Section 65B clarified… e-book


Naavi has published a few e-books as detailed here

Additionally, an e-book exclusively on Section 65B titled “Section 65B of Indian Evidence Act clarified” has been published.

This book is available at Rs 150/- as an E Book.

This book can also be a useful add-on book along with other E books such as Cyber Crimes & ITA 2008 and Cyber Laws for Engineers.

A limited number of print copies of this book are available at Rs 200/- per copy, and they can be delivered only within India.

Hope readers would find this useful.

Naavi


Recipe for corruption in Judiciary- Supreme Court judgement in Shafhi Mohammad V State of Himachal Pradesh

Viewers would have observed several newspaper reports in the last few days with headlines such as

-“Courts can rely on Electronic Records without Certificate: SC” (Deccan herald), (Free Press Journal)

-“Party Not In Possession Of Device From Which Electronic Document Is Produced Need Not Produce Sec. 65B Certificate: SC …” (Livelaw.in), 

-“Supreme Court says certificate not mandatory for making electronic evidence judicially admissible” (Firstpost)

-“SC clears air on electronic records” (Telegraph)

…etc.

The report originated from a PTI report and has been diligently carried by many publications. There is no doubt that this report has created a perception in certain circles that the Supreme Court has issued a judgement that in effect overrules the three member judgement in the case of P V Anvar Vs P.K Basheer.

The perception however is incorrect. It is false and incorrect to state that Section 65B certificate is no longer required for admissibility of electronic documents.

This order of the Supreme Court in a Special Leave Petition (CRL No 2302 of 2017) signed by a two member bench Adarsh Kumar Goel and Uday Umesh Lalit must be seen in the limited context of the SLP.

A two member SLP order cannot be accepted as an overruling of a three member judgement, as has been explained in our earlier article.

It is amusing to see the Court accepting the argument of the Senior advocate Jayant Bhushan who is stated to have said that section 65B of the Evidence Act was a “procedural provision” intended to “supplement the law” by declaring that any information in an electronic record, “is admissible in any proceedings without further proof of the original”.

We must state that Section 65B is part of the Indian Evidence Act in the main and not in any supplementary rule, and hence has the same judicial value as any other section of the Indian Evidence Act.

The Court itself quoted

“whether a person who wants to take a recourse of alibi in a criminal trial with the help of boarding pass of a flight, where there was no signature and was just a printout from a computer, can that document be not relied by the court for want of such certificate.”

but went ahead to state

“These are the questions, which we need to deliberate,” the bench said, and added that courts cannot afford to deny acceptance of such documents for want of certificate under section 65B.

The senior counsel suggested that

“the evidence should be accepted by the court and later sent for verification to technical labs to see if it was tampered or not”.

This argument is fallacious and puts the defence in the untenable position of having to disprove an electronic evidence that might have been totally fabricated.

One report quotes that the bench of Justices A.K. Goel and U.U. Lalit said

“if this were not permitted, it would be denial of justice to the person who is in possession of authentic evidence/witness….Thus, requirement of a certificate under Section 65B(4) is not always mandatory,”

The order indicates that the honourable judges have not properly appreciated the need for a Section 65B certificate in the case of electronic evidence and the harm that dispensing with it would create for the system of justice.

According to the report, the Court had considered the views of four senior advocates who had been appointed amicus curiae to assist in the interpretation of the provision, and the result is a disappointing reflection of the amicus curiae's understanding of the requirements of Section 65B.

Mr. Jayant Bhushan, Ms. Meenakshi Arora, Ms. Ananya Ghosh, Mr. Yashank Adhyaru and Ms. Shirin Khajuria, learned counsel, appearing for Union of India have been quoted in the judgement as having assisted the Court.

The order is a recipe for corruption in the judiciary, where corrupt advocates can collude with fraudulent litigants to produce false evidence, and corrupt judges can admit the evidence and challenge the defence to prove that the electronic evidence is wrong.

The bench appears to have only facilitated the production of false evidence and shifted onto the defence the onus of proving that it is inadmissible. This is highly dangerous and bad in law.

The earlier provision, where a Section 65B certificate was required, introduced an intermediary to assist the Court who could be held liable for false evidence if the certificate was “not in good faith” and the content was fraudulently constructed. Now this thin layer of security has vanished. It appears that the Judges did not have the vision to look beyond the airline boarding ticket and thought that, if necessary, they could summon an airline official to corroborate the evidence.

But they seem to be unaware that electronic evidence may consist of e-mails and websites, and in many cases the evidence could have been removed after it was certified by a 65B certifier; in such cases the credibility of the certifier was the only trusted support for the Court. Now the Court seems to accept the electronic evidence as presented and let the adversary prove that it is wrong.

The Court has forgotten that there is no Section 79A certified Digital Evidence Examiner at present and there will never be sufficient number of such organizations in future to forensically examine the “Genuineness” of the document. The Basheer judgement had clearly segregated the “Admissibility” from the “Genuineness” and had indicated how the two should be handled by the Court. The current order has completely ignored this part of the Basheer judgement and has gone on its own line of thinking which is wrong.

If this rule is honoured, falsification of electronic evidence will be a rule and judicial process can be easily frustrated and production of false evidence and false witnesses will proliferate. Honest persons will be left to fight the false evidence presented by dishonest advocates and accepted as admissible by corrupt judges and incur disproportionate cost of litigation.

It is possible to ignore this order since it cannot overrule the larger bench order. But the misperception created by this order, and the ignorant media repeating it many times over, is likely to mislead many judges in lower courts into believing that this is an operative order.

This order is an open challenge by the two member bench on a larger bench decision and has the effect of disrupting the judicial process.

The media blitz is perhaps orchestrated by some vested interests with an intention to slip in some Electronic documents as evidence in their respective cases where Section 65B evidence is not available and cannot be produced now.

Courts have allowed the earlier presented evidence to be resubmitted with Section 65B certificate but in some cases the evidence may be no longer available for certification.

No doubt some genuine parties would have been affected by this. But if so, such cases are because they did not know the law and ignored the need for Section 65B certificate and submitted their evidence earlier.

If law is sought to be changed because these parties and their advocates were ignorant, we will be opening doors for a large scale fraud in presentation of false and manipulated electronic evidence. It should not be done.

I request the Chief Justice of India to take steps to limit the damage caused by this order.

Naavi



Two Member Bench of Supreme Court Vs Three member decision on Section 65B

On September 18, 2014, the famous P.V.Anvar Vs P.K Basheer judgement was delivered by the three member Supreme Court bench consisting of the then CJI, Kurien Joseph along with Justices R.M. Lodha and Rohinton Fali Nariman in which it was unambiguously declared as follows:

“Any documentary evidence by way of an electronic record under the Evidence Act, in view of Sections 59 and 65A, can be proved only in accordance with the procedure prescribed under Section 65B.”

“The very admissibility of such a document, i.e., electronic record which is called as computer output, depends on the satisfaction of the four conditions under Section 65B(2). Following are the specified conditions under Section 65B(2) of the Evidence Act:”

“Only if the electronic record is duly produced in terms of Section 65B of the Evidence Act, the question would arise as to the genuineness thereof and in that situation, resort can be made to Section 45A – opinion of examiner of electronic evidence.”

“The very caption of Section 65A of the Evidence Act, read with Sections 59 and 65B is sufficient to hold that the special provisions on evidence relating to electronic record shall be governed by the procedure prescribed under Section 65B of the Evidence Act. That is a complete code in itself. Being a special law, the general law under Sections 63 and 65 has to yield.”

“the statement of law on admissibility of secondary evidence pertaining to electronic record, as stated by this court in Navjot Sandhu case (supra), does not lay down the correct legal position. It requires to be overruled and we do so.”

The judgement in the Basheer case clarified the law as it existed since 17th October 2000 and was not a new law. It was unfortunate that though Thiru D. Arul Raj a magistrate of the Chennai AMM court had correctly interpreted Section 65B way back in 2004, other judges of even higher Courts including in the case of Navjot Sandhu (alias Afsan Guru), were unable to understand and interpret the Section 65B of Indian Evidence Act properly. Basheer case judgement was therefore a milestone in the interpretation of Section 65B as it stands today.

It is therefore surprising that in the case Shafhi Mohammad vs State of Himachal Pradesh, SLP (Crl) no 9431/2011 and SLP (crl) No (S) 9631-9634/2012, the Supreme Court bench of two judges, namely Justices Adarsh Kumar Goel and Uday Umesh Lalit, has passed an order dated January 30, 2018 which is apparently not in agreement with the Basheer judgement.

Earlier there was another judgement, Sonu@Amar Vs State of Haryana, which was instantly interpreted as rejecting the Basheer judgement. But actually this was a very measured judgement in which the Judge had acknowledged that it was a special circumstance in which he was rejecting the appeal, which sought relief on the ground that an earlier completed trial and conviction should be reviewed because the electronic evidence was not certified under Section 65B. He stated in no uncertain terms that the Basheer judgement is effective as on date but that it would not be practical to review all completed judgements, and hence he would not agree to the review.

Shahfi Mohammad order

The current case of Shahfi Mohammad should also be looked at in the context of how the two judge bench justifies a rejection of an earlier three member bench decision and whether there are any “exceptional circumstances” for the same. Otherwise, it is difficult to see how a smaller bench is overruling the larger bench.

Let’s however analyze what the Court has stated in this case.

Para 12 of the order states:

“Accordingly, we clarify the legal position on the subject on the admissibility of the electronic evidence, especially by a party who is not in possession of device from which the document is produced. Such party cannot be required to produce certificate under Section 65B(4) of the Evidence Act. The applicability of requirement of certificate being procedural can be relaxed by Court wherever interest of justice so justifies.”

We must first note that this is an observation on a SLP and does not constitute a law overturning the Basheer judgement. Hence the position as stated in the Basheer judgement remains as the precedent as of date.

Being an order on an SLP, the order should be considered as an observation applicable for the specific context and is not a precedent set.

In this case the question that arose was whether the videography of the scene of crime captured during investigation as a part of Standard operating Procedure could be used as evidence. In the process there was a misunderstanding about how the admissibility has to be proved and who has to issue a Section 65B certificate.

My views on “Who can provide a Section 65B Certificate” have been explained earlier, and going through that explanation, it is clear that the reference in this case itself was misplaced and the order could have been disposed of differently if the Court had rightly recognized the essence of the section, which it did not.

The Court has worked under the premise that it would be procedurally difficult if the person who did the videography, (which would be the law enforcement person in the case of body cameras) is to be considered as the person who has to provide the Section 65B certificate. If this view is taken, then there would certainly be operational issues. In order to avoid this, the Court went ahead and declared that the Basheer case judgement was to be ignored and Afsan Guru case judgement has to be recognized.

It went ahead to state

“If the electronic evidence is authentic and relevant the same can certainly be admitted subject to the Court being satisfied about its authenticity and procedure for its admissibility may depend on fact situation such as whether the person producing such evidence is in a position to furnish certificate under Section 65B(4).”

“Sections 65A and 65B of the Evidence Act, 1872 cannot be held to be a complete code on the subject. In Anvar P.V. (supra), this Court in para 24 clarified that primary evidence of electronic record was not covered under Sections 65A and 65B of the Evidence Act. Primary evidence is the document produced before Court and the expression “document” is defined in Section 3 of the Evidence Act to mean any matter expressed or described upon any substance by means of letters, figures or marks, or by more than one of those means, intended to be used, or which may be used, for the purpose of recording that matter.”

“The applicability of procedural requirement under Section 65B(4) of the Evidence Act of furnishing certificate is to be applied only when such electronic evidence is produced by a person who is in a position to produce such certificate being in control of the said device and not of the opposite party.

In a case where electronic evidence is produced by a party who is not in possession of a device, applicability of Sections 63 and 65 of the Evidence Act cannot be held to be excluded.”

The reasoning of the bench, that we should not make it difficult for law enforcement to produce the electronic evidence captured with body cameras by procedurally putting them in a spot where only the lawful owner of the body camera can provide the certificate, is acceptable.

But we disagree with the Court’s resolution of the problem by invoking Sections 63 and 65 and bringing in the discussion of the primary and secondary evidence.

This was not necessary since Section 65B does not place the restrictions which the Court believed that existed.

Section 65B clearly states that it is not necessary to produce the “Original” electronic document, that is the “Evidence”, for it to be admissible. It is sufficient to produce the “Computer Output” in its place.

The “Original” document is a “Stream of binary data” when it was first created in a device used for creating the “Original” electronic document that is the subject matter of admissibility as evidence.

It is always the “Secondary rendition” of an electronic document that is made available to the Court as evidence in the form of “Computer Output” as defined in Section 65B. The “Computer Output” is produced by the person who views the “Original Stream of Binary Data” and makes a copy either on another media or as a print out. (In the instant case since the document is a video, it is more appropriate to consider an electronic copy).

The person who makes this electronic copy as a “Computer Output” is the person who has to provide a Section 65B certificate stating where he saw the original version of the document, what device he used to view it and how he converted it into a copy as produced.

This person could be the video operator back in the Police control room to whom the video recordings are deposited by the field personnel and not necessarily the field personnel himself.

If we accept this interpretation of Section 65B being a certification of the computer output and not certification of the original binary stream, the Court would have realized that the apparent issue referred to it was not a matter of concern at all in developing a standard operating procedure.

The field personnel may deposit the first container of the electronic document (which contains the original stream of data) like depositing any hardware or article collected from the crime scene with a certificate. At best, each day when they submit the “Memory Card or Tape”, they may record the “hash value” of the document.

The deposit letter may state, “I deposit herewith a tape marked ……. with hash value under SHA-256 algorithm of ……” and carry his signature.

If the person who is depositing an electronic document does not want to deposit the whole container but only a document which is part of the data contained therein, then he has to make a copy of the document onto another media device with a hash, and this copy needs to carry a Sec 65B certificate. This process can be automated so that as soon as the field operative returns to the lab, he connects his equipment to a storage device which downloads the data, calculates the hash value, incorporates the Section 65B clauses and obtains the digital signature of the person before archiving the deposit.

Most disk cloning hardware has this facility of making a copy along with a hash and a certificate slip that can be signed.

Any subsequent retrieval of the deposit can be made by the back room person, who can provide his Section 65B certificate starting from what he saw in the archival computer. (As suggested by the concept of contemporaneous certification by the High Court of Madhya Pradesh at Jabalpur, S.Tiwari Vs Arjun Ajay Singh, in an order dated 17th January 2017, regarding E.P. no 01/2014.)
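The deposit-and-retrieval procedure described above, as an added example that is not code from this blog or from any police or court process: a field deposit record carrying the SHA-256 hash of the whole container, a later computer-output certificate by the back room person that chains to that hash, and a verifier that rejects an altered copy or an altered record. The sample recording, the names and the signing key are all constructed, and an HMAC-SHA256 tag stands in for the depositor's digital signature so the script runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed sample standing in for the raw recording (the "original stream
# of binary data") handed over on a memory card or tape.
SAMPLE_RECORDING = b"constructed body-camera stream frame " * 128

# Placeholder key. The procedure calls for the depositor's digital signature;
# this example substitutes an HMAC-SHA256 tag under a shared key instead.
SIGNING_KEY = b"placeholder-signing-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    """Hash value of the document under the SHA-256 algorithm."""
    return hashlib.sha256(data).hexdigest()


def _sign(fields: dict) -> str:
    """Tag over the canonical JSON of a record (stand-in for a signature)."""
    payload = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def _intact(record: dict) -> bool:
    """True if the record's tag still matches its fields."""
    fields = {k: v for k, v in record.items() if k != "signature"}
    return hmac.compare_digest(_sign(fields), record["signature"])


def make_deposit_record(data: bytes, item_label: str, depositor: str,
                        device: str, deposited_at: str) -> dict:
    """Deposit letter for a whole container (memory card or tape) plus hash."""
    digest = sha256_hex(data)
    fields = {
        "kind": "deposit",
        "item": item_label,
        "algorithm": "SHA-256",
        "hash": digest,
        "depositor": depositor,
        "device": device,
        "deposited_at": deposited_at,
        "statement": (f"I deposit herewith {item_label}, recorded on {device}, "
                      f"with hash value under SHA-256 algorithm of {digest}"),
    }
    return {**fields, "signature": _sign(fields)}


def make_output_certificate(source: dict, copy_data: bytes, certifier: str,
                            viewing_device: str, certified_at: str) -> dict:
    """Certificate by the person who makes the computer output from the
    archived deposit: where the original was seen, the device used to view
    it, the hash of the copy produced, chained to the deposit's hash."""
    digest = sha256_hex(copy_data)
    fields = {
        "kind": "computer_output",
        "source_item": source["item"],
        "source_hash": source["hash"],
        "algorithm": "SHA-256",
        "hash": digest,
        "certifier": certifier,
        "viewing_device": viewing_device,
        "certified_at": certified_at,
        "statement": (f"I viewed {source['item']} on {viewing_device} and "
                      f"produced this copy, whose SHA-256 hash is {digest}"),
    }
    return {**fields, "signature": _sign(fields)}


def verify_record(record: dict, data: bytes) -> bool:
    """True only if the record is intact and the data matches its hash."""
    return _intact(record) and hmac.compare_digest(record["hash"],
                                                   sha256_hex(data))


def verify_chain(deposit: dict, output_cert: dict, copy_data: bytes) -> bool:
    """The computer output must verify on its own certificate and that
    certificate must chain back to an intact deposit record."""
    return (_intact(deposit)
            and verify_record(output_cert, copy_data)
            and output_cert["source_hash"] == deposit["hash"])


if __name__ == "__main__":
    deposit = make_deposit_record(SAMPLE_RECORDING, "tape T-01 (constructed)",
                                  "field officer (constructed)",
                                  "body camera BC-7 (constructed)",
                                  "2018-02-01T10:00:00Z")
    cert = make_output_certificate(deposit, SAMPLE_RECORDING,
                                   "control room operator (constructed)",
                                   "archival workstation (constructed)",
                                   "2018-02-02T09:30:00Z")
    print("chain verifies:", verify_chain(deposit, cert, SAMPLE_RECORDING))
    print("altered copy rejected:",
          not verify_record(cert, SAMPLE_RECORDING + b"\x00"))
```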

I therefore consider that the objective of the order on SLP was fine but the order itself was incorrect.

I am sure that many who think that the Court can do no wrong may object to my view and say that, irrespective of what my opinion is, it is the opinion of the Supreme Court which matters. I agree. But any order, even from the Supreme Court, is valid only until it is overturned by a superior court or bench.

The subject order is an order on an SLP from a 2 member bench against an earlier judgement by a three member bench. Hence its validity is restricted to the specific context, and I urge everybody including the Supreme Court to reconsider the order because it is likely to be misinterpreted by many other lower courts in future.

Further, when an electronic document is in the custody of either the respondent or with an intermediary, there is provision for demanding presentation of the document and hence the question of a required electronic evidence being contained in a device not under the control of the presenter does not arise unless the person who is in possession of the original recording refuses to cooperate with the Court.

Since the procedure for allowing the electronic document to be led in evidence is simple and only requires access to the document to be provided to an independent trusted party for certification, there should be no objection by the holder of the evidence to providing the evidence.

In some cases, because the Police try to demand that the entire hard disk or the computer be seized instead of simply capturing the piece of document that is the evidence, the holder of the document may hesitate to deposit the device or participate in the process of providing the evidence.

If the Standard operating procedure recognizes that for provision of an electronic document (which is a stream of binary data), it is not necessary to seize and produce the entire hard disk, then the procedure for getting such documents from the person who is holding it would be easy.

If however the document does not exist as claimed by one party, nothing can be done to produce it. In such cases, the presenter of the document cannot be allowed to present any copy that he claims to be the correct electronic copy to the Court and claim that he is not under an obligation to provide a Section 65B certified copy as per the SLP order, since that would enable fraudulent electronic documents to be produced in the Court.

The bench which has given this order has not recognised this risk and hence the order should be rescinded at the earliest.

P.S:

My view above is contrary to what the head line of a corresponding article in livelaw.in suggests. The article is titled “Party Not In Possession Of Device From Which Electronic Document Is Produced Need Not Produce Sec. 65B Certificate: SC [Read Order]…”

I request the readers to consider the view point mentioned here before jumping into any conclusions.

I welcome comments and would be happy to elaborate further if required.

Naavi

Also Refer:

Special Leave Petition in Indian Judicial System

HCs can hear petition even after an SLP is dismissed


MHA advisory on Cyber Crime Prevention and Control

The Ministry of Home Affairs released a circular on 13th January 2018 to all the State Governments and UT Administrators recommending some measures towards better Cyber Crime prevention in the respective States and UTs.

Copy of the Advisory

The Circular took forward a couple of recommendations which the T. K. Vishwanathan Committee on amendment to ITA 2008 was supposed to have proposed.

In particular, it has now proposed that the States should act on the setting up of

a) State Cyber Crime Coordination Cell and

b) District Cyber Crime Cells

This was proposed as a suggested amendment to the Criminal Procedure Code. Instead of the Centre attempting to amend the CrPC, it appears that the responsibility has now been cast on the respective State Governments.

We need to wait and watch which State Governments are more concerned about Cyber Crime prevention and take action.

In these suggestions, it is proposed that the State may set up a State level coordination cell headed by a senior police officer of the ADGP/IG rank and ensure a district level, station level facilitation of cyber crime prevention activities. This will ensure that a police officer with the right kind of orientation to Cyber issues can be assigned this responsibility and the legacy system which is burdened with physical security responsibilities is not burdened with Cyber Crime prevention management which is alien to their culture. It is a great opportunity for the Police system to bring about a seminal change in the way Cyber Crimes are presently handled in the States.

The second suggestion, to form District level Cyber Crime cells, is also a significant step in the direction of better Cyber Crime Prevention since it envisages a support system for the SPs in the districts in which at least three domain experts in Information Technology, Mobile Telephony, Digital Forensics and Cyber Laws are hired from the market. This is an acknowledgement that it is not always possible to get the expertise from within the recruits to the Police system and that there is a need for public-private partnership.

The procedure to be adopted for involving the external persons needs to be properly conceived. It is preferable if these “Experts” are not on an employment contract. If they are, it will become another Government job and will be decided on the basis of money and influence. Instead, the SP should be given powers to enlist the assistance of experts by creating an expert panel and paying consultancy fees on a short term contract basis. Only then would the services of real experts be available. Otherwise the system would degrade over time into yet another Government department and will not be of use.

The Advisory of the MHA highlights the need for inter-state cooperation in Cyber Crime investigations, which should be facilitated to a large extent if the State level Coordination cell becomes operational in most of the States. Naavi.org had tried to convince the TN and Karnataka Cyber Crime Police Stations to take an initiative in this direction more than a decade back, to bring together all the four southern states in a monthly meeting. But the idea was not taken up formally to higher levels by the then officers, though I had received a positive response from both TN and Karnataka officers.

The idea of “Mobile” Cyber Forensic labs proposed is also a recommendation that had been made to Karnataka Police a long time back, and it is good to see the idea being revived now. The Mobile units would assist in “Quick Response” to Cyber Crime complaints so that evidence is secured at the earliest. It is needless to say that the evidence gathering team should be fully aware of the legal issues involved in maintaining the Chain of Custody and the Section 65B evidentiary certification requirements so that they do not accidentally render evidence unusable.

The Advisory also suggests use of BPR&D resources for capacity building and release of funds for training of Police on Cyber Crime related skills. Hopefully it would be put to good use by the States.

Another important suggestion made by the advisory is to set up a “Cyber Intelligence” system to monitor the Internet including the “Deep Web”. This brings us back to another ancient suggestion made by Naavi to set up a “Friends of Cyber Police” system where voluntary members from the public would assist the Cyber Crime Police with information and assistance to track crimes.

We must however recall the recent incident where a hacking group had stated that when they had penetrated several sleeping terror cells and wanted to pass on the information to the Government, there was lack of interest. This was perhaps in Kerala where the State Government is known to be supportive of some communal forces and hence might not have shown interest. But I hope MHA must have by this time taken up the matter under their investigation and the Central Government should take steps to see that such complaints should not arise in future.

As regards “Online Complaints”, it appeared that the website mentioned in the advisory is still not functioning. I had recently put out a detailed article How Do We Improve Cyber Crime Management System in India?.. and also suggested a procedure to Relieve Cyber Police in India of needless burden and make them more focused. I wish the suggestion is taken up for immediate implementation at least by some of the States.

This suggestion was based on an actual experience where it was found that the Mumbai Cyber Crime Cell was reluctant to initiate an investigation of a complaint by issuing an IP resolution request, and such delay ensures that the tracking trails vanish. The Mumbai Cyber Crime Police were therefore guilty of deliberately allowing the potential accused to get away, and the top management of the Mumbai Police were unable to take preventive action. This will remain an example of how corruption in the Cyber Crime policing system affects the success of Cyber Crime investigations, and Naavi.org will continue to talk about this though it may not be palatable to MHA both in the Centre and in Maharashtra state.

The suggestion of the online complaint receiving system along with the suggested “Friends of Cyber Police” and “Raising of IP resolution request by designated NGOs” would go a long way in addressing the issues raised by Naavi in the Mumbai Cyber Crime investigation fiasco.

I hope the MHA takes up follow up action on the Advisory and pushes at least the BJP ruled states to start implementing the suggestions.

Naavi

Reference Articles

How Long Will Google take to resolve an IP Address?… Make all intermediaries pay for the delay
I was on 16 and Going on 17….I need everyone….to know me and comply…says ITA 2000/8 Proposed Amendments to ITA 2000 and Privacy Protection
Redefining the scope of ITA 2008.. in the amendments..
Suggestions on Modification of ITA 2008
Domain Name Regulation in ITA 2000..to be amended
Police, Prosecutors and Judiciary: Please Don’t Create Fake Laws out of your misinterpretation
How to Relieve Cyber Police in India of needless burden and make them more focused


Corporate Governance and GDPR risk

As the D-day for GDPR (25th May 2018) approaches, many of the Indian companies are busy with their preparation for implementing GDPR in their processing activities. At the same time, there is also a question in the minds of most of the Indian companies about how the GDPR provisions would be made applicable to them by the respective EU authorities and whether the EU authorities are likely to pass any orders against the Indian company any time in the future and impose liabilities.

GDPR essentially is a Data Protection law and has a penalty clause under which non-compliance could attract a penalty which, as we all know, is huge. But being a law of the EU, it does not have direct enforcement jurisdiction over Indian Companies.

Article 3 of GDPR has created extra territorial jurisdiction as follows.

GDPR is applicable “regardless of whether the processing takes place in the Union or not”

1. Provided the “processing activity” is related to the offering of goods or services to data subjects in the Union

2. Provided the “processing activity” is related to the monitoring of their behaviour as far as the behaviour takes place within the Union

This is similar to the ITA 2000/8, which also has an extra territorial jurisdiction (Section 75 of ITA 2000/8), and to many other Cyber crime laws across the world. This provision provides a legal long arm jurisdiction, but it is not feasible for EU authorities to extend enforcement jurisdiction or conduct direct audits of Indian Companies unless the Indian entity is a part of an EU Company.

However, the EU based Data Controllers will in their contracts with the Indian Data Processors have “implementation of Privacy and Security provisions as per GDPR” as a necessary condition and also have an “Indemnity Clause” to make the Indian company liable for “Any loss that may arise due to any act attributable to the Indian Company that may result in either a penalty imposed by GDPR or any other Judicial authorities”.

Hence, more than the direct impact of the GDPR on Indian processors, it is the contractual liabilities that the Data Controller imposes on the Data Processor that will determine the liability of the Indian processor.

If there is a possibility of any liability arising on the Indian Company, there is a need for the Board of Directors to make an assessment and disclose the risks that may arise in the next Financial year 2018-2019.

GDPR also mandates a Data Protection Impact Assessment (DPIA) which is an obligation of the Data Controller. If there has been a DPIA conducted by the Data Controller, the Data Processor will be presumed to be aware of the DPIA. Hence the management needs to take note of the DPIA results and admit knowledge of the risk associated with the processing.

From the point of view of an Indian Data Processing company therefore, the moment they accept a contract which has a GDPR stake, the liability risk attached to it needs to be assessed and a value assigned. The Company also needs to undertake risk mitigation measures and determine how much of the risk has to be absorbed after mitigation, avoidance and insurance.

So far, Indian companies have never made an assessment of financial risks that may arise on account of legal risks. If this were so, Companies would have estimated the risks even for non compliance with ITA 2000/8 and made adequate disclosures and provisions. In the case of GDPR however, the risks are high and are documented through the DPIA process. Hence the potential liability cannot be swept under the carpet.

Whether the absorbed risk is small or even zero, it would be obligatory from the point of view of Corporate Governance that Indian companies disclose their “GDPR Risk Liability” in their shareholder disclosures from the immediate next financial year.

We need to wait and see whether these companies will be compliant to this requirement or not.

Naavi

Posted in Cyber Law | Tagged , , , | Leave a comment

How Aadhaar security reaches a new dimension with Virtual Aadhaar ID

Aadhaar has been the center of Privacy debate for quite some time in India and has even attracted international attention. Amidst the criticisms that Aadhaar system is not properly secured and therefore it may lead to loss of privacy of the citizens, Supreme Court took up a petition on whether Aadhaar infringes Indian Constitution and should be discontinued. Initially, the Aadhaar baiters scored a victory as Supreme Court under the previous CJI hurriedly constituted a 9 member bench and passed a judgement stating “Aadhaar is a Fundamental Right”. It appeared as if the judgement was a tool given to the smaller bench which was hearing the Aadhaar constitutionality issue to scrap Aadhaar.

However things have changed in the last few weeks. First the new CJI shuffled the bench and case allocation rules so that politician advocates who wanted to get the Aadhaar case heard by a bench of their choice were frustrated in their design.

The case is now being heard in a more neutral bench than what the politicians intended.

At the same time, UIDAI came up with its own masterstroke by introducing the “Virtual Aadhaar ID” (VAID) proposition, which has changed the security scenario in such a manner that one of the key arguments against Aadhaar, that it leads to breach of privacy, has been put to rest.

Naavi had been suggesting for a long time that the principle of “Regulated Anonymity” should be applied to secure Aadhaar and actually hoped that this would be a good commercial business proposition to be used by an enterprising private business entity. Now Aadhaar, by introducing the system of VAID, has come up with its own version of “Pseudonymization” which would perhaps take the Privacy protection up by several notches.

The VAID system is expected to be in operation by March 2018 on a trial basis and mandatorily by June 2018 unless some extension is given. Once the system comes into use, all KYC agencies will have to be prepared to use the VAID, which may be a 12 digit randomly generated number mapped to the real Aadhaar ID of an individual, for all their KYC enquiries.

In other words, the KYC authority will not receive the real Aadhaar ID for its KYC purpose but only a randomly generated, changeable VAID number. This may perhaps be forced by UIDAI by mandating that the AUA/KUAs shall stop using the real Aadhaar ID for any KYC queries.

As for the users, they will have the option of generating a VAID against their real Aadhaar ID and ascribe it a date of expiry or designate a specific one time purpose. Such number would meet the requirement of SIM card verification or even Bank account verification.

How Virtual ID secures the system

The exact architecture that UIDAI may use for the purpose is not known and need not be made public. However, it may consider the following features.

(P.S: This diagram is only an illustrative representation of a suggested architecture. This is not what UIDAI may implement)

The first change could be that access to CIDR will be only through an internal system and access by AUA/KUA would be stopped at an intermediary server.

The public will access a Virtual ID generator (S-1) service as and when they want. They will provide the real Aadhaar ID to this server and obtain a Virtual ID. This ID will be randomly generated, will have an expiry tag and will be stored in another system. S-1 will then deposit the information to S-2, where a map of Real Aadhaar ID and Virtual Aadhaar ID is maintained and updated with a history of VAIDs associated with a given Real Aadhaar ID.

When a user requires a service, he will provide only his VAID to the AUA/KUA, who will send their request to another exclusive server of UIDAI where the request will be processed (S-3). This server will push a request to S-2, which will re-identify the VAID and forward the KYC request to the CIDR (Central Identities Data Repository). CIDR will push the required information back to S-3 for onward transmission to the AUA/KUA.

In this structure, S-2, which holds the map of the real Aadhaar ID with the Virtual Aadhaar ID, will be accessed only by two internal servers: one accessible to Aadhaar users and the other accessible to the AUA/KUAs.

S-1 will only generate the VAID and does not store any data after the process is over. CIDR is accessible only from S-2. S-2 will not hold any data other than the mapping of the real ID and Virtual ID. S-3 will allow passing through of the Virtual ID and the KYC information but will never access the real ID.

S-1 and S-3 will be only transaction servers and need not store any data except in transit. Firewalls will manage the access to different servers and ensure that Aadhaar demographic or Biometric data is not accessed by any outsiders except through queries passed through S-2.
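The three server roles described above, as an added illustrative model that is not UIDAI's code and not from the original post: S-1 only issues VAIDs, S-2 alone holds the real ID to VAID map (with expiry, one time use and issuance history) and fronts the CIDR, and S-3 serves the AUA/KUA with nothing but the VAID and the KYC result. The CIDR record, the Aadhaar number and the clock values are constructed samples.

```python
import secrets
from dataclasses import dataclass
# Constructed sample CIDR record (real Aadhaar ID -> demographic data); not UIDAI data.
CIDR = {"123412341234": {"name": "Sample Resident", "yob": "1980"}}

@dataclass
class VaidEntry:
    real_id: str
    expires_at: int     # clock tick after which the VAID is dead
    one_time: bool      # consumed on first successful KYC query
    used: bool = False

class S2Mapper:
    """Only component that holds real ID <-> VAID; reachable only from S-1 and S-3."""
    def __init__(self):
        self._map = {}        # VAID -> VaidEntry
        self._history = {}    # real ID -> every VAID ever issued for it

    def register(self, real_id, vaid, expires_at, one_time):
        self._map[vaid] = VaidEntry(real_id, expires_at, one_time)
        self._history.setdefault(real_id, []).append(vaid)

    def resolve_and_query(self, vaid, now):
        """Re-identify the VAID and query CIDR on S-3's behalf; None if rejected."""
        entry = self._map.get(vaid)
        if entry is None or entry.used or now > entry.expires_at:
            return None
        if entry.one_time:
            entry.used = True
        return CIDR.get(entry.real_id)

class S1Generator:
    """Issues VAIDs to residents; keeps nothing once S-2 has the mapping."""
    def __init__(self, s2):
        self._s2 = s2

    def generate(self, real_id, now, ttl=3600, one_time=False):
        if real_id not in CIDR: raise ValueError("unknown Aadhaar ID")
        vaid = "".join(secrets.choice("0123456789") for _ in range(12))  # random 12-digit VAID
        self._s2.register(real_id, vaid, now + ttl, one_time)
        return vaid

class S3Kyc:
    """AUA/KUA-facing pass-through: handles VAID and KYC result, never the real ID."""
    def __init__(self, s2):
        self._s2 = s2

    def kyc(self, vaid, now):
        record = self._s2.resolve_and_query(vaid, now)
        return {"vaid": vaid, "status": "ok" if record else "rejected", "kyc": record}
```

Expired and already consumed one time VAIDs are rejected at S-2, so S-3 and the AUA/KUA only ever learn whether a VAID resolved, never what it mapped to.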

How Biometric Security Can be fortified

Presently, Aadhaar has a record of 10 finger prints and an iris scan for biometric identity purposes. To this, multiple face parameters may get added with the new addition of the Face recognition feature. Face recognition is intended to be used as an alternative biometric in cases where finger print recognition fails, so that false rejections can be reduced.

Additionally, we can consider that one or more Face parameters would be an add on to the many biometric identification parameters (10 finger prints + Iris scan). In total, therefore, there may be around 11 plus biometric parameters which can be used for authentication.

Considering the possibility that as of now some biometric data might have been compromised, or biometric devices may be manipulated for a store and replay attack, UIDAI may consider a “Double/Multiple biometric authentication” on an “Adaptive Authentication Principle”.

Under this system, the biometric of one finger is first obtained. When this is successful, the server may randomly choose another biometric feature to be provided, with or without a mobile OTP as well. With such a system there would be three parameters verified simultaneously for authentication, and the second authentication would be a random variable and provide a defense against most of the normal attacks.

Assuming that UIDAI has other security features already installed for preventing the store and replay attack, the addition of a random additional biometric parameter based authentication will fortify the current system and make an enormous improvement in the system.

Since it is possible to get the biometric device ID and its location as a transaction input, the adaptive authentication can be configured with the known behavioural pattern of the user as is done in credit card transactions.
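The adaptive two step exchange described above, as an added example that is not UIDAI's code and not from the original post: the server verifies one finger, then picks a second modality at random from the remaining 11 (other fingers, iris, face), issues a fresh nonce and an OTP, and accepts only a response bound to that nonce for that single use session, which is what defeats a stored and replayed response. The enrolled templates are constructed strings standing in for real biometric data, and the string comparison in step1 stands in for a real matcher.

```python
import hashlib
import hmac
import secrets

# Constructed enrolled templates standing in for UIDAI's stored biometrics (not real data).
ENROLLED = {"resident-1": {**{f"finger{i}": f"finger{i}-template-r1" for i in range(1, 11)},
                           "iris": "iris-template-r1", "face": "face-template-r1"}}
MODALITIES = [f"finger{i}" for i in range(1, 11)] + ["iris", "face"]

def template_hash(modality, template, nonce):
    """Client-side proof: HMAC of the presented template keyed by the server's fresh nonce."""
    return hmac.new(nonce.encode(), f"{modality}:{template}".encode(), hashlib.sha256).hexdigest()

class AdaptiveAuthServer:
    def __init__(self):
        self._rng = secrets.SystemRandom()
        self._pending = {}   # session -> (resident, second modality, nonce, otp)

    def step1(self, resident, modality, presented_template):
        """First factor: one finger. On success pick a random second modality plus OTP."""
        if ENROLLED.get(resident, {}).get(modality) != presented_template:
            return None
        second = self._rng.choice([m for m in MODALITIES if m != modality])
        nonce = secrets.token_hex(16)
        otp = f"{self._rng.randrange(10**6):06d}"   # would be sent to the registered mobile
        session = secrets.token_hex(8)
        self._pending[session] = (resident, second, nonce, otp)
        return {"session": session, "ask_for": second, "nonce": nonce, "otp": otp}

    def step2(self, session, response_hash, otp):
        """Second factor: the randomly chosen biometric, bound to this session's nonce."""
        entry = self._pending.pop(session, None)   # single use: a replayed session is gone
        if entry is None:
            return False
        resident, second, nonce, expected_otp = entry
        expected = template_hash(second, ENROLLED[resident][second], nonce)
        return hmac.compare_digest(expected, response_hash) and hmac.compare_digest(expected_otp, otp)
```

The device ID and location checks mentioned above would be an additional policy layer in step1 and are not modelled here.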

One issue that needs to be tackled in the suggested system is the latency of the transaction and connectivity. But this is a challenge that can be handled and should be handled in the interest of security.

(P.S: I presume that the current team of UIDAI consists of more accomplished information security experts than the author and hence what is discussed above may be steps which are already in place. They are however discussed here to inform the public that the security of Aadhaar is feasible.)

Naavi


Posted in Cyber Law | Tagged , , | 3 Comments