Digital Society Day Initiatives from Naavi

Today is the 15th anniversary of the Digital Society Day which marked the beginning of the legal recognition of electronic documents in India.

In order to mark the day, Naavi has been initiating new activities in different years basically to spread the awareness of Cyber Law in India.

This year, Naavi will rededicate his efforts towards better Cyber Law Awareness through the following two projects.

1. Cyber Law Compliance Center for Mobile Apps

2. Techno Legal Information Security Awareness workshops for Corporates in Bangalore

Both projects are initiated by Naavi, but their implementation depends on others joining the initiative.

My thoughts on the projects are explained below.

1. Cyber Law Compliance Center for Mobile Apps:

Technology practitioners have a general dislike for regulation. Most Indians believe that India developed into a significant IT power because of the lack of regulation. The fact that Internet itself is an example of growth without regulation is a vindication of this belief.

However, once Internet usage crossed into the business domain, regulation became a necessity to prevent the “jungle Raj” setting in. ITA 2000 was born because e-Business and e-Governance could not be conducted in an unregulated environment.

But the fight between Regulation and Freedom continues unresolved. One example of such a fight is between Privacy and Freedom of Expression, with social media users demanding “Freedom” even to misuse, while others are wary of reputation loss due to irresponsible defamatory posts.

Today is 17th October, the “Digital Society Day” first declared and celebrated by Naavi through specific activities geared towards better awareness of ITA 2000. It is now 15 years since ITA 2000 became effective with legal recognition of electronic documents, enabling contract formation online and introducing the concept of Cyber Crimes, vicarious liabilities on intermediaries etc. It is more than 6 years since ITA 2000 was amended and the concept of “Reasonable Security Practice” and other enhancements to mandated Information Security prescriptions became effective.

But the question remains: do we have adequate awareness of ITA 2000/8? Let’s forget the Police who make mistakes and the Judges who are not cyber savvy. Let us reflect on whether there is adequate knowledge of ITA 2000/8 at professional levels in Companies. My own impression is a firm No.

We have miles to go before we sleep ..with the comfort that “All is Well”.

I recently referred to Indian Financial System  being at the “Napster Moment” indicating the possibility that lack of Cyber Law Compliance may force businesses to shut down when business prospects may otherwise be booming.

The present situation as I see it is that a company doing business with the use of electronic documents is exposed to “Techno Legal Risks” which could be crippling at times. They may manifest as a “Cyber Attack” leading to reputation damage, data theft etc or as a “Regulatory Ban” leading to closure. In either case, there could be a risk of both civil liabilities to the company and also a criminal liability on the CEO, the Directors etc.

A prudent business manager should therefore ensure that this “Techno Legal Risk” is assessed well in time and addressed before it manifests into a liability.

The best time for a business owner to look at Techno Legal Risks is right at the beginning of the project, namely at the “Start Up” phase. This however is also the time when a company would be starved for funds and would like to focus only on essentials such as building the technology infrastructure. It is therefore natural for entrepreneurs to ignore any activity or expense which is not directly related to the functionality of the project and its early take off.

However, there are some Cyber Law issues which are better sorted out right at the beginning, in the “Feasibility Evaluation” stage of the project itself. Hence, along with the traditional four dimensions of project feasibility, namely Market feasibility, Technical feasibility, Financial feasibility and Managerial feasibility, a fifth factor, “Techno Legal Feasibility”, needs to be assessed so that the Start Up does not spend time, effort and money only to find, at the take off stage or soon after, an insurmountable legal hurdle.

Also, just as it is prudent to attend to security right at the software architectural level, the legal aspects of security should be attended to right when the business architecture is taking shape. Ignoring this at that stage and patching up the systems later would be less efficient and more expensive.

While this is the wise advice which security professionals always provide, entrepreneurs do not always appreciate it and go ahead with their own idea of “Business First, Compliance Later”. As long as our Police were ignorant and could be managed both by bullying them with technology terms and through other influential factors, it was possible for businesses to do what they wanted and manage the mistakes if they were found out later.

But the times are changing. Police are becoming more knowledgeable and can catch omissions and transgressions of law even under complicated concepts such as “Reasonable Security Practice” or “Due Diligence” and question the corporate officials why they should not be held liable.

The emerging Cyber Insurance industry will also demand “Proof of compliance” before and after a Cyber Insurance contract is written.

In view of these developments, it is not possible for businesses to ignore Cyber Law Compliance any longer.

With most businesses now moving onto the mobile platform and some companies preferring to offer services in the “Mobile Only”  mode, the need for Cyber Law Compliance for “Mobile Start Ups” has become a necessity.

Unlike other industry start ups, mobile start ups are normally a single-techie venture and often lack the benefit of an adequate managerial infrastructure to guide them on what is required for compliance with Cyber Laws.

Recognizing this emerging need, Naavi has started a new service aimed at making mobile business start ups Cyber Law Compliant.

The service is aimed at providing consultancy to companies to develop “Cyber Law Compliant Apps” for their business. Since an App is actually an enterprise level business management tool, it is a micro replica of an ERP system. It has several sub functionalities, and all the legal risks arising out of the use of the app for business cannot be covered by a one page privacy permission statement shown when the app is installed. Further, the app based business model is likely to keep changing rapidly as the business grows, and hence the legal risks need to be dynamically assessed and patches applied without much delay.

Some of the apps, like the payment bank apps such as Paytm or Pockets, are functionally as huge as an independent Bank itself. If these apps are to be made Cyber Law Compliant, it is like rendering a Banking institution cyber law compliant. It is a massive job which requires continuous attention. If the organization is big and the business is critical, there needs to be an in-house team attending to this.

“Naavi’s Cyber Law Compliance Center for Mobile Apps” will try to provide necessary support to start ups through its development phase to be Cyber Law Compliant from day one.

Companies which will be using Finance and Health care apps need this service immediately.

Before the market is flooded with non cyber law compliant apps, making it difficult to weed out non conforming apps, it is better for the mobile eco-system to adapt to being compliant so that the environment will be healthy from the beginning.

Naavi will try to carry this thought and put it into action and hopefully the companies will realize the need and make proper use of the services.

This will be the new project of Naavi initiated on this 15th anniversary of Digital Society of India. I invite other professionals who would like to be part of this initiative to contact me so that we can together help build a Cyber Law Compliant Mobile App eco system.

2. Techno Legal Information Security Awareness Workshops for Corporates in Bangalore

This is a simple program where on invitation Naavi would like to conduct half day workshops for companies both in the IT and non IT sector explaining the provisions of ITA 2008 and its impact on Information Security Management in the corporate environment.

The idea is to conduct 100 such workshops in the next one year (This was the rate of my awareness activities in the first five-six years after ITA 2000 came into being before tapering off) as part of the Secure Digital India initiative.

Obviously, this is the intention and a self imposed target. The first of such meetings should start next week. But it all depends on how the industry responds and whether there can be any sponsors for this program from commercially sound stake holders in the information security industry, including the Cyber Insurance industry, who are the likely beneficiaries of such large scale awareness programs.

Naavi

Posted in Cyber Law

Rs 197 crores lost by ONGC to a silly Cyber Fraud

Two years back we wrote the following posts:

RBI and ECGC should consider trade remittances to Hong Kong as Highly Risky : July 14, 2013

Syndicate Bank loses Rs 1.13 crores of customer’s money: November 26, 2013

Negligence of Export Promotion Councils, ECGC and Banks lead to Rs 2.35 crore fraud: November 27, 2013

In these articles, the attention of Companies as well as RBI and ECGC had been drawn to the e-mail identity hijacking fraud which had become a convenient tool of Cyber Fraud. I do not accept that these articles have escaped the notice of RBI and ECGC. They should not have escaped the notice of even large companies which have professionals working as legal advisors, information security professionals, compliance professionals etc besides the finance professionals. Some of these companies might have kept “Fraud Mitigation Advisors” on retainership who are supposed to audit the business process and advise the companies on reduction of fraud losses.

But it appears that ONGC has suffered a loss of Rs 197 crores to a simple impersonation fraud as this report indicates.

See report here

In Information Security, we often talk of the importance of “Awareness Building”. The above articles did try to build such awareness. But unfortunately, it has proved once again that “Awareness Building” is only the first little step and as long as there are irresponsible and uninterested people around, frauds will continue to happen.

What irks people like us is that the fraud that has happened in ONGC did not involve any sophisticated trojans or viruses, nor a cyber army or cyber terrorist attacks. It could have been done by an ordinary fraudster who was aware of the business processes used by the Company. That’s why I called it a silly fraud. If we cannot defend against such simple frauds, we do not have the right to talk about Stuxnet or Zeus or other more sophisticated attack vectors.

The modus operandi of the fraud was as follows:

A domain name, ognc.co.in, was registered, probably through our own Indian ISP Net4domains.com, as recently as 19th September 2015, as indicated by the following Whois information:

Domain ID:D9853385-AFIN
Domain Name:OGNC.CO.IN
Created On:19-Sep-2015 02:36:10 UTC
Expiration Date:19-Sep-2016 02:36:10 UTC
Sponsoring Registrar:Net4India (R7-AFIN)
Status:TRANSFER PROHIBITED
Registrant ID:R15091904345215
Registrant Name:Robert Knowles
Registrant Organization:
Registrant Street1:116 Street NW
Registrant Street2:
Registrant Street3:
Registrant City:Edmonton
Registrant State/Province:AB
Registrant Postal Code:t6j6x5
Registrant Country:CA
Registrant Phone:+91.7804377824
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:aditi.morex@gmail.com
Admin ID:A15091904345215
Admin Name:Robert  Knowles
Admin Organization:
Admin Street1:116 Street NW
Admin Street2:
Admin Street3:
Admin City:Edmonton
Admin State/Province:AB
Admin Postal Code:t6j6x5
Admin Country:CA
Admin Phone:+91.7804377824
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:aditi.morex@gmail.com
Tech ID:T15091904345215
Tech Name:Robert Knowles
Tech Organization:
Tech Street1:116 Street NW
Tech Street2:
Tech Street3:
Tech City:Edmonton
Tech State/Province:AB
Tech Postal Code:t6j6x5
Tech Country:CA
Tech Phone:+91.7804377824
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:aditi.morex@gmail.com
Name Server:NS1.NET4INDIA.COM
Name Server:NS2.NET4INDIA.COM

E-mails were sent in the name of patel_dv@ognc.co.in to a customer, namely the Saudi-based Aramco, with whom perhaps an executive of ONGC had been in touch from the email address patel_dv@ongc.co.in, concerning an order to deliver 36000 metric tons of naphtha.

On September 7, ONGC dispatched the order, worth Rs 100.15 crore, from Hazira port in Surat. According to the police, the company usually transferred payments to ONGC’s State Bank of India (SBI) account, but did not do so this time.

ONGC was to send a second batch of naphtha to Aramco on September 22. However, since they had not received the earlier payment, they enquired with the Saudi-based company. On being told that the delay was on account of public holidays and bank holidays, ONGC dispatched the second batch of naphtha, worth Rs 97 crore, on September 22. Again, ONGC e-mailed a scanned copy of the tax invoice with its SBI account number to the company.

An e-mail ONGC received on October 7 from Aramco stated that the money had been transferred to a new account. Obviously such a change of bank details had been sent to Aramco from the alternate email ID. As of now the identity of that Bank is not known.

It is clear that the fraudster started his action only after the first batch of the order had been delivered and the money was due from the other end.

It is possible for us to blame Aramco that it was their negligence in not identifying the change in e-mail and remitting the money to a new account. It is also possible to blame the Bank which could have been used for completing the fraud by opening the account of the fraudster.

It is possible that ONGC may ultimately recover its money and the loss may have to be borne by Aramco.

I wish that Dr Triveni Singh, the celebrated police officer of the UP cadre who only yesterday busted a huge employment racket in Noida, is made the special officer in charge of investigating this ONGC fraud.

But negligence should be recognized on the part of ONGC on account of not using digital signatures in communicating with its customers. Not identifying the presence of a confusingly similar domain name could also be an area of negligence (though the fraud occurred immediately after the registration, and perhaps it was too early for the registration to be noticed).
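The two signals the post identifies, a sender domain one transposition away from a trusted partner domain and a domain registered only days earlier, are mechanically checkable before anyone acts on a "remit to our new account" request. The following is an added example written for this page, not code from Naavi or from any of the companies named; the trusted-domain list, the sample address and the WHOIS fragment are constructed (the fragment is patterned on the record quoted above, keeping only the fields the check reads). It uses the optimal-string-alignment edit distance so that a transposition such as ognc/ongc scores 1, and treats a domain younger than a configurable number of days as a second reason to hold the payment.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed sample: partner domains an accounts-payable workflow trusts.
var trustedDomains = []string{"ongc.co.in", "aramco.com"}

// Constructed sample: sender of a change-of-bank-account instruction.
const sampleFrom = "patel_dv@ognc.co.in"

// Constructed WHOIS fragment (only the fields this check reads).
const sampleWhois = `Domain Name:OGNC.CO.IN
Created On:19-Sep-2015 02:36:10 UTC
Sponsoring Registrar:Net4India (R7-AFIN)`

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// osaDistance is the optimal-string-alignment edit distance: insertion,
// deletion, substitution and adjacent transposition each cost 1, so
// "ognc" versus "ongc" scores 1 rather than 2.
func osaDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	d := make([][]int, len(ra)+1)
	for i := range d {
		d[i] = make([]int, len(rb)+1)
		d[i][0] = i
	}
	for j := 0; j <= len(rb); j++ {
		d[0][j] = j
	}
	for i := 1; i <= len(ra); i++ {
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			d[i][j] = minInt(minInt(d[i-1][j]+1, d[i][j-1]+1), d[i-1][j-1]+cost)
			if i > 1 && j > 1 && ra[i-1] == rb[j-2] && ra[i-2] == rb[j-1] {
				d[i][j] = minInt(d[i][j], d[i-2][j-2]+1) // transposition
			}
		}
	}
	return d[len(ra)][len(rb)]
}

// SenderDomain extracts the lower-cased domain part of an e-mail address.
func SenderDomain(addr string) string {
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(strings.TrimSpace(addr[at+1:]))
}

// LookalikeOf returns the trusted domain that `domain` imitates, if any.
// An exact match is never flagged; distance 1 means one typo or
// transposition away from a partner domain.
func LookalikeOf(domain string, trusted []string) (string, bool) {
	domain = strings.ToLower(domain)
	for _, t := range trusted {
		if domain == strings.ToLower(t) {
			return "", false
		}
	}
	for _, t := range trusted {
		if osaDistance(domain, strings.ToLower(t)) == 1 {
			return t, true
		}
	}
	return "", false
}

// DomainAgeDays reads the "Created On:" field of a WHOIS record and returns
// the whole days between creation and asOf.
func DomainAgeDays(whois string, asOf time.Time) (int, error) {
	for _, line := range strings.Split(whois, "\n") {
		if !strings.HasPrefix(line, "Created On:") {
			continue
		}
		raw := strings.TrimSpace(strings.TrimPrefix(line, "Created On:"))
		created, err := time.Parse("02-Jan-2006 15:04:05 MST", raw)
		if err != nil {
			return 0, err
		}
		return int(asOf.Sub(created).Hours() / 24), nil
	}
	return 0, errors.New("whois record has no Created On field")
}

// Triage lists the reasons to hold a payment instruction from `from`.
func Triage(from string, trusted []string, whois string, asOf time.Time, maxAgeDays int) []string {
	var findings []string
	domain := SenderDomain(from)
	if target, ok := LookalikeOf(domain, trusted); ok {
		findings = append(findings, fmt.Sprintf("sender domain %q is one edit away from trusted domain %q", domain, target))
	}
	if age, err := DomainAgeDays(whois, asOf); err == nil && age < maxAgeDays {
		findings = append(findings, fmt.Sprintf("sender domain was registered only %d days ago", age))
	}
	return findings
}

func main() {
	asOf := time.Date(2015, time.October, 7, 12, 0, 0, 0, time.UTC)
	for _, f := range Triage(sampleFrom, trustedDomains, sampleWhois, asOf, 90) {
		fmt.Println("HOLD PAYMENT:", f)
	}
}
```

Run against the constructed sample, Triage returns two findings: the sender domain is one edit from ongc.co.in, and it was 18 days old on 7 October. Either finding on its own should be enough to route a change of bank details to an out-of-band confirmation over a channel that was established before the request arrived.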

Net4Domains will also share a good part of the blame since it has unwittingly become a tool of this crime. I will not be surprised if Aramco files a case against this company and it will be tough for them to defend.

In summary, we can again highlight that “Cyber Law Compliance” in business is being ignored by large companies and it is resulting in such frauds. The sooner they realize the need to have the right kind of advisors who understand Cyber Laws and how they impact the business in a variety of ways, the better it is for the company.

We may also highlight here that ONGC is a listed company and its CEO and CFO are signatories to the Clause 49 declaration under the listing requirements. How they gave such a declaration without adequate security in their communications is a point which the shareholders of the company need to raise at the next AGM.

Shareholders need to also watch out for the remedial steps that ONGC needs to take after the incident including whether they have Cyber Insurance and question the directors.

At the same time, I would also like to draw the attention of the Controller of Certifying Authorities (CCA) to the fact that while people like us are placing faith in the digital signature system, since that is part of ITA 2008, CCA itself is diluting the legal validity of the digital signature system, as I have explained in greater detail in an earlier article on esign. This is a great disservice CCA is doing to ITA 2000/8 loyalists like the undersigned, and CCA should call a meeting of experts to discuss how it can resolve the esign issue and other issues that dilute the legal validity of digital signatures and their non repudiable nature.

Naavi

Posted in Cyber Law

Cyber Appellate Tribunal may become active once again

Visitors to this site are aware of the several approaches the undersigned has made regarding the delayed appointment of the Chairperson of the Cyber Appellate Tribunal (CAT).

The CAT, which is the body that adjudges appeals against the decisions of Adjudicators in each State and Union Territory of India, has been without a Chairperson since June 2011.

Today, I am in receipt of a communication from the Ministry of Communications and IT that the Chairperson has been identified and was recommended to the CJI for confirmation on 29th September 2015.

We hope that soon the CJI’s approval will be received and the Cyber Judicial system becomes active once again.

Naavi


Posted in Cyber Law

Is it a WhatsApp Moment or Napster Moment for Indian Financial System?

I refer to the earlier post on “WhatsApp moment in Indian Financial Services”, which discussed the views of Mr Nandan Nilekani on how the financial services market in India is transforming.

One of the changes that the new mobile payment systems such as Paytm have brought is that a user gets onto the system merely by downloading the app and identifying himself with his mobile number. In a way, the mobile service provider completes the KYC process which identifies the customer. If the KYC verification system of the Mobile Service Providers (MSP) is deficient, the deficiency will reflect as a security vulnerability in the financial system. There have been many instances where SIM cards have been issued to fraudsters on the strength of fake ID documents, and therefore there is a serious concern if the financial services system becomes dependent on the MSPs for its security.

Mr Nandan Nilekani has indicated two other means of ID verification that are likely to support the Indian Financial system in embracing mobile payment systems. One is e-KYC using Aadhaar and the other is use of the e-Sign system.

Aadhaar based e-KYC System

The e-KYC system means: submit the Aadhaar number to UIDAI and obtain a copy of that Aadhaar holder’s details. In practice most service providers do not make a query to the Aadhaar database using the biometrics of the person to be verified. They simply take a photocopy of the Aadhaar certificate and keep it along with the other documents.

This system deserves to be banned. If the Aadhaar based KYC is done on the basis of a real time verification of the biometrics against the Aadhaar database, then the system would be more reliable. However, the Aadhaar based KYC may still be subject to risks such as a man-in-the-middle (MIM) attack, and the confirmation received from the Aadhaar server lacks acceptable authentication.

e-Sign System

The e-Sign system is presently used in the DigiLocker system but in future could be used by others. This is a system where a user obtains a digital certificate for one time use at a cost much less than that of the normal digital certificate, valid for one year or more, which is used for other purposes.

DigiLocker is a system introduced by the Government of India where a user can open an account quoting his Aadhaar number. The account can be used to store documents and share them with other authorized agencies whenever required, with authentication in the form of e-Sign.

Since opening of the DigiLocker account is based only on quoting the Aadhaar number and confirmation through OTP, the system is dependent on the mobile service provider’s KYC process. (DigiLocker provides for biometric based authentication but it is not mandatory.)

Errors in the System

In order to verify the e-Sign process, I applied e-Sign to a document earlier uploaded to the store and then downloaded it. But the signature on the document stated “validity unknown”. When I explored the signature properties, it stated that “The signer’s identity is unknown because it has expired or is not yet validated”. The certificate itself showed a validity of 30 minutes and was issued by e-Mudhra. However, revocation was not checked and showed up as an error. In other words, the e-Sign on the document was not in a status to be relied upon.

Since this is an issue with the DigiLocker system, if a similar error is observed by a service provider relying on an e-Signed document submitted to him, he is likely to ignore the error.

We can, however, justify the errors as teething problems in a system under implementation (or because the system is only on a test bed at present). But there is a deeper problem with the legal validity of the e-Sign system itself, and if the Indian Financial Services system has to rely upon the DigiLocker system as Mr Nandan Nilekani expects, a lot of ground is yet to be covered.
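The “validity unknown” result above is worth understanding mechanically, because it follows directly from the design the notification describes: the subscriber key pair is generated on the CA side and certified for only 30 minutes, so a relying party who checks the certificate against the clock at the time of viewing, rather than at the time of signing, sees an expired certificate even when the signature itself is good. The following is an added example written for this page, not code from DigiLocker, e-Mudhra or the CCA, and it does not reproduce the real e-Sign protocol; it is a simplified model in which a hypothetical root CA issues a 30-minute certificate, a document’s SHA-256 digest is signed with the one-time key, and the same signed document is verified at signing time, one hour later, and after tampering.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedDocument is what a relying party receives: the content, the
// signature over its SHA-256 digest, the one-time certificate and the
// time the signature was applied.
type SignedDocument struct {
	Content   []byte
	Signature []byte
	CertDER   []byte
	SignedAt  time.Time
}

// newCA builds a self-signed root standing in for a licensed CA (hypothetical).
func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (hypothetical)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueOneTimeCert models CA-side key generation: the subscriber key pair is
// created by the CA (on an HSM in the real system) and certified for `ttl`.
func IssueOneTimeCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject string, notBefore time.Time, ttl time.Duration) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return der, key, err
}

// Sign hashes the content and signs the digest with the one-time key.
func Sign(content []byte, key *ecdsa.PrivateKey, certDER []byte, at time.Time) (SignedDocument, error) {
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return SignedDocument{Content: content, Signature: sig, CertDER: certDER, SignedAt: at}, err
}

// Verify chains the one-time certificate to the root as of `at`, then checks
// the signature. Using the viewing time instead of the signing time for `at`
// is what turns a good signature into "expired" / "validity unknown".
func Verify(doc SignedDocument, root *x509.Certificate, at time.Time) error {
	cert, err := x509.ParseCertificate(doc.CertDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(doc.Content)
	if !ecdsa.VerifyASN1(pub, digest[:], doc.Signature) {
		return errors.New("signature does not match document")
	}
	return nil
}

// IsExpired reports whether a Verify error is an out-of-validity-window failure.
func IsExpired(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// Scenario returns the verification outcomes at signing time, one hour later
// (clock taken naively from "now"), and for a tampered copy of the document.
func Scenario() (atSigning, anHourLater, tampered error) {
	t0 := time.Date(2015, time.October, 5, 10, 0, 0, 0, time.UTC) // constructed
	ca, caKey, err := newCA(t0)
	if err != nil {
		return err, err, err
	}
	certDER, key, err := IssueOneTimeCert(ca, caKey, "Aadhaar holder (hypothetical)", t0, 30*time.Minute)
	if err != nil {
		return err, err, err
	}
	doc, err := Sign([]byte("constructed sample document"), key, certDER, t0.Add(5*time.Minute))
	if err != nil {
		return err, err, err
	}
	atSigning = Verify(doc, ca, doc.SignedAt)
	anHourLater = Verify(doc, ca, t0.Add(time.Hour))
	forged := doc
	forged.Content = []byte("constructed sample document, altered")
	tampered = Verify(forged, ca, doc.SignedAt)
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Println("at signing time:", a)
	fmt.Println("one hour later :", b, "| expired?", IsExpired(b))
	fmt.Println("tampered       :", c)
}
```

The point for a relying party is that SignedAt in this model is asserted by the signer and is not itself trustworthy; a short-lived certificate is only reliable long after the fact if the signing time is fixed by something the verifier trusts (a timestamp token or a validation record kept by the CA), and revocation status has to be available for that same instant. Neither is provided by the certificate alone, which is why a viewer that checks against the current clock reports the signer’s identity as unknown.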

Legal Validity of e-Sign System

The validity of the e-Sign system is supported by the notification dated 28th January 2015, which added a new item to Schedule 2 of ITA 2008. This notification should be read together with the guidelines issued by CCA in June 2015 on the e-Sign process.

I have made an attempt here to decipher these two documents and understand the legal implications. It is possible that the intention of the Government might have been different and might not have been properly worded in these documents. We may therefore be coming to an incorrect evaluation. But it is necessary for us to debate this issue, since the e-Sign process is likely to become the backbone of Digital India in due course and it needs to be on a legally sound footing.

We therefore look forward to receiving clarifications from the relevant authorities to ensure that the public has a correct understanding of the legal position of e-Sign as a valid authentication of digital documents under Section 3A of ITA 2008.

Notification of 28th January 2015:

The notification of 28th January 2015 under ITA 2008 states as follows.

Quote:

e-authentication technique using Aadhaar e-KYC service

Authentication of an electronic record by e-authentication Technique which shall be done by-

(a) the applicable use of e-authentication, hash, and asymmetric crypto system techniques, leading to issuance of Digital Signature Certificate by Certifying Authority

(b) a trusted third party service by subscriber’s key pair-generation, storing of key pairs on hardware security module and creation of digital signature provided that the trusted third party shall be offered by the certifying authority. The trusted third party shall send application form and certificate signing request to the Certifying Authority for issuing a Digital Signature Certificate to the subscriber.

(c) Issuance of Digital Signature Certificate by Certifying Authority shall be based on e-authentication, particulars specified in Form C of Schedule IV of the Information Technology (Certifying Authorities) Rules, 2000, digitally signed verified information from Aadhaar e-KYC services and electronic consent of Digital Signature Certificate applicant.

(d) The manner and requirements for e-authentication shall be as issued by the Controller from time to time.

(e) The security procedure for creating the subscriber’s key pair shall be in accordance with the e-authentication guidelines issued by the Controller.

(f) The standards referred to in rule 6 of the Information Technology (Certifying Authorities) Rules, 2000 shall be complied with, in so far as they relate to the certification function of public key of Digital Signature Certificate applicant.

(g) The manner in which information is authenticated by means of digital signature shall comply with the standards specified in rule 6 of the Information Technology (Certifying Authorities) Rules, 2000 in so far as they relate to the creation, storage and transmission of Digital Signature Certificate.”

Unquote:

The key points noted in this notification are:

1) e-authentication, hash and asymmetric crypto systems are three elements to be used.

2) Key pair to be stored on a hardware security module

3) Trusted third party shall be offered by the Certifying Authority which shall send the application form and certificate signing request to the Certifying authority

4) Issue of digital certificate shall be based on e-authentication

5) Form C information to be digitally verified from Aadhaar e-KYC service

6) Electronic consent of the Digital Signature Certificate to be obtained from the applicant

7) e-authentication guidelines to be issued by the CCA

Validating Aadhaar through ITA 2008

The first thing we observe in this notification is that the notification issued as a part of statutory law and added as a schedule to the ITA 2000/8 relies on Aadhaar e-KYC service. While the Supreme Court is yet to validate the legality of the UIDAI itself, the Government has already validated the Aadhaar e-KYC service for issue of Digital Certificate by a licensed Certifying Authority.

Use of HSM

The second key factor in this notification is a reference to a system of generation of the Key Pair on a HSM maintained by the Certifying Authority and not under the control of the digital certificate holder.

Both the above aspects need to be discussed in detail to assess the legal validity of the e-sign system.

Other observations

[Image: digi_locker_cert1 (copy of the DigiLocker e-Sign certificate)]

The notification envisages that there would be a trusted third party who would be “offered” by the Certifying Authority but would be a different entity which would send the application form and certificate signing request to the Certifying Authority. The word “offered” may actually mean “appointed” or “sub licensed”, but there is a clear indication that the trusted third party mentioned here has to be an entity different from the Certifying Authority. In other words, a “Registration Authority” has to be licensed as a “Trusted Third Party” to operate the system, including the HSM.

In the e-Sign system in DigiLocker, there is no party other than the Certifying Authority, apart from DeitY, which could be considered as owning the system. Since the notification itself was issued by DeitY, it can be presumed that DeitY cannot be the trusted third party envisaged in this notification. From the copy of the digital certificate shown here, it appears that the digital certificate is issued by the Certifying Authority itself as a “Sub CA”. This does not seem to be in tune with the intention of the notification.

Circumstances indicate that DigiLocker itself operates as the agency that submits the application form to the Certifying Authority and is therefore the “Registration Agency”.

DeitY, which is part of the Government that appointed the CCA, and which has a division, NIC, that is itself a licensed Certifying Authority, acting as a Registrar for e-Mudhra appears to be a strange public-private partnership.

Verification of Information in Application Form

The information in the digital certificate application needs to be verified from the Aadhaar e-KYC service. We may note that we are talking of an application form to be submitted before the e-Signing certificate is issued to the Aadhaar holder. Also, the notification indicates that the information has to be “digitally verified”. It does not say “information should be authenticated”. In other words, the notification suggests that the application form need not be “Digitally Authenticated” either by the applicant or by the Registrar such as DigiLocker. In practice, the application form may get filled up directly from the Aadhaar information already available with DigiLocker. It is not completed by the applicant and verified by any trusted third party. This again appears to be a violation of the intention of the notification.

Electronic Consent for Digital Certificate

The notification also envisages that the Certificate should be “Consented” to by the applicant. This is equivalent to “acceptance” and “Publishing” of digital certificate as referred to under “Duties of the Subscriber” in ITA 2008.

However, the e-signing process in the Digi Locker does not (presently) go through the process of obtaining the consent of the applicant either with or without digital signature.

Inherent Contradiction

Since both the application for a digital signature certificate and the consent for the digital certificate have to be “Digitally Signed” according to ITA 2008, the current process adopted by DigiLocker does not meet the requirements of law. These requirements cannot be met in future either (without amendment to ITA 2008), since they are requirements prior to the activation of the customer’s e-Signing powers and cannot be authenticated by e-Signing.

CCA Guidelines

The issue of digital certificates under the e-Sign system is mandated to use the “e-authentication” process, which is described more fully in the CCA document on e-authentication. There is no indication that existing digital certificates of a subscriber (if any) can be used for the e-Sign process, and the existing process is not enabled for the use of digital certificates already issued. The e-authentication process is therefore mandated on all users of DigiLocker.

The CCA’s document needs to be separately vetted in detail for security considerations by Information Security professionals, and I invite readers to submit their views for publication here. My own preliminary views on the guideline, more from the ITA 2008 perspective, are provided below.

Legal Validity of the CCA Guidelines

The CCA guideline identifies the trusted third party referred to in the notification as the eSign Service Provider or ESP. It also uses the term “Application Service Provider”. There is no clarity on whether the Application Service Provider (ASP) and the ESP are the same or different. We can presume that the ASP should be approved by the ESP through an approval process. There is a mention of an “agreement” (refer para 2.1) without specifying between whom. We presume it is the agreement between the ASP and the ESP. Additionally there is a mention of an AUA (Authentication User Agency) and e-KYC agent of UIDAI. The ESP will be the AUA and e-KYC agent of UIDAI. In the DigiLocker case, there needs to be clarity on whether DigiLocker (or DeitY) is the ASP, the ESP, or both.

The CCA guideline says (Para 2.2.1) that the mode of e-authentication should be in accordance with Aadhaar e-KYC Services.

It appears that the Aadhaar e-KYC services envisaged in this guideline are different from what is otherwise defined by UIDAI. According to UIDAI, a KYC query is one where the information submitted by a user for verification is queried against the UIDAI database (preferably using biometrics), and the information obtained is compared with what was submitted.

If the query is responded to based on OTP and not on a biometric request, the system will in turn be dependent on the KYC of the MSP. Banks have adopted the e-KYC system as detailed in the RBI Circular, which envisages downloading of e-Aadhaar and using it as a KYC document.

However, it appears that while making e-authentication subordinate to the Aadhaar e-KYC services, CCA presumed that e-authentication is something more than merely checking the information against the database.

According to para 2.2.2 of the guideline, Aadhaar e-KYC service should provide digitally signed information which is also fulfilled when an e-aadhaar copy is downloaded.

What is additionally required under the e-authentication is perhaps the issue of a “Response Code” which should be recorded on the e-signing certificate application and should be preserved for 6 months online and further 2 years offline.

The application form should be electronically generated and programmatically filled up and submitted to the ESP.

According to para 2.2.3, the application form should be “authenticated by Aadhaar e-KYC services”. The Aadhaar e-KYC service does not envisage digital signing of any content. It only provides confirmation of information available in the Aadhaar records of a person. So what the guideline means by “authenticated by Aadhaar e-KYC services” is difficult to understand.

Further, the consent of the subscriber for getting a digital signature certificate should be obtained electronically. Currently the process of e-signing a document uploaded on DigiLocker indicates that no consent is sought from the document holder for the digital certificate.

The digital certificate issued for e-Sign is issued with a validity of 30 minutes, but otherwise it is similar to the digital certificates that are issued for other purposes and are valid for 1 or 2 years. If a user has to apply an e-sign to a document, he has to first get the e-sign digital certificate. For this he has to first make an application to the ESP. It is obvious that any application made in the form of an electronic document needs to be authenticated by a digital/electronic signature. Hence, unless a person already has a digital certificate, he cannot make an application for an e-signature online. This is a fundamental flaw in the design of the e-sign system.

From the system as designed, it appears that the e-Sign digital signature application is submitted by the DigiLocker authorities and not by the applicant. The locus standi of the DigiLocker authorities to submit an application on behalf of the digital certificate applicant is questionable. The e-sign digital certificate would therefore be considered as “issued” without a valid application from the applicant and hence would not be in accordance with ITA 2008.

Why CCA gave permission to the system as presently suggested is intriguing, and we need more clarification from CCA on the logic by which they consider the system compliant with Indian law.

The legal validity of the HSM system

According to para 2.3 of the CCA guidance, the ESP should facilitate generation of key pairs on their Hardware Security Module, and the private key will be destroyed after one-time use.

So far under the Digital Signature system, the generation of the private key-public key pair was done solely under the control of the subscriber, and the Certifying Authority would not have access to the private key even at the time of key pair generation. It was for this reason that the digital signature was considered “Non Repudiable” in law.

In the e-sign system, the HSM is maintained under the control of the ESP. Hence it is impossible for the judiciary to consider that the private key was always under the control of the subscriber, and the non-repudiable nature of the e-sign is not sustainable in a Court of law.

e-Sign is therefore an inferior form of authentication and cannot be equated to a digital signature in terms of evidence in a Court of law. In a way, the introduction of such a system by the Government actually dilutes the credibility of the digital signature system in general, and Courts may decide to question the non-repudiable nature of the digital signature system in India.

The provision on destruction of the private key after every use is also a little suspect in law. Obviously it has been suggested as a security measure. However, the “Private Key” belongs to the subscriber, and the ESP has no right either to create it or to destroy it.

According to Section 43 of ITA 2008, it is the duty of the subscriber to exercise reasonable care to retain control of the private key and take all steps to prevent its disclosure. Also, if the private key has been compromised, the subscriber shall communicate the same without any delay to the Certifying Authority.

Further without the private key it is difficult to understand how the e-sign can be verified subsequently.
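To make the mechanics of the flow concrete, here is an added example modelling the process as para 2.3 is described above. It is my own illustration, not code from the CCA guideline, DigiLocker or any ESP: a key pair is generated on the ESP side, a certificate valid for 30 minutes is issued, one signature is produced over the document, and the private key material is then overwritten. The verification step is then run with nothing but the document, the signature and the certificate, which carries the public key. The document text, the subscriber name and the self-signed certificate (a real ESP certificate would be issued by a Certifying Authority) are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ESignRecord is what the relying party keeps after a one-time e-Sign:
// the signature, the short-lived certificate and the time of signing.
// The private key is deliberately not part of it.
type ESignRecord struct {
	Sig      []byte
	CertDER  []byte
	SignedAt time.Time
}

// eSignOnce models the flow described in the article: the key pair is generated
// on the ESP side, the certificate is valid for 30 minutes, exactly one signature
// is produced, and the private key material is then overwritten. The certificate
// is self-signed here for brevity (an assumption of this example); an ESP
// certificate would be issued by a Certifying Authority.
func eSignOnce(document []byte, subscriber string, now time.Time) (ESignRecord, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return ESignRecord{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // placeholder serial number
		Subject:      pkix.Name{CommonName: subscriber},
		NotBefore:    now,
		NotAfter:     now.Add(30 * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return ESignRecord{}, err
	}
	digest := sha256.Sum256(document)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return ESignRecord{}, err
	}
	// One-time use: overwrite the private scalar before returning.
	// Nothing outside this function ever holds a reference to priv.
	priv.D.SetInt64(0)
	return ESignRecord{Sig: sig, CertDER: certDER, SignedAt: now}, nil
}

// verifyESign needs only the document, the signature and the certificate: the
// public key inside the certificate checks the signature, and the certificate's
// validity window is checked against the recorded signing time.
func verifyESign(document []byte, rec ESignRecord) error {
	cert, err := x509.ParseCertificate(rec.CertDER)
	if err != nil {
		return err
	}
	if rec.SignedAt.Before(cert.NotBefore) || rec.SignedAt.After(cert.NotAfter) {
		return errors.New("signing time outside the certificate's 30-minute validity")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA public key")
	}
	digest := sha256.Sum256(document)
	if !ecdsa.VerifyASN1(pub, digest[:], rec.Sig) {
		return errors.New("signature does not match the document")
	}
	return nil
}

func main() {
	doc := []byte("constructed sample: application form contents")
	now := time.Now()
	rec, err := eSignOnce(doc, "Example Subscriber (placeholder)", now)
	if err != nil {
		panic(err)
	}
	fmt.Println("original document:", verifyESign(doc, rec))
	fmt.Println("altered document: ", verifyESign([]byte("altered"), rec))
	late := rec
	late.SignedAt = now.Add(31 * time.Minute)
	fmt.Println("after 30 minutes: ", verifyESign(doc, late))
}
```

Two things are visible from the run: the signature still checks out against the certificate after the key material is gone, and a signature dated outside the 30-minute window is rejected even though it is mathematically valid, so the relying party must record and preserve the signing time alongside the signature. The legal question of who controlled the key at the moment of signing is a separate matter from this verification step.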

The CCA guideline is therefore directly in conflict with ITA 2008 and has no legal validity.

In fact, the system as suggested may impose criminal liabilities under ITA 2008 on the innocent subscriber of e-sign merely because the private key compromise is not reported and the key not revoked. If any fraud occurs with the use of e-sign, the primary liability for the fraud would be on the ESP.

It is surprising that CCA should have overlooked this provision of law.

Security Requirements

The CCA guidance lists certain essential security requirements under para 2.7.

I request my friends from IS community to analyze and comment on the same.

I look forward to CCA providing the necessary clarifications or withdrawing the e-sign notification. CCA should also immediately revamp its advisers, who are giving them wrong advice contrary to ITA 2008.

Coming back to Mr Nandan Nilekani’s prediction that we are in a WhatsApp moment in financial services, I would rather say that we may be in a Napster moment, where the business may pick up fast only to be shot down because the foundation collapses due to legal considerations. Just as Napster collapsed because of copyright violations, systems built on e-Sign validation may collapse because Courts may hold it illegal sooner or later.

I wish Digital India managers would recognize that DeitY is making mistake after mistake, identify who is responsible for the series of mistakes and take corrective steps.

Epilogue

The concept of e-sign as a low-cost option to digital signatures, available on call, is good. But the way it is suggested to be implemented is incorrect and ultra vires ITA 2008.

I am not discussing here what an ITA 2008 compliant system meeting the requirements of e-Sign could look like, but if any Certifying Authority is interested in developing such a system, I would be willing to discuss its structuring.

Naavi

P.S.: The part of the article referring to the HSM stands corrected after the revised notification of 30th June 2015 deleting the use of the HSM.


What should be the policy on Crypto Coins in Digital India ?

One of the issues that the Government of India is now trying to address is the reduction of Black Money in the system.

E-Banking and Mobile Banking are expected to assist in reducing the use of cash in the economy, as record keeping becomes easier for the Government. In fact, it has become easier for the Income Tax department to keep tabs on transactions when they are done through e-banking. Extending the same logic, the use of “Crypto Currencies” which can replace physical currency should not be harmful to the economy as long as the regulator can keep a watch on their usage.

One issue that bothers the regulators about the Crypto Currency system is that it tries to create a mining environment where non-Government persons become owners of the currency. This concern needs to be addressed.

I would like regulators to consider this thought: “In what way is mining of Crypto Currency different from the manufacture of a commodity like, say, a new mobile phone?”

For example, I manufacture a mobile phone and sell it to those who want it. I make a profit and pay tax to the Government.

The buyer may use it or re-sell it at either a profit or a loss and account for it in his tax payment. For manufacturing, I may obtain some kind of license so that the Government knows what I am doing, how many mobile phones I am manufacturing, how much profit I am making, etc.

In a similar scenario, if there is a crypto currency mining system in which the Government (say RBI) knows who is mining, how much he is mining, what he is doing with his stocks, whether he is paying his taxes, etc., why should any Government or regulator object to such a system?

Whenever we think of Crypto Currency, we always think of Bitcoin. No doubt Bitcoin is important because it represents 95% of the market capital of Crypto Coins and is widely held, very popular, already recognized by a few, already banned by many Governments, etc. But there could be a world beyond Bitcoin.

Bitcoin has already penetrated deep into the crime syndicates, and it is difficult to retrieve it from its taint. But it is definitely possible for us to think of a new Crypto Currency designed to ensure that RBI retains control over its gross stock; if the public is encouraged to use it, we can reduce the printing and management of physical currency.

I am sure that there are pros and cons to introducing a new currency which is mined (or printed) by the public, where mining of such crypto coin itself becomes a “Vocation”. The Government can even consider legislating that all Crypto Coins are deemed to be owned by the Government though stocked by the miners.

Since the Government would know exactly how much currency is in the system and what is happening to it during transactions, it could exercise its monetary control directly. Presently RBI controls inflation in the economy by regulating liquidity, or money availability in the market, through banking regulations such as CRR and SLR.

If the Government wants to reduce Crypto Currency availability, it can use measures such as “Deposits out of every transaction”, so that only those who actually use Crypto Currency and disturb the liquidity are taxed for increasing liquidity when the economy wants it reduced. At the same time, if more liquidity is required, stocking may be penalized to discourage hoarding and transactions can be eased.

Today currency is printed by RBI and gets accumulated with the public, who “Earn” it through various services they render either to the Government or to others who have already earned it. Like the Bitcoin stock, this stock of currency already has a fair share of unaccounted and criminally gained wealth as well as fake currency. One way of reducing this is by “Demonetizing” certain currency denominations. This however creates needless inconvenience to genuine people who hold the demonetized currency.

Introducing an “RBI regulated Crypto Currency”, on the other hand, will start from a clean slate where every bit of the currency is accounted for right from its creation through its use and re-use.

The issue to be discussed, however, is whether a suitable system can be built which cannot be cheated in such a manner that currency is created without the knowledge of the regulator, an issue similar to that of fake currency printing. Secondly, whether the system is secure enough that it cannot be hacked and misused. Technology experts need to answer these questions, and also whether the peer-controlled approval mechanism can be good enough to guard against misuse.
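As an added illustration of the first of these questions (my own example, not anything the post or RBI proposes), here is a small ledger validator in which new units count only if the entry creating them carries the regulator's signature, while transfers must be signed by a holder registered with the regulator, arrive in sequence and be covered by the sender's balance. The holder names A, B and M, the amounts and the keys are constructed for the example; the peer-approval question is left aside, since the point shown is only that unauthorised creation is detectable when every unit traces back to a regulator-signed entry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Entry is one ledger record. Kind is "MINT" (new units, regulator only) or
// "TRANSFER". Seq is a per-signer counter so a captured entry cannot be replayed.
type Entry struct {
	Kind   string
	From   string // "" for MINT, sender's registered name for TRANSFER
	To     string
	Amount uint64
	Seq    uint64
	Sig    []byte
}

// entryDigest is what gets signed: every field except the signature itself.
func entryDigest(e Entry) [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%d|%d", e.Kind, e.From, e.To, e.Amount, e.Seq)))
}

func signEntry(priv *ecdsa.PrivateKey, e Entry) Entry {
	d := entryDigest(e)
	e.Sig, _ = ecdsa.SignASN1(rand.Reader, priv, d[:])
	return e
}

// Validate replays the ledger from an empty state and returns all balances. holders is the
// regulator's registry of known participants and their keys. A MINT is accepted only if the
// regulator signed it; a TRANSFER only if the sender signed it, in sequence, with enough balance.
func Validate(regulator *ecdsa.PublicKey, holders map[string]*ecdsa.PublicKey, ledger []Entry) (map[string]uint64, error) {
	bal, seq := map[string]uint64{}, map[string]uint64{}
	for i, e := range ledger {
		d := entryDigest(e)
		switch e.Kind {
		case "MINT":
			if !ecdsa.VerifyASN1(regulator, d[:], e.Sig) {
				return nil, fmt.Errorf("entry %d: MINT not authorized by the regulator", i)
			}
			if e.Seq != seq["regulator"] {
				return nil, fmt.Errorf("entry %d: MINT out of sequence", i)
			}
			seq["regulator"]++
			bal[e.To] += e.Amount
		case "TRANSFER":
			pub, ok := holders[e.From]
			if !ok || !ecdsa.VerifyASN1(pub, d[:], e.Sig) {
				return nil, fmt.Errorf("entry %d: TRANSFER not signed by registered holder %q", i, e.From)
			}
			if e.Seq != seq[e.From] {
				return nil, fmt.Errorf("entry %d: TRANSFER out of sequence (replay?)", i)
			}
			if bal[e.From] < e.Amount {
				return nil, fmt.Errorf("entry %d: insufficient balance", i)
			}
			seq[e.From]++
			bal[e.From] -= e.Amount
			bal[e.To] += e.Amount
		default:
			return nil, fmt.Errorf("entry %d: unknown kind %q", i, e.Kind)
		}
	}
	return bal, nil
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// RunScenario is a constructed sample: the regulator mints 100 units to A, A pays 40 to B, then
// miner M tries to create 1000 units with his own key, and A's payment is submitted a second time.
// It returns the honest balances and the validator's verdicts on the forged MINT and the replay.
func RunScenario() (balances map[string]uint64, forgedErr, replayErr error) {
	reg, a, b, m := mustKey(), mustKey(), mustKey(), mustKey()
	holders := map[string]*ecdsa.PublicKey{"A": &a.PublicKey, "B": &b.PublicKey, "M": &m.PublicKey}
	mint := signEntry(reg, Entry{Kind: "MINT", To: "A", Amount: 100, Seq: 0})
	pay := signEntry(a, Entry{Kind: "TRANSFER", From: "A", To: "B", Amount: 40, Seq: 0})
	honest := []Entry{mint, pay}
	balances, err := Validate(&reg.PublicKey, holders, honest)
	if err != nil {
		panic(err) // the honest ledger must validate
	}
	forged := signEntry(m, Entry{Kind: "MINT", To: "M", Amount: 1000, Seq: 1})
	_, forgedErr = Validate(&reg.PublicKey, holders, append(honest, forged))
	_, replayErr = Validate(&reg.PublicKey, holders, append(honest, pay))
	return balances, forgedErr, replayErr
}

func main() {
	bal, forged, replay := RunScenario()
	fmt.Println("balances:", bal, "| forged MINT:", forged, "| replayed TRANSFER:", replay)
}
```

The design choice worth noting is that the validator never trusts a balance it is told; it recomputes every balance from the regulator's own issuance entries, so a unit that did not start life in a regulator-signed MINT simply never enters anyone's balance. The sequence counter is what makes a captured, validly signed transfer useless a second time.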

I look forward to more debate on this issue.

naavi


Can Encryption be considered as a “Right of Self Defense” ?

Speaking on a programme on BBC, Edward Snowden, the well-known security specialist who brought to light US spying on the Internet across the globe, has highlighted the risk of smartphone hacking through a simple SMS message. He says that the UK intelligence agency has a suite of products identified as the “Smurf suite”, with different tools that can enable switching on a phone and listening in without the knowledge of the user.

Article in independent.co.uk

It is interesting to note that Mr Snowden has expressed the view that the iPhone has special software that can activate itself, without the owner having to press a button, and gather information, and hence he prefers not to use an iPhone.

The issues that Snowden has brought to light are, according to experts, a result of inherent technical issues in the mobile system and cannot be easily secured except by the use of proper encryption when the instrument is used. The “Laws on Encryption” therefore become important.

According to technologists, smartphones work on two sets of software, one being the “Baseband Computer”, which controls the radio communication, and the other the smartphone computer. The baseband computer follows the communication standards of the network, such as GSM, and is amenable to hacking. (See the technical explanation here).

While for many, snooping by Government agencies is not a real concern, the malicious code used for snooping could leak out of the security agencies or be developed separately in the underworld (if not already done), and hence could be misused by fraudsters. Herein lies the risk of using smartphones, particularly for critical financial uses such as banking.

The revelation throws up an important question on the right of people to use “Encryption”. Recently India tried to formulate an encryption policy which envisaged that text messages in unencrypted form should be stored by the user for at least 90 days and shared on demand with the security agencies. However, the revelations, which indicate a “Security Risk” in not encrypting, change the logic for the use of encryption. In fact it appears that a “right of self defense” of mobile users to secure their instrument and communications must be recognized.

Naavi
