Wipro under Cyber Terror threat: “Breaking Bad” in action

It is a grim reminder of the hard times we live in that a threat has been made to WIPRO stating that “If a ransom of Rs 500 crores is not paid in ‘Bitcoins’, there would be a ‘Bio Attack’ on Wipro employees through poisoning of their food chain system or through drone dispersion of poison through the air”. The implication of the threat received by WIPRO seems to be that RICIN, a “Poison” extracted from castor seeds, would be used to cause extensive death within WIPRO.

I do not consider this an issue concerning only WIPRO. This is a Terror threat and the risks may extend far beyond WIPRO. Hence let us start an extensive debate on the subject, beginning with this article.

What is the RICIN Threat?

“RICIN” is a natural extract from castor beans and is said to be easily extracted from the waste dumps of the castor oil processing industry. It can be transmitted through food, water, air or touch and causes death if ingested in a lethal dosage. No antidote or vaccine for Ricin poisoning is available to the public at this point in time. But flushing the poison out of the system may help the victim survive if it is undertaken quickly.

Ricin became a household name because of the popular TV serial “Breaking Bad” aired on US channels. In this serial, it was repeatedly referred to as a way of killing somebody without leaving a forensic trace in the body. It can be used as a powder, a mist, a pill or a pellet, and can be dissolved in water and other liquids. This means that a person can contract Ricin poisoning via inhalation or ingestion, or through touching a poisoned material such as a letter.

From the medical information available about RICIN poisoning, we understand that:

The initial symptoms of Ricin poisoning depend upon both the degree and the route of exposure. They may include fever, vomiting, nausea, severe cough, abdominal pain, diarrhea, dehydration and flu-like symptoms. Symptoms may occur 12-24 hours after exposure and death can be caused within 72 hours.

(Hence doctors do not have sufficient time to exhaust all “Tests” before deciding on the course of treatment and should not waste time recommending tests of various kinds.)

Symptomatic poisoning must be treated by giving victims supportive medical care to minimize the effects of the poisoning. It is suggested that care could include such measures as helping victims breathe, giving them intravenous fluids, giving them medications to treat conditions such as seizures and low blood pressure, flushing their stomachs with activated charcoal (if the Ricin has been very recently ingested), or washing out their eyes with water if their eyes are irritated.

(This means that the patient should be immediately moved to a proper hospital and medical practitioners should avoid taking the risk of waiting for the symptoms to subside in the ordinary course.)

The medical fraternity may take suitable steps to spread awareness of RICIN poisoning and its symptoms to all medical practitioners.

Now let’s come back to the news report and what the Police can do following the reporting of the incident. The threat has come through an e-mail in the name of Ramesh2@protonmail.com, which is obviously a fake ID and will require effort to decipher.

Incidentally, the “Privacy” supporters who often cry foul whenever “Security” concerns are raised, and who swear by the ToR browser and the anonymization of internet communication, should now realize the threat posed by such unhindered anonymity.

Similarly, the “Bitcoin” supporters also need to realize how “Bitcoin” has irrevocably become the currency of the terrorists.

Our security response to the incident should be comprehensive and address all direct and indirect issues that enable such terror threats to be held out even in future.

We may try to understand the full details of the information available in the public domain through this news report.

According to this report,

The anonymous email was sent to multiple recipients, including senior officials of the firm, on 5th May 2017 and claimed that if the Rs 500-crore payment was not made by May 25, the sender would attack Wipro offices in the city using Ricin. The email reportedly stated that the Ricin would be used through food served at the cafeteria, dispersed using a flying drone, or even placed on toilet seats or toilet paper.

The sender has also reportedly claimed that he has isolated 1 kg of high-quality Ricin and would be sending 2 grams in envelopes to one of Wipro’s offices in the city in the coming days to prove that he was not bluffing. He has also cautioned the firm to be careful while dealing with his ‘sample dose’.

The email according to the report also contained the link to a news item about the mysterious death of 22 stray dogs at Baranagar in Kolkata, uploaded on the portal of a leading English news daily. The incident occurred on January 21 in Baranagar locality where the carcasses of 22 dogs were found on the road near a construction site. The sender claimed that he had isolated a high-quality, beta strain of the toxin and had tested it on those dogs.

Now it is reported that a case has been registered by the Bangalore Police as “Cyber Terrorism” (Section 66F of ITA 2000/8). The threat to use a drone to sprinkle RICIN is interesting as it amounts to the use of a “Cyber Tool” to intrude into WIPRO territory without authorization. Additionally, the threat will also be considered a “Terrorist Act committed with the use of electronic documents” under other Acts. However, there is a need to ensure that the Police do not stop serious action after the registration of the complaint.

Considering the complexity of the investigations, there is a need to declare a “Serious Terror Threat Alert” across Bangalore, and a massive effort to be launched to identify the root of this e-mail threat.

In my opinion, the threat is serious enough to call the NIA and also invoke international cooperation forthwith.

It is recognized that the e-mail is a “Terror Threat” and those who have sent the e-mail and all their accomplices would face a “Life Imprisonment”. If even one person dies from RICIN poison, then the sender of the e-mail and all his accomplices would face “Death penalty”.

In this context, there are several initiatives that the Bangalore Police need to take, some of which I try to list here.

  1. Police should first declare the implication of the case being registered as a terrorist act through a public notice on all TV channels and in the Press. It should be made clear in this notice that the e-mail threat is being considered a “Terror Threat” and that the perpetrators face the prospect of “Life Imprisonment” and the “Death Penalty”.
  2. Police should also make it clear that any person who has information leading to the detection of the sender of the e-mail would be rewarded if he comes forward with the information and shares it with the Police.
  3. Police should also make it clear that those who may have information about the sender of the e-mail and do not share it with the Police voluntarily will be considered “Co-Conspirators”, as “Preventing Law Enforcement from catching terrorists”, and will be considered guilty of the same offence, which has “Life Imprisonment” and the “Death Penalty” as possible punishments.
  4. Police should also make it clear that “Persons who may have information about the sender of the e-mail” could be his friends, colleagues, family members and even the several service providers involved in the sending of the e-mail, which could include Protonmail.com since the e-mail is said to have been sent from the address “Ramesh2@protonmail.com”.
  5. It is possible that the sender of the e-mail is an “Insider”, and there is a reasonable probability that the threat has come from a frustrated dismissed employee or from a current employee who is disgruntled in some way.
  6. It is possible that the purpose is only to create panic and that the threat may not be executed.
  7. If the perpetrators are only disgruntled employees and not hard core terrorists, a Police clarification that this is “Cyber Terrorism” may make them realize the enormity of the problem that they have unleashed on themselves (perhaps out of ignorance).
  8. If the Police promise that any person who voluntarily gives himself up may be considered as “Not having the malicious intention to carry out the threat”, and that charges under Cyber Terrorism would therefore not be pressed, then the persons who have committed the offence, or any of their friends and family members who wish that the person would at least not be tried for “Life Imprisonment” or a “Death Sentence”, may be willing to surrender with information, even if they have to face a charge for a financial crime involving an “Extortion Threat”.

If the above strategy fails to make the sender of the e-mail come out within the next 24 hours, we should escalate the issue from the local police to the NIA and treat it as a national emergency.

CERT-In should also walk in today voluntarily to assist the WIPRO information security team, the local Police team as well as the NIA, and help form a multidisciplinary “Crisis Management Team”.

If the matter is left to the Police alone, there is a possibility that the investigation would drift. There will also be inter-agency rivalry and other issues that may interfere with a quick resolution of the problem. The country cannot afford any such inefficiencies to affect this investigation.

Some of the actions that need to be taken in the context of this threat could be:

  1. We should recognize that though the threat has now been made to WIPRO as a financial ransom call, the same method could be used by a terror organization (such as ISIS) without a financial motive to cause indiscriminate loss of life.
  2. If so, this threat to WIPRO could be a diversion and the real attack may come elsewhere: it could be another IT company, another industry, a five star hotel or any other large congregation of people.
  3. Action should be initiated to ensure that any organization hosting large gatherings where there would be central food distribution is aware of the threat.
  4. An advisory should be selectively issued to all organizations managing centralized kitchens serving food to a large number of persons. The food managers of these establishments have to be called for an awareness briefing and security hardened across the State.
  5. The medical community in Bangalore, and hopefully across the State, should be alerted about the “Symptoms” and the “Response to a suspected RICIN poisoning case”. It is generally understood that if a lethal dose of RICIN is ingested, whether through food, air or skin, there is no antidote. However, according to some medical advisories, an immediate attempt to remove the poison from the body could help. (Refer here for more details)
  6. We should be alert to other forms of RICIN attacks, such as those through letters, which have been reported earlier in the USA (Refer article in slate.com).
  7. India should immediately make a firm declaration that “Bitcoin” is a “commodity” that is banned in India, and that anyone in possession thereof must surrender it to the Government for exchange or face criminal action for possessing a “Banned Tool of Crime”.
  8. Police should alert all castor oil processors to account for waste disposal, and also identify whether any large stock of castor oil waste has been bought by any person and, if so, whether such a purchase is linked to this threat (or could in future become another threat unconnected with this).
  9. There is a report that an antidote has been developed by the UK and US Military, though it might not have been properly tested on humans. The Indian Government should get in touch with these authorities and invite them to join the disaster management team with some stock of sample antidotes so that they can be used if necessary.
  10. There are many leads that the reported incident provides from which it should be possible to identify the sender of the e-mail even if he has used a proxy server. These cannot be discussed in a public forum. Also, the Police investigators are much more intelligent than observers like us can ever be, and they should already be on the job. The only thing required is to give them a free hand in the investigation.
  11. I therefore reiterate that giving assistance to the Cyber Police of Bangalore in every manner is the prime responsibility of any citizen of Bangalore who is alarmed by the threat.

There could be many other angles that need to be explored. But the key evidence lies with WIPRO, which is reportedly “Tightlipped” about the incident. While being “tightlipped” with the media is fine, WIPRO should voluntarily invite CERT-In and the NIA to join the probe immediately and share the evidence available with it. It should be ensured that no evidence is destroyed during the internal investigation, either by mistake or deliberately.

It would help the investigation if all available resources, national and international, are gathered for effective investigation. I call upon the PMO to advise the necessary agencies to set up a “Serious Cyber Incident Management Team” and proceed with the investigation.

As regards trying to persuade the offenders to surrender, even if the Police fail to issue their own public notification as I have suggested, this article published on the internet is a public notice. Hence any person having knowledge of the crime should consider themselves notified that they would be considered accomplices of the terrorist act if they do not immediately disclose the information within their knowledge to the appropriate authority.

This is also friendly advice to the person who has sent the e-mail and to his friends and relatives: if any of them come out voluntarily and disclose useful information, and/or surrender, the charges of “Cyber Terrorism” may either be dropped or may not easily be sustained in further trials, and they will face a lesser charge and lesser punishment than life imprisonment or the death penalty.

In particular, I request the family members and friends of the sender of the e-mail to either persuade him/her to surrender or voluntarily disclose his identity for his/her own good. If they have any difficulty contacting the Cyber Crime Police of Bangalore for this purpose, they are welcome to contact me for guidance.

I hope this incident will not materialize in all the ugly manifestations that it threatens. But there should be no complacency either by WIPRO, CERT-In or other establishments, including the State and Central Governments.

I am forwarding a copy of this article to the new CERT-In Director General and hope he will swing into action before the end of the day if he has not already done so.

Naavi

Also Refer:

Regarding the stray dogs killed

Beware of Cyber Stone Pelters


Update: 8th May 2017

The complaint has now been transferred from the Cyber Crime Police Station to Bellandur Police Station and the investigation is likely to continue as a terror threat in the physical space. It is likely to be treated as one of the many e-mail threats that float around.

The charges under Section 66F are likely to be replaced with Section 66C/66D along with sections from IPC and Unlawful Activities Prevention Act. There is no indication at present of the incident being treated seriously and hence no NIA angle is likely to be there.

Let’s hope that the threat remains a prank and does not escalate.


 Update: 11th May 2017

Also see report in ISMG



Mr Jaitley should introduce tax reforms in the “Pricing of Body shopping contracts” to counter US and Australian visa restrictions

The US and Australia are talking of tightening their visa rules to protect their domestic employment and in the process are hurting the profitability of Indian companies.

At this time it is necessary for the Indian Government to come to the assistance of Indian companies in such a manner that they are not unduly hurt by the unfair policies followed by foreign Governments.

While the US and Australia will hurt India through their visa policies, the EU will hurt India through its GDPR imposition, which will increase the cost of data processing in India. Cumulatively, the Indian IT industry is facing a challenge ahead which will be reflected in lower employment in the Engineering sector in the immediate future.

Initially, I was under the impression that the Indian IT companies may be able to convince their customers to “Work from India” which would have actually increased the employment potential here. It would also prevent the brain drain and hence I considered that the Trump measures would actually benefit India.

However, from my preliminary interaction with some software professionals, it appears that the existing clients in the US or elsewhere are unlikely to agree to the work being shifted to Indian centers as an outsourcing contract so that the cost structure of the existing contracts can be preserved. They would like the work to be done at the existing cost parameters, with the vendor absorbing the higher cost of visas or the higher cost of local employment.

This is unfair, but it is a factor which industry competition alone can resolve. However, Indian companies do not seem to have the courage to take on their clients and would prefer to buckle under pressure. Considering the recent announcement that INFOSYS would create 10000 jobs in the US, it appears that these IT companies will not use this opportunity to increase employment opportunities in India. Instead they will become employment-creating agencies for the US and Australia.

It is therefore necessary for Mr Arun Jaitley to find some means by which incentives are created for Indian companies to create jobs in India, and disincentives for the IT companies preferring to work as job-creating agents for foreign Governments.

At the same time, we need to create incentives so that foreign companies interested in creating employment in India are encouraged.

If the objective is recognized and accepted, I am sure that Mr Jaitley can find the means of incentivisation and disincentivisation through his next budget to ensure that more IT jobs are created in India than are lost through the new immigration policies in the USA and Australia.

The EU has indicated a new principle whereby the “Global Turnover” is taken as the basis for imposing a penalty for a data breach or non-compliance with the GDPR regulations. If the EU can dip into the global activities of a company for a data breach affecting the privacy of EU citizens, we should take a cue and take cognizance of companies, both Indian and foreign, making profits by creating jobs in India or in their own country in a proportion that shows discrimination.

In general, if a company enters into a contract for work which can be done by a work force X, of which x1 is employed in India and x2 is employed in another country of the contractor’s choice, the global employment potential of the contract and how it is distributed between the two countries should be taken into account in imposing a “Balancing Tax”, so that the profitability of the contract is neutral to the distribution of employment expenditure between the two countries. If the global manpower expense under the contract is N, and n1 and n2 are the expenses in each country, then the “Employment Balancing Tax” should be levied on the company in the proportion in which the manpower productivity is distributed.

I am aware that the proposal may be considered bizarre and complicated, and may even be questioned under international treaties. But we need to make the US and Australia realize that we want to be fair in promoting free trade and only want the freedom to shift work to India where it is technically and functionally feasible.

Obviously, we cannot shift physical construction work from one country to another, but IT work can be shifted since today virtual workers can be as effective as physically present workers. The proposal is therefore directed more towards IT companies and IT contracts.

Hence I suggest that “Anywhere Employment” should be the basic theme of all international contracts and any contract which forces a skewed distribution of manpower should be considered as a violation of free trade principles.

All contracts will have a “Body shopping” component where jobs can be created in either country without affecting the functionality of contract execution. We can therefore consider, as in the case of “Transfer Pricing”, subjecting all international “Body shopping” contracts to some taxation-based control that brings a balance to employment creation in both India and the contracting country.

Comments are welcome….

Naavi


Can Evidence be admitted even if obtained through illegal or improper means?

Recently, a question was posed to the undersigned about the acceptability of evidence when there is a challenge that the evidence was obtained through illegal means. Following is my reaction to the query.

There have been many occasions on which an Indian Court has had to debate whether evidence can be admitted when it is brought to its notice that the evidence was obtained illegally. Most of these cases in the past have arisen on account of the Government tapping telephone conversations, which has been challenged as either “Improper” or “Illegal”.

Illegality arises when a person has obtained evidence by deceit, by stealing or, in the case of Cyber Evidence, by “hacking”. Impropriety may arise when there was a legal means and a procedure for the collection of evidence which was not followed.

Obviously, it is easy to assume that “Procedural Irregularities” can be condoned, but human rights activists often raise objections when evidence has been obtained through illegal means.

The opposition to the Courts accepting an illegally obtained evidence stems from the fact that it may violate the “Constitution of India”, the “Right to Privacy” and such other principles which are dear to some activists and even some Judges.

In many matrimonial disputes, one spouse plants spyware in the other spouse’s phone or computer and gathers incriminating evidence. We had recently reported a West Bengal Adjudication verdict in which a husband was fined for violating the privacy of his wife when he extracted evidence supporting his matrimonial dispute case by means which were held to be violative of her privacy.

There are also instances where some resort to hacking of Facebook or Gmail accounts to extract evidence.

In all such cases the counter party has a case against the party which obtained the evidence, namely that it was obtained illegally and hence should not be admitted.

However, a series of Indian judicial decisions have held that evidence is admissible if it is “relevant”, even though it was obtained improperly or illegally.

Hopefully the matter can be considered settled, since according to this Business Standard report, the Bench headed by Justice B.S. Chauhan has stated:

“It is a settled legal proposition that even if a document is procured by improper or illegal means, there is no bar to its admissibility if it is relevant and its genuineness is proved. If the evidence is admissible, it does not matter how it has been obtained.”

It must however be noted that once a person adduces some evidence, it is admitted evidence against him and can be used against him if required.

Hence when evidence is presented which has been obtained illegally, it is open to the Court to accept it and proceed with the trial in the case in which it was presented. At the same time, a separate action may lie against the person who obtained the evidence in violation of some law.

Hence parties should weigh the pros and cons of presenting illegally obtained evidence before a Court. The Police may however use such evidence during the preliminary investigation and for interrogation, so that they may be able to unearth further evidence through legal means which can be used in Court.

Considering the inconsistency that prevails in the Judicial system and the views of different judges, it cannot however be ruled out that Judges may selectively accept or reject evidence based on whether it was obtained improperly or illegally and the degree of illegality involved.

In some of the matrimonial cases referred to earlier (West Bengal Adjudication), the illegality was restricted to the use of a password shared between husband and wife, or “access to a system exceeding the authority provided by the owner” (Section 43). Such contraventions may be considered a “Technical Overreach” by one party and are unlikely to be a strong enough reason for rejecting the evidence (if it is relevant).

However, an operation like a “Sting Operation”, where inducements are thrown out to tempt a party to transgress the law (e.g. corruption cases), which is similar to operating “Honey Pots” or policemen trapping sex predators in chat rooms, could fall into the grey area of whether the evidence should be accepted or not, since this could be “evidence that is created by the person when it did not exist in the first place”.

Again, when evidence which is already present somewhere (say on a computer or mobile, a private Facebook page, an encrypted message etc.) is extracted for presentation in a Court as a defense in a case brought against the person presenting the evidence, that should be considered a legitimate reason for the evidence to be admitted even if the manner in which it was obtained was not entirely above board.

In the case of offensive action based on such evidence, the Court may exercise its discretion on whether the evidence was collected as it already existed and not created out of an inducement, in which case there was a duty to bring out the truth before the Court about an offence already committed by the accused for which the evidence was collected.

Comments welcome

Naavi

Also Read :

A Research report on the 2013 Law Commission report

1983 Law Commission report

Reference Article-1

Reference Article-2

Reference Article-3

Delhi High Court Judgement-2012 (Digambar Khattar Vs Union of India)


Data Processors in India should avoid entering into unenforceable contracts which may be termed “Fraudulent”


Globalization of Indian IT business has created many challenges for the Indian economy as a whole and in particular for certain domain-specific regulators. One such regulator who frequently finds himself in a bind is the RBI while regulating foreign exchange transactions. Over the years the strict regulations under FEMA have been diluted and great freedom has been given to the Indian public to purchase foreign exchange, retain it abroad and use it for specified purposes.

In the Free Trade environment, there are many instances where an Indian company enters into a business contract in which it commits itself to certain obligations which are directly or indirectly convertible into payment of compensation to a foreign company in foreign exchange. In the process the regulatory functions of the RBI get disturbed.

As long as the compensation is reasonable and is directly related to and is a part of the revenue proposed to be earned through the contract, it is a fair proposition.

However, in recent days, we have seen that “Indemnity” obligations under certain contracts far exceed in value the actual revenue gained from the contract. One example of this was the claim made on SIFY (before its merger with TechM) of US$ 1 billion for violations in its software development contract and failure to provide appropriate documentation for the beneficiary (UPAID) to obtain a valid patent in the USA. This is reported to have been finally settled for US$ 70 million in the dispute resolution process.

TCS also faced a situation where a claim of US$ 940 million was made on it by a US company, Epic, for a data breach incident, which again must have been reduced to around $200 million in subsequent discussions.

Recently, Tata Group had to face litigation to meet its obligations under a contract with DOCOMO which involved payment of compensation in foreign exchange.

These are instances which indicate that companies end up confronting the RBI when seeking foreign exchange remittance arising from a contractual obligation about which the RBI had no inkling until the liability matured. Given the comfortable FE reserves at present, the RBI may be able to meet the requirements without fuss, but it is bad in principle that the RBI should be unaware of such liabilities until they fructify.

With the onset of GDPR, which speaks of a penalty level of up to 4% of the global turnover of a data controller/data processor coming directly under the jurisdiction of the EU, the rules of the game have changed. EU companies will without doubt incorporate compliance obligations along with indemnity clauses in their contracts with Indian sub-contractors who are “Non EU Data Processors”.

Some Indian companies may come directly under the regulation if they provide any services to EU citizens, including “Monitoring” the activities of EU data subjects. All other data processors in India who enter into a contract with any international data controller are also exposed to the indemnity liability by virtue of the contracts signed.

Some of these contracts may appear to emanate from, say, the US, but the US client himself may have a back-to-back processing contract with EU countries, and hence Indian companies have to cover themselves for the GDPR risk even in these contracts.

Hence the “Liability Risk arising out of data breaches, for Indian companies acting as Data Processors” is a universal risk that cumulatively adds up to several billion US dollars. It cannot be ignored.

Remember that the indemnity clause may simply say “..shall indemnify any loss caused to Party A by Party B not complying with the provisions of this contract..” (or equivalent) and not specify any limits.

We are therefore exposing ourselves to a risk of 4% of the global turnover of the international vendor, not limited to 4% of the turnover of the Indian company.

GDPR also provides for EU data subjects themselves claiming compensation from the sub-contractors of a data controller, and hence some maverick may file a class suit against an Indian company for a mass data breach with a compensation claim running to billions of dollars.

In this context, we need to take a look at some of the clauses in the Model Standard Contract Clauses issued earlier by the EU, which were already part of some Business Process contracts or may now be incorporated in contracts renewed under GDPR under Article 46(2)(a).

Some of these clauses are as follows:

“…The data subject can enforce against the data importer this Clause, ….(Ed: when a remedy may not be easily available against the data controller)”

“…The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law”

“.. The data importer agrees and warrants:….that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract…” etc

Without going into further details, we can very well see that these contractual terms try to override the Indian laws.

We should not consider that these are normal clauses under a contract where the jurisdiction for dispute resolution is normally switched from Courts to Arbitration or from one country to another country. These clauses determine the liability which is “Indeterminable” at the time of signing of a contract and on which the contracting parties may not have a “meeting of mind”.

Secondly, India has a financial regulation under which RBI regulates the flow of foreign exchange. While, in pursuance of the overall economic objectives of the country, RBI has provided many free remittance options, some requiring mere reporting to or approval from an Authorized Dealer, remittances that may run to millions of dollars cannot be delegated to Authorized Dealers or brought under free contractual remittances.

Hence, when a data processor company in India receives a notice from an EU regulator or a data controller to pay a few million US dollars as compensation, or to attend an arbitration which may eventually lead to a similar decision, even if the company has foreign exchange balances earned through its exports and held in approved foreign currency accounts (Exchange Earner’s Foreign Currency Account, or EEFC), it cannot decide to make the payment without referring the matter to RBI.

The permissible debits to an EEFC account are as follows. (Refer here)

i) Payment outside India towards a permissible current account transaction [in accordance with the provisions of the Foreign Exchange Management (Current Account Transactions) Rules, 2000] and permissible capital account transaction [in accordance with the Foreign Exchange Management (Permissible Capital Account Transactions) Regulations, 2000].

ii) Payment in foreign exchange towards cost of goods purchased from a 100 percent Export Oriented Unit or a Unit in (a) Export Processing Zone or (b) Software Technology Park or (c) Electronic Hardware Technology Park

iii) Payment of customs duty in accordance with the provisions of the Foreign Trade Policy of the Central Government for the time being in force.

iv) Trade related loans/advances, extended by an exporter holding such account to his importer customer outside India, subject to compliance with the Foreign Exchange Management (Borrowing and Lending in Foreign Exchange) Regulations, 2000.

v) Payment in foreign exchange to a person resident in India for supply of goods/services including payments for airfare and hotel expenditure.

Permitted current and capital account transactions under FEMA are described below.

A Current Account Transaction has been defined as a transaction other than a Capital Account Transaction, meaning any transaction which does not alter the assets or liabilities outside India of a resident, or the assets or liabilities in India of a non-resident.

Such transactions include:

-Payments due in connection with foreign trade, other current business, services, and short term banking and credit facilities in the ordinary course of business.

-Payments due as interest on loans and as net income from investments,

-Remittances for living expenses of parents, children, and spouse residing abroad,

-Expenses in connection with foreign travel, education and medical care of parents, spouse and children.

Capital Account Transactions are classified into two classes:

(i) Capital Account Transactions of a person resident in India.

-Investment in foreign securities
-Foreign Currency loans raised in India and abroad
-Transfer of Immovable properties outside India
-Guarantees issued by a person resident in India in favour of a person resident outside India.
-Export, Import and holding of currency/currency notes.
-Loans and overdrafts (borrowings) by a person resident in India from a person resident outside India
-Maintenance of foreign currency account in India and outside India by a person Resident in India.
-Taking out an insurance policy from an insurance company outside India.
-Loan and overdraft to a person resident outside India
-Remittance outside India of capital assets of a person resident in India.
-Sale and purchase of foreign exchange derivatives in India and abroad and commodity derivatives abroad

(ii) Capital Account Transactions of a person resident outside India.

(a) Investment in India by way of issue of securities by a body corporate or an entity in India and investment therein by a person resident outside India; and investment by way of contributions by a person resident outside India to the capital of a firm, proprietorship concern or association of persons in India.

(b) Acquisition and transfer of immovable property in India in favour of, or on behalf of, a person resident in India.

(c) Guarantee by a person resident outside India in favour of, or on behalf of a person resident in India,

(d) Import/export of currency or currency notes into/from India by a person resident outside India.

(e) Deposit between a person resident in India and person resident outside India.

(f) Foreign Currency Accounts in India of a person resident outside India

(g) Remittance outside India of capital assets in India of a person resident outside India.

All payments in foreign exchange other than what is mentioned above require “Prior Approval” of Government of India.

However, in the case of liabilities arising out of the Standard Contractual Clauses in a data processing contract, a company would approach the Government or RBI with a post-facto request that it has to remit foreign exchange, and RBI or the Government will be in a dilemma over how to deal with this fait accompli.

In my opinion, a company entering into a contract, knowing fully well that it does not have prior approval of the Government for the contingent event in which performance of one of the contractual clauses arises, amounts to entering into a “Fraudulent Contract”.

It is neither enforceable by the data controller nor executable by the Indian data processor.

Should we place our Indian companies in such a situation? There is a need for NASSCOM and the Government to ponder over the issue.

On my part, I suggest that companies ensure that their contracts are all made “Subject to laws prevailing in India”. In other words, contracts should include a “GDPR Exclusion Clause” where

a) the liabilities are limited to a particular amount for which the company should have prior permission from the Government, or

b) Liabilities are subject to the laws in India including FEMA.

I am sure that the business managers will raise a hue and cry on rejecting the standard contractual clauses suggested by the clients and the corporate legal advisors may be brushed aside.

However, from the compliance angle, I would advise the legal advisors and compliance managers to raise an alert so that the top management takes a decision based on its risk appetite. The CFOs and the financial auditors should qualify the accounts, for both balance sheet and SEBI purposes, to state that “Certain liabilities committed by the Company are not quantified and not provided for”.

Alternatively, NASSCOM, RBI and the Finance Ministry need to sit together and find a solution. Presently, it is a good time to find a solution through the proposed Indian Data Protection Act, which is being drafted by the Ministry of IT in consultation with NASSCOM. This law will introduce a super regulator for data protection, who may be called the “Data Commissioner of India” and who will be responsible for all “Data” processed in India.

ITA 2000/8 tries to provide protection for data from the perspective of an Indian data subject whose personal and sensitive personal information is processed by an Indian company. It indirectly addresses the rights of international bodies by providing that “Reasonable Security Practice” under Section 43A is as defined in a contract between the data subject/data controller and the data processor. This enables an international data controller to seek a remedy for its losses under ITA 2000/8 when there is a breach of the contractual terms of security, and opens a door for the indemnity clause to be enforced with the support of the Indian judiciary (the Adjudicator).

The proposed Data Protection Act of India may go a step further and make all data processors in India subject to a registration/licensing process with the Data Commissioner. This office can, if necessary, also be made responsible for vetting data processing contracts and ensuring that there are no inherent conflicts.

Alternatively, the Data Commissioner of India should be given a mandatory power by which no legal action can be initiated against a registered data processor in India without the permission of/intervention of the Data Commissioner. In such a case this office will act as a filter between the Indian data processors and the foreign Data controllers/Data subjects and ensure that no unreasonable liability suit is hoisted on Indian companies.

I request the MeITy, NASSCOM and RBI/Finance Ministry to quickly start negotiating on this matter before the law is frozen (before October as the Government has indicated).

An opportunity missed now will be an opportunity lost for ever.

Naavi

Posted in Cyber Law | Leave a comment

Petrol Bunk Chip Scam is a Cyber Crime


Police in Lucknow have raided several petrol bunks in the city which were using a chip inside the dispensing unit to dispense less petrol than metered, systematically siphoning off about 50 ml for every litre of petrol sold.

This is similar to a fraud discovered some time back in Bangalore, where auto meters were tampered with using a chip which made the meters run faster than they should.

In fact, the Chinese are known to have mastered the “Manchurian Chip” fraud, whereby chips are inserted inside computers for the purpose of creating a backdoor. This was confirmed earlier by Scotland Yard in the case of POS machines in the UK from which credit card information was being stolen and forwarded to China.

Refer to this article of 2008.

Both these cases are clearly “tampering with a computer device” and amount to a cyber crime under Section 66 of ITA 2000/8, besides other sections of the IPC.

So far, it appears that the Police are hunting only for the person who fitted the chip in the bunk. They need to actually arrest the petrol bunk owners, who are the financial beneficiaries of the fraud.

It is possible that some of them might have removed the chip by this time. However, if the petrol purchase and sale quantities are audited and reconciled over a period, it is possible to observe whether the total quantity sold exceeds the petrol purchased by the bunk, and this should be sufficient to book the owners for a criminal offence both under ITA 2000/8 and under the Income Tax Act for suppression of income.

I hope the Police will act in this direction.
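The reconciliation described above can be run as a routine audit check rather than a one-off inspection. The following is an added example (not code from the original post, and not from any regulator or oil company) that compares, per period, the volume the pump meters claim to have sold against the volume that physically left the storage tank (opening dip + deliveries - closing dip). A chip that short-dispenses makes the meters over-report, so metered sales exceed the physical outflow by roughly the skimmed fraction; honest handling losses run the other way. The 0.5% tolerance, the field names and the sample figures are all constructed assumptions for illustration.

```python
"""Reconcile metered fuel sales against physical stock movement.

Added example, not part of the original post. All records and the
tolerance figure below are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed allowance for evaporation/handling losses (0.5%). Such losses
# make the meters read LESS than the physical outflow, so they never
# trigger the over-reporting flag; the tolerance only guards against
# dip-reading noise on the positive side.
LOSS_TOLERANCE = 0.005


@dataclass
class PeriodRecord:
    period: str
    opening_dip_l: float    # tank stock at start of period (dip reading), litres
    deliveries_l: float     # purchases received from the supplier, litres
    closing_dip_l: float    # tank stock at end of period, litres
    metered_sales_l: float  # sum of pump totaliser readings, litres


def reconcile(rec: PeriodRecord, tolerance: float = LOSS_TOLERANCE) -> dict:
    """Return the reconciliation result for one period.

    physical_out  : litres that actually left the tank
    excess_l      : metered sales minus physical outflow (positive = over-reporting)
    short_ml_per_l: implied short-delivery per metered litre, clamped at 0
    flagged       : True when the meters over-report beyond the tolerance
    """
    physical_out = rec.opening_dip_l + rec.deliveries_l - rec.closing_dip_l
    if physical_out <= 0:
        raise ValueError(f"{rec.period}: non-positive physical outflow; check dips")
    excess_l = rec.metered_sales_l - physical_out
    ratio = excess_l / physical_out
    # If each metered litre delivered only physical/metered litres, the
    # customer was shorted 1000 * (1 - physical/metered) ml per litre.
    short_ml_per_l = max(0.0, 1000.0 * (1.0 - physical_out / rec.metered_sales_l))
    return {
        "period": rec.period,
        "physical_out_l": physical_out,
        "excess_l": excess_l,
        "excess_ratio": ratio,
        "short_ml_per_litre": short_ml_per_l,
        "flagged": ratio > tolerance,
    }


def audit(records: list) -> list:
    """Run reconcile() over a series of periods; return only the flagged ones."""
    return [r for r in (reconcile(rec) for rec in records) if r["flagged"]]


# Constructed sample data. "honest" shows a small handling loss; "rigged"
# reflects a meter delivering ~0.95 L per metered litre (50 ml short).
HONEST = PeriodRecord("2017-06", 5000.0, 12000.0, 4800.0, 12150.0)
RIGGED = PeriodRecord("2017-07", 5000.0, 12000.0, 4800.0, 12842.0)

if __name__ == "__main__":
    for result in (reconcile(HONEST), reconcile(RIGGED)):
        status = "FLAG" if result["flagged"] else "ok"
        print(f"{result['period']}: physical={result['physical_out_l']:.0f} L, "
              f"excess={result['excess_l']:+.0f} L, "
              f"short={result['short_ml_per_litre']:.1f} ml/L [{status}]")
```

Because the check needs only supplier invoices, tank dip readings and pump totalisers, it works even after the chip has been removed: the historical periods still show metered sales exceeding what the tank could have supplied.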

Naavi

Posted in Cyber Law | Leave a comment

Police, Prosecutors and Judiciary: Please Don’t Create Fake Laws out of your misinterpretation


When a Palghar girl posted a message on her Facebook page raising the query “Why should there be a Mumbai bandh if Mr Bal Thackeray has died?” and another Palghar girl clicked the “Like” button on the message, the Police in Palghar moved in under pressure from Shiv Sena activists, perhaps in a bid to prevent a law and order situation, arrested the two girls, and the Magistrate remanded them to 15 days’ judicial custody. Unfortunately, the girls belonged to the minority community and the media went berserk along with the pseudo-secularists. Naturally, it became an issue for national debate, culminating in the scrapping of Section 66A of ITA 2000/8 by the Supreme Court.

Unfortunately, the debate was not on the excess committed by the Police in arresting the girls for the innocuous Facebook post and “Like”. The wrath was directed at the law, specifically Section 66A under which the case had been booked, and there were uninformed pseudo-intellectuals who wanted the offending law to be scrapped.

Our honourable Courts, both the High Court in Mumbai and subsequently the Supreme Court, seemed to agree that there was something wrong with the law (implying that there was nothing wrong with the Police’s interpretation of it), and finally the honourable Supreme Court cited this incident as creating a “Chilling Effect” on the fundamental right of “Freedom of Expression” enshrined in our Constitution and declared that there is no way the section can remain in our law.

There were several brownie points gained by the persons involved in ensuring that Section 66A was scrapped including Police officers, activists, advocates and media persons and even the Judges.

The Government also caved in to the popular perception that Section 66A as it was drafted was at fault and not its interpretation by the Police, prosecutors and the Judges at all levels.

Soon after Section 66A was scrapped, people including the Police, Government and Supreme Court realized that it was a mistake to have scrapped the section and are desperately looking for its reintroduction. A separate expert committee has now been formed to amend ITA 2008 to bring back Section 66A in a face saving manner. The T.K.Vishwanathan Committee is working on this along with other changes that may be required.

In the meantime, WhatsApp has been in the news not only for having been banned in Kashmir for its misuse by terrorists, but also elsewhere, where admins are being threatened with legal action for offensive messages in a group.

The latest such report comes from Varanasi: according to a joint order issued by the district magistrate of Varanasi and the city’s police chief, an FIR can be filed against the administrator of a WhatsApp group for the posting of offensive content in the group.

According to the news report, concerns are often raised about fake news, morphed photos and offensive videos circulated on social media that can potentially trigger tension and even communal strife in a region. To address this, an order has been issued jointly by the Police and the Magistrate in Varanasi that an FIR (first investigation report) can be filed against a group administrator if factually incorrect, rumour-based or misleading information is circulated on his/her social media group.

There is no doubt that WhatsApp as well as other messaging solutions and the social media in general can be misused by deviant minds to commit crimes of different sorts including inciting the community.

We take strong objection to the Magistrate and the Police Officer threatening the WhatsApp admins and creating a “Chilling Effect” across the country targeting the WhatsApp admins in general.

We have a law in India called the ITA 2000/8 and the Magistrate and the Police are bound to follow the law and not create their own laws however well intentioned their “order” may be.

Police often give advisories to the public about various crime situations, and an “Advisory” to WhatsApp admins, asking them to be careful when adding members to a group so as to avoid bad elements who try to incite passions, and to take counter action if anybody tries to circulate fake news for the purpose of inciting violence in the community, would be in the same spirit.

But an “order” is completely out of place and is ultra vires the law. It must be withdrawn to limit the damage.

In this context, it is necessary for us to reiterate that we need to distinguish what is a “Message” and what is “Publishing”, and how even the Supreme Court missed this point when it ruled on Section 66A in the Shreya Singhal case that Section 66A addresses “Free Speech” and makes it punishable.

Notwithstanding the value of this judgement as a “precedent” that can be followed by lower Courts, I would like to state that there is a need to reject this judgement and re-establish a correct understanding of the position of WhatsApp and other messaging systems.

Let me clarify, before I am misunderstood, that I am completely against the action taken by the Police on the Palghar girls as well as in the other cases cited in the Shreya Singhal case. But I hold the “uninformed, ignorant Police” responsible for the plight of innocent citizens, and not Section 66A.

Section 66A addressed what we need to recognize as “Messaging”, and there are other sections such as Sections 67, 67A and 67B which address what we need to recognize as “Publishing”, though the Courts missed this point altogether.

Messaging is a communication from one person to another directly, using a device such as a mobile phone sending an SMS, or e-mail. A message sent to one person is not expected to be available to another person unless the same message is duplicated to the other person in the form of a “group message”. “Publishing”, on the other hand, is a message that is in the public domain and is available to anybody who is able to access it. Section 66A was meant for messaging and not for publishing. Twitter and Facebook are “Publishing” and not “Messaging”, and hence the Supreme Court was wrong in using the Facebook and Twitter cases, wrongly brought under Section 66A, to scrap Section 66A.

Now, in the case of a group message, law enforcement would be concerned in the case of, say, a group which meets privately and discusses some criminal activity. Here all the group members have assembled for a common purpose, including the admin, who is like the person who organizes a meeting in his house. Though the discussion happens behind closed doors, if law enforcement comes to know of the use of a meeting for anti-social activities, it can take action not only against the owner of the house, but also against the person who sent out the invites and the person who gave the objectionable speech.

But if a meeting has been organized for some other purpose and somebody stands up and shouts, say, an anti-social slogan, then one has to be careful in defining what action the owner of the house where the meeting is taking place, the person who called the meeting and the other participants need to take, and whether the Police and the Magistrate can issue an order that they will be arrested on a charge of organizing the entire event only for the purpose of committing an illegal act.

If so, in the Kanhaiya Kumar case, even the Vice Chancellor of the University and other administrators should be equally guilty.

The Police and the Judiciary should recognize that WhatsApp is a “Platform” that enables people to send messages from their device to another member’s device. If the addressee is online, the message may reach him immediately. If not, the message would be “in transit” and be delivered to the addressee when he reconnects; in the meantime it is in temporary storage as a “cache” on the WhatsApp server.

WhatsApp is not “Publishing”: the members join voluntarily and are not the public. Hence any message exchanged on WhatsApp should be considered a “private” communication between two consenting individuals. If somebody comes before me and shouts or whispers anti-national slogans, you cannot hold me responsible for it. Similarly, the members of a WhatsApp group are not individually responsible for the views expressed by anybody else.

The administrator is also a “listener” in this context. His role in administration does not include “moderation” of a message before it is posted. His powers are limited to removing a member.

The responsibilities of an admin are therefore:

a) to ensure that group members who do not follow certain standards of communication are not allowed to remain. (Finding out whether a message is fake or not is not an easy responsibility even for the Police, and it is not fair to assume that the admin would be capable of investigating the correctness of any message posted.)

b) to ensure that, before admitting a member into a group, he knows something about the person.

These two responsibilities need to be incorporated as a “Group Policy”, and Naavi.org has given a “Model WhatsApp Admin Policy” to be followed.

I would have appreciated the Police in Varanasi and the Magistrate if they had formulated a similar policy and advised the Admins to adopt the same.

They could also have called a public meeting of WhatsApp admins (which should extend to Telegram, Snapchat etc.) in which the concerns of law enforcement were discussed and these model policies presented.

Since admins may not always be online when an offending message is posted, I normally advise anybody else who considers the message offending to post their objection. This should at least absolve them of the responsibility of being complicit in the misinformation campaign.

I suppose that at least now, the persons concerned will take steps to withdraw what they have called an “order” and make it only an “advisory”, and instead try to conduct an awareness programme for the public to apprise them of their responsibilities both as members of a group and as admins. If not, the mistake of the Police will once again create a new law which is not supposed to be there, whereby administrators of WhatsApp groups are required to be police officers themselves.

We should stop the practice of ignorant Police creating laws through misinterpretation, which then gets validated through the ignorant judicial process that follows, establishing a “Fake Law” as “The Law”.

Naavi
Posted in Cyber Law | 1 Comment