Section 65B in the Quantum Computing Scenario

I must admit here my excitement about Quantum Computing and discussing the impact of a principle of Physics for Cyber Law development, since I left my formal college education as a student of Physics, when Quantum Mechanics was in its infancy, and it is a feeling like being “Back to the Past”.

Though I had my post graduation in Nuclear Physics and studied Particle Physics to some depth, specialized in subjects such as Nuclear Forces etc., the subject of Quantum Physics was still new and not understood properly at that time. I had even baffled everybody including myself in an interview at Physical Research Laboratory (PRL) in Ahmedabad when I solved a quantum physics question in real time put to me by the interviewers who were interviewing me for the post of a “Scientific Assistant”, which most other interviewees had failed to do.

Though I refused the offering despite repeated requests to join and turned my back to the pure science, I never imagined that after 40 years I will return to study the impact of Quantum Mechanics to the present domain of my specialization which happens to be the Techno Legal aspects of Law.

But it appears that Cyber Law in India and elsewhere will be deeply impacted by emerging technologies, of which Quantum Computing is one which will overturn many of the present concepts of law.

Hence study of “Cyber Laws in the Emerging Technology Scenario” will be the new focus which we should term the “Quantum Cyber Law Specialization” or “Futuristic Techno Legal Specialization”.

Naavi


Today I have taken one topic for discussion which is the interpretation of Section 65B of Indian Evidence Act (IEA) and to examine if Naavi’s Interpretation of Sec 65B survives the Superpositioning concept of Quantum Computing.

The legal and Judicial community has struggled to interpret the section even after 18 years of its existence and it would be a further challenge to interpret Sec 65B in the emerging quantum computing age. For a large part of these 18 years since Section 65B (IEA) came into existence, few recognized its existence and hence there was not much of a debate on the topic. It is only in the recent past that the community has started discussing the issue, many times with a wrong perspective.

During most part of this time, Naavi’s interpretation of Section 65B was not seriously challenged. In the recent days there are a few law professionals who would like to interpret things differently. They may draw support from some Judges who are dishing out judgements without fully understanding the impact of their wrong decisions on the society. This tendency comes from the inability of some to unlearn what they have learnt for the last 3 or 4 decades of their legal career. They are therefore uncomfortable with what the Supreme Court stated unambiguously in the Basheer Judgement and want to interpret things in their own way.

Naavi has been saying, wait… it took 14 years for Supreme Court to realize the existence of Sec 65B and it may take a few more years for the entire community to come to the same understanding which Naavi has been advocating since 2000.

In this connection, I have tried to give a thought to what will happen to my interpretations of Section 65B when Quantum Computing comes into play.

Quantum Computing is not an easy concept to understand even by specialists in Physics. Hence for the lawyers and judges to understand Quantum Computing would be understandably challenging. It is possible that I also may have to refine some of my own interpretations presented here and I reserve my right to do so. I will however explore all the Cyber Law challenges presented by the Quantum Computing. For the time being, I am only looking at the concept of “SuperPositioning” and its impact on Section 65B interpretation.

What is SuperPositioning

SuperPositioning is a concept in Quantum Computing.  In the classical computing scenario, a Bit can have a value of either 0 or 1. The Quantum Bit or Qubit can however have a value of 0 and 1 at the same time. When you measure the value, it will show either 0 or 1 but when you are not measuring it can hold two values simultaneously.

This “Dual State capability” of a Qubit may be fascinating for the scientist who swears by the concepts such as Heisenberg’s principle of uncertainty, multiple quantum energy levels of the electron in a hydrogen atom, quantum energy state of the nucleus of a Phosphorous atom, the direction of spinning of a sub atomic particle, light being both a wave and a particle at the same time, there being a parallel universe, time being a new dimension, Worm-hole being a tunnel to future, etc.,.

But to a judge who is looking for “Evidence beyond reasonable doubt” and for the criminal justice system where a witness is expected to answer only in the binary- “Yes” or “No”, the uncertainty inherent in the Quantum Computing will be a huge challenge.

In fact, at present we can state without batting an eyelid that if I stand on the witness box and start talking of the “SuperPositioning” and more specifically on the “Entanglement” aspects of Quantum Computing and how it requires a re-interpretation of Section 65B, I will be thrown out of the Court as somebody who has lost his mind.

Since nobody can throw me out of this blog, let me take the courage to proceed further and try to raise some issues which may be academic discussion points as of now but will be important for the Cyber Lawyers of the future.

But in the days to come, Cyber Law will be revised to accommodate the “Uncertainty Principle of an Electronic Document”. The time to recognize this concept has already come in respect of Section 65B.

Current Dilemma in Section 65B Yet to be resolved

From the years since ITA 2000 came into being and until the Supreme Court judgement in the P.K.Basheer case on 18th September 2014, there was little discussion on Section 65B of Indian Evidence Act (IEA) in the higher echelons of the Indian judiciary.

The decision of the Chennai AMM Court accepting the first Section 65B certificate issued by Naavi and convicting the accused in the historic Suhas Katti case (Refer here), was perhaps too insignificant in the eyes of the many senior advocates to take note of and hence was not noticed.

Since there were no debates in the august Supreme Court about Section 65B, “Eminent Advocates” who had gained their eminence through their expertise and years of work in “Non cyber law” domains such as Constitutional Law or Law of Evidence did not take time off to discuss the implications of Section 65B in right earnest. One opportunity that was presented in the Afsan Guru case in 2005 was lost because the case was a high profile case of terrorist attack against the Nation in which technical issues could not be given too much of importance. Hence when Mr Prashant Bhushan raised the technical issue of non availability of Section 65B certificate for some of the evidence, Court considered the other evidence before it and proceeded with the case.

This was interpreted as a rejection of “Mandatory requirement of Section 65B certificate” under Section 65B and became a precedent that prevailed until the Supreme Court overturned it in the P.K.Basheer case.

However, Naavi continued to hold his fort and did not accept the Afsan Guru judgement in respect of mandatory requirement of Section 65B certificate for electronic evidence admissibility as correct.

We have discussed several of the issues arising out of P.K.Basheer judgement both in naavi.org and ceac.in and readers may refer to them for more clarity.

We have held that the P.K.Basheer judgement has provided judicial support to most of the views of Naavi regarding Section 65B. There was only one aspect of the judgement where we have pointed out that a clarity remained to be exercised. It was in the view expressed in the judgement as follows:

“The situation would have been different had the appellant adduced primary evidence, by making available in evidence, the CDs used for announcement and songs. Had those CDs used for objectionable songs or announcements been duly got seized through the police or Election Commission and had the same been used as primary evidence, the High Court could have played the same in court to see whether the allegations were true. That is not the situation in this case. The speeches, songs and announcements were recorded using other instruments and by feeding them into a computer, CDs were made therefrom which were produced in court, without due certification.”

Naavi has consistently held that “Electronic Record” is a third type of evidentiary object that is different from “Oral” and “Documentary” as provided in Section 17 of IEA and should be considered as a special category whose admissibility is under the provisions of Section 65B alone.

While interpreting Section 65B, some of the “Eminent Non Cyber Law Jurists” have still not reconciled to the unlearning of the concept of “Primary Evidence” and “Secondary Evidence” where “Primary Evidence” lies inside a CD or a hard disk and “Secondary evidence” is a copy that is produced since primary evidence cannot be produced in the court.

In the electronic document scenario, the original document is a “Binary Expression”. The binary expression which we call as an “Electronic Document” is a sequence of bits which is present either in the form of magnetic states of a unit of a magnetic surface or as the depressions on a CD surface which reflect light in a manner different from its neighboring unit. The stream of such bits when read by a reading device associated with a software running on a hardware interprets the sequence of binary expressions as a “Text”, “Audio” or “Video” which we, the humans call as “Electronic Documents” and debate if it is “Primary Evidence” or “Secondary Evidence”.

The “Original Electronic Document” is an expression that can only refer to the first creation of a given sequence of bits which constitute an electronic document being interpreted as evidence. For example when a digital camera captures a picture, it first creates a sequence of bits in the RAM space. This is however not a recognized electronic document where it is in a state not “meant to be accessible so as to be usable for a subsequent reference”. (Sec 4 of ITA 2008).

When this sequence of bits gets transferred to  a “Stored Memory” in a device such as a “memory card” or a “hard disk” etc., that represents the first instance of the electronic document that came into existence. Before this, the magnetic/optical surface on which the document is recorded was in a  “Zero State”. Every bit on the surface was designated “Zero”. When the electronic document is being etched on the surface some of these “Zero” s were converted into “Ones” and the “Unique sequence created” was subject to a “Protocol”. This sequence of bits stored subject to a “Protocol” is what we call as “Original Document”.

But this “Original Document” has no meaning without being read in devices which understand the protocol and render the information in a human understandable form. For example, if the image has been captured in .txt or .doc or .mp3 or .avi or .mp4 formats, then the electronic document has a sequence of zeros and ones which conform to the respective protocols. It is not possible to separate the protocol information from the electronic document itself and hence the document remains in a given format along with the protocol information.

When a reading device is presented with the electric/electronic impulses generated by such a sequence of bits, if the device is capable of interpreting the protocol, it will convert it into a humanly experienceable document which we may call as Text, Audio or Video which a judge can view and take action. If the device is not capable of understanding the protocol, the document would be rendered in an unintelligible form. If it is a text, it will appear as gibberish, if it is an audio we may hear a meaningless echo sound, if it is a video we may see only lines on the screen. If a sequence of bits needs to be experienced by a human being, we must use a device which understands the protocol and converts the bits in a specific manner into a humanly readable/hearable/viewable form on a computer screen or a speaker.

So, even if in the Basheer case the original CD had been produced or in the case of Suhas Katti, the hard disk with yahoo.inc had been produced or in other cases, the memory card of a video camera is produced as “Original Evidence”, the judge can view it only if he uses a device which is configured to the protocol to which the sequence of bits corresponds. If the judge takes a view of the document as he is seeing on a computer, he is responsible for the protocols that have been used in rendering the sequence of bits to a humanly understandable document.

In a comparable environment, if a “Forged” signature is being questioned before a Court, the judge can himself view the signature and form his own opinion on whether the signature is forged or not. But prudence requires that the Court will ask another expert to give it a certificate whether it is forged or not so that the Judge does not become the witness and will only try to interpret the evidence with reference to the law.

The same principle applies to electronic documents viewed by a Judge without insisting on a Section 65B certificate from another.

This aspect was recognized by the magistrate Thiru Arul Raj of the Chennai AMM court in the Trisha defamation case referred to by me in my article on “Arul Raj, the Unsung Hero” (Refer here) in which the principle was laid down that even when the so called “Original” electronic document is before the Court, it has to be Section 65B certified by a third party.

In this background we can now appreciate why the Section 65B certificate requires that it has to be produced in the manner in which it is required to be produced namely

“identifying the electronic Documents rendered in the computer output”,

“Indicating the process by which the computer output was produced”,

“Providing certain warranties on the production of the Computer output” and

then considering the “Computer Output” as “Admissible Evidence” without the need for producing the original.

In this process the Certifier is stating that when he followed a certain protocol which is indicated in the certificate, he was able to view the electronic document in the form in which it has been presented in the computer output and he is responsible for the faithful reproduction of what he himself saw or heard into the format in which he has rendered the computer output.

I wish all eminent jurists including the Judges of Supreme Court go through the above multiple number of times to appreciate why I have been stating that Section 65B certificate can be produced by any third party (subject to a level of credibility) who has viewed the document and not necessarily the administrator of the device (as wrongly indicated in the SLP order in the case of Shafhi Mohammad).

This also underscores my view that in the case of electronic document, we always deal with the “Secondary Document” which  is a rendition of the original etching of the binary sequence and humans are incapable of viewing the “Original” which is a binary expression mixed up with the viewing protocol. We should stop comparing the “Computer Output” under Section 65B with a photocopy of a paper document and talk as if both are same.

Quantum Computing Era

Now, let us turn our attention to the main object of starting this post which was to look at Section 65B in the context of the emerging technologies such as “Quantum Computing”.

The legal professionals may find the earlier paragraphs hard enough to digest and may not have the stomach to start debating what would be Section 65B interpretation in the Quantum Computing era. Maybe this is too early to discuss the Cyber Law requirements for the emerging technologies since even scientists have tried to start understanding Quantum Computing only now.

But a “Futuristic Cyber Law Specialist” (whom we may also call “Quantum Cyber Law Specialist” or a “Futuristic Techno Legal Specialist”), needs to tread a path which nobody else has trodden and therefore we shall continue our exploration.

We must realize that Quantum Computers are expected to work along with Classical computers and hence the current concepts of data storage in bits with “0 or 1” state may not vanish with the advent of Qubits with “0 and 1”. But data may be processed in an “Artificial Intelligence Environment” using “Quantum Computing” and presented in a classical computing environment.

In view of the above, Quantum computing will be part of the process but the  human interaction with the electronic document which will be certified as a computer output in a Section 65B certificate would be in a classical computer.

Additionally, “Quantum Computing” may sit in between two classical computing scenarios. For example, data may be captured by a classical computing system and become part of the “Big Data” which is processed by a Quantum Computing system and results rendered back in Classical computing environment.

Though the journey of the “Electronic Evidence” from birth as the “Original binary impressions” on the first classical computing device passes through the “Worm-hole like” quantum computing environment, it comes back into the Classical computing environment when the Sec 65B certifier views it and converts it into a Computer output.

I therefore consider that Section 65B certification interpretation of Naavi will survive the Quantum Computing age. Lawyers may however raise certain forensic doubts regarding the reliability of an electronic document certified under the Section 65B and Forensic witnesses under Section 79A may need to answer them to the satisfaction of the Court.

However Section 65B certification being a matter of fact certification of what is viewed as a Computer output in the classical computer of the observer will not be vitiated by the complexities of the processes that go behind the scene.

Courts should understand that they are not entitled to confront the Section 65B certifier to a cross examination on the reliability of the back end processing systems as long as they are the standards the industry of computing adopts as technology.

I look forward to views from both my legal and technology friends regarding the above.

Naavi


Quantum Computing and Emerging Cyber Law Challenges..Are we ready?

Cyber Laws have been in discussion in India since around 1998 when the first draft was published. After the passage of Information Technology Act 2000, the laws came into existence and started affecting every one of our activities on computer including personal activities such as E Mails, Web activities, Mobile phone communication, etc as well as commercial activities such as  E banking, E Commerce, E Governance etc.

However after 20 years since the draft E Commerce Act 1998 was released by the Government of India, our Courts and Police as also the Lawyers are still struggling to understand and interpret the law. We therefore have difficulties in understanding Section 65B certification of electronic evidence, the legal implication of digital and e-sign, understanding certain crimes such as hacking,  the man in the browser attacks, Viruses, Trojans etc.

Indian judicial system however, being an adversarial system, is capable of absorbing inadequate understanding and interpretation of law since the responsibility of the judge is to interpret evidence and arguments as presented by the parties. At higher levels, Judiciary is comfortable with a state of inconsistency so that every judge takes his own decision based on what he understands of the law and leaves it to the higher judicial authority to correct mistakes if required.

This means, Garbage in Garbage out principle is applicable for our Judicial verdicts. This is acceptable to the Judicial system. But should it be also acceptable to the victims of bad judgements?…a point to ponder

In some strange way, being a country where citizens are tolerant of inefficiency and corruption in all affairs of the Government, Police and Judiciary, we simply shrug off a bad decision and move on.

But one thought comes across my mind when we observe some of the latest developments in technology around us.

First is the advent of Big Data, Data Analytics, IoT, Artificial intelligence etc which are common discussion points today in the IT industry. We have been discussing what happens to the concept of “Privacy” when “Aadhar” is used as a Universal ID as if it is the biggest challenge before humanity. Silently however, Artificial Intelligence and humanoid robots have made their appearance which will create many new challenges to the Cyber Law makers and Cyber Law interpreters.

Some of the challenges in application of Cyber Law to the current technological developments have manifested in the domain of Banking and Finance. The debates on Block Chain technology, Bitcoins, etc. are issues that have presented the complications that the new technologies may be creating in the economic world. If a simple negligence in technology implementation in Banking such as not linking SWIFT messaging system to the CBS system, and providing access without robust security in Banks can give rise to frauds worth thousands of crores and destabilize our economy and stock markets, we can imagine what kinds of upheavals may be caused in the society when the new technology developments such as Artificial Intelligence and humanoid robots take over key decision making process in say our Governance and Military operations.

Parallelly the manufacturing industry is also transforming itself into the Industry 4.0 state where Cyber Physical systems take over manufacturing processes with Artificial Intelligence and Data Analytics supporting the back end decision making process. The manufacturing industry is much less Cyber Law aware than the Banking and IT industry and hence the legal implications of frauds as well as the probability of frauds and crimes occurring in the manufacturing sector is much higher than in the Banking and IT industries.

I therefore anticipate a higher level of problems in the Manufacturing industry in India when the IT professionals try to push through “Disruptive Innovations” unmindful of the “Destructive Impact” on the society.

The Information Security focus therefore needs to be re-directed to address the requirements of the manufacturing industry even while we tackle the issues in the IT and Banking/Finance domains.

The fact that even after 20 years of introduction of Cyber Laws in India, our Legal and Judicial system is yet to understand the law and implement it in a consistent manner makes me wonder, how the Cyber law creators and Cyber Law interpreters would react when the new developments such as “Quantum Computing” becomes a reality.

A few months back, I remember that one technologist did ask me in a meeting if Indian Cyber Law is ready to face the challenges posed by Quantum Computing. Though I did state that a “Proper Interpretation” of the current laws could help us interpret the laws whether the information is processed in a classic computer system where data is stored in “Binary” language or in Qubits where the data is stored or processed differently, considering the inability of the system to understand even the current system of laws, it appears as if my optimism may perhaps be misplaced.

For those who struggle to interpret an electronic document created as a sequence of binary interpretation of the state of a transistor, it would almost be impossible to even imagine that a “Transistor” will now be replaced by a “Quantum Energy State” which can take the uncertain  value  of one or zero or both. In such a situation if a hacker has manipulated the back end process and generated a fraudulent output, how do we recognize the “Unauthorized Manipulation of data”, “how do we produce forensic evidence of the manipulation” etc will be a challenge that is not easy to solve.

Add to this “Super positioning” prospect in Quantum computing the “Entanglement” concept where two states of a data holder can be physically separated but the state of one could be modified by changing the other, and the problem becomes more fuzzy.

If nothing else is certain, the quantum increase in the computing powers of the future generation of computers (working as back end systems driven by quantum computing processing) would need a change in our perception of “Probability of a Cryptographic key being broken”. If the current key strengths become unreliable, we may need to re-think many of the concepts of information security and make corresponding changes in our laws.

Even today, the Criminal Jurisprudence principle that all evidence should be “Proved  beyond Reasonable Doubt” poses huge challenges when applied to Electronic Evidence. In the Quantum computing era, such issues would be even more challenging.

If therefore we want to upgrade our Cyber Laws from the current state of Cyber Law 1.0 to the era of Artificial intelligence which could be Cyber Law 2.0 and subsequently to the era of  Quantum Computing which could be called Cyber Law 3.0, then our Cyber Law makers need to start acting today in understanding the problems that the new technologies will pose to our Judges who are now in the very initial stages of appreciating the current version of Cyber Law.

Will the Government understand the challenge that the emerging technology in Computer software and hardware will pose?… if so…. when? ….is the question that remains unanswered in my mind.

I welcome the view of the readers… if any

Naavi


Does this Revenge Porn Judgement inspire confidence?

On 7th March 2018, the Court of Judicial Magistrate, 1st Class, 3rd Court, Tamluk, Purba Medinipur, pronounced a judgement in the case of State of West Bengal Vs Animesh Boxi (Case no GR 1587/17).

See Report here

The essence of the case pertained to a complaint from a girl that the accused had uploaded certain nude photographs of her in a porn website.

The accused was convicted under Sections 354A, 354C, 354 and 509 of IPC as well as Sections 66E, 66C, 67 and 67A of ITA 2008. The case involved presentation of electronic evidence of different kinds and forensic investigation online and on a mobile device, a Computer etc.

Obviously the judgement which runs into 129 pages has attracted attention of Cyber Crime experts and academia and will be debated even in the coming days.

While on the face of it, it appears that a girl was adversely impacted and deserves sympathy and the boy deserves to be condemned for his action, from the perspective of judicial dispensation of the case, the judgement does not inspire confidence that proper justice has been done.

We are presently in the midst of another complaint in the case of the cricketer Shami, again in the courts of West Bengal where a woman has used the provisions of gender biased law to charge Mr Shami of “Rape” and “Murder”. She has also roped in some of the relatives of Mr Shami to ensure that he is condemned for life.

See the report on Shami here

In the midst of a genuine need to prevent atrocities on women, the misuse of law meant for addressing genuine grievances of an exploited woman being used by the rich and powerful to take undue advantage is a matter of concern for the society. When law is misused repeatedly, the public confidence in such laws and the enforcement mechanism dwindles.

The Police and the Judiciary therefore have an additional responsibility in such cases to ensure that without in any way negating the spirit of the law to protect oppressed women, they do not impose the law with a harshness that is not deserved under the given circumstances.

Naavi.org has been in the forefront of a “War on Cyber Pornography” for the last two decades and hence will always be supportive of oppressed women. However when privileged women tend to settle their personal revenge misusing legal provisions, and the Police and Judiciary turn a blind eye or abet such a misuse, there is a need to raise a voice of protest.

I would like to refrain from a discussion on these cases in these columns because anything said is likely to be misinterpreted. From the information available in the media it must however be put on record that both the complaint registered against Mr Shami and the above Judgement of “Revenge Porn” do not inspire confidence that proper justice has actually been done.

I leave it to the future to determine if events that may unfold substantiate this view.

Naavi

 


Information Security for Industry Managers… CII Puducherry program on 21st March 2018

This is for general information of the public:

One Day Training Programme on Information Security for Industry Managers

Wednesday: 21 March 2018: Hotel Accord, Puducherry

CII Puducherry is organizing a One Day Training Programme on Information Security for Industry Managers on Wednesday: 21 March 2018: Hotel Accord, Puducherry

 

This session is meant for all Business, IT and IS managers.

The workshop will be conducted by Na.Vijayashankar, Information Assurance Consultant, popularly known as Naavi, who is a pioneer in Cyber Laws in India (https://in.linkedin.com/in/naavi)

Date & Timing :    Wednesday, 21 March 2018 – Starting from 0900 to 1700 hrs.

Venue :   Hotel Accord, No. 1, Thilagar Nagar, Ellaipillaichavady, (Near Rajiv Gandhi Statue & Opp to Muruga Theatre).

Those who are interested may contact CII, Puducherry. (www.cii.in)

Naavi


Self Loans!… A New Dimension of Bank Frauds

After the PNB Fraud in which over Rs 11400 crores are suspected to have been lost came to light, many other frauds are slowly tumbling out of the closets of E Banking.

Leaving aside the fact that the lenders of different Banks who lent money to Mr Nirav Modi and Mehul Chokshi failed to check the “End Use” of funds and allowed renewal of LOUs without checking the previous utilization and need for extension, it was also realised that PNB had even allowed the Nirav Modi employees to directly access the SWIFT messaging system of the Bank.

The system of the Bank was so configured that SWIFT system could be accessed from outside the banking network. The operating officials of the Bank gave away passwords of multiple officials  to the Nirav Fraud team.

The system had no control that could detect that the log-in was from outside the Bank’s network, that multiple passwords were entered from the same computer, or that the messages were not reflected in the CBS system and created no vouchers for commission or margin collection.

This was a gross failure of the Bank staff and the information security configuration of the systems.

It is true that any IS control can be defeated if the employees are dishonest. But still, the system design should be such that even if some of the employees are dishonest, the fraud should be detected, if not for the first time, in subsequent times.
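The three controls named above as missing (log-in from outside the Bank's network, several passwords used from one computer, SWIFT messages with no CBS entry or commission/margin voucher) can each be written as a check over logs. The following Python is an added example, not part of the original post and not the code of any bank or software vendor; the record layouts, user IDs, host names, address range and message references are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from pprint import pprint

# All records below are constructed sample data. Field names, user IDs,
# host names, address ranges and references are hypothetical.
BANK_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

SWIFT_LOGINS = [
    {"ts": "2018-01-10T09:02", "user": "maker01", "src_ip": "10.20.4.15", "host": "BR-WS-07"},
    {"ts": "2018-01-10T09:40", "user": "checker02", "src_ip": "10.20.4.16", "host": "BR-WS-08"},
    {"ts": "2018-01-11T21:13", "user": "maker01", "src_ip": "203.0.113.50", "host": "EXT-PC-1"},
    {"ts": "2018-01-11T21:15", "user": "checker02", "src_ip": "203.0.113.50", "host": "EXT-PC-1"},
    {"ts": "2018-01-11T21:18", "user": "verifier03", "src_ip": "203.0.113.50", "host": "EXT-PC-1"},
]

SWIFT_MESSAGES = [
    {"ref": "SW-0001", "sent": "2018-01-10", "amount": 5000000},
    {"ref": "SW-0002", "sent": "2018-01-11", "amount": 90000000},
    {"ref": "SW-0003", "sent": "2018-01-11", "amount": 75000000},
]

# CBS side: what was booked against each SWIFT reference.
CBS_VOUCHERS = [
    {"swift_ref": "SW-0001", "kind": "cbs_entry"},
    {"swift_ref": "SW-0001", "kind": "commission"},
    {"swift_ref": "SW-0001", "kind": "margin"},
    {"swift_ref": "SW-0003", "kind": "cbs_entry"},
]

# Assumption: a genuine message leaves all three traces in the CBS.
REQUIRED_KINDS = ("cbs_entry", "commission", "margin")


def external_logins(logins, networks=BANK_NETWORKS):
    """Control 1: log-ins whose source address is outside every bank network."""
    flagged = []
    for rec in logins:
        addr = ipaddress.ip_address(rec["src_ip"])
        if not any(addr in net for net in networks):
            flagged.append(rec)
    return flagged


def shared_credentials(logins, max_users=1):
    """Control 2: more than max_users user IDs used on one computer in a day."""
    users = defaultdict(set)
    for rec in logins:
        day = rec["ts"][:10]  # YYYY-MM-DD part of the timestamp
        users[(rec["host"], day)].add(rec["user"])
    return {key: sorted(ids) for key, ids in users.items() if len(ids) > max_users}


def unreconciled_messages(messages, vouchers, required=REQUIRED_KINDS):
    """Control 3: SWIFT messages missing a CBS entry or a required voucher."""
    booked = defaultdict(set)
    for v in vouchers:
        booked[v["swift_ref"]].add(v["kind"])
    gaps = {}
    for msg in messages:
        missing = [kind for kind in required if kind not in booked[msg["ref"]]]
        if missing:
            gaps[msg["ref"]] = missing
    return gaps


def audit_report(logins, messages, vouchers):
    """Run all three checks and return the findings in one structure."""
    return {
        "external_logins": [
            (r["ts"], r["user"], r["src_ip"]) for r in external_logins(logins)
        ],
        "shared_credentials": shared_credentials(logins),
        "unreconciled_messages": unreconciled_messages(messages, vouchers),
    }


if __name__ == "__main__":
    pprint(audit_report(SWIFT_LOGINS, SWIFT_MESSAGES, CBS_VOUCHERS))
```

Because the third check reconciles two independent systems, it still fires when the first two are evaded by dishonest staff working from inside the branch.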

Unfortunately the creators of the software in Infosys who sell FINACLE and supply it to a number of Indian Banks, are not aware of the intricacies of Banking transactions and how frauds could be committed. Hence their design is a faulty design and Banks are saddled with this defective product.

Now yet another fraud has come to the open in State Bank of India, Chennai where also it appears that the passwords of the Bank staff have been used by an outsider to divert over Rs 3.2 crores of money (Refer article here) meant for purchase of Cars as an unsecured cash advance which was used for funding a Film production. Here again, the security configurations of the CBS software have failed to recognize that Cars were not purchased, money was not credited to a Car dealer’s account, documents such as RC book etc were not submitted, asset inspection did not take place etc.

In all such cases, it is clear that it is not only the Software that failed, but also the internal audit system.

It is high time that Indian Banks rethink how their “Internal Auditors” are equipped to conduct audits in the Computerized environment.

If internal audit cannot identify this new generation of Bank frauds where the customer himself is given access to the Bank’s systems to design his own loan sanctions, create approvals of several layers of bank officers and take the money out, then there is no need for such audits.

Where such “Self Loans” are used in the “Kite Flying Mode” and repaid with a roll over loan, it is very difficult for normal audit processes to find the anomaly. There is definitely a need for Computer Assisted Audit techniques, either with in-built features of the core banking software or through specialised audit tools.

FINACLE Strengths and Weaknesses

Banking software like FINACLE, which costs a fortune for the Banks, should have an inbuilt, non-tamperable audit module that is effective in preventing such frauds from continuing beyond the first couple of occurrences, if not the first time.

FINACLE boasts of an Audit module as part of its system but it is clear that it has failed in the context of not only PNB Brady Branch but also SBI Chennai branch and in the many other similar cases that have come to light now.

If the Indian Banking system is in the doldrums today, a large part of that responsibility should be borne by the CBS software suppliers who have supplied defective products to the industry.

RBI has failed to subject the software itself to an audit of IDRBT which is mandatory and hence part of the responsibility for the use of defective software lies on the RBI also.

While checking on the Audit capabilities of FINACLE, I came across an article describing the audit capabilities of FINACLE.

Some key FINACLE menus and their use for an auditor have been described in this article. Some of them are briefly reproduced here.

  1. Account Ledger Enquiry (ACLI)
  2. Customer Account Ledger Print and Office Account Ledger Print (ACLPCA and ACLPOA)
  3. Audit File Inquiry (AFI)
  4. Average Balance (AVGBAL)
  5. BCREPORT
  6. Customer Master Inquiry (CUMI)
  7. Report on Expiring Documentary Credits (DCEXPLST)
  8. Query on Documentary Credit (DCQRY)
  9. Exception Report (EXCPRPT)
  10. Generate Report (GR)
  11. Financial Transaction Inquiry (FTI)
  12. Accounts Due for Review (ACDREV)
  13. Inward/Outward Remittance Maintenance (IRM/ORM)
  14. Outstanding Items Report (MSGOIRP)
  15. NPA Report (NPARPT)
  16. Letter of Acknowledgement of Debt Report (LADRPT)
  17. Loan Overdue Position Inquiry (LAOPI)/Temporary OD Report (TODRP)
  18. Print Reports (PR)
  19. Guarantee Issued Liability Register (GILR)
  20. Partywise Overdue Packing Credit (POVDPC)

The above list indicates that there should have been several reports that should have thrown up audit queries in respect of PNB Fraud as well as the SBI Fraud.

Now what we need to check is why the discrepancies were not thrown up by the audits.

The reasons could be many.

  1. First reason could be that no audit was at all conducted. In PNB we are told that RBI did not audit the branch for more than 9 years. It is not clear if the internal audit was also bypassed. If so was there any declaration in the annual reports to the share holders providing the list of branches which were not audited for the last 1/2/3 or more years?
  2. If an audit was conducted, it is possible that the auditors were not aware of all these modules and how to use them appropriately.
  3. Perhaps there was lack of adequate training of the auditors.
  4. It is also possible that FINACLE comes with some base module that does not include all features and a higher priced module that may include additional modules and the Bank could have not taken the full module for cost considerations.
  5. It is also possible that the FINACLE system itself might not be able to properly analyze the data in the above modules though it may create some printable reports.

Need for Data Analytics in Audit process

Computer Assisted Audit Techniques that are essential for proper auditing of any Computerized data environment require a capability to

a) Acquire data of different types from across the network available in different platforms and collate it into a common platform for analysis

b) Extract, Classify and Re-classify data into different groups which create new meanings not visible in the direct report

c) Search data across multiple categories and filter them against some specific risk identifying algorithms

d) Use known statistical methods such as Benford's law to check on potential frauds

e) Use Forensic audit tools to discover evidence that has been buried by the fraudsters

f) Use “Checking of Controls” as a part of the audit including the Information Security controls such as “Access Control”, “Log Analysis”, “Incident Management System” etc.
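Item (d) can be made concrete with a first-digit test: Benford's law expects leading digit d with frequency log10(1 + 1/d), and a chi-square statistic measures how far a set of amounts departs from that. This is an added example, not part of any audit tool named on this page; the sample amounts are constructed and the 5% significance threshold is an assumed choice.

```python
import math
from collections import Counter

# Chi-square critical value for 8 degrees of freedom at the 5% level
# (assumed threshold; an auditor may choose a stricter or looser one).
CHI2_CRITICAL_DF8_P05 = 15.507


def first_digit(amount):
    """Leading non-zero digit of a non-zero amount."""
    return int(f"{abs(amount):e}"[0])


def benford_test(amounts):
    """Return (chi_square, most over-represented first digit)."""
    digits = Counter(first_digit(a) for a in amounts if a)
    n = sum(digits.values())
    chi2, worst_digit, worst_excess = 0.0, None, 0.0
    for d in range(1, 10):
        expected = n * math.log10(1 + 1 / d)
        observed = digits.get(d, 0)
        chi2 += (observed - expected) ** 2 / expected
        if observed - expected > worst_excess:
            worst_digit, worst_excess = d, observed - expected
    return chi2, worst_digit


def is_suspicious(amounts):
    """True when the first-digit distribution departs from Benford's law."""
    return benford_test(amounts)[0] > CHI2_CRITICAL_DF8_P05


# Constructed data: amounts growing geometrically follow Benford's law closely.
ORGANIC = [100 * 1.07 ** n for n in range(500)]
# Constructed data: 200 amounts clustered between 9,00,000 and 9,30,000,
# as might happen when advances are kept just under a sanction limit.
STRUCTURED = ORGANIC[:300] + [900_000 + 137 * i for i in range(200)]

if __name__ == "__main__":
    for name, data in (("organic", ORGANIC), ("structured", STRUCTURED)):
        chi2, digit = benford_test(data)
        print(f"{name}: chi2={chi2:.1f} over-represented digit={digit} "
              f"suspicious={is_suspicious(data)}")
```

A high statistic only tells the auditor where to look; legitimate causes such as fixed fees or regulatory limits also skew first digits.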

It is clear that the current Internal Audit process in Banks is not equipped to conduct an audit outside what reports are submitted by the Branch to the auditor. If the Auditor audits only what the auditee wants him to see, then the value of such audit is low. Perhaps it is what statutory auditors do. But Internal auditors have to go beyond checking the arithmetic accuracy of the transactions and go into an in-depth fraud possibility analysis.

Cost and Training Hurdle

In examining the solutions that the Auditors could use, it was observed that the tools normally considered as reputed “Computer Assisted Audit Tools” or CAATs are prohibitively expensive and require a rigorous training both of which seem to create a hurdle for Banks.

However, it is possible for RBI to equip itself with such tools (ACL, IDEA, ARBUTUS etc) and use them in its audit as a starting point. Other Banks may start using them depending on their size. Obviously the larger Banks do not have any constraint on budget or on their ability to train the auditors, but smaller Banks may have a problem.

I therefore suggest that smaller Banks create a “Technology Resource Pool” in a “Centralized Fraud Investigation Center” which should be equipped with such tools and talent and conduct audits of member Banks as a service.

I hope RBI will take such steps to ensure that in future the audit system is strengthened to such an extent that frauds such as those we are now seeing do not go undetected before they balloon into a huge scam.

Naavi


(P.S: I have been an ex-Banker and therefore may not be fully aware of the current situation in the Banks about how audits are conducted in the Computerised environment.

But looking at the frauds that are surfacing, it is clear that the system is not working properly and hence some of the observations made above may be true though I may not be able to give evidence of the same. If we want to clean up the Bank system, Bankers need to do a self evaluation of their systems and check if some of the points made here are relevant or not.

I invite comments and suggestions on how to improve Audit systems in Banks in the computerized environment… Naavi)


Cyber Law College starts a new In-College Course at BMS Law College, Bangalore

Cyber Law College will be starting a compressed course on Cyber Laws for the students of BMS Law College, Bangalore starting from March 1st.

This course will cover an overview of Cyber Law in a course that extends to 10 sessions to be conducted in the college for students of different semesters.

In the past, Cyber Law College has conducted 3 courses each in KLE Law College, Bangalore and Hubli, SDM Law College Mangalore and JSS Law College, Mysore. These courses were of a longer duration and extended to about 60 to 70 hours of classroom teaching. The BMS law college course is planned as 25-30 hours of classroom teaching.

Naavi is also associated as guest faculty with NLSIU, NALSAR, MSR Law College and other institutions and continues to contribute to the mission of “Cyber Law Awareness”.

Naavi is looking for more initiatives of this nature particularly a “Course for Law Faculty” so that Cyber Law Courses can be started in all Law Colleges in Karnataka.

Naavi is also looking for initiatives on “Cyber Law for IS Professionals” at Bangalore if there is a demand.

Naavi has already created online courses in Cyber Laws and HIPAA through apnacourse.com. Now a Course on GDPR is under preparation and details will shortly be announced.

Comments and suggestions are welcome.

Naavi
