20 Seconds Mobile Hacking scare… Can We look at Solutions?

For the last few days, the YouTube video of Mr Saket Modi showing the 20-second mobile hack in a TV studio in front of the honourable Minister of IT and Law, Mr Ravishankar Prasad, with some key officials of the Government of India including Mr Sanjay Bahl, Director General of CERT-In, in the audience has been creating waves in security professional circles. (See the video below.)

Mr Ravishankar Prasad was distinctly uncomfortable that he was sharing the stage with an ethical hacker who was demonstrating the hacking of a mobile, which could create a scare among the public about the use of smartphones at a time when the PM has so many times advised villagers to use mobiles for payments.

During the demonstration, Mr Saket Modi installed an app on the demo phone, perhaps from his own website. The app asked for permissions to access SMS, the contact list, location etc., which were granted by Mr Saket himself since he was holding the mobile for those crucial 20 seconds. After this, through his laptop he was able to access the SMS, contact list and location and show them to the public. During the exercise it is presumed that the demo phone was connected to the Internet either through Wi-Fi or mobile data, as was Saket’s laptop. He also demonstrated the activation of an audio recording service on the mobile.

There is no doubt that the demonstration served the objective of sensitizing the audience about the risk of malware getting installed on their mobile either through physical access to the phone being made available to a hacker or through a malicious link being opened by the mobile user.

The risk of a “Virus” or a “Trojan” in any computing device is already well known. Whether it can be installed in 20 seconds, or more or less, depends on the size of the file to be installed and the bandwidth of the Internet connection.

It is therefore not at all surprising to note that mobiles carry a security risk. In fact every electronic device, including EVMs and Aadhar biometric devices, has risks that we need to recognize. It is for this reason that the Election Commission refused the request of AAP that the EVMs be handed over to them to show that they are hackable.

What we need to analyze is how to mitigate such risks. In this respect Saket’s demonstration fell short of my expectations.

Normally apps are downloaded from the Google Play Store or the Apple App Store. In such cases, it is presumed that apps are screened before they are allowed to be uploaded to the store so that malicious apps can be filtered out. However, except for identifying the app with the signature of the app creator as declared (who can be anonymous or pseudonymous), the app store does little to “Certify the App” as “Reliable”.

Before the app is installed, it asks for certain permissions, and if the permissions are not given, the app may not get installed.

The app needs some permissions depending on its functionality. However, most apps simply get access to several services on the phone, and there is no way Google or Apple can know how a permission will be used subsequently when they allow apps to be uploaded to their stores.

Whether an app is asking for only such permissions as it requires for delivering the services it is supposed to provide, and not more, is a matter which an ordinary user is unable to find out. At the time of downloading the app he is only interested in using it and hence will grant all the permissions sought by the app.

Some apps may require what is called “Root Access”. This is normally used when some basic hardware functions need to be tweaked by the app. Most manufacturers block root access by design and void the warranty if this block is removed. Most hackers therefore try to work within the permissions that do not require root access.

When an app is downloaded from a source other than the Play Store, it is necessary to additionally enable “Install from unknown sources” in “Settings” (unless it has already been enabled). Obviously, in this case one has to trust the site from which the app is being downloaded, and there is no assurance from the Play Store about any aspect of the app.

Once the permission(s) are granted, the app owner may use them for the functionality for which the user downloaded the app and also for any other purpose.

The best practice for app developers is to request permission each time a specific functionality needs to be used, rather than taking it once and holding it permanently. Though this may slow down operations a little, it is the best practice which should be followed, but nobody seems to realize it as of date.

Hence app owners easily misuse the permissions and commit frauds against the mobile user.

It is also possible for a malicious person to provide one functional app which the user installs and grants permissions to, and using those permissions, the app owner may install another malicious app without the knowledge of the mobile owner.

Mr Saket Modi says in his video demo that he is using only such permissions as the popular apps like Uber or True Caller use and nothing more.

His statement may be wrong in at least one respect, namely the “Audio Recording Permission”. Normally apps do not ask for this permission unless it is a call recording app. Using this permission, he demonstrated that he could activate the recorder remotely and record the sound from the room where the mobile was present. This could be your confidential conversation with your wife in the bedroom or the corporate secrets discussed in the Board room. Since this was a demo of the risks, we can ignore this misstatement of Saket’s for the time being.

Similarly, when “Permission to Access Camera” is granted, the app can maliciously switch it on and take snaps or video without the knowledge of the user. Permission to read SMS may be misused for reading the OTP sent by a bank to push through a banking transaction. Permission for reading call records etc. may not be required for most functions, but it is often asked for.

I consider that the limited purpose of the demo was to create awareness that “Smart Phones carry the risk of being hacked easily”, which puts the user at great risk. Such risks are higher when the user puts through financial transactions through various bank applications and UPI applications.

Sensing the aggressive mood of Mr Ravi Shankar Prasad, Mr Saket Modi was perhaps not very honest in saying that BHIM or other UPI apps do not carry risks of the type he was discussing. Unfortunately, once a person gets access to SMS and therefore the OTP, most of the financial applications which depend on 2-factor authentication are vulnerable.

RBI and the Government may be thinking that 2-factor authentication is great, but the way it is being implemented now is amenable to being misused very easily. In the US, OTP-based authentication has already been degraded by the Government as per its security policies. But in India we are using OTP even for Aadhar-based authentication and for the issue of e-Sign digital certificates with which contractual documents can be signed.

I would like to say that the Government has not fully assessed the risks of OTP-based authentication for Banking and Aadhar KYC, and its faith in OTP as a 2-factor authentication is misplaced.

Mr Saket Modi was seen assuring the Minister that frauds in India are about a third of what they are in the US and got special applause for the same. Either he did not know or did not want to confide that in India we do not have proper recording of frauds and hence we record only around 10 to 20% of financial frauds and ignore the others. Our statistics are therefore unreliable.

I consider that the demo was good for awareness creation, but it did not focus on providing a clear picture of what kind of solutions we need to think of to prevent these risks.

Where is the Solution?

As a solution, Mr Saket Modi spoke of an app “Unhack”, and there are many other similar apps which basically check the “Permissions Granted” to different apps and list them as risk factors. Some apps may provide you an option to revoke permissions already granted.

These apps which monitor “Permissions” do serve a purpose, but they cannot prevent the misuse of permissions granted in good faith and misused later.

If therefore we want to look for solutions, we need to prevent the misuse of “Permissions Granted”. In the demo we did not see any useful discussion of such solutions.

Mr Ravi Shankar Prasad repeatedly drew the attention of Mr Saket Modi to the Information Technology Act 2000/8 and Saket also acknowledged it.

It must be noted here that under Section 43 of ITA 2000/8, if the permissions obtained under one pretext are used for purposes other than the disclosed use, it can be considered “Unauthorized Access” and penalized under Section 43 and Section 66 of ITA 2000/8.

Indian law is robust and does not consider “Permission granted for a certain purpose” as universal consent for the receiver to do whatever he wants with the information. Hence if the app owner requires a permission for a certain functionality and obtains it, he cannot use it for any other purpose without being liable under Section 43/66.

The key to this deterrence is to bind the app owner to disclose what permissions he seeks and why he is seeking them before the installation of the app, so that if there is any misuse, he can be charged under Section 43/66.

Mr Ravi Shankar Prasad needs to look at creating a deterrence around this Section 43/66 in ITA 2000/8 by forcing the app owners to disclose the permission information. This is the solution that the Government should work on.

Saket Modi’s own solution “Unhack” is said to be a “Free App”, but it asks for permissions for In-app Purchases, Device & app history and Wi-Fi connection information.

I do not know what the purpose of these permissions is in the first place and how I can be assured that these permissions would not be misused later on.

Before these permissions are granted, the app (Unhack) does not display either an EULA (End User License Agreement or Terms of Use) or a Privacy Policy which commits the app owner to informing the user about what information is being collected, the why and how of it, the security of the information collected, etc.

It would be unfair to single out Mr Saket Modi’s application for not having proper privacy policy documentation, because most others also do not have such a policy.

During the discussions, Mr Sanjay Bahl of CERT-In referred to the C-DAC application called M-Kavach and stated that it can be used for mobile security.

When we look at this app, we note that it does present an EULA. However, the EULA provides “No Warranties” and proclaims “No Liability for Damages”, though it claims copyright protection.

It is typical of all software providers that they take it as their birthright to place a software product for public use but do not take any liability for bugs and vulnerabilities in the software.

It is unfortunate that CDAC also follows this principle, which I consider a “Fraud Against People”.

Every software developer must state that to the best of his knowledge and good faith, the software does not contain any bugs.

He should also introduce a “Bug Bounty” program and seek the assistance of well-intentioned security professionals to point out bugs if they find them, for which at least a nominal reward or recognition may be given.

We had recently pointed out this requirement while discussing the Abhinav Srivastava case. If despite this, bugs are found, it should be examined whether the disclosure was made in good faith or recklessly to mislead the users, and action initiated under ITA 2000/8.

Further, if the EULA for M-Kavach is accepted, it immediately asks for the following permissions:

  • “Permission to Manage Phone Calls”
  • “Permission to access photos, media and files on the device”
  • “Permission to access contacts”
  • “Permission to Send and View Messages”
  • “Permission to access this device’s location”

Again, there is no “Privacy Policy” for M-Kavach which might have explained why these permissions have been sought, how they are relevant to the service, how the information is secured, etc.

So it is clear that CDAC (Hyderabad) is no better than Mr Saket Modi in failing to inform the users of the app why permissions of different types are needed.

I request Mr Ravi Shankar Prasad and Mr Sanjay Bahl to ensure that no Government app is placed in public space without proper Privacy Policy disclosures following the internationally accepted privacy principles which are part of Section 79 of ITA 2000/8. Even a Bug Bounty program is considered part of “Due Diligence”, and it should be made available by the Government agencies.

Only when the Government shows the way can we insist that private app providers also follow this good practice.

Since we are discussing the safety of mobile apps which get a permission for a functional requirement and use it for a different purpose, the only way security can be provided is to bind the app owner to certain security commitments and then haul him up under ITA 2000/8 if he fails.

Safe App Certification Program

For proper implementation of this requirement, the Government may consider introducing a “Safe App Certification Program” which will ensure that

a) the App owner is known through a KYC process,

b) he provides a commitment that he has taken reasonable security measures to ensure that the app is bug-free at the time of release,

c) he provides for a bug bounty program to further crowd-source the security against bugs and vulnerabilities,

d) he provides appropriate disclosures through a proper privacy policy and EULA/Terms, and

e) he provides cyber insurance cover to the users to at least a nominal extent to cover losses arising out of vulnerabilities in the app.

For the solution to be successfully used, there is also a need for creating appropriate evidentiary support to ensure that the app owner can be hauled up under the Indian law. This can be taken care of by the Safe App certifying agency, which can also make periodical re-assessments for continuing the security certification.

The system will be like the ISI mark for manufactured products, and the certifier can digitally sign the registered app and provide a list of such certified products on the CERT-In site or the certifier’s site.
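To make the certification mechanism concrete, here is an added example (not code from this page, from Naavi, from CERT-In or from any certifier it mentions) that covers both the earlier point about apps requesting permissions beyond their disclosed purpose and the signed list of certified apps described above. It assumes a hypothetical record format (package name, version, APK digest and each permission with its stated purpose) signed with Ed25519, a hypothetical app `com.example.rideapp`, and a constructed manifest; the Go standard library signs the record and parses the manifest so an installed build can be checked for permissions the owner never disclosed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"encoding/xml"
	"fmt"
)

// PermissionDisclosure is one line of the binding disclosure: a permission and the purpose it is sought for.
type PermissionDisclosure struct{ Permission, Purpose string }

// CertificationRecord is the entry the certifier signs and lists on its site (hypothetical format).
type CertificationRecord struct {
	Package     string
	VersionCode int
	APKSHA256   string // digest of the certified build, so a different binary cannot reuse the record
	Disclosures []PermissionDisclosure
}

// NewCertifierKey generates the certifier's Ed25519 signing key pair.
func NewCertifierKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// canonical is the byte string that gets signed: the JSON encoding of the whole record (Marshal of this plain struct cannot fail).
func canonical(r CertificationRecord) []byte {
	b, _ := json.Marshal(r)
	return b
}

// Sign produces the certifier's signature over the record.
func Sign(priv ed25519.PrivateKey, r CertificationRecord) []byte {
	return ed25519.Sign(priv, canonical(r))
}

// Verify checks a listed record against the certifier's public key; any change to the package, version, digest or disclosures invalidates it.
func Verify(pub ed25519.PublicKey, r CertificationRecord, sig []byte) bool {
	return ed25519.Verify(pub, canonical(r), sig)
}

// manifest is the part of AndroidManifest.xml needed here: the package name and every <uses-permission android:name="..."/> element.
type manifest struct {
	Package     string `xml:"package,attr"`
	Permissions []struct {
		Name string `xml:"name,attr"`
	} `xml:"uses-permission"`
}

// UndisclosedPermissions parses the installed app's manifest and returns, in
// manifest order, every permission it requests that the certified record does
// not disclose. A package mismatch is an error: the record is for another app.
func UndisclosedPermissions(manifestXML string, r CertificationRecord) ([]string, error) {
	var m manifest
	if err := xml.Unmarshal([]byte(manifestXML), &m); err != nil {
		return nil, err
	}
	if m.Package != r.Package {
		return nil, fmt.Errorf("manifest is for %q, record is for %q", m.Package, r.Package)
	}
	disclosed := map[string]bool{}
	for _, d := range r.Disclosures {
		disclosed[d.Permission] = true
	}
	var extra []string
	for _, p := range m.Permissions {
		if !disclosed[p.Name] {
			extra = append(extra, p.Name)
		}
	}
	return extra, nil
}

// SampleRecord is a constructed record for a hypothetical ride-booking app that legitimately needs location and contacts; the digest is a placeholder.
var SampleRecord = CertificationRecord{
	Package:     "com.example.rideapp",
	VersionCode: 7,
	APKSHA256:   "PLACEHOLDER-SHA256-OF-CERTIFIED-APK",
	Disclosures: []PermissionDisclosure{
		{"android.permission.ACCESS_FINE_LOCATION", "show nearby drivers and the pickup point"},
		{"android.permission.READ_CONTACTS", "let the user share a ride with a contact"},
	},
}

// SampleManifest is a constructed manifest of the installed build, which also asks for SMS and microphone access that the disclosure never mentioned.
const SampleManifest = `<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.rideapp">
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/></manifest>`

func main() {
	pub, priv, _ := NewCertifierKey()
	sig := Sign(priv, SampleRecord)
	fmt.Println("certified record verifies:", Verify(pub, SampleRecord, sig))
	extra, _ := UndisclosedPermissions(SampleManifest, SampleRecord)
	fmt.Println("requested but never disclosed:", extra)
}
```

A permission-monitoring app of the kind discussed above could run the same comparison on the device, and the signed record is what would tie the undisclosed request back to the app owner.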

If we think India has to use more mobile apps for financial transactions and the vulnerabilities as demonstrated exist, the only way by which the Government can assure the public is to introduce such a “Safe App Certification”.

While the Government ponders over this thought, which I am sure will take its own time, I urge some enterprising private party to come up with such a certification, for which we can draw up certain norms and provide a kind of “Audit Certificate” to say that the App owner follows the recommended process for certification.

In the meantime, if any App owner wants to use a Certified Disclosure through the CEAC service of Naavi, they are welcome.

Look forward to comments…

Naavi

Posted in Cyber Law

Round Table on Blue Whale Challenge held at Bangalore

A Round Table was held at Bangalore in the FKCCI hall on K G Road this Sunday, the 20th August 2017, to discuss the “Responsibilities of Parents” in addressing the Blue Whale Challenge issue, in which youngsters are committing suicide across the world.

(Copy of this report in the Kannada Prabha newspaper of 21st August 2017)

Speaking on the occasion, Mr K. Ravi, President of FKCCI, highlighted the increased digitization in India leading to an urgent need for making users understand the problems arising from not being aware of technology aspects. He urged parents to spend more time with their children so that they can understand the external influences that drive children to adopt a high-risk lifestyle. Dr Shivanand Naik, a child psychologist who specializes in graphology and handwriting analysis, discussed the various behavioural traits that provide early indications of children getting addicted to a game such as the Blue Whale Challenge.

The undersigned highlighted the effects of Internet addiction behind the Blue Whale Challenge and said that the Internet is a powerful audio-visual medium that can be used by psychopaths, as is evidenced in the case of the Blue Whale game, to brainwash and hypnotize children. He said that the technique can also be used for stealing the financial information of the parents, leading to financial crimes.

As regards the means of monitoring children’s Internet habits, the undersigned cautioned that the use of spyware may lead to a total trust breakdown with children. He also indicated that children may learn to bypass the software, and further that spyware may itself be used by hackers as a tool to take over the user’s computers.

The undersigned emphasized that the parents’ role is important in identifying the “Internet Addiction” of their children, but they need to then take a pause and check if they are themselves setting a proper role model for their children and, if not, first correct themselves. He said that more than the parents, schools are better placed to take corrective action, and they should not push the responsibility only to the parents.

Naavi suggested three distinct measures for schools to follow, namely:

a) Create awareness about the dangers of Internet addiction and measures against Internet addiction through various activities including essay competitions, drawing competitions etc.

b) Use whistleblowing techniques to get information from peers about Blue Whale Challenge game usage by any students.

c) Appoint “Internet Counselors”, expert psychologists with an understanding of the Internet, who can be approached by students.

Naavi also urged NGOs to set up anonymous online counselling and work with schools to provide the required expert assistance.

Mr Phanindra of clue4evidence, who had organized the program in public interest, highlighted some of the legal issues involved in curbing the menace of addictive games like the Blue Whale. Mrs Shanti Iyer, an educationist, indicated the measures that schools can take in this regard and also urged parents to cooperate with the administration of schools in implementing the suggestions provided by the schools whenever they observe and report behavioural disturbances of their children.

The Round Table gave an opportunity to flag some of the major issues surrounding the Blue Whale problem, and hopefully there will be more such interactions of experts with schools and parents to spread awareness and mitigate the risk posed by the Blue Whale Challenge game to society.

Naavi

Posted in Cyber Law

Infosys …Why did the Board choose stock market hours to announce the break?…

In the recent controversy surrounding the resignation of Mr Vishal Sikka as the CEO of Infosys, there was one intriguing aspect of how the Board handled the disclosure of the resignation. This itself is a matter which needs to be debated to understand the motives of the different persons involved.

Infosys is known to be a stock-market-sensitive company, and therefore it was surprising to note that its Directors decided to announce the resignation of Mr Vishal Sikka right during stock market hours on Friday the 18th August 2017. As a result the Infy shares tumbled more than 12% before recovering a few percentage points before close. However, investors suffered a huge loss in the process. On 18th August 2017, shareholders of Infy lost Rs 22,519.50 crore after the sell-off triggered by Sikka’s unexpected resignation. The Infosys stock closed 9.6% lower than the previous close.

In stock markets, one person’s loss is another person’s gain. Hence there are some persons who collectively gained 22000 crores during the day.

As any prudent person would easily make out, the Board of Infosys showed an extreme lack of sensitivity to the shareholders of the Company and investors in general in making the announcement during the morning hours of Friday. If they had waited for a few hours until the Indian markets closed and before the US markets opened, or for one full day, there would have been much less damage to the shareholders, as the intervening weekend would have softened the blow.

The very fact that the Board decided to announce the resignation in the manner they did was an indication that they perhaps wanted investors to lose and high drama to be created around the incident.

It was also uncharacteristic for any mature Company or Board members to come out with a vitriolic 6-page letter personally attacking Mr Narayana Murthy, who is not only the founder of the Company but also a highly respected individual.

This showed that the Board was acting with a vengeance to discredit Mr Narayana Murthy and wanted the stock markets to fall as much as they could to dramatize the exit of Mr Vishal Sikka and blame Mr NRN for the investors’ losses.

This actually demonstrated that the Board members were immature in their approach and gave in to their personal egos more than showing expertise in “Corporate Governance”. In the process they vindicated the charge of Mr Narayana Murthy that there was a “Corporate Governance deficit” in the Board.

I wish SEBI would conduct an enquiry to understand if some persons made excessive profits due to the 10% fall in Infy shares yesterday and whether there was any possibility of insider trading.

If on some future date Mr Nandan Nilekani comes back in some form to the Company, the shares will perhaps regain all their losses of yesterday. We need to see how the announcement would be made at that time to know if the Board learns a lesson.

As an independent observer and shareholder, I am sorry to observe how the Board is treating Mr Murthy with disrespect which is meant to hurt his reputation, in the process exposing the insecurity of the Board members.

NRN’s doubts were legitimate

Mr Murthy’s concerns were genuine, and the Infy Board has been unable to explain the several controversies that indicated the possibility of imprudent decisions that siphoned off the shareholders’ money: the Rajiv Bansal severance package, the Panaya deal, the resignation of Ritika Suri.

Additionally, Sikka’s use of chartered flights, the appointment of Jayant Sinha’s wife to the Board and the salary hike granted to Sikka himself left many questions in the minds of the public, and more so with people like Mr Narayana Murthy.

Instead of addressing the issues squarely by being transparent, because the incident reflected on the integrity of the members of the Board more than on Mr Vishal Sikka himself, the Board compounded the problems by trying to hide the internal investigation report on the whistleblower’s complaint under technicalities.

Any independent corporate fraud examination expert would read these symptoms as indications of a possible cover-up operation and possibly some hidden agenda to protect other Board members.

Though the management may try to justify their actions and try to project as if Mr Narayana Murthy is responsible for all the ills, this will not carry any credibility with informed corporate observers, though most of them will remain silent out of respect for the plight of shareholders.

Presently Board members are only quoting the financial figures of the Company to say that Mr Sikka has done a great job. It is possible that Mr Sikka is a talented executive, but he belongs to the generation where ethics is the last priority of business. Mr Narayana Murthy belongs to the other end of the spectrum, where ethics comes before everything else. In such a scenario, a difference of opinion is natural, and his moving away may be the only logical solution.

But the Board cannot escape its own responsibilities, and if they have failed to protect the long-term interest of the shareholders and also taken specific imprudent decisions on August 18th that eroded shareholder value, they deserve to be subjected to an independent enquiry.

The only organization which is statutorily empowered to do so now is SEBI. If SEBI finds some issues in the Panaya deal, then there could be more serious issues involving criminal action against some of the members of the top management.

If action could be initiated against the Satyam promoters for fudging accounts, we should accept that the Infosys Board should also be open to scrutiny. The argument that an internal enquiry was held by an “internationally reputed” firm does not cut ice. We know that even Satyam had been audited by an “internationally reputed” accounting firm before it was found that the report itself was fraudulent. Since the current report of Infosys has been given by a law firm, it is likely that there would be proper disclaimers from the firm which themselves could reveal a lot. I am sure that they would not have given the report in a manner which could land themselves in trouble, but in the process made some statements which could indicate the possibility of what may be called a fraud. The Board’s refusal to make it public therefore indicates that there is something to hide.

In the past, we have seen Enron and several other firms being held guilty of fraud at the highest level. Infosys under Vishal Sikka, coming from the US culture of corporate management, cannot claim to be immune to such possibilities. The doubts raised by Mr Narayana Murthy should not be brushed away without an independent enquiry. Had Infosys been a public sector company, an investigation would have happened under a Supreme Court monitored SIT. Here at least the Board should make public the investigation report so that the public will understand what has gone wrong.

Considering however that the Board members are well connected individuals, the Government may take the classic delaying strategy and wait for the next one year for everything to cool down before making the pretense of any move to address the Corporate Governance complaints floating around Infosys.

Naavi

Posted in Cyber Law

Blue Whale Challenge… Will “Verified Facebook account” be one of the solutions?

The Government of India has issued instructions to social media sites such as Google, Facebook etc. to block links to the Blue Whale game. It is stated that some have implemented it and some have not.

Today social media accounts can easily be opened even by minors who do not have any contractual capacity. Children often do not want their parents to monitor their Facebook accounts and do not even allow their parents to be their friends. So monitoring of children’s social media activities by parents is not practically possible.

In the early days of the Internet, Yahoo Mail had a system where a minor would be required to obtain parental consent before opening an account. Such a system is no longer in existence.

Of course, even if such a restriction is imposed, it is possible that some minors may declare themselves to be adults and open an account. But when they post birthday wishes or photographs, it is possible for Facebook to identify them.

At the same time Facebook can tag an account with easily recognizable identifiers that a Facebook page is a “Minor Page” or an “Adult Page”, so that visitors can flag if the classification is inappropriate.

It is also possible for Facebook to introduce a classification of “Verified” account, so that the identity of a person is verified with some KYC document like an Aadhar number and the possibility of “Impersonation” is reduced. Facebook may retain the “Pseudonymization” if they want, but at least allow a classification where only identified persons interact. User applications such as mobile apps can then be designed to create a filter to block chatting and other content from unverified accounts to protect children.

Perhaps the Government should consider having a dialogue with the social media players to see how minor accounts can be flagged for monitoring either through their parents or through some NGOs or through filters in different applications.

Naavi

Posted in Cyber Law

The Blue Whale Challenge.. Where is the Effective Action Point for Control?

The “Blue Whale Challenge” game has been in discussion over the last fortnight in India. People have been alarmed at the deadly consequences of the Game which can take away the lives of their loved ones. There is a scramble for finding an effective solution to the problem at different levels.

There are many suggestions that are floating around on how to tackle this menace. One of the first demands is that Government has to “Ban” the game. There is also a demand that ITA 2000 has to be amended to regulate this (and may be other Games). There is also a demand that Parents need to monitor their children and also for Schools to educate the children.

The Government of India appears to have sent a request to some of the large Internet intermediaries like Google, Microsoft and Face Book to remove links to the game under their control. The measure is welcome but is not going to be sufficient since the spreading of the game is often through private chats and links can always be hidden with alternate names. It is also reported that variants of the game are emerging and therefore the removal of some of the links from Google or Bing Searches would not suffice. We can also observe that in many of the articles there are comments in which links are on demand. There is both curiosity as well as a demonic attraction for the game.

The efforts of the Government are therefore only a short term effort and will have to be supplemented by other measures from other stake holders.

Changes in law is a long term measure which cannot help us now. But the existing laws themselves may be good enough to bring some control if people really understand the essence of the law and how to interpret them. The regulators may need to remind the intermediaries about their responsibilities under Section 79 of ITA 2000/8 which are strong enough to bring some sense of responsibility in them.

There are ofcourse the issue of conflicts in law arising out of Privacy and Freedom of Expression consideration and some pseudo supporters of this “Freedom” who will start complaining if Government or Law starts talking of monitoring Child behaviour or forcing websites to bring down links etc. Even Child activists may say that excessive controls on children are not acceptable.

Many Schools have started creating awareness amongst its students. But most schools would like to push the responsibility back to the Parents to monitor their children so that they donot fall prey to depression and become victims of the game.

There is no doubt that highest stake in the adverse effect of the game is with the Parents and hence hey need to do more than anybody else to protect their children.

But we need to recognize that Parents are not necessarily equipped to handle all psychological issues connected with the growth of their children. There is also a fundamental barrier that “Familiarity breeds Contempt” and children donot listen to even good suggestions from the parents. There is a backlog of relationship issues between the Parents and Children and it is difficult to overnight change and expect that children will start listening to them.

How do we then empower the parents? is a challenge that the society has to address.

Just as “Panic Buttons” have been conceived in mobiles and configured for protecting women, there could be technological solutions to expand the configuration of the “Panic Buttons” to make them also as “Child Safe” buttons which can identify presence of Bluewhale or other identified malicious games in the mobile.

Perhaps the real solution does not lie with any one of the stake holders but with all of them acting together with the help of technologists.

The key to protecting our children is in the hands of Anti-Virus and Anti-Malware companies, who can at short notice ensure that access to the game is blocked.

Perhaps more effort is required in this direction. It is likely to yield instant positive results in substantially reducing the risk of children falling prey to the wiles of the “Curators” of the Blue Whale game.

Naavi

Posted in Cyber Law

Flipkart Flash Sale Fraud… How to respond?

Today, I got a WhatsApp message about some attractive offers titled “Flipkart Big Freedom Sale Offers”. The order placement URL was given as http://flipkart.flash-sale-offer.com. To complete the sale, the requirement was that the message had to be shared with at least 8 WhatsApp friends/groups. Registration with the address of the person was also required.

Last year we had published an article titled “Amazon 97% discount Fraud.. Police in Kanyakumari.. please arrest Mr Anil Kumar”, in which the registrant’s full particulars (not sure if it was a fake address or a real address) were published on our website. We had urged the Police to take action against the fraudulent person.

As usual everybody ignored the “Attempt to impersonate a Company” which could lead to cheating. Police remained quiet because Amazon did not file a complaint, and that fraud has now resurfaced as a Flipkart fraud. In between we have seen many such fraud attempts which every one of our regulators has ignored.

At the same time, when there is a “Copyright issue” regarding a Film to be released, even Courts jump in and hundreds of websites get blocked without even considering whether the site is guilty or not. Our ISPs as well as the Ministry readily cooperate with the request to block such websites.

Why is it that the regulators are willing to act when there is a risk of a Film producer losing money if a copy of a film is released on the Internet, but are not concerned when a citizen of the country could be defrauded?

I would like an answer to this from the Ministry of Information Technology.

Now, people who are aware of how the domain name system works know that “Flipkart.flash-sale-offer.com” is a subdomain of “flash-sale-offer.com”: it is controlled by whoever registered “flash-sale-offer.com”, and need not officially belong to Flipkart at all. However, not all people know this, and if a familiar name appears at the beginning of a domain name they trust that it belongs to that company.

Another interesting thing observed in a mini survey of perceptions I did around this Flipkart incident was that some people identified the site as probably fake not because of the “Sub domain” concept but because the protocol was “http” and not “https”. This indicates that a perception is building up that all “https” sites are reliable and, by contrast, an “http” site is not reliable. If this helps the fraudster, he will readily create https sites instead of http sites (a certificate for his own domain is easy to obtain, and https only secures the connection to that domain; it says nothing about who owns it) and continue the fraud more successfully.

(P.S: I presume some of the visitors to naavi.org might have observed that the WordPress site is now under the https protocol, so that those who think it is more secure may feel comfortable.)

Can GoDaddy be held liable?

Now flash-sale-offer.com has been registered with “GoDaddy” as the registrar, which happily helps the registrant to hide his information under the false pretext of “Privacy”.

It appears that the name of the registrant is Kumar Singh, which indicates that an Indian could be behind this fraud. The domain name was registered on 29/7/2017.

GoDaddy will have other metadata that could help the Police identify the person who has registered the domain name.

If, therefore, the Police serve a CrPC notice on GoDaddy.com, more information on the registrant could be obtained, both from log records around the date of registration and subsequently. The forms completed by the respondents to the message will also land on the hosting server, which could also be with GoDaddy. Hence identifying the registrant is not difficult.

If GoDaddy does not cooperate and provide the details, the Police can take criminal action against GoDaddy and stop (or threaten to stop) their lucrative business in India; hence it is not an option for GoDaddy.com to hide behind its client’s privacy rights.

In fact, if we check the domain name registration contract with GoDaddy.com, it would have a clause that no registrant is permitted to register a domain name infringing trademark rights or for committing a fraud. A similar clause will also be there in the hosting contract. Hence they can cooperate with the law enforcement request without being subject to any counter legal action by the registrant against GoDaddy.

Hence, once GoDaddy is served a notice, they should be able not only to close down the site but also to provide the details to the Police for further action.

By the time I am writing this article in the evening, Malwarebytes on my computer has already blocked this site, but on my mobile browser the site is still opening.

What Should Flipkart Do?

In this context, I would also like to raise the issue of what response we should expect from Flipkart in such a situation. Presently, I see that Flipkart is completely silent on the issue. I do not see even a notice on their website that such a fraud attempt has been reported and that genuine users of Flipkart should not respond. They also could have sent a message to all their registered customers and alerted them. They could have tried to get the site taken down and filed a criminal complaint so that not only could this attempt be foiled at the earliest, but future attempts of a similar nature could be prevented.

Many would ask why Flipkart should take the trouble of taking action on such incidents.

However, I consider this a “Due Diligence” requirement of Flipkart under Section 79 of ITA 2000/8. In fact, my own thinking is that Flipkart should have a mechanism by which registrations of domain names that could use its name in committing a fraud are monitored. In the present case, since this is a “Sub domain”, the registration of “flash-sale-offer.com” on 29th July 2017 could not be immediately linked to Flipkart. But at least this morning, when Flipkart came to know of this fraud attempt, they could have taken some action that they could justify as “Due Diligence”.

We can recall that in the 2004 baazee.com case, when a video named “DPS-MMS Video” was put up for sale on the platform, I was one of the persons who said that not having a “search engine within the server to scan the products on sale and filter them on names indicating goods which are illegal” was a failure of the “Due Diligence” of the company. (At that time, the public knowledge around the DPS-MMS video was sufficient to classify it as an objectionable property that should not be allowed for sale.) Consequently we saw that the CEO of the company and one GM had to fight a legal battle for nearly 8-10 years to stave off a 5-year imprisonment charge.

If we go by that precedent, we can say that people who suffer loss of money through fraudulent sites in the name of Flipkart may blame Flipkart for lack of Due Diligence.

It is therefore prudent for Flipkart to at least show that they are interested in protecting the interests of their customers by sending out a message to all their existing customers and putting up a note prominently on the home page of the site, so that everybody visiting the site is informed.

Flipkart could also have requested its customers to immediately stop forwarding any social media messages wrongly issued in the name of the company, by posting a counter statement.

Even now it should be possible for Flipkart to send a notice to GoDaddy and a few prominent domain name registrars (if possible, all of them) that if there is any registration of domains or sub domains in the name of Flipkart, Flipkart should be immediately informed (like filing a caveat).

There could be opposition to such suggestions, but legally, if a prior notice has been given, it would be difficult for the registrar to ignore such a notice and act as if they do not know that a well-known brand such as “Flipkart” exists.

Carrying this argument further, just as we have “Bug Bounty” programs for software companies, companies like Flipkart should introduce some kind of incentive for at least a few of the people who report such incidents to the Company, say the first 5 persons who alert the Company about such websites. It would be like incentivising whistleblowers who bring such incidents to the knowledge of a company.

At present no company in the world has been taking such measures. But somebody can be the first to take such a Netizen-friendly step. It could be Flipkart, if they are alert to the PR benefits of such a move.

Lookalikes.in Service

Way back in 2002, Naavi had filed a patent for a service which is presently showcased under “lookalikes.in”.

The concept was that if there are similar-looking domain names, both of which are genuine, both can co-exist if they display a mutual disclaimer that “I am not that website”. It was suggested that this could be run as a trusted third-party service that maintains a database of similar domain names which can cause “Consumer Confusion”. It was suggested that the service provider would run a continuous search of newly registered domain names to identify those that conflict with or resemble its clients’ names, so that appropriate remedial action could be taken if required.

The service was not commercially exploited, but the concept remains valid till date.
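As an added example (not code from naavi.org or from the lookalikes.in service), the Python below shows the two checks this post describes: locating where a brand name sits in a URL such as the one quoted above (a registrar sees only the name it sold, so a brand planted in a subdomain has to be caught from the URL itself, and the scheme is reported separately because https proves nothing about ownership), and a registrar-side watch over newly registered names that contain or resemble the brand, in the spirit of the caveat notice and the lookalikes search. The short public-suffix set, the sample domain list and the 0.8 similarity cutoff are assumptions made for the example.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumed sample of two-label public suffixes (a real tool would load the PSL).
TWO_LABEL_SUFFIXES = {"co.in", "co.uk", "com.au"}

def registrable_domain(host: str) -> str:
    """The name the registrar actually sold, e.g. 'flash-sale-offer.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify_url(url: str, brand: str, official: set) -> dict:
    """Locate the brand name (subdomain, registered name, or official domain);
    the scheme is reported separately since https says nothing about ownership."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    sub = host[: -len(reg)].rstrip(".") if host.endswith(reg) else ""
    b = brand.lower()
    if reg in official:
        verdict = "official"
    elif b in sub:
        verdict = "brand-in-subdomain"       # the case in the article
    elif b in reg:
        verdict = "brand-in-registered-name"
    else:
        verdict = "unrelated"
    return {"host": host, "registrable": reg, "subdomain": sub,
            "scheme": parts.scheme, "verdict": verdict}

def watch_registrations(new_domains, brand: str, official: set, cutoff=0.8):
    """Registrar-side caveat: flag newly registered names whose first label
    contains the brand or resembles it (difflib similarity >= cutoff)."""
    hits = []
    for dom in new_domains:
        reg = registrable_domain(dom)
        first = reg.split(".")[0]
        if reg in official:
            continue
        if brand.lower() in first:
            hits.append((dom, "contains brand"))
        elif SequenceMatcher(None, brand.lower(), first).ratio() >= cutoff:
            hits.append((dom, "lookalike"))
    return hits

# Constructed sample input: the URL from the article plus invented names.
ARTICLE_URL = "http://flipkart.flash-sale-offer.com"
SAMPLE_NEW_DOMAINS = ["flash-sale-offer.com", "flipkat.com", "flipkart-freedom-sale.in", "example.org"]
```

Running `classify_url(ARTICLE_URL, "Flipkart", {"flipkart.com"})` reports the registrable name as flash-sale-offer.com with "flipkart" only in the subdomain, while the same brand inside a registered name (or a near-miss spelling) is what `watch_registrations` is meant to surface for a registrar holding a caveat.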

ICANN and the Registrars actually are part of a global fraud because they allow registration of any domain name and pocket the revenue, but leave it to the new registrant and the earlier registrant to fight out a trademark litigation. Lookalikes.in was considered a first-level disclaimer service which would help in reducing the instances of conflicts arising out of domain name similarity when more than one company had a genuine claim on the name.

Now it is time for all these regulators to join together and take such steps as are necessary to put a check on the frauds that could be committed through the misuse of domain names.


Naavi

Posted in Cyber Law