Naavi.org

Naavi has been trying to promote “Voluntary Compliance of Cyber Laws” since 2000 when ITA 2000 was notified. The slogan for “Cyber Law Compliance is the Corporate Mantra for Digital Era” was first stated by me in a CII seminar in Chennai in December 2000. Ever since, through various measures such as “Cyber Law Awareness Movements”, “ITA 2008 Compliance Drive” etc, the undersigned has tried to impress upon the Companies the importance of voluntary Cyber Law Compliance.

It is however sad to admit that the success of this campaign has not been anything to write about. Some companies started the compliance activity but could not sustain it since the conventional information security professionals have always considered that “Legal Compliance” is secondary to “Compliance to Technical standards” such as PCI DSS or ISO 27001 and after exhausting their efforts in technical security, they neither have energy nor money left apply legal compliance patch.

What companies and these professionals forget is that “Technical Compliance” is for the sake of pursuing a “Best Industry Practice” while “Legal Compliance” is for avoiding legal penalties. Technical Compliance is fashionable but legal compliance is life sustaining.

The object to pursue is therefore “Techno Legal Compliance” which is technically sound and also compliant with the legal provisions. Where the legal provisions are vague or inadequate, the better technical standards should prevail and vice versa.  Business prudence should therefore be to pick the best of the suggestions from the technical standards and legal prescriptions so that the security is defensible when charged with “Lack of Due Diligence” or “Negligence” when an incident results in a legal claim on the company.

Unfortunately, Indian Businessmen are by nature complacent and think that any legal problem can be tackled after the problem reaches a Court and there is no need for any pro-active measure to prevent and pre-empt a legal problem.

Some are so obsessed with the “All Is Well” syndrome that they think problems arise only for others and not for themselves. Some think that our Police are corrupt, Judiciary is ignorant and Lawyers are brilliant so that any problem can be tackled before it gets out of hand.

But this attitude was perhaps workable as long as the political system was also deeply corrupt so that things could be managed at the highest level. But after the demise of the UPA rule in the country and emergence of Mr Modi as the head of state, the freedom with which corrupt politicians worked around is slowly getting curbed. This has and will even more in the future percolate to the administrative layer where bureaucrats will also have to be less and less corrupt and start enforcing the law of the land.

It therefore does not pay to avoid   “Voluntary Compliance” of law as a deliberate business strategy. The strategy that “We will provide as much information security as is commercially feasible” which some institutions declare in their terms is a clear admission that they are deliberately under-securing their business for commercial considerations and such approach to security needs to be reviewed in the current “Less Corrupt” law enforcement context.

It is therefore necessary for all right thinking businessmen in different domains of activity such as Banking, NBFC, E Commerce, Health Care or any other sector to come together and formulate a “Legal Compliance Network” for their specific domain and guide the business managers. While they often come together for lobbying on commercial benefits, they fail to foresee the legal non compliance problem.

I have highlighted in the past that such lack of self regulation forced unwarranted legislation on UBER, OLA and other taxi aggregators. It also brought unwarranted attention on the E Commerce players such as Flipkart and Amazon. Now even the Health Care mobile app developers are facing the heat of such attention. If left unattended, the problems will not melt away. They tend to coagulate and cause an artery block sooner than later. Then there will be a need for a “By-pass” surgery to survive which could be crippling (Taxi Aggregators are already in this state) or worse result in some companies folding up.

In January 2016, India’s drug regulator namely the Drug Controller General of India has issued an order banning the online sale of medicines. (Refer article here)  Many online mobile app companies involved in such sales had and are still raising venture capital funding for such activities unmindful of the fact that there would be stiff resistance to their business even in the coming days.  Chemists have gone on strike and approached Courts to fight the online pharmacy activity as “Illegal”. (Refer here)

In view of these developments, the Union Minister of Commerce, Nirmala Sitharaman has already announced (Refer here) that the Government is working on regulating web pharmacies.

Now yet another front on which such new regulation is expected is in the area of E Commerce.  Today’s Times of India reports  that the Consumer Affairs Ministry has shared with the Commerce Ministry that 46 e-commerce companies  did not respond to e-mails sent to them for redressal of Consumer Grievances. In the same breath the Ministry has come out with a statement that they would come out with “Rules and Regulations” to regulate the E Commerce industry. (Refer here)

Let’s admit the fact. Our bureaucrats would be too happy to formulate new rules and regulations so that the “License Raj” in e-commerce prevails and booms even of E-Commerce withers.

The responsibility for leading the Government to such a situation lies with the industry which does not consider voluntary self regulation that can make the Government regulation redundant.

There is also a Consumer Protection Bill (A more detailed analysis of the same would be presented separately) that is being introduced in the Parliament to replace the Consumer Protection Act which will also make some significant changes to the lives of the E Commerce players.

I squarely blame the industry for its non-compliance of existing laws,and providing an excuse to the Government for introducing multitude of regulations.

For example, the current Consumer Protection Act automatically applies to E Consumers since “Business done with electronic documents” is nothing different from “Business done with paper documents” and hence all laws applicable for paper based business is also applicable to E-Commerce. Further under Section 79 of ITA 2000/8, E Commerce companies need to ensure that no offences are committed with the use of any message that passes through/processed by them unless they can prove that they have exercised “Due Diligence”.

One of the aspects of “Due Diligence” is providing a “Grievance Redressal mechanism” on the website. If the Government now finds that some E Commerce companies donot have a working Grievance Redressal sysem, it si only the tip of the ice berg. There are many more non compliance issues which if identified, will make these businesses uncomfortable.

And, it will not be just 46 E Commerce companies which are non compliant with laws. Almost all of them are non compliant with the basic aspects of Section 79 of ITA 2000/8 and common consumer law.

Most of these web based businesses donot provide their identity in the form of physical office address to which legal notices can be sent. They donot declare who are their promoters nor their grievance redressal officer. They provide a TOS in electronic form which is not a full fledged disclosure. Many donot provide proper Privacy Policies. Topping it all is the lack of or inadequacy of grievance redressal systems.

Some of these deficiencies can be attributed to the fact that the business managers are ignorant of the laws and are preoccupied with other business priorities. Some are however not because of ignorance but solely because they donot care.

Naavi attributes this to “Technology Intoxication” that makes them blind to the regulatory requirements.

Unfortunately, it is this callous attitude that irks the regulators and makes them wield the stick in the form of new regulations. Once the regulations are out and they start pinching, the businessmen will start complaining that  Government is curbing business through bad laws and cry infringement of their rights.

Now all Taxi aggregators have become “Taxi Operators” and consumers have also lost out in the process because competition is being stiffed out. The “Kala-Peela Taxi Driver’s syndrome” will soon come to the OLA and UBER companies also since they feel empowered that they have been “Licensed to Exploit” and any new entrant will find the barrier to entry too stiff to break. This is the re-entry of license raj in E Business.

Once E Commerce was the entry point for low resource wielding entrepreneurs who could just start any business by just opening a web site. Soon, there will be a plethora of regulations that makes it difficult for small and micro businesses to enter business dominated by the license wielding giants.

We can expect such  license raj in all E Business activities starting with the E Pharmacies and E Commerce.

I however believe that Mr Modi is conscious of the “Ease of Doing Business” concept and If the E-Business industry wakes up from their slumber, they may still be able to work with the Government to avoid setting in of a new license raj in E Commerce which will be detrimental to growth in competition and end up more anti consumer than what it tries out to be.

Will they?…. Oh ..are they listening? or happy counting their Venture fund contributions?

Naavi

Related Article:

Online Pharmacies form an association

Office of Online Pharmacy raided

The Reliance Jio launch on 5th September 2016 will start a new era in Mobile industry in India. The “Mobile” as a concept was a replacement to the phone and the initial positioning of the device was as an “Instrument for talking”. “Voice” carriage was therefore the central purpose of the mobile network and the entire industry built its business on this concept.

Use of mobile for “Data” started with the advent of “Smart Phones” and was secondary to the use of mobile for voice. Most of the mobile network was more robust for voice carriage and data connectivity was always poor. But consumers did not complain too much since the main purpose of them holding a mobile device was for voice interactions and hence they were tolerant of the bad “Data Over Mobile” availability.  Some managed with “WiFi” at home and Office and “Voice Only” when on the move.

Now, suddenly, Jio is changing the fundamental nature of the mobile usage from voice to data usage.  It’s proposition is that all voice will be carried over the IP network only as data. “VoLTE” (Voice over LTE or Voice over Long Term Evolution, similar to VoiIP which is Voice over IP) is therefore their USP. Jio network is an “All LTE” network on the 4G band. (P.S: Refer this article for more technical information)

VoLTE enabled Phones

Jio is also selling LyF brand mobiles which are specially configured for VoLTE. Many of the other  mobiles are also capable of operating in the LTE bands used by Jio.  But at present it appears that only phones with the Qualcomm snapdragon chipset may provide the complete HD voice experience which VoLTE is expected to provide.

Additionally, Jio is introducing a “JioJoin” app which may enable any non VoLTE enabled phone user to make vice calls over the LTE networks. It is however said that the call quality in an VoLTE phone would be far better than through the app. The free offers of 3 month unlimited data is perhaps only for certain declared brands of the phones and mainly the LyF brands. In other phones, Jio SIM may work but the free offer may not be available.

If the user’s phone is not capable of working in the LTE bandwidths of 2300 MHz, 1800 MHz and 850MHz, it may not be able to receive Jio signals. 2300 MHz is critical since JIO has Pan India license in this bandwidth. In the other two bandwidths it has license only in few circles.

With the use of “Free Voice” offer that Jio is offering, it is possible that a large number of voice users from the prepaid segment may switch over to Jio SIMs since they get unlimited voice at Rs 149 per month. If the users prefer data, then they have to move to rs 499 per month scheme where they may get 4GB data under the plan. (Night data would be unlimited). At this rate the cost of using Jio would be about half of the existing plans of other service providers. (They may also drop their rates shortly to retain the customers).

Security Risks of Smart Phone usage

Since Jio will promote a higher use of Smart Phones because of “Free Voice” feature, the risks associated with the use of Smart Phones such as viruses and Trojans that can commit frauds and identity thefts is also going to increase exponentially. We may see this impact in more Bank frauds and Mobile wallet frauds in the coming days.

Government Officials may use 2G phones for better security

Assuming that there will be a largescale migration of users to Jio, then the voice networks on 2G will have a lower bandwidth usage. If other operators also start offering VoIP over the 3G network and free voice calling, then the 2G frequency band may become redundant for most mobile users excepting those who use it only for voice and use the old 2G only mobiles. This would mean an under utilization of the band and unless the license holders find alternate uses, they may prefer to drop their licenses in this frequency bandwidth. Unless the Government reduces the auction prices of these bandwidths to non significant levels, it will remain unauctioned with the Government.

Perhaps the Government may start using this band width more and more for their inter-governmental communication over old non Smart phones which are considered less hackable. If BSNL can use these bandwidths for communication between Government officials with some network level encryption, we may be able to solve the need for a secure communication system in the Government. The quality of voice calls may also improve with lower call drop rates since the usage will be thin.

Interceptions on the Voice over Data transmissions

On the other hand, the service users who start using VoLTE and VOIP will convert all voice transmissions to data and carry it over the networks creating a huge data on temporary transmission and capable of efficient security monitoring through Big Data analytics. From the security perspective this is good but from the privacy perspective, there could be some concerns.

It is understood that Reliance Jio has already installed a Lawful Intercept and Monitoring (LIM) system to make the encrypted flow of information available to security agencies in clear readable form.  (Refer this article)

It is not clear what kind of encryption is used by Jio network and whether it is under the old 40 bit encryption norm applicable for ISPs.  Now, under ITA 2008, Government was supposed to provide new guidelines for encryption under Section 84A which has not yet happened.  Since guidelines under this section are yet to be issued, this is one task which the DeiTy has to address quickly.

Private Encryption of Voice

Since the voice transmissions all happen through data which is amenable for data mining, many users may shift to the use of user level encryption of voice transmissions with the use of Apps. If there is a large scale use of such software, there will be other murmurs and complaints from the law enforcement and perhaps a point of confrontation between the law enforcement and the privacy activists. (We need to check if the current apps for these purposes are compatible with the use of VoLTE and JioJoin apps.).

Whats App Calling

Perhaps many would continue to use WhatsApp calling as a preferred mode in view of the end to end encryption provided by the app.

“WhatsApp calling over Jio network” may therefore provide the security but without the “Free Voice Feature” that Jio offers. Users now have the option to trade data costs for Whats App calling with encryption capabilities to protect their privacy.

According to one estimate,  it costs Re 1 per minute of WhatsApp call on 3G and Rs 2.50 per minute on 2G network. A 4G LTE WhatsApp Call may cost about 50 paise per minute which is more or less equivalent to the current voice tariff. (These cost estimates are on the basis of old data rates which Jio will bring it down to less than half. Hence the cost for a WhatsApp call on Jio could be around 25 paise per minute).

Thus Reliance Jio is causing disruption on many fronts. Apart from shaking up the manufacturers of Mobiles and Processors to make them compatible with VoLTE calling, it is bringing changes in the Mobile Banking Security, Encryption and Big Data Scenarios.

Let’s watch how things unfold.

P.S: I invite technology experts to send their feedback and make corrections on any technical aspects discussed above

Naavi

Related Articles:

Quora

September 1, 2016 will be a red letter day in the history of “Reliance”, which is a household name in India, made so by the great Mr Dhirubhai Ambani. Mr Dhirubhai operated in a different era where licensing was the key to industrial success. Though he stared as a boy who dispensed petrol in petrol bunks, Dhirubhai overcame the odds in the society to raise a large conglomerate. Though some times, his achievements were credited to manipulation of the license raj system, what remained in the end was that Dhirubhai created a huge manufacturing base in India giving employment to thousands of people. He also shared his wealth to millions of his share holders through his own disruptive Stock Market practice of ” Debentures” converted into “Equity”. I would credit much of India’s stock market growth in the 80’s to Mr Dhirubhai’s entrepreneurship and willingness to share the benefits with ordinary people.

The second generation of Mukesh and Anil developed the enterprise though they so far had not established an intention to share the corporate wealth with public the way Dhirubhai did.

Now as the third generation of Dhirubhai family enters the management scene, Mukesh has unleashed the “Reliance Jio” which has the potential to stir up the entire telecom scenario in such a way that we can describe it as a “Disruptive Moment” in the Telecom industry.

Will this “Free Voice” over mobile and “Globally Cheapest Data over LTE network” transform our society as we have never envisaged is the moot point of discussion today.

Yesterday, as Mukesh made his speech at the AGM, the market capital of Airtel, Idea and even RCOM dived by over Rs 13500 crores as doubts surfaced if these companies can exist after the Jio onslaught. But at the same time even the Reliance stocks did dip indicating that the shareholders of Reliance thought that this was a  business strategy to eliminate the competition though it may bleed Reliance itself for some time. Ultimately, whoever has the deeper pockets may survive and Mukesh thinks that he has the deep pockets to ride over a phase where there could be large scale loss of business and revenue for the incumbent operators who have some sunk costs to manage. Survival of these companies will require a high marketing acumen and some innovative as well as painful initiatives that these companies may have to initiate.

Inevitably the Government will be dragged into controversies since while on the one hand the Modi Government should be happy at any initiatives that will help its Digital India Campaign, which Reliance Jio project services would definitely do, there are policy issues of inter connectivity between Jio and incumbent players which will be contested both at the level of the DeiTy as well as in the Courts. Government needs to ensure that it does not get dragged into controversies that it favours either one or the other group in resolving the crises.

Government also has a responsibility to see how its own BSNL services are revamped to meet the competition. During the UPA days the popular thinking was that BSNL was deliberately choked by corruption at political level to provide advantage to the private operators. But in the last few months, the current Government appears to be trying to change this perception and now is another opportunity for BSNL to show that it is not much behind the other Private players when it comes to strategizing on the market issues.

At the Consumer level, if “Voice Calls” are not charged, it would be a great boon to “Predominantly Voice users” such as the College going youth who can be seen endlessly talking on the streets. Soon other operators also need to make “Voice” free.

As regards the heavy users of Data including those who are shifting to making calls on the data network such as WhatsApp or Skype, the reduction in data charges to half of existing levels at the base level and further down at higher levels will be a boon. For most of us the mobile bill will come down by 50% immediately if we shift to Jio services.

We should therefore welcome the entry of Jio into the mobile services market and hope that consumers will eventually benefit.

The services will be commercially launched from September 5, 2016, which is this year’s “Teacher’s Day”. Just as a “Teacher” shapes the future of a student, it is possible that Reliance Jio may shape the future of Digital India through its service.

We may separately look at the technology issues that may arise on account of the Jio strategy in a separate post.

Naavi

In the last two posts, I have highlighted the call for early appointment of the Chair person of Cyber Appellate Tribunal (CyAT) which is vacant since July 2011 and the inadequacy of the NCRB system to recognize the extent of Cyber Crimes that occur in the country.

In this context, there is a need for a total revamp of the Cyber Judicial system in India for which I place some suggestions here. I hope the message will reach the right persons and necessary action will be initiated.

In particular action would be required from

1. Mr Ravishankar Prasad who is the minister for DeITy and Law
2. The Secretaries attached to department of IT, Law and Home affairs
3. Chief Justice of India
4. Chief Justices in the States and Union Territories
5. Chief Ministers of different States
6. IT and Law Secretaries in different States
7. PMO
8. Heads of Police in different States
9. Heads of Institutes of Law Education and Police Training all over India
10. Members of the Media

My suggestions can be classified into following six heads.

1. Awareness Building
2. Crime Reporting
3. Adjudication
4. CyAT
5. Special Magistrate Courts
6. Special Mediation Centers

1. Awareness Building

Whenever we discuss solutions related to Cyber Crimes and Cyber Security, “Creating Awareness” continues to top the discussion table and often ends with it. There is no doubt that “Creating Awareness” is necessary but we need to also address to whom should we create awareness and regarding what.

First level of awareness building is to the public that there is a law called ITA 2000/8 and if they have any issues, they can seek protection from law. But immediately they will ask, which Police Station should I reach out and which Court should I approach. Given the general reluctance of public to step into any Police Station, unless people feel that there would be a definite benefit they will not approach the Police. While there are many knowledgeable Police officers, there are more number of station level policemen who are not familiar with Cyber Crimes and are reluctant to accept any complaints.

There is therefore a need to create awareness amongst all the Police Stations. Despite some efforts there is still a lack of effort in ensuring that our police stations are equipped to accept a Cyber Crime complaint. Today we see a board in most Police stations about the number of complaints received under various types of crimes. I donot seem to have seen the list including any “Cyber Crimes”. In fact I would like to see “How many policemen including constables are there in the police station and how many of them have been trained to understand Cyber Crimes” as part of the information these police stations should display.

I have once suggested Bangalore police to have “Station level Awareness Exercise ” on Cyber Crimes so that every Constable is trained to understand Cyber Crime. Just as we conduct workshops in schools, workshops on Cyber crimes should be conducted in every police stations. Advanced courses can be conducted for SIs and investigating officers but base level awareness is required to every body.

Similarly, awareness need to be created with advocates, Public prosecutors, Magistrates and judges at all levels. CJIs need to monitor how may judicial officers are in the state and how many of them are proficient in Cyber Crimes. Judicial Academies need to work on a specific target in this regard so that 100% of magistrates and civil judges go through at least the base level workshop within the next one year.

An action plan for this can be developed and implemented by every State under the guidance of the Chief Justice of the State High Court.

Awareness also needs to be built for every IT Secretaries in India since they are “Adjudicators” and function like a Civil Judge in respect of all offences under ITA 2000 upto a loss of Rs 5 crores.

Lack of awareness at any level whether it is the victim, or the Police or the Lawyers or the Judiciary should not be a reason why Cyber Crimes donot get registered.

I am sure that budget is not a constraint since we can use an army of Law Professors from different Law Colleges to conduct such base level programs, if necessary by first conducting a “Training for Trainers”.

Naavi has conducted programs under the “Karnataka Cyber Law Awareness Movement “way back in 2005 to spread the Cyber Law Awareness in India and can still contribute to a new wave of such activity if some body in Karnataka or at the Central Government level is interested.

2. Crime Reporting

Assuming that awareness is built up at all levels, the next problem to be tackled is the means of reporting of a Cyber Crime incident. If we want to get the correct picture of the Cyber Crime scenario in the country, we need to break the reluctance to register Cyber Crime complaints at the police level. It is appreciated that if Complaints are registered but not resolved, some may interpret it as an inefficiency of the Police and hence Police are reluctant to register a complaint which they are not confident of resolving.

We therefore need an “Impersonal System of Crime Reporting” where the incident is reported online. Every incident reported should be numbered whether they are converted into a complaint or not. Police should establish a network of “Friends of Cyber Police” in different parts of the City who may be approached by the victims for guidance. These FOCPs can vet the complaint and load it onto the system on behalf of the victim.

The system should escalate the complaint to a suitable Police officer for conversion into a formal complaint and issue of an acknowledgement. The higher authorities in Police may take follow up action as may be required though the first task of recognition of Cyber Crime is achieved through this process.

Every incident may be technically considered as an “Attempt” to commit a crime and therefore can be recognized as a registerable Cyber Crime. Hence there should be no technical issue is mandatory registration of FIRs for all verified complaints.

This will help in the assessment of the resources that need to be committed to Cyber Crime mitigation in the long run.

3. Adjudication

Adjudication was a wonderful system which ITA 2000 suggested for resolution of civil claims for damages arising out of contravention of any provision of ITA 2000. It provided for quick resolution, and suo-moto powers to the adjudicators to take remedial action. In 2003 in view of the fact that the Judicial system was not prepared to take up the challenge of adjudicating on technology related issues, Government made all IT Secretaries of states as “Adjudicators” for the respective state. These officers were tech savvy and senior enough in the bureaucracy to conduct proceedings of adjudication as an “Enquiry” process. Appeals were available to the CyAT.

However over a period the Adjudicators have shown no enthusiasm to take up this responsibility both because they are otherwise engaged in the developmental activities as also because there is a conflict of interest since some of the cases involve business interests of IT companies. Additionally just as Judicial officers were lacking in technical knowledge, the IT Secretaries were also found to fumble with the legal knowledge when required. As a combination of all these factors, today the system of Adjudication is almost non existent.

There is therefore a need to review and revive this system. One way out is for the State Judiciary to train some of their Judicial officers in Cyber Crime related issues and set up a parallel team of Adjudication Empowered Judicial Officers. Once the IT ministry issues necessary notification, these officers can start taking up complaints.

Alternatively, every Adjudication set up which today consists of the IT Secretary can be made a two member bench with the Law Secretary of the State being the second person. This will provide the relief in terms of knowledge deficiency but may not solve the problem of lack of time for these state level senior officers. The team of trained judicial officers may therefore be a better solution to meet the requirements of Adjudication.

These Adjudicating officers should be mandated to use Video Conferencing wherever feasible so that the cost of adjudication is reduced.

Again a suitable framework for training and sustaining this system can be developed if the State High Court Chief Justice takes interest.

4. CyAT

The issue of CyAT has been discussed earlier. Presently there is a set up in Delhi with a good infrastructure and also a technical member. If only a Chair person can be appointed, the system can restart its activities.

However there is a need for CyAT to sit in different States and use Video Conferencing so that victims need not travel to Delhi for their cases.

It should be mandated that the CyAT regularly sits in different State Capitals and conducts its proceedings and also set up at least one bench in South India to enable economical access to the public.

5. Special Magistrate Courts

While the Adjudication and CyAT takes care of the civil disputes, there is also a need to set up special magisterial courts in the States to handle Cyber Crime cases exclusively. This will speed up delivery of justice and also build expertise in specific Judges who can support the system at higher levels as days go by.

This is an action which again needs to be handled by the State High Court.

6.Special Mediation Centers

ITA 2000/8 provides for compounding of most offences including those which come under the category of criminal offences. Hence there is a scope for mediation and Conciliation both in the case of Civil and Criminal proceedings.

If therefore a good system of mediation can be developed, this will reduce the burden in the system of Adjudicators and Magistrates and help in the quicker delivery of Justice to victims.

There could be many other measures that may help in improving the Cyber Judicial systems but what is discussed above is a list of suggestions that can be considered.

It is to be remembered that an efficient Cyber Justice System is not only required for the success of the Digital India program but also is essential for India maintaining a good “Ease of Doing Business ” index on a global scale.

I hope the relevant authorities in the Government take necessary action in this regard and provide some relief to the public reeling under the onslaught of Cyber Crimes.

Naavi

As an annual ritual, National Crimes Record Bureau (NCRB) has released the Crime data for the year 2015 which includes data regarding Cyber Crimes registered and disposed off in India in 2015.

Copy of the Report :  Full Report : Cyber Crime chapter

Many news papers have reported on the data stating that Cyber Crimes have increased by a whopping 225% from 6268 to 14121 by addition of 8045 new cases registered during the year. (This pertains to cases registered under ITA 2000/8)

There have been analysis of which states have registered more cases, which City is int he forefront of Cyber Crimes etc.

According to the report   Uttar Pradesh registered 2208 cases in 2015, while Maharashtra registered 2195 cases in 2015 and Karnataka 1447 cases. On an all India basis, a total of 8045 new Cyber Crime cases have been registered in 2015.

If we also add the cases registered as “Cyber Crimes” but under different sections of IPC, the number of pending cases increased from 8032 last year to 19423 at the end of 2015 with 11592 new cases being registered. This shows an increase of 241% in pending cases.

Out of these cases a total of 276 ITA 2000 cases and 336 cases in total were recorded as “Disposed”  which would include those  dropped or transferred to other types of crimes. The disposal rate works out to 1.95% of the ITA 2000 cases and 1.72% of the total Cyber Crime cases.

We need to appreciate that this is the cases disposed off at the Police level and does not represent the disposal by Courts. It also does not include complaints registered and not converted into registered cases.

It is reported that  charge sheets were filed in courts in 3,206 cases but we may not have more than a few convictions during this period.   The total number of cases pending trial increased from 3917 last year to 7123 during the current year. 48 cases were compounded or withdrawn.

The statistics reveals that in 640 cases, trial were completed with  234 cases convicted and 406 discharged. Of the convictions it is interesting to observe that  143 convictions were under Section 66A which was repealed by Supreme Court in march 2015. 185 cases under Section 66A were acquitted while 2522 cases are still pending.

Deccan Herald has highlighted (See the report) the growing pendency of cases and we need to now look at solutions to address this issue rather than merely counting the arithmetics of crime statistics.

Looking at the motives, 3855 crimes were with the motive of financial gain while another 1097 are listed under fraud/illegal gain. Together 4952 crimes fall under these two categories. Insult to modesty of women, personal revenge and anger etc accounted for 1098 crimes while defamation accounted for 380. Extortion cases were 293 while hacking for fun was around 214.

While the trend in these crimes provide some good indication of what needs to be done to reduce the adverse effect of Cyber Crimes on the society, we need to ensure that these statistics in numbers have to be more reliable and reflect on the actual commission of offences. Otherwise,  the statistics provided by NCRB can be considered as misleading.

A part of this problem should be solved if Banks report the number of Credit Card, ATM card, Mobile wallet and Phishing frauds which will be necessary as per Cyber Security Framework 2016 suggested by RBI. Similarly we need to also record the innumerable Virus incidences, spamming, mobile thefts etc which are offences under Section 66 and 66B of ITA 2000/8 which appear to have escaped the NCRB report.

Obviously if we say the number of Cyber Crimes is not 6000 but 1 lakh, many eyebrows will be raised. But it is important to recognize that the problem of Cyber Crimes is really that large and needs to be addressed with better resource allocation both to the Police and Judiciary.

In fact Police should also take into account the possibility of “Friends of Cyber Police” drawn from the community who can at least help in getting Cyber Crimes reported properly. For this purpose Police should permit private organizations to receive online complaints and forward it to a central data base of the Government from which Police can take it up for investigation without waiting for a complaint directly from the victim. Some acceptable norms for this purpose can be drawn up. These will work like a private CERT in a limited way.

However, we need to point out  a serious flaw in the NCRB report which has been pointed out by us in the past and remains unattended. It also indicate the ignorance of the NCRB in ITA 2000/8.

I refer to table 18.2 on Cyber Crime incidences classified under different sections of ITA 2000/8 and IPC contained in the report which is reproduced below.

If we observe this report, 88 cases have been reported under “Tampering of Computer Source Documents” which we may presume are cases registered under Section 65 of ITA 2000/8.

6567 cases have been reported under IT-Computer related Offences which includes 4154 cases under 66A, 132 under 66B, 1081 under 66C, 1083 under 66D ad 117 under 66E. Offences under Sections 66A,66B,66C,66D and 66E nicely add upto what has been reported as “IT related Offences” which is presumably referring to Section 66.

It is unfortunate that NCRB does not recognize that Section 66 is an independent section and is not the aggregation of other sections 66A to 66E. By using this classification, NCRB is suggesting to all the Police stations that cases under Sec 66A to 66E are actually to be aggregated as offences under Section 66 and no case need to be registered under Section 66. I am sure that most cases that ought to fall under Sec 66 have been registered under Section 65.

If these charge sheets go to Courts, I wonder how the Courts can proceed since informed lawyers will simply demolish the case just stating that a charge listed under the charge sheet under Section 65 does not hold.

I wish NCRB consults NPA and revises the format of the Crime report system so that this error does not continue in the next year.

When we discuss the states where there are more crimes based on this report, we must remember that if the Police and Public are aware of Cyber Crimes and register complaints, it will naturally appear in this list. If they are ignorant and register cases under other laws or donot register cases at all, then obviously it will not reflect in the report. Hence it is not correct to reflect on the state of Cyber Law and Order in a state solely by referring to this list. In fact the reason why Uttar Pradesh tops the list is because they have efficient police officers in Noida who have registered a number of Cyber crime cases which should actually be appreciated.

The report says that 13 cases of Cyber Terrorism under Section 66F have been registered. Since this section carries “Life Imprisonment” it is the most serious offence under ITA 2000/8 and we need to know which are these cases and whether they represent any wrong interpretations. In fact the real Human Rights Activists (Not the Pseudo Activists who consider only terrorists as their subjects) should look at these 13 cases and ensure that there has been no incidence of misapplication of law for political or other considerations.

I request  NCRB to provide the details of these 13 cases to clarify the position.

What   we may however discuss is that while the number of cases registered is far less than the real incidence of Cyber Crimes (if we include the e-banking frauds), the disposal rates are only less than 2 % at the level of the police while at the Court level it is Zero percent.

The lack of a proper Cyber Judicial system in India to address Cyber Crimes is therefore very evident. Since no cases get disposed, it discourages public from reporting cyber crimes and even the Police are disinterested in pursuing investigation since it is a complete waste of time.

I suppose that the responsibility for this situation should be taken by the Chief Justices of State High Courts and the Supreme Court more than any body else. The Supreme Court does not find it inappropriate to spend time and also pull up the executive for their administrative lapses and irrelevant political cases but remains completely unconcerned when the Cyber Crime victim’s interests are involved.

There are several cases not only in Karnataka High Court but also in Nagpur where the non appointment of the CyAT chair person has been raised. But each time the DeiTy has stated that the matter is pending with Supreme Court for approval of a candidate and  State High Courts have simply closed the case. Last time it was even understood that Justice Mrs Vasuki of Chennai was appointed for the post but it never materialized. Now there is no other option left but to move contempt of court petitions against DeiTy which I understand is happening in Nagpur.

However, even if a High Court directs the DeiTy to appoint a CyAT chair person, it is unlikely to make any change to the current scenario of pending cases and non recognition of many incidents as crimes. We need multiple steps to be introduced in this regard to improve the Cyber Judicial system in India.

I will provide some suggestions in this regard in another post and  wish responsible MPs like Mr Rajeev Chandrashekar move a motion in the Parliament for a new Parliamentary committee to be set up to completely revise the Cyber Judicial system.

..Suggestions in the next post

Naavi

Mr Rajeev Chandrashekar, one of the few MPs who understands Cyber Law has rightly drawn the attention of the Government to the need to appoint the Chair person to Cyebr Appellate Tribunal-CyAT. (Refer BS Article).

According to the report, he has written a letter to MR Ravishankar Prasad in this regard and urged early action. I hope the department will take cognizance of this request which comes from an MP with the knowledge of IT.

The problem however does not entirely that of the DeiTy and it appears to lead to the doors of the Chief Justice of India and the inability of the CJI and the DeITy to agree on a candidate given the issues involved in the appointment of Judges in general.

I wish Mr Rajeev Chandrashekar had written to the Chief Justice also.

In the past Naavi has written many letters in this regard both through the web and also directly and neither the CJI nor the Ministers and Secretaries in DeiTy or even the PMO have taken any positive action.

However, as an eternal optimist, I hope  sooner or later, a decision has to be taken in this regard. It has taken more than 5 years now for the appointment and in the meantime the office of CyAT has been spending public money to remain in existence. It now seems to have a good Registrar also but all the expenses are going down the drain. Perhaps the CAG will also ask the question of what is happening to the investments made in CyAT.

I believe that appointing a Chair person for CyAT is only one of the many steps required to bring the Cyber Judicial system in India to acceptable levels and I will in a separate post that will follow outline some of my suggestions in this regard. I request Mr Rajeev Chandrashekar to take up these suggestions also with the Government and Judiciary.

Some of these suggestions will be directed to Karnataka Government and the Chief Justice of Karnataka in particular and the other State Governments and High Courts in general and can be done without much delay. Some may require notification from DeiTy which also should not take time. A few of the suggestions may require longer deliberation but like all reforms, we need to address the low hanging fruits first and let the momentum for reforms build up.

More will follow…(after an analysis of the NCRB cyber crime data of 2015 which has also been published yesterday)..

Naavi