Journalist Nidhi Razdan duped

In a classic web based fraud, NDTV journalist Ms Nidhi Razdan appears to have fallen prey to an Internet scam according to which she was offered a position of “Associate Professor of Journalism” which prompted her to resign her job from NDTV.  Subsequently she has realized that the offer was not genuine.

This sort of fraud has been reported earlier also. In a typical fraud, the victim would receive forged appointment orders on proper letter head of a well known organization, there would even be a phone number for contact which would confirm the transactions if contacted. The fraudsters would go through the simulation of all the publicly known procedures that the organization normally adopts for such recruitment. Even the Work permits and Visa would be forged and delivered.

While providing all these preliminary services, the fraudster would collect money. In one of the cases I had come across earlier, a senior Corporate employee getting about Rs 3 lakhs salary per month in India opted to take a better offer from London. After resigning from the job and getting ready to move with his family to London, the person realized the fraud. By that time he had spent more than Rs 3 lakhs.

In the instant case, Nidhi Razdan has not revealed the financial loss she has suffered probably for keeping the information confidential for reasons of privacy. But it is reasonably expected that she would have suffered a loss of at least around Rs 5 lakhs. The financial trail of these payments are the best available means of tracking the fraud.  I presume that the money can be recovered if properly followed up.

What is however important for public to realize is that the fraudsters are so smart and sophisticated that even a well informed person like Nidhi Razdan with several personal contacts abroad who could have helped her check the genuineness of the offer fell prey to the fraud. We should welcome the public awareness being created by this incident and several senior executives seeking a job change would benefit from the knowledge they gain through this exposure.

The frauds of this kind are facilitated because of the natural psychological approach of most such senior professionals because initially they would keep the offer confidential and deal it entirely on their own. If they are financially independent, they would not even inform others even within the family before the loss starts hurting them. They would not share the information with their friends and colleagues because they would like to avoid problems in the current work space as long as possible. Thus until they are forced to submit their resignation, the information would be guarded as a secret.

In the mean time, the fraudster would take fees for verification of documents, arranging Visa and Work Permit etc. The victim would have shared his/her passport and identity details which are some times separately used to get fake identity documents by terrorists and other fraudsters abroad without the knowledge of the victim.

We donot know if any OTP for a Bank transaction is also obtained and a large amount of money siphoned off from the Bank.

I wish this will be a lesson for all job seekers to be careful whenever an “Upfront” payment is involved in such transactions.

Our sympathies are with the victim and appreciation for sharing the details with the public which would be useful for others.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Union Bank of India should learn to protect its Digital Assets

[In continuation of the previous Article]

Naavi has been advocating that Digital Assets need to be accounted for in the balance sheets of its owners. Today it is only under the Personal Data Protection Standard of India or PDPSI that a recommendation has been made to companies to bring the digital assets to the books of account.

By not accounting the digital assets in the books of account we have seen that NCLT declared Net4India bankrupt without recognizing the value of around 3 lakh sticky customers. In many web business take overs, mere “Eye Balls” (namely the number of average visitors to a website) have been valued at over $200/- (Read this old article in Fortune).

When Union Bank of India took over Corporation Bank and Andhra Bank, it inherited two websites namely www.corpbank.com and www.andhrabank.com.

Two years back, www.corpbank.com was valued at $503,200 (Rs 35 crores). (see here). According to another estimate it was worth $52000/-. (Rs 36 lakhs) The exact value may not be relevant. But the fact it had a substantial value is not in doubt. Will any prudent company throw away Rs 36 lakhs or Rs 35 crores worth assets?, when maintaining this asset ownership would have cost only around Rs 800/- per year?

Unfortunately, Union Bank of India has done just that. They have thrown away this asset without understanding its value. Similarly www.andhrabank.com also had a value, may be to a lesser extent.

After the merger, Union Bank of India has not renewed the domain names corpbank.com and andhrabank.com. As a result the two domain names have now been registered in the name of net4solutions and godaddy respectively.

Very shortly these domain names will be bought by Phishing scammers who will host websites which are confusingly similar to Corporation Bank and Andhra Bank respectively and successfully cheat the erstwhile customers of these Banks whose accounts will be in the Union Bank.

At that time, a valid argument of the customers would be that Union Bank of India by its ignorance and negligence failed to hold back the valuable trade mark asset of the merged banks and facilitated the phishing fraud.

The possibility of Union Bank of India failing to take note of the Digital Asset called domain names would have less if the balance sheet of Corporation Bank had shown the value of this domain name even at say Rs 1 if not Rs 36 lakhs or Rs 35 crores. Even if it had been shown as a contra entry on both the asset and liability side at say Rs 36 lakhs, the value would have remained visible.

This is the point we made in the case of Net4India.com which NCLT declared as “Bankrupt” when there was a hidden customer value of around 3 lakh X 200 Us dollars, equal to around 6 crore Us dollars or Rs 420 crores.

This valuation would be available if the concern is valued as a “Going Concern” and the value is preserved during the events such as merger or pre-insolvency evaluation. Once this is ignored, the company will revert to a “Gone Concern” status and the value will drop down to zero.

I would like ICAI to consider this and develop a methodology to bring valuation of digital assets (domain names and other assets such as personal data and non personal data) into the balance sheets.

I hereby request RBI to take note of how Union Bank has not only wasted the value of the assets taken over but also will be exposing the customers to a high Phishing Risk, which would be liabilities which have to be borne by Union Bank of India.

The Board of Union Bank of India should also check how they can atleast re-own the two domain names because there is a “Trade Mark” value associated with them which was passed onto Union Bank due to the merger.

The first thing the Union Bank has to do is to serve a notice to the two registrars and restrain them from selling the domain names to any third party. Later, they can file a buy back request and if the registrars quote an unreasonable price, the Bank should file a domain name dispute and recover the domain name immediately.

In the past, Canara Bank had a similar issue when Canarabank.com had been squatted by another person and the Bank without recovering the domain name simply adopted the Canbak.com and continued the business. After this was pointed out by the undersigned, the Bank got back the domain name through a domain name dispute process.

I am personally concerned with the Corpbank.com issue since I was personally responsible for the purchase of this domain name by Corporation Bank, create the content for the Bank’s first website and hosting it at the time they went public way back in 1997. I am also a continuing customer of Corporation Bank who has become a customer of Union Bank of India because of the merger. It is therefore sad if Union Bank does not manage its digital assets and the name corpbank.com (as well as andhrabank.com) is used by fraudsters to cheat the erstwhile customers of Corporation Bank who continue as customers of Union Bank of India.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | 1 Comment

Union Bank of India will be facilitating Phishing by Ignorance and Negligence

Union Bank of India is considered one of the better managed banks in India and RBI recently merged Corporation Bank and Andhra Bank with Union Bank. Both the merged Banks had decades of history and brand name amongst its customers. 

However, Union Bank seems to be completely unaware of the banking risks in the digital era or it is so poor as not to be able to invest around Rs 800/- on behalf of  each of the merged Banks to protect the interests of the customers of these Banks.

I wish the Chairman of Union Bank of India looks at why I am forced to make the statement that “Union Bank of India will be facilitating Phishing by Ignorance and Negligence”.

(Continued)

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Using publicly available data under GDPR

Many organizations involved in market research often collect data from publicly available sources such as Google Searches, Social media postings etc. This information is processed and some useful market information is gathered. This may also be commercially traded as market research reports.

In the light of the recent discussions on whether WhatsApp can share some of its information internally to FaceBook and whether FaceBook can use it for advertising profiling of the users has re-kindled the debate on how data protection laws need to address publicly available information.

The regulatory authorities can take the easy way out and stick to the exact narration of Article 14 of GDPR that Where personal data have not been obtained from the data subject, the controller shall provide the data subject with  certain information about the collection and the purpose etc., within a reasonable period not exceeding one month.

There is also a proviso that the restriction shall not apply where and in so far as

(a) the data subject already has the information;
(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;
(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

In the context of the above we can re-visit the decision of the Polish supervisory authority imposing a fine of Euro 220K on a company by name Bisnode .

The Company had a total of 7.5 million data records (Personal and proprietary business) and the supervisory authority expected that all of them are duly notified as required. The Company represents that it had to incur a cost of around Euro 8-9 million if proper notices are to be sent which was disproportionate to the cause. There was no issue regarding the quality of security measures otherwise adopted by the company to secure the data.

This incident raises some specific issues which require a deeper debate.

Are the GDPR authorities interested in closing down all businesses which are into market research out of the public information?

Is it not fair to consider that Data Protection is essentially giving a control to the data subject about what information he wants to keep unshared and what information he wants to share. If the data subject wanted the social media information not to be shared, then would it not have been possible for him to set the privacy settings to his posts as “Visible only to approved Contacts” rather than making it open for a search engine to parse the data?

If a data subject has taken a decision not to enforce his privacy settings, is not correct to consider that there is a “Deemed Consent” that the data can be used for purposes consistent with the disclosure as long as no adverse impact on the privacy of the person is envisaged in the processing?

In most of the cases the data may be used for statistical analysis and only part of the data subjects may need to be contacted for further use of the data such as sending a marketing message. In such cases, will a consent request only for the data subjects short listed for further communication be sufficient? is to be explored.

Also, like in the case of WhatsApp obtaining the consent of the data subject to share the data to Face Book and Face Book using it on the basis of the consent obtained by WhatsApp, would it be possible for the social media platform like Twitter to obtain a general consent which includes some thing similar to the following.

“In case the user does not restrict the visibility of the data through privacy setting, the data may be shared with search engines and research agencies subject to no automated decision making on the data subject or direct contact with marketing messages”… etc.

It is time that experts represent with EDPB for a suitable relaxation in the interpretation of Article 14 to include the legitimate interest of market research agencies.

Until such time, those companies which are directly liable under GDPR as “Data Controllers” need to prepare a DPIA and file it for pre-consultation.  If the company is a “Data Processor” then he may depend on the Data Controller to take the responsibility.

In case the data processing is outside GDPR, then there is no need to worry about Article 14 of GDPR. Companies should follow the principles enunciated in the Personal Data Protection Standard of India (PDPSI) for this purpose.

The above is towards development of Jurisprudence regarding data protection.

Comments are welcome.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

WhatsApp relegates India to the Third World of Privacy Regulation

The revision of WhatsApp Privacy Policy and Terms has brought to light why an organization which is working in a multinational environment need adopt the approach taken by PDPSI (Personal Data Protection Standard of India)  for compliance.

The first thing we look forward in a Privacy policy or the Associated Terms of service is who is the service provider? Indian law clearly defines the Privacy Consent as a “Contract” and the essential part of a contract is to identify who is entering into a contract, what kind of commitments are being given and expected, whether the contract is a “dotted line contract” , whether the contract is “Unconscionable”, what is the dispute resolution associated with the contract, what is the liability clause and what is the exit clause etc.

In terms of compliance of the data protection law we also examine if all the required points to be notified (eg Section 7 of PDPB 2019) are covered.

As we observe, WhatsApp has indicated only two versions of their Terms of Service and Privacy Policy, one applicable for EU region and another for the rest of the world. The “Rest of the World” policy is tuned to the US requirements and hence all other countries are in the third world need to follow the WhatsApp policy for the US.

There is Privacy Law already in India

It is to be noted that WhatsApp has not provided an India specific policy at present. Probably WhatsApp thinks that India does not have a Privacy law at present and they want to introduce the new policies before the Act may be passed in India so that they can take some time to implement the new laws.

We would like to point out however that India presently has “Privacy” protection obligation because the Supreme Court has recognized it as a “Fundamental Right” and some Courts (eg Kerala) has indicated that the obligation extends to private companies as well.

More importantly Section 43A, Section 72A and other sections of ITA 2000/8 already determine the data protection regulations in India and it is in operation for a long time. Though there is no Data Protection Authority with an independent mandate to monitor, affected persons (including a group of persons represented by a public interest) can approach any of the Adjudicators or any adjudicator can take up a suomoto investigation of any perceived damage to a data principal.

Since the draft PDPB represents the legislative intent in the near future, it also doubles up as “Due Diligence” and “Reasonable Security Practice” under Section 43A of IITA 2000/8 and hence WhatsApp cannot escape compliance of PDPB 2019 even if the Act is yet to be passed and there could be 89+ amendments to the original draft.

Lack of Transparency on the Entity signing the Consent

The parent company of WhatsApp service is WhatsApp Inc, 1601, Willow Road, Menlo Park, California 940025, USA. WhatsApp Ireland Limited provides the services of WhatsApp to persons who live in the EU territory. WhatsApp LLC provides the services if the user lives in any country other than EU region. WhatsApp business services are also provided by WhatsApp LLC (Refer to the separate terms here).

WhatsApp LLC is located at 1601, willow Road office while the WhatsApp Ireland limited is located at No 4, Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

It has six locations, including two in India at Hyderabad and Gurugram, one in Dublin, Ireland, one in London besides two in USA (Menlo park and Austin).

There are registered companies like WhatsApp Africa LLC also registered in USA. In payment services, WhatsApp may use the services of Facebook companies making the maze of companies more complex.

As is common with Facebook, it is not easy to find out the physical location of Whats App offices and the “Transparency” aspect of Privacy compliance fails miserably at this stage itself.

It is not clear if WhatsApp’s two offices in India are considered only “Development” or “Marketing offices” and have legal divisions or Data Protection Officers or the Grievance Officer under ITA 2000/8. It is a reasonable presumption that there is no designated “Grievance Redressal Officer” and the company is not presently in compliance with ITA 2000/8.

India Specific Privacy Policy/Terms are absent

It is natural that WhatsApp has to adopt policies to be in compliance with US laws where it is the group head quarters . As regards the EU region, it is fine to adopt the policies from the Ireland office.  But not adopting policies relevant to India is a show of arrogance.

Considering that WhatsApp wants to expand its business in India, and is fully aware of the JPC’s views when they met them recently, it appears that WhatsApp did not give too much of value to the Data Sovereignty rights of India and thought it reasonable to ignore India reference in its new policies.

Presently WhatsApp has plans of expanding its operations in India with health insurance and micro-pension products through tie ups with licensed financial services players. It is presently set to partner SBI General to launch health insurance and HDFC Pension to make available NPS products on the App platform. The company is already live on the UPI platform with 4 Banks (SBI,HDFC Bank, ICICI Bank and Axis Bank) and 20 million users.

This partnership provides enough opportunity for WhatsApp to get the benefits of the service with the legal obligations being borne by the Indian banks.

Given these expansion plans, India expected WhatsApp to recognize the existence of our sovereign rights in terms of Privacy or Cyber Security when it thought of revising its Privacy policies with effect from 8th February 2021 which could be after or a few days before the Personal Data Protection Bill in its final form would be presented to the Parliament.

A question therefore arises whether these policies will be compliant with the proposed Indian laws or is set to become operative just before the Act comes into effect so that they can claim some privileges as a legacy policy before the Act came into existence.

A question therefore arises whether these policies should be compliant with the proposed Indian laws and if not should the licensing authorities like RBI and IRDAI withdraw their provisional approvals.

Dispute Resolution

We did briefly discuss the Dispute Resolution Clause yesterday and we can add some additional points today.

The dispute resolution issues are covered in Terms of service and not directly in the Privacy Policy.

The clause mentions the following:

Forum And Venue. If you are a WhatsApp user located in the United States or Canada, the “Special Arbitration Provision For United States Or Canada Users” section below applies to you. Please also read that section carefully and completely.

If you are not subject to the “Special Arbitration Provision For United States Or Canada Users” section below, you agree that any claim or cause of action you have against WhatsApp relating to, arising out of, or in any way in connection with our Terms or our Services, and for any claim or cause of action that WhatsApp files against you, you and WhatsApp agree that any such claim or cause of action (each, a “Dispute,” and together, “Disputes”) will be resolved exclusively in the United States District Court for the Northern District of California or a state court located in San Mateo County in California, and you agree to submit to the personal jurisdiction of such courts for the purpose of litigating any such claim or cause of action, and the laws of the State of California will govern any such claim or cause of action without regard to conflict of law provisions. Without prejudice to the foregoing, you agree that, in our sole discretion, we may elect to resolve any Dispute we have with you that is not subject to arbitration in any competent court in the country in which you reside that has jurisdiction over the Dispute.

Governing Law. The laws of the State of California govern our Terms, as well as any Disputes, whether in court or arbitration, which might arise between WhatsApp and you, without regard to conflict of law provisions.

Time Limit To Bring A Claim Or Dispute. THESE TERMS ALSO LIMIT THE TIME YOU HAVE TO BRING A CLAIM OR DISPUTE, INCLUDING THE TIME TO START AN ARBITRATION OR, IF PERMISSIBLE, A COURT ACTION OR SMALL CLAIMS PROCEEDING TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW. We and you agree that for any Dispute (except for the Excluded Disputes defined below) we and you must bring Claims (including commencing an arbitration proceeding) within one year after the Dispute first arose; otherwise, such Dispute is permanently barred. This means that if we or you do not bring a Claim (including commencing an arbitration) within one year after the Dispute first arose, then the arbitration will be dismissed because it was started too late.

As regards the US and Canada users, the Arbitration shall be “Binding” and unless they opt out they would be waiving any right to have the disputes decided by other means.

Though the consent is obtained on the basis of “Click Wrap” acceptance which has no legal validity in India except as a “Deemed Acceptance”  and the terms are part of a “Standard form/dotted line form” of contract which can be considered voidable in respect of unconscionable aspects of the contract, it is better if we avoid any defense being available to WhatsApp to avoid any legal scrutiny in India.

In case  WhatsApp launches a legal proceeding in US either against an individual user or against the Indian Government, it is difficult to defend in such forums that the jurisdiction is not acceptable. We may therefore end up facing an Arbitration notice or Court notice from the US jurisdiction and spending time, money and effort in filing petitions in Indian courts to counter such cross border litigation notices.

In India, the disputes with WhatsApp may arise out of ITA 2000/8 or PDPA (Proposed). Both of the statutes provide for “Adjudication” and “Appellate Tribunals”. Hence “Binding” arbitrations will not be compatible with the law.

[It may be noted that DDMAC (Data Disputes Mediation and Arbitration Center of FDPPI) as a specialized ODR center for data related disputes has adopted only Mediation and Non Binding Arbitration and avoided binding arbitrations. ]

The terms indicate that WhatsApp can do forum shopping at its discretion and not the other contracting party. This is a typical characteristic of a dominating party to the contract imposing an one sided term on the weaker party and would be considered by Courts in India as a determining factor to adjudicate if this is an “Unconscionable” contract or not.

The other point to note in the dispute resolution clause is that it attempts to over ride the “Limitation Act” of India. This may also be considered “Ultravires” the Indian law.

In view of the above, WhatsApp contract is not an admissible contract and an admissible consent under the Indian law.

It would have been better if WhatsApp had consulted organizations like FDPPI before such a major step is taken which could result in flight of many users to alternate messaging apps including some which may come up from India itself. 

The PDPSI Approach

Had WhatsApp adopted the PDPSI approach , it would have realized that the compliance program and the Privacy Policy has to be developed separately for different applicable law. In that case, there would have been a different Privacy Policy and the Associated Dispute Resolution Policy. By adopting a policy which may be in compliance with GDPR or the US law and assuming that it would automatically accepted under the Indian data protection law, WhatsApp has made a mistake.

Hopefully WhatsApp would correct the same. Otherwise the call from Privacy Professionals in India would be to “Switch From WhatsApp”.

Naavi

Previous Article: WhatsApp needs to change its jurisdiction clause

Print Friendly, PDF & Email
Posted in Cyber Law | 1 Comment

WhatsApp needs to change its Jurisdiction clause in the Terms or else, exit from India.

WhatsApp has announced a new Privacy Policy and Terms of use effective from 8th February 2021. Since then there have been a series of debates in the media about the impact of the change and how should users react. Most of these discussions are on the “Privacy Policy” and not on the “Terms of use”.

The objections have been on whether WhatsApp will have access to the User’s content and share it with Face Book. 

A brief review of the policies is attempted here for opening up more discussions.  It is not easy to decipher the privacy policies of any large MNC like WhatsApp or even Google or Twitter since there could be many  subtle wordings which can be technically and  legally interpreted in different ways. 

We also have to recognize that WhatsApp has created two different sets of policies, one offered by WhatsApp Ireland Ltd to the EU region and the other by WhatsApp LLC  to other countries . Except for the ownership of the service, there does not appear to be any difference between the two policies. This is either a mistake or perhaps WhatsApp thinks that the world outside EU has no importance and hence any policy will do.

Perhaps WhatsApp will realize that countries like India are conscious of the data sovereignty principle and will not tolerate this arrogance.

The Privacy Policy and the Terms of Service have to be read together.  There appears to be more contentious issues in the terms of service rather than the Privacy Policy as explained below.

A: Privacy Policy

The Privacy Policy consists of the following 12 sections.

1 Information We Collect

2. How we use Information

3.Information you and we share

4.How we work with other Facebook companies

5. Our legal basis for processing data

6. How we process your information

7. How you exercise your rights

8.Managing and retaining your information

9.Law, our rights and protection

10.Our Global operations

11.Updates to our policy

12.Contact Us

The policy appears to cover most of the requirements of a Law Compliant Privacy Policy though we cannot say that it is in “Clear and Precise ” format.

A couple of key points of the privacy policy are discussed below.

  1. Is there a Discrimination in refusing the service if permissions are not given?

In analyzing the Privacy Policy and commenting if it is acceptable or not, we must appreciate that WhatsApp is a private business of FaceBook and its commercial interests cannot be wished away.  We can only comment on whether there is transparency in the Privacy Policy as notified and the company does not deviate from what is stated in the policy. The right of the company to modify the policy need to be also recognized though we can expect a reasonable notice whenever major change occurs in the policy. Presently a notice of one month has been given and this need to be maintained in the future also.

In order to recognize the rights of WhatsApp to set pre-conditions with a right to reject the service if a certain information is not provided, we must recognize the nature of the WhatsApp service and the “legitimate Interest” built into it. According to its mission statement, WhatsApp started as an alternative to SMS and it now supports sending and receiving a variety of media: text, photos, videos, documents, and location, as well as voice calls.

As we understand, WhatsApp is a “Platform”. It enables a person to send a message to another provided they have downloaded the App in their device and subscribed to the service. Additionally in a “Group Communication”, one to many messages are sent to the WhatsApp server which distributes it one by one to all the members of the closed group. In this context, WhatsApp server is an agent to hold the content until it is downloaded by all the members within 30 days etc. The members of the group are collectively responsible as owners of the group. At present the “Admin” has only limited powers of admission or removal of members but has no powers to delete content posted. The member who posts the content to the group is the sole owner of the message  and make it disappear or remove it within a certain time. This reiterates the status of the service that WhatsApp is a messaging service from the sender of the message to the receiver. The server provides certain intermediary services. The Admin has no role in the transmission of the message. 

Hence it is the WhatsApp subscriber who has a contract with WhatsApp both for sending individual messages as well as to to form and participate in a group messaging activity. The Privacy Policy and the Terms of service are parts of this contract formation.

If therefore the terms of the contract is not acceptable to either of the two parties, there is nothing wrong in the service being not made available. Whether this can be brought under “competition Act” can be debated. But since there are multiple other services of similar nature, it is unfair to bring the service within the provisions of the Competition act and call the right of WhatsApp not to provide a service if the Privacy policy is  not accepted, as “Discriminatory” in terms of the Data Protection laws.

2. Information Collection and Storage

The information collected by WhatsApp is declared as specific to the “Options” used by the user. Hence it is declared as purpose specific. The mobile number and maintenance of log records of the use of the App therefore is directly related to the messaging service and hence within the rights of WhatsApp.

The “Storing” of the information in the servers for the intermediary period when it is yet to be downloaded by the receiver does not mean that the server is reading the information though technically this is possible even if it is in encrypted form. Encryption will prevent third party access but if Whats App really intends  to read the message, they can always simulate either the sender’s phone or the receiver’s phone and use the keys to decrypt it. However this is an unreasonable suspicion and unless there is any evidence of the same, should not be considered as a possibility. 

From the policy it appears that WhatsApp has two storage policies one for the Media and the other for the text message sent. The text part gets deleted from the server after delivery but the media remains in storage in an encrypted form to enable forwarding of the same. The company has a justification for this storage from the technical point of facilitating the forwards. When a forward occurs, this prevents the entire data related to the media travel again from the forwarder to the server. If the forward is to multiple persons, it will save on data transfer substantially. The media is held in the WhatsApp server not permanently but for a certain time so that forwards within this time span would save on data transfer.

Hence storage both from the point of view of maintenance of encryption and temporary storage can be considered legitimate. Criticisms in this regard is not sustainable.

3. Sharing of Information

The policy suggests that WhatsApp access, preserve and share certain information. This however refers to the information that is collected from the account holder such as the account information., messages (in encrypted form ) during the interim period when it is being held for deferred delivery, and meta data associated with the use of the services. 

There is nothing in the policy to suggest that the message content will be read by WhatsApp and used for profiling etc. 

In case the WhatsApp payment system or Contact upload feature, the users may be sharing more information related to the specific service. 

4. Legitimate Interests

The policy declares that legitimate interest relied upon includes provision of accurate and reliable aggregated reporting to business and other partners and statistics on performance, need to demonstrate the value the partners realize etc. 

It also states that Facebook products may be marketed to the users for direct marketing. This indicates that there could be “Advertising” messages sent to the users similar to Twitter inserting advertising in between messages. 

Prevention of fraud, securing against spam, abuse etc are also stated as a reason to use information under legitimate interest. 

Policy indicates that Pubic interest could also be a legitimate interest.

B. Summary views on Privacy Policy

At first glance therefore the policy does not seem to raise grave concern. It is possible that the company may draw a profile and use it for advertising but that is only to be expected as a revenue generation method unless the service becomes a paid service.

Since India is coming up with its Data Protection Law shortly, once the final version of the law is ready, we may review the Privacy policy to check if it is in tune with the requirements.

The Privacy policy appears to concede the requirements envisaged in the Indian law regarding providing tracking information when required by the law enforcement.

Perhaps remaining compliant with the Indian law could be one of the reasons for which the Privacy Policy was revised before the Indian Act is likely to be effective.

However, the policy is to large to be considered as easily comprehensible by an ordinary user of the service. Businesses should find a way to simplify their Privacy Notice to the public while keeping a more legalistic and verbose policy for internal use. Otherwise public will need expert interpreters to certify if a Privacy Policy is compliant with the requirement of law and meets the principles of Privacy protection. 

Terms of License

The terms of use however has some aspects which may cause some doubts in the minds of the users.

Fore example in the paragraph “Your license to WhatsApp”, it is stated as follows:

Your License To WhatsApp. In order to operate and provide our Services, you grant WhatsApp a worldwide, non-exclusive, royalty-free, sublicensable, and transferable license to use, reproduce, distribute, create derivative works of, display, and perform the information (including the content) that you upload, submit, store, send, or receive on or through our Services. The rights you grant in this license are for the limited purpose of operating and providing our Services (such as to allow us to display your profile picture and status message, transmit your messages, and store your undelivered messages on our servers for up to 30 days as we try to deliver them).

Though at first glance this appears to indicate that WhatsApp may use the content for its own purpose, the issue is more related to IPR rather than Privacy. Also if the content is encrypted before it is shared by the user with the company, unless it is decrypted, it cannot be used in raw form by WhatsApp. The mention of “Limited purpose” indicates that there is no intention of creating “Derivative Works” from the user’s content and use it commercially though an “Enabling feature” has been wrote in.

Probably WhatsApp will be answerable for IPR violation if the user content is used for creating revenue generating product.  

The statement that “WhatsApp does not claim ownership of the information” further corroborates the status that the content is owned by the user. 

If WhatsApp tries to make derivative works out of the user’s content, they will also lose the status of an “Intermediary” under ITA 2000 and hence cannot claim any immunity for crimes that are committed with the service.

If WhatsApp claims absolute rights to use the content, then they will have to admit knowledge of the content which will make themselves liable for any drug related conversation or other offences using the WhatsApp messages. 

It would therefore be advantageous for WhatsApp to claim that they are not aware of the encrypted content and they don’t use them for any of their purposes. This is evident in the terms also.

The terms of use also take into account the disclaimers expected under the ITA 2000, Section 79, Intermediary rules.

As can be expected there is a disclaimer that “WhatsApp does not accept responsibility for losses” if they have exercised due diligence.

The Dispute resolution clause is not properly constructed in the policy since the both the policy applicable to EU and other countries seem to state that in countries outside EU, the applicable law is that of Ireland. 

This will not be acceptable in India. The amendment to the ITA 2000 intermediary rules as well as PDPB will ensure that WhatsApp is declared as requiring to open a separate Indian office and be considered as a Significant Data Fiduciary. At that time, WhatsApp will need to get itself licensed from the regulator and it may be refused a license to carry on its business unless the applicable law of India and jurisdiction of Indian Courts along with ODR usage is brought into the terms. 

Even the RBI needs to take a look at this since it is responsible for letting WhatsApp to handle payments. 

This will happen to be the most contentious issue of the terms of service/Privacy policy which needs to be addressed by WhatsApp. We may recall here that the Kerala High Court did pass adverse remarks in the Sprinklr case that the Kerala Government had accepted the New York Jurisdiction without proper evaluation of the terms of service.

Summary Views on the Terms of Service

The applicable law and Jurisdiction clause of the Terms are not compatible to Indian legal environment.

The RBI should take steps to withdraw the permission given to WhatsApp for running the payment services unless this clause is changed immediately.

Meity has to issue a notice to WhatsApp under Section 79, that the Jurisdiction clause which is part of this “Implied Contract” between the user and the WhatsApp is not valid in India and it shall accept the jurisdiction of the Courts of India at the residential place of the user as evidenced by the SIM card information.

Also under the PDPB, WhatsApp needs to provide a grievance redressal system which is more data principal friendly by incorporating an ODR facility to resolve grievances. The DPA is yet to come into existence and until that time, Section 43A , 43, 72A, 67C, 69,69A,69B, 70B and other provisions of ITA 2000 will be applicable to WhatsApp and compliance of ITA 2000/8 is necessary to be demonstrated by WhatsApp. 

CERT In should issue a notice to WhatsApp for an assurance that it is ITA 2008 compliant. 

It is open to any interested parties to file a PIL to force WhatsApp to change the Jurisdiction clause if it has to maintain the payment services and operate in India.

It is also a great opportunity for an indigenous messaging app developer to introduce an equally efficient app and  there will be lot of support from India.

(Comments Welcome)

  Naavi

 

 

Print Friendly, PDF & Email
Posted in Cyber Law | 3 Comments