Admissions open for Cyber Law Course from National Law School, Bangalore

National Law School University of India (NLSUI) has released the admission notice for the PG Diploma Course in Cyber Law and Cyber Forensics (PGDCLCF).

This is a distance learning course with contact classes which will be held in Bangalore.

Details are available  here: 

The last date for admission is September 30, 2018. Extended date with late fee of Rs 500/- is October 15, 2018.

As a premier law education entity in the country, the course attracts senior IT professionals, Lawyers, Administrators and Law Enforcement persons each year.

Persons interested may avail the opportunity.

Naavi


Data is the New Oil, Attempt to create Economic Colonies using Data Mining is a reality

I draw the attention of readers to an interesting article titled “American Data Miners are modern avatars of British East India Company”.

This article also has relevance to the lobbying that many International companies are presently attempting to change some of the provisions of the PDPA 2018 (Proposed Personal Data Protection Act).  Many vested interests have been even organizing seminars with the ulterior intention of mobilizing public opinion against the move of the Government which only says “One Serving Copy of personal data collected from India should be held in India”.

It is however noted that there are many experts who are vocally opposing the moves of these companies and we see heated debates in the seminar halls and WhatsApp group supporting the Government’s move.

Naavi.org considers that the provisions of PDPA 2018 have taken into consideration the views of the industry and accommodated the international players sufficiently. It has at the same time tried to safeguard the Indian interests both from the national security perspective as well as a need to give a boost to the Indian data storage eco system.

Just as the Y2K gave a boost to the Indian IT industry, the move of the Government has substantial economic significance and hence has to be pursued. It has the potential to create more data centers in India with associated activities including development of the professional work force with specialization in Data Protection.

Referring to the “East India Company” reference made in the article in mynation.com, we need to highlight that Naavi.org has several times in the past during discussions on Copyright and IPR indicated that the IPR regulatory regime is being used to create economic powers to ride over India. Now we see a similar attempt through the International Data Protection Regulations.

In our earlier article “Data Processors in India should avoid entering into unenforceable contracts which may be termed “Fraudulent”” we had highlighted how the “Standard Contractual Clauses” used in EU recommendations are an attempt to override Indian law. Sensing such attempts, we had recommended during the deliberations of the Srikrishna Committee that Indian Companies should be protected from international assault through data protection laws by creating an “Umbrella of Protection” so that no penal action be launched against Indian Companies under GDPR or similar laws except through the Indian Data Protection Authority. (Refer: “Data Protection Law in India… Three Big Ideas …. Data Trust, Jurisdictional Umbrella and Reciprocal Enforcement Rights“).

It is unfortunate that even during the East India Company days, India has been exploited by foreign agencies through obliging locals who could be bribed by various means to support the long term exploitation goals of the foreign interests ignoring the interests of the nation.

Even today, the same threat continues to haunt us and is also reflecting in the commercial aspects related to data localization or data protection in general.

Recognizing the need for Indian Data Protection Professionals to keep the interests of the nation on top of their minds, the Foundation of Data Protection Professionals in India (FDPPI) has adopted as its objective the building of an empowered community of Data Protection Professionals who contribute to the development of a Secure Information Society in India taking the national interests into consideration.

I hope the long term benefit of having an organization that focuses on Data Protection without neglecting the national interests would be appreciated by the community and translates into an active participation in the activities of the Foundation.

Naavi

Also refer:

India: The Debate – Data Localization And Its Efficacy

How localization of data will affect firms, consumers

 


Controller of Certifying Authorities can improve security of Digital Signatures

Digital Signatures are the legally recognized means of authentication of electronic documents in India. Though a password is not the legally acceptable means of authentication, many companies including Banks ignore this, and it is widely used for many authentications including financial transactions. While some Banks have started offering digital signing options for Banking transactions, most of them are banking only on the OTP system to secure the authentication.

The e-KYC system used by Banks is also dependent completely on the security of the OTP system, and even though e-KYC can be used for e-Signing, which is legally equivalent to digital signature, it is still not secure beyond what OTP provides.

Most Banks use OTP only on mobiles and the OTP message is sent through an unencrypted SMS message. In such cases, if there is a compromise of mobile through SMS reading apps, or when the customer is subjected to a Voice based phishing, the OTP will be compromised and could lead to frauds.

While it is necessary that Banks need to anticipate such risks of compromise at the user device level and initiate the security measures which overcome OTP compromise risks or bear the responsibility for the fraud losses, we can independently look at one measure which the Controller of Certifying Authorities (CCA) can initiate to improve the reliability of the Digital Signature system.

The CCA should take a leaf out of UIDAI in this regard where some measures have been initiated which appear to be also good for the CCA to introduce.

Firstly, just as UIDAI uses a system of biometric lock, CCA can through the Certifying Authorities provide an option to the digital signature user to lock and unlock his digital signature through the repository maintained by the parent Certifying Authority (CA).

Secondly the usage of every digital signing incident where a verification call is made on the repository could be logged with useful meta data and made available to the digital certificate subscriber. This also has been done by UIDAI though the information logged is sketchy and could be improved.

If such a facility is available, the application developers may also use a “Verification Call” as a mandatory requirement before a digital signature is applied in any usage scenario.

Probably in the case of offline digital signing there could be an issue, but such situations can still be logged with a post signing verification whenever the digital signatory is connected to the internet.
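A minimal model of the lock, the verification-call log and the post-signing check proposed above, as an added example that is not from the original article or from any Certifying Authority's actual system. The class names, outcome labels, sample serial number and the HMAC stand-in for the private-key signing operation are all assumptions made for illustration.

```python
"""Illustrative model only: a CA repository with a subscriber-controlled lock
and a log of every verification call, as proposed in the text above."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class VerificationEvent:
    serial: str       # certificate serial number
    app: str          # application that made the call
    doc_digest: str   # SHA-256 of the document, not the document itself
    outcome: str      # allowed / refused-locked / post-sign-ok / post-sign-flagged
    at: str           # UTC timestamp of the call


class CARepository:
    """Hypothetical repository maintained by the parent CA."""

    def __init__(self):
        self._locked = {}   # serial -> lock state
        self._log = []

    def enroll(self, serial):
        self._locked[serial] = True   # locked until the subscriber unlocks

    def set_lock(self, serial, locked):
        if serial not in self._locked:
            raise KeyError(serial)
        self._locked[serial] = locked

    def verification_call(self, serial, app, doc_digest, post_sign=False):
        """Log the call and report whether signing is (or was) permitted."""
        locked = self._locked.get(serial, True)   # unknown serials are refused
        if post_sign:
            outcome = "post-sign-flagged" if locked else "post-sign-ok"
        else:
            outcome = "refused-locked" if locked else "allowed"
        stamp = datetime.now(timezone.utc).isoformat()
        self._log.append(VerificationEvent(serial, app, doc_digest, outcome, stamp))
        return not locked

    def subscriber_log(self, serial):
        """The usage history made available to the certificate subscriber."""
        return [e for e in self._log if e.serial == serial]


class Signer:
    """Signing application that treats the verification call as mandatory."""

    def __init__(self, serial, key, repo):
        self.serial, self._key, self._repo = serial, key, repo
        self._pending = []   # offline signatures awaiting post-sign verification

    def sign(self, document, app, online=True):
        digest = hashlib.sha256(document).hexdigest()
        if online:
            if not self._repo.verification_call(self.serial, app, digest):
                raise PermissionError("signature is locked at the CA repository")
        else:
            self._pending.append((app, digest))
        # Stand-in for the real private-key operation (assumption, not PKI).
        return hmac.new(self._key, document, hashlib.sha256).hexdigest()

    def sync(self):
        """Report offline signatures once connected; return flagged digests."""
        flagged = []
        for app, digest in self._pending:
            ok = self._repo.verification_call(self.serial, app, digest, post_sign=True)
            if not ok:
                flagged.append(digest)
        self._pending.clear()
        return flagged


def demo():
    """Constructed scenario: locked attempt, unlocked use, offline use while locked."""
    repo = CARepository()
    serial = "SERIAL-0001"                      # constructed sample value
    repo.enroll(serial)
    signer = Signer(serial, b"constructed-demo-key", repo)
    try:
        signer.sign(b"payment order", app="bank-portal")
    except PermissionError:
        pass                                    # refused and logged
    repo.set_lock(serial, False)
    signer.sign(b"payment order", app="bank-portal")
    repo.set_lock(serial, True)
    signer.sign(b"offline contract", app="desktop-signer", online=False)
    flagged = signer.sync()
    return [e.outcome for e in repo.subscriber_log(serial)], flagged


if __name__ == "__main__":
    print(demo())
```

The offline case cannot be blocked in advance, so the model only makes it visible: a signature produced while the lock was on appears in the subscriber's log as flagged once the signer reconnects.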

When such verification calls are made, there could be practical issues including privacy issues to be considered but the concerns can be handled since we are verifying through a secure connection between the digital signer and the CA.

I hope the CCA would consider some of these measures as a part of its rule making power until such time that the ITA 2008 itself can incorporate such measures as part of the law.

I look forward to suggestions from security experts in this regard. The request has already been made on the CCA and I am awaiting the response.

P.S: This suggestion arose due to a query from Mr Uday Gupta, one of the readers of an article on this site on digital signatures and I thank him for raising this issue.

Naavi

 

 

 


Section 498A: Why Supreme Court cannot be consistent?

[P.S: This may not be a Cyber Law Issue but is a matter of concern to the youth in the IT industry and reflects the personal experience of the undersigned in interacting with several young persons in the IT industry with whom the author interacts as a part of his Cyber law activities. This should also not be considered as anti women …. Naavi]

The recent decision of the three member bench of the Supreme Court holding that there is no need for a Family welfare committee to advise the Police before an arrest can be made under Section 498A may be technically justifiable. But the view of the Supreme Court overturning the earlier decision of a two member bench, which was meant to prevent abuse of the provisions of the Section 498A and introduce some safety measures, is not consistent with the aggressive view taken in respect of other issues such as in the case of Section 377, or even Section 66A of ITA 2000/8.

In the cases of Sec 377 (IPC) or Sec 66A (ITA 2000/8) the Court went ahead with striking down earlier legal provisions and changed the law in the Court without waiting for the legislature alone to do it. But when it comes to 498A, it tries to make the Government responsible to change the law. If it can change IPC or ITA 2000/8 in other cases, it is not clear why it cannot change the law in the case of 498A.

Merely making a lofty statement that the Court is aware of the abuse does not suffice to show the concern for justice and fairness which should be the hallmark of the Apex Court.

Making such statements for records but following them with measures to remove the safeguards introduced by another bench of the Supreme Court itself and enhancing the scope of misuse of law is not a welcome development.

Section 498A has been so much abused that it has already dented the confidence of the Indian male on the Indian marriage system. Many young males are refusing to get married because of the “Risk of Marriage”. There are many professional extortionist young girls who use dowry harassment and domestic violence to extract unreasonable damages in cases of normal domestic differences of opinion.

This argument against 498A is not a bias against women because in all the cases of 498A, along with the husbands and the father in law, it is the women in the house like the mother in law or the sister in law who get dragged into being accused as accomplices. The cases are often propped up not by the wife who may actually want to compromise but by her parents who for their ego try to show their power.

This objection to the supreme court decision should not be confused as reflecting any intention to deny that there is a need to protect women in genuine cases of dowry harassment. There is definitely a need to prevent such harassment and victims do need protection of law.

But there is a need for the law to learn from the past experience and ensure that there is a balance which prevents misuse. Also, it is agreed that divorce may be the preferred solution in cases where the boy and the girl have an irretrievable break down of relationship often because of their relationships outside marriage. Hence a forced compromise is not a solution to broken marriages. It can only lead to further domestic violence. Hence divorce requests are to be handled realistically and facilitated. But when it comes to settlement, the Courts should recognize that one of the strong motives for divorce could be the ability of the girl to extract a large compensation. Hence many girls who are financially better than the husband often end up claiming damages to which they should not be eligible.

The divorces become acrimonious because the girls have the practice of invoking Domestic Violence case complaints as part of every divorce. This should be seriously discouraged.

The Supreme Court bench does not seem to have considered the plight of innocent senior citizens who have been dragged to jail by violent daughters in law.

If the Supreme Court does not show consistency and uphold justice to common man in every aspect of law whether it is 498A or 66A or 377, it is the reputation of the Court which is in jeopardy.

It is unfortunate that in the Section 498A issue, the Supreme Court has already declared its intention that it prefers to follow its own whimsical ways of deciding on different issues, sometimes being logical and humane and sometimes adopting a completely irrational approach to problems.

Now the current ruling will only increase corruption in the Police but the damage has already been done. The solution to the problem now lies either with the Government at the Center or in the States.

First and foremost the higher officials of the Police in the States should themselves initiate a proper process to ensure that Section 498A is not used to harass innocents. It should not allow arrests without the intervention of a higher level officer preferably beyond the Station level.

Probably the State Police should create a special committee of police officers to replace the Family welfare committee which was proposed by the earlier Supreme Court which should direct the station level investigating officer if arrest is required or not. I suppose this will be permitted within this judgement.

This could be within the administrative powers of the State police and the political sanction of the State Government. Since the issue is not political, I suppose there should be no problem in the State Governments taking a quick stand in this respect.

The second solution is for the Central Government to move in quickly if required through an ordinance to ensure that the imprisonment provision in Section 498A is softened by reducing the maximum imprisonment to some thing like 3 months and allowing quick bail. It should only be for deterrence.

In case of exceptional cases where there is real harassment leading to a dowry death there are other provisions under which the accused can be punished for life or with death sentence.

While the Supreme Court conveniently says that there are alternate provisions of getting a bail and hence there is no need of the safety clause, the same logic applies to the fact that there are alternative measures to punish the really guilty and there is no need to arrest the poor husband when his newly wed wife runs away to her parent’s place and launches litigation alleging all kinds of torture on every known relative of the husband when there is no real threat to her. It appears that the judges had not made a proper assessment of such cases before arriving at their current decision.

I hope that the Central Government of Mr Modi and the different State Governments try to address the issue with necessary changes in law to prevent abuse of Section 498A.

Naavi


Johari Window… and the Story of the Emperor’s New Clothes… Perhaps the Supreme Court should take a lesson about

“Johari Window” is a well known principle used by behavioural scientists and known to most of the Corporate managers. The recent happenings in the Supreme Court of India indicate that the Judges who head constitutional benches need to be given a lesson on what this concept means. Mr K.K. Venugopal, the Attorney General, Mr Abhishek Manu Singhvi and most importantly the fire brand TMC MLA Ms Mahua Moitra should also be invited to a workshop on Johari Window to make all of them realize how they are together misinterpreting the UIDAI and I & B Proposal on Media Monitoring.

However, the situation is like the proverbial “Emperor’s New Clothes”. Nobody dares to use their “Freedom of Expression” which is a fundamental right guaranteed by the Indian Constitution to tell either the Judges, or the Senior advocates that their perception on what constitutes “Media Monitoring” and how it is not amounting to “Surveillance on the Citizens” and why the RFP on media monitoring cannot be considered as an attempt to infringe on the privacy of Indian Citizens and more particularly that of the petitioner.

However, in the interest of Justice and fair play, somebody has to bell the Cat…. the Cat called “Privacy” which seems to be able to approach business from any direction and in any form. Even after the specific law will be passed in India for this purpose based on the Personal Data Protection Act 2018, (PDPA 2018) “Privacy” would continue to be used as a convenient political stick to beat the Government at the pleasure of the opposition parties. The Privacy activists therefore are unhappy to bind the monster called “Privacy” into a framework called “PDPA 2018” and are using all means to oppose the passage of the Privacy Act.

Keeping the PDPA 2018 opposition to a different discussion, let us now focus on what is Johari Window and why there is a need for the Supreme Court to understand it.

According to the Google and Wikipedia,

The Johari Window is a technique that helps people understand their relationship with themselves and others.

All of us whether we are citizens of India or the politicians or lawyers or Judges in the Supreme Court of India, need to make continuous efforts to know ourselves and others better because it is an eternal need of a human being from birth to death. Unfortunately, in most of the humans, self realization dawns only on the deathbed. The Shivaparadha Kshmapana Stotra and BhajaGovindam created by Adi Shankaracharya amply capture this human tendency to ignore truth until it is too late, though it is stated in a different context.

The psychologists Joseph Luft and Harrington Ingham propounded the principle of the “Johari Window” way back in 1955. The essence of the theory is that the awareness grid of human beings can be classified into four zones as represented in the diagram shown here.

The Johari Window concept illustrates a simple method to recognize that in order to improve our relationship with others, we need to be aware that there is a “Blind Area” about ourselves which others know but we ourselves do not know. This is what needs to be addressed in the UIDAI RFP.

The area about ourselves which is known to us and also known to the world is the “Public” domain.

The area which is known only to us and not to others is the zone of “Privacy”.

The Privacy zone is the one which the law of Privacy should protect and prevent information to move from this privacy zone to the Public zone. On the other hand, it should be the endeavor of every responsible individual or corporate to ensure that the “Blind Zone” is made smaller and smaller by moving what others know about ourselves which we ourselves do not know to the zone of “Public” which is known both to self and others.

( P.S: I admit that this applies as much to me as an author of this article and welcome constructive suggestions. But self improvement presupposes that the ignorant seeks the knowledge from outside and for this purpose, we need to expose our thoughts to the world and try to get feedback. eg: This article)

There is however a zone which neither the self knows nor the public knows and this is what introduces a certain level of “Uncertainty” while designing “Privacy laws” and defining “Privacy”. Privacy Laws essentially try to protect that aspect of human behaviour about which the individual himself is not aware but the Privacy Activists and the Courts sit in judgement thereof.

The Puttaswamy judgement is hailed as a “Landmark judgement in India”. But it only confirmed the known fact that “Privacy is a fundamental right of Indian citizens” but failed to define “Privacy”. (Refer the set of articles on this issue written earlier).

In the part of the discussions recorded in the judgement to which Justice D Y Chandrachud subscribed, it was recognized that “Privacy is a State of Mind of an individual”. Hence the limitations of the law in designing a means of protecting the “State of Mind” was recognized and the focus of the judgement therefore remained only on “Information Privacy”.

The judgement also quoted “… privacy is the expectation that information about a person will be treated appropriately. This theory of “contextual integrity” believes people do not want to control their information or become inaccessible as much as they want their information to be treated in accordance with their expectation (Nissenbaum 2004, 2010, 2011)”

The judgement also recognized that “Privacy is the best friend of terrorists..” and there is a duty cast on the State to balance National Security even while designing Privacy laws.

It is surprising that it is now the same judge D.Y.Chandrachud who is thinking that the RFP of UIDAI is likely to infringe on the Privacy of an individual. There is no doubt that he is being perhaps misled by the petitioner’s advocates who are high profile politicians.

In our opinion it is the legitimate right and more appropriately the duty of UIDAI to know “What others know about itself but it itself does not know”. This is the “Blind Zone” in the Johari Window. It is the corporate wisdom that the authority takes all efforts to shrink this zone by trying to know what people are talking about itself.

As a citizen I would consider it the duty of UIDAI to monitor the media not only for its own reputation management but also to identify leads to potential attempts at hacking into different agencies and sub systems of Aadhaar. I believe this is what is attempted in the RFP.

“Surveillance” is the speculation which is in the minds of Mahua Moitra and Abhishek Manu Singhvi and is being transferred to the minds of the benches. The AG is not helping the judges arrive at a correct decision by refusing to point out to the judges that the perception that Mr Singhvi is trying to create is wrong and cannot be accepted. Perhaps he needs to be reminded of the story of the “Emperor’s new clothes”

AG by his silence is actually making the Court come to a wrong conclusion. I wish the Communication industry professionals wake up and see what a wrong judgement in this case can do to their business.

The way the discussions are progressing, the Court is likely to accept that the current RFP is actually infringing on the privacy of the petitioner. If so, the activity envisaged in the RFP which we have called “Media Monitoring” will be deemed as equivalent to “Surveillance”.

By deduction therefore, in future, if any PR agency undertakes the task of News Paper Clipping services and monitoring social media on behalf of a Company, it would be termed illegal. The business of “Reputation management” will be illegal. The same way, the media monitoring by political parties including BJP and Congress both of whom maintain what they call “Media Monitoring Cells” will also become illegal.

If either of the political parties say they saw a news report and are reacting to it, the immediate counter would be “How did you know?…Did you monitor the Media?… Have you not given an undertaking to the Supreme Court that you would not do it?”

In this respect, Congress can continue to lie about everything because they have not given any undertaking to speak truth before the Court or the Public but if these lies are monitored by the I & B Ministry, Supreme Court will cry foul.

Presently, UIDAI is receiving threats from all over the world with motivated hackers trying to discredit the agency. It is not difficult to corrupt one or more of these Aadhaar user agencies, compromise their end point system either in collaboration or otherwise and then claim that UIDAI is compromised.

This is exactly what happened in the Abhinav Srivatsava incident where hospital systems were the source of access to UIDAI but it was called “hacking” of the UIDAI. It was the same case in respect of the Chandigarh journalist case and the more recent HuffpostIndia revelations.

Even Naavi.org has recently highlighted how the e-KYC system can be misused because the Aadhaar Authentication trusts the simple OTP over mobile as a means of authentication and enables Banking frauds to happen.

But these are not reasons to consider that this RFP is wrong. The security vulnerabilities are there in the Windows system itself and the way Internet is designed. All applications have to use appropriate security measures during the usage of the applications to reduce the risks. This applies to UIDAI as well as to others.

In order to understand what are the risks in the operation of any Company or an online service such as Aadhaar authentication, the Company has to carefully monitor the Internet and find out if any phishing websites or Apps have been in circulation, whether any of the citizens are experiencing any difficulties, whether there are any complaints registered under complaints.com or naavi.org or glassdoor.com etc.

Many times, it is Twitter and Facebook which first reveal to the public that a particular vulnerability has been discovered. Before this, the deepweb would have discussed it and some hacks would be put on sale in the “Virus on Sale” list and these need to be monitored by a responsible agency.

Tomorrow if some body reports on a facebook page, that the Supreme Court judgement on its site can be modified and re-uploaded, Supreme Court should be the first agency which should watch out. That is “Media Monitoring” and not “Surveillance”.

It is regrettable that people want to mislead the public that the RFP of UIDAI is not media monitoring but is surveillance. Mr Singhvi is pointing out to the word “Listening” as one of the specifications of the software. Let Mr Singhvi understand that there is something called Intrusion Detection Systems which often work along with Firewalls whose job is to “Listen”. The word “Listen” is used in the context of “Filtering” and not “Snooping”. Nevertheless, if internet packets going through a particular ISP system are “Listened to”, it may be a kind of snooping. But still it will be snooping into the corporate entity not subject to Privacy Rights but protected by the other laws.

Tomorrow, these advocates without technical background may interpret a “Handshake” between two systems as “Collaboration and Conspiracy and invoke Section 120 of IPC”! Let us understand that techies have some terminologies that sound similar to popular words used elsewhere but have different contextual meanings.

But what the RFP wants to do is not “Snooping into the packets” as they traverse the internet. It is scanning the published content, identifying from the published content if the article is relevant for UIDAI and if so, listing it out.

The Google Search Engine does exactly this. All robotic searches do the same. If a common Google search is termed as “Invasion of Privacy” of Mahua Moitra, and the Court wants to accept it,  then the Court has to kill the internet itself.

Supreme Court cannot be selective and object only to UIDAI and I & B Ministry and block their need to monitor the media (Print, Electronic and online) without also blocking Google and other search engines as well as the Intrusion detection systems which are essential for protection against DDOS attacks.

If done, it will indicate that the Court is biased.

When does “Media Monitoring” become “Surveillance” and infringe Privacy?

The dictionary definition of surveillance is:

“close observation, especially of a suspected spy or criminal.”
eg: “he found himself put under surveillance by British military intelligence”

synonyms: observation, scrutiny, watch, view, inspection, monitoring, supervision, superintendence; spying, espionage, intelligence, undercover work, infiltration, reconnaissance; informal bugging, wiretapping, phone tapping, recon
eg: “leading members of the party were to be kept under surveillance”

The Cambridge dictionary definition is

“the careful watching of a person or place, especially by the police or army, because of a crime that has happened or is expected.”

The essence of considering a Media Scanning as “Surveillance” is when an individual is tagged and the Government observes him,  considering him as a potential criminal. If a Non Government entity does a similar act, we may call it as “Stalking”.

If a person is closely observed to the extent it creates harassment of the individual, then it becomes a ground for judicial intervention provided there is no prima facie reason to believe that the person is likely to endanger the national security.

If there is any “Suspicious” movement of a person in a street or in Cyber street, the Government not only has a reason for but also a duty to carry out “Surveillance”. Cyber Intelligence is part of the “Intelligence” activity that the Government intelligence agency has to undertake. If they are not doing it, they are committing dereliction of duty.

Now it is for the Supreme Court to read through the RFPs and identify if there is any “Surveillance” indicated. In the UIDAI RFP there is certainly nothing even closely resembling “Surveillance” and if Ms Moitra thinks so, it is the figment of her imagination.

The Supreme Court cannot undertake roving enquiries and conduct contentious litigation against the Government and paralyze Governance just to satisfy the ego of politicians working as advocates and looking for media sensitive bytes from the Judges to carry out their political agenda.

If the Supreme Court was serious, they should have called a media expert and checked if the RFP is meant to cause surveillance of the masses or some thing else.

I wish that the Public Relations Society of India impleads itself in the hearing and educates the Supreme Court.

Without considering the contents of the RFP and relying entirely on the pleadings of a petitioner, it is improper for the Supreme Court judges to pass comments in front of the press and allow the Press to pronounce as if “Supreme Court has slammed UIDAI”, “Supreme Court has called the RFP as E Spying” etc.

In our adversarial system of Jurisprudence, it is the responsibility of the defending counsel to highlight what all we are stating here.

I wish the AG brings home these points and let the Court come to a correct decision that RFP in question does not amount to Surveillance and there is no need for the Court to interfere in the day to day management of UIDAI. It is his duty to do so even if there is a possibility that the bench will hit back in the Aadhaar judgement which is now being held in reserve.

Fine should be imposed on the petitioner for bringing up a frivolous litigation and trying to mislead the Court. The petitioner’s advocates should be warned that they have to be more discreet in interpreting the commercial documents and consult relevant experts before jumping into conclusions and bringing it before the Court as truthful grounds for interference by the Court.

Naavi

P.S: EU parliament in the meantime seems to have passed a copyright rule which may mandate that internet platforms have to filter every piece of content from copyright angle. This means that the alternate presence of the content elsewhere in the Internet needs to be identified and the authorship also has to be tracked. Will this not be directly in conflict with what the above view of the Court may be suggesting? (Refer article here)
