State Bank of India ready for a major scam

I have been informed by some customers of State Bank of India, particularly in the Srinagar Branch of Bangalore, that the Bank is asking its customers who want to file a 15G certificate for an e-mail ID.

It is said that many of the account holders who do not have e-mail addresses have been told that it is mandatory and that otherwise the TDS form will not be accepted. Not sure if this is an attempt at a systematic loot of people or a method of discrediting BJP and Mr Modi before the elections in Karnataka.

From the perspective of information security, it appears that many of the customers, some of them not fully aware of the implications, have been told that any e-mail address can be given if they do not have an e-mail ID.

More importantly, some of them have been directed to the nearest Cyber Cafe to open an e-mail account. The Cyber Cafe owner has given them a chit which the customers have handed to the Bank. The chit would have the e-mail address, and God knows who knows the password. At least, my housemaid who opened one such e-mail account did not know anything about the password or what the e-mail address is for.

Firstly, it is an unfair demand by SBI to insist that an e-mail address is mandatory along with the mobile number. It is dangerous to let customers who do not know about e-mail management open accounts through a Cyber Cafe.

There is every possibility that the staff of the Bank and the Cyber Cafe owner could collude, change the PIN of the ATM cards and cheat the customers.

I therefore request that an investigation be carried out to find out why State Bank of India, Srinagar branch of Bangalore (do not confuse with J&K), is insisting on such a procedure unmindful of the risks.

Are they so naive? If so, they deserve to be removed from their positions immediately. If not, the possibility of a scam brewing should be recognized and corrective action taken.

If there are political reasons for this, I request the BJP MLA Mr Ravi Subramanya to enquire and find out.

Naavi

On 10th April 2018, I received a call from SBI stating that through an error in programming, the particular e-mail field had been rendered “mandatory” and hence there was a problem. They confirmed that action will be taken to correct the same. Also, the Bank officer who called thanked us profusely for bringing the problem to their notice. We appreciate the immediate action taken by the Bank. Naavi


Bitcoin gets the Boot

Naavi.org has been consistently voicing its demand that Bitcoins should be banned in India and instead RBI should consider floating a crypto currency regulated by RBI.

At last RBI seems to have taken one decisive step which has been interpreted by the media as “Banning of Crypto coins”.

In a statement released by RBI, it has been stated that:

“Reserve Bank has repeatedly cautioned users, holders and traders of virtual currencies, including Bitcoins, regarding various risks associated in dealing with such virtual currencies. In view of the associated risks, it has been decided that, with immediate effect, entities regulated by RBI shall not deal with or provide services to any individual or business entities dealing with or settling VCs. Regulated entities which already provide such services shall exit the relationship within a specified time.”

At the same time, RBI has also indicated that it is exploring the possibility of introducing its own Crypto coin for which a committee will be formed to give its recommendations.

Naavi.org welcomes both the developments.

Naavi


Supreme Court cannot ignore the Virtual ID development regarding Aadhaar

Supreme Court has now come to the end of hearing the PIL on the Aadhaar. Whatever be the actual petition it is clear that the opposition to Aadhaar stems mainly from the Black Money holders and Benami property holders who are threatened out of their existence with the identification of their misdeeds and Black wealth accumulated over time.

India having been corrupted systemically by the ruling Congress Party since the days of Mrs Indira Gandhi (as people of our generation know), there is corruption in every aspect of our life. Our politicians, Bureaucrats, Police and even the Judiciary are exposed to the menace of corruption, though different segments have absorbed it to different extents.

Businessmen also have accumulated black wealth, but their accumulation is because of tax evasion. Otherwise the black money of businessmen is generated out of their hard work or business. The Black wealth accumulated by the officials and politicians, on the other hand, is of a different nature. It has originated out of corruption and additionally continued with tax evasion.

Now all these persons who are threatened with the loss of their ill gotten wealth have come together to petition to the Supreme Court that mandatory linking of Aadhaar to Bank accounts and the proposed property registrations is opposed to “Privacy” and hence it should be scrapped.

Privacy is not a shield for Corruption

Without any doubt, “Privacy” is being used as an excuse to cover up illegal accumulation of Black wealth and the Supreme Court cannot be seen as supporting this cause.

All Privacy regulations provide an exception that “Privacy” is not a right that can be used by a citizen when the State has to consider “Public Interest” and “National Security”.

We are not sure if the lawyers who will be arguing for the Government will not collude with the opposition and put up a weak argument to enable the Judiciary to scrap Aadhaar linkage to basic services.

A Citizen has no right to claim immunity from being punished for the larger good of the society. The judiciary has its role in checking the misuse of any law including the Aadhaar law just as the SC/ST atrocities Act.

Hence the Supreme Court Bench has to place the national interest paramount and not be swayed by the arguments of the Aadhaar opponents. I have some faith that the current CJI will ensure it. It should be done before the “Dissenting” judges take over our system and politicize the judiciary.

Virtual ID eliminates most of the concerns against Aadhaar

In this context, the much awaited Virtual Aadhaar ID scheme of UIDAI has now become operational. Under this scheme, all services which require an Aadhaar number will now use the “Pseudonymized ID”, which is the 16-digit Virtual ID that the Aadhaar holder picks up on the Aadhaar website. The original Aadhaar number remains confidential with the user. The intermediary who uses the Virtual ID will not have the demographic data mapped to the original Aadhaar ID, and hence the kind of data breaches that happened at the intermediary end in the past, for which UIDAI is being blamed, cannot happen in the future.

This Virtual ID is not a permanent ID and can be regenerated randomly every time the Aadhaar holder wants to use it. He can use it as a single-purpose ID and ensure that no two intermediaries have his data mapped to the same Aadhaar ID.

This system therefore addresses the concern on Aadhaar security at the intermediary end for all future transactions.
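The indirection described above, modelled as an added example (constructed here; it is not UIDAI's code and does not reproduce the real VID format or generation algorithm): the authority keeps the only VID-to-real-ID mapping, each service stores just the VID it was handed, and regenerating a VID retires the previous one. The Authority and Intermediary names and the enrolment records are assumptions.

```python
import secrets

VID_DIGITS = 16  # the article describes the Virtual ID as a 16-digit number

# Constructed enrolment records standing in for the confidential Aadhaar data.
# The real-ID strings are placeholders, not Aadhaar numbers.
ENROLMENTS = {
    "REAL-ID-0001": {"name": "Asha", "dob": "1980-01-01"},
    "REAL-ID-0002": {"name": "Ravi", "dob": "1975-06-15"},
}


class Authority:
    """The UIDAI side: the only place where VID <-> real ID is known."""

    def __init__(self):
        self._vid_to_real = {}   # currently valid VID -> real ID
        self._real_to_vid = {}   # real ID -> its currently valid VID

    def issue_vid(self, real_id):
        """Hand the holder a fresh random 16-digit VID and retire the old one."""
        old = self._real_to_vid.get(real_id)
        if old is not None:
            del self._vid_to_real[old]
        while True:
            vid = "".join(secrets.choice("0123456789") for _ in range(VID_DIGITS))
            if vid not in self._vid_to_real:
                break
        self._vid_to_real[vid] = real_id
        self._real_to_vid[real_id] = vid
        return vid

    def authenticate(self, vid, demographic):
        """Answer an intermediary's request with yes/no only; the real ID never
        leaves this function. Returns 'yes', 'no' or 'invalid vid'."""
        real_id = self._vid_to_real.get(vid)
        if real_id is None:
            return "invalid vid"
        return "yes" if ENROLMENTS[real_id] == demographic else "no"


class Intermediary:
    """A bank, telco or similar service that keys its records by VID only."""

    def __init__(self, name, authority):
        self.name = name
        self.authority = authority
        self.records = {}  # VID -> service-specific data

    def onboard(self, vid, demographic, account):
        if self.authority.authenticate(vid, demographic) != "yes":
            return False
        self.records[vid] = {"name": demographic["name"], "account": account}
        return True


def joinable_ids(service_a, service_b):
    """IDs that someone holding both services' dumps could join on. With a
    separate VID per service this set is empty, which is the property the
    article relies on."""
    return set(service_a.records) & set(service_b.records)


def run_demo():
    uidai = Authority()
    bank = Intermediary("bank", uidai)
    telco = Intermediary("telco", uidai)
    asha = ENROLMENTS["REAL-ID-0001"]

    # Asha generates one VID per service; the second generation retires the first.
    vid_bank = uidai.issue_vid("REAL-ID-0001")
    bank_ok = bank.onboard(vid_bank, asha, "SB-1234")
    vid_telco = uidai.issue_vid("REAL-ID-0001")
    telco_ok = telco.onboard(vid_telco, asha, "MOB-5678")

    return {
        "onboarded": bank_ok and telco_ok,
        "vid_length": len(vid_telco),
        "real_id_at_bank": any("REAL-ID" in v for v in bank.records),
        "joinable": len(joinable_ids(bank, telco)),
        "retired_vid_resolves": uidai.authenticate(vid_bank, asha),
        "wrong_demographic": uidai.authenticate(vid_telco, ENROLMENTS["REAL-ID-0002"]),
    }


if __name__ == "__main__":
    print(run_demo())
```

The bank's stored VID stops resolving once Asha regenerates, which is the trade-off of a single-purpose, regenerable identifier: breach data from one service cannot be joined with another's, but a service that needs a stable key must obtain one afresh.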

Of course, some critics may still ask what about the past? There could be solutions for that which could be considered in future.

Critics will also ask what is the guarantee that the data may not be leaked from the UIDAI itself. There will of course be security at the UIDAI so that no single person will be able to leak Aadhaar information, since multiple levels of authentication would be required.

If the critics still ask whether it is not possible for multiple persons to collude and commit a fraud, I would say that if a day comes to that, then we the Indians do not deserve the Aadhaar.

We know that when the previous Congress regime was in place, the country was run in the name of PM by a coterie which was Pro Pakistan and Anti India. It can be speculated that several of the national secrets could have then been shared with the enemy during this time. Conspiracies could have been hatched to put our Military to shame and create a bogey of Hindu terrorism. In future also, if those who want to destroy our country come to power, we are not sure if they will rule in the interest of the country.

The opposition political parties in India which are behind the Anti Aadhaar discussion in Supreme Court had once given Supari to eliminate Mr Modi much before he became PM. Now they are trying to use the Supreme Court as the weapon to kill the ambition of Mr Modi to eliminate corruption in India.

Hence the Aadhaar case has become a symbol of a fight between those who despise corruption and those who worship it.

If the opposition comes to power, there is the danger that they may themselves access Aadhaar data and hand it over to Cambridge Analytica so that they will never lose the election again.

Supreme Court has to show its character

I hope the final decision of the Supreme Court will prove that India still retains the ability to stand up to all divisive forces and show character that has made this country survive against the onslaught of foreign invasions time and again.

Naavi

Also Refer:

It is Y2K Moment again in India with Virtual Aadhaar ID

How Aadhaar Security reaches a new dimension with Virtual Aadhaar ID

Three days to go for mandatory use of Virtual Aadhaar ID: Who is ready?

Is Private Sector ignoring Virtual Aadhaar ID?

Virtual Aadhaar ID; More breathing time for laggards


Data Portability under GDPR… Is it Your Data to be ported or My Data?

Data Portability is one of the contentious issues of the GDPR from the compliance angle. We had discussed the “Theory of Dynamic Personal Data” in one of our previous articles. That concept would be relevant to address the issue of Data Portability as envisaged in GDPR.

Article 20 of GDPR states as follows:

Article 20: Right to data portability

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
(b) the processing is carried out by automated means.

2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. (Ed: Right to Erasure). That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

The industry is struggling to understand how it can possibly tune up its processing system so as to keep the “Personal Data of the Data Subject” in one compact identifiable package so that when necessary it can be “Ported” or “Erased”.

If a Data Processor is setting up a new system for processing the data, it would be perhaps easier to design the system to meet this objective. But if he is already processing data and is now trying to implement GDPR over the existing set up which includes past stored data and the processing system, it would be a challenge to comply with the provision.

One of the key aspects of implementing Data Portability and Data Erasure is to ensure that a data subject’s personal data is always identifiable in a package and can be dealt with together when required.

In practice however, the complete set of personal data about a data subject gets acquired over a period of time and in bits and pieces. In this kind of “Data Aggregation”, there is one part of personal data which the data subject has handed over after an informed consent. This is a “Property” of the data subject and he has every right to deal with it as he likes.

But once this raw data is received by the data processor, it may be mixed with other data, analyzed, filtered, processed using intelligent data mining and analytical algorithms and another set of data which has a link to the raw data supplied by the data subject emerges. In course of time, the data subject also adds further data about himself which is another set of raw data that gets added.

At this point of time, the data with the data processor has two components: the raw data supplied by the data subject from time to time, and the value-added secondary data in which the raw data is embedded but which has much more value because of what the processing has done to the raw data. It is as if the data subject has given the data processor water, fruit juice concentrate and sugar in separate packets and the data processor has made a bottle full of juice with them.

Now the data subject comes and says, please “Port” my data to another “Data Processor”. The problem now is for the data processor to separate the water, juice concentrate and sugar from the bottle of juice and return the “Data of the Data Subject”. Anything else is different data, and if that has to be transferred to another data processor, it will go along with the technical know-how used by the first data processor to add value to the data. Obviously this is not acceptable to the data processor since it would dilute his IPR.

The key to GDPR data portability management is to develop a data processing model which keeps a tag on the “Raw data supplied by the data subject” even when it is being churned into a value added data by the data processor, so that when required, we can pull out the raw data and return it to the data subject.

If the system is designed intelligently, the data processor may still keep the value added data with himself but return the raw data components to the data subject. It will be like having the Cake and eating it too.

In order to design such a magic system, we may have to develop a suitable system on a case to case basis. But as indicated earlier, it is easier to introduce such systems prospectively and not retrospectively.

Hence it is better if GDPR liability is accepted only for the future personal data inflow and existing system which was in place is retained for Data Protection in respect of the past data.

It does not appear that GDPR has been conceived taking this “Prospective” or “Retrospective” implementation into account, since the authorities seem to be oblivious to the practical issues involved in implementing some of the recommendations which appear good to read but are impossible to comply with.

In this discussion, we have assumed that the Data Subject does not lay claim for the value added part of the processed data and would be satisfied if his own raw data is returned to him. Hence in future we may have to differentiate data as “My Data” and “Your Data” and apply different privacy and security rules for them.

The technical implementation of this concept needs the development of a middleware data processing strategy, which is out of the scope of this article and also involves IPR in the design.
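One way the “tag on the raw data” idea from the preceding discussion can be made concrete, as an added illustration that is not the article's or any vendor's design: every record carries a provenance tag, derived records cite the raw records they consumed rather than copying their fields, a port request exports only the raw (subject-provided) records, and an erasure deletes them while the processor keeps its value-added data with the subject link severed. The Record and Store names and the sample data are assumptions.

```python
import json
from dataclasses import dataclass, field, asdict
from itertools import count


@dataclass
class Record:
    rid: int
    subject: str            # set to None once the link to the subject is severed
    tag: str                # 'raw' (subject-provided) or 'derived' (processor's)
    content: dict
    derived_from: list = field(default_factory=list)   # raw record ids consumed


class Store:
    """Keeps the tag on subject-provided raw data through processing."""

    def __init__(self):
        self._records = {}
        self._ids = count(1)

    def add_raw(self, subject, content):
        """Data the subject handed over under consent: tagged as theirs."""
        rec = Record(next(self._ids), subject, "raw", dict(content))
        self._records[rec.rid] = rec
        return rec.rid

    def add_derived(self, subject, content, sources):
        """Processor's value-added data. It may cite the subject's raw records
        but must not copy their fields, or the raw data could not be pulled out."""
        for s in sources:
            src = self._records[s]
            if src.tag != "raw" or src.subject != subject:
                raise ValueError("derived data may cite only this subject's raw records")
            if set(src.content) & set(content):
                raise ValueError("derived record must not duplicate raw fields")
        rec = Record(next(self._ids), subject, "derived", dict(content), list(sources))
        self._records[rec.rid] = rec
        return rec.rid

    def port(self, subject):
        """Article 20 export: the subject's raw records only, as JSON."""
        raw = [asdict(r) for r in self._records.values()
               if r.subject == subject and r.tag == "raw"]
        return json.dumps({"subject": subject, "records": raw}, sort_keys=True)

    def erase(self, subject):
        """Erase the raw data: delete the raw records; derived records stay with
        the processor but lose their link to the subject. Returns ids deleted."""
        raw_ids = [r.rid for r in self._records.values()
                   if r.subject == subject and r.tag == "raw"]
        for rid in raw_ids:
            del self._records[rid]
        for r in self._records.values():
            if r.tag == "derived" and r.subject == subject:
                r.subject = None
                r.derived_from = []
        return raw_ids

    def records_for(self, subject):
        return [r for r in self._records.values() if r.subject == subject]

    def has(self, rid):
        return rid in self._records

    def size(self):
        return len(self._records)


def run_demo():
    """Constructed walk-through using the article's juice analogy."""
    store = Store()
    water = store.add_raw("asha", {"email": "asha@example.invalid"})
    sugar = store.add_raw("asha", {"postcode": "560001"})
    juice = store.add_derived("asha", {"propensity_score": 0.72}, [water, sugar])

    exported = json.loads(store.port("asha"))
    erased = store.erase("asha")
    return {
        "exported_tags": sorted({r["tag"] for r in exported["records"]}),
        "exported_fields": sorted(k for r in exported["records"] for k in r["content"]),
        "erased": erased,
        "remaining": store.size(),
        "still_linked": len(store.records_for("asha")),
        "juice_kept": store.has(juice),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The check in add_derived is what makes the separation hold in practice: if a derived record were allowed to copy raw fields, the export would no longer be the complete raw set and the erasure would leave subject data behind.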

Naavi


Definition of Undertaking under GDPR and its impact

GDPR is liked by some as a good law to protect the privacy of individuals and is often looked upon as an “Emerging Standard”. Many companies are working towards calling themselves “GDPR Compliant” since it makes good marketing sense, though GDPR does not apply to them. Even the Whitepaper on Data Protection Law released by the Justice Srikrishna Committee made frequent references to GDPR, giving a perception that the Indian Data Protection law will be a reflection of GDPR in some way.

At the same time GDPR is hated by the IT Companies because it increases their cost of Privacy compliance and also holds the Damocles sword on their head with the obnoxious penalty clause of Administrative Fines.

In most privacy laws, the emphasis is to provide direct protection to the data subject by giving him compensation for adverse consequences of data breach. In order to reduce the possibility of privacy breach, the law also provides certain standards of compliance and to goad the companies to take compliance seriously, imposes fines and penalties for non compliance. The fine is meant to act as deterrence against neglect of “Due Diligence” requirements.

GDPR has used Administrative fines as a means of causing a “Chilling Effect” on the industry that they are at the mercy of the “Supervisory Authorities” who have been given powers to impose unreasonably large penalties.

Article 83 (4) and 83 (5) prescribe the penalties.

Under Article 83(4), certain infringements will be subject to administrative fines up to 10 million Euros (1 Euro=Rs 80) or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Under Article 83(5), certain infringements will be subject to administrative fines up to 20 million Euros (approx Rs 160 crores) or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The lower fine is in respect of the following articles:

Article 8: Child’s Consent

Article 11: Processing which does not require identification

Articles 25 to 39: Various obligations such as privacy by default, impact assessment, data breach notification failure etc.

Articles 42 and 43: Certification related

The higher fine is in respect of the following articles:

Articles 5, 6, 7 and 9: Violation of basic principles for processing including consent

Articles 12 to 22: Infringement of Data Subject’s Rights

Articles 44 to 49: Transfer of personal data to third countries

and non-compliance with member state laws and orders of a supervisory authority

In the penalty clause what strikes the eye is that in case of an “Undertaking” the penalty may be 2% or 4% of the total worldwide turnover.

To understand the impact of this clause, we need to understand what constitutes an “Undertaking” under the law applicable in this context.

The meaning of “Undertaking” is defined under Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU).

One obvious way of determining the scope of this word is to consider that where one company exercises “Control” over another company, they form a single economic entity and hence are part of the same undertaking.

This means that if a company is a holding company and the subsidiary company is the one subject to penalty, the holding company may become part of the global undertaking. If the holding company is in the EU and the subsidiary companies are in one or more other countries, then all of them will become part of the “Undertaking”. Beyond this, it would depend on the specific ruling that any Court may give or which the supervisory authority may imply.

If therefore, Infosys (an example only) is an Indian company and has subsidiaries in EU where it is a Data Controller and is subject to some fine, then the turnover of Infosys becomes part of the turnover of the undertaking. Now if Infosys subsidiaries in other countries also hold cross holdings in the EU entity, then some crazy EU court may add the global turnover of Infosys as the turnover of the undertaking to determine the fine.

This may mean that the revenue generated by the employees of the Company in India out of their operations here which have no relevance to EU operations will be taxed in EU.

The legality of such a measure is considered debatable.

Also, when Infosys-EU signs a Data Controller contract and creates a charge on the earnings in India which is enforceable against the EU subsidiary, the shareholders of the Indian Company may have reason to ask if their wealth gets eroded.

At first glance, the addition of “Global Turnover” in the computation of the penalty appears to be an overreach in law and may not sustain proper scrutiny. But this is something which NASSCOM has to address and consult international law experts such as Harish Salve and clarify.

In the meantime, Indian companies having some operations through EU subsidiaries need to ensure that the “Holding Company Turnover” does not become a factor that increases the potential liability of the EU subsidiary. This can be done by shedding the “Holding Company Status” and ensuring that the EU subsidiary and the (hitherto) Indian parent company maintain an arm's length relationship without any director-level control or shareholder-level control.

When companies which are not required to follow GDPR want to adopt GDPR as a “Standard”, they should ensure through proper disclosures that “The adoption of GDPR compliance as a business strategy across all the global units of the undertaking” is not treated as a prima facie admission that there exists a global networking relationship across all such companies, exposing the aggregate turnover of all such companies to the risk of being considered for fine computation.

I look forward to a response from NASSCOM on this matter.

Naavi


In the wonderland of Quantum Cyber Law, Physics is part of Law specialization

Ever since Law entered Cyber space and the term “Cyber Law” was coined, the field of law has been shaken up.

When ITA 2000 (Information Technology Act 2000) was notified and conventional lawyers started reading it they soon encountered right under Section 3, terms such as “Asymmetric Crypto system” and “Hashing”. Immediately it was clear that their years of study of LLB and experience in the Bar was of little relevance in the new emerging world of “Cyber Law”.

At this point of time, a breed of “Cyber Law Specialists” was born who studied ITA 2000 from its birth and had no prior in-depth knowledge of Civil or Criminal law. Gradually, many of the “Computer Savvy Lawyers” who could understand some computer terms such as hard disk, memory, hacking, denial of service etc. graduated as “Cyber Law Specialists” with different degrees of specialization in civil or criminal law along with an awareness of computer technology.

Simultaneously, pure technology specialists working in the area of “Cyber Forensics” also graduated into a multi discipline specialization by acquiring awareness of ITA 2000 or Cyber Laws.

With this convergence of technology knowledge/specialization with law specialization/awareness was born a new breed of specialists who could describe themselves as “Techno Legal Specialists”.

In the Information Security domain, these specialists became “Techno Legal (TL) Information Security Specialists”.

Some of these specialists like the undersigned recognized the importance of “Behaviour Science” in Information Security area just like in the case of “Criminology” and added the “Behaviour Science Specialization” to their forte to create a “Techno Legal Behavioural Science Specialization” to be used both for Cyber Criminology and Information Security.

We may recognize these developments as different generations of Cyber Law specializations that are developing not only in India but also elsewhere.

When we look at some of the emerging problems such as Section 65B of Indian Evidence Act and the struggle of the community to handle the Cyber Crimes emanating from the deep web, it is clear that we are still a long way off from mastering the art of “Techno Legal Behavioural Science (TLBS) Specialization” either in the Information Security area or in the Cyber Law area.

Failure to acquire this TLBS specialization in the Information Security domain results in increasing Cyber Crimes, data thefts etc including the Cyber Analytica kind of issues.

Failure to acquire this TLBS specialization in the Cyber Law domain results in increasing cases of bad Judgements such as the Section 66A and Shafhi Mohammad judgement by the Supreme Court of India or the Shapoorji Pallonji case judgement by Mumbai High Court.

Emerging Cyber Law Scenario

While there is a need to continue our work on creating better awareness and better understanding of the TL and TLBS concepts through our education system both in Law Education and in Engineering education and let it percolate through the practicing lawyers to the Judiciary, the environment has moved further with the advent of Artificial Intelligence and Quantum Computing making further changes to the interpretation of Cyber Law principles.

Just as Digital Signature concepts brought Asymmetric Crypto Systems and Hashing, which are mathematical concepts, into the domain of Cyber Law, the development of Quantum Computing has now brought “Physics” directly into the domain of Cyber Law.

Now a full rounded Cyber Lawyer needs to not only know law, computer technology and behavioural science, but also Physics.

We must remember that what we were calling as “Computer Technology” so far already incorporated “Physics” because every “Bit” that held the data in a computer device was actually a “Transistor” in miniature form and every processing on a computer happened with “Electronics” in the back end.

But just as “Classical Physics” was disrupted by “Quantum Physics” and the laws of Classical physics including the famous laws of Newton had to be re-written in the Quantum world and even the geniuses like Albert Einstein were proved wrong in parts in the Quantum Physics domain, all the current laws which we codify as “Cyber Laws” may need a complete re-look in the Quantum computing environment.

We must therefore recognize that the next generation of Cyber Law specialization is now here. I will call this the “Quantum Cyber Law Specialization”.

The Quantum Cyber Law (QuCL/QCL) specialists need to not only understand the depths of Law along with “Transistor based Classical Computers” but the emerging “Qubit based Quantum Computers” where the “Qubit” is not a transistor but a Nucleus or an Electron.

Just as the Classical Computer works on a transistor representing a “Bit” which can be either with a charge or no charge representing the binary states of one or zero, the Qubit represents an electron or a nucleus which is spinning either in the clockwise or anti clockwise direction representing the two states Zero or One.

The enigma of Quantum Computing however is the “Principle of Uncertainty” that a spin state of an electron can be one and zero at the same time but collapses into one of the two states at the time of measurement.

The readers of this blog consist mainly of Classical Cyber Law Followers. Some of them may find the concept of Quantum Computing a bundle of science fiction. They may choose to ignore some of the articles that may appear here on these “Emerging Technology” concepts and focus on improving their understanding of the “Transistor Based classical technology” and how it affects Section 65B etc.

But for those crazy technology buffs who would like to explore the computer world of the future, it is necessary to slowly start grasping some of the new concepts to stay relevant in the post-2030 Cyber Law world.

The undersigned is also in the process of exploring the Quantum Computing principles and is experimenting with some thoughts, not all of which may be considered “Definitive”. Errors and misinterpretation could be expected since this is considered a learning process.

Readers may therefore treat some of these articles more as hypotheses to be tested and tuned. The presented hypotheses may be debunked and improved by Quantum Cyber Law (QuCL) watchers.

Understanding QuCL requires even more depth of technical knowledge than what is required for understanding Cyber Law as we know today.

Further the technical knowledge required for understanding QuCL would include the knowledge of Quantum Physics and its application to the creation of logic gateways and data store techniques which is more than what most computer science specialists possess in the natural course of their development.

I am yet to find a term to describe this “Multiple Domain Experts who know Computer Technology, Law and Physics”.

Probably they should be called “Techno Legal Physicists” or “Quantum Physics Technology Law Specialists” (QPTLS), and this specialization should be termed Quantum Physics Technology Law (QPTL) specialization.

Like many things in the life of Naavi, perhaps Naavi will be the first to describe himself as a Techno Legal Physicist or Quantum Physics Technology Law Specialist (now in the process of graduation).

Even today, many of the lawyers ask me in a cross examination in a Court, “Where did you get your Cyber Law Degree” that makes you an “Expert”. I normally reply that “In 1998 when I started studying Cyber Law and in 2000 when I started Cyber Law College, there was no other university or college which was qualified to give Cyber Law degrees (at least in India) and hence my Cyber Law specialization had to be and is self acquired”.

Similarly, now I have to say that the new specialization of “Techno Legal Physicist” or “Quantum Physics Technology Law Expert” will have to be a self acquired skill which I will endeavour to acquire through self study.

With this, I have a message to the cross-examining lawyers who try to embarrass me in a witness box with questions that I do not have a law degree or a computer science degree and cannot call myself eligible to give evidence on computer aspects. They must remember that I have a Master’s degree in Physics with a specialization in nuclear physics itself, which makes me eligible to talk on law that depends on transistors and quantum mechanics, as an expert.

However, I humbly submit that “Expertise” is a “Relative expression”. Knowledge is so huge that no person can call himself an “Expert”. One can be more an expert than the other in a given niche area and may be a novice at the same time in another aspect.

The description of an “Expert” under Section 45/45A of Indian Evidence Act has to absorb the “Quantum Principle” that a witness may be an “Expert” or a “Novice” at the same time and it is only when his knowledge is measured against a specific question that his “State” will collapse into either “Expert” or “Not an Expert”.

Next time when a cross-examining lawyer asks me, “Are you an Expert?” “Do you know technology?” etc., I may answer, “I am an expert or a novice at the same time, like a Qubit being in the state of one or zero at the same time. You try to pose a question and I may collapse into either being an expert or not”.

The problem, however, is that the Judge may immediately say.. Please do not argue with the counsel and put counter questions… answer Yes or No, not Both…..

Practicing lawyers specializing in court procedures may kindly advise me what would be the correct answer to the objection that witnesses cannot be in a quantum state and say “Yes and No” but have to be always in either the “Yes” or the “No” state.

In the wonderland of Quantum Cyber Law, a new specialization of Techno Legal Physics needs to be recognized to answer such questions.

Naavi
