Controller of Certifying Authorities can improve security of Digital Signatures

Digital Signatures are the legally recognized means of authentication of electronic documents in India. Though many companies, including Banks, ignore the fact that a Password is not a legally acceptable means of authentication, passwords are widely used for many authentications, including financial transactions. While some Banks have started offering digital signing options for Banking transactions, most of them are banking only on the OTP system to secure the authentication.

The e-KYC system used by Banks also depends completely on the security of the OTP system. Even though e-KYC can be used for e-Signing, which is legally equivalent to a digital signature, it is no more secure than what OTP provides.

Most Banks use OTP only on mobiles and the OTP message is sent through an unencrypted SMS message. In such cases, if the mobile is compromised through SMS reading apps, or the customer is subjected to Voice based phishing, the OTP will be compromised and could lead to frauds.

While it is necessary that Banks anticipate such risks of compromise at the user device level and either initiate security measures which overcome OTP compromise risks or bear the responsibility for the fraud losses, we can independently look at one measure which the Controller of Certifying Authorities (CCA) can initiate to improve the reliability of the Digital Signature system.

The CCA should take a leaf out of UIDAI in this regard where some measures have been initiated which appear to be also good for the CCA to introduce.

Firstly, just as UIDAI uses a system of biometric lock, CCA can through the Certifying Authorities provide an option to the digital signature user to lock and unlock his digital signature through the repository maintained by the parent Certifying Authority (CA).

Secondly the usage of every digital signing incident where a verification call is made on the repository could be logged with useful meta data and made available to the digital certificate subscriber. This also has been done by UIDAI though the information logged is sketchy and could be improved.

If such a facility is available, the application developers may also use a “Verification Call” as a mandatory requirement before a digital signature is applied in any usage scenario.

In the case of offline digital signing there could be an issue, but such situations can still be logged with a post signing verification whenever the digital signatory is connected to the internet.

When such verification calls are made, there could be practical issues including privacy issues to be considered but the concerns can be handled since we are verifying through a secure connection between the digital signer and the CA.
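The lock, the logged verification call and the post signing check proposed above can be modelled as follows. This is an added illustration, not an existing CCA, CA or UIDAI interface: the class, the method names, the serial number and the timestamps are constructed, and logging only a hash of the document is an assumption made here to address the privacy concern.

```python
# Added illustration (hypothetical design, not a real CA API): an in-memory
# model of a CA repository that supports subscriber lock/unlock, logs every
# verification call with metadata, and records offline signatures afterwards.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
import hashlib


class Outcome(Enum):
    ALLOWED = "allowed"
    DENIED_LOCKED = "denied: certificate locked by subscriber"
    DENIED_UNKNOWN = "denied: unknown certificate"
    OFFLINE_OK = "offline signature recorded"
    OFFLINE_WHILE_LOCKED = "offline signature made while locked"


@dataclass(frozen=True)
class LogEntry:
    logged_at: datetime      # when the repository received the call
    signed_at: datetime      # when the signature was (or would be) applied
    serial: str
    application: str         # relying application that made the call
    document_sha256: str     # hash only: the CA never sees the document text
    outcome: Outcome


@dataclass
class CARepository:
    lock_history: dict = field(default_factory=dict)  # serial -> [(time, locked)]
    log: list = field(default_factory=list)

    def enroll(self, serial, now):
        # Assumption: locking is optional, so a certificate starts unlocked.
        self.lock_history[serial] = [(now, False)]

    def set_lock(self, serial, locked, now):
        self.lock_history[serial].append((now, locked))

    def locked_at(self, serial, when):
        state = True  # fail closed for any time before enrolment
        for changed_at, locked in self.lock_history[serial]:
            if changed_at <= when:
                state = locked
        return state

    def record(self, serial, application, document, signed_at, now, outcome):
        digest = hashlib.sha256(document).hexdigest()
        self.log.append(
            LogEntry(now, signed_at, serial, application, digest, outcome))
        return outcome

    def verification_call(self, serial, application, document, now):
        """Online case: the application calls this BEFORE applying a signature."""
        if serial not in self.lock_history:
            outcome = Outcome.DENIED_UNKNOWN
        elif self.locked_at(serial, now):
            outcome = Outcome.DENIED_LOCKED
        else:
            outcome = Outcome.ALLOWED
        return self.record(serial, application, document, now, now, outcome)

    def post_signing_verification(self, serial, application, document,
                                  signed_at, now):
        """Offline case: reported once the signer is back online. signed_at is
        self-reported by the signing device, so a signature made while the
        certificate was locked is flagged for the subscriber, not prevented."""
        if serial not in self.lock_history:
            outcome = Outcome.DENIED_UNKNOWN
        elif self.locked_at(serial, signed_at):
            outcome = Outcome.OFFLINE_WHILE_LOCKED
        else:
            outcome = Outcome.OFFLINE_OK
        return self.record(serial, application, document, signed_at, now, outcome)

    def subscriber_log(self, serial):
        # The usage history made available to the certificate subscriber.
        return [entry for entry in self.log if entry.serial == serial]


def demo():
    """Constructed scenario: sign, lock, attempt again, then sync an offline signature."""
    t0 = datetime(2018, 9, 1, 10, 0, tzinfo=timezone.utc)
    hour = timedelta(hours=1)
    serial = "SERIAL-0001"  # constructed serial number
    repo = CARepository()
    repo.enroll(serial, t0)
    outcomes = [repo.verification_call(serial, "bank-app", b"transfer 1", t0 + hour)]
    repo.set_lock(serial, True, t0 + 2 * hour)
    outcomes.append(
        repo.verification_call(serial, "bank-app", b"transfer 2", t0 + 3 * hour))
    outcomes.append(repo.post_signing_verification(
        serial, "offline-signer", b"contract",
        signed_at=t0 + 2.5 * hour, now=t0 + 5 * hour))
    outcomes.append(
        repo.verification_call("SERIAL-9999", "bank-app", b"x", t0 + 6 * hour))
    return repo, outcomes


if __name__ == "__main__":
    repo, _ = demo()
    for entry in repo.subscriber_log("SERIAL-0001"):
        print(entry.signed_at.isoformat(), entry.application, entry.outcome.value)
```
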

I hope the CCA would consider some of these measures as a part of its rule making power until such time that the ITA 2008 itself can incorporate such measures as part of the law.

I look forward to suggestions from security experts in this regard. The request has already been made on the CCA and I am awaiting the response.

P.S: This suggestion arose due to a query from Mr Uday Gupta, one of the readers of an article on this site on digital signatures and I thank him  for raising this issue.

Naavi

 

 

 


Section 498A: Why Supreme Court cannot be consistent?

[P.S: This may not be a Cyber Law Issue but is a matter of concern to the youth in the IT industry and reflects the personal experience of the undersigned in interacting with several young persons in the IT industry with whom the author interacts as a part of his Cyber law activities.  This should also not be considered as  anti women …. Naavi]

The recent decision of the three member bench of the Supreme Court holding that there is no need for a Family welfare committee to advise the Police before an arrest can be made under Section 498A may be technically justifiable. But the view of the Supreme Court in overturning the earlier decision of a two member bench, which was meant to prevent abuse of the provisions of Section 498A and introduce some safety measures, is not consistent with the aggressive view taken in respect of other issues such as in the case of Section 377, or even Section 66A of ITA 2000/8.

In the cases of Sec 377 (IPC) or Sec 66A (ITA 2000/8) the Court went ahead with striking down earlier legal provisions and changing the law in the Court without waiting for the legislature alone to do it. But when it comes to 498A, it tries to make the Government responsible to change the law. If it can change IPC or ITA 2000/8 in other cases, it is not clear why it cannot change the law in the case of 498A.

Merely making a lofty  statement that the Court is aware of the abuse  does not suffice to show the concern for justice and fairness which should be the hallmark of the Apex Court.

Making such statements for records but following them with measures to remove the safeguards introduced by another bench of the Supreme Court itself and enhancing the scope of misuse of law is not a welcome development.

Section 498A has been so much abused that it has already dented the confidence of the Indian male on the Indian marriage system. Many young males are refusing to get married because of the “Risk of Marriage”. There are many professional extortionist young girls who use dowry harassment and domestic violence to extract unreasonable damages in cases of normal domestic differences of opinion.

This argument against 498A is not a bias against women because in all the cases of 498A, along with the husbands and the father in law, it is the women in the house like the mother in law or the sister in law who gets dragged into being accused as accomplices. The cases are often propped up not by the wife who may actually want to compromise but by her parents who for their ego try to show their power.

This objection to the supreme court decision should not be confused as reflecting any intention to deny that there is a need to protect women in genuine cases of dowry harassment. There is definitely a need to prevent such harassment and victims do need protection of law.

But there is a need for the law to learn from the past experience and ensure that there is a balance which prevents misuse. Also, it is agreed that divorce may be the preferred solution in cases where the boy and the girl have an irretrievable break down of relationship often because of their relationships outside marriage. Hence a forced compromise is not a solution to broken marriages. It can only lead to further domestic violence. Hence divorce requests are to be handled realistically and facilitated. But when it comes to settlement, the Courts should recognize that one of the strong motives for divorce could be the ability of the girl to extract a large compensation. Hence many girls who are financially better off than the husband often end up claiming damages to which they should not be eligible.

The divorces become acrimonious  because the girls have the practice of invoking  Domestic Violence case complaints as part of every divorce. This  should be seriously discouraged.

The Supreme Court bench does not seem to have considered the plight of innocent senior citizens who have been dragged to jail by violent daughters in law.

If the Supreme Court does not show consistency and uphold justice to common man in every aspect of law whether it is 498A or 66A or 377, it is the reputation of the Court which is in jeopardy.

It is unfortunate that in the Section 498A issue, the Supreme Court has already declared its intention that it prefers to follow its own whimsical ways of deciding on different issues, sometimes being logical and humane and sometimes adopting a completely irrational approach to problems.

Now the current ruling will only increase corruption in the Police but the damage has already been done. The solution to the problem now lies either with the Government at the Center or in the States.

First and foremost the higher officials of the Police in the States should themselves initiate a proper process to ensure that Section 498A is not used to harass innocents. It should not allow arrests without the intervention of a higher level officer preferably beyond the Station level.

Probably the State Police should create a special committee of police officers to replace the Family welfare committee which was proposed by the earlier Supreme Court which should direct the station level investigating officer if arrest is required or not. I suppose this will be permitted within this judgement.

This could be within the administrative powers of the State police and the political sanction of the State Government. Since the issue is not political, I suppose there should be no problem in the State Governments taking a quick stand in this respect.

The second solution is for the Central Government to move in quickly, if required through an ordinance, to ensure that the imprisonment provision in Section 498A is softened by reducing the maximum imprisonment to something like 3 months and allowing quick bail. It should only be for deterrence.

In case of exceptional cases where there is real harassment leading to a dowry death there are other provisions under which the accused can be punished for life or with death sentence.

While the Supreme Court conveniently says that there are alternate provisions of getting a bail and hence there is no need of the safety clause, the same logic applies to the fact that there are alternative measures to punish the really guilty and there is no need to arrest the poor husband when his newly wed wife runs away to her parents’ place and launches litigation alleging all kinds of torture on every known relative of the husband when there is no real threat to her. It appears that the judges had not made a proper assessment of such cases before arriving at their current decision.

I hope that the Central Government of Mr Modi and the different State Governments try to address the issue with necessary changes in law to prevent abuse of Section 498A.

Naavi


Johari Window… and the Story of the Emperor’s New Clothes… Perhaps the Supreme Court should take a lesson about

“Johari Window” is a well known principle used by behavioural scientists and known to most Corporate managers. The recent happenings in the Supreme Court of India indicate that the Judges who head constitutional benches need to be given a lesson on what this concept means. Mr K.K. Venugopal, the Attorney General, Mr Abhishek Manu Singhvi and most importantly the fire brand TMC MLA Ms Mahua Moitra should also be invited to a workshop on Johari Window to make all of them realize how they are together misinterpreting the UIDAI and I & B Proposal on Media Monitoring.

However, the situation is like the proverbial “Emperor’s New Clothes”. Nobody dares to use their “Freedom of Expression”, which is a fundamental right guaranteed by the Indian Constitution, to tell either the Judges or the Senior advocates that their perception of what constitutes “Media Monitoring” is mistaken, that it does not amount to “Surveillance on the Citizens”, and that the RFP on media monitoring cannot be considered as an attempt to infringe on the privacy of Indian Citizens and more particularly that of the petitioner.

However, in the interest of Justice and fair play, somebody has to bell the Cat…. the Cat called “Privacy” which seems to be able to approach business from any direction and in any form. Even after the specific law is passed in India for this purpose based on the Personal Data Protection Act 2018 (PDPA 2018), “Privacy” would continue to be used as a convenient political stick to beat the Government at the pleasure of the opposition parties. The Privacy activists therefore are unhappy to bind the monster called “Privacy” into a framework called “PDPA 2018” and are using all means to oppose the passage of the Privacy Act.

Keeping the PDPA 2018 opposition to a different discussion, let us now focus on what is Johari Window and why there is a need for the Supreme Court to understand it.

According to the Google and Wikipedia,

The Johari Window is a technique that helps people understand their relationship with themselves and others.

All of us, whether we are citizens of India or the politicians or lawyers or Judges in the Supreme Court of India, need to make continuous efforts to know ourselves and others better because it is an eternal need of a human being from birth to death. Unfortunately, in most humans, self realization dawns only on the deathbed. The Shivaparadha Kshmapana Stotra and BhajaGovindam created by Adi Shankaracharya amply capture this human tendency to ignore truth until it is too late, though it is stated in a different context.

The psychologists Joseph Luft and Harrington Ingham propounded the principle of the “Johari Window” way back in 1955. The essence of the theory is that the awareness grid of human beings can be classified into four zones as represented in the diagram shown here.

The Johari Window concept illustrates a simple method to recognize that in order to improve our relationship with others, we need to be aware that there is a “Blind Area” about ourselves which others know but we ourselves do not know. This is what needs to be addressed in the UIDAI RFP.

The area about ourselves which is known to us and also known to the world is the “Public” domain.

The area which is known only to us and not to others is the zone of “Privacy”.

The Privacy zone is the one which the law of Privacy should protect, preventing information from moving from this privacy zone to the Public zone. On the other hand, it should be the endeavor of every responsible individual or corporate to ensure that the “Blind Zone” is made smaller and smaller by moving what others know about ourselves, which we ourselves do not know, to the zone of “Public” which is known both to self and others.

( P.S: I admit that this applies as much to me as an author of this article and welcome constructive suggestions. But self improvement presupposes that the ignorant seeks the knowledge from outside and for this purpose, we need to expose our thoughts to the world and try to get feedback. eg: This article)

There is however a zone which neither the self knows nor the public knows and this is what introduces a certain level of “Uncertainty” while designing “Privacy laws” and defining “Privacy”. Privacy Laws essentially try to protect that aspect of human behaviour about which the individual himself is not aware but the Privacy Activists and the Courts sit in judgement thereof.

The Puttaswamy judgement is hailed as a “Landmark judgement in India”. But it only confirmed the known fact that “Privacy is a fundamental right of Indian citizens” but failed to define “Privacy”. (Refer the set of articles on this issue written earlier).

In the part of the discussions recorded in the judgement to which Justice D Y Chandrachud subscribed, it was recognized that “Privacy is a State of Mind of an individual”. Hence the limitations of the law in designing a means of protecting the “State of Mind” were recognized and the focus of the judgement therefore remained only on “Information Privacy”.

The judgement also quoted “… privacy is the expectation that information about a person will be treated appropriately. This theory of “contextual integrity” believes people do not want to control their information or become inaccessible as much as they want their information to be treated in accordance with their expectation (Nissenbaum 2004, 2010, 2011)”

The judgement also recognized that “Privacy is the best friend of terrorists..” and there is a duty cast on the State to balance National Security even while designing Privacy laws.

It is surprising that it is now the same judge D.Y. Chandrachud who is thinking that the RFP of UIDAI is likely to infringe on the Privacy of an individual. There is no doubt that he is being perhaps misled by the petitioner’s advocates who are high profile politicians.

In our opinion it is the legitimate right and more appropriately the duty of UIDAI to know “What others know about itself but it itself does not know”. This is the “Blind Zone” in the Johari Window. It is the corporate wisdom that the authority takes all efforts to shrink this zone by trying to know what people are talking about itself.

As a citizen I would consider it the duty of UIDAI to monitor the media not only for its own reputation management but also to identify leads to potential attempts at hacking into different agencies and sub systems of Aadhaar. I believe this is what is attempted in the RFP.

“Surveillance” is the speculation which is in the minds of Mahua Moitra and Abhishek Manu Singhvi and is being transferred to the minds of the benches. The AG is not helping the judges arrive at a correct decision by refusing to point out to the judges that the perception that Mr Singhvi is trying to create is wrong and cannot be accepted. Perhaps he needs to be reminded of the story of the “Emperor’s new clothes”.

The AG by his silence is actually making the Court come to a wrong conclusion. I wish the Communication industry professionals wake up and see what a wrong judgement in this case can do to their business.

The way the discussions are progressing, the Court is likely to accept that the current RFP is actually infringing on the privacy of the petitioner. If so, the activity envisaged in the RFP which we have called “Media Monitoring” will be deemed as equivalent to “Surveillance”.

By deduction therefore, in future, if any PR agency undertakes the task of News Paper Clipping services and monitoring social media on behalf of a Company, it would be termed illegal. The business of “Reputation management” will be illegal. The same way, the media monitoring by political parties including BJP and Congress both of whom maintain what they call “Media Monitoring Cells” will also become illegal.

If either of the political parties say they saw a news report and are reacting to it, the immediate counter would be “How did you know?…Did you monitor the Media?… Have you not given an undertaking to the Supreme Court that you would not do it?”

In this respect, Congress can continue to lie about everything because they have not given any undertaking to speak truth before the Court or the Public but if these lies are monitored by the I & B Ministry, Supreme Court will cry foul.

Presently, UIDAI is receiving threats from all over the world with motivated hackers trying to discredit the agency. It is not difficult to corrupt one or more of these Aadhaar user agencies, compromise their end point system either in collaboration or otherwise and then claim that UIDAI is compromised.

This is exactly what happened in the Abhinav Srivatsava incident where hospital systems were the source of access to UIDAI but it was called “hacking” of the UIDAI. It was the same case in respect of the Chandigarh journalist case and the more recent HuffpostIndia revelations.

Even Naavi.org has recently highlighted how the e-KYC system can be misused because Aadhaar Authentication trusts the simple OTP over mobile as a means of authentication and enables Banking frauds to happen.

But these are not reasons to consider that this RFP is wrong. The security vulnerabilities are there in the Windows system itself and the way Internet is designed. All applications have to use appropriate security measures during the usage of the applications to reduce the risks. This applies to UIDAI as well as to others.

In order to understand what are the risks in the operation of any Company or an online service such as Aadhaar authentication, the Company has to carefully monitor the Internet and find out if any phishing websites or Apps have been in circulation, whether any of the citizens are experiencing any difficulties, whether there are any complaints registered under complaints.com or naavi.org or glassdoor.com etc.

Many times, it is the twitter and facebook which first reveals to the public that a particular vulnerability has been discovered. Before this, the deepweb would have discussed it and some hacks would be put on sale in the “Virus on Sale” list and these need to be monitored by a responsible agency.

Tomorrow if some body reports on a facebook page, that the Supreme Court judgement on its site can be modified and re-uploaded, Supreme Court should be the first agency which should watch out. That is “Media Monitoring” and not “Surveillance”.

It is regrettable that people want to mislead the public that the RFP of UIDAI is not media monitoring but is surveillance. Mr Singhvi is pointing to the word “Listening” as one of the specifications of the software. Let Mr Singhvi understand that there is something called Intrusion Detection Systems, which often work along with Firewalls, whose job is to “Listen”. The word “Listen” is used in the context of “Filtering” and not “Snooping”. Nevertheless, if internet packets going through a particular ISP system are “Listened to”, it may be a kind of snooping. But still it will be snooping into the corporate entity not subject to Privacy Rights but protected by the other laws.

Tomorrow, these advocates without technical background may interpret a “Handshake” between two systems as “Collaboration and Conspiracy” and invoke Section 120 of IPC! Let us understand that techies have some terminologies that sound similar to popular words used elsewhere but have different contextual meanings.

But what the RFP wants to do is not “Snooping into the packets” as they traverse the internet. It is scanning the published content, identifying from the published content whether the article is relevant for UIDAI and, if so, listing it out.

The Google Search Engine does exactly this. All robotic searches do the same. If a common Google search is termed as “Invasion of Privacy” of Mahua Moitra, and the Court wants to accept it,  then the Court has to kill the internet itself.

Supreme Court cannot be selective and object only to UIDAI and I & B Ministry and block their need to monitor the media (Print, Electronic and online) without also blocking Google and other search engines as well as the Intrusion detection systems which are essential for protection against DDOS attacks.

If done, it will indicate that the Court is biased.

When does “Media Monitoring” become “Surveillance” and infringe Privacy?

The dictionary definition of surveillance is:

“close observation, especially of a suspected spy or criminal.”
eg: “he found himself put under surveillance by British military intelligence”

synonyms: observation, scrutiny, watch, view, inspection, monitoring, supervision, superintendence; spying, espionage, intelligence, undercover work, infiltration, reconnaissance; informal bugging, wiretapping, phone tapping, recon
eg: “leading members of the party were to be kept under surveillance”

The Cambridge dictionary definition is

“the careful watching of a person or place, especially by the police or army, because of a crime that has happened or is expected.”

The essence of considering a Media Scanning as “Surveillance” is when an individual is tagged and the Government observes him,  considering him as a potential criminal. If a Non Government entity does a similar act, we may call it as “Stalking”.

If a person is closely observed to the extent it creates harassment of the individual, then it becomes a ground for judicial intervention provided there is no prima facie reason to believe that the person is likely to endanger the national security.

If there is any “Suspicious” movement of a person in a street or in Cyber street, the Government not only has a reason for but also a duty to carry out “Surveillance”. Cyber Intelligence is part of the “Intelligence” activity that the Government intelligence agency has to undertake. If they are not doing it, they are committing dereliction of duty.

Now it is for the Supreme Court to read through the RFPs and identify if there is any “Surveillance” indicated. In the UIDAI RFP there is certainly nothing even closely resembling “Surveillance” and if Ms Moitra thinks so, it is a figment of her imagination.

The Supreme Court cannot undertake roving enquiries and conduct contentious litigation against the Government and paralyze Governance just to satisfy the ego of politicians working as advocates and looking for media sensitive bytes from the Judges to carry out their political agenda.

If the Supreme Court was serious, they should have called a media expert and checked if the RFP is meant to cause surveillance of the masses or something else.

I wish that the Public Relations Society of India impleads itself in the hearing and educates the Supreme Court.

Without  considering the contents of the RFP and relying entirely on the pleadings of a petitioner, it is improper for the Supreme Court judges to pass comments in front of the press and allow the Press to pronounce as if “Supreme Court has slammed UIDAI”, “Supreme Court has called the RFP as E Spying” etc.

In our adversarial system of Jurisprudence, it is the responsibility of the defending counsel to highlight what all we are stating here.

I wish the AG brings home these points and let the Court come to a correct decision that RFP in question does not amount to Surveillance and there is no need for the Court to interfere in the day to day management of UIDAI. It is his duty to do so even if there is a possibility that the bench will hit back in the Aadhaar judgement which is now being held in reserve.

A fine should be imposed on the petitioner for bringing up a frivolous litigation and trying to mislead the Court. The petitioner’s advocates should be warned that they have to be more discreet in interpreting the commercial documents and consult relevant experts before jumping to conclusions and bringing them before the Court as truthful grounds for interference by the Court.

Naavi

P.S: EU parliament in the meantime seems to have passed a copyright rule which may mandate that internet platforms have to filter every piece of content from copyright angle. This means that the alternate presence of the content elsewhere in the Internet needs to be identified and the authorship also has to be tracked. Will this not be directly in conflict with what the above view of the Court may be suggesting? (Refer article here)


Supreme Court should make public the suggestions made by Abhishek Manu Singhvi

Yesterday, there was a hearing in Supreme Court about the RFP Tenders released by UIDAI and the objections raised on them by an MLA of TMC by name Mahua Moitra who is known as an “Aggressive” politician. The petition was argued by none other than the senior Advocate Mr Abhishek Manu Singhvi who is a loyal Congress member and also a person who has faced the trouble of black money investigation in the Mohul Chokshi/Nirav Modi case.

On the part of the respondent, the Attorney General Mr K.K. Venugopal appeared. This objection on “Social media Hub” by Mahua Moitra was the second such application as she had earlier opposed another RFP released by the I & B Ministry dated 25th April 2018. In that instance, the Supreme Court bench had made caustic remarks during the hearing which was reported in the press as “Social media hub: E Spying like a Surveillance State says Supreme Court”.

Fearing that these remarks indicated a pre-conceived state of mind of the bench, Government of India withdrew the proposal to avoid further confrontation and did not allow the trial to take place.

Now  on 18/7/2018, UIDAI released a tender RFP titled “Request for Proposal (RFP) for Hiring of Social Media Agency of UIDAI  HQ New Delhi”  

Again another RFP Tender was released on 19/7/2018 titled “Request for Proposal (RFP) for hiring of Media Monitoring Agency of UIDAI HQ, New Delhi”.

The list of tenders can be seen here below.

It is not clear if the RFP of 18th has been scrapped and replaced with the RFP of 19th though we can go with this presumption.

The petitioner promptly approached the Court once again objecting to the RFP of 18th. Since the Supreme Court is very sensitive to any Aadhaar related petitions and also since Mr Singhvi is a senior politician of the Congress, which can raise an impeachment motion on the Judges in the Parliament if the Congress party is unhappy, the petition was once again heard on 7th September and again on 11th September on an emergent basis.

If the RFP of September 18th has already been scrapped, then the petitioner will have to file a third petition on the RFP of 19th.

The current developments in the Supreme Court do not clarify if three or at least two separate petitions have been filed or the discussions are continuing on the old petition only.

If the discussions are continuing on the basis of the first petition, as it appears to be from the media reports, the AG needs to seek fresh petitions from the petitioner rather than discussing the new RFPs based on the old petition. Supreme Court should also insist on a new petition based on the grounds relevant to the RFP of UIDAI of 19/7/2018.

Even during the current hearings, on September 7th, the bench made instantaneous comments which media was happy to report with headlines such as “SC slams UIDAI tender to conduct online surveillance”, indicating that the bench is again pre-judging the issue before it hears the arguments of both sides.

Again, the AG was nodding his head in obedience and agreeing without any discussion that the suggestions of the Petitioner would be taken note and the RFP would be revised.

Reserved Aadhaar Judgement is casting its shadow

The way the AG is responding indicates that the fact that the judgement on constitutionality of Aadhaar has been reserved  is holding the Government back.  It is as if the Government is under a perceived threat that if it confronts the Supreme Court at this stage, an adverse Aadhaar judgement may be released immediately which is most likely to bring down the Modi Government .

Even if the judgement is not released immediately, the indication is that the judgement would go against the Government and the Court has to only decide on the timing of the release of the judgement. Just as the previous CJI went out with a bang on a hurriedly released judgement on Privacy in the Puttaswamy case, the current CJI may be holding the Aadhaar judgement as the grand finale of his term and a judgement against the Government will derive a very high praise from the section of the media which is part of the Anti Aadhaar brigade.

We can recall that one judgement against Jayalalitha was reserved and kept under reservation until it was no longer relevant for Jayalalitha and she passed away. Similarly the sensitive judgements like the National Herald case and the Ram Mandir case are being delayed until perhaps this Government exits and the more favourable Congress or a Kichdi Government comes into rule.  We can expect a similar finesse in the timing of the release of the Aadhaar judgement.

If the Aadhaar judgement goes against the Government as it appears to be likely, it will be a big blow for Mr Modi’s black money and corruption elimination drive. Consequently the corruption syndicate which may include men in high places and politicians will be extremely happy and claim that “Democracy is saved”.

It is also possible that scrapping of Aadhaar could completely break down the uneasy calm being maintained by the Government and the Judiciary ever since the friendly Congress Government went out of power and the no-nonsense Modi Government came to power.

It could even make this  confrontation an election issue and the role of politician advocates and their influence on the judiciary will be one of the main points which will have to be debated by the Indian public through the ballot box.

Some may argue that I am unnecessarily giving a political colour to this “Media Monitoring” debate. But we need to take note that the petitioner in this case is a politician and the advocate is a hard core politician and hence it is difficult to keep politics out of the  debate.

Nevertheless, let us keep the politics aside for now and  get back to the legal aspects of the debate.

Next Steps

From the information that is available in the media (Refer: Deccan Chronicle: “Will file affidavit on UIDAI plan, Center tells Supreme Court”) it is clear that the Government has no defence argument and is acting like a schoolboy before the headmaster, nodding its head at everything Mr Abhishek Manu Singhvi wants to say through the obliging bench.

What is not clear to us is that there were three RFPs. The first one was from a Government department but the other two are from a statutory body called UIDAI. Out of the two RFPs of the UIDAI, only the latest namely the RFP of 19th is relevant for discussion.

We do not know what suggestions Mr Singhvi has made or what Mr Venugopal will advise the Government to incorporate.

This issue cannot be settled in private discussions between the two advocates Mr Singhvi and Venugopal and in camera discussions with the judges. There is national interest involved and there should be transparency in the proceedings.

We urge the Supreme Court therefore to make public the petitions filed by Mahua Moitra in respect of each of the three RFPs and the latest suggestions that might have been made. We also would like to know why UIDAI as an authority is not representing itself as an independent body with a Corporate identity.

The conduct of UIDAI actually gives credence to the opposition charge that UIDAI is nothing but a mouthpiece of the ruling Government and does not hold any independent operational freedom.

I would like the CEO of UIDAI to explain whether every corporate decision of UIDAI and every one of its tender documents are subject to the scrutiny of the Ministry and are not professional decisions of the UIDAI. If this is so, he should resign and let a committee consisting of a Supreme Court judge and the politicians of the Government and the opposition run the operations.

Why the Media Monitoring by UIDAI is a National Security Issue

As a citizen of India, I would like to place some points of view for the UIDAI and the AG to take note of when it tries to make changes to the RFP based on the suggestions of Mr Abhishek Manu Singhvi.

These views are on the basis of Information Security best practice perspective.

Aadhaar is known to have many enemies. Most of these are those who are unhappy with its ability to track black money. There are also many security professionals and Privacy activists who oppose Aadhaar because of its perceived potential for misuse. Their view point cannot be brushed aside since if Congress comes back to power, they may certainly use Aadhaar to browbeat the citizens into submission like the 1975 emergency days.

Modi may use it for fighting corruption, but his control will extend only as long as he is in power, whereas Aadhaar may continue as a system even after Mr Modi is out of office. The Urban Naxalites are trying to push him out of office as early as possible and though they may not succeed for now, there is no guarantee that the Caste corrupt Indian society will not gang up against the honest, performance oriented Modi, ease him out of power in the elections and bring back a Kichdi Government.

The conspiracy to oust Mr Modi is also reflecting on the opposition to Aadhaar. In fact the current proposal of UIDAI is only to scan the media about how the reputation of UIDAI is getting reflected. Actually these measures which UIDAI is suggesting are insufficient and need to be bolstered further.

The petitioner, the AG and the Supreme Court are wrong to speculate that this “Media Monitoring” amounts to “Surveillance” and is related to Privacy infringement. It is clear that none of these people have really understood the proposal but are speaking from their prejudiced minds.

The proposal (please refer to the RFP of 19th July)  is to mainly observe what has been published as “News” in the media. It would scan

a) Print Media: All DAVP empanelled national, regional and vernacular dailies and all magazines including news magazines

b) Electronic media: All National and Regional  TV news channels

c) Digital/Online media: online news and magazines, facebook, twitter, blogs, micro-sites, social network sites etc.

The contracting agency is expected to prepare a media monitoring report on a daily basis and post it online to the UIDAI officials as per the list provided by the UIDAI (Media Division) from time to time, and also provide Newspaper Clippings/Clips of Electronic coverage as and when asked for within the specified time limits.

I want the Supreme Court to clarify which of these are infringing the Privacy of Indian Citizens and their fundamental rights. This sort of reputation management exercise is a routine media relation management exercise which every sensible public facing organization undertakes and is expected to. By passing adverse remarks on these with reference to UIDAI, the Court is actually passing a judgement on Corporate Media operations and rendering their activities seemingly illegal.

The Supreme Court and Mr K K Venugopal have to come to an agreement on what is “Surveillance in violation of privacy of an individual” and what is “Monitoring the reputation of an organization through the media citing”. They cannot go by the interpretation of a Congress politician and make it mandatory for UIDAI and other Corporates in this regard. If this is not challenged then every corporate media house needs to rethink its media scanning contracts and many Public Relations agencies need to close down.

The Supreme Court and Mr Venugopal seem to confuse monitoring of public information on Facebook and Twitter with the “Private” designated messages like WhatsApp. Intruding into WhatsApp or the Private messages in Facebook will amount to Privacy infringement. But the RFP does not suggest it. It is only in the mind of Mr Singhvi and without further verification has been assumed by the Court. It is a shame that the AG has not pointed this out.

Even in the case of the I&B RFP, the confusion was created because the proposal had two dimensions. On the first dimension it was media scanning (call it monitoring if you like). On the second dimension, the RFP wanted the agency to develop a platform like the “Local Circles” (Check www.localcircles.com). Further we can say that the attempt was to create a captive communication platform between the Government and its citizens where various issues could be discussed. Monitoring this was part of the RFP.

From the news reports it appeared that the SC thought and believed that the RFP was to pry into the private messaging platforms like WhatsApp, private messages in Facebook, hack into e-mails of citizens etc. This was nowhere evident in the proposal and only prejudiced minds could think that the RFP was exactly meant for that. It is acceptable for Mahua Moitra and Singhvi to think and act with such prejudice but the Supreme Court has to rise above such prejudice and evaluate the petition independent of the Media representation of what the intention of the Government could be. It appears so far that the bench has not applied its mind and is reacting to popular perceptions.

It must be brought to the attention of the Supreme Court that since Aadhaar is considered one of the keys to bringing down Mr Modi, opposition politicians and motivated hackers are engaging in attacking the Aadhaar system only to deface the reputation of Mr Modi. It is therefore not only necessary for UIDAI to understand the mood of the world opinion on Aadhaar but also engage specialists to scan the deep web to identify specific attack vectors that are being prepared by hackers to break into Aadhaar.

If the Supreme Court places barriers on UIDAI in monitoring even the public media, then UIDAI will have no courage to monitor the deep web. Hence emerging threats may go unnoticed and the responsibility for engineering such a situation may be attributed to the inability of the Supreme Court to understand the intricacies involved in monitoring a system as critical as Aadhaar.

I therefore consider that the current developments are creating a serious national security issue which even Mr Singhvi may not have recognized. It is the duty of the Government however to bring it to the notice of the Supreme Court that it is part of the recommended Information Security management strategy of any entity to not only scan the media but also manage “honeypots” to gather threat intelligence. If UIDAI does not do it, then it will be failing in its duty to the nation to secure the system.

If the Supreme Court does not allow UIDAI to secure the system, then history will hold responsible the members of the bench who are creating a situation whereby UIDAI will default on its security obligations.

It is the responsibility of Mr K K Venugopal to make an effort to bring these views to the Supreme Court and let them make an informed choice. By being super obedient, the AG is not serving the interests of either the Government or the general public.

Naavi


Surveillance and Monitoring are not the same

When the honourable Supreme Court considered the issue of Section 66A of ITA 2000/8 and ended up scrapping the section as being violative of the Indian Constitution, we had raised the objection to the decision on the ground that the Supreme Court had failed to distinguish between “Publishing” and “Messaging”.

Section 66A of ITA 2000/8 was all about “Messaging” using “Communication device” and stated that if it is used for certain purposes in a certain manner, it would amount to an offence. At the same time ITA 2000/8 also had section 67/67A/67B which addressed the offence created by “Publishing” and “Transmission” of electronic information.

Under Section 67/67A/67B, publishing and transmission of “Obscene” information was an offence. Other types of publishing were not included in the section. However, since offences regarding publishing in paper form were already covered  under IPC, publishing offences related to electronic publishing could be covered under IPC read with Section 4 of ITA 2000/8.

The problem with “Messaging” was considered different since “messaging” involved a communication from one individual to another and its effect is directly on the recipient individual and could be objected to only by him. If A sends a message to B, C cannot take a view on whether it is harassing or threatening etc unless B is a minor and C is the guardian. It is B and B alone who has to decide whether the message causes him mental disturbance and has to be considered as a “harassment” or “threat” etc. What may be a loving message sent from A to  B may be misconceived by B as a harassment either because a wrong word has been chosen by A or because of any other reason.

Offence under Section 66A was therefore not at all a publishing offence though the police in Palghar and several other places wrongly considered so and filed cases under the section for publishing offences. Several lower courts continued the litigation under the premise that Twitter and Facebook, liking and tweeting or retweeting are all “Messaging” activities and the matter had reached the Supreme Court for its view.

Notwithstanding that Section 66A had been used to harass innocent web users like Aseem Trivedi, the girls of Palghar, the business rival of Karti Chidambaram etc., the Supreme Court was obliged to look beyond the politics behind the police action and interpret Section 66A on the basis of law.

Ideally, it should have come to the conclusion that Section 66A is only about sending a message from one person to another through a communication device, and that whether it was causing harassment or threat to the recipient is for the recipient alone to judge and the court can intervene if necessary. It should have held that Facebook or Twitter is a “Publishing” activity and that the information sent for publishing was technically called “messages” because it was short and went in a burst from the sender to the platform where it was automatically displayed. Otherwise it was actually content in a web page which was open for view not by the recipient alone but by many and in most cases by the public.

Every web content is a similar “TCP/IP Message” which goes from the sender to a server and gets displayed, and it should be classified as “Publishing” and not “Messaging”.

The Supreme Court appeared to completely miss this point or did not wish to give a proper interpretation because it was blinded by the mouth watering opportunity to assert its position on upholding “Freedom of Speech” and hence declared that the issue on hand was an issue of “Freedom of Speech” and if Section 66A is allowed to remain in the statute, it would create a “Chilling Effect” etc.

All this is now history and Cyber Jurisprudents can only regret that the then Government advocates did not apprise the Supreme Court properly and remove the widely prevailing ignorance which resulted in Section 66A being ejected from ITA 2000/8 and thereby “harassment by electronic messages and spamming and phishing” went out of the coverage of ITA 2000/8.

Now history seems to be returning to haunt us and the Supreme Court is on the verge of making a mistake similar to what it did in the Shreya Singhal case. This time it is the case of the Mahua Moitra petition against UIDAI in which instead of the “Freedom of Speech” issue, it is the “Privacy Issue” which is blinding all the people concerned.

The Supreme Court has conveniently shifted the responsibility to the Attorney General (AG) and sought his help instead of scratching its own brains and coming to a decision. The AG and the Government behind him are wary of the blackmail that the media will launch based on false narratives and want to avoid controversies. Just a few weeks back the Government chickened out of the litigation in the objection raised by the same petitioner in respect of an RFP for media monitoring by the I&B Ministry by withdrawing the RFP which was under objection.

It would not be surprising if the Government again adopts the same strategy and forces UIDAI to withdraw the RFP. The “Chilling Effect” created by the Supreme Court through its shrill comments during the preliminary hearings, blown up further by the media, is too powerful to let the Government stand its legitimate ground rather than choose a tactical withdrawal.

So we can anticipate that Mahua Moitra can claim another victory. But this will be a victory of the evil forces using blackmail techniques against the Government and not a victory for justice. It will be a victory of mis-interpretation of the “Privacy” right by mis-interpreting “Media Monitoring” as “Surveillance”. It will be a victory of ignorance of the technology platform and failure of the Supreme Court to take the responsibility of interpreting the law.

It will once again show that the Supreme Court instead of collaborating with the Government for the benefit of the Citizens of India will be acting like an adversary asking the Government to interpret the law and then take the high moral ground of saying it is incorrect. Government should avoid this trap and ask the Court itself to interpret the RFP and guide them if it amounts to surveillance.

I wish that the Supreme Court actually uses this opportunity to legally differentiate between “Surveillance” and “Media Monitoring”.

“Media Monitoring” means watching what is published in different media vehicles about a company, about a product, about an issue, about UIDAI, about Government etc. This requires scanning of all media vehicles and if the media vehicles are online, it requires software for the purpose. It is actually the duty of every company to know what others are talking about itself and react to it in a positive manner. This is “Due Diligence” under Section 79 of ITA 2000/8. It is “Prudence” in Governance.

What the petitioner is asking the Supreme Court to do is to order the Government to close its eyes to media reports, let the opposition continue its fake news campaign and dis-information campaign, and not react to them.

The Judiciary is expected to be blind to public comments about itself and not get influenced. But the Government is expected to be alert to such public opinion and take corrective steps. In the past we are aware that Kings used to travel their kingdom in disguise to know what the citizens think about the King. They also used messengers to report to them about the public opinion. This was prevalent even in the days of Lord Rama and during Rama Rajya.

What we are seeing here is “Aadhaar bashing” by political opponents who do not want Aadhaar to be an instrument that prevents them from holding black money and benami properties. Mr Modi is seen as the brain behind this use of Aadhaar to root out black money and hence the TMC MLA who is the petitioner and the Congress worker who is the advocate are trying to beat Aadhaar with the hope that it will hurt Modi in the background. These politically motivated advocates are using all their legal intelligence in trying to convince the Supreme Court that “Surveillance” and “Media Monitoring” are synonymous.

If the Supreme Court goes by its earlier record on Section 66A, it may come out with a slamming judgement saying that the Government is causing a “Chilling Effect” through surveillance and gain some brownie points.

But I hope against hope that this will not happen and that the Supreme Court shows true character, sees through the opposition game and tries to treat the petition only on legal merits and not on speculation.

Surveillance is the term for when an honest citizen without any past adverse history of criminal records is tracked and the tracked data is used to harass him. Unless the tracked data is used against the person, no offence is made out and it will remain an intelligence activity in the interest of security of the state. Sections 69/69A/69B and 70B of ITA 2000/8 have the necessary legal controls for such an exercise. The new Privacy law can certainly address this.

But every action of the Government cannot be called “Surveillance” and the Supreme Court cannot be expected to have a daily hearing of the petitions raised by dubious political persons and interfere with the daily functions of the Government.

There is no doubt that journalists and opposition parties can indulge in speculation  that what starts as “Media Monitoring” can become “Surveillance”. But this is speculation that cannot  be indulged in by the Supreme Court.

The Court has to wait until it sees the evidence that the Government misuses “Media Monitoring” and intrudes into the private life of citizens.  It needs hard evidence before intruding into the day to day management of UIDAI and its corporate activities.

The RFP may not be critical to the functioning of UIDAI and the Government may not lose much by withdrawing the RFP. But if this litigation takes that route, then the Government of Mr Modi will show that it is buckling under the pressure of the unfair opposition campaign. It will allow the political opponents to flood the Supreme Court with more litigation leading to the election and make Supreme Court  dysfunctional along with the Government.

If the Supreme Court pushes the Government to such a decision, it would be a tragedy.  Then the differences between the Supreme Court and the Government will no longer be speculative and will become the debate among the citizens.  This should be avoided at all costs and even the Supreme Court has a responsibility in ensuring that it does not come out as a constant threat to the Government causing a “Policy Paralysis”.

On the other hand here is an opportunity for the Supreme Court to clear the air once for all on the difference between “Surveillance” and “Watching the Citizen’s reactions to Government activity as reflected in the media”.

The way the Supreme Court responds to the situation will also determine and establish that the Supreme Court is not a servant of the opposition to beat the Government at every turn, creating hurdles in the operation of the Government and its agencies.

If the Supreme Court quashes the RFP, the traditional media led by senior journalists like Shekhar Gupta and Sagarika Ghose may hail it as a “Victory to Privacy”. The Supreme Court and the judges of the bench may also be hailed as saviours of democracy. But history will judge the judges perhaps differently.

Does the bench have the character to stand up on the side of justice and fair play without being bothered by the Media and the political opposition which has a threat of impeachment held against the judges, or will it bat for TRP? This is what is bothering conscientious citizens like me.

Let us watch the day as the drama at the Supreme Court unfolds.

If the Supreme Court agrees with the arguments of Mr Abhishek Manu Singhvi and quashes the proposed RFP of UIDAI, I will be the first person to congratulate Rahul Gandhi and his advisors that his tactics of Modi bashing through Aadhaar bashing and arm twisting of the Supreme Court through the impeachment threat are working well and he may continue the same as his election strategy.

Naavi
