RBI needs to Fight with Mazar Virus rather than fighting with the Government

The Reserve Bank of India is in the news for picking up a fight with the Central Government on the right to use its reserves in a manner it deems fit. The fight whether RBI is over capitalized with the retention of reserves or not and whether part of it should be made available for bridging the fiscal deficit or not is not a debate for this platform. We leave it to the economists to debate and resolve hopefully in the November 19 Board meeting.

However, we would like to point out to the RBI that its functions, apart from being Banker to the Government, include acting as the “Regulator of the Banking System in India”. RBI in this capacity is responsible for the security of the Banking system in India.

Whether RBI  should fight to defend its right over the disposal of its reserves or not is left to the economic experts but the Common Citizen who is a customer of the Bank is really concerned that RBI is not perhaps discharging its duty in protecting the interests of the Customers adequately.

We acknowledge that RBI has taken some right steps in the direction of safety of Banking transactions in the Digital Banking era, both by refusing to succumb to the pressure of the Bitcoin lobby and also by issuing the “Limited Liability Circular” to introduce the “Zero Liability” for Banking frauds.

However, the fresh outbreak of the Android Virus identified as “Mazar” now poses a fresh challenge to the RBI and raises a question as to the adequacy of the measures initiated by the RBI.

I feel that RBI should start fighting Mazar on a priority rather than fighting with the Government on the issue of who should have a say in the disposal of its reserves.

The Mischief that Mazar is capable of

Just to make things clear, Mazar is a mobile virus which can be spread through an innocuous SMS message and enables the fraudsters to take over the mobile’s messaging function so that the OTP messages for Banking transactions are compromised.

Since the virus is known to be spread not through the messages linked to Banking transactions but through other messages such as

“The Income Tax Department is pleased to advise you that your return for the FY 2017-18 has been processed and refund has been processed. For details of the refund, kindly check here ……. (A shortened hyper link)”

it is a risk which is considered beyond the scope of the normal alerts that the banks send to the customer, such as “We do not ask for your password ..etc”

As we approach the elections or the IPL, we may see that messages linked to political issues or IPL or even to the controversial decisions of the Supreme Court such as the Sabarimala verdict etc can be used to lure the recipients into clicking such links.

If therefore an SMS is received saying ” Flash news…. Supreme Court all set to ban entry of women to Sabarimala temple. Click here for details…..” or “Virat Kohli meets with an accident in Sydney and hospitalized. Click here for details…”, there would be millions of Bank customers who would click the link in a blink and get their mobiles infected.

Are the Bankers and RBI prepared for such contingencies?

Are our Police and Courts ready to handle the flood of complaints that such messages may generate?

Mazar is a Risk Beyond Reasonable Capability 

Mazar is a security risk which is beyond the reasonable capability of mitigation by a customer and has to be recognized as part of the fundamental flaw of the digital banking architecture for which the Bank and RBI are alone responsible.

SMS is not a reliable means of communication

Mazar indicates that the SMS has ceased to be a reliable means of communication between the Bank and the Customer and should be replaced with some other form of communication.

If RBI does not act in this direction and force the Bankers to switch over to a more secure form of communication, which legally should be a “Digitally Signed message” or some other form of secure messaging, RBI will be failing in its duty.

I reiterate that RBI has addressed this issue in the past by mandating use of Cyber Insurance by the Banks but Banks have ignored the mandate and they should be pulled up for this lapse.

Adaptive Authentication

Further, Bankers have failed to introduce appropriate methods to identify unusual transactions through “Adaptive Authentication” which has been suggested by RBI earlier. Most of the fraudulent transactions including one which may use Mazar virus often happen at the dead of the night when the customer is not awake to respond to the SMS that may be sent by the Bank.

These “Nocturnal Transactions” need to be flagged by the system and subjected to a higher level of security verification. Banks cannot be blind to the fact that no sensible customer does transactions that wipe out the entire balance in the account through a series of transactions in the dead of the night.

Need to Reject Insecure CBS software

Not programming the CBS system to recognize the location of the origin of the transaction and the time of transaction, and linking it to an alert system, is a fundamental drawback of the software, including the popular Core Banking software systems.

RBI should therefore re-visit its approval of software such as Finacle or Flexcube and any implementation that does not have a proper adaptive authentication system should be declared as unacceptable.
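The time, location and balance-drain checks described under Adaptive Authentication above, as an added example (not code from any Core Banking product or from RBI guidance). The thresholds, weights, field names and the sample debits are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative thresholds and weights (assumptions, not RBI or vendor values).
NIGHT_START, NIGHT_END = 23, 5        # local hours treated as "dead of the night"
DRAIN_WINDOW = timedelta(hours=2)     # look-back window for a series of debits
DRAIN_FRACTION = 0.80                 # share of the balance that counts as a wipe-out
WEIGHTS = {"nocturnal": 2, "unusual_location": 2, "balance_drain": 3}
STEP_UP_AT, HOLD_AT = 2, 5


@dataclass(frozen=True)
class Debit:
    when: datetime          # customer's local time
    amount: float
    balance_before: float   # ledger balance just before this debit
    city: str               # origin of the request, assumed available to the CBS


def is_nocturnal(when):
    """True when the debit falls inside the night window (wraps past midnight)."""
    return when.hour >= NIGHT_START or when.hour < NIGHT_END


def drain_fraction(history, txn):
    """Share of the balance at the start of DRAIN_WINDOW that is gone after txn."""
    window = [d for d in history
              if timedelta(0) <= txn.when - d.when <= DRAIN_WINDOW]
    start_balance = min(window + [txn], key=lambda d: d.when).balance_before
    if start_balance <= 0:
        return 1.0
    return (start_balance - (txn.balance_before - txn.amount)) / start_balance


def assess(usual_cities, history, txn):
    """Return (decision, signals) for one debit before it is authorised."""
    signals = []
    if is_nocturnal(txn.when):
        signals.append("nocturnal")
    if txn.city not in usual_cities:
        signals.append("unusual_location")
    if drain_fraction(history, txn) >= DRAIN_FRACTION:
        signals.append("balance_drain")

    score = sum(WEIGHTS[s] for s in signals)
    if score >= HOLD_AT:
        decision = "HOLD"      # park the debit until the customer is reached
    elif score >= STEP_UP_AT:
        # Step-up must use a factor other than SMS OTP, because the threat
        # discussed on this page is malware that reads and answers SMS.
        decision = "STEP_UP"
    else:
        decision = "ALLOW"
    return decision, signals


def replay(usual_cities, debits):
    """Score debits in time order, remembering every attempt for the window."""
    history, results = [], []
    for txn in sorted(debits, key=lambda d: d.when):
        results.append(assess(usual_cities, history, txn))
        history.append(txn)
    return results


# Constructed sample: one normal daytime debit, then a night-time series that
# empties the account, then a small daytime debit from an unfamiliar city.
SAMPLE = [
    Debit(datetime(2018, 11, 10, 14, 30), 2000, 100000, "Bengaluru"),
    Debit(datetime(2018, 11, 11, 2, 10), 30000, 98000, "Bengaluru"),
    Debit(datetime(2018, 11, 11, 2, 25), 35000, 68000, "Bengaluru"),
    Debit(datetime(2018, 11, 11, 2, 40), 30000, 33000, "Bengaluru"),
    Debit(datetime(2018, 11, 12, 11, 0), 1000, 33000, "Kolkata"),
]

if __name__ == "__main__":
    for debit, (decision, signals) in zip(SAMPLE, replay({"Bengaluru"}, SAMPLE)):
        print(debit.when, debit.amount, decision, signals)
```

The third night-time debit is held rather than stepped up because, taken with the two before it, it would remove more than 80% of the balance the account had when the series began.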

Beware of what happened in Pakistan

We must be aware that recently there has been a large scale hacking of Banking systems in Pakistan and there is no reason why we should not expect a similar attack on the Indian Banking system.

In case the Mazar has already been spread and installed in many mobile devices, it could be a tool to compromise a large part of the Indian Banking system. There could be a serious crisis looming ahead for the Indian Banking system which can be attributed to the failure of the supervisory system.

As has been pointed out in the earlier article, Mazar is a notorious risk because it creates “Fake Evidence” against the Customer which Courts may find difficult to understand.

If the Governor and Deputy Governors of RBI do not recognize that this threat is larger than the “Autonomy to decide on the disposal of the Reserves”, they would be doing a great disservice to the Indian citizens.

Steps which RBI should initiate

As a first step, RBI should warn the Banks about this Mazar Virus and remind them that in all cases of digital frauds the “Onus of proof” rests with the Banks and hence Banks should not unfairly hoist the liability on the customers.

RBI should reiterate the point which it has already made regarding the “End Point Security” being the responsibility of the Bank and such responsibility extends to the user end devices.

Banks should mandate implementation of such security measures as are used by Companies in allowing BYOD devices to securely access Corporate digital assets and stop Mobile Banking transactions until a satisfactory solution is found for Mazar kind of viruses which compromise the OTP system.

I once again reiterate that Mr S. Gurumurthy should raise this issue in the Nov 19 meeting even ahead of the reserve related issue.

P.S: Bank Customers  may check their mobiles and deactivate App permissions which have been granted earlier to read SMS for all Apps besides avoiding clicking on any hyper links and more so the shortlinks (eg: bitly..)

Naavi


Digital Banking in India is now under a serious threat… RBI needs to wake up

India has adopted a Governance policy involving high dependency on Digital Banking and this technological shift in Banking has the blessings of the Government, the RBI and also the Banks.

Government is happy with Digital Banking because it is an effective tool for reaching out to the masses with several direct benefit schemes of the Government. Banks are happy because it is cost effective.

But in the process of this digitization, the Bank Customer has been exposed to Risks which are beyond his reasonable capabilities of mitigation.

RBI is caught in between the drive for new technology and its responsibilities to maintain safety in the Banking system. It has not been able to upgrade its own capabilities to suggest appropriate security measures to meet the threats nor ensure that the Customers are properly insured against losses though some efforts have been made through the “Limited Liability System”.

The Banks, which are collectively more powerful than the RBI, have successfully blunted the Limited Liability system and are trying to push most of the responsibilities to the Customer.

New Strain of Mazar BOT android Virus appears to be on the prowl

A Dangerous Android malware which was first reported in 2016 with a capability of erasing data in the mobile, stealing the credentials and taking over the messaging application so that it can send and respond to SMS messages without the knowledge of the owner, is now again in the news.

A Security Company called Heimdal in Denmark reported this virus, which can be sent as a hyperlink in any SMS message; if the Android mobile user clicks on the link, it infects the mobile.

Now in one of the Cyber Crime incidents reported from Bangalore, there is a suspicion that this Virus was probably in play.

After infection, this virus can read the incoming SMS messages and send outward SMS messages at the instance of the attacker besides stealing any other information in the mobile which may have some banking credentials.

It appears that the Virus may not require rooting of the phone and may not even display the permissions screen. It is possible that it may simply ride on one of the Banking applications which is legitimately installed in the mobile.

Research is required to understand the complete working of this virus.

This virus was perhaps countered in some of the anti-virus applications by an upgrade in 2016. But it seems that this has  re-surfaced in India probably through an SMS message which appears to come from the IT department and informs that a refund order has been processed and details are available in the link.

We can therefore speculate that a new strain of the Virus must have been developed by the deep web and released.

Mazar is a Banker Friendly Virus !

The problem with the Mazar Virus is that it not only helps the fraudster to steal money from the Banking accounts of the mobile owner, it also creates fake evidence which will work against the customer and in favour of the Bank.

Earlier we have seen “Coat tailing virus” which operates during a legitimate banking session of the customer and releases unauthorized instructions to the Bank server and transfers funds to the fraudster’s account. We have also seen “Man in the Browser” attacks where the form details entered by the Customer during a legit session for funds transfer is modified just before its transmission to the Banking server. Even in these cases, the evidence created would reflect genuine transactions of the Customer and unless we are aware of the functioning of the virus, we may be fooled by the evidence.

What is further annoying is that the New Mazar virus appears to be able to self destruct and remove itself from the mobile making it further hard to identify the evidence that the virus existed in the device.

There was only one small foot print that the Virus appears to have left which is in the form of “apparent errors” in the messages that can be attributed to a software.  Further research may be able to improve our understanding of this virus.

The infected mobile will after the event, retain the SMS messages and even the service provider will show the details of messages sent and received. So, if the fraudster has tried to log into the Bank account of the Mobile owner and an OTP has been sent by the Bank, there will be record of an SMS sent from the Bank and the reply sent by the customer. The transaction therefore gets completed and the Bank can claim that the Customer has responded to the OTP though the response is by the fraudster and not the customer.

When we apply the Limited Liability rules of RBI, the Bank will claim that they are not liable since the OTP was given away by the Customer.

Thus the Virus creates a double jeopardy for the Customer, first by stealing the money and then by faking the evidence against him.

We need to find a solution

It is the responsibility of security specialists to find a solution to this problem.

If we do not find a solution, it is time to stop all Digital Banking Transactions where authentication is based on the OTP.

We are aware that USA has already degraded the OTP system for use in Government transactions because of the security concerns.

In India,

a) Bankers are ignoring the statutory provision of “Authentication through Digital Signatures” and conducting Banking transactions.

b) Bankers are also not resorting to sending encrypted messages instead of the present system of plain text messages.

c) Bankers (excepting a few) are also not using the split OTPs sent through multiple channels such as Mobile and E mail which could harden the security.

d) Bankers are also Not providing Cyber Insurance to the customers for such losses despite RBI mandate in the June 2001 circular.

I therefore urge RBI to either find an immediate solution to this Mazar type of Viruses or stop use of OTP based authentication forthwith.

Responses from the Information Security community are welcome with suggestions.

Officials of RBI like Mr Nandakumar Sarvade, who heads the IT division of RBI and has the experience of the IT environment and Policing need to take such issues seriously and bring it to the notice of the higher ups.

I hope this will be one of the points which the RBI board should discuss as an emergency measure in the meeting on November 19.

I request Mr Gurumurthy, the Director of RBI to specially take up the cause in the forthcoming meeting.

Naavi


Supreme Court should declare Bitcoin as illegal..to prevent Mr Modi gaining a higher moral ground

I as a citizen of India place this information for the attention of the honourable Supreme Court and demand that the Court should take into account the adverse effect that the Bitcoin regularization may have on the Indian Society before expressing its views which it may do shortly.

The Supreme Court will soon start deliberating on the issue of whether Bitcoin trading in India should be legitimized or not.  When it does so, I urge the Supreme Court of India to act only with the interest of the Indian citizen in mind and not be bogged down in the technicalities of law or political considerations or be swayed by corruption.


This post is a public post and its knowledge cannot be denied by any body who is reasonably exposed to the Internet including the Supreme Court.

I request that honest citizens in the Social Media ensure that this view is also reflected in the deliberations at the Supreme Court.

If sufficient efforts are not taken by honest Citizens, the Supreme Court decision can be manipulated under one excuse or the other since the Supreme Court is not infallible.


The Merchants of Digital Black Money namely Bitcoin have approached the Supreme Court against the RBI directive that no Bank should engage itself with transactions in Bitcoin. The request is like asking the Supreme Court to force RBI to commit suicide and also murder the Indian economy.

As we understand, the Supreme Court has issued a notice in this regard to the Government of India for its views before coming to its own decision.

It is not clear why the Supreme Court wants the Government to provide its views in this regard. The Supreme Court itself can apply its wisdom and determine the legality or otherwise of the Bitcoin.

By dragging the Government into this, Supreme Court is giving an opportunity for political forces to play their part either in support or against Bitcoin.

Once the Government of India gives its views, it will allow the media to play it out as the view of  Narendra Modi and bring all Anti Modi forces to oppose it on one ground or the other. There are enough advocates in the Supreme Court to jump in on any issue which is Anti Modi and Bitcoin will also be one issue on which these Anti Modi advocates would jump in.

From the past records of the Supreme Court, it is considered possible that the Supreme Court is used as a tool to bring  Anti Modi arguments as part of a legal argument and allow a parallel political game to be played out in the media.

In the current instance, it is possible that the supporters of Bitcoin will bring in arguments of “Demonetization” and create a platform for criticizing the demonetization attributed to Mr Modi and project Bitcoin as a saviour of those who suffered otherwise from the demonetization. Since the political opponents who lost their black money during the demonetization operations are waiting for an opportunity to vent out their anger on Mr Modi, they will gang together to support the concept of Bitcoins.

The stakes are very high and there is no denying my concern that these political forces could corrupt the Supreme Court judgement also.

The Supreme Court should therefore be alert to this possibility and take care that they are not adversely influenced.

In view of this concern, I urge the Supreme Court to conduct this hearing under a live streaming broadcast so that the Citizens of India can view what goes on behind the closed walls of the Court.


We are aware that the Bitcoin merchants are promoting “Bitcoin” as a “Currency” and not as any other innocent commodity.

The fundamental philosophy of Bitcoin is that there should be no central regulatory authority that controls the issue of currency. As a result Bitcoin (and all other privately managed crypto currencies) operate as “Anonymous Assets” whose ownership and transactions cannot be traced.

The creation of Bitcoin is through an arbitrary system where a digital problem of hashing is floated to a set of persons and whoever solves it first is credited with a certain number of new Bitcoins and this adds to the general stock. Such persons called the “Miners” are themselves anonymous and they hold the stock of Bitcoins.

The “Mining” of Bitcoin has long gone out of the reach of any common man and is today an industry as much as the “Printing of Fake Currencies”. Many foreign Governments such as China have deep interest in this industry.

In the past, drug dealers, arm dealers and all hackers have been using Bitcoin as their currency of choice and hence over a period Bitcoin has become the “Currency of the Criminals”.

A large number of existing stock of the Bitcoins in the world which the merchants of digital black money are trying to legitimize through this intervention of the Court have once passed through an illegal and criminal transaction.

Hence when viewed as a commodity…. all Bitcoin stock that comes into trading is “Tainted”, as stock which has been owned and transferred by a money laundering operation. Since Bitcoin as a commodity is not a “Negotiable Instrument”, the defects of the title once gained will get transferred to every subsequent holder of Bitcoin and hence any current holder of Bitcoin who trades through these exchanges will be trading in a “Tainted Commodity”.

Even if the transaction is recorded with a limited KYC as these Exchanges claim, it does not wash away the taint. The limited KYC system is only a fig leaf which is capable of and will be used to create “Money Mules” who will hide the real owners of the transactions.

The Judges are advised to understand the role of “Money Mules” in Nigerian Frauds to get the hang of why the limited KYC system cannot be relied upon.


Every transaction of Bitcoin is encrypted with its own encryption algorithms. This encryption is  not approved by the Government under Section 84A of ITA 2000/8. Hence the block chain that supports the Bitcoin is not legal under the Indian law.


The RBI Act is clear that any “Currency” can be issued only by the RBI and it would be illegal for any body else to generate, promote and use an alternate commodity as “Currency”.

The Bitcoin supporters are clearly projecting it as an alternative to “Currency”. They have recently even set up an ATM in Bangalore and shown the intention of setting up a chain of Bitcoin ATMs across the country to carry on the conversion of Rupee to Bitcoin and vice versa.

Since Bitcoins are further convertible into other Crypto Currencies through exchanges outside India, once an Indian Citizen holds Bit Coin, he has access to global exchanges to convert it further as US Dollars or Japanese yen or Swiss Francs or Canadian Dollars. Hence the Bitcoin ATMs will work as “Virtual Havala Centers” and completely destroy the Indian Financial System.

What is being proposed by the Merchants of Digital Black Money is therefore a war on the Indian Economy and this is a conspiracy to destroy the country.

The Supreme Court has to recognize this ulterior motive behind the promotion of Bitcoin and ensure that these educated techies do not function like the Urban Naxalites.

There is therefore no legal ground for the Supreme Court  by which Bitcoins can be declared legal unless it wants to use its power to interpret law in a manner that makes Bitcoin legal. 


The Supreme Court has to recognize that if there is a legitimate way to convert Rupees into Bitcoins and there after Bitcoins become available for use as currency either on Amazon or other channels where day to day necessities can be bought and sold, the Bitcoin economy will eat into the real economy.

The Terrorists will find this the most convenient way of funding terrorism in India and even the stone pelters of Kashmir can be easily paid by the ISI through Bitcoins.

The Politicians can use this in the 2019 election and distribute the bribe for vote through Bitcoins. If the Supreme Court legitimizes Bitcoin it will directly aid and abet the corruption of the electoral process in the Country.

Hence legitimization of Bitcoin will result in the destruction of the country through multiple ways.

Supreme Court should therefore save the country by banning the Bitcoin once and for all.


It is considered that there are many in the bureaucracy who are corrupt and would like to ensure that Bitcoins survive. Hence the views of the Government need not necessarily follow the views of an honest Citizen expressed here. We have earlier highlighted how MCX, a wing of SEBI tried to allow its office to be used to corrupt the public consultation process when the Government committee was expected to formulate its views.

After this expose, the Committee never came out with its views. The speculation was therefore that the committee was divided in its views and hence never came out with its clear decision.

Even now the views of the Government may come from bureaucrats who cannot be relied upon as saviors of the country’s financial system.

Supreme Court is therefore the last hope (apart from Mr Modi as a person) to ensure that this Digital Black Money called Bitcoin, which is also the Currency of Criminals, is banished from India.

If Supreme Court does not fulfill its responsibilities and supports the survival of Bitcoin as a legit currency by hiding behind technicalities, it would be solely responsible for the destruction of the financial system in India.


Any such decision by the Supreme Court would provide an opportunity for Mr Modi to project that even the Supreme Court is not serious in eliminating Black money in India and he is the only saviour for the country to be voted back to power .

I have earlier urged the Government to declare that Bitcoin and all “Privately managed crypto currencies” should be declared as “Illegal” and this can be done even now with an ordinance or a law even if Supreme Court decides otherwise.

If this happens, it will result in the lowering of the prestige of the honourable Supreme Court and project Mr Modi to be the only hope for the country.

I therefore  urge the Supreme Court not to give an opportunity for Mr Modi to declare “Demonetization of Digital Black Money in the form of Privately Managed Crypto Currencies”.

This will preserve the sanctity of Supreme Court and also prevent  the chances of Mr Modi assuming the moral high ground over and above the Supreme Court.

Hence I urge the Supreme Court to declare unequivocally that Bitcoin and every privately managed Crypto currency is illegal in India and take the Government agencies such as RBI and ED to task for not enforcing a complete ban on the use of Bitcoin and Crypto currencies.

Naavi


P.S: The above are the personal views of the author Na.Vijayashankar and does not reflect the views of any organization that he may be directly or indirectly associated with.



“Innovation Behind Bars” … Who is Nakoshi Sakamoto? Time to cancel the Bail for Unocoin

Cointelegraph.com has carried an article titled “ Innovation Behind Bars: the arrest of India’s first Bitcoin ‘ATM’ Operators”. It has made several comments on the arrest of the founders of Unocoin.com who owned the ATM which was installed in a mall in Bangalore.

The article is credited to one Marie Huillet, who is indicated as “an independent filmmaker, with a background in journalism and publishing. Nomadic by nature, she’s lived in five different countries this decade.” “She’s fascinated by Blockchain technologies’ potential to reshape all aspects of our lives.”..says her profile. The photograph of the author provided is a cartoon picture of a lady. It is therefore possible that even the name could be a pseudonym. After all, Bitcoin is the currency of the criminals and it is not surprising that the author not only hides her identity but also is a “Nomadic” with a “cartoon” picture to show.

The article carries the same arguments which have been given earlier to justify the ATM, about which we have already clarified in an article here on Naavi.org titled “Who is lying? Unocoin Advocates? or the Press?”. In this article, it was highlighted that the spokespersons for the Bitcoin ATM owners were trying to wriggle out of the problem by saying that they were talking of a “Kiosk” but the media wrongly highlighted them as “ATMs”. Now Marie Huillet has joined the bandwagon of falsifiers and is blaming the media for their “loose media reporting”.

There is enough evidence to state that the owners of the ATM wanted to project Bitcoin as an alternative “Currency” and this “ATM” as the conduit to convert INR to Bitcoin and other Crypto currencies and vice versa. Hence their arrests were justified.

The report of cointelegraph.com quotes one Mr Kashif Raza, and an advocate Mr Prashant Mali  who are projected as experts who agree that there was a mistake by the Police arresting the “icons of Crypto world”.

We completely disagree with their views and support the views of the Police in arresting the owners of Unocoin and seizing the ATM.

In fact, we are unhappy that the case was not booked as a more serious crime than what it was made out to be. The threat of setting up a chain of such ATMs across the country could be treated as an act of “Cyber Terrorism” and fortunately Police did not include this section in their charge.

It may be a coincidence that soon after  the arrested persons were released on bail, some body  posted a comment on Naavi.org for the article “A Virtual Havala Center opens up in Bangalore…” Which many believe triggered the series of events that led to their arrests.

It was interesting to note that the comment was posted under the name “Nakoshi Sakamoto” indicating that he must be a fan of Satoshi Nakamoto. It carried unacceptable expletives that could be termed as “Defamatory” if pursued.

Just like the Cartoon author, this Nakoshi Sakamoto was also a pseudonymous  character trying to extend support to the anti socials who are trying to create a Digital Black Currency regime by setting up a Bit Coin empire in India.

Naavi.org has been repeatedly stating that Bitcoin is “Digital Black Money” and a currency of the criminals. Its convertibility to other Crypto currencies and to foreign currencies mean that it is an instrument of “Havala” which is an offence under the laws of India. Obviously the supporters of Bitcoin are angry and must be trying to show their strengths by trolling or by other strong arm tactics.

The “Crypto Currency Supporters” are banking upon the Supreme Court to bail them out when they may hear an application during the next fortnight. Before that, they want to create a positive press report and hence there are a series of articles that are coming up in different pliable publications.

In that scenario, the articles of Naavi must be a thorn in their plans.  While  Nakoshi Sakamoto is condemning Naavi to his “Karmic doom”, I feel that they may go to the next level of causing damage to Naavi probably by cyber attacks on the site or the bank accounts of Naavi.

I therefore feel that the Police should ask for cancellation of the bail to the accused so that they do not threaten the unconventional social media like Naavi.org.

I consider that there is every possibility that the Bitcoin supporters would be charting an escape route by bribing every decision maker who is likely to have a potential influence on the Supreme Court decision.

The Bitcoin is a tool of the Criminals and the fundamental attitude of Bitcoin supporters is that of “Fugitives of Law”. They have no respect for either the Police or the Government or the Courts. Hence we can expect every trick to run their Digital Black Money regime by compromising the system.

Naavi.org urges law abiding citizens to be alert and ensure that the Bitcoin does not get through the scrutiny of the law as either a “Currency” or a “Commodity” and the Havala machine does not go through either as an “ATM” or a “Kiosk”.

I urge the Police as well as the Central Government to be on guard not to let this Virtual Havala Center to raise its head once again.

In the meantime, Cyber Crime Police in Bangalore should investigate the Comment on Naavi.org dated November 2, 2018 and identify the persons behind the comment and take appropriate legal action. (See the link here)

P.S: Considering the defamatory message referred to earlier, I place on record that any further attempts to threaten or defame naavi.org or to carry out any Cyber attacks on the IT assets of Naavi would be seen with suspicion and may be attributed to the Unocoin and its supporters and this shall be taken note of by the Police.

Naavi

 


Mumbai High Court raises the issue of Double Jeopardy

[Report in Hindustan Times, Mumbai Edition, 6th Nov 2018]

An interesting judgement has been reported from Mumbai High Court yesterday (5th November 2018) in the case of  State of Maharashtra vs Gagan Varma and Shagun Varma which has tried to lay down some Cyber Jurisprudential principles related to application of sections from IPC along with sections from ITA 2000.

The principal question that arises in the present Criminal Writ Petition is whether the invocation and application of the provisions of the Indian Penal Code can be sustained in the facts and circumstances of the case when the offences committed by the petitioners are also sought to be brought within the purview of the Information Technology Act, 2000, in light of the judgment of the Hon’ble Apex Court in the case of Sharat Babu Digumarti V/s. Government (NCT of Delhi)

The accused had been booked by Shahunagar police in Kolhapur under Sections 408 (Criminal Breach of Trust), 420 (Cheating) of IPC and Section 43 ,65 and 66 of ITA 2000/8.

The allegation was that the accused had “lured” some employees of a company namely Manorama Infosolutions Private Limited, to steal the company’s data and healthcare software.

The accused had approached the High Court complaining that invocation of IPC provisions denied them the benefit of availing bail and compounding provisions available under ITA 2000/8 and not available under IPC.

The bench of the High Court consisting of Justice Ranjit More and Bharati Dangre applied the principle of “Double jeopardy” and upheld the objections. In doing so, the Court also mentioned:

“The IT Act provides a complete mechanism and therefore invocation of the provisions of the IPC (additionally) is highly unwarranted.” “Sections 408, 420 and 379 of the IPC are covered by sections 66 of the IT Act and prosecuting the petitioners under both IPC and IT Act would be a brazen violation of protection against Double Jeopardy”. It also said that “allegations related to the use of data code and stealing of data by using computer source code. Unauthorised access to a computer and stealing of data falls under Section 43, and when such an act is done fraudulently, it attracts punishment under Section 66”.

Sharat Digumarti Precedent

It is true that in the Sharat Digumarti case (this is the infamous Baazee.com case in which the General Manager, Mr Digumarti, had to undergo trial) the Supreme Court held that when the accused has already been discharged under Section 67 of ITA 2000, Section 292 of IPC in the same case cannot be sustained. However, this was the judgement after the trial under both sections. This judgement was relied upon for the current judgement of the High Court.

The High Court also relied on Section 81 of ITA 2000/8, which states that the Act (ITA 2000) will have an overriding effect against laws for the time being in force (17th October 2000) if there is any inconsistency. The Court came to the conclusion that the incident was covered under the special Act for digital crimes, namely the ITA 2000/8, and that adding sections of IPC would amount to double jeopardy. Hence the sections of IPC were allowed to be quashed.

Though the judgement may not entirely be agreeable, it must be admitted that the judgement is a well presented speaking order and is a good contribution to the development of Cyber Jurisprudence.

Some Questions needing further debate

However, it is likely that there could be further debate on some of the following questions.

  1. Whether “Inconsistency” mentioned under Section 81 also means “Similar”.
  2. Is it not that “Double Jeopardy” means “Not punishing the same person for the same offence twice”? Does it also mean that the trial cannot be conducted for examining conduct of offences under multiple statutes?
  3. Even if we accept the interpretation that Section 43/66 of ITA 2000/8 applies to cases similar to Section 420 of IPC, why did the Court agree to delete the stronger sections and retain the weaker sections, and not the other way round?
  4. When an offence is committed, there are multiple steps in the offence. Each step may be a different offence. If that offence falls under different statutes, is it not possible to invoke multiple statutes without the same offence being tried under two different sections? Did the prosecution fail to put different steps under different sections?

P.S: One thing we also need to observe is that in this case the Court did not reject the complaint because the complainant was a “Company” and not an “Individual”. This needs to be noted by the Adjudicator of Karnataka who once rejected an application from a Company, interpreting the word “Person” under Section 43 as applicable only to an individual and not a “Company”. (Please read this article to understand this issue)

The Mumbai High Court judgement also needs to be appreciated for the reason that the Judges are becoming sensitive to the nuances of IT Crimes and going deep into the analysis of the anatomy of a Cyber Crime.

Impact on PDPA 2018

There is also a possibility that this judgement may serve as a limited precedent in respect of any “Special Law” which has an “Overriding” effect.

For example the proposed Personal Data Protection Act 2018 (PDPA 2018) states under section 110:

“Save as otherwise expressly provided under this Act, the provisions of this Act shall have an overriding effect to the extent that such provisions are inconsistent with any other law for the time being in force or any instrument having effect by virtue of any such law”

The question which will arise is this: if PDPA 2018 is passed in 2018, when ITA 2000 has already been in existence, will PDPA 2018 override ITA 2000/8 if there are any overlapping provisions?

In future, this will create some issues since every time a new law is introduced, there will be an argument that it is a special law and has to be considered as overriding the earlier law.

Speaking specifically of PDPA 2018, all its offences are “Cognizable” even where the offence carries an imprisonment of 3 years like ITA 2000, and the offences relate to “Data Theft” similar to ITA 2000/8.

The prosecution in future should therefore take care to prepare the charge sheet properly, classifying the offence into multiple parts and applying different sections appropriately, to avoid double jeopardy and the overriding of one Act by another.

Naavi

Refer: Copy of the Judgement


PayTM predicament could be a new “Me-Too” in Data Security

The developments in the PayTM extortion case are grave and have huge ramifications for the Indian corporate sector.

For the record, the PayTM case came to public light with a complaint filed on 22nd October 2018 by Mr Ajay Shekhar Sharma, the brother of the PayTM CEO, Mr Vijay Shekhar Sharma. The complaint stated that an extortion demand had been made on Mr Vijay Shekhar Sharma, initially for Rs 30 crores and later negotiated down to Rs 10 crores, by a caller from Kolkata named Rohit Chomol, under the threat that some sensitive personal information was in the callers' possession.

Following the preliminary investigation, three persons have been arrested and one more accused is to be apprehended. The arrested persons include Mrs Sonia Dhawan, Vice President Communications and Secretary of Mr Vijay Shekhar Sharma, her husband Mr Roopak Jain and another employee by name Devendra Kumar. All three have been sent to Police remand. A fourth person, namely Rohit Chomol, who is supposed to have made the phone call for ransom, is still to be apprehended.

The advocates of Sonia have claimed that this is a “Cover-up” and Sonia has been framed. They point out that she was a senior employee getting a salary of Rs 80 lakhs per annum and shares worth Rs 10-15 crores in the Company, and that it was unthinkable that she would have jeopardized her career by the fraud. Police claim that Sonia’s husband had suffered losses in real estate business and was in need of money.

Mr Vijay Shekhar Sharma has hinted that there could be a larger conspiracy behind this attempt.

In the meantime, it is not clear what information, if any, was stolen by Sonia and whether it was worth Rs 10-30 crores for extortion.

Did it involve PayTM customer data?… Mr Vijay says no…

If, as Sonia’s lawyers say, she had stumbled on sensitive information following an investigation entrusted to her by Mr Vijay, they should also explain why she was suspected of betraying the trust, enough to be framed.

Police have seized a laptop and electronic information that could be evidence in the case, the details of which are yet to come to light.

Could there be business rivalry and espionage behind the controversy?

The Kolkata link to the controversy, Mr Vijay Shekhar being perceived as close to Mr Modi, and the possibility that the stolen information included some communication with Government agencies also raise the suspicion that the “Tukde Tukde gang” could be behind a conspiracy to defame the Modi Government. I will not be surprised if the political opponents of Mr Modi jump from Rafale to PayTM to continue their smear campaigns.

Nothing can be ruled out.

We are seeing an attempt in Bangalore where one actor is being targeted with a Me-Too allegation allegedly because of his BJP leanings. The crooked political brains can do anything to achieve their means and PayTM is a small fry for their designs.

We also have to keep in mind that the Pakistani friends of the political opponents may also have a specific grudge against PayTM because the company provided some details of Stone pelters to the Government recently in Kashmir which would not have gone down well with the sympathizers of the anti national elements. It could be the correspondence between the Government and Company in this regard which Sonia (Not to be confused with another more illustrious political character) could have valued at Rs 30 crores.

Like many other financial crimes, whichever way this is resolved, the immediate reputational and internal de-motivational impact on PayTM is huge enough to be called a “Setback” for the company at a time when it was implementing certain expansion projects. The possibility of business rivalry fuelling the controversy cannot be ruled out.

We keep our fingers crossed and await further developments as they emerge. But there is no doubt that this incident has the potential to be a new “Me-Too movement in Data Security”, where any data breach incident could cost a Company up to 4% of its Global turnover in administrative fines, besides the other costs which could virtually kill a company.

It highlights that “Trust” is the most scarce commodity today in the “Greedy world” and Information Security managers cannot trust even a personal secretary with a Rs 80 lakhs package to keep the secrets. The lack of “Ethics” in our young generation and the general corrupt environment that this society represents indicate that there could be many more such trusted internal employees turning rogue, first demanding unjustified rewards while in service or as severance pay, or resorting to such extortion.

The solution for this should start with a revamping of our education system, which should inculcate “Moral and Ethical Standards of Life” before teaching “Innovative Disruption” and “Ethical Hacking”.

(P.S: More discussions will follow)

Naavi

 

Related Articles:

At inc42.com : Firstpost.com  : At Wire.com


Views expressed here are the personal views of Naavi and do not reflect the views of any organization that he may be associated with.

