How Ze-Mo Coupons can address the issue of currency shortage after December 31st

Around 2003, the undersigned had come up with a solution named “Digital Value Imprinted Instrument System” (DVIIS). This was a “Brick and Click” solution to many of the problems of physical instruments which have a monetary value including “Currency”, “Stamps”, “Tickets” etc. (One of the representative solutions is available here). The system could not be commercialized by the undersigned since proper support could not be gathered. At least two major IT companies who were privy to the idea could not see the commercial prospect and failed to take it up for implementation.

One of the implementations of the DVIIS was in what was called “ZE-MO Cards/Coupons”  (named as such because it was a Zero Memory smart instrument replacing the smart cards with larger memory).

It appears now that the idea was a little too early for the market at that time. But now when the country is struggling to find a solution to the currency shortage after demonetization, it appears that the Ze-Mo coupons are ideally suited to resolve many of the practical problems that we face today.

The essence of the Ze-Mo  system was that there would be a Zero Value physical instrument which would carry its value on the digital server mapped to the instrument. The instrument would be used to transfer value from one to other and could be used for “Digital Stamps”, “Tickets” and also as a “Currency Substitute”. When this concept was being discussed, we did not have the concept of “Pre paid, refillable” cards as we have today.

The “Ze-Mo” cards were promoted as thick paper labels with almost zero material cost (compared to smart cards, which were expensive). They would be distributed free by sponsors who would have advertisement space on the label (like UNO cards?), and people would fill them up with money before handing them over to the next person. The value would be verifiable at the server with reference to some code imprinted on the instrument. (It was suggested that this could include an invisible hidden code in addition to a visible code.)

At that time I had also suggested Ze-Mo coupons as a “Verifiable Currency”, particularly of high value, and repeated the suggestion in 2014 in my article “Black Money Policy of Narendra Modi.. Here is My Idea”. This was also published in naavi.org. At that time nothing was known about the demonetization that occurred on November 8, 2016.

Presently, we are struggling to ensure that the shortage of cash that has resulted from the demonetization does not derail the economy more than what we can bear comfortably. The opposition parties are doing their bit not only to create panic in the minds of the public so that they will hoard available new currency notes but also to encourage all kinds of malpractices in converting black currency stocks to new currency stock with the help of Banks and political party donations etc.

There is therefore an urgent need to energize  the system of “Digital Payment Infrastructure” and make it more efficient and secure.

It appears that the Ze-Mo system was well designed for this purpose and even now is well suited to quickly replace the withdrawn currency provided we pep up the earlier suggested instrument with

a) KYC back up

b) Slightly better security than what was envisaged.

One implementable solution is to permit all Banks to print Ze-Mo slips/coupons, like cheque leaves, at all the security printers available. These will look better than the simple labels that I had proposed earlier, and would be sold/distributed only to identified individuals who provide their Aadhaar number or their Bank number. (Cost of Ze-Mo coupons can be about 20-25% of the cost of printing of a cheque leaf even if similar security printing technology is used).

Banks can issue books of 100 such leaves to their customers which will be equivalent to any currency they wish to hold in any denomination as long as they have the funds in the back end account. (P.S: It may look similar to the Sodexo Coupons but the value would not be printed on the instrument and would only be available for online verification). Customers can use the 100 leaves as different denominations of currency in any mix as they like. Hence the question of shortage of any particular denomination does not arise at all.

A coupon will remain at zero value until it is filled up by transfer from the account, like charging a prepaid instrument. The difference between a prepaid card and this coupon is that the coupon would be handed over by the person making the payment to the person to whom the payment is being made.

Holders of these Ze-Mo Coupons would use either a mobile app or the internet to transfer money from their existing bank account to the Ze-Mo coupons, using the serial number as the mapping. Any person to whom a coupon is handed over can simply check, in the same app or on the internet, the value of the coupon before he accepts it. The query could be made available both on smart phones and on USSD codes so that the recipient gets an SMS as soon as he sends the number of the coupon to the server.

The coupons can later be either used as such for further transfer or extinguished. It is one of the suggestions that the coupons will have a validity period for transfer which will be short (say one month) so that it cannot be used for hoarding cash but has to be in circulation or extinguished.

Compared to the current system such as the mobile wallets, the UPI and USSD, the Ze-Mo system has a significant advantage in the sense that it gives a “Feel of Currency”. Most people would be very comfortable holding the coupon that looks like a bank cheque than nothing at all as in the case of pure digital wallet transaction.

Ze-Mo coupons also reduce the load on the server at the time of the transaction, since the recipient’s validation only has to verify static data on the server (such as the hash value of the input) instead of validating a payment instruction on the fly and transferring the money from one account to another.

The actual money transfer occurs at a time different from the time of the transaction, both for loading the money to the coupon from a bank account (at the payer’s end) and for unloading it from the coupon to a bank account (at the recipient’s end). This would address the problem of “Transaction peaking” at different points of time during the day creating server crashes.
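The coupon lifecycle described above (load by serial number, read-only check by the recipient, extinguishing, and a one-month validity) is sketched below as an added example; it is not code from the original proposal. The class and method names, the constructed serial `ZM-000123`, and the rule that lookup needs only the visible serial while redemption needs the hidden code (kept on the server only as a salted hash) are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

VALIDITY = timedelta(days=30)  # the text suggests "say one month"


class CouponLedger:
    """Server-side store: the paper coupon carries codes, never value."""
    def __init__(self):
        self._rows = {}     # visible serial -> coupon record
        self.accounts = {}  # account id -> balance (stand-in for the bank back end)

    @staticmethod
    def _digest(salt, hidden_code):
        return hashlib.sha256(salt + hidden_code.encode()).digest()

    def issue(self, serial, account):
        """Register a blank coupon to a KYC-identified account; return its hidden code."""
        hidden, salt = secrets.token_hex(8), secrets.token_bytes(16)
        self._rows[serial] = {"owner": account, "salt": salt, "value": 0,
                              "hash": self._digest(salt, hidden),  # code not stored
                              "expires": None, "state": "blank"}
        return hidden

    def load(self, serial, account, amount, now):
        """Payer charges a blank coupon from the account it was issued to."""
        row = self._rows.get(serial)
        if row is None or row["owner"] != account or row["state"] != "blank":
            raise ValueError("coupon not loadable by this account")
        if amount <= 0 or self.accounts.get(account, 0) < amount:
            raise ValueError("insufficient funds")
        self.accounts[account] -= amount
        row.update(value=amount, expires=now + VALIDITY, state="loaded")

    def check(self, serial, now):
        """Recipient's read-only lookup by visible serial (app, web or USSD)."""
        row = self._rows.get(serial)
        if row is None or row["state"] != "loaded":
            return {"valid": False, "value": 0}
        if now > row["expires"]:
            return {"valid": False, "value": row["value"], "reason": "expired"}
        return {"valid": True, "value": row["value"]}

    def redeem(self, serial, hidden_code, to_account, now):
        """Extinguish the coupon; the serial alone is not enough."""
        row = self._rows.get(serial)
        if row is None or row["state"] != "loaded":
            raise ValueError("nothing to redeem")
        if not hmac.compare_digest(row["hash"], self._digest(row["salt"], hidden_code)):
            raise PermissionError("hidden code mismatch")
        if now > row["expires"]:
            raise ValueError("expired: settle at a bank branch with identity proof")
        amount = row["value"]
        row.update(value=0, state="extinguished")
        self.accounts[to_account] = self.accounts.get(to_account, 0) + amount
        return amount


def demo_coupon():
    t0, day = datetime(2016, 12, 1), timedelta(days=1)
    ledger = CouponLedger()
    ledger.accounts = {"payer-acct": 5000, "shop-acct": 0}
    hidden = ledger.issue("ZM-000123", "payer-acct")  # constructed serial
    ledger.load("ZM-000123", "payer-acct", 750, t0)
    seen = ledger.check("ZM-000123", t0 + 2 * day)
    rejected = False
    try:
        ledger.redeem("ZM-000123", "guess", "shop-acct", t0 + 2 * day)
    except PermissionError:
        rejected = True
    paid = ledger.redeem("ZM-000123", hidden, "shop-acct", t0 + 3 * day)
    return seen, rejected, paid, ledger.check("ZM-000123", t0 + 4 * day), ledger.accounts
```

The balance check proves only the value at lookup time; the coupon remains a bearer instrument, so whoever presents the hidden code first extinguishes it.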

Additionally, Ze-Mo coupons would reduce the number of digital transactions by at least a factor of two or three if we presume that the coupon is used for payment by the first recipient to at least one other person before it is extinguished.

The only risk is that someone may forget to credit the coupon to his bank account and allow it to expire.

In such cases, an exceptional system can be made for the holder to go over to a Bank, submit his identity and get the money credited to his account. Obviously he will be answerable to the tax authorities if required.

Thus the Ze-Mo coupon system if introduced can quickly address the issue of shortage of currency which will be a huge political issue after 31st December 2016.

Naavi

More information on how ZeMo system can be adopted to banks (ppt prepared in 2003)

 

Posted in Cyber Law | Leave a comment

Does DMCA pose a risk to Indian hosting companies also?

When a hosting company hosts user content, there is always a risk of the hosting company being charged for abetting the copyright infringement if any by the user. In India, intermediaries are subject to the “Due Diligence” requirement under Section 79 of ITA 2008 which inter-alia requires them to respond to a notice such as a “Take down notice” within 36 hours.

This “Act within 36 hours” does not mean that the hosting company needs to take down any content for which it has received a notice of objection from a member of the public. It applies when a competent Court issues an order. There could be some doubt as to the action required when a notice comes directly from the police without a Court order. Normally the Police should respect the tradition of getting a Court order in case of either a suspected defamatory post or a copyright infringement. Neither the Police nor a complaining individual nor even the hosting company has the right to take a judgmental view about any content as to whether it is defamatory or infringing any copyright. However, it would be necessary for the hosting company to reach out to the accused person who has posted the disputed content and initiate a “Show Cause” process followed by a mediation or arbitration before the next level of action is contemplated. In the meantime, a “Notice” may be displayed that the content is disputed so that visitors are informed and put on notice.

Obviously, copyright owners would not be satisfied with any half measures and would not only require a take down but also further action both civil and criminal on the person who infringed. As regards the hosting company, most copyright owners would be satisfied if a  quick action is taken to take down the offending content.

Under DMCA, four safe harbors have been provided for the service providers according to which the liability of the intermediary would be limited if certain precautions are observed. They are

a) Transitory digital network communications (eg: Network service providers who only transmit data)

b) System caching (eg: ISPs who cache content temporarily)

c) Information residing on systems or networks at the direction of users

d) Information location tools (eg: Search Engines)

Each of the above has a set of particular conditions, all of which must be met to enjoy the protection of that safe harbor. Each safe harbor addresses a different aspect of potential copyright liability, and meeting the conditions of any one is sufficient to receive protection for the acts included in that safe harbor.

In order to address the concern of the copyright owners, Congress instituted a “Voluntary” notice and take down system so that the allegedly infringing material is removed quickly and then any infringement can be adjudicated in a copyright infringement suit. This system of “notice and take down” starts with a service provider designating an agent to receive notices by filing a form with the copyright office. Then copyright owners who believe that their works are available on a service provider’s system can send a notice to that service provider at the address available in an online database on the Copyright Office’s Web site.

Recently the copyright authorities have simplified the system by introducing an online facility to designate an agent and also reduced the fees for the registration.

Once a service provider wanting to avail itself of the safe harbors knows that its system has infringing material, that service provider must expeditiously remove or block access to the allegedly-infringing material. That knowledge can come from a proper notice from the copyright owner, or when the service provider is aware of facts or circumstances from which infringing activity is apparent. It is not necessary for a service provider to police its users, or guess that something may be an infringement.

In a case in which the notification that is provided to the service provider’s designated agent fails to provide the necessary knowledge, the service provider needs to promptly attempt to contact the person making the notification or take other reasonable steps to assist in the receipt of a notification that substantially complies with all the provisions.

Further, a service provider shall not be liable to any person for wrongful deletion of the content done in good faith when a proper notice has been received.

The service provider must notify the subscriber of any take down, and if the subscriber contests the take down, must restore the material within 14 business days. That provides the copyright owner time to file an infringement suit and get a temporary injunction ordering the continued removal of, or blockage of access to, the alleged infringing material.

There are some legal experts in USA suggesting that DMCA provisions need to be honoured by all service providers who may be serving content to US citizens. If this is true, then there will be need for affected Indian content providers to register their “DMCA agents” with the DMCA authorities.

Generally the provisions of DMCA also constitute the “Due Diligence” under Section 79 of ITA 2008. However, in the case of websites where the content is available to a global audience, the risk of DMCA exercising its jurisdiction on Indian service providers is a cause of worry. There have been at least two instances where DMCA has struck on people outside India. First was the case of a Russian programmer who was a project lead of a product infringing DMCA which was developed in Russia and distributed through a website; the programmer was arrested while on a tour of USA. Second was a professor working in Japan who was extradited by the friendly Government to face the trial in USA. There is no reason to believe that such things would not recur in future also.

Hence the Indian copyright authorities need to ensure that DMCA is not applied to Indian content providers bypassing the local laws.

For this purpose, it is necessary for the Indian Copyright Authorities to declare that “No action will be initiated against Indian constituents under any copyright law except through the Indian copyright authorities”.

Simultaneously the CERT IN should coordinate with the Indian Copyright Authorities in ensuring that those who follow ITA 2008 should not be harassed under the Copyright Act with “Take down notices” and “Penal action for not adhering to take down notices”.

This point had been made here several years back but the need for such “Indian Safe harbor” has not been addressed so far.

Naavi


Challenges to reach the cashless society

One of my friends and a prominent Cyber Security specialist Dr Rakesh Goyal of Mumbai has released a valuable article on Challenges for digital India a copy of which is available here.

Dr Rakesh has brought out the many challenges that are before us and also provides some of the solutions he thinks should be considered.

The paper is an excellent read and needs further discussion at the Government level.

Today, I also went through a video received through WhatsApp about a Chaiwala educating the public on the need for a surgical operation to remove black money. This video in Kannada with English subtitles captures the mood of the ordinary men on the street and underscores several truths which some of us may fail to notice. I wish viewers would go through the video and capture at least the essence of the narration.

Coming back to Dr Rakesh’s paper, it is interesting to note that he compares the cost of digital transactions vs savings of the Government if we move towards cashless society and makes a case for Government bearing part of the transaction cost. This will be one “Subsidy” which will be progressive.

Obviously Dr Rakesh raises the need to focus on interoperability and cyber security. These are not only concerns but also tremendous opportunities which I am sure IT savvy people will harness. Though in India we have so far seen little effort to invest in security, this time we hope things will be different. Maybe the Government subsidy scheme can also consider how to drive the incentives towards a secure platform vs an insecure platform.

User awareness is of course a challenge which is being addressed now through advertisements on TV and Radio and should continue with the schools and colleges. Perhaps the public have a role in this education also.

Dr Rakesh also speaks of the legal issues and the need to protect the consumers. He points out the absence of a proper Cyber Insurance scheme for protecting the consumers. Government has a ready solution for this which is only being held up by the IBA and influential bankers. RBI is presently under pressure not to operationalize the August 11 2016 circular on Limited Liability which is a good starting point for protecting the interest of the consumers. The undersigned is trying to push RBI into taking a decision but has so far not been able to persuade Dr Urjit Patel to take action. Hopefully something is brewing and may happen soon.

Discussing the solutions, Dr Rakesh has suggested many measures which require a serious thought.

Hopefully the Government will take note of some of these suggestions and try to act on the same without any further delay.

Naavi


Reporting of Incidents to CERT-IN

CERT-IN has today released some advertisements in newspapers reiterating the rules that require mandatory reporting of cyber incidents. The circular makes a reference to the notification dated 16th January, 2014 titled “Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013” (Copy available here) in which, under Section 12(1)(a), it is stated that “Any individual, organization or corporate entity affected by cyber security incident may report the incident to CERT-IN”.

Types of cyber security incidents that need to be reported to CERT-In are

  1. Targeted scanning/probing of critical networks/systems
  2. Compromise of critical systems/information
  3. Unauthorized access of IT systems/data
  4. Defacement of website or intrusion into a website and unauthorized changes such as insertion of malicious code, links to external websites etc.
  5. Malicious code attacks such as spreading of virus/Trojan/Botnets/Spyware
  6. Attacks on servers such as Database, Mail and DNS and network devices such as Routers
  7. Identity Theft, Spoofing and Phishing Attacks
  8. Denial of Service (DOS) and Distributed Denial of Service (DDOS) attacks
  9. Attacks on Critical infrastructure, SCADA Systems and Wireless networks
  10. Attacks on Applications such as E Governance, E Commerce etc.

To facilitate such reporting CERT-In was to maintain an Incident Response Help Desk on 24 hour basis on all days including holidays.

The system incident reporting form can be downloaded from here. 

Incidents may be reported by the victims. But for Service providers, Data Centers and Body Corporates, reporting of Cyber Incidents as per the list provided under this rule is “Mandatory”. Reporting should be done within a “reasonable period”.

If one peruses the reporting format, it is clear that it is drafted with a trained CISO in mind. Small companies and ordinary individuals may be capable neither of identifying “Cyber Incidents” nor of reporting them properly in the form indicated.

The report may be sent to the helpdesk whose contact details are given below.

E-Mail: incident@cert-in.org.in

Ph: +91 1800 11 4949

Fax: +91 1800 11 6969

Now that CERT-In has issued a public advertisement, it is essential for them to exempt “Individuals” and “Non Corporate entities” as well as “Corporate entities with a turnover less than a reasonable amount” from this mandatory reporting system.

Though this rule has been in existence since 2014 and CERT-In has the quasi judicial powers to start prosecution proceedings leading to imprisonment of up to 1 year for non submission of information, neither CERT-In nor the public had taken this rule seriously. They therefore were mostly non-compliant.

However, now there may be an increased attention of the industry on correcting the situation….thanks to de-monetization and consequent promotion of digital payments followed by a realization of the increased risks…

Naavi


Election Commission can draw lessons from Privacy Protection Principles for resolving black money issue

The Indian Election Commission has been suggesting that the Government should initiate measures to ensure that funding of election parties is properly accounted so that black money transactions are reduced. The present Government of Mr Modi has also shown a greater resolve than earlier Governments to tackle the issue of election funding. It is therefore time to find a proper solution to ensure that black money does not get generated in the election process.

For this issue there are two requirements that the EC and Government should address. First, the artificial restriction on election expenses can be removed. Let political parties spend money as long as they account for it. Unaccounted cash expenses can be reduced to some negligible amount less than the current expenditure limits as a drive towards cashless election spending. At the same time the spending limits through digital payments, which can be traced and accounted, can be completely removed.

Having provided the freedom to spend, the resistance of political parties to account for the donations received can be reduced. Then the Government can reduce the unaccounted cash donations to some ridiculously low level of say Rs 100/-. Anything above Rs 100 has to be through the digital payment system so that it is accounted. No more should an option be created for donations in cash up to Rs 20000/-.

However, the excuse for anonymous donations based on possible retribution by political opponents still remains to be tackled. Here we can adopt the time tested principles of “Privacy Protection” through de-identification of information for which ready tools are already available.

The essence of this election funding system is a “De-identification Portal for Election Funding” which runs like the “Anonymizer” as both a mobile App as well as a desktop tool. Any person who wants to contribute will open the app and will be allocated a transaction ID. The server issuing the transaction ID does not know the amount of the contribution but only maintains a mapping of the transaction ID to the Aadhaar ID of the contributor or his fingerprint for Aadhaar invocation. The app will then connect to the payment gateway and complete the payment against the transaction ID. The Transaction ID server and the Payment gateway will both report the transaction to the tax authorities, which alone will have the real identity of the contributor and the contribution. This is of course inevitable if we want to eliminate black money.

The de-identification transaction server can be maintained by the Election Commission or the IT authorities. Private agencies may also be allowed to maintain such servers on a distributed service model so that the transaction IDs are handled randomly by different servers defusing the identification possibilities. There are more robust anonymization strategies through “Multi-split ID Management for anonymization” which Naavi has discussed earlier, to completely eliminate any private agency coming to know the real identity of the contributor so that there is no reason to fear any retribution.
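The split of knowledge described above can be sketched as follows; this is an added example, not code from the original post or from any deployed system. The class names, the `reconcile` function, the placeholder contributor labels, and the assumption that the gateway's record holds only the transaction ID, recipient party and amount are all hypothetical.

```python
import secrets


class IdServer:
    """Maps transaction IDs to contributor identity; never sees amounts."""

    def __init__(self, name):
        self.name = name
        self._map = {}  # txid -> contributor identity (e.g. an Aadhaar reference)

    def allocate(self, contributor_id):
        txid = f"{self.name}-{secrets.token_hex(8)}"
        self._map[txid] = contributor_id
        return txid

    def report(self):
        """Report sent to the tax authority only."""
        return [{"txid": t, "contributor": c} for t, c in self._map.items()]


class PaymentGateway:
    """Settles payments against a transaction ID; holds no identity (assumption)."""

    def __init__(self):
        self._payments = []

    def pay(self, txid, party, amount):
        self._payments.append({"txid": txid, "party": party, "amount": amount})

    def party_statement(self, party):
        """What the recipient party sees: transaction ID and amount only."""
        return [(p["txid"], p["amount"]) for p in self._payments if p["party"] == party]

    def report(self):
        """Report sent to the tax authority only."""
        return list(self._payments)


def reconcile(id_reports, payment_reports):
    """Tax-authority join on txid; flags payments that cannot be attributed."""
    identity = {r["txid"]: r["contributor"] for r in id_reports}
    seen, matched, flagged = set(), [], []
    for p in payment_reports:
        txid = p["txid"]
        if txid not in identity:
            flagged.append((txid, "no identity mapping"))
        elif txid in seen:
            flagged.append((txid, "transaction ID reused"))
        else:
            seen.add(txid)
            matched.append({**p, "contributor": identity[txid]})
    unpaid = sorted(set(identity) - seen)  # IDs allocated but never paid against
    return matched, flagged, unpaid


def demo_portal():
    # Constructed data: two ID servers picked at random per contribution.
    servers = [IdServer("ec"), IdServer("it")]
    gateway = PaymentGateway()
    t1 = secrets.choice(servers).allocate("contributor-A")
    t2 = secrets.choice(servers).allocate("contributor-B")
    t3 = secrets.choice(servers).allocate("contributor-C")  # allocated, never paid
    gateway.pay(t1, "party-X", 500)
    gateway.pay(t2, "party-X", 12000)
    gateway.pay(t2, "party-Y", 300)             # same ID presented twice
    gateway.pay("zz-unknown", "party-Y", 900)   # ID that no server issued
    id_reports = [r for s in servers for r in s.report()]
    matched, flagged, unpaid = reconcile(id_reports, gateway.report())
    return gateway.party_statement("party-X"), matched, flagged, unpaid, t3
```

Only `reconcile` ever holds identity and amount together, and it is also the one place where an unattributable or reused transaction ID becomes visible.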

If therefore there is a political will to eliminate black money in election process without the obnoxious suggestions such as “Public Funding” etc, here is a solution. Let the Election Commission and Mr Modi both consider this and adopt if they have the resolve.

Naavi


Cyber Appellate Tribunal to re-emerge as TDSAT

Five years after the Cyber Appellate Tribunal (CyAT) became dysfunctional because the earlier Chairperson retired, it is now reported that the Government may merge CyAT with TDSAT (Telecom Disputes Settlement and Appellate Tribunal). (View Report here)

According to the Government they are looking at rationalizing the tribunals and this move is in keeping with that principle.

The move is at first glance to be welcomed from the point of view of reviving the dead CyAT. However, the TDSAT has so far been involved in high profile multi crore cases whereas the CyAT normally handles small ticket cases in comparison. The difference in the culture of the two organizations needs to be taken note of before such a move is attempted.

Also, since CyAT is part of the ITA 2000, there will be a major amendment that would be required at ITA 2000 level and the merger cannot be a simple administrative note.

It appears that, unable to find a Chairperson and irked by the CAG report questioning the idle expenditure, the Government has given an off-the-cuff answer without considering the pros and cons and, more particularly, how it may affect the interest of the cyber crime victims.

The TDSAT does not appear to be the forum which cyber crime victims will be comfortable with. From the Adjudicator to the TDSAT it would be a jump similar to going from a district court to supreme court. Victims would find the expense and procedures of TDSAT overwhelming.

I would urge the Government to drop the idea.

We may wait and see how the things develop.

Naavi
