Uber Fraud and Faulty App Design

I reported a fraud on Uber yesterday stating that when the driver cancelled a scheduled trip, I was still charged for the same.

Since yesterday I have been pursuing the complaint on twitter and though the complaint was acknowledged, there has been no resolution so far.

I also point out that the complaint mechanism is inefficient since my issue is not clearly listed in the standard complaints and there is no proper provision for sending an e-mail complaint. According to Indian law namely ITA 2000/8, Uber is an intermediary and has to provide a “Grievance Officer” as per the requirements of Section 79. The contact details of the Grievance officer should be available on the website but there is no such information.

I would like to present here the trip details

The first picture here was taken from the Uber website and indicates in the billing that I have travelled from one place in Bangalore 560050 to another place in Bangalore 560023.

The time of departure is 4.40 am and the time of reaching is 4.58 am.

But the map shows that the icon has not moved from near the South End Circle and the trip time is 00.00.14.

The second picture below shows the bill sent to my email.

The incident points out that the Uber App is faulty and provides false information about the trips.

From the critical point of view of “Evidence”, the records give the mistaken impression that I was at two different places at the same time.

Secondly, despite the trip showing “Zero Time of Travel”, a charge was made for a trip showing a point of pick up and point of drop.

It is therefore evident on the basis of the data that a “Fraud” has been committed. The rewards have been shared between the driver and Uber. If and when I am provided a refund, the fraud may be downgraded to “Attempt to Commit a Fraud”.

From the technical view point, it is possible that the App may have a bug and if so, it is for Uber to come out and make the necessary confession that the App is faulty.

I have received information from other users with similar experience and some of them have felt that this is done deliberately by Uber under the hope that certain number of customers would not challenge the wrong debit and the company would profit from those debits even while those who complain are provided the refund.

At this point of time, this is a charge which needs to be investigated.

If Uber is honest as a technology company, it should conduct an audit of all incidents of billing where there is zero time of travel but a positive billing and identify the amount of wrongful gain they have made.

The information I have provided here is sufficient for the Bangalore Police to launch an enquiry for “Cheating” and also for the Adjudicator to take up suo motu an enquiry for wrongful gain. CERT-In should also undertake an audit of the Uber App and check if the charges made herein are correct.

Naavi

Posted in Cyber Law | 1 Comment

Uber Fraud or a bug in the App?

It was a personal observation today that an Uber driver cancelled my scheduled trip and still the amount was immediately debited to my Paytm account.

I later found out that this experience has been observed by many others who have reported it on Twitter.

I suppose Uber will refund the payment. But there appears to be a larger issue here.

It is observed that the Uber app shows the trip map where the vehicle has not moved out from its location and the time of debit was the time supposed to be at the start of the trip. Both these should have been recognized by the app to conclude that the trip did not take place and hence the debit should not have arisen.
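The two conditions described above (vehicle track that never moves, debit raised at the scheduled start time) and the audit proposed in the earlier post (zero time of travel with a positive billing) are the same detection rule. The following is an added example, not code from the original post or from Uber; the trip records are constructed to mirror the facts reported here, and the field names, thresholds and the `haversine_m` helper are assumptions for illustration.

```python
"""Added example: flag trips that were billed although the trip did not take place.

Records are constructed for illustration (not Uber data). A trip is suspect when
a positive fare was debited and any of these hold:
  * the driver cancelled the scheduled trip,
  * the GPS track covers (almost) zero time,
  * the vehicle (almost) did not move,
  * the debit was raised at the scheduled pickup time with no travel recorded.
"""
import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple, Dict

# (latitude, longitude, timestamp) GPS sample
Sample = Tuple[float, float, datetime]


@dataclass
class Trip:
    trip_id: str
    scheduled_pickup: datetime
    cancelled_by: Optional[str]          # "driver", "rider" or None (assumed field)
    track: List[Sample] = field(default_factory=list)
    fare: float = 0.0                    # amount debited, 0 if nothing charged
    debit_time: Optional[datetime] = None


def haversine_m(a: Sample, b: Sample) -> float:
    """Great-circle distance in metres between two GPS samples (assumed helper)."""
    r = 6371000.0
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


def track_duration(trip: Trip) -> timedelta:
    if len(trip.track) < 2:
        return timedelta(0)
    return trip.track[-1][2] - trip.track[0][2]


def track_distance_m(trip: Trip) -> float:
    return sum(haversine_m(p, q) for p, q in zip(trip.track, trip.track[1:]))


def audit_reasons(trip: Trip,
                  min_duration: timedelta = timedelta(seconds=60),
                  min_distance_m: float = 200.0,
                  debit_window: timedelta = timedelta(minutes=2)) -> List[str]:
    """Return the reasons a billed trip looks like a non-trip; empty if it looks fine."""
    reasons: List[str] = []
    if trip.fare <= 0:
        return reasons                   # nothing was charged, nothing to audit
    no_travel = track_duration(trip) < min_duration
    if trip.cancelled_by == "driver":
        reasons.append("charged although the driver cancelled the trip")
    if no_travel:
        reasons.append("zero or near-zero time of travel")
    if track_distance_m(trip) < min_distance_m:
        reasons.append("vehicle did not move from the pickup point")
    if (trip.debit_time is not None and no_travel
            and abs(trip.debit_time - trip.scheduled_pickup) <= debit_window):
        reasons.append("debit raised at the scheduled pickup time")
    return reasons


def audit(trips: List[Trip]) -> Dict[str, List[str]]:
    """Map of trip_id -> reasons for every trip that should be refunded/investigated."""
    return {t.trip_id: r for t in trips if (r := audit_reasons(t))}


def wrongful_gain(trips: List[Trip]) -> float:
    """Total fare collected on the flagged trips."""
    flagged = audit(trips)
    return sum(t.fare for t in trips if t.trip_id in flagged)


# Constructed sample records (assumed values, shaped after the facts in the post).
T0 = datetime(2019, 11, 20, 4, 40, 0)
SAMPLE_TRIPS = [
    # driver cancels; icon never leaves the pickup point; 14 s "trip"; fare debited at 4.40
    Trip("T-0001", T0, "driver",
         [(12.9416, 77.5655, T0), (12.9416, 77.5655, T0 + timedelta(seconds=14))],
         fare=120.0, debit_time=T0),
    # genuine 18-minute trip across town, debited on arrival
    Trip("T-0002", T0, None,
         [(12.9416, 77.5655, T0), (12.9600, 77.5600, T0 + timedelta(minutes=9)),
          (12.9768, 77.5540, T0 + timedelta(minutes=18))],
         fare=180.0, debit_time=T0 + timedelta(minutes=18)),
    # driver cancels and nothing is charged: correct behaviour, not flagged
    Trip("T-0003", T0, "driver", [], fare=0.0, debit_time=None),
]

if __name__ == "__main__":
    for trip_id, reasons in audit(SAMPLE_TRIPS).items():
        print(trip_id, "->", "; ".join(reasons))
    print("wrongful gain on sample:", wrongful_gain(SAMPLE_TRIPS))
```

The thresholds are deliberately loose (a minute, 200 metres) so that a legitimately cancelled-at-kerb trip with a short track is still caught; an operator running this over real billing records would tune them against the cancellation policy and would also reconcile the debit timestamp against the payment provider's record, since the debit time is what a user actually sees.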

Alternatively, it is suspected that this is not merely a bug in the App but could be a fraud indulged in by some drivers. If the app can be used to debit an amount X without the trip having been undertaken, it is possible that it can debit any other amount and at any other time from the linked Paytm account. When there is an immediate debit after the driver’s cancellation, we may observe the debit and report it for refund. But if the debit is made after some time, it is possible that the users may not observe the unauthorized debit.

Further if the app has a bug which can raise a debit for a trip which has not taken place, it can perhaps be also used for altering the amount of debit.

Hence this bug indicates the possibility of a serious fraud.

At the same time, I also point out that Paytm debit note did not have a provision for immediate indication of an unauthorized transaction as is required under the RBI rules.

PayTm should check and introduce the change in their SMS notification as required under the Limited Liability Guideline.

I am waiting for a response from Uber and Paytm in this regard and later would take it up with RBI.

Any body else with similar experience may kindly inform.

Naavi

Posted in Cyber Law | 2 Comments

Will the Personal Data Protection Act be compatible with the Theory of Data?

During October 2019, a “New Theory of Data” was presented in these columns. The objective of the theory was to bring a common ground of understanding between the Privacy Activists who are leading the passing of data protection regulations in India, the Technologists who are racing ahead with AI based consumer profiling and Big Data Analytics and the Business Entities who are building profitable commercial propositions with “Data and Personal Data” being the raw material.

Resolving the differences in the perspectives of these three segments of stakeholders is an essential part of bringing in a legislation which will be acceptable to a majority of people.

We already have stiff opposition from some business entities on at least one of the aspects of the legislation namely the “Data Localization”. There will be other entities like the “Digital Marketing Industry” which may have some conflicting views to be accommodated. Similarly, framers of the draft law of DISHA for the health sector have already expressed some contradictory views of their own. We therefore need to analyze the personal data protection bill when it is debated in the Parliament to discuss how it will satisfy the views of the different stakeholders.

While doing so, we shall also make a comparison with the New Theory of Data and see if some of the conflicts get a better clarity when the new theory is applied to the understanding of the data whose protection and governance we are trying to regulate through PDPA 2018 (whatever version that emerges in the parliament).

The New Theory of Data propounded three principles as three different hypotheses.

First was that “Data” is constructed by “Technologists” brick by brick through binary notations. But what we humans understand as “Data” is an interpretation of the binary notations seen through a computing device with appropriate software applications. Since the human interpretation of data depends on the technology devices, the same data may give different experiences to different people, both because the interpreting devices may be inconsistent and because the person looking at the interpretation may himself be inconsistent in his interpretations.

The very concept of “Privacy” is a concept that tries to understand the “State of Mind” of an individual. This “State of Mind” is dynamic and inconsistent. It differs from person to person and within the same person from time to time. But we try to formulate one single law that applies to all people for all times to protect their “State of Mind”. The legislation therefore has a huge challenge in bringing in “Flexibility” along with a ” Well defined Framework of Principles and Rights”.

Such flexibility needs to be available to the Data Subject (Data Principal) at the time of providing “Consent”, where different persons should be able to provide different consents to suit different purposes. The flexibility should also be available to the Data Processor at the “Data Management” stage, where the Data Processor complies with the various provisions on data security, data disclosure, data breach notification, etc.

To enable smooth compliance with the regulations, the regulators need to understand that “Data” assumes different dimensions in the hands of the data processor depending on the applied human perspective and undergoes a “Reversible Life Cycle” in which it exists in different states, from its birth when the first binary set which forms one element of the data becomes available to the organization. This could be the “name” or the “E Mail address” or the “IP address”, etc.

This single data set then combines with other data sets and forms composite data sets such as “Name with E Mail Address”, “Name with E Mail Address and Aadhaar number”, etc. The regulations need to recognize this transition from “Unidentified data” to “Personal Data” to “Sensitive Personal Data”, etc., along with the possibility of a reversal through de-identification and anonymization.

An irreversible “Destruction” ends the life cycle of data within an organization when the data is disintegrated into individual binary elements and forensically jumbled up so that they become one with the “two elements” (The Zero and One) in a chaotic arrangement that provides no meaningful data to a human being.

These concepts of the New Theory of Data have to be consistent with the PDPA provisions defining “Anonymization”, “Personal Data”, “Non Personal Data”, “Community Data”, “Corporate Data”, etc.

Similarly when a Data Processor applies his technology and creates a value added product from the basic raw data, there needs to be a recognition of the “Additive value theory of ownership” where each person/entity who operates on the data during its life cycle and builds value to the data entity is credited with ownership for the value addition.

At the same time, if the Data Principal wants to retain his right over the value addition, it has to be enabled through a mechanism whereby the consent itself recognizes that the right on the value-addition part is retained with the data principal or transferred to the data processor for a consideration.

We must recognize how the California Consumer Privacy Act (CCPA) clearly recognizes the “Right to Sell personal data”, whereas the GDPR is being interpreted as a more rigid regulation where “Selling of personal data is a taboo”.

We need to see how the Indian law will be interpreted. Whether it will take

the left extremist view, like the GDPR, where the Controller determines the means of processing based on a defined lawful basis; or

the right extremist view, where the Data Fiduciary has the right to take decisions in the interest of the Data Principal (like a “Mutual Fund Manager or a Portfolio Manager taking investment decisions for a client”); or

a “Centralist View” of a “Purpose Specific Consent” determining whether personal data can be sold, transferred, disclosed, etc. for consideration,

needs to be watched.

Let Cyber Jurisprudence on the role of Data Fiduciary on whether he is a “Controller” or  a “Trustee” be developed through the debates that follow. This will be the first of the prominent principles that needs to be established in the course of time.

Naavi

Reference Articles

The Theory of Data

Posted in Cyber Law | Leave a comment

The “New Reasonable Security Practice” under Section 43A of ITA 2000 is PDPA 2018 draft bill

Blood pressure is rising for some activists who have been opposing the present draft of the Personal Data Protection Act 2018 (PDPA 2018) with the news that the Government has stuck to its commitment by re-presenting the Bill as recommended by the Justice Srikrishna Committee.

This was first presented on July 27, 2018 but since the Parliament was dissolved, it needs to be re-presented.

In the meantime public comments were obtained by the MeitY and also some select discussions were held with some key stakeholders. The revised version could be presented now. It is unlikely that it will be significantly different from the earlier version but officially, it will be a new version which will go into debate in the Parliament.

The main opposition was from the industry, which opposed the Data Localization provisions. But the Government has re-iterated its “Data Sovereignty” principle and may not deviate much from the original draft. Without waiting for the next move of the Government, some activists are already raising their voices in opposition to the Bill, which is grossly unfair.

We urge all professionals to wait for the final bill to be placed before the parliament before making any further comments.

However,

Whereas we already have the Information Technology Act 2000 (ITA 2000/8) in place,

Whereas ITA 2000 has defined the concepts of “Due Diligence” and “Reasonable Security Practices”, and

Whereas the intention of the Government to replace Section 43A with PDPA 2018 (or a modified version) has already been indicated,

it may be considered that the current draft bill is already a “Due Diligence” requirement under Section 43A as part of the Reasonable Security Practice.

Hence PDPA 2018 may be considered as being already in place, and responsible companies cannot deny the fact that PDPA 2018 is the “New Reasonable Security Practice” under Section 43A of ITA 2000.

Naavi

Analysis of the draft bill by PRSindia


A Brief introduction on PDPA:

https://www.facebook.com/groups/1004611326222954/permalink/3039087706108629/

Posted in Cyber Law | Leave a comment

Cyber Appeals with TDSAT not affected by the Supreme Court judgement

The recent judgement of the Supreme Court Rojer Mathew Vs South Indian Bank Ltd & ors Civil Appeal No 8588 of 2019 dated November 13, 2019 has raised a doubt in some circles as to whether TDSAT continues to be the Cyber Appellate Authority.

Initial views expressed in this regard, that “TDSAT is no longer the Appellate Body to the Adjudication Officer instead of CyAT”, appear not to be supported by the judgement.

Copy of the judgement

The judgement requires a deeper analysis and contains discussion of many issues. It actually highlights the importance of Tribunals and their role in good justice delivery.

Parts of the judgement cover the discussion on Section 184 of the Finance Act 2017 insofar as it delegates the powers to lay down the qualifications of the Chairperson etc. of the Tribunals mentioned in the Eighth Schedule. This schedule covered 19 tribunals but not the Cyber Appellate Tribunal.

It was under the Ninth Schedule of the Finance Act 2018 that the Cyber Appellate Tribunal was merged with the TDSAT, which had already been formed and was regulated under the TRAI Act.

The striking down of the “Tribunal, Appellate Tribunal and other Authorities (Qualifications, Experience and other Conditions of Service of Members) Rules, 2017” does not affect CyAT or TDSAT.

Hence at present I hold the view that this judgement does not affect the functioning of TDSAT regarding Appeals arising from the Adjudicating officers.

The judgement is being studied in detail and if necessary, further clarifications will be posted here.

Counter views are welcome.

Naavi

Posted in Cyber Law | Leave a comment

An online Discussion on PDPA

Here is a copy of an online discussion on PDPA held at the office of Dakshlegal on 12th instant. It was an impromptu discussion.

A link to the entire discussion is available here:

https://www.facebook.com/groups/1004611326222954/permalink/3039087706108629/

Naavi

Posted in Cyber Law | Leave a comment