SEBI’s inaction on Infy is Fishy… Nandan Nilekani should avoid passive assistance of the fraud


(This article is based on the copies of the Whistleblower’s letters which have now come to the public domain, though they may be considered as not independently verified. In case there is any counter to the letters, we shall be glad to publish the same and make corrections as may be necessary… Naavi)

The battle between the erstwhile CEO Mr Vishal Sikka supported by the Infosys Board on one side and Mr Narayana Murthy (NRN) supported by the erstwhile promoters of Infosys on the other side, has now reached a decisive stage with Mr Nandan Nilekani taking over as the de-facto head of the Company and Vishal Sikka leaving the Company.

Mr R. Sheshashayee, the erstwhile Chairman, has also resigned and Co-Chairman Mr Ravi Venkatesan has been relieved of his responsibilities. One more Director has also been relieved, and Mr Vishal Sikka is being relieved immediately without waiting up to March 2018 as was originally announced.

Behind the current flare up was an allegation of serious mismanagement and possible misappropriation of funds by Mr Vishal Sikka and a group of his close associates. This was alleged by an anonymous whistleblower who had written two letters to some of the shareholders such as NRN, which were reportedly also copied to SEBI. Since SEBI was aware of these letters as far back as February 17, 2017 (See report here), the reason why no action has been initiated so far is intriguing.

Mr NRN was upset that the Board had failed to exercise its due diligence and had not taken action to prevent the alleged diversion of funds, or the necessary deterrent action after a complaint was received by the Board. After the Board released its letter accusing Mr NRN of being power hungry, interfering in management etc., it was clear that the Board was desperate and was acting childishly. Its action was unbecoming of a professional Board of Directors. It was not difficult to speculate that this behaviour stemmed from a desperation born out of insecurity and the guilty minds of the members of the Board.

The complaint had been made “Anonymously” by the whistleblower on two occasions. The complaint alleged that in the Panaya deal, in which an ailing company was taken over by Infosys, the valuation of the company was deliberately hiked to benefit Mr Vishal Sikka personally. Though the Board did order an audit subsequently, it had not made the audit findings public, under the pretext that since the complaint was anonymous there was no need for the audit report to be made public. There is a doubt that the audit itself may be a sham, but the reluctance of the Board to make it public has raised further doubts.

This issue obviously became critical in the tussle between NRN and the Board. In the meantime, one of the associates of Vishal Sikka who was part of the Panaya negotiation, and considered a very close confidant of Mr Sikka enjoying special privileges in the Company, resigned and walked away. Last week Mr Vishal Sikka also submitted his resignation, leaving it to the Board to handle the unfinished battle with NRN and others.

Now the alleged letters written by the Whistle Blower have come to the public domain and raise serious questions not only on Mr Sikka and the Board of Infosys headed by Mr R Sheshashayee but also on regulators like SEBI which has remained silent on the issue so far.

Mr Ravi Venkatesan’s meeting with Mr Arun Jaitley last week, and a spate of planted stories in the media indicating a public relations exercise in favour of projecting Vishal as a victim of a greedy and haughty NRN, had raised further doubt that Mr Sikka and his friends were trying to manipulate people in power. Perhaps Mr Jaitley and the BJP may also be facing some kind of diplomatic pressure from Israel, because one of their companies is part of the scandal.

Copy of the letters may be found here.

If one goes through the letters, it is clear that the matter is very serious and goes much beyond the “Corporate Governance” issue. It involves unfair payments to Mr Sikka, both as fat salary hikes and as payment of travel expenses, reimbursement of his personal security expenses etc. It also involves the hiring of Sikka’s confidants and payment of huge severance compensation, approval of expenses for his select favourite employees without the approval of the CFO, etc.

This is certainly not only a “Corporate Governance Issue” and could be a board level fraud like Enron or Satyam and requires some immediate action from the regulators.

The first major allegation was regarding the severance pay paid to Mr Rajiv Bansal, the former CFO who left after the Panaya deal. As per his contract he was to be paid a severance pay of 3 months’ salary. But he was actually offered a severance pay of 30 months’ salary, far in excess of what he was entitled to (according to the whistleblower’s complaint).

Which fool of a Corporate Director would approve such deals unless there is a kickback for all the decision makers? …is a natural question that arises. But the Infosys Board actually approved it.

This single instance was sufficient to indicate that there was a fraudulent attempt to siphon off shareholders’ funds to the outgoing person in an indiscriminate fashion.

After Mr NRN raised his voice, it is reported that the actual payment made was less. Instead of the Rs 17 crores proposed, Rs 5 crores was paid to the outgoing employee. But the attempt to pay an excessive amount was real and the Board approval was also real. Hence an attempt to defraud the company was real (as per the Whistleblower’s letter).

The speculation therefore is that Rajiv Bansal was sought to be paid “Hush Money” so that he would not go public with the irregularities in the Panaya deal, which was overvalued just to facilitate kickbacks. The Whistleblower’s letter has full details about what has reportedly transpired between Rajiv Bansal and the Board.

Under these circumstances, an immediate investigation ought to have been ordered by SEBI. But it has failed to do so, for reasons it needs to explain. The fact that SEBI is keeping quiet about this does not show SEBI in good light. The fact that the Finance Ministry under Mr Jaitley is also keeping its mouth shut indicates that there is a conspiracy to sweep the fraud under the carpet, and there could be a need for Court intervention, without which politicians and bureaucrats may not do justice.

Possibility of Tampering of Evidence

The whistleblower has also indicated the source of evidence to support his allegations, which are a direct charge that the Board of Directors is guilty of serious corporate frauds. He says that there are many e-mails in which evidence can be found.

However, since no action has been taken so far, there is every possibility of evidence having been erased, compounding the financial frauds with Cyber Crimes which need immediate forensic investigation by a reliable authority.

It is presumed that the e-mails would be on the servers of Infosys only, and they have now to be considered as potential evidence in a potential fraud investigation. Any deletion of the incriminating e-mails from the server would render the CTO and CISO of Infosys accessories to the fraud for deleting and obliterating evidentiary files. Hence the IT department of Infosys should take immediate steps to archive the relevant evidence in the custody of an independent custodian who would be outside the influence of the accused.
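The preservation step recommended above (archive the relevant files with an independent custodian so that later deletion or editing is detectable) can be made concrete with a hash manifest. The following is an added example written for this post, not Infosys code or any forensic tool’s API: it hashes every file under an evidence directory with SHA-256, records size and modification time, and seals the listing with an HMAC under a key that only the custodian holds. A later verification reports files that were altered, deleted or added after the manifest was taken, and rejects a manifest whose seal no longer matches, which is what happens if someone edits the record itself without the custodian key. The custodian key, directory layout and message files are all constructed for the demonstration.

```python
"""Added example: a tamper-evident evidence manifest for e-mail exports.

Hypothetical illustration; the key, paths and messages are constructed.
"""
import hashlib
import hmac
import json
import tempfile
import time
from pathlib import Path

HASH_ALGO = "sha256"


def file_digest(path: Path) -> str:
    """Stream the file through SHA-256 so large mailbox exports fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(body: dict) -> bytes:
    # Canonical JSON so the seal does not depend on key order or whitespace.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(evidence_dir: Path, custodian_key: bytes) -> dict:
    """Hash every file under evidence_dir and seal the listing with an HMAC."""
    entries = {}
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(evidence_dir).as_posix()
        st = path.stat()
        entries[rel] = {"sha256": file_digest(path), "size": st.st_size,
                        "mtime": int(st.st_mtime)}
    body = {"algorithm": HASH_ALGO, "taken_at": int(time.time()), "files": entries}
    seal = hmac.new(custodian_key, _canonical(body), HASH_ALGO).hexdigest()
    return {"body": body, "seal": seal}


def verify_manifest(manifest: dict, evidence_dir: Path, custodian_key: bytes) -> dict:
    """Compare the directory against the manifest.

    Returns the seal status plus lists of modified, missing and unexpected
    (added) files, so an examiner can see exactly what changed.
    """
    expected = hmac.new(custodian_key, _canonical(manifest["body"]), HASH_ALGO).hexdigest()
    seal_ok = hmac.compare_digest(expected, manifest["seal"])
    recorded = manifest["body"]["files"]
    present = {p.relative_to(evidence_dir).as_posix()
               for p in evidence_dir.rglob("*") if p.is_file()}
    modified = sorted(rel for rel in recorded if rel in present
                      and file_digest(evidence_dir / rel) != recorded[rel]["sha256"])
    missing = sorted(set(recorded) - present)
    added = sorted(present - set(recorded))
    return {"seal_ok": seal_ok, "modified": modified, "missing": missing,
            "added": added, "intact": seal_ok and not (modified or missing or added)}


def demo() -> tuple:
    """Constructed scenario: three messages archived, then one edited and one deleted."""
    key = b"custodian-only-key-(constructed)"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "mail").mkdir()
        (root / "mail" / "msg-001.eml").write_text("Subject: valuation\n\nconstructed body\n")
        (root / "mail" / "msg-002.eml").write_text("Subject: severance\n\nconstructed body\n")
        (root / "mail" / "msg-003.eml").write_text("Subject: travel\n\nconstructed body\n")

        manifest = build_manifest(root, key)
        before = verify_manifest(manifest, root, key)

        # Simulate what the post warns about: evidence altered and erased.
        (root / "mail" / "msg-001.eml").write_text("Subject: valuation\n\nedited\n")
        (root / "mail" / "msg-003.eml").unlink()
        after = verify_manifest(manifest, root, key)

        # An attempt to doctor the manifest itself (drop the deleted file's entry)
        # without the custodian key breaks the seal.
        doctored = json.loads(json.dumps(manifest))
        doctored["body"]["files"].pop("mail/msg-003.eml")
        forged = verify_manifest(doctored, root, key)
    return before, after, forged


if __name__ == "__main__":
    for label, report in zip(("before", "after", "forged"), demo()):
        print(label, json.dumps(report))
```

The manifest and the key should be stored by the custodian, not on the same servers as the evidence; the HMAC only proves that the listing was not altered by someone who lacks the key, so a copy of the sealed manifest lodged with an outside party at the time of archiving is what gives it value later.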

Modi Government may create another “Vijay Mallya mistake”

The two letters of the whistleblower have been with SEBI for some time now, but SEBI is not interested in taking any action. This is a deliberate inaction that assists Mr Sikka. Now that his resignation has been accepted and his severance package determined, he would not have any reason to visit India and will remain abroad, outside the jurisdiction of Indian law.

Mr Ravi Venkatesan, who met Mr Arun Jaitley recently after the resignation of Vishal Sikka, could have pleaded with Mr Arun Jaitley to bury the fraud, citing some reason or the other. Mr Jaitley may also be considering the “Israeli angle” as a diplomatic reason to agree not to act, at least for now, so that Mr Sikka can reach safe havens.

As a result, like Mr Vijay Mallya, Mr Sikka will evade legal scrutiny in India.

Fortunately, however, Infy ADRs are listed in the USA and there is a possibility that US authorities may move in and take action, even if SEBI can be silenced in India and the Indian political system is amenable to being bent as required. Already, a class action suit has been filed in the USA, and hence it will be difficult for Mr Vishal Sikka to escape scrutiny in US courts.

However, it is necessary for SEBI to show that it is honest and cannot be bribed into silence. I therefore urge SEBI to immediately take all required action, including securing of evidence, to conduct an independent investigation to find out if the allegations are true.

Further, it is also necessary for the CBI/ED/Serious Frauds Division of the MOF to join in the investigation. Any attempt to tamper with the evidence, as we have seen in many other sensitive cases, should be stopped by not delaying action.

In the past, the Finance Ministry has shown its adeptness only in bolting the stable after the horses have fled, so that it can appear that action is being taken without actually hurting the accused. The same thing may happen in the case of the Infosys fraud.

This is the time for Mr Modi’s Government, therefore, to show that illegal acts in a Company leading to the cheating of shareholders, which include many public bodies such as LIC and Mutual Funds, would not be tolerated.

If no action is taken immediately, it could only mean that the Government is amenable to compromising with corruption in the private sector, and this would not be in tune with the image of Mr Modi.

New Management under Mr Nandan should not fall into a trap themselves

As regards the new management under Mr Nandan, I would like to place a word of caution.

There will be a temptation not to go public with all the murky things which have gone on behind the scenes, since the apparent problem has been removed with Mr Sikka and some Board members going out. Some corporate and legal advisers of the Company will certainly advise Mr Nandan to forget the past and focus on what needs to be done to regain investor confidence and client confidence.

There is no doubt that focusing on new business related issues is important. But it is also not possible not to take action when a Corporate fraud appears to have been committed.

But if Mr Nandan and his team fail to take action, then they will be guilty of the same offence which the erstwhile Board was guilty of: remaining silent on fraud, which is a “Passive assistance” to the fraud.

We may note that Mr Rajiv Bansal, who could have been a whistleblower earlier, chose to accept a settlement and became part of the suppression of the fraud, exposing himself to being considered an accomplice to the fraud.

Similarly, not taking action on Vishal Sikka and some of the Board members, whether for fear of reputation loss or as a matter of courtesy etc., will make Mr Nandan and his new team also guilty in the eyes of the law of shielding the offenders.

It will also provide a good defense to Mr Sikka in the US Courts, where the defense would be “Even the new management did not consider that there were any serious irregularities and allowed Mr Sikka an honorable exit without any disciplinary proceedings”.

There is therefore no alternative for Mr Nandan but to initiate strict disciplinary action against Mr Sikka and be seen as taking all steps necessary to bring the culprits, if any, to book.

Any other decision would be a mistake.

We shall keep watching how the situation develops.

Naavi


Concatenating the individual Conclusions of the Privacy Judgement

In continuation of our previous article on the “Hashing of the Privacy Judgement”, we can now look at the six pieces of individual judgement and the end notes in each of these judgements that can be considered as “Judgmental Conclusions not forming part of the final order”. This is the second level of the 547 page judgement that we can try to explore.

Before penning down these end-notes, the judges who authored their respective parts of the judgement have presented pages and pages of observations, basically recollecting the earlier judgements. Technologists should appreciate the huge effort involved in “Cutting and Pasting” from volumes of judgements, from the early part of the last century to the current day, not only of the honourable Supreme Court but of other Courts as well.

Many of these judgements were from other qualified Judges, mostly by smaller benches or subordinate Courts. Hence the current consolidation represents an overriding of earlier contrarian opinions and brings the development of Jurisprudence on Privacy Rights in India to a milestone stage.

In particular, two judgements, namely the M.P. Sharma (1954) and Kharak Singh (1964) judgements, were declared as overridden. The first, M P Sharma v Satish Chandra, District Magistrate, Delhi, was rendered by a Bench of eight judges and the second, Kharak Singh v State of Uttar Pradesh, was rendered by a Bench of six judges. These decisions contained observations that the Indian Constitution does not specifically protect the right to privacy. They were based on the principles expounded in A.K. Gopalan v State of Madras (1950), which construed each provision contained in the Chapter on fundamental rights as embodying a distinct protection. This principle had already been overturned by an 11 member bench in Rustom Cavasji Cooper v Union of India (1970) (popularly known as the Bank Nationalization case).

Hence, part of what this 9 member bench did in this case, which can be referred to as the Puttaswamy case, was only to reiterate that the M P Sharma and Kharak Singh judgements had already been overridden in the Cooper judgement, if we had not realized it. Since the Cooper judgement was by an 11 member bench, there was no way this 9 member bench could overturn it. Had the CJI wanted it to be overturned, he would not have constituted a 9 member bench at all. Hence it was known from the beginning that the M P Sharma and Kharak Singh judgements were out of contention and Cooper was in.

The consequence of the Cooper decision according to the Chandrachud (Part I) part of the judgement is that a law which restricts the personal liberties contained in Article 19 (Freedom of Expression) must meet the test of permissible restrictions contemplated by Clauses 2 to 6 in relation to the fundamental freedom which is infringed.

These restrictions are stated as follows:

Nothing in sub-clause (a) of clause (1) [namely that “All citizens shall have the right to freedom of speech and expression”] shall affect the operation of any existing law, or prevent the State from making any law, in so far as such law imposes reasonable restrictions on the exercise of the right conferred by the said sub-clause in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence… etc.

In this background, we can now concatenate all the end notes in the six parts of the judgement as follows.

Part I (Chandrachud, Kehar, Agarwal, Nazeer): Conclusions:

1 The judgment in M P Sharma holds essentially that in the absence of a provision similar to the Fourth Amendment to the US Constitution, the right to privacy cannot be read into the provisions of Article 20 (3) of the Indian Constitution. The judgment does not specifically adjudicate on whether a right to privacy would arise from any of the other provisions of the rights guaranteed by Part III including Article 21 and Article 19. The observation that privacy is not a right guaranteed by the Indian Constitution is not reflective of the correct position. M P Sharma is overruled to the extent to which it indicates to the contrary.

2 Kharak Singh has correctly held that the content of the expression ‘life’ under Article 21 means not merely the right to a person’s “animal existence” and that the expression ‘personal liberty’ is a guarantee against invasion into the sanctity of a person’s home or an intrusion into personal security. Kharak Singh also correctly laid down that the dignity of the individual must lend content to the meaning of ‘personal liberty’. The first part of the decision in Kharak Singh which invalidated domiciliary visits at night on the ground that they violated ordered liberty is an implicit recognition of the right to privacy. The second part of the decision, however, which holds that the right to privacy is not a guaranteed right under our Constitution, is not reflective of the correct position. Similarly, Kharak Singh’s reliance upon the decision of the majority in Gopalan is not reflective of the correct position in view of the decisions in Cooper and in Maneka. Kharak Singh to the extent that it holds that the right to privacy is not protected under the Indian Constitution is overruled.

3

(A) Life and personal liberty are inalienable rights. These are rights which are inseparable from a dignified human existence. The dignity of the individual, equality between human beings and the quest for liberty are the foundational pillars of the Indian Constitution;

(B) Life and personal liberty are not creations of the Constitution. These rights are recognised by the Constitution as inhering in each individual as an intrinsic and inseparable part of the human element which dwells within;

(C) Privacy is a constitutionally protected right which emerges primarily from the guarantee of life and personal liberty in Article 21 of the Constitution. Elements of privacy also arise in varying contexts from the other facets of freedom and dignity recognised and guaranteed by the fundamental rights contained in Part III;

(D) Judicial recognition of the existence of a constitutional right of privacy is not an exercise in the nature of amending the Constitution nor is the Court embarking on a constitutional function of that nature which is entrusted to Parliament;

(E) Privacy is the constitutional core of human dignity. Privacy has both a normative and descriptive function. At a normative level privacy sub-serves those eternal values upon which the guarantees of life, liberty and freedom are founded. At a descriptive level, privacy postulates a bundle of entitlements and interests which lie at the foundation of ordered liberty;

(F) Privacy includes at its core the preservation of personal intimacies, the sanctity of family life, marriage, procreation, the home and sexual orientation. Privacy also connotes a right to be left alone. Privacy safeguards individual autonomy and recognises the ability of the individual to control vital aspects of his or her life. Personal choices governing a way of life are intrinsic to privacy. Privacy protects heterogeneity and recognises the plurality and diversity of our culture. While the legitimate expectation of privacy may vary from the intimate zone to the private zone and from the private to the public arenas, it is important to underscore that privacy is not lost or surrendered merely because the individual is in a public place. Privacy attaches to the person since it is an essential facet of the dignity of the human being;

(G) This Court has not embarked upon an exhaustive enumeration or a catalogue of entitlements or interests comprised in the right to privacy. The Constitution must evolve with the felt necessities of time to meet the challenges thrown up in a democratic order governed by the rule of law. The meaning of the Constitution cannot be frozen on the perspectives present when it was adopted. Technological change has given rise to concerns which were not present seven decades ago and the rapid growth of technology may render obsolescent many notions of the present. Hence the interpretation of the Constitution must be resilient and flexible to allow future generations to adapt its content bearing in mind its basic or essential features;

(H) Like other rights which form part of the fundamental freedoms protected by Part III, including the right to life and personal liberty under Article 21, privacy is not an absolute right. A law which encroaches upon privacy will have to withstand the touchstone of permissible restrictions on fundamental rights. In the context of Article 21 an invasion of privacy must be justified on the basis of a law which stipulates a procedure which is fair, just and reasonable. The law must also be valid with reference to the encroachment on life and personal liberty under Article 21. An invasion of life or personal liberty must meet the three-fold requirement of (i) legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate state aim; and (iii) proportionality which ensures a rational nexus between the objects and the means adopted to achieve them; and

(I) Privacy has both positive and negative content. The negative content restrains the state from committing an intrusion upon the life and personal liberty of a citizen. Its positive content imposes an obligation on the state to take all necessary measures to protect the privacy of the individual.

4 Decisions rendered by this Court subsequent to Kharak Singh, upholding the right to privacy would be read subject to the above principles.

5 Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state. The legitimate aims of the state would include for instance protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits. These are matters of policy to be considered by the Union government while designing a carefully structured regime for the protection of the data. Since the Union government has informed the Court that it has constituted a Committee chaired by Hon’ble Shri Justice B N Srikrishna, former Judge of this Court, for that purpose, the matter shall be dealt with appropriately by the Union government having due regard to what has been set out in this judgment.

Part II (Chelameswar)

Justice Chelameswar has not recorded any separate para as “Conclusions”. Hence his conclusion is contained in the final order only. He has generally agreed with the conclusions arrived at in Part I.

Part III (Bobde):

a. The ineluctable conclusion must be that an inalienable constitutional right to privacy inheres in Part III of the Constitution. M.P. Sharma and the majority opinion in Kharak Singh must stand overruled to the extent that they indicate to the contrary.

b. The right to privacy is inextricably bound up with all exercises of human liberty – both as it is specifically enumerated across Part III, and as it is guaranteed in the residue under Article 21. It is distributed across the various articles in Part III and, mutatis mutandis, takes the form of whichever of their enjoyment its violation curtails.

c. Any interference with privacy by an entity covered by Article 12’s description of the ‘state’ must satisfy the tests applicable to whichever one or more of the Part III freedoms the interference affects.

Part IV (Nariman)

This reference is answered by stating that the inalienable fundamental right to privacy resides in Article 21 and other fundamental freedoms contained in Part III of the Constitution of India.

M.P. Sharma (supra) and the majority in Kharak Singh (supra), to the extent that they indicate to the contrary, stand overruled.

The later judgments of this Court recognizing privacy as a fundamental right do not need to be revisited.

These cases are, therefore, sent back for adjudication on merits to the original Bench of 3 honourable Judges of this Court in light of the judgment just delivered by us.

Part V (Sapre)

Justice Sapre also has not captioned any paragraph as a “Conclusion”, but has identified two specific points of reference and gone on to give his views thereon.

They are:

(1) whether the law laid down in the case of M.P.Sharma and others vs. Satish Chandra, District Magistrate Delhi & Ors., AIR 1954 SC 300 and Kharak Singh vs. State of Uttar Pradesh & Ors. AIR 1963 SC 1295 insofar as it relates to the “right to privacy of an individual” is correct and

(2) whether “right to privacy” is a fundamental right under Part III of the Constitution of India?

His views are:

1) I entirely agree with their reasoning and the conclusion on question No. 1 (given by others)

2) …my answer to question No. 2 is that “right to privacy” is a part of fundamental right of a citizen guaranteed under Part III of the Constitution. However, it is not an absolute right but is subject to certain reasonable restrictions, which the State is entitled to impose on the basis of social, moral and compelling public interest in accordance with law… I also hold that the “right to privacy” has multiple facets, and, therefore, the same has to go through a process of case-to-case development as and when any citizen raises his grievance complaining of infringement of his alleged right in accordance with law.

Part VI (Kaul)

Justice Kaul has also not specifically noted any “Conclusion” but has made a few important observations.

I am in agreement with the view of Dr. D.Y. Chandrachud, J., who in paragraphs 123 & 124 of his judgment, states that the right of privacy cannot be denied, even if there is a miniscule fraction of the population which is affected.

Let the right of privacy, an inherent right, be unequivocally a fundamental right embedded in part-III of the Constitution of India, but subject to the restrictions specified, relatable to that part. This is the call of today. The old order changeth yielding place to new.

If we observe all these concluding remarks together, the majority opinion, which is “Unanimous”, is that “Privacy is a Fundamental Right subject to Reasonable Restrictions”.

There are many other observations buried inside the pages of this judgement which could be quoted in other litigations in due course as “views of a Judge in the famous Puttaswamy case”. These will however be “Observations not forming either individual judgements or the Final Order” and will be seen as the third level of what this judgement implies.

Observations which are not part of the final order or individual conclusions may have a limited practical judicial value since they have been deliberately omitted in the conclusions or the final order.

Other observations, such as the one on LGBT rights etc., are not majority opinions and are also not part of the order. Aadhaar has not been specifically commented upon since another bench is anyway looking into it.

Now, the next question that we need to discuss is what will be the take home for the stake holders on account of this Puttaswamy judgement?

Judges are happy about the excellent media coverage that they have got because of this judgement. They have got as much TRP as the media channels. Constitutional experts who practice in High Courts/Supreme Courts are happy that there could be a number of cases they can file directly at the High Courts and Supreme Courts and enjoy locking up our judicial system in a plethora of litigations. Academicians will be happy with the bundle of case laws that can be discussed and re-discussed in class rooms and conferences. It is a Win-Win-Win situation for all.

But at the end of this short term celebration, we need to examine the impact of this judgement on the real stakeholders of “Privacy”, which we shall explore in a subsequent article.

There are three different stakeholders in this “Privacy Issue”, namely:

a) The Citizen of the Country, who should feel that he has a “Right to Privacy” in whatever manner the Constitution understands it.

b) The Government, which makes laws and uses services such as Aadhaar which may have an indirect association with the principle of “Privacy”.

c) The business entities which use services that have a direct or indirect association with the principle of “Privacy”.

Let’s continue our debate… after a break… because we may have something more in the interim to discuss on the Infosys Saga…

Naavi


Hashing the 547 pages of Privacy Judgement

The 9 judge bench judgement of the Supreme Court on “Privacy as a Fundamental Right”, following the petition of Justice K.S. Puttaswamy and Others, runs into 547 pages of discussion, which makes great teaching material for law colleges on a number of earlier judgements. Some of the judgements, such as M P Sharma, Kharak Singh, Maneka and Cooper, have been referred to repeatedly, and the final opinion of the 9 member bench is rendered as the final wisdom applicable until another day when an 11 member bench may review and overturn the current finding. Probably this may not happen in our lifetime, and hence this judgement can be considered as one that will be etched in stone for the time being.

It is however also important for us to understand the “Essence” of the entire discussion that is presented in the judgement without being confused with the thoughts that ran in the minds of each of the judges when they wrote their judgement.

It is fashionable to hail the Judgement as “Historic”, “Path Breaking”, etc., and let us also add that the “Words of Wisdom will be etched in stone for times to come”.

However, we also need to consider what the “Net Effect” of this judgement is and whether it makes any significant difference to our lives. If so, the benefits have to be identified and presented separately. If not, we need to consider whether all this hype was worth the paper it was written on.

The Judgement has been presented in 7 parts, including the last part which is the “Order” signed by all the 9 judges.

Part I (Pages 1-266) is the common judgement written by four Judges, namely Justices Jagadish Singh Kehar, R.K. Agarwal, Dr D.Y. Chandrachud, and Abdul Nazeer.

Part II (Pages 267-310) is the judgement of Justice Chelameswar.

Part III (Pages 311-350) is the judgement of Justice S.A. Bobde.

Part IV (Pages 351-472) is the judgement of Justice R.F. Nariman.

Part V (Pages 472-496) is the judgement of Justice Abhay Manohar Sapre.

Part VI (Pages 497-543) is the judgement of Justice Sanjay Kishan Kaul.

Part VII (pages 544-547) is the order signed by all Judges.

In reading the judgement we need to recognize that Part VII is the operative part of the judgement and all the other 542 pages are reflections preceding the final order. Some of the individual judgements may express some “Conclusions” at the end of their parts, which can be considered as more than the “Reflections” in the body of the individual judgements. In interpreting the judgement, we should try to avoid confusing “Reflections” and “Individual Conclusions” with the “Order”. “Individual Conclusions not also reflected in the Order” (if any) may be collated to find out whether they constitute a “Majority Conclusion” or not. If it is a majority conclusion, it may have greater value.

Keeping this in view, let us first record here the final order, which is the operative part of the Judgement.

It is as follows:

The reference is disposed of in the following terms:

(i) The decision in M P Sharma which holds that the right to privacy is not protected by the Constitution stands over-ruled;

(ii) The decision in Kharak Singh to the extent that it holds that the right to privacy is not protected by the Constitution stands over-ruled;

(iii) The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.

(iv) Decisions subsequent to Kharak Singh which have enunciated the position in (iii) above lay down the correct position in law.

The entire 547 page judgement therefore has just one line of gist, namely that in India the “Right to Privacy” is protected as an intrinsic part of the “Right to Life and Personal Liberty” under Article 21 and as part of the freedoms guaranteed by Part III of the Constitution.

This is the hash value of the judgement as per Naavi algorithm!

We then need to start debating what difference this judgement makes to the life of

a) An Individual on the street, the common Citizen whose “Right to Privacy” is being defended by the battery of 9 judges.

b) The Corporates who need to struggle with the Data Protection obligations under ITA 2000/8 and steer clear of the liabilities under Section 43A or 72A in particular and many other sections of ITA 2000/8, along with the GDPR, HIPAA and a host of international laws that affect the lives of an Indian Registered Corporate entity.

c) The Government which has already made many laws such as Aadhaar, Right to Information and Section 66A of ITA 2008 (now scrapped) and needs to make many more laws in future to carry on its Governance amidst the opposition of political parties not in power, some of whom, like Kapil Sibal, were part of influencing this judgement.

Let’s try to do it in the future posts.

[Disclaimer: The objective of this discussion is just to add another view point for the academic debate.

It is admitted and declared that these are the views of an ordinary citizen of the country and not an expert in the Indian Constitutional law.

It is also not meant to praise or criticize the judgement in question nor the Government of the day or the opposition though it  may appear so in parts.

It is an opinion on a matter of grave importance to the development of Jurisprudence in India in the spirit of the presumed “Right of Free Expression” in our Constitution as it exists today with more than a century (101*) of amendments since its inception, most of them by the parties who are not in power today but sincerely tried since independence to change the face of India so that they could get more and more votes from the Indian public by dividing the country which was already divided and profess to continue to do so in future also]

Naavi

Reference:

Part I (Chandrachud, Khehar, Agrawal, Nazeer)
Part II (Chelameswar)
Part III (Bobde)
Part IV (Nariman)
Part V (Sapre)
Part VI (Kaul)
Part VII (Order)
Full Judgement

Good News For Infosys on the Ganesha Chaturthi Day

It gives me great pleasure to wish the visitors a Happy Ganesha Chaturthi, a popular festival in India, particularly because it also brings with it the happy news about Mr Nandan Nilekani coming back to Infosys as Executive Chairman. Ganesha is the lord worshipped for removing all obstacles and I wish he would remove all obstacles before Nandan Nilekani to put Infosys back to its past glory.

I am not saying this as a shareholder of Infosys but as a Bangalorean who always felt proud that Infosys was more than a “Company”. It was a symbol of pride for all of us as a Company with certain principles, and one which showed that a promoter who started the company with Rs 10,000/- borrowed from his wife could create a global company. Compared with the more high profile, jet setting CEOs we have seen, Infosys promoters were always considered well mannered, humble gentlemen who would be respected for what they are as human beings apart from their industry standing.

When the erstwhile Board members decided to attack Mr NRN through the public statement, it was therefore clear that it was their behaviour which came out as disgusting and unbecoming of those occupying the position of Directors of a Company like Infosys. Some of them have now resigned and the others also need to quit soon. They are fit neither to be Chairman or Co-Chairman nor even to continue as independent Directors.

I am sure that with the restoration of investor confidence in a Nandan-led Infosys, the employees will work with a new found motivation and even the clients will realize that a company with motivated employees and a management with principles is more trustworthy than a company managed by a scam oriented management team. I hope that Mr NRN and the other promoters who had distanced themselves from the Company in the last three years will do their best to ensure that their child gets back to health soon and becomes stronger than it ever was.

Naavi


Supreme Court Judgement on Privacy as a Fundamental Right… What changes?

The Supreme Court judgement on Privacy delivered today by a 9 Judge bench, has categorically made a statement that “Right to Privacy is a Fundamental Right” under Article 21 of the constitution as part of the “Right to Life and Liberty”.

The media is making a big noise as if something fundamental has changed in India. But actually what has come out as a Supreme Court decision today was already a presumption. The difference is that the Supreme Court has now raised it from a “Presumption” to a “Clarification”.

Even after this judgement, “Privacy  is a Fundamental Right” continues to be an interpretation of Article 21 and not an amendment of the Constitution itself.

The 547 page judgement needs to be analyzed in detail, but the first impression is that Supreme Court has reiterated what was already the recommended practice in India. If some of the organizations were not so far giving value to the Privacy principle, they will at least now have to take note of the provisions and cannot continue to act as if they were ignorant. This increased respect for Privacy must be considered as the benefit of this judgement.

So, from today there is no doubt that “Right to Privacy” is a fundamental right of an Indian Citizen and it is also agreed that it will be subject to “Reasonable Restrictions”.

There are two exceptions under which Privacy Rights do not apply, and they are:

  1. Any service provider who wants to collect personal information may seek and obtain the information from the data subject by a process of “Consent”.
  2. Personal information may also be collected without consent under the justification that it is covered by the “Reasonable Restrictions” under which exemptions are provided. One example is that it is required in the interest of the security of the State.

The above exceptions continue to be available even after the judgement.

Aadhaar Information for Ticket Booking

Many experts were seen commenting that Government may now not be able to ask for Aadhaar for booking Air Ticket or for Income Tax purpose because it may not be considered as justifiable under “Reasonable Restrictions”.

I however disagree and I will try to explain why.

As a Co-passenger in a common carrier like an airplane, I am interested in knowing if all the other passengers with whom I board a plane are people who can be trusted as “Non Terrorists” or people who will not endanger my security.

I agree that it is not possible to check the antecedents of people on the fly when they are booking tickets, but recording their identity and later analyzing the travel patterns of different persons is part of creating deterrence and gathering intelligence for the prevention of crimes.

I may not expect that I, as another passenger, be provided with information about my co-passengers, but I consider that my security as a passenger has to be treated as the responsibility of the nation, and for that purpose collecting personal information, with or without Aadhaar, may be considered necessary.

Hence I expect that the airline does know the identity of every passenger even if I do not. This is required not only for Air travel, but even for Train or Bus travel, or even for Uber sharing.

This would be a “Process” that is introduced by the Government to discharge its duty of safeguarding the interests of the citizens.

I may also consider it my right to ask my Co-Passenger, if he is coughing incessantly, whether he has “Swine Flu”, and I at least expect that he commits to saying “No”, implying “I am not a risk for you sitting next to me”. He cannot turn back and say “Privacy is my fundamental right and I am not going to tell you whether I have swine flu or not”.

That, in my view, is the limitation of the “Privacy Right with Reasonable Restrictions”.

It is also possible that the service provider (the airline) may obtain “Consent” at the time of booking of the ticket itself stating the reasons of Co-Passenger security and National security and justify the use of Aadhaar or any other KYC process.

Debate on “Consent”

Under the “Consent” provisions, the debate could be on

a) Whether the consent has been obtained properly

b) Whether the Consent is being misused

c) Whether the information is properly secured while it is in the hands of the service provider

d) How long the information will be held before it is purged

e) Whether the data subject has the right to ask for deletion of the data and exercise what Europe calls the “Right to be Forgotten”.

While this judgement may provide some grounds for lawyers to file cases against service providers and the Government, it is unlikely to change the legal situation much on the ground.

As regards the consequence of a “Privacy Breach”, there should be another law defining the punishments associated with a “Privacy Breach”. At present, ITA 2000/8 already provides both civil and criminal penalties for “Breach of a Consent Provision” related to Personal Information. There are also obligations on “Reasonable Security”, “Responsible Disclosure”, “Purposeful use” etc. under Sec 79 and 43A.

So, in respect of personal information in the form of “electronic documents”, there is already a system in place to protect the Privacy of an individual. This will be further fortified shortly with a Data Protection Act and a Health Care Data Privacy and Security Act.

Information in Non Electronic Form

What this judgement may do is to bring information which is not in “Electronic Form” also into the ambit of Privacy protection. This means that the “Oral Conversation” and “Handwritten information” could be the additional types of information that may come under Privacy regulations.

A digitally recorded oral conversation and any written paper meant for digital processing are already considered “Electronic Documents”, and hence only a small part of the documents that are not in electronic form but contain personal information may now come under the ambit of “Privacy”.

In practice this is not of much value.

Most of our transactions which are in “Non Electronic Form” are not regulated well enough for the information receiver to record a “Consent”. Also, when a breach occurs, there will be difficulty in providing evidence about the absence of consent.

Hence there will be need to define what is an “Ethical Manner” of collecting personal information in non electronic form and how the Privacy of an individual can be protected in that context.

Aadhaar as a KYC instrument

As regards Aadhaar, it will be one of the means of verification of the identity of a person which any service provider like a Bank or the Income Tax department may demand. After this Supreme Court judgement, they may have to justify the need for Aadhaar and obtain a proper consent. If necessary, they may have to provide for alternate KYC options, for which they may also charge an extra fee.

If, for example, a phone operator says that KYC is required and that if it is provided through Aadhaar the SIM will cost Rs 50, otherwise the SIM will cost Rs 250/-, then most customers would still opt for Aadhaar based KYC only.

The critical aspect of Privacy protection is not to blame Aadhaar but ensure that Aadhaar data in the hands of the users is used only subject to the Privacy principles.

This will make the life of Aadhaar user organizations more complicated but may not affect Aadhaar itself.

Aadhaar authorities may however have to ensure that the users of Aadhaar are not allowed to store Aadhaar data under any circumstances.

To that extent Aadhaar needs to change its current practice of dumping the entire Aadhaar information to the intermediary and also change the APIs which “Programmatically populate data at the user end just on production of Aadhaar number and OTP”.

In our previous article on Mobile Apps, we discussed in detail the need for regulating and monitoring “Permissions” granted to Apps.

Similarly, even in the case of the Aadhaar related Privacy issue, there is a need to monitor how the intermediaries handle Aadhaar data and how Aadhaar has structured the responsibilities of the intermediaries in its contract with them.

We need to focus on these solutions instead of simply challenging Aadhaar usage per se for different services.

Naavi

 


20 Seconds Mobile Hacking scare… Can We look at Solutions?

For the last few days, the YouTube video of Mr Saket Modi showing the 20 second mobile hack in a TV studio in front of the honourable Minister of IT and Law, Mr Ravishankar Prasad, with some key officials of the Government of India including Mr Sanjay Bahl, Director General of CERT-In, in the audience has been creating waves in security professional circles. (See the video below).

Mr Ravishankar Prasad was distinctly uncomfortable that he was sharing stage with an ethical hacker who was demonstrating the hacking of a mobile which could create a scare among the public about the use of smart phones while the PM has so many times gone about advising villagers to use mobiles for payments.

During the demonstration, Mr Saket Modi installed an app on the demo phone, perhaps from his own website. The App asked for permissions to access SMS, the Contact list, location etc., which were granted by Mr Saket himself since he was holding the mobile for those crucial 20 seconds. After this, through his laptop, he was able to access the SMS, Contact list and location and show them to the public. During the exercise it is presumed that the demo phone was connected to the Internet either through Wi-Fi or mobile internet, as was Saket’s laptop. He also demonstrated the activation of an audio recording service on the mobile.

There is no doubt that the demonstration served the objective of sensitizing the audience about the risk of a malware getting installed in their mobile either through the physical access to the phone made available to a hacker or through a malicious link being opened by the mobile user.

The risk of a “Virus” or a “Trojan” in any computer device is already well known. Whether it can be installed in 20 seconds or more or less depends on the size of the file to be installed and the bandwidth of the internet connectivity.

It is therefore not surprising at all to note that Mobiles have a security risk. In fact every electronic device, including the EVMs and Aadhaar Biometric Devices, has risks that we need to recognize. It is for this reason that the Election Commission refused the request of AAP that the EVMs should be handed over to them to show that they are hackable.

What we need to analyze is how to mitigate such risks. In this respect Mr Saket Modi’s demonstration fell short of my expectations.

Normally apps are downloaded from the Google PlayStore or the Apple Store. In such cases, it is presumed that apps are screened before they are allowed to be uploaded into the PlayStore so that malicious apps can be filtered out. However, except for identifying the app with the signature of the app creator as declared (which can be anonymous or pseudonymous), the app store does little to “Certify the App” as “Reliable”.

Before the App is installed, it asks for certain permissions and if the permissions are not given, the app may not get installed.

The app needs some permissions depending on its functionality. However most apps simply get access to several services in the phone and there is no way Google or Apple may know how the permission would be used subsequently when they allow apps to be uploaded into their stores.

Whether an App is asking for only such permissions that it does require for delivering the services it is supposed to provide and not more is a matter which an ordinary user is unable to find out. At the time of downloading the App he is only interested in using the App and hence he will provide permissions to all services sought by the App.

Some Apps may require what is called “Root Access”. This is normally used when some basic hardware functions need to be tweaked by the App. Most manufacturers block root access by design and void their warranty if this block is removed. Most hackers therefore try to work within the permissions that do not require root access.

When an app is downloaded from a source other than the PlayStore, it would be necessary to grant the additional “Permission to install from unknown sources” by going to “settings” (unless that setting has already been enabled). Obviously, in this case one has to trust the site from which the app is being downloaded, and there would be no assurance from the PlayStore about any aspect of the app.

Once the permission/s are granted, the app owner may use it for the functionality for which the user downloaded it and also for any other purpose.

The best practice for App developers is to take a one time permission each time a specific functionality is required to be used, rather than taking it once and holding it permanently. Though this may slow down the operations a little, it is the best practice which should be followed, but nobody seems to realize this as of date.

Hence app owners easily misuse the permissions and commit frauds against the mobile user.

It is also possible for a malicious person to provide one functional app which the user installs and gives permissions and using the permissions, the app owner may install another malicious app without the knowledge of the mobile owner.

Mr Saket Modi says in his video demo that he is using only such permissions as the popular apps like Uber or True Caller use and nothing more.

His statement may be wrong in at least one respect, namely the “Audio Recording Permission”. Normally apps do not ask for this permission unless it is a call recording app. Using this permission, he demonstrated that he could activate the recorder remotely and record the sound from the room where the mobile was present. This could be your confidential conversation with your wife in the bedroom or the corporate secrets discussed in the Board room. Since this was a demo of the risks, we can ignore this misstatement of Saket for the time being.

Similarly, when a “Permission to Access Camera” is provided, the app can maliciously switch it on and take snaps or video without the knowledge of the user. A permission to read SMS may be misused for reading the OTP sent by a Bank to push through a Banking transaction. Permission for reading call records etc may not be required for most functions but they are often asked for.

I consider that the limited purpose of the demo was to create awareness that “Smart Phones carry the risk of being hacked easily” which puts the user at great risk. Such risks are higher when the user puts through financial transactions of various Bank applications and the UPI applications.

Sensing the aggressive mood of Mr Ravi Shankar Prasad, Mr Saket Modi was perhaps not very honest in saying that BHIM or other UPI apps do not carry risks of the type he was discussing. Unfortunately, once a person gets access to SMS and therefore the OTP, most of the financial applications which depend on 2 Factor authentication are vulnerable.

RBI and the Government may be thinking that 2 Factor authentication is great, but the way it is being implemented now is very easy to misuse. In the US, OTP based authentication has already been downgraded by the Government as per its security policies. But in India we are using OTP even for Aadhaar based authentication and for the issue of e-Sign digital certificates with which contractual documents can be signed.

I would like to say that the Government has not fully assessed the risks of OTP based authentication for Banking and Aadhaar KYC, and its faith in OTP as a 2 factor authentication is misplaced.

Mr Saket Modi was seen assuring the Minister that fraud in India is about a third of what it is in the US and got a special applause for the same. Either he did not know or did not want to confide that in India we do not have a proper recording of frauds and hence we record only around 10 to 20% of financial frauds and ignore the others. Our statistics are therefore unreliable.

I consider that the demo was good for awareness creation, but it did not focus on providing a clear picture of what kind of solutions we need to think of to prevent these risks.

Where is the Solution?

As a solution, Mr Saket Modi spoke of an app “Unhack”, and there are many other similar apps which basically check the “Permissions Granted” to different apps and list them as risk factors. Some apps may provide you an option to remove permissions already granted.

These apps which monitor “Permissions” do serve a purpose but they cannot prevent the misuse of the permissions granted in good faith and misused later.

If therefore we want to look for solutions, we need to prevent misuse of “Permissions Granted”. In the demo we did not see any useful discussions on such solutions.

Mr Ravi Shankar Prasad repeatedly drew the attention of Mr Saket Modi to the Information Technology Act 2000/8 and Saket also acknowledged it.

It must be noted here that under Section 43 of ITA 2000/8, if the permissions obtained under one pretext are used for purposes other than the disclosed use, it can be considered as “Unauthorized Access” and penalized under Section 43 and Section 66 of ITA 2000/8.

Indian law is robust and does not consider “Permission Granted for a certain purpose as a universal consent for the receiver to do whatever he wants with the information”. Hence if the app owner requires a permission for a certain functionality and obtains it, he cannot use it for any other purpose without being liable under Section 43/66.

The key to this deterrence is to bind the app owner to disclose what permissions he seeks and why he is seeking them before the installation of the App so that if there is any misuse, he can be charged under Section 43/66. 

Mr Ravi Shankar Prasad needs to look at creating a deterrence around this Section 43/66 in ITA 2000/8 by forcing the app owners to disclose the permission information. This is the solution that the Government should work on.

Saket Modi’s own solution “Unhack” is said to be a “Free App”, but it asks for permission for In-app Purchases, Device & app History and Wi-Fi connection information.

I do not know what the purpose of these permissions is in the first place, and how I can be assured that these permissions would not be misused later on.

Before these permissions are granted, the App (Unhack) does not display either an EULA (End User License Agreement or Terms of use) or a Privacy Policy which commits the app owner to informing the user about what information is being collected, the why and how of it, the security of the information collected, etc.

It would be unfair to single out Mr Saket Modi’s application for not having proper privacy policy documentation, because most others also do not have such a policy.

During the discussions, Mr Sanjay Bahl of CERT-IN referred to the C-DAC application called M-kavach and stated that it can be used for mobile security.

 

When we look at this app, we note that it does present an EULA. However the EULA provides “No Warranties” and proclaims “No Liability for Damages”, though it claims Copyright protection.

It is typical of all software providers that they take it as their birthright to place a software product for public use but do not take any liability for any bugs and vulnerabilities in the software.

It is unfortunate that CDAC also follows this principle which I consider as a “Fraud Against People”.

Every software developer must state that to the best of his knowledge and good faith, the software does not contain any bugs.

He should also introduce a “Bug Bounty” program and seek the assistance of well intentioned security professionals to point out bugs if they find them, for which at least a nominal reward or recognition may be given.

We had recently pointed out this requirement while discussing Abhinav Srivastava’s case. If despite this, bugs are found, it should be examined whether the disclosure was made in good faith or recklessly to mislead the users, and action initiated under ITA 2000/8.

Further, if the EULA for M-Kavach is accepted, it immediately asks for the following permissions:

  • “Permission to Manage Phone Calls”
  • “Permission to access photos, media and files on the device”
  • “Permission to access contacts”
  • “Permission to Send and View Messages”
  • “Permission to access this device’s location”

Again, there is no “Privacy Policy” for M-Kavach which might have explained why these permissions have been sought for and how it is relevant for the service and how the information is secured etc.

So, it is clear that CDAC (Hyderabad) is no better than Mr Saket Modi in failing to inform the users of the app about why they need permissions of different types.

I request Mr Ravi Shankar Prasad and Mr Sanjay Bahl to ensure that no Government App is placed in the public space without proper Privacy Policy disclosures following the internationally accepted privacy principles which are part of Section 79 of ITA 2000/8. Even a Bug Bounty program is considered a part of “Due Diligence” and it should be made available by the Government agencies.

Only when the Government shows the way can we insist that private app providers also follow this good practice.

Since we are discussing the safety of mobile apps which get permission for a functional requirement and use it for a different purpose, the only way security can be provided is to bind the app owner to certain security commitments and then haul him up under ITA 2000/8 if he fails.

Safe App Certification Program

For proper implementation of this requirement, the Government may consider the introduction of a “Safe App Certification Program” which will ensure that

a) the App owner is known through a KYC process,

b) the App owner provides a commitment that he has taken reasonable security measures to ensure that the app is bug free at the time of release,

c) the App owner provides for a bug bounty program to further crowd source the security against bugs and vulnerabilities,

d) the App owner provides appropriate disclosures through a proper privacy policy and EULA/Terms, and

e) the App owner provides a Cyber insurance cover to the users to at least a nominal extent to cover losses arising out of the vulnerabilities in the app.

For the solution to be successfully used, there is also a need for creating appropriate evidentiary support to ensure that the app owner can be hauled up under Indian law. This can be taken care of by the Safe App certifying agency, which can also make periodical re-assessments for continuing the security certification.

The system will be like the ISI mark for manufactured products and the Certifier can digitally sign the registered app and provide a list of such certified products in the CERT-In site or the certifier’s site.
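As an added illustration of the two ideas above, the disclosure of permissions before installation (so that a later misuse under Section 43/66 can be shown against a record) and the certifier binding the app to that disclosure, here is a small Python audit. It is example code written for this page, not code from the post, from Unhack, M-Kavach, CERT-In or any certifying agency. It parses an Android manifest, compares the permissions requested against the purposes the app’s privacy policy discloses, flags sensitive permissions with no stated purpose, and builds a certification record tying the package name, the APK’s SHA-256 and the disclosure together. The manifest, the disclosure, the package name com.example.rideapp, the APK bytes and the certifier name are all constructed for the example; the Android permission identifiers are real. Digitally signing the record, which the post suggests the certifier should do, is left outside the example.

```python
"""Audit an Android app's requested permissions against the purposes its
privacy policy discloses, and build a certification record for the app.
All sample data below is constructed for illustration."""
import hashlib
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission identifiers; the risk notes are this example's own.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "read all SMS, including bank OTPs",
    "android.permission.RECEIVE_SMS": "see incoming SMS, including OTPs",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.RECORD_AUDIO": "record surrounding audio",
    "android.permission.CAMERA": "capture photos or video",
    "android.permission.READ_CALL_LOG": "read call records",
}

# Constructed AndroidManifest.xml for a hypothetical ride-booking app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rideapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

# Constructed disclosure (permission -> purpose) as a privacy policy would
# state it.  READ_SMS and RECORD_AUDIO are deliberately left out so the
# audit has something to flag.
SAMPLE_DISCLOSURE = {
    "android.permission.INTERNET": "talk to the booking server",
    "android.permission.ACCESS_FINE_LOCATION": "locate the pickup point",
    "android.permission.READ_CONTACTS": "share a trip with a contact",
}


def requested_permissions(manifest_xml):
    """Return (package name, set of permission names) from a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}
    return root.get("package"), perms


def audit_permissions(manifest_xml, disclosure):
    """Compare requested permissions with disclosed purposes.

    undisclosed: sensitive permissions requested but not explained
    unused:      disclosed permissions the manifest does not request
    ok:          permissions both requested and explained
    """
    _, requested = requested_permissions(manifest_xml)
    disclosed = set(disclosure)
    return {
        "undisclosed": sorted(p for p in requested - disclosed if p in SENSITIVE_PERMISSIONS),
        "unused": sorted(disclosed - requested),
        "ok": sorted(requested & disclosed),
    }


def certification_record(manifest_xml, disclosure, apk_bytes, certifier):
    """Return a certification record, or None if any sensitive permission
    is undisclosed.  The record binds package, APK hash and disclosure so a
    later change to the binary or the permissions is detectable by re-audit."""
    if audit_permissions(manifest_xml, disclosure)["undisclosed"]:
        return None
    package, _ = requested_permissions(manifest_xml)
    record = {
        "package": package,
        "apk_sha256": hashlib.sha256(apk_bytes).hexdigest(),
        "disclosure": dict(sorted(disclosure.items())),
        "certifier": certifier,
    }
    # Canonical JSON gives a reproducible digest; this is the value a
    # certifier would sign (signing is outside this example).
    canonical = json.dumps(record, sort_keys=True).encode()
    record["record_sha256"] = hashlib.sha256(canonical).hexdigest()
    return record


if __name__ == "__main__":
    for perm in audit_permissions(SAMPLE_MANIFEST, SAMPLE_DISCLOSURE)["undisclosed"]:
        print(f"UNDISCLOSED {perm}: can {SENSITIVE_PERMISSIONS[perm]}")
    # Once every sensitive permission has a stated purpose, the app is certifiable.
    full = dict(SAMPLE_DISCLOSURE,
                **{"android.permission.READ_SMS": "auto-fill the login OTP",
                   "android.permission.RECORD_AUDIO": "voice search for destinations"})
    rec = certification_record(SAMPLE_MANIFEST, full, b"constructed-apk-bytes", "cert-agency")
    print(json.dumps(rec, indent=2))
```

Run as a script, the audit reports READ_SMS and RECORD_AUDIO as undisclosed, which is exactly the gap the post complains about in Unhack and M-Kavach; only after the disclosure covers every sensitive permission does certification_record produce an entry. A certifier doing periodical re-assessment would re-run the audit on the current APK and compare apk_sha256 and the disclosure against the stored record.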

If we think India has to use more of mobile apps for financial transactions and the vulnerabilities as demonstrated exist, the only way by which the Government can assure the public is to introduce such “Safe App Certification”.

While the Government ponders over this thought, which I am sure will take its own time, I urge some enterprising private party to come up with such a certification, for which we can draw up certain norms and provide a kind of “Audit Certificate” to say that the App owner follows the recommended process for certification.

In the meantime, if any App owner wants to use a Certified Disclosure through the CEAC service of Naavi, they are welcome.

Look forward to comments…

Naavi
