AIRTEL Sweeps awards from DSCI…while the AIRTEL Bank CEO resigns….

Posted on December 24, 2017 by Vijayashankar Na

AIRTEL is no doubt the leading mobile service provider in India. However when Airtel swept several awards in the recent DSCI Excellence Awards 2017, several eyebrows were raised. It was clear that the process used by DSCI to confer the awards appeared flawed to say the least.

One of the recipients of the award was “Airtel Payment Bank” which got a “Special Jury Recognition Award” for “Best Practices in Payments Bank”.

The awards were announced in the summit held  between 13th and 15th of December.

On 16th December, as if on cue, UIDAI suspended Airtel Payments Bank’s eKYC license because it had misused the process to open Payment Bank accounts for customers who wanted to link their mobile accounts to Aadhaar without obtaining proper “Informed consent” from the customers. The opening of such accounts had a financial benefit for the Bank since it automatically transferred the Gas subsidies to these accounts. According to the report, more than 23 lakh customers had such accounts opened and over Rs 47 crores were credited to these accounts without the knowledge and consent of the customers.

If there was a Data Protection Act in India, Airtel would have been fined hundreds of crores in penalty for violating the privacy of 23 lakh customers. But DSCI, considered this organization fit for an “Excellence Award”!!!

Now it is reported that CEO of the Airtel Payment Bank has resigned But what this Bank did was a refection of the lack of Privacy and Security Culture in the Airtel family and just because they can produce some nice Privacy policy statements designed by expert professionals, they should not get awards from a discerning institution which DSCI should aim to be.

Apart from this, Airtel also got “DSCI Excellence Award for Best Security Practices in Organization” where Airtel was classified as a “Critical Information Infrastructure”. DSCI Excellence award for Privacy in User industry also went to Bharti Airtel.

It was not surprising to note that the Jury panel had representatives from Airtel who could have directly or indirectly influenced the selection of the winners of the award.

Apart from the Global CIO of Airtel being in the panel, even the Jury Chair Mr Paramod Bhasin the chairman of Clix Capital has a partnership with Airtel to launch a digital payment platform.

DSCI may say that these persons have recused themselves from the selection of winners in the categroy in which Airtel was a winner.  This is not a convincing excuse since Airtel was winner in 2 of the four categories and also got a special jury award which means that the Chairperson should not have participated in selections of 3 of the 5 categories. HDFC Director was also in the panel and it also won an award. CIO f Mahindra and Mahindra wa in the panel and Tech Mahindra won an award. There was only one jury member who did not have any conflict and that was Mr Nandakumar Sarvade of RBI.

The Jury panel constitution itself was inappropriate, though this is not a comment on the achievements and skills of each of the jury members. Conflict of interest is another matter and the Jury panel did not exhibit that it had no conflict.

As public know, Airtel is known for its sharp business practices and has been often accused of committing billing frauds. It was also accused of introducing tracking codes when its users browse through mobile (Refer Article Airtel Does a Maggi). This incident should have resulted in the prosecution of Airtel under Section 66 of ITA 2000/8 but the law enforcement agencies failed to take note and TRAI looked the otherway.

It was therefore unthinkable that Airtel would get “Excellence” awards from DSCI on Privacy and Security. If they have, then it reflects more on the ability of the award giving organisation on framing its policies and selection of Jury.

We also observe that Axis bank which is another notorious Bank known for insider frauds and lack of security was a finalist in one of the categories where as they should have been rejected at the eligibility level itself.

These awards therefore represent a complete farce and if DSCI has to retain its reputation, they need to recall the award granted to Airtel particularly the special jury award given to Airtel Payment Bank.

However it is unlikely that DSCI will have the courage of conviction to recall the award. I urge them to prove me wrong.

Naavi

Posted in Cyber Law | Leave a comment

Black Money gets a Boost from SEBI. Mr Thaygi should be removed as SEBI Chairman

Posted on December 22, 2017 by Vijayashankar Na

 

In a surprising but disgusting news report, Mr Ajay Thyagi, the Chairman of SEBI has come up with a public statement that is intended or likely to move the price of Bitcoin in the Exchanges.

Contrary to the popular opinion,  Mr Thyagi has stated

“Virtual Currencies have not posted any systemic risk to the economy”

“Government Panel is currently looking into the regulation”

Mr Thyagi was speaking at a CII summit when he made these statements. It must be remembered that Mr Thyagi represents SEBI which is the regulator who has so far failed to take any action against the Bitcoin exchanges which deal with the commodity called “bitcoin” without either the sanction from SEBI or from RBI.

By referring to Bitcoin and Virtual currencies as “Currencies”, Mr Thyagi has clearly represented them as “Currencies” which can legally be issued only by RBI. Any commodity touted as “Currency” though not recognized by RBI is just a “bit of paper” (In this case bit of electronic paper) and when value is placed on them, it is pure “Speculation”. The SEBI Chairman is fuelling such speculation and supporting Bitcoins through his irresponsible utterances. The statements can also be challenged as factual inaccuracies or clever manipulation of words that “At present Bitcoin is not a systemic risk” without saying that “In future it can be”.

For a regulator to refer to Bitcoin in a public meeting and to make a statement that Virtual Currencies have not posted any systemic risk to the economy is the height of deliberate misrepresentation to the public.

Bitcoin is an “Anonymously held value proposition” and is being used as a replacement of legit currency.

Can Mr Thyagi deny this?.. if he is put on a witness box in a Court?

If Bitcoin is a value proposition that can replace legit currency like Rupee, how can anybody differentiate it from “Black Money”?.

Mr Thyagi has by making such a statement said something to the effect “Black Money has not posed any systemic risk to the economy”.

Mr Modi and Mr Jaitely should take note of this.

This is absurd. If Mr Thyagi was not speaking from his regulatory position but as a representative of a  Bitcoin start up, his words would have sounded more honest. He needs to immediately clarify his position and in case the media has not represented him properly, he should state so.

Further by stating that the Government Panel is looking into regulation, Mr Thyagi has made it clear that a final view of how to treat Bitcoin has not yet been taken by the Government. This is fuelling the speculation that Bitcoin can still be recognized and will move the Bitcoin price upwards. In the recent days, the move of income tax authorities to ask for information from traders of Bitcoins in India had shaken the market a little and the statement of Mr Thyagi is meant to bolster the market.

It now appears that SEBI is one of the stumbling blocks in preventing action by the Government against Bitcoin. It may be recalled that Naavi.org had pointed out earlier in May 2017 that MCX which works under SEBI was indulging in “Insider Tampering” of the decision of this Government panel (Please read : Is MCX of India involved in insider tampering of the Committee on Bitcoins?.. Directors, Please answer) by posting some supporting views on the MCX letterhead when the Government had called for public opinion on Bitcoin regulation last year. At that time we had demanded an explanation from the Board of Directors of MCX. Subsequently the recommendation was taken down but SEBI did not take any action.

It is now clear that the attempt of tampering of the Panel decision by posting an opinion of MCX in the public forum had the blessings from the highest officials of SEBI.

It is now  not possible to trust SEBI with any credible regulation of Bitcoin Exchange as it has spoken against the RBI and openly supported the Bitcoin community.

SEBI Chairman’s statement  is against known fact that Bitcoin and Virtual Currencies are the “Currencies of Criminals” and is “Black Money” in virtual form whose identity is hidden by encryption so that the holder of Bitcoin cannot be identified and that It can be moved across borders like data and cannot be identified when it moves in and out of the country in the form of data and enables Indians to convert their wealth either in Indian currency or in Foreign currency to Bitcoins or other virtual currencies.

In this context, Mr Thyagi should immediately

a) Declare his holding of Bitcoins even if he wants to say that he does not hold any Bitcoins himself.

b) Resign from his position as the regulator since he has ignored the fact that there are “Exchanges” working in the country, trading in the commodity called “Bitcoin” without license from SEBI and he has failed to take punitive action.

I request Government of India to take immediate action in this regard to ensure that Mr Thyagi is replaced as SEBI Chairman.

Naavi

Posted in Cyber Law | Tagged , , , , | Leave a comment

Hacking of EVMs is Cyber Terrorism

Posted on December 19, 2017 by Vijayashankar Na

It is unfortunate that many of the politicians are irresponsibly commenting on hacking of EVMs . If anybody has suggestions to improve the security of EVMs, it should be welcome. But making irresponsible statements and spreading rumours is an attempt to undermine the Indian election mechanism and must be stopped.

As we understand, EVMs are manufactured by public sector organizations, shuffled before being issued for any particular booth, and are always under the physical custody of some officials. They are finally tested before they are committed for use. There are some kinds of checks subsequently on the total votes polled.

Naavi has long time back spoken about the Cyber Law Compliance aspects of EVMs and the EC has now introduced the VVPAT system (Voter Verified Paper Trail System) which will become mandatory by the next set of elections. In this system the voter views the printed slip before the completion of voting. Then the slips are collected in a sealed box. These slips will  be counted if there is an election petition which orders the re-counting of the slips. If a person sees that the slip is different, then he can raise his objection then and there.

There is however a system of procedures designed to make it impossible to tamper with the EVMs under ordinary set of circumstances. Making theoretical claims or assuming that several Election Commission officials will collude etc is a mischievous claim not substantiated by evidence.

However, there are many opposition parties including the Congress party which uses EVM as an excuse to cover its losses.

Even when VVPAT system is used, it is possible that some opposition party supporters may simply claim that the slip is different from what he has voted, and it has fallen into the sealed box and cannot be verified, there are situations where false alarms may be raised by unscrupulous supporters of a political party to disturb the election process.

If this has not happened till now, it can be envisaged that it will happen next time. I will be surprised if such tactics are not used to discredit the system during the next elections in Karnataka since the current CM of Congress is himself opposing the EVM system.

In the light of these attempts to discredit the EVM system by unscrupulous politicians, it is necessary for Election Commission to ensure that no political party member or a member of the public makes a dishonest claim that EVM is hacked or is hackable.

In order to ensure that people are serious about EVMs, Election Commission should declare that EVMs are “Protected Systems under Section 70 of Information Technology Act 2000”. EC has already developed the standard operating procedure (SOP) for accessing the systems and hence a notification accompanied by the SOP as required under the Act can be quickly made.

Once EVMs are considered as “Protected Systems”, any attempt to hack any EVM, even by any employee of EC will be considered as an offence carrying a punishment of 10 years.

Additionally, under Section 66F of ITA 2000/8, any action that could damage or disrupt or adversely affect the EVMs can be considered as an offence under section 66F (1) (A). Additionally, any incitement to commit hacking of an EVM or disruption of the EVM usage can be considered as causing injury to the interests of the state and brought under Section 66(F) (1) (B).

In either case, the offence carries an imprisonment of upto life and would be termed “Cyber Terrorism”.

EC has already given one opportunity to those claiming that EVMs are hackable to demonstrate the possibility. This was not used by any of the political parties such as Congress or AAP. Now the new kid called Hardik Patel has started talking of EVMs about which his knowledge may be suspect.

EC can however make another offer to anybody to seek an appointment to demonstrate their claim if they have any credible doubt. Obviously, they should demonstrate that the system can be hacked under the conditions under which they are used and not expect that the hacker would be able to open the machine and insert any chips into it. Such “Request for Demonstration” should be publicised and the person requesting must be made to deposit a security deposit to cover the expenses and prevent frivolous requests which can be returned only if the charge made is proved.

EC can also invite suggestions for improving the security of the system and honestly try to implement suggestions if they are useful.

I am sure that EC would not be averse to these suggestions which they should announce immediately and shut the mouth of irresponsible politicians.

Naavi

Posted in Cyber Law | Leave a comment

Limited Liability on Electronic Banking Frauds also extends to Cooperative Banks

Posted on December 18, 2017 by Vijayashankar Na

On July 6, 2017, RBI released the “Customer Protection-Limiting Liability of Customers in Unauthorized Electronic Banking Transactions”.

The circular indicated that a customer is entitled to “Zero Liability” in case of loss arising out of frauds in E banking in which

a) There is a contributory fraud or negligence or deficiency on the part of the Bank irrespective of whether or not the transaction is reported by the customer

b) Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system and the customer notifies the Bank within three working days of receiving the communication from the Bank regarding the unauthorized transaction

Further the Customer would have a “Limited Liability” of Rs 5000 or 10000 or 25000/- (depending on the nature of the customer) in cases where the responsibility for the unauthorized electronic banking transaction lies neither with the Bank nor the customer and when there is a delay (of four to seven working days) in notifying the Bank.

If the delay in reporting the transaction where the fault lies with neither the Bank nor the customer, the Bank’s boards were expected to come up with their policies on how much of liability they would bear.

However, even after nearly five months, we donot see any such policy from any of the Banks being announced at least on their websites. (If any Bank disagrees, they are requested to keep us informed so that we can correct this statement). This shows that RBI has not been able to impose its regulation so far on the Banks.

The circular of July 6, 2017 was applicable to all Scheduled Commercial Banks including RRBs, All Small Finance Banks and Payment Banks.

Now, on 14th December, RBI issued a follow up circular extending the applicability of the Circular also to the Primary (Urban) Cooperative Banks, State Cooperative Banks and District Central Cooperative Banks.

While it was natural that all Banks which were in the E-Banking activity had to come under one regulation as regards protecting the Consumers and it was more important in the case of the rural banks such as the Cooperative sector Banks, RBI needs to ensure that the Banks take it’s regulations seriously.

Recently, we came across a fraud in which a well known journalist reported that a supplementary credit card had been issued in her name and an outstanding debit in the card was claimed from her by none other than HDFC Bank. She also reported that the Bank refused to accept her complaint and insisted that the amount was payable by her.

In many instances the frauds happen because of “Phishing”. In some cases the customers do give out their Passwords or OTP without being aware of the possibility of the fraud. It is in such cases that Banks and Customers need to resolve who has to bear the liability. In most cases there would be no doubt that the customer would be a victim but the Bank tries to claim that it also is a victim and hence if the customer is negligent in giving away his credentials then he should bear the loss himself and not the Bank.

However, we need to ask the Bankers whether they are pitting their information security capabilities and knowledge with the awareness of the customer and claiming that the customer has to be more intelligent than the Bank. RBI has clearly advised these banks to adopt “Adaptive Authentication” and a robust Cyber Security Framework which should identify fraudulent transactions before they occur and take measures to prevent a fraud before it occurs. In some cases the money would have been debited to one account but the payment would not have been irrevocably paid out to the fraudster and it may lie in the system with another Banker. In such cases if the paying bank moves the collecting bank immediately and stops the withdrawal, the fraud could be prevented. But the Banks are so arrogant and fraudster friendly that they will raise 100 questions to the customer that he should file a police complaint, give complaint in writing, accept that he has given away the password etc, besides saying my Manager is not available etc… and delay action.

Many banks make their Call center access difficult and not provide specific fraud reporting mechanism directly on the SMS which they must send. If the customer says that they have not received SMS, Banks often refuse to accept.

All these hurdles need to be addressed by RBI by conducting the audit of Banks on the implementation of the July 6th Circular at branch level without which the intentions of RBI will not be implemented in practice.

RBI has also since June 2001, mandated that Customers should be protected by picking up the legal risk themselves and using the Cyber Insurance cover. But none of the Banks have so far sent one SMS to their customers about Cyber Insurance cover they have taken for them though they might have sent scores of messages for not linking Aadhaar.

The Chair persons of the Banks need to be pulled up by RBI for ignoring the RBI guidelines and apart from imposing some fine or the other, they must make an example of some Banks and suspend the Chair person. Banks like Axis Bank which were considered as the habitual offenders during the demonetization days continue to carry on business without paying for their guilt.

The definition of “negligence” in the limited liability circular on the part of the Bank will have to be evaluated in this context of “Not correcting past mistakes” and even in case of Phishing where there is negligence on the part of the customer, “Contributory negligence” on the part of the Bank should be recognized.

It is some time back that ICICI Bank was pulled up by the Adjudicator of Tamil Nadu and made to pay for their negligence in the S.Umashankar case. Perhaps many have forgotten the case and there is a need for other similar judicial interventions holding the Banks liable for Banking frauds before we ensure security in the Banking scenario.

Some of these Banks are even challenging the RBI by adopting to use of Bitcoins and also use of Block chain against the Banking laws. RBI unfortunately is unable to take corrective action and letting the public continue to take risks which they should not take,

Will RBI now wake up and take necessary corrective action so that the Customers feel safe?

Naavi

Posted in Cyber Law | Leave a comment

“Compliance by Design” should be the motto of the Data Protection Act of India

Posted on December 15, 2017 by Vijayashankar Na

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the  Justice Srikrishna report.]

“Privacy by Design” is a concept which GDPR expects from Data Controllers and Data Processors.  The concept of Privacy by design basically means that measures for Privacy protection should be initiated right from the inception of a project and during the engineering process. It is not an after thought considered over the layer of processing but should be embedded into the basic framework of processing.

The concept of Privacy by design imposes a sense of responsibility on software manufactures who have a tendency to design software solely for functional purpose and expect Privacy to be taken care of manually at the time of implementation.

This concept needs to be extended to complete compliance of all provisions of the Data Protection Act which can be controlled by technical means by making “Compliance By Design” as a mandatory provision under law so that the responsibility for compliance is shared by both the software developers and the users. This could mean that systems and outsourced services should have mandatory encryption, mandatory authentication in the form of non repudiable digital signature system, mandatory compliance of data retention, mandatory archival of log records etc.

If such “Compliance by design” is mandated, then the quality of software products from the point of view of “Data Security” would increase and in the event of any “Data Breach” caused by vulnerabilities in the software systems, some responsibility may be imposed on the software companies also. This would help SMEs in particular who donot have greater dependency on the software suppliers, who donot agree for source code audit or for source code escrowing and also donot guarantee that their software is free from bugs.

Larger companies may have better ability to take their own measures to secure the systems irrespective of the vulnerabilities they come with. They also have the power to extract maintenance contracts and source code audits better than the SMEs and hence the proposal for Compliance by design should help SMEs more than large entities provided the definition of “By design” is extended to software development.

The new data protection act can consider imposition of “Compliance By Design” as one of the responsibilities of system developers (both hardware and software). In order to incorporate this provision, a separate chapter that defines the compliance requirements of the Data Controllers, Data Processors and Data Managers (as proposed in our previous article) along with how the fact of compliance should be disclosed to the public and to the Data Protection Authority. This should obviously be controlled through Registration and penal de-registration of entities who are Data Controllers/Processors/Managers.

Hopefully Compliance requirements donot simply remain on paper but are followed up for strict implementation.

In order to ensure that Compliance is taken seriously, Cyber Insurance should also be made mandatory so that the Cost of Insurance should incentivise the business entities to invest the right resources in achieving compliance.

The SKC has asked the feed back on whether the law should be made retrospective or prospective. If “Compliance” is an honest expectation, it goes without saying that the law has to be enforced prospectively with reasonable time given for compliance.

In the meantime the regulatory authorities need to even provide guidance and assistance to the Data processors and Controllers in the SME sector so that they can achieve compliance in the specified time. The compliance schedule also need to be extended with an additional time for smaller entities taking into account the incidence of cost as well as scarcity of manpower to assist them in the compliance.

The compliance dead line could therefore be about 1 year for large units and about 2 years for smaller units, with exact definition of what is Small and what is not being decided on the basis of turnover.

Naavi

Posted in Cyber Law | Tagged , , , , | Leave a comment

We should forget the “Right to Forget” in Indian Data Protection Act

Posted on December 15, 2017 by Vijayashankar Na

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the  Justice Srikrishna report.]

The EU law on Privacy under GDPR recognizes the “Right to Forget” which essentially means that the data subject can demand that his personal information should be erased from the records in the custody of the data processor/data controller once the data subject withdraws his consent.

Enabling “Erasure” of data is not as simple as it looks since data has a tendency to multiply and spread in different systems within the processing organization and it is often difficult to even recognize where all the copies of data are present. With need to back up data for reasons of disaster recovery and different versions of data getting created during the course of relationship of a customer with a data processing entity, when a demand for deletion comes up, it is difficult to ensure the complete erasure of data.

Further, since data is related to National Security and Crime control, there is a legal obligation to “Retain Data” in many circumstances. There will therefore be a conflict of interest between the need to erase data on request and the need to retain data for control of criminal activities. Even the need for Governance such as Direct benefit Transfer with the use of Aadhaar requires data to be retained and not erased at the request of only the data subject.

Even when Privacy is considered as a Fundamental Right, the law provides for exemptions for security purpose and hence the “Right to Forget” or “Right of erasure” is a concept which cannot be considered for the Data Protection Act.

Posted in Cyber Law | Tagged , , , , , , , | Leave a comment