G Gopalakrishna Working Group Report notified
May 1: RBI has notified Banks on information security guidelines in
e-Banking based on the G Gopalakrishna working group report. It would be
interesting to analyze the RBI notification in comparison with the
original report and its recommendations. Naavi.org will provide its
views in due course.
Has MCIT issued the guidelines without proper evaluation?
April 30: I would like to bring to
the notice of the Central Vigilance Commission and the Comptroller and
Auditor General of India an apparent irregularity that needs
investigation in the interest of the Country. The issue involves,
according to one estimation, a decision proposed to be taken by the
Ministry of Communications and Information Technology resulting in IT
stakeholders collectively spending Rs 700 crores immediately by a
payment to a private party abroad just to know what the law of
information security in India that applies to them is. Stakeholders who
want to comply with the law later may collectively be required to spend
around Rs 30000 crores each year to follow the law as being notified, and
this commercial benefit is again going to the private sector because of this
notification.
There is therefore a need
to stop the approval of the proposed notification until a national
debate is undertaken in the matter and all stakeholders are convinced
that there is no reason to suspect irregularity in the promotion of a
commercial benefit of this magnitude.
Draft Rules for Sec 43A, 79 and Cyber Cafes finalized?
April 30: The draft rules proposed under ITA 2008 under sections
43A, 79 and for Cyber Cafes seem to have been finalized. Unfortunately
the department seems to have stuck to its earlier version which was sent
for public discussion, and the suggestions of the public seem to have been
completely ignored. Naavi.org has been particularly critical about the
adoption of ISO 27001 as the necessary and sufficient criterion for
compliance with "Reasonable Security Practices", which is considered
incorrect since the framework is proprietary, not available in the public
domain without a cost, and grossly inadequate. The department has
accepted in a communication to Naavi that no study has been made by the
department on the impact of adopting ISO 27001 as the statutorily
approved framework and the financial implications of the same on
India as a country.
In the light of this admission, it is strange that the department has
ignored the issues raised by Naavi (Ref:
Is India selling itself out to ISO 27001?).
Banking Ombudsman Orders payment in Bank fraud case
April 27: In another instance of a bank fraud involving unauthorized
debit, on the advice of the Banking Ombudsman in Mumbai, Punjab National Bank
has refunded a sum of Rs 184980/- to the customer. The letter from the
Bank requests the customer to drop/delist his complaint. It is not clear
if the incident will reflect in the Banking Ombudsman's report or would
be hidden from the public as "Complaint withdrawn". We also need to wait and
see if Punjab National Bank has reported this incident in its
annual report for the period ending March 31, 2011. If not, we need to
check what the RBI policy is regarding the reporting of such security breach
incidents.
Indian Judiciary needs to act differently
April 27: The NY Times has commented on the recent developments in India
on Internet Censorship. The Center for Information Society, Bangalore
recently published a list of 11 websites that have been blocked by the
Government of India (See
article). According to the report, instructions for blocking of the
sites were issued by CERT-In based on some Courts' judgments. What
the report however fails to highlight is that some of these so-called
judgments, based on which CERT-In passed the blocking orders, were
"interim orders" pending hearing of a complaint. At least in one case
information is available to suggest that the defendant was not given due
notice to appear, and still the Court passed an interim order until the next
hearing that the site be blocked. It is observed that many advocates
misuse the provision of "Interim orders" to get favourable judgments, at
least in the short term. The fault however lies in the system, where
judicial proceedings are generally delayed and any interim order is good
enough for a few months and in some cases for a few years. It is
necessary for the Chief Justice of India to look into each of the 11
cases referred to in the
article of CIS and determine how many of them are the result of due
process of law.
IBA and RBI need to take note of MCA Advice
April 27: The Circular
issued by the Ministry of Company Affairs on the use of e-mails for outward
communication such as AGM notices etc. is a matter which needs to be
taken note of by Banking institutions, including the regulator, RBI,
and the industry forum, IBA. The circular makes a
direct reference to Section 5 of the ITA 2008, indicating the need for
digital signatures to be used for authentication of e-mails. RBI
initially, in its Internet Banking guidelines of June 14, 2001, had
clearly mentioned that PKI based authentication systems must be adopted
by Banks for their e-banking operations. Though this was not specific as to
whether digital signatures should be used for e-mails or for account
transactions, it was clear that wherever electronic documents need to be
authenticated, the PKI system as required under ITA 2000 was to be adopted,
failing which Banks should assume the legal risk. However, from June
2001 to the current date, RBI has not bothered to force the Banks into
adopting digital signatures. Even after MCA made digital signatures
mandatory for corporate returns and the Income Tax department for filing of
tax returns, Banks continued to ignore this important aspect of law. IBA,
on the other hand, appears to be silent on the issue that most Banks are
openly flouting the RBI regulations. From our observations of the
industry, one of the Country's leading Bankers and a leading private
sector bank are stonewalling adoption of digital signatures in Banking.
RBI seems to be incapable of meeting the resistance though it is
illegal. IBA is part of the resistance itself since it is the body of
the same Banks.
Industry observers are aware that there is back-room maneuvering going on
at the highest levels to get administrative support for the non-compliant
methods of e-banking that are prevalent in India.
Naavi.org, which is in the forefront of a crusade for better security for
Bank customers in the e-banking era, has time and again brought to the
notice of the public, RBI, IBA, SEBI, the Ministries involved, some of the
Banks involved, as well as the Cyber judiciary system, that non-adoption
of digital signatures for banking transactions and e-mails is a serious
non-compliance issue. Excepting a part of the system, others are unmoved
by the pleas of Naavi.org. It appears strange that Naavi is isolated in
this concern for e-banking customers and no other institution appears
even remotely as concerned as Naavi.
We therefore need a Citizen-led movement to make the regulatory
institutions act. Naavi.org will start a new phase of "Building
Awareness about the need for Cyber Law Compliance by Bankers" from
the 1st of May and would welcome any other individual or organization
that would like to join hands in this campaign to liberate Bank
customers from the risks of e-banking arising out of the negligence of the
Bankers. Watch this space for the roll-out of the campaign.
MCA advises use of e-mails for notices
April 26: As a part of compliance with section 53 of the Indian Companies
Act, the Ministry of Company Affairs has issued a circular that, as a "Green
initiative", e-mails can be used as a substitute for communication under
certificate of posting. It is good that the government has realized the
potential of e-mail at least now. It may however be necessary for the
Government to clarify that e-mails are to be digitally signed.
Dashworld reopens debate on Alternative Domain Name System
April 24: Alternative domain name systems that work outside
ICANN are the biggest challenge to the authority of ICANN to regulate the
Internet name space. At the same time, the logic of alternate domain name
providers, who support a free Internet movement, cannot be faulted.
Alternate domain name management systems emerged way back in 2002 and
earlier (See article:
Is There an Alternative to ICANN?). Obviously there was a reported
attempt to disable the alternate domain name systems through ISPs and US
Government intervention. Afterwards there was a silence indicating that
these efforts had fizzled out. Recently however dashworld.com has
restarted the alternate domain movement. If this trend catches on, there
will be a need to re-look at the current system of administration of
domain names and particularly the law related to Cyber squatting and the
relevance of services such as lookalikes.in.
Clash of .xxx domains with New.net
April 24: By opening the registration of
.xxx, ICANN has once again challenged alternate domain name registration
services such as New.net. Way back in 2002, the conflict started with
ICANN issuing .biz TLDs, which were already being used by the alternate
domain name systems. Now .xxx is another clash point where all new
registrants would be directly exposed to the risk of a domain name
conflict with the registrants of .xxx with New.net. Serious thought
has to be given to whether ICANN needs to recognize the alternate
domain name operators and adopt an inclusive policy, or pursue an
apartheid system and keep them out.
Internet Governance Issues
April 22: The Institute of Global Internet Governance & Advocacy (GIGA)
is being inaugurated on the 23rd instant at Hyderabad by Honourable Justice
G. Raghuram, Judge, High Court of Andhra Pradesh. Dr V.C. Vivekanandan,
Director of GIGA, coordinates the activities of the Institute and will be
discussing the various research and advocacy priorities of the Institute
and charting out an action agenda for the Institute.
Litigation Support Or Public Service?
April 21: Naavi has been engaged as a Netizen
activist for over a decade now. His earlier crusade against Savita
Bhabhi.com is well known. For the last few years, Naavi's attention has
been on protecting the interests of innocent Bank customers against
frauds arising in the e-Banking sector. In pursuit of this, Naavi has
offered consultancy for several cases. The objective of Naavi has been
that innocent victims of Bank frauds are to be protected and Banks
should improve their security. Unfortunately, commercial considerations
always affect information security, whether in an SME or a huge Bank.
It is a natural tendency of every businessman to make profits and cut
costs. When an activist opposes the establishment which is
neglecting consumer interest, the establishment looks upon the
activist as a trouble maker and tries its best to silence him if
possible by various means. This is as much true of the Shanti Bhushans
involved in the Anna Hazare initiative as of Naavi in his anti-phishing
initiative.
Presently Naavi has a role to play as an Activist
trying to protect the larger society of Netizens from victimization by
commercial interests. However some of the cases in which he is presently
engaged are hindering his freedom of expression, since Banks are
trying to put a rein on his public service because the matters he may
raise could technically be called sub judice. Though all matters which
are sub judice do not become a contempt of court when reported in
public, it is not always easy to convince a Court about the nuances, and
this could create some practical issues in Naavi discharging his role as
an Activist cum representative of a victim. Though involvement in
the initial cases was necessary as an inertia breaker, there is a feeling
that it may restrict Naavi's role in public service in the long run.
Since each of the cases often drags on for over three years before
culmination, despite the legal limitation of 6 months in Adjudication and
6 months in CAT, some lawyers successfully reduce the fast courts into
ordinary courts by seeking frequent adjournments. Because of these
delays, if Naavi is engaged in more of the litigation work, he will
cease to be able to serve the society as a Netizen activist. This has
raised the dilemma "Litigation support or Public service?"
RBI and IBA are two national level organizations
which ought to take up the responsibility of making e-banking safer.
However, one does not get the confidence that they would be capable of
safeguarding the interests of the Customers of banks when there is a
conflict with the interests of the Banks themselves. While IBA is a
forum of Bankers and such an attitude is natural for it, the way RBI has so far
handled the issue of security in the G Gopalakrishna working group fails
to provide confidence that it will continue to be the protector of Bank
customers. A reading of the industry developments at this stage indicates
that a group of Bankers are actively working towards diluting the law of
e-banking in India to protect the Bankers' commercial interests against
the public interest of the customers. It is possible that RBI may be supporting them. Soon
there will be a request made to the Ministry of Information Technology
for certain amendments to ITA 2008 to protect the Bankers' interests
though it may hurt the customers' interests.
It is felt therefore that a movement against the
tendency to exploit Bank customers is required in India. Naavi is
reminded of the late Sri M.R. Pai, who served the bank depositors during
the Seventies and Eighties working for the safety of their deposits.
We do not see any such visionary leaders around at present to protect the
Bank customers in the e-Banking era. But we hope that just as the Anna
Hazare movement emerged from nowhere to shake up the country, we will
see a movement emerge to put an end to the exploitation of Bank
customers.
Naavi would be happy to take an active part in such a
movement when it emerges. In the light of the above, Naavi is
considering the ways and means of completing the current assignments on
Phishing and freeing himself to take part in such a movement. All those
who want to be part of such a movement to protect the e-banking customers
from being exploited by the profit-hungry bank establishments may
contact naavi@vsnl.com. People who
can take the mantle from Naavi and support phishing victims in various
cities may also contact Naavi so that we can develop a network of public
spirited activists all around the country who would help innocent
victims of bank frauds in getting justice.
Naavi
ICICI Bank settles with a Phishing victim Out of Court
April 20: It is reported that in one of the adjudication
applications in Chennai, Shri Jeevika Arasu vs ICICI Bank, the Bank
and the customer have come to an out of court settlement. A copy of the
order from the Adjudicator in this regard is
available here.
On 20th April, the ICICI Bank counsel who had to appear in the Cyber
Appellate Tribunal in Delhi to argue the case against Mr S. Umashankar
absented himself citing "Personal" reasons. While we do not know if there
is any relation between his absence in the Umashankar appeal case in Delhi
and the reported compromise from the Bank in Chennai, it may be noted
that after the Dwarak Ethiraj case, the Jeevika Arasu case is the second
published compromise entered into by ICICI Bank in Chennai in respect of
Phishing complaints. Hopefully the Bank is realizing the futility of
fighting against its own customers. May God give them the wisdom to make
it a regular practice so that the fruits of Umashankar's fight reach
many more customers.
US takes Suo Motu action against Botnets
April 16: The US Department of Justice, in association with Microsoft, is
reported to have launched a major offensive against botnets.
Filing a Civil Complaint under the "John Doe" principle on unknown
perpetrators, the US Attorney's office has obtained search and seizure
warrants and is proceeding on an offensive.
We may note that the Adjudicators under ITA 2008 are also empowered to take
such Suo Motu action when there are a large number of victims of an
unknown perpetrator. This can apply not only in the case of Virus and Botnet
instances, but also to Phishing instances. It can also apply when there
are a large number of Bank accounts known to be used for encashing
Phishing proceeds.
We hope that a public spirited Adjudicator will launch such a proceeding.
Banking Ombudsman Orders payment
April 11: In another Bank fraud reported from Gurgaon, where a
customer had lost around Rs 6.6 lakhs by way of fraudulent withdrawal
through ATM, the Banking Ombudsman has ordered the Bank to pay back the
amount lost to the Customer. The order restores the amount lost but is
silent on the interest.
Vigilance Cannot be dropped
April 9: It is good news that ultimately the Government of India has
agreed to the formation of a drafting committee to draft an effective
Lok Pal Bill. This is a victory for the people and could be as
significant as the second independence movement. However, the stakes are
so high for politicians that it is unthinkable that they would allow an
easy passage of this Bill making it into a law and allow an independent
person to head the Lok Pal. If appointments to key offices such as CVC
and CEC could be politically influenced, the possibility of political
mischief in the formation of the Lokpal cannot be ruled out. It is necessary
for Civil Society to keep up the vigil and watch every movement of
the Government and ensure that what has begun well also ends well.
Public Pressure Mounts on the Government
April 8: It appears that public pressure is mounting on the
Government that it should yield to the demand of the Anna Hazare-led
movement to draft a Jan Lokpal bill including members of Civil
Society in the drafting committee. Hopefully the official
notification will be announced by tomorrow.
RTI Application on Websites blocked
April 7: In a reply to an RTI application, DIT has indicated the list
of websites blocked by it so far under the ITA 2000/8. We congratulate
Mr Pranesh Prakash of the Center for Internet Society for having taken this
initiative.
Corruption is the biggest threat to India. We need to join the fight
April 6: It is heartening to note that a movement is building around
Mr Anna Hazare all over the country for immediate action on the Lok
Pal bill. After the recent internet based movements in Egypt, it
is time for Netizens to express their solidarity with Mr Anna Hazare in
whatever manner they can. The Government will have its hesitation, and we
cannot expect it to take positive action unless there is enormous
public pressure. We may require a "Non Cooperation" movement with the
Government to really make it think in the direction of involving
civil society in a bill in which the politicians have a direct vested
interest.
There are some intellectuals who will have their own argument why
prevention of corruption is not possible, and it is necessary for common
men to ensure that the movement is not derailed by such pseudo
intellectuals. Corruption is a disease which corrupts the society and
creates inequalities where there may be none. At a time when there is a
scam a day, the need for a systemic infrastructure to act as a deterrent
to corruption is the need of the hour. If we do not support somebody who
has started a movement which is important for the future of India, we
will be failing in our duty to the nation. Let's therefore welcome the
Anna initiative.
For more information read here:
Comparison of Lokpal bill drafts, Govt vs Civil Society. Also see:
indiaagainstcorruption.org
Build Yourself an Anti Phishing Shield
April 4: It is observed that Phishing attacks are now appearing on
many Indian Public Sector Banks which have a large population of
customers who are not sufficiently net savvy. Though there is an
increasing awareness of Phishing frauds, the number of frauds is
expected to increase in the coming years. A Phishing crime network is
under development which starts from opening Bank accounts with false ID,
obtaining passwords of customers by various means, accessing accounts
over the internet, transferring money to fraud accounts and withdrawing
through ATMs.
A new threat that emerges in this context is that some internal workers in
Banks (which includes temporary workers who work in marketing as well as
employees of outsource partners) may use the cover of Phishing attacks
and commit frauds of their own. The modus operandi would be to send a
Phishing mail to targeted customers whose passwords have already been
obtained by some means and then access the account. If there is any
objection from the customer, he would be confronted with the fact of
having received the Phishing mail and forced to believe that he might have
answered the same and therefore should bear the liability.
Though this can be challenged, it is a painful and long drawn process.
Since most of the evidence that can defend the victim is available
only with the Bank and not with the victim, and the e-discovery process
is relatively unexplored, there is a need for Bank customers who receive
phishing mails to build their own shield against being unfairly held
liable for an internal fraud.
In order to provide some sort of a shield against such employee-assisted
phishing frauds, CEAC has launched two services, namely CEAC-ITN
(Identity Theft Notice), which is a free service for reporting such
events to a trusted third party, and CEAC-VPN (Virtual Public Notice),
which is a paid service. Though it is not yet clear if this would be
considered by Courts as an effective alibi for the registrant, it is
considered a good step towards building a legal shield against being
unfairly treated by Banks in the unfortunate event of a phishing attack.
Data mining of Health Information leads to legal suits
April 3: A national drug-store chain, Walgreen Co. in California, has
been accused of having unlawfully benefitted from the information of its
customers. In what could be considered a suit that can hurt the data
mining industry in general, the dispute is over "de-identified
prescription" information which the store chain has allowed to be used
by medical companies. It is charged that the "information" on
which the store has made a commercial gain belongs to the patients and
that it cannot be commercially exploited by the store.
Cignet Fine sends HIPAA concerns soaring
April 3: The OCR's decision to fine Cignet a total of US $4.3
million has set alarm bells ringing in the healthcare industry in the USA on
the consequences of non-compliance with HIPAA. This was the first time the
new HITECH Act penalty schedule was applied. It is said that Cignet
violated the rights of 41 patients when it denied them access to their
medical records and also did not cooperate with the OCR in its
investigations. It was considered a "Wilful Neglect" not corrected
within 30 days.