Encryption Policy now available for public comments

After the ITA 2000 was amended in December 2008, the gazette notification of 27th October 2009 brought all the amendments into effect. One of the amendments which therefore became effective from 27th October 2009 was Section 84A, which was added to ITA 2000 and became part of the Act.

Section 84A stated:

Modes or methods for encryption: 

The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption.

While the section enabled (note the word “may”) the Government to prescribe “modes and methods” of encryption for “secure use of the electronic medium” and “promotion of e-governance and e-commerce”, until now no rules had been notified by the Government. However, ITA 2000/8 and the rules made under it had already prescribed the system of “digital/electronic” signature, for which encryption standards had already been prescribed and were being monitored by the CCA.

Many corporates were curious about the effect of this section on their operations, and in the absence of specific guidelines, experts could only advise them that “Best Practices” needed to be followed.

Now the Government has come up with a draft guideline under Section 84A and asked for public comments.

According to the notification,

“…a draft National Encryption Policy as given under has been formulated by an Expert Group set up by DeitY based on which the Rules would be framed. Comments from the public are invited on the draft Policy.

You can send your comments by 16/10/2015 to Shri A. S. A. Krishnan, Scientist ‘G’, Department of Electronics and Information Technology, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi: 110003, Email: akrishnan@deity.gov.in.”

A copy of the detailed notification is available on the DeitY website here:

The draft policy as proposed is reproduced below:

Draft Notification on modes and methods of Encryption prescribed under Section 84A of Information Technology Act 2000

1. Definitions – In these Rules/Policy, unless the context otherwise requires, –

(a) The following terms: Cryptography, Encryption, Hash, Key, Public Key Cryptography/Asymmetric Cryptography; the meaning of the aforesaid definitions has already been provided under the Information Technology Act 2000 and the Rules and Regulations made thereunder.
(b) Symmetric Encryption is a method of encryption where the same key is used for both Encryption and Decryption. The key must be kept secret, and is shared by the message sender and recipient.

2. Symmetric Cryptographic/Encryption products with AES, Triple DES and RC4 encryption algorithms and key sizes up to 256 bits are prescribed by the Government for use for protecting information by stakeholders.

3. Asymmetric Cryptographic/Encryption products as prescribed under the Information Technology Act 2000 and the Rules and Regulations made thereunder shall be used for Digital Signature purposes by stakeholders.

Apart from the draft notification, the detailed notification provides a “National Encryption Policy” and contains some interesting aspects on which corporates would like to deliberate and communicate their views to the Government.

Some of the observations are discussed in a subsequent post.

Naavi

Ref: Copy of the Draft National Encryption Policy

Posted in Cyber Law

Evidence Act to be amended to facilitate Cyber Crime convictions?

It is reported that an expert committee on Cyber crimes has amongst other things recommended an amendment to Indian Evidence Act.

Ostensibly, the objective is to help law enforcement agencies tackle the new generation of cyber crimes, particularly mobile and cloud related crimes.

While the intention is appreciated, it is not clear what exactly is being sought.

This report in The Hindu makes a reference to Section 65B of the Indian Evidence Act and hints at some misunderstanding of the section.

Section 65B provides a means of converting electronic evidence into an admissible form for presentation in a Court. The presentation can be either in electronic form, authenticated with a digital signature, or in paper form with a written signature, and should contain an appropriate certification.

The certification is meant to give prima facie validity to the evidence and to fix accountability on the person producing it.

There is some confusion on who has to sign the certificate, and the Hindu report also suggests the same.

It is to be understood that the Section 65B certificate only certifies the conversion of electronic evidence present in one form into another form in which it can be presented to a Court. It does not validate the truthfulness of the content but only tells the Court that “This is what is present in Cyber Space”. It is a “matter of fact” certification of something present in cyber space which is copied onto a CD or printed out for the purpose of presentation to the Court. What the Section 65B certificate provides is an assurance to the Court that this process of conversion has been carried out in accordance with the procedure mentioned in the section and certified as indicated therein.

I wish that before making any amendments, the Government explores providing an “Explanation” and avoids creating any further confusion on the interpretation of the section.

We must reiterate that in the case of Section 66A, the inadequacies and ignorance of the Police were carried through the system and finally a wrong decision was taken at the highest level. Similarly, the suggestions of the Home Ministry for amending the Evidence Act may result in wrong decisions if they are not properly discussed and evaluated. I hope the Government would not be in a hurry to carry out an amendment before such a debate.

Naavi

baazee.com issue lingers in Court, even after 11 years. What is it that we have learnt?

It is a sad commentary on the Indian legal system that litigation in Courts lingers along for decades. In fact it was a surprise to learn that the baazee.com case has still not been fully resolved by the judicial system and the proceeding against one of the officials of the company under Section 79 of ITA 2000 is still to be disposed of.

As readers are aware, the baazee.com case was a landmark case under ITA 2000. It involved a video containing a sexual act indulged in by two minors being sold through the e-commerce platform.

The person who sold the material was Mr Raviraj, a student of IIT Kharagpur, and he was charged under Section 67 of ITA 2000 (and also under Section 292 of IPC). Simultaneously the CEO of baazee.com (now ebay.in), Mr Avnish Bajaj, was also charged for failing to exercise due diligence under Section 79. Baazee.com defended itself by stating that the terms and conditions presented constituted sufficient due diligence, which was not accepted by the Court. However, Mr Avnish Bajaj was acquitted because the Police had launched the proceedings against him as the CEO of a company, under Section 79, without first making the company an accused.

Now it is understood that one of the residual cases attached to the main case, in which a manager of Baazee.com, Mr Digumarti, was charged under Section 292 of IPC, is yet to be disposed of, though he was discharged of the offence under ITA 2000.

See report here.

The case would come up for hearing on October 9th, when the question of whether Mr Digumarti had exercised due diligence, and whether he could have prevented the offence from being committed, would be discussed.

We hope the unfortunate manager would be freed from this decade-long agony he was made to suffer because of the unfortunate incident.

However, it is sadder to think that even after observing the predicament of this manager, and how the law hurts when officials do not exercise “Due Diligence”, the corporate managers managing e-environments today may not have implemented what may be termed “Due Diligence” in most cases.

It is important that we all review the “Due Diligence” at our end and protect ourselves from the kind of problems which both Mr Digumarti and Avnish Bajaj faced in this case.

In order to check if a Company has been following “Due Diligence”, the first thing for every executive is to conduct an ITA 2008 compliance audit and document the gaps in compliance. If the executives fail to move even now, then they have nobody else to blame if they face civil and criminal liabilities for offences committed by their customers.

The undersigned has been advising companies in this regard of their responsibilities and would closely watch if there is any increased interest in the corporate world in knowing what ITA 2008 compliance is.

One of the challenges observed is that most corporate executives have been brainwashed into a state where they are unable to understand the importance of ITA 2008 compliance, even while there is a high awareness of compliance with some technical information security frameworks such as ISO 27001 and PCI DSS.

The information security professionals in organisations are yet to appreciate fully that “Legal compliance” alone can be the primary tool to defend them against liabilities, while “Best Practice compliance” can only be a secondary tool. Hence any amount of investment in ISO 27001 or PCI DSS will be inadequate when it comes to seeking protection against the kind of liabilities which Mr Avnish Bajaj or Mr Digumarti faced.

Some of them will realize it the hard way in times to come.

I would therefore once again urge all CEOs and CISOs to start asking themselves whether their company is ITA 2008 compliant, and to take steps to comply before their company becomes the next baazee.com. Don’t hesitate to contact the undersigned if you need any clarifications.

Naavi

An Open Letter to Sri Modi on Cyber Insurance

18th September 2015

To

Sri Narendra Modi, Honourable Prime Minister, Government of India

Sub: “Cyber Insurance For All Netizens of India”

Dear Sir,

One of the distinguishing features of the Governance model adopted by your Government is its reliance on technology. “Smart Governance through E-Governance” is the recognizable face of this Government.

In pursuance of this policy, you have adopted the “Aadhar” as the core citizen identity and are linking every welfare programme of the Government to this e-identity of the Citizens. In a way you are converting every Citizen into a Netizen. With ambitious projects such as “Smart Cities” and “Digital India” on the anvil, the dependence of the society on technology is only going to increase.

I am fully in support of this push for the use of technology for development and have been advocating such a policy for a long time, as documented at www.naavi.org. I had also advocated a “Charter of Demand for Netizens” which included several initiatives, including “Digital ID for all Citizens of India” and “E Consumer Protection”. I request you to kindly take some time to look into these suggestions.

I firmly believe that the success or failure of your Government will be hugely influenced by the success or failure of the E-Governance model which you are adopting, and hence no stone should be left unturned to make it a success.

However, I always keep recalling how Mr Chandrababu Naidu lost an election despite his many good E-Governance measures in Andhra Pradesh, and this should be remembered as a lesson for people like you who want to do good things while the society may not be fully ready to absorb the long-term thinking.

Cyber space has its fair share of risks, and any society dependent on Cyber technology is open to the adverse effects of cyber attacks from cyber criminals, cyber terrorists and Cyber war capable nations.

It is therefore a certainty that such cyber attacks will have to be faced by the society from time to time. Measures to prevent an adverse fallout should therefore be considered inevitable.

We know that Cyber risks are a necessary evil that has to be endured, but politicians in the opposition will easily portray any adverse attack as a consequence of the “Anti People Policies” of the Government.

For example, in case there is a Cyber attack on the Indian Banking system and 10000 customers lose the money in their JanDhan accounts, the opposition will say that it is a scam and that all the money has been misused by BJP politicians. In the charged atmosphere that may follow, the perception battle is more likely to be won by the opposition than by the Government.

If, therefore, your Government needs to insulate itself from the risk of being blamed for Cyber risks, you need to go the extra mile to ensure that citizens don’t lose out because of cyber attacks.

In this context, I suggest that there is a need for a policy of “Cyber Insurance for All” as a means of protecting the Netizens from the vagaries of Cyber risks.

“Cyber Insurance” is a protection against financial losses arising out of cyber crimes such as “Phishing”, “Identity Theft”, “Denial of Service”, “Hacking” etc. It includes frauds involving cloning of credit cards, debit cards, ATM cards, Aadhar data, etc. It includes mobile related frauds, which will be one of the biggest threats of the future, where a large number of victims will each lose a small amount, making it impossible for them to invoke any traditional legal remedy such as approaching the Courts.

Just as “Drip Irrigation” is essential to fight the vagaries of failure of rains in the agricultural sector, “Cyber Insurance” is essential to fight the risks of cyber attacks in the Digital environment.

In the Motor Insurance area there is already a concept of Mandatory Third Party insurance. A similar policy is required in the E Commerce and E Banking area.

Of late, RBI has issued many licenses for Payment Banks and Small Banks as well as new generation Banks. These will all be heavily technology dependent and the customers will hold all the risks. Hence RBI should be persuaded to mandate that all new Banking licensees introduce mandatory Cyber Insurance for their customers.

Kindly don’t be swayed by any argument that Cyber risks are not “insurable” since the risk is too huge to be covered, or that no insurance company may be interested, etc. Presently, insurance companies are doing a profitable cyber insurance business but are restricting it to companies and not extending it to individuals. They are milking the higher end of the market and are avoiding the lower end because they feel it is expensive to manage. They need to be persuaded and incentivized to provide retail cyber insurance policies.

If the Rs 12 per year accident insurance policy for a cover of Rs 2 lakhs against accidents is commercially feasible, an individual cyber crime insurance policy that protects individuals against loss, say to the extent of Rs 10000/- to Rs 25000/- per incident, must also be feasible.

I therefore suggest and also urge you to adopt “Cyber Insurance for ALL” as a new policy of the Government to support its Digital India initiative.

Regards

Yours faithfully

Na.Vijayashankar (Naavi)

Founder: www.naavi.org

Cyber Insurance Website launched

In pursuance of Naavi’s efforts to promote the concept of Cyber Insurance in India, Naavi has launched a dedicated website Cyber Insurance.org.in to discuss all issues of Cyber Insurance in India.

Naavi considers Cyber Insurance an important developing field because in the era of increasing Cyber threats accompanied by an increasing usage of Internet in a Digital India, the Netizen community needs to be protected against the risks.

Naavi also considers that Cyber Insurance is an extension of the Techno Legal Information Security activities since “Risk Transfer” is one of the four ways Risks can be managed in business, the others being Risk avoidance, Risk absorption and Risk Mitigation.

For the last several years, Naavi has been discussing the issue of Cyber Insurance with several industry players but found very little interest in the subject in the marketplace.

The reasons are many. Some may consider that, like many of Naavi’s obsessions, this is ahead of its time and the business is yet to mature. Some may have no confidence that this is a viable business. Some may think it is somebody else’s responsibility.

The recent India Cyber Insurance Survey 2015 and the interactions Naavi has had with professionals in the Insurance industry do suggest that there is still a lot of ground to be covered in this field by both the Insurance industry and the Information Security industry.

But Naavi considers that this ground has to be covered if our dream of Digital India is not to end up as a disaster.

Naavi has urged PM Mr Narendra Modi that just as he launched the life and accident insurance schemes for the masses as a part of his national agenda, he needs to push Cyber Insurance as part of Digital India agenda.

We hope that in due course this would be accepted as a policy in the Government.

In the meantime, we shall continue our efforts to popularize the concept of Cyber Insurance and also provide whatever assistance that is required by the industry to enhance the use of Cyber Insurance.

For some time there may be dual posting of articles between naavi.org and cyberinsurance.org.in.

However, I expect that Cyberinsurance.org.in should attract contributions from other professionals and develop into a community website.

I welcome contributions.

Naavi

Techno Legal Business brings a turf war in the Cyber Forensics area. Where are the IS professionals?

Technology has disrupted many traditional business practices. For example, Banking before and after technology has never been the same. Same way, ever since Cyber Laws became a prominent practice area, lawyers have found that their traditional practice domain has been disrupted.

Today, it is almost impossible to run an efficient litigation without using Cyber evidence and Cyber law. If any firm is unable to make proper use of evidence, most of which is in electronic form, and is also unable to run a good cross-examination of witnesses trying to prove or disprove the electronic evidence presented, it would find it difficult to be effective as a litigation lawyer. Hence good legal firms have found it necessary to use the services of experts where required and also to develop in-house expertise in Cyber Forensics.

When it comes to using the services of high end experts, the firms have a difficulty in forging a long term association because those professionals may not be qualified advocates and hence cannot be partners in business.

At the same time, the Chartered Accountants, who are already in the domain of whatever is called “Auditing”, have also been fighting to get into the space of “Forensics”, since their internal audit work in any Corporate environment lands them in fraud investigation in the electronic environment and the associated Cyber Forensics.

They also have difficulty in forging long term association with Techno Legal experts who can assist them in the auditing work when it comes to “Compliance Audit” or “Fraud Audit”.

Actually, “Cyber Forensics” is an area which is highly technical and should have been the natural domain of a software or hardware specialist. Professionals in this tech field should normally be found in organizations such as the Computer Society of India, but they seem to be absent in the race for business in Cyber Forensics. There is also a professional group belonging to the “Information Security Domain”, which includes those certified with diplomas such as “Certified Ethical Hacker”, “CISSP”, “Network Forensics” etc., who also claim to be experts in Cyber Forensics and have a say in this domain. But this set of professionals do not have a strong organization, and hence most of the Information Security audit work is done by Chartered Accountants with a CISA qualification rather than core information security expertise.

This Economic Times Report highlights the emerging turf war between law firms and the Big Four accounting firms. It is stated that law firms are poaching forensic experts from Big Four firms and even launching legal action charging the Big Four firms with running an unauthorized legal practice. (See this report)

Essentially, Law Firms are trying to take protection from the “Advocates Act”, which tries to reserve legal practice to registered members of the Bar Council. This tendency for “Reservation” is also present among the Chartered Accountants, who also prevent non-CAs from joining firms run by CAs in providing corporate advice. The Company Secretaries and Computer Society professionals are not so well organized to fight for their own turf in the corporate scenario.

Now that the Delhi Bar Council has taken the issue to the Court, there is going to be a big fight for “Reservation” of business between the Advocates and Chartered Accountants.

Given that the Judicial Community has emerged only from the advocate community, the judicial fight may be skewed towards the advocate community and there is a huge conflict of interest between the Judiciary and this dispute.

The undersigned has always opposed every kind of reservation in life and is not comfortable with professional agencies using their clout to reserve parts of the business for themselves. (Naavi himself has faced issues in forging partnerships with law firms and CA firms, though both use his services for improving the quality of their services.)

However, the Cyber Forensic business is a new business area which involves Technology, Law and Auditing expertise. We can even say that Forensics involves analysis of the “Behaviour” of the technology user, which is a “Behavioural Science” skill. Naavi has been a pioneer in projecting Information Security as a three dimensional expertise of Technology, Law and Behavioural Science. However, these domains of expertise developed only in recent years, and there were no formal degrees and diplomas in these fields until recently. As a result, the law graduates who claim the right to litigate Cyber Crime cases have no relevant qualification in Cyber Law, nor are the Chartered Accountants who qualified in the past and claim the right to auditing today exposed to technology issues as they should be. Hence the claims of reservation of business based on qualifications appear to be unreasonable.

It appears that a day has come where the “Disruptive” aspect of technology has entered the area of “Reserved Professional Practice”, and it is time that the restrictions placed on legal firms partnering non-legal practitioners, as well as on Chartered Accountant firms partnering non-CAs, were summarily removed. We must recognize that the technology area requires collaboration of people with different skills, and in the interest of clients who require efficient services, a legal firm needs technology, accounting and behavioural science experts in its fold, and the Big Four or other CA firms also need Cyber Law experts and experts in international law, taxation law etc. in their fold.

Instead of the top legal firms fighting with the top accounting firms in Courts, they need to forge an alliance and ensure that the mutual exclusions which they have used in the past, which I call the “Reservation Mentality”, are dropped and “Merit” prevails in the profession.

We would however advise that both the legal firms and the Big Four should not compromise by keeping the Information Security professionals outside the area of Information Security Audit and Forensics. In fact these professionals should study the case which the Delhi Bar Council has brought and implead themselves to put up their arguments if required, so that they are not pushed out of the field of Cyber Forensics by the law firms and the Big Four.

Probably the case brought by the Delhi Bar Council has more to do with corporate advisory services in the area of Mergers and Acquisitions and less with Cyber Forensics. However, the principle of “Exclusivity in Professional Practice” is a potential “Frankenstein” and should be curbed before it gains any judicial validity through this case. If IS professionals are negligent, then lawyers and chartered accountants may declare that Cyber forensics is their exclusive business domain and make IS professionals subordinate to either of the professions!

Naavi