Domain Name Regulation in ITA 2000..to be amended

This is a continuation of our discussions on proposed amendments to ITA 2000 presently under consideration by the T.K.Vishwanathan Committee. For further discussions henceforth we shall refer to the proposed amendments as ITAA2017(p) and the new Act as ITA2017(p).

The ITA 2000 pursued the objective of E Commerce promotion by providing legal recognition to Electronic Documents and the method of authentication through Digital Signatures. It also addressed some aspects of Cyber Crimes which were expanded in 2008 along with more on compliance requirements.

However, neither ITA 2000 nor the 2008 amendments looked in any way at the regulation of the “Domain Name”, which is the key property of any E-Business. Additionally, today we see a number of Cyber Crimes being committed through fraudulent websites whose domain names are registered so as to cheat the public, with the registrant’s information hidden under the false pretense of “Privacy” and ownership often determined more on the basis of “Trade Mark registration” than any other logical consideration.

Naavi has been in the forefront of the debate for the concept of “Resolving Confusing Domain Names through a system of a trusted third party disclaimer” (Refer: lookalikes.in). The idea here is that if two persons have legitimate interests in a particular domain name and there is neither an attempt to cheat the public by “passing off” a service as similar to a more popular service nor an attempt to cause confusion and obtain undue advantage thereof, then we should allow the two otherwise similar domain names to co-exist with disclaimers on both sites, preferably corroborated by a trusted third party.

What presently happens is that a genuine person who wants to start a business under a domain name will never get a name which is free of disputes because every name will be similar to some name already registered elsewhere in the world. The very system of ICANN allowing multiple TLDs means that different entities may hold the same name in different TLDs if they have a reason. Today one company cannot register all domain names in all the 200 plus extensions that are available, and companies therefore allow others to register the names and then hound them like prey. The UDRP process and the INDRP process are heavily skewed towards the more wealthy disputant and holder of a trademark.

In the US, the Anticybersquatting Consumer Protection Act (ACPA) provides some protection to domain name owners in addition to the remedies provided under the UDRP, though even this law favours the US trademark owners. In India we do not have a similar law.

In many cases, the disputes are raised after a business builds up a brand value in a domain name since when the domain name is registered, no registrar alerts the registrant about the possibility of a challenge coming up later. Both the registrars and the ICANN make money by letting people register names which are patently undefendable if challenged by the earlier registrant of a similar name.

At the same time, those who want to register phishing domain names are not concerned with either the trademark law or the Cyber squatting law and register patently confusing domain names.

Thus the current system does nothing to prevent fraudsters and only hurts genuine registrants who pick up an available name because it suits them for promoting their business without any intention of taking advantage of the existing brand name owned by somebody else.

ITA 2000 as proposed for amendment should therefore try to provide a solution in this regard. The suggestions I have in this regard have been discussed in detail several years back on this site (see the old articles under the link “Old Posts”). It is time for others to add their views to the debate. In short, my suggestions are:

a) Given the existence of a number of options for the TLDs in the generic and CcTLD type it is not possible to prevent registration of names which may be in conflict with others.

b) The use of “Internationalized domain names” in different languages such as Hindi or Chinese, and the phonetic similarities which are also a cause of action in trademark disputes, make the current system of allowing registration of any domain name without the registrant being checked at the time of registration completely unacceptable.

c) The system of “Registering a Lookalike Domain Name” with a disclaimer publication was suggested so that the affected domain name owner can object if there is a real need but genuine registrants would feel safe to develop their brand in an otherwise risky domain name.

d) The practice of hiding the name of the registrant of a domain name in the disguise of “Privacy” should be discouraged and eliminated since it puts a barrier on quick investigation of frauds.

e) The registrars should be considered liable (Even now they are liable under Section 79 of ITA 2000/8 as intermediaries but this is rarely recognized) for any frauds where the registration of a fraudulent domain name was used as a tool of cyber crime.

Incorporating the above requirements we need to develop a new system of domain name registration initially within the jurisdiction of India and provide protection to the Indian registrants with the concept of the “Regulatory Gateway” discussed in the earlier article.

In our first article on the modifications, we suggested introduction of the following section in Chapter XI..

(..) Whoever, in bad faith and with the intention to cause disrepute, harm to another person or cause disruption of any legitimate business or cause confusion in the minds of the public, who having regard to the circumstances, are likely to be influenced registers a domain name shall be liable to pay damages to the person so affected not exceeding Rs 10 lakhs and for the purpose of this section, a person not being a resident of or a citizen of India shall also be liable even if no computer or computer system located in India is used for the contravention.
Explanation:
For the purpose of this section exercising of due diligence including appropriate disclosures shall be considered as indications of good faith.

This could be a starting point to develop the appropriate penalties either in the form of civil penalties only or with a criminal punishment also.

I leave it for further discussion by the T K Vishwanathan Committee.

Naavi

P.S: 27/10/2017: A case similar to the case of cgtmse.govt.in, where a fraudulent website in the name of the Government was run to cheat the public, has been reported again in the name of nmcsm.in (See here).

This highlights the need for making domain name registrars liable for the irresponsible registration of domain names. Simultaneously it also highlights the need for Government websites like UIDAI to follow certain domain name registration policies which provide confidence to the public that the sites are genuine…as pointed out in an earlier article.

Posted in Cyber Law | Leave a comment

Need for a Regulatory Gateway

Thinking about the proposed amendments to ITA 2008, my attention was today drawn to the “General Data Protection Regulation (GDPR)” which is the new Data Protection Regime being promoted by the European Union. Europe is known to be in the forefront of protecting the “Privacy” of individuals and has often crossed swords with even the US when it comes to enforcing its Data Protection Regime in the information world.

The GDPR which is replacing the EU Data Protection regulation of 1995 has already come into existence with its adoption on 27th April 2016 and application from 25th May 2018 after a two year transition period.

The GDPR attracts attention across the globe and particularly the Indian community in view of its unrealistic penalty regime and the arrogance with which it is sought to be enforced.

For example, it is proposed that “Non Compliance” could result in penalties of up to 4% of Global Turnover of a company or €20 million (approx Rs 146 crores), whichever is greater. The regulation applies if the data controller or processor or the data subject is based in the EU. If the regulation had used the term “if the data controller, the processor and the data subject” are all based in the EU, it would have been a reasonable regulation. But expecting the regulation to be applicable to companies outside the EU is inviting international litigation that could cause extreme disruption in global business.

Indian IT Companies should be more worried about this than the changes in immigration laws that may be brought in by the new US President.

Even if there are any doubts about the jurisdiction of EU Courts on non EU country resident companies, it is evident that contractual obligations between EU Companies and the non EU entities will hoist liabilities and indemnities for non compliance and hence if any Indian Company wants to do business with EU countries involving processing or storing or transmission of personal data from the EU residents, GDPR would be considered applicable. Hence the 4% Global turnover  penalty will loom large on such companies.

This tendency of one country trying to impose its law on another country is most relevant for the borderless Cyber Economy. We have seen how the US has imposed its jurisdiction on Dmitry Sklyarov of ElcomSoft and innumerable litigations on cross border Cyber crimes. While the need for controlling Cyber Crimes and Cyber terrorism has established the need for cooperation between multiple countries with or without underlying treaties, there is a tendency in the IPR and Data Protection regulation to use the international jurisdiction to unreasonable levels.

GDPR is emerging as the next threat in this direction.

I therefore urge the ITA 2000 amendment committee to recognize that we cannot allow unrestricted international hegemony to play over the Indian regime and threaten the growth of E Business in India.

I therefore propose that in the new ITA 2000, a proposal is made to establish an “International Cyber Law Regulator for India” who will be the sole authority to adjudicate if in any specific instance international jurisdiction should be allowed. This regulator needs to work as a gateway to ensure that unreasonable international regulation does not hurt Indian interests while at the same time not preventing any reasonable compliance regulations promoted by international organizations from being complied with even in India.

The authority should register Indian players who would like to be protected under any international regime passing laws that may affect the Indian entities and manage the information flow in respect of all “Compliance related regulations”. At the same time, it should be mandated that any international organization that wants to take legal action against an Indian Citizen or Organization should have first registered their international legislation with the authority and obtained its consent to make it applicable to Indians and also route any complaints of non compliance entirely through this regulator.

This regulatory authority can be a multi member authority and not the CERT IN. It should have people who know Cyber law and International Law  besides Technology and the compliance regime.

This authority would be a protective umbrella that provides some relief to the Indian entrepreneurs to focus on their business rather than watching over their shoulders for all the international laws, many of which are only meant to be self serving for the advanced countries to build their colonies of influence using information technology as an excuse.

Naavi


Drawing the attention of T K Vishwanathan Committee on ITA 2000 amendments

The T K Vishwanathan Committee on ITA 2000 amendments is presently working on amendments to the ITA 2000. ITA 2000 was notified with an intention to “Enable and Promote E Commerce”. However, the amendments of 2008 shifted the focus from E Commerce Enablement and Promotion to “Information Security”.

Now the proposed 2017 amendments may have to keep in mind both E Commerce promotion as well as Information Security. However, there is a need to enlarge our focus and recognize that “Computer” and “Information” have acquired a much larger meaning in 2017 than they ever had and hence the thrust of the law should also shift its focus.

The theme of the ITA 2017 (proposed) should be to “Enable”, “Promote”, “Regulate” and “Secure” …. “Digital India” as it emerges.

The “Digital India” that we need to Enable, Promote, Regulate and Secure consists of, among other things, the IOT world, Big Data, Globalized Cyber Crime Syndicates and the Dark Web, the FinTech Companies, the Digital Payment Systems and so on. The IPR regime as applicable to Cyber Space, which covers the domain name disputes, the copyright on social media disputes and the Patents of cyber processes, and issues such as Data Protection, Privacy etc all need to be kept on the radar.

Whether the proposed amendments will recognize this larger role of regulation of Digital India in an emerging Digital World, or whether this will be another attempt at simply tinkering with the existing legislation with some new Cyber Crime definitions, changing the punishments from 3 years to 2 or five etc (many of which are also required), needs to be seen.

While it is easier to look at the changes to be made to the current framework, it requires a “Vision” of the “Future India” if we need to amend ITA 2000/8 in such a manner that it will be respected and complied with by the industry in the coming days. If the amendments are not handled with “Vision”, the law will become messy. A messy law will not be complied with voluntarily and will be abused both by the crooked and the corrupt.

We, the people of India need to do whatever is required to ensure that the proposed amendments are an improvement of the current regulatory regime and do not become a wasteful exercise complicating the law further.

It is however the duty of every Citizen of India on this 68th Republic Day to take a pledge that in the spirit of “Ask Not what the Country has done to you, but Reflect what you have done to the Country” to keep expressing what they think is good for the country in the form of the “New” and “Improved” ITA 2000/8.

Some of the general principles that the “Amended ITA 2000” should incorporate are:

a) It should be simple and understandable by the common man

b) It should lay down the broad principles and leave the detailing to the rules

c) It should cover the interests of all stake holders such as the Citizens, Netizens, Cinizens (Citizens who are also Netizens), Information Intermediaries including Internet and Mobile service providers, Banks, E Commerce Companies etc as well as the Government.

It is important to ensure that the law should be “Cinizen Centric”, because in the coming days there will be no pure Citizens or no pure Netizens.

We should recognize that Citizens who are not Netizens may continue to exist for some more time and we need to give suitable time for them to transform from the Physical world to the Digital World.

At the same time Netizens who exist in the borderless Cyber Space to the extent they influence and interact with Citizens need to understand that law cannot be entirely made for the benefit of Netizens only.

Naavi.org invites “Visionaries” and thought leaders to contribute their thoughts on the required amendments through these columns.

Of course we cannot assure that these thoughts will be taken into consideration by the ITA 2000 amendment committee, but we hope the committee does give a glance to it.

Naavi


The Watal Committee Report on Digital Payments..1

Last year, the Finance Ministry constituted a committee under the chairmanship of the former Finance Secretary, Mr Ratan P Watal, to review the framework related to Digital Payments. The committee submitted its report last month ahead of schedule probably in view of the accelerated implementation of the digital payment framework after the demonetization.

The committee’s recommendations are of wide significance and could make substantial difference to the system of regulation of digital payments as we know today. In view of the criticality of some of the recommendations, it is necessary that the recommendations are widely discussed and debated before adoption. 

We shall attempt to discuss the provisions bit by bit through a series of articles here to commence a healthy debate. This is the first of such articles in the series.

Naavi



The Watal Committee has submitted its report to the Finance Ministry on different aspects of the Digital payment infrastructure in the country. The Committee identified four factors which have led to the phenomenal growth of digital payments, namely,

(i) digital and technology revolution,

(ii) entry of several non banking PSPs into payments space,

(iii) customers becoming more demanding and expecting instantaneous and one-touch payment solutions and

(iv) progressive changes in the regulatory framework.

The Committee has expressed its vision  to set a roadmap for digital payments to grow substantially over the next three years. It is desired that India’s cash to Gross Domestic Product (GDP) ratio should be reduced from about twelve percent to six percent.

The Committee has taken note that at present about 65% of population have access to mobiles and around 95% have Aadhaar identity. It is also noted that about 35% use Internet and Social media and these should be helpful in achieving the said goal.

The committee recognizes that Banks have been currently managing the payment systems and regulated by RBI. But the role of FinTech companies as Payment Service Providers (PSPs) has gathered momentum in the recent days and there is overlap of the activities of FinTech PSPs with the Banks.

In this context the committee has found it necessary to recommend that the regulatory framework needs to be changed to provide for increased participation of FinTech PSPs in the traditional Banking system. (It may be recalled that Naavi had several years back advocated that RBI should introduce a new licensing category for E Banking companies and not allow the current system to be diluted. A move in this direction appears to be happening now in the PSP industry).

The Committee suggests that the recommendations may be put into implementation over the next thirty to ninety days.

The measures indicated to be introduced include

(i) placing the proposed legislative changes before the Parliament,

(ii) regulatory changes by RBI within the current legislative framework and

(iii) implementing the policy and executive steps by Ministry of Finance (MoF) and other nodal ministries.

The Committee has made a total of 13 recommendations as follows, which will be discussed in detail subsequently.

  1. Make regulation of payments independent from the function of central banking.
  2. Update the current Payments and Settlement Systems Act, 2007
  3. Promote digital payments and receipts within Government
  4. Create a fund proposed as DIPAYAN from savings generated from cash-less transactions
  5. Create a ranking and reward framework
  6. Implement other measures to promote digital payments including promoting Aadhaar based eKYC etc
  7. Consider outsourcing the function of operation of payment systems
  8. Upgrade payment systems like RTGS and NEFT to operate on 24×7 basis in due course of time.
  9. Allow non-bank PSPs to directly access payment systems
  10. Require NPCI to be payments centric in its ownership and objectives.
  11. Enable payments to be inter-operable between bank and non-banks as well as within non-banks.
  12. Create a formal mechanism to enable innovations and new business models
  13. Implement other measures to promote digital payments including issuing regulations on Systemically Important Payment System (SIPS) and Systemically Important Financial Institutions (SIFIs) etc.

As one can observe, the recommendations are far reaching and could be, in the terms commonly used in the industry, “Disruptive” of the financial regulatory systems. Recognizing the impact of these suggestions and the problems of their improper implementation, there is a need for all stake holders to deliberate in depth on the action plan under this report.

Let’s start the debate here and now.

Naavi


Life after Demonetization

After the demonetization of Rs 500 and Rs 1000 currency on November 8, 2016, we have all been discussing cashless and less cash digital payment systems. Presently there are several options beyond the Cheques, NEFT, RTGS, IMPS as well as the “Cards”, in the form of the new generation of mobile Apps.

While more than 38 Banks have their own UPIs, there is BHIM as a common platform and the USSD system to support the Mobile wallets of PayTM and its siblings.

Behind all this the Aadhaar Based Pinless system threatens to engulf all others once it is introduced and accepted.

The Consumer in the meantime is confused as to how to approach the coming digital payment/receipt scenario and which platform to prefer.

While the initial attraction would be to the most heavily advertised, it is necessary for consumers to in due course pick a good option based on some criteria.

It is not easy to pick the right option, or even to select the right criteria and evaluate the several options available.

However, the principal factors that Consumers need to see are:

a) Convenience

b) Cost

c) Security

Presently, consumers are just learning how to use these Mobile Wallet and UPI apps and hence “Convenience” is in the forefront of selection. Most of the apps require an internet connection and a few have now crossed this barrier with the introduction of “Interactive Voice Response” (IVR). The IVR system of, say, PayTM scores over many other systems including USSD because of its ease of use and the ordinary customer’s familiarity with the IVR system.

Additionally, PayTM has a wider reach amongst the merchants and hence will lead the pack for some time as the preferred Mobile Wallet. Presently PayTM can be linked to the credit card or net Banking of the user so that there can be a seamless transfer of money to the wallet on the fly. Probably it will be linked to UPI and BHIM shortly and also interest may be paid on the balance in the wallet since PayTM is now a Payment Bank.

On the cost front, things are yet to settle down since UPI charges are currently being subsidized by the Government and the charges on the cards are in flux. Soon, RuPay cards may come on stage as credit cards breaking the monopoly of VISA/MASTER and then the acquiring Banks and Issuing banks may be able to rationalize their charges.

However, as long as the Government does not withdraw the service tax on digital payments, it will continue to be the tax which will keep irritating the consumer and make him delay the adoption.

Presently the Mobile wallets/UPI are not charging the customers directly and hence they appear to be the nearest to cash transactions.

In the coming days, Government may introduce disincentives for Cash and incentives for digital payments and until there is clarity on this issue, Cost remains an enigma in different options.

Last but not the least, the consumers are concerned with the security of the new payment systems. The continued reluctance of RBI to notify the August 11, 2016 circular and the risks of frauds in the use of Mobile based systems continue to be a threat that can upset all the calculations of the “Less Cash Society”. One major scam will push all consumers back to cash usage once the shortage of currency is sorted out.

In the meantime alert consumers would consider

a) Limiting the risk by opting for wallets which do not provide a seamless link to the Bank account (Trading off convenience for security)

b) Avoiding new mobile apps for fear of embedded malware

c) Using Prepaid Physical cards and Prepaid Virtual Cards as substitutes for wallets.

d) Opting to continue to use cash unless forced.

The only way by which RBI and the Government may be able to push greater adoption of the digital payment systems is to be able to reduce the cost of online transactions to such levels where the consumer will feel the benefit and then provide the security back up in the form of either a blanket Cyber Insurance against frauds at the cost of the Banks/Government or the quick implementation of the “Limited liability” concept.

In the meantime, the “Watal Committee Report” has made many recommendations which we shall analyze in the coming articles.

Naavi


How Much time RBI wants to examine public responses to August 11 circular?

Naavi.org has been from time to time bringing to the attention of the public the urgent need for RBI to issue a confirmatory circular regarding the “Limited Liability” it proposed through a draft circular No RBI/2016-17/DBR. No. Leg. BC/09.07.005/2016-17.

In this circular, RBI had stated that

“With the increased thrust on financial inclusion and customer protection as the two crucial pillars of financial stability and considering the recent surge in customer grievances relating to unauthorised transactions resulting in erroneous debits to their accounts/cards, the criteria for determining the customer liability in these circumstances have been reviewed. The revised directions in this regard are set out below.”

The circular further stated that

a) The liability of the customer for unauthorized debits will be restricted and will be “Zero” in the following cases.

i)  Fraud/ negligence on the part of the bank (irrespective of whether the loss/fraudulent transaction is reported by the customer or not)

ii) Third party breach where the fault lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding an unauthorized transaction.

Further, there would be limited liability of the customer in following cases.

a) In cases involving negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.

(b) In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer but lies elsewhere in the system and when there is a delay (of four to seven working days) on the part of the customer in notifying the bank of such a transaction, the customer liability shall be limited to the transaction value or ₹ 5000/-, whichever is lower. Further, if the delay in reporting is beyond seven working days, the customer liability shall be determined as per bank’s Board approved policy. Banks shall provide the details of the bank’s policy in regard to customers’ liability formulated in pursuance of these directions at the time of opening the accounts. Banks shall display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank’s policy.

Overall liability of the customer in third party breaches, as detailed above, where the fault lies neither with the bank nor the customer but lies elsewhere in the system, is summarised in the following table:

| Time taken to report the fraudulent transaction from the date of receiving the communication | Customer’s liability (₹) |
|---|---|
| Within 3 working days | Zero liability |
| Within 4 – 7 working days of receiving the communication | The transaction value or ₹ 5000/-, whichever is lower |
| Beyond 7 working days of receiving the communication | As per bank’s Board approved policy |

In addition, it was stated that

“The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank”

The circular was considered beneficial to the customers since in most cases of frauds, the customer is the victim who has lost money because of reasons beyond his control and hence it is the “Insecure System of Banking” that causes the risk. If the economy benefits by this “Digital banking Systems” then the economy has to bear the cost and not the bank customers.

The circular mentioned that public comments could be sent up to August 31, which indicated that soon thereafter RBI would confirm the circular as “Operational”.

Unfortunately, months have passed and despite registered notice to none other than the Governor of RBI, the Finance Minister and the Prime Minister, the circular remains to be notified in operational form.

Recently therefore, I had asked an RTI query about the reasons why this circular has not yet been operationalized and I have received the following response

“The feedback/suggestions/comments on the said draft circular received from various stake holders, public are being examined”

The RTI reply is silent on the reasons for the delay.

It is not conceivable that RBI has received such a large number of responses that it could not analyze them in the last 6 months. They cannot even blame the delay on the demonetization since the demonetization happened on November 8th and RBI had more than two months time before this to take its decision on the circular.

It is therefore clear that the influential Banks have brought pressure on the RBI not to operationalize the circular since they want to continue to make customers liable for the mistakes of the Banks.

I therefore call upon RBI once again not to hide behind excuses and political statements such as “being examined” and take a bold decision. If it is subservient to the IBA and Banks and cannot override their objections, RBI may say so. At least we will then know where our regulator stands in relation to the customer’s interests. If otherwise, RBI is committed to “Safe Banking” in India, they should issue a circular stating that the circular is operative and also make it applicable to all pending disputes between customers and their Bankers as of date.

I wish the media which runs behind non issues such as Jallikattu should ask questions of RBI about the delay. I hope CNBC TV and ET Now as well as other financial channels take it up as their mission to reflect the voices of the customers. Now that Mr Arnab Goswami is still in the background, it is an opportunity for other journalists to raise the pitch and ask “Nation wants to know…what is holding up RBI?”

Naavi
