Naavi.org | Towards building Cyber Jurisprudence in India

TCS set to withdraw from Digital Certificate Issue

Posted on March 18, 2015 by Vijayashankar Na

It appears that TCS-CA which was one of the licensed Certifying authorities has decided to close down its business. On the website it is reported that they have stopped issuing further certificates from 1st December 2014.

However the CCA website still does not record this information.

Already MTNL and the Department of Customs have closed their Certifying Authority business. But it is surprising why TCS decided to back down.

If we analyze the Digital Certificate market, there is a good business potential because of the mandate in submission of IT and MCA returns. If TCS withdraws it will further reduce the competition only to Safescrypt, n-Code and E Mudhra. The result could be an increase in the cost for those who want to adopt to the system of judicial recognized digital identity.

However we observe that most of the CAs are not compliant with the provisions of ITA 2000/8 and CCA is remaining silent. Recently the Government’s digilocker project has been conceived in violation of ITA 2008 provisions and CCA seems to be unmindful. Bankers have always been reluctant to use digital signatures and prefer to flout the law while RBI looks the other way.

In the light of these developments, it is disheartening to see TCS withdrawing from the business. Unlike other CAs, TCS was operating on indigenously developed technology while others had to pay royalty to some foreign technology providers. Inspite of this, if TCS finds it unprofitable to be in the business, it could also be because the other CAs are flouting regulations to expand the market which TCS may not be willing to do.

I wish TCS clarifies the reasons for their exit from the business.

Naavi

Posted in Cyber Law, ITA 2008 | Leave a comment

Yet another Bank Fraud.. What will RBI say?

Posted on March 18, 2015 by Vijayashankar Na

Bank frauds have been so common in India that it hardly surprises any body when a new fraud is reported. The Banks are after technology in a hurry and RBI has either no clue to the risks or is just unable/unwilling to regulate the banks as we have frequently pointed out.

The reason for the situation is that RBI has not been implementing its own regulations to secure Banking in Cyber Space and Banks have effectively silenced Adjudicators and the Cyber Appellate Tribunal so that fraud victims are unable to get justice. The “Lawlessness” is so palpable that cyber criminals are emboldened to try commission of frauds at every opportunity. RBI in the meantime is busy diluting the security in cyber banking and remaining silent when non compliance of law is brought to their notice.

To bring the discussion to the context, TOI reports today that “Anti-Nationals pull off Rs 6.9 crores” using cloned and stolen cards. What the report fails to recognize is that the cloned cards were one of the instruments used and the other major instrument used was “Bank Accounts” opened by the fraudsters in some Bank/s (Name of the card issuing Banks and the money receiving not revealed in the article). These Banks have opened the accounts without proper KYC and are mainly responsible under Anti Money Laundering as accessories/abetters to the fraud.

The report states that the fraudsters were Dubai based and hence they were “Anti Nationals”. But what about the Banks which opened the accounts for these Anti-Nationals? Are they also not “Anti Nationals”?

The main culprits in such cases of KYC failures leading to frauds are AXIS Bank and ICICI Bank with PNB and SBI not far behind.

Will RBI name and shame these Banks? Will it dismiss or take disciplinary proceedings against the Chair Persons of these Banks instead of the Governor dining with them with IMF dignitaries?

The fraud is an indication of lack of security in the Banking system for which RBI is solely the custodian. It appears that Mr Raghuraman Rajan has failed to assume responsibility for the security of Banking and has to start looking at this part of his role also. If he wants to remain only as an Inflation Monitor, Government needs to look at creating another organization that is solely responsible for regulating the security in the Banking system and take this responsibility away from RBI.

Naavi

Posted in ITA 2008 | Leave a comment

At Last Government of India remembers the Cyber Appellate Tribunal

Posted on March 17, 2015 by Vijayashankar Na

After nearly 4 years of mysterious inaction, Government of India has now realized that the Cyber Appellate Tribunal (CAT) needs a Chair Person and called for applications.

It may be remembered that 0n 30th June 2011, Justice Rajesh Tandon demitted office after reaching super annuation. Subsequently Justice S.K.Krishnan, a retired Judge of the Madras High Court was appointed as a “Member” of CAT. Mr Krishnan was eligible for the post of Chair person and there was no reason to believe that he was good enough to be a member but not good enough to be the Chair person. In an absurd way of Government functioning, Mr Krishnan remained in the CAT office for about 9 months and went into super annuation as a “Member” who did not attend any hearing. During this time the Ministry headed by Mr Kapil Sibal had time to appoint a technical member to the CAT and a Head of Department of CAT. These two posts had little meaning int he absence of a functioning CAT.

After exhausting all avenues such as writing to the Minister of IT, Secretary of Ministry of IT, PM, President, Chief Justice of India, Rahul Gandhi, Sonia Gandhi etc., the non appointment was questioned in more than one Court. The Karnataka High Court was close to passing strictures on the IT department when finally the Kapil Sibal lead ministry gave an undertaking that they would fill up the post “Expeditiously” and the High Court was satisfied. During the proceedings, it was revealed that the Ministry had sent a recommendation which the Chief Justice had declined and the matter was left to rest there without an alternative name being suggested by the Ministry.

Despite the undertaking to the Court, the Ministry did not do anything for the appointment and soon the elections came and over took the Kapil Sibal ministry.

What is surprising however is that even after the new Government took over and the thrust on Digital India and E Commerce was announced, the ministry failed to take steps to fill up the CAT Chair Person’s post. The undersigned has been pursuing this literally from day one of Mr Ravi Shankar Prasad’s appointment but for reasons known to the department the matter remained unattended.

Some how now two major appointments are sought to be filled up by the IT Ministry. First is the Chair Person of CAT and the second is the post of the Director General of INDIA CERT, a position which was vacated by Dr Gulshan Rai again on attainment of super annuation. Now Dr Rai has been appointed as Chief of Cyber Security at the PMO and may be he has initiated the current moves to fill up both the positions of the Chair Person CAT and Director General IN-Cert.

The time given for receiving the applications is April 13 for the IN-CERT position and April 20 for the CAT position. The requirements are available here.

1. Director General of IN CERT

2.Chairperson of CAT

It would be interesting to see who will occupy these key positions which are critical for the Indian thrust for digitization. (See this article on Cyber Law Eco System).

In the meantime, Mr Rajesh Aggarwal who was one of the most active Adjudicators in India (as IT Secretary, Maharashtra) has been posted as Joint Secretary (Financial Services) at Government of India, Delhi and has been lost to the Cyber Law Eco System. The other person who contributed a lot as an Adjudicator was Mr PWC Davidar of Chennai who also got transferred because of a routine transfer of the AIADMK Government took over in TN.

At present there is no other active IT Secretary in India and hence the system of Adjudication is languishing.

I request the Government to immediately organize a training of all the IT Secretaries so that by the time the new CAT starts functioning, the support system would also be in place. Otherwise this will be the first task of the new Chair Person of CAT.

Naavi personally and Naavi.org wish whoever may occupy these critical positions all the best in their endeavour to stabilize the Cyber Law Eco System in India and assist the Modi Vision of a Digital India.

We know that it is still a wait upto around June for the appointments to be completed. But having waited for 3 years and 9 months, a wait of another three months is not too difficult for persons like us.

Naavi

Posted in ITA 2008 | 1 Comment

Security Audit Vs Maintenance, the Gap is large..Verizon Study

Posted on March 15, 2015 by Vijayashankar Na

Verizon has recently released the 2015 report on PCI Compliance which has provided some key insights into the current practices in industry. Though on the face of it the report indicated that about 80% of the companies were validated as PCI DSS compliant in internal assessments, the reality the compliance was not sustained over a period of time. The report highlights the fact that only 28.6% of companies actually maintained their compliance status on all the 12 controls they committed to under the PCI DSS audit. It was therefore not surprising that data breaches detected in 9700 sampled companies, indicated over 43 million security incidents in 2014 showing a compounded annual growth of 66% since 2009 and an increase of 29% over the previous year.

On the positive side, the survey indicated that though the sustainability of compliance dropped off soon after the validation, compliance in 11 of the 12 compliance factors actually saw an improvement with the biggest compliance being in authentication access. The compliance drop was noticed in compliance of testing procedures.

The study indicated that “Maintenance of policy addressing security awareness building” within the workforce was one of the neglected aspects of compliance with a measly 4% increase in compliance effort.

The report is an eye opener to organizations that it is not enough if an information security assessment is done at a point of time but there is a need to sustain the compliance as an ongoing practice in the organziation. There is therefore a need to assess the controls that specifically address the “Sustainability” of compliance efforts so that the benefits of an assessment and validation is retained for a longer time. Alternatively, organizations can try if the internal reassessment schedules may have to be undertaken at more frequent intervals in the hope that this will help in the improvement of the sustainability factor.

Naavi

Reference: Article in Computerweekly : Article in neirajones blog

Posted in Cyber Law | Leave a comment

Digi-locker Project may consciously flout Information Technology Act

Posted on March 14, 2015 by Vijayashankar Na

The digilocker beta project launched by the Government of India seems to be set to introduce a precedent which is ultra-vires the Information Technology Act 2000/8.

According to the information available the Digi Locker can be used to store important documents of the public such as marks cards, PAN cards etc in e-form. They can also be submitted to authorized Government departments for various services with an “e-sign” of the document owner.

The concept of e-sign which is proposed to be adopted by technologists advising the Government appears to be not in accordance with the provisions of the Indian Information Technology Act. According to the proposal, the public and private key pair for e-sign would be generated on the CA’s systems and not under the control of the signer. This would amount to a compromise of the Private Key ab-initio.

Further, use of the private key which is known to be compromised may be considered a contravention of ITA 2008.

This web based private key generation and storage is a procedure adopted by some foreign Certifying authorities and it appears that the technology is being recommended to the Indian Government. However, this system may seriously affect the “Non Repudiation” nature of the Indian digital signature system as we know today.

Once the system is used by a Government department, it would set a precedent which will be followed by other organisations also and hence the legal status of the entire digital signature mechanism will be adversely affected.

It would be preferable if the Government pauses to think before it leaps.

Naavi

Posted in Cyber Law, ITA 2008 | Leave a comment

Bitcoin in new form?

Posted on March 14, 2015 by Vijayashankar Na

Bitcoin has been in discussion for some time. In India the response for Bitcoin has been mixed. While initially it attracted the attention of entrepreneurs setting up echange services, the RBI frowned upon the system and ED moved in to conduct raids on some of the exchanges because it was felt that there was violation of foreign exchange regulations involved in the exchange transactions. This dented the enthusiasm and more or less killed the initiatives.

One of the main reasons for the RBI responding to the system with an unapproving look was that Bitcoin had been earlier associated with criminal activities and continue to be the preferred currency of the underworld. Coupled with this the claim of the Bitcoin operators that it is an “Alternate to legacy currency” threatened the regulators that the economy could be adversely affected if Bitcoin popularity grows.

Naavi has held that Bitcoin as a category of “Virtual Currency” is an “Electronic Document” and is recognized as such under ITA 2000/8. Whether it is a currency alternative or a virtual commodity or just a “pointer” to which a closed community ascribes a value is a matter of how the community would like to use the concept. Naavi has also highlighted that the system of “Virtual Currency” is a technology which has a great potential to be used by the regulators themselves. In fact Naavi’s old patent applied system of “Digital Value Imprinted Instrument System” itself did place faith on a server based authentication of a transaction and conversion of legacy currency to customized currency by the user himself. Presently some form of such limited currencies are in use both in the form of prepaid virtual cards as well as closed payment systems.

Now, today’s report in news papers state that IBM is working on a “Bitcoin-like” system (Refer this article). This system is supposed to use the “Block Chain Technology” and will eliminate the need for Banks and Financial institutions to authenticate a transaction and use the Block chain type of authentication. From the reports it appears that the system will convert legacy currency into some form of virtual currency which the spokes person refers to as “Token”. It is not clear however how the availability of back end fund is being authenticated without involving the financial institution.

In contrast, what I would like to suggest is for the regulator like RBI to start a new Virtual Currency on its own or convert the current stock of notes into virtual notes gradually by withdrawing the paper currency in parts and replacing them with virtual currencies. What can be done in this system is to enable RBI to track every transaction. In such a system the availability of stock is authenticated against the base block authenticated by RBI and further authentication of transactions can be done by others who can be rewarded with appropriate commissions.

If RBI sheds it’s reservation on virtual currency, we can discuss the alternate possibilities which will satisfy the RBI as well as the Government and yet will make the technology work for revolutionalizing the nation’s currency system. This would be far more economical than printing new One rupee plastic notes which RBI seems to be thinking. The virtual currency system has not only the prospect of better economy but could be a better security against organized counterfeiting by enemy countries.

Naavi