Amendments to Finance Bill on Cyber Appellate Tribunal... We are worried

The Government of India has moved an amendment to the Finance Bill 2017 in which it is proposed that the Cyber Appellate Tribunal (CyAT) constituted under Section 48 of Information Technology Act 2000/8 would be merged with Telecom Disputes Settlement & Appellate Tribunal (TDSAT) constituted under Section 14 of the TRAI Act.

The CyAT has not been functioning since June 2011, when the then acting Chairperson, Mr Rajesh Tandon, attained superannuation and the then UPA Government, in which Mr Kapil Sibal was the Minister of IT, did not see eye to eye with the Chief Justice of India on finding a substitute.

It must be noted for the sake of history that the appointment of the Chairperson of CyAT became a battle of prestige between the UPA Government and the CJI, and it continued even after the Modi Government took over. Mr Ravishankar Prasad was unable to sort out the differences with the CJI since this Government was caught in the NJAC dispute with the Judiciary. This was a bigger battle between the Judiciary and the Legislature, and there was no agreement on the appointment.

It is a matter of shame for Mr Modi’s Government that even after coming to power in 2014, they have until now not been able to appoint a Chairperson to CyAT and make it functional.

Naavi.org has been vocal in its views on this matter and how the Cyber Crime victims have been put to unjustified harassment because of the failure of the successive Governments as also the honourable Supreme Court in settling their inter-se disputes and consequentially holding the Cyber Crime victims to ransom. (See past articles here)

Now the honourable Minister of Finance, Mr Arun Jaitley, who is also the de facto second in command in the Modi Government, seems to have come up with what he may consider a “Master Stroke” and proposed a merger of CyAT with TDSAT.

The principle adopted here is:

“If we cannot find a Chairperson, then the solution is to simply abolish the Tribunal”… “It is as simple as trying to cure a cold by cutting off the nose”

Advisors to Mr Jaitley might have felt that it also makes political sense: since we already have a Tribunal called TDSAT (where, fortunately, there is a functioning body), we can hide CyAT under TDSAT and nobody will know the difference. Hence this grand idea.

In order to avoid any discussion about the proposal, the amendment has been brought in through the Finance Bill so that the proposal will sail through Parliament. Most MPs, except perhaps Mr Rajeev Chandrashekar, would not understand the implications, and the Government can claim credit for having solved the problem of CyAT that has existed since 2011.

I will not be surprised if the equally ignorant Media persons also hail this as a great development to control the rising incidence of Cyber Crimes in the country, such as the Card data breach of State Bank of India and other Banks. There will be Delhi based legal experts who will endorse the decision or oppose it based on their political affiliations without addressing the real issues of the public.

But the undersigned would like to go on record to state that this move to merge CyAT with TDSAT is not a wise move. It is a knee jerk reaction and not well thought out. It is anti-consumer and will make justice inaccessible to Cyber Crime victims.

I am aware that Mr Jaitley will not change his decision now and Mr Modi will not know the real impact of this decision. So the decision is a fait accompli.

What is now left for Cyber Law Activists is to focus on the rules and regulations that need to be notified for the activities of TDSAT related to the CyAT and salvage some consumer orientation in the rules.

This is unlikely to happen in a hurry, but it is the only opportunity to ensure that the merger move does not permanently damage the Cyber Judicial structure in the country envisaged by ITA 2000/8 and set the country back in terms of Human Rights and Ease of Doing Business.

It must also be noted that the Finance Ministry headed by Mr Jaitley could not force RBI to operationalize the August 11, 2016 draft circular on Limited Liability for Customers in Bank frauds, because the Bankers could bring their influence to bear on the RBI. Now it is the same Banking lobby that is behind this move to put a hurdle in front of Bank Fraud victims who have been knocking on the doors of CyAT for relief.

I wish Mr Jaitley would take these accusations seriously and take some corrective measures, as I presume that the decision is not based on a proper understanding of the problems involved and that otherwise the intentions of the Government are noble.

I have already sent a brief personal appeal to Mr Jaitley as well as TDSAT on the expectations of Cyber Crime victims, though I am not sure it will be responded to.

I will expand my views on my concerns in these columns and request other Cyber Law Specialists to contribute their views so that damage to the Cyber Crime victims of India can be limited.

Naavi

Related Article:

Congress Questions the move...

Posted in Cyber Law | 1 Comment

RBI and Government should not drift in deciding about Bitcoin regulation

Bitcoins are internationally exchangeable into foreign currency of different countries and to some extent even in India. Hence at a time when the Government may be trying to force foreign Governments to share information on Benami Bank accounts in foreign Banks, it is natural that Bitcoin appears to be a good commodity to hold black money.

The recent rise in the exchange rate of Bitcoin points to the possibility that black money owners are migrating from other assets to Bitcoins. It is interesting to note that between November 8, 2016, when demonetization was announced, and today, Bitcoin has appreciated from around $713 to $1155. This price movement is an international price movement and cannot entirely be attributed to Indian Black Money diversion. However, the possibility that Indian black money might have contributed to this cannot be ruled out.

RBI after its initial knee jerk crackdown on Bitcoin has softened its stand now and appears to be reluctant to take any action that is negative to the Bitcoin industry. At the same time, the technology behind Bitcoin namely the “Block Chain Technology” is often spoken about by official banking circles as a technology that can be used in the Banking industry. ICICI Bank even claims to have tried it out in some form.

It is however necessary for us to clearly distinguish between Bitcoin as an existing Crypto Currency and the “Block Chain Technology”. The official response should take cognizance of this distinction, and accordingly RBI and the Finance Ministry need to formulate appropriate policies before things get complicated.

Naavi has been advocating that India can consider starting its own Crypto Currency under the regulation of RBI itself where every Crypto Currency mined under this scheme will have the stamp of RBI and a record at RBI. This would be a useful “Digital Currency” to support our digital initiatives.

On the other hand, allowing Bitcoin to gain currency may not be a wise move since it is not a “Currency” in the traditional sense and as a “Commodity” it carries the baggage of being a currency of the underworld.

Legally, Bitcoin which is freshly mined in India is a valid electronic asset and can be exported for a clean profit. Similarly, buying Bitcoins from miners in India is also not unacceptable. The quantum of stock is however too small and most Bitcoin stocks are traded stocks where people buy and sell Bitcoins through different exchanges.

Technically, buying Bitcoins from international sources is an “Import” of a “Commodity” which needs to be examined for FEMA issues.

At present, Bitcoin has not been identified either as a “Commodity” or as a “Currency”. It does not figure in the “Negative list” for imports nor in the white list of foreign currencies that can be exchanged by Authorized dealers.

Hence, importing Bitcoin could be considered as not yet a clear violation of the import regulations. But at the same time, there is no guarantee that it cannot be ruled a “Black Currency” in future, either by RBI itself or by any Court.

Policy makers therefore need to consider whether they should allow accumulation of Bitcoins by Indian residents or not. At the same time, the economic impact of not regulating Bitcoin acquisition and trade in India and by Indian residents needs to be evaluated and responded to.

If holdings of Bitcoin accumulate in the hands of honest citizens in India, there is a possibility that sooner or later they will be sought by those who have to pay ransoms to criminals or for use in funding terrorists. If an exchange market develops in India where Bitcoins can be widely bought and sold for rupees, terrorists and hawala operators will use it to meet their requirements. Inevitably thereafter, the Government will have to “demonetize” Bitcoins to ensure that there is no damage to the economy.

This could put the honest holders of Bitcoin into difficulty and force a sharp drop in its prices.

I therefore urge RBI and the Government not to remain complacent, let Bitcoin stocks accumulate and subsequently force the Government to initiate a crack down. Such a move will adversely affect innocent citizens while the criminals and terrorists simply move off into another mode of funding.

Recently, I came across a situation where a person had sold bitcoin for Indian rupees only to find that the rupees had been transferred to him from a hacked Bank account. When the police contacted him, he had to part with the money to the account holder. But he could not take legal action against the fraudster since the asset (bitcoin) he had sold against the fraudulently acquired money had gone into the anonymous world of Bitcoin. He had received Indian rupees which were part of a fraud and had to face the criminal charge of having been an accomplice, though in innocence. Since the commodity dealt with has no recognition either as currency or as commodity, the law may neither protect such persons nor help them take action against the real fraudsters.

I therefore feel that lack of regulation of Bitcoins is more harmful than a benefit to the community of honest citizens who may buy Bitcoins as an investment attracted by the sharp gain over the past few months.

One way to ensure that genuine holders of Bitcoins, who have imported Bitcoins with their hard earned money, are not subjected to problems at a later date is for RBI/Government to regulate Bitcoin import by restricting imports to “Authorized Bitcoin Changers” only, so that every Bitcoin transaction is reported to RBI.

Holders should also be required to declare their Bitcoin assets in their Income Tax returns and account for short term or long term gains.

By these twin measures, honest citizens who want to invest in Bitcoin may do so at their own price risks but without the additional risk of a Government crack down on the legality of the transaction.

If however, RBI does not consider Bitcoin acquisition by Indian residents as desirable, they should include “Crypto Currencies” in the negative import list or “Restricted Import list” so that requests can be handled on some reasonable criteria.

Doing neither… and drifting… is not advisable.

Naavi

Posted in Cyber Law | 1 Comment

Cyber Appellate Tribunal is being revamped

In a bid to reactivate the Cyber Appellate Tribunal, the Government of India has decided to merge it, along with the Airports Economic Regulatory Authority Appellate Tribunal, into a single larger entity, the Telecom Disputes Settlement and Appellate Tribunal.

The proposal is being introduced as part of the Finance Bill 2017 which will be passed during this budget session and hence will be a reality soon.

The details of how the operations will be structured will perhaps be released in the form of a new set of rules.

It is good that CyAT is being re-activated. But we need to wait and see how it will be useful to the Cyber Crime Victims as a flexible low cost operation.

Naavi

Posted in Cyber Law | Leave a comment

Is CCA revoking the license of E Mudhra?

Recently UIDAI filed a criminal case against three entities namely Axis Bank, Suvidhaa Infoserve and e-Mudhra and temporarily barred them from using the Aadhaar authentication services.

The allegation was that these agencies had indulged in “Unauthorized Access” of the UIDAI server and committed “Impersonation” with “Forged Digital Identities”.

What these entities did can be called a “Stored Biometric Attack”, where the biometrics of a valid user given for a valid transaction are copied and stored without authorization and used subsequently for other transactions.

We can appreciate UIDAI for having identified the unauthorized nature of the transactions by a statistical evaluation of the biometric parameters.
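A detection check of the kind described above, written here as an added example (not UIDAI's or any authenticator's code): a stored template replayed from a copy is byte-identical every time, whereas a live capture differs slightly on each scan, so the same template fingerprint recurring across transactions, or appearing under two different residents, is the signal. The log format, field names, sample lines and threshold are all assumptions.

```python
"""Replay detection over authentication logs (added example, constructed data).

A stored-biometric attack re-submits a captured template unchanged. Two checks:
  1. one authenticator submits a byte-identical template `threshold` or more times;
  2. the same template is presented for more than one resident (impersonation).
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log (assumed format): txn_id,authenticator,resident_ref,template_hex
SAMPLE_LOG = """\
t001,AUA-A,R1,00ff10aa
t002,AUA-A,R1,00ff10ab
t003,AUA-B,R2,1234abcd
t004,AUA-B,R2,1234abcd
t005,AUA-B,R2,1234abcd
t006,AUA-B,R2,1234abcd
t007,AUA-A,R3,deadbeef
t008,AUA-B,R4,deadbeef
"""


@dataclass(frozen=True)
class AuthRecord:
    txn_id: str
    authenticator: str   # agency that submitted the request (assumed field)
    resident_ref: str    # reference to the person being authenticated (assumed field)
    template: bytes      # raw biometric template bytes (assumed field)


def parse_log(text: str) -> List[AuthRecord]:
    """Parse the constructed CSV-style log into records; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        txn_id, authenticator, resident_ref, template_hex = line.split(",")
        records.append(AuthRecord(txn_id, authenticator, resident_ref, bytes.fromhex(template_hex)))
    return records


def fingerprint(template: bytes) -> str:
    """Stable short digest of a template, so raw biometrics are never kept in the findings."""
    return hashlib.sha256(template).hexdigest()[:16]


def find_replays(records: List[AuthRecord], threshold: int = 3) -> Dict[Tuple[str, str], List[str]]:
    """Check 1: (authenticator, fingerprint) pairs seen `threshold` or more times."""
    seen: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for r in records:
        seen[(r.authenticator, fingerprint(r.template))].append(r.txn_id)
    return {key: txns for key, txns in seen.items() if len(txns) >= threshold}


def find_cross_identity_reuse(records: List[AuthRecord]) -> Dict[str, List[str]]:
    """Check 2: fingerprints presented under more than one resident reference."""
    residents: Dict[str, set] = defaultdict(set)
    for r in records:
        residents[fingerprint(r.template)].add(r.resident_ref)
    return {fp: sorted(refs) for fp, refs in residents.items() if len(refs) > 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (aua, fp), txns in find_replays(recs).items():
        print(f"replayed template {fp} by {aua}: {txns}")
    for fp, refs in find_cross_identity_reuse(recs).items():
        print(f"template {fp} used for several residents: {refs}")
```

On the constructed log the first check flags AUA-B's four identical submissions for R2 and the second flags the template shared by R3 and R4; the near-identical pair t001/t002 (one bit apart) is left alone, as a live recapture would be.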

It was obviously a violation of the contractual arrangement between the UIDAI and the authenticators, and UIDAI can take both civil and criminal action.

Under Section 34 of the Aadhaar Act, the offence is punishable with imprisonment up to 3 years and a fine.

At the same time, under ITA 2000/8, the offence could be charged under Sections 66, 66C and 66D, each carrying imprisonment of up to 3 years.

Though the accused defended their position by stating that they were only testing the process and hence there was no fraudulent intention, a prima facie offence was established.

Under any due diligence process therefore, the regulators namely RBI for Axis Bank and CCA for e-Mudhra had to take some action that justified that they had also taken note of what could be potentially called a “Criminal Breach of Trust” and “Contravention of multiple statutes”.

Since the UIDAI server is also a “Protected System” under Section 70 of ITA 2000/8, even an attempt to access it except in an authorized manner is an offence which may invoke imprisonment of up to 10 years and arrest without bail.

We however do not know if UIDAI, RBI and CCA have all agreed to ignore the serious nature of the offence and condoned it. Since a complaint has already been filed, the Police would also have to agree to look the other way, and probably a competent Court would need to approve the compromise as a compounding under Section 77A of ITA 2000/8 and/or other provisions of law.

In the meantime it is observed that e-Mudhra website shows that CCA has initiated some punitive action against the Certifying authority by disallowing renewal of earlier digital signature certificates issued by the Company while not yet barring issue of new digital signature certificates.

The note on the website states: “As per the latest CCA Identity Verification Guidelines, renewal of digital signatures is no more permitted. It is required to carry Fresh identity proofing for each DSC to be issued till further orders.”

It is not clear if this is a fall out of the UIDAI case or it was for some other irregularity in e-Mudhra’s KYC process observed by CCA.

However, this opens up a debate on what the order could mean for the present and immediate future for e-Mudhra customers and holders of digital certificates issued by e-Mudhra in the past.

Firstly, if any current holder of a valid digital certificate issued by e-Mudhra approaches them for renewal, they are advised to submit physical documents of identity and address proof duly attested by a Bank Manager or a Gazetted officer etc. In other words, the earlier digital certificates issued by e-Mudhra and confirmed by CCA are not accepted as valid for the parameters represented therein, which are presumed to be “Untrustworthy”.

If so, it means that the digital certificate is being declared void or “revoked”. Hence any contracts, tenders etc signed using these certificates in the past may also be considered invalid. All these contracts need to be re-signed to protect the contractual interests of the parties.

Secondly, e-Mudhra has the responsibility for KYC, but it is refusing to do its own KYC or to accept the past KYC represented by the current digital certificate, and is instead pushing the applicants to Bank Managers who charge the customers a commission for attestation. In other words, the cost of KYC is being pushed to the customers, besides making the Bank Manager responsible for the validity of the digital certificate issued by the Certifying authority.

This is an anti-consumer issue which CCA should not allow.

Also, if the Certifying authority wants to use the attestation of a Bank Manager, it needs to enter into a contractual arrangement with the Bank, consider the Bank as its “Agent for KYC” and also incur the expenditure directly. This was the system when digital signature certificates were originally issued in India, around 2002.

Since e-Mudhra does not have the specimen signature of any Bank Manager, the KYC has no legal footing and it would be easy for fraudsters to forge the signature of Bank Managers and obtain digital certificates completely eroding the sanctity of the digital signature system in India.

This is a serious fraud risk to the digital signature system in India.

Companies like e-Mudhra do not have an adequate process of Grievance Redressal as per Section 79 of ITA 2000/8, and CCA has not so far asserted its authority and ensured ITA 2000/8 compliance by these agencies. Hence I have not been able to get official clarifications directly from the company in this regard.

In case there is any doubt about e-Mudhra’s past certificates being tainted according to CCA, there is a need for CCA to disclose the circumstances under which e-Mudhra has been advised not to renew the old digital certificates except with a new set of physical KYC documents.

If however the irregularity, if any, is not serious, and the CCA took the extreme step of disallowing renewal without recognizing the legal effect of casting doubt on the reputation of e-Mudhra as a “Trusted” party and a custodian of the identity of all its existing digital certificate owners, it should admit its mistake and immediately revoke its order so that e-Mudhra can start renewing its current digital certificates online.

At the same time, e-Mudhra needs to also disclose on the website the position of the UIDAI complaint and its implications on the criminal liability which extends through Section 85 of ITA 2000/8 to all the Directors and the officials in charge of the business.

It should also be a disclosure under corporate Governance both at E Mudhra and its holding company, failing which it may attract attention of SEBI.

I have tried to obtain clarification on this matter from both e-Mudhra and CCA over the last one week but it is clear that the seriousness of the issue has not been recognized. My queries have not gone beyond the customer service executives to the senior management.

I hope that at least now both e-Mudhra and CCA will move fast and try to resolve the issues raised here. In the meantime, I have raised a formal Adjudication complaint against e-Mudhra with CCA and am awaiting the response. I suppose this will perhaps be the first adjudication application filed with CCA, and hence some procedural precedent needs to be established for future guidance.

I regret the inconvenience/embarrassment this may cause to e-Mudhra, which in the past was actually better than some other Certifying authorities in following good practices. But in the interest of the digital certificate environment in general, and in the interest of the adoption of the right practices for Indian consumers, we cannot brush the current issues under the carpet, and hence I am bringing this to public knowledge.

Naavi

Posted in Cyber Law | 6 Comments

Draft Rules for Security of Prepaid Instruments released for public comments

As a part of the “Reasonable Security Practices” under Section 43A of ITA 2000/8, Government of India has released draft rules called “Information Technology (Security of Prepaid Payment Instruments) Rules, 2017” for public comments.

A copy of the draft rules is available here: 

(P.S: The draft has since been removed from the website of MeitY. A copy is now available here)

The comments may be sent to Shri Prafulla Kumar, Scientist-G, at pkumar@meity.gov.in before 20th March 2017.

Summary of recommendations with our immediate comments :

  1. The Central Government may further specify by notification security standards to be adopted by e-PPI (electronic Prepaid Instrument) issuers. It is also possible that the Government may designate some other security standard. (Comment: Will some ISO standards be imported? Will a new set of standards based on PCI DSS be developed?)
  2. e-PPI issuers need to develop an IS policy in tune with these rules and any further IS guidelines that may be issued. (Comment: Will there be an audit, or a Self Declaration?)
  3. Privacy Policy and Terms and Conditions for use are to be published on the website and mobile applications. (Comment: This is also required under Section 79 of ITA 2000/8.)
  4. A Grievance Redressal officer needs to be designated and contact details disclosed. (Comment: This is also required under Section 79 of ITA 2000/8. Additionally, the process of Grievance redressal needs to be developed and incorporated by reference in the terms and privacy policy. Perhaps it is time for these companies to use ODR as described in www.odrglobal.in.)
  5. The e-PPI issuers shall mandate that their sub contractors who handle authentication data have the necessary security measures in place to protect such data. (Comment: Always considered a required security policy.)
  6. End to End Encryption needs to be ensured to safeguard the data exchange in the application. (Comment: Some e-PPI issuers might have introduced such encryption, but most have not. Hence this will be one of the key areas of change to be incorporated by the operators. A welcome move.)
  7. Every e-PPI issuer shall have adequate processes to trace the transactions. (Comment: Some e-PPI issuers might have introduced such measures, but most have not. Hence this will be another key area of change to be incorporated by the operators. A welcome move.)
  8. e-PPI issuers need to retain the data related to payments for periods as may be specified. (Comment: This is a reiteration of Section 67C of ITA 2000/8. Again, no specific period is mentioned, but the retention period has to be “reasonable”. Considering that the law of limitation provides an option to raise civil disputes within a period of 3 years, the minimum period of retention cannot be less than 3 years. It would be a best practice to retain it for at least 6 years, in a format that is not dependent on any application. Such information has to be securely archived. Most e-PPIs do not have a proper Data Retention Policy and will need to put one in place now. It would be better if the minimum period of 6 years is also designated with the additional words “Six years or as otherwise may be required under law”. This will be another area of compliance that operators need to take a fresh look at.)
  9. The e-PPI issuers need to adopt an incident management policy that includes a data breach notification policy. This will require reporting of incidents to CERT-IN as per the policy already in place. Some new specific guidelines may be issued by CERT-IN specifically for e-PPI operators in due course. (Comment: Most e-PPI issuers are presently ignoring the current requirements of CERT-IN. They need to take this more seriously now.)
  10. e-PPI issuers are also required to take measures to educate the users of their services to use the services in a secure manner. (Comment: This will require some action and cost which e-PPI issuers need to initiate.)

General Comments: Most of the guidelines are a reasonable interpretation of the current ITA 2000/8 compliance requirements, though the ignorant operators are better served with a specific notification that they can take notice of. This notification will therefore get into the compliance manuals of the e-PPIs and their advisors, who so far have had little respect for ITA 2008 compliance.

The notification is therefore a good move.

However, if the operators are to be serious, CERT-IN needs to make it mandatory that the managements file a voluntary disclosure that they are in compliance with the provisions of ITA 2000/8 and the rules made thereunder. This should be made a statutorily mandated clause in all terms and agreements, on lines similar to the declarations that CFOs and CEOs are required to make under corporate Governance requirements in their shareholders’ reports.

We do not recommend “Licensing” or mandated audits by “Accredited auditors”, both of which are ineffective and give room for corrupt practices. But a voluntary disclosure of compliance and an indemnity to the customers under Section 79 of ITA 2000/8 should be more effective.

Additionally, the operators should be mandated to secure their customers’ interests through a group insurance scheme under which every user is covered by a Cyber Insurance plan up to at least an amount of Rs 10000/- per incident.

Also, all e-PPI operators should provide a warranty that their applications are free from known vulnerabilities and also run a reasonable Bug bounty program to crowd source security knowledge.

Any other comments that readers want to contribute are welcome. Naavi.org will consolidate and send its recommendations to the Ministry in the next few days.

Naavi

Posted in Cyber Law | 2 Comments

New Business Opportunity opens up with DigiLockers

According to the ad, the Government has now decided to license public and private agencies to provide Digital Locker Services as licensed Digital Locker Service Providers (DLSP), and has invited applications.

Applications can be made either by an agency of the appropriate Government or by a body corporate meeting the following criteria.

  1. Minimum Paid up capital Rs 5 crores
  2. Minimum Networth Rs 50 Crores
  3. Foreign equity not to exceed 49%

The business of a DLSP may include “Portal Services” and “Access gateway management services” related to the Digi Locker scheme.

Naavi expects this business to be huge and to require a high level of skill in managing a secure electronic cloud environment.

It is possible that some of the existing Certifying Authorities who manage the Digital Certificate business may try to get into this business. However, it is not clear whether the capital criteria required for the Certifying Authority business and the Digi Locker business can be merged or should be considered separately.

This business is a good opportunity for start ups who have the backing of a group which can provide the initial capital.

Otherwise, NBFCs may also consider this a good opportunity to diversify into this area.

It would be interesting to know which type of organizations have the vision to see the business prospects that this new line of activity presents.

Naavi

Posted in Cyber Law | Leave a comment