The GGWG has also commented on industry-wide considerations regarding Digital and Electronic Signatures, Section 65B of the Indian Evidence Act, and the use of Two Factor (2F) authentication. It also discusses data protection aspects in Banking and refers to the Data Protection Act of the UK (DPA), the Gramm Leach Bliley Act (GLBA) and the Electronic Fund Transfer Act (EFTA) of the USA.
We shall examine each of these aspects individually.
Digital and Electronic Signatures
“Digital Signature” was one of the key issues covered under ITA 2000 way back in the year 2000, when the Act was notified with effect from 17th October 2000. Even after 10 years the world has not seen a better technology that can substitute digital signatures as a means of authentication of an electronic document. The choice of the technology was therefore inevitable for a system which had two sub-objectives, namely certifying the data integrity of a signed document and certifying the identity of the person signing the document. Common people may sometimes be confused when they realise that the law considers digital signatures as a valid replacement of physical signatures but does not consider a scanned thumb impression a “Signature”. The Working group however consisted of experts and hence there is no reason to believe that they did not understand the difference between a Digital Signature, which can authenticate both the person and the document, and any other method of authentication, which can only identify the person but cannot certify what he has stated. If the report gives any contrary opinion, we can only wonder if the group wanted to be clever and pass through recommendations in the hope that nobody will challenge them.
Since there was some objection from technologists that ITA 2000 was dependent on the technology of Asymmetric Crypto Systems and hashing for the purpose of authentication and did not leave scope for new technology innovations, ITA 2008 introduced a flexibility into the legislation by defining what was called “Electronic Signatures”. The “Digital Signature” as defined in Section 3 remained one form of Electronic Signature already approved. It was open to Licensed Certifying Authorities (CA) to come up with alternate technologies that conform to the requirements of Section 3A and obtain the sanction of the Controller of Certifying Authorities (CCA) to introduce “Electronic Signatures”, which would then be notified in Schedule II of ITA 2008. Since 27th October 2009, when ITA 2008 was notified, no CA has come up with any proposal for an Electronic Signature, and hence it appears that as of date there is no alternative to the digital signature for the purpose of authentication of electronic documents.
Contrary to what the working group seems to suggest, there is no ambiguity in ITA 2008 as regards this aspect. An approved Electronic Signature, when notified, will be an additional authentication method, and in case any other section needs clarification, we can expect that it will be done when the notification is issued.
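The distinction drawn above, between a digital signature that certifies both the signer and the content and an authentication method that only identifies the person, is easy to see in code. The following is an added illustration written for this commentary, not code from the working group or from any bank; it uses Go's standard-library Ed25519 over a SHA-256 digest as a stand-in for the hash-and-asymmetric-key model of Section 3, and a constructed one-time-code check as the stand-in for a 2F method. The transaction text, the OTP value and the function names are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// SignedRecord is a constructed type: an electronic record together with the
// originator's signature over the SHA-256 digest of that record.
type SignedRecord struct {
	Content   []byte
	Signature []byte
}

// SignRecord hashes the record and signs the digest with the originator's private key.
func SignRecord(priv ed25519.PrivateKey, content []byte) SignedRecord {
	digest := sha256.Sum256(content)
	return SignedRecord{Content: content, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyRecord re-hashes the content and checks the signature against the public key.
// It succeeds only if the content is unchanged (integrity) and the signature was made
// with the private key matching pub (origin). Either failure yields false.
func VerifyRecord(pub ed25519.PublicKey, rec SignedRecord) bool {
	digest := sha256.Sum256(rec.Content)
	return ed25519.Verify(pub, digest[:], rec.Signature)
}

// SecondFactorOK models a one-time code check (constructed for this example).
// Note the parameters: the record being transacted never enters the comparison,
// so a correct code shows that the token holder was present, not what they agreed to.
func SecondFactorOK(presented, expected string) bool {
	return subtle.ConstantTimeCompare([]byte(presented), []byte(expected)) == 1
}

// Outcome collects the checks so they can be inspected without reading stdout.
type Outcome struct {
	GenuineVerified    bool // untouched record, originator's key
	TamperedVerified   bool // amended record, original signature
	WrongKeyVerified   bool // untouched record, some other party's key
	SecondFactorPassed bool // OTP matched, regardless of record content
}

// Demonstrate runs the comparison on a constructed instruction. Keys are
// generated fresh, so only the content and the key binding are under test.
func Demonstrate() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	original := []byte("transfer INR 1,000 to account A") // constructed sample
	rec := SignRecord(priv, original)

	// The same record with the amount altered after signing; the signature is unchanged.
	amended := SignedRecord{
		Content:   bytes.Replace(rec.Content, []byte("1,000"), []byte("1,00,000"), 1),
		Signature: rec.Signature,
	}

	return Outcome{
		GenuineVerified:    VerifyRecord(pub, rec),
		TamperedVerified:   VerifyRecord(pub, amended),
		WrongKeyVerified:   VerifyRecord(otherPub, rec),
		SecondFactorPassed: SecondFactorOK("482913", "482913"), // constructed OTP
	}, nil
}

func main() {
	out, err := Demonstrate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Running it shows the genuine record verifying, the amended record and the foreign key both failing, and the second-factor check passing in every case because it was never tied to the record. That is the gap the text describes: a 2F method can show who logged in, but on its own it produces nothing that later certifies what that person authorised.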
ICICI Bank, which was one of the members of the group, had been hurt in the Umashankar Case since the Adjudicator had found that the Bank was negligent in not using digital signatures as a means of authentication as per law to distinguish its e-mails, and hence the customer could be cheated by an impersonator.
The working group should have perused the judgment copy, if not the details of the arguments adduced in the case by Umashankar (which the member Bank could have shared with the Group for public good), to understand why the learned judge came to the conclusion that the Bank was negligent.
RBI is aware that the S R Mittal Group had gone into the details of the use of Digital Signatures and the then Deputy Managing Director of ICICI Bank who was the member of the group submitted a dissenting report opposing the group’s contention that “PKI is the only form of authentication approved in law and use of any other technology is a source of legal risk”.
The working group should also have known that ICICI Bank had started using Digital Signatures for authentication of e-mails in 2004 in its demat division and the information is in public space at www.naavi.org.
The working group should also realize that there are several Government agencies, such as the MCA and the IT department, who have made the use of digital signatures compulsory for certain transactions. RBI itself has a subsidiary, IDRBT, which was also represented in the group and which is a licensed CA that issues Digital Certificates to Bankers for their RTGS applications and Truncated Cheque applications.
Despite this wealth of information, the working group failed to analyse the pros and cons of its recommendations regarding the use of alternate forms of authentication as included in the report.
It appears as if the Group was not interested in exploring why the current technology, which is available as well as affordable and is legally acceptable, cannot be mandated for use in Banking. It was only interested in bypassing the law and recommending the use of processes which are not sanctioned by law, or recommending a change of the law itself.
If the regulatory powers of RBI are applied to change laws that are inconvenient to the Bankers, then it would be creating a bad precedent in the Country.
If RBI shows any inclination to succumb to such a strategy, one can envisage that the next request could be for a retrospective change of law so that ICICI Bank could escape its liability in the Umashankar’s case.
The S R Mittal Group had the guts to reject the dissenting report of the Deputy Managing Director of ICICI Bank and showed its character as the upholder of the regulatory character of RBI. The GGWG appears to have failed to show a similar resolve in boldly opposing the move of ICICI Bank for the introduction of recommendations that are not in accordance with law and which, if approved, may make RBI a laughing stock in the Supreme Court when such decisions are questioned by people like Dr Subramanya Swamy.
I trust that RBI when it sits for giving its operational guidelines based on the report will consider these inappropriate recommendations and ensure that the image of RBI as a guard of Indian Banking system is preserved.
The inadequacies of the recommendations are better illustrated in the following comments on the two recommendations that the group has made to avoid the use of digital signatures, namely the use of Section 65B certified documentation and the declaration of 2F authentication as an “Electronic Signature”.
Regarding Section 65B-IEA authentication
Section 65B of the Indian Evidence Act (IEA) was introduced as a means of making certain printed documents admissible as “Electronic Documents” in a Court of Law. Just as the Bankers Book Evidence Act enables certain certified copies of ledgers to be admissible in lieu of presentation of the entire ledger, Sec 65B envisages that printouts of electronic documents, duly certified, are admitted as documents in Courts of Law in lieu of the presentation of the electronic document itself.
This provision was not meant to be used as a replacement of authentication of an electronic document. An electronic document is authenticated by the originator with the use of digital signatures while Sec 65B enables a third party to certify an electronic document based on his observations as a “matter of fact”.
I may recall a Judgement on Stamping of Locker documents a few decades back which has some relevance to the current context. I presume it involved State Bank of India, which was one of the other Banker members in the working group. In this case, the Bank was using Locker Agreements which were unstamped though they required stamping as per the Stamp Act. Whenever a need arose, the Bank used to pay the penalty of 10 times the understamping value and present the document in a Court of law. This practice was questioned by the Stamp authority and it was held as an unfair practice designed to cheat the law.
The suggestion of the group to avoid use of digital signatures and instead use Section 65B certification when a legal requirement arose appears to be similar to this case.
It must also be noted that Section 65B certification can be used for documents which the certifier can view in the ordinary course of his activities. The documents which may be the subject matter of dispute in a Bank Vs Customer case are mostly in the custody of the bank, and most documents can only be certified and presented by the Bank. The Customer will not have any access to such documents and will be at a great disadvantage.
Section 65B certification can be provided by a Bank in favour of third parties. But when the bank uses information from its own server and provides any certified document for its own purpose, it will be deemed as a “Self Serving Evidence” and lose substantial weightage in the Court of Law.
If a customer wants to use any document that he cannot view but is reasonably suspected to be in the custody of the bank in the servers, the option available to him is to press for “E-Discovery”. The provisions of law for a customer to order production of documents for e-discovery from Banks in India are weak. Banks will normally use the “Privacy” argument to stonewall production of documents.
It may be fair to recall that in the Umashankar Vs ICICI Bank case, the Bank appeared to have deliberately erased certain evidence to frustrate the complainant, and hence even when provisions of e-Discovery are invoked with Court intervention, the possibilities of Banks erasing the data and claiming innocent procedures in support are very high.
In any case of Customer Vs Bank, therefore, it would be difficult to expect the Bank to produce documents that may help the customer, with due certification from the bank, as self-incriminating evidence.
In fact the working group failed to discuss Section 67C provisions of ITA 2008 on data retention and develop guidelines for data retention in Banks to enable e-discovery in respect of disputes.
This was a failure on the part of the working group.
The recommendation suggested to be made to the Central Government to appoint more agencies under Section 79A is irrelevant and has no value to the issue on hand.
Use of 2F Authentication
The working group has made a very ridiculous recommendation stating,
“..it is recommended that Rules may be framed by the Central Government under Section 5 of the Act, to the effect that, with respect to internet or e- banking transactions, 2F method or any other technique of authentication provided by banks and used by the customers shall be valid and binding with respect to such transactions, though ‘digital signature’ or ‘electronic signature’ is not affixed.”
This is an irresponsible recommendation to be made by a high power committee since this is a suggestion which is legally untenable.
The intention of the members of the group placing this suggestion is clear that “any other technique of authentication provided by banks” shall be valid. It appears that the Group thinks that it can make each Bank a law maker for itself.
For the understanding of the members, I would like to state that only those techniques which satisfy the requirements of Section 3A, approved by the CCA and introduced by a licensed CA can be accepted as an “Electronic Signature”. It is ridiculous to suggest that anything can be declared as a substitute for the legal method of authentication even if it is ultra-vires the ITA 2008.
RBI does not have powers to make such a suggestion, and if the implementation authorities do not see through this fraudulent suggestion, they will be paying a price through legal opposition in the coming days.
The suggestion should be summarily rejected and the members responsible for such suggestion to be approved should be censured and black listed from future working groups of RBI.
Exemption of Liability
Amidst the discussions on the 2F method of authentication, the group has slipped in two lines of great significance which are being pushed as if they were an under-the-table suggestion.
The last two lines of the paragraph on “Proposals” on page number 261 state
“Finally, it is submitted that provisions similar to the provisions dealing with ‘unauthorised electronic fund transfers’, consumers liability for unauthorised transfers etc., in the Electronic Fund Transfer Act, USA, (as pointed out later in the report), would be useful in India. “
The intention of the working group when seen in totality and in particular the recommendation number 18 of Chapter IX is to use the EFTA as an example to exempt the Bank from liability arising out of “Unauthorized Transactions”.
However, it must be noted that the EFTA is set in a different context and in an environment where there are various other laws to protect Bank consumers, and it is not necessarily a representative legislation that can be imported selectively to India. The laws on digital signatures are different in the US, and the liabilities for Privacy invasion are covered by other legislations. There are court decisions in the US where simple e-mails without digital signatures have been held as binding on the organization, and the opening of a Facebook account in an impersonated name has been treated as “Hacking” under the Computer Abuse Act. Hence the EFTA provision cannot be imported out of context.
It may be noted that EFTA actually makes the financial institutions liable for failure of electronic transactions put through by the Consumers and limits the Consumer liability to US $50/-. EFTA does not protect the financial institution for having effected a transaction which was not properly authorized.
Financial institutions are exempted from liability only on a failure to make an EFT in cases such as when the Consumer’s account has insufficient funds, an act of God, a technical malfunction known to the consumer at the time he attempted the transaction and not otherwise.
Passing of any unauthorized transaction is considered as “Forgery”, and the laws of forgery apply to all “Unauthorized Transactions”. In the case of “Forgery” there is settled law in India regarding whether the customer is liable for payment of forged cheques from his account and what the consequences of negligence etc. are.
Hence the suggestion of the GGWG to refer to EFTA is irrelevant and needs to be ignored.
The working group has discussed the Data Protection obligations on Banks Vis-a-Vis Section 43A liabilities.
We have already discussed this in an earlier note highlighting that a mere contract between unequal bargaining powers represented by the Bank on the one hand and the customer on the other hand would be insufficient.
While one can await further privacy-related legislation from the Government in lieu of the Personal Data Protection Bill 2006, which lapsed, or the issue of guidelines under Sec 43A for “Reasonable Security Practices”, Banks cannot ignore the global principles of data protection by overriding them with a contractual agreement.
Any attempt to ignore the global principles may be held as “Lack of Due Diligence”.
Naavi of Naavi.org