Cyber Crime in 2017 - India

More than 27,000 #cybercrime reported in first half 2017, according to #MEITY. The figure was 50,362 for entire 2016 in India

Your Mobile Phones are hacked using Fake Replacement Parts When sent for repair. Are you aware ?

To the layman, a chip may be just a chip but its utility is more than just making your smartphone work. Even screens, external slots, camera and other attachments have enough hardware capability on them to act as potential hack vectors. There have been multiple researches on this point that a simple chip replacement or addition can compromise your smartphone significantly. The major source of such hacks have undoubtedly been the mobile repair centers. More so in India than anywhere else, there is a workaround presented for any hardware glitch. Glitches that the manufacturers themselves never claim to fix. Your iPhone charging port goes wrong; the authorized service centers only offer to replace the phone at a staggering cost whereas a local market guy will replace the charging port for $10. 

The source of these replacement parts are unknown, all the repair centers know is that they get it without any branding or packaging but they have good results. In what researchers are calling the “chip-in-the-middle-attack”, a screen replacement is demonstrated with an exactly original like screen replacement with an add-on chip that compromises the communication system of the device. In a demonstration video, it has also been shown that how the chip can power off the display and perform notorious tasks like taking pictures, logging behavior and patterns and streaming camera feed to the attacker. This is indeed an upcoming risk originating in hostile nations that are manufacturing replacement parts are selling them for practically no money because the cost of data that they receive in return is unimaginable. This chip in the middle attack is a newly coined term but such illicit activities have been going on since a long time. Counterfeit SIM slots with phony IMEIs have been found in stolen phones which led to major busts in this underground mafia of cell phone thefts. 

As a point of caution and awareness, one must make sure that when something goes wrong with their devices, they approach an authorized service center to get them repaired and always make sure to wipe your phone clean before giving it for repairs because there are also cases where these technicians have copied data from mobiles that are given for repair and when they find that one whatsapp video to earn money, they will go to any extent. In one case, where private pictures of a couple were sold at a pan shop for Rs. 10 per picture. 

Ecommerce Online Consumers can file a case anywhere on Sellers in India

Landmark Decision for Online Marketplaces: Online buyers can register a case on sellers anywhere in India.

By Prashant Mali     

Spicejet Ltd Vs Ranju Aery      

The issue of jurisdiction has made a lot of people sweat in the recent past since the Internet has come into play. With the nation recognizing different forms of businesses that are Internet-dependent, the law has definitely had some catching up to do. I have personally utilized this independence day holiday to research all important legislation and case law in this matter and through this blog, I would like to make my research available for everyone to study.

As a practicing Ecommerce Lawyer and Cyber thought leader of the country, I feel that this recent decision of Supreme Court dated 4th August 2017 in the case of Spicejet Ltd is krantikari or as it is referred to in Law, a landmark decision. As per the case law deduced from this decision, it will be apt to say that an online buyer may sue a seller at any place. For the purpose of clarification, an online buyer here means any person who has purchased any goods via a seller online.

In my opinion, this will affect all ecommerce buyers like all of us and give them a much needed relief freeing them of the bounds of local jurisdictions but simultaneously, it will also increase the sellers’ overhead now as lawyers will need to appointed across all consumer forum jurisdictions that they have customers in. This observation lays emphasis on my earlier thoughts about ensuring Online Dispute Resolution (ODR) in cases involving Mobile wallets and E-Commerce.

In over-the-counter purchases, a consumer can file a complaint in the consumer court only within the local limits where the company/ opposite party resides, carries on business or where the transaction takes place (by the bare reading of the CPC). However, now the law says that online consumers can sue a company for deficiency in services at any consumer court of their choice. In these times, when E-Commerce trading is growing rapidly, this ruling from the Supreme Court has brought a big relief for consumers purchasing goods through websites and E-Commerce apps. 

A bench of Justices Adarsh K Goel and S Abdul Nazeer on 4^th August 2017 upheld a six month old ruling of the National Consumer Dispute Redressal Commission (NCDRC). The NCDRC had ordered Spicejet Ltd. to pay Rs 1.25 lakh compensation to Ms. Ranju Aery for cancellation of a flight. She had booked a ticket (Chandigarh to Delhi via Bagdodra and Kolkata) on yatra.com on June 23, 2015. The airline cancelled her return flight from Kolkata to Delhi without any reason and provided her no alternative. She approached the consumer court in Chandigarh and secured an order against Spicejet. In the appeal, the airline claimed that the Chandigarh court did not have jurisdiction to hear the case as the place of business of the company was at Gurugram. The airline relied on Section 11 of Consumer Protection Act which allows a complaint to be instituted by a consumer within the local limits of where the opposite party resides or carries on business or where cause of action arises.

Rejecting this argument, the NCDRC in its order of February 7, 2017 found the company guilty of cancelling her flight without reason when on that day 128 flights took off from Kolkata without any delay. The NCDRC noted that the airline gave no explanation for cancellation and failed to make any alternative arrangements. The consumer also stated her grief wherein she discloses that she purchased the ticket at a cost of Rs 80,855 after borrowing money from her relatives at Kolkata. Besides the compensation, the NCDRC directed the airline to refund the consumer Rs 80,855 with interest at the rate of nine per cent after deducting the airfare between Kolkata and Delhi. The company was also to compensate Rs 10,000 towards litigation cost. It has also been reported via news houses that the Supreme Court found no reasons to interfere with the National Commission’s order.

By reading the provisions of Consumers Protection Act, 1986 and I.T. Act, 2000 and with the help of the ratio of the judgement in A.B.C. Laminart Pvt. Ltd. and anr.'s case, we can safely hold that, where contracts for services and/or goods are entered into over the internet (or online as such transactions are commonly referred to), for the purposes of consumer complaints, part of the cause of action arises interalia, at the complainant’s place of business, if acceptance of the contract is communicated to her through the internet, including the medium of email. Further, irrespective of the fact, whether or not the contract is one made over the internet, cause of action would also continue to arise at any of the places

(a) where the contract is performed or is to be performed or

(b) where money under the contract is either payable or paid or

(c) where repudiation of the contract is received, if any.

As such, it cannot be disputed that a consumer forum is competent to entertain a consumer complaint, even if only an infinitesimal part of cause of action arises within its territorial jurisdiction. As a result, territorial jurisdiction over a consumer complaint would lie with the consumer forum situated at any place, where any of the aforementioned causes of action arises. This, of course, is in addition to the other places, where a consumer may choose to file a complaint in accordance with the other provisions of Section 11 (2) of the CPA, 1986. It was reiterated in the case of M.D.Air Deccan vs Shri Ram Gopal Agarwal where the State Consumer Disputes Redressal Forum interpreted Section 13 of the IT Act along with Section 11 of the CPA.

Conclusion:

To cope up with the technology law has to take the help of technology; as Charles Clark once remarked ‘The answer to the machine is in the machine’. Indeed, the perfect reply to the technological abuses is the application of technological innovation.

This is a landmark case in ecommerce dispute resolution and jurisdiction issues. This is a big relief for ecommerce buyers such as of Amazon, Flipkart, Naaptol, Myntra, online insurance providers, Travel portals etc. I feel online consumers have got clarity now that a case can be filed against online sellers sitting in their own homes as all consumer disputes also can be filed online with or without lawyers help. I feel the ratio held in the above case can safely be included in the next scheduled amendment of The IT Act, 2000 

The Court Orders for Download are available on following links below

District Forum  State Commission Order   National Commission Order  SC Order

A man from Odisha gets six years of Jail in cyber pornography Section 67A: A Revenge Porn Case

Judgement Dowload link

A Judicial Magistrate in Puri today sentenced a man to six years of imprisonment in a cyber pornography (A revenge Porn) case, stated to be the first such case.

Puri Sub-Divisional Judicial Magistrate Shibasis Giri also slapped a Rs-9,000 fine on the convict, Jayanta Kumar Das an alleged RTI activist, A fake profile was created by the accused in the name of the victim woman from Puri Township in a pornographic site, who then had uploaded the woman’s name, address, photo and phone number on a pornographic website in 2012 to take revenge against her husband.After her personal info was posed on the site, the victim started receiving calls from numerous persons enquiring about her interest in paid sex and wife swapping.

The husband of the woman, a local journalist, had written about several cases involving the convict.

The crime branch had arrested Das on September 18, 2012, following a complaint filed by the victim in July.He was booked under several sections of the Indian Penal Code and Information Technology Act, 2000. Sections 292, 465, 469, 500 of the Indian Penal Code and 66(C) and 67A of the Information Technology Act,2000(cyber law of India) were applied

The conviction was procured on evidence, including crucial witness statements of scientists from the Central Forensic Science Laboratory, Kolkata.

My Views:

I highly appreciate the conviction upheld as India is short of convictions for cyber crimes committed. This remains first of a kind of conviction in odisha state and could be a first serious conviction of a revenge porn in India. Maligning and destroying a girls life by defaming her online often kills a ladies zeal to live. 

I feel if the convict moves for appeal, his punishment under sections of IPC would be set aside by the High Court in the light of decision made under Sharat Babu Digumarti Vs State Govt of NCT of Delhi but punishment under Sections 66(c) & 67A could be confirmed on merits of the case.

What do we mean by a “right of privacy” in India?

What do we mean by a “right of privacy” in India?

Justice Cooley in 1888 defined it simply as a right to be left alone. Alternatively, it may be defined as a right to be anonymous. The two definitions are quite different but both are important, and the right to be anonymous is a form of privacy that has particularly significant implications in cyberspace. In legal terms, our right of privacy amounts to a right to be free from government intrusion into certain areas of our lives and a right to be free from intrusion by other individuals into our “private” lives. The former is protected largely through Constitutional interpretation and a number of statutes; the latter is protected largely through the common law under tort principles.
Before 1890 no English or American court had ever granted relief based on such a claim as “invasion of privacy.” 
However, in 1890 a Harvard Law Review article by Samuel Warren and Louis Brandeis examined a number of cases ostensibly decided on other grounds, and concluded that these decisions were actually based on a broader principle, a right of privacy. Warren and Brandeis claimed such a principle was in fact necessary to deal with what was seen as the growing problem of excesses of the press. New York was the first state to confront this issue head on in the wake of the article. Several lower courts had held the existence of a right of privacy.
The New York State Court of Appeals (which is, oddly, the State’s highest court – the “Supreme Court” is the State’s entry level court) got to review the matter in the case of Roberson v. Rochester Folding Box Company in 1902. In this case, the defendant had used a picture of an attractive young woman to advertise its flour without her consent. In a 4–3 decision, the Court of Appeals held that there was no legal precedent for such “right of privacy.” Furthermore, the Court felt that recognizing a right of privacy was a poor idea because, first, the alleged harm was of a purely mental character and would thus be difficult to prove or disprove; second, recognizing a right of privacy would lead to a flood of litigation; third, there would be difficulty in distinguishing between “public” and “private” figures, whose protections under a right of privacy would differ; and finally because it might lead to undue restrictions on the freedom of the press.
A public outcry followed the decision and, in its next session, the New York State Legislature passed a law banning the use of a person’s name or picture “for advertising purposes or for the purposes of trade” without the person’s written consent. By the 1930s “virtually” all jurisdictions had recognized the Right of Privacy, either by statute or through the common law.

Man’s house is his castle.a well-known proverb is also getting legal recognition as Right to Privacy. Human beings have a natural need to autonomy or control over confidential part of their. This need is inherent in human behaviour  and now this has been recognized as fundamental right to privacy. It is not a right against physical restrains but it is a right against psychological restrain or encroachment of right . USA, UK, India, and at International level UDHR, ECHR, ICCPR has recognized this right as fundamental right.

Position in India

Right to Privacy is not explicit in the Constitution of India, so it is a subject of judicial interpretation. The judicial interpretations of fundamental right bring it within the purview of fundamental right. The journey of this project would start from the search of answer of issue that whether the right to privacy is a fundamental right, through analysis of cases and some pioneering work of scholars.

In India, after the case of R. Rajagopal alias R. R. Gopal v State of Tamil Nadu and People s Union for Civil Liberties (PUCL) v Union of India , the right to privacy is well recognized as Right to Life. In the case of People s Union for Civil Liberties (PUCL) v Union of India (Telephone Taping Case) Supreme of India also observed Article 17 of ICCPR and Article 12 of UDHN.

The apex court is hearing the Aadhaar card privacy issue.The Government is of a view and has argued before Supreme Court that “there is a fundamental right to privacy, but it is a wholly qualified right”.  The constitution bench of Supreme Court in the same case have said "Can this court define privacy? You can't make a catalogue of what constitutes privacy. Privacy is so amorphous and includes everything... if we make any attempt to catalogue privacy it will have disastrous consequences," 

What now evolves remains to be seen, but i agree that Privacy cannot be an absolute right. I also agree that Data Privacy is bigger than Right to Privacy in this cyber age. India definitely needs Data Privacy or Data Protection Act.

Why does India need Data Privacy or Protection Law ?

Why does India need a Data Protection Law?

Apart from appeasing European Union for sharing data with Indian companies, One of the reason is

presently all Data of ours -Search, Emails, Chats of Google, FB, Hotmail, Whatsapp are stored in Californian Servers, USA Jurisdiction.

US Foriegn Intelligence Survivelenace Court (FISA) with a single penstroke court gag order can take all Indian MPs, PMO, Home Minister,MEA's etc Email data and Analyse them for leverage in Intl' Affairs, Thats a severe Threat, #privacy intrusion. 

Not to mention even the Locations of each Citizen,Official in India can be monitored by US NSA analysts as of now with #Whatsapp, Android Phones relaying data back to USA servers. 

Hence a Data Protection Law in India is a need of the Hour.

"How to turn Android Phone or Tablet into a Server"

.You can check it out here - https://joyofandroid.com/use-old-android-phone-as-server/

Prashant Mali Interview in Business Standard Newpaper

Ransom-payers are also the cause of ransomware proliferation: Prashant Mali

The ransom to retrieve files was reportedly $300, to be paid in virtual currency bitcoins

Nikita Puri July 1, 2017 Last Updated at 21:20 IST

Operations at a terminal of the country’s largest container port, Jawaharlal Nehru Port Trust in Mumbai, came to a standstill earlier this week. The process of loading and unloading containers was halted as the port’s computers shut down after a major cyber attack that swept across the globe. The aggressiveness of the malware showed that such attacks were capable of bringing both corporate and government networks to a sudden halt. The ransom to retrieve files was reportedly $300, to be paid in virtual currency bitcoins. Cyber law expert Prashant Mali, also an advocate at the Bombay High Court, tells Nikita Puri how to prevent mass-scale civil disruptions that future cyber attacks can result in. Edited excerpts:
 
First we had individual companies and high-networth individuals who were targets of ransomware, then WannaCry hit servers across the globe. Now another malware, which some are identifying as Petya, has sent corporations into a tizzy. Do you foresee more such threats?

 
To date, financial cyber crime has only grown and it is yet to peak, so I would say it’s written on the wall that many more such attacks are expected in the near future. Such threats loom large as the ransom is paid in bitcoins, so the criminals aren’t caught. One thing the police and the government can do is to ensure that citizens make compulsory declarations of purchase of bitcoins and other cryptocurrencies (like ethereum) when they file their income tax returns. This can help the government see who pays and how much because, I feel, ransom-payers are also the cause of ransomware proliferation.
 
Security experts confirm that the malware isn't really a ransomware, but a wiper designed to destroy data. Reportedly, because of “ its aggressive features,” the malware makes it impossible to retrieve certain files leading many to believe that this attack may not have been for money. Can this be seen as an attempt to test how far companies will go to protect data?
 
Even if cyber attacks don’t cause financial damage, they definitely throw open defences. Identifying fortresses that have holes in their system can be of interest to the state and non-state actors. This data of the number of loopholes is in demand and is sold at a premium price. There are different types of people involved in the dark world: many a time those who look for such holes, those who attack, and those who intend to get ransoms are all different.
 
Companies are often wary of making such attacks public. Security firm Symantec has said that India is the worst hit in Asia, but we have confirmation only from Mumbai’sJawaharlal Nehru Port Trust. Do you think information sharing could actually help build a better defence against such attacks?
 
By not reporting such attacks, companies are depriving the nation of a knowledge database that can help other companies develop better defences. Symantec and other (security) vendors also cannot be fully relied upon because fear is what they harp on. The more fear they put in Indians, the more they sell security products. The Insurance Regulatory and Development Authority of India and insurance companies should make it compulsory for clients to file a First Information Report (FIR) before claiming cyber insurance. Once reporting to some government agency becomes mandatory to claim insurance, companies would be motivated.
 
What are the security measures that one must take to avoid such attacks? 
 
No one can be immune in cyber space and that's the reality. Only cyber awareness in organisations can bring in cyber resilience. I would advise organisations to have multi-prong policies to establish a cyber security culture. I feel the highest level of cyber safety can be achieved by establishing a cyber security culture in the company, and a country can be cyber resilient by cultivating a culture of cyber security in society. Government should quadruple its budget for digital literacy programmes. For the government to be ahead of hackers, we need cyber spies: our law and enforcement agencies should implant cyber spies among cyber criminals. The chatter within their group helps the state to be ready for what is coming: we need cyber intelligence. 
 
Do you think companies should have ethical hackers on their pay rolls? 
 
I have an issue with the term “ethical hackers” because legally this isn’t right: those are two contradictory terms put together. People who use these terms are either doing it for branding purpose or are students. Companies should opt for services by cyber security researchers. 
 
Are India’s cyber laws equipped to handle such large-scale attacks?
 
No. Laws can be invoked when prima facie evidence is found against criminals and investigation can be completed if attribution to a criminal is possible. The legal framework to help enforcement agencies in India has serious flaws. Large-scale cyber attacks need multiple law and enforcement agencies to work together along with CERT-In (Indian Computer Emergency Response Team), but the protocol for this is yet to be developed. 
 
In the future, cyber attacks are going to affect government facilities meant for citizens: like centres for health, water etcetera. Even municipalities should coordinate with the aforementioned agencies to avoid mass scale civil disruption from cyber attacks.