“Measure your data, Treasure your data” A movement for the year 2026

The DGPSI (Data Governance and Protection Standard of India) as a framework for DPDPA Compliance adopted the Principle that Data as an asset must be recognized with monetary value which should also be rendered visible. Accordingly, one of the implementation specifications adopted by DGPSI framework (Full Version) was

“Organization shall establish an appropriate  policy to recognize the financial value of data and assign a notional financial value to each data set and bring appropriate visibility to the value of personal data assets managed by the organization to the relevant stakeholders.”

The concept of the DGPSI framework was first born as PDPSI or Personal Data Protection Standard of India in 2019. It was supported by “Naavi’s Theory of Data”, which recognizes a “Value” for Data which could vary during the lifecycle of the data processing, and different owners could be recognized for different value parts of the data. It also recognized that Data value is linked to the capability of the user since “Data is in the beholder’s eyes”. By 2021, a model for Data Valuation evolved for professional discussion.

The industry however was not ready to take cognizance of the Data Valuation as a Governance principle and the DGPSI provision remained only a suggestion.

The year 2025 has been a momentous year in India with the notification of DPDPA 2023 setting a time line for its implementation. Now the industry has taken DPDPA 2023 seriously and is trying to work towards compliance. The DGPSI framework has been a leading Governance tool of compliance which can be used for implementation as well as audit and assessment.

In the meantime, it is the PSUs which seem to have taken the first step in documenting the value of the Data Assets thanks to the initiative taken by the CAG. CAG has realized that there is no point in merely raising a slogan that “Data is the New Oil” and there is a necessity to recognize the financial value of data and make it visible in the accounting system.

We fully endorse this view, and in the year 2026 have taken a New Year Resolution that we shall work towards a movement to popularize the concept of Data Valuation and help the industry to arrive at a reasonably acceptable methodology for making this possible.

“Measure Your Data, Treasure Your Data” will be the motto that will drive this movement and add a new life to the DGPSI framework.

Join hands with  Naavi and FDPPI to make this movement a grand success.

One of the first activities under this would be a Round Table in Bangalore… watch out for the date… and participate.

Naavi

Posted in Privacy | Leave a comment

Digital Arrest Scam… Open Letter to the Supreme Court

To

The Chief Justice of India
Honourable Supreme Court
New Delhi

From:

Naavi (Na.Vijayashankar)
Cyber Law and Data Protection Consultant
Founder: www.naavi.org
31st December 2025

Dear Sir

As a person following Cyber Laws in India since 1998, I am happy that the Supreme Court of India has taken Suo-Moto Cognizance of the “Digital Arrest Scam” and is trying to develop some guidelines to mitigate the hardship of the victims. This is a great opportunity to improve the digital ecosystem in India and we need to make full use of this opportunity.

In this context, I would like to place before you the following suggestions  for consideration and request you to provide suitable directives to  the relevant parties.

1. We need to identify and apply corrections to the root cause.
2. Consider introduction of a new Law for Neuro Rights Protection
3. Bring changes to our Banking practices by directing RBI and the Bankers, avoiding collateral damage to innocent persons.
4. Bring Technical improvements to the Telecom and Mobile service providers

I will try to elaborate each of these suggestions.

1. Root Cause and its Rectification

The first thought that occurs to every one of us is how it is that educated and otherwise mature persons fall into the trap of the Digital Arrest scam to the extent that they take out crores of rupees of their savings and hand it over to the fraudster. This is continuing even after the Prime Minister himself addressed the awareness requirement in one of his “Mann Ki Baat” episodes. While “Awareness” continues to be necessary, it is obviously not sufficient.

The modus operandi indicates two reasons why people are falling into a trap which is apparently irrational. The modus operandi is to make a fake phone call, threaten action by law enforcement agencies and suggest that a certain amount may be deposited temporarily in a Government account pending enquiry.

The irrational action of the victim in this context is induced by

a) Fear that even if they are innocent, law enforcement agencies may harass them
b) A false sense of security that the Government agencies where the money is sought to be parked can be trusted to return it since they are anyway innocent.

Thus the fraudsters cleverly exploit both the “Fear” and the “Trust” and mesmerize the victims through their talking. We may recall that some time back, the “Blue Whale” game was prevalent, where fraudsters drove innocent children to harm themselves through suggestions.

The psychological analysis of this situation is that the victims got into a “Hypnotic State” where they lost their rational decision making process and blindly followed the suggestions of the fraudster. This is a sophisticated “Cyber Hypnosis” strategy.

We can observe such behaviour also in situations where people “Freeze” at the sight of a real or toy gun for the fear of harm that may occur. The so called “Stockholm syndrome” is also a manifestation of a defence mechanism that follows the initial state of obedience through fear.

Law recognizes actions taken under threat, coercion or mistaken impression, or when a person is not in control of his mental faculties, as “Void”. Hence the act of “Handing over of money voluntarily”, which is used as a defence by Banks to avoid their responsibility, is not legally sustainable.

Therefore, the liability for the digital arrest scam, cannot be held against the victim even if it looks foolish for the victim to act in the manner in which he did.

The way to prevent this “Fear” and “Blind trust” from together placing the victim in a terrorized state of mind and blind compliance is to increase public knowledge of institutions like CBI, ED and RBI, on what they do and what they do not do.

Also a single point PR contact should be available at all these institutions to provide clarifications when required. A direction to this effect must be issued.

Academic institutions should work on creating “Cyber De-addiction Websites” which try to remove the misconceptions about social media that whatever comes on the Internet is true and reliable. People should be made aware that, with AI-based synthetic content spreading across the Internet, no information is reliable unless it is cross-verified from a reliable source. Availability of public contact points with law enforcement agencies is the first step in this direction.

Government agencies such as MeitY should be directed to invest in measures to publicize the lack of reliability of information on the Internet and the dangers of synthetic content. Such investments should be mandated as a security measure along with investments for technology promotion.

2. New Neuro Rights Law

If we recognize that these frauds are occurring because the mind of the victim is manipulated, we should recognize that this is an offence. This is part of “Dark Patterns” under the Consumer Protection Act. It was also a part of the earlier versions of the Data Protection Bill which was omitted in the latest version of DPDPA 2023.

“Manipulation of Human Mind” with either devices or communication should be considered as a violation of “Neuro Rights” and should be protected either as an extension of the “Right to Privacy” or “Right to Free Choice” or through a separate law.

3. Changes in Banking Policies

It is noted that in a few instances vigilant Bankers have identified the problem and prevented the customer from going through with the payment. This indicates that in other cases, Bankers have been negligent.

In all the successful digital arrest fraud instances, the Bankers both at the end of the victim and at the end of the beneficiary, along with the Mobile Service Provider who issued a SIM to the fraudster, should be considered as co-conspirators to the fraud and must be jointly and severally liable.

The KYC norms and the RBI instructions on adaptive authentication make it mandatory that an account is monitored and any “Unusual” transactions are flagged for elevated authentication checks. Unfortunately Banks do not follow this norm. The beneficiary Banks do not check the known sources of income of their customers against the unusually large amounts that are credited. This is a blatant omission of the RBI norms.

In the TDSAT judgement on S Umashankar Vs ICICI Bank, the Tribunal considered that not following reasonable security practices by the Banker was a violation of Section 43(g) of ITA 2000 and makes them liable directly along with criminal consequences of Section 66.

This needs to be put into a direction by the Supreme Court.

At the same time, the Banks and the Police often misinterpret the RBI guidelines, and when some stray funds are found in the account of innocent account holders, proceed to freeze the entire account. Law is very clear that if there is any disputed credit in the account there can be a lien only on that amount and not the entire account. However many Police personnel issue directives to freeze entire accounts and Bankers oblige them. De-freezing of such accounts will be delayed unless palms are greased. This obnoxious practice must be stopped.

We request Supreme Court to give a clear direction to all Banks that unless a Court has indicated an amount on which a garnishee order is issued, no amount in excess should be frozen. Also the Garnishee order should apply to money due and payable as on the date of the receipt of the garnishee order and not future receipts. Hence the practice of Banks freezing the account is completely illegal and Banks should be suitably penalized for following such practices. Police issuing notices without indicating the amount under dispute also needs to be stopped. RBI itself should modify its “Freezing” provision and adhere to the known principle of a “Garnishee Order” and not create new provisions of law expanding their powers.

Further, the Court should direct that in all instances where the Bank cannot establish a conspiracy between the victim and the beneficiary, it should be presumed that the liability for the digital arrest payment lies entirely on the Beneficiary’s Bank or jointly by the Beneficiary’s Bank and the Victim’s Bank.

Further it is noticed that when the victim reports to his bankers about any fraud the Banker does not act immediately to stop payment in transit. This is contravening the established Banking practice of “Stop Payment”. Even in the case of Credit card transactions, RBI has taken an untenable stand under which Banks prioritize payments to the acquiring Bank instead of the Credit card owner and refuse charge back requests.

Supreme Court may kindly direct the Banks to honour “Digital Stop Payment” and initiate immediate action to inform the destination Bank whenever a victim reports a fraud or the Bank observes an “Unusual Transaction” so that the destination Bank “Exercises Caution”. These established practices which were prevalent before the advent of Digital Banking have been given up in the new digital banking era and must be restored.

4. Technical Improvements

Since “Collection of Electronic Evidence” is an important requirement for any legal defence, the Telecom operators should be advised to

a) Follow the suggestion of TRAI to display the caller ID linked to the KYC in respect of all calls so that impersonation can be identified
b) Introduce a “Hot button” on the mobile where at the click of a button the screen recording can be silently activated and deposited with a repository at the end of the call so that it is available for evidence. Currently “CEAC drop box” is a service that is available for voluntary deposit of electronic documents for evidentiary purpose. A similar service can be managed either by the law enforcement/MeitY or by a consortium of approved service providers. The user may subscribe to any of the free or paid services so that the evidence can be collected without a problem.

This has no “Privacy” bar since a “Conversation” is data that belongs jointly to the caller and the called, and hence each should be considered to have the right to record, particularly when it has to be presented in legal defence of one of the parties. DPDPA 2023 also exempts collection of data for self legal defence.

These technical measures can also be directed to be introduced by the Mobile Service Providers along with a strict directive to ensure KYC for SIM card issue.

Yours sincerely

Na.Vijayashankar

Naavi
(Na.Vijayashankar)

P.S: We have placed this in public domain so that any victim or member of public can respond and add his views. This can be read along with our earlier article.


Data Valuation as a Service

Under DGPSI as the framework of Data Governance and Protection for compliance of DPDPA 2023, it is suggested that every organization should ideally be able to recognize a “Financial Value” for its data assets.

DGPSI recommends “Identification of the financial value of a Personal Data Asset and showing it as part of the balance sheet as a below the line item”

-to provide visibility to the importance of Data Governance and  Protection in an organization.

-to enable provision of appropriate resources for Data Protection including appropriate compensation to the DPO

Though most organizations have not yet adopted this “Model Implementation Specification”, there is an increasing acceptance that this is a necessity as we go forward.

In this context we can draw attention to the Policy on Data Governance and Data Security issued by the Comptroller and Auditor General of India (CAG). This document tries to define the broad contours of how the CAG intends to pursue the objectives of Data Governance and Data Security in the light of DPDPA 2023. The Policy prescribes a mechanism for oversight and monitoring of our personnel who have been entrusted with the tasks of collection, storage, analysis and dissemination of personal data.

This is translated into instructions for audit of Public Sector organizations which are bound  by DPDPA 2023. This therefore becomes part of the FDPPI’s audit guidelines under DGPSI where applicable.

In its recent “Revised Directions for Statutory Auditors”, CAG has advised the auditors to verify amongst other things

“Whether the Company has identified its data assets and whether it has been valued properly”?

The data auditors under DGPSI framework should therefore take note of this requirement.

Naavi had already released a document “Data Valuation Standard of India” which has been under discussion for some time in select fora. The subject of “Data Valuation” has already been dealt with in the Course on Data Protection in IIM Udaipur as an introduction to the management students. Now the time has come to explore this further.

FDPPI/Naavi is launching a new program for “Certified Independent Auditors” in 2026 and one of the topics that we  intend discussing is the “Valuation of Data Assets”. Naavi is developing an approach paper for Valuation of Data Assets as a guidance document under DGPSI and it should be useful in meeting the requirements of Auditors of PSUs under the CAG guideline.

Simultaneously, Naavi under Ujvala Consultants Pvt Ltd would start offering “Data Valuation” as a service. More details about this service would be released in due course.

Naavi

 

Also Refer:

PursuIT journal edition on Data Protection from iCISA

Policy on Data Governance and Data Security (IA&AD)

Policy on Data Governance and Data Security (October 2024)

Naavi’s DVSI Model

July 21 copy of DPJI

Earlier article on DVSI model


Domain Name Registrars are now under Compliance Check

Naavi has been repeatedly pointing out that the Domain Name Registrars are ignoring legal compliance as a matter of routine.

Now the Delhi High Court has published its order of 24th December 2025 setting some guidelines for Domain Name Registrars in India. The case originated on the basis of a petition by Dabur against websites infringing its trademark. (Dabur India Limited Vs Ashok Kumar and ORS, CS(COMM)135/2022)

The case is also related to Cyber Crime prevention and the “Digital Arrest” Case being now tried at the Supreme Court. It is also related to Trademark infringement involved in registration of domain names.

The decision has taken into consideration views expressed by ICANN, GoDaddy, CERT In, MeitY, MHA and several other relevant parties.

The judgement has considered issues such as prevention of financial frauds, measures to be implemented by the Registrars etc. It has also brought some sections of DPDPA 2023 and GDPR into the discussion of protection of Privacy of the registrant.

The judgement  is a gold mine of information for all students of domain name law.

This judgement could be considered a landmark judgement on domain names in India.

Refer the copy of the judgement  here

Summary of Conclusions

Naavi has several times objected to the Domain Name Registrars hiding the names of the registrants under the guise of Privacy. The Court has taken note of this practice and held

“The Court was of the view that disabling the privacy protect feature may be essential to ensure that the identity of the Registrants is available on https://www.whois.com database (hereinafter “the WHOIS database”) among others.”

Naavi is of the firm opinion that registering and hosting a website on the Internet is an activity in the public domain and the identity of the registrant should not be considered as “Personal Information” subject to the Right of Privacy. It is an action that has an impact on others and hence is a “Public Activity”, and the identity of the registrant should be considered as a “Right of the society to know”.

In summarizing its conclusions  the Court observed

  1. Domain Names form the online soul of a business and their distinctive character has to be protected.
  2. Misuse of domain names and website content endangers the larger public interest.
  3. Stringent action needs to be taken to maintain the integrity of the domain name system against parties such as Domain Name Registrants, Registrar, Registry operator, ICANN, Banks, RBI, Telecom Service Providers, MeitY and DOT and Law Enforcement agencies.
  4. It is imperative for all Banks to implement the Beneficiary Bank Account Name Lookup in case of online payments.
  5. It is mandatory for all Banks to cooperate with Law Enforcement Agencies in terms of the Standard Operating Procedure dated 31st May, 2024 issued by the Central Economic Intelligence Bureau for processing of requests from LEAs by the banks.
  6. Domain Name Registrars (DNR) must implement Rights Protection Mechanism under specification 7 including use of the Trademark Clearing House database.
  7. The DNRs ought to submit registered-name data to the Registry Operator, provide public query-based access to essential WHOIS/RDDS information, make registrant data available for ICANN’s inspection, comply with applicable laws and governmental regulations, avoid registering reserved names, verify and periodically re-verify Registrant contact information, investigate inaccuracies, and act promptly against DNS abuse or illegal activity.
  8. DNRs ought to face termination of the accreditation agreement if a Court finds they permitted illegal activity or failed to comply with Court’s orders, or if ICANN determines that the DNRs engaged in bad-faith trademark-conflicting registrations.
  9. DNRs are obliged to follow ICANN’s WHOIS Accuracy Specification, validating address, email, and phone formats, and verifying email or telephone numbers through tool-based authentication, and must suspend or terminate domain names where registrants wilfully provide inaccurate information and fail to correct it within 15 days.
  10. The privacy protect feature extended by DNRs to registrants is acting as a cloak to hide the identity of those perpetrating illegal and unlawful acts on the internet. It is necessary to mandate that all DNRs offering their services in India shall collect the details of the Registrants and perform an e-KYC verification in the manner in which NIXI already mandates in India.
  11. DNRs and Registry Operators cannot deny disclosure of Registrant’s details by taking blanket cover under the provisions of GDPR. The applicable privacy law would govern the relevant considerations in each case, and accordingly, the data collected from Registrants in India would be governed in terms of the DPDP Act and its allied Rules. All DNRs who offer their domain names registration or ancillary services ought to appoint Grievance Officers who are located in India and publish their email addresses, mobile numbers and other contact details so that they can be contacted for the purpose of obtaining relevant information of the Registrant as also for implementing orders passed by Courts and to provide information to LEAs.
  12. DNRs who provide extended services including marketing of domain names may not merely be considered as intermediaries but as complicit in actively enabling infringement.
  13. It is a settled position in law in India that registration of an infringing domain name would not be permissible as there is every likelihood that the same could lead to diversion of users from the genuine website to the infringing one.
  14. Offering of privacy by default to registrants is one of the reasons for proliferation of illegal domain names. Thus, unless and until a registrant requests for privacy protect, the same should not be offered as a default mechanism
  15. The Government and various institutions ought to create their own list of names that can be misused so that such domain names can be placed in the reserved list.

In view of the above, the following directions are issued to DNRs.

1. The DNRs and Registry Operators shall, henceforth, not resort to masking of details of the registrants, administrative contact and technical contact on a default basis as an ‘opt-out’ system. At the time of registration of the domain names, a specific option shall be provided for the Registrant and it is only if the said Registrant chooses for privacy protection, that the said service shall be offered as a value added service upon payment of additional charges. The additional charges shall not be made a part of the default package for registration of domain names.

2. Whenever any entity or individual having legitimate interest, law enforcement agencies (LEAs) or the Courts, request for disclosure of data relating to any infringing or unlawful domain name, the data (such as name of registrant, admin and technical contacts, addresses, mobile numbers, email address and any payment related information as well as any value added services provided) shall be disclosed by the concerned DNR as soon as possible but not later than 72 hours in terms of the Intermediaries Guidelines 2021.

3. If any particular domain name is restrained by an order of injunction or has been found to be used for illegitimate and unlawful purposes, the said domain name shall remain permanently blocked and shall not be put in a common pool in order to disable re-registration of the same very domain name by other DNRs. The appropriate steps in this regard shall be taken by the concerned Registry Operator to ensure that all DNRs having an agreement uniformly give effect to the said direction.

4. In the case of trademarks/brands, which are well-known or are invented, arbitrary or fanciful marks, which have attained reputation/goodwill in India, if a Court of Law directs that there would be an injunction on making available the infringing domain name with different extensions or mirror/redirect/alphanumeric variations, the same shall be given effect to by the DNRs and no alternate domain name shall be made available in respect of such brands and marks.

5. Upon an injunction being issued by the Court in respect of any domain name and the same being communicated to the DNRs, the DNRs shall ensure that no alternative domain name is promoted or being suggested to a prospective Registrant. Any promotion of alternative domain names of an injuncted domain name would disentitle the concerned DNR for safe harbour protection under Section 79 of the IT Act

6. In respect of descriptive and generic marks, the restraining/injunction orders would be qua the specific domain name and any extension of restraining/injunction order for other infringing domain names would be with the intervention of the Joint Registrar before whom the application under Order I Rule 10 of Code of Civil Procedure, 1908 along with affidavit shall be filed and the injunction would be extended. Where any party is aggrieved by the order of the Joint Registrar, the application may be moved or placed before the ld. Single Judge.

7. Upon orders being passed by a Court, the infringing domain name shall be transferred to the Plaintiff/trademark owner/brand owner, upon payment of usual charges.

8. Search engines and DNRs shall not provide any promotion or marketing or optimization services to infringing and unlawful domain names.

9. All DNRs offering services in India shall appoint Grievance Officers within a period of one month from today failing which they would be held as non-compliant DNRs.

10. Service by email to the respective Grievance Officer’s details would be henceforth sufficient service for Court orders and any DNRs who insist upon services through MLAT or through other modes of services shall be held to be non-compliant DNRs.

11. In appropriate cases where an entity has repeatedly not complied with orders of the Court, and in the opinion of the Court it is a case where the interest of society at large is being adversely affected, such as cases of frauds, the Court may direct the appropriate authority to block access to the said entity under Section 69A of the Information Technology Act, 2000 read with Information Technology (Procedure and Safeguard for Blocking for Access of Information by Public) Rules, 2009.

12. All Registry Operators having valid agreements with ICANN shall take appropriate steps to implement the Trademark Clearing House services and make the same available to all brand owners & registered proprietors of trade marks.

13. All DNRs offering services in India or to customers in India shall undertake verification of Registrant’s details at the time of registration and periodic verification of the same. The verification shall be done in terms of KYC requirements mentioned in Circular No. 20(3)/2022- CERT-In dated 28th April, 2022 issued by Indian Computer Emergency Response Team. This is in line with the NIXI Accreditation Agreement.

14. All DNRs who are enabling registration of domain names which are administered by NIXI as a Registry Operator shall comply and provide requisite registration data to NIXI within one month of this judgment and also update the same on a monthly basis.

The Court has also given the following directions to the Government (Meity/MHA)

  1. The Government shall hold a stake holder consultation with all DNRs and Registry Operators offering services in India and explore the possibility of putting in place a framework similar to the one used by NIXI by all DNRs for the purpose of domain name registration
  2. Consider nomination of a nodal agency such as NIXI as the data repository agency for India with which all the Registry Operators and the DNRs would maintain details related to Registrants on a periodic basis so that the said details are made available to the Courts, LEAs and the governmental authorities for the purpose of enforcement of orders of Courts and for preventing misuse. Alternatively, DNRs shall be directed to localize the data in India for easy access. Irrespective of the decision, it is made clear that processing of personal information would be strictly in terms of the DPDP Act and applicable Rules.
  3. In case of a DNR or Registry Operator, which does not comply with the orders of the Courts or with request from LEAs, the offering of services of such DNRs or Registry Operator be blocked by MeitY and DoT under Section 69A of the Information Technology Act, 2000 read with Information Technology (Procedure and Safeguard for Blocking for Access of Information by Public) Rules, 2009.
  4. MeitY along with NIXI shall coordinate with ICANN to enable brand owners in India to avail of TMCH facilities on reasonable terms and conditions so that they can receive notifications whenever any conflicting /infringing domain names are proposed to be registered by any third parties across the globe.
  5. The CGPDTM (Controller General of Patents, Designs and Trade marks) could also consider publishing the list of well-known marks along with the official and authentic website details of the trademark owners so that if any consumer or user wishes to verify the authentic website, the same would be made possible through the website of the Intellectual Property Office. The same shall also act as sufficient notice to all potential Registrants as to the actual websites
  6.  Directions qua grant of ‘Dynamic +’ injunction:  The dynamic + injunction would apply under the following circumstances:
    (i) Wherever the brand/trademark appears as it is in the domain name;
    (ii) Wherever brand/trademark appears with a prefix or suffix which could lead to confusion;
    (iii) Wherever the brand/trademark appears as an alphanumeric variation.
    (xvii) Whenever there is a legitimate Registrant who opposes the suspension of the domain name, if the same is communicated by the said Registrant to the concerned DNR, the DNR may then ask the IP owner to obtain a Court order.

Also, the following directions are issued to Banks.

  1. All banks shall mandatorily implement the ‘Beneficiary Bank Account Name Lookup’ facility in terms of the RBI circular dated 30th December, 2024 for all online payments including payment by UPI through applications such as Google Pay, Paytm, etc.
  2. All banks shall also abide by the Standard Operating Procedures dated 31st May, 2024 issued by Central Economic Intelligence Bureau for processing and responding to requests received from LEAs.

In toto, this is a very comprehensive and useful judgement which will have a long term impact on the industry.

Naavi


Movie “45” holds arrest threat for negative rating

In a move which matches the Karnataka Hate Speech Bill, the producers of the Kannada Movie “45” directed by Mr Arjun Janya with actors such as Shivarajkumar and Sudeep have released a notification that they have obtained an interim order from a court that whoever passes a negative remark or rating of the movie may be arrested.

Initially the movie made news about a statement given by Mr Sudeep on “Piracy”, but now the crew seems to have moved a court and obtained a restraining order which is meant to create a chilling effect and curb comments on the Film, similar to the Karnataka Hate speech legislation brought by the Congress Government.

Request all free speech activists to take note and work for remedying the situation.

Refer: https://www.youtube.com/watch?v=WoYuG7SOCJE&t=466s

Key details of the notice and legal action include:
  • Protection Against Negative Content: The notice states that a court has issued a restraining order preventing individuals, organizations, social media accounts, or channels from publishing “defamatory, derogatory, or negative propaganda,” including negative ratings and malicious reviews.
  • Removal of Existing Content: The court directed that any such content already published must be removed or deactivated immediately.
  • Warning of Legal Action: The film’s team warned that violators could face civil and criminal legal action, including FIRs and potential arrest for contempt of court.
  • Anti-Piracy Measures: The notice also emphasizes strict action against piracy, specifically the unauthorized recording or distribution of the film’s HD prints.

The notification goes beyond the concept of “Defamation” where any malicious speech can be dragged to the Court for trial. But a “Blanket Threat” that a person may be arrested is an attempt to curb free speech.

The Court was completely wrong in giving such an order and it should be withdrawn forthwith. A criticism of the art saying that the movie is not good or the acting is not good cannot be considered as “Defamation”.

The Karnataka High Court should take suo motu cognizance of the public notice issued by the producer as an open challenge against the Right to Freedom of Speech and scrap the order of the lower court.

Legal action should also be initiated against the film producer for holding out such an illegal threat.

Naavi


Digital Arrest Scam…. The Challenges and Remedies

I recall the earlier article on this issue published on December 6, 2024

The digital arrest scam has now caught the attention of the Supreme Court (Refer the status of the case here:), which has taken suo motu cognizance of the issue and initiated an enquiry. It has directed CBI to investigate and has also appointed a senior advocate, Ms Nappinai, as Amicus Curiae to submit a report. Others are requested to submit their views to the Amicus Curiae. (P.S.: contact information is available in the order)

Naavi has been consistently advocating that the intermediary Banks who facilitate such crimes. In the case of S.Umashankar Vs ICICI Bank, Naavi who argued for the victim under a POA, was able to get orders from the Adjudicator of Tamil Nadu, TDSAT and also the Madras High Court that the liability of the phishing loss had to be borne by ICICI Bank for various reasons including maintenance of the mule account and lack of due diligence.

During the course of the 14 year long fight after the Adjudicator’s decision, Naavi had requested the DGP of Tamil Nadu to take up criminal prosecution against ICICI Bank, which they failed to do. After the TDSAT decision, Naavi had visited ICICI Bank headquarters in Mumbai and requested the legal head to settle the matter without going for further appeal. But the Bank refused. Finally the Bank relented after Madras High Court also upheld the earlier decisions that ICICI Bank as an intermediary was liable under Section 85 of ITA 2000 read with Section 43 (at that time Section 43A was not available).

The TDSAT had even made an observation that under Section 43(g) of the ITA 2000, the negligence of the Bank could be considered as “Assistance” for contravention. Earlier the adjudicator had also held that “Not using Digital Signature in Bank-Customer email communication” was a material negligence causing the phishing.

Subsequently there have been a few decisions in which Intermediary banks and Mobile service providers have been held liable for some Bank frauds involving negligence of the intermediaries.

The SC in the current case on digital arrest has also flagged the role of Bankers who seem to have around 8.5 lakh mule accounts.

During my discussions with ICICI Bank in the Umashankar case, the Bank official had confided that they cannot agree to settle the case since they had more than 40000/- such cases at that time and it would create a bad precedent if they settle the case in one instance. I am therefore not surprised with the 8.5 lakh mule accounts which are all accounts that are part of the fraud.

It is clear that no monetary fraud, whether it is phishing or digital arrest or UPI, can succeed except with the collusion of one Banker for the fraudster. Under ITA 2000, they must be considered as intermediaries and made to take the entire liability without demur. Even when a remedy is available to the Bank in the form of Cyber Fraud insurance, they prefer to litigate since the capability of the customer to fight the long legal battle is low and the premium for the next year may go up if some claims are settled.

In the Umashankar case we had made the Chairman of ICICI Bank, Bank managers of two Banks and the CISO parties responsible for negligence. But the Courts as well as the Police did not take proper cognizance of their role as conspirators by negligence.

Now in the Digital Arrest case the losses have been astronomical and have rightly attracted the attention of the Supreme Court. We need to bring a final solution to prevent the Bankers and the RBI creating a fertile ground for cheating without assuming responsibility.

In the Umashankar case, I had visited RBI head office to request that the license of the branch which colluded in the fraud should be cancelled. Unfortunately the RBI officials did not consider the request.

Even now RBI is not concerned about the frauds and we have pointed out that opening digital banking accounts for Minors is another new door opened for frauds.

I had suggested that these Digital arrest scams happen because the victims are subjected to a kind of Cyber hypnosis induced by fear and hence are not liable for the loss even if they had themselves handed over the money. It is like the case of armed dacoity where a victim does things at the behest of the robber for fear of life. Law recognizes that such acts are void ab initio and hence the fraudulent transactions are to be reversed.

In the recent days a few instances of alert Bankers preventing the frauds by properly advising the customers have come to the fore indicating that if only Bankers were vigilant they could have prevented most of these digital arrest frauds.

Currently Police are not handling things properly and are actually harming more innocent persons through the wrongful freezing of accounts creating one more problem.

I wish the Supreme Court takes a holistic view of the case and initiates the following procedure.

  1. In all cases where the police cannot establish a fraudulent link between the victim and the beneficiary of the fraud, the victim must be presumed innocent.
  2. In all cases of presumed innocence of the victim, the Bank from which payment has been made to the fraudster should be considered as primarily liable.
  3. The Bank from which the customer has lost money must demonstrate its own vigilance and ensure stop payment of the distribution at the destination banks as soon as it becomes aware of the complaint.
  4. RBI should ensure that in both UPI and Internet Banking transfers, the right to stop payment prevails to the last second before which the payment is made at the destination.
  5. Whenever the victim’s Bank fails to act on the complaint stating that an FIR is required etc., the Bank must be held jointly and severally liable for the loss.
  6. Whenever any fraudulent telephone account is involved, as in the case of all Digital Arrest scams, the Mobile Service Provider must be held accountable for having issued SIM cards to the fraudsters without proper verification.

I hope this petition would lead to some lasting improvements in the Digital Banking Systems.

Naavi