True Caller is abetting Cyber Frauds in India… Is it only a compromise? or Is it Recklessness?

True Caller is a reasonably popular mobile App which many mobile users in India have downloaded and installed. When the user receives a call from another True Caller user, though his name may not be in the contact list of the receiver, the receiver would get a display of the name of the person who is calling. This is meant to help the receiver to know the name of the caller when he is an unknown person outside his contact list.

When a user downloads the App, he gives permission for the App to access his contact list, which goes into a global database from which the service is delivered. In this process, the name of the owner of a mobile number is the name assigned to him by the member who shares the information.

There is no doubt that when this service was conceptualized by a techie and became a successful venture, everybody would have hailed the service as innovative. In fact it may have some positive uses also.

However, unfortunately, Cyber Criminals try to exploit every service in Cyber Space to their advantage and find various methods of using any useful and trusted service to commit frauds.

When a fraud is committed with the use of a service, the service provider becomes vicariously liable to third parties as an “Abettor” of crime. To avoid such liabilities, the service provider tries to adopt a “Privacy Policy” and “Terms of Use” to absolve himself of the liabilities through disclosures and consents.

Recently, it was brought to the notice of Naavi.org that a call was received by a user in Bangalore from one of the fraudulent entities operating as “Representatives of a Bank” and calling to threaten that the “Bank account is being deactivated… unless…”.

(Such frauds in the case of SBI Credit Cards are the most prevalent and soon it will become synonymous with the name of SBI. Just as we recognize advance fee frauds as “Nigerian Fraud”, soon we will recognize the Phishing frauds as “SBI Frauds”. I hope Ms Arundhati Bhattacharya takes note of the PR implications of such association of a fraud to SBI’s name.)

The receiver has checked the number under the True Caller database and found that it had been listed as “SBI”. This would be a reasonable confirmation to any ordinary person to believe what the caller says and act as per his instructions, leading to a classical phishing fraud. It is easy to get the name of SBI or any other Bank associated with the telephone number of the caller if one or more of the fraud associates save the number as their contact under the Bank’s name and install True Caller.

When such a fraud occurs, the responsibilities of True Caller as a service provider who provides “Caller ID” as a service will come into question. In Indian law, ITA 2000/8 provides guidelines under Section 79 for intermediaries to maintain “Due Diligence” which also includes “Reasonable Security Practice” under Section 43A for sensitive personal information and additional responsibilities under Section 72A.

If this is an unintended compromise of the service, the service provider can defend himself by initiating corrective action. If he neglects to do so, a Court can interpret this as intentional recklessness that warrants invoking the law.

SBI is well within the jurisdiction of India and hence has to recognize this potential risk of liability arising out of the operations of these call centers misusing its name. If no action is initiated by them, it would not only be a reason for holding them liable for the crime, but also for not providing adequate provisions in the balance sheet and thereby misrepresenting the financial position of the bank to the shareholders, constituting a Corporate Governance failure.

The Corporate Governance auditors of SBI are hereby given notice of the potential financial risk going un-reported in the balance sheet. Hope they will ask the right questions before they sign off on the audit.

True Caller declares itself subject to the jurisdiction of Courts in Stockholm, Sweden.

ITA 2000/8, however, overrides the jurisdictional limitation under Section 75, so that crimes committed outside India, and by persons who are not citizens of India, also come under the jurisdiction of ITA 2000/8.

Though True Caller presents its Privacy Policy and Terms of Use with several disclaimers, they can be considered as inadequate if the service is known to be used for committing frauds and the service provider has not taken sufficient steps to prevent the same.

I therefore urge the Police to initiate action against True Caller and demand to know whether they have adequate measures:

a) To prevent a user or a set of users from deliberately registering an impersonated name to a number and committing frauds.

b) To initiate a process by which the Company takes knowledge of any misuse of its service and initiates appropriate immediate counter action.
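A sketch of the kind of safeguard point (a) asks about, given as an added example that is not part of the original article and does not describe True Caller's actual system. It assumes a simple model in which the displayed name is the most common label uploaded from users' contact lists; the brand aliases, the verified-number list and all phone numbers are constructed placeholders.

```python
import re
from collections import Counter

# Constructed data: aliases of a protected brand, and numbers the brand
# itself has verified. A real deployment would obtain these from the brand owner.
PROTECTED_BRANDS = {"sbi": "SBI", "statebankofindia": "SBI"}
VERIFIED_NUMBERS = {"SBI": {"+911800000001"}}  # placeholder number


def brand_of(label):
    """Return the protected brand a contact label claims, or None."""
    tokens = re.findall(r"[a-z0-9]+", label.lower())
    joined = "".join(tokens)  # "S.B.I." -> "sbi"
    for alias, brand in PROTECTED_BRANDS.items():
        # Short aliases must match a whole word; long ones may be embedded.
        if alias in tokens or joined == alias or (len(alias) > 5 and alias in joined):
            return brand
    return None


def resolve_label(number, submissions):
    """Pick the name to display for `number`.

    submissions: list of (contributor_id, label) pairs taken from uploaded
    contact lists. Returns (display_label, flagged_for_review).
    """
    if not submissions:
        return (None, False)
    top_label, _ = Counter(label for _, label in submissions).most_common(1)[0]
    brand = brand_of(top_label)
    if brand and number not in VERIFIED_NUMBERS.get(brand, set()):
        # Crowd-sourced label claims a protected brand for an unverified
        # number: show nothing and queue the number for manual review.
        return (None, True)
    return (top_label, False)
```

The flagged result is also a natural input to the misuse-reporting process asked for in point (b), since it identifies numbers whose crowd-sourced name claims a bank's identity without verification.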

This article in public space is considered as a reasonable notice both to True Caller and the Police in India as well as SBI that True Caller service is being used as a tool of Crime in the name of State Bank of India and the Police are aware of this “Abetment to a Cognizable Offence”.

If no action is taken by any of these parties, future victims can invoke “Negligence” on the part of SBI and True Caller and make them liable under Section 79 read with Section 85 of ITA 2000/8 and other sections of ITA 2000/8.

I suppose efficient and dutiful police officers such as Dr Triveni Singh of Noida will issue notice to both SBI and True Caller to show cause why action cannot be initiated against them for abetting these Phishing frauds.

For those who receive such calls, I recommend that they immediately post their own disclaimers using the service of Cyber-notice.com and Identity theft notice under ceac.in. This is to offset the possibility that a fraudster makes such a call and then in association with an employee of the bank hacks the Bank account even when the receiver has not revealed any information.

It must be appreciated that in such cases, where a hacking is committed after a phishing call, the evidence would stack against the victim, since he cannot deny having received a phishing call but has to convince a Judicial authority that he did not reveal his identity parameters, which the Bank will assertively claim he did.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.