Will Police Employ Abhinav Srivastava as a consultant?

There is a news report today that the Bangalore Police are so impressed with Mr Abhinav Srivastava, who was arrested on the charge of hacking into the UIDAI database, that there is a discussion on engaging him as a consultant for the Police. (See Report here).

At this point of time this remains a rumour and could be the fanciful wish of some. We have at least seen TV serials about such a practice in the USA, where “Community Service” is one of the options offered to a criminal as part of the sentence. The Cyber Crime Police could therefore create a structure for using convicted hackers as part of the Police team for a certain number of years until the sentence runs out.

I am not sure if Criminal Jurisprudence in India provides similar innovative discretion to a Judge. Probably experienced criminal lawyers can clarify.

However, there is nothing wrong in Courts considering, in deserving cases, such innovative punishments, which could be the most appropriate in some cases. But if such things are to be properly brought into the system, then we should be sure about Judges not being corrupt. We have several instances in India of Judges faking arithmetic errors and acquitting criminals, granting bail or allowing convicts to be on parole on non-existent grounds.

If therefore “Community Service” is allowed as a “Punishment”, then many criminals would buy such punishments and later negotiate with the mentors who are supposed to monitor the sentence, so as to go scot free.

However, in the case of Cyber Crimes in particular, it appears that such punishments are relevant, since in most cases the accused is likely to be educated and more often becomes an offender either because of “Ignorance of law” or because of psychological conditions such as “Technology Intoxication”. Such persons may be amenable to a reformatory process.

In the case of Abhinav Srivastava, this could also have been suggested as a face saver for the Police/UIDAI, since the case is not strong. The case has been booked and the person has been arrested for “Unauthorized Access of Aadhar Facilities”. But actually he has perhaps created a tool which is used by third parties who made use of an “Authorized Access Source” under circumstances in which there was no clear bar on using that source.

Without adding the 80000 members of the public who downloaded and used the App as the main accused, it would be difficult to blame only the tool manufacturer.

Further, it is difficult to establish the guilty mind (mens rea) of the accused to bring a criminal charge. There will be little scope for civil claims, since nobody may be able to prove “Wrongful loss”.

If the case is pursued further, several intermediaries also need to be considered as Co-Accused and brought to book. This would be embarrassing both for the complainant as well as the Government.

If the case is dismissed, then there is a possibility of a backlash, with an accusation of mishandling of the case and possible human rights violation.

Hence some face saving solution which is a Win-Win solution for all could be a good option to consider.

One possible method by which such innovation can be brought into the system would be through a “Compounding Process”, where the complainant and the accused come to a written agreement on the basis of which the Complaint is withdrawn. Probably the Police or the Court can mediate in arriving at a compounding agreement which is acceptable to all.

Hopefully the Abhinav Case becomes a trend setter in this respect and such a compounding arrangement is worked out. Since an FIR has already been lodged in this case, the Court will have to be in the picture for the compounding agreement. In the process it would be better if an SOP (Standard Operating Procedure) were drawn up by the Court and the Police, to be used when required in future, to ensure that the system is not misused.

(Since this is more a matter of Criminal Justice system, I would expect readers to correct if my contentions are incorrect and add their own comments… Naavi)

Naavi

Also Read: Bengaluru Police Smitten by Abhinav’s tech skills

Posted in Cyber Law

Draft Bug Bounty policy for UIDAI

Naavi.org had suggested a model Bug Bounty Policy for Private Sector Companies as part of its Cyber Law Compliance Center (CLCC) Activity. Copy of this policy is available through the menu link CLCC. This was drawn in March 2016 specifically for private sector companies. This could act as a guide to a possible Bug Bounty policy that UIDAI could use.

Now, after the Abhinav Srivastava incident, questions arise on what “Due Diligence” steps UIDAI should take in the light of what has happened. On the one hand, UIDAI may rightly maintain that this is not a case of hacking of the CIDR and therefore there is no vulnerability in the access system. They would be correct in claiming that whatever is considered as an “Unauthorized Access” could have taken place at the level of the e-hospital platform used by one of the e-hospital users. NIC may be the organization responsible for the maintenance of the e-Hospital platform.

At present, the complaint against Mr Abhinav Srivastava has been made by UIDAI, and if the security breach has occurred not at the level of the CIDR, it appears that the complaint should not have been entertained in the first place by the Police. On the other hand, UIDAI could have raised the complaint against NIC or the e-hospital user, stating that they had caused defamation of UIDAI and its security by not following adequate security at their end.

Also, the KUA agreement with UIDAI as well as the checklist for accreditation of KUAs clearly mention that the management of the KUA should give an undertaking to UIDAI that they are compliant with ITA 2000/8. It is however proven that the KUA agencies (Hospital) involved in this case never had a proper Privacy Policy, Terms of Use and Grievance Redressal Mechanism in place. Hence, there was a clear violation of the contractual arrangement and a lack of “Reasonable Security Practice”.

Police cannot however launch any proceedings based on Section 43A of ITA 2000/8, since it is a matter that should be taken up by individual persons who may claim damages on account of the breach, or by the Adjudicator, who has suo moto powers to take up the case on behalf of the public. It is unthinkable that the Adjudicator anywhere in India would take up a complaint against NIC or the Government hospitals using the e-hospital application, since the Government itself is a party to the management or mis-management of the information security practice in these agencies.

Under Section 79 however, if there has been any criminal offence attributable to the intermediary, the crime can be extended to the organization for lack of “Due Diligence”. If therefore it is felt that in the use of the Abhinav App there was some crime committed under ITA 2000/8, then it would have been feasible for the Police to take action against such intermediaries. However, so far the Police have not initiated any action in this direction.

Let us for the time being forget what the Police may do hereafter and focus on how UIDAI should respond now with all the experience they have gained in the incident.

Failure of the Incident Management System

The first observation I would like to record is that UIDAI did not wake up to the presence of an App in the Google PlayStore claiming eKYC through Aadhar until around 80000 downloads had taken place. In fact there were many more such applications in the PlayStore, some of which might have been taken off now. The inability to observe the presence of such Apps can be considered as the “Failure of the Incident Management System” of UIDAI.

Tomorrow, if somebody opens a website www.uidai-kyc.in or uidai-kyc.com (both of which are available for registration), does UIDAI have the measures in place to recognize this and take remedial action?… Probably not.

Hence there is an urgent need for UIDAI to set up policies and procedures to identify such an “Attempt to Impersonate” as a “Techno Legal Cyber Security Incident” as part of its “Due Diligence” practice. It should raise an internal ticket and resolve it at the earliest, documenting the entire resolution and the lessons drawn.
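One way to operationalise the monitoring described above, as an added example that is not from the original post or from UIDAI: a small Python triage script that takes a feed of newly observed domain registrations and app store listings, flags those that impersonate the brand (a brand term in the name, a label within a short edit distance of the official domain, or a non-official publisher advertising KYC), and opens an internal ticket for each, with fields for the documented resolution. The brand terms, official domain, publisher name and both feeds are constructed placeholders, not UIDAI's real inventory.

```python
import re
from dataclasses import dataclass, field

# Assumed brand inventory (placeholders, not UIDAI's real register).
BRAND_TOKENS = {"uidai", "aadhaar", "aadhar"}
OFFICIAL_DOMAINS = {"uidai.gov.in"}
OFFICIAL_PUBLISHERS = {"Unique Identification Authority of India"}
MAX_EDIT_DISTANCE = 2  # how close a look-alike label must be to count

# Suffixes that sit between the registrable label and ".in" (e.g. gov.in).
SECOND_LEVEL = {"gov", "co", "org", "net", "ac", "nic"}


@dataclass
class Ticket:
    """Internal incident ticket for an 'attempt to impersonate'."""
    kind: str                 # "domain" or "app"
    subject: str              # the offending domain or app name
    reasons: list = field(default_factory=list)
    status: str = "open"
    resolution: str = ""      # filled in when the ticket is closed


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """The label a registrant chooses: 'uidai-kyc' in uidai-kyc.in, 'uidai' in uidai.gov.in."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL and parts[-1] == "in":
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def domain_reasons(domain: str) -> list:
    """Why a newly seen domain looks like an impersonation attempt (empty = benign)."""
    domain = domain.lower()
    if domain in OFFICIAL_DOMAINS:
        return []
    label = registrable_label(domain)
    reasons = []
    hits = set(re.split(r"[-_]", label)) & BRAND_TOKENS
    if hits:
        reasons.append(f"brand term {sorted(hits)} used in label")
    for official in OFFICIAL_DOMAINS:
        dist = levenshtein(label, registrable_label(official))
        if 0 < dist <= MAX_EDIT_DISTANCE:
            reasons.append(f"label within edit distance {dist} of {official}")
    return reasons


def app_reasons(name: str, publisher: str) -> list:
    """Why an app store listing looks like an impersonation attempt (empty = benign)."""
    if publisher in OFFICIAL_PUBLISHERS:
        return []
    words = set(re.findall(r"[a-z]+", name.lower()))
    reasons = []
    hits = words & BRAND_TOKENS
    if hits:
        reasons.append(f"app name uses brand term {sorted(hits)} but publisher is '{publisher}'")
        if words & {"kyc", "ekyc"}:
            reasons.append("listing advertises KYC/eKYC capability")
    return reasons


def triage(domains, apps) -> list:
    """Open one ticket per suspicious domain or listing, in feed order."""
    tickets = []
    for d in domains:
        r = domain_reasons(d)
        if r:
            tickets.append(Ticket("domain", d, r))
    for name, publisher in apps:
        r = app_reasons(name, publisher)
        if r:
            tickets.append(Ticket("app", name, r))
    return tickets


def close_ticket(ticket: Ticket, resolution: str) -> Ticket:
    """Record the resolution so the incident is documented, not merely acted upon."""
    ticket.status = "closed"
    ticket.resolution = resolution
    return ticket


# Constructed feeds: what a daily registrations/app-store monitor might hand over.
SAMPLE_DOMAINS = ["uidai-kyc.in", "uidai-kyc.com", "uidal.in", "example.com", "uidai.gov.in"]
SAMPLE_APPS = [
    ("Aadhar e-KYC", "Some Developer"),
    ("Aadhaar Services", "Unique Identification Authority of India"),
    ("Weather Now", "Some Developer"),
]

if __name__ == "__main__":
    for t in triage(SAMPLE_DOMAINS, SAMPLE_APPS):
        print(t.kind, t.subject, "->", "; ".join(t.reasons))
```

Run against the constructed feeds, the script opens four tickets (the two uidai-kyc domains, the look-alike uidal.in, and the third-party "Aadhar e-KYC" listing) and leaves the official domain and the unrelated app alone; the real value lies in feeding it a genuine registration and app-store feed daily and treating each ticket as an incident with a recorded resolution.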

Since such measures do not exist, it is an indication that UIDAI itself is not ITA 2008 compliant and has not taken “Reasonable” measures to prevent the occurrence of Cyber Crimes under different sections of ITA 2000/8.

On September 5, 2009, Naavi.org had published an article titled “Reasonable Security Practices For UID Project: A Draft for Debate Prepared by Naavi”. In the last 8 years, UIDAI and Aadhar have changed their perspective and hence this draft needs revision. But the fact that UIDAI needs to be itself ITA 2000/8 compliant still exists, and such an exercise includes the development of policies and procedures that would identify and mitigate all the risks identified below.

Need for Crowd sourcing Risk identification

UIDAI is a service that would be used by more than a billion people, multiple times during the year. It is a service which will be a prime target of hackers around the world, including Cyber terrorists and enemy nations such as China and Pakistan interested in Cyber warfare.

UIDAI may be capable of taking care of internal server security preventing unauthorized access. We can therefore accept their contention that the UIDAI systems are safe.

However, risks arising from the negligence of Users and Sub Contractors, which may indirectly cause reputation loss to UIDAI and raise National security issues, may not be adequately addressed by UIDAI, as has been well demonstrated in the past.

Despite Naavi.org raising several issues, not only in the Nov 4 2016 article on e-Hospital but also regarding the domain name registration in individual officers’ names and the use of digital certificates of US companies etc., UIDAI has not responded promptly to address the potential risks.

We may therefore consider that the internal Information Security team of UIDAI cannot be expected to mitigate such risks nor even identify them in time.

It is therefore essential that UIDAI responds to the present crisis by inviting well intentioned security professionals who are not on the rolls of UIDAI to be part of the security risk identification infrastructure by starting a “UIDAI-Bug Bounty Program”.

UIDAI as a Protected System

The Need for UIDAI Bug Bounty Program also arises from the fact that UIDAI has been declared as a “Protected System” under Section 70 of ITA 2000/8 though the notification

Government of India has notified through Gazette Notification GSR 993 (E) dated 11th December 2015 that

UIDAI’s Central Identities Data Repository (CIDR) facilities, Information Assets, Logistics
Infrastructure and Dependencies Installed at UIDAI (Unique Identification Authority of India)
locations to be Protected System for the Purpose of Information Technology Act 2000.

Authorised personnel as per Sub-section (2) of Section 70 of IT Act 2000 (amended 2008)
having role based access to UIDAI-CIDR facility are:

1. Designated UIDAI officers & Support Staff.
2. UIDAI authorised team members of contracted Managed Service Provider (MSP).
3. Other authorised third party Vendors and its partners.
4. UIDAI authorised business partners.

Section 70 of the ITA 2000/8 states as under:

Sec 70: Protected system (Amended Vide ITAA-2008)

(1) The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system.

Explanation: For the purposes of this section, “Critical Information Infrastructure” means the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety. (Substituted vide ITAA-2008)

(2) The appropriate Government may, by order in writing, authorize the persons who are authorized to access protected systems notified under sub-section (1)

(3) Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.

(4) The Central Government shall prescribe the information security practices and procedures for such protected system. (Inserted vide ITAA 2008)

It is obvious that the Gazette Notification of 11th December 2015 does not fulfill the requirements of Section 70 in full since it does not provide the details of how this protected system needs to be operated. Merely stating that “Role Based Access” would be provided is grossly inadequate to meet the requirements of Sec 70. It is necessary that detailed information security practices and procedures need to be developed.

Normally we say that the detailed Information Security Policy may not be “Disclosed to Public” for security reasons.

However, in the case of Section 70 systems, since “An Attempt to Access” the system is as much an offence as actual access and could result in imprisonment of up to 10 years, the public has the right to know what would constitute an “Attempt” to access the CIDR systems and who will be considered as “Not Authorized”.

It is our interpretation that persons who are authorized to access these systems should be identified by name and cannot be described as “UIDAI Business Partners” or “Other authorized third party vendors” and its partners or “Designated UIDAI Officers & Support Staff” or “UIDAI authorized team members of contracted Managed Service Providers” or such other general terms.

If and when Abhinav’s case goes to a Court, there will be a discussion on whether UIDAI has clarified on what is “Authorized Access” to UIDAI systems and in the absence of clarity, whether Mr Abhinav can be said to have “Unauthorizedly accessed” the systems.

In view of the need to clarify what constitutes a crime under Section 70 of ITA 2000/8 when somebody accesses the CIDR system, UIDAI needs to define and publish a “Permitted Access System” and also take reasonable precautions at their end to ensure that any attempt to access their systems outside these permitted parameters is blocked by their Firewall and also generates appropriate alerts/Notices to the person who is attempting to access the system outside the permitted procedure.
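As an added illustration, not from the original post or from UIDAI, of what a published “Permitted Access System” looks like once it is enforced in code: a Python policy evaluator that holds a register of authorised principals by name (rather than by category), the channel each may use and the networks each may connect from; blocks anything outside those parameters; sends the requester a notice saying why and pointing to the permitted procedure; and raises an alert once one source keeps attempting access outside the procedure. The principal names, roles, networks, channels and logged attempts are all constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed register of authorised persons, by name rather than by category
# (placeholders, not UIDAI's real register). Each entry states the channel the
# principal may use and the networks it may connect from.
PERMITTED = {
    "officer-001": {
        "role": "Designated UIDAI officer",
        "channels": {"admin-console"},
        "networks": ["10.10.0.0/16"],
    },
    "msp-team-017": {
        "role": "MSP team member",
        "channels": {"ops-api"},
        "networks": ["10.20.5.0/24"],
    },
    "kua-hospital-042": {
        "role": "Authorised business partner (KUA)",
        "channels": {"ekyc-api"},
        "networks": ["203.0.113.0/24"],
    },
}

ALERT_THRESHOLD = 3  # blocked attempts from one source before an alert is raised


def evaluate(attempt: dict) -> tuple:
    """Return ("allow", None) or ("block", reason) for one access attempt."""
    who = attempt["principal"]
    entry = PERMITTED.get(who)
    if entry is None:
        return "block", f"'{who}' is not on the published register of authorised persons"
    if attempt["channel"] not in entry["channels"]:
        return "block", f"channel '{attempt['channel']}' is not permitted for {entry['role']}"
    src = ipaddress.ip_address(attempt["src_ip"])
    if not any(src in ipaddress.ip_network(net) for net in entry["networks"]):
        return "block", f"source {src} is outside the permitted networks for '{who}'"
    return "allow", None


def process(attempts: list) -> tuple:
    """Evaluate attempts in order; return (decisions, alerts, notices)."""
    decisions, alerts, notices = [], [], []
    blocked_by_source = Counter()
    for a in attempts:
        verdict, reason = evaluate(a)
        decisions.append((a["id"], verdict))
        if verdict != "block":
            continue
        # Notice to the requester: what was refused and where the permitted procedure is.
        notices.append({
            "attempt": a["id"],
            "to": a["src_ip"],
            "text": f"Request refused: {reason}. Access is limited to the persons and "
                    "procedure published in the permitted-access policy.",
        })
        # Escalate once the same source has repeatedly tried outside the procedure.
        blocked_by_source[a["src_ip"]] += 1
        if blocked_by_source[a["src_ip"]] == ALERT_THRESHOLD:
            alerts.append({
                "src_ip": a["src_ip"],
                "blocked_attempts": ALERT_THRESHOLD,
                "severity": "high",
                "note": "repeated attempts outside the permitted procedure",
            })
    return decisions, alerts, notices


# Constructed attempts, as a firewall or API gateway might log them.
SAMPLE_ATTEMPTS = [
    {"id": 1, "principal": "officer-001", "channel": "admin-console", "src_ip": "10.10.3.4"},
    {"id": 2, "principal": "kua-hospital-042", "channel": "ekyc-api", "src_ip": "203.0.113.9"},
    {"id": 3, "principal": "kua-hospital-042", "channel": "ekyc-api", "src_ip": "198.51.100.7"},
    {"id": 4, "principal": "msp-team-017", "channel": "admin-console", "src_ip": "10.20.5.8"},
    {"id": 5, "principal": "unknown-app", "channel": "ekyc-api", "src_ip": "198.51.100.7"},
    {"id": 6, "principal": "unknown-app", "channel": "ekyc-api", "src_ip": "198.51.100.7"},
]

if __name__ == "__main__":
    decisions, alerts, notices = process(SAMPLE_ATTEMPTS)
    for d in decisions:
        print(d)
    print("alerts:", alerts)
```

On the constructed log, attempts 1 and 2 are allowed, attempt 3 is blocked because the named partner connects from outside its permitted network, attempt 4 because the MSP member uses a channel its role does not permit, and attempts 5 and 6 because the principal is not on the register at all; the third block from 198.51.100.7 raises the alert. The point is that every refusal is explained against a published rule, which is what gives the “attempt to access” offence a definite meaning.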

The website www.uidai.gov.in declares certain website policies which relate only to visits to the UIDAI website, and even in that respect they are not fully adequate. They do not say anything about access to the CIDR systems. This needs to be corrected.

In view of the above, a properly structured Bug Bounty Policy can be a good tool not only to crowd source the skills of security professionals to harden the security around UIDAI but also to provide clarity on the access rules under Section 70 of ITA 2000/8.

Essential Features of UIDAI Bug Bounty Program

The Model Bug Bounty Policy for Private Sector published by the CLCC provides a general template under which the UIDAI-Bug Bounty Policy needs to be developed.

It would be inappropriate for me to try and draft a final policy for UIDAI on this website, since UIDAI is supposed to have more intelligent and better informed persons at its disposal who can do a better job. I therefore would not attempt such an exercise.

However, some points that need to be made are:

  1. In the “Objective Clause” the fact that UIDAI system is a Section 70 declared “Protected System” must be included.
  2. The policy should be prominently shown on the UIDAI website.
  3. Alerts are to be shown when a visitor tries to get any information from the website including getting his own Aadhar data.
  4. The names of authorized persons who have the access rights are to be displayed on the website.
  5. Restricted procedure on how the authorized persons can access the systems should also be displayed. (This does not need disclosure of the detailed information security policy that would reveal the network details etc).
  6. The definition of “Bug” for the “Bug Bounty” purpose should be defined to include all possible means by which the system could be compromised and data accessed except as provided under Section 70 notification.
  7. Being a Bug Bounty program for a “Protected System” where “An attempt to access” can be a crime, it is necessary that any person who would like to check for a “Bug” needs to be first “Registered” as a “Prospective Bug Bounty Hunter”. The registration has to be with UIDAI and obviously with an “Aadhar KYC”. The permission may be restricted to Indian nationals and could be denied on the basis of a background check which the UIDAI can undertake before granting the permission.
  8. Any activity of the Bug Bounty Hunter before he obtains the permission could be treated as an unauthorized attempt to access, and UIDAI may reserve its right to take action, though they can use their discretion in this regard.
  9. The critical aspect of the program would be how the Bug Bounty Committee would be constituted. Given the fact that the receiver of the Bug report can turn around and charge the reporter with a Crime, the reporting has to be treated like “Whistle Blowing”. The Committee therefore cannot be a committee of the CEO/CTO of UIDAI. It has to be a committee of “Respected Members of the community” who anonymize the registrant and also scrutinize the bug without any pre-conceived notions and egos. Only after the bug is accepted by UIDAI management may the committee reveal the identity of the bug reporter, at his option. The committee members should provide the confidence to the public that an honest good faith report, even if it is incorrect, would not be considered as malicious and would not be proceeded against for punishment.
  10. The Bug itself may never be publicized in detail, so that UIDAI may retain its reputation and not be open to the charge that several bugs were found to be present. All professionals know that just as there can be no 100% information security, there may not be 100% bug free software service. Hence, mere identification of bugs is not to be considered as a loss of reputation of the IS/IT team of UIDAI. Some politicians, particularly in the opposition, may not understand this and pass criticisms, but such criticisms should be ignored.

Wise men say

“The Greatness of a person is not that he has never fallen down, but it is how gracefully he gets up”.

This applies to UIDAI after the recent spate of media exposures about the so called “Aadhar Data Breach”. It is now in the hands of UIDAI to show whether it is a great institution and gets up gracefully, or acts mean and crucifies Bug finders.

Naavi

Also Read: The National ID Card Challenge for Nandan Nilekani.. Part I: Part II

Posted in Cyber Law

UIDAI should introduce a Bug Bounty Program forthwith.. if it is serious about security

“Security is going to be a Concern” for Aadhar, says Mr Nandan Nilekani, the architect of the system.

Though it has always been a concern for most Information Security observers, it is good that persons close to the project are now also realizing that the red flags raised by security observers were not because they were opponents of the scheme, but because they genuinely believed that there was a security issue which was being ignored and brushed under the carpet by UIDAI all along.

Thanks to Mr Abhinav Srivastava, realization has at last come to the UIDAI managers that there is an issue. This is good because “Awareness” is the first step in Information Security implementation. Naavi’s theory of Information Security management identifies “Acceptance” as the second most important aspect of implementation. Mr Nandan’s statement indicates that UIDAI may be in the process of accepting that a Risk exists and it needs to be mitigated. This is a positive development that we need to welcome. Other elements such as “Mitigation through tools that are made available” and “Sanctions and Incentives” need to be combined to ensure that Information security finally becomes a part of the UIDAI structure.

One can always say that the “Internet” itself was never designed for secure communication, and if it is today used for all E Commerce and E Governance, it is an ambitious over reach made to work with tools such as encryption. It is therefore not surprising that Cyber Security has become a problem that all of us are worried about. Similarly, the Aadhar system was not created for all the uses that it is presently being put to, and the problem actually arises from this aspect.

For example, initially when Mr Nandan designed the system he was very clear that there would be this CIDR server which would receive a structured query from anywhere on the Internet but would give out only a binary reply, by just picking up the data input and checking it with the database to say either “Yes” or “No”. The Aadhar number was to be kept confidential by the Aadhar owner, and the verification was always to be done with a biometric input plus one of the several parameters associated with the database, on which the “Yes” or “No” reply would be given.

Today the system is used in a completely different manner. Firstly, the Aadhar data is printed out and handed over to many KYC users, and several copies are floating around at Gas agencies, Banks etc. During the demonetization days, Banks collected Aadhar particulars for deposit of old currency, and most of the Bankers have collected photocopies of the Aadhar data. Similarly, the PDS department and Mobile Operators might have collected Aadhar photocopies multiple times. I am sure that many hotels have also collected photocopies for identifying residents when they check in.

Most of the data leaks that the Press is now reporting are from such users of Aadhar information, particularly when they put out the data on the Internet as part of their information dissemination to the public about their activities (eg: release of scholarships etc).

The e-KYC process as designed envisages that the KUAs (KYC User Agencies) are empowered to get the biometric and the Aadhar number and send it to UIDAI for e-KYC. In this process, instead of simply getting the confirmation for individual data elements from UIDAI, the API is designed to extract the data from the CIDR and populate the form at the user end.

In the e-sign process, which is the higher end of e-KYC, the application form to be sent to the Certifying Authority for issue of a Digital Certificate is populated with the data drawn from the CIDR by the API and sent over the internet to the Certifying Authority as an application that is not digitally signed.

Using this “Undigitally signed Application”, the Certifying Authority issues an E-Sign Certificate which is then used to sign the application by the customer of the KUA to deliver any service. It can also be used for signing any contractual document on the web.

Such certificates are being used by Share brokers as well as many websites to e-sign documents on the web for contractual purposes.

How can an e-Signature certificate be issued against an “Unsigned Application from the subscriber”?… is something I have not been able to fully understand till date. But this is the process which the CCA has approved, and like the “Telgi Stamp Papers”, all such e-signature certificates are considered valid because the CCA has not found a better way of handling the problem of authentication before issue of the digital certificate.

Since in the process the entire Aadhar information gets printed out at the user level, each time an Aadhar user uses the e-KYC process, the data gets printed out at the service provider’s end.

In the e-hospital application, there is no need for the presence of the Aadhar user in front of the service provider for requesting the Aadhar information, and no biometric is provided. The query is raised simply on the basis of the Aadhar number and acted upon with OTP verification, as if OTP is as good as “Biometric”. This is a much weaker process than the e-sign process.

It is therefore possible to create a script that can be used in an App and offered to Aadhar owners to fetch the data as and when required from the CIDR. This is what Abhinav did, and he called the App the “E-KYC” App. Using this App, any owner of Aadhar could fetch the demographic data by just raising a query on the App and providing the OTP. Since in most Apps the OTP is automatically read by the App, it does not require any other affirmative confirmation from the Aadhar owner to fetch the data. Merely invoking the App on the mobile and entering the Aadhar number with a click on the “Submit Request” button is sufficient for the data to be made available to him on the mobile or in his e-mail box.

While in the case of Abhinav the Police are trying to fix him under some sections of ITA 2000 or IPC or the Aadhar Act so that he can be jailed as long as possible to create a deterrent, there are many other web based and non web based applications with lakhs of service providers through which a query can be raised for Aadhar information and the results can be printed out.

When the AEPS (Aadhar Enabled Payment System) comes into use, lakhs of merchants, including the neighborhood grocery shop owner, will have a Chinese made biometric device connected to a billing software which makes a query to the CIDR for each payment and populates the bill. Any local script kiddie can write a script to extract the demographic data of the AEPS user and give it out as an “E-KYC” document, though this does not use the e-Sign system.

Then there will not be one single e-Hospital that can be used by one Abhinav Srivastava but many more channels of accessing the CIDR and many more Abhinav Srivastavas.

How will UIDAI propose to secure such a system?… nobody seems to have an idea.

After the Abhinav case, I came across one anonymous security professional who said that he has identified a vulnerability which he wants to report to UIDAI, but does not know whether any such report would immediately be latched upon by UIDAI to file a criminal case against him, like what happened to Abhinav.

He does not even trust reporting to CERT-IN, because the Abhinav arrest has created a “Chilling Effect” amongst security professionals to such an extent that they are not going to share any vulnerabilities they may find in Aadhar with either the Aadhar authorities or CERT-IN.

This only means that even identified vulnerabilities will go underground, and some time later, when a black hat hacker finds them out, there will be an attack which could result in greater damage and greater embarrassment.

It is therefore an urgent necessity that UIDAI announces a “Bug Bounty” program and invites “Ethical hackers” to report any observed vulnerabilities. Whether they provide any reward, or whether the reward will be good, is secondary.

Naavi has been advocating that “Bug Bounty” programs should be made mandatory in law for all software developers as a part of Reasonable information security practice and Due diligence under ITA 2000/8, and here is an opportunity for UIDAI to show the community that it is really concerned about setting things right by being the first Government agency to introduce a Bug Bounty Program.

I call upon Mr Modi to immediately advise UIDAI to introduce an effective Bug Bounty program which will provide a proper platform for reporting vulnerabilities observed by “Security Professionals”, with or without financial incentives.

I also call upon Mr Nandan Nilekani to take up the issue with Mr Modi and UIDAI since his word still carries a very high value with UIDAI as well as Mr Modi himself.

Naavi

Also see:

Three Plus One Dimension of Information Security Management

Bug Bounty Program from Government is required

Posted in Cyber Law

How will Abhinav case proceed against a “Zero Loss” claim?

Today’s Deccan Herald reports that the Abhinav Srivastava case may result only in a fine and not in imprisonment, as per sources inside the Police. It says “IITian may walk free as he only developed ‘innocuous app’”, making everyone sit up and wonder what is happening.

If this is true, then did all the media make a hue and cry about nothing? Or is it possible that there is some confusion within Police circles themselves about how to proceed with the case?

For the time being I rule out the possibility of the media being used by the Police to plant stories so that some information can be elicited from the public which would make it possible for them to correct the mistakes in the way the complaint is being handled at present. This is a strategy often used by the Police in other criminal investigations.

Probably the media is also confused about the nature of the incident: whether it is a crime at all; if so, whether it is a civil wrong or a criminal offence; whether it should be the Adjudicator who leads the investigation or the Police; etc.

Yesterday, we accessed a copy of the FIR filed by the High Grounds Police Station. This was dated 26/07/2017 and records crime number 0130/2017. It is based on a complaint filed by one Mr Ashok Lenin, whose address is given as the address of UIDAI at Khanija Bhavan, Race Course Road, Bangalore.

The details given of the complaint in the FIR are sketchy and indicate in summary that

“one Mr Abhinav Srivastava using a company by name Qarth Technologies Private Limited created a Playstore App and through it misused the information in Adhaar website and was giving it out as e-kyc in association with some unknown person and thereby is creating leakage of Adhaar data.”

The FIR was registered under Sec 65/66 of ITA 2000 and Sections 34, 120B, 471 and 468 of IPC. While the complainant seems to have indicated that Sections 37 and 38 of the Aadhar Act have been contravened, the FIR itself does not include these sections. The FIR has been submitted at the 8th Addl CMM Court, Nrupathunga Road, Bangalore.

However, after this was published on the website of naavi.org, information was received that this FIR is no longer valid, since a new FIR has been filed by the Cyber Crime PS after the case was transferred to them. Since the ksp.gov.in website does not list the Cyber Crime Police Station and its FIRs, the new FIR filed by the Cyber Crime PS is presently not available with us. We can neither confirm nor deny whether the new FIR exists, and if so, whether any change has been made to the FIR of High Grounds PS or will be made in future after another round of investigation.

While investigations will be continued by the Cyber Crime PS and appropriate action will be initiated, from the academic perspective some points come for discussion.

The complaint was filed by a person who is an official of UIDAI. According to the Aadhar Act, complaints under the Act can only be taken note of if filed by UIDAI or by an official under its authority. The FIR does not indicate that the complaint was made by Mr Lenin along with a letter of authority signed by the CEO of UIDAI. So whether it was a personal complaint or a complaint under the Aadhar Act needs to be ascertained. Probably a letter from UIDAI, either from the CEO or through a resolution of the Board, is required to be filed by whosoever signs the complaint and submits it to the Police. Without this, the FIR/Chargesheet could be considered invalid.

Further, UIDAI has made a public statement through the CEO, Ajay Bhushan Pandey, himself stating:

“No one could get data of any other person through this app. Even though residents were downloading their own demographic data such as name, address etc., yet legal actions were initiated against the owner of the app since it was not authorised to provide such services to people and such acts are criminal offence punishable action as per Aadhaar Act, 2016. It is further reiterated that data of not even a single non-consenting resident has been given by UIDAI through this app.”

Once UIDAI confirmed that there was “no unauthorized data access”, it was clear that the foundation of the complaint itself had become hollow. From the revelations made by Mr Abhinav Srivastava, it was clear that the App would access other websites where there was no restriction on accessing the “Appointment Request through e-hospital app” and place a request along with the Aadhar number. This would generate an OTP to the Aadhar owner and, once it was provided, some demographic data would get displayed on the website, which could then be parsed, filtered and presented in a user-friendly format.

The App was actually being used by the Aadhar owner himself, and hence it was an authorized Aadhar user who was actually using a tool developed by Mr Abhinav and downloading his own data instead of going to the Aadhar website himself and downloading the information.

(P.S.: This is based on the information now available, unless the Police unearth any other way in which Mr Abhinav was collecting the data for use at his end.)

In this process, it was clear that the very basis of the complaint, that there was “Unauthorized Access”, was perhaps incorrect. Hence the complaint was filed on a wrong understanding of what had happened. Because the complaint had been made by UIDAI, it was immediately acted upon by the Police. While registration of the complaint was fine, the need for an immediate arrest and the inclusion of clauses from IPC such as 468 and 471 was perhaps unwarranted. An FIR under Section 66 of ITA 2000/8 with bail at the station would have been a reasonable response from the Police, had they not been pushed by some panic-stricken UIDAI official into believing that some national calamity had happened.

Now we understand that the total commercial benefit that the person gained was around Rs 40000/- from advertisements running on the App, and not from selling unauthorizedly accessed data. This also is insignificant for any serious commercial gain case to be made out.

The Complaint said “Some unknown person” collaborated with Mr Abhinav. But who was this “Unknown person”? Is it the Hospital? Is it the NIC? Is it the Google Ad supplier? Is it the persons who downloaded the App? Or is it the company Qarth Technologies, which is a subsidiary of Ola Cabs (ANI Technologies Ltd)? It appeared that this “Unknown Person” was added only to ensure that Section 120B could be added and a “Conspiracy” could be brought in.

When the case was transferred to the Cyber Crime Police Station, we can expect that they identified that the FIR was not properly filed and that, without the case also being filed against the e-Hospital website and/or NIC as the e-Hospital platform owner, the complaint only against Abhinav would be difficult to sustain. They would also have pointed out that if UIDAI maintains that “There is no data loss, No data Breach” etc., then the Courts may frown at the Police for registering a case against a “Zero Loss” incident.

It is also relevant to note that information was available in the public domain through an article on www.naavi.org, which was a reasonable notice of such an incident occurring several months ago. This article was titled “Online Registration System for Indian Hospitals.. No Privacy Policy?” and was published on 4th November 2016. On the same day, I had sent an e-mail to info@nimhans.kar.nic.in and ms@nimhans.ac.in drawing their attention to the article and expecting them to check with their Information Security department on the issues raised. The article focussed on the lack of a “Privacy Policy”, but any Information Security professional in, say, NIC would have understood that the application enables dispensation of Aadhar information without the information seeker committing himself to any terms of use or NIMHANS protecting itself with a privacy policy/privacy statement.

Though everybody in the information security loop had notice through this published article nearly 9 months ago, nobody seems to have had the intelligence to recognize that there was a vulnerability in the system which could create a risk.

If the Police now try to pursue the case, there will definitely be a question of the “Lack of Due Diligence” by the Hospital site/s which were accessed by the Abhinav App and, in the absence of any “Terms of use”, of how it can be considered a criminal offence that Mr Abhinav created an app to help Aadhar owners access their personal data through the use of these websites.

We can question whether Mr Abhinav was also unaware of Cyber Law Compliance, as otherwise he should have sensed that he needed to seek some kind of permission to use the hospital app for a purpose other than seeking an appointment, for which it was primarily meant.

But if the hospitals as organizations, NIC as an institution and UIDAI as a National Critical Infrastructure, with the nation’s best security officials in their roles, did not recognize any threat, nor had the system to monitor such articles (which can be tracked simply with a Google Alert on the names UIDAI, e-Hospital, NIMHANS etc.), then how can an individual like Abhinav be expected to be more resourceful? That could be his defence.

If the Police pursue their case against the intermediaries such as the hospitals and NIC and ask them questions on “Lack of Due Diligence” or “Negligence”, there will be embarrassment for these organizations. At the same time, without UIDAI admitting that there was some kind of a breach, it is difficult to question any downstream user, including NIC, the Hospitals or Abhinav.

If the Police try to pursue the case only against Abhinav and do not open the Pandora’s box of “Due Diligence by Intermediaries”, then obviously there will be a charge of unfair targeting of the individual in a discriminatory manner, which would be an embarrassment for the Police itself.

If the case needs to be pursued, therefore, UIDAI should first admit that there has been a “Security Breach”, with or without a “Data Breach”.

If not, they should withdraw their complaint, and a fresh complaint would have to be filed by all the hospitals whose platforms were used by the Abhinav App on different occasions, stating that their platform was not meant for the public to use as an Aadhar information extraction device, even for their own data. But then they will have to answer why they could not say so on their website in the form of a terms of use or privacy policy document. Will they admit that all these organizations do not know the basics of the Section 79 requirement of ITA 2000? Their pride will not allow them to admit it.

Hence they may not be interested in filing a complaint.

If UIDAI withdraws its complaint and nobody else is prepared to register a complaint, what action can the Police take? They also would perhaps not be interested in inventing some reason to keep the case going, since anyway at some point of time in future it may be dismissed by some Court, perhaps with some strictures.

In the light of the above, I am not surprised at the indication in the Deccan Herald report that the complaint would be reduced to a non-criminal violation. It may be diluted further and even be dropped altogether.

We need to wait and watch…

Naavi


Ignorance Kills Career of a Promising Techie.. Will it affect Ola Cabs also?

Irrespective of what happens later in the complaint of UIDAI against Mr Abhinav Srivastava, a software engineer working at Ola Cabs (ANI Technologies Pvt Ltd), the fact is that he has now been booked as a “Prime Accused” in a “Conspiracy” which resulted in the theft of 40000 aadhar records and has been remanded for custody by a magistrate recognizing the prima facie commission of offence. This remains a stigma in his career and would hurt him throughout his life.

The offences, according to the media reports, have been alleged under two sections of the Aadhar Act (Sections 37, 38), two sections of ITA 2000/8 (Sections 65/66) and three sections of IPC (Sections 120B, 468 and 271). Cumulatively, the total imprisonment under these 7 sections could be 19 years and 6 months, with a maximum sentence of 7 years under Section 468 of IPC.

In view of Section 468, he could not get immediate bail, and we need to see whether he would get bail when the matter comes up for hearing in the Court after the remand ends. It all depends on whether the complainant UIDAI, and the Prosecution on their behalf, oppose the bail or not.

Some of the criminal cases booked under ITA 2000 around the year 2000 and later are still pending in courts in Karnataka, and hence it should take at least 5 to 6 years (if not more) for this case to be decided one way or the other. If convicted, he may get a minimum of 3 years imprisonment.

Even if the person gets acquitted, it will not help him to resurrect his career since he will be unemployable by any organized sector companies.

Mr Abhinav’s LinkedIn profile says:

“High impact software engineer with strong zeal for innovation and entrepreneurship. Self-driven individual passionate for solving challenging technology problems in corporate or individual context. Successful track record of building complex multi-tiered distributed systems from concept to launch. Expertise in web application security, cutting edge cloud and mobile technologies and front end development.”

I hope he does not get frustrated and develop negative thoughts about using his technical skills because of this experience, and that he comes out of it stronger while maintaining an ethical balance of mind.

So, with this complaint of UIDAI (which they may later withdraw, since they now say that there is no “Breach” or “Data Loss”) and the enthusiastic response of the Police in hoisting sections from all known laws to get Mr Abhinav arrested, the official career of one of our promising software engineers can be considered over.

Ola will also have to find a replacement and deal with the shock and demoralizing impact it will leave on its entire technical team… unless their stars are bad, in which case the impact could be more adverse.

It may be noted that the company Qarth Technologies Pvt Ltd, which is also the co-accused in this case, is reported to have been acquired by Ola and is therefore a subsidiary company under the management of Ola. If this company is now accused of offences, then by virtue of the operation of Section 85 of ITA 2000/8, it would be natural for the offence to be escalated to the “Persons in charge of Business”, including the “CEO” and “Directors” of the “Company”. The “Company” in this case is hopefully only “Qarth Technologies” and does not extend to the holding company “ANI Technologies Pvt Ltd”.

Qarth Technologies Pvt Ltd was acquired by Ola in March 2016, and the Ola Money application is the result of this acquisition. It is an important component of Ola which has added value to ANI Technologies Ltd from the investor’s perspective. In the process, the co-founders of Qarth, Abhinav Srivastava and Prerit Srivatsava, both IITians from Kharagpur, joined Ola. It is perhaps a relief to note that they might not have joined the Board of ANI Technologies, which should be a blessing in disguise now. It is also interesting to note that the Board of ANI Technologies has, among others, a familiar name: “Avnish Bajaj”. (I suppose he is the same Avnish Bajaj who was once the CEO of bazee.com and was haunted by another IIT Kharagpur student in the infamous DPS video case.) Hence the Board must have adequate exposure and experience of the consequences of “Non Compliance of ITA 2000/8”, and this should come in handy now.

If, however, the Directors of ANI Technologies are considered the ultimate bosses of Abhinav Srivastava, there is a possibility that the Police may extend the case to Ola as the “owner of Qarth”. In that case there would be a serious erosion of the value of Ola in the VC market.

I suppose Qarth Technologies has been made the co-accused because the ad revenues arising out of the Abhinav App must have been received and used through an Ola Money account. Abhinav would be one of the customers of Ola Money, and Ola Money (Qarth) would perhaps be accused of not following “Due Diligence”, just as baazee.com was accused of lack of due diligence in the DPS-MMS case, where Mr Ravi Raj, a student of IIT Kharagpur, used bazee.com as a platform to sell an obscene video.

The indications are therefore that this case may become one of the landmark cases in Cyber Crime investigation and prosecution, in which UIDAI, NIC and the Government hospitals will defend their right to follow discretionary security practice while private sector companies like Ola and Qarth, along with their employees, will be expected to follow strict levels of “Due Diligence”.

However, for those who have heard me speaking on “Cyber Law Compliance”, either at Engineering Colleges or in Companies, this experience of Mr Abhinav is precisely what I have stressed time and again as a possibility if techies do not understand the law and learn to be compliant.

I would have also given the example of the IRCTC hack, in which a Satyam senior executive would have faced a fate similar to Abhinav’s but escaped, since he responded to the alert sent from my end and fortified by a TOI journalist from Chennai. I would have also given the example of another senior techie from Chennai who could have got entangled in the Trisha Video case had he not been Cyber Law aware.

Many of the organizations in which I have tried to get ITA 2008 compliance program going might not have become fully compliant but the employees who have heard me would not have missed the examples of people in high places who have lost their career because they transgressed law out of ignorance (not out of malicious intentions).

I suppose that this awareness would have saved a few careers, though it could not help Abhinav, since Ola, like many start-ups, perhaps did not consider “Cyber Law Compliance” as part of its Information Security requirements. There are many more such organizations all over the country, and we will have many more Abhinavs also.

However, a “Wise man always learns from others’ mistakes”, and Abhinav’s mistake should be a lesson for all techies on what they should not do. It is also the responsibility of all HR professionals and Corporate CEOs and Directors to ensure that “ITA 2008 compliance” is part of their corporate Governance policy at the Board level.

There is a proverb in Kannada, “KambaLinOnige hodedare, shalinOnu echchettugonDa” (ಕಂಬಳಿನೋನಿಗೆ ಹೊಡೆದರೆ, ಶಾಲಿನೋನು ಎಚ್ಚೆತ್ತುಗೊಂಡ), meaning: if the person in a rug is hit, the person in a shawl wakes up.

Accordingly, seeing the plight of Abhinav Srivastava and Ola, it is expected that other IT employees and Companies would now realize the importance of understanding the likely impact of ITA 2008 ignorance and non-compliance on their business. Just as the Bazee.com incident created a high level of awareness around 2004 in Delhi, the Abhinav incident is likely to create a new sense of awareness in Bangalore.

This is unfortunate, and perhaps a cynical view, but it could still be the positive impact of the incident for which Mr Abhinav has sacrificed his career.

Whenever I write about the Suhas Katti case, in which I was part of the Police team in getting the person prosecuted in the “First Prosecution in India under ITA 2008”, and I as well as others keep quoting this as a historical case, I also feel discomfort that the poor Suhas Katti must be turning in his chair and wishing that he would be forgotten. However, since the “Right to be Forgotten” is not a recognized right in India, the only option for him is to change his name and identity rather than expect the history of Cyber Crime in India to be rewritten by erasing his name.

Similarly, Abhinav would also wish that his name does not become a liability for himself (in future) and for others in the IT job market. Unfortunately, it is in the public space now and nothing can be done to protect the Privacy of the accused. My sincere apologies to him for making his name a centre of public debate. But I hope this debate would save many other techies from a similar plight.

Naavi

7th August 2017, 19.00 hrs, P.S.: I have just accessed the FIR copy and would like to make a correction in the sections used in the case. As against the earlier Asianet report, on the basis of which the sections were indicated in the above article, the FIR now indicates the following sections: Sections 65 and 66 of ITA 2000, and Sections 34, 120B, 471 and 468 of IPC. The complaint has been made by UIDAI, but the sections of the Aadhar Act seem to have been removed. Some of the comments made in the article therefore stand corrected.

The earlier report of the sections used was based on a news report in Asianet News.

Naavi

Justice Srikrishna Committee on Arbitration submits its report

India has been taking significant strides in popularizing Alternate Dispute Resolution mechanisms such as Arbitration and Mediation because of the special interest shown by the Modi Government. On 31st December 2015, the Indian Arbitration and Conciliation Act 1996 was comprehensively amended (w.e.f. 23rd October 2015), which brought in significant changes to the system as it had been prevailing in India. (Check for details at Naavi’s ADR Knowledge Center.) The changes were aimed at reducing delays in the arbitration process, bringing in a higher level of discipline among Arbitrators, reducing the cost and also encouraging the use of electronic documents in the conduct of ADR.

On January 13, 2017, the Department of Legal Affairs, Ministry of Law and Justice formally constituted a ten-member High Level Committee under the chairmanship of retired Judge of the Supreme Court, Justice B.N. Srikrishna.

The committee was to look into various factors to accelerate the arbitration mechanism and strengthen the arbitration ecosystem in the country, as well as to examine specific issues and draw up the roadmap required to make “India a robust centre for international and domestic arbitration”. In particular, the committee was required to suggest measures for the institutionalization of the arbitration mechanism, national and international, in India so as to make India a hub of international commercial arbitration.

After considering the views of existing arbitral institutions in March 2017, the Committee has now come up with its recommendations, which were released by the Honourable Minister Ravi Shankar Prasad today.

The detailed report is yet to be made available for discussion. However, as per the press reports, the following recommendations have been made by the committee:

  • Setting up of an autonomous body, styled the Arbitration Promotion Council of India (APCI), which would recognize institutes providing accreditation to arbitrators and hold training workshops for advocates.
  • Creation of a specialist Arbitration Bench to deal with commercial disputes. Judges hearing such matters should be provided with periodic refresher courses in arbitration law and practice.
  • Creation of a specialist Arbitration Bar by encouraging the establishment of fora of young arbitration practitioners.
  • Changes in various provisions of the 2015 Amendments to the Arbitration and Conciliation Act to make arbitration speedier and more efficacious.
  • Declaring the International Centre for Alternate Dispute Resolution (ICADR) an institute of National Importance and takeover of the institution by statute.
  • Creation of the post of an ‘International Law Adviser’, who shall advise the Government and coordinate dispute resolution strategy for the Government in disputes arising out of its international law obligations, particularly those arising out of bilateral investment treaties (BIT).
  • Permission for foreign lawyers to represent clients in international arbitrations held in India, and promoting India as a venue by easing restrictions related to immigration, tax etc.
  • Promotion of ADR mechanisms, including provision of mediation facilities by arbitral institutions, and considering separate legislation governing mediation.

The changes proposed are of far-reaching effect and require to be closely followed.

We shall await the availability of the detailed report to comment on specific parts of the recommendations in due course.

Naavi
