Techno Legal Business brings a turf war in Cyber Forensics area. Where are IS professionals?

Technology has disrupted many traditional business practices. For example, Banking before and after technology has never been the same. Same way, ever since Cyber Laws became a prominent practice area, lawyers have found that their traditional practice domain has been disrupted.

Today, it is almost impossible to run an efficient litigation without using Cyber evidence and Cyber law. If a firm is unable to make proper use of evidence, most of which is in electronic form, and to run a good cross-examination of witnesses trying to prove or disprove the electronic evidence presented, its lawyers would find it difficult to be effective as litigation lawyers. Hence good legal firms have found it necessary to use the services of experts where required and also develop in-house expertise in Cyber Forensics.

When it comes to using the services of high end experts, the firms have a difficulty in forging a long term association because those professionals may not be qualified advocates and hence cannot be partners in business.

At the same time, the Chartered Accountants who are already in the domain of whatever is called “Auditing” have also been fighting to get into the space of “Forensics” since their internal audit work in any Corporate environment lands them in fraud investigation in electronic environment and associated Cyber Forensics.

They also have difficulty in forging long term association with Techno Legal experts who can assist them in the auditing work when it comes to “Compliance Audit” or “Fraud Audit”.

Actually, “Cyber Forensics” is an area which is highly technical and should have been a natural domain of a software or hardware specialist. Professionals in this tech field should normally be found in organizations such as Computer Society of India but they seem to be absent in the race for business in Cyber Forensics. There is also a professional group belonging to the “Information Security Domain”, which includes those who are certified with diplomas such as “Certified Ethical Hacker”, “CISSP”, “Network Forensics” etc., who also claim to be experts in Cyber Forensics and have a say in this domain. But this set of professionals do not have a strong organization and hence most of the Information Security audit work is done by Chartered Accountants with CISA qualification rather than core information security expertise.

This Economic Times Report highlights the emerging turf war between law firms and the Big Four accounting firms. It is stated that law firms are poaching forensic experts from Big Four firms and even launching legal action charging the Big Four firms with running unauthorized legal practice. (See this report)

Essentially, Law Firms are trying to take protection from the “Advocates Act”, which tries to reserve legal practice to registered members of the Bar Council. This tendency for “Reservation” is also present in the Chartered Accountants, who also prevent non-CAs from joining firms run by CAs in providing corporate advice. The Company Secretaries and Computer Society professionals are not so well organized to fight for their own turf in the corporate scenario.

Now that the Delhi Bar Council has taken the issue to the Court, there is going to be a big fight for “Reservation” of business between the Advocates and Chartered Accountants.

Given that the Judicial Community has emerged only from the advocate community, the judicial fight may be skewed towards the advocate community and there is a huge conflict of interest between the Judiciary and this dispute.

The undersigned has always opposed every kind of reservation in life and is not comfortable with the professional agencies using their clout to reserve parts of the business to themselves. (Naavi himself has faced issues in forging partnership with law firms and CA firms though both use his services for improving the quality of their services.)

However, the Cyber Forensic business is a new business area which involves Technology, Law and Auditing expertise. We can even say that Forensics involves analysis of the “Behaviour” of the technology user, which is a “Behavioural Science” skill. Naavi has been a pioneer in projecting Information Security as a three dimensional expertise of Technology, Law and Behavioural Science. However, these domains of expertise developed in recent years and there were no formal degrees and diplomas in these fields until recently. As a result, the law graduates who claim their right to litigate Cyber Crime cases have no relevant qualification in Cyber Laws, nor are the Chartered Accountants who qualified in the past and claim their right to auditing today exposed to technology issues as they should be. Hence the claims of reservation of business based on qualifications appear to be unreasonable.

It appears that a day has come where the “Disruptive” aspect of technology has come into the area of “Reserved Professional Practice” and it is time that the restrictions placed on legal firms partnering non legal practitioners as well as Chartered Accountant firms partnering non CAs should be summarily removed. We must recognize that the technology areas require collaboration of people with different skills and, in the interest of clients who require efficient services, a legal firm needs technology, accounting and behavioural science experts in its fold, and the Big Four or other CA firms also need Cyber Law experts and experts in international law, taxation law etc. in their fold.

Instead of the top legal firms fighting with top accounting firms in Courts, they need to forge an alliance and ensure that the mutual exclusions which they have used in the past, which I call “Reservation Mentality”, are dropped and “Merit” prevails in the profession.

We however would advise that both the legal firms and Big Four should not compromise to keep the Information Security professionals outside the area of Information Security Audit and Forensics. In fact these professions should study the case which Delhi Bar Council has brought and implead themselves to put up their arguments if required so that they are not pushed out by the law firms and Big Four from the field of Cyber Forensics.

Probably the case brought up by the Delhi Bar Council has more to do with corporate advisory services in the area of Mergers and Acquisitions and less with Cyber Forensics. However, the principle of “Exclusivity in Professional Practice” is a potential “Frankenstein” and should be curbed before it gains any judicial validity through this case. If IS professionals are negligent, then lawyers and chartered accountants may declare that Cyber Forensics is their exclusive business domain and make IS professionals subordinate to either of the professions!

Naavi


Data Theft by a Senior Bank Employee in Mumbai… Is it vendetta?

It is reported that Mumbai police are pursuing a data theft complaint against a senior Bank employee in Mumbai. According to this TOI report, the senior employee (a lady), with 20 years of working in the Bank in the past, resigned and is due to join another Bank.

The allegation is that some time after resignation, she took away some confidential information belonging to the Bank on her pen drive. The complaint has been made by the Bank manager.

The report

There are many inconsistencies in the report and there is every indication that it could be a motivated report. More clarification is required before it is given credence.

According to the Bank manager, “She got access, after quitting the job, on the pretext of taking down data stored in her computer system in her office”. Bank officials complained that she took the data without the knowledge of anyone present on the premise.

The complaint was lodged on September 9, 2015 whereas the person left the Bank on April 21. It is not clear when she got the access and how the manager came to know the “pretext” when nobody was present in the premises.

According to the TOI report, a spokesperson of the Bank is supposed to have stated “The data was related to Reserve Bank of India rules and banking policies, which the suspect can misuse”.

If the data related to RBI guidelines, it is not clear what is the confidentiality involved.

If the Bank is concerned it could as well be a case of some information which the Bank is afraid would harm its reputation. If it was simply rules and policies, there is no reason for the Bank to file a complaint except as a vendetta against a parting executive.

It would be interesting to observe how the case develops.

If the Police conduct a proper investigation, there is every possibility that the complainant himself may turn out to have indulged in some offence.

There is however a need for the defense to handle this technical case with some intelligence as otherwise the weight of the complainant’s organization may have a bearing on the way the case proceeds from now on.

Naavi

Maharashtra Government finds a unique PPP model!

During our childhood, we have heard stories of a Fox and a Bear who agree on collaborative cultivation. For the first crop they agree that whatever grows above the soil belongs to the Fox and whatever grows underneath the soil belongs to the Bear. The Fox suggests that they grow tomatoes. The Bear works hard and when the cultivation is ready, the Fox walks off with all the tomatoes and the Bear is unhappy. The Fox convinces the Bear for the next crop and agrees that what grows above the soil will now belong to the Bear and what grows underneath the soil belongs to the Fox. The Bear agrees. The Fox suggests that they grow... potatoes... so the story goes...

It appears that Maharashtra Government has now implemented a PPP model of a similar nature where the Government and Mumbai Police in particular will promote a PPP project in which all the revenue goes to a private party while the Government and the Police are only used to promote the project for the benefit of the private partner.

I refer to a project called coin.org.in which is projected as a platform for global law enforcement people with information, training and support for investigation of cyber crimes. However it also invites the public to become members of the project at a membership cost up to Rs 24000/- per year.

The website however does not provide any information on the revenue sharing between the Government and the Private partner.

Some time back, we had exposed the case of e2labs which had used the Union Home Ministry, CERT IN etc. to promote its business and tried to convince investors to invest in its company. On verification with CERT IN it was found that the claims made by e2labs in the investment promotion presentation prepared by a well known investment banker were false. The information was later withdrawn.

Presently the coin.org.in project appears to be heading in the same direction.

For the record, we appreciate the nature of the venture. We have no issue with the project being a commercial project. However, using the Government and Mumbai Police to project as if this is a Government project but retaining the entire commercial revenue with itself is not considered ethical. The disclosures on the website as of now do not provide a truthful representation of the status of the project and there is every attempt to mislead and misrepresent the public to give an impression that this is a joint venture with Mumbai Police. The previous Mumbai Commissioner Mr Rakesh Maria’s speech made at the time of launching of the website has been used for promotion along with the name of the Chief Minister Mr Fadnavis who inaugurated the event in which the website was launched.

We hereby call upon the Maharashtra Government and the Mumbai Police to clarify:

a) If they have an equity stake in the project and a claim on the revenue and if so what is the share distribution?

b) If not, will they clarify if they are happy with the use of the Government for promotion with the revenue being entirely kept by the private partner? Or

c) Was the project envisaged as a non-profit venture and the private promoter has introduced a commercial element without the knowledge of the Government?

We also call upon the Private partner to clarify the nature of arrangement between them and the Government and whether they have the permission to put Rakesh Maria’s speech on the website copyright of which is claimed by them.

We request both the Government and the Private partner to review their arrangement and make the service a free service (which may be restricted to the law enforcement personnel if required) and remove the commercial aspects of the project.

If there has to be a commercial project in which the Government wants to pass on benefits to a private party, there will be needless questions on what was the procedure adopted in selection of the private partner, whether any public notice was given of such a project, whether any other entities competed for the project etc. All these will raise the issue of “Transparency” in Government administration and I request the BJP Government in Maharashtra not to make yet another mistake that may show Mr Narendra Modi in bad light.

Naavi


India Cyber Insurance Survey 2015 is set to close shortly. Add your views

The India Cyber Insurance Survey 2015, which tries to capture the views of the stakeholders on the current status of the Cyber Insurance industry in India, is set to close shortly.

If you have not yet participated in the survey, kindly do so now. Your views would be valuable. To participate in the survey you need not be knowledgeable in Cyber Insurance nor an expert in Information Technology. If you do not find a question relevant to you, mark it as “neutral” and proceed.

Click on the above image or here for the form

Naavi

A Techie Commits Harakiri… Why was he so naive?

M G Gokul, a techie in Bangalore, has been arrested for sending hoax messages through WhatsApp to Bangalore and New Delhi airports suggesting that bombs had been placed on 6 flights, causing an estimated loss of $1 million (Rs 650 lakhs).

Bangalore police should be congratulated for having solved the hoax message case within 48 hours and arresting Gokul. What was commendable was that the SIM card which was used for committing the offence was in the name of another person Mr Jose who was innocent and was a neighbor of Mr Gokul. Police did not get diverted by this prima facie evidence which pointed out the innocent person as the offender and went deeper into the use of the SIM card with which they zeroed in on Gokul. The investigating Officer should be commended for the presence of mind and also for having persevered with the investigation until the real culprit was caught.

This was the second time that a Bangalore techie had sent messages to the Delhi airport about a bomb threat. The last incident was that of an Infosys employee who wanted to catch a flight which he could not reach in time and thought of delaying it by sending such a message. He was also caught immediately.

As somebody involved in Counter Cyber Crime activities for a long time, I wonder why the so called “Techies” should not realize that such messages would be traced easily and they would be caught and punished.

There could be two reasons. One is “Ignorance” that there are laws in India that make sending of such messages punishable under ITA 2000 as well as under IPC or under Air Safety related laws. The second is “Technology Intoxication”, which makes them blind to the fact that Police may also be sufficiently intelligent to solve such cases.

These incidents also point out negligence of the HR functionaries in these companies who have not taken steps to educate their employees on the ethical aspects of usage of technology. Hopefully these incidents would make at least some of the HR managers sit up and take action to build a basic ethical behavioural culture in their employees.

Refer article in Bangalore Mirror

If one goes through the article in Bangalore Mirror, one wonders if Gokul is another incarnation of Indrani Mukerjea, who had reportedly schemed the murder of her daughter and son and executed the murder of the daughter Sheena Bora in Mumbai.

Gokul not only schemed (as per the report) and murdered his wife but also laid an elaborate plan to win over his neighbor's wife, first by forging letters in the name of an Archbishop and then trying to frame the husband of the lady whom he loved. He is also reported to have tried to get Mr Jose framed by creating a Facebook page and putting ISIS promotion information therein.

It is interesting to note that both Indrani and Gokul had committed the offence of sending forged electronic messages and committing Cyber Crimes under ITA 2008. Though their other offences are graver and can lead to hanging or life imprisonment, the use of Cyber Crimes by ordinary IPC criminals as a common modus operandi seems to be clear. This highlights the need for Police to improve their skills and investigative resources for solving Cyber Crimes because it can lead to solving of many other non ITA 2008 crimes also.

The case of Gokul makes an excellent case study for criminologists on how an educated and well informed techie can misuse his knowledge and skill if he has no ethics but is unable to see the possibility of being caught by the Cyber Crime investigators.

Naavi


Will the Supreme Court now strike down Section 124A of IPC?

The recent circular from the Maharashtra Government explaining the law of “Sedition” as mentioned in Section 124A of IPC has rightly opened up a debate on how the law can be misused.

Refer here for more information

For the record, the section states as follows:

Section 124A in The Indian Penal Code
124A. Sedition.—Whoever, by words, either spoken or written, or by signs, or by visible representation, or otherwise, brings or attempts to bring into hatred or contempt, or excites or attempts to excite disaffection towards, [***] the Government established by law in [India], [***] shall be punished with imprisonment for life, to which fine may be added, or with imprisonment which may extend to three years, to which fine may be added, or with fine.

Explanation 1.—The expression “disaffection” includes disloyalty and all feelings of enmity.

Explanation 2.—Comments expressing disapprobation of the measures of the Government with a view to obtain their alteration by lawful means, without exciting or attempting to excite hatred, contempt or disaffection, do not constitute an offence under this section.

Explanation 3.—Comments expressing disapprobation of the administrative or other action of the Government without exciting or attempting to excite hatred, contempt or disaffection, do not constitute an offence under this section.

Following a direction from Mumbai High Court to the Government of Maharashtra that a proper instruction be given to the field level Police so that Section 124A is not misapplied, some official of the Government has issued a circular in Marathi. The press has indicated that the circular has tried to explain the views of the High Court but in the process has stated that any criticism of a Government official, which term includes representatives of the Government such as the MLAs, Zilla Parishad members etc., will also come under this section.

It is obvious that for the Police in Maharashtra, which interpreted a “Like” of a Facebook posting as “Any message sent from a communication device” and arrested a lady, this circular gives a free license to arrest persons under Sec 124A, which may result in “Life imprisonment” and is therefore cognizable and non bailable.

There are therefore no two opinions that Maharashtra Government should not only withdraw the circular but also get an undertaking from every policeman in the State that he will not use Sec 124A IPC against any criticism of a Government representative unless it is accompanied with a threat of breaking the country like what LTTE elements in Tamil Nadu or the Terrorist and some political elements in Kashmir indulge in.

Why I insist on such an undertaking is that Police are either too naive or sometimes crooked and apply non existent laws to harass people. We have seen that in two recent cases, one in Tamil Nadu and another in Maharashtra, cases have been booked under Section 66A which has been scrapped by Supreme Court (albeit for wrong reasons).

We have extensively discussed in these columns why Supreme Court was wrong to just believe that whatever Police constables interpret is the law and therefore if they make a mistake, it is attributed to the law itself being bad rather than the policemen being bad interpreters of law.

I expect that the circular on Sedition once issued will therefore be used by the Police even after it is withdrawn to harass people. Hence a mere administrative withdrawal or clarification by another circular will not suffice. We need a more visible action by none other than the Chief Minister of Maharashtra to reduce the possibilities of misuse of the circular. It would be better if the clarificatory circular states that the erring Policemen will be booked for malicious mis-use of law.

In the meantime, if some capable person such as Shreya Singhal 3 can move the Supreme Court and ensure that a bench consisting of Honourable Justices Nariman and Chelameswar hear the case, then it may be possible to get Section 124A struck down. Never mind the genuine cases where it would be required. It is not the responsibility of the Supreme Court to ensure that there are stringent legal provisions in our law as long as they can draw a link between Freedom of Expression and an errant police action!

Naavi
