MBA interviewee arrested for sending fake emails.. Now it poses a challenge to the CCA

The Special Task Force of the UP Police has arrested one Mr Ram Prakash Singh, who sent fake e-mails to all the aspirants for a job who were due to attend an interview, stating that the interview had been postponed, and thereby got himself selected unopposed.

It is unfortunate how the intelligent MBA graduate who applied for a position at Allahabad University thought that he could get away with the fraud. Now the person has permanently damaged his career, for which he must have worked hard for the last two and a half decades.

See report here

The incident shows how “Lack of Awareness of Cyber Laws” pushes people to take risks that they would not otherwise take if they had known that a strong law exists against such acts and our Police are capable of solving such mysteries.

At the same time, it is necessary for authorities such as the Registrar of the University in this case to adopt such practices that provide a proper authentication to the recipients of their official e-mails which would have enabled them to identify the fraud.

The discussion in this context comes back to the use of digital signatures, which unfortunately has become more an instrument which is being used very inefficiently and inappropriately. I anticipate that this case has the potential to snowball into another “Basheer Case”, bringing into the open a legal requirement which most people failed to see for decades after ITA 2000 was enacted.

The tragedy is that the system of digital signatures as provided in the ITA 2000/8 has not been properly implemented even by the licensed Certifying Authorities, and presently even the CCA does not seem to exercise the required control. It is therefore time that somebody brings into the open the inadequate and illegal practices that prevail in the use of digital signatures in India.

Just as the Section 65B certification of electronic documents suddenly became critical for all litigation because the Supreme Court suddenly spoke about it in one of its judgements, there will be some case in which the Supreme Court may make a reference to the need for the use of digital signatures in responsible communications, and suddenly everybody will wake up to the reality which the undersigned has been mentioning as an essential ITA 2008 compliance requirement for a long, long time.

However, when such a realization dawns on the society, even CCA will be found wanting since at present the institution of CCA is just considered as another cabin in the Ministry of Information Technology rather than a statutory authority which has its own place in the Indian Cyber Law domain.

Recently, I had raised an objection that CCA had “De-Recognized” digital certificates issued earlier by the authorized Certifying Authorities (CAs) and advised them not to consider them valid for KYC for making online subscription applications for renewal.

On the other hand, CCA had allowed the CAs to use authentication for KYC based on OTPs sent to the mobile numbers, which was only as good as the KYC of a mobile service provider who had no contractual obligation to the CAs and the Digital Signature system. This subordinated the new Digital Certificates issued by CAs to the verifications done by the mobile companies before they issue SIM cards.

Most CAs allow their RAs to process the new CA applications where the RA gets the OTPs over phone, downloads the certificates on Cryptographic keys at their end and delivers them to the subscriber. In the process they are compromising the private key ab initio and also making the subscriber liable for punishment under the ITA 2000/8.

Does CCA know that the system of Digital Signature Certificate issue is being abused? Certainly. But have they taken any steps to correct it? Certainly not.

If, therefore, the Supreme Court asks the CCA whether, had the e-mails in the Allahabad case been sent under the digital signature of the registrar, they would have constituted a valid, legally binding instruction to the candidates, and whether such a system is tamper proof, can the CCA affirm before the Court that digitally signed e-mails are tamper proof?

I hope CCA gives a thought to how it will respond when it is before the Supreme Court and is quizzed about its actions under the Act to protect the integrity of the system of digital signatures. The citizens of India will also ask the CCA if it has discharged its duties as envisaged under law and created the right foundation for the “Digital India” with “Less Frauds” (since no-frauds is only a myth).

I understand that today the position of CCA is not being recognized as a body that is independent of the MeitY and CCA is a protected contractual appointment without the power of removal etc., which makes it a powerful quasi-judicial body.

I suggest that CCA should form a Sub Committee (The first CCA had formed such a committee) consisting of experts which can go into all aspects of how Digital Certificates are being used in the system and how the regulation has functioned and how it has to be improved etc. and thereby undertake a complete review of the system as it should develop in the coming days. This would be a proactive measure of Compliance which may prevent future embarrassments.

Naavi

Posted in Cyber Law | Leave a comment

One more Phishing now in the name of BSNLEXPRESS

Just as I was completing my writing on the jioupgrade fraud, I received another WhatsApp message with a link that looks like bsnlexpress.com. This is another phishing attempt, as the link is not bsnlexpress.com. It is bsniexpress.com.

We had seen such a phishing attempt earlier in the name of ICICI Bank, where one of the I's was actually a Capital l.

Some research is required to find out the motives behind this organized spamming in the name of telecom companies in India.

A word of caution to all companies with L as their domain name component. Watch out for phishing.

(Ed: Applies to the undersigned since both Naavi.org and Ujvala.com are susceptible to this risk. Check NAAVl.ORG and ujvala.com, which appear similar to the genuine domain names but are not. In certain fonts they are completely indistinguishable. Similar problems may be seen with “O” and “0” (zero).)
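A defender can catch this class of look-alike by folding confusable characters to one form before comparing a link against the domains being protected. The sketch below is an added example, not code from the original post; the confusable table, the `PROTECTED` list (built from the domain names mentioned above) and the sample message are constructed for illustration and cover only ASCII substitutions.

```python
import re

# Domains to protect, taken from the post; a real deployment loads its own list.
PROTECTED = ["bsnlexpress.com", "naavi.org", "ujvala.com"]

# Constructed confusable table (assumption, not exhaustive). Host names are
# lower-cased first, so a capital I becomes i and is folded to l as well.
SINGLE = str.maketrans({"i": "l", "1": "l", "o": "0"})
MULTI = (("rn", "m"), ("vv", "w"))

LINK_RE = re.compile(r"(?:https?://)?((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})")


def normalize(host):
    """Lower-case a host name and drop a trailing dot and a leading www."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def fold(host):
    """Reduce a normalized host to its visual skeleton."""
    folded = host.translate(SINGLE)
    for seq, repl in MULTI:
        folded = folded.replace(seq, repl)
    return folded


def parent_domains(host):
    """Yield the host and each parent domain that still has two labels."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def classify(host, protected=PROTECTED):
    """Return (verdict, protected_domain) for one host name."""
    name = normalize(host)
    for good in protected:
        if name == good or name.endswith("." + good):
            return ("genuine", good)
    for good in protected:
        target = fold(good)
        if any(fold(part) == target for part in parent_domains(name)):
            return ("lookalike", good)
    return ("unrelated", None)


def scan_message(text, protected=PROTECTED):
    """Classify every host name found in a message body."""
    return [(m.group(1),) + classify(m.group(1), protected)
            for m in LINK_RE.finditer(text)]


# Constructed sample message, for illustration only.
SAMPLE = ("Recharge offer! Visit http://www.bsniexpress.com/offer now. "
          "Details at NAAVl.ORG and https://www.naavi.org/wp/ or example.net")

if __name__ == "__main__":
    for host, verdict, good in scan_message(SAMPLE):
        print(f"{host:25} {verdict:10} {good or ''}")
```

A "lookalike" verdict means the name differs from a protected domain only by characters that render alike, which is the condition to alert on or block at a mail or messaging gateway.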

Naavi


Jioupgrade Phishing..Jio and Hyderabad Police should act

Phishers and Scammers look out for every opportunity to fool gullible people by sending out messages which appear to come from some well known companies or entities.

The objective of such hoax messages may be

a) Just spam for fun

b) Spam so that the ISPs benefit with better bandwidth usage, say by asking people to spread the message through WhatsApp

c) Collect information about users

d) Make users click on malicious links and implant trojans for committing further frauds, etc.

One such message surfaced today on a WhatsApp group with the following message.

Quote:

Good News For Jio Users

Activate Jio Sim Unlimited Data with EXTRA 1 YEAR Validity FREE with unlimited 4G till DECEMBER 2017 Click here to Activate Now
www.jioupgrade.com

Share with your friends and groups so They also can get extra 1 year Free . Thanks friends !

Unquote:

Obviously, the message is well timed to attract the users who might have missed the Jio Offers lapsing on March 31st.

However, this message appeared to be a fraudulent message aimed at attracting users to share their telephone numbers with the website.

The website is mirrored from “jiosim-extra-1year.ml/ by HTTrack Website Copier/3.x [XR&CO’2014]”.

The website is registered in the name of naman.arora21134@gmail.com, with telephone number 9876543210, with a vague address, “Jio upgrade, 5th Hyderabad, 500013”

It is interesting to note that the site resolves to an https address, which makes some believe that this is a genuine secure website.

.ml refers to Mali and it appears that jiosim-extra-1year.ml has been registered by some fraud syndicate which runs a service to mirror another website and run it along with Google Ad scripts to generate ad revenue. Obviously, it can also be used to commit phishing attacks and DDOS attacks. The identity of the owners of this website with .ml extension is being guarded by the service providers, who in my view are to be considered part of the fraud syndicate.

The exact benefit this naman.arora21134@gmail.com would like to derive from this fraudulent spamming is yet to be ascertained. I request security experts to check the source code on the page available here 

At first glance it appears to be an attempt to steal the telephone numbers, E Mail address and internet access details of the person responding to this invitation. I suppose this will later be exploited for further spamming through SMS /Email messages and possibly with malicious code injections.
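The source-code check requested above can start with a small triage script that pulls out the HTTrack mirror marker, the analytics and ad identifiers an investigator can pivot on, and the form fields that collect contact details. This is an added example, not part of the original post; the sample page, its date and its placeholder IDs (all zeros) are constructed, and only the host names and the HTTrack banner text come from the post.

```python
import re
from html.parser import HTMLParser

# HTTrack leaves this comment in every page it copies; the origin comes first.
HTTRACK_RE = re.compile(
    r"<!--\s*Mirrored from\s+(\S+?)/?\s+by HTTrack Website Copier/(\S+)", re.I)
GA_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")   # classic Google Analytics ID
ADS_RE = re.compile(r"\bca-pub-\d{10,20}\b")     # AdSense publisher ID
CONTACT_RE = re.compile(r"phone|mobile|msisdn|e-?mail", re.I)


class InputCollector(HTMLParser):
    """Collect <input> fields that ask for a phone number or e-mail address."""

    def __init__(self):
        super().__init__()
        self.contact_fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        hint = " ".join((a.get("name", ""), a.get("id", ""),
                         a.get("placeholder", "")))
        if a.get("type", "").lower() in ("tel", "email") or CONTACT_RE.search(hint):
            self.contact_fields.append(a.get("name") or a.get("id") or "(unnamed)")


def bare_host(value):
    """Lower-case host without scheme, path or leading www."""
    host = re.sub(r"^[a-z]+://", "", value.strip().lower()).split("/")[0]
    return host[4:] if host.startswith("www.") else host


def triage(html, served_host):
    """Summarise clone and data-collection indicators found in one page."""
    marker = HTTRACK_RE.search(html)
    origin = bare_host(marker.group(1)) if marker else None
    forms = InputCollector()
    forms.feed(html)
    return {
        "mirrored_from": origin,
        "httrack_version": marker.group(2) if marker else None,
        # True when the page was copied from a host other than the one serving it.
        "origin_mismatch": origin is not None and origin != bare_host(served_host),
        "analytics_ids": sorted(set(GA_RE.findall(html))),
        "adsense_ids": sorted(set(ADS_RE.findall(html))),
        "contact_fields": forms.contact_fields,
    }


# Constructed sample page: placeholder IDs and date, for illustration only.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<!-- Mirrored from jiosim-extra-1year.ml/ by HTTrack Website Copier/3.x [XR&CO'2014], Sat, 01 Apr 2017 00:00:00 GMT -->
<script>ga('create', 'UA-00000000-1', 'auto');</script>
<ins class="adsbygoogle" data-ad-client="ca-pub-0000000000000000"></ins>
</head><body>
<form method="post" action="activate.php">
  <input type="tel" name="mobile" placeholder="Jio number">
  <input type="email" name="email">
  <input type="submit" value="Activate">
</form></body></html>"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTML, "www.jioupgrade.com").items():
        print(f"{key:16} {value}")
```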

If both the email address and mobile numbers are registered for banking transactions, we must be alive to the possibility that the spammer may get opportunities to inject malware to commit financial frauds by taking over the Bank account.

At this point of time, there is sufficient indication to believe that several offences under ITA 2000/8 have been committed primarily by naman.arora21134@gmail.com whose real identity can be obtained from Google along with his bank details to which the ad revenues are being programmed to be credited.

Hyderabad police needs to act and they also have a mobile number to start their investigation apart from the gmail address and Google Analytics ID.

Jio also should file a complaint as this is an impersonation and an offence under Section 66C and 66D of ITA 2000/8. If Jio ignores the impersonation, any affected party may claim the damages that he may suffer from Jio for not exercising due diligence even after it was brought to their notice through this public blog post.

I wish Hyderabad police start their investigation without waiting for Jio to file its complaint or even register a complaint for enquiry and send notice to Jio why action should not be taken against Jio for not taking efforts to prevent such impersonation through public notices.

I agree that there are many such frauds, but the beneficiaries of such fraud, such as the intermediary hosting organizations, domain name registrars etc., must be made answerable. Without pulling up such intermediaries and making them exercise caution before registering fraudulent website names, internet frauds cannot be checked.

I request receivers of this email to ignore the message and not circulate the message further.

Naavi

 


The Cultural difference between Cyber Appellate tribunal and TDSAT that needs to be addressed

CyAT was established to settle the appeal regarding civil disputes between an IT User and any person who might have caused a wrongful loss to him which is adjudicated by an adjudicator or the CCA. Essentially the disputes involved a “Cyber Crime” leading to a loss of money.

TDSAT, on the other hand, was established to settle the disputes between the Telecom service providers and between the Service provider and the Government. As regards the consumers, the Act provided only for disputes between a “Group of Consumers” and the service providers.

In other words, TDSAT did not envisage dealing directly with the Consumers. The consumer disputes were outside the jurisdiction of the TDSAT.

The work of the TDSAT also does not involve evaluation of any crime.

The qualification criterion for the post of the Chair person of CyAT was that the person should have been eligible to be appointed as a Judge of a High Court. The criterion for TDSAT is that the person has been a Judge of the Supreme Court or a Chief Justice of a High Court.

It is therefore evident that the cadre of the Chair person of TDSAT is a few notches above that of the CyAT.

The appeal from the CyAT was to the High Court of the appropriate jurisdiction namely the State from which the adjudication was referred to. In the case of TDSAT, the appeal goes to the Supreme Court.

Hence the High Court has been completely taken out of the equation in case of Cyber Crime related civil disputes.

If one takes a look at the type of disputes that are there in the two tribunals, disputes at TDSAT are big ticket disputes while the CyAT disputes are small ticket disputes.

However, the nature of the disputes is completely different. While the TDSAT disputes are more contractual disputes, CyAT disputes revolve around nuances of Technology law and its interpretation. Though small in value, CyAT disputes are perhaps as complicated as the TDSAT disputes, if not more.

Expertise required for resolving CyAT disputes is different from the expertise required for resolving TDSAT disputes.

We can therefore consider that the culture presently built up in TDSAT both by the bench as well as the administration will be alien to the culture of the CyAT.

This will be reflected in all aspects of interaction between the CyAT parties and TDSAT. It could result in higher fees and more rigid implementation of procedural documentation (such as how many copies are to be filed, whether the copies should be bound in a particular manner, whether the pages are in legal paper size, whether the applications are to be affixed with stamps or notarized), etc. The emphasis may be more on adherence to the procedures, and individuals who would like to appear in person will find it difficult not to annoy the senior Supreme Court judges who will handle the bench.

It is likely to be intimidating to the ordinary members of the public to represent themselves before TDSAT when compared to CyAT.

Given the low ticket value of the disputes, there is also the danger of CyAT cases getting a step motherly treatment in terms of listing and other priorities.

At this point of time, these are apprehensions and I wish they remain apprehensions. But given the unfortunate precedent where some of my unpleasant predictions have become true, I am keeping my fingers crossed and wish my apprehensions remain as such and don’t turn out to be the reality.

We will have a better reflection of what will happen when the rules for CyAT cases to be handled by TDSAT are formulated. We will wait for that.

However, experts in traditional jurisprudence and the Constitution may reflect on whether having only one judicial process, that of the TDSAT, between the “Enquiry” of the “Adjudicator” and the “Supreme Court” would be considered a good judicial practice, and whether this is a wise way of structuring the Cyber judicial system in proper hierarchical steps. It is like jumping from the Magistrate’s Court to the Supreme Court in one single step.

Though the TDSAT has the powers to define its own procedures, which can make it less complicated than the Civil Procedure Code, unless TDSAT starts a “Roving Bench” for CyAT cases where the bench sits in different State Capitals as a matter of routine and also makes provisions for “Online Hearings”, TDSAT will be considered as less people friendly than CyAT.

I feel that Mr Jaitley and his team have erred on this aspect of looking for the perspective of the litigants, just chasing cost reduction or to cover up their inability to find a Chair Person for CyAT.

While I still wish some sense will return to those who drafted this amendment and they would drop this idea of merger and instead focus on finding a suitable Chair Person for CyAT as it exists, the possibility that this will be a cry in the wilderness is very high.

If unfortunately the merger proposition goes through, I call upon the TDSAT Chair person to work with the MeitY and the current CyAT Registrar to form a sub committee to draft the rules regarding how the CyAT disputes will be handled by TDSAT.

I also call upon the Government and TDSAT Chairperson to seriously explore means of creating a “Sub-Bench” exclusively for CyAT which holds sittings in State Capitals at frequent intervals and allows Online interaction, and to introduce other measures including lower filing fees and formalities in the conduct of the hearings.

Naavi


Amendments to Finance Bill on Cyber Appellate Tribunal..We are worried

The Government of India has moved an amendment to the Finance Bill 2017 in which it is proposed that the Cyber Appellate Tribunal (CyAT) constituted under Section 48 of the Information Technology Act 2000/8 would be merged with the Telecom Disputes Settlement & Appellate Tribunal (TDSAT) constituted under Section 14 of the TRAI Act.

The CyAT had not been functioning since June 2011, after the then acting Chair Person Mr Rajesh Tandon attained superannuation and the then prevailing UPA Government, in which Mr Kapil Sibal was the Minister of IT, did not see eye to eye with the Chief Justice of India to find a substitute.

It must be noted for the sake of history that the appointment of the Chair Person of CyAT became a battle of prestige between the UPA Government and CJI and continued even after the Modi Government took over. Mr Ravi Shankar Prasad was unable to sort out the differences with CJI since this Government was caught in the NJAC dispute with the Judiciary. This was a bigger battle between the Judiciary and the Legislature and there was no agreement on the appointment.

It was a matter of shame for Mr Modi’s Government that even after coming to power in 2014, until now they were not able to appoint a Chair Person to CyAT and make it functional.

Naavi.org has been vocal in its views on this matter and how the Cyber Crime victims have been put to unjustified harassment because of the failure of the successive Governments as also the honourable Supreme Court in settling their inter-se disputes and consequentially holding the Cyber Crime victims to ransom. (See past articles here)

Now the honourable Minister of Finance, Mr Arun Jaitley, who is also the de facto second in command in the Modi Government, seems to have come up with what he may consider as a “Master Stroke” and proposed a merger of CyAT with TDSAT.

The principle adopted here is:

“If we cannot find a Chair Person, then the solution is to simply abolish the Tribunal”… “It is as simple as trying to cure cold by cutting off the nose”

Advisors to Mr Jaitley might have felt that it may make political sense also: since we already have a Tribunal called TDSAT (where fortunately there is a functioning body), we can hide CyAT under TDSAT and nobody will know the difference. Hence this grand idea.

In order to avoid any discussion about the proposal, the amendment has been brought to the Finance Bill so that the proposal will sail through the Parliament. Most MPs, except perhaps Mr Rajeev Chandrasekhar, would not understand the implications, and the Government can claim credit that they have solved the problem of CyAT which was in existence since 2011.

I will not be surprised if the equally ignorant Media persons also hail this as a great development to control the rising incidence of Cyber Crimes in the country, such as the Card data breach of State Bank of India and other Banks. There will be Delhi based legal experts who will endorse the decision or oppose it based on their political affiliations without addressing the real issues of the public.

But the undersigned would like to go on record to state that this move to merge CyAT with TDSAT is not a wise move. It is a knee-jerk reaction and not well thought out. It is anti-consumer and will make justice inaccessible to the Cyber Crime victims.

I am aware that Mr Jaitley will not change his decision now and Mr Modi will not know the real impact of this decision. So the decision is a fait accompli.

What is now left for Cyber Law Activists is to focus on the rules and regulations that need to be notified for the activities of TDSAT related to the CyAT and salvage some consumer orientation in the rules.

This is unlikely to happen in a hurry but is the only opportunity to ensure that the merger move does not permanently damage the Cyber Judicial structure in the country envisaged by ITA2000/8 and set the country back in terms of Human Rights and Ease of Doing business.

It must also be noted that the Finance Ministry headed by Mr Jaitley could not force RBI to operationalize the August 11, 2016 draft circular on Limited Liability for Customers in Bank frauds because the Bankers could bring their influence on the RBI. Now it is the same Banking lobby who are behind this move to put a hurdle on Bank Fraud victims who have been knocking the doors of CyAT for relief.

I wish Mr Jaitley takes these accusations seriously and takes some corrective measures, as I presume that the decision is not based on proper understanding of the problems involved and otherwise the intentions of the Government are noble.

I have already sent a brief personal appeal to Mr Jaitley as well as TDSAT on the expectations of Cyber Crime victims, though I am not sure it will be responded to.

I will expand my views on my concerns in these columns and request other Cyber Law Specialists to contribute their views so that damage to the Cyber Crime victims of India can be limited.

Naavi

Related Article:

Congress Questions the move...


RBI and Government should not drift in deciding about Bitcoin regulation

Bitcoins are internationally exchangeable into foreign currency of different countries and to some extent even in India. Hence at a time when the Government may be trying to force foreign Governments to share information on Benami Bank accounts in foreign Banks, it is natural that Bitcoin appears to be a good commodity to hold black money.

The recent rise in the exchange rate of Bitcoins indicates the possibility that black money owners are migrating from other assets to Bitcoins. It is interesting to note that between November 8, 2016, when demonetization was announced, and today, Bitcoin has appreciated from around $713 to $1155. This price movement is an international price movement and cannot entirely be attributed to Indian Black Money Diversion. However, the possibility that Indian Black Money might have contributed to this cannot be ruled out.

RBI, after its initial knee-jerk crackdown on Bitcoin, has softened its stand now and appears to be reluctant to take any action that is negative to the Bitcoin industry. At the same time, the technology behind Bitcoin, namely the “Block Chain Technology”, is often spoken about by official banking circles as a technology that can be used in the Banking industry. ICICI Bank even claims to have tried it out in some form.

It is however necessary for us to clearly distinguish between Bitcoin as an existing Crypto Currency and the “Block Chain Technology”. The official response should take cognizance of this distinction and accordingly RBI and the Finance Ministry need to formulate appropriate policies before things get complicated.

Naavi has been advocating that India can consider starting its own Crypto Currency under the regulation of RBI itself where every Crypto Currency mined under this scheme will have the stamp of RBI and a record at RBI. This would be a useful “Digital Currency” to support our digital initiatives.

On the other hand, allowing Bitcoin to gain currency may not be a wise move since it is not a “Currency” in the traditional sense and as a “Commodity” it carries the baggage of being a currency of the underworld.

Legally, Bitcoin which is freshly mined in India is a valid electronic asset and can be exported for a clean profit. Similarly, buying Bitcoins from miners in India is also not unacceptable. The quantum of stock is however too small and most Bitcoin stocks are traded stocks where people buy and sell Bitcoins through different exchanges.

Technically, buying Bitcoins from international sources is an “Import” of a “Commodity” which needs to be examined for FEMA issues.

At present, Bitcoin has not been identified as a “Commodity” or as a “Currency”. It does not figure in the “Negative list” for imports nor in the white list of foreign currencies that can be exchanged by Authorized dealers.

Hence, importing Bitcoin could be considered not yet a clear violation of the import regulations. But at the same time, there is no guarantee that it cannot be ruled as a “Black Currency” in future either by RBI itself or by any Court.

Policy makers therefore need to consider if they should allow accumulation of Bitcoins by Indian residents or not. At the same time, the economic impact of not regulating Bitcoin acquisition and trade in India and by Indian residents needs to be evaluated and responded to.

If holdings of Bitcoins accumulate in the hands of honest citizens in India, there is a possibility that sooner or later they will be sought by those who have to pay ransoms to criminals or for use in funding terrorists. If an exchange market develops in India where Bitcoins can be sold and bought for rupees widely, terrorists and hawala operators will use it to meet their requirements. Inevitably thereafter, Government will have to “demonetize” Bitcoins to ensure that there is no damage to the economy.

This could put the honest holders of Bitcoin into difficulty and force a sharp drop in its prices.

I therefore urge RBI and Government not to remain complacent, let Bitcoin stocks accumulate and subsequently force the Government to initiate a crack down. Such a move will adversely affect innocent citizens while the criminals and terrorists simply move off into another mode of funding.

Recently, I came across a situation where a person had sold bitcoin for Indian rupees only to find that the rupees were transferred to him from a hacked Bank account. When police contacted him, he had to part with the money to the account holder. But he could not take legal action against the fraudster since the asset (bitcoin) he had sold against the fraudulently acquired money was gone to the anonymous world of Bitcoins. He had received Indian rupees which were part of a fraud and had to face the criminal charge of having been an accomplice, though by innocence. Since the commodity dealt with has no recognition either as currency or as commodity, law may neither protect such persons nor help them take action against the real fraudsters.

I therefore feel that lack of regulation of Bitcoins is more harmful than a benefit to the community of honest citizens who may buy Bitcoins as an investment attracted by the sharp gain over the past few months.

One way to ensure that genuine holders of Bitcoins who have imported Bitcoins from their hard earned money are not subjected to problems on a later date, is for RBI/Government to regulate Bitcoin import by restricting its imports only through “Authorized Bitcoin Changers” so that every Bitcoin transaction is reported to RBI.

Holders should also be required to declare their Bitcoin assets in the Income Tax returns and account for short term or long term gains.

By these twin measures, honest citizens who want to invest in Bitcoin may do so at their own price risks but without the additional risk of a Government crack down on the legality of the transaction.

If however, RBI does not consider Bitcoin acquisition by Indian residents as desirable, they should include “Crypto Currencies” in the negative import list or “Restricted Import list” so that requests can be handled on some reasonable criteria.

Doing neither….and drifting…. is not advisable.

Naavi
