A Trap is laid for Gullible Bitcoin Investors

Just last week, RBI declared:

 it has been decided that, with immediate effect, entities regulated by RBI shall not deal with or provide services to any individual or business entities dealing with or settling VCs. Regulated entities which already provide such services shall exit the relationship within a specified time.

Most of the media interpreted this as a clear indication that no Bank, NBFC or Commodity trader (including those also registered for Foreign Exchange trading) could have any business related to Bitcoins. The earlier action of the ED, sending out notices to lakhs of Bitcoin investors who had traded on any of the Indian exchanges asking them to disclose the source of their acquisition and the details of tax paid on the Bitcoin transactions, had also indicated that Bitcoin investors will face action from both RBI and ED if they continue to deal in Bitcoin.

It is obvious that most Bitcoin investments were made out of black money and hence the investors were trying to hide themselves. The Exchanges are taking steps to move out to other countries such as Singapore and handle the business emanating from India from there. The Bitcoin holders who have remained underground so far are trying to find exchanges outside India either to sell their bitcoin holdings and quit their positions or to continue to invest.

However, any movement of INR into Bitcoins and conversion of Bitcoins into undeclared Foreign Exchange accounts could be a violation of FEMA and land the investors in bigger trouble than simply surrendering their holdings to the Indian Government, paying whatever tax they need to pay and enjoying what is left. Since, however, the price has tumbled from around USD 19000 per bitcoin to less than USD 7000, not much profit or capital may be left for many of those Bitcoin investors who continued to ignore our suggestions to stay away.

When the situation therefore indicates that no sane investor would like to invest in Bitcoins in India now, it is surprising that a company called “Synup”, which describes itself as a New York and Bangalore based startup with operations in the US and Canada, founded by the serial entrepreneur Ashwin Ramesh, has issued a Press Release today announcing the launch of a new website, coinfriendly.io, with 10717 bitcoin-accepting businesses listed on its platform. The objective of the website is clearly stated as allowing bitcoin users across the globe to identify these stores and services in 20 countries, and becoming the largest repository of such local businesses.

Of course, at present there are no India based businesses listed on the platform and hence this will project itself more like a directory of Bitcoin companies across the globe, excluding India.

If there is no target audience in India to use the platform, it appears strange that the Company should send out the press release to Bangalore based publications.

We have to wait for tomorrow to see which publications carry the press release and what they write. However, we can expect at least some of the publications to carry the press release, even if in the inside pages, without their own comments. Like a typical phishing campaign, the message will reach out to Bitcoin sensitive audiences.

The obvious inference is that the publicity is meant to inform the Bitcoin investors that even if India based Bitcoin exchanges shut down their operations, there could be many options in other countries to park their black money. It should also be possible to launder the Bitcoin holdings through many of the businesses listed in the platform to buy goods or simply trade it for foreign exchange.

Gullible investors may therefore fall into the trap of using the services of any of the listed service providers to spend their Bitcoins, or of buying fresh bitcoins if available through any exchanges.

Investors in India are hereby cautioned that any dealings with the entities listed on this website will be on the radar of the ED, as people dealing with these entities will clearly be those who are using black money holdings in the form of Bitcoins.

Such customers may therefore quietly start getting notices asking them to explain the source of the bitcoins used and whether they hold more bitcoins.

If ED has not yet started this activity, it had better do so immediately.

In the meantime, the Police in Bangalore should also keep a watch on this Company’s activities and on whether it will promote Bitcoin indirectly in India.

Naavi


Posted in Cyber Law

State Bank of India ready for a major scam

I have been informed by some customers of State Bank of India, particularly in the Srinagar Branch of Bangalore that the Bank is asking for e-mail ID from its customers who want to file 15G certificate.

It is said that many of the account holders who do not have e-mail addresses have been told that it is mandatory and that otherwise the form (for TDS exemption) will not be accepted. Not sure if this is an attempt at a systematic loot of people or a method of discrediting BJP and Mr Modi before the elections in Karnataka.

From the perspective of information security, it appears that many of the customers, some of them not fully aware of the implications, have been told that any e-mail address can be given if they do not have an e-mail ID of their own.

More importantly, some of them have been directed to the nearest Cyber Cafe to open an e-mail account. The Cyber Cafe owner has given them a chit which the customers have handed over to the Bank. The chit carries the e-mail address, and God knows who knows the password. At least my housemaid, who opened one such e-mail account, did not know anything about the password or what the e-mail address was for.

Firstly, it is an unfair demand by SBI to insist that an e-mail address is mandatory along with the mobile number. It is dangerous to let customers who do not know about e-mail management open accounts through a Cyber Cafe.

An e-mail address registered with the Bank becomes a channel through which the account can be operated, so if its password is known to a stranger there is every possibility that the staff of the Bank and the Cyber Cafe owner could collude, change the PIN of the ATM cards and cheat the customers.

I therefore request that an investigation be carried out to find out why the State Bank of India, Srinagar branch of Bangalore (do not confuse with J&K), is insisting on such a procedure unmindful of the risks.

Are they so naive? If so, they deserve to be removed from their positions immediately. If not, the possibility of a scam brewing should be recognized and corrective action taken.

If there are political reasons for this, I request the BJP MLA Mr Ravi Subramanya to enquire and find out.

Naavi

On 10th April 2018, I received a call from SBI stating that through an error in programming the particular e-mail field had been rendered “mandatory” and hence there was a problem. They confirmed that action would be taken to correct the same. The Bank officer who called also thanked us profusely for bringing the problem to their notice. We appreciate the immediate action taken by the Bank….. Naavi

Posted in Cyber Law

Bitcoin gets the Boot

Naavi.org has been consistently voicing its demand that Bitcoins should be banned in India and instead RBI should consider floating a crypto currency regulated by RBI.

At last RBI seems to have taken one decisive step, which has been interpreted by the media as a “Banning of Crypto coins”.

In a statement released by RBI it has been stated that

“Reserve Bank has repeatedly cautioned users, holders and traders of virtual currencies, including Bitcoins, regarding various risks associated in dealing with such virtual currencies. In view of the associated risks, it has been decided that, with immediate effect, entities regulated by RBI shall not deal with or provide services to any individual or business entities dealing with or settling VCs. Regulated entities which already provide such services shall exit the relationship within a specified time.”

At the same time, RBI has also indicated that it is exploring the possibility of introducing its own Crypto coin for which a committee will be formed to give its recommendations.

Naavi.org welcomes both the developments.

Naavi

Posted in Cyber Law

Supreme Court cannot ignore the Virtual ID development regarding Aadhaar

The Supreme Court has now come to the end of hearing the PIL on Aadhaar. Whatever the actual petition may be, it is clear that the opposition to Aadhaar stems mainly from the Black Money holders and Benami property holders who are threatened out of their existence by the identification of their misdeeds and of the Black wealth accumulated over time.

India having been systemically corrupted by the ruling Congress Party since the days of Mrs Indira Gandhi (as people of our generation know), there is corruption in every aspect of our life. Our politicians, Bureaucrats, Police and even the Judiciary are exposed to the menace of corruption, though different segments have absorbed it to different extents.

Businessmen also have accumulated black wealth, but their accumulation is because of tax evasion; otherwise the black money of businessmen is generated out of their hard work or business. The Black wealth accumulated by officials and politicians, on the other hand, is of a different nature: it has originated out of corruption and is additionally compounded by tax evasion.

Now all these persons who are threatened with the loss of their ill gotten wealth have come together to petition to the Supreme Court that mandatory linking of Aadhaar to Bank accounts and the proposed property registrations is opposed to “Privacy” and hence it should be scrapped.

Privacy is not a shield for Corruption

Without any doubt, “Privacy” is being used as an excuse to cover up illegal accumulation of Black wealth and the Supreme Court cannot be seen as supporting this cause.

All Privacy regulations provide an exception that “Privacy” is not a right that can be used by a citizen when the State has to consider” Public Interest” and “National Security”.

We are not sure whether the lawyers who will be arguing for the Government may collude with the opposition and put up a weak argument to enable the Judiciary to scrap the Aadhaar linkage to basic services.

A Citizen has no right to claim immunity from being punished for the larger good of the society. The judiciary has its role in checking the misuse of any law including the Aadhaar law just as the SC/ST atrocities Act.

Hence the Supreme Court Bench has to place the national interest paramount and not be swayed by the arguments of the Aadhaar opponents. I have some faith that the current CJI will ensure it. It should be done before the “Dissenting” judges take over our system and politicize the judiciary.

Virtual ID eliminates most of the concerns against Aadhaar

In this context, the much awaited Virtual Aadhaar ID scheme of UIDAI has now become operational. Under this scheme, all services which require an Aadhaar number will now use a “Pseudonymized ID”, the 16 digit Virtual ID which the Aadhaar holder generates on the Aadhaar website. The original Aadhaar number remains confidential with the user. The intermediary who uses the Virtual ID receives only that random number, from which the Aadhaar number cannot be derived, and hence will not hold demographic data mapped to the original Aadhaar number. The kind of data breaches that happened at the intermediary end in the past, for which UIDAI is being blamed, therefore cannot happen in the same way in future.

This Virtual ID is not a permanent ID and can be regenerated randomly whenever the Aadhaar holder wants. Generating a new Virtual ID invalidates the earlier one, so an intermediary holding an old Virtual ID cannot reuse it for a fresh authentication. The holder can use it as a single purpose ID and ensure that no two intermediaries have his data mapped to the same Virtual ID.

This system therefore addresses the concern on Aadhaar security at the intermediary end for all future transactions.
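The scheme described above, reduced to a small model. This is an added example written for this post, not UIDAI’s code; the class names, the yes/no verification call and the sample record are assumptions made for illustration.

```python
"""Added example (not UIDAI's code): a simplified model of a revocable,
per-purpose Virtual ID. Class names, the yes/no verification API and the
sample record are assumptions made for illustration."""
import secrets

VID_DIGITS = 16  # the Virtual ID in the text is a 16-digit number


class VirtualIdIssuer:
    """Only the issuer (UIDAI in the text) can map a VID back to the real ID."""

    def __init__(self, records):
        # real_id -> demographic data held only by the issuer (constructed sample)
        self._records = dict(records)
        self._vid_to_id = {}  # currently valid VIDs
        self._current = {}    # real_id -> its current VID

    def generate_vid(self, real_id):
        """Issue a fresh random 16-digit VID; the holder's earlier VID is revoked."""
        old = self._current.get(real_id)
        if old is not None:
            self._vid_to_id.pop(old, None)
        while True:
            vid = "".join(secrets.choice("0123456789") for _ in range(VID_DIGITS))
            if vid not in self._vid_to_id:  # never hand out a VID already in use
                break
        self._vid_to_id[vid] = real_id
        self._current[real_id] = vid
        return vid

    def verify(self, vid, name):
        """Answer yes/no only; the real ID never leaves the issuer."""
        real_id = self._vid_to_id.get(vid)
        return real_id is not None and self._records[real_id]["name"] == name


class Intermediary:
    """A bank, telco or similar: it stores the VID it was given, never the real ID."""

    def __init__(self, label):
        self.label = label
        self.customers = {}  # vid -> data the intermediary itself collected

    def onboard(self, issuer, vid, name, extra):
        if not issuer.verify(vid, name):
            raise ValueError(f"{self.label}: VID did not verify")
        self.customers[vid] = {"name": name, **extra}


def linkable(a, b):
    """Could someone holding both breached databases join them on the VID?"""
    return bool(set(a.customers) & set(b.customers))


def run_vid_demo():
    real_id = "0000 0000 0001"  # constructed, not a real Aadhaar number
    issuer = VirtualIdIssuer({real_id: {"name": "Asha"}})
    bank, telco = Intermediary("bank"), Intermediary("telco")

    vid_bank = issuer.generate_vid(real_id)
    bank.onboard(issuer, vid_bank, "Asha", {"account": "SB-001"})

    vid_telco = issuer.generate_vid(real_id)  # single-purpose VID; revokes vid_bank
    telco.onboard(issuer, vid_telco, "Asha", {"msisdn": "98xxxxxxxx"})

    return {
        "vid_format_ok": len(vid_telco) == VID_DIGITS and vid_telco.isdigit(),
        "distinct_vids": vid_bank != vid_telco,
        "linkable_on_vid": linkable(bank, telco),
        "old_vid_still_verifies": issuer.verify(vid_bank, "Asha"),
        "real_id_in_bank_db": real_id in bank.customers
        or any(real_id in str(v) for v in bank.customers.values()),
    }


if __name__ == "__main__":
    print(run_vid_demo())
```

Running run_vid_demo() shows the three properties the text relies on: the bank and the telco hold different 16 digit numbers for the same person, their two databases cannot be joined on that number, and the bank’s older Virtual ID stops verifying once the holder generates a new one. That last point is also the caveat for intermediaries: a Virtual ID is not a stable customer key and must not be stored as one.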

Of course some critics may still ask: what about the past? There could be solutions for that which could be considered in future.

Critics will also ask what guarantee there is that the data will not be leaked from UIDAI itself. There will of course be security at UIDAI so that no single person will be able to leak Aadhaar information, since multiple levels of authentication would be required.

If the critics still ask whether it is not possible for multiple persons to collude and commit a fraud, I would say that if a day comes to that, then we Indians do not deserve Aadhaar.

We know that when the previous Congress regime was in place, the country was run in the name of PM by a coterie which was Pro Pakistan and Anti India. It can be speculated that several of the national secrets could have then been shared with the enemy during this time. Conspiracies could have been hatched to put our Military to shame and create a bogey of Hindu terrorism. In future also, if those who want to destroy our country come to power, we are not sure if they will rule in the interest of the country.

The opposition political parties in India which are behind the Anti Aadhaar discussion in Supreme Court had once given Supari to eliminate Mr Modi much before he became PM. Now they are trying to use the Supreme Court as the weapon to kill the ambition of Mr Modi to eliminate corruption in India.

Hence the Aadhaar case has become a symbol of a fight between those who despise corruption and those who worship it.

If the opposition comes to power, there is the danger that they may themselves access Aadhaar data and hand it over to Cambridge Analytica so that they will never lose the election again.

Supreme Court has to show its character

I hope the final decision of the Supreme Court will prove that India still retains the ability to stand up to all divisive forces and show character that has made this country survive against the onslaught of foreign invasions time and again.

Naavi

Also Refer:

It is Y2K Moment again in India with Virtual Aadhaar ID

How Aadhaar Security reaches a new dimension with Virtual Aadhaar ID

Three days to go for mandatory use of Virtual Aadhaar ID: Who is ready?

Is Private Sector ignoring Virtual Aadhaar ID?

Virtual Aadhaar ID; More breathing time for laggards

Posted in Cyber Law

Data Portability under GDPR… Is it Your Data to be ported or My Data?

Data Portability is one of the contentious issues of the GDPR from the compliance angle. We had discussed the “Theory of Dynamic Personal Data” in one of our previous articles. That concept would be relevant to address the issue of Data Portability as envisaged in GDPR.

Article 20 of GDPR states as follows:

Article 20: Right to data portability

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
(b) the processing is carried out by automated means.

2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. (Ed: Right to Erasure). That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

The industry is struggling to understand how it can possibly tune up its processing system so as to keep the “Personal Data of the Data Subject” in one compact identifiable package so that when necessary it can be “Ported” or “Erased”.

If a Data Processor (strictly, under Article 20 the obligation falls on the Controller) is setting up a new system for processing the data, it would perhaps be easier to design the system to meet this objective. But if he is already processing data and is now trying to implement GDPR over the existing set up, which includes past stored data and the processing system, it would be a challenge to comply with the provision.

One of the key aspects of implementing Data Portability and Data Erasure is to ensure that a data subject’s personal data is always identifiable in a package and can be dealt with together when required.

In practice, however, the complete set of personal data about a data subject gets acquired over a period of time and in bits and pieces. In this kind of “Data Aggregation”, there is one part of the personal data which the data subject has handed over after an informed consent. This is a “Property” of the data subject and he has every right to deal with it as he likes.

But once this raw data is received by the data processor, it may be mixed with other data, analyzed, filtered, processed using intelligent data mining and analytical algorithms and another set of data which has a link to the raw data supplied by the data subject emerges. In course of time, the data subject also adds further data about himself which is another set of raw data that gets added.

At this point of time, the data with the data processor has two components, namely the raw data supplied by the data subject from time to time and the value added secondary data in which the raw data is embedded but which carries much more value because of what has happened to the raw data during processing. It is as if the data subject has given the data processor water, fruit juice concentrate and sugar in separate packets and the data processor has created a bottle full of juice with them.

Now the data subject comes and says, please “Port” my data to another “Data Processor”. The problem for the data processor is now to separate the water, juice concentrate and sugar from the bottle of juice and return the “Data of the Data Subject”. Anything else is different data, and if that has to be transferred to another data processor, it will go along with the technical know-how used by the first data processor to add value to the data. Obviously this is not acceptable to the data processor since it would dilute his IPR.

The key to GDPR data portability management is to develop a data processing model which keeps a tag on the “Raw data supplied by the data subject” even when it is being churned into a value added data by the data processor, so that when required, we can pull out the raw data and return it to the data subject.

If the system is designed intelligently, the data processor may still keep the value added data with himself but return the raw data components to the data subject. It will be like having the Cake and eating it too.
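One way to build the tagging described above, as an added example that is not from the original article: every fact stored about a data subject records whether the subject supplied it or the processor derived it, so that the Article 20 export (and an Article 17 erasure) of the raw part becomes a filter rather than a migration project. The store, the Fact record, the lawful-basis labels and the sample facts are assumptions made for illustration.

```python
"""Added example (not from the original article): a provenance-tagged store
that keeps the data subject's raw inputs separable from the controller's
derived data. Class, field and sample-data names are assumptions."""
import json
from dataclasses import dataclass

SUBJECT_PROVIDED = "subject_provided"      # raw data handed over by the data subject
CONTROLLER_DERIVED = "controller_derived"  # value added by the controller's processing
PORTABLE_BASES = ("consent", "contract")   # Article 20(1)(a)


@dataclass
class Fact:
    key: str
    value: object
    provenance: str           # SUBJECT_PROVIDED or CONTROLLER_DERIVED
    lawful_basis: str         # "consent", "contract", "legal_obligation", ...
    derived_from: tuple = ()  # keys of the raw facts a derived fact embeds


class PersonalDataStore:
    def __init__(self):
        self._facts = {}  # subject_id -> list of Fact

    def record_from_subject(self, subject_id, key, value, lawful_basis):
        self._facts.setdefault(subject_id, []).append(
            Fact(key, value, SUBJECT_PROVIDED, lawful_basis))

    def record_derived(self, subject_id, key, value, derived_from=()):
        self._facts.setdefault(subject_id, []).append(
            Fact(key, value, CONTROLLER_DERIVED, "legitimate_interest", tuple(derived_from)))

    def export_portable(self, subject_id):
        """Article 20: only what the subject provided, only under consent or
        contract, in a structured machine-readable format (JSON here)."""
        portable = {f.key: f.value for f in self._facts.get(subject_id, [])
                    if f.provenance == SUBJECT_PROVIDED and f.lawful_basis in PORTABLE_BASES}
        return json.dumps(portable, sort_keys=True)

    def erase_subject_data(self, subject_id):
        """Erase the raw facts the subject can ask to have removed. A derived
        fact that embeds an erased raw value goes with it; derived facts that
        do not (the controller's own value-add) are retained. Raw facts held
        under a legal obligation are kept, as Article 17(3) allows."""
        facts = self._facts.get(subject_id, [])
        erased = {f.key for f in facts
                  if f.provenance == SUBJECT_PROVIDED and f.lawful_basis != "legal_obligation"}
        kept = [f for f in facts
                if f.key not in erased and not (set(f.derived_from) & erased)]
        self._facts[subject_id] = kept
        return sorted(erased), sorted(f.key for f in kept)


def run_portability_demo():
    store = PersonalDataStore()
    sid = "subject-42"  # constructed sample data throughout
    store.record_from_subject(sid, "email", "asha@example.com", "contract")
    store.record_from_subject(sid, "postcode", "560004", "consent")
    store.record_from_subject(sid, "tax_id", "ABCDE1234F", "legal_obligation")
    store.record_derived(sid, "churn_score", 0.23, derived_from=("postcode",))
    store.record_derived(sid, "segment", "tier-2")  # aggregate label, embeds no raw value
    exported = store.export_portable(sid)
    erased, kept = store.erase_subject_data(sid)
    return exported, erased, kept


if __name__ == "__main__":
    print(*run_portability_demo(), sep="\n")
```

export_portable returns only the facts the subject supplied under consent or contract, which is what Article 20(1) covers; tax_id, held under a legal obligation, is left out, and so is churn_score, which is the processor’s own output. Erasure drops the raw facts and any derived fact that embeds one of them (churn_score depends on postcode) but keeps the aggregate segment, which is the “cake” the article wants the processor to keep. The point of the design is that the provenance tag is written at the moment a fact enters the system; it cannot be reconstructed afterwards, which is exactly why a retrospective implementation is hard.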

In order to design such a magic system, we may have to develop a suitable system on a case to case basis. But as indicated earlier, it is easier to introduce such systems prospectively and not retrospectively.

Hence it is better if GDPR liability is accepted only for the future personal data inflow and existing system which was in place is retained for Data Protection in respect of the past data.

It does not appear that GDPR has been conceived with this “Prospective” or “Retrospective” implementation in mind, since the authorities seem oblivious to the practical issues involved in implementing some of the requirements, which appear good to read but impossible to comply with.

In this discussion, we have assumed that the Data Subject does not lay claim for the value added part of the processed data and would be satisfied if his own raw data is returned to him. Hence in future we may have to differentiate data as “My Data” and “Your Data” and apply different privacy and security rules for them.

The technical implementation of this concept needs the development of a middleware data processing strategy, which is out of the scope of this article and also involves IPR in the design.

Naavi

Posted in Cyber Law

Definition of Undertaking under GDPR and its impact

GDPR is liked by some as a good law to protect the privacy of individuals and is often looked upon as an “Emerging Standard”. Many companies are working towards calling themselves “GDPR Compliant” since it makes good marketing sense, even though GDPR does not apply to them. Even the Whitepaper on Data Protection Law which the Justice Srikrishna Committee released made references to GDPR frequently, giving the perception that the Indian Data Protection law will be a reflection of GDPR in some way.

At the same time GDPR is hated by the IT Companies because it increases their cost of Privacy compliance and also holds the Damocles sword on their head with the obnoxious penalty clause of Administrative Fines.

In most privacy laws, the emphasis is to provide direct protection to the data subject by giving him compensation for adverse consequences of data breach. In order to reduce the possibility of privacy breach, the law also provides certain standards of compliance and to goad the companies to take compliance seriously, imposes fines and penalties for non compliance. The fine is meant to act as deterrence against neglect of “Due Diligence” requirements.

GDPR has used Administrative fines as a means of causing a “Chilling Effect” on the industry that they are at the mercy of the “Supervisory Authorities” who have been given powers to impose unreasonably large penalties.

Article 83 (4) and 83 (5) prescribe the penalties.

Under Article 83(4), certain infringements will be subject to administrative fines of up to 10 million Euros (at 1 Euro = Rs 80, approx Rs 80 crores) or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Under Article 83(5), certain infringements will be subject to administrative fines of up to 20 million Euros (approx Rs 160 crores) or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The lower fine is in respect of the following articles:

Article 8: Child’s Consent

Article 11: Processing which does not require identification

Articles 25 to 39: Various obligations of controllers and processors, such as privacy by default, impact assessment, data breach notification etc.

Articles 42 and 43: Certification related

The higher fine is in respect of the following articles:

Articles 5, 6, 7 and 9: Violation of the basic principles for processing, including the conditions for consent

Articles 12 to 22: Infringement of Data Subjects’ Rights

Articles 44 to 49: Transfer of personal data to third countries

and non-compliance with Member State laws adopted under Chapter IX, or with an order or limitation on processing imposed by a supervisory authority.

In the penalty clause what strikes the eye is that in case of an “Undertaking” the penalty may be 2% or 4% of the total worldwide turnover.

To understand the impact of this clause, we need to understand what constitutes an “Undertaking” under the law applicable in this context.

The meaning of “Undertaking” is not defined in GDPR itself; Recital 150 says that it is to be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU), that is, by the competition law case law on what constitutes a single economic entity.

One obvious way of determining the scope of this word is to consider that where one company exercises “Control” over another company, they form a single economic entity and hence are part of the same undertaking.

This means that if a company is a holding company and the subsidiary company is the one subject to the penalty, the holding company may become part of the same undertaking. If the holding company is in the EU and the subsidiary companies are in one or more other countries, then all of them will become part of the “Undertaking”. Beyond this, it would depend on the specific ruling that a Court may give or the interpretation that the supervisory authority may apply.

If therefore, Infosys (an example only) is an Indian company and has subsidiaries in EU where it is a Data Controller and is subject to some fine, then the turnover of Infosys becomes part of the turnover of the undertaking. Now if Infosys subsidiaries in other countries also hold cross holdings in the EU entity, then some crazy EU court may add the global turnover of Infosys as the turnover of the undertaking to determine the fine.

This may mean that the revenue generated by the employees of the Company in India out of their operations here which have no relevance to EU operations will be taxed in EU.

The legality of such a measure is considered debatable.

Also, when Infosys-EU signs a Data Controller contract and creates a charge on the earnings in India which is enforceable against the EU subsidiary, the shareholders of the Indian Company may have reason to ask whether their wealth gets eroded.

At first glance, the addition of “Global Turnover” in the computation of the penalty appears to be an overreach in law and may not sustain proper scrutiny. But this is something which NASSCOM has to address, and it should consult international law experts such as Harish Salve and clarify.

In the meantime, Indian companies having some operations through EU subsidiaries need to ensure that the “Holding Company Turnover” does not become a factor that increases the potential liability of the EU subsidiary. This could be done by shedding the “Holding Company Status” and ensuring that the EU subsidiary and the (hitherto) Indian parent company maintain an arm’s length relationship without any director level or shareholder level control.

When companies which are not required to follow GDPR want to adopt GDPR as a “Standard”, they should ensure through proper disclosures that “The adoption of GDPR compliance as a business strategy across all the global units of the undertaking” is not treated as a prima facie admission that there exists a global networking relationship across all such companies, exposing the aggregate turnover of all such companies to the risk of being considered for fine computation.

I look forward to a response from NASSCOM on this matter.

Naavi

Posted in Cyber Law