Drawing the attention of T K Vishwanathan Committee on ITA 2000 amendments

The T K Vishwanathan Committee on ITA 2000 amendments is presently working on amendments to the ITA 2000. ITA 2000 was notified with an intention to “Enable and Promote E Commerce”. However, the amendments of 2008 shifted the focus from E Commerce Enablement and Promotion to “Information Security”.

Now the proposed 2017 amendments may have to keep in mind both E Commerce promotion and Information Security. However, there is a need to enlarge our focus and recognize that “Computer” and “Information” have acquired a much larger meaning in 2017 than they ever had, and hence the thrust of the law should also shift.

The theme of the proposed ITA 2017 should be to “Enable”, “Promote”, “Regulate” and “Secure” “Digital India” as it emerges.

The “Digital India” that we need to Enable, Promote, Regulate and Secure consists of, among other things, the IoT world, Big Data, globalized Cyber Crime syndicates and the Dark Web, the FinTech companies, the Digital Payment Systems and so on. The IPR regime as applicable to Cyber Space, which covers domain name disputes, copyright disputes on social media and patents on cyber processes, and issues such as Data Protection and Privacy, all need to be kept on the radar.

Will the proposed amendments recognize this larger role of regulating Digital India in an emerging Digital World? Or will it be another attempt at simply tinkering with the existing legislation, adding some new Cyber Crime definitions and changing the punishments from 3 years to 2 or five etc. (many of which are also required)? That remains to be seen.

While it is easier to look at the changes to be made to the current framework, it requires a “Vision” of the “Future India” if we are to amend ITA 2000/8 in such a manner that it will be respected and complied with by the industry in the coming days. If the amendments are not handled with “Vision”, the law will become messy. A messy law will not be complied with voluntarily and will be abused both by the crooked and the corrupt.

We, the people of India, need to do whatever is required to ensure that the proposed amendments are an improvement on the current regulatory regime and do not become a wasteful exercise that complicates the law further.

It is however the duty of every Citizen of India on this 68th Republic Day to take a pledge, in the spirit of “Ask Not what the Country has done to you, but Reflect what you have done to the Country”, to keep expressing what they think is good for the country in the form of the “New” and “Improved” ITA 2000/8.

Some of the general principles that the “Amended ITA 2000” should incorporate are:

a) It should be simple and understandable by the common man

b) It should lay down the broad principles and leave the detailing to the rules

c) It should cover the interests of all stakeholders such as the Citizens, Netizens, Cinizens (Citizens who are also Netizens), Information Intermediaries including Internet and Mobile service providers, Banks, E Commerce companies etc. as well as the Government.

It is important to ensure that the law is “Cinizen Centric”, because in the coming days there will be no pure Citizens or pure Netizens.

We should recognize that Citizens who are not Netizens may continue to exist for some more time and we need to give suitable time for them to transform from the Physical world to the Digital World.

At the same time Netizens who exist in the borderless Cyber Space to the extent they influence and interact with Citizens need to understand that law cannot be entirely made for the benefit of Netizens only.

Naavi.org invites “Visionaries” and thought leaders to contribute their thoughts on the required amendments through these columns.

Of course we cannot assure that these thoughts will be taken into consideration by the ITA 2000 amendment committee, but we hope the committee at least glances at them.

Naavi


The Watal Committee Report on Digital Payments..1

Last year, the Finance Ministry constituted a committee under the chairmanship of the former Finance Secretary, Mr Ratan P Watal, to review the framework related to Digital Payments. The committee submitted its report last month ahead of schedule probably in view of the accelerated implementation of the digital payment framework after the demonetization.

The committee’s recommendations are of wide significance and could make a substantial difference to the system of regulation of digital payments as we know it today. In view of the criticality of some of the recommendations, it is necessary that they are widely discussed and debated before adoption.

We shall attempt to discuss the provisions bit by bit through a series of articles here to commence a healthy debate. This is the first of such articles in the series.

Naavi

Copy of the Report


The Watal Committee has submitted its report to the Finance Ministry on different aspects of the Digital payment infrastructure in the country. The Committee identified four factors which have led to the phenomenal growth of digital payments, namely,

(i) digital and technology revolution,

(ii) entry of several non-banking PSPs into the payments space,

(iii) customers becoming more demanding and expecting instantaneous and one-touch payment solutions and

(iv) progressive changes in the regulatory framework.

The Committee has expressed its vision to set a roadmap for digital payments to grow substantially over the next three years. It is desired that India’s cash to Gross Domestic Product (GDP) ratio should be reduced from about twelve percent to six percent.

The Committee has taken note that at present about 65% of the population has access to mobiles and around 95% have Aadhaar identity. It is also noted that about 35% use the Internet and social media, and these should be helpful in achieving the said goal.

The committee recognizes that Banks have so far been managing the payment systems and are regulated by RBI. But the role of FinTech companies as Payment Service Providers (PSPs) has gathered momentum recently and there is overlap between the activities of FinTech PSPs and the Banks.

In this context the committee has found it necessary to recommend that the regulatory framework needs to be changed to provide for increased participation of FinTech PSPs in the traditional Banking system. (It may be recalled that Naavi had several years back advocated that RBI should introduce a new licensing category for E Banking companies and not allow the current system to be diluted. A move in this direction now appears to be happening in the PSP industry.)

The Committee suggests that the recommendations may be put into implementation over the next thirty to ninety days.

The measures indicated to be introduced include

(i) placing the proposed legislative changes before the Parliament,

(ii) regulatory changes by RBI within the current legislative framework and

(iii) implementing the policy and executive steps by Ministry of Finance (MoF) and other nodal ministries.

The Committee has made a total of 13 recommendations as follows, which will be discussed in detail subsequently.

  1. Make regulation of payments independent from the function of central banking.
  2. Update the current Payments and Settlement Systems Act, 2007
  3. Promote digital payments and receipts within Government
  4. Create a fund proposed as DIPAYAN from savings generated from cash-less transactions
  5. Create a ranking and reward framework
  6. Implement other measures to promote digital payments including promoting Aadhaar based eKYC etc.
  7. Consider outsourcing the function of operation of payment systems
  8. Upgrade payment systems like RTGS and NEFT to operate on 24×7 basis in due course of time.
  9. Allow non-bank PSPs to directly access payment systems
  10. Require NPCI to be payments centric in its ownership and objectives.
  11. Enable payments to be inter-operable between bank and non-banks as well as within non-banks.
  12. Create a formal mechanism to enable innovations and new business models
  13. Implement other measures to promote digital payments including issuing regulations on Systemically Important Payment System (SIPS) and Systemically Important Financial Institutions (SIFIs) etc.

As one can observe, the recommendations are far reaching and could, in the terms commonly used in the industry, be “Disruptive” to the financial regulatory system. Recognizing the impact of these suggestions and the problems of their improper implementation, there is a need for all stakeholders to deliberate in depth on the action plan under this report.

Let’s start the debate here and now.

Naavi


Life after Demonetization

After the demonetization of Rs 500 and Rs 1000 currency on November 8, 2016, we have all been discussing cashless and less cash digital payment systems. Presently there are several options beyond Cheques, NEFT, RTGS, IMPS as well as the “Cards”, in the form of the new generation of mobile Apps.

While more than 38 Banks have their own UPI apps, there is BHIM as a common platform and the USSD system to support the Mobile wallets of PayTM and its siblings.

Behind all this the Aadhaar Based Pinless system threatens to engulf all others once it is introduced and accepted.

The Consumer in the meantime is confused as to how to approach the coming digital payment/receipt scenario and which platform to prefer.

While the initial attraction would be to the most heavily advertised, it is necessary for consumers to, in due course, pick a good option based on some criteria.

It is not easy to pick the right option, or even to select the right criteria and evaluate the several options available.

However, the principal factors that Consumers need to consider are

a) Convenience

b) Cost

c) Security

Presently, consumers are just learning how to use these Mobile Wallet and UPI apps and hence “Convenience” is at the forefront of selection. Most of the apps require an internet connection, and a few have now crossed this barrier with the introduction of “Interactive Voice Response” (IVR). The IVR system of, say, PayTM scores over many other systems including USSD because of its ease of use and the ordinary customer’s familiarity with IVR systems.

Additionally, PayTM has a wider reach amongst the merchants and hence will lead the pack for some time as the preferred Mobile Wallet. Presently PayTM can be linked to the credit card or net Banking of the user so that there can be a seamless transfer of money to the wallet on the fly. Probably it will be linked to UPI and BHIM shortly, and interest may also be paid on the balance in the wallet since PayTM is now a Payment Bank.

On the cost front, things are yet to settle down since UPI charges are currently being subsidized by the Government and the charges on the cards are in flux. Soon, RuPay cards may come on stage as credit cards, breaking the monopoly of VISA/MASTER, and then the acquiring Banks and Issuing banks may be able to rationalize their charges.

However, as long as the Government does not withdraw the service tax on digital payments, it will continue to be the tax that keeps irritating the consumer and makes him delay adoption.

Presently the Mobile wallets/UPI are not charging the customers directly and hence they appear to be the nearest to cash transactions.

In the coming days, the Government may introduce disincentives for Cash and incentives for digital payments, and until there is clarity on this issue, Cost remains an enigma across the different options.

Last but not least, consumers are concerned with the security of the new payment systems. The continued reluctance of RBI to notify the August 11, 2016 circular and the risks of fraud in the use of Mobile based systems continue to be a threat that can upset all the calculations of the “Less Cash Society”. One major scam will push all consumers back to cash usage once the shortage of currency is sorted out.

In the meantime, alert consumers would consider

a) Limiting the risk by opting for wallets which do not provide a seamless link to the Bank account (trading off convenience for security)

b) Avoiding new mobile apps for fear of embedded malware

c) Using Prepaid Physical cards and Prepaid Virtual Cards as substitutes for wallets.

d) Opting to continue to use cash unless forced.

The only way by which RBI and the Government may be able to push greater adoption of digital payment systems is to reduce the cost of online transactions to levels where the consumer will feel the benefit, and then provide the security backup in the form of either a blanket Cyber Insurance against frauds at the cost of the Banks/Government or the quick implementation of the “Limited liability” concept.

In the meantime, the “Watal Committee Report” has made many recommendations which we shall analyze in the coming articles.

Naavi


How much time does RBI want to examine public responses to the August 11 circular?

Naavi.org has from time to time been bringing to the attention of the public the urgent need for RBI to issue a confirmatory circular regarding the “Limited Liability” it proposed through draft circular No RBI/2016-17/DBR. No. Leg. BC/09.07.005/2016-17.

In this circular, RBI had stated that

“With the increased thrust on financial inclusion and customer protection as the two crucial pillars of financial stability and considering the recent surge in customer grievances relating to unauthorised transactions resulting in erroneous debits to their accounts/cards, the criteria for determining the customer liability in these circumstances have been reviewed. The revised directions in this regard are set out below.”

The circular further stated that

a) The liability of the customer for unauthorized debits will be restricted and will be “Zero” in the following cases.

i) Fraud/negligence on the part of the bank (irrespective of whether the loss/fraudulent transaction is reported by the customer or not)

ii) Third party breach where the fault lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding an unauthorized transaction.

Further, there would be limited liability of the customer in the following cases.

a) In cases involving negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.

(b) In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer but lies elsewhere in the system and when there is a delay (of four to seven working days) on the part of the customer in notifying the bank of such a transaction, the customer liability shall be limited to the transaction value or ₹ 5000/-, whichever is lower. Further, if the delay in reporting is beyond seven working days, the customer liability shall be determined as per bank’s Board approved policy. Banks shall provide the details of the bank’s policy in regard to customers’ liability formulated in pursuance of these directions at the time of opening the accounts. Banks shall display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank’s policy.

Overall liability of the customer in third party breaches, as detailed above, where the fault lies neither with the bank nor the customer but lies elsewhere in the system, is summarised in the following table:

Time taken to report (from the date of receiving the communication)   Customer’s liability (₹)
Within 3 working days                                                  Zero liability
Within 4 – 7 working days                                              The transaction value or ₹ 5000/-, whichever is lower
Beyond 7 working days                                                  As per bank’s Board approved policy

In addition, it was stated that

“The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank”

The circular was considered beneficial to the customers since in most cases of frauds, the customer is the victim who has lost money because of reasons beyond his control and hence it is the “Insecure System of Banking” that causes the risk. If the economy benefits by this “Digital banking Systems” then the economy has to bear the cost and not the bank customers.

The circular mentioned that public comments could be sent up to August 31, which indicated that soon thereafter RBI would confirm the circular as “Operational”.

Unfortunately, months have passed and, despite registered notices to none other than the Governor of RBI, the Finance Minister and the Prime Minister, the circular remains to be notified in operational form.

Recently, therefore, I asked an RTI query about the reasons why this circular has not yet been operationalized and I have received the following response:

“The feedback/suggestions/comments on the said draft circular received from various stake holders, public are being examined”

The RTI reply is silent on the reasons for the delay.

It is not conceivable that RBI has received such a large number of responses that it could not analyze them in the last 6 months. They cannot even blame the demonetization for the delay since the demonetization happened on November 8th and RBI had more than two months before this to take its decision on the circular.

It is therefore clear that the influential Banks have brought pressure on the RBI not to operationalize the circular since they want to continue to make customers liable for the mistakes of the Banks.

I therefore call upon RBI once again not to hide behind excuses and political statements such as “being examined” and to take a bold decision. If it is subservient to the IBA and Banks and cannot override their objections, RBI may say so. At least we will then know where our regulator stands in relation to the customer’s interests. If otherwise RBI is committed to “Safe Banking” in India, they should issue a circular stating that the circular is operative and also make it applicable to all pending disputes between customers and their Bankers as of date.

I wish the media, which runs behind non-issues such as Jallikattu, would ask questions of RBI about the delay. I hope CNBC TV and ET Now as well as other financial channels take it up as their mission to reflect the voices of the customers. Now that Mr Arnab Goswami is still in the background, it is an opportunity for other journalists to raise the pitch and ask “Nation wants to know… what is holding up RBI?”

Naavi


Reporting of Cyber Incidents to Cert-In

Cert-In has issued an order that suggests that “Any Individual, organization or Corporate entity” affected by Cyber Security Incidents may report the incident to CERT-IN. (Copy of the Order)

However, some types of incidents need to be reported mandatorily. The incidents that need to be mandatorily reported are:

  1. Targeted scanning/probing of critical networks/systems
  2. Compromise of critical systems/information
  3. Unauthorized access of IT systems/data
  4. Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites etc.
  5. Malicious code attacks such as spreading of virus/worms/Trojans/Botnets/Spyware
  6. Attacks on servers such as Database, Mail and DNS and network devices such as Routers
  7. Identity Theft, Spoofing and Phishing attacks
  8. Denial of Service (DOS) and Distributed Denial of Service (DDOS) attacks
  9. Attacks on Critical infrastructure, SCADA Systems and Wireless networks
  10. Attacks on Applications such as E-Governance, E-Commerce etc.

Since the order is being sent to industry associations with an instruction that it should be sent to all major organizations, it appears that this is also meant for private sector companies (though not specifically mentioned), besides Government departments, and corroborates the advertisement that CERT-IN had released recently.

While the intention behind the order is understandable and it is issued under the powers available under Section 70B, there is a need for more clarity to ensure that the circular is properly interpreted. A reporting requirement of this kind was already available under the Section 79 guidelines for intermediaries.

Firstly, the order needs to be interpreted as applicable to “Service Providers”, “Intermediaries”, “Data Centers” and “Body Corporates” and not to “Any Individual”.

Secondly, the word “attack” could mean both an “attempted attack” and a “successful attack”. Attacks are attempted all the time on every network and hence it is not possible to report all attempted attacks. The key therefore is to define what an “Incident” is.

Companies may normally define an “Incident” with reference to an adverse event that has the potential to cause either a liability on the organization or disruption of its service.

It is necessary for CERT-In to provide its own definition which is appropriate to its objectives. Otherwise there will be confusion for compliance managers.
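As an added illustration of the attempted-versus-successful distinction argued above (this is example code, not CERT-In's order or any official definition), the following Python triage routine parses constructed key=value log lines and marks a finding as reportable only under one assumed reading of the order: category 1 probing is reportable only against hosts marked critical, every other category only when the attack actually succeeded. The host names, source addresses, thresholds and the critical-asset list are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (key=value syslog style); not real data.
SAMPLE_LOGS = """\
fw host=db01 src=203.0.113.7 dport=22 action=drop
fw host=db01 src=203.0.113.7 dport=3306 action=drop
fw host=db01 src=203.0.113.7 dport=8080 action=drop
fw host=web02 src=203.0.113.8 dport=21 action=drop
fw host=web02 src=203.0.113.8 dport=23 action=drop
fw host=web02 src=203.0.113.8 dport=25 action=drop
auth host=web01 src=198.51.100.9 user=admin result=fail
auth host=web01 src=198.51.100.9 user=admin result=fail
auth host=web01 src=198.51.100.9 user=admin result=fail
auth host=web01 src=198.51.100.9 user=admin result=ok
auth host=web02 src=192.0.2.44 user=root result=fail
auth host=web02 src=192.0.2.44 user=root result=fail
auth host=web02 src=192.0.2.44 user=root result=fail
""".splitlines()

CRITICAL_HOSTS = {"db01", "scada01"}  # assumed inventory of critical systems
SCAN_PORTS = 3    # distinct dropped ports from one source = targeted probing (assumed)
BRUTE_FAILS = 3   # failures before a success = credential guessing (assumed)

@dataclass
class Finding:
    category: int     # CERT-In category: 1 = probing, 3 = unauthorized access
    host: str
    src: str
    outcome: str      # "attempted" or "success"
    reportable: bool  # does the assumed incident rule require reporting?
    evidence: str

def parse(line: str) -> dict:
    """Split 'type k=v k=v ...' into a dict; the leading token becomes rec['type']."""
    rtype, _, rest = line.partition(" ")
    rec = dict(re.findall(r"(\w+)=(\S+)", rest))
    rec["type"] = rtype
    return rec

def is_reportable(category: int, host: str, outcome: str) -> bool:
    """Assumed rule: category 1 (probing) is reportable only against critical
    systems; every other category only when the attack actually succeeded."""
    if category == 1:
        return host in CRITICAL_HOSTS
    return outcome == "success"

def correlate(lines) -> list:
    """Turn raw log lines into Findings, each marked reportable or local-only."""
    records = [parse(ln) for ln in lines]
    findings = []
    # Rule A: one source dropped on several ports of one host = targeted probing.
    ports = {}
    for r in records:
        if r["type"] == "fw" and r.get("action") == "drop":
            ports.setdefault((r["src"], r["host"]), set()).add(r["dport"])
    for (src, host), ps in ports.items():
        if len(ps) >= SCAN_PORTS:
            findings.append(Finding(1, host, src, "attempted",
                                    is_reportable(1, host, "attempted"),
                                    f"{len(ps)} ports probed: {sorted(ps)}"))
    # Rule B: repeated failures then a success from the same source/user on the
    # same host = unauthorized access (category 3); failures alone stay attempted.
    fails = {}
    for r in records:
        if r["type"] != "auth":
            continue
        key = (r["src"], r["host"], r["user"])
        if r["result"] == "fail":
            fails[key] = fails.get(key, 0) + 1
        elif r["result"] == "ok" and fails.get(key, 0) >= BRUTE_FAILS:
            findings.append(Finding(3, r["host"], r["src"], "success",
                                    is_reportable(3, r["host"], "success"),
                                    f"login as {r['user']} after {fails[key]} failures"))
            fails[key] = 0
    for (src, host, user), n in fails.items():
        if n >= BRUTE_FAILS:
            findings.append(Finding(3, host, src, "attempted",
                                    is_reportable(3, host, "attempted"),
                                    f"{n} failed logins as {user}, none succeeded"))
    return findings
```

Running `correlate(SAMPLE_LOGS)` yields four findings, of which only the probe of the critical host db01 and the successful admin login on web01 are flagged for reporting; the probe of the non-critical web02 and the failed root attempts stay local.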

Hopefully the clarification would be issued in due course.

Naavi


The UIDAI needs to update its ITA 2008 compliance

Recently there was a WhatsApp message that UIDAI is offering a new service to enable an Aadhaar holder to block use of his biometric authentication through a mandatory OTP. The message indicated that the service is provided through https://resident.uidai.net.in/biometric-lock. This would mean that no agency could check the biometrics of an Aadhaar user without his knowledge (assuming that an OTP message to the mobile is equal to such “Knowledge”). It was of course a security feature which can be welcomed.

However, on verification, the undersigned flagged the message as “Possible Phishing” on the basis of a couple of observations. The first was that the domain name was registered in the name of an individual and not the organization. It was registered with a private sector registrar and not NIC, whereas the website is actually maintained by NIC. The telephone number did not appear to exist in the directory and e-mails were unanswered.

Further, when the SSL certificate for the site was viewed, it was observed that the certificate was not issued by the Indian authorities but by a US based private sector Certifying Authority called GeoTrust.

Also the service of locking did not appear to work since no OTP was being generated.

Considering these facts, it was reasonably suspected that the website may be a phishing site.

However, when examined further, it was found that uidai.gov.in was also registered in a personal name and had also obtained its Digital Certificate from GeoTrust. Also, an acknowledgement was received from UIDAI authorities that the site is not a phishing site and is in fact genuine. It was also surprising to observe that the main UIDAI site was running in a folder named “beta”, indicating that the site was not yet launched properly. For a service on which 1.2 billion Indians are registered and conducting secure transactions of all kinds including payment settlements, it was unthinkable that the site could still be in a “beta” state.

While we leave it to UIDAI to migrate to what it considers the operating website, we need to raise the following issues:

a) Why should Government property in the form of the Domain Names uidai.gov.in or uidai.net.in be registered in the names of individuals and not the organization?

b) Why should UIDAI get its Digital Certificate from a US based private agency and not from NIC or other licensed Certifying Authorities in India, which include CDAC and IDRBT, which work in the Government sector?

If Government agencies do not respect the system of “Licensed Certifying Authorities” in India as per ITA 2000/8, why does the system of licensing Certifying Authorities exist at all? Is it a show of no confidence in NIC or other licensed CAs, or in the CCA itself? Or is it an “Ego” issue between UIDAI and CCA or NIC?

There are already allegations that UIDAI has been constantly using hardware suppliers from the US and compromising the security of the Country. Now even in the matter of digital certificates, this trend seems to continue.

I have heard of the technical arguments that Indian digital certificates throw up an error in the Web Browsers and hence the US certificates work better. But security professionals know that this happens because the root certificates of the CA and CCA are not installed in the browser by default and hence the errors do come up.

Government of India needs to persuade the browser manufacturers to incorporate the necessary root certificates as an OEM configuration and not allow Government agencies to bypass the security by allowing a foreign agency to hold the decryption key to be able to observe all transactions that happen in the UIDAI system.
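The root-certificate point can be checked from a client with the Python standard library alone. The following is an added example (not UIDAI's, CCA's, NIC's or Naavi's code): `summarize` reduces the dict that `SSLSocket.getpeercert()` returns to the issuer and subject fields a reviewer looks at, and `fetch` verifies a host against the system trust store, optionally extended with a PEM bundle of extra roots, so that a failure caused only by a missing root can be told apart from a connection that verifies. The sample certificate dict is constructed for offline use; the hostnames are those from the post, the issuer CN and dates are made up, and the extra-roots bundle path is an assumption.

```python
import socket
import ssl

def _rdn(name) -> dict:
    """Flatten getpeercert()'s nested RDN tuples, e.g.
    ((('countryName', 'US'),), (('organizationName', 'X'),)) -> {attr: value}."""
    return {k: v for group in name for k, v in group}

def summarize(cert: dict) -> dict:
    """Reduce a getpeercert() dict to who the certificate is for, who issued it,
    which DNS names it covers and when it expires."""
    subj, iss = _rdn(cert.get("subject", ())), _rdn(cert.get("issuer", ()))
    return {
        "subject_cn": subj.get("commonName"),
        "issuer_org": iss.get("organizationName"),
        "issuer_country": iss.get("countryName"),
        "san": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
        "not_after": cert.get("notAfter"),
    }

def issued_in_india(cert: dict) -> bool:
    """Assumed heuristic: a CCA-licensed CA's issuer DN carries countryName=IN."""
    return summarize(cert)["issuer_country"] == "IN"

def fetch(host: str, port: int = 443, extra_roots=None, timeout: float = 10.0):
    """Handshake with host and return ("ok", summary) when the chain verifies,
    or ("untrusted", reason) when OpenSSL rejects it. extra_roots is an optional
    PEM file of additional trust anchors (an assumed CCA root bundle, for
    instance); loading it is the client-side equivalent of the browser shipping
    that root pre-installed."""
    ctx = ssl.create_default_context()   # system trust store, hostname check on
    if extra_roots:
        ctx.load_verify_locations(cafile=extra_roots)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", summarize(tls.getpeercert())
    except ssl.SSLCertVerificationError as e:
        # "unable to get local issuer certificate" is the missing-root case the
        # post describes: the leaf may be fine, its anchor is just not in the
        # store. Expiry or hostname mismatch produce different messages.
        return "untrusted", e.verify_message

# Constructed sample in getpeercert() shape (not a real certificate); the host
# names are the ones discussed in the post, the issuer CN and dates are made up.
SAMPLE_CERT = {
    "subject": ((("countryName", "IN"),), (("organizationName", "UIDAI"),),
                (("commonName", "resident.uidai.net.in"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "GeoTrust"),),
               (("commonName", "GeoTrust issuing CA (constructed)"),)),
    "subjectAltName": (("DNS", "resident.uidai.net.in"), ("DNS", "uidai.net.in")),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Jan  1 00:00:00 2018 GMT",
}

if __name__ == "__main__":
    print(summarize(SAMPLE_CERT), "Indian CA:", issued_in_india(SAMPLE_CERT))
```

To try the live check, call `fetch("resident.uidai.net.in")` with and without `extra_roots` pointing at a root bundle; the second element of the result shows whether a failure is a missing anchor or a genuinely bad certificate.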

I look forward to the CCA, the Ministry of Information Technology, CERT-IN, the Ministry of Home Affairs and the PMO to clarify their stand on this issue.

Comments are welcome.

Naavi
