Personal Data should be considered a personal Property

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the  Justice Srikrishna report.]

Many of the issues connected with Privacy arise out of the complaint that “information collected by a Data Controller” is processed in such a manner that the data subject feels that his privacy has been breached. Hence “Consent” is sought and obtained before collection of information. Section 79 of ITA 2000/8 under its rules has already adopted the procedure of disclosure and consent when an “Intermediary” collects personal data from a data subject in India. The fact that “Consent” should be an “Informed consent” is also well appreciated.

However most data subjects never care to read the Privacy statements or Privacy policies when presented to them before a specific use of a service. Many service providers also take blanket permissions ignoring the principles of minimal collection and purposeful use.

In the absence of proper legal requirements, data subjects can only try to take legal action against an entity that breaches the law if they can claim damages. But in most cases, damages cannot immediately be recognized and evaluated and hence “breach” can be recognized but not its consequences. Hence there can be no legal remedy in most cases.

When a data protection law is in place, the regulator can take action for breaches even when no damage is claimed by any data subject. Though this provision is available even now under Section 46 of ITA 2000/8, it is hardly recognized as existing. When the new law comes in, since there will be a recognized regulator called the “Data Protection Officer of India”, it will be his duty to monitor the industry and initiate action when required.

Some data controllers may blame the data processors for the breach and data processors may allege that the data controller did not indicate the responsibilities properly in the SLA. Even now many of the data processors in India coming under GDPR allege that they do not have a proper Business Associate Contract from their vendors specifying the information security requirements. Hence the responsibilities cast on the data processors are vague and go without compliance.

The new law should ensure that this “Vagueness” is removed, by making it mandatory that the Data Controller who is the person/entity to whom the data subject provides the personal data and  “Consent” to use that data in a particular manner, take full responsibility for any breach and also mandate that any sub processors are bound with specific instructions which are clear. If the sub processor is also within the Indian jurisdiction, it may suffice to make a reference to the legal provision in toto by referring to the Act. But when the Data Controller and Data Processor are in different jurisdictional areas, it is necessary for the Data Controller to specify in a contract the actual responsibilities related to the processing of any data set/s and not leave it vague.

Assuming that this provision is taken care of, we can expect that all controllers will present comprehensive “Consent Requisitions” whenever online consent is required. They may even justify in the requisition the purpose of collection and how the information will be secured etc. However, in the process the consent requisition will become a long online document which no user is likely to read at length; users will just click “I Accept” and start availing the service. In some cases the service provider may say that “Continued use of the service is deemed to be a consent of the privacy policy” and provide a hyperlink which the user does not care to open and see.

Such online consents may not be treated as proper “Informed Consent” because they are not digitally signed and also because the likelihood of their having been read and understood before being consented to is low. Since India does not recognize the Click Wrap contract, the acceptance of consent by the click of a button has no legal sanctity. The consent therefore only becomes an “Implied Consent of a dotted line contract”, where the fine point details could be considered voidable at the option of the customer.

Even when such consents are treated as contractually acceptable, the data subject may not be able to decipher the intricacies of the contract and take an informed decision. When multiple parties require multiple types of consents, multiple times, there would inevitably be “consent fatigue” that makes him simply click without a second thought.

Hence the current system of each data controller taking individual consent each time data is required for a specific purpose is not practically efficient.

One of the ways by which we can overcome this is to treat personal data as a property of value to the data subject and every usage as “Licensed Use” with some kind of rewards to be available to the data subject which is proportionate to the benefits that the data user may enjoy. In this concept the data subject actually sells the right to use his personal data for a consideration. However to manage this system, the data subject needs professional assistance and hence there is a role for an intermediary “Who Collects consents and data, keeps it with himself and releases it on specific request to a user as a personal Data manager of the data subject”.

The “Data Manager”, being a professional agency, knows the value of the personal data to different service providers and can maximize the returns to the data subject. It is not necessary that the reward to the data subject is in the form of direct money. It could be in the form of reward points that are exchanged for some valuable service.

Further, the “Data Manager” as an intermediary can act like the “Personal Data Locker” and offer services such as anonymization and pseudonymization as well as providing limited set data devoid of key identifiers. He can ensure that value addition in the form of data mining and Big data analytics can be conducted without compromising the privacy of the data subject.

In order to provide an opportunity for such intermediary business, personal data should be recognized as the property of the individual and he should have the right to license it for a price. The proposed data protection act should also recognize and define the role of the “Data Manager” as a business in which the data subject transfers the right to manage his personal data exclusively to one such agency. This role is different from that of the “Data Controller” and “Data Processor” as used in laws such as GDPR. He should deal with the Data Controllers and ensure that they adhere to principles such as minimal collection, purposeful use, adequate security, removal on completion etc. When he approves disclosure of personal data of his clients, he can ensure that adequate value is returned to the data subject, however small it is.

The Data Manager will subsume the role of the Data Controller to the extent that the data subject provides his consent only to the Data Manager and all that the data controller gets is a “proxy identity”. The linking between the proxy identity and the real identity is in the hands of the Data Manager, and the principles enunciated in our earlier discussions on “Regulated Anonymity” can be used so that only responsible data controllers will get the real identity based premium personal data. Others can get lower valued proxy identity data. Some others may use a limited data set and others the de-identified data. Thus the Data Manager can effectively classify and package data offerings and create value, whereas today the data subject does not get any value for the personal data which he shares with various service providers.

This type of parallel thinking can be incorporated in the Indian Data Protection Act so that it does not become simply a rehash of the GDPR or other international data protection legislation.

Naavi


Data Protection Act.. We should aim at Compliance with Pleasure not Compliance with Pain.

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the  Justice Srikrishna report.]

The Justice Srikrishna Committee (SKC) has propounded 7 key principles of the Data Protection Act and proceeded to provide several questions in its report seeking public comments.

The Seven key principles under which the proposed Data Protection law would be based are as follows.

1. Technology agnosticism – The law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance.

2. Holistic application – The law must apply to both private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims.

3. Informed consent – Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful. The law must ensure that consent meets the aforementioned criteria.

4. Data minimisation – Data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject.

5. Controller accountability – The data controller shall be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data for processing.

6. Structured enforcement – Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralised enforcement mechanisms.

7. Deterrent penalties – Penalties on wrongful processing must be adequate to ensure deterrence.

The above principles may determine the broad contours under which the SKC may work out a draft of the Data Protection Act of India (DPAI). In the background, the Supreme Court’s views on Aadhaar as an instrument of Governance and a potential tool of breach of Privacy will be weighing in the minds of those who will work on the drafts.

One of the first counters to be raised therefore is “Whether these principles need to be expanded? or Modified?”

It is in this context that we raise the first supplementary principle to be added to the list.

“The proposed Data protection Act should be amenable for compliance by all stakeholders with pleasure and appreciation of the purpose. It should not attempt to enforce the law compliance by pain… except to the inevitable minimum required pain that accompanies all changes.”

The second principle, which follows the first, is that the proposed law should confine itself to the limitations that are inherent in such a legislation. The law is proposed as the “Data Protection Act of India”, but whether that is the right definition of the proposed law, or whether it should be considered differently, is a question to ponder.

When the honourable 9 member bench of the Supreme Court (Puttaswamy Judgement) declared in a hurry that “Privacy is a Fundamental Right under the Constitution of India”, there was no time to deliberate and come to a conclusion on “What is Privacy”. The order did not specify the definition but said Privacy is a fundamental right. So the task before the Data Protection Act legislators includes defining what they propose to protect.

A question naturally arises therefore that if the 9 eminent jurists could not define the enigmatic concept of “Privacy”, should the Data Protection Act of India attempt to do it?

Data protection legislation may not be the right law to define Privacy. It should be through a different law under the overall domain of  “Democratic Rights of an Indian Citizen under our constitution”.

On the other hand the Data Protection law can effectively define the “Security to be accorded to Data” of a particular type. “A Data Protection Act” should confine itself to protection of “Data” which may be personal data, sensitive personal data, or even corporate data. Calling an Act as “Data Protection Act” and confining it only to being an “Individual Information Privacy Protection Act” is not warranted.

However, India already has a law called “Information Technology Act” which has several provisions that fall in the category of “Data Protection”. It also has provisions that are meant to protect “Information Privacy” because of Sections 72A and 43A. Sections 43 and 66 along with several other sections such as Section 67C, Section 79, etc define responsibilities of individual information privacy protection. Sections like 69, 69A and 69B also provide the “Reasonable Exemptions”.

Now whatever the new Data Protection Act proposes will be in partial modification of ITA 2000/8 and will introduce a conflict with ITA 2000/8 and perhaps also with the UIDAI Act.

The new Data Protection law should therefore decide whether it steers clear of the existing ITA 2000/8 or tramples upon its provisions and replaces them with a new set of the same provisions under a different legal provision.

We should not forget that there is a “Health Care Data Privacy Act” which is also on the drawing board and has already been partially rolled out in the form of EHR guidelines (though the industry has largely ignored it).

One of the other principles that the proposed law should declare for itself is therefore the following:

The Proposed Data Protection Act shall work in harmony with the current established laws in the country such as Information Technology Act 2000, Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act,

The Key principles should therefore be increased from 7 to 9.

The main purpose of the suggestion is that we need a legislation that the stakeholders will absorb as a necessary legislation that is good for our society and hence all of us have a duty to comply with it.

Unlike the GDPR, which tries to impose its will through obnoxious penal provisions, the Indian Data Protection Act (or Information Privacy Protection Act, or Individual/Personal Information Privacy Protection Act, as it may be called) should not bank upon its ability to control the market with its penal provisions. By stating that the penalty can be 4% of global turnover or 20 million Euros, GDPR is showing its muscle. India can counter this by saying that the penalty may be 5% of global turnover and INR 2 billion and make it applicable to any entity in the world. With such a provision we can also make the international community raise eyebrows and recognize our existence.

But is this the way law should be imposed? by threatening to wipe out a company in case of non compliance? and leave it to the mercy of the adjudicator to determine the final penalty and if possible use his discretion as a leverage to ask for favours from the accused?

Penalty should be a deterrent but it should not be so huge that the accused either declares bankruptcy immediately or thinks of bribing his way out. It is in this context that we say law should promote compliance not with pain but with pleasure.

Data Controller is also a stake holder

In the data protection law, the drafters should also decide who the stakeholder or stakeholders are. Is the stakeholder solely the individual, with others like the Data Controller or Data Processor being only targets for imposing a penalty if they do not comply, when what they need to comply with is itself unclear?

We must accept that a Company registered in India is as much an entity that needs Government protection as the individual who is a citizen of India. Hence the law of privacy cannot go overboard and look at punishing the Data Controller severely as the EU law tries to do. Of course we do not trust the Companies, as also the Government, when it comes to Privacy protection and hence the need for the law. Law sometimes tries to provide protection to the Government separately (eg UIDAI) but imposes hefty fines on the private sector for the same offence. This may not be fair.

What follows therefore is that whatever law which is now being proposed, it should be equally applicable to a Company or the Government or an individual.

Secondly, if Individual’s data needs protection, corporate’s data also needs protection. If one is called “Privacy”, the other may be called “Data Protection”.

Hence if we call this new law as “Personal Information Privacy Protection Act”, then it can confine itself to protecting individuals against invasion of privacy that may arise because such information is not protected by a corporate or Government.

If we call this a “Data Protection Act”, then it should extend to Corporate data as well. Since ITA 2000/8 is already covering this aspect, there is no need to cover security of corporate data through this Act. On the same logic, if this law has to be a comprehensive law on Personal Data Protection, then Sections 43A and 72A need to be removed from ITA 2000/8.

If Sections 43A and 72A are to be retained and the new law has to extend to privacy protection, then the law should clearly explain that the new provision is in addition to the earlier provisions in ITA 2000/8 and not in derogation of the earlier provisions present in ITA 2000/8.

If this precaution is not taken into account, we will end up with the argument which was presented by an advocate in an adjudication proceeding in Karnataka and accepted by the then adjudicator that “Introduction of Section 43A applicable for body corporate in ITA 2008 automatically changes the meaning of Section 43 and confines its jurisdiction to individuals only”. Though the undersigned did not subscribe to this view at that time and does not even now, if law is not clear, it enables such manipulation by clever advocates to the detriment of the society.

I therefore urge the SKC to declare that

what they are proposing is not in derogation of any of the existing laws and in particular the provisions contained in ITA 2000/8 on data protection in general and personal data protection in particular.

Jurisdictional Umbrella

It is more or less imperative that the law will define that it is applicable to the processing of data of an individual citizen of India by any person including a Company incorporated in India or otherwise or by Government in India or otherwise.

However, this will naturally lead to a conflict in implementation when the law is breached by a foreign company or a Government. Similarly a foreign Company or a Government may also try to impose its own law (eg GDPR) on an Indian company and claim penalties which may be significant and also involve foreign exchange outflow.

The Proposed law provides an opportunity to ensure that this conflict between different laws applicable to a single company in India is resolved without the company (registered in India and therefore expecting the Indian Government to protect its legitimate interests) having to face several international regulatory organizations at a given time.

Typically an organization handling data processing may have personal data from persons of different nationalities. Each country is now trying to impose its own laws and also extend extra territorial jurisdiction, just like what GDPR has done in respect of information that belongs to its citizens. It has therefore become necessary for companies (Data Controllers or Data Processors) to tag every piece of personal information with the citizenship of the individual and try to apply appropriate laws. In one case it may involve “Right to Forget” and in another case there may be an “Obligation to retain”. In such cases, the Companies will be unable to comply with conviction if they do not have a data classification system that tags the information to the country of citizenship. (Hopefully there will be no dual citizenship problem).

This data protection law should recognize this problem of the business community and try to provide a solution.

The solution we suggest is two fold.

  1. Every consent should incorporate a specific clause which states that “This personal data shall be protected as per provisions of personal data protection applicable to ….. country.”
  2. The adjudication and imposition of penalties if any shall be determined as per the personal data protection regulations applicable to India and the Indian Data Protection Authority shall have the final authority in sanctioning any penalty in respect of any individual who is a citizen of India, any corporate or other organization registered and subject to Indian laws.

The jurisdiction clause is proposed as a mandatory part of the consent which itself should be mandatory.

This provision also means that if any EU entity imposes a penalty on an Indian Company, the Indian Data Protection Authority shall intervene to accept or reject the penalty claims.

In order to make the provisions of the new law fair, the law can offer reciprocal arrangements of similar nature to foreign jurisdictions and state

“Where penalties are imposed under the Personal Data Protection Act of India on a person who is either not a citizen of India or is a company registered outside India, then the Indian Data Protection Authority shall provide an opportunity to the Data Protection authority (if any) of the country to which the said company/individual belongs to implead on behalf of the said entity.”

Since some of these suggestions could interfere with international obligations, these may need to be properly drafted. The suggested intent is that no Indian Company will be directly made liable to any foreign authority, whether by a contractual agreement or otherwise, without a sanction of the Indian authorities. If this umbrella of protection is not created, GDPR will be an instrument that will create colonies in India and allow European companies to control Indian Corporate entities.

Naavi

(Discussions will continue)


Right to Privacy should cease at death

At a time when India is debating a new law on Data Protection, an interesting question has been raised before the Supreme Court about the “Right of Privacy” and whether it extends beyond death. The recent judgement of a 9 member bench of the Supreme Court, referred to as the “Puttaswamy Judgement”, was hailed as a “Landmark” judgement because it held that “Privacy is a Fundamental Right”.

At Naavi.org, we have discussed the Privacy Judgement in detail. In conclusion, we discussed the need for a proper definition of Privacy before we worry about how to protect privacy. (Refer: “The Privacy Judgement… Conclusion.. Need for Definition of Privacy” )

According to us, it was a failure of the Puttaswamy judgement that it did not define Privacy as a Right and only went about beating around the bush on the “Protection of the unknown and undefined right called Privacy”.

How can we protect a Right without defining the Right itself?

It is not prudent to make a law for protecting a concept which itself is not properly understood and defined. If we attempt to do it, then it will provide endless scope for litigation and will not help honest citizens.

Criminals will however take full advantage of such ambiguous law and ensure that they thrive at the cost of honest citizens.

The mistake committed by the 9 member bench to declare Privacy as a Fundamental Right without a definition of Privacy has now opened the question as to whether the “Right of Privacy” extends after the death of a person.

I hope this lacuna will be corrected in the Data Protection Law that the Government is trying to develop.

Background

It must be recognized that the current issue, namely “Whether the Right of Privacy extends beyond death”, has arisen because there is a need to access and verify finger print data of the late J.Jayalalitha, available with UIDAI as well as the Jail authorities in Karnataka, to decide on an allegation that her finger print was affixed on a document when she was in a state of health where she was either already dead or was unconscious.

There was a reasonable ground to believe foul play since during the entire period of her hospitalization, access to her was not permitted to anybody other than a small group of people. Even prominent political leaders including Mr Rahul Gandhi and Venkiah Naidu came to the hospital and returned without even looking at the patient.

The prima facie perception which the citizens carried at that time was that the hospital and the Sasikala faction of AIADMK were in collusion and did not declare the true condition of her health. Even the current dispensation of the TN Government did not know her true state of health.

During such a state of doubtful health, she was supposed to have affixed her thumb impression on one of the documents which has now been questioned.  It was a reasonable doubt in the minds of the public that the thumb impression was not willingly placed by a person in understanding of the document on which it was placed and hence it was a “Forgery” and a “Fraud”. The fraud is on the citizens of India both those who like/d or dislike/d Ms Jayalalitha.

Now the honourable Supreme Court has intervened on a petition before the High Court and stayed a request for verification of the genuineness of the thumb impression.

Unfortunately, by granting a stay, the Supreme Court has intervened in a case where Criminal Conspiracy has to be investigated and the only persons who could benefit from this stay are people who want to hide the actual events that surrounded the mysterious death.

Even the UIDAI has wrongly taken a view that it cannot submit the copy of the thumb impression to help in the judicial process and in the process is supporting an attempt to protect the secrecy of the doubtful death rather than bringing out the truth.

By trying to protect this questionable request not to grant access to the finger print and proceed with the investigation whether it was genuine or not, under the garb of a discussion of Privacy, the Supreme Court will be further muddying the waters to an extent that people will question the integrity of the Supreme Court. Let us not forget that some of the Judges who will sit in judgement in this case may be persons who could have acted as Jayalalitha’s advocates in her days in power.

What is Right to Privacy

It is necessary for us to first define the “Right of Privacy”. As a fundamental right, Privacy can only be a Right that a Citizen can exercise against the democratic state committed to a constitution. If one “Fundamental Right” is considered the “Right that extends beyond death”, every other Fundamental Right can also extend beyond death.

If we define Privacy as a “Right to Life and Liberty” there is no logic in extending it to a dead person who does not have life or liberty.

Privacy cannot be equated to “Right of Secrecy”.

In a situation where the person has died, “The right to privacy of the dead person” cannot be extended as “Right to secrecy of the people around not to provide truthful information” or “Right to protect the deceased from loss of reputation”.

There is no doubt that the Supreme Court has powers to give any judgement and nobody can question their wisdom if they say Privacy extends beyond death. They may even quote some international practices and justify whatever they decide.

But if they do, it cannot be seen as anything other than an attempt to protect the secrets surrounding the death of Ms Jayalalitha and to protect those who could be implicated for causing her wrongful death and compounding it with fabrication of documents with her alleged finger print. Hence whatever judgement they come to will be seen with a sense of suspicion and distrust.

The feeling that “I have a sense of Privacy” is a “State of Mind” and not a “State of Physical location”.

Let’s think……

When a person is in the Mumbai local, does he have a sense of loss of privacy because of the proximity of the next person? When a person is all alone in a deserted street in the night, does he enjoy our right of privacy?….

If a human desires to have other people around him in certain circumstances and does not mind them being too close physically, Privacy cannot be a matter that is determined by the physical proximity of the person or Right to access his body or private physical space.

Right to “Peaceful state of mind” is a creation of the person himself and not that of the environment. Hence Privacy cannot be equated to anything physical but can only be a state of mind of a person. If a person feels that he is alone, he will have a sense of privacy even in a crowd. If not, he will not feel “Privacy” even if he is in a graveyard.

Being a “Mental State”, Privacy can only be an experience of a “Living Person” and not a dead person. The Right to protect the information about a dead person can only be a “Right to be protected against defamation after death” and not a “Right to protect Privacy”. Right to be protected against defamation is fine but in the current case, it is not the reputation of Jayalalitha at stake and it is the reputation of the people who were around her at that time which is at stake. This cannot and should not be linked to the Right to Privacy of Jayalalitha living or dead.

It would therefore be appropriate if the stay is vacated forthwith and the UIDAI also directed to assist the judicial process.

I would like to point out that if the Supreme Court makes an exception to this case because they may consider that Ms Jayalalitha dead or alive is a special person, then in every other property case where a dead person’s finger print has been affixed on a document after his death, the perpetrators of the crime will claim protection under “Privacy”. There are many past cases where forensics have proved that such property documents were fraudulent and in future there will be no scope for preventing such frauds.

I hope the Supreme Court will be intelligent and honest enough to understand the consequences of holding the Right of Privacy as subsisting after the death of a person and come to the right decision.

Naavi


Magistrate D Arul Raj is an unsung hero in development of Jurisprudence under Section 65B of Indian Evidence Act

International Commission of Jurists, Bangalore had organized a lecture on Digital Evidence and Section 65B of Indian Evidence Act at the Karnataka High Court on 8th December 2017.

Speaking on the occasion, Naavi highlighted the evolution of Section 65B as a law since 17th October 2000 when the ITA 2000 was notified till date. He also explained the nuances of Section 65B and why it is a very innovative legal provision that has added great strength to Indian Cyber Law.

In the process, Naavi recalled that the first “Section 65B certified evidence” was produced in a Court of law in the historic case of State of Tamil Nadu Vs  Suhas Katti in AMM, Egmore, Chennai in 2004. This case has been recognized as the first case of conviction in India under ITA 2000. However Naavi pointed out that this case was also historic from the point of view of Section 65B since the evidence presented in the case was a Section 65B certificate submitted by Naavi  dated  18th February 2004 in which content which was present as an electronic document on Yahoo Groups server was brought to the evidence and admitted. This was the critical evidence which evidenced the commission of the crime on which the accused was convicted under Section 67 of ITA 2000 besides Sections 469 and 509 of IPC.

Subsequently, it was only on 18th September 2014 that in the P.V.Anvar Vs P.K.Basheer case in the Supreme Court that the eminent judges led by Justice Kurien Joseph stated that Electronic Documents can be admitted as evidence only if they are accompanied by Section 65B Certificate. In the process, Supreme Court over ruled the earlier judgement in the Afsan Guru case which on 4th august 2005 had held that in certain circumstances electronic documents can be accepted without Section 65B certificate.

While it took 14 years for the larger community of Judges to highlight the importance of Section 65B, it should be recognized that Justice Arul Raj had created history by appreciating such evidence and accepting it for the trial. At that time it required courage of conviction to accept a piece of paper submitted by a private person in Chennai as convincing evidence that a defamatory electronic document existed in the server of Yahoo in the US.

The acceptance of Section 65B evidence was not the only point made out in this case. The defense raised a query whether a private person like Vijayashankar could submit the Section 65B certificate and whether it was not necessary for a Government appointed person to submit it. Mr Arul Raj again came to the right conclusion that Section 65B does not restrict the submission of a Section 65B certificate only to a Government authority.

The decision of Arul Raj in the Suhas Katti case was not just a flash in the pan or a decision prompted by the circumstances. Some time later in the same year, Mr Arul Raj took another decision related to Section 65B which again was a point that was touched upon by the Basheer case and requires to be highlighted now.

In this case, a case of defamation had been filed by actor Trisha against a Tamil publication which had published some photographs extracted from a video which was in circulation on the internet at that time. A series of screen shots had been printed in the magazine. Police had raided the office of the publication, seized a CD containing the video and filed the charge sheet stating that the content of the CD was printed in the magazine and hence the CD was a prime evidence for the case.

Justice Arul Raj at that time invited the undersigned to the Court and asked me to view the contents of the CD on the computer in the chamber and provide a Section 65B certified print out so that he could proceed with the trial on the basis of Section 65B certified copy.

The logic behind this decision to invite an external consultant to convert the contents of the CD, which was already on hand with the Court and which many could say was the “Primary” evidence, into a Section 65B certified print out, which many would say is the “Secondary” evidence, was a master stroke of understanding of the principle of Section 65B.

I personally feel that Mr Arul Raj should be honoured specially for displaying a vision that though the “Primary” evidence is with the court, it cannot be appreciated by the Court without the assistance of a “Section 65B certified document”.

In the Basheer case a reference has been made that if the original CD in which the recording which formed the evidence for the case had been seized by the Police and presented, it could have perhaps constituted a “Primary” evidence and non availability of Section 65B could have been condoned.

In many other cases also, we sometimes see that Courts ask the “Mobiles” containing the evidence to be presented as “Primary Evidence”. Hard disks are often presented as “Primary Evidence” for documents in a Computer.

Even assuming that the original binary impressions which first generated the electronic document which is the evidence in question are in the possession of the Court, embedded within the container called the hard disk or a mobile, the Court cannot simply view the content itself and admit the evidence into the proceedings. If any Judge proceeds to admit the evidence because he himself saw or heard the electronic document, then he is himself taking the responsibility to confirm that the computer, the operating system, the application and its configurations etc., which all combined to render the binary data of the electronic document into a human intelligible experience, were working properly etc., as envisaged in Section 65B.

It is therefore essential for the Court to involve an external person to produce a Section 65B Certificate before accepting the evidence into the proceedings.

Mr Arul Raj had realized this way back in 2004 and that is what I call a visionary understanding of the challenges involved in appreciating digital evidence presented to a Court in its “Primary” form.

During the last several years, the undersigned has assumed credit for having been the person who first presented a Section 65B certificate in a Court. The Police officer who was involved in the case as an IO, namely Mr Balu Swaminathan (who was the ACP in charge of the Cyber Crime cell in Chennai at that time) has also been commended and recognized for being the first IO to get a conviction under ITA 2000.

But I feel that the magistrate Justice D Arul Raj has not perhaps been properly recognized for displaying his vision beyond the normal call of duty which brought in the conviction as well as the appreciation of electronic evidence in proper form.

Today, we are not aware where Justice Arul Raj is. But Naavi as a person and Naavi.org/ceac.in consider it our duty to record the contribution of D Arul Raj in the development of Cyber Jurisprudence in India and honour him with this article.

We wish that appropriate persons in Tamil Nadu locate Mr Arul Raj and provide him the due honour that he deserves.

We urge my friends in Cyber Society of India and Prime Point Foundation in Chennai to take the lead in this regard.

Naavi


Infosys Finacle.. set to radicalize Indian Financial System.. has Finacle Trade Connect been approved by RBI or IDRBT?

The fact that Technologists have scant regard for law is well known. The developments in the Bitcoin scenario are an indication.

Although Bitcoin is the established “Currency for the Criminals” and “Black Money Hoarding Tool”, technologists say “So What?… I will do what I want.. Let Modi catch me if he can”. Some will say it is “Innovation for Disruption”.

RBI does not have the courage to do what it knows is good for the society…that is banning private Crypto Currencies like Bitcoins like we ban drugs and arms trading.

One of the ways by which Crypto Currency is trying to establish itself is by making Block Chain technology creep into Banking transactions and gain a level of respect that will latch onto Bitcoin as well in due course.

Few in the public will realize that Block chain is a technology and Bitcoin is a product and Blockchain may be acceptable but Bitcoin is not. Bitcoin will be promoted on the adoption of Block chain as a technology under the pretext “Block Chain is adopted by Banks and hence Bitcoin is also likely to be adopted by them soon”… The myth will be corroborated by the news about the price of Bitcoins soaring.

We therefore need to ensure that Block chain technology does not have an unfettered entry into the system. If Bitcoin has to be blocked, Block Chain’s limitations need to be exposed.

Now we have the dangerous tendency creeping into the Banking system where “Block Chain Technology” is being implemented for different transaction recording. ICICI Bank has reportedly made transfers of Bitcoins from Gulf though the legality of Bitcoin is itself not settled. As long as Bitcoin is being treated as a currency, it is illegal and any Bank indulging in activities related to Bitcoin is violating the RBI Act.

Today, it is reported that Infosys Finacle has launched a new product “Finacle Trade Connect” incorporating the blockchain based trade finance solution for banks.

Mr Sanat Rao, Chief Business Officer, speaking at the time of launch has stated, “the new solution will provide higher automation, increase transparency and enable real-time availability of data”.

Significantly, he has also said

“The framework is ledger agnostic and is capable of working with most industry leading blockchain platforms such as Bitcoin, Hyperledger, Ethereum and Corda”.

This is therefore to be construed as a promotion of Bitcoin, Ethereum and other “Criminal Currency” and Infosys will today join the ranks of terror sponsor organizations like People Front of India (PFI) in radicalizing the Indian Monetary system.

It is unfortunate that the business case made out by Infosys Finacle is to provide a platform for use of Bitcoins and other private Crypto Currencies which are an alternative to holding of Black money.

This is a direct affront to Mr Modi’s fight against corruption and fight against Black money and today Infosys Board including Mr Narayana Murthy and Nandan Nilekani has to explain the statement of Mr Sanat Rao.

I also state yet again, Mr Urjit Patel the Governor of RBI is allowing these developments because he has chosen to remain silent without showing the guts to oppose Bitcoin. I have no expectation from Mr Arun Jaitley and the Finance Ministry because I feel that they are actually in support of Bitcoins and are only held back by RBI’s opposition and possible Supreme Court intervention.

Where do Mr Modi and Amit Shah stand on this? As of now it is not clear. Though I have sent many communications to the PMO, Mr Modi and the PMO have chosen to remain silent because they do not want to go against Mr Arun Jaitley’s advice. I presume that Mr Jaitley is still reeling under the pressure of managing the fallout of demonetization and GST and is unable to take any other hard decisions and will be happy to procrastinate and keep “Observing” how Bitcoin creeps into our economy.

We Indians made the same mistake of allowing terrorism to creep into Kashmir and today Kashmir is a problem that has become too difficult to handle politically. In the same way Bitcoin, if not killed today, will eat into the Indian Economy and devour our system.

While the politicians wait for the Gujarat elections to be over, I would like to ask some questions to RBI and IDRBT.

  1. Finacle Trade Connect is meant to be a product to be used in the Banking system. Is it not necessary for IDRBT to clear the software? Has it been done?
  2. Block chain is a technology of ledger keeping where there is no central authority for authenticating any transaction. It is a peer to peer authentication. Our Banking system involves a Banker-Customer contractual relationship. If I as a customer of a Bank propose a transaction to the Bank, how can some Tom, Dick and Harry operating a block chain node approve my transaction? Is it not a power of attorney holder of the Bank alone who has the right to approve my transaction?
  3. Why should every block chain node at all be aware of my transaction even if it is encrypted?
  4. How does Banking law permit disclosure of my confidential transaction to be published on the block chain?
  5. Who will take the liability if the approval is defective?
  6. What if the block chain forks?
  7. Since Block chain is a public chain, is it not amenable to DDOS attacks and malware injection? Who will be responsible for such malware attacks?
  8. Is the statement of Finacle indicative that IDRBT has approved Bitcoin as a technology and Banks are preparing for use of Bitcoins in their transactions?
  9. Since Infosys is the organization behind GST which had many technical glitches thanks to their inefficiency, will Infosys also push the Block Chain technology to GST as well?
  10. Dear Mr Modi, are you aware of the implications of remaining silent on Bitcoin introduction into our economy? I do not see any difference between this and the poisoning of the Indian minds by organizations like Zakir Naik and PFI. Why are you shying away from taking control of this Black money alternative called Bitcoin?

I look forward to agencies like RBI and Finance Ministry responding to these questions. Honest India wants to know if Corruption has grown so big that even Mr Modi has to bow his head before Bitcoin?

Naavi

P.S: As an honest Citizen of India, Naavi has done enough to highlight the dangers of Bitcoins and why it needs to be banned in India. If the Government, RBI and informed members of the Public still want to embrace Bitcoins it is their choice.

However, if the Indian economy collapses, then even people like us will have to suffer. But if this is the future of India we have to suffer and the concept of Achche Din, perhaps Naavi has to also accept defeat that Corruption in India is the king and Bitcoin which is the most effective tool of corruption cannot be defeated…. 

Hope this is the last article on Bitcoin that I need to write…

Naavi

 


FKCCI Bangalore discusses Bitcoin as an Investment

On 27th November 2017, a talk had been arranged by the Federation of Karnataka Chambers of Commerce, in the FKCCI building, K.G.Road, Bangalore. The gathering, consisting mainly of members of the chamber, was addressed by Mr Satvik Vishwanathan, CEO of Unocoin.com, one of the early entrants into the Bitcoin trading in India. He made an excellent presentation on why Bitcoin is a great investment. As could be expected, the talk focused on how Bitcoin price has grown by 9000% in the last few years and how it is a good substitute for fiat currency holding etc.

Many in the audience were perhaps impressed and decided that part of their export sales should be collected in Bitcoins.

After the meeting, promotional vouchers of Rs 500/- were distributed free to all the participants as seed money in the form of “Bitcoins” if they register in the Unocoin.com website.

There was a brief discussion at the end of the talk in which the undersigned cautioned the participants that until RBI and SEBI approve legitimacy of the Bitcoin, investment should not be considered. Some aspects such as the possible use of Bitcoins for Black Money hoarding were also briefly pointed out by some members.

However, the event itself being held in the FKCCI building under the patronage of the Chamber, and the recent two page ad in Sunday Express, indicate that the Promotion of Bitcoins is going unabated while the RBI and the Government are dithering and not coming out with a decision to ban crypto currencies.

Many in the audience were perhaps sold on the dream of Bitcoin soaring to the Moon/Mars faster than NASA’s rockets. The meeting was therefore successful in its objective of promoting Bitcoins as an investment and as an alternative to currency. Mention was also made about some entities in Bangalore receiving Bitcoin as a payment for goods and services as if the practice is welcome.

Will the dreams of a Bitcoin investment soaring to the skies be a reality? Only time will tell. But if people invest their hard earned money and lose, all responsible persons particularly in the regulatory structure in the country should take responsibility.

One of the participants mentioned that when a Malaysian Company made a marketing tour of India and sold the concept of investing in their Gold Coins, many lost money and about 56 persons committed suicide. I recalled that when that meeting was held in Chennai, I had shot off a letter to the DGP there predicting that it would be a scam one day. Of course, the DGP did not heed the caution and investments were made by many. Similarly, today we are looking at another dream called Bitcoin and perhaps one more set of suicides in the coming days.

The RBI Governor and Mr Arun Jaitley will perhaps wake up when there is some major calamity that will result in a number of people losing their investment in Bitcoins. Until then, the dream of a $10000 value per Bitcoin will be attracting greedy people like moths take to light.

On our part, it is a fair speculation that some of the decision makers in the Government are sold out to the Bitcoin industry because it represents the cumulative strength of all the black money which Mr Modi wanted to remove from the system. The Politicians, Criminals as well as Businessmen and IT evaders have all got vested interests in ensuring continuation of Bitcoins in use and are happy with the RBI not coming up with a ban but continuing to make the ridiculous statement that “They are observing”.

It is depressing to note that Corruption is showing its strength and even Mr Modi is unable to kill Bitcoin which is the alter ego of Black money.

Hope Mr Modi will wake up from his slumber at least after the Gujarat elections and talk about demonetization of crypto currencies in his next Mann Ki Baat.

Naavi
