personal Data Protection Act) that is in the offing.

The above exercise involves conduct of many awareness sessions for the Cyber Insurance industry to make them understand the expectations of the IS industry and vice-versa.

The PDPSI (Personal Data Protection Standard of India) security framework which has been announced by the undersigned is ready to be used as a framework for compliance of PDPA. This can also be a guidance for “Cyber Insurability audit” and hence could assist the Insurance companies in assessing the premium.

Watch out for more discussions in this aspect and join me in this new push for Cyber Insurance.

Naavi

Chai Pe Charcha at Pune

Naavi will be meeting a group of IS and Cyber Insurance professionals in Pune to discuss the impact of PDPA on the Cyber Insurance industry.

Naavi
