Information Security Headache for PPI Issuers

The Prepaid Payment Instruments industry, which consists largely of mobile wallet operators, has raised objections to the recent Master Directions issued by RBI on several counts, such as

a) KYC requirement made more or less mandatory for all Semi Closed and Open system PPIs

b) Phased introduction of interoperability

c) Restriction of peer to peer fund transfer in Semi KYC wallets

Of these, the KYC requirement is essential to prevent fraud and is non-negotiable. Fund transfer from KYC-compliant PPIs provides for transfer “Back to Source” and to the “Own Bank Account”, and hence should not be an issue beyond being a little inconvenient for customers.

Transfer from one PPI to another actually creates a problem in understanding the usage pattern and leads to double counting for statistical purposes. If both accounts are KYC enabled, RBI can consider relaxing this provision and manage its statistical problems by tweaking its system.

Interoperability is a technology issue and would perhaps introduce some costs. It may require a discussion at technical levels but it is desirable in the long run.

I presume that, more than the publicly expressed grievances above, what has made the PCI (Payment Council of India) squirm is the reiteration of

a) Security and Fraud Prevention Management Framework

b) Customer Protection and Grievance Redressal Framework

c) Information System Audit

in the Master Directions.

Let’s now look deeper into these provisions as contained in the Master Directions.

a) Security and Fraud Prevention Management Framework

The security measures envisaged in the guidelines include development of a “Board Approved Information Security Policy”, which should be the starting point. The security measures need to be reviewed on an ongoing basis, but at least once a year, after any security incident or breach, and before/after any major change to the issuer's infrastructure or procedures.

Apart from the usual security measures such as monitoring invalid login attempts, session time-outs, beneficiary creation alerts, cooling periods etc., the guideline requires that

“Issuers shall introduce a system where every successive payment transaction in the wallet is authenticated by explicit customer consent”

Presently the OTP is used more as a pre-transaction second factor of authentication. Whether this will double up as “Explicit Customer Consent” needs to be discussed.

“Cards (physical or virtual) shall necessarily have Additional Factor of Authentication (AFA) as required for debit cards, except in case of PPIs issued under PPI-MTS.”

Some PPIs at present do not have second factor authentication at the time of the usage transaction, though they may have authentication at the time of loading. This may require some modification of the system.

“Issuers shall provide customer induced options for fixing a cap on number of transactions and transaction value for different types of transactions / beneficiaries. Customers shall be allowed to change the caps, with additional authentication and validation.”

This is an important requirement that was first suggested by the Damodaran Committee on Customer relations way back in 2011 and has not been fully implemented. It is an important risk control measure and should be welcomed. However, it requires supporting controls, since an attacker who has gained access to the account could otherwise simply raise the caps.

“Issuers shall put in place a mechanism to send alerts when transactions are done using the PPIs. In addition to the debit or credit amount intimation, the alert shall also indicate the balance available / remaining in the PPI after completion of the said transaction”

This “Alert” is also a requirement under the “Zero Liability Circular” of July 6, 2017. Some PPI issuers have not incorporated the “Balance” aspect and need to incorporate it now.

“Issuers shall put in place mechanism for velocity check on the number of transactions effected in a PPI per day / per beneficiary.”

This is an important aspect of “Adaptive Authentication” which many have ignored. It does, however, require a proper system for identifying a risk and responding to it appropriately.

“Issuers shall also put in place suitable mechanism to prevent, detect and restrict occurrence of fraudulent transactions including loading / reloading funds into the PPI.”

This is an open-ended requirement that calls for a proper risk assessment, including the threats and vulnerabilities in the environment. Its adequacy should be judged against the IS policy.
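To make the caps, beneficiary cooling period, explicit-consent, balance-bearing alert and velocity-check requirements quoted above concrete, here is a small transaction guard written for this article. It is an added illustration, not an issuer's or RBI's code; the 24-hour cooling period, the rupee values and the beneficiary names are constructed assumptions.

```python
"""Toy PPI transaction guard: per-customer caps, velocity checks, beneficiary
cooling period and balance-bearing alerts. Constructed illustration, not an
issuer's or RBI's code; all values and names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

COOLING_PERIOD = timedelta(hours=24)   # assumed cooling period for a new beneficiary


@dataclass
class Caps:
    """Customer-set caps; changing them needs additional authentication."""
    max_txn_per_day: int          # velocity cap on number of payments per day
    max_txn_per_beneficiary: int  # velocity cap per beneficiary per day
    max_value_per_txn: int        # value cap per transaction, in rupees


@dataclass
class Wallet:
    balance: int                  # rupees
    caps: Caps
    beneficiaries: dict = field(default_factory=dict)  # name -> registration time
    history: list = field(default_factory=list)        # (time, beneficiary, amount)
    alerts: list = field(default_factory=list)         # messages sent to customer


def add_beneficiary(w: Wallet, name: str, when: datetime) -> None:
    """Registering a beneficiary always raises an alert and starts the cooling period."""
    w.beneficiaries[name] = when
    w.alerts.append(f"Beneficiary {name} added at {when:%Y-%m-%d %H:%M}")


def velocity(w: Wallet, when: datetime, beneficiary: str) -> tuple:
    """Number of payments today in total and to this beneficiary."""
    today = [h for h in w.history if h[0].date() == when.date()]
    return len(today), sum(1 for h in today if h[1] == beneficiary)


def attempt_payment(w: Wallet, beneficiary: str, amount: int,
                    when: datetime, consent: bool) -> str:
    """Return 'OK' or a rejection reason. Each successive payment needs explicit consent."""
    if not consent:
        return "REJECT: explicit customer consent required"
    if beneficiary not in w.beneficiaries:
        return "REJECT: unregistered beneficiary"
    if when - w.beneficiaries[beneficiary] < COOLING_PERIOD:
        return "REJECT: beneficiary within cooling period"
    if amount > w.caps.max_value_per_txn:
        return "REJECT: exceeds per-transaction value cap"
    n_day, n_ben = velocity(w, when, beneficiary)
    if n_day >= w.caps.max_txn_per_day:
        return "REJECT: daily transaction count cap reached"
    if n_ben >= w.caps.max_txn_per_beneficiary:
        return "REJECT: per-beneficiary daily cap reached"
    if amount > w.balance:
        return "REJECT: insufficient balance"
    w.balance -= amount
    w.history.append((when, beneficiary, amount))
    # The alert carries the remaining balance, as the direction requires.
    w.alerts.append(f"Debit Rs {amount} to {beneficiary}; balance Rs {w.balance}")
    return "OK"


def change_caps(w: Wallet, new_caps: Caps, additional_auth_ok: bool) -> bool:
    """Caps are customer-controlled, but only after additional authentication."""
    if not additional_auth_ok:
        w.alerts.append("Cap change attempted without additional authentication")
        return False
    w.caps = new_caps
    w.alerts.append("Transaction caps updated")
    return True


def demo() -> list:
    """Constructed sequence showing each control firing; returns the decisions."""
    t0 = datetime(2017, 11, 1, 9, 0)
    w = Wallet(balance=5000, caps=Caps(max_txn_per_day=3, max_txn_per_beneficiary=2,
                                       max_value_per_txn=2000))
    add_beneficiary(w, "shop-A", t0 - timedelta(days=2))  # past the cooling period
    add_beneficiary(w, "shop-B", t0)                       # just added
    out = [
        attempt_payment(w, "shop-A", 500, t0, consent=False),                        # no consent
        attempt_payment(w, "shop-B", 500, t0, consent=True),                         # cooling period
        attempt_payment(w, "shop-A", 2500, t0, consent=True),                        # value cap
        attempt_payment(w, "shop-A", 500, t0, consent=True),                         # OK
        attempt_payment(w, "shop-A", 500, t0 + timedelta(minutes=1), consent=True),  # OK
        attempt_payment(w, "shop-A", 500, t0 + timedelta(minutes=2), consent=True),  # beneficiary cap
    ]
    # Raising the caps without additional authentication must fail and raise an alert.
    out.append(str(change_caps(w, Caps(10, 10, 5000), additional_auth_ok=False)))
    return out
```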

“Issuers shall put in place suitable internal and external escalation mechanisms in case of suspicious operations, besides alerting the customer in case of such transactions.”

This needs to be addressed through the Grievance Redressal Mechanism, which was also part of the Section 79 requirement under ITA 2008 that many of these PPI issuers did not recognize and implement. Now they cannot ignore the requirement.

“PPI issuers shall establish a mechanism for monitoring, handling and follow-up of cyber security incidents and cyber security breaches. The same shall be reported immediately to DPSS, RBI, Central Office, Mumbai. It shall also be reported to CERT-IN as per the details notified by CERT-IN.”

This is the most annoying requirement as far as the PPI issuers are concerned. But this is the only control that will ensure that PPI issuers take the directions seriously. It will also retain the hold of CERT-IN on the PPI issuers as envisaged in the ITA 2008.

b) Customer Protection and Grievance Redressal Framework

The guidelines are supported by a stringent Customer protection and Grievance Redressal Framework.

The framework includes “Disclosure” of important terms and conditions, creating awareness on the secure use of PPIs, and conformity with RBI’s “Zero Liability Circular”.

It is interesting to note that the directions indicate that “In case of PPIs issued by banks, customers shall have recourse to the Banking Ombudsman Scheme for grievance redressal.”

Otherwise the grievance redressal framework needs to include:

a formal, publicly disclosed customer grievance redressal framework, including designating a nodal officer to handle the customer complaints / grievances, the escalation matrix and turn-around-times for complaint resolution. The complaint facility, if made available on website / mobile, shall be clearly and easily accessible. The framework shall include, at the minimum, the following:

a) PPI issuers shall disseminate the information of their customer protection and grievance redressal policy in simple language (preferably in English, Hindi and the local language).
b) PPI issuers shall clearly indicate the customer care contact details, including details of nodal officials for grievance redressal (telephone numbers, email address, postal address, etc.) on website, mobile wallet apps, and cards.
c) PPI agents shall display proper signage of the PPI Issuer and the customer care contact details as at (b) above.
d) PPI issuers shall provide specific complaint numbers for the complaints lodged along with the facility to track the status of the complaint by the customer.
e) PPI issuers shall initiate action to resolve any customer complaint / grievance expeditiously, preferably within 48 hours and resolve the same not later than 30 days from the date of receipt of such complaint / grievance.
f) PPI Issuers shall display the detailed list of their authorized / designated agents (name, agent ID, address, contact details, etc.) on the website / mobile app.

These are areas in which a lot of action is still required from many mobile wallet operators.

c) Information System Audit

The Master Directions have also included a detailed guideline on the Information Security Audit requirements for PPI issuers.

The directions make reference to the “Cyber Security Framework”, a comprehensive guideline which even the best of Banks are struggling to meet. PPI issuers who are banking on mobile apps will find meeting these guidelines challenging.

The audits need to be conducted by CERT-IN empanelled auditors within two months of the close of the financial year, and the reports submitted to RBI.

In particular, the master directions indicate that

All PPI issuers shall, at the minimum, put in place following framework:

a) Application Life Cycle Security: The source code audits shall be conducted by professionally competent personnel / service providers or have assurance from application providers / OEMs that the application is free from embedded malicious / fraudulent code.

b) Security Operations Centre (SOC): Integration of system level (server), application level logs of mobile applications (PPIs) with SOC for centralised and co-ordinated monitoring and management of security related incidents.

c) Anti-Phishing: PPI issuers shall subscribe to anti-phishing / anti-rogue app services from external service providers for identifying and taking down phishing websites / rogue applications in the wake of increase of rogue mobile apps / phishing attacks.

d) Risk-based Transaction Monitoring: Risk-based transaction monitoring or surveillance process shall be implemented as part of fraud risk management system.

e) Vendor Risk Management:

(i) PPI issuer shall enter into an agreement with the service provider that amongst others provides for right of audit / inspection by the regulators of the country;

(ii) RBI shall have access to all information resources (online / in person) that are consumed by PPI provider, to be made accessible to RBI officials when sought, though the infrastructure / enabling resources may not physically be located in the premises of PPI provider;

(iii) PPI issuers shall adhere to the relevant legal and regulatory requirements relating to geographical location of infrastructure and movement of data out of borders;

(iv) PPI issuer shall review the security processes and controls being followed by service providers regularly;

(v) Service agreements of PPI issuers with provider shall include a security clause on disclosing the security breaches if any happening specific to issuer’s ICT infrastructure or process including not limited to software, application and data as part of Security incident Management standards, etc.

f) Disaster Recovery: PPI issuer shall consider having DR facility to achieve the Recovery Time Objective (RTO) / Recovery Point Objective (RPO) for the PPI system to recover rapidly from cyber-attacks / other incidents and safely resume critical operations aligned with RTO while ensuring security of processes and data is protected.

Obviously these are matters for which non-banking PPI issuers may not be prepared. They will also involve expenditure and management attention.

I suppose that these are the issues that are making PCI uncomfortable.

However, we welcome the stringent regulations, which are in the interest of the general public. If only they had specified a mandatory Cyber Insurance requirement, it would have been even better.

Anyway, let us now watch and observe how these guidelines are implemented by the industry and how RBI will enforce them.

Interesting days are ahead for Cyber Security professionals.

Naavi

Earlier Articles:

New RBI Norms for Prepaid Instruments make Digital payment Companies squirm

The PPI Ecosystem and the Power of the industry to lobby

Understanding the types of Prepaid Instruments under Payment and Settlements Act


Understanding the types of Prepaid Instruments under Payment and Settlements Act

Under the Master Directions for PPIs (MD-PPI), three types of PPIs are recognized namely

a) Closed System PPIs
b) Semi-Closed System PPIs
c) Open System PPIs

Closed System PPIs are those PPIs which are issued by an entity for facilitating the purchase of goods and services from that entity only and do not permit cash withdrawal. As these instruments cannot be used for payments or settlement for third party services, the issuance and operation of such instruments is not classified as payment systems requiring approval / authorisation by the RBI.

Semi-closed System PPIs are those PPIs which are used for purchase of goods and services, including financial services, remittance facilities, etc., at a group of clearly identified merchant locations / establishments which have a specific contract with the issuer (or contract through a payment aggregator / payment gateway) to accept the PPIs as payment instruments. These instruments do not permit cash withdrawal, irrespective of whether they are issued by banks or non-banks.

Open System PPIs are those PPIs which are issued only by banks and are used at any merchant for purchase of goods and services, including financial services, remittance facilities, etc. Banks issuing such PPIs shall also facilitate cash withdrawal at ATMs / Point of Sale (PoS) / Business Correspondents (BCs).

PPIs may be “Reloadable” or “Non Reloadable”. Some PPIs may permit “Cross Border Outward Transactions” and some may not. PPIs may also be issued against inward remittance to beneficiaries under the Money Transfer Service Scheme of RBI. Some PPIs may be denominated in Foreign Exchange also.

PPIs may be issued as cards, wallets, and any such form / instrument which can be used to access the PPI and to use the amount therein.

PPIs may be issued under Co-Branding arrangements. If one of the Co-Branding partners is a Bank and the other is a Non-Bank, the Bank will be the PPI Issuer. If both are Non-Bank institutions, or both are Banks, then one of them shall be designated as the PPI issuer.

Paper based prepaid meal instruments shall be discontinued from December 31, 2017, and semi-closed PPIs shall be issued for that purpose.

The Regulations

Most of the regulations in the Master Directions relate to Semi Closed PPIs.

According to the guidelines, PPIs up to a monthly usage limit of Rs 10,000/- can be issued on the basis of a self-declaration of name and an ID, along with an OTP on a mobile. Essentially these are non-KYC instruments.

Funds in these non KYC PPIs can be used only for purchase of goods and services and money cannot be transferred back either to Bank accounts or to other PPIs.

These PPIs need to be compulsorily converted into KYC type within 1 year. If KYC is not provided, no further credit would be allowed but the balance can be used.

If the PPI is closed at the request of the user, money can be transferred back to the own bank account of the PPI holder for which KYC would be required or “Back to Source”. (P.S: Not clear if KYC is not required for Back to Source transfer on closure).

The PPI issuers need to ensure that same category PPI is not issued against the same mobile number. (P.S: There is an ambiguity whether a second non KYC PPI can be issued against the same mobile number if the name and ID is different. Ideally this should not be allowed).

PPIs with a limit up to Rs 1 lakh are KYC-compliant PPIs. Money can be transferred to the holder's own bank account or Back to Source.

“Pre-registered beneficiaries” can be allowed for these KYC PPIs, and money can be transferred to them up to the limit of Rs 1 lakh per month.

Fund transfer to non pre-registered beneficiaries is limited to Rs 10,000/- per month.

Open Systems

The “Open” systems are permitted to be issued only by Banks and with KYC. Here also there can be pre-registered beneficiaries and others, and transfer to others is restricted to Rs 10,000/- per month.

The only difference between the Semi-closed and Open systems is that fund transfer from Open PPIs shall also be permitted to other open system PPIs, debit cards and credit cards, within the limits such as Rs 10,000/-, except to pre-registered beneficiaries.

Gift and MTS PPIs

Other than the above three main categories, specific PPIs are recognized, such as Gift Instruments (maximum value Rs 10,000/-, without cash-out, refund or reloading).

But KYC would be required on a risk-based approach if multiple Gift cards are to be issued to one person. (P.S: This is tricky and needs some policy guidelines to be formulated by the PPI issuer.)

PPIs can also be issued for Mass Transit Systems. These may be Semi-closed PPIs usable only for the transit systems and allied merchants. They are reloadable, with a maximum outstanding of Rs 3,000/- at any point of time.

Conversion of Existing PPIs

According to the directions, PPI issuers shall give an option to all PPI holders to convert the existing semi-closed and open system PPIs issued to them into any type of the PPIs as indicated in the directions.

After carrying out the applicable due diligence for that type of PPI, this conversion shall be completed on or before December 31, 2017. Where PPI holders have not exercised the option, the PPIs issued to them shall mandatorily be converted into minimum detail PPIs on January 01, 2018 with all the applicable features.

Looking at the regulations above, except for mandatory KYC after 1 year for all Semi-closed PPIs, there is no major change from the current system.

Fraud control is through limiting fund transfers to non pre-registered beneficiaries to Rs 10,000/-. Restriction of transfer and withdrawal by cash is essential for controlling Black Money, and hence there should be nothing much for the PCI to object to on the KYC aspect.

The argument that frauds happen at the loading time at the Card end and not at the Wallet/PPI end is not tenable, since both need to share the responsibility and liability: the fraud is facilitated because the Wallets/PPIs have no KYC, and the end user of a fraudulent transfer from a Card thereby escapes detection. We need to take all steps to prevent frauds and losses, and it is unfair that all the liabilities are to be borne only by the Card issuers.

In view of the “Zero Liability” aspect, Banks need to bear the cost of frauds, and there is a need for the PPI issuers in the private sector to also take precautions through proper KYC so that losses can be recovered and fraudsters are prevented from repeating their fraud with different PPI issuers and multiple non-KYC PPIs.

It is necessary for RBI to insist that both the Banks and the PPI issuers obtain necessary Fraud insurance so that their risks are covered and customers are not put into difficulty.

(To Be continued)

Naavi


The PPI Ecosystem and the Power of the industry to lobby

Under the Payment and Settlements Act 2007, several “Payment System Operators” have been licensed in the Prepaid Instrument ecosystem in India. The list of such operators is available here.

The list consists of

  1. Two Financial Market Infrastructure operators, namely the Clearing Corporation of India Limited and the National Payments Corporation of India (NPCI)
  2. 5 Card payment networks including Amex, Diners, VISA, Master, etc.
  3. 9 inbound Cross border Money Transfer Systems including Western Union etc.
  4. 6 ATM Networks
  5. 55 Prepaid Instruments
  6. 9 White Label ATM Operators
  7. One Instant Money Transfer system of Empays Payment Systems
  8. Three Trade Receivables Discounting Systems
  9. Eight Bharat Bill Payment Operating Units

The entities which have been given “Payment Bank” licenses, such as Airtel Payment Bank Ltd, India Post Payments Bank Ltd, Paytm Payments Bank Ltd and Fino Payments Bank Ltd, are other entities in the Digital payment domain.

Licensed Scheduled Banks are also in the digital payment system with their UPIs, Wallets, Virtual and Physical Prepaid Cards, Debit Cards, Credit Cards etc. (Refer article in livemint). It appears that out of the eleven provisional licenses issued for Payment Banks, others have not yet operationalized their licenses.

The October 11, 2017 Master Directions of RBI apply to the 55 Prepaid Instrument operators, which include Aircel, Amazon Pay, Manappuram, Muthoot, MobiKwik, Oxigen, PhonePe, Jio Money, Sodexo, m-Pesa, etc.

On March 9, 2017, the Ministry of Information Technology had issued certain draft guidelines constituting “Reasonable Security Practices” applicable to the e-PPI instrument issuers. It was called the “Information Technology (Security of Prepaid Payment Instruments) Rules 2017 (Draft)”.

At that time, some of the operators had raised objections to the rules and their requirement to interact with CERT-IN to report security breaches etc.

Unfortunately, the Ministry succumbed to the industry lobby and there was no follow up on the draft guideline which was well within the powers of the Ministry.

The e-PPI operators are “Intermediaries” under ITA 2008 and they always had the obligation for “Reasonable Security Practice” whether they were defined by a rule or not.

Hence there was no reason for the Ministry to buckle under pressure except for the reason that the responsibility to issue the guideline could be delegated to RBI.

Now the Master Direction of RBI of October 11, 2017 is a follow-up of this and represents, among other things, the “Reasonable Security Practice” to be followed by these e-PPI operators.

The objection raised by the PCI is therefore yet another attempt to influence the policies in their favour. Hopefully RBI is made of tougher material and has more commitment to the security of the financial system than the Ministry of Information Technology, and we can hope that it withstands the pressures from the industry.

We need to however watch the developments to see if the industry lobby is able to get any dilutions that may adversely affect the Consumer interests.

We have noted that in the past, the industry has only been interested in “Exploitation” of the citizens, and technologists are unmindful of the fraud possibilities in the new Digital payment ecosystem.

The Government appears to be interested only in raising “Revenue” by taxing the public for digital transactions and levying a “Cess” for security, and is not genuinely concerned about the security of the public. We have seen this in the Bitcoin scenario, where the Finance Ministry has been sympathetic to the criminal elements endorsing Bitcoin legalization rather than taking a quick decision to ban it. It is therefore not surprising that MeitY quietly withdrew the security rule notification.

It is only RBI which from time to time shows a commitment to securing the financial ecosystem, though it is often overpowered by the Banking industry lobby such as the IBA.

Hopefully the PCI is not as powerful as the IBA, and hence it may not be easy to make RBI change its stance on the Master Directions. But in the past we have observed that RBI has, without diluting its stringent guidelines, turned a blind eye to contraventions and been good to the industry while also appearing to take care of the public interest.

I hope in this instance RBI will remain firm and impose the security directions in the interest of the public.

(More about the security requirements under the directions would be discussed in the continuation article)

Naavi


New RBI Norms for Prepaid Instruments make Digital payment Companies squirm

On 11th October 2017, RBI came out with a comprehensive “Master Direction” applicable to all Prepaid Payment Instrument Issuers, System Providers and System participants. This was mainly a consolidation of all earlier guidelines. However, it appears that some of the participants have already felt the need to approach RBI for diluting the norms.

See Article in Economic Times

The Payment Council of India (PCI), an industry organization, has represented that “Some of the new norms could severely cripple the industry and make the wallet business unviable.”

It is reported that among the major points of concern, according to industry members, are the demand for a mandatory full KYC or know-your-customer certification, phased introduction of interoperability, and restriction of peer-to-peer fund transfer in semi-KYC wallets.

The objection has been raised on the point “Another major hurdle for payment companies is prohibition of inter-wallet transactions, along with transfer of funds from bank account to wallet from semi-KYC accounts, which the companies believe will destroy the relevance of mobile wallets.”

According to the spokesperson, “The scope of fraud is more in moving money through debit or credit cards into wallets and then siphoning it off to other bank accounts. P2P fund movement is not risky that way. We had made multiple representations to the RBI on this.”

They feel that “doing a full-KYC to open a digital wallet every time will be a major hindrance for smooth business”.

The PCI representatives are likely to meet RBI officials and lobby for dilution of the norms.

In the light of the above, we need to make a comprehensive analysis of the objections raised by PCI vis-a-vis the guidelines, the risks faced by the public, and whether there is actually scope for further hardening of the security measures.

We shall analyze the Master directions and the objections raised in the articles to follow.

Naavi


How Long Will Google take to resolve an IP Address?… Make all intermediaries pay for the delay

“What can be done to improve the number of successful investigations of Cyber Crimes in India?” is a question most observers of the Cyber Crime scene in India are struggling to find an answer to.

The T K Vishwanathan Committee recently seems to have suggested three improvements, namely

a) Creation of a post of State Cyber Crime Coordinator at the level of the Inspector General of Police (Suggested new Section 25B of CrPc)

b) Providing powers to the Sub Inspectors of Police to investigate offences under ITA 2000/8 (Suggested amendment to Section 78 of ITA 2000)

c) Creating a “District Cyber Crime Cell” consisting of a DySP as the head with as many Sub Inspectors as may be required and at least three experts in Information Technology, Mobile Telephony, Digital Forensics, Cyber Law or such other Experts with such qualifications to be appointed by the State Government in accordance with the rules.

(P.S: These are presently recommendations and are yet to be confirmed)

Once these suggestions come into practice, there could be a great improvement in the way Cyber Crime investigations progress.

However, it is necessary for us to flag one of the major stumbling blocks to the speedy investigation of Cyber Crime cases, and that is the non-cooperation of intermediaries such as Google, Yahoo, WhatsApp, Facebook, Twitter etc., followed by the local ISPs such as Airtel, Reliance and others.

I recall the early days of Cyber Crime investigations in Chennai that I was personally involved in:

a) A case in which I located an IP address of a suspect and within the next 20 minutes, I and the DySP converged on to the ISP’s office and got the address of the dynamic IP address user from the RAS server almost instantly and landed up in the scene of crime in the next 10 minutes to find the perpetrator still in front of the computer. The person could be apprehended and investigation could go ahead. In this case the IP address was related to the e-mail recipient. (I suppose it was a Yahoo email).

b) Another case in which a threatening e-mail had been received by a Government official and was reported around 4.00 pm on a particular day; within a few hours it had been resolved to an office address, and the next day, before the office was to open, the Police were ready at the site to arrest the employee responsible for the offence and continue the investigation.

c) The third was the historical Suhas Katti Case in which again the undersigned started with a Yahoo group message which provided an IP address and resolved it to MTNL Mumbai. Then the Police got the resolution of the MTNL IP address within perhaps a day and were ready to travel to Mumbai for further investigation. With all the formalities for travel and travelling by train, the Police were in Mumbai for further investigation on the 7th day after the complaint had been received to continue with the arrest of the accused and further investigation which finally resulted in the first conviction under ITA 2000.

All the above three incidents happened before 2004 when the Police were still very much ill equipped as to the Forensic part of investigation even at the State Forensic Labs. But they represented very successful investigations.

In comparison, after more than 12 years since these investigations, today, except in the case of celebrity complaints or when national security issues are involved, the first step of getting IP resolution of emails from the service providers such as Gmail takes a much longer time.

The local ISPs are better but even they take their share of time to reveal what is instantly available on their records.

As a result of this loss of action during the golden hour of a Cyber Crime, investigation trails go cold and become unsuccessful.

A similar problem is seen when Police are trying to investigate use of mobiles through the Tower dump analysis or Call Record details.

I am presently struggling with a case in Mumbai where the Police are unable to get the information from Google for more than 10 days, and I presume that it is Google which is holding up the information for no specific reason.

If Cyber Crime investigation has to improve in India therefore, there is a need to make these service providers change their attitude towards their role in Cyber Crime prevention.

What is Required to Change

Firstly, it is an obnoxious practice of the service providers to hide the “Originating IP Address” from the header information and substitute a proxy IP address for it.

Every e-mail contains a “Sender’s Address” (consisting of the name and signature line) and hence any genuine e-mail sender is voluntarily giving his identity in the header information and the body of the message.

Hence email senders would not have any objection if their IP address is revealed in the header information. At the same time, the e-mail recipients would consider it their “Legal Right” to know who has sent them the e-mail.

On the other hand the Service providers may have a wrong notion of “Privacy” and think that substituting the real originating IP address with a proxy address is “Protection of Privacy”.

I completely disagree with this view and demand that the Honorable Supreme Court clarify this if required.

Only persons who want to send an e-mail or a message so as to deceive the recipient and mislead him/her about the origin of the message would want their IP address to be protected by a proxy address.

This was actually a recognized offence under Section 66A of the ITA 2008, which our  Supreme Court unfortunately decided to scrap under the wrong notion of protecting Freedom of Speech.

“Attempt to deceive” the recipient of a message is itself an “Attempt to commit an offence” in all cases where the recipient has filed a complaint in which the IP address resolution is one of the requirements of investigation.

In view of this, every time Google or other service providers suppress the real IP address, they are “assisting” the suspect in escaping the legal consequences of “attempt to deceive with false recipient ID”. This is a contravention of Section 43/66 of ITA 2000/8.

Under Sections 69B and 70B, Government agencies such as the IT Secretary and DG CERT-IN have statutory powers to seek the information and, if the intermediaries do not cooperate, to prosecute them, with imprisonment of 1-2 years.

Despite these strong provisions of ITA 2000/8, the Service providers are not responding to requests from the Police which should happen in real time.

I have suggested in an earlier article that, under Sections 69B and 70B, the Government can authorize many officers other than the Police to issue a “Demand for IP Address Resolution”, so that the burden on the Police would come down.

In the meantime, I would like Google in particular to respond and show cause why their substitution of originating IP address with their own IP address should not be considered as an open support to the criminal activities and why Google Inc should not be made liable for any delay in the resolution of IP address.

I also urge the Ministry of Information Technology to expand the rules of “Due Diligence” under Section 79 of ITA 2000/8 through a notification/clarification to include that

“When it is brought to the knowledge of the intermediary that their proxy IP address is a subject of an investigation of a contravention of ITA 2000/8, they shall submit the Original IP address to the complainant on production of a reasonable evidence of contravention, within one hour of receipt of the notice.”

Google should also introduce other measures to respond to complainants as per the provisions under Section 79 on a real time basis by designating the “Grievance Officer” under ITA 2000/8 and displaying his contact details prominently on their website.

I urge the Supreme Court to take suo motu action to immediately issue a clarification that “Hiding the Originating IP address” in e-mails and other web/Telecom based transactions, including the “WhoIs” information, is not considered as “Protection of Privacy” and that not revealing the same on demand would be considered as a contravention under Indian law as abetment to a suspected offender.

This may not be an issue of interest to celebrity advocates like Prashant Bhushan or Kapil Sibal, who are able to make the Supreme Court take up petitions at the drop of a hat, or to the Government lawyers who want to avoid any confrontation with the Judiciary on a subject with the tag “Privacy”, but it is a matter of public interest in which the CJI himself should move without waiting for an influential “Celebrity Advocate” to approach the Court.

In the meantime, I request Google to let us know the average time they take in providing IP resolutions when requests are received from the Police and whether they can improve upon their current performance.

Naavi


Posted in Cyber Law | 1 Comment

I was on 16 and Going on 17….I need everyone….to know me and comply…says ITA 2000/8

Wishing All a Happy Digital Society Day of India

We need not reiterate here that we try to celebrate October 17 every year as the “Digital Society Day of India” because the judicially acceptable “Digital Society” was born in India on this day with the notification of the Information Technology Act 2000 (ITA 2000), which brought legal recognition to electronic documents in India. As Netizens, we are all irretrievably associated with the Digital Society of India for our existence and prosperity, and a good supporting legal regime is the foundation for our future.


On October 17, 2017, the Information Technology Act 2000 completed 17 years of its existence. Let us recall some of the major developments that Naavi.org captured during the last year, when ITA 2000 moved from the age of 16 to 17, and also reflect on what lies ahead.


War on Ransomware

The year began with a fight on Ransomware, which was creating havoc in India and elsewhere. There was a need for creating awareness among computer users of the risk of not following basic security hygiene such as keeping a good backup and not inviting malware by clicking on malicious links. The problem of ransomware however did not abate, and during the year we saw several attacks including WannaCry and Petya. CERT reported 26 ransomware attacks in India in 2016, which jumped to 37 till June 2017.

The proliferation of ransomware attacks also brought focus on Crypto coins such as Bitcoins, which were the preferred currency of the attackers for collecting ransom. Naavi.org took up the fight on Crypto Currencies, calling for a ban on Bitcoins and for the Government to consider its own Crypto Coin managed by RBI.

The debate on Bitcoin Ban

The Bitcoin debate reached war proportions during the year since there was a clear indication that the Government of India, and particularly the Finance Ministry under Mr Arun Jaitley, was dithering on taking a proper decision on the issue of whether Bitcoins had to be banned or not.

Any intelligent observer can see that while RBI is against the legalization of Bitcoins, the Finance Ministry appears to be in support of regularization of Bitcoin as a “Currency” despite the dangers that this view presents.

After Mr Modi took the bold step of demonetizing currency despite the political risks, just to ensure that Black Money in India is reduced, the dithering of the Finance Ministry about the banning of Bitcoins, and the creation of a speculative situation where investors are being attracted to invest in Bitcoins, is an indication that the Finance Ministry is unable to resist the lobbying of vested interests and wants to at least give them enough time to make profits at the cost of Indian Citizens, who are getting attracted to Bitcoins like the proverbial “Attraction of a butterfly to light”.

It is clear that Bitcoins are the currency of the Criminals, a great mode of saving Black Wealth, and also used for funding terror sponsors in India. But even after releasing a request for public comment, the Finance Ministry seems to have held up the final decision on Bitcoins and prefers to carry on the absurd “We Will Observe” argument.

Naavi.org has written many articles and even provided its views on what the Government needs to do, but so far there is stoic silence from the Government even at the PMO level, prompting us to say “God Save India From Bitcoins”.

We sincerely hope Lord Krishna will take the next Avatar in India to save India from the menace of Crypto Coins. Otherwise the Government of India, led by Mr Modi but guided by Mr Arun Jaitley, may be consumed by the “Bhasmasura Syndrome”.

I hope that at least after the Gujarat Elections, Mr Modi will have time to address the need for “Demonetization of Crypto Currencies in India”.

Zero Liability for Bank Frauds

Just before the year began, RBI had started an initiative on “Limited Liability for Cyber Frauds” with a draft circular issued on August 11, 2016, wherein it had declared “Zero Liability” on frauds for customers if reported within 3 days. RBI had called for public comments before August 30 and created an expectation that relief from Banking Frauds would be available to the customers soon thereafter. However, it was not until 6th July 2017 that RBI notified the circular. Banks are yet to fully operationalize the circular and no Bank appears to have come up with policy guidelines as required under the circular. However, a base for “Zero Liability” has been set and other teething troubles will get sorted out in time. Naavi.org continued to needle the Banks for not following up on the Cyber Security Framework and RBI for not being able to enforce it. The intransigence of Banks however continues.

In July 2017, the Government also proposed setting up a CERT-FIN specifically for the Financial Sector and several other sector-specific CERTs to improve the disclosure of security incidents and also find solutions within the sectoral regulatory requirements. More developments on this front may be visible in the next year.

Social Media Issues

The year also saw continued attacks on WhatsApp admins for objectionable posts. Naavi.org released a model WhatsApp Admin policy through its Cyber Law Compliance Center to enable Admins to mitigate the risk of being held liable for the posts of the members. Naavi advocates that Admins should personally approve only identified members and ensure provision of proper profile information, apart from following a good security policy as advised.

Social Media Abuse continues to be a hot topic of debate and the Supreme Court judgement on “Privacy is a Fundamental Right” has only accentuated the problem.

Cyber Crime Complaints

As Cyber Crimes increased during the year, the plight of Cyber Crime Victims not being able to register Complaints and the problem of Police not undertaking investigations continued through the year. Though the Government of India gave an assurance to the Supreme Court that “Online Filing of Cyber Crime Complaints” would be facilitated through a Citizen Portal, it appears that not all States have set up follow-up facilities for online filing of Cyber Crime complaints.

Naavi.org has therefore taken up the “Improvement of Cyber Crime Complaint Management System” as the mission for the next year.

The Government of India, through the recommendations of the T K Vishwanathan Committee, also appears to have taken some steps in improving the Cyber Crime Complaint system by suggesting the appointment of a “State Cyber Crime Coordinator” and “District Cyber Crime Cells” by amending the CrPC and introducing new sections. When implemented, this could be a game changer.

Naavi.org will continue to follow up this development in order to ensure that apathy and corruption at the Complaint registration level does not frustrate the Cyber Crime victims.

In particular, Naavi.org will follow the systems currently in place for online filing of complaints.

Prepaid Instruments

During the year, we saw the “Demonetization” of notes of Rs 500 and 1000 denomination in India, which created huge chaos in the money supply in the country. At the same time it gave a boost to the use of digital payment systems of all kinds. Though the efforts of NPCI in introducing the UPI and BHIM applications were laudable, the AEPS system (Aadhaar based payment system) is causing concern about frauds committed with fake or stored biometrics being used for drawing money fraudulently from Banks.

The Watal Committee report on Digital Payments laid a well defined path for the introduction of proper guidelines for the Digital Payment systems in India, and RBI came up with a comprehensive guideline on Prepaid Instruments on 11th October 2017, laying the ground for further development of the system under the umbrella of the security measures suggested for banks under the “Cyber Security Framework” and “Limited Liability”.

Section 65B of Indian Evidence Act

The PK Basheer Vs Anvar judgement of September 18, 2014 continued to find traction during the year, with many in the legal community becoming aware of the mandatory need for Section 65B certification of electronic evidence for admissibility.

Subsequently the Sonu@Amvar judgement created a flutter but the confusion settled down.

On January 2, 2017, the Government also issued a new notification under Section 79A of ITA 2000/8 regarding the accreditation of “Digital Evidence Examiners”, which also created a further debate on how Section 65B of IEA will apply to Forensic labs etc.

The Judgement of a Puri Court provided further clarification, and there was a lot of progress in the development of Cyber Jurisprudence during the year regarding Electronic Evidence issues. Naavi has also intensified his activities in the Cyber Evidence Archival Center and recently introduced the CEAC DROP BOX as a service which will be further developed in the coming year.

Amendments to ITA 2008

The activity of the T K Vishwanathan Committee set up to suggest modifications to ITA 2008 also drew the attention of Cyber Law and Cyber Security professionals during the year.

Towards the end of the year, a brief note emerged on the recommendations, involving amendments to Section 78 of ITA 2008, the introduction of two sections in the CrPC to create a State Cyber Crime Coordinator position at the IG level and District Cyber Crime Cells in which experts would advise the Police, along with the introduction of two sections into the IPC to bring back some of the lost provisions of the scrapped Section 66A. Naavi.org had expected a more comprehensive amendment and provided suggestions which may not materialize now.

However, the Government is presently also addressing the introduction of a “Data Protection Act” and a “Health Care Data Privacy Act”, and there can be more legislation affecting ITA 2008 indirectly through these laws, which may come forth in the next year.

The threat of GDPR being imposed by the EU on Indian corporates handling EU citizens’ personal data would accelerate the need for our own Data Protection Act, and it is expected that this will be one of the biggest developments of the next year.

In the meantime, following the proposal of an amendment of the Indian Registration Act 1908 by the Karnataka Government which is ultra vires the ITA 2008, even the Parliament appears to be contemplating some amendments to the Indian Registration Act overlooking the provisions of ITA 2008, which are expected to give rise to another series of Cyber Frauds that will affect property owners in India.

The issue has been brought to the attention of Dr Ponnuswamy Venugopal, an MP who is the Chairman of the Standing Committee looking at the issue, and we hope some developments may be there on this front in the current year.

The Cyber Appellate Tribunal Issue

Naavi.org has been fighting for a long time on the need for reactivating the Cyber Appellate Tribunal (CyAT). This key Cyber Judiciary organization envisaged under ITA 2000 has remained defunct since June 2011 for the sheer inability of the UPA Government and even Mr Modi’s Government to find a proper Chairman.

In a bizarre reactive decision, Mr Arun Jaitley decided that “If we cannot find a Chairperson for CyAT, why have CyAT at all?”. He therefore decided to merge CyAT with TDSAT through the Finance Bill, as if the Government needed to save money by closing down the CyAT.

For a Government which was capable of introducing GST at an enormous cost and able to spend Rs 650 crores on a contract to monitor Social Media, it was a shame to say that there was no money to support CyAT.

As a result, CyAT got merged with TDSAT and at present has gone into oblivion. For the record, we can note that a case against the constitutional validity of the merger has been pending at the Madras High Court.

But Cyber Law Observers will note that this was one of the biggest mistakes committed by the Modi Government in creating a hurdle for Cyber Crime victims to seek justice.

Mr Arun Jaitley also had other controversies surrounding his department, including the Bitcoin decision which is being held in abeyance to promote speculation and profiteering by clever manipulators of the market.

History will judge Mr Arun Jaitley’s negative contribution to the Cyber Law regime in India and determine whether it was his preoccupation with GST, or ignorance of the impact of the wrong decisions of his department in the case of CyAT and Bitcoins, or the inability to control the influential lobbies with vested interests that may thrive around the department, or any other reason that contributed to the setback to the Cyber Legal Regime in India caused by the Finance Ministry.

We will not mince words in criticizing the action or inaction of the Finance Minister until Mr Arun Jaitley wakes up and takes appropriate positive decisions, and this debate will continue in the coming year.

The response of Naavi.org is therefore to forget Cyber Dispute Resolution through the Adjudication and CyAT fast court system created by ITA 2000, but to promote Cyber Mediation and Cyber Arbitration and the Cyber Disputes Mediation Center. Hopefully these may see traction in the coming years.

Internet Addiction

One of the other matters of concern to the Cyber Society during the year was the emergence of the “Blue Whale” game, which claimed many lives in India. The need to address Internet addiction in children and to develop solutions to secure our children from games like Blue Whale has been engaging the attention of the Cyber Law observers in India. Probably in the coming days we may see the emergence of a “Cyber Game Regulation Authority” to monitor the Cyber Space for such games.

A Bad Precedent emerges from Mumbai Court

Towards the end of the last year, an interesting but disputable judgement came from the Mumbai High Court in an E-Tender dispute raised by Shapoorji Pallonji against MHADA. It was a huge contract of over Rs 11000 crores in which the petitioner was disqualified for not following the e-Tender process. There was a huge commercial stake involved, and the petitioner contended that it could not complete the tender process as expected by the tender authority because the technology failed. It stated that it had uploaded the tender documents but could not confirm the tender application, and blamed the system for not presenting the final screen which contained a clickable button “Freeze the Application”. It was not clear, and there was no evidence, that proper admissible evidence was presented to support the claim.

The Court however accepted the objection and ordered that “Technical Errors are to be overridden by manual intervention”, introducing a new “Cyber Jurisprudence” that an “Electronic Contract defined by a process” has no sanctity, which we consider as not a welcome view.

Hopefully this will be reviewed some time later because it contradicts the provisions of ITA 2000/8, which clearly define how an electronic message is attributed under law.

The Aadhaar Security Debate

Throughout the year, the use of Aadhaar and its security issues continued to be debated.

Naavi.org has been highlighting the risks of the Aadhaar Enabled Payment System as NITI Aayog started promoting a PIN-less and card-less system of payment. However, the Government continues to promote AEPS, and frauds using “Stored Biometric use” and “Fake Biometric use” have already surfaced.

In Bangalore there was much noise made about a mobile App which extracted Aadhaar authentication information through the e-hospital application. A techie who had released the app was arrested and the case is going on. The incident however demonstrated the inherent weakness in the security of the Aadhaar eKYC system and the possibility of its misuse, which is now surfacing in the form of financial frauds.

Naavi.org has brought the risks to the attention of the Government, but vested interests around the decision makers may be preventing a proper assessment of the security risks, resulting in exposing Indian citizens to greater and greater financial risks as we move more and more into Digital payment use.

We hope that the Government will realize the risks and act to mitigate them perhaps through mandatory Cyber Insurance or otherwise, before it is too late.

When we reflect on the year that has gone by, it appears that there were many developments in the Cyber Law scenario in India. Some of these need to be followed up during the next year as well.

…So as ITA 2000 continues to say… “I am on 17 and going on 18…” we will see many more interesting things unfolding.

Naavi

(This is an attempt to capture the major cyber law events in India during 17th October 2016 to 16th October 2017 through the eyes of Naavi and Naavi.org. There could be more that can be added to the above and I welcome the readers to add them through their comments)

