GMail must change its policies of e-mail delivery

At a time when MeitY is finalizing the rules to be notified under DPDPA 2023, we need to flag some erroneous practices of e-mail providers and domain name registrars that give rise to cyber security concerns under the false pretext of “Privacy”.

It is well known that WhoIs data of domain name registrants is mostly blocked under the pretext of “Privacy”, which prevents, or at least delays, any investigation of cyber crimes committed using fraudulent domain names.

Similarly, e-mail providers do not reveal the originating IP address and substitute it with a proxy IP address: for a message composed in a webmail interface, the earliest “Received” header shows only the provider's own mail server, not the sender's device. As a result, any investigation requires the service provider, such as Gmail, to be contacted to learn the originating IP address. The service provider in such circumstances refuses to provide the information, and a long legal process, making the service provider liable under Section 79 of ITA 2000, is involved to get the details.
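The following Python script is an added illustration of what an investigator actually sees in the headers; it is not code from Gmail or any other provider. It walks the “Received” chain of two constructed sample messages (invented hostnames, RFC 5737 documentation IP addresses) and shows that a webmail submission yields only the provider's relay address, while a message submitted from a mail client over SMTP records the client's address in the earliest hop.

```python
"""Walk the Received: chain of a raw e-mail to see what an investigator gets.

Added illustration for this post; not code from any e-mail provider.  Both
messages below are constructed samples: the hostnames are invented and the
IP addresses come from the RFC 5737 documentation ranges.
"""
import email
import ipaddress
import re

# Constructed sample 1: a message composed in a webmail interface.  The
# earliest hop is a "by <provider server>" line with no "from" clause, so the
# sender's own address never appears; the first IP found is the provider's relay.
WEBMAIL_MSG = """\
Received: from mail-out.example-provider.net (mail-out.example-provider.net [198.51.100.25])
    by mx.recipient.example (Postfix) with ESMTPS id 1A2B3C
    for <victim@recipient.example>; Mon, 1 Jan 2024 10:00:05 +0530
Received: by mail-out.example-provider.net with SMTP id abc123
    for <victim@recipient.example>; Mon, 1 Jan 2024 10:00:03 +0530
From: sender@example-provider.net
To: victim@recipient.example
Subject: constructed sample

body
"""

# Constructed sample 2: same provider, but the message was submitted by a
# desktop mail client over authenticated SMTP, so the earliest hop records the
# connecting client's address.  The middle hop is an internal relay whose
# private address is skipped.
SMTP_CLIENT_MSG = """\
Received: from mail-out.example-provider.net (mail-out.example-provider.net [198.51.100.25])
    by mx.recipient.example (Postfix) with ESMTPS id 4D5E6F
    for <victim@recipient.example>; Mon, 1 Jan 2024 10:00:05 +0530
Received: from internal-relay.example-provider.net ([10.20.0.5])
    by mail-out.example-provider.net with ESMTP id def456; Mon, 1 Jan 2024 10:00:04 +0530
Received: from [203.0.113.7] (dsl-203-0-113-7.isp.example [203.0.113.7])
    by smtp.example-provider.net with ESMTPSA id xyz789; Mon, 1 Jan 2024 10:00:03 +0530
From: sender@example-provider.net
To: victim@recipient.example
Subject: constructed sample

body
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def received_hops(raw):
    """Return the Received: headers earliest hop first.

    Each relay prepends its own line, so the last header in the message is the
    first hop the message took.
    """
    msg = email.message_from_string(raw)
    return list(reversed(msg.get_all("Received") or []))


def hop_source_ip(hop):
    """Return the routable IPv4 address in the 'from' clause of one hop, or None.

    A line that starts with 'by' has no connecting host at all: the relay itself
    injected the message, which is what a webmail submission looks like.
    """
    m = re.match(r"\s*from\s+(.*?)\s+by\s+", hop, re.S)
    if not m:
        return None
    for cand in IPV4_RE.findall(m.group(1)):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:
            continue
        if ip.is_loopback or ip.is_link_local or any(ip in n for n in PRIVATE_NETS):
            continue
        return str(ip)
    return None


def originating_host(raw):
    """Classify the earliest routable source address found in the chain.

    ("client", ip)         - the first hop itself carries a client address
    ("provider-relay", ip) - the first hop was injected by the provider; the
                             first address visible is the provider's own relay
    ("unknown", None)      - no Received: headers or no routable address
    """
    for index, hop in enumerate(received_hops(raw)):
        ip = hop_source_ip(hop)
        if ip is not None:
            return ("client" if index == 0 else "provider-relay"), ip
    return "unknown", None


if __name__ == "__main__":
    # Caveat: only the Received: line added by the recipient's own server is
    # trustworthy; any earlier line could have been forged by the sender.
    for label, raw in (("webmail", WEBMAIL_MSG), ("smtp client", SMTP_CLIENT_MSG)):
        print(label, originating_host(raw))
```

The practical caveat for an investigator is in the last comment: a sender can insert fake “Received” lines before handing the message to the provider, so the only hop that can be trusted without the provider's cooperation is the one written by the recipient's own server.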

The e-mail service providers also cite “Privacy” as the reason for withholding the information.

We need to point out that “WhoIs” information concerns maintaining a domain name visible to the public and posting content of any type, which may include legal and illegal activities. This is not a “Personal” activity; it has to be classified as a “Publishing” activity and a “Business”. As a result, the concept of “Privacy” of an individual under the “Right to Privacy as a fundamental Right” does not apply to domain name registration.

Hence MeitY has to declare that all Domain Name Registrars are “Intermediaries” under ITA 2000 and that the practice of hiding the name and address of registrants is unacceptable. Further, registration of any domain name under a false name is an act of “Impersonation” which violates ITA 2000 as well as DPDPA 2023, and hence makes the registrar liable for any crimes committed with the publication.

As part of the “Due Diligence” of Domain Name registrars, Government should issue a notification declaring that registrars are required to verify the e-mail address and mobile number of the Registrant, Admin and Technical contacts of every registered domain name. In the event that any of the details provided are “False” and the fact is brought to the notice of the registrar, the domain name must immediately be notified for de-activation within 48 hours, and if no response comes forth from the registrar or the registrant/admin contact of the domain, the domain must be suspended.

Similarly, service providers like Gmail need to accept that the “Recipient” of an e-mail, particularly if he is also using a Gmail ID, is a customer of Google, and if the sender of an e-mail is a fraudster or a terrorist, Gmail has no business assisting such a fraudster or terrorist to hide his originating IP address and use the services in a manner which constitutes an “Offence”.

Hence, under Section 79 due diligence, MeitY has to issue a notice to Google that for all Gmail recipients, Gmail should either drop the substitution of the originating IP address or introduce one-click access to the originating IP address from the menu bar of the e-mail inbox.

The same procedure should be made mandatory for all e-mail service providers, including Proton Mail and other service providers who are assisting criminal syndicates around the world to commit cyber crimes with impunity. Service providers like Proton Mail, as well as Topmail, which served the terror threat e-mails to Bangalore schools recently, must be declared “Terror Abettors” and charged accordingly under anti-terror laws. Such services need to be blacklisted and blocked under Section 69A of ITA 2000.

There are no “Free Speech” rights for criminals who use e-mail as a tool of threat and of spreading fear in the community with bomb threats under a fake ID, and this must be made known to all service providers.

India being a country ruled by the Supreme Court, any directions in this regard by MeitY as the executive wing of Governance, or even by Parliament as the legislative wing of Governance under the Constitution, will be challenged in the Supreme Court. Hence, in the end, it would be the responsibility of the Supreme Court to determine what is more important: the rights of a criminal or the rights of a victim/potential victim of a cyber crime. Let the Supreme Court take responsibility for the prevention of cyber crimes through its decision.

It is unfortunate that law enforcement often does not initiate action against e-mail service providers; this emboldens them to indulge in such activities and claim protection under “Privacy”.

After the recent CERT-In guidelines, many of the VPN service providers who did not want to abide by Indian laws have moved out of India. This is more of a loss to them, though it is also a small irritant to many genuine users of the service.

India today has e-mail and chat services such as LedgerMail or LedgerChat which are replacements for Gmail and WhatsApp, providing both security and privacy, and more such “law-compliant secure e-mail providers” will come up in India to replace Proton Mail and others.

The suggestions made here on invoking ITA 2000/DPDPA 2023 may also raise objections, including from Google/Gmail, who are perhaps drafting the DPDPA 2023 rules on behalf of MeitY in the back rooms, but in the interest of the cyber security of India, Government must introduce the recommended measures.

I request MeitY, CERT-In and NIXI to take the necessary measures.

Naavi

Posted in Cyber Law

Rs 820 crore fraud in UCO Bank IMPS system busted

The CBI has successfully investigated a fraud in UCO Bank in which two support engineers manipulated the IMPS system, resulting in credits to accounts without a corresponding transfer of money from the sending bank to the receiving bank.

See the report in The New Indian Express.

The fraud involved 8.53 lakh transactions resulting in credits to the accounts of customers. Some of them, either knowingly or unknowingly, withdrew the amount. Most of the amount has since been recovered.

However, the incident, which could be a sophisticated fraud or a technical glitch, needs to be taken seriously by security experts, and remedial measures are required to be taken.

If the fraudsters had later withdrawn the money and transferred it into the fraudster's account, as happens with many phishing credits, the account holder would be accused of money laundering and his account would be frozen, even if the balance is more than the disputed amount. In many such instances, innocent customers are left with frozen accounts for reasons they are not aware of.

One reason why even genuine customers may not be able to recognize a wrong credit is that today's technology bankers do not provide a full description of the transactions in the account. They only provide a transaction code which only they can decipher. It is important that, as in the manual banking era, the description of a credit should indicate the source account number and name of the sender along with any purpose indicated by him, all of which are captured at the sender's end.

The least the Banks can do is to ensure that if the recipient clicks on the credit entry, the transaction ID is deciphered and the details provided without the need to raise a help ticket.

RBI should work on this technology change to prevent blaming genuine customers who, without knowing the nature of the false credit, may withdraw the money in due course.

I request ReBIT to work on this updation of banking software in consultation with the CBS software developers.

This incident falls within the “Jago Regulator Jago” campaign that we have been highlighting, since it has become a fashion to introduce technology with inadequate security and then blame the public for the consequences.

It is an established principle of law that if a Bank customer has innocently altered his position relying on the balance shown in his passbook, the money can only be recovered without coercion. If the amount is several lakhs, it may be possible for the customer to realize that it was an erroneous credit. But if it is a few thousand, many customers may not think it is a wrong credit. They may think that it is arrears of pension or something similar. Hence it would be wrong to blame them for misappropriation if they have withdrawn the balance. In such cases the “Negligence” of the Bank should be punished. If any account has been frozen in such cases, compensation should be paid to the customer for the inconvenience caused.

If any cheques are dishonoured in the process, it has to be treated as “Wrongful Dishonour” and the Bank should pay compensation.

We hope RBI makes the necessary changes to the account rules in this regard.

Naavi

Posted in Cyber Law

DigiLocker has introduced “Nomination”

DPDPA 2023 has introduced “Nomination” as a right of a data principal. In two previous articles we have discussed certain aspects of nomination:

Why Privacy cannot survive the death of an individual?

Relationship between IPR and Privacy

It is now observed that DigiLocker has already introduced the system of “Nomination” in its application. While the DigiLocker mobile app has a “Privacy Policy” which does not seem to have been updated since March 14, 2017, and refers mostly to the DigiLocker portal, the privacy policy on the website is undated. There is no reference to “Nomination” in the Privacy Policy or the Terms and Conditions. However, nomination has been introduced as a new link in the App some time back.

The nomination link leads to a form which collects the name, e-mail address, mobile number and Aadhaar number of the nominee.

DigiLocker being an entity of MeitY, this method may be considered a “Precedent” for other Data Fiduciaries collecting nominations.

This however raises two issues.

Firstly, the issue is whether DigiLocker should have provided for collection of the Virtual ID (VID) instead of the actual Aadhaar number.

Secondly, as in the Truecaller case, it is a moot point whether the DigiLocker owner/registrant has the right to disclose the Aadhaar number of the nominee. The possibility of stretching the non-applicability clause in DPDPA 2023 for “personal or domestic purpose” to the declaration of the nominee's information is also a matter to be explored.

It is noted that there is no notice to the nominee that he is being designated as the nominee and that his personal information has been provided to DigiLocker. There is not even an OTP request to the nominee so that he remains informed.

Under DGPSI, if a similar system has to be introduced, it is recommended that only the e-mail address and mobile number of the nominee be collected, and that the request for the Virtual ID be sent by DigiLocker directly to the nominee. The disclosure of the e-mail address or mobile number is less sensitive, and the notice may perhaps be considered reasonable compliance for the use of these identity parameters.

A better technical method would be to enable a real-time check for permission to be recorded as a nominee at the time of registering the nomination, through an API which can be initiated by the registrant without revealing the e-mail address or mobile number to the service provider. On receipt of permission, the service provider may initiate the identity verification process by directly contacting the nominee for the Virtual ID, or by other means such as an OTP. In the meantime the nomination request may be kept pending.
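As an added illustration of the flow proposed above (not DigiLocker's code), the following Python sketch keeps a nomination pending until the nominee confirms with an OTP sent directly to them, and only then asks the nominee for a Virtual ID; the registrant never sees more than the status. The class and method names, the 6-digit OTP, its ten-minute validity, the three-attempt limit, the 16-digit Virtual ID format check and the sample contacts are all assumptions.

```python
"""Nomination kept pending until the nominee consents, as proposed above.

Added illustration for this post; not DigiLocker's code.  The class and
method names, the 6-digit OTP, its 10-minute validity, the 3-attempt limit
and the 16-digit Virtual ID format check are all assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

OTP_DIGITS = 6            # assumed
OTP_TTL_SECONDS = 600     # assumed
MAX_ATTEMPTS = 3          # assumed


def is_virtual_id(value: str) -> bool:
    """Accept only a 16-digit Virtual ID; a 12-digit value is Aadhaar-length and refused."""
    return value.isdigit() and len(value) == 16


def _otp_hash(nid: str, otp: str) -> bytes:
    # Store a hash rather than the OTP.  The small OTP space is protected by the
    # attempt limit and the expiry, not by the hash alone.
    return hashlib.sha256(f"{nid}:{otp}".encode()).digest()


@dataclass
class Nomination:
    registrant: str
    nominee_contact: str             # e-mail or mobile only, never an Aadhaar number
    otp_hash: bytes
    otp_expires: float
    status: str = "PENDING"
    attempts: int = 0
    nominee_vid: Optional[str] = None


class FakeClock:
    """Controllable clock so that expiry can be exercised offline."""
    def __init__(self, now: float = 1_700_000_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


class NominationService:
    def __init__(self, send_message: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self.send_message = send_message     # delivers a text to the nominee's contact
        self.clock = clock
        self.nominations: Dict[str, Nomination] = {}

    def request_nomination(self, registrant: str, nominee_contact: str) -> str:
        """Registrant supplies only a contact; the service itself notifies the nominee."""
        nid = secrets.token_hex(8)
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.nominations[nid] = Nomination(registrant, nominee_contact,
                                           _otp_hash(nid, otp), self.clock() + OTP_TTL_SECONDS)
        self.send_message(nominee_contact,
                          f"{registrant} wants to record you as nominee. To consent, reply with code {otp}")
        return nid

    def confirm(self, nid: str, otp: str) -> str:
        """Nominee's consent: status moves to CONSENTED only on a valid, timely OTP."""
        nom = self.nominations[nid]
        if nom.status != "PENDING":
            return nom.status
        if self.clock() > nom.otp_expires:
            nom.status = "EXPIRED"
            return nom.status
        nom.attempts += 1
        if not hmac.compare_digest(_otp_hash(nid, otp), nom.otp_hash):
            if nom.attempts >= MAX_ATTEMPTS:
                nom.status = "REJECTED"
            return nom.status
        nom.status = "CONSENTED"
        # Identity proof is requested from the nominee directly, not via the registrant.
        self.send_message(nom.nominee_contact, "Consent recorded. Please submit your 16-digit Virtual ID.")
        return nom.status

    def decline(self, nid: str) -> str:
        nom = self.nominations[nid]
        if nom.status == "PENDING":
            nom.status = "DECLINED"
        return nom.status

    def provide_vid(self, nid: str, vid: str) -> str:
        nom = self.nominations[nid]
        if nom.status != "CONSENTED":
            raise ValueError("Virtual ID accepted only after the nominee has consented")
        if not is_virtual_id(vid):
            raise ValueError("expected a 16-digit Virtual ID, not an Aadhaar number")
        nom.nominee_vid = vid
        nom.status = "CONFIRMED"
        return nom.status

    def registrant_view(self, nid: str) -> str:
        """The registrant learns only the status, never the nominee's identifiers."""
        return self.nominations[nid].status


def demo() -> str:
    """Run the happy path end to end and return the final status."""
    sent = []
    svc = NominationService(lambda to, text: sent.append((to, text)), clock=FakeClock())
    nid = svc.request_nomination("registrant@example.in", "+91-9800000000")  # constructed contacts
    otp = sent[-1][1].split()[-1]                     # what the nominee received
    svc.confirm(nid, otp)
    return svc.provide_vid(nid, "1234567890123456")   # constructed VID


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the OTP is compared with `hmac.compare_digest` and stored only as a hash, and a wrong code leaves the nomination in PENDING until the attempt limit turns it into REJECTED, so a registrant cannot confirm on the nominee's behalf by guessing.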

A sample nomination form has been created for FDPPI which incorporates the definition of the role of a Nominee and his relationship with FDPPI. This is an important jurisprudential observation and is open for debate.

(Comments welcome)

Naavi

Posted in Cyber Law

Being Lawful is the first requirement of DGPSI

One of the requirements of DPDPA 2023, as a law on digital personal data compliance, is that personal data shall be processed only for a lawful purpose. Hence it is a compliance requirement that a Data Fiduciary adopt the necessary measures to ensure that all its employees remember that “Making Profits” is only a goal secondary to “Being Lawful”.

In terms of compliance, the Board should establish the norm through a resolution mandating DPDPA 2023 compliance, stating that the organization shall take such measures as are required to be compliant with all laws of the land in its activities.

At the operational level, the compliance specification would require that all “Project Managers” who prepare new project proposals, whether in Business, R&D, Finance etc., add an assurance that the “Project proposal is within the legal boundaries of all applicable laws”.

For this purpose, adherence to laws such as ITA 2000 becomes mandatory for DPDPA 2023 compliance. If the new IPC (Bharatiya Nyaya Sanhita 2023), the Telecommunications Act 2023 or the new Evidence Act (Bharatiya Sakshya Adhiniyam 2023) has any provisions applicable to digital personal data, they shall also be complied with as part of DPDPA 2023 compliance.

Naavi

Posted in Cyber Law

Let DGPSI be a symbol of Compliance

DGPSI, or Data Governance and Protection Standard of India, is an approach that follows the principles of compliance indicated in DPDPA 2023.

Compliance with DGPSI means being in compliance not only with DPDPA 2023 but also with ITA 2000 as well as the BIS standard for Data Governance.

Just as Lord Rama is a symbol of Good Governance, DGPSI endeavours to be the symbol of a Good Compliance Framework that towers over other compliance frameworks.

Our next physical program is at Pune on 6th January 2024.

Watch out for DGPSI training sessions in your city or online. Contact FDPPI at fdppi4privacy[@gmail.com]

Naavi

Posted in Cyber Law

Welcome 2024 with the emergence of the Ayodhya Rama Mandira

We wish all visitors of Naavi.org a very happy and prosperous new year. At the same time, we welcome the emergence of the Ayodhya Rama Mandira in Bharat.

In the last few months of 2023 we saw a spate of new laws being passed, including DPDPA 2023, which is of direct interest to the Data Protection community. The new Criminal Code, IPC and Evidence Act are also very significant and are connected with DPDPA 2023 and ITA 2000. Probably in 2024 we may see the rules under DPDPA 2023 being notified, a new ITA 2000 being introduced and many other laws such as the Broadcast Bill being passed. Let us watch the legal space as it develops.

Naavi

Posted in Cyber Law