Digi-locker Project may consciously flout Information Technology Act

The DigiLocker beta project launched by the Government of India appears set to introduce a precedent which is ultra vires the Information Technology Act 2000/8.

According to the information available, the Digi Locker can be used to store important documents of the public, such as marks cards, PAN cards etc., in electronic form. They can also be submitted to authorised Government departments for various services with an "e-sign" of the document owner.

The concept of e-sign which the technologists advising the Government propose to adopt does not appear to be in accordance with the provisions of the Indian Information Technology Act. According to the proposal, the public and private key pair for e-sign would be generated on the CA's systems and not under the control of the signer. This would amount to a compromise of the private key ab initio: a key that another party generated and holds is not in the exclusive possession of the subscriber from the moment it exists.

Further, use of a private key which is known to be compromised may be considered a contravention of ITA 2008.

This web-based private key generation and storage is a procedure adopted by some foreign certifying authorities, and it appears that the technology is being recommended to the Indian Government. However, this system may seriously affect the "non-repudiation" nature of the Indian digital signature system as we know it today: a relying party can verify only that a signature was made with the private key, not which holder of that key made it.
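The following Go program is an added example, not code from the original post or from the DigiLocker project, and it models the custody question raised in the two paragraphs above. It uses Ed25519 for brevity rather than the RSA-based certificates issued under ITA (an assumption, not the e-sign design), and the names "alice", "bob" and the document text are constructed placeholders. A CA that generates the pair retains a copy of the private key; the program shows that a signature made with that copy verifies under the subscriber's public key and is byte-for-byte identical to the subscriber's own, so a relying party has no way to attribute it to the subscriber rather than to the CA.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is a subscriber's key pair. With local generation only the
// subscriber ever holds priv; with CA-side generation a copy stays on the CA.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewLocalSigner generates the pair on the subscriber's own device, so no
// second party ever sees the private key.
func NewLocalSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, Pub: pub, priv: priv}, nil
}

// NewServerGeneratedSigner models the e-sign flow discussed above (an
// assumption about that flow, not its actual implementation): the CA
// generates the pair, hands the subscriber a copy and retains one itself.
// The retained copy is returned separately to make the custody explicit.
func NewServerGeneratedSigner(name string) (*Signer, ed25519.PrivateKey, error) {
	s, err := NewLocalSigner(name) // same arithmetic; only who runs it differs
	if err != nil {
		return nil, nil, err
	}
	retained := append(ed25519.PrivateKey(nil), s.priv...)
	return s, retained, nil
}

// Sign produces the subscriber's signature over doc.
func (s *Signer) Sign(doc []byte) []byte { return ed25519.Sign(s.priv, doc) }

// SignWithCopy is what any holder of a private-key copy can do.
func SignWithCopy(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// Verify is all a relying party can check: the signature is valid under pub.
// It says nothing about which holder of the key produced it.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// Indistinguishable reports whether two signatures are byte-identical.
// Ed25519 signing is deterministic, so two holders of the same key produce
// exactly the same bytes for the same document.
func Indistinguishable(a, b []byte) bool { return bytes.Equal(a, b) }

func main() {
	doc := []byte("I authorise release of my marks card") // constructed sample
	alice, caCopy, _ := NewServerGeneratedSigner("alice")
	own := alice.Sign(doc)
	byCA := SignWithCopy(caCopy, doc)
	fmt.Println("alice's signature verifies:", Verify(alice.Pub, doc, own))
	fmt.Println("CA's signature verifies:   ", Verify(alice.Pub, doc, byCA))
	fmt.Println("identical bytes:           ", Indistinguishable(own, byCA))

	bob, _ := NewLocalSigner("bob")
	_, stranger, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("stranger can sign for bob: ", Verify(bob.Pub, doc, SignWithCopy(stranger, doc)))
}
```

The check that decides the question for any server-side scheme is therefore whether the server-side holder can exercise the key without the subscriber's participation; a plain stored copy, as modelled here, can, whereas a key confined to hardware that signs only on subscriber-held activation data is a different case and would need to be assessed separately.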

Once the system is used by a Government department, it would set a precedent which will be followed by other organisations also and hence the legal status of the entire digital signature mechanism will be adversely affected.

It would be preferable if the Government pauses to think before it leaps.

Naavi


Posted in Cyber Law, ITA 2008

Bitcoin in new form?

Bitcoin has been in discussion for some time. In India the response to Bitcoin has been mixed. While initially it attracted the attention of entrepreneurs setting up exchange services, the RBI frowned upon the system and the ED moved in to conduct raids on some of the exchanges, because it was felt that the exchange transactions involved violations of foreign exchange regulations. This dented the enthusiasm and more or less killed the initiatives.

One of the main reasons for the RBI responding to the system with an unapproving look was that Bitcoin had earlier been associated with criminal activities and continues to be the preferred currency of the underworld. Coupled with this, the claim of the Bitcoin operators that it is an "alternative to legacy currency" alarmed the regulators, who feared that the economy could be adversely affected if Bitcoin's popularity grows.

Naavi has held that Bitcoin, as a category of "Virtual Currency", is an "Electronic Document" and is recognized as such under ITA 2000/8. Whether it is a currency alternative, a virtual commodity or just a "pointer" to which a closed community ascribes a value is a matter of how the community would like to use the concept. Naavi has also highlighted that the system of "Virtual Currency" is a technology which has great potential to be used by the regulators themselves. In fact Naavi's old patent-applied system, the "Digital Value Imprinted Instrument System", itself placed faith in server-based authentication of a transaction and conversion of legacy currency to customized currency by the user himself. Presently some form of such limited currencies is in use, both in the form of prepaid virtual cards and in closed payment systems.

Now, today's newspapers report that IBM is working on a "Bitcoin-like" system (refer to this article). This system is supposed to use "blockchain technology" and will eliminate the need for Banks and Financial institutions to authenticate a transaction, using the blockchain type of authentication instead. From the reports it appears that the system will convert legacy currency into some form of virtual currency which the spokesperson refers to as a "Token". It is not clear, however, how the availability of backing funds is being authenticated without involving the financial institution.

In contrast, what I would like to suggest is for a regulator like RBI to start a new Virtual Currency on its own, or to convert the current stock of notes into virtual notes gradually by withdrawing the paper currency in parts and replacing it with virtual currency. What can be done in this system is to enable RBI to track every transaction. In such a system the availability of stock is authenticated against the base block authenticated by RBI, and further authentication of transactions can be done by others, who can be rewarded with appropriate commissions.
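As an added example, not part of the original post and not any scheme RBI or IBM has published, the Go program below sketches the minimum structure the paragraph above describes: a base block in which the issuer puts the whole stock into circulation and signs it, a hash chain of transfers linked to that base block, and a verification routine that anyone can run to check the chain against the issuer's public key and replay balances so no transfer spends stock the sender does not hold. The issuer name "RBI", the holders "alice" and "bob" and the amounts are constructed placeholders; Ed25519 is used for the issuer's signature as an assumption, chosen for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Entry is one link in the chain: the base block (an issuance by the
// regulator) or a transfer between holders. Hash covers the fields and the
// previous hash, so editing any earlier entry breaks every later link.
type Entry struct {
	From     string // empty for the base block
	To       string
	Amount   int64
	PrevHash string
	Hash     string
	Sig      []byte // base block only: issuer's signature over Hash
}

func entryHash(e Entry) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d|%s", e.From, e.To, e.Amount, e.PrevHash)))
	return hex.EncodeToString(sum[:])
}

// Ledger is the chain plus the issuer's public key that anchors it.
type Ledger struct {
	IssuerPub ed25519.PublicKey
	Entries   []Entry
}

// NewLedger creates and signs the base block that puts `stock` tokens into
// circulation in the issuer's own name.
func NewLedger(issuer string, stock int64, issuerPriv ed25519.PrivateKey) *Ledger {
	base := Entry{To: issuer, Amount: stock}
	base.Hash = entryHash(base)
	base.Sig = ed25519.Sign(issuerPriv, []byte(base.Hash))
	return &Ledger{IssuerPub: issuerPriv.Public().(ed25519.PublicKey), Entries: []Entry{base}}
}

// Balances replays the chain without validating it; Verify does that.
func (l *Ledger) Balances() map[string]int64 {
	bal := map[string]int64{}
	for _, e := range l.Entries {
		if e.From != "" {
			bal[e.From] -= e.Amount
		}
		bal[e.To] += e.Amount
	}
	return bal
}

// Transfer appends a transfer if the sender's replayed balance covers it.
func (l *Ledger) Transfer(from, to string, amount int64) error {
	if amount <= 0 {
		return errors.New("amount must be positive")
	}
	if l.Balances()[from] < amount {
		return fmt.Errorf("%s holds insufficient stock for %d", from, amount)
	}
	e := Entry{From: from, To: to, Amount: amount, PrevHash: l.Entries[len(l.Entries)-1].Hash}
	e.Hash = entryHash(e)
	l.Entries = append(l.Entries, e)
	return nil
}

// Verify is what any third party (a commissioned verifier, in the post's
// terms) can run: check the base block's signature against the issuer's
// key, recompute every hash and link, and replay balances so that no
// transfer spends more than its sender holds at that point in the chain.
func (l *Ledger) Verify() error {
	if len(l.Entries) == 0 {
		return errors.New("empty ledger")
	}
	base := l.Entries[0]
	if base.From != "" || base.PrevHash != "" || base.Hash != entryHash(base) ||
		!ed25519.Verify(l.IssuerPub, []byte(base.Hash), base.Sig) {
		return errors.New("base block not authenticated by issuer")
	}
	bal := map[string]int64{base.To: base.Amount}
	for i := 1; i < len(l.Entries); i++ {
		e := l.Entries[i]
		if e.PrevHash != l.Entries[i-1].Hash || e.Hash != entryHash(e) {
			return fmt.Errorf("entry %d: broken hash link", i)
		}
		if e.From == "" || e.Amount <= 0 || bal[e.From] < e.Amount {
			return fmt.Errorf("entry %d: transfer not covered by stock", i)
		}
		bal[e.From] -= e.Amount
		bal[e.To] += e.Amount
	}
	return nil
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	l := NewLedger("RBI", 1000, priv)
	_ = l.Transfer("RBI", "alice", 300)
	_ = l.Transfer("alice", "bob", 100)
	fmt.Println("balances:", l.Balances(), "verify:", l.Verify())
	l.Entries[1].Amount = 900 // tamper with an earlier transfer
	fmt.Println("after tampering:", l.Verify())
}
```

Two things a working scheme would need that this sketch deliberately leaves out: each transfer would itself be signed by the payer (otherwise any verifier could append transfers in anyone's name), and with several independent verifiers a rule is needed for which of two conflicting chains wins, which is the double-spending problem that blockchain consensus exists to solve.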

If RBI sheds its reservations on virtual currency, we can discuss the alternative possibilities which will satisfy the RBI as well as the Government and yet make the technology work for revolutionizing the nation's currency system. This would be far more economical than printing the new one-rupee plastic notes which RBI seems to be considering. The virtual currency system has not only the prospect of better economy but could be a better security against organized counterfeiting by enemy countries.

Naavi


Posted in bitcoin

Digital India and Bugle Call for Activating the Cyber Law Eco System

In 1996, when E Commerce was in its nascent stage, UNCITRAL recognized the need for providing legal backing to E Commerce and drafted the Model Law on E Commerce to provide assurance to international business transactions. To accomplish this, the UN, through a General Assembly resolution, recommended the "UNCITRAL Model Law on E Commerce" for legislation by the member nations. This was the root legislation on which the Cyber Law of India was developed. It first surfaced as the "Draft E Commerce Act", was transformed into the "Information Technology Bill 1999" and was passed as the Information Technology Act 2000. The law had a major amendment in 2008 to accommodate the information security requirements which surfaced over time.

Now the Modi Government has placed a lot of faith in E-Governance and E-Business and dreams of a "Digital India". We are fully with Mr Modi on this concept, since proper use of IT in Governance leads to Transparency and Efficiency, besides Economy in Governance.

However, in order to achieve this "Digital India" concept, the Government is riding on the Aadhar infrastructure, which has so far been handled with scant respect for security. Mr Nandan Nilekani never demonstrated a concern for security and always argued that since no two Aadhar numbers can be claimed by the same person, the system cannot be misused. He could not, however, explain why Aadhar cards were issued to a "coriander seed" or to countless fake persons claiming not to have fingers.

Now the NDA Government has gone ahead to use Aadhar for its Jan Dhan Yojana and gas subsidy, with the twin objectives of Direct Benefit Transfer avoiding the middlemen and of being able to withdraw the subsidy at its discretion on a later day. It remains to be seen whether the middlemen will vanish as the Government tends to believe, or whether there will be more of them, keeping the Aadhar cards as well as the bank ATM cards of their followers and operating the accounts of the illiterate beneficiaries.

While the project per se may be well intentioned, the undersigned always has an objection when technology developments are pushed down the throats of the illiterate masses without sufficient effort to train and educate them. In security implementation we say that "workforce training" is an important part of the implementation, for which a CISO has to find budgetary investment. Similarly, if the Government wants to spend a few lakh crores on technology projects to benefit the illiterate masses, there has to be a reasonable investment in educating the masses.

While the “Aadhar” may be a fait accompli at this point of time, the lessons learnt in its case should be remembered when we embark on the “Digital India” program.

In the coming days, with Smart Cities, Bullet Trains, the Internet of Things, Social Media Banking etc., the dependence of society on technology would reach such levels that any disruption would cause absolute chaos in the country. With the Chinese Cyber Army and Pakistani Cyber Terrorists in continuous preparation for taking control of Indian IT assets, the dependency of Digital India on IT appears a worrisome situation.

We can therefore expect that in the "Digital India" there will be more Cyber Crimes than today and more financial losses for citizens, besides threats to national assets. To enable society to withstand this increased risk to life and property in the Digital India arising out of Cyber Threats, there is a need to strengthen the Cyber Laws of the country as may be required.

When we say "Strengthening of Cyber Laws" there is no need to jump immediately to the conclusion that the present ITA 2000/8 is inefficient and that we need a set of new laws. Yes, this can be considered. But what is more important is that we need to strengthen the "Cyber Law Eco System" in India, so that whatever laws exist now or may come into being tomorrow will be efficiently used for the benefit of the people.

Mr Rajiv Gandhi once said that only 17 paise out of Rs 1 of Government subsidy reached the ultimate beneficiary. This is being corrected now by Mr Modi with the new system of subsidy delivery.

If we extend this analogy to the reach of the benefits of Cyber Law to people, it appears that the reach to the ultimately needy as of today may be even less than 17%. For example, there are 36 adjudicators in the country, one for each State and Union Territory. In the last year only one of them was active (Mr Rajesh Agarwal of Maharashtra). Now even he has been shifted out of his post, and therefore we have "zero" active adjudicators in India.

There was one Cyber Appellate Tribunal (CAT) in Delhi, formed under the ITA 2000, which was active for about 3 years. However, before the first real decision could come out of this CAT, the Chairperson retired. Since June 2011, neither the earlier UPA Government nor the current Government has been able to find a Chairperson to occupy this position. We therefore have "zero" functioning CATs in India.

Thus at present we have a completely non-existent Cyber Judiciary system as envisaged in ITA 2000/8.

Will Mr Ravi Shankar Prasad or Mr Modi explain if this is the Cyber Law Eco System that can drive us to the Digital India?

In such a scenario it is no surprise that the Police are misusing some provisions and that people are knocking at the doors of the Supreme Court and High Courts to get clarifications and decisions which ought to have been given by Adjudicators and the CAT.

To meet the requirements of Digital India, it is therefore not only necessary for us to review the Cyber Laws of India but, more importantly, to wake the Government from its slumber so that the "Cyber Law Eco System" is properly refurbished. The changes in Cyber Law that are required now will therefore include an overhaul of the Cyber Judiciary system as well as of the Policing system for Cyber Crimes, if necessary appointing exclusive Cyber Crime Criminal Courts in each State.

Professional organizations such as the Computer Society of India and the National Law School and similar institutions need to focus their attention on how to guide Government officials and educate them on their responsibilities, even as we talk of "Cyber Law Awareness" for the masses, high school or college students etc.

Let's see if we can wake up the "Kumbhakarnas" with our bugle call!

Is the PMO listening?

Naavi

Reference Articles:

Aadhar Nightmare continues

Around 3,858 Aadhaar Cards Don’t Have Human Photos: Report

UIDAI cancels 3.84 lakh fake Aadhaar numbers


Posted in Cyber Law, ITA 2008

Make in India to create IPR wealth

Speaking at the National Conference on Cyber Space Security at Bangalore today, Dr K.D. Nayak, DS & DG, DRDO, highlighted the importance of the "Make in India" concept from the point of view of the need to protect IPR. He recalled that the manufacturing cost of an Apple iPhone, which costs around US$ 650 in the retail market, is only around US$ 200, and attributed the differential profit earned by Apple to the IPR developed by Apple. He therefore urged that while for security reasons we do recommend "Make in India" in cyber space, the benefit of IPR should also be taken into account, and we should focus on "Design and Make in India" rather than only "Make in India".

We fully endorse this view and wish that it is taken note of by the policy makers in Delhi.

While it is interesting to note the collateral benefit of IPR as evident in the Apple iPhone case, it also indicates the darker side of IPR law, which assists in the exploitation of the consumer. Apple's profit of over 100% on its manufacturing cost should be considered a "usurious profit" which is anti-consumer.

IPR, particularly the "Patent", is the main cause of the increasing cost of services despite the increased use of IT in business.

We have seen this in the Banking segment in particular, as well as in the E Governance sector, where IT sneaked in as a means of economic and efficient delivery of services but over time increased the cost of those services.

Now when we speak of security as well as cyber law compliance, many in the industry focus only on the cost and load it on the consumers.

As the Government pursues the concept of "Digital India" and we cyber security specialists pursue the need for security, we need to ensure that services do not become too expensive over a period of time, creating unrest in society.

I would therefore urge the Government to keep an eye on how foreign companies manufacturing in India would load their research expenses in the form of IPR. At the same time we need to increase investment in research several fold to ensure that a fair share of future IPR is held by Indian citizens.

I also urge the Government to ensure that the FDI policy in general includes a clause that whatever is discovered or designed in India ultimately creates IPR value for the country.

Naavi

Posted in Cyber Law

Tech Mahindra starts use of Digital Signatures for job offers

It was heartening to note that Tech Mahindra has reportedly started using digital signatures for sending out its job offers, to counter the phishing mails sent in its name. (See report here.)

This has been a continuing demand of the undersigned for the last decade, and I am happy to note that at least now one company has realised the importance of being Cyber Law Compliant. We presume that this is because of some enterprising and committed individual in the IS department who is different from the others. We congratulate this anonymous IS professional for his initiative.

We may note that ICICI Bank was pulled up by the Adjudicator of Tamil Nadu for not using digital signatures on its mail communication to clients, in the phishing case in which the Bank was ordered to pay compensation to its client Mr S. Umashankar, who had suffered a wrongful loss on account of a phishing mail. Banks have still not learnt their lesson, since the lethargic judicial system of India, supported by the lethargic bureaucracy, is available to them to prolong litigation and harass their customers into submission in such cases. But we have faith in the adage "God Sees the Truth But Waits", and one day Banks will realize that they will be held liable for phishing because they failed to use digital signatures on their mails as a continuing practice.

It was also reported (see report here) that the opening of emails with subjects such as "Salary Hikes for Government Employees" was the means by which a Pakistani firm stole data from Government functionaries. If the Government had adopted the use of digital signatures for its internal communications, the possibility of such data thefts could have been reduced, since an unsigned message claiming to come from a Government sender would stand out before it was opened.

Having reiterated the need for the use of digital signatures by corporates, as part of the ITA 2008 compliance requirements in India and as a risk mitigation measure in general, it is also necessary to point out two other aspects that have a bearing on the use of digital signatures.

Firstly, the Ponemon Institute's 2015 Cost of Failed Trust Report revealed that most organizations believe the trust established by cryptographic keys and digital certificates, which they require for their businesses to operate, is in jeopardy. This study of 2,300 IT security professionals in Australia, France, Germany, the UK and the US concludes that in the next two years attacks on keys and certificates are likely to increase and threaten crypto systems. Security professionals look at the possibility of a "Crypto-apocalypse", a scenario where standard algorithms of trust like RSA and SHA are compromised and exploited overnight. (Apocalypse = pralayaMtaka darshana/shruti/saakshaatkaara in Sanskrit or Kannada.)

In the light of this survey, we are in a situation where we need to ask: "Are we in India ready to face the consequences of a Crypto apocalypse?"

My recent encounters with some of the certifying authorities indicate that even those who are using digital signatures in India are doing so in an extremely insecure manner, and the CCA is itself grossly negligent in turning a blind eye to the situation of organized non-compliance with ITA 2008 by certifying authorities.

I wish the CCA would respond to this post.

Naavi

Posted in ITA 2008

Digi Locker Beta Release

The Government has opened the beta version of the Digital Locker, operated by CDAC and UIDAI, which provides 10MB of free storage space for every Aadhar number holder. It envisages that members can upload their ID documents and share them with other Government agencies if required.

The service is available at http://digilocker.gov.in. It can also be accessed through http://digitallocker.gov.in and http://elocker.gov.in.

The site carries a digital certificate from an Indian Certifying Authority, unlike many other web sites which use certificates issued by Verisign, which is not licensed in India. However, it is surprising to note that instead of using a digital certificate issued by the Government-owned NIC, the site uses a certificate from (n)Code Solutions, which is a private sector certifying authority. Also, some of the practices used by (n)Code Solutions for the issue of digital certificates to the public are not in accordance with the legal procedures suggested under ITA 2008. It is therefore surprising that the project has preferred to use their services instead of NIC or other more Cyber Law Compliant Certifying Authorities.

At the time of account creation and for certain other operations, the site uses an OTP as a verification mechanism. It appears that an "e-sign" procedure is envisaged for users to individually authenticate the documents, but this is not yet working properly at present. It is also not clear what is meant by e-sign in this context.

The documents would be made available to designated agencies of the Government. Users can also send the document to another person through email.

While the concept of making available a free digital document storage place is welcome, it is necessary to note that the site falls short in implementing ITA 2008 compliance measures.

The website is silent on the issue of storage of information, and it is unlikely to be in an encrypted state. We draw the attention of readers to my immediately preceding post about the data breach in Anthem Inc, USA and its consequences. We are already aware that the Aadhar database has been compromised in parts many times, and that lakhs of Aadhar records would be available with cyber criminals as well as the enemy states of India. Now if the linked information is also leaked, it is a goldmine for terrorists in Pakistan or ISIS, as well as for countries like China who are preparing for cyber space domination.

The Government of India may be unaware of the risks it is undertaking in this project, and the Modi Government should be prepared for a huge embarrassment at some time in the future.

Employers should also be ready for completely fake employee IDs with fake marks cards etc., which may completely compromise their background verification systems. This can enable more Mehdis to find employment in critical sectors and compromise national security interests.

We hope the authorities will take a deep breath and review the security of the system before proceeding further.

Naavi

Posted in Cyber Crime, Cyber Law, ITA 2008