Responsible Transparent Integrity Accountable

NASSCOM and UNDP to be more forthcoming on NISG and NOT to PROTECT NISG and not to promote CORRUPTION in eGovernance in INDIA

How can NASSCOM do this, When NASSCOM is supporting NONACCOUNTABILITY in eGovernance in INDIA being a partner with NISG ?

Posted by nasscomundp on July 15, 2006

 

Nasscom to make India ‘Fort Knox’ of IT sector

[How can this be done by NASSCOM when NASSCOM is MAJORITY partner in NISG?]

http://www.mumbaimirror.com/nmirror/mmpaper.asp?sectid=13&articleid=71420062247148437142006224520437

Aims to get 70 pc workforce listed in a centralised database; in touch with engg colleges for the same

Sanjiv Kumar

New Delhi: The National Association of Software and Service Companies (Nasscom) is bullish on its National Skills Registry (NSR) initiative and is targeting 25 IT majors for this drive in the next two months. The aim is to improve recruitment in the IT-ITeS sector which is suffering from ever-increasing incidents of frauds and fake CVs.

Since its launch in January, about 18 IT firms – including Mphasis, TCS, Genpact, NIIT, Cognizant and ICICI OneSource – have already come forward to join the NSR. “The target for the next two-three months is to get all the top 25 companies, which account for 70 per cent of the workforce within the IT-ITeS sector, to enrol for the NSR,” Nasscom President Kiran Karnik told Mumbai Mirror.

What is the NSR?

The NSR is an initiative undertaken by the apex industry body to create, operate and maintain a national database of employees working in the IT-BPO industry in India.

It contains third-party verified personnel, their qualifications and basic career information of IT professionals.

According to Karnik, the inclusion of big IT-BPO players in the NSR, which is an employee-friendly measure to minimise any misuse of employee identity, will inspire small firms to join the novel league.

“We aim to make India the Fort Knox of security, positioning ourselves as the ‘gold’ standard for security as we already are in quality,” he added.

It won’t be easy!

In an industry that employs over 4,00,000 persons and sees a churn of nearly 4,000 agents every week, maintaining and updating a database like the NSR is an uphill task, according to some industry experts.

Admitting that the NSR will take some more time to be operational, Karnik still felt that the NSR was the need of the hour to ensure smooth development of the domestic IT industry which could be threatened by the slightest problem with physical security and governance.

After all, these issues, if not properly handled, could derail growth and hopes of the IT industry. According to a joint Nasscom-McKinsey study, the IT-BPO exports are expected to reach $60 billion in 2010, from just over $17 billion last year.

Engineering students welcome too

Besides IT and BPO firms, Nasscom is also in touch with engineering graduates to sign up for the NSR. “Letters have already been sent by Nasscom to heads of institutions like IITs, NITs and several private engineering colleges with NSR details and an outline of the advantages it offers,” Karnik stated. Nasscom has also urged these institutions to share the information among the Final Year students.

The association plans to hold roadshows in major cities on the issue. Such shows have already been held in metros.


UNDP and NASSCOM are cause of INCREASE in CORRUPTION in eGovernance in INDIA. Because of their direct support of NISG and its activities in promoting CORRUPTION in all the eGovernance activities that NISG was involved in since the formation of NISG. Jt. Secretary of eGovernance Mr. R. Chandrashekar should be held DIRECTLY RESPONSIBLE for formation of NISG.

Posted by nasscomundp on July 6, 2006

UNDP has not audited NISG for the FUNDS it invested in NISG.

NASSCOM has not responded to any of the correspondences.

Mr. R. Chandrashekar has not given proper answers to formation of NISG.

Mr. J. Sathyanarayana, CEO of NISG has not responded to any of the letters.

Mr. R. Chandrashekar and Mr. J. Sathyanarayana have gone to the extent of providing CONFIDENTIAL INFORMATION to another IAS Officer who works in WORLD BANK to RESPOND to an article in DATAQUEST and CIOL.

UNDP has not responded to the queries of Citizens of INDIA.

UNDP in INDIA has not responded either with their answers to the letters.

How can NASSCOM be a partner in NISG ? being an ASSOCIATION in INDIA ?


eProcurement Case Background: Andhra Pradesh State has not made efforts to solve the problems WHY ? Close working relationships of NISG with C 1 INDIA. Mr. J. Sathyanarayana has hand picked C 1 INDIA for the eProcurement in Andhra Pradesh by getting TENDERS in favour of C 1 INDIA.

Posted by nasscomundp on July 6, 2006

Case Background

1. October 2000

Information Technology Act 2000 was passed. Use of 128 Bit SSL & Digital Certificate made mandatory for e-commerce activities. As per IT ACT 2000, for any electronic document to be legally valid, it should be digitally signed by a Digital Certificate issued by any Licensed Certifying Agency (CA) approved by the Controller of Certifying Agency (CCA).

2. September 2001

Government of Andhra Pradesh (GoAP) Core implementation committee was formed to implement eProcurement, and PWC (PricewaterhouseCoopers) was appointed as consultant. They were paid Rs. 1.75 Cr for 5 projects, approx Rs. 35 Lakh/Project as consultancy fee. Ref. pwc hired as consultant.pdf.

3. Feb 2002

CCA granted license to Safescrypt on 5th February, 2002, India’s first CA. SAFESCRYPT Ltd, a Satyam Infoway company affiliated with VeriSign Inc, issued the country’s first digital signature certificate to the Minister for Communications and IT & Parliamentary Affairs, Mr Pramod Mahajan, at an official ceremony here on Wednesday.

SafeScrypt is the first Indian company to get a certifying authority licence for digital signature from the Controller of Certifying Authorities (CCA). The company received this licence earlier this week.

4. In Feb 2002,

Department of Public Relation, Madhya Pradesh floated a tender for eTendering, eProcurement which categorically specified that IT ACT 2000 needs to be complied with and Digital Certificate/SSL/PKI should be used to ensure secrecy of price bid. No MNC consultant appointed to draft tender document. 5 companies participated in the same, including Applitech Tendercity.com I Pvt. Ltd (Tendercity), NexTenders, ITI/Antares, CNet, etc.

5. May 2002

Sometime in May 2002, GoAP floated a Tender for eProcurement software, more specifically eTendering and Reverse Auction engine by Govt. of AP. No mention of PKI/SSL/Digital Certificate – what was Rs. 35 Lakh paid to PWC for, then?

6. Mid 2002

Out of many bidders who had submitted the tender, a consortium comprising of C1 India Pvt. Ltd., Microsoft & Antares System Ltd & Compaq had submitted the bid. Other bidders included companies like Wipro and consortium of Broadvision and TCS. Consortium headed by C1 India Pvt. Ltd (C1) won the tender. GoAP approves rate of Rs. 4500/Tender (GoAP pays) & 0.24% of the Tender Value (winning bidder pays to C1 India directly).

7. In June 2002,

GoAP enters into a secret agreement with C1 India to do a pilot project and not the consortium which had won the contract? WHY?

8. On 29th Jan 2003,

www.eprocurement.gov.in launched without compliance to IT ACT 2000, Digital Certificate, PKI. GoAP gives lame excuse that since Digital Certificates are not available, hence the same was not integrated, in spite of the fact that first Digital Certificate was issued to Shri. Pramod Mahajan as early as Feb 2002.

What started as a Pilot Project for nine months gets extended for another 9 months unilaterally, in spite of the fact that system did not comply to IT ACT 2000.

9. Jan 2003

C1 India gets a 128 bit SSL Certificate from Verisign for www.eprocurement.gov.in domain? WHY?

1.) .gov.in domain belongs to only government organizations, how come the same was issued to a private company.

2.) 128 Bit SSL was procured from a US Company, whereas IT Act mandates that it should be procured only from licensed CA. Why was the same not procured from TCS, Safescrypt.

3.) TCS, Safescrypt would have never issued a 128 Bit SSL certificate to C1 India Pvt. Ltd, as .gov.in domain belongs to only Govt. departments. A US company issued the same without any verification, because they were interested in dollars.

10. March 2003

PWD, Chhattisgarh floats a tender for eTendering with Department of Public Relations, Madhya Pradesh specifications.

Tendercity, C1 India, Wipro, Antares/ITI, NexTender & other 3 companies participated in the tender. Tender gets awarded to NexTender, a Mumbai based company, in spite of Tendercity being the lowest bidder.

11. April 2003

C1 quotes to PWD, Chhattisgarh Rs. 1000/Tender as fixed service charge irrespective of Tender Value & no fee to be paid by PWD, Chhattisgarh?

Tendercity shares the same information with GoAP. GoAP calls for a steering committee and yet no action is taken to revise fee being paid to C1 India, i.e. Rs. 4500/Tender (GoAP pays) & 0.24% of Tender Value (winning bidder pays).

12. July 2003

In the first lawsuit under Indian cyber law, Antares Systems Ltd, the Bangalore-based IT firm, has filed a case against an e-governance project in the Delhi High Court for alleged infringement of intellectual property rights (IPRs) and unfair competition. The case has been filed against C1 India Pvt Ltd, a subsidiary of Nasdaq-listed CommerceOne. The Government of Andhra Pradesh and Principal Secretary, Department of IT and Communications, AP have been arraigned as parties.

Antares has urged the Delhi HC that C1 India and the AP Government be restrained from infringing its copyright in its e-tendering software product Tenderwizard and from relying upon, in any manner whatsoever, the features of Tenderwizard, said the company’s Senior Vice-President, Mr R. Kamath.

13. July 2003

India’s First Digitally Signed eTender was enabled by Tendercity for Madhya Pradesh Poorva Kshetra Vidyut Vitran Company Ltd, Madhya Pradesh Electricity Board, MP (MPPKVVCL, MPSEB, MP). 10 Digital Certificates (TCS) were issued to contractors across India.

14. December, 2003

Northern Railway floats a Tender for eTendering. C1 India, Wipro/NexTender, Antares, HCL, Tendercity participated in the tender. Tender awarded to HCL/Broadvision Consortium. Rate approved less than Rs. 1500/Tender. GoAP takes no action and does not revise the service fee it pays to C1 India.

15. Feb 2004

Tendercity writes letter to IT Secretary, GoAP, and Principal Secretary GoAP and brings to their notice that PKI compliance is not there on eprocurement.gov.in and that the eTendering services are available at very competitive rates in open market. No action taken by the GoAP officers.

16. Mid 2004

On PWC recommendations, JV option was dropped (JV between eTendering service provider and Government of AP) and eProcurement services continued to be used in ASP model.

Why did PWD suggest not to go ahead with JV option? Probably because in case of JV Government of AP would have made a lot of money? Total fee reimbursed by GoAP & various bidders to C1 India in last 3 years is to the tune of Crores of Rupees.

If GoAP had procured the software, it would have cost Rs. 0, because that is what C1/PWC quoted to NIC in December 2004 for eTendering Software.

17. July 2004

GoAP steering committee meets in October, 2004. Price bid revised as follows w.e.f. 1st April 2004:

- GoAP pays nothing – i.e. Rs. 4,500/Tender waived off

- For Tender<50 Cr – each participating bidder pays 0.04% of Tender value or Rs.10,000/Tender as processing fee, whichever is higher.

- For Tender>50 Cr – each participating bidder pays 0.04% of Tender value or Rs.25,000/Tender as processing fee, whichever is higher.

- Still the same is very very high compared to open market rates. GoAP continues with C1 India, even though the contract is an illegal contract.

- GoAP accepts non compliance of IT ACT 2002 and yet gives C1 India 6 month period to make their product PKI enabled, by March 2005. Why was the project not scrapped then and there itself, till the PKI compliance was complete?

18. December 2004

PWC partners with C1 India for NIC tender for eTendering.

Having played an instrumental role in causing great exchequer loss of GoAP, by recommending ASP Mode, C1 India rewards PWC with partnership for NIC Tender. C1 ditched PWC (presumably) by quoting Rs. 0 as software price to NIC.

19. 1st April 2005

Digital certificates made mandatory from April 2005. Digital certificates are used only for authentication purpose at time of login. Only price bids are digitally signed, leaving room for service provider to tamper with technical bids, documents uploaded, etc.

20. Mid 2005

Tendercity alleges eProcurement scam in one of the replies it filed in Delhi High Court. The same document is shared with various AP departments, but no action is taken.

21. 24th November 2005,

Tendercity demonstrates to IT Secretary Shri Narsing Rao the loopholes and security defects in www.eprocurement.gov.in in person in his chamber. IT Secretary assures that proper action will be taken against the culprits.

Tendercity gets an invitation from HUDA for demonstration of security loopholes in the system but the same is postponed by CE after a brief 5 minute meeting. Reason for postponement not specified. Subsequent meeting does not take place.

22. 3rd December, 2005

Tendercity demonstrates to Principal Secretary & MD APTS the security loopholes in www.eprocurement.gov.in and ideal security features that should be enabled. Principal Secretary IT&C promises to take the appropriate action.

23. 5th December, 2005

GoAP accepts vide their email dated 5th December, 2005 that

1.) www.eprocurement.gov.in is property of GoAP

2.) GoAP sees no harm if a 128 Bit SSL Certificate has been procured from USA instead of from a licensed CA as per CCA norms, and that too by C1 India. In layman terms it means a private company owns www.eprocurement.gov.in

3.) GoAP accepts that till December 2005, price bid submitted by 10,000 of contractors 9800 eTender enabled so far reached the server in readable fashion without any encryption, but that's OK. It’s public money and it can go down the drain.

4.) GoAP accepts that only C1 India can access the price bid of contractors, as they are the system administrator and super Admin of the website. Since no government office has access to database, and generally they are corrupt, the system is secure. As per GoAP, private company which has been given the custody of Rs.32,000 Cr. worth of eTender price bid security are trustworthy and walking gods.

5.) GoAP states that C1 India does not access the readable price bid of all contractors that is there in Database, and which can be accessed by C1 India anytime from anywhere. GoAP goes on record that since not a single case of tampering has been raised, there is nothing wrong with present system and they have full faith on C1 India. They have full faith on PWC, so what if they partner with C1 India for other government departments.

6.) GoAP does not care about Antares software being illegally used, since the matter is sub-judice.

7.) GoAP has accepted that the system was so insecure that, had they told the contractors and public at large about the security loopholes, no contractor would have submitted the bid, and hence all contractors, public, government officers were kept in dark about the security loophole.

8.) GoAP has accepted that Detached Signature and Server Side encryption are international practice as per their MNC consultant PWC, so what if C1 India gets the privilege to access the price bid of each and every contractor.

24. 10th December, 2005

To cover things up, IT Secretary gives a clean chit to Service provider – C1 India by means of issuing unsigned certificate making a claim that there is nothing wrong with the system.


eProcurement of Andhra Pradesh: C1 India affairs : C 1 INDIA promoted by NISG

Posted by nasscomundp on July 6, 2006

 Date: Tue, 21 Feb 2006 06:34:25 +0000 (GMT)
From: “manoj verma” <drmkv@yahoo.co.in>
Subject: C1 India affairs
To: vmkumaraswamy@yahoo.com

Dear Mr. Kumaraswamy,

Please find below one more affair of C1 India management affair, Karnataka has come up with a Tender for eProcurement on PPP model as of Andhra Pradesh, Please look in to the matter if Good Business Practices can be ensured:

  • Covansys has partnered C1 India Pvt. Ltd, a Delhi based company which is engaged in Rs. 38000 Crore eTendering scam in Andhra Pradesh, India, for offering eTendering solution to MPLUN, Madhya Pradesh, India. For more details log on to www.mpez.net.
  • C1 India has an IPR Theft case filed against them by a company called Antares System, based out of Bangalore, India. The case is pending in Delhi High Court, India.
  • C1 India is engaged in another legal battle with a company called Nextenders, based out of Mumbai, for NIC Tender for eTendering solution. The same case is pending in Delhi High Court, India.
  • C1 India is engaged in another legal battle for a tender for eTendering software floated by MMTC, India. The case is pending in Delhi High Court, India.
  • In MPLUN Tender, Covansys/C1 India JV is not Lowest Bidder. The lowest bidder is as per our market intelligence a MP based company

    Thanks & Regards

    Dr. Manoj Verma 


    AMPLIFYING LOCAL VOICES TO DEMOCRATIZE DEVELOPMENT , says Bank Information Center “BIC”

    Posted by nasscomundp on July 5, 2006

    Is this really happening? In World Bank?

     An Unbelievable Act of World Bank

    Dear Mr. Bhavnani,

    Saturday morning I had a bitter taste of my coffee sip while reading a news of World Bank as linked below

    http://web.worldbank.org/WBSITE/EXTERNAL/TOPICS/EXTINFORMATIONANDCOMMUNICATIONANDTECHNOLOGIES/EXTEGOVERNMENT/0,,contentMDK:20870206~menuPK:702592~pagePK:148956~piPK:216618~theSitePK:702586,00.html

    Before patronizing/glamourizing a SCAM you would have done some Homework on your own or through your investigating agencies. Should we believe that World Bank has lost the basic motive of the Millennium Development Goal or eGovernance at large?

    I had earlier informed the person in charge in World Bank Mr. Knut Leipold about the facts of eProcurement being practiced in Andhra Pradesh, long back and had requested him to assign suitable time for a demonstration about what other good initiatives had been taken in India, The Best Practice Real eProcurement in India, but since then I’m waiting for his confirmation.

    You are requested to read the following link to understand the other side, story of SCAM in the name of eProcurement in Andhra Pradesh, India -

    http://www.mpez.net//eprocurement-scam/default.asp

    The above mentioned story tells the real truth of a big scam in the name of eGovernance (eProcurement) in Andhra Pradesh.

    The representation had been lodged to all the concerned officials in Andhra Pradesh and GoI, but nothing has happened till now and as a sheer surprise World Bank is validating a SCAM and glorifying it to the World for practicing something opposite to the motive of World Bank Belief. Had it been posted under “eProcurement Scam” on World Bank’s website?

    While pursuing it with the GoAP and GoI officials we concluded that they might have been working Hands in Glove with this SCAM but to our Ultimate surprise WORLD BANK could not even distance themselves of the similar apprehension.

    Investigate the Corruption and inappropriate eProcurement charges got established while exchanging communication with the GoAP and APTS the implementing agency (Detailed in the Scam link above).

    Why it had violated the IT Act 2000 till 2005? Does World Bank appreciate violation of Local Government Laws?

    You mention in the case study of such report that “Encryption of data is happening on Server”. What happens when it arrives on the server? Did it not arrive in clear text on server? Did the system administrator not have access to these data?

    A lot other you will find when reading the represented “eProcurement SCAM in Andhra Pradesh” Link.

    With a sheer Shame and Great Disappointment “I WAS WORRIED TILL NOW FOR INDIA, NOW I AM WORRIED FOR THE ENTIRE WORLD” 

    Had I skipped this News?…………

    For Global Citizen’s sake investigate it properly and request GoI for penalizing all the guilty and culprits of this nature of affair.

    As a request to Mr. Knut Leipold – I’m still waiting to demonstrate the real eProcurement system in practice (Working in FOSS environment) for which MDBs had drafted a guideline. Please assign us your valuable time.

    Thanks & Regards

    Dr. Manoj Verma

    + 919376128329


    UNDP Information Disclosure Policy

    Posted by nasscomundp on July 5, 2006

     UNDP Information Disclosure Policy

    On June 21, 2004, I made a request for information to the Communications Office of the United Nations Development Programme (UNDP) under the UNDP Information Disclosure Policy. On August 25, 2004, I made a request for review of the refusal to provide information to the Oversight Panel established under the Policy. The Oversight Panel has not yet made a decision.

    http://foi.wikispaces.com/UNDP

    http://foi.wikispaces.com/space/showimage/Roberts_UNDP_Aug25_04.pdf

    Letters from civil society organizations asking the UNDP to complete its processing of the request:

    http://foi.wikispaces.com/space/showimage/A19_UNDP.pdf

    http://foi.wikispaces.com/space/showimage/A19_UNDP_Response.pdf

    http://foi.wikispaces.com/space/showimage/BIC_UNDP.pdf

    http://foi.wikispaces.com/space/showimage/BIC_UNDP_Response.pdf

    http://foi.wikispaces.com/space/showimage/CHRI_UNDP.pdf

    UNDP statement on the right to information

    The UNDP made a statement about the importance of the right to information in an April 2006 report. It said: “UNDP can play an important role in promoting right to information in a number of ways including levering its relationships with host governments; acting as a catalyst for change by supporting different right to information initiatives; identifying opportunities for constructive intervention in the debates and discussions that are likely to be taking place; using its own global expertise and experience of working on democratic governance issues; and meeting the commitments set out in its own Information and Disclosure Policy (IDP).”


    World Bank need to INVESTIGATE before PATRONIZING / GLAMOURIZING Andhra Pradesh eProcurement SCAM.

    Posted by nasscomundp on July 5, 2006

    FYI & Investigation

    manoj verma <drmkv@yahoo.co.in> wrote:

    Dear All,

    I had sent the below mentioned mail to the concerned officials of World Bank last week which got bounced (This is one more IRONY of the World Bank’s eGovernance Management), I resent it from another mail_id which has yet not reported to be bounced back but I have yet not received any acknowledgement till this time. These acts compel us to believe World Bank’s functioning like a Taluka affair where you are on mercy of the officers if they wish to acknowledge you or favor you by responding.

    The posting was as below:

    ————————————————————-

    Dear Mr. Bhavnani,

    Saturday morning I had a bitter taste of my coffee sip while reading a news of World Bank as linked below

    http://web.worldbank.org/WBSITE/EXTERNAL/TOPICS/EXTINFORMATIONANDCOMMUNICATIONANDTECHNOLOGIES/EXTEGOVERNMENT/0,,contentMDK:20870206~menuPK:702592~pagePK:148956~piPK:216618~theSitePK:702586,00.html

    Before patronizing/glamourizing a SCAM you would have done some Homework on your own or through your investigating agencies. Should we believe that World Bank has lost the basic motive of the Millennium Development Goal or eGovernance at large?

    I had earlier informed the person in charge in World Bank Mr. Knut Leipold about the facts of eProcurement being practiced in Andhra Pradesh, long back and had requested him to assign suitable time for a demonstration about what other good initiatives had been taken in India, The Best Practice Real eProcurement in India, but since then I’m waiting for his confirmation.

    You are requested to read the following link to understand the other side, story of SCAM in the name of eProcurement in Andhra Pradesh, India -

    http://www.mpez.net//eprocurement-scam/default.asp

    The above mentioned story tells the real truth of a big scam in the name of eGovernance (eProcurement) in Andhra Pradesh.

    The representation had been lodged to all the concerned officials in Andhra Pradesh and GoI, but nothing has happened till now and as a sheer surprise World Bank is validating a SCAM and glorifying it to the World for practicing something opposite to the motive of World Bank Belief. Had it been posted under “eProcurement Scam” on World Bank’s website?

    While pursuing it with the GoAP and GoI officials we concluded that they might have been working Hands in Glove with this SCAM but to our Ultimate surprise WORLD BANK could not even distance themselves of the similar apprehension.

    Investigate the Corruption and inappropriate eProcurement charges got established while exchanging communication with the GoAP and APTS the implementing agency (Detailed in the Scam link above).

    Why it had violated the IT Act 2000 till 2005? Does World Bank appreciate violation of Local Government Laws?

    You mention in the case study of such report that “Encryption of data is happening on Server”. What happens when it arrives on the server? Did it not arrive in clear text on server? Did the system administrator not have access to these data?

    A lot other you will find when reading the represented “eProcurement SCAM in Andhra Pradesh” Link.

    With a sheer Shame and Great Disappointment “I WAS WORRIED TILL NOW FOR INDIA, NOW I AM WORRIED FOR THE ENTIRE WORLD” 

    Had I skipped this News?…………

    For Global Citizen’s sake investigate it properly and request GoI for penalizing all the guilty and culprits of this nature of affair.

    As a request to Mr. Knut Leipold – I’m still waiting to demonstrate the real eProcurement system in practice (Working in FOSS environment) for which MDBs had drafted a guideline. Please assign us your valuable time.

    Thanks & Regards

    Dr. Manoj Verma

    + 919376128329


    AP State eProcurement scam – why my integrity, credibility, capability is being questioned

    Posted by nasscomundp on July 5, 2006

    From: “Ramesh Sinha” <rsinha@tendercity.com>

    To: eGovINDIA@yahoogroups.com, umashankarc@yahoo.com, vmkannada@gamail.com
    CC: kemal.dervis@undp.org, egovindia@yahoogroups.com, presidentofindia@rb.nic.in, dch@yojana.nic.in, mos@mit.gov.in, pmosb@pmo.nic.in, 10janpath@vsnl.net, soniagandhi@sansad.nic.in, nkchoudhary@sansad.nic.in, psgadhavi@sansad.nic.in, nivedita@sansad.nic.in, ddgasab@cag.delhi.nic.in, ssadel@cbi.nic.in, adco@cbi.nic.in, cvc@nic.in, mocit@mit.gov.in, secyegov-dpar@karnataka.gov.in, cs@karnataka.gov.in, cm@karnataka.gov.in, “‘Cc:’” <secy_it&c@ap.gov.in>, cmap@ap.nic.in, drysr@ap.gov.in, ksdir@hub.nic.in, moni@hub.nic.in, secretary@mit.gov.in, jsegov@mit.gov.in, ceo@nisg.org, vs@nisg.org, maxine.olson@undp.org, zephirin.diabre@undp.org, hafiz.pasha@undp.org, jan.mattsson@undp.org, david.lockwood@undp.org, terence.d.jones@undp.org, darshak.shah@undp.org, mari.matsumoto@undp.org, vmkumaraswamy@yahoo.comegovindia@yahoo.com, kkarnik@nasscom.org, saravade@gmail.com, mumbai@nasscom.org, mail@dqindia.com
    Subject: FW: eProcuremnet scam – why my integrity,credibility, capability is being questioned
    Date: Wed, 30 Nov 2005 10:28:16 +0530
    _____________________________

    From: Ramesh Sinha [mailto:rsinha@tendercity.com]
    Sent: Wednesday, November 30, 2005 10:26 AM
    To: ‘addlsecy_agr@ap.gov.in’; ‘addlsecy_efst@ap.gov.in’; ‘addlsecy_hsng@ap.gov.in’; ‘addlsecy_ict@ap.gov.in’; ‘advgovt_fin@ap.gov.in’; ‘advisor_it@ap.gov.in’; ‘apstocm@ap.gov.in’; ‘asstsecy_letf@ap.gov.in’; ‘bethapudi@yahoo.com’; ‘binoy@ap.gov.in’; ‘cpro_cm@ap.gov.in’; ‘cs@ap.gov.in’; ‘cvsksarma@ap.gov.in’; ‘dfa_pmu@yahoo.com’; ‘drpsubrahmanyam@ap.gov.in’; ‘gopikrishna@ap.gov.in’; ‘healthsys@rediffmail.com’; ‘jannathussain@ap.gov.in’; ‘jdinfra_it&c@ap.gov.in’; ‘jtsecy_fin@ap.gov.in’; ‘jtsecy_rsad@ap.gov.in’; ‘mgvkbhanu@ap.gov.in’; ‘mnrao@ap.gov.in’; ‘murali@ap.gov.in’; ‘nshari@ap.gov.in’; ‘osd_fin@ap.gov.in’; ‘prabhakarreddy@ap.gov.in’; ‘prabhakert@ap.gov.in’; ‘praghuveer@ap.gov.in’; ‘pratapsp@gmail.com’; ‘prl.secyagr@ap.gov.in’; ‘prlsecy_agr@ap.gov.in’; ‘prlsecy_cm@ap.gov.in’; ‘prlsecy_hmfw@ap.gov.in’; ‘prlsecy_letf@ap.gov.in’; ‘prlsecy_minwelf@ap.gov.in’; ‘Prlsecy_sw@ap.gov.in’; ‘PS_CM@ap.gov.in’; ‘pstocm@ap.gov.in’; ‘ramakanth@ap.gov.in’; ‘ratnaprabha@ap.gov.in’; ‘rksuman@ap.gov.in’; ‘schanda@ap.gov.in’; ‘scio@ap.gov.in’; ‘seclegis@a.p.nic.in’; ‘Secy_BCW@ap.gov.in’; ‘secy_bud_fin@ap.gov.in’; ‘Secy_FOOD@ap.gov.in’; ‘secy_hmfw@ap.gov.in’; ‘secy_poll_gad@ap.gov.in’; ‘Secy_R&E_FIN@ap.gov.in’; ‘secy_rws_prrd@ap.gov.in’; ‘secy_se_edn@ap.gov.in’; ‘Secy_TW_SW@ap.gov.in’; ‘so_portal@ap.gov.in’; ‘SplSecy_efst@ap.gov.in’; ‘tchatterjee@ap.gov.in’; ‘tigdi@ap.gov.in’; ‘tparthas@ap.gov.in’; ‘cmap@ap.gov.in’; ‘cmap@ap.nic.in’; ‘drysr@ap.gov.in’; ‘NarsingRao’
    Cc: ‘drverma@tendercity.com’
    Subject: eProcuremnet scam – why my integrity,credibility, capability is being questioned

    From: Ramesh Sinha [mailto:rsinha@tendercity.com]
    Sent: Wednesday, November 30, 2005 10:23 AM
    To: ‘pmeprocurement’
    Cc: ‘NarsingRao’; ‘P Raghuveer’
    Subject: RE: eProcurement- tender city
    Dear Sir,

    Instead of taking action against M/s. C1 India Pvt. Ltd. we are surprised to see that the Government of AP has started to grill us for bringing out in public the loopholes in the eProcurement system www.eprocurement.gov.in it uses. I think whistle blowers in our great country India, cannot escape it and hence we are complying with your request with this mail.

    I have not yet received any reply to the question raised by me on 24th of November, 2005. Please let me know if it would be wrong to assume that Government of AP is trying to cover up the issue by asking irrelevant question and questioning my credibility, capabilities and integrity. Now that I have answered your email promptly, can I expect reply to the questions raised by me on 24th of November after 6 days.

    Applitech Tendercity.com has enabled the first eTender in India in July 2003 which complied to IT Act, and was digitally signed. Since then till date we have enabled eTenders & eAuctions for government department in excess of Rs. 8,000 Crores. Some of our customers includes Gujarat Water Supply and Sewerage Board, Sardar Sarovar Narmada Nigam Limited, Government of Rajasthan, Gujarat Narmada Valley Fertilizer Company, Indian Oil Corporations, etc.

    I have brought to your notice the major security loopholes because of which the secrecy of price bid can be compromised. There are 100’s of live tenders currently available on www.eprocurement.gov.in and because of which I had requested Government of AP to pull down the site immediately, which for some reasons beyond has been not done. I further take this opportunity to point that I had demonstrated our entire system to your colleague for almost 2 hours. I unfortunately do not recollect his name, but he was there when I met the IT secretary.

    Ramesh Sinha
    CEO
    Applitech Tendercity.com I Pvt. Ltd

    9825021784

    ___________________________________________________

    From: pmeprocurement [mailto:pmeprocurement@ap.gov.in]
    Sent: Tuesday, November 29, 2005 9:30 PM
    To: rsinha@tendercity.com
    Cc: NarsingRao; P Raghuveer
    Subject: eProcurement- tender city
    Dear Mr.Ramesh Sinha,

    Greetings!

    Please indicate the following details about the tender city eprocurement platform by 30th Nov 2005,

    1. Please indicate the names of Government departments or Agencies using the tender city eprocurement portal for end to end (NIT publishing to award of contract to the successful bidder) tender processing. Furnish client wise details on number of tenders completed with their aggregated value on tendercity portal since last two years.

    2. Who is the system administrator and data base administrator for the tender city eprocurement portal used by your clients.

    Yours Sincerely,
    K.Bikshapathi
    Project Manager,
    eProcurement,
    Ph.No.23451055
    Fax.No.23450103


    World Bank and UNDP please read letter from Tendercity to Sri. Narsing Rao , Secretary, ITC&C Dept. Andhra Pradesh State on eProcurement scam worth Rs. 38,000 Crores in Andhra Pradesh State in INDIA.

    Posted by nasscomundp on July 5, 2006

    From: Ramesh Sinha [mailto:rsinha@tendercity.com]
    Sent: Tuesday, December 06, 2005 11:07 AM
    To: ‘pmeprocurement’
    Cc: ‘NarsingRao’; ‘P Raghuveer’; ‘ratnaprabha’; ‘Sunitha Natti’; ‘drverma@tendercity.com’; ‘kinjal@tendercity.com’; PAAVAN DUGGAL
    Subject: RE: eProcurement scam worth Rs. 38,000 Crores in Andhra Pradesh).
    Dear Sir,

    Your reply has confirmed our doubt that Rs. 38,000 eProcurement scam did take place.  As requested, we are making your reply with our comments public. Let the contractors/public decide what is good for them and how their money should be spent.

    1. Service Provider fully controls and owns the eprocurement.gov.in site and all the data on that site
    2. Encryption was done using internal algorithm for symmetric encryption on the server side, till Feb 2005.
    3. Digital Certificates were not used till Feb 2005.  The GoAP accepts that Digital Certificates were available as on Jan 2003.
    4. GoAP does not have any objection if price bids of all contractors can be accessed by the service provider before tender opening date, as the GoAP has blanket trust on the ethics of the Service Provider, C1 India Pvt Ltd.  This is despite the fact that 3 different companies have filed lawsuits involving C1 India charging them with various unethical practices.
    5. We have demonstrated clearly to the GoAP IT Secy on 24 Nov, and APTS on 3 Dec the various technology issues and best practices.  The GoAP still insists on continuing their blind trust on the service provider.
    6. The GoAP admits that the price bids reach the application in readable clear text, and subsequently are subject to encryption.  The GoAP is explained this loophole and still continues to use this site.
    7. The GoAP is remaining silent on the fact that the SSL certificate is issued by a US based private company, which is not recognized by the CCA of India.  The GoAP also is not able to explain how the ownership of a .gov.in domain is given to a private limited company, as is mentioned in the Server Certificate.
    8. PWC, who was asked to conduct a security audit, is a consortium partner with C1 India for eprocurement tender invited by other state governments.

     

     

    We request that:

    1. The site eprocurement.gov.in be pulled down immediately
    2. All the 9841 tenders be investigated given the admissions of lack of secrecy.
    3. To penalize the service provider and its champions within the government for willfully and knowingly supplying and using a sub standard eprocurement system.
    4. As per your instructions of the IT Secretary, we are making the letter LR.No. 2852/eProcurement/IT&C Department/2005 Dated 5-12-2005 public.  We request all interested and knowledgeable people to carefully review the letter and send their comments to the IT Secretary, and educate him on technology.

     

     



    From: pmeprocurement [mailto:pmeprocurement@ap.gov.in]
    Sent: Monday, December 05, 2005 6:41 PM
    To: rsinha@tendercity.com
    Cc: NarsingRao; P Raghuveer; ratnaprabha; Sunitha Natti
    Subject: Fw: eProcurement scam worth Rs. 38,000 Crores in Andhra Pradesh).

     


    Dear Mr Ramesh Sinha,

    Greetings.

    Please find attached our reply to the issues raised in your mails dated 8/11/05, 26/11/05 on eProcurement platform of GoAP. A physical copy will follow. Meanwhile, it is requested to forward our reply immediately to all those to whom you have mailed letters (referred above) either in physical mode or email and host the reply prominently in the web site http://www.tendercity.indiatimes.com for 15 days at your cost.

    Yours Sincerely,
    K.Bikshapathi
    Project Manager,
    eProcurement,
    Ph.No.23451055
    Fax.No.23450103

    —– Forwarded by pmeprocurement/IT/HYD/APGOVT on 05/12/2005 06:26 PM —–

    pmeprocurement/IT/HYD/APGOVT 26/11/2005 09:19 PM
    To rsinha@tendercity.com
    cc NarsingRao/IAS/APGOVT@APGOVT, P Raghuveer/IFS/APGOVT@APGOVT
    Subject Fw: eProcurement scam worth Rs. 38,000 Crores in Andhra Pradesh).

     

     

     

    Dear Mr Ramesh Sinha,

    Greetings.

    Your mail has been forwarded to me and we are examining the issues raised therein.

    Yours Sincerely,
    K.Bikshapathi
    Project Manager,
    eProcurement,
    Ph.No.23451055
    Fax.No.23450103

    —– Forwarded by pmeprocurement/IT/HYD/APGOVT on 26/11/2005 09:15 PM —–

     

     

     

    “Ramesh Sinha” <rsinha@tendercity.com>
    26/11/2005 02:22 PM

    Please respond to <rsinha@tendercity.com>

    To <secy_it&c@ap.gov.in>, <cmap@ap.gov.in>, <cmap@ap.nic.in>, <drysr@ap.gov.in>
    Subject eProcurement scam worth Rs. 38,000 Crores in Andhra Pradesh).

     

     

     

    To
    The Secretary
    Information Technology and Communication Department
    Room No. 433, 3rd Floor, D Block, AP Secretarial
    Hyderabad – 500 022
    Date: 26th November, 2005
    Kind Attn. : Mr. Narsing Rao
     
    Subject: eProcurement scam worth Rs. 38,000 Crores in Andhra Pradesh).
     
    Dear Sir,
    I am herewith listing the points discussed during our meeting at your office on 24th of November, 2005 regarding the major security loopholes in www.eprocurement.gov.in. Further you are requested to immediately pull down the website as using the system till the time the below security loopholes are not patched, would mean compromising with the Public Procurement Practices at large where “Public Money” is at stake.
     
    ·        Though the Tender/Project was awarded under IT Act 2000, Digital Certificates were only incorporated after March 2005. This means that approx 5000 Tenders worth Rs.31,000 Crore were enabled in an insecure fashion where system administrator could access the price bids submitted by 10,000 odd bidders before due date and time.

    ·        Though the government made it mandatory to introduce Digital certificate after March 2005, but as of November 2005, the “Goods” Tender are being submitted without being digitally Signed and are not stored in encrypted fashion (that is encryption is not done using Buyer’s Digital Certificate). When we logged into your system, we could actually edit our bid and this proves the above point.

    ·        As of November 2005, the “Works” Tender are only Digitally Signed, but are not stored in Encrypted Fashion using Digital Certificate.

    ·        As of November 2005, during bid submission process a detached digital signature is being generated because of which Original Bid and its Signature are separately stored in the database i.e. if a bidder quotes Rs. 1000 as his price bid, Rs. 1000 is stored in database in readable format and Digital Signature of Rs. 1000 is separately stored. Because of this loophole the system administrator can have access to the price bid of a Bidder before due date and time. One of your officers who was present objected to this point and said that it was actually attached signature that was being generated. I suggested that we save the page from www.eprocuremnent.gov.in and call the TCS- CA (Certifying Authority), your CA Vendor and ask them to clarify to which I didn’t get any reply from yours or your colleague, which validates this loophole.

    ·        After the bid is submitted by a contractor, the system throws a message that “you can not edit the bid because it is encrypted” whereas in reality the bids are actually stored in a readable fashion which can be accessed by system administrator. As per your colleague’s comments, the encryption takes place at server level. If the bid reaches the server in readable fashion then there is no point of encryption in the system as the administrator can read it, make a copy of it, or share it. Ideally it should be encrypted at client machine and then transferred to the server. When we submitted the bid, there was no encryption done on client machine and as per your colleague it was done at Server level which compromises with security and thus secrecy of price bid.

    ·        M/s. C1 India, the service provider must have known the loopholes and yet didn’t do anything about it in spite of the fact that 10,000 eTenders worth Rs.38,000 Crore have been enabled. This validates the major flaw in Public Procurement system in Andhra Pradesh where www.eprocurement.gov.in is being used.

    ·        In spite of offering a substandard and security lapse services M/s. C1 India is charging very high charges for the same other than what they are quoting to other Governments  1/10th of the rate for similar services but still the Government of AP has not negotiated the rate with C1 India and not warned them for removing the flaws in security to check compromise with Public Procurement Practices.
     
    ·        We asked to tell us as who was the system administrator – Some AP Government officer or M/s. C1 India Pvt. Ltd and you had no idea about the same. The officer in charge of eProcurement who was also present during the meeting did not share as who was the system administrator. Given the fact that 10,000 Tender worth Rs. 38,000 Cr. were enabled on such insecure manner, we are forced to believe that it should be actually M/s. C1 India Pvt. Ltd, which basically strengthens our doubts and lapse in e-Tendering (could be intentional because of some vested interest). No government officer would have allowed such insecure application in the first place if he would have been the system administrator as he would have known the above mentioned serious and major lapse in the security & secrecy of the Bids.
     
    Because of the above loopholes, you are requested to pull down the insecure website www.eprocurement.gov.in immediately. We eagerly wait for your immediate action in this regard.
     
    If our request to pull down the site by November, 26th 2005 is not entertained we will be forced to go to the public to inform them about the above loopholes and the risk contractors face, when they participate in eTenders. The public money is being risked and as a responsible citizen and socially conscious Company, we cannot allow this to continue any longer.
     
    We have also requested to be given the opportunity to demonstrate the above loopholes in person to you or agency like Andhra Pradesh Technology Services on 25th of November, 2005. We have not received any confirmation for the same till now.  We fear that M/s. C1 India will change the code of website if we do not get the opportunity to do it immediately.
     
    We see the current eTendering system in Andhra Pradesh as mother of all scams to a tune of Rs. 38,000 Crores. We further request you initiate appropriate investigation and ask the Anti Corruption Bureau to look into the matter in this regard.
     
    And also ensure that Key Government officers who were in charge of enabling www.eprocuremnet.gov.in and M/s. C1 India Key Officers should not get a chance to fly away and try to cover this major scam because of their influence.
     
    Looking forward to hear from you soon.
     
    Ramesh Sinha
    Director/CEO
    Applitech Tendercity.com I Pvt.  Ltd.
    98250 21784
    rsinha@tendercity.com
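The storage difference described in the letter above, as an added example (not part of the original correspondence and not the code of either portal): a bid kept in clear text beside a detached signature, versus a bid signed and encrypted on the bidder's machine to the buyer's public key. The key pairs, field names and sample bid are constructed for illustration, and the sketch assumes the buyer's private key is held off the server.

```javascript
// Added illustration; every name here is hypothetical.
const nodeCrypto = require("node:crypto");

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Constructed RSA key pairs standing in for the bidder's and buyer's digital certificates.
function newKeyPair() {
  return nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Model A: the bid reaches the server in clear text; a detached signature is stored beside it.
function storeDetached(bid, bidderKeys) {
  const plaintext = Buffer.from(JSON.stringify(bid));
  const signature = nodeCrypto.sign("sha256", plaintext, bidderKeys.privateKey);
  return { plaintext, signature };
}

// The detached signature proves who submitted the bid and that it is unchanged,
// but it does nothing to hide the value it signs.
function verifyDetached(record, bidderPublicKey) {
  return nodeCrypto.verify("sha256", record.plaintext, bidderPublicKey, record.signature);
}

// Model B: runs on the bidder's machine. The bid is signed, then encrypted with a
// one-time AES-256-GCM key, and that key is wrapped with the buyer's public key.
function sealOnClient(bid, bidderKeys, buyerPublicKey) {
  const bidBytes = Buffer.from(JSON.stringify(bid));
  const signature = nodeCrypto.sign("sha256", bidBytes, bidderKeys.privateKey);
  const payload = Buffer.from(JSON.stringify({
    bidBytes: bidBytes.toString("base64"),
    signature: signature.toString("base64"),
  }));
  const contentKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", contentKey, iv);
  const ciphertext = Buffer.concat([cipher.update(payload), cipher.final()]);
  const tag = cipher.getAuthTag();
  const wrappedKey = nodeCrypto.publicEncrypt({ key: buyerPublicKey, ...OAEP }, contentKey);
  return { wrappedKey, iv, tag, ciphertext }; // this is all the server ever stores
}

// Bid opening: only the holder of the buyer's private key can unwrap the content key.
// A modified record fails the GCM tag check; a forged bid fails the signature check.
function openAtBidOpening(record, buyerPrivateKey, bidderPublicKey) {
  const contentKey = nodeCrypto.privateDecrypt({ key: buyerPrivateKey, ...OAEP }, record.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", contentKey, record.iv);
  decipher.setAuthTag(record.tag);
  const payload = JSON.parse(
    Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString()
  );
  const bidBytes = Buffer.from(payload.bidBytes, "base64");
  const signature = Buffer.from(payload.signature, "base64");
  if (!nodeCrypto.verify("sha256", bidBytes, bidderPublicKey, signature)) {
    throw new Error("bidder signature does not verify");
  }
  return JSON.parse(bidBytes.toString());
}

// What a party with read access to the stored record, and no private key, can learn.
function adminView(record) {
  return record.plaintext ? JSON.parse(record.plaintext.toString()) : null;
}

function demo() {
  const bidder = newKeyPair();
  const buyer = newKeyPair();
  const bid = { tender: "T-001 (constructed)", price: 1000 };
  const a = storeDetached(bid, bidder);
  const b = sealOnClient(bid, bidder, buyer.publicKey);
  return {
    modelA_adminSeesPrice: adminView(a).price,
    modelA_signatureValid: verifyDetached(a, bidder.publicKey),
    modelB_adminSees: adminView(b),
    modelB_openedPrice: openAtBidOpening(b, buyer.privateKey, bidder.publicKey).price,
  };
}

console.log(demo());
```

In model A the signature still verifies after the price has been read, which is why a valid detached signature says nothing about secrecy before the opening date.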


    Reply of Sri. Narsing Rao, Secretary, ITC&C Dept. Andhra Pradesh State to eProcurement- Representation of Sri. Ramesh Sinha, CEO, Applitech Tendercity. com India Pvt. Ltd.- Apprehensions on security in eProcurement platform – Reply- Reg. Mr. Rao writes: You are absolutely right on this one. We gave totally misleading figures. The correct figures are: 9841 tenders worth Rs. 32,578 crores have been processed with security loop holes.

    Posted by nasscomundp on July 5, 2006

    From: Sri Narsing Rao, Secretary, IT&C dept, Govt of Andhra Pradesh, Hyderabad

    To, Sri Ramesh Sinha, Director/CEO Applitech Tendercity.com Pvt Ltd. Ahmedabad, Gujarat.

    Lr.No. 2852/eProcurement/IT&C Department/2005 Dated 5-12-2005

    Sir,

    Sub: eProcurement- Representation of Sri. Ramesh Sinha, CEO, Applitech Tendercity. com India Pvt. Ltd.- Apprehensions on security in eProcurement platform – Reply- Reg.

    Ref:
    1. Letter No. Nil dated 8th November, 2005 from Sri. Ramesh Sinha, CEO, Applitech Tendercity. com India Pvt. Ltd. addressed to Project Manager, eProcurement, IT&C Dept.
    2. email dated 26.11.2005 from Sri. Ramesh Sinha, CEO Applitech Tendercity. com India Pvt. Ltd.- addressed to Secretary IT&C

    1. With reference to your correspondence cited above on the issues related to compromise on security in eprocurement platform of Government of Andhra Pradesh (GoAP) on account of non encryption of sensitive data and malicious System administrator are purely hypothetical in nature. The IT&C Department of GoAP is aware that the security& secrecy of tender data is of paramount importance as the portal handles sensitive procurement transactions of Govt departments and has foreseen the above concerns during the conception stage of the eProcurement project itself. Accordingly, following stringent security measures have already been implemented in the system to ensure that transactions on eProcurement portal happen in the most secured manner.
    • Physical security of data center. Entry to the Data center is with Bio metric smart cards, round the clock CCTV monitoring and under strict personal supervision of Data center personnel.
    • Web security through 128 bit Secured Socket Layer (SSL) Technology from client end to server for secured passage of data

    The SSL certificate has been issued by a US based CA. Is this CA recognised by CCA? Is this certificate valid legally at all? How is it that the domain ownership of a .gov.in domain is with a private limited company, as it says in the server certificate?

    • Fire walls, intrusion detection system, online virus check, up to date anti virus system, online OS patches to prevent malicious attacks
    • Network monitoring system to monitor the service levels of the site.
    • Sound back up methods for storing data.
    • Comprehensive audit logs of all events that are taking place on the platform
    • Access controls, sharing of functions between system administrator and data base administrator
    • Third party security audit of eProcurement system. M/s. PWC has conducted security audit in pilot phase (2003) and has expressed that security is uncompromising. APTS is in the process of finalizing Security consultant for taking up another third party security audit of the system at the earliest.

    PWC was the consultant appointed. PWC was in a joint venture with M/s C1 India Pvt Ltd for NIC Tender. How is PWC “third party”?

    • Encryption of sensitive data (price bids). This has been done using internal algorithm during pilot phase and subsequently done through Digital Certificates issued by third party Certifying Agency (TCS) in compliance to IT Act, in the roll out phase i.e. from January 2005.

    “Internal Algorithm”? There is no such thing. If the algorithm cannot be made public, it is not worth anything. There is still no encryption taking place on the client side. The acceptable method would be encryption using Digital Certificates and the encryption should take place on the client side.

    • All this is keeping the site safe from unauthorised access. We have never questioned this. What we are consistently questioning is keeping the data on the site safe from authorised, albeit unethical, access.
    1. The GoAP has embarked upon eProcurement in 2002 with an objective to reform the prevalent manual tendering process which has severe short comings. eProcurement is to be implemented across whole government to bring transparency, derive process efficiency, cost and time reduction for both government & suppliers. The e-procurement project was envisaged by Govt. of Andhra Pradesh in the year 2002 under PPP- ASP (Application service Provider) model and the implementation of Pilot Phase was started in four departments on 29th January 2003. Since as on that date there were hardly 1 or 2 Certifying Authorities with national presence for issue of Digital certificates, the IT&C department has taken a conscious decision to go ahead with the eProcurement initiative without insisting for Digital Certificates in the Pilot phase and at the same time not compromising on the security and to gradually make way for implementation of Digital Certificates in the rollout phase, as it was expected that issue as well as usage of Digital Certificate processes would stabilize over time.

    The process of getting a digital certificate remains the same today as it was when the eTendering commenced in 2003. It is not any more easier or difficult. It took 10 minutes then, if all the documents were available. So the perception of unstable processes was purely imaginary and misguided.

    It is to be mentioned that non usage of Digital certificate would not amount to breach of security as there are alternative technologies to implement fool proof security in IT systems. For example, Digital Signatures are not being used for internet banking, online train bookings, online airline ticket bookings and several other eGovernance initiatives implemented by various state governments. It doesn’t mean that all these transactions are compromising the security and are violating the IT Act 2000.

    Read the disclaimers. The disclaimer for HDFC bank (https://netbanking.hdfcbank.com/netbanking/netbk-terms-con.htm), under the section titled NETBANKING, clearly writes “I shall not request /demand any evidence of proof for transactions undertaken through the Net”. Similar wordings on all online banking sites, railway reservations etc. Forget online ticket bookings, even booking a ticket at the counter, you are asked to fill up a form giving the name of the passenger. No proof of identification is asked. Will you qualify a tenderer who makes claims in the experience criteria, but does not substantiate it with certificate of completion, etc. These businesses are serving a very different need, and their online presence is only a way to increase convenience for customers. The fact that you have booked a ticket is not to be kept secret from everyone till the date of the journey. Comparing these sites with an eprocurement site is comparing apples and oranges. If you still want to persist in the comparison, I have three words for you “Credit Card Fraud”. Since this is happening in the ecommerce world, and you are following the same standards, the “etendering scam” is definitely happening. The online transactions which do not use digital certificates are not in compliance with the IT Act. Any person who conducts such transactions will not have recourse to a court of law under the IT Act.
    1. Subsequently with more number of Certifying Authorities coming up, action was initiated to use Digital Certificates for authentication and encryption. Accordingly Andhra Pradesh Technological Services (APTS), a PSU of GoAP has become a Sub-CA to M/s. TCS-CA (certifying authority) for issuing Digital Certificates to the users of eGovernance applications of GoAP and started issuing digital certificates to the users of eProcurement platform in December 2004. As soon as the infrastructure was well in place in Andhra Pradesh, a PKI enabled eProcurement pilot was initiated for high value EPC type Jalayagnam tenders of Irrigation & CAD department from last week of December 2004. On success of this Pilot, Govt Orders were issued vide G.O.Ms 6 IT&C Dated 28-2-2005 for mandatory implementation of PKI with digital certificates for eProcurement w.e.f 1st March 2005.

    Am I the only one who is not stupid around here? The eprocurement portal of the GoAP accepts only TCS-CA certificates. That may or may not be a violation of the IT Act, but it definitely does not seem like a fair trade practice. What are the compelling reasons for this practice? Till date, Rs. 32000 worth of etenders have been processed in the most insecure fashion. A token compliance with the IT Act does not mean that systems are foolproof. The fact remains that the system administration can still see the price bids. The current process still uses digital certificates for login and signing of price bids. It still does not sign the technical bids or encrypt the price bids on the client side. This has been clearly demonstrated to the IT Secretary on 24 November, and indicated to APTS on 3 December. And as of 6th December, eprocurement.gov.in is happily functioning.

    1. It is to mention that your contention about approximately 5000 tenders worth Rs 31,000 Crores have been processed with security loopholes with out using Digital Certificate on eProcurement platform of GoAP is misleading, completely baseless, self presuming and an attempt to sensationalise the issue . The actual statistics are furnished in the following table.

    | Period | Nos of Tenders | Value |
    |---|---|---|
    | 29-1-2003 to 28-12-2004 (pre PKI implementation with Digital certificates issued by TCS) | 2506 Tenders | Rs 4,506 Crores |
    | 29-12-2004 to till date (post PKI implementation with Digital Certificates issued by TCS) | 7335 Tenders | Rs 28,072 Crores |

    You are absolutely right on this one. We gave totally misleading figures. The correct figures are: 9841 tenders worth Rs. 32,578 crores have been processed with security loop holes

    1. It is to clarify that though the eProcurement platform was not using Digital Certificates for authentication and encryption in the pilot phase i.e., upto 28-12-2004, all the security issues were well addressed with good security policy in place viz., 128 bit SSL encryption for the data flow from client end to eprocurement servers, encryption of sensitive data (price bids) with COM based DLL using internal algorithm in symmetric method at server side, storing of data in encrypted form at the server end prior to opening of bids, controlled access to administrators, storing of log of all activities, third party security audit of the system etc.

    “internal algorithm – symmetric method – server side”. How many times will have to go through this? The system administrator in question happens to be a private company called C1 India Pvt Ltd, based in Delhi. What are the compelling reasons for continuing to trust and defend the service provider with a system which could allow the price bids to be accessed from anywhere in the world.

    1. The PKI enabled eProcurement software using the Digital Certificates issued by TCS, a third party Certifying Authority, is implemented with effect from 29-12-2004 for high value EPC tenders of Irrigation department and later made mandatory for all other tenders w.e.f 1-3-2005. The digital signature process has been finalized after several rounds of consultations among the IT&C Department, TCS-CA, C1India and it was decided to adopt hybrid of both Symmetric and Asymmetric encryption methods to encrypt the sensitive data (price bids) of the bidders at the server side, generate detached digital signature as a best practice before storing them in the database. The sensitive data submitted by the bidder travels from the client machine to the server through 128 bit Secured socket layer and is encrypted with the buyer’s Digital certificate at the server side using TCS control tools. The data (price bid) is stored in encrypted format in the database and cannot be viewed in readable format by anyone including the database administrator prior to decrypting the bid by the buyer with his private key on lapse of specified time and date of opening of bids. These processes were shown to the media during tender opening of high value EPC tenders under ‘Jalayagnam’ programme.

    The detached or attached digital signatures are a moot point considering there is no encryption taking place on the client site. This effectively means that the system administrator still has ability to access the technical/price bids. The system administrator in question happens to be a private company called C1 India Pvt Ltd, based in Delhi. What are the compelling reasons for continuing to trust and defend the service provider with a system which could allow the price bids to be accessed from anywhere in the world.

    1. The transaction fee payable to M/s C1 India has been approved by the GoAP based on recommendations of sub-committee of Secretaries over a report prepared by a consultant with due diligence in October 2004 and is valid from 1-4-2004 to 31-3-2007, as per an agreement entered between the IT&C Department of GoAP and M/s C1 India. The revised transaction fee structure is significantly lower than the charges agreed for Pilot phase in the original agreement and comparable to the open market rates charged for similar level of eProcurement services by reputed firms in India.

    How does this revised transaction fee structure compare with the quotes submitted by this vendor in other parts of the country? Would you care to declare the reputed firms and their open market rates? Would you care to comment on what rates you would get if they were to be quoted in competitive environment? Even the modified rates are amongst the highest as of today. For 1/10th of the amount paid by the GoAP to the service provider as fees, it could have procured a secure product, with complete IT Act compliance, along with source code.

    1. With regards to your presumptions on administrators role, it is clarified that the GoAP is taking eProcurement services from M/s C1 India through Application Service Provider model. In this model the service provider is totally responsible for operation and maintenance of the eprocurement platform and the services are regulated through a Service level agreement entered between the department and service provider. In view of this the System Administrator and Database Administrator privileges are retained with M/s C1India, as is the case in any other eprocurement portal delivering services on ASP model. The Privileges and functions are shared between different people of the company to avoid security lapse. The Operating System of Application maintain logs of all activities performed by System Administrator and Database Administrator. The Public Key Infrastructure is a fool proof measure for maintaining secrecy and security of Data as the System administrator would not be able to decrypt the bids on his own and also will not be in a position to view the bids as the data is stored in an encrypted mode in non-readable form. In addition to this, the bid opening is governed by date and time fixed for opening, which is basically server time hosted in a very secured professionally managed data center. In view of this multi level checks and balances implemented in the system, the security & secrecy of sensitive data is assured. Therefore, the eProcurement transactions are carried out in most secured manner to the benefit of society at large.

    By surrendering all privileges with the vendor, the government does not indemnify itself. Several times earlier in this document you have stated that the encryption is carried out using internal algorithm on the server side. Suddenly, this has changed to PKI, which I am assuming means that the well known algorithm which is asymmetric is being used. But this is still on the server side. This leaves room for play. This is like saying to your vendors “Fax me your price bids, I will put them in an envelope, seal them and drop them in the tender box for you”. Also, I am assuming that since the encryption is taking place on the server side, the decryption must also be taking place on the server side. Which, assuming you are using Public Key Encryption, means that the private key is available on the server side. What more is required to decrypt the data? And if the encryption is in fact taking place on the server side, and the vendor does in fact have full control over the system, there cannot be any “assured” stamp on the secrecy (note that we are not disputing the security). The best practice of using signing and encryption have been explained and demonstrated to the IT Secy as well as APTS. If any part of this is not understood clearly, please feel free to call us again to explain the same. However, the fact remains that the existing site falls way short of the standards of secrecy required by eTendering and therefore every tender being processed is liable to be scrapped. To prevent further damage to the state government, we strongly suggest that you stop all procurement using this site.

    1. You must be aware that procurement transactions in the government domain are so sensitive that even a little amount of doubt about the integrity of data in eProcurement platform would have lead to public outcry and this platform would not have gained acceptance from the supplier community. The eProcurement platform has processed 9841 tenders aggregating to Rs 32578 Crores from January 2003 to end of November 2005. It is to emphasise that all these transactions were carried out in a very secured manner without a single instance of complaint from the suppliers about their bid values getting tampered or some favoured bidder getting advantage due to breach of secrecy by the service provider. The proof could also be corroborated from the fact that most of the completed transactions on eprocurement portal (90 % of tenders) are discounted quotations to a tune of 8 -10 % over the estimated rates, which resulted in savings of more than Rs.2000 crores of public money to the Govt. It is pertinent to highlight that in several tenders with a single bidder participation, the price bid quotations were on lower side of estimated value. This could not have been possible had the security and secrecy of bids submitted by bidders been compromised by the service provider as presumed by you. A third party security audit conducted during the pilot phase in pre PKI period has no adverse comments on data security and secrecy. Hence, your concerns on compromise in security & secrecy in eprocurement platform of GoAP are baseless and unfounded.

    These same statements when taken with the fact that secrecy of bids is not fool proof, become proof of the mischief we are claiming.

    1. Further, as per our security policy, the APTS is finalising a consultant for conducting third party security audit of eprocurement application for the current year and the bids are scheduled to close by 12-12-2005. Among other things, the scope of audit includes transaction audit of all EPC tenders (high value) and 50 numbers of randomly selected regular tenders processed through the platform. I suggest you appoint Infosys, Microsoft, etc. or any licensed CA like TCS, Safescrypt, Ncode or Tendercity as the third party auditor. I suggest that you include in the scope of the audit, not just the current system, but also the past transactions on this system. If you are so sure that the service provider is a completely honest and trustworthy party, you should not have any hesitation in expanding the scope of the audit.
    1. It is not our intention to cast any aspersions on you for this misinformation campaign against one of the most successful reforms in the country, which made considerable social impact by eliminating contractor cartels in government tenders to a greater extent, brought in transparency and saved huge amounts of taxpayers' money. However, it is understood that your firm (Tendercity) is locked in a legal battle against our service provider (C1 India) and it is quite possible that your complaint is a motivated one because of the business rivalry. If you bothered to get the case papers and go through them, or else ask your legal department to brief you on them, instead of just relying on the information that is fed to you, you will find that it is an ex parte stay order obtained by C1 India, which prevents us from using C1 India's eprocurement software. We were not present when the stay was obtained. We are not using C1 India's eprocurement software. Now that you have more information, you can better judge who is motivated and who has the feeling of business rivalry. We are drawn into unnecessary, time consuming and costly litigation. M/s C1 India has been faxing these court orders to all our customers, resulting in further dilution of our resources and defamation of our company and product. We have solid faith in Indian Legal System. We urge you to track the case more closely and independently.
    1. In view of the above facts and figures, it is to inform that we have reviewed our processes based on the security concerns raised vide your letters cited and found that they are self presuming apprehensions, lacking any basis, as all transactions on eProcurement platform are conducted in the most secured way without any compromise on security and secrecy of sensitive tender data. It is requested to circulate this response to all the addresses to whomever you have marked a copy of the petitions cited either in electronic or physical mode, besides hosting on tendercity India times web site for 15 days at your cost. It is also advised to refrain from any such misinformation campaign against GoAP’s eProcurement project in future, otherwise the GoAP would be compelled to take appropriate legal recourse against you. The above facts and figures are totally in agreement with what we have been saying all along. I would advise you to learn from independent sources what constitutes “secrecy of sensitive tender data”. We will gladly circulate this response as well as host it on the tendercity indiatimes web sites. We assume that the 15 days is a lower limit and that there is no upper limit. We will continue to host this response for as long as we are able to bear the cost. We are still not able to believe that you gave all this in writing. We would however request you to either send us a printed and signed copy of this letter, or else a digitally signed electronic copy of this letter, so that you would not, at a later date, accuse us of forgery.

          We will be pleased if GoAP takes the matter to the court. If the site is not pulled down immediately, we would be forced to file a public interest litigation against GoAP, in the Supreme Court of India. In light of the admissions you have made in this letter, we request you to start the process of reinvitation of all 9841 tenders.

          Yours sincerely,

          Secretary, IT&C dept,

          Govt of Andhra Pradesh,

          Hyderabad
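
The argument in the letter above about where encryption happens and who holds the private key, shown as an added example (not code from the letter, the portal or any party named in it). It assumes Node.js; the key pairs, function names and envelope layout are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed keys. The opening authority's private key never reaches the portal.
const newKey = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const authority = newKey(); // tender-opening authority, private key kept offline
const bidder = newKey();    // bidder's signing key
const portal = newKey();    // stands for any key the portal operator holds

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const signedBytes = (e) => Buffer.concat([e.wrappedKey, e.iv, e.body, e.tag]);

// Runs on the bidder's machine: the plaintext bid never leaves it.
function sealBid(bidText, authorityPublicKey, bidderPrivateKey) {
  const aesKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const body = Buffer.concat([cipher.update(bidText, 'utf8'), cipher.final()]);
  const envelope = {
    wrappedKey: crypto.publicEncrypt({ key: authorityPublicKey, ...OAEP }, aesKey),
    iv, body, tag: cipher.getAuthTag(),
  };
  envelope.signature = crypto.sign('sha256', signedBytes(envelope), bidderPrivateKey);
  return envelope;
}

// Runs on the portal: it can check who submitted and that nothing was altered,
// but it holds no key that opens the envelope.
function portalAccepts(envelope, bidderPublicKey) {
  return crypto.verify('sha256', signedBytes(envelope), bidderPublicKey, envelope.signature);
}

// Runs at tender opening, with the authority's private key.
function openBid(envelope, privateKey) {
  const aesKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, envelope.wrappedKey);
  const d = crypto.createDecipheriv('aes-256-gcm', aesKey, envelope.iv);
  d.setAuthTag(envelope.tag);
  return Buffer.concat([d.update(envelope.body), d.final()]).toString('utf8');
}

// True only if the given private key can recover the bid.
function canOpen(envelope, privateKey) {
  try { openBid(envelope, privateKey); return true; } catch { return false; }
}
```

If `sealBid` ran on the server instead, the server would receive the plaintext bid before sealing it, which is the "fax me your price bids" situation the letter describes.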

    Posted in Govt of INDIA, nasscom, NISG, UNDP | 14 Comments »

     