Here are some of my views expressed in an interview with ISMG Asia on the recent TCS-Epic episode.
The interview can be accessed here:
P.S: Kindly note that the voice is slightly distorted and looks hurried through. I suppose it is because of some technical issue in recording.
Naavi
Over the last decade and more specifically over the last few years, there has been a tremendous development in the use of ICT with the mobile technology taking firm roots. On the one hand Mr Modi has been promoting the “Digital India” concept and going all the way to promote the use of digital technology such as Aadhar.
Naavi.org has been cautioning the over use of the technology without appropriate safeguards such as information security and Cyber Insurance. However, certain types of regulation need to be cleverly drafted so that there is no misuse of technology but the regulation does not hurt development. Drafting of such legislation requires a knowledge of both the domain of legislation as well as the technology. Lack of such professionals in the bureaucratic circles appears to be creating situations where some decisions are taken at different ministries which directly affect Mr Modi’s development agenda.
There appears to be a set of people in the Governments who are hurt by the beneficial aspects of e-Governance and would like to curb the power of technology through new regulations. They seem to be targetting Cyber technologists with a vengeance by introducing restrictive laws that betray lack of understanding of the Cyber Business model solely to meet their short term goals some of which may be sinister Anti-Modi designs.
Two examples that stand out in recent times is the Arvind Kejriwal’s fight agaisnt Uber in Delhi and Karnataka Government’s bill on Aggregators of Taxi services. In both cases new laws have been passed to curb the growth of the new business.
Surge Pricing was bad to some extent but it had some logic. It could be regulated to prevent fraudulent pricing instead of bringing down the system itself. Karnataka’s law on taxi aggregators also tries to hit out at the new business model because the Government feared losing revenue from taxi operations.
Now a third fight has opened up in the new “Map Law” which imposes hefty fines upto Rs 100 crores for erroneous “Geo Spatial Information” besides possible 7 year imprisonment.
While the apparent intention was to ensure that India’s borders are not wrongly depicted by Google Maps, the law appears to actually hit the domestic start ups and small companies which are developing new business around the location of the user.
The new law would seriously hurt many mobile app operators who could be could be a taxi operator or a medical service or an ambulance service or a catering service or a grocery supply service. Today every business wants to know the location of the customer and make services available on “Near You” basis. Probably it could hit you and me who may use WhatsApp to share our location.
The draft law has now drawn the attention of the public that it may introduce an unintended licensing system that could kill many small businesses and go completely against the “Start Up” concept that Mr Modi is promoting under the Digital India concept.
According to Section 4 of the proposed law,
“Dissemination, Publication or Distribution of the Geo-spatial Information of India.-Save as otherwise provided in this Act, rules or regulations made there under, and with the general or special permission of the Security Vetting Authority, no person shall disseminate or allow visualization of any geo spatial information of India either through internet platforms or online services, or publish or distribute any geo spatial information of India in any electronic or physical form. “
Under Section 9
“Any person who wants to acquire, disseminate, publish or distribute any geo-spatial information of India, may make an application along with requisite fees to the Security Vetting Authority for security vetting of such geo-spatial information and licence thereof to acquire, disseminate, publish or distribute such Geo-spatial Information in any electronic or physical form. “
Under Section 3,
“Save as otherwise provided in this Act, rules or regulations made thereunder, or with the general or special permission of the Security Vetting Authority, no person shall acquire geo spatial imagery or data including value addition of any part of India either through any space or aerial platforms such as satellite, aircrafts, airships, balloons, unmanned aerial vehicles or terrestrial vehicles, or any other means whatsoever”
Under Section 13
“Whoever disseminates, publishes or distributes any geo spatial information of India in contravention of section 4, shall be punished with a fine ranging from Rupees ten lac to Rupees one hundred crore and/or imprisonment for a period upto seven years. “
It is noted that the law criminalizes the dissemination of information without license by a stringent 7 year imprisonment term without even any hint of a need to prove some criminal intentions.
There is no “Exemption” provision that exempts users and any body else without malicious intentions from penalty.
There is no doubt that the law in its present form is absurdly draconian and will be struck down if challenged in a Court of Law. I hope the Government withdraws the law or makes substantial correction without exposing itself to another embarrassment in the Supreme Court.
If the law makers had any sense of the market place they would have restricted the penalty to only cases where the depiction of wrong borders was intentional and use of maps was for some anti national purpose. In every other case, a wrong map is a consumer protection issue and it would suffice if the consumer interest is protected with a penalty in the form of damages.
For example, if a map on a mobile App depicts there is an Adigas hotel in 5th Main, Chamarajpet, Bangalore and I search for the hotel for half an hour and cannot find it, it would suffice if I can collect a “Free Meal Coupon” as a compensation. There is no need for the app developer to be jailed for 7 years under a cognizable offence.
The law makers are simply unaware of how many of our businesses would be facing 7 year imprisonment term for their routine business activities on account of this new proposed law.
I cannot but think that the law has been framed only to defame Mr Modi and his efforts to promote Digital India by some bureaucrat who sits in the Government as a mole of Congress. Already a campaign has been mounted in Washington Post citing the absurdities of this law.
I wish Dr Subramanya Swamy finds out who actually was responsible for framing such a draconian law.
On the contrary, if this is simply a case of over enthusiasm and a blinkered vision that “Maps” means “Google” and “Apple” and hence one can think of Rs 100 crore penalty, then the concerned official should admit his ignorance and resign from his responsible position immediately or else removed.
It is well known that this law will not deter Pakistan or China from depicting the maps of Indian Border as they wish. Hence the law will not have any effect but to make innocent Indian businesses to pay. It is expected that Apple or Google will pay whatever license fee is imposed on them and pass on the burden to the users such as the Zomatos, the Olas etc. The cost of doing business will therefore go up and the Ease of Doning Business index of India will dive down.
Hence there is a need for Mr Modi to immediately initiate corrective action.
I Invite public to send their views on this draft bill to jsis@nic.in within next 30 days to protect Digital India
Naavi
Related Article : Livemint
It has been reported that the IRCTC servers have been hacked and data base of millions of users compromised.
It is also learnt that the information is available on CDs for Rs 15000/- . (From unconfirmed private sources)
The fact that IRCTC has been hacked is no surprise. It perhaps happened long back and we have come to know of it only now.
The point that IRCTC does not have proper Information Security systems is being discussed in other fora.
At this point of time, it is not clear what information has been compromised and made public. If it is only the personal information about the name and e-mail address and used for spamming, it is perhaps tolerable.
However, if sensitive personal information including the Password, the PAN card detail, the Credit Card or Bank details have been compromised, it is unpardonable.
In such a case action should be initiated by Police and there is a need to send some body in IRCTC to jail.
It is a failure of the reasonable security practice under ITA 2008 and an assistance to commission of further frauds through recklessness with or without financial benefits.
At the same time, we cannot estimate when a past customer of IRCTC would be hurt. His confidential data may be used any time in the future to commit a fraud. Hence there is a need to protect every customer of IRCTC from possible future loss.
For this purpose IRCTC must immediately pick up a Cyber Insurance Contract and cover all their account holders against possible identity theft related losses in the next 3 years upto say an amount of Rs 5 lakhs. Whatever be the cost of such an Insurance must be boarne by IRCTC.
IRCTC should also immediately give a notice to all its customers by individual e-mail as per standard “Data Breach Notification Policy” (Please see CLCC for a draft of a model policy).
If such a policy has not been adopted, it confirms the lack of “Due Diligence”.
In January, TOI carried an article titled “IRCTC website a sitting duck for Hackware”. This was a notice on which remedial action should have been initiated.
Naavi.org has itself raised the possibility of hacking way back in August 2010 and also recently asked if IRCTC should have taken Cyber Insurance.
However, IRCTC has not taken any remedial measures and even now a google search on “IRCTC hacking” reveals many sites promoting hacking of IRCTC.
All this indicates complete negligence of the Information Security responsibilities at IRCTC for which the persons responsible must be held accountable.
I suppose some body should take up a PIL on this account.
The Supreme Court takes up many less worthy cases on Suo Moto basis and there are activists who hoist PIL litigation for innocuous matters which Courts spend time on.
Will any responsible Judge consider it worthwhile to take up this case on a Suo Moto basis and ensure that people who have shared their personal data with IRCTC are protected against losses arising out of the identity theft?
The PRO of IRCTC seem to have given a statement that the “Website of IRCTC is not hacked”
The PRO may not be aware that it would not have mattered much if the website had been defaced rather than the data having been compromised. He is either unaware of the damage or has not shared the info with the public. Hope IRCTC releases a note through their website what exactly has happened and what are the risks to the public.
P.S: Will Aadhar data base be the next on CD on the streets?
Naavi
Naavi.org has several times brought to the attention of the public that certain certifying authorities are not following proper procedures for issue of Digital Signature Certificates and this can lead to frauds.
Earlier, one person associated with a Registration Authority had been alleged to have misused the digital signature of a Company Secretary in Bangalore to sign MCA certificates for a fee. Another instance from Delhi had been reported where directors of a Company were alleged to have used the digital signature of a deceased director and transferred the ownership.
Now, another allegation has surfaced in Bangalore where Dr Madhukar Angoor, Chancellor of Alliance University has stated in a Press Conference that his family members have forged his digital signature to record resignation of himself and his wife to transfer the control of the University when he was abroad. (The case also involves the apparent misuse of laws meant for protection of women where false rape charges are routinely filed to defame and trouble innocent persons, which is outside the scope of this article.)
Also See Article in Deccan Herald: Indian Expres
It appears that the English press seems to have not noticed the Cyber Crime angle while Kannada Prabha has reported the misuse of digital signature. This would involve Section 66C and 66D besides, several other sections of ITA 2000/8 and IPC.
It may be easier to investigate the Cyber Crime which may also be a proof of the property motive that could be behind the “rape” charge. The investigation may also expose some Certifying Authority and their Registration Authority who might have abetted the crime.
It is interesting to note from this earlier article in Bangalore Mirror that the sister who has lodged a rape complaint on behalf of her daughter is the “Wife of an IPS Officer”.
Justice therefore awaits overcoming the barriers of conflicts of interest in investigation.
Naavi
In what may be described as an unfortunate but grim reminder of the risks that we run in the Cyber Space, American Dental Association (ADA) appears to have exposed itself to a risk of a hefty fine from the Department of health and Human Resources (HHS) which regulates HIPAA and HITECH Act implementation in USA. (P.S: I thank Mr Avkash Kathariya for bringing the incident to my notice)
The Association recently sent a soft copy of CDT 2016 manual through a flash drive.
It was found that the flashdrive contained a link to a website which is known for distribution of malware. This article in krebsonsecurity.com indicates that the fact that a malware was contained in this official communication was detected by a security professional who checked the flash drive.
In an inevitable “disclosure and Remedial Action”, the Association released an e-mail alert on the incident.
A copy of an e-mail which the center for Informatics and Standards in American Dental Association has sent to their customers recently is reproduced below.
HHS normally imposes hefty fines for potential or real disclosure of PHI by Covered entities and Business Associates. This incident exposes the possibility that a malware could have been injected into the systems of any of the users and has to be recorded as a “Suspected Security Breach Incident” at every one of the users who may be exposed to HIPAA compliance requirement. Whether or not there has been any actual data breach, it would be necessary for these entities to document the incident, conduct an appropriate internal investigation and record (hopefully) “There was no breach of unsecured PHI”.
The incident could have been a major disaster in the health care industry resulting in unprecedented levels of PHI data breach. We should be relieved that it has been detected at the earliest and the security specialist responsible for the detection identified as “Mike”, a member of a forum titled DSL Reports deserves to be given a major bounty by ADA and HHS.
In India, “Distribution of a Computer Contaminant” would invoke action under ITA 2008 both for civil and criminal action. The Computer Abuse act in USA may have similar provisions and action can be taken on ADA for payment of damages and for criminal negligence while HIPAA itself may not be able to impose penalty on ADA.
The incident however is a big lesson to every organization that some times distributes useful data with good intentions loaded onto a CD or Flash drive. The work is often sub contracted to some supplier who may not have any idea of the security issues involved in distributing a malware along with the intended content.
The least that a content provider may do in such circumstances is to take care to digitally sign his file and include a disclaimer and alert that enables the user to scan the data before use for malware.
Naavi
During a recent meeting of Chief Justices of High Courts, the Chief Justice of India, Mr T.S.Thakur broke down emotionally with the burden of a perceived guilt of the Judiciary in not being able to reduce the pendency of cases.
While this brought out the frustration of an honest Chief Executive of the system, I could not miss a feeling that the solution is staring at us and we have not perhaps identified it.
The solution lies squarely in an aggressive promotion of the system of ADR (Alternate Dispute Resolution). Being from the IT enabled legal services industry, it was natural for me to immediately feel the increased need for the use of ODR to accelerate the ADR process itself.
Afterall, the Modi Government passed the Amendment Act to the Arbitration and Conciliation Act 1996 on 31st December 2015 enabling the use of electronic means for conducting ADR. The amendment also contained what may be considered as revolutionary proposal to fix specified time limit for completion of Arbitration and incentives and disincentives for variations.
Now all those Advocates and Professionals who have the necessary legal and domain experience and the “Urge to Resolve Disputes” should consider setting up their own “Dispute Resolution Centers” (also identified as Arbitration and Mediation Centers) so that in the next couple of years, we have a huge capacity build up in Dispute Resolution which will at least ensure that there is no further build up cases in the overworked Judiciary.
Naavi’s ODRGLOBAL.IN proposes to provide the technical infrastructure to enable and empower such professionals so that they can conduct online dispute resolutions and apply their arbitration and mediation skills to good use.
Ofcourse, skills in Arbitration or Mediation are to be nurtured. They are different from what advocates learn while acquiring LLB or practicing in a Court of Law. Perhaps we may consider that Mediation is more an “Art” than a tought and learnt skill. However, efforts are to be made by professionals to polish their dispute resolution skills before they plunge full scale into this new profession.
The first thing an “Arbitrator” or an Advocate participating in Arbitration proceedings or even the Litigant parties need to understand that in a “Litigation” it is more often a “Win-Lose” fight where as Arbitration and more so the Mediation is a “Win-Win” negotiation.
Further, the Judge in a litigation is strictly constrained by the inefficiency of the counsels and cannot go beyond the evidence and argument provided by the counsels even if it is inefficient and incorrect. Arbitrator has a greater freedom to find a solution and can intervene more pro-actively than in a litigation.
In a mediation, the emphasis is driving towards a mutually agreeable conclusion and not being correct to a point of law.
If this principle of “Win-Win” is understood and implemented, then the society will be lot better in the next decade when the pending 3 crore cases are resolved by Courts since they will not create 3 crore dissatisfied losers trying to take revenge on other 3 crore winners, rather than having 6 crore happy resolved formerly disputing parties.
(P.S: I agree that all disputes are not amenable to a Win-Win solution. But the principle needs to be appreciated).
If we agree, the question then arises….
a) If I am a professional advocate or a domain specialist
Should I become an Arbitrator?
Should I ask my clients to include an arbitration clause in the agreement providing for “Online Arbitration on the technology platform of www.odrglobal.in”?
…. perhaps it is time to consider.
b) If I am a Consumer facing organization, say a Bank or a White Goods manufacturer or a Service provider, or an e-Commerce player,
Should I start incorporating the ODR clause into my contracts?…..(with odrglobal.in as the technology platform)
…. perhaps it is time to decide
This transformation from a “Litigation Mindset to ODR Mindset” could be an innovation in the dispute resolution industry that can wipe “Every tear from Every eye”….an evergreen mission for all nation builders.
Whenever we discuss an “Innovation” with established industry practitioners, we come across a dilemma.
They often ask….
Should I be the first to try out? Are there some unknowns which I cannot identify?.
Most of the conservative practitioners come to the conclusion, let me not be the first.. Let me wait for others to implement the innovation and then come in.
No doubt this is a common human trait and we need to respect the cautious attitude of such “Safety First-Innovation Next” kind of professionals.
But behind this attitude lies the quality of management .. “Should I be a Leader or Am I content being a “Follower”.
The entire “Start Up ” industry is built on this premise that “Innovation is the Key to Success”. No doubt some or even many innovations may fail. But as long as the innovator hedges his risks to the extent that he will not go down with a failed innovation, there is no reason for not trying to be an innovator.
In fact it is the few innovators who succeed who turn out to be the industry leaders and icons.
Today, I would like to ask a question to all the Legal heads of companies including the Infosys, Wipro, Flipkart , as well as the Toyotas, Whirlpools, Citi Bank or State Bank etc, or for that matter any consumer facing Company why they should not take the lead in using ODR as a dispute resolution mechanism between themselves and the Customers.
It would be an “innovation” that may distinguish them as a leader rather than a follower. Will these companies who are known leaders in their respective fields bogged down by the thought “Let others try…then I will follow..”. I hope not.
I call upon all the legal heads and business heads of companies to step into this new world of ODR and contribute to the vision of “India as a Global Hub of ODR”.
I request all readers to forward this post to any of their known legal contacts in the industry and seek their response and feedback which may be sent to Naavi
Naavi
