Naavi.org

After the demonetization of Rs 500 and Rs 1000 currency on November 8, 2016, we have all been discussing cashless and less cash digital payment systems. Presently there are several options beyond the Cheques, NEFT, RTGS ,IMPS as well as the “Cards”, in the form of the new generation of  mobile Apps.

While more than 38 Banks have their own UPI s, there is BHIM as a common platform and USSD system to support the Mobile wallets of PayTM and its siblings.

Behind all this the Aadhaar Based Pinless system threatens to engulf all others once it is introduced and accepted.

The Consumer in the meantime is confused as to how to approach the coming digital payment/receipt scenario and which platform to prefer.

While the initial attraction would be to the most heavily advertised, it is necessary for consumers to in due course pick a good option based on some criteria.

It is not easy to pick the right option and even selecting the right criteria and evaluating the several options available.

However the principal factors that Consumers need to see are

a) Convenience

b) Cost

c) Security

Presently, consumers are just learning how to use these Mobile Wallet and UPI apps and hence “Convenience” is in the forefront of selection. Most of the apps require internet connection and a few have now crossed this barrier with the introduction of “Interactive Voice Response”.(IVR). The IVR system of say PayTM scores over many other systems including USSD because of its ease of use and familiarity with the IVR system in the ordinary customer.

Additionally, PayTM has a wider reach amongst the merchants and hence will lead the pack for some time as the preferred Mobile Wallet . Presently PayTM can be linked to the credit card or net Banking of the user so that there can be a seemless transfer of money to the wallet on the fly. Probably it will be linked to UPI and BHIM shortly and also interest may be paid on the balance in the wallet since PayTM is now a Payment Bank.

On the cost front, things are yet to settle down since UPI charges are currently being subsidized by the Government and the charges on the cards are on the flux. Soon, RuPay cards may come on stage as credit cards breaking the monopoly of VISA/MASTER and then the acquiring Banks and Issuing banks may be able to rationalize their charges.

However, as long as the Government does not withdraw the service tax on digital payments, it will continue to be the tax which will keep irritating the consumer and make him delay the adoption.

Presently the Mobile wallets/UPI are not charging the customers directly and hence they appear to be the nearest to cash transactions.

In the coming days, Government may introduce disincentives for Cash and incentives for digital payments and until there is clarity on this issue, Cost remains an enigma in different options.

Last but not the least, the consumers are concerned with the security of the new payment systems. The continued reluctance of RBI to notify the August 11, 2016 circular and the risks of frauds in the use of Mobile based systems continue to be a threat that can upset all the calculations of the “Less Cash Society”. One major scam will push all consumers back to cash usage once the shortage of currency is sorted out.

In the meantime alert consumers would consider

a) Limiting the risk by opting for wallets which donot provide a seemless link to the Bank account (Trading off convenience to security)

b) Avoiding new mobile apps for fear of embedded malware

c) Using Prepaid Physical cards and Prepaid Virtual Cards as substitutes for wallets.

d) Opting to continue to use cash unless forced.

The only way by which RBI and the Government may be able to push greater adoption of the digital payment systems is to be able to reduce the cost of online transactions to such levels where the consumer will feel the benefit and then provide the security back up in the form of either a blanket Cyber Insurance against frauds at the cost of the Banks/Government or the quick implementation of the “Limited liability” concept.

In the meantime, the “Watal Committee Report” has made many recommendations which we shall analyze in the coming articles.

Naavi

Naavi.org has been from time to time bringing to the attention of the public the urgent need for RBI to issue a confirmatory circular regarding the “Limited Liability” it proposed through a draft circular No RBI/2016-17/DBR. No. Leg. BC/09.07.005/2016-17.

In this circular, RBI had stated that

” With the increased thrust on financial inclusion and customer protection as the two crucial pillars of financial stability and considering the recent surge in customer grievances relating to unauthorised transactions resulting in erroneous debits to their accounts/cards, the criteria for determining the customer liability in these circumstances have been reviewed. The revised directions in this regard are set out below.”

The circular further stated that

a) The liability of the customer for unauthorized debits will be restricted and will be “Zero”  in the followign cases.

i)  Fraud/ negligence on the part of the bank (irrespective of whether the loss/fraudulent transaction is reported by the customer or not)

ii) Third party breach where the fault lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding an unauthorized transaction.

Further, there would be limited liability of the customer in following cases.

a) In cases involving negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.

(b) In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer but lies elsewhere in the system and when there is a delay (of four to seven working days) on the part of the customer in notifying the bank of such a transaction, the customer liability shall be limited to the transaction value or ₹ 5000/-, whichever is lower. Further, if the delay in reporting is beyond seven working days, the customer liability shall be determined as per bank’s Board approved policy. Banks shall provide the details of the bank’s policy in regard to customers’ liability formulated in pursuance of these directions at the time of opening the accounts. Banks shall display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank’s policy.

Overall liability of the customer in third party breaches, as detailed above, where the fault lies neither with the bank nor the customer but lies elsewhere in the system, is summarised in the following table:

Time taken to report the fraudulent transaction from the date of receiving the communication	Customer’s liability (₹)
Within 3 working days	Zero liability
Within 4 – 7 working days of receiving the communication	The transaction value or ₹ 5000/-, whichever is lower
Beyond 7 working days of receiving the communication	As per bank’s Board approved policy

In addition, it was stated that

“The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank”

The circular was considered beneficial to the customers since in most cases of frauds, the customer is the victim who has lost money because of reasons beyond his control and hence it is the “Insecure System of Banking” that causes the risk. If the economy benefits by this “Digital banking Systems” then the economy has to bear the cost and not the bank customers.

The circular mentioned that public comments could be sent upto August 31 which indicated that soon there after RBI would confirm the circular as “Operational”.

Unfortunately, months have passed and despite registered notice to none other than the Governor of RBI, the Finance Minister and the Prime Minister, the circular remains to be notified in operational form.

Recently therefore, I had asked an RTI query about the reasons why this circular has not yet been operationalized and I have received the following response

“The feedback/suggestions/comments on the said draft circular received from various stake holders, public are being examined”

The RTI reply is silent on the reasons for the delay.

It is not conceivable that RBI has received such large number of responses that it could not analyze in the last 6 months. They cannot even blame the demonetization on the delay since the demonetization happenned on November 8th and RBI had more than two months time before this to take its decision on the circular.

It is therefore clear that the influential Banks have brought pressure on the RBI not to operationalize the circular since they want to continue to make customers liable for the mistakes of the Banks.

I therefore call upon RBI once again not to hide behind excuses and political statements such as “being examined” and take a bold decision. If it is subservient to the IBA and Banks and cannot over ride their objections, RBI may say so. At least we will then know where our regulator stand in relation to the customer’s interests. If otherwise, RBI is committed to “Safe Banking” in India, they should issue a circular stating that the circular is operative and also make it applicable to all pending disputes between customers and their Bankers as of date.

I wish the media which runs behind non issues such as Jallikattu should ask questions of RBI about the delay. I hope CNBC TV and ET Now as well as other financial channels take it up as their mission to reflect the voices of the customers. Now that Mr Arnab Goswami is still in the background, it is an importunity for other journalists to raise the pitch and ask “Nation wants to know…what is holdign up RBI?”

Naavi

Cert-In has issued an order that suggests that  “Any Individual, “organization” or Corporate entity” affected by Cyber Security Incidents may report the incident to CERT-IN. (Copy of the Order)

However some types of incidents need to be reported mandatorily. The incidents that need to be mandatorily reported are

1. Targeted scanning/probing of critical networks/systems
2. Compromise of critical systems/information
3. Unauthorized access if IT systems/data
4. Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to exerternal websites etc.
5. Malicious code attacks such as spreading of virus/worms/Trojans/Botnets/Spyware
6. Attacks on servers such as Database, Mai and DNS and network devices such as Routers
7. Identity Theft, Spoofing and Phishing attacks
8. Denial of Service (DOS) and Distributed Denial of Service (DDOS) attacks
9. Attacks on Critical infrastructure, SCADA Systems and Wireess networks
10. Attacks on Applications such as E-Governance, E-Commerce etc.

Since the order is being sent to industry associations with an instruction that it should be sent to all major organizations, it appears that this is also meant for the private sector companies (though not specifically mentioned) besides Government departments and corroborates the advertisement that CERT-IN had released recently.

While the intention behind the order is understandable and was under powers available under Section 70B, there is need for more clarity to ensure that the circular is properly interpreted. It was already available under the Section 79 guidelines for intermediaries.

Firstly, the order need to be interpreted as applicable for “Service Providers”, Intermediaries”, “Data Centers” and “Body Corporates” and not to “Any Individual”.

Secondly, the word “attack” could mean both an “attempted attack” and “successful attack.”. Attacks are attempted always on every network and hence it is not possible to report all attempted attacks. The key therefore is to define what is an “Incident”.

Companies may normally define an “Incident” with reference to an adverse event that has the potential to cause either a liability on the organization or disruption of its service.

It is necessary for CERT-In to provide its own definition which is appropriate to its objectives. Otherwise there will be confusion for compliance managers.

Hopefully the clarification would be issued in due course.

Naavi

Recently there was a WhatsApp message that UIDAI is offering a new service to enable an Aadhaar holder to block use of his biometric authentication requests  through a mandatory OTP. The message indicated that the service is provided through https://resident.uidai.net.in/biometric-lock. This would mean that no agency could check biometric of an aadhaar user without his knowledge. (Assuming that an OTP message to the mobile is equal to such “Knowledge”). It was of course a security feature which can be welcomed.

However, on verification, the undersigned flagged the message as “Possible Phishing” on the basis of a couple of observations. The first was that the domain name was registered in the name of an individual and not the organization It was registered with a private sector registrar and not NIC where as the website is actually maintained by NIC . The telephone number did not appear to exist in the directory and e-mails were unanswered.

Further when the SSL certificate for the site was viewed, it was observed that the certificate was not issued by the Indian authorities but a US based private sector Certifying Authority called Geo Trust.

Also the service of locking did not appear to work since no OTP was being generated.

Considering these facts, it was reasonably suspected that the website may be a phishing site.

However, when examined further, it was found that uidai.gov.in was also registered in a personal name and had also obtained its Digital Certificate from Geo Trust. Also an acknowledgement was received from UIDAI authorities that the site is not a phishing site and is in fact genuine. It was also surprising to observe that the main UIDAI site was running in a folder named “beta” indicating that the site was not yet launched properly. For a service on which 1.2 billion Indians are registered and conducting secure transactions of all kinds including payment settlements, it was unthinkable that the site could still be in a “beta”state.

While we leave it to UIDAI to migrate to what it considers as the operating website, we need to raise the issue of

a) Why should a Government Property in the form of Domain Names uidai.gov.in or uidai.net.in be registered in the names of individuals and not the organizations.

b) Why should UIDAI get its Digital Certificate from a US based private agency and not NIC or other licensed Certifying authorities in India which includes CDAC and IDRBT which work in the Government sector.

If Government agencies donot respect the system of “Licensed Certifying Authorities” in India as per ITA 2000/8, why at all the system of licensing of Certifying Authorities exist. Is it a show of no confidence in NIC or other licensed CAs or on the CCA itself? Or is it an “Ego” issue between UIDAI and CCA or NIC?

There is already allegation that UIDAI was constantly using the hardware suppliers from US and compromising the security of the Country. Now even in the matter of digital certificates, this trend seems to continue.

I have heard of the technical arguments that Indian digital certificates throw up an error in the Web Browsers and hence the US certificates work better. But security professionals know that this happens because the root certificates of the CA and CCA are not installed in the browser by default and hence the errors do come up.

Government of India needs to persuade the browser manufacturers to incorporate the necessary root certificates as an OEM configuration and not allow Government agencies to bypass the security by allowing a foreign agency to hold the decryption key to be able to observe all transactions that happen in the UIDAI system.

I look forward to the CCA, the Ministry of Information Technology, CERT-IN, the Ministry of Home Affairs and the PMO to clarify their stand on this issue.

Comments are welcome

Naavi

There is an exercise going on in Delhi to modify ITA 2008. Last time when ITA 2000 was amended, the trigger was the Bazee.com case where the CEO of baazee.com (now ebay.in) was prosecuted under Section 85 of ITA 2000 read along with Section 67 of ITA 2000. This time, the trigger is the scrapping of Section 66A by the Supreme Court.  In 2005, the DeiTy had set up an “Expert Committee” which consisted of industry leaders who tried to keep the “intermediaries” out of the liability under Section 79. Unfortunately, the committees recommendations were over ruled by the Parliamentary standing Committee which was more sympathetic to the security needs of the law enforcement in the aftermath of the Mumbai terror attack.

This time, MeiTy has set up an internal committee which is going through the amendments. Since it is headed by Mr T.K.Vishwanathan who was the original person involved in the drafting of ITA 2000, we expect that the amendments would try to balance the requirements of the law enforcement and the industry.

Naavi has been expressing his views on the law from time to time on this blog and some of those views have been critical of the interpretation of the law. Hopefully the committee would take some of these suggestions into consideration along with many suggestions which were made in 2005-2008 period which were conveniently ignored by the then “expert Committee” whose sole agenda was “How to bail out baazee.com”.

Now, considering the requirements of amendments, there are a few suggestions that Naavi.org has and are put up here for comments by the public and for the consideration of the committee.

The views expressed here in below are basically on Chapter XI. There are more suggestions which may be released from time to time for records whether they are considered relevant or not by the committee.

I welcome comments of the public on these suggestions.

Some Suggestions:

1. Section 65

This section is often mis-interpreted by Police and several cases have been filed under this section instead of under Section 66.

The reason is that the title of the section uses the term “Tampering with Computer Source Documents”.
“Computer Source Code” is a term used in the IT community for the document that records the “Computer Commands”.

[“Computer Command” itself means “Any instruction meant to be fed into the processor of a computer device (which term includes mobiles and other information processing devices) with the intention of influencing the behaviour of the  Computer, Computer network, computer resource including the connected devices.]

However, when looks at the section closely, it appears that the section was drafted with a different implication since it referred to only “Computer Source Code that is required to be maintained in law for the time being” and also defined the term in the explanation to include certain documents other than the Computer Commands”.

In its present form Section 65 refers to any electronic document (including the computer commands) which is legally required to be kept for a certain time under some law. It therefore provides for protection of “Evidence” and has a close relation to the data retention aspects included in Section 67C.

In one of the cases, Naavi interpreted that the CC TV footage recorded by the camera should be interpreted also as a “Computer Command” since when fed into the video player, the recording displays images. It was therefore argued that the wrongful deletion of a CCTV footage which was known to be an “Evidence” in a registered “Cognizable Offence” should be considered as a Section 65 offence since “Deletion of Evidence” is an offence under IPC.

It is therefore suggested that the title of the section can be changed to

“Tampering with electronic documents required to be preserved under law”

2. Section 66

This section has a wide scope for interpretation since it uses inter-alia the term whoever “diminishes the value or utility of information residing inside the computer or affects it injuriously by any means”.

Since Section 66 is interpreted along with Section 43 for the identification of criminal acts and IPC for the interpretation of the motive, it is amenable for mis-interpretation.

The Karnataka Adjudicator in one of his decisions (challenge pending in an appeal at Cyber Appellate Tribunal) interpreted that the word “Person” used in Section 43 must be restricted to an “individual” and hence no Body Corporate can invoke Section 43 as a complainant nor a Body Corporate can be made a respondent under Section 43. As a result the scope of Section 43 was reduced to only a “individual to individual dispute”.

This also reduced the scope of Section 66 when it is interpreted in the light of this adjudication award.  In the current situation, any accused who is being prosecuted in Karnataka under Section 66 on a complaint by a corporate entity, can defend himself that the offence is not recognized under Section 66 as per the decision of the Adjudicator of Karnataka who has a status equivalent to that of a Civil Court. Though this may not be “binding”, it could sufficiently dilute the criminal charge.

Though this was only an error of one Adjudicator, a further confusion of this nature can be avoided by incorporating the definition of “Person” in the definition clause itself to be in tune with the General Clauses Act.

Accordingly a sub section can be introduced under Section 2 stating

2(1) (…) “Person” means and includes any company or association or body of individuals, whether incorporated or not;

Also the words “By Any Means” are used in several places in the Act including Section 43 (f), 43(i).

An explanation may be added either under the section 43 or elsewhere to state

“By Any Means” includes contraventions committed through means other than the use of “electronic documents” or “electronic signals”, “electronic form”

3. Section 43 linked to 66:

Under Section 43(b), there is some confusion as to the conflict with the Copyright Act which needs to be set right.

Under this section, “Unauthorized Copying” of data is a contravention for which there is a civil liability under Section 43 and a criminal liability under Section 66. This is sometimes mis-understood as a “Copyright Protection” .

However this section addresses issues of “Unauthorized Copying” without the permission of the owner of a Computer, Computer System or Computer network and does not refer to permission from an “Author”. It is not meant to protect the rights of an “Author” which is the objective of Copyright Act.

If a person downloads any material with the permission (active or passive) from the owner of a computer, computer system or computer network (which definition should also mean a website hosting facility) then he is not contravening Section 43.

If the owner of the content has any objection under “Copyright”, it is for him to take up the issue separately with the “Permission Giver” for necessary disclosures or lack of disclosures under the terms and conditions associated with the website.

Also if any owner of a computer system has an objection to such “copying”, he should incorporate his own technical measures (eg: disabling of right click of a mouse) or notice to inform the viewer that the viewer is permitted to read and assimilate the content but not authorized to copy or download (subject to exceptions permitted as fair use in the copyright act).

In order to prevent frivolous copyright charges being made on the basis of downloading of free content floating around the web, there is a need to provide a clarification so that visitors of websites who incidentally copy the content onto a “Cache” or an “Offline Browser” or for any other legally permitted purposes including “Evidentiary requirements” or in what is prima facie a “Fair use” under copyright legislation, are not harassed with copyright litigation.

In the past we have seen the obnoxious practice of “Hyper link providers” being hauled up for copyright infringement under the flimsy grounds of “Contributory Infringement”. These excesses need to be prevented by inserting a suitable clarification into Section 43 or otherwise as an exception under Section 79.

Under Section 43 an explanation it can therefore be added that

“Provisions of subsection (b) above in respect of content hosting devices, relate to the permissions granted by the content hosting device and does not relate to any permissions to be obtained or otherwise from a Copyright owner the content per-se”.

“Mere provision of hyper links to content in a website or a search engine or index of content with or without a brief description of the content is not to be construed as copying or downloading or extracting data under this section.”

4. Definition of Cyber Crime -Section 2 (1)

In the police circles there is always a discussion on what is “Cyber Crimes”.

One of the popular definitions is the adaptations of the FBI definitions that “Cyber Crime means any offence where a Computer is a tool or target of crime”. This definition is restrictive and does not reflect the intentions behind many sections of ITA 2008 including 43(f), 43(i) indicated above as also 43 (d), 43(e), 66 E etc which indicate that contraventions committed with “Devices” that may not be “Computers” is also brought under the provisions of ITA 2008.

Though the definition of what is a “Cyber Crime” is an academical aspect, it often becomes the reference to define the scope of notifications and jurisdiction of police stations.

Also there could be confusion on whether a “Cyber Crime” definition is restricted to crimes in the Internet or also extends to crimes involving air gapped systems and information storage devices.

Hence it is suggested that a definition of Cyber Crime can be inserted in the definitions clause to the following effect.

2 (1)(….) “Cyber Crime” means and includes any contravention of law where an electronic record is a potential or intended target or tool and includes offences committed with the use of a network device or not.

5. Section 66A

Section 66A was scrapped by Supreme Court in March 2015 as it was felt that some of the provisions of the section were infringing the constitutional right of “Freedom of Speech”.

The Government did not challenge the verdict which was built on disputable interpretation of the section and correcting the legal hole created by the removal of this section is one of the reasons for which the act is being amended now.

Section 66A addressed certain issues related to “Sending Offensive Messages through Communication device”. Such messages could be sent as an SMS or MMS or E-Mail from one person to another, one person to a group of persons (eg : WhatsApp) or to a server.

A message sent to a “Server” or to another “person” could be dealt with by the addressee in a manner he thought fit which included further distribution or publishing in a website including a “Face Book Page”, “Twitter Page” or any other “Message Board”.

The action of the addressee when he received the message determined the further consequences arising out of the original message leading to “Defamation” or other offences.

While the original message sender was responsible for the direct consequences to the receiver, unless he had urged the receiver to further distribute the same, it was unfair to hold him liable for the actions of the recipients which were “Not authorized” by the original sender.

The provisions of Section 66A before it was scrapped addressed the adverse consequences of a message for the receiver such as “Being grossly offensive”, “Being menacing” “Causing harassment”, “Causing Annoyance”, “Criminal intimidation”, etc as well as “For deceiving”, “Misleading as to the origin” etc. For “harassment”, “annoyance” etc, it was also necessary for the message to be sent “persistently” and an odd message could not be considered as an offence.

However, the honourable Supreme Court was mislead to believe that this section had the “Chilling” effect as to obstruct “Freedom of expression” and it would criminalize publication of “Any Information” whether it was scientific, educative etc. This was not a correct interpretation and hence the scrapping of the Section 66A was unjustified.

By scrapping Section 66A, offences such as “Spamming” (persistently sending e-mails and causing annoyance), Cyber Bullying/Cyber stalking (Persistently sending e-mail or SMS to harass, intimidate or otherwise annoy the recipient”, Phishing (sending e-mail or SMS messages with a false originator’s identity” were all taken out of the Act.

Subsequent to the scrapping there have been many instances where the Police have found themselves handicapped without appropriate provisions in the law to book cases where the above offences were committed.

Even Supreme Court itself in a subsequent case (Refer here). In particular we can recall that one suicide in Salem in which a girl was harassed with WhatsApp messages and another suicide in Bangalore where another lady got conned by false e-mail messages could be linked directly to the non availability of an appropriate deterrant in the ITA 2000/8 after the scrapping of Section 66A.

Now there is a need for reintroducing all these provisions without being considered as a violation of the Supreme Court judgement in the Shreya Singhal case. There is a need to do this in a manner that the egos of people behind the Sheya Singhal case are not hurt as otherwise they will launch another assault on the new provisions also.

It is suggested that the following changes are made to accommodate this.

a) In the definition clause introduce a distinction between “Publishing” and “Messaging” by mentioning as follows.

2(1)(…..) “Messaging” in the context of an electronic content means sending information from one communication device to another through e-mail, SMS, MMS or other means where the sender intends that the message is read by the designated recipient and includes content sent to a computer device which is programmed to further process the information in any manner by the administrator of the device without being placed for public access as “Publishing” as defined elsewhere under this Act.

Explanation: “Messaging” does not include “publishing” as defined elsewhere in the Act.

Where a “Message” is “Published”, the two actions are distinct and separate and “Messaging” ends where “Publishing” begins.

2 (1) (…) “Publishing” in the context of electronic content means placing of information so as to be accessible by a member of the public and does not include content made available to a designated person through an e-mail or an SMS or other communication devices where the information delivery is restricted to the recipient or to a designated community and accessible only on the basis of an intermediary service involving “Subscription” or “Membership”, controlled and managed by an “Administrator”.

Explanation: “Publishing” does not include “Messaging” as defined elsewhere in the Act.

b) New sections to be introduced under Chapter XI to include the offences of Cyber Bullying, Cyber Stalking, Spamming, Phishing, Causing annoyance to the recipient of a message etc as briefly indicated below.

Suggested New Section 66G:

Offenses related to “Messaging” Not amounting to “Publishing”

Any person who sends a message

a) Which in the opinion of any person of ordinary prudence is likely to cause fear or mental disturbance in the receiver,
b) Which the sender knows to be false but repeatedly sends with an intention to cause annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill-will
c) Which is intended to deceive the receiver as to the origin of the message or its content
Shall be punishable with imprisonment for a term which may extend to three years and with fine.

6. Cyber Terrorism

Section 66F is one section in which there is provision for “Life Imprisonment” and hence should be analysed carefully to check if there is a provision for misuse. Also there is a need to define the term “Cyber Terrorism” properly since it is likely to be a subject matter of discussion in international fora for extradition requests and treaties.

The present section 66F is not considered as properly drafted and needs a major overhaul.

Presently the definition of what constitutes Cyber Terrorism falls into two categories.

Category A requires that

1. there should be motive of

a) threatening the unity, integrity, security or sovereignty of India
b) Striking terror in the people or any section of the people

2. The offense should involve one of the following three means

a) Denial of access
b) Unauthorized access
c) Introduction of virus

3. The effect of the above should result in

a. Cause death
b. Damage or destruction to property
c. Damage or disrupt supplies or services essential to the life of the community
d. Adversely affect the critical information infrastructure designated as “Protected system”

Category B defines obtaining unauthorized access to information restricted for reasons such as

a) Security of State or Foreign relations
b) Likely to cause injury to the sovereignty and integrity of India, the security of the state, friendly relations with foreign states
c) Likely to cause injury to the interests of public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence,
d) or to the advantage of any foreign nation, group of individuals or otherwise

There is a need to modify this section so that the definition of “Cyber Terrorism” is universal and not dependent on just three types of attacks (though they may be comprehensive). It is also necessary to remove offences which donot qualify to be called “Cyber Terrorism” to be brought under this section as there is a high degree of mis-use of this section.

Though some may argue that since 27th October 2009 when this section became operative, there is no reported case of mis-use of this section, the possibility of this section being mis-used is extremely high once vested interests sense the power of this section.

Hence there is a need for complete revision of this section by deleting the entire section and rewording it. One of the suggestion is as follows.

Section 66F (suggested)

Whoever

Uses a Computer, Computer Resource, Computer Network, Communication Device or any associated device or an Electronic Document

by any means including unauthorized access, alteration, deletion of information, denial of access, diminishing the value or utility of any information residing inside a computer, computer device or computer network

with an intention to

threaten the unity, integrity, security of India or to strike terror in any section of people, or to create destabilization of the economy or any segment there of, intimidate or coerce a government, the civilian population, or any segment thereof, or to create disharmony in the society,
in furtherance of any dishonest or fraudulent objectives including financial, political, religious or social objectives

shall be liable for imprisonment which may extend to imprisonment for life and fine.

This open definition ensures that “Cyber Terrorism” is recognized even when non Governmental resources are under attack, even when the attack is not related to physical death, removes contentious words such as “Public Order” “Defamation” etc which can be abused and “Contempt of Court” which is not within the domain of this section.

Where there is a “Contempt of Court” in pursuance of a politico-religious objective, it can still be covered under this modified section.

7. Section 67B

ITA 2008 split the original section 67 available under ITA 2000 into three sections all addressing the problem of “obscenity”. Section 67 and 67A were restricted to “Publishing and Transmission” while 67B addresses more than Publishing and Transmission in the context of “Child Pornography ”.

However, Section 67B has criminalized “Viewing” of content which depicts children engaged in sexually explicit act or conduct.

Since whether the actors of a video are minors or not is not easily ascertained and also since videos in which minors are involved may pop up during a normal browsing session some times without any intentional act of the viewer, it is unfair to make “Viewing” as an offence which imprisonment of upto 5 years and fine upto Rs 10 lakhs.

Despite the good intentions behind this section, it is easily amenable for abuse.

Hence this section should be modified and it is suggested that sub section 67(B) (b) should be modified as under.

Suggested Section 67B (b)

creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner or

8. Section 67C

Presently there is no notification under Section 67C though it was used to introduce the digilocker service. This section was meant to enable evidences to be preserved for the requirements of the law enforcement.

There is need to operationalize the section by defining that

“ All information in the hands of an intermediary that has evidentiary value in respect of a dispute whether of civil or criminal nature,  such as a disputed content, traffic data, log records, messages, e-mails etc are preserved for a minimum period of 3 years. In the event an evidence is part of a criminal investigation or declared evidence in a civil proceedings, such information shall be preserved in an evidentiary archive with suitable security to preserve it for a period of 10 years ”

This can be notified as a rule under the section and there is no need to amend the Act.

9. Section 69/69A and 69B

The rules under these sections need some revision to clarify the need for “Nodal Officers/Compliance officers” in a private sector environment.

No specific change is recommended in the Act.

10. Chapter XIIA: Digital Evidence Examiners

Under ITA 2008, a provision was made to enable the notification of “Examiner of Electronic Evidence” to assist the Courts. Presently there is a rumour that the Government will notify some of the Central and State Forensic labs as “Digital Evidence Examiner” under this section.

While this was long over due, this notification should not mis-read the section and introduce provisions which are ultra-vires the Act.

At present there is no need to suggest any amendments to this section.

However, it must be clarified

” that notification of an agency under this section for providing “expert opinion” is without prejudice to any of the right of a party to a dispute to counter the evidence produced by these agencies in a judicial proceeding.”

11.Section 80

One of the contradictions introduced by ITA 2008 is regarding the “Power to Arrest without Warrant” as discussed in Section 80.

Though ITA 2000 had stated that the Act would over ride the provisions of CrPC wherever there was a conflict and defined the Power to Arrest without a warrant specifically under Section 80, ITA 2008 proceeded to define “Cognizability” separately in tune with the CrPC.

Section 80 provided the “Power to Arrest without warrant” to Police officers of the rank of Inspectors (as per ITA 2008) as well as any officer of the Central or State Government notified by the Central Government, without reference to the “Period of imprisonment” but only on whether the offence was reasonably suspected to have been committed or of being committed or about to be committed in a “Public Place”.

The new provisions under ITA 2008 however provided the power to arrest without warrant only for offences in which the period of imprisonment was 3 years or more.

As a result under Section 77B, “Powers to arrest without warrant” for a police officer can be claimed only in offences where the punishment is 3 years or more. The earlier provision which is still available under Section 80 provides the same powers which can be exercised for all offences in a public place.

These contradictions may be removed by making a minor modification in Section 80 with a reference to Section 77B.

It is therefore suggested that Section 80 (1) may be modified as follows:

Notwithstanding anything contained in the Code of Criminal Procedure, 1973, and in Section 77B of this Act, any police officer, not below the rank of a Inspector or any other officer of the Central Government or a State Government authorized by the Central Government in this behalf may enter any public place and search and arrest without warrant any person found therein who is reasonably suspected of having committed or of committing or of being about to commit any offence under this Act

Additional Offences that may be considered for inclusion

(…) Sending Unsolicited Electronic Messages:

Except under a valid Bulk E-mail license from an appropriate authority

Whoever,

1) Sends or causes to send an unsolicited electronic message/s of any description with a source identity that is not disclosed, or
2) sends or causes to send an unsolicited electronic message/s of any description after the addressee has duly notified him of his intention not to receive such communication as prescribed under this Act, or
3) Except under an express consent of the recipient, sends or causes to send an electronic message/s of any description containing information that is obscene or offensive, that may defraud or is intended to defraud, that may cause or is intended to cause distress, that may break or is intended to break any law in force or that may otherwise create disharmony in or harm to the society or cause harm to the integrity of the nation and friendly relations with other countries,
shall be punishable under this Act with any or all of the following
a) Payment of compensation or damage to each of the person/s affected by the offence subject to a maximum of Rs 1 lakh per person.
b) Imprisonment subject to a maximum of Two Years
c) Fine subject to a maximum of Rs 2 lakhs

Notwithstanding the punishment or penalties mentioned above, if the offence as defined under (..) above results in or is intended to result in an act that is an offence under any other law in force, the offender shall also be liable for punishment or penalty to which the offender is liable under such laws.

Provided however that if any message is caused to be transmitted by mistake of fact or due to technological factors beyond the reasonable control of the person in whose name the message is sent, no offence would be recognized if such a person proves that the message was sent without his knowledge and he had exercised all due diligence to prevent commission of the offence.

Explanation:

For the purpose of the section (..) above,

a. the disclosure of source identity is considered sufficient if a reply can be sent to the disclosed source address and such reply does not bounce.
b. an addressee may communicate his intention “not to receive” a communication through a digitally signed message or in any other manner that may be laid down for the purpose and unless specified, such notice shall expire after 3 months.
c. the unsolicited message shall be admissible as evidence in a Court of law even if it is not digitally signed.
d. the intermediary who causes the unsolicited messages to be transmitted shall also be liable under the Act as if the offence was committed by them unless he proves that the offence was committed without his knowledge and the intermediary had exercised all due diligence to prevent commission of the offence.
e. a message is considered “solicited” if it may be inferred from the conduct and existing business or other relationship of the recipient that he consented to such messages being sent to him.
f. “Express Consent” in sub clause (3) means only a consent obtained through a manually entered affirmative expression.
g. “Appropriate Authority” for the purpose of this section shall be the “Controller of Certifying Authorities” or any other authority specifically designated for the purpose by an order of the Government of India.

Cyber Squatting

“Cyber Squatting” is related to “Trade Mark Rights”. Further, any law passed on “Cyber Squatting” in India will interfere with the “Uniform Dispute Resolution Policy” which is a contractual obligation to which all domain name registrants are presently subjected to. It will also affect the rights of Indians who have to face charges of “Squatting” in respect of international generic domain names such as dot com, dot org etc.

Any law attempted here should therefore be such as not to unduly create a harassment of Indian Citizens.

It is suggested that a Section may be introduced in Chapter IX to the following effect:

(..)Whoever, in bad faith and with the intention to cause disrepute, harm to another person or cause disruption of any legitimate business or cause confusion in the minds of the public, who having regard to the circumstances, are likely to be influenced registers a domain name
shall be liable to pay damages to the person so affected not exceeding Rs 10 lakhs
and for the purpose of this section, a person not being a resident of or a citizen of India shall also be liable even if no computer or computer system located in India is used for the contravention.
Explanation:
For the purpose of this section exercising of due diligence including appropriate disclosures shall be considered as indications of good faith.

(More suggestions may follow)

Naavi

Recently there is some discussion on whether in the current context of multiple digital payment systems being in place, the “Mobile Wallets” have lost their relevance.

Economic Times carried an article recently  which declared “Here is why the flavour of the season..mobile wallets will die” .The argument was that in the long term systems like UPI stand a better chance as they enable direct transfer from Bank accounts to pay. The lack of “Inter operability” of mobile wallets was one of the reasons cited why people may opt out of mobile wallets. Lack of interest on wallet balance was another reason quoted by the article.

The article quoted PayTM owner Mr Vijay Shekar Sharma stating that they will soon start focussing more on “PayTM account” after which PayTM wallet will become a tool to operate the account. Then the interest may be payable on the main account balance. This is possible because PayTM has received the Payment Bank license and can accept deposits upto Rs 1 lakh.

Presently the Singapore based Bank DBS operates a similar system where it offers to pay interest on the SB account balance maintained which will be linked to a card (like ICICI Bank’s Pocket Card). The DBS account which is accessible through a mobile works like an interest earning mobile wallet besides providing a physical card that can be swiped in the POS machines when required. It looks promising but seems to be still struggling with technical hitches.

Today most Bank applications also provide the option to be used like a mobile app for payment for various bill payments. Many of them offer it directly in the main account management app while some have created add on apps.  One such is HDFC Bank which has adopted a sister App called PayZapp which can be used for online shopping, splitting bills, recharge of mobile accounts etc. Hence a combination of a traditional Bank account and an app can be used for all requirements. SBI has also released such add on apps for handling other connected services.

The advent of UPI including the BHIM has changed the functional convenience when funds are to be transferred from one account to another. There is no doubt that this is more convenient than first transferring money from a bank account to a mobile wallet like PayTM or any other mobile wallet since there is no need to park idle funds in multiple wallets.

However, sooner or later the preference for convenience has to be weighed by customers with a concern for security. In this context, one may prefer a “Mobile Wallet” instead of an UPI medium including BHIM because, it provides for one additional security feature where we park a designated amount into the Wallet and donot expose the entire account balance to the app. In the event of a security breach, while only the mobile wallet amount may be at risk, in the case of an UPI, the entire account balance may be at risk.

I therefore consider that apart from the exclusive marketing features that some wallet providers may offer, the ability to segregate the main account balance from the wallet is a huge advantage in the mobile wallets. This alone may be a reason why Wallets will not die.

On the other hand we may see that UPI app owners like Banks or an inter operable UPI gateway like BHIM may also have to provide a mobile wallet of their own and try to make other wallets redundant just as some of the wallet owners start their own Payment Banks or link up their wallets to one or the other Banks from where funds can be transferred as and when required.

Thus we may see an integration of UPI apps and Mobile apps by both the current UPI owning Banks and Wallet owning companies and they will continue to compete on other commercial considerations. Here the private sector players like PayTM will have an advantage rather than a similar app of a Bank.

BHIM as an inter operable UPI platform when it also launches a mobile wallet as an add on feature will be a formidable product. However, it is unlikely that NPCI will be able to match the rigorous security standards which other private organizations may set and hence a part of the market will continue to favour private sector wallet cum UPI apps.

Within the next few months, I will expect that the private sector mobile wallet owners will come up with their own consortium gateway to provide for an interoperable platform between the different mobile wallets so that the need to sprinkle small un-remunerative balances in different wallets will not arise. All wallets will link to a common pool account of the customer and they will share revenue from the transactions so that all will benefit.

So the future belongs to an innovative combination of different services with “Security and Convenience” continue to be the factors that determine the choice of the consumer.

We look forward to the new evolved Wallets to be released by the current competitors such as PayTM, MobiQuick, PayUMoney, Oxygen, Jio Money, MPesa etc. The survivor will be the one who is more innovative than the others.

Naavi