Naavi.org

The digilocker beta project launched by the Government of India seems to be set to introduce a precedent which is ultra-vires the Information Technology Act 2000/8.

According to the information available the Digi Locker can be used to store important documents of the public such as marks cards, PAN cards etc in e-form. They can also be submitted to authorized Government departments for various services with an “e-sign” of the document owner.

The concept of e-sign which is proposed to be adopted by technologists advising the Government appears to be not in accordance with the provisions of the Indian Information Technology Act. According to the proposal, the public and private key pair for e-sign would be generated on the CA’s systems and not under the control of the signer. This would amount to a compromise of the Private Key ab-initio.

Further, use of the private key which is known to be compromised may be considered a contravention of ITA 2008.

This web based private key generation and storage is a procedure adopted by some foreign Certifying authorities and it appears that the technology is being recommended to the Indian Government. However, this system may seriously affect the “Non Repudiation” nature of the Indian digital signature system as we know today.

Once the system is used by a Government department, it would set a precedent which will be followed by other organisations also and hence the legal status of the entire digital signature mechanism will be adversely affected.

It would be preferable if the Government pauses to think before it leaps.

Naavi

In 1996, when E Commerce was in its nascent stage, UNCITRAL recognized the need for providing a legal backing to E Commerce and drafted the model law on E Commerce to provide assurance to international business transactions. To accomplish this, UN  through a General Assembly resolution, recommended the “UNCITRAL Model Law on E Commerce” for legislation by the member nations. This was the root legislation based on which the Cyber Law of India was developed. It first surfaced as the “Draft E Commerce Act”, transformed into “Information Technology Bill 1999” and got passed as Information Technology Act 2000. The law had a major amendment in 2008 to accommodate the information security requirements which surfaced over time.

Now the Modi Government has placed a lot of faith on E-Governance and E-Business and is dreaming a “Digital India”. We are fully with Mr Modi on this concept since proper use of IT in Governance leads to Transparency and Efficiency besides Economy in Governance.

However, in order to achieve this “Digital India” concept, the Government is raiding on the Aadhar infrastructure which has been handled so far with scant respect to security. Mr Nandan Neelakeni never demonstrated a concern for security and always argued that since no two aadhar numbers can be claimed by the same person, the system cannot be misused. He could not however explain why aadhar cards were issued to a “coriander seed” or to countless fake persons claiming not to have fingers.

Now the NDA Government went ahead to use Aadhar for its Jandhan Yojana and Gas Subsidy with the twin objective of Direct Benefit Transfer avoiding the middlemen and also to withdraw the subsidy at its discretion on a later day. It remains to be seen if the middlemen will vanish as the Government tends to believe or there will be more of them who will keep the aadhar cards as well as the bank ATM cards of their followers with them and operate the accounts of the illiterate beneficiaries.

While  the project per-se may be good intentioned, the undersigned always has an objection when technology developments are pushed down the throats of the illiterate masses without sufficient efforts to train and educate them. In the security implementation we say that “Workforce training” is an important part of the implementation for which a CISO has to find budgetary investment. Similarly, if the Government wants to spend a few lakh crores on technology projects to benefit the illiterate masses, there has to be a reasonable investment in educating the masses.

While the “Aadhar” may be a fait accompli at this point of time, the lessons learnt in its case should be remembered when we embark on the “Digital India” program.

In the coming days with Smart Cities, Bullet Trains, Internet of Things, Social Media Banking etc, the dependence of the society on technology would reach such levels when any disruption would cause absolute chaos in the country. With Chinese Cyber Army and Pakistani Cyber Terrorists being in continuous preparation for taking control of Indian IT assets, the dependency of Digital India on IT appears an worrisome situation.

We can therefore expect that in the “Digital India” there will be more Cyber Crimes than today, more financial losses for Citizens, besides threats to the national assets. To enable the society to withstand this threat of increased risks to the life and property in the Digital India arising out of Cyber Threats, there is a need to strengthen the Cyber Laws of the country as may be required.

When we say “Strengthening of Cyber Laws” there is no need to immediately jump to the conclusion that the present ITA 2000/8 is inefficient and we need to have a set of new laws. Yes this can be considered. But what is more important is that we need to strengthen the “Cyber Law Eco System” in India so that whatever laws that exist now or may come into being tomorrow will be efficiently used to the benefit of the people.

Mr Rajiv Gandhi once said that only 17 paise out of Rs 1 of Government subsidy reached the ultimate beneficiary. This is being corrected now by Mr Modi with the new system of subsidy delivery.

If we extend this analogy to the reach of the benefits of Cyber Law to people,  it appears that the reach to  the ultimate needy as of today may be even less than 17% . For example, there are 36 adjudicators in the country one for each State and Union Territory. In the last year only 1 out of them was active. (Mr Rajesh Agarwal of Maharashtra). Now even he has been shifted out of his post and therefore we have “Zero” number of active adjudicators in India.

There was one Cyber Appellate Tribunal (CAT) in Delhi which was formed under the ITA 2000 which was active for about 3 years. However before the first real decision could come out of this CAT, the Chairperson retired. Since June 2011, neither the earlier UPA Government nor the current Government has been able to find a Chair person to occupy this position. We therefore have “Zero” number of CATs in India.

Thus at present we have a completely non-existent Cyber Judiciary system as envisaged in ITA 2000/8.

Will Mr Ravi Shankar Prasad or Mr Modi  explain if this  is the Cyber Law Eco System that can drive us to the Digital India?

In such a scenario it is obvious that Police are misusing some provisions and people are knocking at the doors of Supreme Court and High Courts to get clarifications and decisions which ought to have been given by Adjudicators and CAT.

To meet the requirements of the Digital India, it is therefore not only required for us to review the Cyber Laws of India but more importantly wake up the Government from its slumber to see that the “Cyber Law Eco System” is properly refurbished. Alternatively the changes in Cyber Law that is required now will include an overhaul of the Cyber Judiciary system, as well as the Policing system for Cyber Crimes, if necessary appointing exclusive Cyber Crime Criminal Courts in each State.

Professional Organizations such as Computer Society of India and National Law School/Institutions need to focus their attention on how to guide the Government officials and educate them on their responsibilities even as we talk of “Cyber Law Awareness of Masses, High School or College Students” etc.

Let’s see if we can wake up the “Kumbhakarnaas” with our bugle call!

Is the PMO listening?

Naavi

 Reference Articles: 

Aadhar Nightmare continues

Around 3,858 Aadhaar Cards Don’t Have Human Photos: Report

UIDAI cancels 3.84 lakh fake Aadhaar numbers