
Naavi.org

Building a Responsible Cyber Society…Since 1998

Status of Bitcoin…Why our views have changed?

Posted by Vijayashankar Na on May 22, 2017
Posted in Cyber Law

When Bitcoins were first introduced to the undersigned, I, like many others, was impressed by the technology behind Bitcoins or Crypto coins. Many are aware that I was supportive of Bitcoins as a concept. Such persons may be wondering what happened to Naavi, since he has turned against Bitcoins and is advocating a ban in India. I would like to explain the reasons for this change in our opinion on Bitcoins and Crypto Currencies.

Even in the earlier period when I was supportive of Bitcoins, there was already controversy over the Silk Road website, and the fact that Bitcoins were being used by the drug mafia was known. However, the overall adverse impact of Bitcoins on the economy was not alarming, and hence a lenient view was in order.

As regards the legal view, it was clear that a Bitcoin was an “Electronic Document” and therefore had recognition as an “Electronic Commodity”. The fact that some were attributing value to this commodity, and many others were willing to accept that value and participate in the trade, created a situation where the commodity began to be perceived as a “Currency”.

Additionally, this “commodity which many perceived as currency” was being bought from international markets, since mining was not always feasible or profitable, and some were selling Bitcoins from India to outsiders. Selling Bitcoins against foreign currency was an “Export” of the commodity; buying from abroad was an “Import” of the commodity.

The FEMA regulations in force could not clearly be read as permitting the purchase of Bitcoins from abroad as a permitted import.

Hence we expressed the opinion that a “Bitcoin” is a “Recognized Electronic Document”, and that if somebody was able to use their computers to generate Bitcoins by mining, it was perfectly legal. But we also stated that importing it should be within the provisions of FEMA, and that any profit made by trading in Bitcoins is taxable. Also, once a stock of Bitcoins becomes tainted as an illegal acquisition, it remains so for ever, since a Bitcoin is not a “Currency” or a “Negotiable Instrument” under law.

This opinion stands even today and has not changed.

However, initially the undersigned was supportive of Bitcoins as a concept, in the hope that the negative aspects of the Bitcoin regime could be tackled effectively.

However, as time passed, Bitcoin grew more and more into the “Currency of the Criminals”, and the Bitcoin community did nothing to bring in controls that would prevent its misuse by criminals.

At the same time, variants of Bitcoin started appearing (currently more than 750 Crypto Currencies are said to be operating), and criminals started distributing their Bitcoin holdings into other forms of Crypto Coins. As a result, today Bitcoin and the other Crypto Coins have become fungible, and if one of them can be the “Currency of the Criminals”, all Crypto Coins have to be treated as “Currencies of the Criminals”. We therefore have to look at all of them equally.

The recent growth of ransomware attacks worldwide, to a level where they can be considered “Cyber Financial Terrorism”, has made Bitcoin and the other Crypto Coins the chief facilitator of such terrorism. If there were no Crypto Coins, the ransomware owners would find it difficult to operate their ransom kingdom before they are caught.

The “Anonymity” of Bitcoin and the other Crypto Coins is therefore the biggest obstacle to accepting the system merely as a technological innovation that may facilitate payment settlements in Cyber Space.

An “identifiable Crypto Currency” would change things, but people seem unwilling to give up anonymity in exchange for acceptance of the system by regulators.

The second negative aspect of Crypto Coins is that they are not regulated by any central bank, and hence Crypto Coin wealth is all “Black Money” to conventional economists. Even though Bitcoin holdings were earlier considered negligible compared to Black Money held in currency form, after the demonetization in India we may now say that the share of Crypto Currency in Black Money holdings in India must have gone up significantly. Hence the adverse impact of Black Money holders in India converting their Swiss Bank money and other Black wealth into Bitcoins and Crypto Coins is very real and cannot be ignored.

Again, it is possible that Crypto Currency holders could declare their holdings and agree to bring them into their account books, along with payment of tax, if any, on their buying and selling. But I doubt that the Bitcoin/Crypto Currency community would agree to declare their holdings, because this again comes back to the “Anonymity” aspect.

The third point that needs attention in the context of Crypto Currency is the security of the system as a whole: whether it can be hacked, either at the Block Chain level or at the level of the individual Bitcoin wallet. Supporters of Crypto Coins may swear by the security of the system because of the inherent checks and balances in the Block Chain method of authentication, but the security is still debatable.

Another aspect that needs consideration by the economists of the country is that India is currently not a major holder of Crypto Currencies in the world, whereas countries like China, the US and Canada may hold large quantities of different Crypto Currencies. India would therefore be at a disadvantage in the global economy if Crypto Currencies became a globally accepted currency equivalent.

There is no level playing field in the current Crypto Currency wealth and hence it would not be prudent for the country to adopt the Crypto Currencies as acceptable exchange medium.

In view of the above, and particularly the need to prevent Cyber Criminals from using Crypto Currency as a tool to reap the rewards of their criminal activity, Naavi has changed his earlier lenient stand on Crypto Currencies and now firmly advocates a “Ban on Crypto Currencies” as Indian policy.

Until the Crypto Currency community agrees to abandon the anonymity inherent in these transactions, we will hold the view that Bitcoin and other Private Crypto Currencies have to be banned and their holding criminalized.

I hope followers of Naavi.org will understand the logic for the shift in our stand.

Naavi

Government seeks Public Comments on Bitcoin Ban

Posted by Vijayashankar Na on May 22, 2017
Posted in Cyber Law

On 15th March, 2017 the Department of Economic Affairs, Ministry of Finance constituted an Inter-Disciplinary Committee chaired by the Special Secretary (Economic Affairs), with representatives from the Department of Economic Affairs, Department of Financial Services, Department of Revenue (CBDT), Ministry of Home Affairs, Ministry of Electronics and Information Technology, Reserve Bank of India, NITI Aayog and State Bank of India.

Read details here

The Committee will

(i) take stock of the present status of Virtual Currencies both in India and globally;

(ii) examine the existing global regulatory and legal structures governing Virtual Currencies;

(iii) suggest measures for dealing with such Virtual Currencies including issues relating to consumer protection, money laundering, etc; and

(iv) examine any other matter related to Virtual Currencies which may be relevant.

Comments/suggestions from members of the public are requested on the following questions by 31st May, 2017 on the website MyGov.in.

In particular, the following queries have been raised:

a) Whether Virtual Currencies (VCs) should be banned, regulated or observed?

b) In case VCs are suggested to be regulated:

i). What measures should be taken to ensure consumer protection?
ii). What measures should be taken to promote the orderly development of VCs?
iii). Which appropriate institution(s) should monitor/ regulate the VCs?

c). In case VCs are not suggested to be regulated:

i). What should be the effective self-regulatory mechanism?
ii). What measures should be adopted to ensure consumer protection in this scenario?

Comments should be supplemented by a brief rationale.

The public are requested to provide their comments in time to enable the Committee to arrive at an appropriate decision.

Naavi.org has published many articles on Bitcoin and has presented its views. Links to the old articles will be provided for those who want to understand what a Bitcoin, a “Crypto Currency” or a “Virtual Currency” is, so that readers can form their own opinion.

Naavi


This is an open letter to our honourable Prime Minister Mr Narendra Damodar Das Modi, our honourable Finance Minister Mr Arun Jaitley, our honourable Minister for IT Mr Ravishankar Prasad, our honourable Minister of Home Mr Rajnath Singh, and also to the Secretaries of the Ministries of Finance, IT and Home, as well as the RBI Governor Mr Urjit Patel and the Director General of CERT-IN.

Over the last few months, India has witnessed a series of attacks, not only from across the borders of Kashmir but also from Cyber Space. It will not be long before the enemies across the borders and the enemies in Cyber Space converge more effectively than they do now, so that they can recruit more physical terrorists and inflict damage on the country.

The recent Cyber attack in which the ransomware called “WannaCry” infected over 2 lakh computers across the world, an estimated 40,000 of them in India, should sound a warning bell for us, since India is preparing to usher in “Digital India”, with ‘Digital Payment’ systems replacing our currency system and concepts such as smart cities and smart gadgets of various kinds shaping our future.

The country’s dependency on IT systems is growing by the day, and with Aadhaar Enabled Payment Systems coming into use, the vulnerabilities are all around us. If these vulnerabilities are exploited by our enemies, the country will be irretrievably pushed back in its development agenda.

It is reported that there was recently an advertisement on the dark web headed “Let’s Kidnap the Planet” promoting a “Ransomware”. Though we may be relieved that WannaCry did not hurt India as much as it did some other countries, this relief may be short-lived and we cannot be complacent. A whole industry is said to be growing up around “Ransomware”, as indicated in the following report.

Ransomware: “Let’s Kidnap the Planet!”.

According to this report, ransomware is growing at an alarming rate because there is enormous money to be made. The report cites a study indicating that 40% of victims paid the ransom, and that some malware rakes in up to $30 million every 100 days. Hence the menace will continue and new variants of ransomware will keep appearing.

While technology people work out technical solutions to ensure that observed vulnerabilities in systems are quickly and effectively plugged, Governments also need to devise their own strategies and build a multi-pronged counter-strategy to defeat the design of these Cyber Financial Terrorists to kidnap the planet for their personal gain or otherwise.

Though the initial crop of ransomware may come from techies who are not conventional terrorists killing people for religious fanaticism or otherwise, ransomware is a tool easily acquired by conventional terrorists, and it is reasonable to expect that it is already in use for fund raising, not only by terrorists in Kashmir or Naxalites in India but by many rogue elements the world over.

The time has come to initiate measures that are within the Indian Government’s power to mitigate the risk. I would like to highlight one such measure here, since it is currently under the radar of the Finance Ministry and the RBI.

I am referring to a concept called “Bitcoin”, the most successful “Crypto Currency” in circulation in the world, traded on exchanges against legacy currencies like the dollar.

Some countries have formally recognized Bitcoin as a currency for the public to use in exchange for goods and services. There are even ATMs which can be used to withdraw dollars against Bitcoin holdings and to deposit dollars into Bitcoin wallets.

The current Bitcoin (BTC) exchange rate is around US $2000, and about 300,000 exchange transactions take place per day (Source: www.coindesk.com).

Countries like China are reported to have invested a huge sum of money to acquire Bitcoins both by mining it themselves and also perhaps by buying from the market.

Bitcoin is created by a computer operation called “Mining”, but the total stock of Bitcoins in the world is limited to 21 million by design, and it has now become almost impossible for an ordinary computer user to mine new Bitcoins. Most Bitcoins acquired today are traded Bitcoins. Since Bitcoin has been the currency of the drug mafia and other underworld operators, most of the current stock (which is a commodity in the legal sense) is tainted by having been used as a “Money Laundering Tool” in the past. Hence most current stocks in India are legally like “stolen gold pledged with a pawn broker” which is sold and resold.

Now there is a lobby in India trying to convince the Government and the RBI that Bitcoins should be legitimized in India. The Government has even formed a committee to bring in regulations for Bitcoins. The industry has started spreading the rumour that there will be regulation but no ban on Bitcoins in India. Recently, one of the Bitcoin exchanges in India reported that it is receiving more than 2500 new registrants each day.

The confidence with which the industry claims that the Bitcoin Regulation Committee will only “Regulate” and not “Ban” Bitcoins raises the concern that the industry may already have a hint of things to come.

The technology behind Bitcoin, called “Block Chain”, is technically fascinating, and there is every possibility that the Committee members may be impressed into accepting the technology. Many Banks are advocating its use for authenticating banking transactions.

There is no doubt that “Block Chain” is an innovative technology, but the way it has been used in Bitcoin, as well as the way it is proposed to be used by Banks in India, is not within the legal framework of the country.

Most importantly, there is a level of anonymity in Bitcoin transactions which makes it the best parking place for Black Money. Though technologists claim that Bitcoins can be traced and that the FBI has the capability, the challenge is daunting. India is presently not capable of tracing Bitcoins, and unless a globally coordinated effort is launched, Bitcoin tracing is not practical.

It is possible for a Crypto Coin to be seeded with a regulatory mark (like an RBI seal) to make it usable as a replacement for printed paper currency. But Bitcoin and the other Crypto Coins in circulation are anonymously generated and lie outside the economic system of the country.

Allowing “Non RBI seeded Crypto coins” to be created and circulated is inimical to the economic interests of India and hence if there is any regulation, there should be a total ban on any “Crypto Currency” other than one which is released by RBI.

This is common sense like saying that no currency printed in India is valid as a currency unless it is printed in the Government Mint and carries the signature of the RBI Governor.

The second aspect we need to recognize is that Bitcoin has today become the operating currency of the ransomware operators, and one effective way to curb the ransomware menace is to eliminate the use of Bitcoin worldwide, so that Bitcoin holdings become worthless, like the demonetized notes.

Just as high denomination notes were demonetized on November 8, 2016, the Government of India should “Demonetize Bitcoins” and force all existing holders of Bitcoins who are citizens of India to declare their present holdings and convert them to legacy currencies within a certain time, say one week, after which holding Bitcoins should be declared an offence.

At the same time, we should work on getting other Governments to take similar steps, by raising the issue in the UN, so that we can move towards a global ban of unregulated crypto currencies, and Bitcoin in particular.

If this is not done, we will have terrorists using Bitcoin instead of Hawala to move money and pay the stone pelters of Kashmir and other terrorists, Naxalites and criminals. A Bitcoin ban will also prevent corrupt politicians, bureaucrats and businessmen from holding their black wealth in the form of Bitcoins.

Hence the request to “Ban Bitcoins” and “All Unregulated Crypto Currencies” should be considered as an extension of the November 8, 2016 move to demonetize Black wealth.

At the same time, Banks experimenting with authentication of transactions under Block Chain technology should review the legality of the operations involved before proceeding further.

I would like everybody to remember that Bitcoin is as fascinating as the hood of a King Cobra. But we need to keep away from it to remain safe, and not try to go near it. Some may say that a King Cobra can also be handled if one knows how. But only those who know the risks know how safe it is to sleep with a King Cobra.

I therefore urge the Indian Government to defeat the Cyber Financial Terrorists by choking their source of revenue; one of the first steps in this direction is to ban Bitcoins in India.

I request the Committee looking into the regulation to consider this as a submission from a concerned Indian citizen and take it on record before arriving at their final decision.

Naavi

(Na.Vijayashankar)

Bitcoin supporters are now in PR mode, lobbying the media to bring influence on the Modi Government for a favourable dispensation, including some kind of recognition for Bitcoin.

According to this story, “India is preparing Bitcoin Regulations and a Ban is unlikely”.

The report makes the categorical statement that “..It is also becoming increasingly likely that authorities will not ban digital currencies in India.” It goes on to state: “…A televised CNBC report in mid-April revealed that Indian authorities were leaning toward acknowledging bitcoin, granting it a legal status in the country with regulatory oversight by the government.”

However, one visitor to the site made the following revealing comment.

“Well, that is unlikely, but rumours have come that RBI has stated to all Indian banks to close down all accounts dealing with Bitcoins, but have avoided giving reasons to the consumers. Axis Bank has started giving notice to the customers who are dealing in Bitcoins to close their bank accounts within 30 days, with the reason that ‘your transactions are of serious concern.’ When asked for the reason, they have not replied yet. One Yes Bank manager had a chit-chat with me in this regard (declined to disclose his name) but stated that they had indeed received a notification from RBI to close such activities, and the Axis Bank letter was issued, coincidentally, right two days after that.

I don’t think India is getting towards it, and even if they do, I have strong feelings (bad feelings) that they will apply such rules which will not be beneficial for normal consumers. This is my personal opinion and feeling, and I am against that, but the truth cannot be denied that the Indian Government seems nervous about approving it, or rather to say is ‘suffering from fear of adopting new technology’, since they cannot and will not be able to completely control it.”

I have earlier commented extensively on my view that Bitcoin is an “Electronic Commodity” and not a “Currency” in the way people perceive currencies such as the Rupee or the Dollar.

I have also stated a number of times that the majority of the stock of Bitcoins in the world has passed through the hands of criminals and is therefore tainted. Acquiring, holding or transacting with these Bitcoins is therefore not supported by law and may be punishable.

Much to the discomfort of many of my friends in technical circles, I have recently been stating that there is a case for a “Global ban” on Bitcoin, because it has become the “currency that is aiding and abetting Financial Terrorism” through ransomware.

However, enthused by the recent news that Japan is legalizing the currency, the BTC exchange rate has surged to around $2000. Taking a cue from the news that even Russia may legalize the currency, the Bitcoin industry is now going after the Indian Government and planting stories in the media that India too may legalize Bitcoin.

It may be true that the Government has formed a committee to go into the issue, which may work on a regulation for “Crypto Currency” in general. It is pure speculation that this committee will legalize “Bitcoins”.

In fact, there is no legal basis in India on which “Bitcoin” can be recognized as a “Currency”, even if another country like Japan or Russia accords it recognition. If the committee suggests such a provision it will be ultra vires the law.

The Bitcoin community is also trying to confuse the issue with Indian bankers by riding on “Block Chain” as a technology and “Crypto Currency” as a concept to strengthen its claim for recognition of Bitcoin.

My opinion is that

a) Bitcoin as an Electronic Document is today considered something similar to a club chip bought for cash. (I am ignoring the case where the holder is a miner, in which case it could be considered legal.)

It does not come under the Payment and Settlement Systems Act, 2007, under which the RBI recognizes three types of “Prepaid Instruments” (refer to the RBI circular here), namely “Closed” system, “Semi-Closed” system and “Open” system instruments.

b) Bitcoin is not a currency since it does not carry the backing of RBI as a legal tender.

c) Crypto Currency as a concept is fine and RBI can consider adopting it as part of its future strategy to issue currency.

d) Block Chain Technology is also fine, though I very much doubt whether the way it is being implemented, as we understand it in banking circles, is within the Banking laws.

e) Any acquisition of Bitcoin from a foreign holder needs to be in accordance with the import regulations under FEMA. Any acquisition in India, even against payment of white money, is legal only if the entire chain of custody of the unit of Bitcoin, from its first generation to today, has passed through identifiable individuals in legal exchanges only. Only “Mining” is legal, but I doubt there is a single person in India who has himself mined a Bitcoin in India.

In the light of the above, it is not possible for the Committee of executives to recommend any form of legalization of Bitcoin. If they do, they are open to legal challenge.

It is possible that some politicians may be in favour of Bitcoins, as it is a better form of storing black money, particularly in the light of the demonetization of Indian high value currency. I am reasonably certain that many politicians and businessmen already hold black money converted from their Swiss Bank accounts to Bitcoins.

It is necessary for the Modi Government, therefore, to ensure that it does not create an alternative mode of holding black money.

Additionally, in view of the entire “Ransomware Industry” being dependent on Bitcoin as a currency, one effective way for the world community to check the spread of ransomware is by outlawing Bitcoin on a global scale.

I would like India under Mr Modi to take the global leadership to outlaw Bitcoin even in countries where recognition has already been accorded and get it recognized as the “Currency of the Terrorists”.

Simultaneously, RBI should not allow vested interests to push some form of Block Chain technology into the Banking system without it being vetted for compliance with Indian laws.

In my understanding,

Block Chain technology works where there is a “Public Ledger” of transactions to be kept, which may be authenticated by any member of the public.

Everybody tries to solve a puzzle while being witness to the transaction, and one of them succeeds. He is rewarded and recognized as the “Authenticator”.

This system cannot work in the Banking system, where a transaction is authenticated by a Bank with which the client has a banker-customer relationship.

The transaction cannot be tossed around to the public, and a public ledger of transactions cannot be published to a number of people who are not “Power of Attorney Holders of the Bank”.

Also, if the number of such participating persons is not large, the system will fail statistically and fake authentications will get created. Bitcoin survives because any attempt at creating a fake authentication is defeated by the very large number of persons who will not authenticate it.

This formula cannot work in a Bank which wants to use “Block Chain” technology for authentication of bank transactions.
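To make the mechanism described above concrete, here is a toy proof-of-work chain. It is an example added for this page, not code from the original post or from Bitcoin itself. It assumes a simplified puzzle (a SHA-256 hash with a fixed number of leading zero bits), a fixed difficulty, and the rule that a node adopts whichever valid chain carries more work; all three are simplifications of the real Bitcoin rules. It shows that anyone can verify the ledger, that a block edited in place fails verification, and that a forger is believed only if he re-does the work of every later block and still out-mines the honest chain, which is the “large number of persons who will not authenticate” argument in code.

```python
"""Toy proof-of-work chain (added example, not from the original post).
Difficulty, block layout and the 'more work wins' rule are simplifications
of Bitcoin's real rules, chosen so the script runs in well under a second."""
import hashlib
import json

DIFFICULTY_BITS = 12          # hypothetical: leading zero bits required
GENESIS_PREV = "0" * 64       # hypothetical: first block links to all-zeros


def block_hash(block):
    """Hash the canonical JSON encoding of a block."""
    payload = json.dumps(block, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def meets_target(digest_hex, bits=DIFFICULTY_BITS):
    """The 'puzzle': the hash must start with `bits` zero bits."""
    return int(digest_hex, 16) >> (256 - bits) == 0


def mine(prev_hash, data, bits=DIFFICULTY_BITS):
    """Grind nonces until the block hash meets the target.
    Returns the block and the number of hashes tried (the work spent)."""
    nonce = 0
    while True:
        block = {"prev": prev_hash, "data": data, "nonce": nonce}
        if meets_target(block_hash(block), bits):
            return block, nonce + 1
        nonce += 1


def build_chain(entries, bits=DIFFICULTY_BITS):
    chain, prev = [], GENESIS_PREV
    for data in entries:
        block, _ = mine(prev, data, bits)
        chain.append(block)
        prev = block_hash(block)
    return chain


def valid_chain(chain, bits=DIFFICULTY_BITS):
    """Every block must link to its predecessor's hash and meet the target.
    Anyone holding a copy of the ledger can run this check."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev"] != prev:
            return False
        digest = block_hash(block)
        if not meets_target(digest, bits):
            return False
        prev = digest
    return True


def choose_chain(current, candidate, bits=DIFFICULTY_BITS):
    """Node rule: adopt the candidate only if it is valid and carries more
    work (here: more blocks at equal difficulty) than what we already hold."""
    if valid_chain(candidate, bits) and len(candidate) > len(current):
        return candidate
    return current


def tamper(chain, index, new_data):
    """Edit one block without re-mining; the link/puzzle check must fail."""
    forged = [dict(b) for b in chain]
    forged[index]["data"] = new_data
    return forged


def forge_and_remine(chain, index, new_data, extra_blocks, bits=DIFFICULTY_BITS):
    """An attacker rewrites block `index`, re-mines every later block, and
    appends `extra_blocks` of his own to try to out-length the honest chain."""
    entries = [b["data"] for b in chain[:index]] + [new_data]
    entries += [b["data"] for b in chain[index + 1:]]
    entries += [f"attacker-{i}" for i in range(extra_blocks)]
    return build_chain(entries, bits)


if __name__ == "__main__":
    honest = build_chain(["A pays B 1", "B pays C 1", "C pays D 1"])
    print("honest chain valid:", valid_chain(honest))
    forged = tamper(honest, 1, "B pays C 1000")
    print("edited-in-place forgery valid:", valid_chain(forged))
    same_len = forge_and_remine(honest, 1, "B pays C 1000", extra_blocks=0)
    longer = forge_and_remine(honest, 1, "B pays C 1000", extra_blocks=1)
    print("same-length forgery adopted:", choose_chain(honest, same_len) is same_len)
    print("longer forgery adopted:", choose_chain(honest, longer) is longer)
```

The last line is the point for the banking discussion: the forgery wins only when the forger produces more work than everyone else combined. With thousands of independent miners that is impractical; with a handful of validators inside one institution the same rule gives no protection, and a permissioned ledger has to rely on the identity and authority of its validators instead of on the puzzle.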

I request representatives of Banks who are experimenting with Block Chain technology to convince me that I am wrong.

I consider that the Banks are being influenced to endorse Block Chain technology because it legitimizes Bitcoin, and hence this experiment is being supported by the global Bitcoin community.

I want the NDA Government to recognize that there is no legal basis for the claim made by the Bitcoin lobby that it should be considered a “Recognized Currency in India”.

Instead I request the NDA Government to take up with the other countries in the UN the proposition that there is a global welfare case for demonetizing Bitcoin, and that it should be treated as a “Counter Cyber Financial Terrorism Strategy”.

The total Bitcoin wealth around the world is estimated at US$ 33 billion (over Rs 2 lakh crore), and all of this is financing ransomware, the drugs industry, the illegal arms industry and the black money of politicians and others. If all this wealth is de-anonymized, all countries will benefit from its flow into the regular economy.

I hope the members of the “Committee To Advise Government on Bitcoins” are listening.

Naavi

Also Read:

Here’s why Bitcoin prices rose by 60% over a month

Bitcoin is a Speculative Asset, Not a Currency, Says Economics Professor

Despite RBI caution, Bitcoin exchange Zebpay adds 2.5k users a day in India

At Naavi.org, in the ransomware context:

  1. One more reason why there should be global ban on Bitcoins
  2. It is time for a world wide ban on Bitcoins

Beware of the Flipkart Big Sale Phishing

Posted by Vijayashankar Na on May 21, 2017
Posted in Cyber Law

[P.S.: I thank Mr Niket Popat, a security professional from Gujarat, for bringing this potential scam to my notice.]

Some time back, through our article “Jio upgrade Phishing..Jio and Hyderabad Police should act”, we brought to the notice of the public an attempt to impersonate Jio and cheat the public through a phishing site. In that article, I had provided an e-mail address and a mobile number to be investigated.

I am reasonably certain that neither the Police nor Jio itself took any action in this regard, as “complacency” and “irresponsibility” are common traits, and this is one reason India is always moving from one crisis to another. WannaCry may have passed over, but other malware will soon attack us, because somebody somewhere is negligent and releases software with a bug, or leaves software unpatched, or clicks on a poisoned hyperlink.

However, it is one of the duties of security professionals not to lose hope, and to remain optimistic that at least after repeated reminders some effective action will follow.

Now it is the turn of Flipkart and the Bangalore Police to take suo motu action on what is presented here, so that possible frauds in the name of Flipkart can be prevented.

We have here evidence of preparation by some fraudsters to commit a fraud by impersonating “Flipkart”. We also have proof that this is a case of impersonation, punishable under ITA 2000/8 as a cognizable offence under Sections 66C and 66D with up to 3 years’ imprisonment. It is also a matter of business prudence: if some of these frauds go through, it will hurt the image of Flipkart, and so it is a PR issue for the company. Further, if the frauds go through because Flipkart allowed them to, we can allege that Flipkart is complicit in the successful perpetration of the fraud by its “passive assistance”, which could be considered an offence under Section 43 of ITA 2000/8.

A fake website in the name of www.flipkart-big-sale.com has been registered and hosted by a fraudster, with a message advertising the sale of a number of popular items at throw-away prices, just like the 97% discount sale in the name of Amazon reported here some time back.

Victims may pay the money and either get no response, or get fake products, or get junk. The exact manner in which the fraud may take place is not known.

It is also possible that the site may use this offer to collect credit card details including the CVV number, then simply reject the payment and sell the information to another fraudster who uses the card credentials to withdraw money fraudulently. The victim may then not even connect the failed purchase attempt to the credit card fraud, and may find it difficult to recover the amount.

It is possible that the fraud has already started from 17th May 2017, because the website was registered on that day, and there may already be some victims. Soon there will be a number of WhatsApp messages going viral urging people to try this sale offer.

Many may think that, since Flipkart has just concluded a Big Sale, the Big Sale must still be open, and respond to this advertisement.
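The domain named above is the pattern to watch for: the brand name embedded in a longer registrable label, or the brand with a typo or a digit standing in for a letter. Below is a small detector for that pattern, added as an example for this page; it is not Flipkart’s or any registrar’s tooling. The brand list, the allowlist of genuine brand domains and the sample feed of “new registrations” are constructed for the demonstration (only the first feed entry is the domain named in the post), and the public-suffix handling is deliberately simplified.

```python
"""Flag newly registered domains that impersonate a brand (added example;
brand list, allowlist and the sample feed are constructed for the demo)."""
import re

BRANDS = ["flipkart", "amazon"]                                      # constructed
LEGIT = {"flipkart.com", "flipkart.net", "amazon.in", "amazon.com"}  # constructed allowlist
# digits and symbols that attackers swap in for letters
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})

# constructed feed; the first entry is the domain named in the post
NEW_DOMAINS = [
    "www.flipkart-big-sale.com",
    "flipkartt.com",
    "fliplkart.in",
    "f1ipkart-offers.net",
    "flipkart.com",
    "bigbasket-sale.com",
    "amazon.in",
]


def hostname(domain):
    """Lower-case, strip a trailing dot and a leading 'www.'."""
    return re.sub(r"^www\.", "", domain.lower().strip("."))


def registrable_label(domain):
    """'www.flipkart-big-sale.com' -> 'flipkart-big-sale'. Simplification: the
    last label is treated as the whole public suffix, so 'co.in' is not handled."""
    parts = hostname(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a, b):
    """Levenshtein distance; catches one-keystroke typos of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_reasons(domain, brands=BRANDS, legit=LEGIT):
    """Return the reasons a domain looks like brand impersonation ([] if clean)."""
    host = hostname(domain)
    if host in legit:
        return []
    label = registrable_label(host)
    normalized = label.translate(HOMOGLYPHS)
    reasons = []
    for brand in brands:
        if brand in normalized:
            reasons.append(f"embeds brand '{brand}' in '{label}'")
        else:
            for token in re.split(r"[-_]", normalized):
                if edit_distance(token, brand) == 1:
                    reasons.append(f"'{token}' is a typo of '{brand}'")
    if reasons and normalized != label:
        reasons.append("uses digit/symbol look-alikes for letters")
    return reasons


def scan(feed, brands=BRANDS, legit=LEGIT):
    """Map each suspicious domain in the feed to its reasons."""
    hits = {}
    for domain in feed:
        reasons = impersonation_reasons(domain, brands, legit)
        if reasons:
            hits[domain] = reasons
    return hits


if __name__ == "__main__":
    for domain, reasons in scan(NEW_DOMAINS).items():
        print(domain, "->", "; ".join(reasons))
```

In practice the feed would be a daily list of new registrations or certificate-transparency log entries, and a hit is the trigger for the WHOIS check and the take-down notice to the registrar that the post goes on to call for.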

The website has been registered through GODADDY.COM, LLC, a registrar accredited by ICANN. If the fraud is successful, both GODADDY and ICANN will be accomplices.

According to the registration details, the website has been registered by a person by the name Abhay Shanka, New Delhi, with the email address hx90214@yandex.ru. In all probability the address and the phone number are wrong.

According to the domain name registration rules, GODADDY cannot register domain names when the registration particulars are false.

Registration of a domain name with false particulars is itself a fraud, which GODADDY should not condone. We must remember that GODADDY is a beneficiary of this domain name registration, and hence its hands are not clean.

It may be recalled that in the celebrated “Baazee.com” case, where the company and its CEO faced criminal trial for a Section 67 (ITA 2000) offence committed by one of their customers, the fact that Baazee.com was a commercial beneficiary of the transaction was an important point that weighed against the company.

Though the information given is apparently false, if the Police are interested it is possible to investigate and identify the registrants.

We are aware that Republic TV recently brought out information on ISIS activities in Hyderabad, at great risk to the lives of its reporters, which constituted credible evidence. But the Police were reluctant to act. They registered the case and questioned the suspects, but did not take them into custody, though the alleged offences were all serious offences where life imprisonment was possible.

At the same time, the Police in Karnataka are known to have recently arrested an auto driver for being the administrator of a WhatsApp group in which some objectionable content was posted.

So it all depends on the intentions of the particular police officer. If he is interested, the case is pursued; otherwise it is not of interest.

It is however necessary for Flipkart to take action, including immediately getting the domain name blocked by sending a notice to GODADDY. It would be better if they also file a complaint with the Police so that the matter cannot be ignored.

If Flipkart can make an example of this case and gets the persons involved in the fraud punished, then such fraudsters may think twice before tarnishing the Flipkart name again.

Will Flipkart and the Bangalore Police act and try to prevent the crime?… Let’s wait and watch.

Naavi


Zomato Data Breach.. What Next?

Posted by Vijayashankar Na on May 19, 2017
Posted in Cyber Law  | No Comments yet, please leave one

Zomato, a leading Mobile App owner and restaurant guide, has suffered a major security breach in which 17 million data sets of customers, including the name, email address and hashed password, are reported to have been lost.

Read Article here

The passwords are said to have been hashed using the MD5 algorithm, which is considered weak and has long been deprecated even in India.

Most of the customers of Zomato are Indians particularly from the high income group of IT workers who use the App on a regular basis.

It is suspected that the data lost may include the payment details which may include Credit Card and Bank related data.

This is therefore a very serious situation which, in association with the currently prowling ransomware and other malware, could create chaos in the Indian Financial Markets.

We have a real Cyber Financial Terror threat on hand and need to defend the situation in national interest.

There are discussions about what kind of liability does Zomato face under Section 43A of ITA 2000/8 for failing to provide “Reasonable Security” for the “Sensitive personal Data”. This is a legal discussion which can be kept for a post mortem analysis.

But what we now need to decide is an action plan on how to handle the crisis. This is a disaster management situation where the Private Sector, the Public Sector as well as the regulators need to come together and find solutions to first contain the damage and ensure that there is no large scale adverse effect on customers of Zomato.

There will be two kinds of Zomato Customers. Those who have downloaded the App and used it for searching the restaurants and those who have further ordered food through Zomato and made payments.

According to Zomato, all payment information on Zomato is stored in a highly secure PCI (DSS) Compliant vault and hence no payment information or credit card data has been leaked.

Zomato also claims that the passwords leaked are in hash format and hence are not easily readable, though there is a claim that MD5 hashing is not secure enough.
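To make the MD5 point concrete, the following added example (not Zomato’s code; user names, passwords and the PBKDF2 cost are assumptions) shows why an unsalted MD5 table is weaker than “not readable” suggests, and one remediation: verifying against the legacy record and rehashing it with a salted, slow hash the moment a user next logs in.

```python
import hashlib
import hmac
import secrets

# Constructed sample of a legacy unsalted-MD5 user table (values invented).
LEGACY_USERS = {
    "alice": hashlib.md5(b"summer2017").hexdigest(),
    "bob": hashlib.md5(b"summer2017").hexdigest(),  # same password as alice
}

PBKDF2_ITERATIONS = 600_000  # assumption: a deliberately slow work factor


def legacy_hashes_collide(users):
    """Unsalted MD5 maps equal passwords to equal digests, so a leaked table
    reveals which accounts share a password before any guessing is done."""
    seen = {}
    for user, digest in users.items():
        seen.setdefault(digest, []).append(user)
    return [group for group in seen.values() if len(group) > 1]


def hash_password(password: str) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; record format pbkdf2$iters$salt$dk."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Accept either record format; constant-time comparison in both cases."""
    if stored.startswith("pbkdf2$"):
        _, iters, salt, dk = stored.split("$")
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   bytes.fromhex(salt), int(iters))
        return hmac.compare_digest(calc.hex(), dk)
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)


def login_and_upgrade(users, user, password) -> bool:
    """Verify against whatever record exists; on success, replace a legacy
    MD5 record in place so the weak hash no longer lingers in the table.
    After a breach the legacy rows should also be force-reset, since the
    leaked MD5 values remain guessable until the user changes the password."""
    stored = users.get(user)
    if stored is None or not verify_password(password, stored):
        return False
    if not stored.startswith("pbkdf2$"):
        users[user] = hash_password(password)
    return True
```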

On the other hand, the Privacy Policy of Zomato says:

“We assume no liability or responsibility for disclosure of your information due to errors in transmission, unauthorized third-party access, or other causes beyond our control.”

It is doubtful that such blanket self declared indemnities are valid in law.

In the US, it is a common regulatory imposition in such cases for the organization to pick up the cost of “Data Identity Theft Insurance” for a certain period such as 2 years. (Such insurance may cost around $30 per person, and in the current instance it would be of the order of $500 million in total.) Such an insurance covers consequential losses that may arise to the data subject on account of the current breach.

In India we do not have any precedent of any organization being held liable unless an individual files an Adjudication application under ITA 2000/8.

ITA 2000/8 of course provides an option for the Adjudicator to take Suo Moto action on behalf of unnamed victims and impose a fine on an offender, but we can be reasonably certain that no Adjudicator will do so. (In the current case, the jurisdiction may fall on the Adjudicator of Haryana.)

Companies like Zomato are ignorant that there are multiple sections under ITA 2000/8 where civil and criminal liabilities are defined for lack of compliance.

While the company claims PCI DSS compliance, there is no indication of whether the Company is “ITA 2008 Compliant”. It is obvious that the company may not even be aware of the need to be ITA 2008 compliant and like many other companies, big and small, consider Indian laws with a “Chalta hai” attitude while looking at international laws with reverence.

Some are suggesting therefore that this is the time to make Zomato an example and make these companies realize their responsibilities. Naavi has a history of pursuing Banks for their negligence and has been shouting from the rooftops that Start Up companies using a Mobile App based business model should also be ITA 2000/8 compliant and should not be blinded by being certified either under ISO 27001 or PCI DSS.

Unfortunately most IT personnel in these companies do not want to take responsibility for running the business fairly and take the consumers for a ride. Professionals in such companies are often not worried, since at the first such instance they leave the troubled company and join another, leaving the promoters to go behind bars if necessary.

Promoters on the other hand are often dependent on professionals who do not take any liability for their negligence, and the promoters end up paying the price.

If CERT-In and the Police are strict in implementing the provisions of ITA 2000/8, most of these companies will find their business unviable under their current business models.

Without further hurting the already hurt Zomato, its promoters and their IT professionals, let us see how the situation can be salvaged.

Zomato presently uses a Privacy Policy and Terms which indicate its present commitments to security and which need to be reviewed. A copy of the Privacy Policy and Terms of Use is available here.

The Privacy Policy is an “Implied Contract” which is a “Standard Form Contract” and an “Unconscionable” contract. It is legally unacceptable and hence cannot be defended. This was my argument against Banks and will hold against these companies also.

We can therefore consider that the Company is likely to be held liable to prove its “Due Diligence” with the appropriate authorities and the Courts if required.

It can however be said that ITA 2000/8 compensates when a loss has accrued and not on a possibility of loss. Hence Zomato may not immediately be liable for any actual loss. There is also a lack of “guilty mind” and hence it can defend against normal criminal charges.

However, regulatory agencies may be able to persuade and it would be a good gesture for Zomato to offer a warranty to its customers in the form of “Cyber Insurance Coverage” against “Any loss that may arise to the customers of Zomato, within the next one year on account of data loss that can be directly attributed to the current breach, subject if necessary to a limit of (say) Rs 25000”. I am sure one of the Cyber Insurers can structure a policy of such nature.

Additionally, Zomato should undertake to revise its Privacy Policy and Terms to be in tune with the legal requirements in India, and also introduce a grievance redressal mechanism (which may include an Online Dispute Resolution facility similar to what is suggested at www.odrglobal.in).

As a PR exercise it can also provide some discount coupons to soften the impact to all those customers who are willing to forego the Cyber Insurance coverage otherwise offered. (Probably most would opt for this rather than wait for Cyber Insurance).

CERT-In on the other hand needs to examine the claim of the company that the critical data lost is in encrypted/hashed state and that the risks are containable. Users would do well to change at least the VBB (or its equivalent) associated with the cards they might have used in their transactions with Zomato.

Credit Card Risk managers need to create an “Adaptive Authentication Filter” by which any card used at Zomato would be flagged for additional authentication.

With such protective measures we may be able to reduce the impact of the crisis until another reckless App company brings in another crisis for the Citizens of India.

Naavi
