mouthshut.com challenges ITA 2008 rules

The Intermediary rules under Section 79 of ITA 2008 have been repeatedly used by parties to get adverse content on the internet removed without appropriate procedures. The problem has been the interpretation that an Intermediary is bound to take down content objected to by a party within 36 hours.

As a result of these rules, many websites have been bombarded with notices for removal of objectionable content. Websites such as mouthshut.com are primarily meant for expressing consumer grievances and have been useful to general consumers looking for information on various products and services. It is also true that sometimes the comments posted on the site may hurt the business interests of the companies whose products are criticized. There could also be cases where adverse comments are posted by competitors, while companies may also post self-serving reports. However, buyers can try to understand the strengths and weaknesses of products by browsing through the various comments.

There are also many instances of companies responding to the adverse comments of consumers on mouthshut.com.

In totality, therefore, a website like mouthshut.com is an instrument of “Consumer Protection” and deserves encouragement.

However, knowing the way some companies function and the threatening legal notices that lawyers can draft, it is not difficult to imagine the problems that mouthshut.com must be facing. More importantly, the Police, who may not understand law and who can be manipulated by the companies and their lawyers, have the potential to unnerve the employees of mouthshut.com.

It must however be reiterated that Naavi.org has always been stating that Section 79 rules only indicate that “Action should commence” within 36 hours on grievance redressal. Such action need not start with the removal of the objectionable content unless there is a valid Court order for removal of content. This aspect was specifically clarified recently by the Government. (See here)

It is however essential for an intermediary like mouthshut.com to have a good grievance redressal mechanism on the site. At present a suitable system is not in place. According to the rules, the grievance redressal mechanism needs to be activated within 36 hours of the receipt of complaint.

It appears that mouthshut.com has now approached the Supreme Court for the rules to be struck down. (See medianama report here). The cause of action cited is that it amounts to “Censorship”. However, in the view of Naavi.org, “Censorship” rights cannot be presumed under the rules. The clarification of the government on 18th March can be used as a defense against the petition. Hence, though the petition is based on a genuine grievance, the grounds on which the remedy has been sought are incorrect.

Naavi.org has been repeatedly highlighting that when such petitions are made to Supreme Court under wrong pretences, the Court may be forced to reject the petition. The media which has highlighted the petition now as a “Challenge to ITA 2000 Rules” will also highlight that “Challenge has been dismissed”. This will give a wrong impression to the public that the Supreme Court has upheld the validity of the rule though the Court might have dismissed it for some other technical reasons. This is more harmful than leaving the rule as it is since such media reports will be taken as a vindication of the erroneous stand that may prevail now.

In such a scenario, many of the smaller websites which may be facing problems similar to what mouthshut.com is representing may have to shut down their business.

If, however, the Supreme Court goes beyond the technicality of whether Section 79 rules do in fact represent censorship or not and provides a positive assertion that “Expression of grievances of Consumers through websites such as mouthshut.com is part of the freedom of expression guaranteed by the constitution and needs to be protected for asserting consumer rights under the Consumer Protection Act”, then there may be a positive impact of the case on the society.

I therefore urge mouthshut.com to include in their prayer such a declaration rather than asking only for the rules to be struck down. To ensure that its plea is strong, mouthshut.com needs to take immediate steps to make its site “Cyber Law Compliant” with appropriate changes to its terms of use.

Naavi

 

Posted in Cyber Law, ITA 2008

Workshop on Safe E Banking

A day long workshop on Safe E Banking is underway at Reserve Bank of India, Bangalore. Mr G.Gopalakrishna, The Regional Director of RBI, Mrs Uma Shankar, Regional Director of RBI at Bangalore has inaugurated the workshop. ED is delivering the Key Note Address. International Institute of Information Technology Law (IIIT Law) is organizing the speakers.

The workshop will discuss the GGWG regulations, the Risk Mitigation guidelines of February 28, 2013 and other regulatory aspects. Naavi, along with several other professionals and Banking security specialists, will participate as speakers.

The event will mark the second anniversary of the issue of the RBI guidelines on April 29, 2011 on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (popularly known as GGWG guidelines).

Naavi

[Detailed Report will follow]

Posted in RBI

Migrating to Adaptive Authentication

Banks in India have been traditionally using the “Legally Non Compliant”, “Password based Authentication” for their E Banking requirements. As a result there are frequent customer-Bank conflicts where the customer demands that Bank should undertake the liability on account of Cyber Frauds while the Banks blame the customer for not securing the passwords.

The RBI, on the other hand, has been urging Banks to improve the authentication methods used by the Banks. Way back in 2001, RBI stated that if Banks do not use Digital Signatures for authentication, they should assume the legal risk for Phishing kind of frauds. They reiterated the same again in 2011 through GGWG (G Gopalakrishna Working Group) recommendations on Information Security.

After the rap on the knuckles received by the S.Umashankar Vs ICICI Bank adjudication verdict, some Banks started thinking of digital signatures as a means of authentication. But most stuck to the passwords and only enhanced it through a mobile based second authentication for certain key elements of transactions.

On February 28, 2013, RBI again issued a set of guidelines for mitigating the risks in both the electronic payment transactions as well as the Payment card transactions. Apart from reiterating the need for using digital signatures at least for RTGS transactions of a certain value, RBI in this guideline has spoken about the need for the use of “Adaptive Authentication Technology”.

Banking in India therefore is on the move from the 2 Factor authentication to a regime where, apart from the multiple factors that contribute to the authentication of an online transaction, the technology of authentication should adapt to the “behavioural pattern” of the customer based on a real time assessment.

This technology should increase the security for the customers, though Banks would grumble as always about the cost of implementation. But since this is the direction in which the global banking is moving, there is no option for Banks but to adopt the “Adaptive Authentication technology” (AAT).

From the user's perspective it should not make any difference. In fact the AAT is expected to be unobtrusive and non interfering. The foundation may still be based in the currently used authentication parameters such as “What the customer knows”, “What the customer has” and “What the customer is”, supplemented with technologies such as the public key encryption etc. But the difference is that the AAT provides a deeper level of security since, based on the transaction parameters, it will invoke additional security measures.

For example, if a person has never used his E Banking account from abroad and there is a debit request from a foreign IP, the system should get alerted and hold the transaction execution until further confirmation is obtained. Similarly, if the amount withdrawn is far in excess of the usual transaction, or the number of transactions within a short time is high (all these are typical occurrences in Phishing transactions), the system should invoke higher levels of security. The higher level of security may be to requisition an additional factor of authentication, including a “Call Referral” where the customer is given a telephonic call in which the voice of the customer may be recognized by the system for authentication.
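The three checks described above can be sketched as a small decision function. This is an added example, not code from the original post or from any RBI or bank document: the thresholds, the `Debit` record and the `assess` function are assumptions, and "never used from abroad" is generalized to "a country not seen in the customer's history".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Thresholds are assumptions for illustration; the post sets none.
AMOUNT_FACTOR = 5            # "far in excess" = more than 5x the customer's median debit
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3           # debits already seen inside the window before stepping up

@dataclass(frozen=True)
class Debit:
    when: datetime
    amount: float
    country: str             # country of the source IP (geo-IP lookup is out of scope)

def assess(history, req):
    """Return (decision, reasons) for debit request `req` given past debits."""
    if not history:
        return "STEP_UP", ["no_history"]     # nothing to adapt to yet
    reasons = []
    if req.country not in {d.country for d in history}:
        reasons.append("new_country")
    if req.amount > AMOUNT_FACTOR * median(d.amount for d in history):
        reasons.append("amount_spike")
    burst = [d for d in history
             if timedelta(0) <= req.when - d.when <= VELOCITY_WINDOW]
    if len(burst) >= VELOCITY_LIMIT:
        reasons.append("velocity")
    # A never-seen country holds the debit until the customer confirms;
    # the other signals ask for an extra factor (OTP, call referral).
    if "new_country" in reasons:
        return "HOLD", reasons
    return ("STEP_UP" if reasons else "ALLOW"), reasons

# Constructed sample: six routine debits from India, one per week.
T0 = datetime(2013, 4, 29, 10, 0)
HISTORY = [Debit(T0 - timedelta(weeks=w), amt, "IN")
           for w, amt in enumerate([2000, 1500, 4000, 2500, 3000, 1800], start=1)]

def demo():
    burst = HISTORY + [Debit(T0 - timedelta(minutes=m), 2000, "IN") for m in (8, 5, 2)]
    return [
        assess(HISTORY, Debit(T0, 2500, "IN")),     # routine
        assess(HISTORY, Debit(T0, 2500, "RO")),     # first debit from abroad
        assess(HISTORY, Debit(T0, 90000, "IN")),    # far above usual amount
        assess(burst, Debit(T0, 2000, "IN")),       # fourth debit in ten minutes
    ]

if __name__ == "__main__":
    for decision, reasons in demo():
        print(decision, reasons)
```

The median is used as the "usual" amount so that one earlier large debit does not raise the baseline and mask a later spike.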

Hopefully Bankers will start adopting this higher level of security soon. Today being the second anniversary of the RBI guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (popularly known as the G Gopalakrishna Working group or GGWG Recommendations), it is the right time for Bankers to take a pledge that they will leave no stone unturned for making Indian Banking Safe. Naavi therefore urges the industry to treat 29th April as the “Safe E Banking Day” and ensure that we remember our obligations and take steps towards protecting the citizens against E Banking frauds.

Naavi

 

Posted in Bank, ITA 2008, RBI, Uncategorized

Banking Ombudsman Scheme under Review

As one of the follow up measures of Damodaran Committee report on Customer Service, RBI has set up a committee to review the Banking Ombudsman scheme. (Refer details here).

Members of the public who have their views on the functioning of the scheme may take this opportunity to pass on their views to RBI.

The Committee set up for review would be headed by Smt. Suma Varma, Chief General Manager, Customer Service Department, Reserve Bank of India, 1st Floor, Amar Building, Sir P.M. Road, Fort, Mumbai-400 001. (Ph: 22630483).

Naavi

Posted in Bank

Banks can be fined upto Rs 1 crore for violating RBI regulation

The Banking Regulation Act amendment Act 2012 which was recently passed by the Parliament has now become effective. (See PIB Press Release). It amends several provisions of the Banking Regulation Act 1949.

Some of the amendments are directed towards new Branch licensing , raising of capital, voting rights etc.

The Act will

a) Increase the powers of RBI to regulate the erring Banks

b) Provide greater freedom for public Banks for mergers, capital issue etc

c) Increase voting rights

What is of specific interest to the general public are the following amendments

1. Depositor Education and Awareness Fund

A new section 26A has been introduced in the Act which provides for setting up of a “Depositor Education and Awareness Fund” to which the balances in inoperative accounts, that is, accounts not operated upon for 10 years, would be transferred. (These can be claimed back by genuine depositors even after the period.) The fund may be utilized for purposes which RBI may specify from time to time in “Depositor’s interest”.

2. Increased Fine for Non Compliance

Further for various kinds of violations under the Act the fines that RBI may impose have been substantially raised. The maximum penalty which was Rs 5 lakhs at present has been increased to Rs 1 crore.

This development is considered good for the industry since it has been found in recent days that the regulations of RBI addressing depositor’s interests were being repeatedly ignored by some Banks.

In recent days “Money Laundering”, which generally means “Facilitating the use of Banking services for criminal funds”, has been indulged in by Banks as a matter of general policy of business promotion. A sting operation recently exposed such activities in ICICI Bank, HDFC Bank and Axis Bank.

This Business Standard article advocates that fines upto Rs 1 crore may be imposed for KYC failures.

Naavi.org has been discussing how KYC failures are the essential ingredients of any Bank fraud and need to be curtailed with heavy fines. We have also pointed out how most of the losses of Depositors arising out of Phishing Frauds could be met out of collection of fines on KYC failures at the maximum rate of Rs 5 lakhs per failure if a fund is created for the purpose of insuring the depositors against such losses.

It appears that the scope for creation of such funds has now increased with the above amendment.

RBI may now examine if under the amended Banking Regulations Act, it may create a suitable “Electronic Banking Fraud Protection Fund” from out of a corpus built from the fines collected out of KYC failures observed during encashment of any phishing frauds. The suggestion is that while the Banks can pursue the legal means of locating the offenders and recovering the money from them, the victims must be reimbursed the amount of loss immediately from out of such funds. The payments can be considered as a loan to the Bank and suitable interest may be charged.

The fund may absorb losses arising out of cases where the offenders are not apprehended and money becomes irrecoverable, in which case the loan already raised in the name of the Bank is written off. In other cases, recovered money may be reimbursed to the fund.

The initial fund may be started with a corpus created out of contributions from member banks based on their deposits like the fees payable under DICGC or ECGC schemes.

Naavi

 

Posted in Bank, ITA 2008

Can Minors open Facebook account?

For the regular users of Facebook or Google, the question whether minors can open an account appears funny. But this is precisely what the Delhi High Court has asked the Indian Government in a PIL. (Details here). It would be interesting to know how Government of India will respond. Facebook and Google are also respondents to the case and their reply is also to be made in the next 10 days.

It is well known that minors constitute a large part of Facebook users and their business model thrives on the activity of these minors who seek friends and post messages of all kinds.

During the registration, Facebook asks for the date of birth and gives an explanation why the date of birth is asked, with the following pop up message.

“Providing your birthday helps make sure you get the right Facebook experience for your age. You can choose to hide this info from your timeline later if you want. For more details, please visit our Data Use Policy.

Not creating a personal account? If you’re here to represent your band (Sic), business or product,  please create a Facebook Page.”

There is also a page on “Minors and Safety” which states as follows:

“We take safety issues very seriously, especially with children, and we encourage parents to teach their children about safe internet practices. To learn more, visit our Safety Center.

To protect minors, we may put special safeguards in place (such as placing restrictions on the ability of adults to share and connect with them), recognizing this may provide minors a more limited experience on Facebook.”

There is therefore a clear admission from Facebook that accounts can be opened by minors and, except for the warnings, no other preventive measures are taken by Facebook to block minors.

It is also not easy to accept an argument that minors should be barred from using Facebook because they cannot enter into a valid contract and agree to terms and conditions.

The fact is that even adults do not have a valid contract for opening the accounts either with Facebook or Google since Indian law does not recognize the “Click Wrap Contracts” represented by the “I Agree” kind of acceptances which these websites use.

At the same time Facebook is not concerned since it does not have any financial stake if minors use the account.

From the perspective of technology development, it is also undesirable to say that a person has to be of 18 years of age to use the Facebook. At a time when 16 year olds commit rapes and murders it is ridiculous to suggest that minors cannot use technology devices such as Facebook and Google. In fact today’s 16 year olds are more techno savvy than many older people. It will therefore be a regressive step to expect that minors cannot use social media or Google.

In fact, the Indian Majority Act itself is in need of change with the age of majority to be brought down from 18 to 16 for the contractual and CrPC purpose. The Internet use should be available under parental supervision from at least 12 years onwards.

I remember that earlier Yahoo used to get parental consent for opening accounts of minors above 13 years of age. Today a Yahoo mail account can be opened using a Facebook ID or a Google ID. Hence at present even Yahoo appears to have diluted the norms of providing service to minors.

Keeping the earlier practice of Yahoo, solutions can be found to this issue which both Facebook and Google can adopt which may satisfy the concerns of the Court without affecting their business interests to a significant extent.

It would be interesting to see how these companies now respond to the Court’s order.

Even when this issue of social media is being discussed, one can also raise the issue of whether minors can use mobile phones because mobiles also are individual communication devices though SIM cards or handsets can be owned by adults.

Naavi
Posted in ITA 2008, Uncategorized