UIDAI behaving like “Indira Gandhi of the Emergency times”

The article in Tribune by a journalist titled “Rs 500, 10 minutes and you have access to billion Aadhaar details” has created a flutter in Government circles. UIDAI has promptly come out and filed an FIR. The incident could seriously affect the cause of the Government in its defense of the Aadhaar system in the Supreme Court.

Leaving all the hype aside, it must be clarified that Aadhaar has long back lost the ability to protect the information of the Aadhaar holders and it is wrong to expect that it can be secured now.

What the incident has indicated is that the Aadhaar information was accessible without the OTP being provided by the Aadhaar holder. We are yet to know if the biometric has been compromised.

Bypassing OTP is not a technological marvel. It could happen either by tricking the Aadhaar server or by intercepting the mobile communication at the network level. It is also possible that the data has been acquired by one of the licensed AUA/KUAs who has created a parallel database from which this information is now being served.

Even if UIDAI successfully prosecutes some persons, it will not be able to bring back the confidentiality of the information.

We should therefore forget protecting the information of the Aadhaar holders linked to a given card number. Presently the Aadhaar card is used like an “Identity card” and in most places such as hotels, they keep a photocopy of the card for their records. Such a practice allows the information to float around in a number of places and it is impossible to protect the information.

Since Aadhaar number is meant to be used at a number of outlets including the merchants who may use AEPS, it is impossible to prevent a query being sent to Aadhaar server which returns the information which can be used to create a parallel data base. This is like many e-commerce portals which keep the credit card records of the customers under the pretext that it will speed up the use in future transactions. Just as these transactions are only protected with the entry of CVV, Aadhaar use is protected only with the use of the OTP. Since OTP can be bypassed, Aadhaar can never in the future protect the information of card holders being accessed by third parties including those with criminal intentions.

Any pretension otherwise is not credible.

We need to therefore restrict our efforts to protecting the “Biometric”. If the biometric is also compromised then the Government will have to completely scrap the use of Aadhaar.

As a security observer with knowledge of the Indian political scenario, I anticipate that several opposition political parties are already working on how to compromise Aadhaar system so that Mr Modi can be discredited. If they succeed, this will be a tool in their political game.

In Risk management, “Risk Avoidance” is also a strategy. Under this principle, it is necessary for the Government to ensure that use of “Biometric” authentication for simple things such as making a payment in a merchant establishment must be stopped. The use of Biometric based KYC should also be stopped forthwith since we cannot trust the biometric readers of the users.

Secondly, as a commercial proposition, I have advocated and continue to advocate the use of “Regulated Anonymity Principles” which alone can help us retrieve the situation from the current mess. It is not possible to delve into the details of such a system since if the Government is unable to understand the risks and decide to mitigate/eliminate them, there is no reason why we should discuss the details in public and help criminals to be prepared to counter any further security measures that may be thought of by UIDAI.

It is unfortunate that UIDAI is acting like “Indira Gandhi of the Emergency times”, unable to shed its ego, refusing to believe warnings held out and adamant not to change tracks when it is warranted. We should not be surprised if the fate of Indira Gandhi awaits even the UIDAI in the days to come.

The only hope… as always, is that there is one person called Modi…who may…hopefully….see the truth and take corrective action….

Naavi

 


New Year Resolutions

As the new year 2018 dawns on us and we complete the sending of greetings to all our friends, it is time to start thinking how this year will be different from our previous years and how we make it better in terms of the values we cherish.

In pursuance of this objective, we need to set some goals for ourselves in the form of New year Resolutions which are measurable and achievable.

I urge all my friends to start drawing up their New Year Resolutions and share it in the various groups in which they otherwise exchange greetings.

For me, the year behind has been a reasonably satisfying year in which the RBI confirmed the “Limited Liability Circular”. Though it was not entirely satisfactory and the Banks as usual are ignoring it, still it was a major development that was satisfying, after years of struggle on assisting the Bank fraud victims.

The setback however was that the Cyber Appellate Tribunal did not start functioning and, having been merged with TDSAT, will become further marginalized. Maybe we need to take up this issue once again in the coming year.

In the meantime, the immediate task is to continue the fight on Bitcoin which is a tough fight since the Finance Ministry is itself determined to legalize Bitcoin and provide an avenue of all Black money in India to be laundered. The attempt to wake up Mr Modi and make him open his third eye will continue.

Year 2017 also saw a perceptible increase in the awareness of Section 65B Certification. This gave a boost to the activities of CEAC after years of hibernation and low growth and the increased level of operations should continue this year as well. Hopefully, the activities should grow at least by 100% during this year over the previous year.

The ODR project (odrglobal.in) will be another project in long hibernation which forms part of the New Year Resolution of Naavi in 2018 to be pushed up so that it at least takes some baby steps ahead.

But the next big thing to watch out is the new “Data Protection Act” that will be passed in India and how it works in tandem with the GDPR. HIPAA Audit and compliance has been a good prospect so far and probably GDPR compliance and Data Protection Compliance will be new areas of interest both from academic perspective and business perspective. One of the New Year resolutions to pursue is to develop a compliance framework for these emerging areas.

Hopefully, GOD gives strength and energy to make at least some of these New Year Resolutions to be realized during the year.

I wish all my friends and well wishers a happy new year through these columns and request their support for the future endeavours of Naavi and Naavi.org.

Naavi

 

 

 


Modi is yet to open his third eye on Bitcoin, the new alternative to Black Money.. Will he wake up in 2018?

The Year 2017 saw a big fight against Black money which started in the last months of the previous year with the “Demonetization Drive”. The move was bold and long awaited.

However, two things worked against the complete success of this move. The first was the presence of a large number of fake currency notes in the country, some of which were perhaps produced by well equipped Government presses in Pakistan. This completely foxed even the RBI which lost count of the demonetized currency returned to the Banks. The second was the dishonesty of some of the Banking employees who assisted corrupt persons in the society and exchanged notes even at the Bank and RBI level itself.

Nevertheless, though at first glance it appears that the demonetization move might not have succeeded as expected, there is no doubt that not all persons holding black money earlier in Rs 500/1000 denominations could get it converted into new currencies.  Hence in reality, black money did go down in circulation and much of the idle money held by individuals came out into the Banking system.  Many who used proxy accounts to deposit their monies are now caught in the investigation net of the tax authorities and this should result in higher tax revenue for the Government.

However, the year 2017 also saw the growth of an alternative to Black Money in the form of Bitcoins and a phenomenal growth in its international price. There is definitely a speculation that a large part of the Indian black money must have got itself converted into Bitcoins and this could be one of the reasons apart from the creation of a “Future Trade” that helped the Bitcoin rates to go up.

However, within India, the increased attention received by Bitcoins can be directly linked to the “Power of Black Money” and the related “Power of Corruption”. People who are in the forefront of corruption in India are the politicians and the bureaucrats and it is evident that they have become big supporters of Bitcoins now. The techies who created the Bitcoins and the businessmen who sensed its commercial value earlier are now the conduits for conversion of Black Money to Bitcoins and their laundering into new Bitcoin holdings of public who are being lured into the game as if Bitcoins are an investment avenue.

Recently, Business Standard carried a report on 28th December 2017 which has been reproduced below. This report raises several questions of propriety at the way the Finance Ministry is functioning when it comes to regulation of Bitcoins and indicates the possibility of corruption having taken over the officials. I request Mr Arun Jaitley to investigate the matter.

Firstly we note that this report filed by one Mr Shirmi Choudhary categorically states that the “Government has decided” and is “Likely to define crypto currencies and bring in a regulatory framework in the Union Budget 2018-19”.

This means that the Finance Ministry is using its power to bring a “Finance Bill” to overcome the objections of RBI and give a legal recognition to Bitcoins.

Though the same ministry cautioned on the next day by the following report, stating that “Virtual Currencies are like Ponzi Schemes”, the report quoted above is more specific of the intentions of the Government and quotes “A Government official privy to the developments”. It also quotes that the “Expert Panel” has stated that “These currencies are as good as fiat currencies”. It goes ahead to quote the tax officials as stating that “Due to lack of clarity” the gains in Crypto currencies cannot be taxed.

It is clear that the official has revealed that the Finance Ministry is actually trying to help the Bitcoins being recognized as a “Legal Currency” which could be used instead of Rupees in transactions. Once this is done, the entire Bitcoin market capital and along with it the entire Crypto Currency market capital in the world becomes legal tender in India.

We must note that the estimated market capital of Bitcoins is US $217 billion and the estimated market capital of all Crypto currencies is about US $571 billion (1 billion USD = Rs 6400 crores). The Bitcoins and other Crypto currencies are fungible and can be converted with each other with no control. Hence if Bitcoins are legalized in India, about Rs 36.54 lakh crores equivalent of Indian Rupees would come into “Currency with the Public” which includes residents and non residents and further includes criminals, terrorists, foreign Governments etc. This is perhaps twice the pre-demonetization currency stock in India, and about six times the floating currency in the country.

What will such flooding of the market with free currency mean to “Inflation”? … economists need to explain.

Since some of this holding will be with foreign countries including China, what will be the impact on our international economic stability? The Finance Ministry should explain.

Since part of the holdings will come into the hands of the terrorists including ISIS and LeT, what will be the impact of this on terrorism in J&K? Our Home Ministry should explain.

Does the Secretary of the Ministry of Finance explain whether there is any possibility of legalization of Bitcoins in the next budget? If not what do you mean by “Regulation of Virtual Currencies”?

I demand that the Finance Minister Mr Arun Jaitley has to explain to the public of India if anything is cooking up in the background and the honest Citizens will be surprised during the budget session with a decision which will favour Dishonest Citizens of India.

If not, how come Business Standard reporter quotes an official of the Finance Ministry on the budget provisions?

If Crypto currencies are recognized under the Finance Bill, there will be no parliamentary debate on the matter and even if it is debated, the opposition is more keen than the ruling party to have an avenue for black money and all our MPs will unanimously pass the resolution to legalize Bitcoins just as they come together for passing a raise in their salaries.

Only Kirit Somayya and Rajeev Chandrashekar would be the MPs who may like to fight against Bitcoins but they will be in complete minority.

The Finance Ministry at present does not even know how to distinguish Crypto Currencies from “Digital Currency and Virtual currency”. They refer to Bitcoin as “Virtual Currency” which itself betrays the confusion of the officials.

Some officials in ED appear to be looking only at the revenue potential of taxing the Bitcoin transactions. We need not be surprised if these officials look at legalizing drug trade and gun trade so that government revenue can be increased.

The SEBI Chairman who should have swung into imposing penal action on Bitcoin exchanges, is completely sold out to Bitcoin recognition to the extent that when MCX posted a message in the MyGOV.in site arguing for legalization of Bitcoins, no action was taken on MCX officials. Shame on them.

The Finance Ministry officials including SEBI are guilty of not taking penal action against the entities which are calling themselves “Bitcoin Exchanges”. The ED has conducted a survey and confirmed that there are more than 4 to 5 lakh people who have done transactions in Bitcoins. If the exchange is not licensed either by RBI or SEBI and was an “Illegal Exchange”, why are RBI, ED and the Finance Ministry keeping quiet?

I suspect that many of these officials have been corrupted with “Bitcoin Gifts” and cannot be relied upon. The Government has not asked these officials to declare their Bitcoin holdings despite a call for the same. The reluctance itself tells a story of its own.

Is this not a dereliction of duty on the part of SEBI Chairman and also our honourable Minister Mr Arun Jaitley?

The time has passed for Mr Arun Jaitley to say that he is on the side of curbing black money. By not taking any action on Bitcoin exchanges and simply fuelling speculation on whether Bitcoins will be regularized or not for more than six months, Mr Jaitley has become the central figure of “Lack of Action Against Bitcoins”. Today, I may be the only person who has lost confidence in the Finance Minister. But soon there will be others…unless he acts decisively to completely shut off the speculation in Bitcoin trade by announcing the ban on Crypto currency trading in India before the budget.

The year 2017 will not go down as the year of achievement for Mr Jaitley because of GST. It will go down as a year of lack of action against Black Money by allowing the growth of Bitcoins.

I urge Mr Jaitley to clarify that my conclusion is wrong.

I therefore urge Mr Modi to open his third eye and destroy the evil called “Crypto Currency” (I refer to the privately managed crypto currencies like the Bitcoins). If he does not wake up, all his work against Black Money will be ground to dust under the growth of Bitcoin usage in commercial transactions.

This is what I look forward to in 2018.

Naavi

 


Fake Goods on E Commerce Platforms… need for consumer empowerment and meaningful due diligence

Today, CNN News carried a report on sale of fake goods on E Commerce platforms at heavy discounts. E Commerce platforms such as Flipkart, Amazon, Snapdeal and ShopClues were highlighted as platforms in which fake sellers are selling sports goods such as Footballs. The presentation of the program was clearly to blame the online platforms as instruments of violation of intellectual property rights.

The program was led by one of the “Brand Protecting service” companies. During the program, it was stated that many test purchases were made and fake footballs in a well known brand name were recovered by conducting raids on stockists at Meerut.

There was one firm voice in the panel of speakers which was from the CEO of mouthshut.com which was drowned by the anchor who was not interested in any view other than what she had set to hear. She was one of the new breed of inexperienced but arrogant journalists who invite specialists as guests but think that the anchor knows more than anybody else.

What this CEO was trying to make out was that the problem of “Fake Goods” was a problem which also applies to offline market places and the program should not appear to project online market places as the villains. I do agree with this view which was not properly projected by the anchor.

At the same time, I also agree that the online market places should exercise better due diligence in selection of merchants and also keep advising the prospective buyers to look out for fake buyers and report it to them.

Most online market places offer “Return” options with no questions asked and hence dissatisfied customers have a remedy to tackle “Quality” issues. Some online market places run “Rating of Dealers” and “Product Reviews” which try to provide information to the buyers.

Finally, coming to the legal issues,

I believe that the present laws under Section 79 of ITA 2000/8 are good enough to bring “Negligent” market places to book and make them responsible for selling of spurious goods. But the argument and suggestions should be on the basis of “What Due Diligence” is required and whether Flipkart or Amazon are following the best practices. There is certainly no reason for new laws to be framed just to tackle E Commerce issues.

The marketing platforms should look at their systems on how to ensure that bad dealers are identified and eliminated without discouraging small traders without an offline brand image also using the online platforms as instruments of marketing their products.

There are many success stories of unknown individuals harnessing the global marketing opportunities provided by the Flipkarts and Amazons and this should not be discouraged.

I feel that some of the products sold by small traders are as good as branded items and the brand owners may be making unfair trading profit which should be discouraged.

For this purpose, every online platform should offer their small unknown dealers to sell goods under “Unbranded” category and where possible under a “Verified” tag where the platform takes some responsibility to set quality parameters and test the products before they tag them. There could be different rating systems that can be tagged along so that the buyer knows from whom the product is being delivered and serviced before making the buying decision.

Since there are lakhs of products being sold, it may not be practical for the market place to provide such verification tag to all the products but an attempt can be done in this direction with the help of consumers and consumer organizations. There are many individuals who voluntarily test products and put out YouTube videos. The online platforms can tag the product reviews to such online reviews and incentivize feedback on products from genuine customers.

In fact, mouthshut.com itself is a platform which many online buyers check before making a purchase. Maybe there could be more of such online review posting mechanisms so that they provide unbiased views on a product sold by a market place and do not become platforms that can be compromised by the product sellers.

The effort therefore should be to have more “Consumer Awareness” and “Consumer Empowerment options” supplemented by a robust grievance redressal mechanism.

The Consumer awareness option will work if used before a purchase. In case the buyer has problems after the purchase, there should be a proper grievance redressal mechanism other than the “Free Return” option if required. Such options should be only by ODR mechanism (Online dispute resolution mechanism). The Consumers who really have a problem that has to be resolved beyond the “Return” option need to ensure that there is proper “Evidence” of what they bought. It is in this context that they need to explore the use of services like “CEAC-EDB” (Evidence Drop Box Service of CEAC.IN).

Unfortunately the program on CNN IBN did not have a single word on what can be done by the online market places to improve the consumer interest.

The Government of India as I understand has issued some instructions on product presentation which will come into effect in the next few months which include guidance on what information needs to be presented as a product label.

Additionally, all “Branded Product Suppliers” who are concerned about the online market places being misused should provide an online reporting system where consumers can report “Suspected Fake Product” sold on any platform so that they can respond quickly and stop the sales quickly.

In a bid to promote this culture, a free, single window service would be provided from CEAC-EDB: if any consumer reports a “Suspected Fake Product sold on an E Commerce Website”, CEAC will forward the report to the concerned Brand owner, provided the brand owner registers his interest to receive such reports from consumers.

(I invite the brand owners to first send a designated e-mail address through which CEAC can deposit the Suspected Fake Product Report. If they do not respond and provide a contact e-mail, it will be difficult for CEAC-EDB to continue this offer.)

Once a report on a suspected fake product report is received by CEAC from a consumer, the consumer would be asked to provide supporting information before it is registered and action initiated. Full process for this would be developed in due course and would be posted on CEAC website and also informed to the complainant through e-mail.

The fact that a “Suspected Fake Product Report” was sent to the brand owner would be kept on record and if the brand owner does not reply and take counter action, it may be deemed as “Lack of Due Diligence” by the brand owner and demonstration of “Forbearance” in any trade mark related disputes that may follow.

Maybe more is required to be done in this direction rather than media simply projecting that the E Commerce websites are the villains who engage in “Fake Product Marketing”.

If the online platform adopts meaningful due diligence and the consumer is properly empowered with pre-sale information and post sale service, then the problem of fake goods sale in E Commerce can be effectively tackled.

Naavi

(Comments welcome)


Certifier under Section 65B need not mandatorily be a witness also

Recently, I was posed a question as follows:

Quote:

Mr A who produced the CDR from SERVER with Sec. 65B certificate which was filed in the court by IO. However, since Mr. A was not produced as witness, both the CDR as well as Sec. 65B certificate issued by Mr. A were not proved in court. The prosecution produced Mr. B in the court as witness to prove the CDR. Mr. B brought a fresh printout of the CDR from the computer where Mr. A had saved it, before leaving the MSP. The fresh printout of the CDR and the earlier one, both are exactly identical and both carry the same date on which the first person (Mr. A) had produced the CDR from SERVER. Mr. B also brought a fresh Sec. 65B certificate, signed by him. He also stated in his testimony that the CDR had been transferred from SERVER to the computer by Mr. A, and now he (Mr. B) has brought a printout of the same. In this scenario, when the original Sec. 65B certificate issued by Mr. A has not been proved, although on record, how the court will hold the subsequent Sec. 65B certificate issued by Mr. B valid in law.

Unquote:

P.S: My views on the above are given below. It may however be noted that-

I am aware that there are a few professionals who may not agree entirely with what is stated here. However, I consider that we are still in the process of crystallising the Cyber Jurisprudence regarding submission of Section 65B certificates and some differences of opinion are natural and are also welcome.

I am also aware that some Courts have accepted certificates under Section 65B under circumstances that are contrary to my view also. Even such decisions are part of the development of Cyber Jurisprudence.

We must not forget that even the honourable Supreme Court in 2005 made a mistake in the Afsan Guru case which was corrected in the Basheer case on 18th September 2014.  In 2004 itself honourable judge of AMM Egmore Court, Chennai in the Suhas Katti case and Trisha defamation case had established certain principles consistent with the views held by me since 17th October 2000 till date. Some experts argued that after the Afsan Guru judgement, my views were incorrect at least partially. But they had to accept the views after the Basheer judgement.

Similarly, what I am stating here could be disagreed with by some advocates and even by some Courts. Even in such a circumstance, I expect that these views will prevail in due course…. Naavi

Under Section 65B it is not mandatory that the certifier has to be a “Witness”. Even if this is so, the only requirement is to identify the person who has signed the report and to confirm to the Court that the report itself is not forged. If however, there are means for the Court to establish that a given report is not forged, then there is no need for the person to be also produced as a witness.

In fact, “Oral Evidence” with respect to an “Electronic Document” is not acceptable. When the signatory of a Section 65B certificate stands as a Witness, he cannot therefore provide any information other than what is already written down in the certificate.

He can only say “This is my signature. This report does not appear to have been tampered with”.

If he starts saying anything outside the written report, it could either be considered as “Irrelevant” or “An Opinion for which the witness has to be considered as an Expert Witness under Section 45A of IEA”.

The structure of a Section 65B Certificate, if submitted in the correct format, is such that it would indicate the process by which the “Computer Output produced for Evidence” was produced, and if any other person of ordinary prudence under similar circumstances repeats the process, he should get similar results. The exception would be when the evidence in the original binary form has been erased by somebody, in which case it would be Section 65 and Section 67C offences under ITA 2000/8. Then the Court has to admit or reject the computer output based on the establishment of the fact whether the witness is reliable or considered unreliable. If considered unreliable, the witness could be charged for perjury and hence the Court has to be reasonably convinced that the witness is falsifying the document before rejecting the certificate, or at least qualify the rejection suitably so as not to endanger an honest witness who has produced the certificate in good faith.

In the instant case, it was not necessary for A to be produced as a “Witness” and hence the contention that because he was not available as a witness, the document is not proved is in my opinion incorrect, though it may be an age old practice in respect of paper based documents.

We are here not discussing evidence which is “Oral” or “Documentary” but another category of evidence which under Section 17 of IEA is classified as a document “contained in electronic form” (Electronic Document).

Rules for admission of an “Electronic Document” are based only on Section 65B and other sections, and prior practices are irrelevant.

Prosecution may therefore argue that the rejection of the first certificate was itself not correct, though I am not aware if it was produced and presented as per the standards which I recommend under Cyber Evidence Archival Center. (Naavi: Other experts are open to disagree that the standards set by CEAC need not be accepted and reject my views if they so desire.)

Additionally, B has two options. Since he is an authorized person to log in to the server and view the CDR once again, he can do so and produce another Section 65B certified Computer Output which should be admissible in the proceedings. He can testify his signature to the report and that the report has not been tampered with by personal deposition and the Court would be comfortable.

Alternatively, his certificate can create a new Computer Output which may say, “I observed a document in xxx computer, which contained a document named……….. which has been produced here under the process described……..” etc.

The defence may after admission, question the genuinity of the original binary document on the basis of which B’s certificate was produced. If the Court has reasons to accept the objection as reasonable and relevant, it can then call another expert under Section 45A to enable the Court to take a final decision. Court in my opinion need not reject B’s certificate for admission but accept the defence plea to call in another expert to assist the Court in examining the genuinity of the document.

This will naturally raise another question whether such an “Expert” should necessarily be a Section 79A accredited Government agency. Since no such entity exists as of now and also that Section 79A does not necessarily say that any evidence given by any other expert is null and void, it is open to the Court to call an expert on whom it can rely and satisfy itself about the genuinity of B’s certificate.

I hope this satisfies the query.

(Kindly note that this is only the opinion of the undersigned as a person who has a demonstrated experience in the field related to Cyber Evidence and has submitted over 105 Section 65B Certificates since 18th February 2004 when the first certificate was produced and I was examined as an “Expert” in the Court on a subsequent date.)

Naavi


Awards are perceived as an endorsement and hence care is required before selection.

Recently, there has been a debate in the professional circles whether the multiple “Awards of Excellence” in Privacy and Security won by AIRTEL is an endorsement of its Privacy and Security practices by the organization giving out the award. The awards were granted by DSCI which is part of the Ministry of Information Technology and sponsored by NASSCOM. (Refer our previous article for details)

It was a fact that the day after the awards were announced, the license of AIRTEL Payment Bank was suspended for a gross misuse of the Mobile-Aadhaar linking process to make profits. The accusation was that Airtel opened Payment Bank accounts for those who linked Aadhaar to their mobile accounts and by another faulty system, the Gas subsidies payable to each of the 23 lakh such mobile subscribers were transferred to Airtel Payment Bank accounts. The Bank therefore got deposits of around Rs 47 crores without any efforts and expenditure to acquire customers. Airtel Payment Bank could have taken a consent for opening the account by a fine print mention somewhere in an un-digitally signed electronic consent form but most customers were not properly informed that the consent went beyond the linking of Aadhaar to the Mobile and opened new Bank accounts.

This was a deliberate action on the part of Airtel to cheat the public and make financial gain out of the act. In other words, this was a fraud and betrayed a lack of integrity in the organization. If the Government of India is really concerned about “Privacy”, it should have launched prosecution of not only Airtel Payment Bank but also Airtel. However, we know that Airtel has too much clout in Delhi and therefore no action would be taken. The award-giving organization and the Jury failed to capture this aspect of the organization on which a “Special Jury Award” was being conferred.

While this issue was in the public domain several days prior to the announcement of the awards, it appeared that the awards were announced so that they could influence UIDAI to soften its stand, or at least create a public perception that everything is hunky-dory with Airtel. For the record, Airtel Payment Bank’s CEO resigned so that MeitY can feel comfortable and not initiate any further action.

Airtel is a known serial offender which has been accused not only of customer billing frauds but also of hacking into the mobile browsing of its customers. We have discussed this in our earlier article “Airtel does a Maggi”, where Airtel was accused of introducing a script into the browser used by mobile customers.

This was also an incident that could be considered a cyber crime, for which the company could have been prosecuted but was not.

In the light of these known facts, it was a surprise that Airtel got three coveted awards from DSCI in its annual award ceremony. Obviously, the question was whether the system of selection of the Jury, the system by which the finalists were identified, or the system by which Jury conflict was avoided was faulty.

It appears that DSCI based its assessment on the applications submitted. Nobody doubts the ability of organizations like Airtel to put up a fantastic presentation that can floor anybody. Though the jury members are expected to be intelligent and informed enough not to be swayed by presentations, they are also human and know that companies like Airtel are required as sponsors for many of the other activities of organizations like DSCI and have to be treated with respect. Hence, without too many questions being raised, the presentations can be accepted as given and awards can be based on such self-certifications.

One of the suggestions the undersigned put out was that the assessment should have been carried out based on monitoring the activity of an organization over a period and not based solely on the application.

For the record, officials of DSCI maintain that “Award is not an Endorsement” and hence they should not be blamed for an awardee being undeserving. Yes, we agree. But has any disclaimer been put up on the Certificate making such a statement? Will the awardee be prevented from using the award for its publicity? Probably not.

In fact, every award is a recognition which the awardee should be able to use for its publicity and as a motivation for further similar good work. Otherwise the purpose of an award would be defeated. At the same time, when an award is used in publicity, it will automatically be perceived as an endorsement. It is natural and cannot be avoided.

The award-giving organization should therefore consider it its responsibility to have a proper system of selection which is not amenable to manipulation.

I therefore suggest that DSCI make some changes to the system of selection for the coming year's awards.

They can announce the categories and eligibility criteria for the different awards well in advance, receive advance applications, and disclose the applications received to the public or at least to the community of Privacy and Security professionals. Also, the awards should be based on consistent performance over a period and not solely on the presentation made in an application.

In order to assess the performance and to enable monitoring of such activity, DSCI may create an “Opinion Drop Box” into which the public and Privacy and Security professionals can drop their views from time to time, whenever positive or negative events are noticed, so that these can be taken into account by the jury.

This Opinion Drop Box can be activated along with the disclosure of the application information, at least for a period of one month before the finalists are presented to the Jury, to bring greater transparency to the system. This would prevent applicants from misleading the jury with false claims.

This would enhance the value of the awards, bring better acceptance and should make DSCI itself more respectable in the community. It will also help the Jury avoid mistakes which hurt their own personal reputation.

I am not expecting that these suggestions would be heeded by DSCI, but the suggestion of creating a monitoring mechanism over a period before an award is given is an idea which even other organizations can follow and hence using this award process as an example, I am putting it out. Hope it would be useful for other organizations.

Naavi
