“Society of Cyber Law Compliant Netizens” from Cyber Law Compliance Center

Cyber Law Compliance Center started by Naavi.org is a pilot project in pursuance of the fundamental objective of Naavi.org viz “Towards Building a Responsible Cyber Society”, in the immediate context of building a “Secure Digital India”.

“Securing” the digital space is a multi-dimensional task which involves Technology, Cyber Law and Management of the Behavioural aspects of IT users. Of these three parameters, the “Technical” aspects are being addressed by several technology specialists. Naavi.org will focus more on the Legal aspects of Information Security and would pursue the behavioural science aspects to a minor extent.

In actual application, the Legal Aspects of Information Security manifest in the form of:

a) Developing policies and procedures in the IT environment for the users to follow

b) Assisting the Government in the formulation of appropriate laws

c) Fighting for Better Cyber Laws from the Authorities

d) Fighting for Better implementation of Due Diligence requirements in the Corporate sector

e) Fighting against misapplication of law by law enforcement

f) Fighting against mis-interpretation of law by the Judiciary

g) Working for better Cyber Law Education at all levels

h) Working towards the wider acceptance of the concept of Cyber Insurance at all levels, such as policy making levels in the Government, service offerings at the Insurance Companies and the proper use of the services at the consumer level

The past 17 years of work of Naavi since 1998 represent numerous activities towards achieving these objectives.

Continuing the activities of the past, it is felt that a greater emphasis is now required in spreading the message of Cyber Law Compliance and its benefits amongst the Corporate circles. While bigger companies have the resources to buy appropriate expert services and achieve a desired level of compliance, they still lack the appreciation of why they should work for better legal compliance in the IS environment.

Naavi has therefore proposed an intense “Cyber Law Awareness drive in Corporate Circles” starting from Bangalore. This will be one of the objectives of the Cyber Law Compliance Center as proposed by Naavi.org.

Additionally, the Cyber Law Compliance Center (CLCC) intends to offer additional Cyber Law Compliance Services in the form of sharing Policy Documents that can be used by Companies and Individuals as part of their due diligence requirements under law. This will be supplemented by consultancy services and support services as may be required.

While some of the services of the CLCC may be offered free, certain support services which will require the time and effort of Naavi may be offered at a price, which of course will be reasonable.

Some of the support services include the services explained under different arms of naavi.org such as CEAC (Cyber Evidence Archival Center), Cyber-Notice Service, e-Ombudsman Service, Online arbitration service, Domain Name related services, Cyber Insurance related services etc. Readers can explore the menu links from which they can get more information on these services.

The model WhatsApp Admin policy document, thrown open for adoption by WhatsApp group admins, is one such service which has now gone live. It is proposed that any person who would like to use the service may register himself by providing his name and contact details, besides some information on the group for which the policy is being adopted.

This process of registration is meant to build a community of Cyber Space users who voluntarily comply with Cyber Laws. We call them the “Society of Cyber Law Compliant Netizens”. Such Netizens can be individuals or organizations. The basic premise is that anybody who would be a member is interested in “Voluntary Cyber Law Compliance” as an ethical practice and would be taking whatever steps are possible within his domain of activity towards this goal.

Naavi has proposed such thoughts in the past in the context of Home Based Medical Transcription workers, though without much success. However, with each passing year, it appears that the age old suggestions of Naavi.org are becoming more and more relevant and the prospect of the thoughts being accepted is increasing.

I therefore place before the readers this thought of a “Society of Cyber Law Compliant Netizens” who, by a voluntary self-declaration, undertake to be Cyber Law Compliant. Suggestions on how this can be implemented in practice are welcome. Similarly, suggestions for developing any of the services envisaged on a larger scale, with the participation of other experts and even on a commercial platform if feasible, are welcome.

Naavi

Posted in Cyber Law | Leave a comment

Model WhatsApp Administration Policy..to shield Admins from arrest

After the arrest of WhatsApp Group Admins by the Latur Police, it has become necessary for all Netizens who want to use WhatsApp, and more specifically to create groups and become Admins, to protect themselves from the possible prospect of arrest.

Though, if the Police are knowledgeable, they should not arrest any WhatsApp admin for the content posted by the members, one cannot trust the Police to apply the law properly.

We can also not trust the judiciary to understand the intricacies of WhatsApp usage.

Hence there is a distinct possibility of the Latur case being repeated.

Naavi, in his bid to assist in the development of a “Secure Digital India”, has therefore suggested a model policy to be adopted by WhatsApp administrators which should satisfy the Police and Judiciary that the Admin is exercising “Due Diligence”, and that unless the admin himself is directly liable for any offence, he need not be charged with an offence attributed to a message that passes through the system.

As a part of the service of the Cyber Law Compliance Center, we therefore launch a model policy which can be adopted by any WhatsApp administrator.

We suppose that adoption of the policy will significantly mitigate the risk of innocent group admins being held liable.

There is also a suggestion that Cyber Law Compliance Center may provide assistance in grievance redressal through its e-ombudsman, or arbitration.in service.

The service of offering an adopted use of the policy document is a pilot service launched for the benefit of the Netizen community in India and can be accessed through the CLCC page in the menu. The WhatsApp admin policy would be offered free for non-commercial purposes, but “Registration” and “Getting Permission” from Naavi is essential.

We suppose this will be one of the first steps towards making the Indian Information Security Framework (IISF-309) an open source document for the benefit of SMEs who want to be Cyber Law Compliant.

Please send your comments and suggestions.

Naavi


“Ignorance Creates New Law”.. After Section 66A it is now WhatsApp administrator’s liability

We are familiar with the words “Ignorance is no excuse in law”. But when law is in a state of constant evolution and re-interpretation, it is difficult not to question how “Ignorance” will be tested. Just as many other principles of law are being overturned, this adage also deserves a fresh look.

Normally this adage “Ignorance is no excuse” applies to “Ignorance of law”. “Ignorance of fact” cannot be put in the same light, as such “Ignorance of Fact” may be argued as similar to “Mistake of Fact”, which could be considered a “Valid defense”, particularly when it is supported by “Due Diligence” and “Good Faith”.

Even a “Mistake of Law” is considered capable of being held out as a valid defense under the following circumstances:

- When the law has not been published;
- When the defendant relied upon a law or statute that was later overturned or deemed unconstitutional;
- When the defendant relied upon a judicial decision that was later overruled; or
- When the defendant relied upon an interpretation by an applicable official.

However, some of the recent developments in India, particularly involving the interpretation of Cyber Law, indicate that mistakes committed by the lower end of law enforcement often result in new laws being created out of ignorance.

One such recent example is the discussion on the liability of a WhatsApp group administrator for the contents posted in the group by a user. This discussion followed the action of the Latur Police in Maharashtra, who arrested a WhatsApp group administrator for content that was posted in the group.

According to this report in Deccan Chronicle, a rumoured message was doing the rounds, which included the following text:

‘3,000 armed men are roaming in parts of Solapur district with the intention of kidnapping children.’

The Police have booked a case using Section 153 of the IPC (promoting enmity and ill will), Section 34 of the IPC and Section 67 of the IT Act, 2000.

To understand how “Ignorance creates new law”, we need to look back on the Shreya Singhal judgement of the Supreme Court on Section 66A of ITA 2000/8, delivered on 24th March 2015. (Refer to the many articles on this site about the judgement.)

In this case, the Supreme Court ruled that Section 66A of ITA 2000/8 was unconstitutional since it violated Article 19 of our Constitution, and went ahead to scrap the section. This famous (infamous?) case originated because the policemen in Palghar, Maharashtra arrested two ladies, one for posting a message on a Facebook page and the other for clicking on the “I like” button against that message. The Supreme Court in its wisdom held that the action of the Police was violative of the “Freedom of Expression” guaranteed by our constitution.

It must however be reiterated that while it was correct for the Supreme Court to defend the freedom of expression and the freedom to say what the objected Facebook post said, it was incorrect for the Supreme Court to hold that Section 66A of ITA 2008 was a law made to curb such freedom of expression, and hence the Court was wrong in scrapping the section.

However, if we turn the pages of the brief history of the Section as it appeared in the media and continues to appear in the media, it appears that the Supreme Court did a great thing by defending the democratic principles which were being stifled by the Section. Many experts also supported the scrapping of Section 66A on the grounds which the Supreme Court considered as correct.

In the process, a new law was created in India that the erstwhile provisions of Section 66A which the Supreme Court struck down were indeed violative of the constitutional right of freedom of speech. If in future similar laws are passed, then the judgement in this Shreya Singhal case can be held out as a precedent.

Naavi.org has consistently maintained that the application of Section 66A to the Palghar case was wrong ab initio and that this mistake of the police should have been struck down by the various Courts, since Section 66A did not apply to “Publishing” of electronic content but only applied to a “Message” sent from one communication device to another. This fundamental difference between “Publishing” and “Messaging” was blurred by the erroneous judgement of the Supreme Court in this case.

We do not know when this mistake of law will be corrected in future.

The Latur Case

Now the arrest of a WhatsApp administrator by the Latur police (and earlier by the Agra Police) and the media reports that are coming through thereafter indicate that we are in the process of rewriting another piece of law based on the mistaken action of the police at the lowest rung of law enforcement.

I also note that many experts in the field of Cyber Law have endorsed the action of the Police, either consciously or otherwise, in the course of expressing their opinion, which goes towards building an opinion that what the police have done is correct.

Naavi.org however does not want to contribute to the proliferation of an erroneous opinion being created and, though it looks odd to contradict all other experts, we would like to go on record with our opinion.

Before I proceed further I would like to state however that if I am a policeman and I spot a message either on WhatsApp or in an Off the Air interception of a mobile communication or even an overhearing of a conversation in a bar in which one is speaking to another indicating commission of an offence of any nature, more so if it can disturb public peace or national integrity, I would swing into action and try to apprehend the alleged offenders to prevent commission of a crime. This does not mean however that I would arrest the owner of the bar in which the conversation was held or the mobile service provider who facilitated the conversation. I may however contact them for information on the conversationists whom I need to identify and continue my further investigation. If I feel that they are aware of the identity of the conversationists but are not sharing the information, I will then threaten them with legal action and if they are obstinate, I may then arrest them “for withholding evidence and interfering with the lawful duty of the officer”. All my other comments must be viewed with this caveat.

Now coming back to the case of the arrest of the WhatsApp Administrators, I refer to the following reports:

1. Indian Express of 10th October 2015

2. The Hindu report of 8th October 2015

3. The Hindu report of 13th October 2015

4. Newsminute report of 20th October 2015

5. Track.in report of 12th October 2015

6. Deccan Chronicle report of August 14, 2015

7. Times of India report of 9th February 2015 (Agra incident)

and many other similar reports.

To start with, let us see the sections under which the Police seem to be building a case. There are three sections mentioned, namely Sections 153 and 34 of the IPC and Section 67 of ITA 2000/8.

These sections are reproduced here for immediate reference:

Section 153 in The Indian Penal Code

Wantonly giving provocation with intent to cause riot—if rioting be committed—if not committed.—

Whoever malignantly, or wantonly, by doing anything which is illegal, gives provocation to any person intending or knowing it to be likely that such provocation will cause the offence of rioting to be committed, shall, if the offence of rioting be committed in consequence of such provocation, be punished with imprisonment of either description for a term which may extend to one year, or with fine, or with both; and if the offence of rioting be not committed, with imprisonment of either description for a term which may extend to six months, or with fine, or with both.

Section 34 in The Indian Penal Code
Acts done by several persons in furtherance of common intention.—

When a criminal act is done by several persons in furtherance of the common intention of all, each of such persons is liable for that act in the same manner as if it were done by him alone.

Section 67 in The Information Technology Act, 2000
Punishment for publishing or transmitting obscene material in electronic form. –

Whoever publishes or transmits or causes to be published or transmitted in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to three years and with fine which may extend to five lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.

A quick glance at these sections indicates that

a) Section 67 applies only to material which is lascivious or appeals to prurient interests. The subject message is nowhere near this definition. Hence this section is not applicable. In the unfortunate event of the Shreya Singhal error repeating in this case, we will be redefining the meaning of “lascivious” and “prurient interest” to “alerting the community to a danger from kidnappers of children”.

b) Section 153 of the IPC applies when an “illegal act” has been committed and somebody uses it to provoke others into causing the “offence of rioting”, and

c) Section 34 applies when a “Criminal act” is committed by a number of persons.

In my reading of these sections, first an illegal act has to be committed, then there has to be a provocation to riots using the illegal act as a reason, and there have to be several persons involved in such an act if Sections 153 and 34 of the IPC are to be applied.

Here, Section 67 of ITA 2000/8 is an independent section that defines an illegal activity; Section 153 of the IPC is dependent on Section 67, and Section 34 is further dependent on Section 153.

Since Section 67 is considered applicable for “Publishing or Transmitting of Obscene Electronic Content”, unless the “objectionable message” falls into the category of “Publishing or Transmitting of Obscene Electronic Content”, no offence is made out under any of these sections.

Hence the entire case filed by the Latur Police is without a proper basis, and the arrest of WhatsApp administrators is a gross misuse of law which should be questioned under the Human Rights Act. (Unfortunately Human Rights Activists in India are only interested in protecting terrorists and criminals and not genuine victims, and hence nobody may come to the rescue of these hapless WhatsApp administrators.)

Now let us turn our attention to another aspect. If the content had been different, say the promotion of terrorist ideologies, then we would need to discuss whether the WhatsApp platform can be considered equivalent to a “Website” and can be treated as an “Intermediary”.

An “Intermediary” is defined under Section 2(w) of ITA 2000/8, and if any offence is committed by a third party with messages that are handled by an “Intermediary”, then the liability of the Administrator would be determined as per the provisions of Section 79 of ITA 2000/8.

Accordingly,

“Intermediary” with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.

There is no doubt that this is an “inclusive” definition and one can take the liberty of extending the definition beyond the examples provided, such as “telecom service providers”, “network service providers”, “internet service providers”, “web hosting providers”, “search engines”, “online payment sites”, “online auction sites”, “online market places” and “cyber cafes”. In the subject dispute, an attempt is being made to extend the definition of “Intermediary” to a “WhatsApp Group” and the role of the “Administrator” to that of the owner of the types of entities mentioned in the section.

To understand the nature of WhatsApp service one needs to check the FAQ on the WhatsApp website.

When WhatsApp is first installed on the mobile, it asks for permissions to access data on the device such as the device ID, contact details etc. Basically these are privacy issues which the user agrees to before downloading the App. Once the app is downloaded, there is a “Terms of Service” which a person needs to “agree” to, and then enter the mobile number for verification. Once accepted, it is difficult to revisit the Terms and one has to go back to the website to check the FAQs and other terms.

Apart from absolving itself of any responsibility for the content, WhatsApp specifically says:

“YOU SPECIFICALLY ACKNOWLEDGE THAT WHATSAPP SHALL NOT BE LIABLE FOR USER SUBMISSIONS OR THE DEFAMATORY, OFFENSIVE, OR ILLEGAL CONDUCT OF ANY THIRD PARTY AND THAT THE RISK OF HARM OR DAMAGE FROM THE FOREGOING RESTS ENTIRELY WITH YOU.”

The user therefore discharges WhatsApp from all the liabilities and takes all such liabilities on himself.

When messages are sent or received, WhatsApp stores them on the device, with a limited backup to facilitate delivery after a user is disconnected from the Internet and reconnects.

According to WhatsApp,

“WhatsApp does not copy nor store the messages sent through its messaging system. Nevertheless, if the recipient is not connected, undelivered messages will be kept in WhatsApp servers and may be stored in those servers for up to 30 days”.

This is a transient storage that makes “WhatsApp” an intermediary as per ITA 2008 only in respect of such “Undelivered messages”. In respect of “Delivered Messages”, WhatsApp is not rendering a “Storage Service” and is providing only a routing service, which is akin to a telecom service provider. While this is also a service recognized as that of an intermediary, the “Due Diligence” requirements under Section 79 differ between an intermediary who provides storage services and an intermediary who provides message routing services. WhatsApp wears two hats and its responsibilities for “Due Diligence” therefore have to be seen with reference to its function.

In the subject case, the Police are not making WhatsApp a party to the dispute and are only making a criminal charge against the “Administrator of a Group”. It is not clear if they consider the Administrator as a representative of the WhatsApp Company or as a service provider himself who provides a service called “Group” on the platform provided by the WhatsApp company.

While the Administrator is a user of the WhatsApp service and is bound by the terms which he has signed with the Company, for which the WhatsApp company has a cause of action, the creation of a group is an activity of the user to make it convenient for him to exchange messages with a sub-group of his contacts. When a person sends a message to a group, it is a set of multiple messages which will be sent to each of the persons. It is therefore an aggregation of many messages sent with a single click. The administrator, when he creates the group, has the power to add or remove a person or make another person a co-administrator (if the person is already in his contact list). He may also invite a person to join the group. The invitee may refuse the invitation by exiting the group. The recipient of a message can delete the content of the message received on his account, or forward it to another person or a group in his name, apart from replying back to the group from which the message was received by him.

The recipient of a message from a group only sees the mobile number of the sender unless the sender has been stored as a contact. But it is clear from the message that the message has originated from “an identified mobile number” and not from the group administrator.

Every WhatsApp group message is therefore attributed directly to the given mobile number, and the Group admin has no role in “initiating the transmission of a message, selecting the receiver of the transmission (it goes to all the members of the group) and selecting or modifying the information contained in the transmission”. (These are the conditions mentioned under Section 79 of ITA 2000 for the intermediary to be absolved of liability.)

In the event we presume that the “Group” is itself an intermediary service provided by the Administrator, the admin is entitled to protection under Section 79 if he observes “Due Diligence” and also if he takes expeditious action towards determining whether a content is objectionable and is to be removed, after he is duly notified by a Court.

Thus in the subject case, whether the WhatsApp group is an intermediary at all is itself debatable. Even if so, the admin’s liability can only be counted from the time a Court order is served (maybe we can dilute this to an order being served by the Police) and is limited to the removal of the content. In WhatsApp, the admin has no power to remove content on individual users’ devices. At best he may send another group message that he has received a notice from the Court/Police and that every user is required to delete the content. Beyond this, expecting the Admin to share the responsibility for the content itself is not justified.

The Police should remember that the admin should be presumed to be innocent until proven guilty. The Police should also realize that sometimes, when the admin of a group leaves the group, another person might have been assigned as administrator without the need to do anything affirmative.

The responsibility of the admin in any investigation should be considered limited to the extent of providing the phone number of the person who has posted the objectionable content, and it is the duty of the Police to trace the person using the KYC of the mobile service provider. When mobile numbers are used as valid identification even for Bank accounts, a WhatsApp administrator cannot be expected to do any KYC other than identifying the mobile number, which is done by WhatsApp itself when the app is downloaded and installed.

We need to also recognize that WhatsApp is not a service to host content; it is a “Messaging Platform”. It is only in the event of a message not getting delivered that it is stored until the destination device reconnects to the Internet. It cannot therefore be equated to the posting of content. While Section 66A could have been applied to it if the section had not been scrapped, Section 67 can be applied only if the message is obscene.

However, Section 67 cannot be applied in all cases since it applies only to messages which can be proved to have the effect “to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter”. This would require that only a member of the group has the right to raise an objection, and a third party cannot take cognizance of the message as an offence under Section 67 since he is not a member of the group and the message is not meant for him.

Looked at from any angle, therefore, the action of the Police in the Latur Case in arresting the WhatsApp administrator is a gross misuse of its power and calls for action under the Human Rights Act.

As stated earlier, if a person sends a message which is, say, anti-national and uses the emphasis “Please share this with your friends”, then he may be accused of trying to broadcast the message outside the group and punished as may be appropriate. I do not think that the Latur message alerting on child kidnapping falls into this category. In many cases the Police itself issues warnings such as “Do not open the door for strangers”, “Beware of motorcycle-borne persons asking for an address” etc. These also have the potential of creating a scare and leading to undesirable and unintentional consequences, including the lynching of a suspect.

Hence the Police are wrong in the Latur Case to hold WhatsApp admins responsible on the basis of whatever information is now available to the public.

Hence the media should stop creating its own scare that WhatsApp Administrators are in danger of being arrested. Instead of spreading this rumour, the media should try to educate the Police.

I also request Cyber Law Experts not to interpret the term “Intermediary” so broadly, in a manner not envisaged in law, or to merge the definitions of “Publishing” and “Messaging” into a single category and burden a WhatsApp administrator with legal responsibilities not envisaged in law.

More importantly, I wish that Courts and Magistrates do not validate the Police action by confirming the action taken by the police, in which case, like the Shreya Singhal case, this will be another case where an ignorant Police Constable would have rewritten law through the mouth of an equally ignorant Judge sitting in a Chair which is respected for its role and authority to deliver justice to the community.

Naavi


“Fake Review” as a business

I refer to a report today in money.cnn.com, stating that Amazon has sued over 1000 sellers of “fake product reviews”.

It may surprise many that “Writing Fake Reviews” is a business model taken up by many, and it is being advertised on sites such as Fiverr.com.

For example, one of the offers, costing US $5/- per review, reads as follows:

QUOTE

  • I will write a 200 -300 word review of your website or chosen product.  This could be on your website or a review site.
  • I will make the review sound natural, genuine, insightful and with lots of enthusiasm.
  • The aim of the review is to build trust and show your product in the best possible light without sounding ‘ Fake’.
  • I pride myself on paying attention to detail and will make sure your review is engaging.
  • I have reviewed a range of products and services, covering many different audiences. Therefore, I can adapt to suit your needs.

NOTE: If a review is pulled from a site, for whatever reason that may be, I cannot be held responsible, nor will I be able to offer you a refund.

UNQUOTE

The service offering indicates how the service is “Ab Initio” a fraud on consumers anywhere in the world. It is an offence that can attract penal provisions under any law.

The question also arises as to the responsibility of a website such as Fiverr.com in promoting such fraudulent business. Some time back, we commented on the business model of Glassdoor.com, which thrives on a facility to blackmail an employer by carrying on a false campaign, though the original intention could have been only to provide genuine employee feedback on an employer.

Naavi once had to battle with another Cyber Law practitioner in India whose hired “Reputation Management Contractors”, in a bid to promote their client, kept on writing against me on many websites. I had to go to each of such websites, write counter comments, and eventually the campaign was perhaps withdrawn. I am not sure if the professional, who in fact had used Naavi.org to promote himself in the beginning of his career, was aware of what the “Reputation Managers” were actually doing. But obviously, he was taking responsibility for the irresponsible activities of the hired reputation managers.

These indicate the dark side of the Internet and Social Media, where there are members willing to spread misinformation for a price. At $5 a piece, an unscrupulous competitor can hire people to damage the reputation of a rival. With increasing emphasis on mobile commerce and e-commerce, it is necessary for all those who are interested in the positive development of the Internet that these tendencies are nipped in the bud. These are like viruses and trojans which need to be tracked down and killed.

I therefore support Amazon fully in its efforts to bring these unscrupulous contract review writers to book and also support action against the website managers who fail to follow due diligence steps to prevent such misuse of their platform.

While we do not have any objection to genuine job seekers posting their resume and credentials in review writing or any other matter, the offer “To write fake reviews” is a shameful profession for any talented person. We need to stand up against such practice and make the Cyber Space more trustworthy.

Naavi


Digital Society Day Initiatives from Naavi

Today is the 15th anniversary of the Digital Society Day which marked the beginning of the legal recognition of electronic documents in India.

In order to mark the day, Naavi has been initiating new activities in different years basically to spread the awareness of Cyber Law in India.

This year, Naavi will rededicate his efforts towards better Cyber Law Awareness through the following two projects.

1.Cyber Law Compliance Center for Mobile Apps

2.Techno Legal Information Security Awareness workshops for Corporates in Bangalore

Both projects are initiated by Naavi but its implementation depends on others joining the initiative.

My thoughts on the projects are explained below.

1. Cyber Law Compliance Center for Mobile Apps:

Technology practitioners have a general dislike for regulation. Most Indians believe that India developed into a significant IT power because of the lack of regulation. The fact that the Internet itself is an example of growth without regulation is a vindication of this belief.

However, once Internet usage crossed into the business domain, regulation became a necessity to prevent a “jungle Raj” from setting in. ITA 2000 was born because e-Business and e-Governance could not be conducted in an unregulated environment.

But the fight between Regulation and Freedom continues unresolved. One example of such a fight is that between Privacy and Freedom of Expression, with social media users demanding “Freedom” even to misuse it, while others are wary of reputation loss due to irresponsible defamatory posts.

Today is 17th October, the “Digital Society Day” first declared and celebrated by Naavi through specific activities geared towards better awareness of ITA 2000. It is now 15 years since ITA 2000 became effective with legal recognition of electronic documents, enabling contract formation online and introducing the concept of Cyber Crimes, vicarious liabilities on intermediaries etc. It is more than 6 years since ITA 2000 was amended and the concept of “Reasonable Security Practice” and other enhancements to mandated Information Security prescriptions became effective.

But the question remains: do we have adequate awareness of ITA 2000/8? Let us forget the Police who make mistakes and Judges who are not cyber savvy. Let us reflect on whether there is adequate knowledge of ITA 2000/8 at professional levels in Companies. My own impression is a firm No.

We have miles to go before we sleep... with the comfort that “All is Well”.

I recently referred to the Indian Financial System being at the “Napster Moment”, indicating the possibility that lack of Cyber Law Compliance may force businesses to shut down when business prospects may otherwise be booming.

The present situation as I see it is that a company doing business with the use of electronic documents is exposed to “Techno Legal Risks” which could be crippling at times. They may manifest as a “Cyber Attack” leading to reputation damage, data theft etc., or as a “Regulatory Ban” leading to closure. In either case, there could be a risk of both civil liabilities for the company and criminal liability for the CEO, the Directors etc.

A prudent business manager should therefore ensure that this “Techno Legal Risk” is assessed well in time and addressed before it manifests into a liability.

The best time for a business owner to look at Techno Legal Risks is right at the beginning of the project, namely at the “Start Up” phase. This however is also the time when a company would be starved for funds and would like to focus only on essentials such as building the technology infrastructure. It is therefore natural for entrepreneurs to ignore any activity or expense which is not directly related to the functionality of the project and its early take off.

However, there are some Cyber Law issues which are better sorted out right at the beginning, in the “Feasibility Evaluation” stage of the project itself. Hence, along with the traditional four dimensions of project feasibility, namely Market feasibility, Technical feasibility, Financial feasibility and Managerial feasibility, a fifth evaluation, “Techno Legal Feasibility”, needs to be undertaken so that the Start Up does not spend time, effort and money only to find, at the take-off stage or soon after, an insurmountable legal hurdle.

Also, just as it is prudent to attend to security right at the software architecture level, the legal aspects of security should be attended to right at the time when the business architecture is taking shape. Ignoring this at this stage and patching up the systems later would be less efficient and more expensive.

While this is the wise advice which security professionals always provide, entrepreneurs do not always appreciate it and go ahead with their own idea of “Business First, Compliance Later”. As long as our Police were ignorant and could be managed, both by bullying them with technology terms and through other influential factors, it was possible for businesses to do what they wanted and manage the mistakes if they were found out later.

But the times are changing. Police are becoming more knowledgeable, can catch omissions and transgressions of law even under complicated concepts such as “Reasonable Security Practice” or “Due Diligence”, and can question corporate officials as to why they should not be held liable.

The emerging Cyber Insurance industry will also demand “Proof of compliance” before and after a Cyber Insurance contract is written.

In view of these developments, it is not possible for businesses to ignore Cyber Law Compliance any longer.

With most businesses now moving onto the mobile platform, and some companies preferring to offer services in the “Mobile Only” mode, Cyber Law Compliance for “Mobile Start Ups” has become a necessity.

Unlike other industry start ups, mobile start ups are normally a single-techie venture and often lack the benefit of an adequate managerial infrastructure to guide them on what is required for compliance with Cyber Laws.

Recognizing this emerging need, Naavi has started a new service aimed at making mobile business start ups Cyber Law Compliant.

The service is aimed at providing consultancy to companies to develop “Cyber Law Compliant Apps” for their business. Since an App is actually an enterprise-level business management tool, it is a micro replica of an ERP system. It has several sub-functionalities, and all the legal risks arising out of the use of the app for business cannot be covered by a one-page privacy permission statement shown when the app is installed. Further, the app-based business model is likely to keep changing rapidly as the business grows, and hence the legal risks need to be dynamically assessed and patches applied without much delay.

Some of the apps, like the payment bank apps such as Paytm or Pockets, are functionally as huge as an independent Bank itself. If these apps are to be made Cyber Law Compliant, it is like rendering a Banking institution cyber law compliant. It is a massive job which requires continuous attention. If the organization is big and the business is critical, there needs to be an in-house team attending to this.

“Naavi’s Cyber Law Compliance Center for Mobile Apps” will try to provide the necessary support to start ups through their development phase to be Cyber Law Compliant from day one.

Companies which will be using Finance and Health care apps need this service immediately.

Before the market is flooded with non-cyber-law-compliant apps, making it difficult to weed out non-conforming apps, it is better for the mobile eco-system to adapt to being compliant so that the environment will be healthy from the beginning.

Naavi will try to carry this thought and put it into action and hopefully the companies will realize the need and make proper use of the services.

This will be the new project of Naavi initiated on this 15th anniversary of the Digital Society of India. I invite other professionals who would like to be part of this initiative to contact me so that we can together help build a Cyber Law Compliant Mobile App eco-system.

2. Techno Legal Information Security Awareness Workshops for Corporates in Bangalore

This is a simple program where on invitation Naavi would like to conduct half day workshops for companies both in the IT and non IT sector explaining the provisions of ITA 2008 and its impact on Information Security Management in the corporate environment.

The idea is to conduct 100 such workshops in the next one year (this was the rate of my awareness activities in the first five to six years after ITA 2000 came into being, before tapering off) as part of the Secure Digital India initiative.

Obviously, this is the intention and a self-imposed target. The first of such meetings should start next week. But it all depends on how the industry responds and whether there can be any sponsors for this program from commercially sound stakeholders in the information security industry, including the Cyber Insurance industry, who are the likely beneficiaries of such large-scale awareness programs.

Naavi


Rs 197 crores lost by ONGC to a silly Cyber Fraud

Two years back we wrote the following posts:

RBI and ECGC should consider trade remittances to Hong Kong as Highly Risky : July 14, 2013

Syndicate Bank loses Rs 1.13 crores of customer’s money: November 26, 2013

Negligence of Export Promotion Councils, ECGC and Banks lead to Rs 2.35 crore fraud: November 27, 2013

In these articles, the attention of Companies as well as RBI and ECGC had been drawn to the e-mail identity hijacking fraud which had become a convenient tool of Cyber Fraud. I do not accept that these articles have escaped the notice of RBI and ECGC. They should not have escaped the notice even of large companies which have professionals working as legal advisors, information security professionals, compliance professionals etc. besides the finance professionals. Some of these companies might have kept “Fraud Mitigation Advisors” on retainer who are supposed to audit the business process and advise the companies on reduction of fraud losses.

But it appears that ONGC has suffered a loss of Rs 197 crores to a simple impersonation fraud as this report indicates.

See report here

In Information Security, we often talk of the importance of “Awareness Building”. The above articles did try to build such awareness. But unfortunately, it has proved once again that “Awareness Building” is only the first little step and as long as there are irresponsible and uninterested people around, frauds will continue to happen.

What irks people like us is that the fraud that happened in ONGC did not involve any sophisticated trojans or viruses, nor a cyber army or cyber terrorist attacks. It could have been done by an ordinary fraudster who was aware of the business processes used by the Company. That is why I called it a silly fraud. If we cannot defend against such simple frauds, we do not have the right to talk about Stuxnet or Zeus or other more sophisticated attack vectors.

The modus operandi of the fraud was as follows:

A domain was registered in the name of ognc.co.in, probably through our own Indian ISP, Net4domains.com, recently on 19th September 2015, as indicated by the following Whois information:

Domain ID:D9853385-AFIN
Domain Name:OGNC.CO.IN
Created On:19-Sep-2015 02:36:10 UTC
Expiration Date:19-Sep-2016 02:36:10 UTC
Sponsoring Registrar:Net4India (R7-AFIN)
Status:TRANSFER PROHIBITED
Registrant ID:R15091904345215
Registrant Name:Robert Knowles
Registrant Organization:
Registrant Street1:116 Street NW
Registrant Street2:
Registrant Street3:
Registrant City:Edmonton
Registrant State/Province:AB
Registrant Postal Code:t6j6x5
Registrant Country:CA
Registrant Phone:+91.7804377824
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:aditi.morex@gmail.com
Admin ID:A15091904345215
Admin Name:Robert  Knowles
Admin Organization:
Admin Street1:116 Street NW
Admin Street2:
Admin Street3:
Admin City:Edmonton
Admin State/Province:AB
Admin Postal Code:t6j6x5
Admin Country:CA
Admin Phone:+91.7804377824
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:aditi.morex@gmail.com
Tech ID:T15091904345215
Tech Name:Robert Knowles
Tech Organization:
Tech Street1:116 Street NW
Tech Street2:
Tech Street3:
Tech City:Edmonton
Tech State/Province:AB
Tech Postal Code:t6j6x5
Tech Country:CA
Tech Phone:+91.7804377824
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:aditi.morex@gmail.com
Name Server:NS1.NET4INDIA.COM
Name Server:NS2.NET4INDIA.COM

E-mails were sent in the name of patel_dv@ognc.co.in to a customer, namely the Saudi-based Aramco, with whom an executive of ONGC was perhaps in touch from the e-mail address patel_dv@ongc.co.in, concerning an order to deliver 36000 metric tons of naphtha.

On September 7, ONGC dispatched the order, worth Rs 100.15 crore, from Hazira port in Surat. According to the police, the company usually transferred payments to ONGC’s State Bank of India (SBI) account, but did not do so this time.

ONGC was to send a second batch of naphtha to Aramco on September 22. However, since they had not received the earlier payment, they enquired with the Saudi-based company. On being told that the delay was on account of public holidays and bank holidays, ONGC dispatched the second batch of naphtha worth Rs 97 crore on September 22. Again, ONGC e-mailed a scanned copy of the tax invoice with its SBI account number to the company.

On October 7, ONGC received an e-mail from Aramco stating that the money had been transferred to a new account. Obviously such a change of bank details had been sent to Aramco from the alternate e-mail ID. As of now the identity of that Bank is not known.

It is clear that the fraudster started his action after the first batch of the order had been delivered and the money was due from the other end.

It is possible for us to blame Aramco for negligence in not identifying the change in e-mail address and remitting the money to a new account. It is also possible to blame the Bank which may have been used to complete the fraud by opening the fraudster’s account.

It is possible that ONGC may ultimately recover its money and the loss may have to be borne by Aramco.

I wish that Dr Triveni Singh, the celebrated police officer of the UP cadre who only yesterday busted a huge employment racket in Noida, is made the special officer in charge of investigating this ONGC fraud.

But ONGC should recognize its own negligence in not using digital signatures in communicating with its customers. Not identifying the presence of a confusingly similar domain name (though the fraud occurred immediately after the registration and perhaps it was too early for the registration to be noticed) could also be an area of negligence.
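The two gaps the post points to, a sender domain one letter-swap away from the real one and a domain registered only days before the mail arrived, are both mechanically checkable at a mail gateway. The following Python is an added illustration written for this page, not code from Naavi.org or from ONGC, Aramco or Net4India. It uses the domain name and dates from the Whois record quoted above; the trusted-domain list, the mail receipt time and the 30-day age threshold are assumptions, and the contact fields of the record are deliberately left out.

```python
"""Lookalike-domain and domain-age checks on an inbound sender address.

Added example for the ONGC post; it is not the post's own code. It shows
(1) spotting a sender domain that is a small edit away from a trusted
counterparty domain (ognc.co.in versus ongc.co.in) and (2) noticing that
the sender's domain was registered only days before the mail arrived.
"""
from datetime import datetime, timezone


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions, substitutions and adjacent
    transpositions. Swapping two letters (ongc -> ognc) costs 1 here, whereas
    plain Levenshtein charges 2 and a distance-1 screen would miss it."""
    a, b = a.lower(), b.lower()
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def classify_sender_domain(sender_domain, trusted_domains, max_distance=1):
    """Return ('trusted', d), ('lookalike', d) or ('unrelated', None).

    Both the whole domain and its leftmost label are compared, so that a
    different suffix (ongc.com for ongc.co.in) is also surfaced for review.
    max_distance=1 catches transpositions and single-character swaps; raising
    it without a length floor makes short labels collide with each other.
    """
    s = sender_domain.lower().strip()
    trusted = [t.lower().strip() for t in trusted_domains]
    if s in trusted:
        return ("trusted", s)
    for t in trusted:
        whole = damerau_levenshtein(s, t)
        label = damerau_levenshtein(s.split(".")[0], t.split(".")[0])
        if min(whole, label) <= max_distance:
            return ("lookalike", t)
    return ("unrelated", None)


def parse_whois(text: str) -> dict:
    """Parse 'Key:Value' lines of a .IN registry WHOIS record (the layout quoted
    in the post) into a dict; the first occurrence of a key wins."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key and key not in record:
            record[key] = value.strip()
    return record


def domain_age_days(record: dict, as_of: datetime) -> int:
    """Whole days between the record's 'Created On' timestamp and as_of."""
    created = datetime.strptime(record["Created On"], "%d-%b-%Y %H:%M:%S UTC")
    return (as_of - created.replace(tzinfo=timezone.utc)).days


def assess_sender(sender_address, trusted_domains, whois_text, mail_date,
                  min_age_days=30):
    """Return a list of findings for one inbound address; empty means nothing
    suspicious. min_age_days is an assumed policy threshold."""
    findings = []
    domain = sender_address.rsplit("@", 1)[-1]
    verdict, relative = classify_sender_domain(domain, trusted_domains)
    if verdict == "lookalike":
        findings.append(f"sender domain {domain} is a lookalike of trusted {relative}")
    age = domain_age_days(parse_whois(whois_text), mail_date)
    if age < min_age_days:
        findings.append(f"sender domain was registered only {age} days before the mail")
    return findings


# Constructed excerpt in the layout of the WHOIS record quoted in the post:
# only the domain name, dates and registrar lines are kept, contacts omitted.
WHOIS_OGNC = """Domain Name:OGNC.CO.IN
Created On:19-Sep-2015 02:36:10 UTC
Expiration Date:19-Sep-2016 02:36:10 UTC
Sponsoring Registrar:Net4India (R7-AFIN)
Status:TRANSFER PROHIBITED
"""
# Assumed receipt time of the "new account" mail the post dates to October 7.
MAIL_DATE = datetime(2015, 10, 7, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    # The counterparty's gateway knows ongc.co.in as a supplier domain (assumed).
    for finding in assess_sender("patel_dv@ognc.co.in", ["ongc.co.in"],
                                 WHOIS_OGNC, MAIL_DATE):
        print("ALERT:", finding)
```

Either finding on its own is only a screening signal; a mail that carries both, and that also asks for payment to a new account, is exactly the case where the payment should be held until the change is confirmed over a channel the sender did not choose, which is the point the post makes about due diligence on both sides.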

Net4Domains will also share a good part of the blame since it has unwittingly become a tool of this crime. I will not be surprised if Aramco files a case against this company, and it will be tough for them to defend.

In summary, we can again highlight that “Cyber Law Compliance” in business is being ignored by large companies and it is resulting in such frauds. The sooner they realize the need to have the right kind of advisors who understand Cyber Laws and how they impact the business in a variety of ways, the better it is for the company.

We may also highlight here that ONGC is a listed company and its CEO and CFO are signatories to the Clause 49 declaration of the listing requirements. How they gave such a declaration without adequate security in their communications is a point which the shareholders of the company need to raise at the next AGM.

Shareholders also need to watch out for the remedial steps that ONGC needs to take after the incident, including whether they have Cyber Insurance, and question the directors.

At the same time, I also would like to draw the attention of the Controller of Certifying Authorities (CCA) to the fact that while people like us are placing faith in the digital signature system since that is part of ITA 2008, CCA itself is diluting the legal validity of the digital signature system, as I have explained in greater detail in an earlier article on esign. This is a great disservice CCA is doing to ITA 2000/8 loyalists like the undersigned, and CCA should call for a meeting of experts to discuss how it can resolve the esign issue and other issues that dilute the legal validity of digital signatures and their non-repudiable nature.

Naavi
