How will Abhinav case proceed against a “Zero Loss” claim?

Today’s Deccan Herald reports that, according to sources inside the Police, the Abhinav Srivastava case may result only in a fine and not in imprisonment. It says “IITian may walk free as he only developed ‘innocuous app’”, making everyone sit up and wonder what is happening.

If this is true, did all the media make a hue and cry about nothing? Or is there some confusion within the Police themselves about how to proceed with the case?

For the time being I rule out the possibility that the Police are using the media to plant stories so that information can be elicited from the public which would let them correct the mistakes in the way the complaint is presently being handled. This is a strategy the Police often use in other criminal investigations.

Probably the media are also confused about the nature of the incident: whether it is a crime at all; if so, whether it is a civil wrong or a criminal offence; whether the Adjudicator or the Police should lead the investigation; etc.

Yesterday, we accessed a copy of the FIR filed by the High Grounds Police Station. It is dated 26/07/2017 and records crime number 0130/2017. It is based on a complaint filed by one Mr Ashok Lenin, whose address is given as the address of UIDAI at Khanija Bhavan, Race Course Road, Bangalore.

The details of the complaint given in the FIR are sketchy and indicate, in summary, that

“one Mr Abhinav Srivastava using a company by name Qarth Technologies Private Limited created a Playstore App and through it misused the information in Adhaar website and was giving it out as e-kyc in association with some unknown person and thereby is creating leakage of Adhaar data.”

The FIR was registered under Sections 65 and 66 of ITA 2000 and Sections 34, 120B, 471 and 468 of IPC. While the complainant seems to have indicated that Sections 37 and 38 of the Aadhaar Act have been contravened, the FIR itself does not include these sections. The FIR has been submitted to the 8th Addl CMM Court, Nrupathunga Road, Bangalore.

However, after this was published on naavi.org, information was received that this FIR is no longer operative, since a fresh FIR was filed by the Cyber Crime PS after the case was transferred to them. Since the ksp.gov.in website does not list the Cyber Crime Police Station and its FIRs, the new FIR filed by the Cyber Crime PS is presently not available with us. We can neither confirm nor deny whether the new FIR exists and, if so, whether any change has been made to the sections in the High Grounds PS FIR or will be made in future after another round of investigation.

While investigations will be continued by the Cyber Crime PS and appropriate action will be initiated, some points come up for discussion from the academic perspective.

The complaint was filed by a person who is an official of UIDAI. According to the Aadhaar Act, a court can take cognizance of an offence under the Act only on a complaint made by UIDAI or by an officer authorised by it. The FIR does not indicate that Mr Lenin’s complaint was accompanied by a letter of authority signed by the CEO of UIDAI. So whether it was a personal complaint or a complaint under the Aadhaar Act needs to be ascertained. Probably a letter from UIDAI, either from the CEO or backed by a resolution of the Board, has to be filed by whoever signs the complaint and submits it to the Police. Without this, the FIR/Chargesheet could be challenged as invalid.

Further, the UIDAI CEO, Ajay Bhushan Pandey, has himself made a public statement saying

“No one could get data of any other person through this app. Even though residents were downloading their own demographic data such as name, address etc., yet legal actions were initiated against the owner of the app since it was not authorised to provide such services to people and such acts are criminal offence punishable action as per Aadhaar Act, 2016. It is further reiterated that data of not even a single non-consenting resident has been given by UIDAI through this app.”

Once UIDAI confirmed that there was “no unauthorized data access”, it was clear that the foundation of the complaint itself had become hollow. From the revelations made by Mr Abhinav Srivastava, it appears that the App accessed other websites where there was no restriction on the “Appointment Request” function of the e-Hospital application, and placed a request along with the Aadhaar number. This would generate an OTP to the Aadhaar holder’s registered mobile and, once the OTP was entered, some demographic data would be displayed on the website, which could then be parsed, filtered and presented in a user-friendly format.

The App was actually being operated by the Aadhaar holder himself. Hence it was an authorised Aadhaar user who was using a tool developed by Mr Abhinav to download his own data, instead of going to the Aadhaar website himself and downloading the information.

(P.S.: This is based on the information now available, unless the Police unearth some other way in which Mr Abhinav was collecting the data for use at his end.)

In this light, the very basis of the complaint, that there was “Unauthorized Access”, was perhaps incorrect, and the complaint was filed on a wrong understanding of what had happened. Because the complaint had been made by UIDAI, it was immediately acted upon by the Police. While registration of the complaint was fine, the immediate arrest and the inclusion of IPC sections such as 468 and 471 were perhaps unwarranted. An FIR under Section 66 of ITA 2000/8 with station bail would have been a reasonable response from the Police, had they not been pushed by some panic-stricken UIDAI official into believing that a national calamity had occurred.

Now we understand that the total commercial benefit the person gained was around Rs 40,000/-, from advertisements running on the App and not from selling unauthorisedly accessed data. This too is insignificant for any serious case of commercial gain to be made out.

The complaint says that “some unknown person” collaborated with Mr Abhinav. But who is this “unknown person”? Is it the Hospital? Is it NIC? Is it the Google ad supplier? Is it the persons who downloaded the App? Or is it the company Qarth Technologies, which is a subsidiary of Ola Cabs (ANI Technologies Pvt Ltd)? It appears that this “unknown person” was added only so that Section 120B could be invoked and a “Conspiracy” brought in.

When the case was transferred to the Cyber Crime Police Station, we can expect that they identified that the FIR was not properly framed: without the case also being registered against the e-Hospital website and/or NIC as the e-Hospital platform owner, a complaint only against Abhinav would be difficult to sustain. They would also have pointed out that if UIDAI maintains that “there is no data loss, no data breach”, then the Courts may frown at the Police for registering a case over a “Zero Loss” incident.

It is also relevant that information was available in the public domain through an article on www.naavi.org, which gave reasonable notice of such an incident several months ago. The article, titled “Online Registration System for Indian Hospitals.. No Privacy Policy?”, was published on 4th November 2016. On the same day, I sent an e-mail to info@nimhans.kar.nic.in and ms@nimhans.ac.in drawing their attention to the article and expecting them to check with their Information Security department on the issues raised. The article focussed on the lack of a “Privacy Policy”, but any Information Security professional in, say, NIC would have understood that the application enables dispensing of Aadhaar information without the information seeker committing himself to any terms of use, and without NIMHANS protecting itself with a privacy policy/privacy statement.

Though everybody in the information security loop had notice through this published article nearly 9 months ago, nobody seems to have had the sense to recognise that there was a vulnerability in the system which could create a risk.

If the Police now try to pursue the case, there will definitely be a question about the “Lack of Due Diligence” by the hospital site/s accessed by the Abhinav App and, in the absence of any “Terms of Use”, how it can be a criminal offence that Mr Abhinav created an app to help Aadhaar holders access their own personal data through these websites.

One can argue that Mr Abhinav too was unaware of Cyber Law Compliance; otherwise he would have sensed that he needed some kind of permission to use the hospital app for a purpose other than seeking an appointment, for which it was primarily meant.

But if the hospitals as organisations, NIC as an institution and UIDAI as national critical infrastructure, with the nation’s best security officials in their roles, neither recognised any threat nor had a system to monitor such articles, which could be tracked simply with a Google Alert on the name of UIDAI, e-Hospital, NIMHANS etc., then how can an individual like Abhinav be expected to be more resourceful? That could be his defence.

If the Police pursue their case against the intermediaries such as the hospitals and NIC and question them on “Lack of Due Diligence” or “Negligence”, there will be embarrassment for these organisations. At the same time, without UIDAI admitting that there was some kind of breach, it is difficult to question any downstream user, including NIC, the hospitals or Abhinav.

If the Police pursue the case only against Abhinav and do not open the Pandora’s box of “Due Diligence by Intermediaries”, then obviously there will be a charge of unfair and discriminatory targeting of an individual, which would be an embarrassment for the Police themselves.

If the case needs to be pursued, therefore, UIDAI should first admit that there has been a “Security Breach”, with or without a “Data Breach”.

If not, they should withdraw their complaint, and fresh complaints would have to be filed by all the hospitals whose platforms were used by the Abhinav App on different occasions, stating that their platform was not meant for the public to use as an Aadhaar information extraction device, even for one’s own data. But then they would have to answer why they did not say so on their websites in the form of terms of use or a privacy policy document. Will all these organisations admit that they do not know the basics of the Section 79 requirements of ITA 2000? Their pride will not allow them to.

Hence they may not be interested in filing a complaint.

If UIDAI withdraws its complaint and nobody else is prepared to register one, what action can the Police take? They too would perhaps not be interested in inventing some reason to keep the case going, since at some point in future it may anyway be dismissed by some Court, perhaps with strictures.

In the light of the above, I am not surprised at the Deccan Herald report’s indication that the complaint would be reduced to a non-criminal violation. It may be diluted further and even dropped altogether.

We need to wait and watch…

Naavi

Ignorance Kills Career of a Promising Techie.. Will it affect Ola Cabs also?

Irrespective of what happens later in UIDAI’s complaint against Mr Abhinav Srivastava, a software engineer working at Ola Cabs (ANI Technologies Pvt Ltd), the fact is that he has now been booked as the “Prime Accused” in a “Conspiracy” said to have resulted in the theft of 40,000 Aadhaar records, and has been remanded to custody by a magistrate on a prima facie finding of commission of an offence. This remains a stigma on his career and would hurt him throughout his life.

The offences, according to the media reports, have been alleged under two sections of the Aadhaar Act (Sections 37 and 38), two sections of ITA 2000/8 (Sections 65 and 66) and three sections of IPC (Sections 120B, 468 and 271). Cumulatively, the total imprisonment under these 7 sections could be 19 years and 6 months, with the maximum single sentence being 7 years under Section 468 of IPC.

In view of Section 468, he could not get immediate bail, and we need to see whether he gets bail when the matter comes up for hearing in the Court at the end of the remand. It all depends on whether the complainant UIDAI and the Prosecution on their behalf oppose bail or not.

Some of the criminal cases booked under ITA 2000 around the year 2000 and later are still pending in courts in Karnataka, and hence it should take at least five to six years (if not more) for this case to be decided one way or the other. If convicted, he may get a minimum of 3 years’ imprisonment.

Even if he is acquitted, it will not help him resurrect his career, since he will be unemployable by any organised-sector company.

Mr Abhinav’s LinkedIn profile says

“High impact software engineer with strong zeal for innovation and entrepreneurship. Selfdriven individual passionate for solving challenging technology problems in corporate or individual context. Successful track record of building complex multi-tiered distributed systems from concept to launch. Expertise in web application security, cutting edge cloud and mobile technologies and front end development.”

I wish that he does not get frustrated and develop negative thoughts about using his technical skills because of this experience, and that he comes out of it stronger, maintaining his ethical balance of mind.

So, with this complaint from UIDAI (which they may later withdraw, since they now say there is no “Breach” or “Data Loss”) and the enthusiastic response of the Police in hoisting sections from all known laws to get Mr Abhinav arrested, the professional career of one of our promising software engineers is considered over.

Ola will also have to find a replacement and deal with the shock and demoralising impact it will leave on its entire technical team… unless their stars are bad, in which case the impact could be more adverse.

It may be noted that the company Qarth Technologies Pvt Ltd, which is also a co-accused in this case, is reported to have been acquired by Ola and is therefore a subsidiary under the management of Ola. If this company is now accused of offences, then by virtue of Section 85 of ITA 2000/8 it would be natural for the liability to be extended to the “persons in charge of the business”, including the “CEO” and “Directors” of the “Company”. The “Company” in this case is hopefully only “Qarth Technologies” and does not extend to the holding company “ANI Technologies Pvt Ltd”.

Qarth Technologies Pvt Ltd was acquired by Ola in March 2016, and the Ola Money application is the result of this acquisition. It is an important component of Ola which has added value to ANI Technologies from the investors’ perspective. In the process, the co-founders of Qarth, Abhinav Srivastava and Prerit Srivastava, both IITians from Kharagpur, joined Ola. It is perhaps a relief to note that they might not have joined the Board of ANI Technologies, which should be a blessing in disguise now. It is also interesting to note that the Board of ANI Technologies includes, among others, a familiar name, “Avnish Bajaj”. (I suppose he is the same Avnish Bajaj who was once the CEO of Baazee.com and was haunted by another IIT Kharagpur student in the infamous DPS video case.) Hence the Board must have adequate exposure to and experience of the consequences of “Non Compliance of ITA 2000/8”, and this should come in handy now.

If, however, the Directors of ANI Technologies are considered the ultimate bosses of Abhinav Srivastava, there is a possibility that the Police may extend the case to Ola as the “owner of Qarth”. In that case there would be a serious erosion of the value of Ola in the VC market.

I suppose Qarth Technologies has been made a co-accused because the ad revenues arising out of the Abhinav App must have been received and used through an Ola Money account. Abhinav would be one of the customers of Ola Money, and Ola Money (Qarth) would perhaps be accused of not following “Due Diligence”, just as Baazee.com was accused of lack of due diligence in the DPS-MMS case, where Mr Ravi Raj, a student of IIT Kharagpur, used Baazee.com as a platform to sell an obscene video.

The indications are therefore that this case may become one of the landmark cases in Cyber Crime investigation and prosecution, in which UIDAI, NIC and the Government hospitals will defend their right to follow discretionary security practices while private-sector companies like Ola and Qarth, along with their employees, will be expected to follow strict levels of “Due Diligence”.

However, for those who have heard me speak on “Cyber Law Compliance”, either at engineering colleges or in companies, this experience of Mr Abhinav is precisely what I have stressed time and again as a possibility if techies do not understand the law and learn to be compliant.

I would also have given the example of the IRCTC hack, in which a senior Satyam executive would have faced a fate similar to Abhinav’s but escaped because he responded to the alert sent from my end, reinforced by a TOI journalist from Chennai. I would also have given the example of another senior techie from Chennai who could have got entangled in the Trisha video case had he not been Cyber Law aware.

Many of the organisations in which I have tried to get an ITA 2008 compliance programme going might not have become fully compliant, but the employees who heard me would not have missed the examples of people in high places who lost their careers because they transgressed the law out of ignorance (not out of malicious intent).

I suppose this awareness would have saved a few careers, though it could not help Abhinav, since Ola, like many start-ups, perhaps did not consider “Cyber Law Compliance” part of its Information Security requirements. There are many more such organisations all over the country, and we will have many more Abhinavs also.

However, a “wise man always learns from others’ mistakes”, and Abhinav’s mistake should be a lesson for all techies on what they should not do. It is also the responsibility of all HR professionals, corporate CEOs and Directors to ensure that “ITA 2008 compliance” is part of their corporate governance policy at the Board level.

There is a proverb in Kannada, “KambaLinOnige hodedare, shalinOnu echchettugonDa” (ಕಂಬಳಿನೋನಿಗೆ ಹೊಡೆದರೆ, ಶಾಲಿನೋನು ಎಚ್ಚೆತ್ತುಗೊಂಡ), meaning: when the man in a blanket was beaten, the man in a shawl woke up.

Accordingly, seeing the plight of Abhinav Srivastava and Ola, it is expected that other IT employees and companies will now realise the likely impact of ignorance of, and non-compliance with, ITA 2008 on their business. Just as the Baazee.com incident created a high level of awareness around 2004 in Delhi, the Abhinav incident is likely to create a new sense of awareness in Bangalore.

This is an unfortunate and perhaps cynical view, but it could still be the positive impact of the incident for which Mr Abhinav has sacrificed his career.

Whenever I write about the Suhas Katti case, in which I was part of the Police team that got the accused prosecuted in the “First Prosecution in India under ITA 2000”, and I as well as others keep quoting it as a historical case, I also feel discomfort that poor Suhas Katti must be turning in his chair and wishing he would be forgotten. However, since the “Right to be Forgotten” is not a recognised right in India, the only option for him is to change his name and identity rather than expect the history of Cyber Crime in India to be rewritten by erasing his name.

Similarly, Abhinav would also wish that his name does not become a liability for himself (in future) and for others in the IT job market. Unfortunately it is in the public space now, and nothing can be done to protect the privacy of the accused. My sincere apologies to him for making his name the centre of a public debate. But I hope this debate will save many other techies from a similar plight.

Naavi

7th August 2017, 19.00 hrs: PS: I have just accessed the FIR copy and would like to correct the sections cited in this case. As against the earlier Asianet report, on which the sections indicated in the above article were based, the FIR shows the following sections: Sections 65 and 66 of ITA 2000 and Sections 34, 120B, 471 and 468 of IPC. The complaint has been made by UIDAI, but the sections of the Aadhaar Act do not appear. Some of the comments made in the article therefore stand corrected.

The earlier report of the sections used was based on a news report in Asianet News.

Naavi

Justice Srikrishna Committee on Arbitration submits its report

India has been taking significant strides in popularising Alternative Dispute Resolution mechanisms such as Arbitration and Mediation because of the special interest shown by the Modi Government. On 31st December 2015, the Arbitration and Conciliation Act 1996 was comprehensively amended (w.e.f. 23rd October 2015), bringing significant changes to the system as it had been prevailing in India. (Check for details at Naavi’s ADR Knowledge Center.) The changes were aimed at reducing delays in the arbitration process, bringing in a higher level of discipline among Arbitrators, reducing cost and encouraging the use of electronic documents in the conduct of ADR.

On January 13, 2017, the Department of Legal Affairs, Ministry of Law and Justice formally constituted a ten-member High Level Committee under the chairmanship of retired Supreme Court Judge Justice B. N. Srikrishna.

The committee was to look into various factors to accelerate the arbitration mechanism and strengthen the arbitration ecosystem in the country, as well as to examine specific issues and draw up a roadmap for making “India a robust centre for international and domestic arbitration”. In particular, the committee was required to suggest measures for institutionalising arbitration, national and international, in India so as to make India a hub of international commercial arbitration.

After considering the views of existing arbitral institutions in March 2017, the Committee has now come up with its recommendations, which were released by the Honourable Minister Ravi Shankar Prasad today.

The detailed report is not yet available for discussion. However, as per press reports, the committee has made the following recommendations.

  • Setting up an autonomous body, styled the Arbitration Promotion Council of India (APCI), which would recognise institutes providing accreditation to arbitrators and hold training workshops for advocates.
  • Creation of a specialist Arbitration Bench to deal with commercial disputes. Judges hearing such matters should be provided with periodic refresher courses in arbitration law and practice.
  • Creation of a specialist Arbitration Bar by encouraging the establishment of fora of young arbitration practitioners.
  • Changes to various provisions of the 2015 Amendments to the Arbitration and Conciliation Act to make arbitration speedier and more efficacious.
  • Declaring the International Centre for Alternative Dispute Resolution (ICADR) an institute of national importance and taking over the institution by statute.
  • Creation of the post of an “International Law Adviser”, who shall advise the Government and coordinate dispute resolution strategy for the Government in disputes arising out of its international law obligations, particularly those arising out of bilateral investment treaties (BITs).
  • Permitting foreign lawyers to represent clients in international arbitrations held in India, and promoting India as a venue by easing restrictions related to immigration, tax etc.
  • Promotion of ADR mechanisms, including provision of mediation facilities by arbitral institutions, and considering separate legislation governing mediation.

The changes proposed are of far-reaching effect and need to be closely followed.

We shall await the availability of the detailed report to comment on specific parts of the recommendations in due course.

Naavi

“Aadhar hacking case” is an example of Techno Legal Risk management failure

The so-called “Aadhaar Hacking Case” filed in Bangalore against Abhinav Srivastava has revealed two important lessons: one for organisations such as UIDAI, NIC and the hospitals, and another for the Police and the Adjudicator of Karnataka. I hope these lessons will be learnt.

Techno Legal Vs Technical Information Security:

Today’s reports corroborate the views expressed yesterday in these columns (Refer: The Aadhar unauthorized access case in Bangalore.. Requires More Debate), in which a tentative modus operandi was indicated.

This is a vulnerability in the systems operated by the e-Hospital application owner, and it shows a lack of due diligence under Section 79 of ITA 2000 and a lack of “Reasonable Security Practice” under Section 43A by that organisation.

The modus operandi, as indicated by the accused in his demonstration, reveals vulnerabilities in the system of which not only the e-Hospital application user (e.g. a hospital like NIMHANS) but also NIC and UIDAI should have been aware. It is exactly this kind of threat and vulnerability that needs to be identified in the ITA 2008 compliance audits which these agencies are failing to conduct.

I consider that this incident is a good example of how “Techno Legal Information Security Incident Management” differs from what people (Information Security professionals who use a uni-dimensional Information Security approach) call “Incident Management” today.

This is the first lesson we need to take from this incident.

Human Rights Violations by Unwarranted Aggression by Police

The Police, however, have so far not initiated any action against the organisations which contravened Sections 79 and 43A of ITA 2000/8. UIDAI also has not made any complaint against NIC or the e-Hospital application user whose app was used by the Abhinav App.

Instead, both UIDAI and the Police are after the techie who created the app, which enabled the release of individuals’ Aadhaar data on the specific request of the owners of the mobiles linked to those Aadhaar numbers.

On August 4th itself, TOI reported that UIDAI chief A. B. Pandey said, “The UIDAI would like to inform and reassure the public that there is no breach of any Aadhaar data and compromise of individuals’ privacy and security in this case.”

In view of this admission, the very basis of the complaint by UIDAI can be declared unfounded and wrong. They rushed to complain before fully understanding what had happened, and the Police acted blindly. Ignorant media persons naturally went to town stating that there was a breach of Aadhaar security, etc.

All this sensationalism will influence the Supreme Court hearing on the Privacy issue. We know that it was one such indiscretion, committed by some constables in Palghar who booked a Section 66A case against two girls for their Facebook post/like, that ultimately made the Supreme Court come down heavily on Section 66A and scrap it. A similar over-reaction by the Judiciary cannot be ruled out when the Bangalore Police are making a mountain out of a molehill in this case.

Now that UIDAI says there is no breach, it is inappropriate for the Press to continue describing this as a “Hacking” incident, and they should stop doing so. This is actually a “Security Breach” incident in the e-Hospital platform, which was exploited by a techie to create an App that was used by about 50,000 persons to check their own demographic data as available in the Aadhaar database.

This incident is similar to an earlier case which the undersigned had brought out, in which a Hyderabad techie created an application for booking train tickets through IRCTC, bypassing some server restrictions and the Captcha. In that case the person concerned was informed by the undersigned, and reminded by a TOI reporter, that posting an IRCTC booking application for public download was wrong in law. Fortunately, he understood the error and removed his web post before anybody complained to IRCTC. This saved the career of an otherwise intelligent techie.

As per the original report on the Aadhaar case, the Police had booked the complaint under Aadhaar Act Sections 37 and 38, ITA 2008 Sections 65 and 66, and IPC Sections 120B, 468 and 271. (P.S.: The sections used have been corrected as indicated further below. The IPC sections used are Sections 34, 120B, 468 and 471. The Aadhaar Act sections are not there.)

Now that the complainant (UIDAI) admits there was no breach of Aadhaar data, it is difficult to see how the Police can apply the Aadhaar Act sections.

Section 120B of IPC is for “Conspiracy”, which requires multiple persons acting together with a common criminal intent. This too is absent in this case, and hence this section is not applicable.

Section 271 of IPC is completely off the mark, and I cannot understand why it was used. This section reads as under:

Section 271 of IPC: Disobedience to quarantine rule.—Whoever knowingly disobeys any rule made and promulgated by the Government for putting any vessel into a state of quarantine, or for regulating the intercourse of vessels in a state of quarantine with the shore or with other vessels, or for regulating the intercourse between places where an infectious disease prevails and other places, shall be punished with imprisonment of either description for a term which may extend to six months, or with fine, or with both.

(Ed: 7th August: As per the copy of the FIR accessed just now, it appears that Section 271 is not in the FIR. Instead Section 471 (IPC) is present. The error is due to wrong reporting by a newspaper and is regretted.)

Section 468 of IPC pertains to “Forgery”, which also is difficult to prove here.

As regards Section 65 of ITA 2000, it is strange that this section continues to be misunderstood and misapplied in cases where there is no requirement under any law for the computer source documents in question to be kept or maintained.

The only section relevant to the Abhinav Srivastava incident is Section 66 of ITA 2000, under which one can allege that there was “Unauthorised Access”. Even this can be disputed: whether the unauthorised access was to the e-Hospital application or to the Aadhaar server, and whether there was a dishonest or fraudulent intention.

We should also not forget that in Karnataka there is a decision of the Adjudicator of Karnataka that Section 43 (and therefore Section 66) cannot be applied when either the person who committed the offence or the entity against which the offence (unauthorised access) was committed is not an “Individual”.

Hence, under this precedent, Section 66 also may fail in this particular case.

Thus it appears that the entire case is built on fanciful interpretation of different sections, put together to make it appear a serious and heinous crime deserving heavy punishment. In the process the Police have arrested a person in a good technical position and permanently damaged his career prospects.

Probably all the sections were added so that no bail could be granted. Otherwise, when people involved in frauds of thousands of crores roam freely both inside and outside prisons in Karnataka, there was no justification for remanding Abhinav to custody; he could have been interrogated without arrest or under house arrest.

If the Police had understood the problem properly and not been swayed by the name of the complainant, they could have handled this with finesse without unnecessarily hurting the accused to the extent they have done.

Probably this calls for a review of the police action from the “violation of Human Rights” angle. Unfortunately all our Human Rights activists are only interested in protecting Terrorists and Naxalites and this techie will not be considered as a fit case for them to step in.

I am reasonably confident that some of the more informed persons in the Cyber Crime police station in Bangalore would have felt that the arrest might not be necessary in this case, but somebody must have persuaded the Police to make this a demonstration of what would happen if somebody meddles with the UIDAI system.

“Consistency” is the hallmark of good Policing, and unless this is maintained, the public will not be able to trust the law enforcement system. I hope that the Cyber Crime Police in Bangalore try to maintain this consistency and stand up to pressures from vested interests.

I request the Police to revise their approach and let this techie out on Bail to mitigate part of the wrong they have already committed.

This is the second lesson we need to learn from this incident.

A Note to the Principal Secretary IT of Karnataka

At the same time, I would like to use this opportunity to remind the Principal Secretary IT, Government of Karnataka, who is also the “Adjudicator of Karnataka”, that it is a standing precedent created by a past Adjudicator that Section 43 cannot be applied to anybody other than an “Individual”, and hence Section 66 also becomes a section that can be invoked only if the victim is an “Individual” and not UIDAI or NIC or a NIMHANS hospital.

The current Adjudicator has the responsibility to review this precedent and correct the past mistake. I request him to take this up suo moto without waiting for anybody to file a petition in this regard.

A Note to the Techies, OLA and other Start Ups

I have repeatedly highlighted the necessity for techies to be aware of the Cyber Law related risks that they may ignorantly transgress, leading to a permanent loss of career as this incident would mean for Mr Abhinav Srivastava. The responsibility lies on the educational institutions (like IIT Kharagpur in this case) and the Companies (like OLA in this case) to ensure that those who are trained to create Cyber products are aware of the ethical ways to use their skills.

Just as I have earlier stated that had TCS conducted a “HIPAA Awareness Training” for its employees who were involved in the EPIC case, it could have saved the $940 million liability, if OLA had conducted an ITA 2008 awareness training for its key executives, they would have been able to retain Abhinav as their key employee and avoid a shock to its entire work force, which would have a very demoralizing impact on the organization.

Perhaps this incident, in which OLA was not involved, will however reduce its valuation because the company it acquired (Qarth Technologies Pvt Ltd) is now an “Accused” in a Cyber Crime. Other Start ups need to take note.

Naavi


P.S: The above article is based on the newspaper report on the sections under which the arrest has been made. Also, it is possible that the Police may have information that we do not know. These views may therefore be taken as a view based on information available in the public domain and stand corrected if required.

7th August 2017: 19.00 hrs: PS: I have just accessed the FIR copy and would like to make a correction in the sections used in the case. As against the earlier Asianet report, based on which the sections have been indicated in the above article, the FIR indicates the following sections: Sections 65 and 66 of ITA 2000, Sections 34, 120B, 471 and 468 of IPC. The complaint has been made by UIDAI, but the sections of the Aadhar Act seem to have been removed. Some of the comments made in the article therefore stand corrected.

The earlier report of the sections used was based on the following news report in Asianet News.

Naavi

Posted in Cyber Law

The Aadhar unauthorized access case in Bangalore.. Requires More Debate

“Data Theft”, “Hacking”, “Aadhar Data Breach” etc. have been the terms used to describe the instance where a person by name Abhinav Srivastava, who was working as an executive in Ola Cabs, created a mobile app and enabled e-KYC for the App users by linking it to the e-hospital platform created by NIC and used by the National Health portal.

On November 4th 2016, an article had been published in this site titled: Online Registration System for Indian Hospitals.. No Privacy Policy?

In this article, it was pointed out that the Online Registration System used by hospitals (50 plus hospitals are using such applications) enabled e-KYC through Aadhar but did not care to post even a Privacy Policy.

Today this appears relevant in the context of the accusation against Abhinav Srivastava that he had made an “Unauthorized use of the application”.

From the available records it seems that the accused created a mobile app which would go through one of these hospital management websites and fetch the demographic data of persons whose Aadhar number is provided on the website.

The Aadhar server (CIDR) is connected only to designated agencies, which are called Aadhar Service Provider (ASA) or KYC Service Provider (KSA); anybody else, including the hospitals, is called an Aadhar User Agency (AUA) or KYC Service User Agency (KUA) and has to access the data through a contractual agreement with an ASA/KSA.

In the instant case, the e-KYC app of Abhinav seems to have accessed the hospital management system and filled in the Aadhar number and captcha to trigger the OTP. If the OTP is provided, CIDR would dispense the details to the hospital website. If one completes the appointment request, the name, Date of Birth, Gender and Address get displayed in the appointment before confirmation. If it is not confirmed, the data may get discarded. However, before the cancellation, it should be possible to scan the web page and copy the demographic data.

Whoever designed this system should know that it is possible to write some scripts to enter the user inputs and extract the final data without any great “Hacking skills”.

While technically we can call this “Unauthorized” use, the question that needs to be raised is: where are the terms of usage of the page which say that such use is “Unauthorized”? The Privacy Policy and Terms of Use of the Service are conspicuously absent, and “Cyber Law Unaware” techies like Abhinav would not even understand that what they may be doing is punishable.

I therefore consider that, to be fair, the managers of these websites should also be booked for “Lack of due diligence under Section 79 of ITA 2008” and “Lack of Reasonable Security Practice under Section 43A” (considering them as deemed body corporates), which should put civil and criminal charges on the e-hospital users.

UIDAI has also been negligent, since it was not able to enforce security in its downstream users and remained blind to such possibilities. When we raised the issue of the Bank of Maharashtra UPI fraud, NPCI came up with the same defense that the fault was in the UPI interface of the Bank and not with NPCI.

Similarly, here UIDAI is taking a stand as if it has no fault on its side and has even filed a complaint against the accused, though the cause of action lies with the particular e-hospital application that was used by Abhinav’s App (which should be identifiable from the code).

After the NPCI-Bank of Maharashtra event, if the UIDAI people had been intelligent enough, they would have foreseen possibilities of the Abhinav App kind and ensured that the user-end security was tightened up. They did not become wise after the NPCI event.

Also, when Naavi.org type websites publish critical articles like the November 4, 2016 article, they are meant to be read by the authorities who are affected, and corrective action initiated. We have seen on several occasions in the past that Government agencies have not taken corrective action and later the doomsday predictions made by us have actually come true. This is not something that we are proud of. It is disheartening to note that the security managers who scout international websites for threat and vulnerability identification are unable to recognize that threats and vulnerabilities are also pointed out by authors like the undersigned.

Now the Police in Bangalore, who did not want to go against a more serious threat like the Wipro Ricin threat, are working overtime to book this IITian techie with several offences under the Aadhar Act and ITA 2008. They may technically succeed in proving “Unauthorized Access” but may still fail to prove “mens rea”. It is doubtful that sections from the Aadhar Act and “Conspiracy” etc. will stand scrutiny in a Court. Also, if they launch proceedings against Abhinav without including the hospital system that was actually breached, it would amount to being selective in prosecution.

I hope all concerned will debate the root cause of this fraud and take action that would prevent future breaches, rather than training all their guns on Abhinav only to hide the ignorance and inefficiency of Government officials.

Naavi

Reference Articles:

Aadhaar data theft: Techie tells police he did it just for kicks, to make an extra buck

UIDAI says no breach of Aadhaar data through the app

What may have made hacker’s task easier

ALSO READ A TECHNICAL ANALYSIS HERE

Posted in Cyber Law

The Psychology behind Blue Whale Challenge which Claims one life in India…

The tragic news of a young person in Mumbai committing suicide following the game of Blue Whale Challenge is shocking, to say the least.

When we learn that more than 130 persons have similarly committed suicide in Russia, we may take comfort that we have taken note of the danger of this “Game” early, and possibly we can prevent any more deaths arising from this menace.

For the record, “Blue Whale Challenge” is touted as a “Game” and people are enticed into downloading it through chats on social media. It is not available for download in the Google Play Store and hence it targets those people who are deep into social media chatting.

There is a view that victims may be chosen based on profiling of the victims from their Facebook or other similar platforms.

The persons who download the game are given one task per day as a “Challenge” for 50 days, culminating in suicide. Every task needs to be recorded as a video and sent to the game controller.

The Complete list of 50 tasks that the BlueWhale Challenge proposes as one task per day:

1. Carve with a razor “f57” on your hand, send a photo to the curator.
2. Wake up at 4.20 a.m. and watch psychedelic and scary videos that curator sends you.
3. Cut your arm with a razor along your veins, but not too deep, only 3 cuts, send a photo to the curator.
4. Draw a whale on a sheet of paper, send a photo to curator.
5. If you are ready to “become a whale”, carve “YES” on your leg. If not, cut yourself many times (punish yourself).
6. Task with a cipher.
7. Carve “f40” on your hand, send a photo to curator.
8. Type “#i_am_whale” in your VKontakte status.
9. You have to overcome your fear.
10. Wake up at 4:20 a.m. and go to a roof (the higher the better)
11. Carve a whale on your hand with a razor, send a photo to curator.
12. Watch psychedelic and horror videos all day.
13. Listen to music that “they” (curators) send you.
14. Cut your lip.
15. Poke your hand with a needle many times
16. Do something painful to yourself, make yourself sick.
17. Go to the highest roof you can find, stand on the edge for some time.
18. Go to a bridge, stand on the edge.
19. Climb up a crane or at least try to do it
20. The curator checks if you are trustworthy.
21. Have a talk “with a whale” (with another player like you or with a curator) in Skype.
22. Go to a roof and sit on the edge with your legs dangling.
23. Another task with a cipher.
24. Secret task.
25. Have a meeting with a “whale.”
26. The curator tells you the date of your death and you have to accept it.
27. Wake up at 4:20 a.m. and go to rails (visit any railroad that you can find).
28. Don’t talk to anyone all day.
29. Make a vow that “you’re a whale.”

30-49. Everyday you wake up at 4:20am, watch horror videos, listen to music that “they” send you, make 1 cut on your body per day, talk “to a whale.”

50. Jump off a high building. Take your life

It is clear that the game’s objective is to lead the target to his death. The series of steps and messaging creates a situation where the victim gets hypnotized and follows the suggestions scrupulously.

The person who created this sick game, who has been arrested in Russia, says that these people do not deserve to live and hence he is relieving the earth of “Useless lives”.

Obviously this creator is himself a psychologically deviant person. He is said to be a student of psychology, aged only 21 years, and reported to have been a failure in his career.

Just as a dejected software professional turns into a malicious hacker, this person has turned himself into a psycho killer.

The victim is also perhaps a depressed individual who takes to online chatting in search of a friend to pour his feelings out to.

The entire game is therefore not a typical cyber crime but a psychological problem of the society.

It cannot therefore be addressed as a Cyber Crime, with the remedy sought from the Cyber Crime police in Mumbai or elsewhere.

Blocking the Dark Web:

The remedy from the policing angle is how to block the “Dark Web”, which, if done, will protect people not only from this Blue Whale problem but from many other Cyber Crimes.

For this purpose we need to create a separate Internet network like a “White Web” where only verified websites and servers are allowed to be accessed. Websites may be allowed to register themselves with the authorities for a “White Web Pass”. At the same time, the identified “Dark Web” needs to be blocked, leaving a middle range of “Grey Web” as it is now.

Children may be allowed, through their restricted devices, to access only the White Web, with some kind of alerts raised through the ISPs when notified devices access the Grey Web or try to access the Dark Web. This requires the ISPs to create a filter which parents can activate for specific devices such as mobiles or laptops used by their minor children.

This solution will be opposed by the ISPs and many technology intoxicated persons who believe that it is their birth right to do whatever they want on the Internet.

Let’s therefore leave this for further debate on a different occasion and focus on what we can do even while the Blue Whale Challenge, or any other game of this type, is still accessible to vulnerable children.

Addressing the Psychological Issue

Since the creator was arrested some time in May, it appears that there were other “Administrators” who had taken over as “Mentors” and were managing the victims such as the Mumbai boy. Hence the mere arrest of one individual would not bring an end to the menace, and we should be ready for more such games to hit the market as long as the sadistic, technologically savvy creators are out there in the wild.

These creators and the administrators are hard core psychos and we can do nothing to reform them. If they are caught, then they should be permanently put behind the bar or even eliminated with a death sentence.

In the meantime we can address what we can do to prevent our children from falling prey to this game.

The first task is to identify potential victims through our own social media profiling of children, supervision of their web activity, changes in behaviour etc. Part of this can be done by the parents and more can be done through whistleblowing by friends through the Schools.

The Schools should not only undertake awareness creation for Children and Parents on the menace and try to mitigate the risk, but also create a “Whistle blower” mechanism for friends to report any abnormal behaviour of their co-students, and also appoint an “Internet Counsellor” to address the children’s problems.

Children are more cooperative with their schools and more amenable to receiving suggestions from their teachers than from their parents. Hence the schools have a big role in ensuring that Internet addiction risk of every kind is mitigated.

The Maharashtra CM has sought guidance from the Central Government on how to address the issue, but it appears that the solution lies with the Maharashtra Government (and also other State Governments) mandating that all schools must conduct

a) An awareness program for children within the next one week

b) An awareness program for parents within the next fortnight

c) Introduce a “Whistle Blower” scheme where students report to the authorities about any abnormal behaviour of other students.

d) Appoint a psychology expert as an “Internet Counsellor” to visit the school once in 15 days, to spend some time addressing the students and to meet any children who would like to seek guidance. He/She could also be the Ombudsman for the whistle blower program

e) Report on compliance through the website of the School.

I hope some NGOs take up the responsibility to coordinate and guide the schools in this regard. The above set of requirements can be considered as “Compliance Requirement” for the school.

Caution: For those adventurers who will try to download the game to check what it is, I would like to caution that the program may come with a trojan which would steal data from your computer or mobile, would be impossible to uninstall, and could cause other problems related to identity theft, including theft of Banking and other financial information related to the mobile owner.

Naavi

Refer:

Man behind Blue Whale suicide ‘game’ says he’s ‘cleansing society’

Beware! This Blue Whale online suicide challenge is scaring parents world over

The truth of ‘Blue Whale’ challenge: A game said to ‘brainwash’ teens into committing suicides


Posted in Cyber Law