Cyber Surveillance in India

The public outcry over the US program “PRISM”, under which the US Government is said to be spying on the cyber communication of individuals, has naturally drawn some attention to the Indian situation.

Under ITA 2008 the Government has powers to intercept cyber communication for reasons of national security, prevention of cognizable crimes etc. However, it is also true that Indian intelligence agencies often resort to interception without adequate legal sanction or procedures. Past indications also clearly point to the misuse of intelligence for political purposes. Since India does not have a strong “Privacy” law, it is presently difficult to prevent surveillance by intelligence agencies. The Government also uses the ISP licensing regime to gain access to ISP data.

It is believed that not only the Indian Government but also several other countries such as the UK and Australia have huge surveillance mechanisms in place.

Though the Government of India has recently stated that its National Security agencies may tap only the metadata and not go into content, the assurance can only be taken with a pinch of salt. Individuals therefore need to bank upon private encryption if they want privacy. Though the law may still be invoked by the Government to demand decryption, in a majority of cases the user may at least be aware that his communication is being monitored.

The biggest challenge for the security agencies is to ensure that the need to monitor criminal activities, where they genuinely need the power to carry on surveillance surreptitiously, is suitably met. In such cases the intelligence agencies may need to break the encryption themselves. Since breaking strong encryption could be difficult, any person using encryption could be treated as a “Suspect” in the eyes of the Government and may be subjected to physical surveillance as well. The cost of security of the nation is therefore likely to skyrocket in the coming months.

In order to find a solution to this problem, it is necessary for the Indian intelligence agencies to broker a treaty with the privacy community and establish a trusted relationship, so that the common public would not resort to wide usage of encryption and make national security costs prohibitive. For this purpose the Government should offer a system of “Monitoring of surveillance agencies by a committee” consisting of select members of the public, and put in place a strict regime of procedures to ensure that the mechanism would not be used for political and tax purposes.

Related Article in ET

Naavi


IB Warnings on WeChat app

It is reported that Indian intelligence agencies have flagged a mobile application named WeChat, developed by the Chinese company “Tencent”, as a “Threat”.

After the revelation about the US intelligence program PRISM, through which the US intelligence agencies are reportedly spying on all communications passing through Google, Facebook etc., it appears that intelligence agencies in India have also become a little more alert.

The threat of Chinese intelligence agencies intruding into Indian Cyber Space is well known. WeChat may be one such application. However, there are bigger threats, since India imports a huge number of computers, laptops and mobiles from China, some of them branded, in which there could be backdoors at the OEM level.

Until the dependence on China for IT assets is removed, Indian Cyber Space will remain vulnerable. Hence one important aspect of the Indian Cyber Security program should be the encouragement of large scale indigenous investment in Cyber Security research and subjecting all Chinese products to a security check for certification.

I urge Indian Corporates to also think in the direction of setting up specialized Cyber Security labs that can analyze source code and test hardware for security. The Government backed security lab led by IISc Bangalore has lost credibility since it is reported to carry substantial funding from the Chinese company Huawei itself.


Naavi


Use of Aadhar for Cardholder authentication

It is reported that RBI is considering use of Aadhar as a second factor authentication for Credit Card transactions.

Report in TOI here

The cost of upgrading the card swipe mechanism at the merchants with a biometric capable instrument is being held as a stumbling block. However it is also necessary to examine if the move has legal sanction.

First of all, the UIDAI bill is yet to become law. A case is before the Supreme Court to examine the validity of the scheme. But the Government is going ahead with the scheme to render it more and more difficult for Courts to cancel the scheme.

Further, the current move talks of using Aadhar for “authentication”. It is to be noted that “Authentication” of a customer’s instructions is the prime responsibility of the Bank.

The move proposed by RBI means that UIDAI will be used as an outsource partner of the Bank to examine and authenticate a customer of the Bank. This raises the question as to whether in this process the “UIDAI” will act as an “Officer” of the Bank and “Pass Payment Instructions of the customer”, and if so, whether this is legally within the mandate of Banking.

If however this system of “Outsourcing” is to be legitimized, the Bank has to execute an SLA with the UIDAI authorities and follow the instructions on information security issued by RBI for “Outsourcing”.

If these considerations are not taken into account, the move will be contradicting RBI’s own earlier instructions.

Naavi


Mule Recruitment Advertisement on job sites

The Trusteer research team has reported that a mule recruitment advertisement has been hosted on the recruitment site careerbuilder dot com. The advertisement lures job seekers to marketandtarget dot com.

More details available here.

Naavi


Karnataka High Court delivers a favourable verdict for Axis Bank

P.S: Karnataka High Court has given a decision on 27th May 2013 in a writ petition filed by Axis Bank which has huge implications for Cyber Crime victims in Karnataka and elsewhere in India. Hence, in the general public interest of the Citizens of India (of which citizens of Karnataka are a part), the implications of the decision are being analyzed here. These are the personal views of the author only. I request students of law to study the implications and seek appropriate remedies. Naavi, Netizen Activist

This decision has an adverse impact on all Cyber Crime Victims in India

In a decision delivered on 27th May 2013, in the Writ Petition WP No 21049 of 2013 (GM-RES), Karnataka High Court has provided relief to Axis Bank. Though the dispute is between Axis Bank and the Adjudicator of Karnataka, the adverse effect of the decision falls on all the Cyber Crime Victims in India.

The Background Facts

In the underlying matter, there are two orders of the Adjudicator of Karnataka: Order 1 dated 27th December 2011, which was in favour of Axis Bank, and Order 2 dated 26th April 2013, which cancelled the earlier order of 27th December 2011.

The party aggrieved by the order dated 27th December 2011, namely the complainant in an Adjudication application, had approached the adjudicator immediately, on 29th December 2011, with a request for review of the order on the premise that the order was faulty.

The adjudicator however did not respond.

The aggrieved party was therefore put in a situation where, while it waited for the review, it could lose its right of appeal to CAT if it did not act. It therefore registered its application for appeal at CAT within the permitted time, though CAT was not functional at that time. Since CAT has not been functioning from around June 2011 even up to today, CAT is yet to consider the application.

The Cyber Crime victim was therefore forced to suffer under the inaction of the Adjudicator and the inaction of the CAT. This also translated into a “Human Rights Issue”, since the precedent set by the adjudicator by his order of 27th December 2011 had denied almost all Cyber Crime Victims in Karnataka access to both Civil and Criminal liabilities. The height of the absurdity of the order is evident when it indicates that, under the principles set by the order, RPG group could not initiate action against Yes Bank for its loss of Rs 2.41 crores in the Mumbai fraud. It also meant that no Company such as Infosys or Wipro could file a case of hacking, unauthorized access, denial of access, virus introduction etc. under Section 66 of ITA 2000/8. It rendered relief given by other Adjudicators of the country in similar circumstances erroneous. It even challenged the legality of the earlier proceedings in CAT. It could even be interpreted as negating the validity of over 15 lakh digital signature certificates issued in the Country etc.

In summary it was an order which negated the entire Information Technology Act 2000/8 for the sole benefit of Axis Bank.

(The fact that such a blatantly erroneous order was ever passed is so surprising that it needs a separate enquiry by Lok Ayukta of Karnataka.)

Intervention by Karnataka Human Rights Commission

Under the circumstances explained in the previous paragraphs, the “Review request” was pending with the Karnataka Adjudicator, the “Appeal Request” was pending at the CAT, and the Cyber Crime victim was left helplessly cursing the Indian judicial system over how it can be misused to the advantage of the rich and powerful and to the disadvantage of the common Citizen. It was therefore apt that the Karnataka Human Rights Commission took notice of the effect of the defective order on the public of Karnataka and issued a notice to the Adjudicator on 21st March 2013.

The Adjudicating office then referred the matter to the State Law department, which confirmed that the order of 27th December 2011 was prima facie defective in law and therefore the request for review was justified. After these compelling circumstances, the Adjudicator proceeded to issue his order of 26th April 2013 cancelling the earlier order of 27th December 2011 and calling for a hearing on 15th May 2013.

Axis Bank attended the hearing and submitted its objections. The Adjudicator explained the circumstances under which the order of 26th April 2013 was issued and fixed the next hearing on 31st May 2013 for Axis Bank to submit its reply.

High Court May be Unaware

The High Court order of 27th May 2013 does not document the above facts and appears to have been issued under the false premises that:

a) The second respondent had approached the Adjudicator for review of the decision during the pendency of the appeal with CAT

b) The adjudicator ignored the principles of natural justice and acted in a biased manner in issuing the order of 26th April 2013.

c) The Adjudicator had no right to decide his own procedure as to the conduct of enquiry under the powers vested in him by ITA 2000/8 and the notification dated 25th March 2003 on the procedures to be adopted for such an enquiry

d) The order of 26th April 2013 had a certain level of finality that irrevocably affected Axis Bank’s interests.

e) The order of 26th April 2013 of the Adjudicator was mala fide whereas the order of 27th December 2011 was lawful.

f) Quashing of the order of 26th April 2013 did not have any adverse impact on the society at large.

It is considered possible that Axis Bank had deliberately withheld vital information from the Honourable court which prompted the Court to come to the current decision.

Why there is Public Interest involved in this Case

It must be noted that the order of 27th December 2011 had rejected the complaint of the cyber crime victim on the grounds that the complaint could not be considered under Section 43 of Information Technology Act 2000 (ITA 2000/8), since the section was not applicable for “Companies”: Companies could neither invoke the section as “Victims of a wrongful loss” nor could the section be invoked against Companies as “Respondents”.

The order was also defective since it stated that the dispute came under Section 43A only, that the complainant did not invoke Section 43A, instead invoked 43 which was not applicable and the Adjudicator was required to look at any section other than one specifically invoked by the complainant.

This view was based on the contention that Section 43 used the word “Person” and 43A used the word “Body Corporate” and hence Section 43 should be used for individuals and 43A should be used by Companies.

The Adjudicator failed to note that the cause of action for Section 43 and 43A were different and the word “Person” used in Section 43 included by legal definition any association of persons and a “Company”.

The decision of the Adjudicator dated 27th December 2011 was indicative of a blatant mistake of law, as the General Clauses Act defined a “Person” as including a “Company”.

Further, this absurd decision created unexpected and untenable contradictions in the interpretation of ITA 2000/8.

The request for review was therefore not only justified but was a duty cast on any person who cared for the rule of law in the Country.

The order of 26th April 2013 was trying to correct this defective order. The effect of this order of 26th April 2013 (which the High Court has now quashed) was only to re-establish the legal process of the enquiry which had been illegally terminated. This order of 26th April did not express any final conclusion that Axis Bank was liable for any fraud based on the complaint. It only stated that the Adjudicator would continue from where the case was left earlier.

The decision of the Karnataka High Court dated 27th May 2013 has in effect cancelled the “Correction of the defect” and made the “Defective Order of 27th December 2011” operative.

This means that Karnataka High Court has upheld the view that Section 43 cannot be invoked by a Company or against a Company.

The order fails to take note of the long term implications of this decision on the community.

What is also disturbing is to note the contradictions within the order.

For example,

The Court has held that the Cyber Crime Victim may approach the Cyber Appellate Tribunal (CAT) (which everyone knows has not been functional for the last two years) for relief against any adjudicator “as per law”. However, the Court has not, under the same “law”, thought it necessary that Axis Bank should have approached the CAT for its grievance against the Adjudicator’s decision instead of approaching the High Court.

Again, the Court says that the Adjudicator did not provide an opportunity for Axis Bank to oppose the review request made by the second respondent. At the same time the High Court delivered its decision on a “short point” without giving an opportunity to the second respondent to explain the adverse effect of the defective order.

If these contradictions are not removed, the citizens of India will feel that law applies differently between a Cyber Crime Victim and the Axis Bank.

Call for a PIL

Since this decision has affected all Cyber Crime Victims of the Country, there is an urgent need that this decision is reviewed either by the same Judge or by a higher bench of the Karnataka High Court.

I appeal to public spirited advocates in Bangalore to take up the issue as a Public Interest Litigation and ensure justice is restored to the Cyber Crime victims of the Country.

Naavi as a Netizen Activist


Bank Executive in Credit Card fraud

In a credit card cloning fraud in Hyderabad, an employee of an HSBC call center has been arrested on charges of credit card cloning. The executive reportedly bought credit card data from a Nigerian and also used skimmers to collect more data locally through two petrol bunk employees. He used the data to create cloned cards and commit the fraud. 4 persons have been arrested in this regard. Report in TOI.

Naavi
