Cashless Economy …Disruption Without Destruction

On the historic “GST day” when a One Nation-One Tax system went on stream, a day-long conference was held in Chennai about “Cash Less Economy”. Organized by InternetTechies Solutions Private Limited, the program at ITC Chola Grand discussed several interesting aspects of the emerging Cashless society in India.

One of the topics of discussion was the evolution of Cyber Laws in India and how it impacts the new digital system where “Cash” is being digitized in various forms of digital instruments.

Speaking on the subject, Naavi underscored the different perspectives of the principal stakeholders of the Cashless Economy, such as the Technologists, the Businessmen and the Regulators, a part of which is captured below.

Disruption Without Destruction

While Technologists with their passion for innovation take pride in “Causing Disruption” in the society with their innovative transformation ideas, Businessmen look for profits at every corner, including cutting the corner for an additional rupee of profit. Regulators on the other hand work with less than complete understanding of technology and are often honey trapped by technologists and business entities into taking decisions which are sub-optimal.

In this context it is a challenge to find a balanced path of growth where innovation towards a disruptive solution that shakes up the society into progress is brought in without causing destruction of those who use the very system which we want to take on the path of progress.

A typical example is the push for acceptance of Crypto Coins such as Bitcoin as a “Legally Recognized Digital Currency”, which may be a disruptive innovation that can transform the way we look at currency but may in the process make our Banking system redundant and thereby destroy the edifice of the economy.

Hence at every step towards implementation of the concept of Cashless economy, there is a need to watch if the risks are properly covered. The objective is not to reject technical progress but ensure that the security of the users is always at the center of adoption of any innovation.

With the trend in the Digital Cash system in India converging on the NPCI platform as a common gateway for different Bank and Card Accounts, the convergence of authentication on the Aadhar platform, and now the convergence of all trade transactions on the GST platform, there is more convenience in the cash less society.

However, along with this convenience comes a “Unification of Risks”. If there is a single vulnerability somewhere in the system, it can have a highly disruptive effect, causing widespread destruction.

It may be recalled that the Petya Ransomware spread across Ukraine like wildfire through a widely used tax related software, and a similar happening in India cannot be ruled out.

In the context of the Risks that can be exploited by criminals, it is necessary to look at how the Indian Cyber Laws address the responsibility of protecting the consumers.

It must also be realized that law may identify two types of Digital Cash namely “Digitization of the current currency/money holdings which a citizen may deposit and hold in the form of balances in the Bank” and the creation of new “Digital Currency” of the BitCoin type.

The two, namely the “Digitization of Existing Currency” and “Creating Digital Currency”, are not the same either for regulatory purposes or for the impact they may leave on the economy. The Digitization of money in the banking system is achieved through E-Banking and M-Banking, where digital modes are used as “Channels of Communication with the Banks”. The extensions such as the ATM, the Cards or Mobile Wallets are also normal Banking transactions executed with different digital tools. From the legal perspective this “Digitized Banking” is governed by the legacy laws of Banking superimposed with a law such as the Information Technology Act (ITA 2000), which builds a bridge between the existing laws and the electronic way of using money.

On the other hand the Bitcoin type of Digital Currency is a system which may be outside the purview of the definition of Currency under the RBI Act and does not come under the provisions of the existing legal framework.

What may not be within the framework of law may also be outside the purview of law. Sometimes, such things may be neither within the law nor outside but may fall in the grey area in between. In such a situation, some people start exploiting the opportunities until one day the matter is pushed either inside or outside the legal framework by clarity dawning on the community.

But when the legal framework is unclear, which side to err on is a matter of “Risk Perception and Risk Management Attitude” of a subject. People with an unethical mind (as also the criminals) will jump at the opportunity and try to make hay while the sun shines, while conservative people stick to ethics and avoid doing what is not clearly legal.

Some of the people who make gains today may lose out if the law changes and regret their decision in future. Alternatively, if they are smart (and also lucky), they may get out in time with profits but not without trapping others. It is for this reason that our MP Mr Kirit Somaiah called Bitcoin a “Ponzi Scheme” and he was not off the mark.

Under existing law in India, Bitcoin is not a “Currency” under RBI Act but may be considered as an “Electronic Piece of Paper recognized by ITA 2000” and interpreted for the meaning contained in the electronic document.

While the principal Cyber Law that we need to look at in this context is the Information Technology Act as introduced in 2000 and amended in 2008, it is also necessary to look at the Payment and Settlement Act 2007, which may undergo further modifications now as suggested by the Watal Committee, the amendments to ITA 2008 itself which are under consideration, as well as the newly proposed Data Security Act.

In the back of these laws, one cannot forget the “Negotiable Instruments Act 1881” as amended from time to time and more recently in 2015 and the different regulations of RBI.

The ITA 2000 brought legal recognition of an electronic document on par with a paper document, and the NI amendment Act of 2002 introduced the concept of Cheque in Electronic Form. This concept of Cheque in Electronic Form went through a major transformation in the NI amendment Act 2015, which brought Cheque in Electronic Form into the provisions of the NI Act 1881 as amended up to date, since Cheque in Electronic Form is part of Section 6 of NI Act.

With this, it may be possible to invoke several aspects of NI Act such as the responsibilities of the Paying Banker and Collecting Banker as well as Payment in Due Course and Collecting Bank’s responsibilities etc which need to be interpreted in the context of electronic instructions that go behind the UPI or Wallet transactions where the customer of one Bank is deemed to have issued an electronic instruction to his Bank to make payment of a certain sum of money to a certain person and the same is collected by another Bank on behalf of the intended payee of the instruction.

To most technologists and even the non Banking regulators, this concept of a “Wallet Transaction” being spoken in the same breath with a “Cheque” may come as a shock.

When the full implication of this comparison dawns on the society, we will know that there is a clear interpretation of how a “Forgery” of an electronic instruction will be a nullity in law and the paying banker will be liable for the payment of such forged instruments.

A more detailed debate may be required on the impact of NI Act on the new instruments of cashless economy including the UPI and USSD, the role of the Banks under Sections 85 and 131 of NI Act, role of the NPCI which is similar to an intermediary in a physical society who carries the cheque from the drawer to the Payee determining whether it was properly “Delivered”.

I am sure that this line of thinking opens up thoughts on how the digital signature or E Sign needs to be used in digital payment instruments in substitution of physical signatures on paper based instruments and how the absence of a legally recognized authentication on “deemed electronic cheques” may affect the liabilities of the intermediaries.

The “Intermediaries” will then also be exposed to the liabilities that arise out of “Non Compliance of ITA 2008” and the impact of Section 85 and Section 79 on vicarious liabilities.

Amidst all these discussions looms the risk of the ignorant regulators falling for the pressure of vested interests and trying to legalize Bitcoins. If done, a flood of around Rs 6.5 lakh crore of digital currency will flow into the Indian floating currency system, causing a 50% jump in the floating currency and causing disruption that will actually be destructive.

There are many in the technology industry who are pushing Block Chain technology as an “Authentication Technology” and building a relevance for Bitcoins through this mis-represented logic. “Block Chain Technology” is a “Ledger Keeping technology” and cannot be used in replacement of what the law today recognizes as “Authentication” which is “Non Repudiable” under law.

In the light of these developments, the “Risk of Wrong Regulation” also becomes necessary to be taken into account. It is often found that the consultative process of the Government is inadequate and the Consumers are never part of this consultation. We the Citizens therefore are hoisted with law that we were never part of making despite calling ourselves a “Democratic Society”. Laws are made at the instance of business which has an agenda to exploit the innocent public and this trend needs to be changed.

It is therefore essential that more seminars like the Cash Less Economy be held, particularly in Mumbai and Delhi, to attract the attention of RBI and the Finance Ministry. We need to debate on the theme of “Disruption Without Destruction”. The Government may also proactively consider co-opting consumer representatives who are “Techno Legal Economic Experts” so that a proper perspective is considered before key decisions are taken.

Even if all normal business risks cannot be eliminated through better legislative clarity, Government may still consider reduction of the risks substantially through the encouragement to be given to the Cyber Insurance Industry, which needs to shoulder some of the liabilities that the consumers need to bear out of the systemic risks that arise as the nation moves towards cash less economy.

Naavi

 


Having Problems with WordPress… Any suggestions?

For the last few days, I have been having a problem with WordPress. It appears that a post above a particular size is not getting published or updated.

If I post a screenshot image this post also cannot be uploaded.

The error message says

Quote

Not Acceptable

An appropriate representation of the requested resource /wp/wp-admin/post.php could not be found on this server. Additionally, a 406 Not Acceptable error was encountered while trying to use an ErrorDocument to handle the request.

Unquote

Can anybody suggest how this can be rectified?

Help will be highly appreciated.

Naavi

P.S: The problem was identified as ModSecurity on the server. It has been set right now.

Interview with ISMG

Here is a link to the interview of Naavi at ISMG.

http://www.inforisktoday.in/security-privacy-challenges-aadhaar-based-authentication-a-10051

Naavi


Naavi.org to launch GST Knowledge Center

Recognizing the importance of GST in Indian economy and particularly for E Commerce, Naavi.org is launching an online education center for GST related information and discussion under the domain name www.gstlaw.ind.in.

I welcome contributions from others so that it can be developed over a period of time into a useful information center on GST Laws.

Naavi


What is the GST rate for Bitcoin?

Tomorrow is an important day in the life of the evolution of taxation system in India with the ushering in of the GST system which is termed “One Nation -One Tax” system. Unfortunately, the proposal has been diluted over the months because of the non cooperation of the opposition parties.

Nevertheless, it is a time to recognize the special nature of the occasion.

Naavi.org has been celebrating October 17 as the “Digital Society Day of India” since it was this day in 2000 that electronic documents were first recognized legally in India with the notification of ITA 2000. Similarly July 1, 2017 will in future be recognized as the day when India marched into an integrated tax regime with the introduction of the GST system. It needs to be commemorated despite the reservations one may have on whether it could have been made better than its present form.

Since the entire GST system runs on an IT backbone, IT stakeholders are excited about the opportunities of various types that would be unleashed by this monumental change. It is like the UIDAI system in India and the HIPAA in USA, which unleashed a whole lot of new business opportunities all round. It may take some time for everyone to recognize the ancillary business potential that a system like this would generate. But the beneficial impact on the IT sector will be seen sooner than we realize.

We have pointed out that there are some issues in “Security” that will emerge when such a huge system with a centralized IT control is established since it also represents a single point of vulnerability which if exploited, can spread across the country in no time. The fact that the recent Petya ransomware was spread through a tax related software in Ukraine should be an eye opener in this regard. At the same time, “GST Information Security Practitioners” who understand GST and its operational aspects along with the principles of Information Security will see a generation of a new service opportunity.

Just like the passing of ITA 2000 gave birth to “Techno Legal Behavioural Science experts”, GST will give rise to the birth of “Techno Tax System Security Experts”.

May the tribe flourish!

Since the entire GST platform runs on an IT backbone, most of the legal provisions related to GST actually become an extension of the E Commerce related laws. As a result, GST law is part of the larger canvas of Cyber Laws or Laws of usage of Electronic Documents for business.

Naavi.org will be separately discussing the GST related legal issues under the banner of “GST Knowledge Center” which will be online soon. In the meantime, in the context of the recent discussions we have been having on Bitcoins and Crypto Currencies, it would be interesting to reflect on how the Bitcoin community in India would be affected by GST and its penal provisions for non compliance.

The Central Goods and Services Act 2017 (CGST) envisages that under certain circumstances of non compliance, apart from the financial penalties imposed, there could be liability for imprisonment to the person who contravenes the Act. Hence all Bitcoin players need to take note that GST needs to be complied with.

We need to therefore appreciate how the Bitcoin or other Crypto Currency buyers and sellers as well as the Exchanges like ZebPay, UnoCoin, Coinsure, BTCxindia etc and the Bitcoin wallet service providers may get impacted by the GST.

First and foremost we need to understand that Bitcoin (and other Crypto Currencies) is not “Bank Notes” which come under the provisions of Section 22 (1) of RBI Act.

A “Bank Note” in India by definition is a “Promissory Note payable to bearer where the promise is made by the RBI Governor” and by practice it is issued on a specific format. “Promissory Note” is itself defined in Negotiable Instruments Act 1881 as an “Instrument in writing (not being a Bank Note or Currency Note) containing an unconditional undertaking signed by the maker to pay a certain sum of money only to or to the order of a certain person or to the bearer of the instrument”. A Promissory Note is a document which requires compulsory payment of stamp duty under the Indian Stamp Act, without which it is not valid. Bitcoin (and other Crypto Coins) is obviously not “Bank Notes” nor “Promissory Notes”. It is an electronic document produced under a process and contains some information in electronic form.

Bitcoin also cannot be classified as “Actionable Claim” since there is no contractual offer or acceptance within the Bitcoin document.

Bitcoin is just a ledger entry, and in return for recording an entry and broadcasting it, a person is rewarded with a “Certificate of Merit” which is treated as a saleable commodity.

The Bitcoin community has adopted a format in which this electronic document is created, and some people seem to be willing to assign a financial value to it and are prepared to trade in it. It has therefore become a “Perceived Currency” within the closed community of Bitcoin users who are now trying to make it a universally acceptable “Currency”.

Information Technology Act 2000 recognizes an electronic document as equivalent to “Paper” and hence Crypto Currencies like Bitcoin are recognized as equivalent to a piece of paper on which something is written.

It may simply say “This is a part of the reward provided to xxx for having created a block number yyy… in the zzz system”… or something with a similar meaning.

This document is in electronic form and cannot be denied recognition whether it is digitally signed by the creator or not. In Indian legal system Bitcoin is an “Undigitally signed Electronic document” and has the legal recognition under Section 4 of ITA 2000.

Since Bitcoin is only like a piece of paper, it is a “Commodity” which is in electronic form. Maybe it is similar to a digitally signed e-mail or a webpage where the source can be identified with an “attribution” though in a “Physical De-identified electronic form”.

In case any person is trying to represent Bitcoin as a “Currency” in digital form, it may be considered as misrepresenting a fact and committing a fraud, which is an offence both under the RBI Act and IPC carrying imprisonment of maybe up to 7 years.

If however, Bitcoin is a “Commodity” and it is being bought and sold sometimes from within the country and sometimes from outside, then the trade would be equivalent to trading of any other commodity.

International transactions would amount to import or export of the commodity. Since our FEMA does not specifically permit import of Bitcoins, it would be necessary to seek the permission of RBI and every purchase of Bitcoin in exchange should be treated as an “Import” with necessary foreign exchange permissions through an “Authorized Dealer”. Every sale is like an Export and must be supported by declaration and recovery of proceeds through an Authorized Dealer. A registration under Import-Export regulations may also be required.

If anybody is lucky enough to “Mine” a Bitcoin, it would be treated as a “Manufacture of a Commodity” and is subject to GST as a manufacturer of goods could be.

Any services related to the Bitcoin would be subject to the Service Tax equivalent of GST. Any trading resulting in a revenue would be a “Business income” and may not be considered “Investment Gains such as Short term or long term capital gains”.

If somebody is part of a “Pool” and gets a mining reward, he would be like an “Employee” on part time receiving an income and it would be part of his “Global Income” to be taxed.

Holding of Bitcoins either mined or bought has to be declared in the IT returns as “Inventory” and accounted as “Income from Business”. Where the employee contracts do not permit part time employment elsewhere, or trading of commodities as a part time business, they need to seek permissions from their employers.

As regards the chain of trading activities, each purchaser has to pay GST and is entitled to take input credit if the seller provides an “Invoice” in the requisite format showing payment of GST at his end. There is of course an exemption from GST for traders, manufacturers and service providers below a specific limit and if the person exceeds these limits there will be need for GST registration.

Bitcoin exchanges who have not registered under GST and not implemented appropriate procedures need to stop trading from tomorrow as they would be in violation of the law once they exceed the limits specified. Exchanges and Wallet Service Providers who are “Registered” and deal with “Unregistered Bitcoin sellers and buyers” need to pay “Reverse Charge on one leg of the transaction and another normal GST on the other side”.

In the case of inter state transactions, the payment is made as IGST. If the Exchanges structure the transaction as a broking transaction and the seller raises an invoice directly on the buyer, the intermediary may escape with the taxation of his charges only as a “Service Tax”.

Additionally after the initial moratorium period there would be Tax deduction at Source and Tax collected at source in some cases. If contravened, there would be interest, penalty and other liabilities.

The first principle to be remembered in GST is that it is the supplier of Goods or service who would be liable to pay GST. The seller of Bitcoin is therefore liable along with the Exchange and Wallet service provider. If the seller is unregistered, the reverse charge is on the exchange.

Then the Exchange sells Bitcoins to the buyer. If the exchange is registered, then it has to charge GST to the buyer.

If both the buyer and the seller are unregistered (because their turnover is less than Rs 20 lakhs) then there may be exemption of GST. In some cases such as imports, liability can be on the recipient.

GST needs to be paid immediately (by 20th of each month) on sale and returns need to be filed within a fortnight (deferred now for 2 months). The Tax collected at source (TCS) in GST means that any E Commerce operator who makes a payment for a transaction needs to withhold a designated percentage from the payment and remit it to GST authorities before the 10th of next month.

Since Bitcoin is not specifically mentioned in the list of Goods and it cannot be treated as an “Essential commodity” which may be exempted from GST, nor does it suffer a tax like the STT applicable for stocks and CTT applicable to commodities traded through exchanges, the rate of GST on Bitcoins may be treated as 28%.

If the intermediary is liable for GST at both ends he may pay a reverse tax in one case and perhaps be eligible to claim input tax benefit at the other end.

Since Bitcoin is taxed under GST as a normal commodity which is manufactured, imported or exported, bought and sold, at each purchase point the buyer is entitled to claim input credit. Hence the exchanges and wallet owners need to incorporate necessary systems in place to enable claiming of such input credits along with payment of GST. It would be interesting to see how the companies respond to this new challenge.

Naavi


Is our GST system safe from a future Petya attack?

A day after the Petya attack, it is now recognized that those who pay ransom for Petya attack may not be able to get the decryption key and decrypt their system back to action.

The attack is now being dubbed as “Not a Ransomware but a Wiper”.

Experts are now realizing that the malware was by design not meant to restore data on payment of ransom. It could be a mistake that the creators of the malware have committed, or it could be an attempt by a state actor who wanted to attack Ukraine and wanted to disguise and mislead the security world that it was indeed a ransomware.

For more details one can refer to this article

According to these experts, unlike other ransomware, this malware does not encrypt at the file level. It encrypts the Master Boot Record (MBR) and makes the computer not bootable. Then it scans through the local network and infects other machines using other exploits. The malware replaces MBR with its own version which displays the ransom message.

It is however observed that the current variant of the malware encrypts the Master Boot Record (MBR) but does not keep a copy of the original MBR. Hence on payment of the ransom, the system cannot be recovered.

It is reported that the first around 45 victims who paid the ransom of around US $10500 in Bitcoins have not received the decryption keys.

There is therefore no hope for Pipavav Port or Jawaharlal Nehru Port Trust (JNPT) or any other victim of Petya (also called NotPetya or GoldenEye) to recover the data. They need to dig into their backups and reconstruct their lost data.

However, what we in India need to be more concerned about is the future attacks of a similar nature that may be more devastating than WannaCry or Petya. We in India are now on the eve of GST implementation and the Aadhar Based Payment systems, both of which have a highly centralized system structure which, if infected, can cause havoc across the country.

It is to be noted that the devastation that occurred in Ukraine by the Petya malware was because the malware first infected a program called MeDoc through an official update from the vendor. This was a tax accounting system perhaps widely used in the country and hence it spread like wildfire.

When our GST is in place, we will have a “One Country- One Tax” system and it could bring in many benefits of its own. But at the same time, it may also turn out to be a “One Malware infection Point” in place and God forbid, if this is infected the country’s economic infrastructure may come down.

In a recent press statement, the authorities in charge of GST have stated that due to lack of time, they were not able even to complete the “Functional Testing” fully after the changes that continued up to the last minute. It is therefore reasonable to expect that “Security Testing” has also not been completed.

It is hoped that nothing will go wrong as we function under the Amir Khan’s “Three idiot’s Principle” that “If you believe All is well, then everything will be fine”.

I am sure that enough Poojas have been conducted across the country to ensure that the system works fine. If not, we need to organize such poojas to coincide with the launching of the GST at the midnight hour tomorrow.

But the Murphy’s law says that “If anything can go wrong, it will” and security observers have more faith in this principle than the Three Idiot’s principle.

In a country like India which has a constant terror threat supported by countries like China, there is every possibility that what may normally not go wrong statistically may also go wrong since there are enemies working on destroying the country both from outside and also from within including the political parties like Congress, TMC, National Conference, Communists etc. Hence even if a small vulnerability is found in a system like GST, the possibilities of it being exploited are near certain.

Our response to Petya should therefore include how we face a situation where a Petya type of destructive malware spreads through the GST system.

The first thing the GST authorities as well as all individual assessees should do is to always keep a 100% backup of every document that is created and processed in the system, and such backups should be maintained in an off the network system which is well protected with a good malware protection system. GST needs to maintain a robust DRP/BCP system to have a parallel system ready for switch over in case the main system comes under a Cyber Attack.

All businesses should ensure that they do not link their operational computers directly to the GST system but use a separate computer to upload and download documents to GST. Any transfer of files between their current accounting computers and the GST connected computer should be done securely, avoiding spread of any malware during the transfer process. Similarly, the main accounting system should be insulated from normal internet activities including e-mail and web surfing. SMEs may find this burdensome, but if they need to avoid regretting later, this is a small investment they need to consider.

Since the GST system was built when WannaCry had not yet been recognized as a big threat, it is possible that it might have used all the vulnerabilities that the recent set of malwares have exploited.

I hope the security agencies will be up to the task to superimpose ransomware protection on the current GST system and ensure that our national system is well protected.

Refer articles:

GST Network safe from global malware attack, says CEO Prakash Kumar

No time to test software now, says GSTNetwork chairman Navin Kumar

At the same time, for whatever it is worth, we need to declare the GST system as a “Protected System” under Section 70 of ITA 2008 and also make it public that any attack on the GST system will be considered as a “Cyber Terrorist” attack which can immediately invoke international treaties for both investigation and protection.

Naavi

 
