Suggestions on Modification of ITA 2008

There is an exercise going on in Delhi to modify ITA 2008. Last time, when ITA 2000 was amended, the trigger was the Baazee.com case, where the CEO of baazee.com (now ebay.in) was prosecuted under Section 85 of ITA 2000 read along with Section 67 of ITA 2000. This time, the trigger is the scrapping of Section 66A by the Supreme Court. In 2005, the DeiTy had set up an “Expert Committee” which consisted of industry leaders who tried to keep the “intermediaries” out of the liability under Section 79. Unfortunately, the committee's recommendations were overruled by the Parliamentary Standing Committee, which was more sympathetic to the security needs of the law enforcement in the aftermath of the Mumbai terror attack.

This time, MeiTy has set up an internal committee which is going through the amendments. Since it is headed by Mr T.K.Vishwanathan who was the original person involved in the drafting of ITA 2000, we expect that the amendments would try to balance the requirements of the law enforcement and the industry.

Naavi has been expressing his views on the law from time to time on this blog, and some of those views have been critical of the interpretation of the law. Hopefully the committee will take some of these suggestions into consideration, along with the many suggestions made in the 2005-2008 period which were conveniently ignored by the then “Expert Committee” whose sole agenda was “How to bail out baazee.com”.

Now, considering the requirements of amendments, there are a few suggestions that Naavi.org has and are put up here for comments by the public and for the consideration of the committee.

The views expressed herein below are basically on Chapter XI. There are more suggestions which may be released from time to time for the record, whether or not they are considered relevant by the committee.

I welcome comments of the public on these suggestions.

Some Suggestions:

1. Section 65

This section is often misinterpreted by the Police, and several cases have been filed under this section instead of under Section 66.

The reason is that the title of the section uses the term “Tampering with Computer Source Documents”.
“Computer Source Code” is a term used in the IT community for the document that records the “Computer Commands”.

[“Computer Command” itself means “Any instruction meant to be fed into the processor of a computer device (which term includes mobiles and other information processing devices) with the intention of influencing the behaviour of the Computer, Computer network, computer resource including the connected devices.”]

However, when one looks at the section closely, it appears that the section was drafted with a different implication, since it referred only to “Computer Source Code that is required to be maintained in law for the time being” and also defined the term in the explanation to include certain documents other than the “Computer Commands”.

In its present form Section 65 refers to any electronic document (including the computer commands) which is legally required to be kept for a certain time under some law. It therefore provides for protection of “Evidence” and has a close relation to the data retention aspects included in Section 67C.

In one of the cases, Naavi interpreted that the CC TV footage recorded by the camera should be interpreted also as a “Computer Command” since when fed into the video player, the recording displays images. It was therefore argued that the wrongful deletion of a CCTV footage which was known to be an “Evidence” in a registered “Cognizable Offence” should be considered as a Section 65 offence since “Deletion of Evidence” is an offence under IPC.

It is therefore suggested that the title of the section can be changed to

“Tampering with electronic documents required to be preserved under law”

2. Section 66

This section has a wide scope for interpretation since it uses, inter alia, the term whoever “diminishes the value or utility of information residing inside the computer or affects it injuriously by any means”.

Since Section 66 is interpreted along with Section 43 for the identification of criminal acts and with the IPC for the interpretation of the motive, it is amenable to misinterpretation.

The Karnataka Adjudicator, in one of his decisions (challenge pending in an appeal at the Cyber Appellate Tribunal), interpreted that the word “Person” used in Section 43 must be restricted to an “individual” and hence that no Body Corporate can invoke Section 43 as a complainant, nor can a Body Corporate be made a respondent under Section 43. As a result, the scope of Section 43 was reduced to only an “individual to individual dispute”.

This also reduced the scope of Section 66 when it is interpreted in the light of this adjudication award. In the current situation, any accused who is being prosecuted in Karnataka under Section 66 on a complaint by a corporate entity can defend himself on the ground that the offence is not recognized under Section 66 as per the decision of the Adjudicator of Karnataka, who has a status equivalent to that of a Civil Court. Though this may not be “binding”, it could sufficiently dilute the criminal charge.

Though this was only an error of one Adjudicator, further confusion of this nature can be avoided by incorporating the definition of “Person” in the definition clause itself, in tune with the General Clauses Act.

Accordingly, a sub-section can be introduced under Section 2 stating

2(1) (…) “Person” means and includes any company or association or body of individuals, whether incorporated or not;

Also, the words “By Any Means” are used in several places in the Act, including Sections 43(f) and 43(i).

An explanation may be added, either under Section 43 or elsewhere, to state

“By Any Means” includes contraventions committed through means other than the use of “electronic documents” or “electronic signals”, “electronic form”

3. Section 43 linked to 66:

Under Section 43(b), there is some confusion as to the conflict with the Copyright Act which needs to be set right.

Under this section, “Unauthorized Copying” of data is a contravention for which there is a civil liability under Section 43 and a criminal liability under Section 66. This is sometimes misunderstood as a “Copyright Protection”.

However, this section addresses issues of “Unauthorized Copying” without the permission of the owner of a Computer, Computer System or Computer Network, and does not refer to permission from an “Author”. It is not meant to protect the rights of an “Author”, which is the objective of the Copyright Act.

If a person downloads any material with the permission (active or passive) of the owner of a computer, computer system or computer network (which definition should also cover a website hosting facility), then he is not contravening Section 43.

If the owner of the content has any objection under “Copyright”, it is for him to take up the issue separately with the “Permission Giver” for necessary disclosures or lack of disclosures under the terms and conditions associated with the website.

Also, if any owner of a computer system has an objection to such “copying”, he should incorporate his own technical measures (eg: disabling of the right click of a mouse) or a notice to inform the viewer that the viewer is permitted to read and assimilate the content but not authorized to copy or download it (subject to the exceptions permitted as fair use in the Copyright Act).

In order to prevent frivolous copyright charges being made on the basis of downloading of free content floating around the web, there is a need to provide a clarification so that visitors of websites who incidentally copy the content onto a “Cache” or an “Offline Browser” or for any other legally permitted purposes including “Evidentiary requirements” or in what is prima facie a “Fair use” under copyright legislation, are not harassed with copyright litigation.

In the past we have seen the obnoxious practice of “Hyperlink providers” being hauled up for copyright infringement on the flimsy grounds of “Contributory Infringement”. These excesses need to be prevented by inserting a suitable clarification into Section 43, or otherwise as an exception under Section 79.

An explanation can therefore be added under Section 43 that

“Provisions of subsection (b) above, in respect of content hosting devices, relate to the permissions granted by the content hosting device and do not relate to any permissions to be obtained or otherwise from a Copyright owner of the content per se”.

“Mere provision of hyperlinks to content in a website or a search engine or an index of content, with or without a brief description of the content, is not to be construed as copying or downloading or extracting data under this section.”

4. Definition of Cyber Crime - Section 2(1)

In police circles there is always a discussion on what a “Cyber Crime” is.

One of the popular definitions is an adaptation of the FBI definition that “Cyber Crime means any offence where a Computer is a tool or target of crime”. This definition is restrictive and does not reflect the intentions behind many sections of ITA 2008, including 43(f) and 43(i) indicated above, as also 43(d), 43(e), 66E etc, which indicate that contraventions committed with “Devices” that may not be “Computers” are also brought under the provisions of ITA 2008.

Though the definition of what a “Cyber Crime” is is an academic aspect, it often becomes the reference for defining the scope of notifications and the jurisdiction of police stations.

Also, there could be confusion on whether a “Cyber Crime” definition is restricted to crimes on the Internet or also extends to crimes involving air-gapped systems and information storage devices.

Hence it is suggested that a definition of Cyber Crime be inserted in the definitions clause to the following effect.

2(1)(….) “Cyber Crime” means and includes any contravention of law where an electronic record is a potential or intended target or tool, and includes offences committed with the use of a network device or not.

5. Section 66A

Section 66A was scrapped by the Supreme Court in March 2015, as it was felt that some of the provisions of the section were infringing the constitutional right of “Freedom of Speech”.

The Government did not challenge the verdict, which was built on a disputable interpretation of the section, and correcting the legal hole created by the removal of this section is one of the reasons for which the Act is being amended now.

Section 66A addressed certain issues related to “Sending Offensive Messages through a Communication Device”. Such messages could be sent as an SMS or MMS or E-Mail from one person to another, from one person to a group of persons (eg: WhatsApp) or to a server.

A message sent to a “Server” or to another “person” could be dealt with by the addressee in any manner he thought fit, which included further distribution or publishing on a website, including a “Facebook Page”, “Twitter Page” or any other “Message Board”.

The action of the addressee when he received the message determined the further consequences arising out of the original message leading to “Defamation” or other offences.

While the original message sender was responsible for the direct consequences to the receiver, unless he had urged the receiver to further distribute the message, it was unfair to hold him liable for the actions of the recipients which were “Not authorized” by the original sender.

The provisions of Section 66A, before it was scrapped, addressed the adverse consequences of a message for the receiver, such as “Being grossly offensive”, “Being menacing”, “Causing harassment”, “Causing Annoyance”, “Criminal intimidation”, etc, as well as “For deceiving”, “Misleading as to the origin”, etc. For “harassment”, “annoyance” etc, it was also necessary for the message to be sent “persistently”, and an odd message could not be considered as an offence.

However, the honourable Supreme Court was misled into believing that this section had such a “Chilling” effect as to obstruct “Freedom of expression” and that it would criminalize publication of “Any Information”, whether scientific, educative etc. This was not a correct interpretation, and hence the scrapping of Section 66A was unjustified.

By scrapping Section 66A, offences such as “Spamming” (persistently sending e-mails and causing annoyance), Cyber Bullying/Cyber Stalking (persistently sending e-mail or SMS to harass, intimidate or otherwise annoy the recipient) and Phishing (sending e-mail or SMS messages with a false originator's identity) were all taken out of the Act.

Subsequent to the scrapping, there have been many instances where the Police have found themselves handicapped without appropriate provisions in the law to book cases where the above offences were committed.

Even the Supreme Court itself in a subsequent case (Refer here). In particular, we can recall one suicide in Salem, in which a girl was harassed with WhatsApp messages, and another suicide in Bangalore, where another lady got conned by false e-mail messages, which could be linked directly to the non-availability of an appropriate deterrent in the ITA 2000/8 after the scrapping of Section 66A.

Now there is a need for reintroducing all these provisions without their being considered a violation of the Supreme Court judgement in the Shreya Singhal case. There is a need to do this in a manner that the egos of the people behind the Shreya Singhal case are not hurt, as otherwise they will launch another assault on the new provisions also.

It is suggested that the following changes are made to accommodate this.

a) In the definition clause, introduce a distinction between “Publishing” and “Messaging” by mentioning as follows.

2(1)(…..) “Messaging”, in the context of electronic content, means sending information from one communication device to another through e-mail, SMS, MMS or other means where the sender intends that the message is read by the designated recipient, and includes content sent to a computer device which is programmed to further process the information in any manner by the administrator of the device without being placed for public access as “Publishing” as defined elsewhere under this Act.

Explanation: “Messaging” does not include “publishing” as defined elsewhere in the Act.

Where a “Message” is “Published”, the two actions are distinct and separate and “Messaging” ends where “Publishing” begins.

2(1)(…) “Publishing”, in the context of electronic content, means placing of information so as to be accessible by a member of the public, and does not include content made available to a designated person through an e-mail or an SMS or other communication devices where the information delivery is restricted to the recipient or to a designated community and accessible only on the basis of an intermediary service involving “Subscription” or “Membership”, controlled and managed by an “Administrator”.

Explanation: “Publishing” does not include “Messaging” as defined elsewhere in the Act.

b) New sections to be introduced under Chapter XI to include the offences of Cyber Bullying, Cyber Stalking, Spamming, Phishing, Causing annoyance to the recipient of a message, etc, as briefly indicated below.

Suggested New Section 66G:

Offences related to “Messaging” not amounting to “Publishing”

Any person who sends a message

a) which, in the opinion of any person of ordinary prudence, is likely to cause fear or mental disturbance in the receiver,
b) which the sender knows to be false but repeatedly sends with an intention to cause annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill-will, or
c) which is intended to deceive the receiver as to the origin of the message or its content,
shall be punishable with imprisonment for a term which may extend to three years and with fine.

6. Cyber Terrorism

Section 66F is one section in which there is a provision for “Life Imprisonment” and hence it should be analysed carefully to check if there is scope for misuse. Also, there is a need to define the term “Cyber Terrorism” properly, since it is likely to be a subject matter of discussion in international fora for extradition requests and treaties.

The present Section 66F is not considered properly drafted and needs a major overhaul.

Presently, the definition of what constitutes Cyber Terrorism falls into two categories.

Category A requires that

1. There should be a motive of

a) threatening the unity, integrity, security or sovereignty of India
b) Striking terror in the people or any section of the people

2. The offence should involve one of the following three means

a) Denial of access
b) Unauthorized access
c) Introduction of virus

3. The effect of the above should be to

a. Cause death
b. Damage or destruction to property
c. Damage or disrupt supplies or services essential to the life of the community
d. Adversely affect the critical information infrastructure designated as “Protected system”

Category B covers obtaining unauthorized access to information restricted for reasons such as

a) Security of State or Foreign relations
b) Likely to cause injury to the sovereignty and integrity of India, the security of the state, friendly relations with foreign states
c) Likely to cause injury to the interests of public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence,
d) or to the advantage of any foreign nation, group of individuals or otherwise

There is a need to modify this section so that the definition of “Cyber Terrorism” is universal and not dependent on just three types of attacks (though they may be comprehensive). It is also necessary to prevent offences which do not qualify to be called “Cyber Terrorism” from being brought under this section, as there is a high degree of misuse of this section.

Though some may argue that since 27th October 2009, when this section became operative, there has been no reported case of misuse of this section, the possibility of this section being misused is extremely high once vested interests sense the power of this section.

Hence there is a need for a complete revision of this section by deleting the entire section and rewording it. One suggestion is as follows.

Section 66F (suggested)

Whoever

Uses a Computer, Computer Resource, Computer Network, Communication Device or any associated device or an Electronic Document

by any means including unauthorized access, alteration, deletion of information, denial of access, diminishing the value or utility of any information residing inside a computer, computer device or computer network

with an intention to

threaten the unity, integrity or security of India, or to strike terror in any section of the people, or to create destabilization of the economy or any segment thereof, intimidate or coerce a government, the civilian population, or any segment thereof, or to create disharmony in the society,
in furtherance of any dishonest or fraudulent objectives, including financial, political, religious or social objectives,

shall be liable for imprisonment which may extend to imprisonment for life and fine.

This open definition ensures that “Cyber Terrorism” is recognized even when non-Governmental resources are under attack and even when the attack is not related to physical death; it removes contentious words such as “Public Order” and “Defamation”, which can be abused, and “Contempt of Court”, which is not within the domain of this section.

Where there is a “Contempt of Court” in pursuance of a politico-religious objective, it can still be covered under this modified section.

7. Section 67B

ITA 2008 split the original Section 67 available under ITA 2000 into three sections, all addressing the problem of “obscenity”. Sections 67 and 67A were restricted to “Publishing and Transmission”, while 67B addresses more than Publishing and Transmission in the context of “Child Pornography”.

However, Section 67B has criminalized “Viewing” of content which depicts children engaged in a sexually explicit act or conduct.

Since whether the actors in a video are minors or not is not easily ascertained, and also since videos in which minors are involved may pop up during a normal browsing session, sometimes without any intentional act of the viewer, it is unfair to make “Viewing” an offence which carries imprisonment of up to 5 years and a fine of up to Rs 10 lakhs.

Despite the good intentions behind this section, it is easily amenable to abuse.

Hence this section should be modified, and it is suggested that sub-section 67B(b) be modified as under.

Suggested Section 67B(b)

creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner or

8. Section 67C

Presently there is no notification under Section 67C, though it was used to introduce the DigiLocker service. This section was meant to enable evidence to be preserved for the requirements of law enforcement.

There is a need to operationalize the section by defining that

“All information in the hands of an intermediary that has evidentiary value in respect of a dispute, whether of a civil or criminal nature, such as disputed content, traffic data, log records, messages, e-mails etc, shall be preserved for a minimum period of 3 years. In the event the evidence is part of a criminal investigation or declared evidence in a civil proceeding, such information shall be preserved in an evidentiary archive with suitable security for a period of 10 years.”

This can be notified as a rule under the section, and there is no need to amend the Act.

9. Section 69/69A and 69B

The rules under these sections need some revision to clarify the need for “Nodal Officers/Compliance officers” in a private sector environment.

No specific change is recommended in the Act.

10. Chapter XIIA: Digital Evidence Examiners

Under ITA 2008, a provision was made to enable the notification of an “Examiner of Electronic Evidence” to assist the Courts. Presently there is a rumour that the Government will notify some of the Central and State Forensic labs as “Digital Evidence Examiners” under this section.

While this was long overdue, this notification should not misread the section and introduce provisions which are ultra vires the Act.

At present there is no need to suggest any amendments to this section.

However, it must be clarified

“that notification of an agency under this section for providing ‘expert opinion’ is without prejudice to any of the rights of a party to a dispute to counter the evidence produced by these agencies in a judicial proceeding.”

11. Section 80

One of the contradictions introduced by ITA 2008 is regarding the “Power to Arrest without Warrant” as discussed in Section 80.

Though ITA 2000 had stated that the Act would override the provisions of the CrPC wherever there was a conflict, and had defined the Power to Arrest without a warrant specifically under Section 80, ITA 2008 proceeded to define “Cognizability” separately, in tune with the CrPC.

Section 80 provided the “Power to Arrest without warrant” to Police officers of the rank of Inspector (as per ITA 2008), as well as to any officer of the Central or State Government notified by the Central Government, without reference to the “Period of imprisonment” but only on whether the offence was reasonably suspected to have been committed, or of being committed, or about to be committed in a “Public Place”.

The new provisions under ITA 2008, however, provided the power to arrest without warrant only for offences in which the period of imprisonment was 3 years or more.

As a result, under Section 77B, the “Power to arrest without warrant” for a police officer can be claimed only in offences where the punishment is 3 years or more. The earlier provision, which is still available under Section 80, provides the same power, which can be exercised for all offences in a public place.

These contradictions may be removed by making a minor modification in Section 80 with a reference to Section 77B.

It is therefore suggested that Section 80(1) be modified as follows:

Notwithstanding anything contained in the Code of Criminal Procedure, 1973, and in Section 77B of this Act, any police officer, not below the rank of an Inspector, or any other officer of the Central Government or a State Government authorized by the Central Government in this behalf, may enter any public place and search and arrest without warrant any person found therein who is reasonably suspected of having committed or of committing or of being about to commit any offence under this Act.

Additional Offences that may be considered for inclusion

(…) Sending Unsolicited Electronic Messages:

Except under a valid Bulk E-mail license from an appropriate authority

Whoever,

1) sends or causes to send an unsolicited electronic message/s of any description with a source identity that is not disclosed, or
2) sends or causes to send an unsolicited electronic message/s of any description after the addressee has duly notified him of his intention not to receive such communication as prescribed under this Act, or
3) except under an express consent of the recipient, sends or causes to send an electronic message/s of any description containing information that is obscene or offensive, that may defraud or is intended to defraud, that may cause or is intended to cause distress, that may break or is intended to break any law in force, or that may otherwise create disharmony in or harm to the society or cause harm to the integrity of the nation and friendly relations with other countries,
shall be punishable under this Act with any or all of the following:
a) Payment of compensation or damages to each of the person/s affected by the offence, subject to a maximum of Rs 1 lakh per person.
b) Imprisonment subject to a maximum of Two Years.
c) Fine subject to a maximum of Rs 2 lakhs.

Notwithstanding the punishment or penalties mentioned above, if the offence as defined under (..) above results in or is intended to result in an act that is an offence under any other law in force, the offender shall also be liable for punishment or penalty to which the offender is liable under such laws.

Provided, however, that if any message is caused to be transmitted by a mistake of fact or due to technological factors beyond the reasonable control of the person in whose name the message is sent, no offence shall be recognized if such a person proves that the message was sent without his knowledge and that he had exercised all due diligence to prevent commission of the offence.

Explanation:

For the purpose of the section (..) above,

a. the disclosure of source identity is considered sufficient if a reply can be sent to the disclosed source address and such reply does not bounce.
b. an addressee may communicate his intention “not to receive” a communication through a digitally signed message or in any other manner that may be laid down for the purpose and unless specified, such notice shall expire after 3 months.
c. the unsolicited message shall be admissible as evidence in a Court of law even if it is not digitally signed.
d. the intermediary who causes the unsolicited messages to be transmitted shall also be liable under the Act as if the offence was committed by him, unless he proves that the offence was committed without his knowledge and that the intermediary had exercised all due diligence to prevent commission of the offence.
e. a message is considered “solicited” if it may be inferred from the conduct and existing business or other relationship of the recipient that he consented to such messages being sent to him.
f. “Express Consent” in sub clause (3) means only a consent obtained through a manually entered affirmative expression.
g. “Appropriate Authority” for the purpose of this section shall be the “Controller of Certifying Authorities” or any other authority specifically designated for the purpose by an order of the Government of India.

Cyber Squatting

“Cyber Squatting” is related to “Trade Mark Rights”. Further, any law passed on “Cyber Squatting” in India will interfere with the “Uniform Dispute Resolution Policy”, which is a contractual obligation to which all domain name registrants are presently subjected. It will also affect the rights of Indians who have to face charges of “Squatting” in respect of international generic domain names such as dot com, dot org etc.

Any law attempted here should therefore be such as not to unduly create harassment of Indian citizens.

It is suggested that a Section may be introduced in Chapter IX to the following effect:

(..) Whoever, in bad faith and with the intention to cause disrepute or harm to another person, or to cause disruption of any legitimate business, or to cause confusion in the minds of the public who, having regard to the circumstances, are likely to be influenced, registers a domain name
shall be liable to pay damages to the person so affected not exceeding Rs 10 lakhs,
and for the purpose of this section, a person not being a resident of or a citizen of India shall also be liable even if no computer or computer system located in India is used for the contravention.
Explanation:
For the purpose of this section, the exercising of due diligence, including appropriate disclosures, shall be considered as an indication of good faith.

(More suggestions may follow)

Naavi

Posted in Cyber Law

Why I think Mobile Wallets will not Die, but Evolve

Recently there has been some discussion on whether, in the current context of multiple digital payment systems being in place, “Mobile Wallets” have lost their relevance.

Economic Times carried an article recently which declared “Here is why the flavour of the season..mobile wallets will die”. The argument was that in the long term, systems like UPI stand a better chance, as they enable direct transfer from Bank accounts to pay. The lack of “Interoperability” of mobile wallets was one of the reasons cited why people may opt out of mobile wallets. Lack of interest on the wallet balance was another reason quoted by the article.

The article quoted PayTM owner Mr Vijay Shekhar Sharma stating that they will soon start focussing more on the “PayTM account”, after which the PayTM wallet will become a tool to operate the account. Then the interest may be payable on the main account balance. This is possible because PayTM has received the Payment Bank license and can accept deposits of up to Rs 1 lakh.

Presently, the Singapore based Bank DBS operates a similar system, where it offers to pay interest on the SB account balance maintained, which will be linked to a card (like ICICI Bank's Pocket Card). The DBS account, which is accessible through a mobile, works like an interest-earning mobile wallet, besides providing a physical card that can be swiped in POS machines when required. It looks promising but seems to be still struggling with technical hitches.

Today most Bank applications also provide the option to be used like a mobile app for various bill payments. Many of them offer it directly in the main account management app, while some have created add-on apps. One such is HDFC Bank, which has adopted a sister App called PayZapp which can be used for online shopping, splitting bills, recharge of mobile accounts etc. Hence a combination of a traditional Bank account and an app can be used for all requirements. SBI has also released such add-on apps for handling other connected services.

The advent of UPI, including BHIM, has changed the functional convenience when funds are to be transferred from one account to another. There is no doubt that this is more convenient than first transferring money from a bank account to a mobile wallet like PayTM or any other mobile wallet, since there is no need to park idle funds in multiple wallets.

However, sooner or later the preference for convenience has to be weighed by customers against the concern for security. In this context, one may prefer a “Mobile Wallet” instead of a UPI medium such as BHIM because it provides one additional security feature: we park a designated amount in the wallet and do not expose the entire account balance to the app. In the event of a security breach, only the mobile wallet amount may be at risk, whereas in the case of UPI the entire account balance may be at risk.

I therefore consider that apart from the exclusive marketing features that some wallet providers may offer, the ability to segregate the main account balance from the wallet is a huge advantage in the mobile wallets. This alone may be a reason why Wallets will not die.

On the other hand, we may see that UPI app owners like banks, or an interoperable UPI gateway like BHIM, may also have to provide a mobile wallet of their own and try to make other wallets redundant, just as some of the wallet owners start their own Payment Banks or link their wallets to one or the other bank from where funds can be transferred as and when required.

Thus we may see an integration of UPI apps and mobile wallets by both the current UPI-owning banks and the wallet-owning companies, and they will continue to compete on other commercial considerations. Here the private sector players like PayTM will have an advantage over a similar app of a bank.

BHIM, as an interoperable UPI platform, will be a formidable product when it also launches a mobile wallet as an add-on feature. However, it is unlikely that NPCI will be able to match the rigorous security standards which other private organizations may set, and hence a part of the market will continue to favour private sector wallet-cum-UPI apps.

Within the next few months, I expect that the private sector mobile wallet owners will come up with their own consortium gateway to provide an interoperable platform between the different mobile wallets, so that the need to sprinkle small un-remunerative balances across different wallets will not arise. All wallets will link to a common pool account of the customer and they will share revenue from the transactions so that all will benefit.

So the future belongs to an innovative combination of different services, with “Security and Convenience” continuing to be the factors that determine the choice of the consumer.

We look forward to the new evolved wallets to be released by the current competitors such as PayTM, MobiKwik, PayUMoney, Oxigen, Jio Money, MPesa etc. The survivor will be the one who is more innovative than the others.

Naavi


Cyber Alliance of India Formed

A group of Cyber Security volunteers have come together to form a forum called “Cyber Security Alliance of India” with the objective of working on information security issues in the context of the current developments in India.

The alliance has started its preliminary activities in Mumbai and is interested in extending its activities to other centers in due course.

A meeting with industry leaders has been called on 11/01/2017 at the Maharashtra Cyber Project office at 32nd Floor, WTC, Cuffe Parade to take the discussion further.

The alliance was born over a couple of “Chai Pe Charcha” meetings in Mumbai and has the potential of being a positive contributor to the “Security of Digital India”.

Hopefully the authorities will make proper use of the forum which consists of stalwarts in the field of Information Security across the country.

More information will be shared as and when available.

Naavi


Gait Recognition solves the molestation mystery…Good work by Bengaluru Police

Over the last week, the media has been lambasting Bengaluru police for the couple of molestation complaints received during and immediately after the New Year celebrations in Bengaluru. TV channels including Times Now, NDTV, India Today and News X revelled in criticising Bengaluru Police and the Karnataka Home Minister, virtually shaming all Bengalurians as if Bengaluru is a hell for women.

Now it is time for some of these critics to eat their words as Bengaluru police have quickly solved two of the molestation complaints, intelligently applying their Cyber Investigation skills.

Firstly, one of the incidents occurred in the dead of the night, when a girl was returning from a New Year party at 2.45 am. Two boys came on a scooter and one of them forcefully kissed the girl and then threw her down violently.

This incident was investigated by checking the CCTV video and also the mobile tower details to track all the mobiles which were present in the vicinity at the time. Since not many people were around at that time, the number of devices to be tracked was small, and hence the Police were able to successfully identify the mobile owners who were roaming around and arrest them.

The second case was more interesting. In this case, a burkha-clad woman had given a complaint that while she was walking to her work around 6.30 am, she was stalked by a person who kissed her, bit her tongue, and also injured her by trampling her foot, and who later went away after some dogs started barking. This was sensitive since it involved a Muslim woman. The TV critics also commented that the girl was more than decently dressed, that it was morning and not the dead of the night etc., to say that the incident showed that Bengaluru has become a really bad city for women.

Those, including the Karnataka Home Minister, who felt that the first incident and the New Year celebration related disturbances were caused more by the circumstances, in which people were drunk and not decently dressed etc., had to hide themselves because the second incident was completely out of that pattern.

But here the innate intelligence of the Bengaluru Police came to the fore. We are not aware of the individuals who were responsible for this successful investigation, but they need to be commended since they used what is considered an advanced form of “Cyber Intelligence”, namely “Gait Recognition in CCTV footage”.

“Gait Recognition” is the art and science of identifying an individual by the pattern of his walk. It is considered an innovative “Biometric” that can be used to identify people in a crowd using only CCTV footage. In other countries, research is being done on how to develop an identifiable pattern of the “Gait” of a person through video images available in public and thereby identify terrorists in a crowd.

Our Bengaluru police may say that even though they might not have used the technology to the level of analyzing the gait movements through software, they were able to spot visually that the walking style of the alleged offender was similar to that of one of the relatives of the victim, who had also come to the Police station to give a complaint. They also used the mobile records to establish that this person had spoken to the alleged victim minutes before the incident in the early morning hours.

It is now a matter of record that the offender was actually a relative of the girl and that both had enacted this drama of molestation so that they could convince the elders to agree to their marriage, under the pretext that the tainted girl would not be married by anybody else and that this relative (husband of the sister of the victim) could marry her as his second wife by convincing his first wife (sister of the victim) that he was doing a service to the victim girl.

What a great plot!… but very disgusting since in future any genuine complaint by a lady will always be seen with suspicious eyes.

Law enforcers are scratching their heads over how severe the punishment should be for such persons who tried to cheat the law enforcement machinery and brought shame on the entire population of Bengaluru…

Nevertheless, let us not fail in our duty to salute the police personnel, who in all probability could be just a constable in the Police station, who identified the similarity of the walking style of a living person to the one in the crime video and helped in the successful investigation.

Naavi


Will Ravishankar Prasad show the same courage as Mr Modi?

Recently, the Ministry of Communications and Information Technology (MeitY) has come out with a notification under Section 79A of ITA 2008 indicating the norms for notification of a Government agency as an “Electronic Evidence Examiner”, who can be called upon by a Court to certify the authenticity of an electronic document which is available to the Court as “Evidence”.

The eligible organizations are required to make an application with some information about their credentials. All the agencies who may apply now will be Government agencies only.

One of the requirements specified in the “Scheme” for notification is that the applicant organization has to be compliant with two international standards ISO/IEC 17025 and ISO/IEC 27037.

The notification essentially means that if an organization wants its forensic practices to be in tune with what the ministry expects for notification, it needs to first understand what the specifications under these two standards are, then implement the standards, and also call one of the accredited ISO certification agencies to review its processes and give a certificate that it is in compliance with the requirements of these standards.

The specifications are “Proprietary documents” protected under copyright and cost, in Swiss Francs, CHF 138 and CHF 158 respectively (1 CHF = Rs 66.98). Therefore, the documents cost around Rs 20,000/-, which is the minimum investment that any organization has to incur in foreign exchange just to know what MeitY wants. It is a normal practice in ISO documents whereby one standard refers to another and so on, so that many times the user needs to buy several ISO documents just to understand one standard. Then, even if the organization is compliant, it needs to get certified by an accredited ISO organization, for which one has to incur an expense of, say, around Rs 3 lakhs. A part of this goes to the Indian consultant and a part may be royalty that goes to ISO.

In 2011, the then ministry had notified rules under Section 43A which required “Reasonable Security Practices” to be followed by all companies who collect personal and sensitive personal information from the public. This will include all companies today who use Aadhaar information, which means perhaps lakhs and lakhs of corporate entities. The Ministry in its notification almost made it mandatory that all these companies use ISO 27001 standards as the requirement of compliance.

As a result of this notification, which was also placed in the Parliament and was part of the national regulation, a huge benefit running to thousands of crores was potentially passed on to the ISO organization in foreign exchange. When this was pointed out to the ministry officials (refer here), the officials privately agreed that there was no mandate that ISO 27001 compliance could be considered as “Deemed Compliance under Section 43A”, but did not make any change in the notification.

Similarly, the Union Health Ministry recently came out with a notification on EHR standards, which needs to be complied with by all IT companies handling health information as well as all hospitals, pharmacies etc., in which reference was made to around 35 ISO standards. Compliance therefore first required acquisition of all these standard specifications at a cost in foreign exchange.

It is considered absolutely criminal to suggest to Indian citizens that if they want to follow the laws of the country, they need to buy documents from a foreign agency just to know what the law means. By bringing such references into notifications that are placed and passed in the Indian Parliament, the ministries are actually making the legislators also part of this siphoning away of our money.

This practice should stop, notwithstanding the effort required. In the US, the national agency called NIST (National Institute of Standards and Technology) has developed and placed all standards required by the IT industry on its website and allows free download by any person. While the standards are mandatory for the US Government agencies, others can use them as Best Practice. The standard documents are so well written that they are good enough to be followed as a guideline by other countries also.

It is therefore perfectly possible for the Indian Government to completely indigenize the standard specifications by developing our own Information and Information Security standards. It is only in the case of data that needs global mobility that we need to adopt international standards. Some of these may be required in industries such as the healthcare processing industry, where the health data generated in India may have to be processed abroad. Otherwise none of the “Best Practice Standards” need to be imported. Though there is an attempt to adopt some of these standards under local standard organizations and by nodal agencies, the effort is only half-hearted and the standards are not fully adopted.

I therefore urge the Government, and particularly the Ministry of Information Technology, to set up a Committee on IT standards and develop the equivalent of the entire ISO series of standards and the Privacy Standards of various US and EU nations for local use, and publish them as freely available Indian Standards. In order to avoid Copyright Infringement charges, it will be necessary to individually re-write each of the standards in our own words, just as NIST has done, and we need to do this immediately, as we are moving towards the Digital India concept faster than what we earlier envisaged.

The objective should be that all regulatory requirements are codified as “Open Source”, and this should be considered as a “Make in India” project for regulatory standards.

If this is not done, then the payment which we make to buy the standard documents will be considered as a “Tax” levied on Indian citizens to meet compliance with Indian law, which is mandatory.

This is unlikely to be permitted within our Constitution and, if challenged in the Supreme Court, is bound to elicit heated opposition to several of the initiatives of the Government.

Further complications can be avoided if the Ministry of IT moves quickly and adopts a policy of writing all standards of Information Security and Quality under the ISO family as new Indian standards and providing them as open source. Otherwise the Government should pay some compensation to ISO and mandate publication of all the Standards for free public use.

A decision like this can be taken only by a person of the stature of Mr Modi, just as he took the decision on demonetization. Now Mr Ravishankar Prasad has an opportunity to do what Mr Modi did in the demonetization issue. Will he rise to the occasion?

Naavi


Digital Evidence Examiner .. More on the notification..and on “Compliance Tax”

(This is a continuation of the previous article found here)

ITA 2008 introduced a new section, Section 79A, under Chapter XIIA, which reads as follows.

Section 79A:  Central Government to notify Examiner of Electronic Evidence

The Central Government may, for the purposes of providing expert opinion on electronic form evidence before any court or other authority specify, by notification in the official Gazette, any department, body or agency of the Central Government or a State Government as an Examiner of Electronic Evidence.

Explanation:- For the purpose of this section, “Electronic Form Evidence” means any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell phones, digital fax machines.

This section enabled the Central Government to notify any organization belonging to either the Central or a State Government as an “Examiner of Electronic Evidence” (EEV). The objective of this section was to enable a Court to seek expert opinion on electronic evidence before it.

The use of the word “may” instead of “shall” indicates that this was an option. Being an option, it implies that Court proceedings could have gone on, and may still go on, even if an “expert opinion” of the notified EEV is not available.

The doubt that now arises is whether it is mandatory that only notified EEVs can be called as “Experts” and nobody else.

We may note here that under Section 79A, an EEV is an organization and not an individual. However, the one who stands in the witness box and gives evidence is an “Individual”. By defining an organization as an “Expert”, the section enables the notified EEV to send any of its representatives, not necessarily the one who actually conducted the forensic examination of the document, to represent the EEV and confirm the “Expert View”.

There is no provision under Section 79A to notify any “Individual as an Expert Witness in relation to an electronic document”.

Hence the present system of “individual Experts”, persons who have demonstrated expertise in the field to which the evidence belongs (not necessarily one with a degree, diploma or certificate), providing evidence which can be considered as “Expert Evidence”, where the opinion in addition to the fact is also material, will and should continue.

We now look at the documents released by the Government for further comments.

The Notification

The notification starts with a wrong statement: “Section 79A of the Information Technology Act 2000 mandates central Government to notify…”

We need to note that the section does not “mandate” but suggests. This is an important aspect which we should note. As a suggested “option”, the law does not prohibit a situation where there is no “Notified Electronic Evidence Examiner”. Hence even after a few labs are “notified”, others may continue to function.

The notification says that this is an experimental effort in which 3 to 5 labs will be notified, and it has encouraged the eligible bodies in Central and State Governments to apply for notification.

The application form for notification is provided in Annexure II.

The empanelment will require development of a “Quality Manual” in which SOPs and other documents are required to be presented for the following:

  1. Case Acceptance
  2. Handling of Exhibits
  3. Security and Preservation of Exhibits
  4. Analysis of Exhibits
  5. Electronic Evidence Analysis Report Format
  6. Tools and Equipment Testing
  7. Training
  8. Internal audit reports specific to scope Quality assurance
  9. Any other procedure

The department has also developed a 9-page Scheme for Notifying Examiner of Electronic Evidence.

The scheme actually copies the ISO 17025 standard on General requirements for the competence of testing and calibration laboratories and the ISO 27037 standard on Information Technology - Security techniques - Guidelines for identification, collection, acquisition and preservation of digital evidence.

The evaluation process will therefore involve a few ISO auditors chosen by MeitY.

To understand what the Government of India wants its citizens to do on Cyber Security, we are always required to pay a “Tax” in the form of purchasing an ISO document. This has been a principle followed by the DeitY officials during Mr Kapil Sibal’s days. The same process is now being continued during Mr Modi’s regime under Mr Ravishankar Prasad.

Hence, to know more about the Standards, a payment of around 10,000/- or more in foreign exchange has to be made to buy the document, and then the lab has to pay fees to an ISO auditor to certify whether what they are doing is right. A part of this fee will also go out in foreign exchange to the ISO organization as a contribution of the Indian Government.

People like us think this is an unfair “Tax” to be compliant. (Refer my earlier article on the subject here.)

Hope Mr Arun Jaitley will take note that MeitY is introducing its own Tax on digital transactions such as “Compliance to Cyber Law” without the sanction of the budget. Also, the benefit goes abroad. This is an obnoxious practice and needs to be set right as part of the “Make in India” campaign, where all information security standards are indigenized like NIST’s and released free of charge to the public.

I request Mr Ravishankar Prasad or any official of MeitY to clarify why MeitY is not in a position to draft its own standards by consulting NPA or CDAC or even the FBI, as NIST does for the US, and avoid referring, in a Government notification considered mandatory for compliance by citizens of India and departments of the Government itself, to documents which are only available on payment in foreign exchange.

Naavi
