Tuesday, July 7, 2020

Why was TikTok Banned? What was TikTok Doing?



TikTok was a data collection service thinly veiled as a social network; for the enormous amount of data it harvested, TikTokers were paid only a few rupees.

It used to collect information on you, your contacts and your device: phone hardware (CPU type, number of cores, hardware IDs, screen dimensions, DPI, memory usage, disk space, etc.), the other apps you have installed, everything network-related (public IP, local IP, router MAC, your MAC, Wi-Fi access point name), and whether or not your device is rooted or jailbroken. Privacy violated to the core.

Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds - this is enabled by default if you ever location-tag a post IIRC.
They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication.
The scariest part of all of this is that much of the logging they're doing is remotely configurable, and unless you reverse every single one of their native libraries and manually inspect every single obfuscated function. They have several different protections in place to prevent you from reversing or debugging the app as well. App behaviour changes slightly if they detect you're trying to figure out what they're doing. There are also a few snippets of code in the Android version that allow the app to download a remote zip file, unzip it, and execute the binary inside. There is zero legitimate reason for a mobile app to need this functionality.

On top of all of the above, they weren't even using HTTPS for the longest time. They leaked users' email addresses in their HTTP REST API, as well as the secondary emails used for password resets. Don't forget users' real names and birthdays, too. It was all publicly viewable a few months ago to anyone who intercepted (MITM'd) the application's traffic.

They provide users with a taste of "virality" to entice them to stay on the platform. Your first TikTok post will likely garner quite a few likes, regardless of how good it is, assuming you get past the initial moderation queue, if that's still a thing. Most users end up chasing the dragon. Oh, there's also a ton of creepy old men who have direct access to children on the app, and I've personally seen (and reported) some really suspect stuff: 40-50 year old men getting 8-10 year old girls to do "duets" with them to sexually suggestive songs. Those videos are posted publicly. TikTok has direct messaging functionality.

Here's the thing though: they don't want you to know how much information they're collecting on you, and the security implications of all of that data in one place, en masse, are really huge. They encrypt all of the analytics requests with an algorithm that changes with every update (at the very least the keys change) just so you can't see what they're doing. They also made it so you cannot use the app at all if you block their analytics host at the DNS level.

Now, when I spoke to my TikToker friends they were completely blanketed by the fame and money. Their addiction made them question me: even if TikTok has taken my data or knows where I am, so what? I don't mind, and what happens to the data that is already gone?
I had to explain to them with my examples that when you models and TikTokers go near my BMW car and make a video because it is cool, even my location is compromised. This is because your location shows my car's location, date and time. The car owners' database is openly available on the Internet. Joining these data points, my movements get tracked; my privacy, even though I don't have TikTok on my mobile, is compromised.
Your front camera and microphone being compromised means who you meet, what you do and what you talk about are all compromised.

Since the data of other apps on your mobile gets accessed by TikTok, that means what photos you take, what medicines you buy online and even which competing social media apps you use are known to them.
Your heart beat, pulse rate or blood pressure are also known to them thanks to your health apps; they even know how many square feet your house or the terrace where you shoot your videos is. Google it to find out if you don't trust me 😊

Researchers have reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the amount of data that TikTok does, and they sure aren't outright trying to hide exactly what's being sent like TikTok is. It's like comparing a cup of water to the ocean: they just don't compare. TikTok was clearly the state's cyber weapon in a larger cyberwarfare effort to collect data.

Advocate (Dr.) Prashant Mali
Cyber & Privacy Law Expert

Friday, June 26, 2020

Google to pay $57 Million GDPR Fine in France




The French Supreme Court of Administrative Law rejected Google's appeal against the $57 million fine imposed on it last year for failing to tell its users clearly how their personal information is handled. On June 19, the French State Council officially released the trial results, confirming the earlier findings of the data regulator CNIL that Google did not provide Android users with "clear enough" information. This means that it did not have lawful consent to use user data for targeted advertising. Considering the seriousness and continuity of Google's violations, the $57 million fine is also justified.
More importantly, the court also confirmed the French national regulatory authority's jurisdiction over Google. Based on the GDPR regulations, the multi-million-dollar fines faced by Google are by far the highest fines against technology giants. This incident will also have a certain symbolic significance, mainly for those who question whether the GDPR can actually play its role.

This penalty seems insignificant relative to the global revenue of Google's parent company Alphabet. Nevertheless, Google will have to make corresponding adjustments in the future to how it collects user data and to the limits of its advertising targeting.


Sunday, February 9, 2020

Indian arrested for Selling psychotropic medicines on Darknet



India's Narcotics Control Bureau (NCB) on 9th February arrested the country's first 'darknet' narcotics operative, who allegedly shipped hundreds of psychotropic drug parcels abroad in the garb of sex stimulation medicines.

Dipu Singh, 21, son of a retired army officer, was arrested by sleuths of the Delhi zonal unit of the Narcotics Control Bureau (NCB) from Lucknow recently.

Darknet refers to the hidden part of the internet that is used for narcotics sales, exchange of pornographic content and other illegal activities, relying on the secret alleys of The Onion Router (Tor) to stay away from the surveillance of law enforcement agencies. Owing to its end-to-end encryption, the darknet is considered very tough to crack when it comes to investigating criminal activities carried out over it.

Singh was a major player on the darknet. His listings were found on some of the biggest and most trusted darknet markets, such as Empire Market and Majestic Garden.

The accused initially used to ship medicines for erectile dysfunction and fitness supplements to overseas locations using the darknet, but later shifted to transacting in psychotropic drugs under this garb after seeing the profit margin in this illegal trade.

A bachelor in hotel management from Amity University in Lucknow, Singh had "mastered the technique to disguise identity while making a shipment".

The accused was arrested by the central anti-narcotics agency under the Narcotic Drugs and Psychotropic Substances (NDPS) Act after raids were conducted at his residence in Lucknow's Alam Bagh area.

While 12,000 tablets of various psychotropic drugs were seized from his residence, the NCB alleges Singh is the "mastermind" behind hundreds of drug parcels clandestinely couriered to countries like the USA, UK, Romania, Spain and other European nations using the dark web.

A total of 55,000 psychotropic tablets, including tramadol, zolpidem and alprazolam, have been seized as part of this two-month-long operation, which was conducted with cooperation from international agencies.

Some other seizures in this case were made in Mumbai and the UK too.

The NCB was part of the global 'Operation Trance', launched in December last year, entailing joint intelligence gathering on international postal, express mail and courier shipments containing psychotropic drugs (which can only be purchased on a doctor's prescription) that are abused as sedatives and painkillers.

The latest darknet ring, unearthed as part of this operation, has international linkages spread across Singapore and the US; the services of global post offices and international couriers were used as logistics for the illicit trade.

Payment gateways for cryptocurrencies like Bitcoin and Litecoin were used by the operators to conceal the transactions from regulatory agencies.

The orders were procured from the darknet and routed through various Wickr identities, WhatsApp and some business-to-business platforms.


Monday, February 3, 2020

Cyber Insurance Paid to Pay Ransomware: Case Study & Case Law

A Canadian insurance company infected by a ransomware virus paid off the cybercriminals using its cyber insurance policy. Its British reinsurers, having had to disburse 109.25 Bitcoins, wanted them back from the blackmailing cybercriminals.

After infection, the unnamed Canadian company suffered a total lockdown of all of its systems and asked its reinsurance firm to pay the ransom so it could get back on its feet.

Paying off blackmailers holding a company to ransom is never advisable; many a time it is against the local law. Despite a negotiation that brought the criminals' initial demand of $1.2m down to $950k, the decryption tool provided had to be run on each and every affected device on the company's network.

It took five days to decrypt 20 servers and "10 business days" to unlock 1,000 desktop computers.

Neither company was going to pay out and forget the incident. The English reinsurer hired Chainalysis Inc, a "blockchain investigations firm", which eventually pinpointed the people responsible.

In AA v Persons Unknown and Ors [2019] EWHC 3556 (Comm), Case No: CL-2019-000746, the defendants were arraigned as below:
(1) PERSONS UNKNOWN WHO DEMANDED BITCOIN ON 10TH AND 11TH OCTOBER 2019
(2) PERSONS UNKNOWN WHO OWN/CONTROL SPECIFIED BITCOIN
(3) iFINEX trading as BITFINEX
(4) BFXWW INC trading as BITFINEX

IN THE HIGH COURT OF JUSTICE BUSINESS & PROPERTY COURTS OF ENGLAND AND WALES COMMERCIAL COURT (QBD)
Hon. Justice Bryan said: "Whilst some of the Bitcoin was transferred into 'fiat currency' as it is known, a substantial proportion of the Bitcoin, namely, 96 Bitcoins, were transferred to a specified address. In the present instance, the address where the 96 Bitcoins were sent is linked to the exchange known as Bitfinex operated by the third and fourth defendants."

Bitfinex is a cryptocurrency exchange headquartered in the British Virgin Islands, though the court noted that one email address associated with the exchange was seemingly traced to China.

Justice Bryan said: "At the present time there is no evidence that [Bitfinex] are themselves, perpetrators of the wrongdoing, rather, it is said, they have found themselves the holder of someone else's property."

Hon. Justice Bryan ruled that Bitfinex probably knew who the two alleged ransom receivers were, saying: "I have no doubt that Bitfinex has the ability to access its records and its KYC [know your customer, finance sector ID rules] material to identify the information that is sought" about the two alleged blackmailers.

A Scottish managed service provider (MSP) was caught red-handed promising ransomware decryption services when in reality all it was doing was paying off the cybercriminals and adding a high-margin windfall on top. At least one study has found that less than half of the companies paying off ransomware actually get their files back.

Meanwhile, a US federal judge has ruled that an insurer providing a "business owner's insurance policy" to National Ink & Stitch, which sustained a ransomware attack in 2016 and was forced to replace most of its IT infrastructure, must pay for the damages the security incident caused.

In her recent ruling, Judge Stephanie Gallagher of the U.S. District Court of Maryland wrote that the damage to National Ink & Stitch's computer infrastructure from a ransomware attack constituted "physical loss or damage" covered by the insurance policy and that the insurer must pay the costs to recover and rebuild the network. National Ink & Stitch is an Owings, Maryland-based embroidery and screen printing firm.

The insurer, Columbus, Ohio-based State Auto Property and Casualty Insurance Co., had denied coverage for the cost of replacing National Ink & Stitch's computer system, arguing that the company had not experienced "direct physical loss of or damage to" its computer system, the judge noted in the ruling.

The ruling did not set a specific dollar figure, although National Ink & Stitch previously argued for a settlement of $310,000 in recovery costs, according to court documents. National Ink & Stitch and State Auto could be reached for comment.

Advocate (Dr.) Prashant Mali
Cyber & Privacy Expert

Sunday, February 2, 2020

Online Defamation Laws in India

Online Defamation Laws (Criminal) in India

With Section 66A of the IT Act, 2000 struck down by the Hon. Supreme Court of India in Shreya Singhal's case, victims are left only with options under other laws, based on the words and actions of the accused online.


Section 504 of the Indian Penal Code: Intentional insult with intent to provoke breach of the peace (using bad words and curse words like BC, MC, F*ck U, etc.).
"Whoever intentionally insults, and thereby gives provocation to any person, intending or knowing it to be likely that such provocation will cause him to break the public peace, or to commit any other offence, shall be punished with imprisonment of either description for a term which may extend to two years, or with fine, or with both."
Section 469 of the IPC states that whoever commits forgery, intending that the document or electronic record forged shall harm the reputation of any party, or knowing that it is likely to be used for that purpose, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine.
Section 499 of the IPC states that a person who, by words either spoken or intended to be read, or by signs or visible representations, makes or publishes any imputation concerning a person intending to harm their reputation is guilty of defamation in India.
Section 500 of the IPC states that a person who is liable under Section 499 shall be punished with simple imprisonment for up to 2 years, or with fine, or with both. Within the meaning of publication, posting any defamatory statement on a social media network, website, forum or bulletin board is also considered defamation in India.
Section 503 of the IPC states that whoever threatens another with any injury to his person, reputation or property, or to the person or reputation of anyone in whom that person is interested, with intent to cause alarm to that person, or to cause that person to do any act which he is not legally bound to do, or to omit to do any act which that person is legally entitled to do

For a better understanding of Section 504 IPC, it is necessary to know what the term 'insult' actually means and how it becomes severe enough in nature to make a person liable for a criminal offence.

The objective of Section 504 IPC is to prevent the intentional use of abusive language amounting to insult, which gives rise to provocation causing the person against whom such words are used to commit a breach of peace. The section shows how a person can provoke another into committing an offence that is criminal in nature and that can also harm the public peace at large.

In our daily lives too, we hear a lot of words that are offensive in nature but somehow manage to ignore them; but if a person intentionally uses abusive or offensive words in order to humiliate or provoke another, he is said to commit an offence under Section 504 of the Indian Penal Code. In order to establish an offence under this section, the following ingredients must be proved:

That the accused insulted some person intentionally.
That the intention of the accused was such as is likely to give provocation to the person insulted.
That the accused had knowledge that such provocation would cause the person to break the public peace or, under its influence, to commit an offence.

To commit an offence under this section, insult is necessary. The term 'insult' means that the words used must be of such a nature as to cause contempt for the dignity of a person, or, we can say, to cause a sense of humiliation to the person. These words include the everyday slang people use in their daily lives, such as "bastard", "foolish" and so on.

To bring a case under this section, it is necessary to decide whether the use of such words amounted to an intentional insult or not. A person cannot be held liable under this section unless the insult was intended. Now the major question arises: how to determine whether the insult was intentional or not?

The answer is that the intention to insult is a matter of facts and circumstances, which differs from case to case and situation to situation. The nature of the insult is a question of fact and not of law. The insult caused should give provocation to cause a breach of public peace.

For example, when the accused abused the complainant in a manner involving the chastity of his mother or sister, such an act falls under the ambit of Section 504 IPC. This was also held in the case of In re Karumuri Venkatratnam.

Whether the abusive words, in the background, atmosphere and circumstances in which they are used, tend to cause a breach of peace is the determining test for bringing a case within the extent of Section 504 IPC.

Further, not every insult can be classified as an intentional insult. For instance, a mere lack of good manners or casual talk between friends does not constitute an offence under this section. In the same manner, the use of abusive language not supported by intention does not lead to a breach of peace and does not make it an offence.

In deciding whether particular abusive language is covered under Section 504 IPC, the court has to find out what in ordinary circumstances would be the effect of the abusive language used, not whether the particular complainant, because of his cool temperament or sense of discipline, refrained from reacting to those words.
It is the ordinary, general nature of the abusive language that is the test for considering whether the abusive language is an intentional insult likely to provoke the person insulted to commit a breach of peace, and not the particular conduct or temperament of the complainant.

Each case of abusive language is to be decided on the facts and circumstances of that case, and there cannot be a general proposition that no one commits an offence under Section 504 IPC if he merely uses abusive language against the complainant.

Hence, the abuse that attracts Section 504 IPC must be accompanied by an intention to provoke a person, intending or knowing it to be likely that such provocation will cause the latter to break the public peace or commit some other offence.

The punishment provided in the code for committing an offence under this section is imprisonment for up to 2 years, or fine, or both. It is a non-cognizable and bailable offence, triable by any Magistrate.

Tuesday, January 21, 2020

Credit Card Debit Card New RBI Rules 2020


RBI's new 2020 credit card and debit card rules: what cardholders must know. To avoid card fraud, you should know the following:

  • All debit and credit cards, including those which are reissued, can only be used for domestic transactions at ATMs and point of sale (PoS) terminals at the time of issuance / reissuance of the card. "At the time of issue/re-issue, all cards (physical and virtual) shall be enabled for use only at contact-based points of usage within India," RBI said.
  • Banks can deactivate current cards and reissue them based on risk perception. RBI has asked all banks and other card-issuing companies to disable online payment services on all debit and credit cards that have never been used for online/contactless transactions. RBI told banks and card issuers: "Existing cards which have never been used for online (card not present) /international/contactless transactions shall be mandatorily disabled for this purpose."
  • All debit and credit cards that have never been used for online transactions will be disabled for such use after March 16, a move aimed at enhancing the security of digital transactions.
  • If the cardholder wants to use the debit/credit card outside India, they need to ask the bank to enable international transactions.
  • Cardholders can now switch on and switch off their card, or any particular facility available on the debit or credit card, such as ATM transactions or online transactions.
  • Customers get the facility to set their own transaction limits.

RBI's new rules for debit and credit cards will come into effect from March 16. However, they will not be applicable to prepaid gift cards and cards used in mass transit systems.

Thursday, January 16, 2020

When IT Act, 2000 is applied, IPC cannot be applied by Police in the FIR



IT Act is a Special Act: case laws by Advocate (Dr.) Prashant Mali
Sharat Babu Digumarti Vs. Govt. of NCT of Delhi. MANU/SC/1592/2016.
Gagan Harsh Sharma and Ors. Vs. The State of Maharashtra and Ors. MANU/MH/3012/2018.
Ajay Murlidhar Batheja Vs. The State Of Maharashtra and Ors. MANU/MH/  /2018.

Special Law: A law that applies to a place or especially to a particular member or members of a class of persons or things in the same situation but not to the entire class, and that is unconstitutional if the classification made is arbitrary or without a reasonable or legitimate justification or basis [1].

The Indian Parliament enacted, in the Fifty-First Year of the Republic of India, an act called the Information Technology Act, 2000. This act is based on resolution A/RES/51/162 adopted by the General Assembly of the United Nations on 30th January 1997 regarding the Model Law on Electronic Commerce earlier adopted by the United Nations Commission on International Trade Law (UNCITRAL) at its twenty-ninth session.

The Act exists to protect and provide means of redressal even to the owner of a single computer, computer system or computer network located in India whose rights have been violated by any person. The Act is the first step towards giving the necessary confidence and protection to such an owner.

The said Act is a special act, as is evident from Section 81 of the Act, which reads as follows:
Act to have overriding effect. "The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force. Provided that nothing contained in this Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957 or the Patents Act, 1970 (39 of 1970)."

In the case of Sharat Babu Digumarti v Government (NCT of Delhi) [(2017) 2 SCC 18], the accused were charged with offences under Section 67 of the IT Act and Section 292 of the IPC. The question before the Supreme Court was whether the accused, who had been discharged under Section 67 of the IT Act, could be prosecuted under Section 292 of the IPC. Placing reliance on the non-obstante provision under Section 81 of the IT Act and on Sections 67A and 67B, it was held that the charge under Section 292 could not survive. The decision was on the basis that Sections 67, 67A and 67B form a complete code regarding offences concerning the publishing and transmitting of obscene material in electronic form, and that the non-obstante provision under Section 81 makes the IT Act a special law that prevails over the general law, the IPC.

On 26 October 2018, a two-judge bench of the Bombay High Court, vide its judgment in Gagan Harsh Sharma And Anr vs The State Of Maharashtra And Anr (Criminal Writ Petition No 4361 of 2018), held that when the offence is sufficiently covered under the provisions of the Information Technology Act, 2000 (IT Act), the IT Act will apply as lex specialis to the exclusion of the Indian Penal Code, 1860 (IPC). The Bombay High Court vide its judgment quashed and set aside the First Information Report (FIR) insofar as the investigation into the offences punishable under the IPC was concerned, on the basis that the ingredients of the offences alleged under the IPC were the same as the ingredients of the offences alleged to have been committed under the IT Act.

I got this bail in the sessions court. Police often apply IPC Section 379 in data theft cases along with Sections 43 & 66 of the IT Act, 2000.
I argued, along with the above case laws, for the non-applicability of IPC S. 379, which was only added by the police to make the offence non-bailable; when the special Act, i.e. the IT Act, 2000, is applied, IPC sections do not apply. The court accepted my argument on the merits of law and granted the bail.
Bail order of the sessions court - Download Link

In the case of Ajay Murlidhar Batheja vs The State Of Maharashtra And Anr on 26 October 2018 (CRIMINAL APPLICATION NO.1217 OF 2018), the Bombay High Court held: "We are therefore not inclined to quash the said FIR as far as the offences under the Information Technology Act are concerned, however, we hold that the invocation and application of the provisions of the Indian Penal Code and specifically, Section 420, is not sustainable in light of the judgment Sharat Babu Digumarti v/s. Government (NCT of Delhi) (Supra)".
Thus we can see that the provisions of this Act prevail notwithstanding anything inconsistent therewith contained in any other law for the time being in force.
Nevertheless, by virtue of the new proviso, the overriding effect shall not restrict any person from exercising any right conferred under the Copyright Act, 1957 or the Patents Act, 1970. The idea behind the new proviso is to protect the rights of intellectual property rights holders under the Copyright Act or the Patents Act.

Conclusion:
It is often found that police in cybercrime matters, in order to make the offence non-bailable, add Sections 379, 420 or 408 of the Indian Penal Code. The above case laws clearly indicate that when sections of the IT Act, 2000 are applied, sections from the general law, namely the IPC, should not be added.

By Advocate (Dr.) Prashant Mali [MSc (Computer. Sci.) LLB, LLM, Ph.D. in Cyber Law]
Mobile: +919821763157
Email: cyberlawconsulting@gmail.com
Twitter: @AdvPrashantMali

References:
1. "Special law." The Merriam-Webster.com Legal Dictionary, Merriam-Webster Inc., https://www.merriam-webster.com/legal/special%20law. Accessed 14 January 2020.
