The Three Plus One dimensions of Information Security

In the past we have highlighted the three dimensional approach to Information security which combines Technical, Legal and Behavioural science as the dimensions of Information Security.

Uni-Dimensional Approach

Information Security has often been approached as a “Uni-Dimensional” concept based on “Technology”. Under this concept, Information Security is often defined as “Preserving the Confidentiality, Integrity and Availability” of information. This is often referred to as the CIA principle.

Of late the Information Security community has extended this three-component, technology-based approach with a fourth component, “Authentication”.

This “Uni-Dimensional” approach works towards the end objective of “Protecting Data” and “Restoring it in the event of a loss”.

The approach therefore depends on the DRP-BCP principle, under which there is a good (if possible concurrent) backup of data which can be restored “Fully” within a short time. Both the backup process and the recovery from backup also need to be “Verified” with a hash check.

In these days when “Trojans” are programmed to activate themselves on a pre-determined time and day, it is also necessary for the restoration from backup to be done from a “Clean Backup”, ensuring that no dormant malware is present in the backup copy and using a clone copy for restoration if required.

This Full, Verified and Clean backup process can solve the problem of data loss, and if the BCP process is set to a low RPO and RTO (Recovery Point Objective and Recovery Time Objective), the Uni-Dimensional information security approach of “Protecting the Data” can be reasonably satisfied.
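As an added illustration of the Full, Verified and Clean backup process (example code, not from the original article): it records a SHA-256 manifest at backup time, checks a restored copy against it file by file, flags files that were never part of the backup set, and reports whether RPO and RTO targets were met. File contents, paths, timestamps and the objective values are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample backup set (path -> bytes); assumed, not from the article.
SOURCE_FILES: Dict[str, bytes] = {
    "db/customers.csv": b"id,name\n1,Asha\n2,Ravi\n",
    "db/orders.csv": b"id,customer_id,amount\n10,1,499\n",
    "config/app.ini": b"[app]\nmode=prod\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes], taken_at: str) -> dict:
    """Record a SHA-256 digest of every file at backup time. The manifest body
    is itself hashed so that tampering with the manifest is detectable."""
    entries = {path: sha256_hex(data) for path, data in sorted(files.items())}
    body = json.dumps({"taken_at": taken_at, "files": entries}, sort_keys=True)
    return {"body": body, "manifest_hash": sha256_hex(body.encode())}


def verify_restore(manifest: dict, restored: Dict[str, bytes]) -> dict:
    """Compare a restored copy against the manifest, file by file.
    'extra' lists files present in the restore that were never backed up:
    a restore is only 'Clean' when it contains exactly the recorded files."""
    body = manifest["body"]
    if sha256_hex(body.encode()) != manifest["manifest_hash"]:
        return {"manifest_ok": False, "ok": [], "bad": [], "missing": [], "extra": []}
    expected = json.loads(body)["files"]
    ok: List[str] = []
    bad: List[str] = []
    missing: List[str] = []
    for path, digest in expected.items():
        if path not in restored:
            missing.append(path)
        elif sha256_hex(restored[path]) == digest:
            ok.append(path)
        else:
            bad.append(path)
    extra = sorted(set(restored) - set(expected))
    return {"manifest_ok": True, "ok": ok, "bad": bad, "missing": missing, "extra": extra}


def recovery_objectives_met(taken_at: datetime, incident_at: datetime,
                            restored_at: datetime, rpo: timedelta, rto: timedelta) -> dict:
    """RPO: data written after the last verified backup is lost, so the gap from
    backup to incident must not exceed the RPO. RTO: the time from the incident
    to a verified restore must not exceed the RTO."""
    data_loss_window = incident_at - taken_at
    downtime = restored_at - incident_at
    return {"rpo_met": data_loss_window <= rpo, "rto_met": downtime <= rto,
            "data_loss_window": data_loss_window, "downtime": downtime}


def is_full_verified_clean(integrity: dict, objectives: dict) -> bool:
    """Accept the restore only if every file matches, nothing is missing or
    extra, and both recovery objectives were met."""
    return (integrity["manifest_ok"] and not integrity["bad"] and not integrity["missing"]
            and not integrity["extra"] and objectives["rpo_met"] and objectives["rto_met"])


def sample_scenario() -> dict:
    """Constructed scenario: backup at 02:00, incident at 05:00, restore finished
    at 07:00, with one restored file silently altered and one unexpected file."""
    taken = datetime(2017, 8, 1, 2, 0)
    manifest = build_manifest(SOURCE_FILES, taken.isoformat())
    restored = dict(SOURCE_FILES)
    restored["db/orders.csv"] = b"id,customer_id,amount\n10,1,4990\n"
    restored["tmp/unexpected.bin"] = b"not part of the backup set"
    integrity = verify_restore(manifest, restored)
    objectives = recovery_objectives_met(taken, taken + timedelta(hours=3),
                                         taken + timedelta(hours=5),
                                         rpo=timedelta(hours=4), rto=timedelta(hours=1))
    return {"integrity": integrity, "objectives": objectives,
            "full_verified": is_full_verified_clean(integrity, objectives)}


if __name__ == "__main__":
    print(json.dumps(sample_scenario(), default=str, indent=2))
```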

The implementation of the Uni-Dimensional technology-based approach is through Firewalls and IDS systems as well as technology applications such as Access Control and Encryption. Hashing and Digital Signature technologies are used to ensure integrity and authentication.

The ISO27001 and PCI DSS type of information security audits are normally considered as the final word on information security in this Uni-Dimensional approach.

Dual Dimensional Approach

The Uni-Dimensional approach essentially tries to protect the “Data” from being lost through unauthorized access or through other technical issues, including malware attacks such as ransomware.

However, when the unauthorized access results in ex-filtration of data or compromise of confidentiality, mere restoration of lost data may not provide relief to the information owner. When data held in trust by a company is compromised, there is an issue of third party liabilities arising out of privacy protection laws or contractual obligations.

There could also be vicarious liabilities arising on the information owner due to legal provisions such as Section 79 or 85 of ITA 2000/8. The essence of such legal provisions is that if an organization that collects information from the public suffers a data breach through external attacks or insider threats, and it cannot prove that it has observed “Due Diligence” and/or “Reasonable Security Practice”, the liabilities will crystallize on the organization and its executives.

Such liabilities (Section 43 read with Section 66, Section 43A, Section 72A, Section 65 and Section 67C) could result in both civil liabilities and criminal liabilities.

Hence a DRP-BCP which results in restoration of data and continuity of business systems does not protect the information owner from being liable to pay damages or even going to jail.

The Second dimension of information security therefore is the “Techno Legal Approach” which tries to protect the information owner from liabilities arising out of data breach incidents. Such protection arises from the organization being “ITA 2008 compliant” and also documenting its compliance process to be produced as its defense when the requirement arises.

Being able to protect oneself from liabilities is the “Defensive Legal Remedy” (DLR) that companies may seek from their compliance activities under the Techno Legal Information Security approach.

Apart from being able to defend the company from liabilities, being compliant with cyber laws ensures that the company may be able to use the same law to recover damages from others (e.g. subcontractors and the ultimate offenders who committed the crime) by invoking a litigation process. This is an “Offensive Legal Remedy” (OLR) that becomes available to the company which has suffered a data breach.

It is clear that no company can claim to be legally compliant under “Due Diligence” or “Reasonable Security Practice” if it has not implemented the technical security measures including obtaining certification of ISO 27001 or its equivalent.

However the technical security measures are considered “necessary but not sufficient” to provide the liability protection for the information security owner.

Thus the Dual Dimensional approach extends its scope from protecting the information to protecting the information security owner as well.

The Preservation of Confidentiality, Integrity and Availability of information still prevails along with Authentication which should be legally sustainable and “Non Repudiable”.

The undersigned believes that the management approach to information security could be prioritized based on the following hierarchical prioritization of the different components of Techno Legal Information Security.

The Third Dimension

Whether the approach is Uni-Dimensional or Dual Dimensional, the implementation always requires the support and complete willingness of the people. The technical aspects such as access control often fail because the users tend to be ignorant and negligent. Policies and procedures prescribed for legal compliance which may include sanctions also fail through ignorance and unwillingness to adhere to rules and regulations.

Information Security professionals do recognize the role of “People” in information security and try to address the “Social Engineering” attacks through appropriate awareness building exercises within their employee fold.

However, the problem with “People” is that the same persons behave differently at different points of time, and different persons behave differently to the same stimuli. It is for this reason that the undersigned considers the “Behavioural Aspects of people” as the third dimension of information Security and not merely the “people”.

“Ignorance” can be reduced by “Awareness” building, through training of various types that is part of information security practice.

However, Awareness Building is another “necessary but not sufficient” factor in information security implementation. Awareness needs to be converted into “Acceptance” and thereafter into “Commitment” if the information security controls are to be diligently followed by the people who are responsible for the implementation of information security.

Since law attributes the automated actions of a system to the “Person who caused the system to behave in the particular manner”, the software creator, or the owner of the system who takes over the software/system along with its default configurations, becomes the human element responsible for the actions of the automated systems. But the software developers may not foresee the vulnerabilities, nor feel the effect of the vulnerabilities, since they successfully pass on the liabilities to the user. Law hurts the user of the software and the intermediary who provides the platform for the software. It does not touch the software developer who developed and released defective software with vulnerabilities. Though the software developer may later identify the bugs and send “Patches”, the liability for “Zero Day Liabilities” still remains with the software user, which is an unfair burden on somebody who has paid for the software.

Some software developers have the ethical attitude to at least run “Bug Bounty” programs, which acknowledge the limitations of the testing process before release of the software but try to provide some cover through crowd-sourcing of the testing process. But since Bug Bounty programs are not mandatory, most software developers release untested defective software and start counting cash before the product is patched for basic defects.

“Security By Design” and “Secure Coding Practice” are known to most software professionals, but they still ignore them. This is a serious issue that the software industry has not been able to tackle effectively.

This tendency to ignore security issues is more a result of the “Attitude” of the software professionals than a function of “Ignorance”. There are issues arising out of “Technology Intoxication” and sometimes a deviant mindset such as the “Cyber Offendo Mania” (an obsessive compulsion to commit an offence).

In the Cyber Crime scenario, the attitude of users to “Blindly Trust” the software and the urge to “Be the first to test a new introduction” often make people invite compromise of identity and open up doors of opportunity for attacks.

The attackers are also emboldened by the “Anonymity” and “Asymmetric advantage” that they may use for planning and executing the attacks, while the security professionals are constrained by the uncertainty and unpredictability of the nature or source of the next attack.

The attackers are also persons who are “Technologically intoxicated” and hence are prone to irrational decisions besides calculated motivated attacks.

The behavioural aspects of unknown attackers are not amenable to being mended except by creating a “Deterrence” through well publicized successes of the police in busting criminal rackets. However, we can try to mitigate the risks of insider attacks by trying to modify the behavioural traits of people who work for an organization.

For this purpose, we need to be able to identify “Deviant Minds” and put in place strategies to mitigate the risks through counselling, advanced training etc.

Addressing the “Mitigation of Information Security Risks arising out of Behavioural Traits of employees” is a subject which is far removed from the skill sets that an information security professional is normally endowed with. Management/HR professionals may possess such skills, but technical experts have skills which may be diametrically opposite to the requirements of observing and reacting to the psychological infirmities of their subordinates.

This area is still in a developing stage and Psychological and Sociological experts need to research in the area of Information security challenges arising out of behavioral traits of people.

Naavi tries to incorporate principles of Behavioural Science solutions such as the ego-gram mapping and script mapping of Eric Berne and identifies the requirements as part of his “Pentagon Theory of Information Security Motivation”. Under this theory, it is considered that Information Security motivation is bound by five parameters, namely Awareness, Acceptance, Availability, Mandate and Inspiration, arranged as the boundary walls forming a pentagon rather than the hierarchical pyramid model of motivation used by Dr Maslow in his theory of motivation.

There are several issues with this theory which need further examination by Techno Legal Behavioural Science Experts, who are the Information Security professionals of the coming era.

The Plus One Dimension

Naavi has been discussing the three dimensional approach to Information Assurance for several years now and hence it is not new. The information security professionals in general have already moved from the Uni-dimensional approach to the dual dimensional approach. The hurdle to absorb and assimilate the third dimension will take some more time and will require managerial acumen to be imbibed by the CISOs. It will take its time and we need to wait for this maturity to be reached.

In the meantime it has become necessary to point out another dimension which is relevant for the current scenario.

While the earlier approach covers protection of data and protection of the data owner, there is also a need to consider whether it is the responsibility of the information security community to grow out of being selfish and always looking inwards, and to become more responsible to the community they serve by being a little more outward looking.

In this approach, it is necessary for Information Security to consider whether there is any risk to the eco-system caused by an information security failure and whether something can be done to protect the eco-system.

One example that comes to mind is the discussion we are now having on “Bitcoin”. There are many information security professionals who endorse Bitcoin because they like the “Block Chain technology”. Some are even thinking as if Block Chain technology is an “Information Security Tool” since it can be used to “Build trust out of an Untrusted resource”.

However, if Bitcoin is an “Anonymous” and “Unregulated” currency that can replace the legal tender of a country, the impact that it may have on inflation, black money creation, terrorist funding etc. needs to be taken into account. If these negative concerns outweigh the positive aspects of the technology, we should be prepared to reject the innovation. This is like the “Risk Absorption Capacity” of the society that needs to be kept in mind at the time of choosing risk mitigation strategies. If a certain risk is beyond the risk appetite of an organization, such risk needs to be eliminated by avoiding the risk rather than trying to mitigate it through other measures.

The rush to implement Aadhar Based Payment Systems could be another innovation that we need to check under this Plus-one dimension. “Regulated Anonymity” vs “Absolute Privacy Protection as a Fundamental Right” could be another example that we need to check under this concept.

This concern for society and incorporating the “Social Cost Benefit” to our equation of information risk management is the “Plus One” dimension that I would advocate for the industry of information security professionals to consider.

Even the Cyber Insurance professionals should consider this as a necessity since the aggregated risks arising out of such damage to the society makes re-insurance more expensive.

This Plus-One dimension opens up a discussion on Technology innovators who tend to introduce “Irresponsible Innovation” that can cause “Disruption” which may actually lead to destruction of the society. Some of the Cybertariat issues that I have discussed earlier actually stem from the fact that technology innovators, often blinded by their “Technology Intoxication”, ignore the debilitating effect of what they do on the society of which they are also a part. This is the “Bhasmasura Syndrome” (call it the Frankenstein Monster if you like) which I espoused in an earlier article.

We as a community of Cybertariats including the software developers, information security professionals, management professionals, Cyber law professionals, Psychology/Sociology professionals etc should all start debating on the need to recognize and factor in “Social Cost” to technological innovations so that progress does not come at the cost of the society.

Naavi


Posted in Cyber Law | 1 Comment

Challenges and Solutions for Cybertariat employees

IEEE had organized a one day symposium at IISc, Bangalore on 29th July 2017 to discuss various issues that confront Netizens (Cybertariat). During this symposium, issues such as Cyber Crimes and Information Security were discussed.

There was also a focus on “Ethics for Cybertariats” as a concern for the society. Dr Gopal of Anna University, Chennai and Dr Srinivas of ECE department IISc, Bangalore took the lead in organizing the symposium. Mr Pavan Duggal, and the undersigned were among the speakers who shared their experience to the audience drawn mostly from academic circles.

I am separately sharing the brief of the presentation made in this symposium. In the meantime however, I would like to share an article that I had contributed to one of the publications of International Review of Information Ethics (IRIE). 

This article has become more relevant today after Mr Donald Trump took over as President of United States.

LAG Neutrality Challenges and Solutions

The growth of Cybertariats as a new class of workers who represent an integration of the Cyber Society work with existence in Physical space has opened up new challenges in the management of the work force.

The key concerns or issues are those which arise in the world of Cybertariats because of “LAG neutrality”, namely the “Location Neutrality”, “Age Neutrality” and “Gender Neutrality” of a Cybertariat worker.

Impact of Location Neutrality

The first and foremost issue regarding the rise of Cybertariat workforce is the impact on the local employment and the issues arising therefrom.

The Cybertariat workforce is location independent since they can work from anywhere and at any time and still be virtually present in the workplace. The industry loves them because it can hire them by shopping economically across the globe and also fire them without as much impact as when it fires the physical workforce. The industry can keep only the “Work Goal” as the criterion for maintaining the Cybertariat workforce and free itself from other distracting aspects of human management.

The Cybertariat workforce essentially works on a Virtual identity. In many instances the real identity may not matter at all. Most commercial workforces which are distant from the national security domains need neither an identified workforce nor a permanent workforce. They can be hired and fired like a “Job Worker”.

What makes economic sense for businessmen, hiring Cybertariat workers instead of physical workers, creates a serious ethical issue of whether industries can be oblivious to the social impact of local job losses to technology workers from another place.

The frequent references of Obama and now Donald Trump to Bengaluru IT industry as a threat to US economy stems from the fact that, for a Chicago company, the remote Bengaluru worker may be more efficient and more economical than a comparable worker sitting in Chicago. While this does affect the employment potential in the physical space of Chicago, the profitability and global competitiveness of the US Company which opts to use a Cybertariat Bengalurian instead of the US based Chicago resident, improves.

Whether the trade-off of possible local un-employment with more profit generation for the company/country is beneficial or not is an economic decision. However, this also raises the ethical issue of whether it is the responsibility of the industry to share its prosperity with the local community by providing a stable employment scenario to the community so that the community lives in harmony.

In recent days, concerns about Cybertariat hiring are arising because of “Security Issues”. Any cyber work involves handling of data which is personal and sometimes also sensitive. The security of such data is therefore a concern for “Privacy” as a part of the democratic tradition and also as a means of preventing Cyber Crimes.

A standing example of how “Privacy” and “Security” concerns affect the Cybertariat workforce is evident in the fact that after the increasing number of data theft reports from USA, the flourishing “Home Based Medical Transcription Industry” in India seems to be withering away.

A workable solution towards balancing better economic sense with softening of the local sentiments is to be worked through a “Corporate Social Program” which makes it obligatory for the Cybertariat employer to contribute to the development of alternate employment opportunities for the local workforce.

If, for example, the cities of Bengaluru and Chicago enter into a Cybertariat Workforce Treaty, they can ensure that Obama need not introduce a “Bengaluru Tax” nor does Trump need to put an embargo on “Export of Data” to Bengaluru, but instead negotiate a reverse flow of benefits from Bengaluru to Chicago, either in the form of cyber related work at a different level or even through import of, say, manufactured goods from Chicago to Bengaluru.

Age Neutrality Impact

As compared to Location Neutrality, Age Neutrality raises the issue of whether the “Earning Potential” of an individual needs to be “Retired” after a person attains a particular age. In a society where “Old Age Security” is important, with rising life spans and decreasing family support in old age, it is sometimes cruel to retire an otherwise able and efficient worker just because his age certificate indicates that he has crossed a certain age.

The Cybertariat workforce is free from this obligation of “Retirement”, both because they work on short term assignments and because of the focus on work output rather than other considerations.

The Cybertariat employers however have not yet fully exploited the potential of “Age Neutrality” of the workforce, as we still see them going with the normal recruitment norms applicable to the physical world. They therefore look at providing the “Work From Home” option to persons who love to drive to their office rather than being confined within their homes in front of their parents. On the other hand, a middle aged person who loves to work from home and also attend to some obligations associated with staying at home would love the work from home concept more than driving down to work. Work from home for such middle aged and senior persons would be a blessing, and they would provide better output per unit of investment to the hirer.

Again, this age neutrality could raise an ethical issue about the obligation of industry to support the younger generation, which is looking for a “Primary Source of Income” to earn a livelihood, rather than providing additional revenue as a supplementary income to a middle aged or senior worker who already has enough savings for his basic necessities.

Balancing the requirements of the young society with the senior society is therefore an obligation that the Cybertariat industry needs to manage.

Again, the solution lies in generating specific alternate avenues of employment which the younger generation considers an enjoyable occupation, in replacement of the not so enjoyable nine to five office job, which can be split into two or three slots and filled by multiple senior persons working from home.

Gender Neutrality Impact

The third key aspect of Cybertariat workforce is the fact that the concept of “Good Looking”, “Male or Female” has no relevance to the work.

In certain types of work, “Voice” could be a factor of employment but with some voice changing software available in the market, real time voice changing could be a technically and commercially feasible option to be used by Cybertariat workers to completely negate the advantages or disadvantages of the gender of a Cybertariat worker even when the work involves a voice interaction.

In countries like India, we are still struggling with concepts such as “Gender based Reservation” and “Gender Based Discrimination” in workforce policies. Rise of Cybertariat workforce kills the concept of such gender based discrimination and brings in an equality between the male and female workforce. It eases the obligations of the employer such as extending leave to employees beyond certain limits only on gender based considerations and generally helps in improving the productivity of the entire workforce.

Again the advantage that the Gender Neutrality provides to the Cybertariat employer also provides a challenge to the ethical obligations that the society may like to pursue in providing employment based on the gender of the employee.

While gender neutrality may reduce the preference that society now provides to women in the form of easy working hours and longer maternity leave etc., Cybertariat workers simply do not care about working hours and maternity leave since they can work as long as their health permits and be beneficial to both themselves and the employer.

In summary we may observe that there are several ethical issues that arise out of the rise of Cybertariat work force. But these provide several economic benefits to the employer and the disadvantages are often a reflection of our expectations created because of our experience with the workspace in the physical world. As we get used to the Cybertariat work space, we can certainly find a balance between the economic advantages and ethical challenges and perhaps achieve a better harmony and benefit to the society on the whole. Managing the transition without being bogged down by the old principles of what is an ideal work space is however a necessity to harness the benefits of Cybertariat work culture.

Naavi


Posted in Cyber Law | Leave a comment

Smart City Council holds a “Round Table” in Bangalore

Smart City Council India conducted an event in Bangalore on 28th July 2017 in which a report on “Role of Surveillance in Securing Cities” was released. The program was sponsored by Western Digital Technologies, one of the leading commercial stakeholders in the business of selling storage devices and CCTV devices.

Several prominent persons, mainly from government agencies in Bangalore, participated in the program, which was titled a “Round Table” but turned out to be a sort of seminar on smart city surveillance issues. Some interesting aspects of surveillance came out of the discussion. Mr Gaurav Gupta, the Principal Secretary IT, Government of Karnataka, was also briefly present and addressed the gathering.

Mr Kwaja Saifuddin, Senior Sales Director-South Asia of Western Digital, highlighted the growing demand for data storage arising out of the explosion of CCTV devices that are part of “Surveillance” in cities, both because the number of CCTVs is on the increase and because the required quality of imaging has been increasing.

The need for Smart City surveillance strategies to be “Citizen Centric” was highlighted by Mr R.Srikumar, former Vigilance Commissioner (CVC) and DGP of Karnataka and founder of www.indiancst.in

A panel of experts consisting of Mr Srinivas Reddy, Director, Karnataka State Natural Disaster Monitoring, B.N.S.Reddy, Director, Security and Vigilance, KSRTC and Professor T.Shankar, IISc and moderated by Mr Sanjay Sahay, ADGP, Karnataka shared specific experiences and issues arising out of the surveillance. The panel underscored that surveillance does not end with CCTV cameras alone and there is an important role for “Sensors” in the smart city management. Discussions were informative.

The report on “Role of Surveillance in Securing Cities” indicated that the global video surveillance industry is expected to grow at a CAGR of 11.87% to reach a total market size of US$ 48.69 billion by 2021. The current market in India was placed at $952.95 million and projected to grow at CAGR of 13% between 2016 and 2022.

A shift towards IP surveillance and a lack of standardization broadly characterize the Indian Surveillance Market, according to the report. The report urged that Governments should focus on context-specific needs and should invest in the highest resolution cameras, best quality analytical tools and highest capacity storage.

Unfortunately the event did not provide much scope for discussion and hence it ended up being a one way presentation that highlighted that there is a tremendous scope for the industry surrounding CCTV cameras.

The “Round Table” failed to discuss the security issues such as the Denial of Service Attacks that could be launched by botnets created out of the CCTV cameras or failure of sensors in critical activities or the privacy issues involved in surveillance. The limitation of time could be one of the plausible excuses for leaving out discussions important to the community.

However, being a sponsored event, the lack of interest in highlighting unpleasant issues of surveillance could also be the reason.

When an event is titled “Round Table” and several Government officials and Police officials are invited to the event, it was disappointing that the event failed to make a wholesome discussion of “Surveillance”, though as a special guest Mr Srikumar did point out the need for “Smart City Governance to be Citizen centric”.

Hopefully Smart City Council corrects this imbalance in their next event or call it an “Industry interaction on Business opportunities in Video surveillance” instead of a “Round table”.

(P.S: This is only a report on the event. Will present some of my views on surveillance separately)

Naavi

Posted in Cyber Law | Leave a comment

Bhasmasura Syndrome grips Bitcoin supporters

Bitcoin is now at a crossroads. Which direction it may take globally is not clear. Indian regulators should consider themselves fortunate that they have not yet committed themselves to issuing their guidelines despite pressure from different directions.

Currently the Bitcoin price has fallen from around Rs 210000/- to around Rs 162000/-.

One of the respected investors, Mr Howard Marks, has stated:

“In my view, digital currencies are nothing but an unfounded fad (or perhaps even a pyramid scheme), based on a willingness to ascribe value to something that has little or none beyond what people will pay for it,”

Simultaneously, a Bitcoin laundering ring has been busted and a Russian (Alexander Vinnick) has been arrested in Greece for being the suspected mastermind behind a $4 Billion bitcoin laundering ring.

In the midst of these developments came the Bitcoin Improvement Proposal, a proposal to make some code changes because the block chain storage capacity was getting congested. Over 93.8% of the Bitcoin nodes supported a modification of the code which will be implemented from 1st August 2017.

This will mean that a majority of the current nodes will upgrade themselves to the new protocol. However some will not. This will create two block chain forks to come into existence. The new block is referred to as “Bitcoin Cash”.

The creation of a new forked block chain, which is referred to as a “Hard Fork”, will mean that those who do not update to the new protocol will continue to be working on the old Blockchain fork. This could also create some transactions which may continue as a second version of the Bitcoin, and there could be two market rates in the exchange. To avoid problems, holders may sell out their bitcoin holdings and convert them into other AltCoins as soon as possible. However, many Bitcoin holders have been defrauded recently in their transactions and hence there is a lot of confusion among holders about what action to take while the conversion of Bitcoin to Bitcoin+Bitcoin Cash may happen on August 1st. Probably they need to rely on their exchanges to give out a solution. But it is clear that many may face problems and we will have a lot of complaints surfacing after August 1st from those investors who were risking their hard earned money in Bitcoin as an investment proposition.

In the meantime there is another news item today that Karnataka Government is separately considering issuing some guidelines on Crypto Currencies. (Refer report here).

It is stated that the Government will host a seminar towards the end of August to discuss the issue with stake holders.

According to the minister, “The seminar will give a perspective on whether Bitcoin should be used as a digital currency or as a securities or commodities”. He also said, “We will also see whether the platform of blockchain, which boosts efficiency in government administrations, can be used. Based on the inputs we receive from the stakeholders, we may consider a policy.”

In the past there have been several instances when Karnataka Government has taken decisions on Cyber Law which are ultra vires the Information Technology Act 2000.

Legislation on Crypto Currency is not in the domain of the State laws and hence it would be better if the State Government refrains from doing anything which is ultra vires the powers of the State Government at the behest of the Bitcoin Exchanges.

I would like to caution the Government that giving any kind of acceptance space to Bitcoin is harmful to the society. I am aware that many technologists are strongly supporting Bitcoins as well as the Block Chain technology. In my opinion this is representative of their myopic view that technology and innovation are welcome unmindful of its adverse impact on the society. If the Government falls prey to the PR efforts of the Bitcoin Exchanges, they will be damaging the economic framework and destroy the society.

This tendency to adopt measures which look attractive at first glance but could lead to self destruction is what I call the “Bhasmasura Syndrome” of creating a monster and later running to save our skin. People who advocate “Disruption” through “Innovation” should remember that disruption is welcome as long as there is no destruction. Otherwise it will be like the legendary story of Lord Eshwara giving a boon to Bhasmasura that if he places his hands on the head of any person, that person would be burnt, only to find that Bhasmasura wants to test it on Lord Eshwara himself.

I hope Karnataka Government does not invite problems by creating a Bhasmasura called Bitcoins.

Naavi

Posted in Cyber Law | 1 Comment

It is not Banks but the Customers who have lost Rs 88,553 an hour…

Times of India carried a report today headlined “Banks lost Rs 88553 an hour to Cybercrime in last 3 years”. According to the report, the total money lost from April 1, 2014 to June 30, 2017 due to Cyber Crime was Rs 252 crores.

Data computed from the reports made to RBI has reportedly indicated that nearly 40 cases of cybercrime, costing Rs 21.24 lakh a day on an average, have occurred in India. This is the data of 102 banks of all categories obtained from the Reserve Bank of India. In all, 46,612 cases were reported in the said period.

We have always disbelieved the statistics reported by the Banks to the RBI, since Banks for a large part have disowned frauds, have always blamed the customers for parting with the credentials in a phishing attack, and have declined to register customer complaints as “Bank frauds” and report them to RBI.

Hence we consider that the above statistics include only the losses that the Banks have not been able to push off onto the shoulders of the customers, since they were frauds involving ATMs where no customer might have been targeted, or where the frauds were due to reasons which directly indicted the fraud within the Banking system.

The actual frauds and the loss that the customers have suffered would be much more than the amount which the article mentions.

They need protection, and it is heartening to take note that there is some thinking in the Government to consider mandatory Cyber Insurance at least for some categories of customers, as Naavi has been suggesting for a long time, provided the unwilling Bankers can be tamed.

What is surprising is that Banks continue to suffer because they have been grossly negligent on the security measures that have been mandated on them by RBI. Hence there is no need to be sympathetic to the losses suffered by the Banks. It is their own creation.

Just to give an example, we can look at the cloned cards that have been used to withdraw money from the ATMs. What prevents the banks from having active CCTV cameras and using face recognition as additional authentication to allow a transaction and disable the transaction if CCTV and face recognition is not functioning?… Is it cost?…then let them spend Rs 88553 per hour in the future also… It is for the share holders of the Banks to question the Banks about the loss caused by the negligence of their CEO.

Most of the Banks are yet to implement the RBI instructions in the July 7 circular on “Limited Liability for Frauds”. Probably they are building a case for some kind of sympathy through articles such as these.

Customers have been fleeced by these Banks in the form of increased cost of E-Banking and Banks have collected enormous money directly in the form of service charges without being able to improve security.

In this respect Banks have become like politicians who keep on raising taxes and fill up the coffers of the Government only to increase the salaries of MPs, MLAs and Government employees while all the services are being implemented on “Toll charge basis”.

“Why should there be a Government and Taxation system if the taxes are not being made available except to pay the Government employees and politicians?” is a question all honest citizens often ask. Now, a similar question can be asked of Banks. It is necessary for Banks to account for all the increases in service charges they have made over the last one or two years and provide an account of how the increased revenue has been used.

I urge RBI to audit the increases in service charges made by Banks in the last three years and how the revenue has been deployed to improve security of transactions.

Naavi


Posted in Cyber Law | Leave a comment

Let’s Not misinterpret the Sonu@Amar judgement on Section 65B

This is to ensure that we do not misinterpret the judgement in Sonu@Amar Vs State of Haryana by going only by the discussions on legal issues that the Judge has added in the Judgement before arriving at the final judgement.

My first reactions on the Sonu@Amar case were based on the article titled “Evidence Law; Sonu @ Amar Vs. State of Haryana [Supreme Court of India, 18-07-2017]”, published by Legal India on July 18, 2017.

It went on to present an abstract stating: Evidence Act, 1872 – S. 65B (4) – Interpretation of – Certificate for Proving Electronic Records – Criminal cases decided on the basis of electronic records adduced in evidence without certification have to be revisited as and when objections are taken by the accused at the appellate stage.

The report prominently highlighted the quote from the judgement: “…There is no doubt that the judgment of this Court in Anvar’s case has to be retrospective in operation unless the judicial tool of ‘prospective overruling’ is applied.”

The Social Media immediately picked up this lead and spread the word that old judgements delivered by the Courts between 04.08.2005 and 18.09.2014 (between the Afsan Guru Judgement and the Basheer Judgement) need to be revisited because of the Sonu@Amar judgement.

We consider that this view is misplaced.

We need to observe that the Sonu@Amar judgement has also stated: “retrospective application of the judgment is not in the interests of administration of justice as it would necessitate the reopening of a large number of criminal cases”.

Hence it went on to dismiss the appeal.

It appears that many have read this judgement ignoring that the Court rejected the appeal and did not agree, for whatever reason, that there is a need to revisit cases where a Section 65B certificate was not submitted and the evidence was nevertheless accepted by the Courts.

Many messages shared on WhatsApp highlighted the view that, according to the Court, all old cases should be “re-visited”. This is not the correct inference that we should derive.

Secondly, the Sonu@Amar Judgement gives an impression that law on Section 65B was created by the Afsan Guru judgement and changed by the Basheer Judgement. This is not entirely correct.

The law was created with ITA 2000; the Supreme Court interpreted it in one manner in the Afsan Guru case and corrected it in the Basheer case. It is only the Cyber Jurisprudence that is developing.

Judgements can change law where the judgement adds to or deletes from the law as written. When it is only a realization and interpretation of the law as it is, we need not treat it as if the law came into existence only because of the judgements.

The Afsan Guru judgement did not create the Section 65B certification; hence it is not only the cases between the two judgements that the Sonu@Amar judgement should debate revisiting, but all bad judgements since 17th October 2000 where Courts have ignored the presentation of a Sec 65B certificate. This view would have created more problems than it could solve.

Now the Sonu@Amar judgement follows the Basheer judgement but only says that it would be impractical, and hence unnecessary, to give it retrospective effect and revise the earlier judgement of the High Court on which the appeal was made.

We agree that it would have created chaos if a decision had been taken to re-visit earlier cases on this ground, though we regret that the Courts were not interpreting the law properly at that time. This is one of those exceptional cases where the Courts erred and the error cannot be easily corrected by a general order to annul the earlier judgements.

Though the Court, under a similar argument that the legislators were not clear in wording Section 66A, slapped the legislators and scrapped the section, we cannot slap the Courts for their ignorant interpretation of Section 65B in the past and argue for scrapping all the old judgements. We have to let it pass.

I am however sure that in deserving cases where the evidence has been tampered with and Courts went on to base their judgements on “tampered uncertified electronic evidence“, it should be possible to challenge the judgement.

The cause of action for seeking such a review may not be primarily the technical reason that the evidence was not certified, but the reason that the genuineness of the evidence is questioned.

Naavi

Posted in Cyber Law | Leave a comment