#Award Wapsi Intellectuals should take note of this report on Internet Freedom in India

P.S: This is not a post on Cyber Law and I apologize for the diversion. But I as a citizen of India have my views on some of the recent developments and want to use this platform to record the same. You may ignore it if you do not like it. This is prompted by the returning of the awards by many prominent persons, which trend has now percolated into the community of scientists. Just as Scientists are also humans and as citizens of India have the right to express their views, I also have my right to express my views and criticize these persons for their action. I am exercising this option.

I was today pleasantly surprised with a report in dnaindia.com where it was stated that an international organization by name “Freedom House”, in its report, stated that Internet Freedom in India has improved under the Modi led Government in India. I am not aware of this organization and its credibility but since the view goes with my own view of the Governments in India since my student days when we saw the pre-Emergency days and followed up with the Emergency days and thereafter to Sonia Gandhi’s proxy rule, I tend to agree with the report and take this opportunity to add some thoughts on the other burning issue in our media now, namely the #Awardwapsi craze.

If we go by the media reports and the noise made by political leaders from the opposition, it appears that India is going through a great time of suppression of freedom and intolerance all because NDA has a majority of 282 Loksabha seats. After the FTII students and Sahitya Akademi winners it is now the turn of the scientist community led by Mr P M Bhargava to return their awards expressing their “Concern” for the “Intolerance” that is prevalent in the society.

The media is holding out as if this is a reflection on the functioning of the Modi Government which on the other hand is going great guns with its African Summit and Easing of Business objectives.

The opposition that is being raised comes bang in association with the Bihar elections and one has to be naive not to see the effort to create a negative PR for the BJP.

In this entire exercise it is the intellectual credibility of these “Award Returnees” that has come into the public glare. They are reflecting their level of intolerance to a non-Congress Government being at the helm and their favourite parties in the opposition becoming irrelevant by the day for reasons of their own.

I suppose that this fervour for returning the awards may wane after the Bihar elections and even those who have announced returning of the awards may not actually return them. I therefore call upon the Government to set up a committee of auditors to follow up the media announcements made by these awardees and create a smooth system for their returning of their awards. They can be collected and put up in a museum. Along with the return of the medals, it is also necessary for these awardees to return the cash benefits they have received, which can be put in a fund.

After the disclosures of Netaji Files and other historical documents that were so far buried under a veil of secrecy, it is clear that what we were fed so far as Indian History was a doctored version and Congress must be blamed for its role in hiding the truth from the public. Some of these grey haired intellectuals who are showing intolerance were perhaps aware of this doctoring of Indian history and it makes me sad that they did not have any opposition for this fraud on the Indian society.

I am therefore not unhappy that these people are returning their awards and would like these returns to be meaningful and this event can be preserved as a part of the transformation that is happening in our society now. Hence the returned trophies deserve to be placed in a museum and the public should know who are and who are not with the current transformation from the dynastic rule of the Congress family to the Modi led BJP rule.

Naavi

Posted in Cyber Law

NJAC verdict to be Questioned.. Wish there is a National Referendum

The scrapping of NJAC Bill by Supreme Court and upholding the system of the Collegium has been debated with muted voice for the last few days in the legal circles.

After Congress announced its politically expedient decision not to back a new version of the Bill, the Government has no option but to stay silent on the issue.

However, no such compulsion is there on citizens of India and one such individual who is aggrieved by the decision on the NJAC Bill has filed a review petition as reported by TOI today. 

(A copy of the petition is available here)

Naavi.org welcomes this decision for a review since the decision of the bench in the NJAC issue is not without its own risk of Judicial overreach.

The tendency seen in the decision to read meanings into common English words which suit the occasion is a dangerous tendency since this creates a precedent that any word in law can be interpreted in any arbitrary manner. The common man will therefore never be able to understand the law as it is intended and will forever be at the mercy of the Supreme Court to interpret in any manner it likes.

The abuse of this power is nowhere more evident than in the case of the interpretations on the Constitution which has been amended so many times, including the basic structure involving “Equality Before Law”, that the frequently uttered words such as “Constitution is Supreme” sound hollow.

If the Supreme Court was so concerned about the basic structure of the Constitution, it would not have allowed earlier amendments including discrimination of people on the basis of caste, religion and gender. Today, a “so-called Forward Caste Hindu Male in India” is a third class citizen in law and both the vote bank politicians and the accommodating Judiciary are responsible for the status. Nobody, including the media which boasts itself of being the protector of public conscience, seems to be interested in protecting the rights of such Citizens. But when it comes to protecting the appointment of fellow judges, it is strange that the “Basic Structure” of the Constitution is remembered by all.

Naavi.org brought out the aspect of improper interpretation during the Shreya Singhal judgement in scrapping of Section 66A of ITA 2008 and argued that the judgement was incorrect, illogical and involved arbitrary interpretations not consistent with the language used in the law or in a dictionary. This is seen in greater measure during the striking down of the NJAC Bill where the words “In consultation with” are interpreted as if they mean “Under directions of”.

As in the Shreya Singhal case, there was every opportunity for the Judiciary to read down meanings without being excessively harsh on the legislature and striking down the proposed Act. The Court appeared to showcase its power and cause a “Chilling Effect” on the legislature to prove a point that the Judiciary is supreme. In the Section 66A case, there was no conflict of interest for the judges and it was only a discussion of whether the Judges understood the technology law as intended or not. But in the current case, there was a clear case of conflict since the Judges were taking a decision that affected their own position as judges.

This was a fit case for a national referendum which the Court could have ordered. Alternatively, Court could have taken a middle path of agreeing for the NJAC with a greater weightage for the judicial persons in the decision making process and a commitment of transparency and avoidance of corruption (financial or otherwise) in the appointment.

Instead, the Court took the decision to strike down a constitutional amendment bill knowing fully well that it would embarrass the current Government more than anybody else. In fact the decision has hurt the public confidence in the Judiciary more than upholding it.

We cannot ignore the fact that Supreme Court has faulted during and after “Emergency”, the cause of which was a different set of politicians who ironically are now again benefited politically by the current decision. It is as if Congress is having its cake and eating it too, thanks to the Judiciary.

When we strongly advocated a review of the Shreya Singhal Judgement, unfortunately there was no support from the legal community since they were perhaps not clear of the law themselves and wanted to avoid confrontation with the Judiciary. However, I am happy to note that in the NJAC case somebody has the courage to file a review petition.

I hope this leads to an improvement of the decision and proves one point that even a final judgement from the Supreme Court need not necessarily be correct. This will be a precedent that Supreme Court judgement also can be subjected to a review and roll back.

I wish the petitioners also request the Court to consider ordering a National Referendum on the issue before a final decision is taken and respect the will of the people. This will be a precedent of its own and NextGenIndia will benefit.

Naavi

Related Articles:

Review plea filed in SC on NJAC verdict

NJAC: The bad bill The poor pill

What did Justice RM Lodha did to clear CIC-verdict on judges’ appointment

Various articles

Petition copy


Data Breach Notification Should be mandated by Cyber Insurance Companies

Data Breach Notification Policy is a mandatory policy under certain regulations such as HIPAA/HITECH Act and is being increasingly used by different regulatory agencies.

The essence of the policy is that when a potential data breach is discovered in a Company, the data subjects whose interests are adversely affected would be informed. Sometimes it is required to be notified to the regulatory agency and also to the media or placed on the website.

Obviously the companies which suffer a data breach are not happy with such a regulation since it adversely affects their reputation and future business flow. Also it will prompt litigation even in cases which would normally not have escalated beyond a simple dissatisfaction. The Notification would therefore be like “Inviting Trouble”.

If there is a regulation that data breach notifications are mandatory, then there is no choice for the company. Cyber Insurers would look at it as a part of mandatory legal compliance.

When there is a regulation then probably the industry would have clarity on how to define a “Data Breach” for notification purposes and what procedure is to be followed. But when there is no regulation, the Companies would most probably try to avoid notification.

In India, where we do not have a Privacy law, the only reference to data breach notification is through the rules under Section 79 of ITA 2008 applicable to Intermediaries. Though there is a mandate under this rule, it is doubtful if it has been recognized and followed.

The Cyber Insurance Company is interested in the notification since it is a good practice and has some specific advantages.

One of the main advantages of the policy is that it instills a sense of discipline in a company for information security. Without the need to disclose the data breach, any company would be interested in brushing the problems under the carpet. If there is a policy then there will be a clear definition of how a breach can be recognized and what needs to be done if a breach is suspected.

The second most important advantage is that when smaller breaches get reported, the company would be hardening its security before anything big hits them. It works as a circuit breaker that defuses the risks instead of allowing risks to accumulate and explode.

For this reason, I advocate that Cyber Insurance Companies need to develop their own Data Breach Notification policies and impose them on the insurers even if there is no law to mandate it.

If a Company already has adopted a Data Breach Notification policy along with a Privacy Policy and Information Security policy, the insurability of the organization actually improves and it should have a positive influence on the insurance proposition.

A prudent Cyber Insurance Company would be interested in imposing not only a data breach notification policy but also a more comprehensive information security policy of its own to safeguard the interests of itself and the insured organization. Though some companies would prefer to adopt the ISO standards of Information security rather than suggesting anything of their own, it is preferable that the Cyber Insurance companies do suggest some minimum information security standards before considering a proposal. In such a case, the data breach notification policy is one that they should consider.

Naavi’s Cyber Law Compliance Center offers a model Data Breach Notification policy that tries to address the concerns of the regulators without unduly humiliating the company reporting the potential data breach incident. The model policy can be adopted by any user industry if necessary with other associated policies.

In due course it would be necessary for regulators to develop requirements of their own which can be incorporated in such policies. RBI, SEBI, IRDA and CERT IN are some of the regulators who should be considering mandating imposition of such policies in the larger interest of consumers whose interest they try to protect.

Naavi

Also posted on cyberinsurance.org.in


Model Data Breach Notification Policy from CLCC

Naavi’s Cyber Law Compliance Center (CLCC) has so far announced a program to build a Society of Cyber Law Compliant Netizens/Organizations in India which requires a code of conduct to be developed. We intend suggesting the code of conduct through a series of policy documents published through CLCC which can be adopted as a “Standard”. We have already released a “WhatsApp Group Administration Policy” which may be adopted by any WhatsApp group admin subject to a free registration of the group with the CLCC.

A question has been raised by one Admin if there is any way of getting a legally valid evidentiary confirmation for the users having adopted the policy. It has been suggested that at present the policy is notified by reference to the link to the document at the CLCC at the time a member joins the group.

However, it has been suggested that CLCC can act in conjunction with ceac.in to provide a “Certified E Mail Delivery Service” through which the notices can be served to the users. This may however be offered at a fee and details can be discussed when there is a specific enquiry.

In the meantime, CLCC has also worked on a Voluntary “Data Breach Notification Policy”. Such a policy is often mandated by regulators in many countries. In India there is no Privacy law for the time being and the reference to data breach notification as a policy is available in ITA 2000/8 but not very specific.

We however consider that such a policy is part of the recommended “Good Practice” for all entities which want to build trust with their customers before picking up their data for any service. We also feel that such a practice will instill a sense of discipline amongst the Information Security Professionals in an organization. It is also envisaged that having a data breach notification practice will create a short circuiting of liabilities before they accumulate and blow up on a later day, and hence it should be of interest to Cyber Insurance Companies to suggest it as a mandatory practice.

Since Data Breach Notification Policy will be only of commercial interest, we intend to make it available on request at this point of time. Requests may be sent by email to Naavi indicating the organization for which it is expected to be used.

Naavi


E Commerce industry should open their eyes to the new threat..

Bengaluru is hailed as the Silicon Capital of the country. A few years back there was an announcement made that Bengaluru would be made the Cyber Security Capital of the country. Startups still consider that this is the City to be in. Even an established Start Up promoter like Mr Vijay Shekhar Sharma of Paytm has indicated his interest in shifting his personal base to Bengaluru. We already have IT giants like Azim Premji, Nandan Nilekani and Mohan Das Pai with their own funding propositions for start ups.

These should be considered as opportunities to push growth of Start Up business which requires low infrastructure support and has high visibility. Unfortunately, the State Government does not seem to have a good understanding of the E-Business. Its past trophies such as the “First Cyber Crime Police Station in India”, E Governance initiatives such as “Bhoomi” and more recent achievements in the implementation of Aadhaar etc. are slowly gathering dust with either no achievements or, more alarmingly, some negative achievements.

One of the main areas of concern is the “Law and Order” in Cyber Space in India where the Government has failed miserably to put proper laws in place and is trying to do its best in creating hurdles which are discouraging the e-entrepreneurs.

Firstly, in January 2011, the then IT Secretary acting as the “Adjudicator” declared that the word “Person” used in Section 43 of ITA 2000/8 did not extend to corporate bodies. As a result any Corporate body was considered as not being capable of invoking Section 43 either for or against another corporate entity. As a result even Section 66 became purely a section meant for “individuals” and any cyber crime committed by a Company or against a Company was outside Section 43 and Section 66.

By an extension of this revised definition of the word “person”, which is against the definitions used in other laws including the General Clauses Act, most sections of ITA 2000/8 have been rendered impotent, forcing me to claim that Karnataka is now a “Cyber Criminal’s heaven”.

This issue remains unresolved since the appellate body, namely the Cyber Appellate Tribunal, has been dysfunctional for the last 4 years without a Chairperson having been appointed, and it is unlikely to be resolved until the NJAC stand off is amicably settled between the Government and the Judiciary.

More recently, the ignorance of the Government was also revealed in the passage of the Indian Registration Act 1908 amendment bill which has now gone to the President for assent which is considered ultra-vires ITA 2000/8. (Status of assent unknown at this point of time).

Now today’s Economic Times indicates that the Karnataka Government is expected to come out with a new rule called “On Demand Transport Technology Aggregator’s Rules, 2015”

This has raised or will raise a new controversy on the powers of the State to meddle with ITA 2000/8.

I wish the taxi companies such as Uber and Ola also watch this space since they have committed some mistakes in the past which have reduced their bargaining power as to the definition of the business of “Aggregations” over the electronic network. If this is not properly addressed now, there will be precedents created which will hurt the interest of several other businesses.

I recall my own opinion expressed earlier on these columns in which I considered that what Taxi For Sure or Ola or Uber were doing was a glorified call center business (Now called by the fancy name aggregators) and they have to be treated as such and not as “Taxi Companies” requiring Taxi licenses.

The Kolkata Police authorities appear to hold a similar view though Delhi and Karnataka Governments may not agree because they are looking at it only from the point of view of taxation and not otherwise.

The proposed rules from Karnataka (details not yet available with Naavi) may further complicate the issue with a Government backed notification which may consider Uber/Ola as “Technology Aggregators” but would like to pass a regulatory notification.

The issue is similar to the issue of regulation of Cyber Cafes where State Governments in the past passed laws that are in conflict with ITA 2000/8. Similar situations may arise in the case of these Taxi aggregators.

If these companies are “Technology Aggregators”, they may come directly under some provision of ITA 2000/8. Then the power to make the rules may be in conflict with Section 90 of ITA 2000/8 which states as under.

Section 90 (ITA 2000/8): Power of State Government to make rules

(1) The State Government may, by notification in the Official Gazette, make rules to carry out the provisions of this Act.

(2) In particular, and without prejudice to the generality of the foregoing power, such rules may provide for all or any of the following matters, namely –

(a) the electronic form in which filing, issue, grant receipt or payment shall be effected under sub-section (1) of section 6;

(b) for matters specified in sub-section (2) of section 6;

(3) Every rule made by the State Government under this section shall be laid, as soon as may be after it is made, before each House of the State Legislature where it consists of two Houses, or where such Legislature consists of one House, before that House.

Apart from the immediate concern on the way Uber or Ola may be regulated, the issue is of larger concern to the E Commerce industry in general.

For example, any legal precedent established and accepted in the case of aggregators of taxi services may directly affect the definition of an “Intermediary”. Technology based aggregations occur in cases such as Oyo rooms, Make My Trip, Flipkart, Paytm, 99acres.com and many many other services.

It is imprudent to consider each of the “aggregators” as carrying the same legal liability for the downstream domain business in which they operate.

For example,

If I am a real estate aggregator, am I liable as a real estate builder? If I am a hotel room aggregator, do I need a license to run a hotel business? If I aggregate airline tickets, do I need to have an airline ticketing license?

Such discussions will directly hurt the growth of E Commerce in India and the “Digital India” project.

In the reverse,

If I am already an established aggregator who is accepted by the Government, say as a supplier of food to railway passengers, can I claim to be part of the Indian Railways?

If I am an aggregator of banking services, can I claim I already have a deemed banking license?

If I am an aggregator of medical services, can I claim myself to be a recognized hospital? These are the issues which will come up for debate.

Such discussions will make the Government moves look absurd.

I therefore draw the attention of the Karnataka State Government and the Government of India to think twice before such legislations on E-Commerce are permitted under Section 90 of ITA 2000/8.

I call upon the industry to also respond immediately so that they will not be required to fight a “fait accompli” on a later date.

Naavi

Related Articles:

Govt frames rules for cab aggregators like Ola, Uber

New State policies could spoil the party for taxi aggregators like Ola and Uber

Why It is a mistake to think of Uber as a Technology Company (January 15, 2015)

Government Fails to understand Uber Business (Dec 11, 2014)

Uber failed in ITA 2008 Compliance (December 11, 2014)

 


“Society of Cyber Law Compliant Netizens” from Cyber Law Compliance Center

Cyber Law Compliance Center started by Naavi.org is a pilot project in pursuance of the fundamental objective of Naavi.org viz “Towards Building a Responsible Cyber Society”, in the immediate context of building a “Secure Digital India”.

“Securing” the digital space is a multi dimensional task which involves Technology, Cyber Law and Management of the Behavioural aspects of IT users. Of these three parameters, “Technical” aspects are being addressed by several technology specialists. Naavi.org will focus more on the Legal aspects of Information Security and would pursue the behavioural science aspects to a minor extent.

In actual application, Legal Aspects of Information Security manifest in the form of

a) Developing policies and procedures in the IT environment for the users to follow

b) Assisting the Government in the formulation of appropriate laws

c) Fighting for Better Cyber Laws from the Authorities

d) Fighting for Better implementation of Due Diligence requirements in the Corporate sector

e) Fighting against misapplication of law by law enforcement

f) Fighting against mis-interpretation of law by the Judiciary

g) Working for better Cyber Law Education at all levels

h) Working towards the wider acceptance of the concept of Cyber Insurance at all levels such as policy making levels in the Government, Service offerings at the Insurance Companies and the proper use of the services at the consumer levels

The past 17 years of work of Naavi since 1998 represent numerous activities towards achieving these objectives.

Continuing the activities of the past, it is felt that a greater emphasis is now required in spreading the message of Cyber Law Compliance and its benefits amongst the Corporate circles. While bigger companies have the resources to buy appropriate expert services and achieve a desired level of compliance, they still lack the appreciation of why they should work for better legal compliance in the IS environment.

Naavi has therefore proposed an intense “Cyber Law Awareness drive in Corporate Circles” starting from Bangalore. This will be one of the objectives of the Cyber Law Compliance Center as proposed by Naavi.org.

Additionally, the Cyber Law Compliance Center (CLCC) intends to offer additional Cyber Law Compliance Services in the form of sharing Policy Documents that can be used by Companies and Individuals as part of their due diligence requirements under law. This will be supplemented by consultancy services and support services as may be required.

While some of the services of the CLCC may be offered free, certain support services which will require time and efforts of Naavi may be offered at a price which, of course, will be reasonable.

Some of the support services include the services explained under different arms of naavi.org such as CEAC (Cyber Evidence Archival Center), Cyber-Notice Service, e-Ombudsman Service, Online arbitration service, Domain Name related services, Cyber Insurance related services etc. Readers can explore the menu links from which they can get more information on these services.

The model WhatsApp Admin policy document thrown open for adoption by the WhatsApp group admins is one such service which has now gone live. It is proposed that any person who would like to use the service may register himself by providing his name and Contact details besides some information on the group for which the policy is being adopted.

This process of registration is meant to build a community of Cyber Space users who voluntarily comply with Cyber Laws. We call them the “Society of Cyber Law Compliant Netizens”. Such Netizens can be individuals or organizations. The basic premise is that anybody who would be a member is interested in “Voluntary Cyber Law Compliance” as an ethical practice and would be taking whatever steps are possible within his domain of activity towards this goal.

Naavi has proposed such thoughts in the past in the context of Home Based Medical Transcription workers, though without much success. However, with each passing year, it appears that the age old suggestions of Naavi.org are becoming more and more relevant and the prospect of the thoughts being accepted is increasing.

I therefore place before the readers this thought of a “Society of Cyber Law Compliant Netizens” who are Cyber Law Compliant by a voluntary self-declaration. Suggestions on how this can be implemented in practice are welcome. Similarly, any suggestions for developing any of the services envisaged on a larger scale, with participation of other experts and even on a commercial platform if feasible, are welcome.

Naavi
