Drawing Attention of Media on this Karnataka High Court hearing

On 27th May 2013, an interesting writ petition is coming up before the Karnataka High Court (WP 21049/2013 at Court Hall No 9, #54).

This petition has been filed by Axis Bank Ltd against the Adjudicator of Karnataka as the first respondent and Gujarat Petrosynthese Ltd as the second respondent and a decision on the petition will have a huge impact on the Cyber Crime law in India.

On the face of it the case appears to be a simple “Preliminary Hearing” and the proceedings at the end of the day are unlikely to have any earthshaking consequences. But this perception may not be correct.

During the preliminary hearing the Court will consider admission of the petition and also take a view on the “Interim Stay” granted by the vacation judge on 16th May 2013.

The options before the Court appear to be one of the following.

a) Admit the petition, post it for a detailed hearing on another day and in the meantime continue the Interim Stay granted by the vacation judge.

b) Admit the petition, post it for a detailed hearing on another day but vacate the Interim Stay.

c) Based on the preliminary objections, dismiss the petition.

A normal observer of Court proceedings would say, “What is special about this? This is common for all similar writ petitions”. They may also say that “The most likely decision is the first one, where an opportunity is given for a detailed hearing and in the interim the status quo may be continued.” The status quo in this case means continuation of the interim stay.

In order to appreciate the impact of a decision on the above preliminary hearing on the Cyber Judiciary system in India, it is necessary to understand the background of the case and the meaning that can be ascribed to the above three possible decision outcomes.

The decision outcome will inter alia determine:

a) Whether the Adjudicator of Karnataka can effectively discharge the duties cast on him under ITA 2000/8

b) Whether Individual Cyber Crime victims can file any adjudication complaint against any companies such as a Bank

c) Whether any Company can file any adjudication complaint, or a hacking or denial-of-service complaint, against any other individual or company.

As an example, let us take the recent case in which some persons hacked into the systems of two BPOs in India (one of which is in Bangalore), stole or modified some information without authorization and caused a fraud of over Rs 250 crores. Some of these hackers have been arrested in New York. Had they been in Karnataka, the Company here which suffered the hacking could not file a complaint sustainable under Section 66 of ITA 2000/8.

Another example is that if somebody hacks into Infosys or Wipro, then Infosys or Wipro cannot file a Section 66 complaint with the Police or a Section 43 complaint with the Adjudicator.

If somebody hacks into an ATM in Bangalore by any means, the Bank cannot file a Section 66 (Hacking) Complaint against such a person.

To understand why such an adverse impact can arise, we need to appreciate what a “Continuation of Interim Stay” means as a legal precedent.

The background of the case is as follows:

In around June 2011, M/S Gujarat Petrosynthese Ltd (GPL), a company having an account with Axis Bank, Marathahalli, found that Rs 39 lakhs had vanished from its account. On filing a complaint with the Bank as well as the Police, it was found that the amount had been transferred to several other branches of Axis Bank, IndusInd Bank, Standard Chartered Bank, ING Vysya Bank etc. The Bank gave the account details to the Police and the Police are trying to identify whether such customers exist.

In the meantime, GPL filed a complaint under Section 43 with the Adjudicator of Karnataka alleging that Axis Bank and the other Banks who received the proceeds transferred from its account should compensate it for the loss.

Axis Bank objected to the filing of the complaint stating that the “Adjudicator does not have jurisdiction” to entertain the complaint under Section 43 of ITA 2000.

The reasons stated by Axis Bank for this were:

1. Under Section 43, any “Person” can file a complaint against another “Person”. Here the word “Person” means an “Individual”. GPL is not an individual. Also, Axis Bank is not an individual. They are “Body Corporates”. Hence Section 43 is not applicable.

2. Recognizing the lacuna in Section 43, namely that it was not applicable to Companies, an amendment was brought to the Act to introduce Section 43A.

Despite objections from GPL, the then Adjudicating Officer agreed with the contention of Axis Bank and issued a decision that the complaint could not be entertained by him, since Section 43 cannot be invoked by GPL as it is a corporate entity. He reaffirmed this view in another instance where the complainant was an individual but the respondent was ICICI Bank, which is a corporate entity.

By these two decisions, the Adjudicator created a precedent that “Section 43 cannot be invoked by a Company and cannot be invoked against any Company”. This also applied to partnership firms and associations of persons.

GPL submitted a request for review immediately, within two days of the decision, on 29th December 2011. The review was kept pending by the Adjudicator.

In the absence of a review of the said order of 27th December 2011, no cyber crime victim in Karnataka could approach the Adjudicator under Section 43. Since Section 43 is directly linked to the definition of offences under Section 66, if a Company cannot be considered as part of Section 43, it could not be part of Section 66 either. (Please see Section 43 and Section 66 here.) Under Section 61 of ITA 2000/8 the Adjudicator has the sole jurisdiction for any claim for damages up to Rs 5 crores. The Civil Judiciary therefore believes that any claim for damages arising from contravention of any of the provisions of ITA 2000/8 falls under the sole discretion of the Adjudicator, and would therefore refuse to entertain any such complaints.

The situation was similar to the jurisdictional police station and the Cyber Crime police station bouncing a cyber crime complainant from one to another. There was therefore a void created in the Cyber Judicial System in the state of Karnataka.

Recently the Karnataka Human Rights Commission took suo motu cognizance of the adverse effect of the lack of a Cyber Judicial process in Karnataka and in the month of March 2013 issued a notice to the current IT Secretary of the State to set things right. The current IT Secretary, who holds the Adjudication responsibilities and had the review request in his files, took a legal opinion from the State Law Department and, in accordance with that opinion, cancelled the order of 27th December 2011 and started hearing the complaint once again on 15th May 2013. During the hearing Axis Bank sought time to file a reply and the hearing was adjourned to the next hearing on 31st May 2013.

On 16th May 2013, the vacation judge of the Karnataka High Court considered the writ petition, which challenged the order of the current Adjudicator cancelling the earlier order and deciding to continue the process, and which made several allegations against the IT Department, the Law Department as well as the complainant. The Court issued notices to the respondents, namely the Adjudicator and GPL, for hearing on 27th May 2013. However, the Court routinely approved the request for an interim stay.

The interim stay was on the operation of the new order of the present Adjudicator dated 26th April 2013, which cancelled the earlier order of 27th December 2011 that had held that “No Company has a right to invoke Section 43 and nobody can invoke Section 43 against any Company”.

If on 27th May 2013 the interim stay is not vacated, it would mean that until such time as the Court changes the order in the future, the adjudication order of 27th December 2011 will remain operative and the cancellation will not be effective. This also means that the citizens of Karnataka would be deprived of the human right to the availability of judicial redress in respect of cyber crimes. There would be a conflict between the decision of the Karnataka Human Rights Commission and that of the Karnataka High Court, and the Adjudicator would be sandwiched between the two decisions.

If the Court vacates the Stay and continues hearing the case then the adverse impact of the stay will be prevented.

However, if the High Court proceeds to hear the writ petition, it would be overruling the powers of the Adjudicator as envisaged under ITA 2000/8 and would also be destabilizing the natural process of “Appeal” envisaged under ITA 2000/8. This would mean that the role of the Cyber Appellate Tribunal is irrelevant. In other words, the Karnataka High Court would change the hierarchy of Cyber Judiciary from

-Adjudicator of a State to Cyber Appellate Tribunal to the High Court of the State and then the Supreme Court of India to

-Adjudicator of a state to High Court of the State and then the Supreme Court of India.

The system of the Cyber Appellate Tribunal can therefore be considered redundant, and the ITA 2000/8 provisions will effectively stand amended.

It is not clear if the High Court has this power to cause an effective amendment of ITA 2000/8 by agreeing to continue hearing of the case.

The option where the petition is dismissed and returned to the Adjudicator for continuation would avoid setting the above precedents, which may add to the confusion in the Cyber Law situation in India.

The objective of placing this detailed analysis of the forthcoming hearing is to enable the media to take note of the importance of the case so that they can follow it up.

I wish Mr Arnab Goswami of Times Now, Mr Rajdeep Sardesai of CNN IBN, Mr Rahul Kanwal of Headlines Today, Ms Barkha Dutt of NDTV, Mr Vishweshwar Bhatt of Suvarna News (Kannada) and others from TV 9 (Kannada), Samaya (Kannada), Public TV (Kannada) and other channels to take note. I also invite the attention of the print media such as The Hindu, Deccan Herald, Economic Times, DNA, Deccan Chronicle, Bangalore Mirror, Times of India, Business Standard, Kannada Prabha, etc. to take note.

I request readers who have contacts with these journalists to draw their attention to this article so that they show some interest in the case.

Naavi

Regulating the Ethical Hacking Training in India

The views expressed here and elsewhere on the need to regulate “Ethical Hacking Training” in India have evoked some responses which need to be debated. I will try to present some of these views and my perceptions about them.

Two important points of view that have been raised are as follows:

1. Regulation means one more opportunity for corruption and hurdles for development.
2. More Security education will lead to reduction of cyber crimes and hence no regulation is required.

One of the biggest advantages of regulating ethical hacking education is greater accountability in the industry.

Yes, one more regulation, one more regulator, one more licensing scheme, one more audit power etc. will also open up possibilities of corruption. But even if a few training institutes get valid accreditation despite being ineligible, such people will at least be accountable after some time, through RTI or otherwise. No scam can be hidden for long, as we have seen in recent days.

Secondly, whether more security education will reduce cyber crimes depends on what type of “Security Education” we are talking about.

I agree that teaching a software developer to build security into the software architecture at the design level will help better practices to prevail in the community and enhance the security environment.

Also, I believe that teaching ethics at the graduation level, when the students are at a more impressionable age, is more likely to embed ethical behaviour than teaching it years later, when they have seen the world and tasted money flowing into their hands (in the relative sense).

If ethical hacking training is imparted at an age where people are not willing to easily accept ethical suggestions and are only looking forward to acquiring skills which they themselves will decide how to use, then the probability of misuse is far higher. Since these trainings also distribute ready-made hacking tools, I believe that the risk of misapplication of knowledge is higher.

What could reduce cyber crimes is security education where the curriculum is meant for the Aam Aadmi (the common man), sensitizing him to the dangers that lurk on the Internet and to the security tools he can use to minimize the risks while using web-based services.

This type of training is done mostly by NGOs and self-motivated individuals without the expectation of financial reward, while training for developing fraud skills is done by other companies for profit.

The Government of India needs to invest in “Security Awareness Programs for the Public” and not in financing “Fraud Skills Development” programs.

Hence regulation of Ethical Hacking education, in my opinion, requires serious consideration both at the basic academic level and at the advanced private education level.

Maybe the regulation could also provide that for every ethical hacking trainee trained by a company, 100 members of the public are to be trained in security awareness through schools, colleges and public fora, so that the environment improves, similar to deforestation and reforestation programs.

More comments are welcome.

Naavi

Punjab National Bank Customers at Special Risk

A client of Punjab National Bank in Chennai has reported that the Bank has suspended the sending of SMS alerts for Internet Banking transactions, as is required under RBI guidelines.

The reason is reported to be a malfunction in some software.

If this is a problem in all branches of the Bank, it puts all the customers of the Bank at a serious risk of losing money in cyber frauds.

RBI should immediately take note of the situation and suspend the Internet Banking facility of PNB until the problem is sorted out.

The IT Secretary of Tamil Nadu who is also the “Adjudicator” for the State of TN should suo moto take cognizance of the development which places the citizens of the State at great risk and demand an explanation from the Bank.

I suggest that all customers of PNB walk into their branches and obtain a written confirmation about the availability of the SMS alert system, and if the Bank confirms that the system is not available, the customers should suspend their Internet Banking accounts until the Bank sets its system right. They may also send their complaints to the RBI in this regard.

Naavi

Positive use of Ethical Hacking Skills

While in the long run Naavi.org would like a proper regulatory regime to be set up for regulating Ethical Hacking training in India, it is necessary for Ethical Hackers who have already been trained to be guided properly to use their skills for legal purposes only.

At present, hacking skills can be used only with the written permission of the owner of an Information Asset, who can authorize vulnerability testing of his own systems. Any other form of “Unauthorized Access”, or even an “Attempt at Unauthorized Access” including “Port Scanning”, is not permitted under Indian law and can be prosecuted, with punishment ranging from 3 years to life imprisonment.

If hacking is attempted on foreign government assets there are countries which prescribe even a “Death Sentence”.

No person can give a written authorization to attempt hacking of any system not under his control. For example, an employer cannot try to hack into his employee’s e-mail account without the employee’s written permission. A hacker should not therefore consider a written permission from a company as an all-encompassing authority to hack.

In this context, the trained ethical hackers may feel frustrated that a training for which they paid lakhs of rupees is going unrewarded. Yes, there is an underground mafia of Cyber Criminals and it may be profitable for them to join the mafia and make money. Then, like Sreesanth the cricketer who sacrificed his promising cricket career for short-term enrichment through spot fixing, they may find themselves spending the rest of their time in jail.

Alternatively, I draw the attention of such frustrated souls to http://bugcrowd.com/ (there may be other sites like this). Some of these sites are authorized (please check the authorization, since they may make false claims) by certain system owners to conduct vulnerability testing and reward the persons who find bugs. Those who have the skills should explore such opportunities and avoid being lured into committing Cyber Crimes.

Naavi

Regulating Ethical Hacking Training in India

The recent accusation that a prominent information security training company in India was responsible for releasing into the wild malware that was used for Cyber Espionage against Telenor and also for attacking Pakistani and Chinese web assets has raised an issue of ethics for all security trainers.

Naavi.org has for years been advocating that there should be proper regulation of the training of ethical hackers, since the skills acquired by people during these training programs can be used for committing crimes.

Recently the Government of India announced that India needs 4.7 lakh security experts. Obviously this has created an opportunity for many unscrupulous IT training companies to start what they call an “Ethical Hacking Course”. APPIN itself has created many franchisees and is trying to provide training to hundreds of persons across the country.

Who will undertake the training, and what will they do afterwards? These are areas of concern for society.

If these training companies are not strictly regulated, there will be lakhs of young trained hackers ready to test their skills in the open market. During these training programs trainees also get a “Hacking Kit” and information about online resources. These can become dangerous terrorist training camps in the digital world.

It is the responsibility of IN CERT to immediately take stock of the activities of these companies and put a hold on their activities until a proper system of regulation is evolved.

There is no doubt that we need information security professionals. But we do not need “hackers”. The very use of the term “hacker” mentally indicates to the trainee a status different from that of a “Security Professional”. Just as there is a ban on the use of the word “Bank” by any organization other than licensed Banking institutions, the use of the words “Hacking” or “Ethical Hacking” should be banned in India.

Also, all companies engaged in information security training, other than registered educational institutions such as Engineering and Law Colleges whose curriculum is controlled by regulators such as the AICTE or the Bar Councils, should be subject to scrutiny by IN CERT. If a licensing system is required for this purpose, it should be designed.

All persons who are enrolled in such programs should submit proper ID documents, and the details are to be kept in a central database accessible to the public, who can report any adverse activity of a person. Such a list should be available for employee background checks by companies. INCERT should periodically audit such educational organizations and record their observations. Sample background checks should be done on the candidates.

Once trained and certified, the trainees should submit themselves to lifetime surveillance of their activities by IN CERT. Their employment movements, financial returns and IT activities should all be voluntarily submitted for surveillance by the State.

If any organization or individual does not enter into an appropriate contractual agreement to be monitored (like a person on parole), they should not be allowed to run such courses or take such training.

I am sure that many of my friends in the security profession may express strong dissent against such a move, which appears “Draconian”. I agree that it is draconian. But the consequence of letting loose lakhs of trained hackers on a field already reeling under the growing threat of Cyber crimes is disastrous. It will eventually destroy the Internet and convert it into a Cyber Crime Paradise.

If for this purpose we need to enact a separate law such as a “Cyber Security Regulation Act” on the lines of Banking regulation, and give the powers of regulation to, say, the newly formed National Cyber Security Council, it can be considered.

If this suggestion needs to be countered by the private sector information security education industry, then there is a need for the formation of a similar “Cyber Security Education Regulatory Forum” as a private sector initiative. This should not be left either to NASSCOM or to DSCI. It should be more like TRAI and headed by a person outside the corporate influence which gets reflected in NASSCOM or DSCI.

If APPIN is an affected party in the current controversy, they can consider taking the leading initiative in the formation of such a forum, without putting themselves in a position where they can be accused of influencing the activities of such an academic organization.

I see a parallel between this proposal and the need for the BCCI to set up an independent committee (uninfluenced by BCCI cronies such as Atul Wassan) to monitor betting in the IPL.

On many occasions I have suggested the formation of a “Netizen Protection Forum” as a Netizen initiative and a “Netizen Protection Commission” as a regulatory structure. The same commission can also undertake the responsibility of regulating ethical hacking training.

Comments are welcome.

Naavi

IPL betting

The entire country is crying hoarse about the havoc betting is playing on the IPL. The power of money available through betting influences spot fixing and probably even match fixing. This is a logical development and there is no surprise here. However, some are still arguing for legalizing betting.

While we consider that betting is illegal in India, there is a website, http://www.iplbet.com/, which is providing online betting options. There is also a list of bookies and offers.
In India, except for Goa and Sikkim, betting in any form is illegal. Viewers are advised to refrain from using the site, particularly if they are citizens of India.

Naavi