TV Anchor robbed of his Bitcoins right on the show

In an amusing real-life story that offers an interesting lesson in information security, a Bloomberg TV anchor found that his Bitcoin holding, worth about $20, was stolen by a viewer after the anchor displayed his private key on the show. The private key, in the form of a QR code, was shown to the camera and one of the viewers captured it, gaining control of the wallet. He transferred the 0.28 BTC which was in the wallet. Though he later indicated that he wanted to return it to the anchor, the anchor asked him to keep it. (Refer article)

Beyond the amusing part, there is a lesson in information security for everyone in this story. First, it should be clear to everyone that the “Private Key” in a digital signature system must always be kept confidential; revealing it is like revealing the password to your bank account. The second aspect is storing confidential information in the form of a QR code. A QR code may look like a puzzle to the human eye, but it is easily read by any QR reader, which today is a standard mobile app found on practically every phone. Hence displaying the QR code of the private key was like reading out the password to the bank account.

The public should therefore learn not to reveal their private key in any form to others.

We may recall here that in India we use the digital signature system as a legally accepted means of authenticating electronic documents, and all company directors are mandatorily required to use such digital signatures for filing their returns with the Government. Since the filing of returns is often done by Chartered Accountants and Company Secretaries, it is a common practice amongst many directors to leave their private keys with the chartered accountants or company secretaries. This is a serious compromise of the confidentiality of the private key. Just as the Bloomberg viewer above stole the anchor’s bitcoin holding by knowing the private key, a director who reveals his private key to another may find contracts entered into in his name and face the adverse consequences, including the filing of a false income tax return which may declare all his Swiss bank wealth to the IT authorities!

Hope the lesson is learnt.

Naavi


RBI …Bitcoin

[P.S: Kindly Note that subsequent to writing of this post in December 2013, and observing the lack of self regulatory attitude of the Bitcoin managers and the continuing use of the Bitcoin by criminals, Naavi has clarified his view on Bitcoins. Presently in the Indian Context, Naavi is advocating an express ban on Bitcoins. See other recent articles to know why Naavi has changed his view.]


Today’s Times of India carried an interview of the undersigned with the caption “RBI has no legal right to ban use of bitcoin: Na Vijayshankar”.

In order to clarify why I think so, I would like to present here some additional information. The complete response to the entire interview is also available here:

What is Bitcoin?

Bitcoin might be perceived by the majority as a currency in the digital space. Some websites may be offering certain services in exchange for payment in Bitcoins. Hence consumers are using it as a currency in the limited web space where it is accepted. In this context it is no different from the plastic coins that can be used, say, within a club.

However, whereas the plastic coins in the club and similar limited currencies in a closed system are all originally acquired by a user by payment in the usual currencies such as the Rupee or Dollar, Bitcoins can be either acquired against payment in a normal currency or created by the user on his own. This is similar to a worker in a club who is told that his salary is paid in plastic coins, which he can either use himself to play or give away to other members for whatever price and consideration he wants. In order to make the exchange of coins easy, one of the employees may say that he would exchange any coin immediately for normal currency and keep the stock of plastic coins with himself until another person wants to buy them. In this capacity he works like an exchange house.

Additionally, the club may say that it will never issue plastic coins directly to a member of the public for cash, and anybody who wants them has to acquire them only from the workers who have earned the coins or through any other person who has offered to exchange them. It may also be declared that the total number of coins that will be issued to the workers at any point of time in the future will never exceed a stated limit. Then the workers will scramble to earn the limited number of coins available, and their perceived exchange value also increases.

All the above aspects are reflected in the Bitcoin system. The only difference here is that the “Club” is the “Peer to Peer Network”, where any person with a computer can join and offer to be a worker. If his work is considered satisfactory, he will get his salary in Bitcoins, which he can use himself or trade. The rules of the game are well set out in the form of a “public notification”, and hence everybody knows what it takes to earn Bitcoins. Hence it is a “Democratic” way of earning. But there is no compulsion on anybody to accept the coins, and also no guarantee by the club owner that the coins will be reconverted to normal currency if a worker is unable to find a buyer. The club ownership itself is not with any individual but with the entire group of workers, whether or not they have previously been successful salary earners.

However, as and when more and more services are offered against payment in the plastic coins, since the supply is limited the demand for the coins will grow, and along with it the value of the plastic coins would also be perceived as higher. If suddenly one popular restaurant says that it will sell pizzas for the coins, the value will increase. If it stops accepting the coins, the value will drop.

I suppose the above scenario has given a fair idea of the Bitcoin ecosystem.

To be technically more precise, a Bitcoin protocol has been released in public which states how Bitcoins can be earned by any member of the public. It is a reward for providing the service of collating the bitcoin transactions entered into by members of the public into a pre-designated format of an electronic document, which is examined by other members and approved as to whether it satisfies the pre-designated format or not. Every member is free to participate in this race to create the pre-designated format of a collation of transactions and publish it to the group. As in the case of a “Housie-Housie” game, the first person to complete the task within a time of around 10 minutes, including whatever number of transactions he can, would be declared the “Winner”, and all the transactions he has included would become “Approved Bitcoin transactions”. Then the race continues with the remaining transactions. Each such winner would presently be awarded 25 bitcoins. This will be reduced periodically, and the rules for creating the “Pre-designated Electronic document” would also be made more and more difficult as time passes, so that the number of bitcoins released to the public will increase at a slower and slower rate until the total stock reaches 21 million, probably by the year 2140.

If we want to go deeper into the technology, the “Pre-designated Rule” for the creation of the electronic document that collates the transactions is roughly described as follows.

1. Include as many transactions as are published in the network, with each transaction* designating the bitcoin giver (in the form of a bitcoin wallet address), the receiver (in the form of a bitcoin wallet address) and the amount.

2. Include your own identity (in the form of a bitcoin wallet address).

3. Include the identity of the winner of the previous contest who has been awarded the 25 bitcoin reward.

4. Include a variable of your choice.

5. Calculate the hash value of a document that includes all the above information in the manner described in the protocol.

If the hash value which is calculated meets the criteria mentioned in the protocol, and a few (say about 6) others verify and confirm the same, then the work would be declared accepted for the reward of the next issue of 25 bitcoins.

It may be noted that in this entire exercise, the Bitcoin protocol is a public document known to everybody, and anybody can join the network and try their luck at winning the next award. However, this may depend on the processing power of their computer, since only the first successful creator of the collation of transactions (referred to as a Block) is awarded the coins. Once the Block is verified and confirmed, it gets added to the “Block Chain”, which essentially is a database of all transactions since the first bitcoin was produced. The entire system is therefore considered a “Peer to Peer system” and does not have any central authority which controls the system or guarantees the value of bitcoin or its continued usage. Everything is voluntary, and it is the public which determines how the system moves.

*[It may be noted that each bitcoin transaction initiated by an owner of a bitcoin is a digitally signed message indicating the transfer of a certain bitcoin balance from the wallet of the transferor to the wallet of the transferee. Each such Bitcoin wallet has an address. A Bitcoin address is the hash of a public key. The private key associated with this public key is with the owner of the wallet. When a person opens a Bitcoin wallet account with a service provider, this random key pair is generated. The system of public key cryptography used in the bitcoin protocol is based on the Elliptic Curve system, which is considered stronger than the RSA system used in the digital signature system in India as per ITA 2000. Similarly, in the Bitcoin protocol hashing is done multiple times, as against the single hashing used in the legally approved Indian digital signature system.]
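The five-step rule and the footnote above, worked through as an added example (this is illustrative code written for this page, not the Bitcoin reference implementation): transactions, the miner’s address, the previous winner and a chosen variable (the nonce) are collated into one document, double-SHA-256 hashed, and the nonce is varied until the hash meets a difficulty criterion; a cheap verify function plays the role of the other members who confirm the work. The address derivation, JSON layout and difficulty of 16 leading zero bits are simplifications chosen here, and all keys and transactions are constructed.

```python
import hashlib
import json


def double_sha256(data: bytes) -> bytes:
    """Bitcoin's hash: SHA-256 applied twice (the 'multiple hashing' of the footnote)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def address_from_pubkey(pubkey: bytes) -> str:
    # Simplification: a real address is RIPEMD-160(SHA-256(pubkey)) plus a
    # checksum and Base58 encoding; here it is a truncated double SHA-256.
    return double_sha256(pubkey).hex()[:40]


def block_document(prev_winner: str, miner: str, txs: list, nonce: int) -> bytes:
    # Steps 1-4 collated into one canonical document. sort_keys and compact
    # separators make the bytes deterministic, so every verifier hashes the same.
    doc = {"prev": prev_winner, "miner": miner, "txs": txs, "nonce": nonce}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    # The acceptance criterion of step 5: the hash, read as a 256-bit number,
    # must be below 2^(256 - difficulty_bits), i.e. begin with that many zero bits.
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(prev_winner: str, miner: str, txs: list, difficulty_bits: int,
         max_tries: int = 2_000_000):
    # The race: vary the nonce (step 4) until the document's hash meets the target.
    # Returns (nonce, hash_hex), or None if the budget runs out.
    for nonce in range(max_tries):
        digest = double_sha256(block_document(prev_winner, miner, txs, nonce))
        if meets_target(digest, difficulty_bits):
            return nonce, digest.hex()
    return None


def verify(prev_winner: str, miner: str, txs: list, nonce: int,
           claimed_hash: str, difficulty_bits: int) -> bool:
    # What the other members do: a single hash recomputes and checks the winner's
    # claim, so confirming is cheap while finding the nonce was expensive.
    digest = double_sha256(block_document(prev_winner, miner, txs, nonce))
    return digest.hex() == claimed_hash and meets_target(digest, difficulty_bits)


# Constructed sample data (not real keys, addresses or transactions).
MINER = address_from_pubkey(b"constructed public key of the miner")
PREV_WINNER = address_from_pubkey(b"constructed public key of the previous winner")
TXS = [
    {"from": address_from_pubkey(b"constructed key alice"),
     "to": address_from_pubkey(b"constructed key bob"), "amount": 0.28},
    {"from": address_from_pubkey(b"constructed key bob"),
     "to": address_from_pubkey(b"constructed key carol"), "amount": 1.5},
]
DIFFICULTY_BITS = 16  # about 65,000 tries on average; real Bitcoin needs vastly more

if __name__ == "__main__":
    nonce, h = mine(PREV_WINNER, MINER, TXS, DIFFICULTY_BITS)
    print("winning nonce:", nonce, "hash:", h)
    print("accepted by verifiers:", verify(PREV_WINNER, MINER, TXS, nonce, h, DIFFICULTY_BITS))
    # Changing one amount after the fact invalidates the proof of work.
    tampered = [dict(TXS[0], amount=28.0), TXS[1]]
    print("tampered block accepted:", verify(PREV_WINNER, MINER, tampered, nonce, h, DIFFICULTY_BITS))
```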

Why RBI cannot ban Bitcoin

If we now understand what a “Bitcoin really is” vis a vis what it is perceived as, we will understand it is just an “Electronic document” with some information such as “So and so is the winner of the award of this bitcoin”.

Electronic documents are recognized in India as equivalent to paper documents vide Information Technology Act 2000 (ITA 2000). Bitcoin is therefore recognized as a document that can even be considered as “Evidence” in a court of law. If Bitcoin is stolen, it is like data theft. Bitcoin itself is considered “Sensitive Personal Information” and its handlers are subject to due diligence requirements specified under ITA 2000 as amended in 2008.

If Bitcoin is to be banned, it requires an amendment to ITA 2000 and not otherwise. It is in this context I have expressed my opinion that RBI cannot ban Bitcoins per-se.

Since Bitcoin is not a “Promissory Note payable to a bearer”, it does not come within the definition of a “Note” and RBI does not have the right to regulate it as a “Currency”.

However RBI has the right to take objection to the promotion of Bitcoins as a “Currency” and prohibit such an attempt. It can also regulate the foreign exchange part of transactions involving Bitcoins.

Other aspects of regulation are also referred to in the complete interview.

What RBI Can do

There is no doubt that if RBI strongly feels that Bitcoin is undesirable, it can influence the Government and bring about an amendment to ITA 2000. However, this would take not less than a year to process. In the meantime, RBI can threaten the public and ensure that Bitcoin is declared an “Enemy”, and put the fear of retrospective legislation in the minds of people so that they keep their hands off Bitcoins. The Income Tax authorities can also remind people that what they did to Vodafone, they can do to Bitcoin, and put the fear of God in the public. Such measures will successfully kill the Bitcoin system in India. After all, we have all seen how Napster was killed by legislation.

However it would be very unimaginative of RBI if they take this approach though it would satisfy certain hawks in regulation.

What RBI Should Do

If RBI feels compelled to issue any administrative circulars now without any amendments to law, they may have to restrict such circulars to the foreign exchange angle and the issue of promotion of Bitcoin as a “Currency”.

RBI of course has a duty to advise the public through an open advisory not to consider Bitcoin as a currency. This is more for public education so that they are not cheated by smart operators.

Apart from the caution notice that RBI should release, they may consider some steps of their own to meet the situation arising out of the Crypto Currency phenomenon.

It is almost imperative under current law that the exchange of Bitcoins for any currency other than the Indian Rupee, such as the US $, needs to be regulated as part of the current Foreign Exchange regulations. In this context Bitcoin is a commodity which can be produced in India as well as bought and sold in India, either from another Indian or from a foreigner or from a Non-resident Indian. Correspondingly, RBI has to define the regulations.

However, if RBI so desires, it can provide some concessions to Bitcoin Exports (sale of Bitcoins by an Indian against receipt in foreign currencies) and Bitcoin Mining (a production activity similar to software development). It can also consider production of Bitcoins by Indians through foreign pools as a “Software Service Export”. In my opinion, RBI should consider these measures.

On the other hand, RBI may clarify limits on the import of Bitcoins (buying of Bitcoins from foreign sources where the payment is designated in a foreign currency). While RBI has the right to ban such imports, it may consider permitting imports through designated exchanges up to a limit of, say, Rs 75000/-.

RBI may however have to caution the public that buying and selling of Bitcoins must be restricted to persons whose identity is known and records kept. The public must understand that in the current legal environment, Bitcoin is a “Virtual Commodity” and it does not have the immunity that “Negotiable Instruments” possess, where a holder in certain circumstances can claim the status of a “Holder in due course”, which is free from the defects of the transferor.

STPI may consider declaring its own policies if somebody wants to set up a Bitcoin (or other cryptocoin) mining facility as an STPI unit.

The danger of a hawkish policy

If RBI is imaginative, it would realize that we should not allow a repetition of the mistake which we made at the time IPv4 addresses were allocated to different countries in the beginning of the Internet era.

At that time India had underestimated the importance of the Internet and failed to demand and get its share of the addresses. As a result, India, a country with about 17% of the global population, ended up with 0.8% of the available global IP addresses (28.78 addresses per 1000 population). At the same time, a country like the USA, with 4.4% of the global population, retained 35.9% of the available IP addresses (4916 addresses per 1000 population). This introduced a certain competitive disadvantage to India in the use of the Internet.

Similarly the “Crypto Coin Phenomenon” is currently a novelty but has the potential to establish itself as an inevitable development of the cyber world.

Even if India does not move with the times, countries like Switzerland are sure to move in and recognize the crypto currency. As a result wealth will move from India to Switzerland. It would be common for people to shift their deposits in Banks to Bitcoin Banks recognized in Switzerland.

Countries like the USA and China will also sneak in and establish their hold on some part of the market despite their current rumblings. Other countries like Canada and Australia will also grab their share before we wake up to the risk of being isolated in the Cyber World Financial Market. Hence India will look foolish if it fails to recognize the emerging scenario and establish its foothold in the market.

Wishlist

Keeping the vision that Cryptocoins may rule the cyber world in due course, India needs to not only acquire and hold a fair share of currently available Crypto coins but also develop a cryptocoin of its own.

I therefore wish the following steps.

1. Crypto Coin Exchange of India

RBI may in association with SEBI set up a “Crypto Coin Exchange of India” and legitimize all transactions put through this exchange.

The Exchange may open accounts based on a reliable KYC so that only genuine transactions move through the system. Such transactions may be provided with concessions from the foreign exchange angle and the taxation angle. In fact the current taxation regime of stocks can be easily extended to cryptocoins.

Though the current commodity exchanges can handle cryptocoins by just designating them as another category of commodity, it may be desirable to establish a specialized crypto currency exchange with greater involvement of RBI. Such an involvement might not have been required in the case of other commodities such as bullion, oil, gas or agricultural commodities, but it is desirable in a crypto currency exchange.

2. India Crypto Currency Pool

RBI may set up an “India Crypto Currency Pool” for mining crypto currencies, with membership open only to registered Indians. The server farm itself would be owned by RBI and would work as a National Mint for crypto currencies. Thereafter, part of the Bitcoin, Litecoin or other crypto coins mined would be generated from this mint.

3. Hybrid variety of Crypto coin

RBI may develop a hybrid variety of crypto coin which incorporates the best of both worlds, namely the crypto currency system and the fiat currency system. For example, it can set up an exclusive crypto currency of its own using a protocol similar to the Bitcoin protocol, but with changes that incorporate features for tagging illegal transactions and preventing the system from being abused by money launderers. Such a system may be backed by a paper instrument such as was suggested by the undersigned under the DVIIS (Digital Value Imprinted Instrument System), eventually replacing the current printed note system almost completely.

I would invite RBI to constitute an expert committee to discuss the pros and cons of crypto currencies and prepare a suitable document for consideration of the incoming new Government of 2014. The Bitcoin community in India can also put their views before such a committee and assist it in understanding the nuances of this new emerging virtual currency system.

Naavi


Did RSA Compromise on its integrity?

The security community suffered a shock recently when it was realized that NSA had paid $10 million to push an encryption technology promoted by the agency through an RSA product. It is understood that NSA promoted a Dual Elliptic Curve random number generation formula and RSA embedded it in their product BSafe. It was meant for deployment in PCs.

It is now known that this formula for random number generation had certain flaws which some experts have called nothing but a “Backdoor”. Now that it is known that NSA had spent money on pushing the product through, it is logical to conclude that this was a deliberate act of NSA to have a backdoor means of spying on communication encrypted with BSafe.

The revelation has embarrassed RSA and compromised its own integrity as a security product supplier.

Related Article

In the light of NSA penetrating otherwise reputed organizations like RSA, some experts in India have warned that UIDAI entering into arrangements with US-based companies with suspected CIA connections may not be in the interest of Indian national security.

Naavi


Richest Bitcoin Owner

Though Bitcoin holdings in wallets are expressed in terms of hash values and do not publicly reveal the name of the owner, the transactions from one address to another are always public (part of the block chain). By systematically studying the movement of coins in and out of a wallet, it is possible to unravel the owner.

A study of this nature appears to suggest that US Government could be one of the biggest holders of the Bitcoin wealth arising out of seizures during criminal investigations.
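One way the “systematic study” described above is done in practice, as an added illustration (not code from the report referred to): addresses that are spent together as inputs of one transaction must all have been signed by their private keys, so they are grouped into one ownership cluster, and outflows from that cluster can then be listed. The ledger below is constructed, and the address labels are placeholders.

```python
from collections import defaultdict

# Constructed ledger (not real addresses): each entry lists the addresses whose
# coins were spent together as inputs and the addresses that were paid.
LEDGER = [
    {"inputs": ["A1", "A2"], "outputs": ["M1"]},
    {"inputs": ["A2", "A3"], "outputs": ["B1"]},
    {"inputs": ["B1"], "outputs": ["B2", "A4"]},
    {"inputs": ["A4", "A1"], "outputs": ["C1"]},
    {"inputs": ["Z1"], "outputs": ["Z2"]},
]


class DisjointSet:
    """Union-find structure that merges addresses into ownership clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(ledger):
    # Heuristic: every input of a transaction must be signed by its own private
    # key, so addresses spent together are treated as one holder's wallet.
    ds = DisjointSet()
    for tx in ledger:
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:]:
            ds.union(first, addr)
    clusters = defaultdict(set)
    for tx in ledger:
        for addr in tx["inputs"]:
            clusters[ds.find(addr)].add(addr)
    return [sorted(c) for c in clusters.values()]


def cluster_of(clusters, address):
    # Returns the cluster containing the address, or None if it never spent coins.
    for c in clusters:
        if address in c:
            return c
    return None


def counterparties(ledger, clusters, address):
    # Addresses paid by this wallet's cluster. Payments back into the same
    # cluster are ignored as likely change; everything else is an outflow.
    own = set(cluster_of(clusters, address) or [address])
    paid = set()
    for tx in ledger:
        if own & set(tx["inputs"]):
            paid.update(out for out in tx["outputs"] if out not in own)
    return sorted(paid)


if __name__ == "__main__":
    clusters = cluster_by_common_input(LEDGER)
    for c in clusters:
        print("cluster:", c, "pays:", counterparties(LEDGER, clusters, c[0]))
```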

See Report

Naavi


More Credit Card frauds in store

Recently a fraud of Rs 63 lakhs was reported, involving gross negligence by Bank employees, not ruling out their involvement. It is said that the Bank believed that the customer had a sore throat and executed large transactions, including closing of FDs and remitting the amount to other accounts, based on e-mail requests which were obviously not digitally signed.

See report

This incident indicates how present-day Bankers have no idea of their responsibilities to their customers. It is as if a bunch of data entry operators have been designated as “Bankers”, notwithstanding some of them having MBA qualifications. They think that the entire business of banking is just punching some keys on the computer. For those of us who have undergone rigorous training in Banking, both on procedures and law, the current situation is completely unacceptable. This is not merely negligence but “Recklessness”, for which they alone should be held liable.

Close on the heels of this Banker’s negligence comes a report about how many credit card/debit card accepting merchant establishments are reacting to the latest RBI guidelines that all POS systems should be able to accept PIN entry for authenticating card payments. Many Banks have made ATM PINs also serve as PINs for debit cards, and hence customers are using one single PIN with which they can pay with debit cards as well as withdraw money from ATMs.

Now it is reported that many establishments are continuing to keep the POS at the cashier’s counter and asking customers to write the PIN on the back of the bill, so that the card entry can be completed by the cashier without the customer needing to move to the counter. Some are asking for the PIN orally so that the cashier can enter the PIN in the POS kept somewhere not easily reachable by the customer.

Any ordinary person should realize that if PINs are being revealed to everyone then any fraudster can easily clone the card, use the PIN and empty the Bank accounts within minutes.

It is clear from the report, which comes from Pune but may apply elsewhere too, that merchant establishments are displaying their ignorance of the risks. If this is not corrected immediately, we will see hundreds of card frauds happening in the coming days.

Merchant establishments which want to serve their customers at their table have to use WiFi-enabled POS systems. Otherwise, customers have to be called to the counter and provided with a facility to confidentially enter the PIN. If this does not happen, then customers have to be indemnified by the Banks and the merchant establishments.

Naavi


Is China playing out a Bitcoin Strategy? What should India do?

After what appeared to be a silent propping up of Bitcoin by China, over the last one week China announced a series of measures that are now seen as a regulatory backlash. In the process BTC climbed up to US$ 1300 and dropped down to around $528 (at the time of writing) within a week. The volatility would have hurt speculators who bought BTCs at the high points, though for miners and other early entrants it is only an “opportunity loss”.

China has now announced two important measures. Firstly, it advised Banks and financial intermediaries not to support BTC trading. Now it has advised BTC exchanges not to accept Yuan for buying BTCs. (See Reuters article here)

Around the same time Denmark has indicated its desire to amend laws to cover Bitcoins as a regulated currency in some aspects. (See report here)

While some amount of regulatory concern is natural, the recent developments have indicated that Bitcoin is right in the center of regulatory radar all over the world. It has come to a situation that regulatory bodies can no longer ignore the development and have to stay focused and probably take a position sooner or later.

As discussed here, India also needs to break its silence at least to the extent of RBI releasing an advisory on the speculation involved in buying and selling BTCs against rupees and the foreign exchange considerations if the buying and selling is denominated in a foreign currency.

If Denmark comes up with a legislatory correction, it only means that it would have officially recognized BTC as a financial asset of some perceived value and exchange ecosystem.

The happenings in the China market appear intriguing, however, since they could either signal a change of heart by the regulators to come down heavily on BTC as an emerging currency for commercial transactions, or a calculated strategy to increase its hold on the market at a reduced value.

It is eminently possible that while the official line in China would be negative on BTC, the Government may silently start acquiring BTCs, mainly through mining and even purchases at lower value. It may be observed that China has not yet placed a complete ban on BTC. It has only restricted the conversion of Yuan into BTCs. This could encourage Chinese people to convert their foreign currency assets to BTCs rather than their domestic assets. This appears to be a good strategy if China is not particular about conversion of such foreign currency assets of Chinese nationals to the domestic currency. If after some time some foreign country, say Switzerland, declares BTC an accepted foreign currency, then China can convert its BTC holding to other foreign currencies through Swiss Francs. China is therefore only set to benefit from the fall in the exchange value of BTC in the short run. This is like the “Dump and Pump” scheme that Bears in the stock market can employ from time to time.

India can also take a cue from this. The policy should consist of the following objectives:

a) Encourage local mining through a system of registered miners.

b) Tolerate trade of BTC in domestic currency amongst registered domestic miners through registered exchange houses

c) Tolerate export of BTCs (selling of BTCs mined in India in foreign exchange) ensuring receipt of proceeds in rupees in real time.

d) Set limits on import of BTCs (buying BTCs against foreign currency payments and from foreign nationals against rupee payments)

Investors may however be warned that at present BTC is considered as a “Virtual Asset” but not a “Currency issued by RBI”. It is not a “Promissory Note” or any form of a Negotiable Instrument. Hence there will be no “Holder in Due Course”. Every owner is subject to the defects in the title of the asset of the previous owner.

It is for this reason that Naavi is suggesting that Miners should be “Registered” so that they can be identified and buyers can fulfill the “KYC Obligation”. Buying from unknown sellers is risky. Buying through an identified exchange is acceptable since a “Good Faith, For consideration, without knowledge of defects in the title Buyer” can get himself indemnified by the exchange for any defects in the title identified later.

Exchange houses can be sued in such cases subject to their continued solvency. It is for this reason that Naavi suggests a system of registration for the exchange houses also.

The terms of registration of exchange houses may include “Capital Adequacy Controls”. Terms of registration of miners may include “Asset Adequacy Controls”. More details of what could be a good regulatory scheme may be discussed if RBI initiates any discussion in this regard with experts, or if the Indian Bitcoin community considers a “Self Regulatory Mechanism”.

For the time being, let us watch the developments around the world closely.

Naavi

P.S: By the time this post was completed, BTC had risen to $551!
