Security

Security in a digital world!

Security in a digital world has become paramount as our personal, financial, and professional lives increasingly shift online. The rapid proliferation of digital technologies, while offering immense convenience and connectivity, also brings forth a plethora of challenges in safeguarding sensitive data and maintaining privacy. Cyberattacks, identity thefts, and data breaches are becoming more sophisticated, emphasizing the need for robust cybersecurity measures. Individuals, corporations, and governments alike are recognizing the imperative of bolstering their digital defenses, ensuring that as we embrace the conveniences of the digital age, we’re not compromising our security and integrity. In essence, as we navigate this digital era, being cyber-aware and proactive in our security measures is not just an option, but a necessity.

Bashing passwords as vulnerable means of online security is quite common these days. Sure — authentication means like biometrics, OTP, mobile, etc., do sound fancy and are touted as cornerstones in future security practices. But fundamentally there is nothing wrong with a password paradigm. In fact, it’s the weakness of individual passwords that leads to a security risk.

In this article, we are going to give you a background to passwords, their philosophical underpinning, and also evaluate the other possible options we have.

Passwords have a long history. They are used to access private accounts, applications, documents, databases, websites and more since long. Even the treasure den in the fabled tale of Ali Baba and the Forty Thieves had a password! The other way to access such secrets was through some body tattoo or possession of a unique seal.

Interestingly, these three ancient methods of verification still do represent the fundamental principles of modern authentication practices:

  1. What you know — Passwords/PIN
  2. What you have — Seal/OTP/Credit Card/Tokens
  3. Who you are — Biometrics/Body tattoos

The combination of these three factors (3FA) is seen to represent an authentication framework for accessing information or doing risky transactions. Take an example of a Credit Card swipe. The card represents “what you have” and the pin represents “what you know”. Combining the two provides greater security than any one method alone. When any two of these are used, it’s called two-factor authentication. More factors imply higher security.

What is often not discussed is which factors are safer in which contexts. Given we are moving into rapid digitization it might be important to discuss the three factors, their types and when should they be used.

Let us trace this movement from password based to other factors and see what maybe a good framework to keep consumers and systems safe.

How passwords work?

Passwords are stored in a system as hashes.

A hash is a one-way pseudo-random function, which means that it can produce a random text from a password.

But the random text can’t reproduce the original password.

Let’s take an example of SHA-2 Hash algorithm.When we feed it a password, say “ankit8388”, it produces a random text like “96c32e63d785c77d8de8089523a346210d2299a25c349c518dc8bf0181ff911b”. This hash is now stored in the database and with it the website can authenticate me without ever storing my original password.

(Even when the database is hacked, my password doesn’t get leaked because the original data is never saved in a database.)

How hackers hack passwords?

To hack passwords, hackers create pre-created hash tables for all possible password combinations.

For the “ankit8388” password, a hash table of small letters and numbers of length 9 would be able to find a match.

This means the hacker will need to process all the possible permutations and combinations of small letters (26) and numbers (10) for 9 places. In mathematical terms this would be (10+26)⁹ combinations. This is a highly intensive task and a single computer might still take 50 years to do this.

But hackers work together and pool resources, which means 50 hackers with their computers can create such a table in less than a year.

Further, it’s possible that they will find a match at a half-way stage or within 6 months.

The point is this:

A password becomes unsafe when it’s too short and simple to guess or crack.

Alternatively, if a user sets a complex, multi-character long password, there’s a risk the user will keep it noted somewhere (and this note might reach unsafe hands and cause a vulnerability).

So passwords (either too simple or too complex) can be unsafe in their own ways. That said, the other authentication means available, too, aren’t foolproof. Lets get a bit more understanding on other authentication methods.

Why biometrics and OTPs can’t be the foolproof solutions for the Digital Security?

The two emerging contenders for future digital authentication are biometrics and OTPs.

Biometrics, along with a password, would indeed enhance security by providing a two-factor authentication. But when used alone, it’s not the best bet for the future because it comes with three big problems:

  1. Unlike passwords, biometric data cannot be stored as a hash. This means that the web application will need to store your biometric data as is. This is a very risky proposition as, in case of a hack, your actual biometric data (or its mathematical representation, in some cases) is revealed. In one of the biggest data breaches in the US, 5.6 million fingerprints of government employees got hacked from the the U.S. POM (Office of Personnel and Management), which gave the hackers access to raw biometric data.
  2. In case biometric data is ever compromised, there is no resetting like a password. This means, you would forever be prevented from using your biometric authentication during your lifetime.
  3. Biometric systems are extremely susceptible to spoofing. In spoofing, a stolen digital template of a biometric trait could be inserted into the authentication process to authenticate the wrong user. In 2013, Jan Krissler, a famous German hacker spoofed Apple’s Touch ID (iPhone 5S) on the other day of it’s release. He used the smudge on the screen of an iPhone to print a dummy finger using wood glue and sprayable graphene. He then used this print to successfully unlock a phone registered to someone else’s thumb. The same hacker then used high-resolution photos of Ursula von der Leyen, Germany’s Minister of Defence, to beat fingerprint authentication technology.

OTP, as an alternate authentication means, has its own set of risks:

An OTP is a one time password consisting of characters, numbers or symbols that’s used to authenticate a user for a single login session. And it becomes invalid after a few seconds.

Take an example of a credit card swipe as I’ve explained earlier. (The card represents “what you have” and the pin represents “what you know”). When you swipe the card you get a code ( an OTP) and you aren’t authenticated until you enter the code and are verified.

So, here two authentication methods are being used for authentication (two factor authentication) which ensures more security. But still they can’t be considered as the best security solution.

  1. The biggest challenge to the OTP authentication factor comes from trojan software.

Hackers show their victims a browser pop-up box or ad that looks like an authentic message from the bank and prompts the user to download a “security application” or a “mobile banking application” on their phones.

Once a user downloads such fake applications, hackers can easily intercept their SMSes. Which allows the hackers to read the OTPs sent on the mobiles.

Security expert, Brian Krebs, tells how an Android botnet targeting banks in the Middle East could infect more than 2,700 phones and intercept at least 28,000 text messages:

This attack affected customers from various banks including the ones from the Riyad Bank, SAAB, AlAhliOnline (National Commercial Bank), Al Rajhi Bank, and Arab National Bank.

 

2. SIM swap/cloning: By procuring a duplicate SIM card in a user’s name, hackers can use it to receive communication from the banks (including the OTPs).

3. Social engineering: Hackers also call users claiming to be from the bank. And during the call, they ask for the OTP. Unsuspecting users are usually easy victims to such attacks.

4. SS7 Attacks: Using flaws in Signaling System 7 (SS7) hackers can listen to private phone calls and read text messages of the users. According to a report from German-language newspapers Süddeutsche Zeitung, in a cyber attack in Germany hackers intercepted OTP’s using SS7 flaws and stole customer’s money from their accounts.

As you just saw, all the three authentication factors — passwords, biometrics, and OTPs — have their set of risks. However, passwords stand out because users can exponentially strengthen their passwords (while also keeping them easy to remember). So let’s re-examine passwords and see how we can improve them, and then explore the Password 2.0 approach.

How passwords can be made more secure?

As we discussed earlier hackers have been able to pool resources and pre-create hash tables hence making guessing of simple passwords really easy. Then what could be the way to make their life hard? Increase the combinations, of course. And the usual way of doing it has been to increase possible inputs:

  • Alphabet (Small letters and caps) — 52
  • Numbers — 10
  • Special characters — 33

So this gives a total combination of 95 characters. Cracking this is so hard that it would take the same hacker group over 6000 years to hack password in the same way. And at that point, I obviously don’t care (unless AI leads to afterlife; another topic for another blog :))

Therefore, from a security guy’s point of view, all these rules of having multiple combinations is really helpful because it keeps you safe. But at the time of signing up or using a service, this becomes a huge pain and a turn off. Also, it’s an eventual security risk as people keep forgetting such tough passwords and hence often note it down in insecure places, such as desktop files or random pieces of paper.

Introducing Password 2.0 — the Paraphrasing Approach (the security and user-friendly password solution)

Now, there is another way to do this, which seemed to have been neglected until now: the length of the password. I could have achieved a similar tough password by simply having 4 more characters, i.e., a 13-letter-long password, without any restriction on small letters, caps, numbers, special characters, etc.

This new paradigm is what I call Password 2.0: the passphrase approach. It’s easy to remember a passphrase, such as “thisisacoolpassphraseforthiswebsite”. Such passphrases can provide a better user experience at the time of signing up and also during authentication.

Also, at its length (35 characters), hash tables will be almost impossible to compute. Thus we can build passwords that are convenient yet secure.

Why passwords are crucial for Security?

One principle that has to be accepted in a security paradigm is — you will get hacked. This principle is important to remember when choosing one or a combination of the three authentication factors (passwords, biometric or an OTP).

The property of biometrics in this context is really risky. As biometrics can never be changed, once hacked they become vulnerable for that person for their lifetime. So in a biometric auth world, over time more and more people would get vulnerable. Thus you would inevitably reach a stage where, for a certain population, biometric will not be a valid authentication mechanism.

Mobile phones, or number can also not be changed very frequently or easily and hence make changing of the auth factor difficult.

Unlike biometrics and mobile numbers (or handsets), passwords can be changed if they get hacked. That too quite easily. Hence they have no permanent vulnerability. Another great property they have is the ability to protect the actual password at each authentication. This paradigm is akin to knowing a secret that you will never reveal but are able to prove you know it.

So while biometric and OTP authentication breaches leave their users vulnerable (for life), passwords breaches always give the users a way to “reset”. Because of their simplicity and cryptographic beauty, passwords will continue to dominate as the higher security layer. And when you add an additional layer of authentication to a password (like biometric or an OTP), you can probably design a more secure system. (In a further article we will go through the best combination given a business use-case)

The password 2.0 approach — of creating complex but easy-to-remember “secret-style” passwords — can be a useful tool in such a scenario where the password is a mainstay in the security authentication mix. So, start thinking of a secure passphrase because in a modern digital world, “a strong secret” will be worth more than any other assets you own.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Supreme Court Judgement & Re-birth of Privacy

Supreme Court Judgement & Re-birth of Privacy

In a recent judgement, a nine-judge Supreme Court Bench unanimously ruled that individual privacy is a fundamental right. The court noted that the “Right to Privacy is an integral part of Right to Life and Personal Liberty guaranteed in Article 21 of the Constitution.” The right to privacy verdict, although primarily passed on a petition filed about the Aadhar Card scheme, will impact every company that collects and handles user data.

In its 547-page judgment, the Supreme Court touched upon the different aspects of informational privacy — and explained how collecting data could threaten an individual’s privacy.

This Supreme Court ruling is a check: For both the government (against which the case was mainly fought) as well as the non-state actors or private companies because it doesn’t just oppose any privacy invasive practices employed by the government but also applies to private companies that collect user data.

In this article we will give a short description of court’s view on what is private and their concerns in a digital world. Then we will look at the new rulings impact on the financial sector with a 7-point framework. We will be looking at areas like cross-selling, credit history, SMS scraping, Aadhar KYC, Payments, Banking Agents, Social behavioral data among others. Now lets start with the basics.

Defining what is “personal and confidential”

The information must be “personal and confidential” to be protected by right to privacy. One of the points raised by the opposing counsel during the trial was that privacy was vague and ill-defined. The judges patiently tried defining what is “private” data, to carve out the scope of law.

For example, the Court pointed out that data about electricity consumption pattern of a person is NOT personal or confidential, and couldn’t be protected as “private information”. That said, the Court also cited a UK judgement that stated the storing of the biometric data indefinitely of individuals no longer suspect of criminal activities would be an invasion of privacy. Clearly, a person’s biometric data is both “personal and confidential”.

The Supreme Court used an infographic (from Bert-Jaap Koops et al., “A Typology of Privacy”) in its judgement to depict the nature of data and its classification. This is extremely rare and hence also shows how judges understood the importance of the judgement and that it would be read by people who might need simpler language and symbols to understand the implications:

 

Supreme Court Judgement & Re-birth of Privacy

Privacy in the Digital World

While the court had a broader mandate and covered privacy from all aspects,they did cover digital privacy in detail. At some level they felt the real challenge to privacy is coming from this rapid transformation of processes from offline to digital. They also gave an intriguing example of a travel agent, which illustrates this point well:

“The old-fashioned travel agent has been rendered redundant by web portals which provide everything from restaurants to rest houses, airline tickets to art galleries, museum tickets to music shows. These are but a few of the reasons people access the internet each day of their lives. Yet every transaction of an individual user and every site that she visits, leaves electronic tracks generally without her knowledge. These electronic tracks contain powerful means of information which provide knowledge of the sort of person that the user is and her interests. Individually, these information silos may seem inconsequential. In aggregation, they disclose the nature of the personality: food habits, language, health, hobbies, sexual preferences, friendships, ways of dress and political affiliation. In aggregation, information provides a picture of the being: of things which matter and those that don’t, of things to be disclosed and those best hidden.”

Expressing privacy concerns about how tracking happens in the digital world, the Court hinted at the possibility of scrutinizing activities carried on by companies like reading/analyzing/tracking emails, messages, other social behaviour.

Further the court stressed upon properties of the digital world that make it difficult to detect privacy invasion and hence heighten privacy concerns:

  • Non-rivalrous — simultaneous use by multiple users
  • Invisible — invasions of data privacy are difficult to detect — and it travels at speed of light making it further difficult to trace any breach of privacy. Data can be accessed, stored and transmitted without notice
  • Recombinant — data collected can be used, analysed and combined to create more data output which is unseen earlier

Expanding on these principles the order stated that owing to the nature of digital data, it becomes possible to combine data from social profiles and IoT devices to create information about the individual which did not exist. Secondly, while collecting the behaviour of one person it could also be possible to gather information about other individuals around him. The Court noted that these concerns are from both State and Private entities as both use Big Data to analyse data about individuals which is a concern to privacy.

Easily one of the most tech-savvy orders ever, this Supreme Court judgement took into account various technical intricacies of the digital world and cited specific instances:

  • Cookies used for tagging IP
  • Browsing information to create profiles using algorithms
  • Automated content analysis of emails for targeted marketing
  • Online purchases like books, airlines, book taxi etc. and their history for user behaviour and doing income analysis
  • Metadata and IoT — used to collect information about a person’s behaviour

It is refreshing to see such technical detail quoted in the judgement.

The court also gave details on what can be the future of digital privacy and principles of the new law. We have tried to summarize it below in a simple framework. But for any legal geeks out there we have also created another article which details out laws examined by the court and their approach in reaching to this conclusion.

A 7-point framework to guide companies’ data policies (based on the privacy case judgement)

We’ve analyzed the judgement in extensive detail and have come up with a simple 7-point framework that shows the key points that organizations need to think about when framing their data policies :

Personal vs Private: Every data that is personal is not necessarily private. A user’s name, for example. Because a person’s name is used in public communication, name can be considered to be non-private personal information. Also any information that is anonymized is neither personal or private and exempt from purview of the law.

Explicit Consent in plain words: User’s consent has to be taken explicitly and cannot be hidden inside lengthy terms of service or agreements.

Consent alone is insufficient: Court has also opined that in certain situations, even a consent based mechanism may not be able to protect the customer and hence encroachment of privacy shouldn’t be a preferred option.

Necessity: This is a simple principle which asks the question if collecting it is really necessary to invade privacy to achieve the outcome.

Proportionate benefit or risk: Whenever it is necessary it should be weighed against proportionate benefits and risks. Privacy should not be encroached unless there is some proportionate good possible or some bad that is preventable.

Right to Forget: Eventually the user should have the right to revoke access to his/her data

Access and Correction: The ownership of data is with the individual whose private data is collected. Therefore he has a right to access and correct the data or delete as given above.

Note: We hope this will help businesses make sound and compliant judgement around their data, but do take professional help to make sure you are fully compliant.

Few instances of impact in the financial world

The right to privacy might initiate changes in current processes and hence some of the current and emerging areas may need a relook:

Credit History under Credit Information Act

  • Collection of credit data: Collection of credit data by the creditor is completely ok as it is consent-driven private data between the two parties.
  • Exchange of credit data: Banks report credit data to licensed agencies. These agencies then exchange this data with other banks as requested by the bank. This might require clear exceptions made in the privacy act or a re-look into how credit reports are requested, what kind of information can be shared and what is to be hidden.
  • Access and control over credit history: Currently consumers cannot easily request credit history to be forgotten or edited. Going further there would need to be an option to have greater control and access of one’s own credit history.

Pulling data of a customer from KRA by Mutual Fund and AMCs

  • Collection of data: Currently the agency that collects the data and the one that stores the data are different. Clear consent and declarations hence maybe needed.
  • Current practice of data pull from PAN, without an appropriate consent layer may also need a relook.

Account Details

  • Login based scraping: Account username and password definitely fall into the domain of private data. And the reason in many cases is convenience, as it might be more difficult for the user to submit a copy of bank statement himself. Thus this encroachment may not meet the principle of necessity or proportionate benefit.
  • Account Aggregator: The new RBI guidelines provide for a consent layer and a lot of regulation around security of such data. The data does not remain with the aggregator post-completion of the purpose and therefore the guidelines seemed to have given protection to privacy and may not be greatly affected by the judgment.

Mobile data collection during application download

Following are few of affected the categories and let’s go through them one by one:

  • Malware or Security risk: The data collected to assess malware risk may not fall within privacy parameter. Specially if it can be anonymized enough to be unlinked to the individual himself. But current assessment tools and processes might need to ensure they follow this principle.
  • SMS reading: This is being seen as a new innovative way to provide credit assessment. But within the new privacy regime, this maybe really tricky. Let us explain: SMS reading is a clear invasion into privacy and hence would require explicit consent. But where it gets really tricky is that SMS is usually a private conversation between two parties and hence you would need consent of both the parties to read SMS. It will be interesting to see how the innovation can be enabled without being unlawful.
  • Reading personal contacts to use later for collection: Like SMS reading this may also need consent of two parties and hence should be seen in the same light. (Signzy would be coming up with another article on multi-party conversations including email, sms, call etc. We will examine in detail the implications under a privacy law.)

Aadhar based KYC regime

  • There are two KYC possibilities in Aadhar A) Demo Auth B) eKYC — biometric or OTP. As the Aadhar regime has a robust consent architecture in place it should hold good even in the present regime. The only concern raised by the court was on biometrics being private. Hence the nature of benefit should be proportionate as consent alone, as noted by the court may not be enough protection. Hence biometric based KYC for account opening, new SIM or other risky scenario might be acceptable. Biometric based KYC for non-risky scenarios such as event registration might need a relook.
  • The other more grave change maybe the need for an alternate option. While the financial regulators in line with government view had been pushing a biometric KYC, the current law would require the financial system to provide alternatives. This is especially true for cases where there maybe no real risk or proportionate benefit of forcing biometric KYC.

Users financial transaction history

  • Cross-sell: Financial data mining for targeting for another product might definitely fall under invasion of privacy. The judges have clearly defined “financial information” as private. And such targeting in no ways provides “proportionate” benefit. Hence banks will need to take explicit consent in the original account opening form, even then it’s best that such analysis and targeting is totally automated. Closer on the lines of Google’s approach where a Google employee at no point has access to your records even though you are targeted based on your personal data. This will make sure that there is no leakage or profiling and hence the principles are being adhered to. But there would need to be clear regulation to define such actions by the bank.
  • AML/CFT risk assessment: This is one use case where the risk may justify privacy invasion. But we need to weigh it against the principle of necessity. Again as it stands out it might not be necessary to invade privacy. The court has enunciated how “anonymity” does provide privacy, and hence analysis of data that has been “anonymized” will not be a breach of privacy. Only when suspect transactions are found, should the bank de-anonymize the data an identify the actual account holder. (We understand this might need much more detailed explanation, rest assured we will be writing a longer post on the impact on AML/CFT processes)
  • Credit Risk monitoring: Unless the risk is large it might be very difficult to justify reading of transactions. The Financial Institution will have to provide the borrower a mechanism to provide consent each time such an assessment is made. This might defeat the whole purpose as someone with a risk may actually deny consent every-time. Thus it would be interesting to see how this part of the system pans out and what regulations are framed to balance risk and privacy concerns.

Banking Agents

  • Collection of data: Even current regulations require Banks to ensure that agents are registered and a clear trail can be established which ensure zero data leakage. This might now fall under a clear law or regulation, further not only Banks but all financial institutions (FIs) might need to have stricter regulations for agent models.
  • Storage of data: The storage of data will strictly require physical or digital records to be destroyed by the agents post transaction. Unless there is explicit consent by the consumer for such storage.
  • Sharing of data with other parties: Many a times agents do end up sharing data with parties who at the time of consent were not in the picture. As an example if the intended Bank doesn’t give a loan, data might be shared with other parties as well. Now one will need to take clear consent to ensure that this sharing is agreed by the user.

Payments

  • Aadhar Pay: Biometric has been considered by the court as a core private space. And it has also opined that at times consent may not be enough as the users may not understand the risks. In this light, Aadhar Pay might not have “proportionate” good. As while KYC carries risk to financial system and hence proportionate good, mere payments might not be an ideal scenario to invade individual privacy.
  • Cards based payments: Current cards eco-system relies on a “card” and PIN and no specific private data, at least from our point of view it doesn’t encroach privacy during payments. Fraud rules are also generally based on aggregated behavior and hence might also not carry any risk of privacy encroachment.
  • Mobile wallets: Since it is based on a standalone wallet that I recharge it has no personal data about me other than my basic KYC, phone number, email and my transaction details. Therefore no private information is shared with wallets. But wallets would not be able to leverage on my digital footprint for credit assessment without clear consent.

Social behavioral data

  • Social media: Google and Facebook have recently shown interest in using customer data gathered over a period of time as credit decision tools. This data has clearly been stated to be private. Thus this too would fall under the gambit of future regulation
  • Application’s own data: Even if the data is not coming from a third party but reflects user behavior on the same platform, such as Amazon, Uber etc. It will still be considered within the domain of privacy and needs to be regulated

As social behavior data is rich and possibly being seen as an alternative to many traditional data stores it important to share another case regarding Whatsapp’s decision to share its data with Facebook (its parent company). The matter concerns the privacy of 160 million Indian Whatsapp users. Such data has expressedly been considered to be private — and Judge’s comments left no room for imagining what their views were:

Recently, it was pointed out that “‘Uber’, the world’s largest taxi company, owns no vehicles. ‘Facebook’, the world’s most popular media owner, creates no content. ‘Alibaba’, the most valuable retailer, has no inventory. And ‘Airbnb’, the world’s largest accommodation provider, owns no real estate. Something interesting is happening. […]

Uber’ knows our whereabouts and the places we frequent. ‘Facebook’ at the least, knows who we are friends with. ‘Alibaba’ knows our shopping habits. ‘Airbnb’ knows where we are travelling to.

Social networks providers, search engines, e-mail service providers, messaging applications are all further examples of non-state actors that have extensive knowledge of our movements, financial transactions, conversations — both personal and professional, health, mental state, interest, travel locations, fares and shopping habits […]

Large number of people would like to keep such search history private, but it rarely remains private, and is collected, sold and analysed for purposes such as targeted advertising[…]

Thus, there is an unprecedented need for regulation regarding the extent to which such information can be stored, processed and used by non-state actors. There is also a need for protection of such information from the State”

These are just some of the instances that maybe impacted by this judgement. We will be happy if you can share any areas we may have missed and we will add them here.

Way Forward

This is certainly a landmark judgement and in some ways can claim to be the re-birth of privacy. In a digital world it was assumed that privacy has been sacrificed at the altar of convenience. But the court has upheld an individual’s right to his privacy providing him means to protect it and hence re-introduced a principle which seemed lost in the digital world. As the next steps, it’s incumbent upon the legislature to create clear law regarding this concern. But it’s safe to assume that usage of such data would be become much more regulated than it is now.

We are hoping that this article would be useful to you and also help you make sound business decisions. We might not have been able to go into depths of few topics which need much more deliberation. Hence we would be coming up with few more articles going in depth into some of these topics. We will be happy to receive feedback and also get to know which areas would you want much more in-depth analysis.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Smart Contracts 

Smart Contracts — An Indian Perspective

Smart Contracts, within the burgeoning realm of blockchain technology, are beginning to gain traction in India’s technological and legal landscapes. These self-executing contracts, with terms of agreement directly written into code, promise a future of transparent, tamper-proof, and efficient transactions. While the global community has been quick to adopt and integrate these into various sectors, India stands at a pivotal juncture, balancing its rich legal traditions with the innovations of the digital age. As the nation grapples with the challenges and opportunities presented by smart contracts, it’s essential to understand their implications, regulatory frameworks, and potential transformative power in reshaping the Indian contractual ecosystem.

Demonetization in India has placed Blockchain-based Smart Contracts in a visible space. Blockchain technology has enabled the smooth transition from traditional to smart contracts by making them simpler and less expensive. Smart contracts are a vital step forward in automating the terms of an agreement between two parties.

For smart contracts to completely penetrate the Indian business circuit, the following aspects need to be focused upon:

  • The myth of smart contracts not being analogous to traditional contracts, needs to be addressed.
  • The legal clarification on status of Digital Currency is vital. Adequate regulation in the sphere of digital currency and smart contracts, will help in integration of digital contracts into present industrial standards. But, this transition needs the regulatory and logistical help of the RBI and Government structures.

What are Smart Contracts?

Smart contracts are computer protocols that embed the terms and conditions of a contract. The human readable terms of a contract are fed into an executable computer code that can run on a network. Many contractual clauses are made partially or fully self-executing, self-enforcing, or both.

Understanding Smart Contracts and Blockchain Technology

  • Smart contracts are self-performing and operate in combination with blockchain. This enables them to move information of value on the blockchain between parties.
  • Blockchain forms the backbone of all digital contracts and currency like the Bitcoin. It creates a transaction database that is shared by all nodes participating in a system based on the Bitcoin protocol.

Smart Contracts vs. Traditional Contracts

Contracts can be understood as agreements which are legally enforceable. The rights and obligations created by this agreement are recognized by law.

The idea of smart contracts is compatible with our understanding of traditional contract principles. Since, smart contracts also have legal backing, they fulfil the requirements of traditional contract law.

An important distinction between traditional and smart contracts is the medium on which the contract is formed. Commerce depends on individuals being able to form stable, predictable agreements with one another. Communication and physical ratification are the primary ways of creating a legal relationship. This infuses confidence of enforceability into the parties. The legal legitimacy and confidence of enforceability make traditional contracts a preferred way of forming contractual relations.

In smart contracts, the terms and conditions of contractual agreement are entered into the software code. But, this does not take away from the original character of the agreement. As long as the agreement creates a set of rights and duties or obligation, it is a valid contract.

Smart contract comprises of a new set of tools to articulate terms. The process of formation and articulation of contract is now embedded in a self-enforcing automated contract. Hence blockchain technology-based-smart contracts are a way to complement or replace, existing legal contracts.

For a wide range of potential applications, blockchain-based-smart contracts offer many benefits:

  • Speed — Smart contracts use software code. These codes automate tasks that are typically accomplished manually. Hence, they can increase the speed of a wide variety of business processes.
  • Accuracy — The probability of manual error is reduced due to automated transactions.
  • Lower cost — Smart Contracts need less human intervention, fewer intermediaries and thus reduce costs.
  • Auto-enforcement — Smart contracts are unique in their enforceability since these clauses are embedded in the applicable software itself.

Despite these benefits, there is hesitancy to participate in transactions involving smart contracts. This is because the status of digital currency is still ambiguous in India. Unlike traditional contracts, the legal position on enforcement, jurisdiction etc. is unsettled.

Yet, it can be seen that smart contract based transactions are much more popular in international parlance. Recognition for such transactions in major international commercial law statute have a profound impact.

Current Legal Scenario in India

Opponents of smart contracts in India argue that cryptocurrencies do not have the legal status as a currency in India. Hence, there is ambiguity about whether they constitute a ‘valid consideration’ as per traditional contractual principles.

  • Cryptocurrency is undefined under the FEMA, RBI Act or Coinage Act.
  • It is uncertain as to how Cryptocurrencies will be taxed and whether such tax will be a central or state subject.
  • Recently, a multi-stakeholder panel comprising of members from the RBI and the IDRBT looked into the implications of blockchain technology.[1]
  • Since all transactions take place over the internet, the dispute resolution or clause reposing jurisdiction to courts or excluding jurisdiction of courts needs to be clearly spelt out. “Smart contract itself should envisage a dispute resolution mechanism involving external arbitrators and/or courts, where the contract is frozen pending proceedings, and the award of the court is incorporated into the terms of the smart contract. With regards to evidence, a dual-integration mechanism comprising hybrid ‘code + paper’ contracts can be presented in court.”[2]

Commercial agreements comprise of clauses that protect parties from various liabilities. They are not always suitable for representation and execution through code. Hence it can be concluded that smart legal contracts will need a blend of code and natural language.

Smart contracts in the commercial realm are at a nascent stage. Hence, regulation in this regard will render adequate clarity to the functioning of smart contracts. This would ensure a smooth transition from traditional contracts to smart contracts in the near future.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

1 2 3 4