What if I get a fake product in an online purchase?

When we order an expensive device like a Mobile or laptop online and end up receiving a package containing stones as the above unfortunate gentleman is reported to have received, one wonders how to recover the loss.

The E Commerce platform may be reluctant to take the blame as this could be a fraud committed by a courier boy who may not be traceable at all. There may also be cases where, because some fraudulent buyers have made false claims of this nature, the E Commerce platform or the merchant may not take the blame and may instead accuse the customer of not telling the truth.

There are also issues of fake products being delivered, or products of a different specification and lesser value being delivered. In some of these cases the E Commerce platform may accept returns, but in some cases it may not.

The Consumer in such cases needs to initiate other actions to ensure that his grievance is resolved.

In Indian law, every Intermediary such as the E Commerce platform needs to disclose a “Grievance Redressal Process” and the name and contact of the Grievance Redressal Officer for the website. Often, most websites do not have such contacts disclosed on the website or the App.

Most service providers display a Terms of Contract which is accepted as a “Click Wrap Contract” which is not recognized under Information Technology Act and renders the contract as an “Implied Standard Form Contract” which can be disputed in a Court.

Further, the Terms are under the custody of only one of the parties to the contract, namely the platform, and the Consumer does not have any control on changes that may be made to the terms. (Similar issues are also faced in respect of consents given on the basis of the version of a privacy policy as present on a website on the date of transaction.)

As a result of the above, pursuing the legal case in a Court of law to claim damages for the lost money would be almost impossible even if the jurisdiction is a local Court. Amazon and Snapdeal have a Court jurisdiction in Delhi while Flipkart has a court jurisdiction in Bangalore which itself makes it expensive and impossible for buyers from any other place to take legal action.

In such cases, we need the following.

  1. A Dispute resolution Mechanism which is easy to use and not very expensive.
  2. Evidence that the package did not contain the product

Naavi suggests that we should make it mandatory for such intermediaries to ensure that the Courts in the place where the purchase is made have the jurisdiction to resolve the disputes. In one of the cases related to adjudication in Chennai, Punjab National Bank had argued that the customer has to file the case in Delhi instead of Chennai since the headquarters of the Bank was in Delhi. At that time, a complaint had been made to RBI that the Bank’s license should be cancelled outside Delhi if they insist on this jurisdiction, and then they agreed to proceed with the case.

In order to render the jurisdiction in a physical location irrelevant, the disputes should be resolved with the use of “Online Dispute Resolution”. With the increased use of video conferencing even in Court proceedings, it should now be possible to use a system like the one recommended under www.odrglobal.in for online dispute resolution. This would sort out the problem of court jurisdiction to a large extent.

Additionally, Naavi has activated a service under CEAC Drop Box (refer www.ceac.in) and a new service called CEAC-EDB-Video Service to address the requirements of Evidence Collection.

The CEAC-EDB service can be used to capture the Terms of Service as well as the Privacy Policy of a Website as also the product specifications offered by the seller for sale.

Where the unboxing of the expensive item purchased has to be evidenced, an advance appointment has to be fixed with CEAC and a registrar will then make a Video observation of the unboxing and record it in his computer with a CEAC certificate.

Both CEAC-EDB and CEAC-EDB-Video can be claimed with CEAC certification within 30 days of the dropping or at such extended time as agreed upon payment of the necessary fees.

Dropping of static documents will be available free but creation of CEAC-EDB Videos will be charged. Retrieving the certified copies of both would also require payment of fees.

The fees will be quoted based on the duration of the video and the size of the files.

These twin services would perhaps be able to sort out the evidentiary problems that may be faced by victims of the E Commerce delivery frauds.

Naavi

Zoom Rivals admit their concerns

In a clear admission of their concern about losing a business opportunity, rivals of Zoom like Facebook, Google and CISCO have made statements about their latest attempts to improve their products and make them more user friendly.

See article here

If the competition improves the products in the interest of the consumers, it is fine. But the Supreme Court should realize that the case against Zoom in India is a motivated case which does not deserve to be admitted.

In the meantime, we are waiting for any Indian solutions to come up to match the requirement. Probably some solutions have been presented to the MeitY which has announced a prize of Rs 1 crore to the best indigenous video conferencing software.

It appears that those who have entered the competition might have been prevented from releasing the beta version to the market. But consumers cannot indefinitely wait for the MeitY to declare the winner. If the products are not made available, then consumers will continue to use Zoom or other available choices that suit them, and the MeitY exercise may only be of academic interest.


Naavi’s article on the subject which appeared in India Legal is also reproduced below. It is also available here;

One business that has thrived during the lockdown in various parts of the world is video-conferencing, virtual meetings and virtual collaboration solutions. Many large corporations have already installed virtual meeting infrastructure across their branch offices and were quickly able to adapt to this form of doing business by adding more individual users logging in from different locations.

A large number of SMEs and individual businesses, however, had to search for affordable and easy-to-use solutions to establish face-to-face contact with their workers scattered in different locations. Educational institutions also had a requirement to conduct classes in the virtual environment to meet their teaching deadlines. Such users found that the Zoom communications platform was convenient and affordable. As a result, its business spurted from around 10 million users to 200 million.

Companies, which had competing products and were big names in the industry, felt their egos bruised by the phenomenal success of this relatively small company. They launched a well planned attack on Zoom and the fact that it was promoted by a Chinese entrepreneur. They tried to bring down its popularity partly to get some business themselves and partly to satisfy their hurt egos.

The campaign against Zoom revolves around security issues. One issue is that uninvited persons can log into running sessions where there is no password set for the meeting or where the password is weak and predictable. As the meeting password is not considered as important as bank account passwords or similar other access environments, users tended to set weak passwords. These intrusions were highlighted as “Zoom bombings” and the possibility of corporate espionage was stressed.

Secondly, data used during corporate meetings had to move between different users and to ensure that this moved without much latency, the company maintained servers in different countries, including China. Rivals highlighted this and showed the possibility of Chinese espionage.

A third complaint raised was that Zoom claimed to have “end-to-end encryption”, whereas it was theoretically only encryption from the sender’s computer to the receiver’s. It was quite like an “https” connection and did not extend to the processes within the sender’s and receiver’s systems at the application level. This was suggested as a deliberate misrepresentation. There was also an allegation that Zoom shared some data with Facebook without the knowledge of the user and that some log-in IDs and passwords were on sale on the dark web.

As a result of these allegations, a campaign was launched to show that Zoom video-conferencing solutions were unsafe. Media, which did not understand the depth of the problem, also painted a picture of Zoom being the only software where all security flaws were found and hence its use should be discontinued. Neither the media nor others presented any better alternative. Its Chinese ownership was also a reason for some to switch to other solutions.

It was unfortunate that the home ministry became a pawn in this game of one-upmanship. As usual, a section of the media claimed that the home ministry had evaluated the Zoom application and was not in favour of its use from the security point of view. While the ministry’s concern about the use of Zoom for meetings of government officials was perhaps genuine, the unusual action of it coming up with a press release, including a set of “secure configuration guidelines” was strange. Though this notification was meant only for government departments, the media implied that it was a national security advisory. Normally, any such guidance should be the responsibility of the Ministry of Electronics and Information Technology (MeitY) and there was no need for the home ministry to step into its shoes and come up with operating guidelines on a subject in which it has no direct knowledge or expertise.

By the time this notification was released, Zoom had already attended to most of the concerns. It changed the default settings of the meetings to a higher security level and left it to the choice of the user to downgrade the security features. It also provided an option to the user to avoid servers in specific countries such as China.

Zoom bombings were due to the user’s negligence. Instructions were released to set a strong password, use the waiting room facility and to lock the meeting if needed. This could avoid unauthorised entries into the meetings. Zoom also clarified that personal data sharing with Facebook occurred because its software development kit (SDK) for log-in authentication collected information beyond the permissions required and granted. It appears to be a deliberate violation of privacy by Facebook, though there could be some negligence on the part of Zoom too.

The controversy regarding end-to-end encryption was more of semantics than anything else. Security experts say that if the encryption is not done at the application level and decrypted only at the destination, it cannot be considered as “end-to-end”. It is possible that the marketing personnel at Zoom called their encryption “end-to-end encryption” without recognizing the difference.

However, most messaging services, including popular email ones, use only transport-level encryption and not the real end-to-end encryption. Even banks in India may not be using real end-to-end security. Hence, singling out Zoom for such a mistake is unfair.

Before the home ministry jumped into the fray, it should have realized that the problem with Zoom was both of technical interpretations and user awareness. It was not an issue of fraudulent intention. The ministry was not capable of understanding the nuances of technology and should have refrained from giving the impression that it was giving a technical advisory on Zoom.

Criticizing Zoom without criticizing Facebook for misusing the consent shows prejudice. Perhaps this should be investigated as the Facebook log-in SDK of the type used by Zoom may also be in wide use in India by others. In all such cases, there could be a siphoning off of personal data beyond what has been consented to by the user. The home ministry has not revealed that email providers also use only VPN security and not end-to-end security. If so, it would have placed the issues observed in Zoom usage in the right perspective.

If Zoom had installed any malware like some Chinese applications do, then the home ministry would have had a reason to issue such advisories. But it did not consider TikTok and UC Browser type applications for a ban. This could be due to their ignorance or pressure from certain business lobbies. It is also to be recognised that Zoom has been promoted by a person of Chinese origin but is not a Chinese company. It is a US company and the promoter is perhaps now a US citizen settled there.

The ministry should also have realised that Zoom as a company is not like telecom equipment suppliers like Huawei or Chinese mobile companies. Some of these companies have allegedly preinstalled malicious applications to bring users under surveillance of the Chinese government. Even point of sale systems used for card authentication at shops and biometric devices used for Aadhaar authentication are being imported from China and the ministry should worry if these have any hidden backdoors.

The ministry appears not to have heard about Deepfake and Deepnude applications which threaten society and could create huge problems. If it was watching the web world, it would have moved to block such apps along with voice-changing apps, Blue Whale or other gaming apps which require urgent attention. It has also remained silent when larger security issues arose when Bitcoin exchanges were allowed to resume their operations, unmindful of their use in possible terror funding.

By not coming out with advisories in such cases and over-reacting to the Zoom controversy, the ministry appears to have been used by industry in a commercial war between companies. In comparison, MeitY has responded positively to the incident by trying to encourage an indigenous replacement for the Zoom software. It has announced a prize of Rs 1 crore for this.

—The writer is a cyber law and techno-legal information security consultant based in Bengaluru

Naavi

Is Supreme Court obliging business interests in admitting the Zoom petition?

In a Public Interest Litigation, an advocate has filed a petition in the Supreme Court seeking a ban on Zoom. The petition seeks a direction that the Government ban its use not only by the Government but also by the public.

It is unfortunate that the Supreme Court has admitted the petition and sent notices to the Government and Zoom.

So far, whenever the Supreme Court has been notified about the adverse impact of apps like TikTok or the Anti Society systems like the Bitcoin, the Supreme Court did not consider it necessary to respond in public interest. On the other hand it gave a completely anti establishment judgement in the case of Bitcoin and the CJI did not think of reviewing the decision.

However, it has now acted with alacrity to respond to the Zoom petition as if it is a great natural emergency during Covid lock down.

I wish the Judges would consult some independent technology specialists who are not on the payrolls of companies adversely affected by the popularity of Zoom. Otherwise the credibility of the Court is likely to be severely dented.

This petition was not worth the paper on which it was printed. It ought to have been rejected even for admission with a fine. The Court however has given undue respect to the PIL and issued notices.

At the same time, the Court has failed to issue notices to all stake holders and therefore if it proceeds with the hearing of the petition, the current users of Zoom will be adversely affected. The current users of Zoom in India are also citizens of India and have their own rights to use the software of their choice.

The Supreme Court has failed to realize that there is no compulsion for any individual to use Zoom and it is the choice of the public to use Zoom or choose any other equivalent software.

Intervention of Supreme Court is therefore only serving the business interests of the competitors of Zoom which include big names like Microsoft and CISCO. It has very little public interest objective.

It is possible that the Court might have been wrongly informed that this is a “Chinese Software” which is spying on India and this could have influenced the decision to admit the petition. This may not be the correct view since Zoom is a US Company and there is no indication that it works under the directions of the Chinese Government, as of now.

The Court might have also been given to understand that Zoom is the only software that has the vulnerabilities and every other video conference software of Microsoft or Adobe or CISCO is security wise impregnable. This is also not correct.

The Court needs to check with security professionals how often Microsoft or Adobe products are found to have vulnerabilities, whether CISCO has ever been accused of providing a backdoor to FBI etc.

Supreme Court may not be aware that Zoom provides recording of meetings as an option either on the cloud or in local computers as do others. It is a choice of the users to store it on the cloud if they want.

I would be pleasantly surprised if the advocate Wajeeh Shafiq or Harsh Chugh or their associates Nimish Chib and Divye Chugh can explain the concept of “End to End Security” and why they think Zoom’s transmission security is inferior to other similar systems including G mail and Facebook.

The petitioner advocates also need to clarify whether they are talking of “Privacy Protection” or “Information Security” and how they distinguish “Personal Data Protection” and “Corporate Information Security”. They seem to be confused.

The Supreme Court should understand that vulnerabilities are part of the software development process and the only way the consumer interest is served is to make all software developers liable for zero day vulnerabilities if any consumer suffers a loss on account of such vulnerabilities. This is feasible even under our consumer protection laws.

Zoom is an intermediary under ITA 2000 and if its platform is used for commission of any offence, it can be tried under any of the provisions of ITA 2000 including hacking, denial of access etc., and Zoom will have to prove “Due Diligence”. ITA 2000 has extra territorial jurisdiction as well as a possibility of extending the liabilities to the Zoom CEO under Section 85 of ITA 2000. Zoom CEO is in USA and the Company is a US Company and hence it should not be difficult to invoke extra territorial jurisdiction if the petitioners want.

Instead of using such provisions that are already available under the ITA 2000, the petitioners are launching a speculative attack to serve the business interests of the competitors.

The petition is therefore ill conceived and it indicates that business rivals of Zoom must have encouraged this litigation or the petitioners are doing it for publicity purpose.

Supreme Court has to show maturity and maintain distance from such business related issues.

Naavi

Back to Teaching ITA 2000 with a Cyber Jurisprudence perspective

After teaching Cyber Laws and ITA 2000 for a long long time, Naavi had moved his attention to teaching “Privacy and Data Protection” because that was the need of the hour.

The market has however come around to realize, while studying the upcoming Personal Data Protection Act, that it is after all an extension of ITA 2000/8 and replacement of one aspect of our current Information Technology Act.

Simultaneously the market is realizing that even if the passage of the Personal Data Protection Bill 2019 can be held up, the Section 43A of ITA 2000/8 or the Section 72A or Section 67C or Sections 69, 69A, 69B, 70B or Sections 85 and 79 all remain effective today and most of them will continue to remain effective even after PDPA 2020 comes into existence.

Hence the need to know Cyber Law and IT Act has got rejuvenated.

To satisfy this demand, Naavi is conducting two 12 hour courses in the next 10 days. One course will be over the weekends and will be for the members of a CISO/CTO group. The second would be a weekday course for more law oriented persons.

The Core coverage would be ITA 2008 but the emphasis could be different. While the CTOs/CISOs will receive the information security perspective of ITA 2000/8, the other group will receive a little more legal perspective.

I hope both segments will be satisfied with what is on offer.

Of course the Course has to refer to some Case studies, Cyber Crimes, Adjudication, the Digital and Electronic Signatures, Section 43A obligations of Reasonable Security or Due diligence concept under Section 79 and the Evidentiary aspects of Section 65B.

After the lock down is lifted fully, neither the participants nor I may have the same time to conduct such programs and therefore these could be unique occasions to revisit ITA 2000/8 at a time when the PDPA 2020 is likely to occupy our mind space for the immediate future.

The details of the weekday batch are available below.

Yes… It is a paid course and the payment link is here

The participants of this Course will get copies of three e-Books, one on Cyber Crimes, one on Electronic Signatures and one on Section 65B.

I invite all interested Advocates and IT personnel to take advantage of these knowledge boosting sessions.

The focus of this program is different from the Classical approach and adopts a Cyber Jurisprudent’s approach…

We will focus on this is what the law says…This was the legislative intent… Perhaps this is the best interpretation…

Even when there is a judicial verdict, we shall analyze it rather than accepting it in blind faith.

I believe that this approach will help us improve our collective understanding of the law and we all will be contributing to the development of Cyber Jurisprudence.

Naavi

P.S.: Participants would receive participation certificate from Cyber law college.

It has taken 20 years for the concept of virtual teaching to be accepted..

Naavi was the pioneer in Cyber Law Education in India. Cyber Law College itself was a concept ahead of its times and when it started its activities in July 2000 and launched its first course in Cyber Laws in October 2000, the concept of “Virtual” was alien to most. It was however necessary in the context of economy.

The first version of the program was as a “Distance Learning Course”. Then several years later the concept of video classes developed after 2005. During that time classes were conducted online on the platform of gatherplace.com and later gotomeeting and Webex with a batch of students at the other end seeing a common projected screen. Then came the individual across the screen training in Digital Signatures and HIPAA where the student/s or trainees connected either individually or collectively on their own computers. One of the successful uses of this virtual meeting was for HIPAA training for a group of medical transcriptionists in the Philippines.

With the success of these experiments, Naavi also launched the Arbitration.com (now odrglobal.in) as a video conference based online dispute resolution mechanism.

However, none of these were fully accepted by the market and they remained as experiments. While the teaching and training continued, it often involved travelling and wasteful expenditure. However, 20 years later, the Corona Virus has changed the perspective of “Virtual Meetings”. Now it is not only acceptable but also the preferred norm.

Now towards the end of the lock down period, we are observing that there are innumerable online meetings and webinars both by individuals and organizations. Naavi’s dream of carrying the College in his laptop bag has now been realized and even got further miniaturized into the mobile.

Cyber Law College moved from other video conference tools to Zoom and now more options are becoming available. We may even see some Indian version “fokuz.online” coming up with an indigenous version of a class room. Many other platforms including Tata VSNL have woken up from their slumber and are trying to enter the market without much success.

The Apnacourse.com, and the like which enabled recorded versions of the training programs to be hosted were useful but with the entry of Zoom like tools, may find it difficult to grow.

However Online Examination tools with proctoring and without proctoring are still in the nascent stages and will get integrated with the Zoom like platforms to provide a complete transformation of the education system in India.

The training material of Cyber Law College also went through the transition from the following bulky but attractive books to the current form of PDF files or Kindle books.

The books shown above which were training materials used for two of the courses reflect the relics of those days.

Subsequently CD Books were also used by Naavi both in 1999 when the printed book “Cyber Laws for Every Netizen in India” had to be supplemented with the copy of the Bill as presented in the Parliament.  Subsequently, several CD Books were released on Cyber Crimes.

Presently E Books, Kindle format have become the norm though the physical books still have retained the charm except for the difficulty in distribution.

During this fascinating journey of 20 years, Naavi also promoted the concept of “Cyber Vidya” with the vision of upgrading the teaching in Government schools with virtual teaching. The project which was discussed with the Karnataka Government at one point of time would have been a great development had it been taken up. But as usual it was ahead of its time. But its time has now come and I see some thoughts about this are floating in the market. Perhaps this dream of “Cyber Vidya” will also be realized one day.

This journey down the memory lane was triggered because Naavi/Cyber Law College is starting online courses on Cyber Law and IT Act in the next week after a gap of several years.

One of the courses will be for CISOs and CTOs and the other for Cyber Law students.

I will share more details of what is envisaged in these courses so that interested persons can take advantage of the same.

Naavi

New Course on Cyber Law from Naavi

Program conducted over interactive online sessions. Covers the entire Information Technology Act along with the Cyber Jurisprudential analysis of the law, including Digital Signatures, Section 65B of Indian Evidence Act and Legal aspects of Information Security, Cyber Crimes in E Banking, E Commerce scenario etc.

Payment for registration can be made here:

All participants would be issued participation certificate from Cyber Law College

Naavi