Section 65B Questions answered

On 14th June 2020, we had a well-attended webinar organized by the Cyber Society of India on Section 65B of the Indian Evidence Act. During the webinar, I made a brief presentation on the Techno Legal perspective of Electronic Evidence and Section 65B. It was followed by talks from some other experts.

During the discussions several questions were raised by the participants. Some of them were answered by other experts during the webinar. However, I have collated the questions and provide my view on each of them.

Watch this video first:

Q1. Being a forensic examiner of a particular digital material, does a 65B certificate need to be produced?
A1. Yes.

Q2. How will a person giving a 65B certificate for data which is not his own property verify the veracity of the digital data so that it becomes evidence in the Court?
A2. The certificate is for what the certifier has seen in his computer. If your eye can see a car passing by in the street, you can give evidence that the car was passing by in the street. It need not be your property.

Q3. For physical/manual documents produced in the court as documentary evidence, no certificate is insisted upon for relevancy and admissibility, but for electronic documents, why is it insisted upon notwithstanding their genuineness? What is the distinguishing feature here?
A3. An electronic document is a rendition by the device. The real original electronic document is the binary stream. Hence the certificate is essential.

Q4. Can we interpret screenshots from a mobile as admissible evidence, be it primary or secondary?
A4. Screenshots are electronic documents that can be produced as evidence. The question of "Primary" and "Secondary" is redundant. The original is the binary stream stored in the memory card or the hardware memory of the device. It is not presentable as evidence since it is not humanly readable.

Q5. Does a 65B certificate demand the involvement of a third party or person between the client and the Court?
A5. The certificate is provided at the request of one of the litigants, to the litigant. The litigant presents it in the court, possibly under an affidavit. The certifier need not always be called in by the Court unless there is doubt whether a certificate has at all been issued by the said certifier. When present, the certifier can only confirm his signature and the fact that he has given that certificate. Any other oral deposition on the content is not admissible under Section 22A of the IEA. An expert under Section 45A of the IEA may however interpret any of the contents and give his opinion. An ordinary certifier cannot.

Q6. Who can give a 65B certificate?
A6. The procedural requirement under Section 65B(4) of the Evidence Act of furnishing a certificate applies only when such electronic evidence is produced by a person who is in a position to produce such a certificate, being in control of the said device, and not by the opposite party. A Section 65B certificate is given for the production of the "Computer Output" as defined in Section 65B(1), not for the original capture or creation of the electronic document. Every time an electronic document is produced as evidence, a Section 65B certificate has to be produced.

Q7. Nowadays everything is an output of an electronic device. Is a 65B(4) certificate mandatory for all of those?
A7. Yes.

Q8. It seems this section needs a lot of interpretation in the view of individuals/advocates/Judges. This itself indicates that the section should be redefined in a simpler way.
A8. Technology law is always complicated if we do not understand technology and try to interpret it with our past knowledge. We must forget our current interpretation of primary and secondary documents and look at Section 65B without the coloured glasses of our current interpretation.

Q9. At what stage has the certificate to be given: during the chargesheet or while tendering the evidence?
A9. Preferably when the electronic document is first presented. With the permission of the Court, any time thereafter.

Q10. Just assume this Zoom meeting were to be made an electronic evidence. Who will give the certificate: the Zoom service provider, or the authority of the Cyber Society?
A10. Whoever is viewing the Zoom session in his computer can provide a certificate from his perspective of what he saw, by capturing the electronic document. You can use a screenshot, or a recording if you can record. A recording has to be supplemented with its hash value.

Q11. PV Anvar has completely taken away the provision of 63/65 from electronic records, which Shafhi Mohammad brings back.
A11. Shafhi Mohammad is a two-member bench and cannot bring back what the three-member bench of PV Anvar has interpreted. The law has been there since 17th October 2000 and PV Anvar has only given the recent realization.

Q12. Can a person self-certify when producing a document of a phone recording with the transcript, stating that it was received on their own smartphone which is always in their own possession?
A12. Yes, but the quality of the evidence would be low as it can be considered self-serving evidence.

Q13. Whoever is giving a medical or some other certificate can give their digital signature (encrypted document); nobody can hack it.
A13. Yes, if the document is issued in electronic form.

Q14. For a printout from LinkedIn regarding the profession and salary of an individual, should the certificate be given by the person taking the printout or by the LinkedIn office?
A14. The person taking the printout.

Q15. What is the necessity of electronic or digital signatures?
A15. For authentication of an electronic document.

Q16. If the CCTV footage is in the custody of the accused, and he wants to produce the electronic evidence, who should produce the certificate?
A16. He can get the CCTV footage viewed by a trusted third party who can give the certificate that the electronic document was present in the given form. The defence can argue that the document was in the custody of the accused and hence could have been tampered with. This does not affect what the certifier saw and certified. The Court can resolve this through a digital evidence examiner and a forensic report.

Q17. We are giving footage as evidence for any crime that occurs.
A17. Yes, it should be given with a Section 65B certificate.

Q18. Is a 65B IEA certificate mandatory for records received from Facebook through email?
A18. Yes.

Q19. All forms of evidence are verified and cloned or duplicated prior to investigation to ensure the integrity of the evidence. Computer forensic evidence plays a crucial role in the threat management life cycle, from incident response to high-stakes corporate litigation.
A19. Contemporaneous certifications are required whenever the document is re-saved.

Q20. India Post established electronic post for quick and fast transmission. It also comes under electronic evidence. Here the document is transmitted from one terminal to another by the sender, and the receiver receives the same.
A20. In this case the document can be digitally signed by the postal authorities. A Section 65B certificate can also be given for producing as evidence even the digitally signed electronic document.
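Two of the answers above turn on the same practical step: a recording produced as a computer output should be accompanied by its hash value (Q10), and a fresh certification is needed whenever the document is re-saved (Q19), because a re-saved file is a different binary stream. The following is an added example, not part of the webinar or of Naavi's own material, showing what "supplemented with a hash value" means in practice: compute a digest of the file at the time the certifier views it, record the digest together with file name, size, algorithm, certifier and time, and later recompute the digest of the file actually produced to confirm it is the same binary stream. The file name, its bytes and the certifier's name are constructed stand-ins.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read recordings in 1 MiB chunks so large video files need not fit in memory


def hash_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string (useful for small screenshots or messages)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="sha256"):
    """Hex digest of a file on disk, streamed chunk by chunk."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def make_hash_record(path, certifier, algorithm="sha256"):
    """Build the hash portion of a certificate: which file, which algorithm, which digest,
    who computed it and when (UTC). This record is what gets attached to the 65B certificate."""
    return {
        "file_name": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "algorithm": algorithm,
        "digest": hash_file(path, algorithm),
        "certifier": certifier,
        "computed_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def verify_hash_record(path, record):
    """Recompute the digest of the file now being produced and compare it with the recorded one.
    Size is checked first as a cheap early mismatch; the digest is the actual proof."""
    if os.path.getsize(path) != record["size_bytes"]:
        return False
    return hash_file(path, record["algorithm"]) == record["digest"]


def demo():
    """Constructed walk-through: certify a stand-in recording, then show that a re-saved or
    altered copy no longer matches the recorded digest and would need a fresh certification."""
    with tempfile.TemporaryDirectory() as d:
        recording = os.path.join(d, "zoom_session.mp4")  # constructed stand-in, not a real recording
        with open(recording, "wb") as f:
            f.write(b"\x00\x00\x00\x18ftypmp42" + b"constructed sample recording bytes" * 100)

        record = make_hash_record(recording, "A. Certifier (hypothetical)")
        intact = verify_hash_record(recording, record)  # same binary stream: True

        with open(recording, "ab") as f:
            f.write(b"\x00")  # even one changed byte means a different electronic document
        tampered = verify_hash_record(recording, record)  # re-saved/altered copy: False

        return record["digest"], intact, tampered


if __name__ == "__main__":
    digest, intact, tampered = demo()
    print(json.dumps({"digest": digest, "intact": intact, "after_change": tampered}, indent=2))
```

The digest alone proves only that the file produced later is bit-for-bit the one the certifier hashed; it says nothing about how the recording was made. That is why the record pairs the digest with the certifier's identity and the time of computation, which is exactly the information the certificate itself supplies.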

If you have more questions, please send them by e-mail.

Naavi

Posted in Cyber Law

Are Banks taking sufficient steps to protect their Employees?

During the Covid lockdown, apart from the Police and the Health workers who are being hailed as "Covid Warriors", there is also another industry where the employees are keeping the services going despite the enormous risks they face. That industry is "Banking".

Banks have not closed down even during the severe lockdown conditions, and for some time there was alternate-day working in some Banks. However, some banks have now started daily working, ignoring the risks posed to the employees.

Though Banks have digitized their operations and branch transactions have reduced, some Banks appear not to be taking the measures required to ensure that employees and customers do not get infected by contact during physical banking transactions.

Even in places like Mumbai where the Corona infections are on the higher side, some Banks have not taken the necessary measures to curtail the footfall in the Branches. The Reserve Bank of India does not seem to have made any effort to properly advise the Banks in this regard.

It is high time that customers are advised to make most of their transactions online and, where necessary, contact the Branch manager through video calls.

The employees should be able to log in remotely from their residences to complete routine transactions. Even branch banking transactions could be carried out through the internet banking system with suitable modifications, where an authorized employee, subject to appropriate access controls based on biometrics, face recognition and digital signatures or e-sign, logs in to the Banking system and conducts shadow transactions which are later integrated with the CBS after a time delay.

It appears that in the last 3 months, no effort has been made either by ReBIT or IDRBT to introduce such alternate secure methods by which employees can work from home.

The CBS software suppliers, which include the major Indian companies, could also have worked out a supplementary interface enabling secure remote login to the system without sacrificing the security aspects.

The lack of innovative initiatives from individual Banks and the RBI is disappointing.

In order to understand the preparedness of the Banks to meet a prolonged lockdown, Naavi.org would like to conduct an online survey inviting responses from Banks and other professionals in the area.

I would be happy if readers can submit their responses to the following.


Naavi
Posted in Cyber Law

Different Employee Types emerge during Covid

One of the interesting aspects of the COVID 19 Lockdown is the emergence of new paradigms in HR. It appears that HR practitioners need to re-skill themselves in several aspects of motivation and leadership as the established theories are getting outdated.

It is a fact that after three months of lockdown, as the industries open up, they are receiving an unexpected response from many employees who prefer to continue the "Work From Home" (WFH) practice on a more long-lasting basis. This has set the industries thinking about their long-term strategies of employee engagement.

It is a fact that in the IT industry, productivity has not suffered much because of the lockdown. Many individual employees have actually improved their productivity and also achieved a better work-life balance.

The situation is not the same in manufacturing organizations, or where a team effort is critical for creative output.

Also, there are people who enjoy the company of their family members and those who do not. This has also given rise to more domestic conflicts.

Nuclear families with responsibility to take care of children are in another peculiar situation where the employers are calling the employees back to work while the schools are not ready for physical classes. Hence looking after the children is another reason why some employees do not want to return to work.

HR also has the problem of new recruitment and possible moonlighting by employees.

All these issues are beside the security issues which the security professionals are trying to address separately.

Legal departments are also struggling with their contracts with the customers and how to accommodate WFH into their contracts.

An interesting discussion was held by FDPPI under its Jnaanavardhini series of webinars on 10th June 2020, where a Behavioural Science trainer discussed the HR issues arising out of Covid.

In the coming days, we may have to classify our present and prospective employees who are technically skilled to use technology for work into two principal types, namely the "Lone Wolf" and the "Hunter in Pack", or the "Family Type" and the "Company Type".

The Lone Wolf will be happy to work from home and deliver. He may sleep up to 9.00 am, not shave and work in shorts, but he works up to 2.00 am in the night to finish the task given to him. As long as the task is well defined, he is happy to work alone. This is best suited for individual software employees who need to code.

The Hunter in Pack, however, needs peer nudging to activate his creativity and will go into depression if he is not with the team.

These attitudes may also reflect whether a person has a happy family to support him or depends on workplace facilities like the canteen, the gym, etc.

A recruiter therefore has to design methods of identifying the type of employee and fit him into the corporate environment. The "Return to Workspace" option also has to be designed to meet the type of employee and the nature of his activities. Projects may have to be redefined as "Team Only", "WFH compatible", etc.

The team leads also need to be comfortable with the different ways of engaging with the team members. They have to be adept both in physical brainstorming meetings and in virtual meetings.

Probably we need to design specific training programs to develop new "Virtual Leadership" capabilities which will help the leader to "Virtually Motivate" his employees into action.

These are new areas of research, and perhaps we need to add to the current motivational and leadership theories.

There is also a challenge when we recruit somebody under the Covid conditions, train them up and later have to move back into the old system. Some of the people who are well entrenched in the current work-life balance will consider giving up their jobs solely because of the change, and there could be a new attrition challenge to address.

The software development companies will be critically hit in such a migration from the corporate workspace to the home workspace.

The trend is like the "Stockholm Syndrome" exhibited by kidnap victims, as more and more COVID lockdown victims start falling in love with the new paradigm of work. This could be both a threat and an opportunity for innovative HR Professionals.

It looks like there are exciting opportunities ahead for HR managers who can think differently and adapt their skills to the new environment. Management schools have to look at "HR Management in a Virtual Environment" as a new area of specialization.

Let us keep our thoughts on this emerging area of learning, which is as important as "Security or Privacy Management in a Virtual Environment".

Naavi

Posted in Cyber Law

Logistics Companies…Jiomart Reliance Digital and Bluedart, Don’t ask for OTP

In recent days, I came across two instances where logistics companies used an OTP to obtain an acknowledgement of delivery. The first was the case of Reliance Digital or JioMart. The second was BlueDart.

In both cases, after the delivery an OTP was sent to the customer and he was asked to reveal the OTP to the courier boy, who would then input the OTP from his mobile as confirmation of the delivery.

This goes against the general principle of caution with which we try to educate consumers: that they should not share an OTP with anybody.

If we develop this habit of courier boys asking for OTPs, then we will be opening a new channel of fraud where the OTP may actually be sent just in time to carry out some fraud, and the consumer may fall victim.

I therefore request these big companies to stop this practice. They can have some other way of obtaining the confirmation, including the customer himself confirming receipt directly to the company.

If this practice is not stopped, these companies will be indirectly responsible for such OTP-stealing frauds, if any.

Naavi

Posted in Cyber Law

One More Technology Intoxication case

Here is another case of a hacker publicly admitting an offence for which he may get 3 to 7 years of imprisonment and challenging the Indian Government. MeitY is not strong enough either to secure its systems or to prevent Indian software professionals from using Government projects as target practice for testing their hacking skills.

In the bargain, the Indian Government under Mr Modi appears to be powerless against people who are specifically targeting Indian Government assets and exposing other citizens to great risk.

I draw attention to the article https://yetanothersec.com/blog/2020/06/03/digilocker-disclosure/ which has highlighted the exploits of Sri Mohesh Mohan, Senior Security Specialist for Dubai Smart Government.

I have no doubt that this person is a talented security specialist and his website (https://www.h4hacks.com/) may have proof of his talent. However, he represents that category of technology experts who are suffering from "Technology Intoxication" and focus their energies on hacking Government projects, particularly of India, because the Indian Government is meek in dealing with such persons.

In his article he admits that he was motivated by the "Competitive Hacking Urge" that he felt when another software person from Bangalore announced that he had hacked the Aarogya Setu app.

He then targeted the DigiLocker app after downloading it. The rest of the article describes the modus operandi of the hacking, just like a psychopath describing how he murdered a person.

The fact that this person is proud of his act makes me wonder about the ethics of professionals.

I want to question the Dubai Government on whether it has assisted this person in hacking Indian Government assets by providing him any hardware, software, wifi connectivity, etc., and if so, whether it would take responsibility for the hacking.

It is clear that because the Aarogya Setu authorities handled the earlier hack with kid gloves, it has encouraged this hacking. Hence we should hold the officials who did not take stringent action on the Aarogya Setu hacker responsible for encouraging Mr Mohesh Mohan, and for complicity in this fraud.

I am a DigiLocker holder and this hack has directly compromised my security, for which I am entitled to claim damages from the Government of India.

I seek an answer from the person in charge of the DigiLocker project, National e-Governance Division, MeitY, on what action they intend taking against this hacker.

Has MeitY got DigiLocker notified as a "Protected System" under Section 70 of ITA 2000?

Do the terms and conditions of use of DigiLocker prohibit downloading for reverse engineering and hacking purposes?

Is there a privacy policy and terms of use before the citizen first provides his Aadhaar number to the DigiLocker authorities when somebody downloads the app?

I would like to know from the Secretary of MeitY who will be held responsible for exposing my and several lakh fellow Indians' confidential information to the hacker, who may sell it on the darkweb.

The reply from CERT-In that the vulnerability has been plugged confirms that the vulnerability did exist and is damning evidence against the DigiLocker authorities.

The reply of the DigiLocker team is funny, as it says "No account other than that of the attacker was used". It does not say that the information in the 3 billion documents was not accessed by the hacker. The reply also says that the data is "Safe and Secure". It is difficult to understand how compromised data is considered "Safe".

The DigiLocker team perhaps does not understand that keeping the data safe but not the data owner safe is not acceptable Techno Legal security.

The incident calls for severe disciplinary action against the DigiLocker team along with initiation of criminal action against the hacker.

I am forwarding this article to the concerned persons and await their reply.

I hope MHA also takes necessary action, since this incident is a crime which raises serious concern for Indian citizens about whether their critical personal information such as Aadhaar data, PAN data, Driving licence data, etc. is safe.

Naavi

P.S: I have sent the following e-mail to the digital locker team:

To: support@digitallocker.gov.in

Dear DigiLocker team,

I am informed that a hacker by the name of Mohesh Mohan has hacked into your system and accessed 3 billion confidential records including critical information of citizens of India.
I also understand that you have admitted the vulnerability and CERT-In has also confirmed the vulnerability.
Though you have stated that the data is still with you, what you have is only a copy of what the hacker also has. It is possible that he could by this time have sold the data on the darkweb and made millions.
Please let me know what action you have taken against the hacker who has admitted his hacking. Are you entering into any compromise with him? If so, for what consideration?
Please also let me know how you are compensating individuals like me.
You have been kind enough to answer the hacker. Will you be duty bound to answer me?

I have also sent the following message to CERT-In:

To: incident@cert-in.org.in

To
The Director General
CERT-In

Kindly advise me whether you have initiated any action against the DigiLocker team or the hacker. Forbearance is an act of complicity, and I hope you would not let this pass just as you let the Aarogya Setu hacker get away.
This kind of soft handling of such serious incidents would create a very bad precedent and is not in keeping with the policies we advise the private sector to follow when it comes to imposing sanctions on their employees for negligence.
MeitY and CERT-In should not create a precedent of this nature.
Naavi
(Na.Vijayashankar)
Posted in Cyber Law

Dubai Data Protection Law

Another Data Protection law having relevance to Indian Companies is now out. Effective 1st July 2020, the Data Protection Law in Dubai has been revised and brought in line with current trends.

The new DIFC (Dubai International Financial Centre) law (No. 5 of 2020) replaces the earlier 2007 version. The law tries to replicate the GDPR provisions but expresses them differently and perhaps with a little more clarity.

The law applies within the jurisdiction of DIFC, and its purpose is to protect the fundamental rights of data subjects as well as to provide standards and controls for processing.

The law applies if the data processor/controller is situated in DIFC or processes personal data in DIFC as part of stable arrangements, other than on an occasional basis.

Processing is generally subject to free consent or explicit consent (for special categories of information), though other bases such as a contract, legal necessity, protection of the vital interests of the data subject and legitimate interest are also recognised.

The appointment of a DPO is optional except for controllers performing high-risk processing activities on a systematic basis. The DPO must reside in the UAE.

Transfer of data outside DIFC is permitted on an "Adequacy" basis, or through a legally binding instrument, Binding Corporate Rules, Standard Protection Clauses, an approved code of conduct, etc. Transfer is also permissible under explicit consent, in the public interest, for legal claims, etc.

The requirements of notice and the information to be contained therein are also set out in the law.

Rights of the Data Subject such as withdrawal of consent, the right to access, rectification and erasure, as well as portability and the right to object to profiling, are also provided.

At least two means of contact for the data subject to exercise their rights need to be provided.

Data Breach Notification is provided for, and the Commissioner shall be the regulatory authority. Only in high-risk breaches do the data subjects need to be notified.

A voluntary certification scheme may be established for the Controller or Processor to demonstrate compliance with the law, but certification alone will not relieve the responsibility for compliance. The Commissioner may issue accreditation to agencies authorized to issue such certificates.

Non-compliance is subject to appropriate fines that may be imposed by the Commissioner. A right of private action is also available.

In general the regulation closely follows the GDPR principles but avoids quoting a threateningly high limit of fine or criminal prosecution, though these could be invoked when necessary.

Indian companies who intend to use Dubai as a base for their operations should gear up for the new regulation.

(P.S: This is only a preliminary view to keep the legislation under our radar. Watch out for detailed discussions in due course)

(Copy of the law can be found here)

Naavi

Posted in Cyber Law