Naavi
IICA Qualified Independent Director
Dr Lal Pathlabs is ISO 27001 Certified… but stored sensitive data callously
Naavi.org was at the forefront of raising objections to the Section 43A rules of the MeitY in 2011, in which the MeitY insisted that “ISO 27001 compliance” is deemed compliance with Section 43A.
When I first wrote “Is India selling itself out to ISO 27001?”, “Has MIT issued the guidelines without proper evaluation?”, “Is DIT misleading the Public?” etc., the Kapil Sibal-led ministry was extremely unhappy, because it was pointed out that if all Indian companies were made to undergo ISO 27001 certification, there would be a huge and useless burden on the industry.
Now that Section 43A is coming to the end of its lifetime and is to be replaced by the Personal Data Protection Act, it is time to recall Naavi’s concern that giving prominence to ISO 27001 as “Deemed Compliance of Section 43A” was a blunder by the MeitY.
Dr Lal Pathlabs has given a perfect example to justify the point which I made in 2011 and which the MeitY brushed aside.
Going by the press reports, Dr Lal Pathlabs compromised millions of sensitive personal records of the Indian public by storing them in Amazon cloud storage without a password.
Techcrunch.com reports as under:
Quote:
Unquote:
Techcrunch also reports that the security loophole has since been closed, meaning that a password has now been set.
However, what surprises me is that the website of Dr Lal Pathlabs does not show any information on the data breach. There is no information about CERT-In having asked for a report on the data breach as per the powers available to it and the duty cast on it under Section 70B of ITA 2000/8.
The “Privacy Policy” on the website covers only the information collected on the website and gives no clarity about the policies and practices related to the collection of information in their services.
The Privacy policy inter-alia suggests as follows:
Quote:
Information security
The Company has implemented appropriate security practices and standards and has a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. Further, the Company takes appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data and restricts access to your personal data to the Company’s employees who need to have that information in order to fulfil your request or supply our services
Unquote:
This indicates that the privacy policy has been drafted using the words contained in the Section 43A guidelines.
It is therefore not surprising to note that the company also sports ISO 27001 as one of its accreditations.
It would be interesting to find out who gave the ISO 27001 accreditation to this company and with what scope, and whether it would continue to be used even after the report of the current breach or would be withdrawn.
It is time for the industry to consider that ISO 27001 is only a guidance tool and cannot be considered a stamp that everything is in order regarding information security implementation in an organization.
I recall the reply I received on 11th July 2011 from Mr Prafulla Kumar of DIT, which stated as follows:
However, the notification contained the words:
“A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensively documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business.
In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.”
“The international Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard referred to in sub-rule (1).”
In view of the above, despite the clarification provided to me directly, MeitY continued to give the public the impression that ISO 27001 is “Deemed Section 43A compliance”.
This false impression created by the MeitY is the reason why companies like Dr Lal Pathlabs continue to ignore information security in its real sense, opt to buy the certification and remain complacent that everything is fine with them.
I call upon the MeitY to clarify whether they are prepared to withdraw their endorsement of ISO 27001 at least now.
Making a mistake once is understandable.
Standing on one’s ego and justifying it is undesirable.
But not making amends and not apologizing for the mistake even after it is seen how an “ISO 27001 certified company can have sensitive data in Amazon storage without a password” is unpardonable.
The data breach raises similar questions about other accreditation agencies like the CAP, NABL etc., who have to withdraw their certifications or at least conduct an enquiry and re-establish the credentials.
I also call upon the NSE and BSE to clarify whether Dr Lal Pathlabs filed any report with them that there was a data breach, that there could be a PIL or Government penal action against the company, and that as a result there could be a financial risk to the shareholders of the company.
We will continue to watch whether the Clause 49 declaration applicable to listed companies will report the breach to the shareholders in the annual report and whether the statutory auditors report the same in their audit reports.
(P.S: Deloitte Haskins & Sells LLP were the auditors of the Company some time back. After the ILFS fiasco, Deloitte could have faced some sanctions barring them from continuing their audit work. It appears that the matter is with NCLT.)
There were 5 independent directors of the Company who also have many questions to answer along with the Company secretary.
I have also pointed out earlier that Adjudicating Officers in multiple states can start an enquiry under Section 46 of ITA 2000 on the incident, and a PIL can be filed in any High Court or the Supreme Court, provided the matter is considered a serious privacy breach. Otherwise all the “I Love Puttaswamy Judgement” statements of privacy activists will only be considered a TRP-hogging drama.
Unless the regulatory authorities take such data breaches seriously and use it to define the future direction of compliance, such incidents will continue to happen in future.
Naavi
Posted in Cyber Law
20th Anniversary of the Digital Society Day of India
On October 17th, India will be celebrating the 20th anniversary of the birth of the digital society of India. On this day in 2000, Information Technology Act 2000 was notified. On that day, an electronic document became legally recognized as equivalent to a paper document. The digital signature was recognized as equivalent to a physical signature. Together, the legal recognition of electronic document and the method of authentication gave legal recognition to a digital contract. Digital contracts gave birth to the transactions in the digital society with judicial oversight. The electronic document also got recognition as “Evidence” under the Indian Evidence Act and Section 65B became effective as the means of making an electronic evidence admissible in the court of law.
This day is therefore significant in the history of the evolution of Digital India, and Naavi.org has been celebrating it as the “Digital Society Day of India” ever since. In the first few years we even held physical events to celebrate the day. We have always believed that MeitY should take up this celebration on a large scale, but it has not happened.
Anyway, it is our duty to remember the importance of the day.
Naavi.org is putting together some suggestions on what amendments may need to be considered in the ITA 2000 in the current scenario, where the Personal Data Protection Act will automatically affect some of the provisions of this Act.
I invite comments from the public on the three most important pain points in the Act that they have been confronted with in these years, so that they can be consolidated and brought to the attention of the Government.
Naavi
Posted in Cyber Law
Dr Lal Path labs data breach
(Image Source: techcrunch.com)
In February 2020, a major data breach was reported from Breach Candy hospital, Mumbai. At that time, Naavi.org called it an “I Love You Moment” recalling the incident in 2000 when the “I Love You” virus hit the Internet and woke up the Indian regulators into taking steps in passing the Information Technology Act 2000 (ITA 2000) which was otherwise kept in cold storage in a Standing Committee.
In the Breach Candy incident, over 121 million medical records of Indian patients had been exposed due to lack of secured storage. The data, which included X-rays, scans, patient history, National ID, date of birth etc., had been stored in the cloud and was accessible through the internet without a password. The data was stored in what is referred to as the DICOM protocol, meant to be accessible to the registered medical practitioners attending the patient and to the patient with appropriate user names and passwords, but was negligently made available openly.
This entire data set would now be on the Dark Web and could be exploited by criminals.
The incident was called an “I Love You” moment because it was felt that it would ensure the passage of the Personal Data Protection Act in India, which was pending with the JPC. Unfortunately Covid intervened and the JPC activity was delayed. The JPC has till now not completed its study, and the presentation of the Bill back in Parliament has been postponed again and again. Now it has been pushed beyond 2020 and may be presented only in January 2021.
When the Breach Candy data breach occurred, it was a failure of “Reasonable Security Practice” under Section 43A of the ITA 2000 and it was possible for any affected party to file a complaint on the hospital for compensation. There could have been a PIL also. But no victim came forward.
However, it would have been possible for the regulatory mechanism to take some proactive steps to recognize the incident as a representative incident that required attention, in the interest of preventing such incidents in future. The Adjudicator of Maharashtra could have taken suo moto action under Section 46 of ITA 2000. CERT-In could have conducted an enquiry and suggested some remedies. Even a High Court could have taken suo moto action and initiated an enquiry.
However, none of these regulatory bodies thought it fit to move in and take some action which would have brought better discipline into the system. All of them collectively exhibited the apathy and ignorance which is the bane of our country. Probably none of them wanted to do anything that could put the well-known hospital into disrepute.
Now another major data breach has hit us in the form of Dr Lal Pathlabs. The Personal Data Protection Bill is still a Bill, and again we need to fall back on the ITA 2000. At least now we need to see if CERT-In conducts an enquiry, some Adjudicator takes up a suo moto enquiry on behalf of the affected patients, or some PIL gets filed in a High Court.
According to the information available, Dr Lal PathLabs, headquartered in New Delhi, serves 70,000 patients a day and stores the medical diagnostic results on Amazon Web Services.
It is alleged that the data was stored without password protection.
It is impossible to think how any IT operator handling the data was unaware of the need to encrypt data in cloud storage. Having a password is like an LKG lesson we teach our students, and if any data is stored without a password or with a password such as admin123, then it is not possible to recognize that person as “IT literate”.
If the Company had engaged such IT operators, then the management of the company, which describes itself as “An international service provider of diagnostic and related health tests”, including the board of directors, should ask themselves whether they had any moral right to be in a critical business like health care.
It is immaterial:
whether the IT team of the company, the CEO or the Directors were aware of Information Security or Data Security or not;
whether they were aware of HIPAA standards or Section 43A of ITA 2000 or not;
whether they were aware of the Personal Data Protection Bill 2019;
whether there was a DPO in the company or not, or whether he was a certified data professional or not.
But if they did not have basic “password control” for the Amazon cloud storage, then they need to reassess their managerial credentials.
Amazon provides services for data storage even under HIPAA standards, and it is difficult to see how they would have enabled access without a password, and that too without some combination stronger than something like admin123. Perhaps the information that the database was not protected with a password is not correct. The possibility is that some default password was used, or the lab had a system where the password was broadcast to all their units so that anybody could use the database.
Whatever is the reason for the data breach, it is sad to note that a large company like Dr Lal Pathlabs could have such a callous approach to data security.
What is lost is lost. Whether we fine the company Rs 5 crores or 100 crores is immaterial. What is now required is for us and the regulators to reflect, how long we will keep on postponing the passage of Personal Data Protection Act and how long CERT-In and the Adjudicators under ITA 2000 remain mere show pieces in the system of data protection in India.
Though the JPC on the Personal Data Protection Bill has taken time up to the budget session to submit its report, it is time for the members of the JPC and the Chairperson to re-think and try to submit their report at least in the December session of Parliament.
Naavi
P.S: The privacy policy of Dr Lal Path labs inter alia states as follows:
Information security
The Company has implemented appropriate security practices and standards and has a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. Further, the Company takes appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data and restricts access to your personal data to the Company’s employees who need to have that information in order to fulfil your request or supply our services
The problem is what is “Appropriate” in this context, which needs to be debated.
Posted in Cyber Law
Fascinating Data Pasture at the other end of the PDPAI Warp
It is a common cliché to say “Data is Oil”. For those who look at data through the eyes of Facebook or Google, it is easy to understand why data is a mouth-watering business asset with huge profit prospects. Such data operators can simply discover data from the environment as if plucking it from the air. They can squeeze data like squeezing water out of a wet cloth.
But for most people in, say, the manufacturing industry, the value of data is an enigma. It is not visible in their operations, and if a little bit of data is available, it could be like “scrap” in the business. The complex nature of data, where data can be replicated, transmitted at the speed of light and combined with other data horizontally and vertically to create value products, is something most manufacturing companies are unable to visualize.
The industry has today heard of the Information Technology Act 2000 (ITA 2000) and the Personal Data Protection Act of India or PDPAI (presently in the form of a Bill). Both these legislations talk of what cannot be done with data. Though we recognize that data is useful either as “Personal data” or as “Corporate Data”, the laws only speak of the “Don’ts” rather than the “Do’s”. The “Do’s”, if any, are in the form of what should be done to avoid the liabilities that arise because of the “Don’ts”.
It is therefore a pleasant surprise to many that India is contemplating a new regulation called the “Non Personal Data Governance Act”, which essentially focuses on how to unlock value out of data without infringing either the ITA 2000 or the PDPAI. One need not be a cyber criminal or a personal data profile creator to unlock value in the data. What this Act does is to recognize that after data is segregated into non-personal data and personal data, it is possible to further remove the identifiable elements in the personal data and make it “Anonymized personal data”. This anonymized personal data is also non-personal data and, together with other non-personal data which may include corporate data and environmental data, can create a “Data Asset” that can bring value to business.
Just as “Data” though “Intangible” can have “Value” if it is considered as “Intellectual Property”, Data which is not personal has value in itself. What we need to innovate is how to convert this residual data into more valuable and marketable data.
In the non-data industry, people have heard about use of Data as a catalytic tool for production in an Industry 4.0 scenario. We have also heard how data flowing through a 3D printing device can create a product by converting data into a physical product by using an appropriate printing material which could be a metallic dust or plastic material.
What many manufacturing entrepreneurs do not know is that, just as we take raw material and convert it into finished goods, it is possible to take data as a raw material or a semi-finished input and create finished products that are of value. Facebook and Google are examples of how raw data can be made into valuable products and turn enterprises into globally competitive business entities.
Now it is time for Indian entrepreneurs to understand the potential of “Data” as a “Raw material” and find ways and means of creating appropriate finished goods. This may start as a by-product of the current manufacturing activity, but through aggregation techniques it could be converted into valuable industry data, which can be converted into cash when a “Data Exchange” becomes available after the Non Personal Data Governance Act is passed.
Suppose we have a mango tree growing in our backyard. We may not be able to get full value from the produce because it is seasonal, and only one variety of mango is available every year, in such large quantities that we cannot consume it. But we can always find a buyer who purchases mangoes from us and several others and markets them as a separate activity. Similarly, some of the data you produce during your production may not be useful to you. But somebody else may find value in it because he can aggregate it horizontally with similar data gathered from other sources, and he may be able to give you value for your data too.
While it may take a couple of years more for this “Data Business” to emerge, we need to start thinking of how we can start recognizing the value of the data which is generated in our processes.
Though “Data Business” has already been developing within the IT industry, the system of recognizing value for data and how it can be brought into the balance sheet is still not properly resolved by the community. A few attempts at assigning value to data have been made in the field of “Personal Data” for the purpose of conducting surveys for advertising. But this value is mostly used for a one-time passing off of information and not to reflect the wealth of an enterprise.
In the days leading to the development of the “Data Exchange” we need to find ways and means of devising a method by which we value different types of data both, personal, and non personal data and devise instruments of transfer of rights so that a complete eco-system is built for data marketing.
If we look at the source of data, there is always a cost of generating “Data”. This could be one way of estimating the value of data and can be used for Cyber Insurance purpose. The same valuation can also be used if the data is to be transferred for consideration. This is the “Actual Cost” or “Replacement Cost” basis for valuing data.
This system can also be used for valuing data which is in different forms in the life cycle just as how we value “Goods in Progress” as a percentage value of the finished goods.
Once we have the finished goods in stock, the valuation can be, on a conservative basis, the total cost of production, with the option of “Valuation on the market value basis”. Similarly, the finished data (e.g. a Profile) could be valued at the perceived market value.
Since the market has found a method of valuing intangibles like IPR, a similar approach can find a method of valuing data also.
However, IPR value is brought to the balance sheet by creating a special reserve, which analysts can always discount if they want to. Similarly, personal and non-personal data can also be valued and brought into the balance sheet. When a proper Data Exchange is set up in the country for the exchange of data, it may be possible to make a reliable valuation of data. Until then it will be difficult for accountants to sign off on a balance sheet where the value of data is shown as an asset.
However, until the accountants come to an agreement on how to value data, we can always use the method of creating a data value on the asset side of the balance sheet and at the same time creating a contra entry on the liabilities side to offset the value of the data shown in the asset book.
The advantage of adding such a value would be that in the case of the valuation of the firm on a Going Concern basis for mergers and acquisitions, the value of data becomes recognizable. It will also not escape the eyes of the banker or even the bankruptcy courts, who otherwise tend to always give a zero value to data assets, as they did in the Net4India insolvency case in India.
The concept of “Valuation of Data” also gives rise to a new professional service of “Data Valuers” who can assign a value to the data holdings of an organization. Such data valuers have to be experts in understanding the laws related to data as well as security of data since they have an impact on the valuation.
This is a new career opportunity that would develop in due course beyond the career opportunities of CISO/Compliance officer developed by ITA 2000 or the DPOs and Data Auditors created by PDPAI.
To fully appreciate the valuation of data, perhaps it would be useful if one also takes a look at “Naavi’s theory of data” which tries to place a structure on how we define data, recognize its evolution during processing and how value can be recognized.
Perhaps the future is uncertain and it is like passing through a time warp in space. Once the PDPAI becomes a reality some time in the early part of 2021, we may suddenly find ourselves at the other end of the time warp and emerge into a world unknown but full of new opportunities.
Let us look forward to this world at the other end of the PDPAI warp.
Naavi
Where is the Net4India resolution? Why the Government of India is silent?
I refer to the various articles regarding the Net4India issue and it appears that time has come to question the wisdom of the Government of India in not intervening in the NCLT proceedings regarding the Net4India issue.
To summarize the developments till now, Net4India was a leading domain name registrant in India and lakhs of Indians registered domain names with the company and many thousands also availed other services for hosting their domain names and e-mail services from them. The company was therefore a critical service provider for Internet based activities in India.
The company however stopped its operations some time back and customers found out that an NCLT proceeding had been initiated by Edelweiss Asset Reconstruction Company to which State Bank of India assigned the debts of the company.
It is not clear how SBI came to run up the huge debt against the Company and whether there was any internal vigilance enquiry or CBI enquiry from the Ministry of Finance or RBI. It appears that there was no such enquiry, and that there was a massive fraud in SBI resulting in an NPA of more than 200 crores, when SBI quietly shifted the action to NCLT.
Until the matter was brought into the open by Naavi.org, there was no clarity on why Net4India was not servicing its customers properly. Now the reason for the partial closure of the operations has become clear. It is due to the insolvency proceedings that have been initiated for the recovery of the SBI loan through Edelweiss Asset Reconstruction Company.
However, we can identify many faults by NCLT, SBI etc. which have resulted in the current crisis. It is also not clear whether, in the assignment of debt from SBI to Edelweiss, the valuation was done fairly. These are subject matters for the Finance Ministry to consider. Nothing less than a CBI enquiry is called for into the way the debt was built up in SBI, how it was assigned to Edelweiss and how they tried to suppress the digital assets of Net4India, either by design or through ignorance, causing losses to lakhs of citizens of the country.
Some of the omissions of NCLT and others can be listed as follows.
a) Not ensuring that the notice about the insolvency proceedings was displayed on the Net4India website, which is the contact point for the lakhs of its customers, many of whom were also small creditors of the company.
b) NCLT not properly understanding the business of Net4India nor making an assessment of its digital assets before ordering the sale of its properties and starting the insolvency proceedings.
c) From the order dated 25th September 2020, it is now clear that the NCLT has been fully apprised. However, the website of Net4India still sports the “Covid Notice” and there is no notice of the proceedings. Though it is of little significance now, since the customers of Net4India have been wronged by NCLT and that cannot be reversed, the fact that NCLT does not even now realize that it ought to ensure a notice on all Net4India websites speaks volumes about the knowledge and efficiency of our judicial system in facing the challenges of the Digital era.
d) Since the Judges manning NCLT are the previous generation judges, it is the responsibility of the IT Ministry and the Law Ministry to actually organize appropriate training to the judges in the NCLT which makes them realize that today there is no company in India which does not have digital assets. In many instances the digital assets may far outweigh the physical assets and in all insolvency proceedings it should be mandatory for NCLT to recognize the presence of digital assets and how its value may be unlocked before proceeding with the insolvency petition.
e) The Government of India is presently considering the “Non Personal Data Governance Act” based on the report of the Kris Gopalakrishna Committee. This Act envisages setting up a “Data Exchange” where non-personal data can be sold for value like shares on the BSE/NSE. On the other hand, NCLT, which has thousands of corporate insolvency petitions, seems completely ignorant of the value of data as a corporate asset. Had the special nature of the business of Net4India been factored into the insolvency proceedings, the revelations in the order of 25th September 2020 would have surfaced in the first hearing itself. In that case, even before the immovable property belonging to the company was sought to be sold, the digital assets would have been encashed by transferring the Domain Name registration business to another entity as a “Going Concern”.
f) It is also time for NCLT to give confidence to the corporate world as to whether they follow the concept of the value of an asset on a “Gone Concern basis” or a “Going Concern basis”. If the law recognizes “Intellectual Property” and we have a whole system for protecting, transferring and selling trademarks, copyrighted works, patents etc., the law should also recognize that a substantial part of the value of IPR exists on a “Going Concern” basis. When there are insolvency proceedings, unless special care is taken, IPR such as trademarks come down to zero. However, before the value of a trademark comes down to zero, there could be companies in a similar business who may like to take over the trademark or other rights so that some value can be realized before applying the insolvency hammer. Similarly, the digital assets of Net4India can be valuable as a going concern and become zero as a gone concern. NCLT should try to preserve the value by adopting the Going Concern basis of valuation as long as feasible.
g) In the Net4India case, the lakhs of customers would have been happy if another registrar had taken over the business and provided business continuity to their operations which depended on the domain names and other ISP services registered with Net4India.
I would like NCLT to give a thought to what would happen if the domain name nclt.gov.in stopped functioning from tomorrow, or some cyber squatter diverted the domain. What if the e-mail address of the registrar of NCLT or the RPs stopped functioning from tomorrow?
Then the cost that NCLT would have to pay for restoring its operations is the value of the domain name nclt.gov.in or the e-mail address registrar@nclt.gov.in.
NCLT should ask itself whether this value is reflected in the NCLT asset register.
I am separately discussing the valuation of data assets in a follow-up article. But for the time being I only want to highlight this: if one domain name, nclt.gov.in, has such value that if it stopped there would be chaos in the country, then imagine that Net4India had more than 70,000 domain names registered by different individuals and companies in India, who were given a scare that their business doors had been closed because NCLT did not recognize that the insolvency proceedings would indirectly drive many others into insolvency or at least significant losses.
h) Again, I am willing to concede that the Judges of NCLT did not study valuation of data during their LLB days nor encountered such issues during the days when they grew in the system to don the responsible position they hold today.
But does not MeitY know the value of a data asset and how it can affect the proceedings of asset reconstruction and insolvency?
Does not the Finance Ministry, which oversees the Insolvency Act, know?
Does not Edelweiss Reconstruction, which was the petitioner, know?
Does not SBI, which gave a loan of 200+ crores to Net4India, know?
I feel that all these agencies lacked the vision to understand that their action in trying to collect their debts of Rs 200 crores could jeopardize the assets, worth thousands of crores, of the customers of Net4India.
Do they know that even an innocuous domain name like naavi.org is valued at nearly a lakh of rupees, though it may take only Rs 700 per year to maintain it? If so, we can imagine what the value of the 70,000-plus domain names alone which the proceedings have jeopardized would be.
Who is responsible for this?
Digital India wants to know if all these agencies, including NCLT, are willing to apologize to the public for their ignorance.
Will MeitY or the Law Ministry or the Finance Ministry take responsibility for not creating awareness about the value of data among the NCLT judges?
In most compliance measures we say that “Awareness training” is a pre-requisite for a company. Is this not a pre-requisite before judges are appointed to the NCLT or RPs pass the examination?
i) Even though NIXI has assured that dot-in domain names will be transferred out of Net4domains, and AuthCodes have been released in recent weeks, the transfers are yet to be completed: after the new registrar requests confirmation of the transfer, no response comes from Net4India. I hope NIXI will look into this and ensure that the transfers get completed.
j) While NIXI has shown some concern in attending to the dot-in domain holders, ICANN remains intransigent. ICANN is still insisting that unless its dues from Net4India are cleared, it will not allow transfer of domains in the generic TLDs. Its actions affect only the domain name registrants, not the Registrar.
k) ICANN failed in its due diligence by not taking action in time when Net4India was converting itself into a reseller and roped in another entity, defrauding customers who had no clue how this transfer would affect them. Now the NCLT order of 25th September indicates that Net4India committed a fraud by retaining its main registrar contract with ICANN without paying its dues, while shifting the revenue-generating business to another entity. All companies that are part of this “domain laundering” must be identified and punished.
l) If all the above actions are to be taken, then MeitY has to step in and take responsibility for resolving the issue.
We must recognize that Net4India is an indicator of a shortcoming in the ICANN system of domain name registration: registrars are appointed without proper due diligence. Hence this matter needs to be addressed at the ICANN policy level as well, so that the business failures of registrars do not hold the world to ransom.
I want ICANN to imagine the impact on the global economy if GoDaddy stops its business today for whatever reason.
The Indian Government has to consider whether it is possible for ICANN to hold the Indian Government to ransom by threatening the closure of the domain name registries. What is the guarantee that this will not happen some time in the future, when ICANN management comes under the control of a China-Pakistan-North Korea nexus?
Since ICANN does not have a solution for this, can the Indian Government continue to keep the Indian digital economy dependent on ICANN registrars? Is it not time for the Indian Government to ensure that the interests of Indian citizens are protected, by ensuring that all domain name registrations of Indian citizens are under the control of the Indian Government and that no external body can threaten to shut down our digital system?
This requires that NIXI be given responsibility for all TLDs registered by an Indian citizen. For this, the domain name registration system should have a “Right of the Nation” clause, and the registrant should be given the option to appoint a Government of his choice, or by default the Government of the country of which he is a citizen, as the controller for the domain. In the event of a contingency where the registrar stops business, ICANN should enable the designated Government to take over control of the said domain.
If the Internet is considered a human right, there is a need to ensure that the domain name registration system is also properly secured, so that the Net4India issue is the last such incident in India.
Countries all over the world are passing personal data protection laws to protect the right to privacy of their citizens. Domain name registration represents the right to do digital business, and it needs to be protected as well. Fortunately we do not need a separate law for this purpose; we can bring it under our Information Technology Act 2000. We can treat a situation like the one we are now facing as a “Denial of Access” and an offence under Section 66 of ITA 2000. Everyone who is directly or indirectly responsible for this situation should be prosecuted under ITA 2000 so that they do not mess with the digital asset system.
In the meantime, watch out for my views on the valuation of digital assets for which the Chartered Accountant Community has to make some changes in their accounting practices.
Naavi
(Comments welcome)
Posted in Cyber Law