Verdict on Section 66A expected tomorrow at 10.30 am

Posted on March 23, 2015 by Vijayashankar Na

The much awaited judgement on whether Section 66A of ITA 2008 is constitutionally valid or not is expected to be pronounced tomorrow at 10.30 am.

Section 66A has been frequently abused by Police when it has been used to arrest persons making posts on FaceBook, Twitter or Blogs. In at least one case, a person was arrested for clicking on “I like” on a Facebook post.

Most of the arrests under Section 66A has been related to criticisms of politicians in the form of comments and cartoons under the pretext that it was “Defamatory” and “Caused annoyance”.

Simultaneously, Section 79 of the Act may also come under review. Under this section, a few people have interpreted that it is necessary for a blog owner to remove a content within 36 hours of an objection having been lodged.

Both the arrests under Section 66A and the perception of mandatory removal of content under Sec 79 are being held out as leading to the sections being adversely affecting the “Freedom of Expression” as guaranteed by the constitution.

Naavi.org has debated this section in detail in the past and links to these articles are found below. The essence of the views expressed are that “Abuse of Section 66A” is a matter of ignorance, as well as misuse of the powers by Police and Politicians. Section 66A in our opinion was meant for addressing the issues such as Cyber bullying, Cyber Stalking, Spamming, Phishing, Threatening by SMS/Email etc. The section 66A is very much required to meet these requirements. Similarly, Section 79 imposes no obligation to “Remove Content” when objection is raised by a person who perceives himself to be a victim. Only a judicial review can order removal of content. This has been clarified by the Government subsequently though the original notification was not worded properly by the Government.

It would be interesting to note whether Supreme Court judgement would be dictated by the “Perception” or “Reality”. Wide spread perception is that the section 66A or 79 may curtail the freedom of expression but the reality is that this perception is the result of misuse of law by politicians and police. Such misuse has been in existence before these sections became available and will continue even if these sections are removed.

I wish Supreme  Court judgement would reflect this reality. I will be happy if the Supreme Court suggests some checks and balances where by misuse of the section by Police is made punishable rather than removing the provisions themselves which have other uses.

It is however acknowledged that the Government might not have put up its case properly and the decision may reflect only how effectively the two sides have argued the matter in the court.

Afterall, in computers we say “Garbage in, Garbage out”. Similarly in the Indian system of justice dispensation, it is the relative strengths of the adversarial arguments that determine the judgement and a perception of “Judicial Precedent”.

If the decision is in favour of removal of the section, then Government needs to think of bringing a suitable amendment to ITA 2008 retaining the major part of the section and accommodating the Supreme Court observations as explanations.

Naavi

Other related articles in Naavi.org:

 Section 66A and Section 79 of ITA 2008 at Supreme Court

Section 66A coming for review at Supreme Court..the issues

IRDA files Section 66A Complaint against an activist

Mumbai High Court on Section 66A

No Arrests under Section 66A without prior approval of higher officers

 Section 66A abused again

Advisory on Section 66A

Mis-perceptions about Section 66A

Section 66A is not meant for “Cyber Defamation”

Government issues clarification on Section 79 rules

Posted in ITA 2008 | Leave a comment

Indus Media and Communication Ltd committing a Cyber Crime?

Posted on March 19, 2015 by Vijayashankar Na

indigital_stb_killing

Indus Media and Communication Ltd which manages the cable TV service (InDigital) in Bangalore is knowingly or unknowingly committing a Cyber Crime and admitting the same in its broadcasts. As we can see in the above photograph, (dated 19th march 2015), there is a pop up on the TV saying “This STB has reached its end of life”. This notice is normally followed by an advertisement that new STB would be provided at a cost of Rs 500/- .

Obviously the threatening message is an attempt to sell its new STB s for whatever advantage it perceives. There is therefore both a “Threat” and also an attempt to derive a “Commercial Benefit”. It is therefore an attempted “Extortion” under IPC.

Indus Media has taken over many of the local operators and many of these consumers are using the STBs which they possessed before the change over. Now Indus Media appears to be interested in phasing out these STBs and replace it with new STBs.

If the offer was a free upgradation, one can appreciate that there could be some technical convenience to the company (Which could be nothing but they would have better control to switch off the consumer’s connection at their discretion). But when the company wants the consumers to pay for the upgrade, the notice is to be seen as an unfair attempt at enrichment.

What the Company however is not realizing is that they are making a statement that the “Set Box is reaching the end of its life”.

Consumers cannot understand how when technically the STB is still working, Indus Media knows that it is about to die?.. unless it is being killed?….

If the STB is being killed, then it amounts to “Denial of Service” and also “Hacking into the STB” to disable it. Both are offences under Section 66 of ITA 2008. These are cognizable offences and the Police can launch an investigation immediately.

I have sought explanation about the pop up from the customer care department which however has not yet answered.

Since the company has itself admitted their intention to kill the STB, there is no need for further evidence in this regard and the Police can act immediately and take action to arrest the officials of Indus Media in Bangalore and file a suitable case against them.

I request the Cyber Crime police in Bangalore to take up this case as an “Attempt to Murder”  an “Electronic Device” and take appropriate action.

Naavi

Posted in Cyber Law, ITA 2008 | Leave a comment

TCS set to withdraw from Digital Certificate Issue

Posted on March 18, 2015 by Vijayashankar Na

It appears that TCS-CA which was one of the licensed Certifying authorities has decided to close down its business. On the website it is reported that they have stopped issuing further certificates from 1st December 2014.

However the CCA website still does not record this information.

Already MTNL and the Department of Customs have closed their Certifying Authority business. But it is surprising why TCS decided to back down.

If we analyze the Digital Certificate market, there is a good business potential because of the mandate in submission of IT and MCA returns. If TCS withdraws it will further reduce the competition only to Safescrypt, n-Code and E Mudhra. The result could be an increase in the cost for those who want to adopt to the system of judicial recognized digital identity.

However we observe that most of the CAs are not compliant with the provisions of ITA 2000/8 and CCA is remaining silent. Recently the Government’s digilocker project has been conceived in violation of ITA 2008 provisions and CCA seems to be unmindful. Bankers have always been reluctant to use digital signatures and prefer to flout the law while RBI looks the other way.

In the light of these developments, it is disheartening to see TCS withdrawing from the business. Unlike other CAs, TCS was operating on indigenously developed technology while others had to pay royalty to some foreign technology providers. Inspite of this, if TCS finds it unprofitable to be in the business, it could also be because the other CAs are flouting regulations to expand the market which TCS may not be willing to do.

I wish TCS clarifies the reasons for their exit from the business.

Naavi

 

Posted in Cyber Law, ITA 2008 | Leave a comment

Yet another Bank Fraud.. What will RBI say?

Posted on March 18, 2015 by Vijayashankar Na

Bank frauds have been so common in India that it hardly surprises any body when a new fraud is reported. The Banks are after technology in a hurry and RBI has either no clue to the risks or is just unable/unwilling to regulate the banks as we have frequently pointed out.

The reason for the situation is that RBI has not been implementing its own regulations to secure Banking in Cyber Space and Banks have effectively silenced Adjudicators and the Cyber Appellate Tribunal so that fraud victims are unable to get justice.  The “Lawlessness” is so palpable that cyber criminals are emboldened to try commission of frauds at every opportunity. RBI in the meantime is busy diluting the security in cyber banking and remaining silent when non compliance of law is brought to their notice.

To bring the discussion to the context, TOI reports today that “Anti-Nationals pull off Rs 6.9 crores” using cloned and stolen cards. What the report fails to recognize is that the cloned cards were one of the instruments used and the other major instrument used was “Bank Accounts” opened by the fraudsters in some Bank/s (Name of the card issuing Banks and the money receiving not revealed in the article). These Banks have opened the accounts without proper KYC and are mainly responsible under Anti Money Laundering as accessories/abetters to the fraud.

The report states that the fraudsters were Dubai based and hence they were “Anti Nationals”. But what about the Banks which opened the accounts for these Anti-Nationals? Are they also not “Anti Nationals”?

The main culprits in such cases of KYC failures leading to frauds are AXIS Bank and ICICI Bank with PNB and SBI not far behind.

Will RBI name and shame these Banks? Will it dismiss or take disciplinary proceedings against the Chair Persons of these Banks instead of the Governor dining with them with IMF dignitaries?

The fraud is an indication of lack of security in the Banking system for which RBI is solely the custodian. It appears that Mr Raghuraman Rajan has failed to assume responsibility for the security of Banking and has to start looking at this part of his role also. If he wants to remain only as an Inflation Monitor, Government needs to look at creating another organization that is solely responsible for regulating the security in the Banking system and take this responsibility away from RBI.

Naavi

Posted in ITA 2008 | Leave a comment

At Last Government of India remembers the Cyber Appellate Tribunal

Posted on March 17, 2015 by Vijayashankar Na

After nearly 4 years of mysterious inaction, Government of India has now realized that the Cyber Appellate Tribunal (CAT) needs a Chair Person and called for applications.

It may be remembered that 0n 30th June 2011, Justice Rajesh Tandon demitted office after reaching super annuation. Subsequently Justice S.K.Krishnan, a retired Judge of the Madras High Court was appointed as a “Member” of CAT. Mr Krishnan was eligible for the post of Chair person and there was no reason to believe that he was good enough to be a member but not good enough to be the Chair person. In an absurd way of Government functioning, Mr Krishnan remained in the CAT office for about 9 months and went into super annuation as a “Member” who did not attend any hearing. During this time the Ministry headed by Mr Kapil Sibal had time to appoint a technical member to the CAT and a Head of Department of CAT. These two posts had little meaning int he absence of a functioning CAT.

After exhausting all avenues such as writing to the Minister of IT, Secretary of Ministry of IT, PM, President, Chief Justice of India, Rahul Gandhi, Sonia Gandhi etc., the non appointment was questioned in more than one Court. The Karnataka High Court was close to passing strictures on the IT department when finally the Kapil Sibal lead ministry gave an undertaking that they would fill up the post “Expeditiously” and the High Court was satisfied. During the proceedings, it was revealed that the Ministry had sent a recommendation which the Chief Justice had declined and the matter was left to rest there without an alternative name being suggested by the Ministry.

Despite the undertaking to the Court,  the Ministry did not do anything for the appointment and soon  the elections came and over took the Kapil Sibal ministry.

What is surprising however is that even after the new Government took over and the thrust on Digital India and E Commerce was announced, the ministry failed to take steps to fill up the CAT Chair Person’s post. The undersigned has been pursuing this literally from day one of Mr Ravi Shankar Prasad’s appointment but for reasons known to the department the matter remained unattended.

Some how now two major appointments are sought to be filled up by the IT Ministry. First is the Chair Person of CAT and the second is the post of the Director General of INDIA CERT, a position which was vacated by Dr Gulshan Rai again on attainment of super annuation. Now Dr Rai has been appointed as Chief of Cyber Security at the PMO and may be he has initiated the current moves to fill up both the positions of the Chair Person CAT and Director General IN-Cert.

The time given for receiving the applications is April 13 for the IN-CERT position and April 20 for the CAT position. The requirements are available here.

1. Director General of IN CERT 

2.Chairperson of CAT

It would be interesting to see who will occupy these key positions which are critical for the Indian thrust for digitization. (See this article on Cyber Law Eco System).

In the meantime, Mr Rajesh Aggarwal who was one of the most active Adjudicators in India (as IT Secretary, Maharashtra) has been posted as Joint Secretary (Financial Services) at Government of India, Delhi and has been lost to the Cyber Law Eco System. The other person who contributed a lot as an Adjudicator was Mr PWC Davidar of Chennai who also got transferred because of a routine transfer of the AIADMK Government took over in TN.

At present there is no other active IT Secretary in India and hence the system of Adjudication is languishing.

I request the Government to immediately organize a training of all the IT Secretaries so that by the time the new CAT starts functioning, the support system would also be in place. Otherwise this will be the first task of the new Chair Person of CAT.

Naavi personally and Naavi.org wish whoever may occupy these critical positions all the best in their endeavour to stabilize the Cyber Law Eco System in India and assist the Modi Vision of a Digital India.

We know that it is still a wait upto around June for the appointments to be completed. But having waited for 3 years and 9 months, a wait of another three months is not too difficult for persons like us.

Naavi

Posted in ITA 2008 | 1 Comment

Security Audit Vs Maintenance, the Gap is large..Verizon Study

Posted on March 15, 2015 by Vijayashankar Na

Verizon has recently released the 2015 report on PCI Compliance which has provided some key insights into the current practices in industry. Though on the face of it the report indicated that about 80% of the companies were validated as PCI DSS compliant in internal assessments, the reality  the compliance was not sustained over a period of time. The report highlights the fact that only 28.6% of companies actually maintained their compliance status on all the 12 controls they committed to under the PCI DSS audit. It was therefore not surprising that data breaches detected in 9700 sampled companies, indicated over 43 million security incidents in 2014 showing a compounded annual growth of 66% since 2009 and an increase of 29% over the previous year.

On the positive side, the survey indicated that though the sustainability of compliance dropped off soon after the validation, compliance in 11 of the 12 compliance factors actually saw an improvement with the biggest compliance being in authentication access. The compliance drop was noticed in compliance of  testing procedures.

The study indicated that  “Maintenance of policy addressing security awareness building” within the workforce was one of the neglected aspects of compliance with a measly 4% increase in compliance effort.

The report is an eye opener to organizations that it is not enough if an information security assessment is done at a point of time but there is a need to sustain the compliance as an ongoing practice in the organziation. There is therefore a need to assess the controls that specifically address the “Sustainability” of compliance efforts so that the benefits of an assessment and validation is retained for a longer time. Alternatively, organizations can try if  the internal reassessment schedules may have to be undertaken at more frequent intervals in the hope that this will help in the improvement of the sustainability factor.

Naavi

 

Reference: Article in Computerweekly : Article in neirajones blog

Posted in Cyber Law | Leave a comment