In continuation of the report of the incident of illegal blocking of Naavi.org on 17th January 2021, I would like to inform the readers of Naavi.org that Union Bank of India has expressed regrets for the incident. A senior executive of the Bank called yesterday evening to express his regrets on behalf of the Bank.
However, so far there has been no response from RSA.COM.
I have therefore raised a complaint with CERT-In today as follows:
The Director General
Subject: Complaint against RSA.COM, wherever they are located
I write to report an incident of security breach caused by RSA.COM and request you to investigate the same and take action under Section 70(B) of ITA 2000.
It is understood that Union Bank of India, an Indian public sector bank, has engaged the services of RSA.COM for certain cyber security related services, under terms of contract which are not known.
However, on 15th January 2021, RSA.COM caused the website www.naavi.org to be interrupted through a false accusation and notice sent to M/s Square Brothers Info Tech (P) Ltd (squarebrothers.com), which is the hosting company for naavi.org. As has been explained in the article which was accused of containing a phishing link, I had alerted Union Bank that if they do not take corrective action, the erstwhile Internet banking URLs of the merged banks could be used for phishing. This was a sort of alert which normally should be given by CERT-In.
In the notice sent to the service provider, RSA.COM however made unsubstantiated and defamatory statements about the website www.naavi.org, which has an impeccable history of over 20 years as the custodian of Netizens' interest in India. The take down demand accused that the website www.naavi.org was “Fraudulent”, “Fake” and “Hosting a phishing link”. The notice was so drafted as to create panic in the minds of the service provider and force them to take down the website.
I however record that after my complaint, the service provider (Squarebrothers.com) restored the service quickly.
However, the action of RSA.COM needs to be investigated and necessary counter action has to be taken by CERT-In to prevent recurrence of such events to other website owners in India.
The action of RSA.COM was arbitrary and caused a “Denial of Service” under Section 43 (f) of ITA 2000 and an offence under Section 66.
Further, the notice sent by RSA to my service provider was a violation of Section 69 of ITA 2000 since it did not follow the due process indicated therein.
As the owner of the website www.naavi.org, I demand that action be taken against RSA.COM under the powers available with CERT-In under section 70(B) of ITA 2000.
In particular, I would like to know:
1. Why are Indian Banks allowed to obtain services from such foreign agencies which involve sharing of sensitive personal information of Banks? Does it not violate the Data Localization requirement of RBI?
2. Does RSA.COM have any accreditation with CERT-In as a reliable security agency?
3. Do they have a system to analyze a phishing complaint before they issue take down orders on service providers?
4. Are they authorized to issue such “Orders”, as per the decision of the Supreme Court of India in the Shreya Singhal case?
5. Have they reported this as an “Incident” to either RBI or to you?
6. Does the contract between Union Bank of India and RSA.COM incorporate any indemnity clause to protect the Bank against legal action arising out of such reckless action by RSA.COM, since their action exposes Union Bank to legal liabilities?
7. Does the contract between Union Bank of India and RSA.COM provide for jurisdiction of Indian Courts and application of laws in India?
8. You can observe from the notice of RSA.COM that they are demanding certain data arising out of the incident. Under what law are they entitled to the data even if it has been collected through phishing?
I request CERT-In to issue a circular to all service providers in general that:
a) Companies like RSA.COM do not have any authority to issue a demand for take down of any web service, and such requests should be considered valid only if they are a “Verified” order from a “Competent Court in India”; nor do they have any right to ask for customer data to be shared.
b) Service providers receiving such requests should be guided by a policy for addressing such take down requests, which should normally come from the Courts or, in an emergent situation, from CERT-In. Private companies should in no circumstance be allowed to exercise judicial powers in the manner RSA.COM has done in this instance.
c) The policy (“Take down of services Policy”) should ensure that the service provider checks if the allegation is true and that a show cause notice is issued to the owner of the web asset which is sought to be removed before taking further action.
d) In all such cases a report should be shared with CERT-In.
In the instant case, I have received an expression of regret from Union Bank of India and profuse apologies from the service provider, who also restored the service quickly. However, so far no response has come from RSA.COM.
CERT-In failed to intervene when Net4India customers were denied access through a wrong order from the NCLT. I wish CERT-In will not fail again to act in this case against RSA.COM.
I hope to receive a confirmation of the action taken. The Indian security community will be eagerly looking forward to the response from your end.
I am looking forward to the action to be taken by CERT-In.