Naavi.org

CDMAC is the proposed “Cyber Dispute Mediation and Arbitration Center”,  promoted by Naavi, a pioneer in Cyber Laws in India  and founder of www.naavi.org and its associate services. (Check www.adr.ind.in)

This Center proposes to offer Mediation and Arbitration Services mainly for disputes arising out of any contravention of Information Technology Act 2000 (ITA 2000) as amended from time to time.

ITA 2000 envisages that disputes arising out of any contravention of the Act leading to a claim of damages by any person against another is resolved through an “Adjudication” process under Section 46 of the Act. Under this provision, the IT secretary of each State or Union Territory have been designated as the Adjudicator with a jurisdiction extending to that particular State or Union Territory. The process of adjudication is an “Enquiry process” leading to an award which is enforceable like a revenue recovery. An appeal on the decision of the Adjudicator lies with the “Appellate Tribunal.

(P.S: Until 31st of March, the appellate authority was called Cyber Appellate Authority or CyAT with an office at Delhi. This has now been merged with Telecom Disputes Settlement and Appellate Authority or TDSAT and is referred to as the “Appellate Tribunal”).

The parties to an adjudication are open to enter into compounding any time before, during or after the adjudication process. (Section 63) The Compounding is arrived between the parties and placed before the Adjudicator for ratification.

Ideally, the compounding is amenable to “Mediation”. However, if the parties agree to voluntarily subject themselves to arbitration and for placement of the arbitration decision before the adjudicator for ratification, the Adjudicator has no reason to object.

It will be necessary for the mediation agreement or the arbitration award to be within the limits of penalty set in the Act.

In the case of criminal prosecution where the Police file a charge sheet in the magistrate’s court, under Section 77A, compounding is permissible excepting for offences under certain sections. Again the compounding application has to be made to the competent Court which may agree.

Therefore in both the Civil and Criminal cases, the disputing parties may come to an agreement between themselves so that they can agree to avoid or cut short the litigation process which is painful for both. Such an agreement of compounding has to be conducted under supervision to avoid coercion, misrepresentation and other illegal methods of arriving at an agreement. It is therefore preferable if such a process is managed under the guidance and supervision of a “Mediation and Arbitration Center” following certain norms which are fair and legally correct.

In the past 17 years since ITA 2000 has been in operation, the Adjudication system and the Appellate System have both had a checkered history. While Adjudication did take off in 2008 in Chennai and later continued well in Mumbai, presently, it is in a limbo everywhere. CyAT on the other hand was unable to settle even one appeal brought before it properly after adjudication.

The present scheme under which the TDSAT would be the appellate authority will be increasing the cost and inconvenience of Cyber victim litigants. Hence there is a dire need for an Alternate Dispute Resolution Mechanism to be developed for Cyber Disputes so that the agreed settlement can be presented to the Adjudicator or a Criminal Court for quick settlement where possible.

In the last 17 years this thought has never been brought before the Government and this is the first time such a proposition is being made.

Obviously, the first reaction could be skeptical. But if one thinks a little deep into the benefits of this system as proposed here, Government, the Judiciary, the Police and the litigants will all consider it a good solution to squeeze out a number of disputes from being held up in Courts over a long period with no benefit to anybody.

I request experts including Mr T.K.Vishwanathan who is now heading a Committee for amending ITA 2000/8 to consider this proposal and facilitate its acceptance.

Since the proposition is well within the legal provisions as of today, Naavi declares a  launch of this Mediation and Arbitration service straightaway and will wait for disputing parties to realize the benefits and approach the Cyber Disputes Mediation and Arbitration Center as indicated here.

As of now the rules of mediation and arbitration of the center has not yet been announced and will be presented soon.

Comments are welcome.

Naavi

The Cyber Appellate Tribunal (CyAT) which was envisaged under ITA 2000/8 as the national appeal authority over all the adjudication offices is finally confined to history.

Despite being in existence from 2000 upto 2017, the CyAT could not come to a single valid decision. The one decision in which CyAT was close to a decision was ICICI Bank Vs S Umashankar which was posted for judgement on July 3, 2011 when everybody know that the then Chair person was retiring on June 30, 2011. Since then, untill now, Governments could not find a Chair person and CyAT remained non functional.

Now with the passage of the Finance Act 2017, CyAT has been legally closed and merged with TDSAT. (Telecom Disputes Settlement Appellate Tribunal).  TDSAT  needs to formulate its procedures to hear the past cases which are pending before CyAT (Closed) and to take up future cases.

It is observed that while appeals from TDSAT in its current Telecom related disputes go to the Supreme Court, the appeals of CyAT cases will under Section 62 of ITA 2000/8 will go to the High Courts as in the past. Currently the Chair person of TDSAT is a ex-Supreme Court judge or at least a Chief Justice. How would he like his decision to be reviewed by the High Court without feeling uncomfortable?… is one of the several issues that we may need to resolve to ensure smooth transition of CyAT into TDSAT.

While the TDSAT and the Government sort out these issues, it is time for Citizens and other Stakeholders to make their own efforts to ensure that the interests of the Cyber Crime victims are protected and there is a functional Cyber Judicial system in India accessible to all.

In this context, I would call upon interested persons to join hands in setting up a “Cyber Disputes Mediation and Arbitration Center” and try to provide an alternate mechanism of dispute resolutions outside the statutory bodies such as the “Adjudicator” and the “TDSAT”.

Obviously, if the mediation fails, the other alternatives including Adjudication remain open.

If the arbitration is agreed upon but later challenged, there is already a mechanism where by the High Court comes into the picture and the dispute resolution gets back on the statutory platform.

There would be some questions raised as to whether an “Arbitration Contract” would be ultra vires the Information Technology Act 2000/8. Section 61 of ITA 2000/8 bars the jurisdiction of the Courts. But “Compounding” is part of ITA 2000/8 and is available for all Civil disputes and most of the Criminal charges under the Act. Hence, an “Arbitration Contract” or a “Mediation Settlement” must be considered as being well within the provisions of the Act.

Keeping the tradition of Naavi in setting up services based on the concepts that are futuristic, Naavi now intends laying the foundation stone for a “Alternate Disputes Resolution Center” for Cyber Disputes. Presently, it will be developed under www.adr.ind.in  (under construction)

It is intended that it will use the services of odrglobal.in as a platform for online dispute resolutions and may also use physical meetings.

This is a concept being seeded now and it requires mentors and participants to make it take root and grow into a full grown tree that can provide shelter to the Cyber Crime victims.

The first set of participants to this endeavour that I am looking forward to are the Cyber Law experts who have the capability of being the “Mediators/Arbitrators” or helping the parties to the dispute as counsels. They can register themselves as “Counsellors” and offering their services for Mediation or Arbitration to the disputing parties.

Naavi will be the promoter and administrator who would like to develop this ADRC for Cyber Disputes as a Mediation cum Arbitration Council with its own set of model rules.  This will take time and also needs assistance from like minded persons.

ADR-C-FCD is intended to function as a “Not for Profit” organization, though ODRGlobal.in which is presently owned by Naavi will continue to be a commercial proposition providing its services at a cost.  This limited conflict is considered inevitable at this point of time.

Initially,  adr.ind.in will focus on spreading the ADR knowledge and function as an ADR Knowledge Center. This may remain the main activity of the Center until this concept which is revolutionary in certain respects gains acceptance of the community.

The acceptance will be visible when some of the “Intermediaries” such as Banks or Mobile Wallet service providers etc start accepting this Center as a part of their grievance redressal mechanism. I am prepared to wait for this to happen over a period of time.

I look forward as always for comments from other domain experts in the area of Cyber Law, ADR and Information Technology to nurse this thought further towards practical implementation.

With the presidential assent given to the Finance Bill 2017, the amendments to some other Acts including the “Merger of Cyber Appellate Tribunal with TDSAT” is deemed to have been enacted.

Now it is necessary for the Government to pass necessary rules and also operationalize the amendments to individual section of the Information Technology Act 2000/8.

We need to watch out how this process would be rolled out.

One option would be to retain the current provisions of Cyber Appellate Tribunal as it exists in Chapter X of ITA 2000/8 and only replace the earlier notified rules with new rules stating that TDSAT will henceforth administer also as the Cyber Appellate Tribunal. The Chair person of TDSAT may himself be also appointed as the Chair person of CyAT (New) and the entire proceedings of CyAT(Present) can be handled by TDSAT as CyAT (New).

It is also possible that TDSAT may designate a separate bench for CyAT operations and one of the current members of the TDSAT may be also appointed as the CyAT chair person.

Let us observe how the operational matters would be addressed.

Naavi

Reference:

Finance Act 2017

Pages 59-60 of Finance Act 2017

The Special Task force of the UP Police has arrested one Mr Ram Prakash Singh who had sent fake e-mails to all the aspirants of a job who had to attend an interview stating that the interview had been postponed and getting himself selected unopposed.

It is unfortunate how the intelligent MBA graduate who applied for a position of Allahabad University thought that he could get away with the fraud. Now the person has permanently damaged his career for which he must have worked hard for the last two and half decades.

See report here

The incident shows how “Lack of Awareness of Cyber Laws” pushes people to take risks that they would not otherwise take if they had known that a strong law exists against such acts and our Police are capable of solving such mysteries.

At the same time, it is necessary for authorities such as the Registrar of the University in this case to adopt such practices that provide a proper authentication to the recipients of their official e-mails which would have enabled them to identify the fraud.

The discussion in this context comes back to the use of digital signatures which unfortunately has become more an instrument which is being used very inefficiently and in-appropriately. I anticipate that this case has the potential to snowball into another “Basheer Case” bringing into open a legal requirement which most people failed to see for decades after ITA 2000 was enacted.

The tragedy is that the system of digital signatures as provided in the ITA 2000/8 has not been properly implemented even by the licensed Certifying Authorities and presently even the CCA does not seem to exercise the required control. It is therefore time that some body brings to open the inadequate and illegal practices that prevail in the use of digital signatures in India.

Just as the Section 65B certification of electronic documents suddenly became critical to for all litigations because the Supreme Court suddenly spoke about it in one of its judgements, there will be some case in which the Supreme Court may make a reference to the need for the use of digital signatures in responsible communications and suddenly every body will wake up to the reality which the undersigned has been mentioning as an essential ITA 2008 compliance requirement for a long long time.

However, when such a realization dawns on the society, even CCA will be found wanting since at present the institution of CCA is just considered as another cabin in the Ministry of Information Technology rather than a statutory authority which has its own place in the Indian Cyber Law domain.

Recently, I had raised an objection that CCA had “De-Recognized” digital certificates issued earlier by the authorized Certifying authorities (CAs)  and advised them not to consider it valid for KYC for making online subscription applications for renewal.

On the other hand, CCA  had allowed the CAs to use  authentication for KYC based on OTPs sent to the mobile numbers which was only as good as the KYC of a mobile service provider who had no contractual obligation to the CAs and the Digital Signature system. This subordinated the new Digital Certificates issued by CAs to the verifications done by the mobile companies before they issue SIM cards.

Most CAs allow their RAs to process the new CA applications where the RA gets the OTPs over phone, downloads the certificates on Cryptographic keys at their end and deliver it to the subscriber. In the process they are compromising the private key ab-initio and also making the subscriber liable for punishment under the ITA 2000/8.

Does CCA know that the system of Digital Signature Certificate issue is being abused? .. Certainly… But Have they taken any steps to correct it ? …Certainly not.

If therefore Supreme Court asks CCA that if in the Allahabad Case, the e-mails had been sent under the digital signature of the registrar, would it have constituted a valid legally binding instruction to the candidates and whether such a system is tamper proof, can the CCA affirm before the Court and state that digitally signed e-mails are tamper proof?

I hope CCA gives a thought on how it will respond when it will be before the Supreme Court and is quizzed for its actions under the Act to protect the integrity of the system of digital signatures. The citizens of India will also ask the CCA if it has discharged its duties as envisaged under law and created the right foundation for the “Digital India” with “Less Frauds” ( since no-frauds is only a myth).

I understand that today the position of CCA is not being recognized as a body that is independent of the MeiTy and CCA is a protected contractual appointment without the power of removal etc., which makes it a powerful quasi-judicial body.

I suggest that CCA should form a Sub Committee (The first CCA had formed such a committee) consisting of experts which can go into all aspects of how Digital Certificates are being used in the system and how the regulation has functioned and how it has to be improved etc. and thereby undertake a complete review of the system as it should develop in the coming days. This would be a proactive measure of Compliance which may prevent future embarrassments.

Naavi

Just as I was completing my writing on the jioupgrade fraud, I received another whatsapp message with a link that looks like bsnlexpress.com. This is another phishing attempt as the link is not bsnlexpress.com. It is bsniexpress.com.

We had seen such a phishing earlier in the name of ICICI Bank where one of the I s was actually a Capital l.

Some research is required to find out what are the motives behind these organized spamming in the name of telecom companies in India.

A word of caution to all companies with L as their domain name component. Watch out for phishing.

(Ed: Applies to the undersigned since both Naavi.org and Ujvala.com is susceptible to this risk. Check NAAVl.ORG and ujvala.com which appear similar to the genuine domain names but are not. In certain fonts it is completely indistinguishable. Similar problems may be seen in “O” and “0” -zero).

Naavi

Phishers and Scammers look out for every opportunity to fool gullible people by sending out messages which appear to come from some well known companies or entities.

The objective of such hoax messages may be

a) Just spam for fun

b) Spam so that the ISPs benefit with better bandwidth usage, say by asking people to spread the message through WhatsApp

c) Collect information about users

d) Make users click on malicious links and implant trojans for committing further frauds ..etc

One such message surfaced today on a Whats App group with the following message.

Quote:

Good News For Jio Users

Activate Jio Sim Unlimited Data with EXTRA 1 YEAR Validity FREE with unlimited 4G till DECEMBER 2017 Click here to Activate Now
? www.jioupgrade.com

Share with your friends and groups so They also can get extra 1 year Free . Thanks friends !

Unquote:

Obviously, the message is well timed to attract the users who might have missed the Jio Offers lapsing on March 31st.

However, this message appeared to be a fraudulent message aimed at attracting users to share their telephone numbers with the website.

The website is mirrored from “jiosim-extra-1year.ml/ by HTTrack Website Copier/3.x [XR&CO’2014]” .

The website is registered in the name of naman.arora21134@gmail.com, with telephone number 9876543210, with a vague address, “Jio upgrade, 5th Hyderabad, 500013”

It is interesting to note that the site resolves to a https address which makes some believe that this is a genuine secure website.

.ml refers to Mali and it appears that jiosim-extra-1year.ml has been registered by some fraud syndicate which runs a service to mirror another website and run it along with Google Ad scripts to generate ad revenue. Obviously, it can also be used to commit phishing attacks and DDOS attacks. The identity of the owners of this website with .ml extension is being guarded by the service providers and in my view are considered part of the fraud syndicate.

The exact benefit this naman.arora21134@gmail.com would like to derive from this fraudulent spamming is yet to be ascertained. I request security experts to check the source code on the page available here 

At first glance it appears to be an attempt to steal the telephone numbers, E Mail address and internet access details of the person responding to this invitation. I suppose this will later be exploited for further spamming through SMS /Email messages and possibly with malicious code injections.

If both the email address and mobile numbers are registered for banking transactions, we must be alive to the possibility that the spammer may get opportunities to inject malware to commit financial frauds by taking over the Bank account.

At this point of time, there is sufficient indication to believe that several offences under ITA 2000/8 have been committed primarily by naman.arora21134@gmail.com whose real identity can be obtained from Google along with his bank details to which the ad revenues are being programmed to be credited.

Hyderabad police needs to act and they also have a mobile number to start their investigation apart from the gmail address and Google Analytics ID.

Jio also should file a complaint as this is an impersonation and an offence under Section 66C ad 66D of ITA 2000/8. If Jio ignores the impersonation, any affected party may claim the damages that he may suffer from Jio for not exercising due diligence even after it was brought to their notice through this public blog post.

I wish Hyderabad police start their investigation without waiting for Jio to file its complaint or even register a complaint for enquiry and send notice to Jio why action should not be taken against Jio for not taking efforts to prevent such impersonation through public notices.

I agree that there are many such frauds but the beneficiaries of such fraud such as the intermediary hosting organizations, domain name registrars etc must be made answerable. Without pulling up such intermediaries and make them exercise caution before registering fraudulent website names, internet frauds cannot be checked.

I request receivers of this email to ignore the message and not circulate the message further.

Naavi