Flipkart Flash Sale Fraud… How to respond?

Today, I got a WhatsApp message about some attractive offers titled “Flipkart Big Freedom Sale Offers”. The order placement URL was given as http://flipkart.flash-sale-offer.com. To complete the sale, the requirement was that the message had to be shared with at least 8 WhatsApp friends/groups. Registration with the address of the person was also required.

Last year we had published an article titled “Amazon 97% discount Fraud.. Police in Kanyakumari.. please arrest Mr Anil Kumar”, in which the registrant’s full particulars (not sure if it was a fake address or a real address) were published on our website. We had urged the Police to take action against the fraudulent person.

As usual, everybody ignored the “Attempt to impersonate a Company” which could lead to cheating. Police remained quiet because Amazon did not file a complaint, and that fraud has now resurfaced as a Flipkart fraud. In between we have seen many such fraud attempts which every one of our regulators has ignored.

At the same time, when there is a “Copyright issue” regarding a Film to be released, even Courts jump in and hundreds of websites get blocked without even considering whether the site is guilty or not. Our ISPs as well as the Ministry readily cooperate in the request to ban such websites.

Why is it that the regulators are willing to act when there is a risk of a Film producer losing money if a film copy is released on the Internet but are not concerned when a citizen of the country could be defrauded?

I would like an answer to this from the Ministry of Information Technology.

Now, people who are aware of the domain name system know that “Flipkart.flash-sale-offer.com” is a sub domain of “flash-sale-offer.com” and may not officially belong to Flipkart. However, not everyone knows this, and if a familiar name appears at the beginning of a domain name, they trust that it belongs to that company.

Another interesting thing observed in a mini survey of perceptions I did on this Flipkart incident was that some people identified the site as probably fake not because of the “Sub domain” concept but because the protocol was “http” and not “https”. This indicates that a perception is building up that all “https” sites are reliable and, by contrast, an “http” site is not reliable. If this helps the fraudster, he will readily create https sites instead of http sites and continue the fraud more successfully.

(P.S: I presume some of the visitors to naavi.org might have observed that the WordPress site is now under the https protocol so that those who think it is more secure may feel comfortable.)
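The sub domain point above can be checked mechanically: find the name that was actually registered and see whether the brand appears only to the left of it. This is an added example, not code from naavi.org; the small suffix table, the brand table and the URLs other than the one quoted in the article are assumptions made for the demonstration.

```python
from urllib.parse import urlsplit

# Assumption: a tiny suffix table for the demo; production code should load the
# full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "in", "org", "net", "co.in"}

# Assumption: each brand mapped to the registrable domains it actually owns.
OFFICIAL = {"flipkart": {"flipkart.com"}, "amazon": {"amazon.com", "amazon.in"}}


def registrable_domain(host):
    """Return public suffix + one label: the name that was actually registered."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None                               # bare suffix, IP address, unknown TLD


def assess(url):
    """Say who controls the host in `url` and which brands it merely borrows."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    owner = registrable_domain(host)
    borrowed = []
    for brand, domains in OFFICIAL.items():
        if brand in host and owner not in domains:
            # Brand text outside the registered name is a free-form subdomain
            # label: anyone who owns `owner` can create it.
            place = "registered name" if owner and brand in owner else "subdomain label"
            borrowed.append((brand, place))
    return {"scheme": parts.scheme, "controlled_by": owner, "borrowed": borrowed}


if __name__ == "__main__":
    # The first URL is the one quoted in the article; the others are constructed.
    for u in ("http://flipkart.flash-sale-offer.com",
              "https://flipkart.flash-sale-offer.com/order",
              "https://www.flipkart.com/offers",
              "http://flipkart-flash-sale.co.in"):
        print(u, assess(u))
```

The verdict for the http and https variants of the same host is identical: the scheme says how the page is transported, not who controls the name.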

Can GoDaddy be held liable?

Now, flash-sale-offer.com has been registered with “GoDaddy” as the registrar, which happily helps the registrant hide his information under the false pretext of “Privacy”.

It appears that the name of the registrant is Kumar Singh which indicates that an Indian could be behind this fraud. The domain name was registered on 29/7/2017.

GoDaddy will have other metadata that could help the Police identify the person who registered the domain name.

If, therefore, the Police serve a CrPC notice on GoDaddy.com, more information on the registrant could be obtained from log records both around the date of registration and subsequently. The forms completed by the respondents to the message will also land at the hosting server, which could also be with GoDaddy. Hence identifying the registrant is not difficult.

If GoDaddy does not co-operate and provide the details, the Police can take criminal action against GoDaddy and stop (or threaten to stop) their lucrative business in India, and hence hiding behind its client’s privacy rights is not a choice for GoDaddy.com.

In fact, if we check the domain name registration contract with GoDaddy.com, it would have a clause that no registrant is permitted to register a domain name infringing trade mark rights or for committing a fraud. A similar clause will also be there in the hosting contract. Hence they can cooperate with the law enforcement request without being subject to any counter legal action by the registrant on GoDaddy.

Hence once GoDaddy is served a notice they should not only be able to close down the site but also provide the details to the Police for further action.

By the time I am writing this article in the evening, Malwarebytes on my computer has already blocked this site but on my mobile browser the site is still opening.

What Should Flipkart Do?

In this context, I would like to also raise an issue on what should be the response that we should expect from Flipkart in such a situation. Presently, I see that Flipkart is completely silent on the issue. I do not see even a notice on their website that such a fraud attempt has been reported and genuine users of Flipkart should not respond. They also could have sent a message to all their registered customers and alerted them. They could have tried to get the site down and filed a criminal complaint so that not only this attempt could be foiled at the earliest but future attempts of similar nature could be prevented.

Many would ask why Flipkart should take the trouble of taking action on such incidents.

However, I consider this as a “Due Diligence” requirement of Flipkart under Section 79 of ITA 2000/8. In fact my own thinking is that Flipkart should have a mechanism by which registration of domain names which could use their names in committing a fraud should be monitored. In the present case, since this is a “Sub domain”, the registration of “Flash-sale-offer.com” on 29th July 2017 could not be immediately linked to Flipkart. But at least today morning when Flipkart came to know of this fraud attempt, they could have taken some action that they could justify as “Due Diligence”.

We can recall that in the 2004 baazee.com case, when a video named “DPS-MMS Video” was put up for sale on the platform, I was one of the persons who said that not having a “search engine within the server to scan the products on sale and filtering it on names indicating goods which are illegal” was a failure of the “Due Diligence” of the company. (At that time, the public knowledge around the DPS-MMS video was sufficient to classify it as an objectionable property that should not be allowed for sale). Consequently we saw that the CEO of the company and one GM had to fight a legal battle for nearly 8-10 years to stave off a 5 year imprisonment charge.

If we go by that precedent, we can say that people who suffer loss of money through fraudulent sites in the name of Flipkart may blame Flipkart for lack of Due Diligence.

It is therefore considered prudent for Flipkart to at least show that they are interested in protecting the interest of their customers by sending out a message to all their existing customers and putting up a note prominently on the home page of the site so that everybody visiting the site is informed.

Flipkart could have also requested its customers to immediately kill any social media messages that were wrongly issued in the name of the company by posting a counter statement.

Even now it should be possible for Flipkart to send a notice to GoDaddy and a few prominent domain name registrars (if possible all of them) that if there are any registrations of domains or sub domains in the name of Flipkart, Flipkart should be immediately informed (like filing of a caveat).

There could be opposition to such suggestions, but legally, if a prior notice has been given, it would be difficult for the registrar to ignore such notice and act as if they do not know that a well known brand such as “Flipkart” exists.

Carrying this argument further, just as we have a “Bug Bounty” program for software companies, companies like Flipkart should introduce some kind of incentive for at least a few people who report such incidents to the Company, say the first 5 persons who alert the Company about such websites. It would be like incentivising whistle blowers who bring such incidents to the knowledge of a company.

At present no company in the world has been taking such measures. But somebody can be the first to take such a Netizen friendly step. It could be Flipkart if they are alert to the PR benefits of such a move.

Lookalikes.in Service

Way back in 2002, Naavi had filed a patent for a service which is presently showcased under “lookalikes.in”.

The concept was that if there are similar looking domain names, both of which are genuine, both can co-exist if they display a mutual disclaimer that “I am not that website”. It was suggested that this could be run as a trusted third party service which maintains a database of similar domain names which can cause “Consumer Confusion”. It was suggested that the service provider would run a continuous search of newly registered domain names to identify conflicting domain names similar to its clients’ names so that appropriate remedial action could be taken if required.
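The continuous search described above can be approximated by screening each newly registered name against a client's brand. The following is an added sketch, not the lookalikes.in service or any registrar's code; the feed entries, the character-substitution table and the distance threshold are assumptions.

```python
import re

# Assumption: digit swaps commonly used to imitate a name.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(domain, brand, official, max_dist=2):
    """Return why `domain` could be confused with `brand`, or None."""
    domain = domain.lower().rstrip(".")
    if domain in official:
        return None
    # Feed entries are registrable domains, so the first label is the name.
    name = domain.split(".")[0].translate(FOLD)
    words = re.split(r"[-_]", name)
    if brand in words:
        return "brand used as a word"
    if brand in name:
        return "brand embedded in a longer name"
    if any(edit_distance(w, brand) <= max_dist for w in words + [name]):
        return "near spelling"
    return None


def scan(feed, brand, official):
    """Map each flagged domain in the feed to the reason it was flagged."""
    found = ((d, screen(d, brand, official)) for d in feed)
    return {d: why for d, why in found if why}


# Constructed feed of newly registered names (not real registration data),
# plus the parent domain named in the article.
FEED = ["flipkart-bigsale.com", "fl1pkart.in", "flipkrat.com", "myflipkartdeals.in",
        "gardenkart.in", "flipkart.com", "flash-sale-offer.com"]

if __name__ == "__main__":
    print(scan(FEED, "flipkart", {"flipkart.com"}))
```

The scan does not flag flash-sale-offer.com, because the brand appeared only in a sub domain created after registration, so screening of this kind has to be paired with reports of the URLs actually being circulated.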

The service was not commercially exploited, but the concept remains valid till date.

ICANN and the Registrars actually are part of a global fraud because they allow registration of any domain name and pocket the revenue but leave it to the new registrant and the earlier registrant to fight out a trademark litigation. Lookalikes.in was considered a first level disclaimer service which would help in reducing the instances of conflicts of domain name similarity when more than one company had a genuine claim on the name.

Now it is time for all these regulators to join together and take such steps as are necessary to put a check on the frauds that could be committed with the misuse of domain names.

 

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.