Tuesday, July 14, 2020

Section 65B Certificate under Evidence Act is Compulsory for Admission of Electronic evidence : Case Law

Certificate Under Section 65B(4) Evidence Act Is Compulsory for Admissibility of Electronic Evidence: Three Judge Bench of SC - 14 July 2020

Case Law: Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, 2020 SCC OnLine SC 571, decided on 14.07.2020

The Indian Supreme Court has held in the above case that the certificate required under Section 65B(4) is a condition precedent to the admissibility of evidence by way of an electronic record. The bench headed by Justice RF Nariman further held that, in a fact-circumstance where the requisite certificate has been applied for from the person or the authority concerned, and the person or authority either refuses to give such certificate or does not reply to such demand, the party asking for such certificate can apply to the Court for its production under the provisions aforementioned of the Evidence Act, CPC or CrPC.

The bench has also clarified that the required certificate under Section 65B(4) is unnecessary if the original document itself is produced. The court said that the judgment in Anvar P.V. v. P.K. Basheer & Ors. (2014) 10 SCC 473 need not be revisited, subject to the above clarifications.

"Is requirement of certificate U/s 65-B(4) Evidence Act mandatory for production of electronic evidence?" before the three judge bench of SC

Earlier, a two-Judge Bench of Justices Ashok Bhushan and Navin Sinha had referred the question in view of the conflict between Shafhi Mohammad Vs. The State Of Himachal Pradesh SLP (Crl.)No.2302 of 2017 and Anvar P.V. v. P.K. Basheer and Others, (2014) 10 SCC 473. It was held in Shafhi Mohammad vs. State of Himachal Pradesh that a party who is not in possession of a device from which the electronic document is produced cannot be required to produce a certificate under Section 65B(4) of the Evidence Act. In that case, the bench was considering the issue of whether videography of the scene of crime or scene of recovery during the investigation should be necessary to inspire confidence in the evidence collected. In Anvar P.V. vs. P.K. Basheer, it was observed that an electronic record by way of secondary evidence shall not be admitted in evidence unless the requirements under Section 65B are satisfied. Thus, in the case of a CD, VCD, chip, etc., the same shall be accompanied by the certificate in terms of Section 65-B obtained at the time of taking the document, without which the secondary evidence pertaining to that electronic record is inadmissible.

 

Application Can Be Made To Court When Requisite Person Refuses To Issue Such Certificate

The court observed that the major premise of Shafhi Mohammad (supra) that such certificate cannot be secured by persons who are not in possession of an electronic device is wholly incorrect. An application can always be made to a Judge for the production of such a certificate from the requisite person under Section 65B(4) in cases in which such person.

In a fact-circumstance where the requisite certificate has been applied for from the person or the authority concerned, and the person or authority either refuses to give such certificate or does not reply to such demand, the party asking for such certificate can apply to the Court for its production under the provisions aforementioned of the Evidence Act, CPC or CrPC. Once such application is made to the Court, and the Court then orders or directs that the requisite certificate be produced by a person to whom it sends a summons to produce such certificate, the party asking for the certificate has done all that he can possibly do to obtain the requisite certificate.

In Anvar P.V. (supra), it was observed that such a certificate must accompany the electronic record when the same is produced in evidence. In this regard, the Court clarified thus:

"We may only add that this is so in cases where such certificate could be procured by the person seeking to rely upon an electronic record. However, in cases where either a defective certificate is given, or in cases where such certificate has been demanded and is not given by the concerned person, the Judge conducting the trial must summon the person/persons referred to in Section 65B(4) of the Evidence Act, and require that such certificate be given by such person/persons. This, the trial Judge ought to do when the electronic record is produced in evidence before him without the requisite certificate in the circumstances aforementioned. This is, of course, subject to discretion being exercised in civil cases in accordance with law, and in accordance with the requirements of justice on the facts of each case. When it comes to criminal trials, it is important to keep in mind the general principle that the accused must be supplied all documents that the prosecution seeks to rely upon before commencement of the trial, under the relevant sections of the CrPC. "

The requirement of furnishing a certificate under Sec. 65B(4) of the Evidence Act applies when the electronic evidence is produced by a person who is in a position to produce such a certificate, the said device being in that person's control and not in the control of the opposite party. In a case where electronic evidence is produced by a party who is not in possession of a device, the party asking for such a certificate can apply to the Court for its production under the provisions aforementioned of the Evidence Act, CPC or CrPC.

Conclusion : Section 65B(4) stands compulsory for admission of Electronic evidence 



What is Zohnerism? Media Bloating or else

Zohnerism
Why we need to avoid watching too much breaking news, panel discussions, Twitter feeds and WhatsApp university gyan on cyberspace and TV news channels nowadays, especially local TV channels.

The notorious concept of  Zohnerism

Zohnerism is all about the twisting of simple facts to confuse people.

In 1997, 14-year-old Nathan Zohner presented his science fair project to his classmates, seeking to ban a highly toxic chemical from its everyday use.

The chemical in question? Dihydrogen monoxide.

Throughout his presentation, Zohner provided his audience scientifically correct evidence as to why this chemical should be banned.

He explained that dihydrogen monoxide:

Causes severe burns while it’s in gas form
Corrodes and rusts metal
Kills countless people annually
Is commonly found in tumors, acid rain etc.
Causes excessive urination and bloating if consumed

Zohner also noted that the chemical is able to kill you if you depend on it and then experience an extended withdrawal.

He then asked his classmates if they actually wanted to ban dihydrogen monoxide.

And so 43 out of the 50 children present voted to ban this clearly toxic chemical.

However…this chemical isn’t typically considered toxic at all.

In fact, dihydrogen monoxide is simply an unconventional name for water.

Nathan Zohner’s experiment wasn’t a legitimate attempt to ban water, but instead an experiment to get a representation of how gullible people can really be.

Also, all of the points that Zohner used to convey his point were 100% factually correct; he just skewed all of the information in his favor by omitting certain facts.

In recognition of his experiment, journalist James K. Glassman coined the term "Zohnerism" to refer to "the use of a true fact to lead a scientifically and mathematically ignorant public to a false conclusion".

And this occurs a lot more often than you think, especially when politicians, conspiracy theorists, etc., use proven facts to persuade people into believing false claims.

The fact that people can mislead, and be misled so easily, is highly unsettling. 

Tuesday, July 7, 2020

Why was TikTok Banned ? What was TikTok Doing



TikTok was a data collection service thinly veiled as a social network; for tons of data, a few rupees were paid to TikTokers.

It used to collect information on you, your contacts, and your device: phone hardware (CPU type, number of cores, hardware IDs, screen dimensions, DPI, memory usage, disk space, etc.); other apps you have installed; everything network-related (IP, local IP, router MAC, your MAC, Wi-Fi access point name); and whether or not you're rooted/jailbroken. Privacy violated to the core.

Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds - this is enabled by default if you ever location-tag a post IIRC.
They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication.
The scariest part of all of this is that much of the logging they're doing is remotely configurable, and unless you reverse every single one of their native libraries and manually inspect every single obfuscated function. They have several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you're trying to figure out what they're doing. There are also a few snippets of code in the Android version that allow for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.

On top of all of the above, they weren't even using HTTPS for the longest time. They leaked users' email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don't forget about users' real names and birthdays, too. It was allllll publicly viewable a few months ago if you MITM'd the application.

They provide users with a taste of "virality" to entice them to stay on the platform. Your first TikTok post will likely garner quite a bit of likes, regardless of how good it is... assuming you get past the initial moderation queue, if that's still a thing. Most users end up chasing the dragon. Oh, there's also a ton of creepy old men who have direct access to children on the app, and I've personally seen (and reported) some really suspect stuff. 40-50 year old men getting 8-10 year old girls to do "duets" with them with sexually suggestive songs. Those videos are posted publicly. TikTok has direct messaging functionality.

Here's the thing though... they don't want you to know how much information they're collecting on you, and the security implications of all of that data in one place, en masse, are really huge. They encrypt all of the analytics requests with an algorithm that changes with every update (at the very least the keys change) just so you can't see what they're doing. They also made it so you cannot use the app at all if you block communication to their analytics host at the DNS level.

Now, when I spoke to my TikToker friends, they were completely blanketed with the fame and money. Their addiction made them question me: even if TikTok has taken my data or knows where I am, so what? I don’t mind, and what happens to the data already gone?
I had to explain to them with my own example that when you models and TikTokers go near my BMW car and make a video because it is cool, even my location is compromised. This is because your location shows my car's location, date and time. The car owners' database is openly available on the Internet. Joining these data points, my movements get tracked; my privacy is compromised even though I don’t have TikTok on my mobile.
Your front camera and microphone being compromised means that who you meet, what you do and what you talk about are all compromised.

Since the data of other apps on your mobile gets accessed by TikTok, what photos you take, what medicines you buy online, and even which competing social media apps you use are known to them.
Your heartbeat, pulse rate and blood pressure are also known to them thanks to your health apps; they even know how many square feet your house or terrace is where you shoot your videos. Google to find out how, if you don’t trust me 😊

Researchers have reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure aren't outright trying to hide exactly what's being sent like TikTok is. It's like comparing a cup of water to the ocean - they just don't compare. TikTok was clearly the state's cyber weapon in the larger cyberwarfare to collect data.

Advocate (Dr.) Prashant Mali
Cyber & Privacy Law Expert 

Friday, June 26, 2020

Google to pay $57 Million GDPR Fine in France




The French Supreme Court of Administrative Law rejected Google’s challenge to the $57 million fine it was handed last year for failing to tell its users how their personal information is handled. On June 19, the French State Council officially released the trial results, confirming the previous investigation results of the data regulator CNIL, that Google did not provide Android users with “clear enough” information reminders. This means that it did not have lawful consent to use user data for specific advertising. Considering the seriousness and continuity of Google’s violations, the $57 million fine is also justified.
More importantly, the court also confirmed the French national regulatory authority’s jurisdiction over Google. Under the GDPR regulations, the multi-million-dollar fine faced by Google is by far the highest fine against a technology giant. This incident will also have a certain symbolic significance, mainly for those who question whether the GDPR can play its role.

This penalty seems insignificant relative to the global revenue of Google’s parent company Alphabet. Nevertheless, Google will make corresponding adjustments in the future. It will work on how it collects user data and on the limits of its advertising targeting.


Sunday, February 9, 2020

Indian arrested for Selling psychotropic medicines on Darknet



India's Narcotics Control Bureau (NCB) on 9th February arrested the country's first 'darknet' narcotics operative, who allegedly shipped hundreds of psychotropic drug parcels abroad in the garb of sex stimulation medicines.

Dipu Singh, 21, son of a retired army officer, was arrested by the sleuths of the Delhi zonal unit of the Narcotics Control Bureau (NCB) from Lucknow recently. 

Darknet refers to the deep hidden internet platform that is used for narcotics sale, exchange of pornographic content and other illegal activities by using the secret alleys of the onion router (ToR) to stay away from the surveillance of law enforcement agencies. Owing to its end-to-end encryption, darknet is considered very tough to crack when it comes to investigating criminal activities being rendered over it.

Singh was a major player on the darknet. His listings were found on some of the biggest and most reliable darknet markets, like Empire Market and Majestic Garden.

The accused initially used to ship medicines related to erectile dysfunction and fitness supplements to overseas locations using the dark internet facility, but later shifted to transacting in psychotropic drugs under this garb, seeing the profit margin in this illegal trade.

A Bachelor in hotel management from Amity University in Lucknow, Singh had "mastered the technique to disguise identity while making a shipment".

The accused was arrested by the central anti-narcotics agency under the Narcotic Drugs and Psychotropic Substances (NDPS) Act after raids were conducted at his residence in Lucknow's Alam Bagh area.

While 12,000 tablets of various psychotropic drugs were seized from his residence, the NCB alleges Singh is a "mastermind" of hundreds of drug parcels clandestinely couriered to countries like the USA, UK, Romania, Spain and some European nations using the dark web. 

A total of 55,000 psychotropic tablets, including tramadol, zolpidem and alprazolam, have been seized as part of this two-month-long operation that was conducted with cooperation from international agencies.

Some other seizures in this case were made in Mumbai and the UK too. 

The NCB was part of a global 'Operation Trance', launched in December last year, entailing a joint intelligence gathering action on international postal, express mail and courier shipments containing psychotropic drugs (which can only be purchased on a doctor's prescription) that are abused as sedatives and painkillers. 

The latest darknet ring was unearthed as part of this operation, which has international linkages and is spread across Singapore and the US and services of global post offices and international couriers were used as logistics for the illicit trade.

The payment gateways of cryptocurrencies like Bitcoin and Litecoin were used by the operators to conceal the transactions from regulatory agencies.

The orders were procured from the darknet and routed through various Wickr identities, WhatsApp and some business-to-business platforms.


Monday, February 3, 2020

Cyber Insurance Used to Pay Ransomware: Case Study & Case Law

A Canadian insurance company infected by a ransomware virus paid off the cybercriminals using its cyber insurance policy. Its British reinsurers, having to disburse 109.25 Bitcoins, wanted it back from the blackmailing cybercriminals.

After infection, the unnamed Canadian company suffered a total lockdown of all of its systems and asked its reinsurance firm to pay the ransom so it could get back on its feet.

Paying off blackmailers holding a company to ransom is never advisable; many a time it is against the local law. Despite a negotiation that made the criminals bring down their initial demand of $1.2m to $950k, the decryption tool provided had to be run on each and every affected device on the company's network.

It took five days to decrypt 20 servers and "10 business days" to unlock 1,000 desktop computers.

Neither company was going to pay out and forget the incident. The English reinsurer hired Chainalysis Inc, a "blockchain investigations firm", which eventually pinpointed the people responsible.

In AA Versus Unknown Persons and Ors. [2019] EWHC 3556 (Comm), Case No: CL-2019-000746, the Unknowns were arraigned as below:
(1) PERSONS UNKNOWN WHO DEMANDED BITCOIN ON 10TH AND 11TH OCTOBER 2019
(2) PERSONS UNKNOWN WHO OWN/CONTROL SPECIFIED BITCOIN
(3) iFINEX trading as BITFINEX
(4) BFXWW INC trading as BITFINEX

IN THE HIGH COURT OF JUSTICE BUSINESS & PROPERTY COURTS OF ENGLAND AND WALES COMMERCIAL COURT (QBD)
Hon. Justice Bryan said: "Whilst some of the Bitcoin was transferred into 'fiat currency' as it is known, a substantial proportion of the Bitcoin, namely, 96 Bitcoins, were transferred to a specified address. In the present instance, the address where the 96 Bitcoins were sent is linked to the exchange known as Bitfinex operated by the third and fourth defendants."

Bitfinex is a cryptocurrency exchange headquartered in the British Virgin Islands, though the court noted that one email address associated with the exchange was seemingly traced to China.

Justice Bryan said: "At the present time there is no evidence that [Bitfinex] are themselves, perpetrators of the wrongdoing, rather, it is said, they have found themselves the holder of someone else's property."

The Hon. Justice ruled that Bitfinex probably knew who the two alleged ransom receivers were, saying: "I have no doubt that Bitfinex has the ability to access its records and its KYC [know your customer, finance sector ID rules] material to identify the information that is sought" about the two alleged blackmailers.

A Scottish managed service provider (MSP) was caught red-handed promising ransomware decryption services when in reality all they were doing was paying off the cybercriminals and adding a high windfall margin. At least one study has found that less than half of companies paying off ransomware actually get their files back.

Meanwhile, a US federal judge has ruled that an insurer providing a "business owner's insurance policy" to National Ink & Stitch, which sustained a ransomware attack in 2016 and was forced to replace most of its IT infrastructure, must pay for the damages the security incident caused.

In her recent ruling, Judge Stephanie Gallagher of the U.S. District Court of Maryland wrote that the damage to National Ink & Stitch's computer infrastructure from a ransomware attack constituted "physical loss or damage" covered by the insurance policy and that the insurer must pay the costs to recover and rebuild the network. National Ink & Stitch is an Owings, Maryland-based embroidery and screen printing firm.

The insurer, Columbus, Ohio-based State Auto Property and Casualty Insurance Co., had denied coverage for the cost of replacing National Ink & Stitch's computer system, arguing that the company had not experienced "direct physical loss of or damage to" its computer system, the judge noted in the ruling.

The ruling did not set a specific dollar figure, although National Ink & Stitch previously argued for a settlement of $310,000 in recovery costs, according to court documents. National Ink & Stitch and State Auto could be reached for comment.

Advocate (Dr.) Prashant Mali
Cyber & Privacy Expert

Sunday, February 2, 2020

Online Defamation Laws in India

Online Defamation Laws (Criminal) in India

With Section 66A of the IT Act, 2000 struck down by the Hon. Supreme Court of India in Shreya Singhal's case, victims are left only with options in other laws, based on the words and actions of the accused online.


Section 504 Indian Penal Code - Intentional insult with intent to provoke breach of the peace (using bad words, curse words like BC, MC, F*ck U, etc.):
“whoever intentionally insults, and thereby gives provocation to any person, intending or knowing it to be likely that such provocation will cause him to break the public peace, or to commit any other offence, shall be punished with imprisonment of either description for a term which may extend to two years, or with fine, or with both”.
Section 469 of the IPC states that whoever commits forgery, intending that the document or electronic record forged shall harm the reputation of any party, or knowing that it is likely to be used for that purpose shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine.
Section 499 of the IPC states that a person who uses some words spoken or intended to be read, by signs or visible representation to make or publish any imputation about a person in order to harm their reputation is guilty of defamation in India. 
Section 500 of the IPC states that a person who is liable under Section 499 would be punished with simple imprisonment for up to 2 years, with fine or both. Within the meaning of publication, posting any defamatory statement on a social media network, website, forum or bulletin board is also considered as defamation in India. 
Section 503 of the IPC states that whoever threatens another with any injury to his person, reputation or property, or to the person or reputation of anyone in whom that person is interested, with intent to cause alarm to that person, or to cause that person to do any act which he is not legally bound to do, or to omit to do any act which that person is legally entitled to do

For a better understanding of Section 504 IPC, it is necessary to know what the term ‘insult’ actually means and how it becomes so severe in nature that it can even make a person liable for committing a criminal offence.

The objective of Section 504 IPC is to prevent the intentional use of abusive language amounting to insult, giving rise to provocations causing the person against whom such words are used to commit a breach of peace. This section shows how a person can provoke another to commit an offence that is criminal in nature and which can also harm the public peace at large.

In our daily lives, too, we hear a lot of words that are offensive in nature but somehow manage to ignore them. If, however, a person intentionally uses abusive or offensive words in order to humiliate a person or provoke him, he is said to commit an offence under the purview of Section 504 of the Indian Penal Code. In order to establish an offence under this section, the following ingredients must be proved:

That the accused insulted some person intentionally.
That the intention of the person is such which is likely to give provocation to the person insulted.
The accused has the knowledge that such provocation would cause the person to break the public peace or under the influence of which, he can commit an offence.

To commit an offence under this section, insult is necessary. The term ‘insult’ means that the words used must be of such a nature that they cause contempt to the dignity of a person or, we can say, cause a sense of humiliation to the person. These words even include the slang people use in their daily lives, such as bastard, foolish and so on.

To bring a case under this section, it would be necessary to decide whether the use of such words led to an intentional insult or not. A person cannot be held liable under this section unless insult was intended. Now the major question arises, how to determine whether the insult was intentional or not? 

So, the answer to this question is, an intention of insult is a matter of facts and circumstances which differs from case to case and situation to situation. Nature of insult is more of a question of fact and not of law. Insult caused should give provocation to cause a breach of public peace.

For example, when the accused abuses the complainant in a manner that involves the chastity of his mother or sister, such an act falls under the ambit of IPC Section 504. This was also held in the case of In re Karumuri Venkatratnam.

By reason of the expression of the abusive words in the background, atmosphere, and circumstances in which they are used, the act shows the breach of peace, which is considered as the determining test to bring a case within the extent of section 504 IPC.

Further, it is also contended that not every insult can be classified as an intentional insult. For instance, a mere lack of good manners and casual talk between friends does not constitute an offence under this section. In the same manner, use of abusive language not supported by intention also does not lead to a breach of peace and does not make it an offence.

In classifying whether the particular abusive language is covered under IPC 504 or not, the court has to find out what in ordinary circumstances would be the effect of the abusive language used, and not what the complainant actually did as a result of his cool temperament or his sense of discipline.
It is the ordinary general nature of the abusive language that is the test for considering whether the abusive language is an intentional insult likely to provoke the person insulted to commit a breach of peace and not the particular conduct or temperament of the complainant.

Each case of abusive language is to be decided on the facts and circumstances of that case, and there cannot be a general proposition that no one commits an offence under section 504 IPC if he merely uses abusive language against the complainant.

Hence, the abuse that attracts section 504 IPC, must be accompanied with an intention to provoke a person intending or knowing it to be likely that such provocation will cause the latter to break the public peace, or commit some other offence.

The punishment provided in the code for committing the offence under this section is imprisonment for 2 years or fine, or may include both. It is a non-cognizable as well as a bailable offence, triable by any Magistrate.  
