CyAT is dead. Let’s create a Cyber Disputes Mediation Center

The Cyber Appellate Tribunal (CyAT), which was envisaged under ITA 2000/8 as the national appeal authority over all the adjudication offices, is finally consigned to history.

Despite being in existence from 2000 up to 2017, the CyAT could not come to a single valid decision. The one case in which CyAT came close to a decision was ICICI Bank Vs S Umashankar, which was posted for judgement on July 3, 2011 when everybody knew that the then Chair person was retiring on June 30, 2011. Since then, until now, Governments could not find a Chair person and CyAT remained non functional.

Now with the passage of the Finance Act 2017, CyAT has been legally closed and merged with TDSAT (Telecom Disputes Settlement Appellate Tribunal). TDSAT needs to formulate its procedures to hear the past cases which are pending before CyAT (Closed) and to take up future cases.

It is observed that while appeals from TDSAT in its current Telecom related disputes go to the Supreme Court, the appeals of CyAT cases will, under Section 62 of ITA 2000/8, go to the High Courts as in the past. Currently the Chair person of TDSAT is an ex-Supreme Court judge or at least a Chief Justice. How would he like his decision to be reviewed by the High Court without feeling uncomfortable? This is one of the several issues that we may need to resolve to ensure smooth transition of CyAT into TDSAT.

While the TDSAT and the Government sort out these issues, it is time for Citizens and other Stakeholders to make their own efforts to ensure that the interests of the Cyber Crime victims are protected and there is a functional Cyber Judicial system in India accessible to all.

In this context, I would call upon interested persons to join hands in setting up a “Cyber Disputes Mediation and Arbitration Center” and try to provide an alternate mechanism of dispute resolution outside the statutory bodies such as the “Adjudicator” and the “TDSAT”.

Obviously, if the mediation fails, the other alternatives including Adjudication remain open.

If the arbitration is agreed upon but later challenged, there is already a mechanism whereby the High Court comes into the picture and the dispute resolution gets back on the statutory platform.

There would be some questions raised as to whether an “Arbitration Contract” would be ultra vires the Information Technology Act 2000/8. Section 61 of ITA 2000/8 bars the jurisdiction of the Courts. But “Compounding” is part of ITA 2000/8 and is available for all Civil disputes and most of the Criminal charges under the Act. Hence, an “Arbitration Contract” or a “Mediation Settlement” must be considered as being well within the provisions of the Act.

Keeping the tradition of Naavi in setting up services based on concepts that are futuristic, Naavi now intends laying the foundation stone for an “Alternate Disputes Resolution Center” for Cyber Disputes. Presently, it will be developed under www.adr.ind.in (under construction).

It is intended that it will use the services of odrglobal.in as a platform for online dispute resolutions and may also use physical meetings.

This is a concept being seeded now and it requires mentors and participants to make it take root and grow into a full grown tree that can provide shelter to the Cyber Crime victims.

The first set of participants to this endeavour that I am looking forward to are the Cyber Law experts who have the capability of being the “Mediators/Arbitrators” or helping the parties to the dispute as counsels. They can register themselves as “Counsellors” and offer their services for Mediation or Arbitration to the disputing parties.

Naavi will be the promoter and administrator who would like to develop this ADRC for Cyber Disputes as a Mediation cum Arbitration Council with its own set of model rules. This will take time and also needs assistance from like minded persons.

ADR-C-FCD is intended to function as a “Not for Profit” organization, though ODRGlobal.in, which is presently owned by Naavi, will continue to be a commercial proposition providing its services at a cost. This limited conflict is considered inevitable at this point of time.

Initially, adr.ind.in will focus on spreading the ADR knowledge and function as an ADR Knowledge Center. This may remain the main activity of the Center until this concept, which is revolutionary in certain respects, gains acceptance of the community.

The acceptance will be visible when some of the “Intermediaries” such as Banks or Mobile Wallet service providers etc start accepting this Center as a part of their grievance redressal mechanism. I am prepared to wait for this to happen over a period of time.

I look forward as always for comments from other domain experts in the area of Cyber Law, ADR and Information Technology to nurse this thought further towards practical implementation.

Posted in Cyber Law | Leave a comment

Process of Cyber Appellate Tribunal merger with TDSAT complete

With the presidential assent given to the Finance Bill 2017, the amendments to some other Acts, including the “Merger of Cyber Appellate Tribunal with TDSAT”, are deemed to have been enacted.

Now it is necessary for the Government to pass necessary rules and also operationalize the amendments to individual sections of the Information Technology Act 2000/8.

We need to watch out how this process would be rolled out.

One option would be to retain the current provisions of Cyber Appellate Tribunal as they exist in Chapter X of ITA 2000/8 and only replace the earlier notified rules with new rules stating that TDSAT will henceforth also function as the Cyber Appellate Tribunal. The Chair person of TDSAT may himself be also appointed as the Chair person of CyAT (New) and the entire proceedings of CyAT (Present) can be handled by TDSAT as CyAT (New).

It is also possible that TDSAT may designate a separate bench for CyAT operations and one of the current members of the TDSAT may be also appointed as the CyAT chair person.

Let us observe how the operational matters would be addressed.

Naavi

Reference:

Finance Act 2017

Pages 59-60 of Finance Act 2017


MBA interviewee arrested for sending fake emails.. Now it poses a challenge to the CCA

The Special Task Force of the UP Police has arrested one Mr Ram Prakash Singh, who had sent fake e-mails to all the aspirants for a job who had to attend an interview, stating that the interview had been postponed, so as to get himself selected unopposed.

It is unfortunate how the intelligent MBA graduate who applied for a position at Allahabad University thought that he could get away with the fraud. Now the person has permanently damaged his career for which he must have worked hard for the last two and a half decades.

See report here

The incident shows how “Lack of Awareness of Cyber Laws” pushes people to take risks that they would not otherwise take if they had known that a strong law exists against such acts and our Police are capable of solving such mysteries.

At the same time, it is necessary for authorities such as the Registrar of the University in this case to adopt such practices that provide a proper authentication to the recipients of their official e-mails which would have enabled them to identify the fraud.

The discussion in this context comes back to the use of digital signatures, which unfortunately has become more an instrument which is being used very inefficiently and inappropriately. I anticipate that this case has the potential to snowball into another “Basheer Case”, bringing into the open a legal requirement which most people failed to see for decades after ITA 2000 was enacted.

The tragedy is that the system of digital signatures as provided in the ITA 2000/8 has not been properly implemented even by the licensed Certifying Authorities and presently even the CCA does not seem to exercise the required control. It is therefore time that somebody brings into the open the inadequate and illegal practices that prevail in the use of digital signatures in India.

Just as the Section 65B certification of electronic documents suddenly became critical for all litigation because the Supreme Court suddenly spoke about it in one of its judgements, there will be some case in which the Supreme Court may make a reference to the need for the use of digital signatures in responsible communications, and suddenly everybody will wake up to the reality which the undersigned has been mentioning as an essential ITA 2008 compliance requirement for a long, long time.

However, when such a realization dawns on the society, even CCA will be found wanting since at present the institution of CCA is just considered as another cabin in the Ministry of Information Technology rather than a statutory authority which has its own place in the Indian Cyber Law domain.

Recently, I had raised an objection that CCA had “De-Recognized” digital certificates issued earlier by the authorized Certifying Authorities (CAs) and advised them not to consider them valid for KYC for making online subscription applications for renewal.

On the other hand, CCA had allowed the CAs to use authentication for KYC based on OTPs sent to the mobile numbers, which was only as good as the KYC of a mobile service provider who had no contractual obligation to the CAs and the Digital Signature system. This subordinated the new Digital Certificates issued by CAs to the verifications done by the mobile companies before they issue SIM cards.

Most CAs allow their RAs to process the new CA applications where the RA gets the OTPs over phone, downloads the certificates on Cryptographic keys at their end and delivers them to the subscriber. In the process they are compromising the private key ab initio and also making the subscriber liable for punishment under the ITA 2000/8.

Does CCA know that the system of Digital Signature Certificate issue is being abused? Certainly. But have they taken any steps to correct it? Certainly not.

If, therefore, the Supreme Court asks CCA whether, in the Allahabad Case, e-mails sent under the digital signature of the registrar would have constituted a valid, legally binding instruction to the candidates, and whether such a system is tamper proof, can the CCA affirm before the Court that digitally signed e-mails are tamper proof?

I hope CCA gives a thought on how it will respond when it is before the Supreme Court and is quizzed about its actions under the Act to protect the integrity of the system of digital signatures. The citizens of India will also ask the CCA if it has discharged its duties as envisaged under law and created the right foundation for the “Digital India” with “Less Frauds” (since no-frauds is only a myth).

I understand that today the position of CCA is not being recognized as a body that is independent of the MeiTy and CCA is a protected contractual appointment without the power of removal etc., which makes it a powerful quasi-judicial body.

I suggest that CCA should form a Sub Committee (The first CCA had formed such a committee) consisting of experts which can go into all aspects of how Digital Certificates are being used in the system and how the regulation has functioned and how it has to be improved etc. and thereby undertake a complete review of the system as it should develop in the coming days. This would be a proactive measure of Compliance which may prevent future embarrassments.

Naavi


One more Phishing now in the name of BSNLEXPRESS

Just as I was completing my writing on the jioupgrade fraud, I received another WhatsApp message with a link that looks like bsnlexpress.com. This is another phishing attempt as the link is not bsnlexpress.com. It is bsniexpress.com.

We had seen such a phishing earlier in the name of ICICI Bank where one of the “I”s was actually a Capital l.

Some research is required to find out what the motives are behind this organized spamming in the name of telecom companies in India.

A word of caution to all companies with L as their domain name component. Watch out for phishing.

(Ed: Applies to the undersigned since both Naavi.org and Ujvala.com are susceptible to this risk. Check NAAVl.ORG and ujvala.com which appear similar to the genuine domain names but are not. In certain fonts they are completely indistinguishable. Similar problems may be seen in “O” and “0” (zero).)

Naavi
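The lookalike check described in this post can be automated. The following is an added example, not code from the original post: it folds the confusable characters the post names (l, I, i, 1 and O, 0) into one form and compares each domain found in a message with a list of protected domains. The function names, the confusables table and the sample message are assumptions made for illustration.

```python
import re

# Real domains to protect. The three names are taken from the post.
PROTECTED = ["bsnlexpress.com", "naavi.org", "ujvala.com"]

# Characters that can pass for one another in common fonts; each class is
# folded to a single representative. This small ASCII table is an assumption
# covering the l/I/i/1 and O/0 swaps the post mentions; it does not cover
# Unicode (IDN) homoglyphs.
CONFUSABLE_CLASSES = {"l": "lIi1", "o": "oO0"}
FOLD = {ch: rep for rep, members in CONFUSABLE_CLASSES.items() for ch in members}

# Host-like tokens in free text, e.g. a forwarded WhatsApp message.
HOST_RE = re.compile(r"(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


def skeleton(domain):
    """Fold confusables before lowercasing, so capital I and small l collide."""
    return "".join(FOLD.get(ch, ch) for ch in domain).lower()


def check_domain(candidate, protected=PROTECTED):
    """Return (verdict, real_domain) for a host name as displayed to the user."""
    labels = candidate.strip().rstrip(".").split(".")
    tails = []
    for real in protected:
        # Compare only as many trailing labels as the real domain has,
        # so "www.bsniexpress.com" is judged on "bsniexpress.com".
        k = real.count(".") + 1
        tails.append((".".join(labels[-k:]), real))
    for tail, real in tails:
        if tail.lower() == real:
            return ("genuine", real)
    for tail, real in tails:
        if skeleton(tail) == skeleton(real):
            return ("lookalike", real)
    return ("unrelated", None)


def scan_message(text, protected=PROTECTED):
    """List (displayed_host, imitated_domain) for every lookalike in the text."""
    hits = []
    for host in HOST_RE.findall(text):
        verdict, real = check_domain(host, protected)
        if verdict == "lookalike":
            hits.append((host, real))
    return hits


# Constructed sample message (not the text the author received).
SAMPLE_MESSAGE = (
    "BSNL offer! Activate at www.bsniexpress.com today. "
    "More on https://www.naavi.org/ and NAAVl.ORG"
)

if __name__ == "__main__":
    for host, real in scan_message(SAMPLE_MESSAGE):
        print(f"{host} imitates {real}")
```

Because i and l are folded together, the check is meant to be run against a short list of a brand's own domains, where a collision is worth a manual look.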


Jioupgrade Phishing..Jio and Hyderabad Police should act

Phishers and Scammers look out for every opportunity to fool gullible people by sending out messages which appear to come from some well known companies or entities.

The objective of such hoax messages may be

a) Just spam for fun

b) Spam so that the ISPs benefit with better bandwidth usage, say by asking people to spread the message through WhatsApp

c) Collect information about users

d) Make users click on malicious links and implant trojans for committing further frauds ..etc

One such message surfaced today on a WhatsApp group with the following message.

Quote:

Good News For Jio Users

Activate Jio Sim Unlimited Data with EXTRA 1 YEAR Validity FREE with unlimited 4G till DECEMBER 2017 Click here to Activate Now
www.jioupgrade.com

Share with your friends and groups so They also can get extra 1 year Free . Thanks friends !

Unquote:

Obviously, the message is well timed to attract the users who might have missed the Jio Offers lapsing on March 31st.

However, this message appeared to be a fraudulent message aimed at attracting users to share their telephone numbers with the website.

The website is mirrored from “jiosim-extra-1year.ml/ by HTTrack Website Copier/3.x [XR&CO’2014]” .

The website is registered in the name of naman.arora21134@gmail.com, with telephone number 9876543210, with a vague address, “Jio upgrade, 5th Hyderabad, 500013”

It is interesting to note that the site resolves to an https address, which makes some believe that this is a genuine secure website.

.ml refers to Mali and it appears that jiosim-extra-1year.ml has been registered by some fraud syndicate which runs a service to mirror another website and run it along with Google Ad scripts to generate ad revenue. Obviously, it can also be used to commit phishing attacks and DDoS attacks. The identity of the owners of this website with .ml extension is being guarded by the service providers, and in my view they are to be considered part of the fraud syndicate.

The exact benefit this naman.arora21134@gmail.com would like to derive from this fraudulent spamming is yet to be ascertained. I request security experts to check the source code on the page available here 

At first glance it appears to be an attempt to steal the telephone numbers, e-mail address and internet access details of the person responding to this invitation. I suppose this will later be exploited for further spamming through SMS/e-mail messages and possibly with malicious code injections.

If both the email address and mobile numbers are registered for banking transactions, we must be alive to the possibility that the spammer may get opportunities to inject malware to commit financial frauds by taking over the Bank account.

At this point of time, there is sufficient indication to believe that several offences under ITA 2000/8 have been committed primarily by naman.arora21134@gmail.com whose real identity can be obtained from Google along with his bank details to which the ad revenues are being programmed to be credited.

Hyderabad police needs to act and they also have a mobile number to start their investigation apart from the gmail address and Google Analytics ID.

Jio also should file a complaint as this is an impersonation and an offence under Section 66C and 66D of ITA 2000/8. If Jio ignores the impersonation, any affected party may claim from Jio the damages that he may suffer, for not exercising due diligence even after it was brought to their notice through this public blog post.

I wish Hyderabad police start their investigation without waiting for Jio to file its complaint, or even register a complaint for enquiry and send notice to Jio why action should not be taken against Jio for not taking efforts to prevent such impersonation through public notices.

I agree that there are many such frauds, but the beneficiaries of such fraud, such as the intermediary hosting organizations, domain name registrars etc., must be made answerable. Without pulling up such intermediaries and making them exercise caution before registering fraudulent website names, internet frauds cannot be checked.

I request receivers of this email to ignore the message and not circulate the message further.

Naavi
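The triage this post applies to the page source can be scripted. The following is an added example, not code from the original post or from the site: it looks for the HTTrack marker quoted above, compares the mirrored-from host with the host that served the page, and lists form fields that ask for a phone number or e-mail address. The function names, the field-name hints and the sample HTML are assumptions; the HTML is constructed and is not the real page source.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Comment HTTrack writes into each page it copies, as quoted in the post.
HTTRACK_RE = re.compile(
    r"<!--\s*Mirrored from\s+(?P<source>\S+)\s+by\s+"
    r"HTTrack Website Copier/(?P<version>[^\s\[]+)",
    re.IGNORECASE,
)
# Field types and name fragments treated as personal data (assumed list).
PERSONAL_TYPES = {"tel", "email"}
PERSONAL_NAME_HINTS = ("mobile", "phone", "mail")


class InputCollector(HTMLParser):
    """Collect (type, name) for every <input> element."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            self.fields.append(((a.get("type") or "text").lower(),
                                (a.get("name") or "").lower()))


def host_of(url_or_host):
    """Lower-cased host of a URL, or of a bare host/path such as 'a.ml/'."""
    s = url_or_host if "://" in url_or_host else "//" + url_or_host
    return (urlsplit(s).hostname or "").lower()


def triage_page(served_url, html):
    """Summarise the clone and data-collection indicators in one page."""
    served = host_of(served_url)
    findings = []
    marker = HTTRACK_RE.search(html)
    source = host_of(marker.group("source")) if marker else None
    if marker:
        findings.append("httrack-mirror-marker")
        if source != served:
            findings.append("mirrored-from-different-host")
    collector = InputCollector()
    collector.feed(html)
    personal = [name for ftype, name in collector.fields
                if ftype in PERSONAL_TYPES
                or any(hint in name for hint in PERSONAL_NAME_HINTS)]
    if personal:
        findings.append("collects-personal-data")
    return {
        "served_host": served,
        "https": urlsplit(served_url).scheme == "https",  # says nothing about legitimacy
        "mirrored_from": source,
        "httrack_version": marker.group("version") if marker else None,
        "personal_data_fields": personal,
        "findings": findings,
    }


# Constructed sample page; only the two host names come from the post.
SAMPLE_HTML = """<html><head>
<!-- Mirrored from jiosim-extra-1year.ml/ by HTTrack Website Copier/3.x [XR&CO'2014], Sat, 01 Apr 2017 00:00:00 GMT -->
<title>Jio Upgrade</title></head><body>
<form action="submit.php" method="post">
<input type="tel" name="mobile"><input type="text" name="operator">
<input type="email" name="mail"><input type="submit" value="Activate">
</form></body></html>"""

if __name__ == "__main__":
    print(triage_page("https://www.jioupgrade.com/", SAMPLE_HTML))
```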


The Cultural difference between Cyber Appellate tribunal and TDSAT that needs to be addressed

CyAT was established to settle the appeal regarding civil disputes between an IT User and any person who might have caused a wrongful loss to him which is adjudicated by an adjudicator or the CCA. Essentially the disputes involved a “Cyber Crime” leading to a loss of money.

TDSAT, on the other hand, was established to settle the disputes between the Telecom service providers and between the Service provider and the Government. As regards the consumers, the Act provided only for disputes between a “Group of Consumers” and the service providers.

In other words, TDSAT did not envisage dealing directly with the Consumers. The consumer disputes were outside the jurisdiction of the TDSAT.

The work of the TDSAT also does not involve evaluation of any crime.

The qualification criterion for the post of the Chair person of CyAT was that the person should have been eligible to be appointed as a Judge of a High Court. The criterion for TDSAT is that he has been a Judge of the Supreme Court or a Chief Justice of a High Court.

It is therefore evident that the cadre of the Chair person of TDSAT is a few notches above that of the CyAT.

The appeal from the CyAT was to the High Court of the appropriate jurisdiction namely the State from which the adjudication was referred to. In the case of TDSAT, the appeal goes to the Supreme Court.

Hence the High Court has been completely taken out of the equation in case of Cyber Crime related civil disputes.

If one takes a look at the type of disputes that are there in the two tribunals, disputes at TDSAT are big ticket disputes while the CyAT disputes are small ticket disputes.

However, the nature of the disputes is completely different. While the TDSAT disputes are more contractual disputes, CyAT disputes revolve around nuances of Technology law and its interpretation. Though small in value, CyAT disputes are perhaps as complicated as, if not more complicated than, the TDSAT disputes.

Expertise required for resolving CyAT disputes is different from the expertise required for resolving TDSAT disputes.

We can therefore consider that the culture presently built up in TDSAT both by the bench as well as the administration will be alien to the culture of the CyAT.

This will be reflected in all aspects of interaction between the CyAT parties and TDSAT. It could result in higher fees and more rigid implementation of procedural documentation (such as how many copies are to be filed, whether the copies should be bound in a particular manner, whether the pages are in legal paper size, whether the applications are to be affixed with stamps or notarized), etc. The emphasis may be more on the adherence to the procedures, and an individual who would like to appear in person will find it difficult not to annoy the senior Supreme Court judges who will handle the bench.

It is likely to be intimidating to the ordinary members of the public to represent themselves before TDSAT when compared to CyAT.

Given the low ticket value of the disputes, there is also the danger of CyAT cases getting a step motherly treatment in terms of listing and other priorities.

At this point of time, these are apprehensions and I wish they remain apprehensions. But given the unfortunate precedent where some of my unpleasant predictions have become true, I am keeping my fingers crossed and wish my apprehensions remain as such and don’t turn out to be the reality.

We will have a better reflection of what will happen when the rules for CyAT cases to be handled by TDSAT are formulated. We will wait for that.

However, experts in traditional jurisprudence and Constitution may reflect whether between the “Enquiry” of the “Adjudicator” to the “Supreme Court” only one judicial process of the TDSAT would be considered a good judicial practice and whether this is a wise way of structuring the Cyber judicial system in proper hierarchical steps. It is like jumping from the Magistrate’s Court to Supreme Court in one single step.

Though the TDSAT has the powers to define its own procedures which can make it less complicated than the Civil Procedure Code, unless TDSAT starts a “Roving Bench” for CyAT cases where the bench sits in different State Capitals as a matter of routine and also makes provisions for “Online Hearings”, TDSAT will be considered as less people friendly than CyAT.

I feel that Mr Jaitley and his team have erred on this aspect of looking at the perspective of the litigants, just chasing cost reduction or trying to cover up their inability to find a Chair Person for CyAT.

While I still wish some sense will return to those who drafted this amendment and they would drop this idea of merger and instead focus on finding a suitable Chair Person for CyAT as it exists, the possibility that this will be a cry in the wilderness is very high.

If unfortunately the merger proposition goes through, I call upon the TDSAT Chair person to work with the MeitY and the current CyAT Registrar to form a sub committee to draft the rules regarding how the CyAT disputes will be handled by TDSAT.

I also call upon the Government and TDSAT Chairperson to seriously explore means of creating a “Sub-Bench” exclusively for CyAT which holds sittings in State Capitals at frequent intervals and allows Online interaction, and to introduce other measures including lower filing fees and formalities in the conduct of the hearings.

Naavi
