Bitcoin Theft… A challenge to Law Enforcement…Case should be transferred to CBI

We all know that Bitcoin is the popular currency of the criminals. The fact that some honest persons are gullible enough to believe that it is a “Currency” does not create a case for sympathizing with people who might have invested in Bitcoin directly or in a business related to Bitcoin.

While technically, Bitcoin is “An Electronic Document” and is recognized in India as equivalent to a “Paper Document” and the Equivalent Paper document is deemed to say….

“This is a statement that this is a part of a bitcoin issued to wallet ID…. under block chain number…… and that …..bitcoins out of this has been transferred from …..wallet ID to ……..wallet ID”,

some people consider this as “Currency” and many people promote it and deal with it as if it is “Currency”.

However, in India, since RBI is the sole authority to issue “Currency” and it has not issued Bitcoin, making any reference to it as “Currency” is a misrepresentation and an attempt to commit fraud on the society.

Today there are thousands of persons in India who are guilty of this offence and could be rightfully questioned.

However, since the Police themselves have not understood the real nature of Bitcoin, no action has been taken to prevent frauds on the society by people who advertise Bitcoin business, conduct promotional meetings etc.

There are also many otherwise respectable persons particularly in the tech industry who consider that Bitcoin represents a revolutionary concept of “Decentralized Monetary Control” and protects their investment from inflation, and is a symbol of “Freedom from Regulatory control of personal wealth” etc…

Ultimately, all those who are championing Bitcoin are people who are fighting for their right to hold unaccounted money and ensure that Government should not tax them for the Bitcoin wealth they possess. (Some exceptions could be there to this presumption)

After the demonetization in India, the Black Money holders who are on the run, are the dearest friends of Bitcoin and we can find such friends in many political parties as well as corrupt bureaucrats and perhaps even in the Police and Judiciary.

Recently it was reported that nine rogue police officers in Gujarat kidnapped a businessman and extorted a ransom of 200 bitcoins (Refer article here). This shows that the Police, or at least some of them, are today aware of the potential of Bitcoin as a proxy for “Black Money”.

Since the entire Bitcoin industry revolves around “Crime”, it is to be expected that “Bitcoin Business” is managed by people who are mentally more friendly with the criminals or are criminals themselves.

I am therefore not surprised when reports emanate that some Bitcoin exchange was hacked, Bitcoin holder was defrauded etc. I do not have much sympathy for those who lose Bitcoins either.

In this background it is interesting to note that a complaint has been filed by Secure Bitcoin Traders Pvt Ltd (Coinsecure.in) by its Director Mohit Kalra that 438.31859715 bitcoins were unauthorizedly moved to a BTC address  as shown below:

The company has put up a notice on its website that users may be assured that their money was safe and action is being taken with investigation authorities.

According to the notice on the website a copy of which is given here, the Company states that the CSO Dr Amitabh Saxena while extracting the coins to distribute to its customer has reported that the private keys have been lost causing the loss of BTCs.

The Company has now filed a complaint, at Delhi and the Police have registered the Complaint as indicated below.

This is not the first time that a Bitcoin Exchange has reported an attack and loss of Bitcoins from its storage.  The value of the Bitcoins reported lost in the current incident is more than 22 crores and as per the above documents, the loss may not be of the individual customers but of the Company.

The Company states that “It feels” that Dr Amitabh Saxena is making a false story and he may have a role to play in the incident.

I am not sure if Police can file an FIR and impound the Passport of the accused based on this “Feeling”. The Company needs to provide some evidence to say that Mr Amitabh is the owner of the Bitcoin wallet to which the money has been transferred. Otherwise it is speculation and there could be some other internal rivalry that may be playing out in this case.

I will not be surprised if Mr Amitabh comes out with his own story in which he may reveal that the owners of the Company have many undeclared Bitcoin wallets etc. and some such differences are behind this attempt to fix him.

The ED recently conducted a survey and all the owners of the Company should have given declarations of their own transactions in Bitcoins in the past. Now ED needs to join the investigation and find out if Mr Amitabh has a story of his own to tell.

When a gang of criminals fall out amongst themselves, Police have a field day to unearth many other crimes. In this case also many more Bitcoin deals which represent anti national activities would tumble out during the investigation.

It is likely to be a very sensitive investigation which has to be immediately taken over by CBI since locating the Bitcoin wallet owner is beyond the capability of the Delhi Police.

It’s a Challenge to the Bitcoin Community also

This will also be a challenge to the Bitcoin community itself. Will they help the law enforcement authorities to investigate and unravel the “Privacy” of the Bitcoin wallet? or will they try to preserve the integrity of the Bitcoin system by sticking to the fact that Bitcoin wallet cannot be traced?

Will the “Privacy Activists” who oppose Aadhaar because it can be a Black Money prevention tool come in support of “Bitcoin” ? or remain silent? are the interesting challenges ahead.

I believe that there is a technology (however unreliable it may be) to zero in on the ownership of the anonymous Bitcoin Wallet and if the law enforcement pursues it properly with the help of honest technologists, it may be possible to find out the ownership of the wallet in question and successfully investigate the complaint.

Will it happen? … or some time during the investigations, further flow of Bitcoins to other wallets will result in its closure as “Unresolved”? …only time will tell.

Legal Perspective

While looking at the complaint that bitcoins were “Stolen” from “Company’s Bitcoin wallet”, I am reminded of the complaint in the year 2000 (before ITA 2000) when in Delhi there was a complaint about “Theft of Internet Hours”. At that time there was no ITA 2000 and what had happened was that a person who installed the internet account for the customer gave away the password to a cyber cafe who cleaned out 100 hours of internet browsing time within a day. The user complained that “My Internet hours were stolen”. I had discussed at that time that it could be a case under “Breach of Trust” etc since it may not fit into “Theft” under IPC since “Internet Browsing hours” is not a “Movable Property”.

A similar discussion now is relevant. The complaint is that there was an “Unauthorized Electronic Document related activity” resulting in “Wrongful loss to the company”, Suspected to be from one of the employees.

Now the Complaint has been lodged by the Company, which I consider was not a wise thing for the company to have done rather than gulping down the loss, however unpalatable it could have been. According to the complaint, it is a case of “Unauthorized Access” under Section 43 and Section 66 of ITA 2000/8. There could be Section 66C and 66D but it is not clear.

Before the crime is recognized, there has to be an “Evidence of Crime”. We need to know whether 438.31859715 bitcoins were actually available in the Wallet account and it is no longer there. Company has to prove that this wallet account belonged to the Company and it had authorization under FEMA and RBI to open the account and conduct all the transactions it did in the past in the account. This is where ED can catch the company by its scruff and ask for details of each and every transaction that occurred in the wallet and whether they were transactions that were declared in the ED survey or were concealed.

Of course this evidence has to be Section 65B certified.

Then Mr Amitabh has to be questioned on how does he normally extract BTC from the Company’s vault and distributes? … past examples…. (again to be checked and verified with the company’s IT declarations) etc…. again all to be Section 65B certified.

Next is the identity of the Wallet… Who is the Wallet service provider… Is he Indian or not?… Does he come under the jurisdiction of Section 75? … Does it require Interpol assistance for which CBI involvement is mandatory? ..

Overall it is an interesting investigation to follow. Coin Secure by filing the complaint has given an authority for the Police, CBI, Regulators like RBI and the Indian Courts to tear into the  system of Bitcoin management and expose all the nefarious things that happen in the Bitcoin industry.

But the stakes are so high, that unless there is monitoring of the case by public spirited Court and Media, the case will get buried.

Perhaps Mr Modi has to instruct Mr Rajnath Singh to take personal interest in this investigation and take it to the logical end. The Finance Ministry is suspected to have many Bitcoin sympathizers and investigation at their level may not be trustworthy.

Let us wait and watch this interesting battle.

Naavi

(P.S: Parts of the article may be unpalatable to some. Kindly excuse me. Consider that  I am just making a larger point. )

 

 

 

 


A Trap is laid for Gullible Bitcoin Investors

Just last week, RBI declared:

 it has been decided that, with immediate effect, entities regulated by RBI shall not deal with or provide services to any individual or business entities dealing with or settling VCs. Regulated entities which already provide such services shall exit the relationship within a specified time.

Most media men interpreted this as a clear indication that no Bank or NBFC or Commodity traders also registered for Foreign Exchange trading, could have any business related to Bitcoins. The earlier action of the ED sending out notices to lakhs of Bitcoin investors who had traded in any of the Indian exchanges to disclose the source of their acquisition and also the details of tax payments on the Bitcoin transactions had also indicated that Bitcoin investors will face both action from RBI and ED if they continue to indulge in Bitcoin.

It is obvious that most Bitcoin investments were made out of black money and hence the investors were trying to hide themselves. The Exchanges are taking steps to move out to other countries such as Singapore and handle the business emanating from India. The Bitcoin holders who have remained underground so far are trying to find exchanges outside India to either sell their bitcoin holdings and quit their positions or continue to invest.

However, any movement of INR to Bitcoins and conversion of Bitcoins to undeclared Foreign Exchange accounts could be violation of FEMA and land the investors in bigger trouble than just surrendering their holdings to the Indian Government and pay whatever tax they need to pay and enjoy what is left. Since however the prices have tumbled from around USD 19000 per bitcoin to less than USD 7000, not much of profit or capital may be left for many of these Bitcoin investors who continued to ignore our suggestions to stay away.

When the situation therefore indicates that no sane investor would like to invest in Bitcoins in India now, it is surprising that a company called “Synup”, which declares itself as a New York and Bangalore based startup with operations in US and Canada and founded by a serial entrepreneur, Ashwin Ramesh, has issued a Press Release today on the launch of a new website coinfriendly.io with 10717 bitcoin accepting businesses listed on its platform. The objective of the website is clearly stated as to allow bitcoin users across the globe to identify these stores and services in 20 countries and becoming the largest repository of local businesses.

Of course, at present there are no India based businesses listed on the platform and hence this will project itself more like a directory of Bitcoin companies across the globe excluding India.

If there is no target audience in India to use the platform, it appears strange that the Company should send out the press release to Bangalore based publications.

We have to wait for tomorrow to see which publications carry the press release and what they write. However we can expect that at least some of the publications will carry the press release, even if in the inside pages, without their own comments. Like a typical phishing campaign, the message will reach out to Bitcoin sensitive audiences.

The obvious inference is that the publicity is meant to inform the Bitcoin investors that even if India based Bitcoin exchanges shut down their operations, there could be many options in other countries to park their black money. It should also be possible to launder the Bitcoin holdings through many of the businesses listed in the platform to buy goods or simply trade it for foreign exchange.

Gullible investors may therefore fall into the trap for using the services of any of the listed service providers to use their Bitcoins or buy fresh bitcoins if available through any exchanges.

Investors in India are hereby cautioned that any dealings with the entities listed in this website will be in the radar of the ED as people dealing with these entities will clearly be those who will be using black money holdings in the form of Bitcoins.

Such customers may therefore quietly start getting notices as to explain the source of their bitcoins used and whether they have more bitcoins in stock.

If ED has not yet started this activity, they better do it immediately.

In the meantime, Police in Bangalore should also keep a watch on this Company’s activities and whether it will promote Bitcoin indirectly in India.

Naavi

 


State Bank of India ready for a major scam

I have been informed by some customers of State Bank of India, particularly in the Srinagar Branch of Bangalore that the Bank is asking for e-mail ID from its customers who want to file 15G certificate.

It is said that many of the account holders who do not have e-mail addresses have been told that it is mandatory and otherwise the TDS form will not be accepted. Not sure if this is an attempt at a systematic loot of people or it is a method of discrediting BJP and Mr Modi before the elections in Karnataka.

From the perspective of information security, it appears that many of the customers, some of them not fully aware of the implications, have been told that any e-mail address can be given if they do not have an e-mail ID.

More importantly, some of them have been directed to the nearest Cyber Cafe to open an e-mail account. The Cyber Cafe owner has given them some chit which the customers have given to the Bank. The Chit would have the e-mail address and God knows who knows the password. At least, my housemaid who opened one such e-mail account did not know anything about the password and what the e-mail address is for.

Firstly this is an unfair demand made by SBI to insist that e-mail address is mandatory along with the mobile number. It is dangerous to let the customers who do not know about e-mail management open accounts with the Cyber Cafe.

There is every possibility that the staff of the Bank and the Cyber Cafe owner would collude and change PIN of the ATM cards and cheat the customers.

I therefore request that an investigation be carried out to find out why State Bank of India, Srinagar branch of Bangalore (Do not confuse with J&K) is insisting on such a procedure unmindful of the risks.

Are they so naive?… If so they deserve to be removed from their positions immediately. If not the possibility of a scam brewing should be recognized and corrective action taken.

If there are political reasons for this, I request the BJP MLA Mr Ravi Subramanya to enquire and find out.

Naavi

On 10th April 2018, I received a call from SBI stating that through an error in programming, the particular e-mail field had been rendered “mandatory” and hence there was problem. They confirmed that action will be taken to correct the same. Also the Bank officer who called profusely thanked for bringing the problem to their notice. We appreciate the immediate action taken by the Bank….. Naavi


Bitcoin gets the Boot

Naavi.org has been consistently voicing its demand that Bitcoins should be banned in India and instead RBI should consider floating a crypto currency regulated by RBI.

At last RBI seems to have taken one decisive step which has been interpreted by the media as “Banning of Crypto coins”.

In a statement released by RBI it has been stated that

“Reserve Bank has repeatedly cautioned users, holders and traders of virtual currencies, including Bitcoins, regarding various risks associated in dealing with such virtual currencies. In view of the associated risks, it has been decided that, with immediate effect, entities regulated by RBI shall not deal with or provide services to any individual or business entities dealing with or settling VCs. Regulated entities which already provide such services shall exit the relationship within a specified time.”

At the same time, RBI has also indicated that it is exploring the possibility of introducing its own Crypto coin for which a committee will be formed to give its recommendations.

Naavi.org welcomes both the developments.

Naavi


Supreme Court cannot ignore the Virtual ID development regarding Aadhaar

Supreme Court has now come to the end of hearing the PIL on the Aadhaar. Whatever be the actual petition it is clear that the opposition to Aadhaar stems mainly from the Black Money holders and Benami property holders who are threatened out of their existence with the identification of their misdeeds and Black wealth accumulated over time.

India having been corrupted systemically by the ruling Congress Party since the days of Mrs Indira Gandhi (as people of our generation know of), there is corruption in every aspect of our life. Our politicians, Bureaucrats, Police and even the Judiciary is exposed to the menace of corruption though different segments have absorbed it to different extent.

Businessmen also have accumulated black wealth but their accumulation is because of tax evasion. Otherwise the black money of businessmen is generated out of their hard work  or business. The Black wealth accumulated by the officials and politicians on the other hand is of a different nature. It has originated out of corruption and additionally continued with tax evasion.

Now all these persons who are threatened with the loss of their ill gotten wealth have come together to petition to the Supreme Court that mandatory linking of Aadhaar to Bank accounts and the proposed property registrations is opposed to “Privacy” and hence it should be scrapped.

Privacy is not a shield for Corruption

Without any doubt, “Privacy” is being used as an excuse to cover up illegal accumulation of Black wealth and the Supreme Court cannot be seen as supporting this cause.

All Privacy regulations provide an exception that “Privacy” is not a right that can be used by a citizen when the State has to consider “Public Interest” and “National Security”.

We are not sure if the lawyers who will be arguing for the Government will not collude with the opposition and put up a weak argument to enable the Judiciary to scrap Aadhaar linkage to basic services.

A Citizen has no right to claim immunity from being punished for the larger good of the society. The judiciary has its role in checking the misuse of any law including the Aadhaar law just as the SC/ST atrocities Act.

Hence the Supreme Court Bench has to place the national interest paramount and not be swayed by the arguments of the Aadhaar opponents. I have some faith that the current CJI will ensure it. It should be done before the “Dissenting” judges take over our system and politicize the judiciary.

Virtual ID eliminates most of the concerns against Aadhaar

In this context, the much awaited Virtual Aadhaar ID scheme of UIDAI has now become operational. Under this scheme all services which require Aadhaar number will now use the “Pseudonymized ID” which is the 16 digit Virtual ID which the Aadhaar holder picks up on the Aadhaar website. The original Aadhaar number remains confidential with the user. The intermediary who uses the virtual ID will not have the demographic data mapped to the original Aadhaar ID and hence the kind of data breaches that happened at the intermediary end in the past for which UIDAI is being blamed cannot happen in the future.

This Virtual ID is not a permanent ID and can be regenerated randomly every time the aadhaar holder wants to use it. He can use it as a single purpose ID and ensure that no two intermediaries have his data mapped to the same Aadhaar ID.

This system therefore addresses the concern on Aadhaar security at the intermediary end for all future transactions.

Of course some critics may still ask what about the past? There could be solutions for the same which could be considered in future.

Critics will also ask what is the guarantee that the data may not be leaked from the UIDAI itself. There will of course be security at the UIDAI so that no single person will be able to leak Aadhaar information since multiple levels of authentication would be required.

If the critics still ask whether it is not possible for multiple persons to collude and commit a fraud, I would say if a day comes to that then we the Indians do not deserve the Aadhaar.

We know that when the previous Congress regime was in place,  the country was run in the name of PM by a coterie which was Pro Pakistan and Anti India. It can be speculated that several of the national secrets could have then been shared with the enemy during this time. Conspiracies could have been  hatched to put our Military to shame and create a bogey of Hindu terrorism. In future also, if those who want to destroy our country come to power, we are not sure if they will rule in the interest of the country.

The opposition political parties in India which are behind the Anti Aadhaar discussion in Supreme Court had once given Supari to eliminate Mr Modi much before he became PM. Now they are trying to use the Supreme Court as the weapon to kill the ambition of Mr Modi to eliminate corruption in India.

Hence the Aadhaar case has become a symbol of a fight between those who despise corruption and those who worship it.

If the opposition comes to power, there is the danger that they may themselves access Aadhaar data and hand it over to Cambridge Analytica so that they will never lose the election again.

Supreme Court has to show its character

I hope the final decision of the Supreme Court will prove that India still retains the ability to stand up to all divisive forces and show character that has made this country survive against the onslaught of foreign invasions time and again.

Naavi

Also Refer:

It is Y2K Moment again in India with Virtual Aadhaar ID

How Aadhaar Security reaches a new dimension with Virtual Aadhaar ID

Three days to go for mandatory use of Virtual Aadhaar ID Who is ready?

Is Private Sector ignoring Virtual Aadhaar ID?

Virtual Aadhaar ID; More breathing time for laggards


Data Portability under GDPR… Is it Your Data to be ported or My Data?

Data Portability is one of the contentious issues of the GDPR from the compliance angle. We had discussed the “Theory of Dynamic Personal Data” in one of our previous articles. That concept would be relevant to address the issue of Data Portability as envisaged in GDPR.

Article 20 of GDPR states as follows:

Article 20: Right to data portability

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
(b) the processing is carried out by automated means.

2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. (Ed: Right to Erasure). That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

The industry is struggling to understand how it can possibly tune up its processing system so as to keep the “Personal Data of the Data Subject” in one compact identifiable package so that when necessary it can be “Ported” or “Erased”.

If a Data Processor is setting up a new system for processing the data, it would be perhaps easier to design the system to meet this objective. But if he is already processing data and is now trying to implement GDPR over the existing set up which includes past stored data and the processing system, it would be a challenge to comply with the provision.

One of the key aspects of implementing Data Portability and Data Erasure is to ensure that a data subject’s personal data is always identifiable in a package and can be dealt with together when required.

In practice however, the complete set of personal data about a data subject gets acquired over a  period of time and in bits and pieces. In this kind of “Data Aggregation”, there is one part of personal data which the data subject has handed over after an informed consent. This is a “Property” of the data subject and he has every right to deal with it as he likes.

But once this raw data is received by the data processor, it may be mixed with other data, analyzed, filtered, processed using intelligent data mining and analytical algorithms and another set of data which has a link to the raw data supplied by the data subject emerges. In course of time, the data subject also adds further data about himself which is another set of raw data that gets added.

At this point of time, the data with the data processor has two components namely raw data supplied by the data subject from time to time and the value added secondary data  in which the raw data is embedded but there is much more value because of what has happened to the raw data with the processing. It is like the data subject has given the data processor, water, fruit juice concentrate and sugar in separate packets and the data processor has created a bottle full of juice with it.

Now the data subject comes and says, please “Port” my data to another “Data Processor”. Now the problem is for the data processor to separate the water, juice concentrate and sugar from the Bottle of juice and return the “Data of the Data Subject”. Anything else is a different data and if that has to be transferred to another data processor, it will go along with the technical know how used by the first data processor to add value to the data. Obviously this is not acceptable to the data processor since it would dilute his IPR.

The key to GDPR data portability management is to develop a data processing model which keeps a tag on the “Raw data supplied by the data subject” even when it is being churned into a value added data by the data processor, so that when required, we can pull out the raw data and return it to the data subject.

If the system is designed intelligently, the data processor may still keep the value added data with himself but return the raw data components to the data subject. It will be like having the Cake and eating it too.
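A minimal sketch of such a tagging model, added here as an illustration and not taken from the article or from any product: every item carries an origin tag and, for subject-supplied items, the lawful basis, so the raw data can be pulled out in a machine-readable package while the value added data stays with the processor. The class, field and subject names are hypothetical, the sample records are constructed, and limiting the export to consent and contract bases follows Article 20(1)(a) as quoted above.

```python
import json
from dataclasses import dataclass
from enum import Enum
from typing import Any, Callable, Optional


class Origin(Enum):
    SUBJECT_PROVIDED = "subject_provided"  # the article's raw data
    DERIVED = "derived"                    # value added data produced by processing


class Basis(Enum):
    CONSENT = "consent"                    # Art. 6(1)(a) / 9(2)(a)
    CONTRACT = "contract"                  # Art. 6(1)(b)
    LEGAL_OBLIGATION = "legal_obligation"  # not covered by Art. 20(1)(a)


PORTABLE_BASES = {Basis.CONSENT, Basis.CONTRACT}


@dataclass(frozen=True)
class Item:
    value: Any
    origin: Origin
    received: str                  # ISO date the item entered the system
    basis: Optional[Basis] = None  # recorded for subject-provided items only
    sources: tuple = ()            # items a derived value was computed from


class SubjectStore:
    """Keeps an origin tag on every item so raw data stays separable."""

    def __init__(self) -> None:
        self._items = {}  # subject id -> {item name: Item}

    def ingest(self, subject: str, name: str, value: Any,
               basis: Basis, received: str) -> None:
        # Raw data may arrive in bits and pieces over time; each piece is tagged.
        self._items.setdefault(subject, {})[name] = Item(
            value, Origin.SUBJECT_PROVIDED, received, basis)

    def derive(self, subject: str, name: str, func: Callable[..., Any],
               sources: tuple, received: str) -> None:
        # The processor's algorithm (func) is applied, but only its output and
        # the names of its inputs are stored alongside the subject's record.
        record = self._items[subject]
        value = func(*(record[s].value for s in sources))
        record[name] = Item(value, Origin.DERIVED, received, None, tuple(sources))

    def export_portable(self, subject: str) -> str:
        # Structured, machine-readable package of the raw data only.
        data = {
            name: {"value": it.value, "received": it.received,
                   "basis": it.basis.value}
            for name, it in self._items.get(subject, {}).items()
            if it.origin is Origin.SUBJECT_PROVIDED and it.basis in PORTABLE_BASES
        }
        return json.dumps({"subject": subject, "data": data},
                          sort_keys=True, indent=2)

    def retained(self, subject: str) -> list:
        # Derived items that are not part of the portable package.
        return sorted(n for n, it in self._items.get(subject, {}).items()
                      if it.origin is Origin.DERIVED)

    def lineage(self, subject: str, raw_name: str) -> list:
        # Every derived item that embeds the given raw item, directly or not.
        record = self._items.get(subject, {})
        hit, changed = {raw_name}, True
        while changed:
            changed = False
            for name, it in record.items():
                if name not in hit and hit.intersection(it.sources):
                    hit.add(name)
                    changed = True
        return sorted(hit - {raw_name})


def build_sample_store() -> SubjectStore:
    # Constructed sample data; subject id, fields and values are hypothetical.
    s = SubjectStore()
    s.ingest("S-1001", "email", "asha@example.com", Basis.CONSENT, "2018-01-10")
    s.ingest("S-1001", "postcode", "560050", Basis.CONSENT, "2018-01-10")
    s.ingest("S-1001", "purchases", [1200, 450, 900], Basis.CONTRACT, "2018-02-03")
    s.ingest("S-1001", "tax_id", "TAX-PLACEHOLDER", Basis.LEGAL_OBLIGATION, "2018-02-03")
    s.derive("S-1001", "region_segment",
             lambda pc: "metro" if pc.startswith("56") else "other",
             ("postcode",), "2018-03-01")
    s.derive("S-1001", "spend_score",
             lambda p, seg: round(sum(p) / len(p)) + (100 if seg == "metro" else 0),
             ("purchases", "region_segment"), "2018-03-01")
    return s


if __name__ == "__main__":
    store = build_sample_store()
    print(store.export_portable("S-1001"))
    print("retained by processor:", store.retained("S-1001"))
```

The `lineage` lookup is what makes the tag useful beyond export: it lists which value added items still embed a given raw item, which is the information needed when that item later has to be dealt with under Article 17.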

In order to design such a magic system, we may have to develop a suitable system on a case to case basis. But as indicated earlier, it is easier to introduce such systems prospectively and not retrospectively.

Hence it is better if GDPR liability is accepted only for the future personal data inflow and existing system which was in place is retained for Data Protection in respect of the past data.

It does not appear that GDPR has been conceived taking into account this “Prospective” or “Retrospective” implementation, since the authorities seem to be oblivious to the practical issues involved in implementing some of the recommendations which appear good to read but are impossible to comply with.

In this discussion, we have assumed that the Data Subject does not lay claim for the value added part of the processed data and would be satisfied if his own raw data is returned to him. Hence in future we may have to differentiate data as “My Data” and “Your Data” and apply different privacy and security rules for them.

The technical implementation of this concept needs development of a middleware data processing strategy which is out of scope of this article and also involves IPR in the design.

Naavi
