October 2021 promises to be different from October 2020.
The difference is being felt already, and it is not because of the increase in
the number of vaccinated people who may win over the pandemic, but because of the
ever-growing percentage of cyber-crimes, especially cyber monetary crimes.
Several studies have shown that the pandemic-related lockdown has pushed people
to go on a buying spree. Given the situation, people have spent more on
online shopping. Festival periods are the chosen periods for pumping up
sales. In 2020, people could not spend more on festival-related shopping,
which includes paying for vacations, apparel and accessories. 2021 sees the graph slowly rising.
Governments have eased restrictions and this has further encouraged people to
venture out from their homes and visit more shops, physically as well as virtually.
But people have understood the value of plastic money better than before. E-commerce platforms are booming with offers
and consumers are buying to their heart's content. Most of the e-commerce platforms
offer their own applications to be downloaded on Android phones so that
consumers do not venture out to other links. There is a unique blending of
social engineering, artificial intelligence, business analytical
skills and, most importantly, data polling, which makes the e-commerce platforms
unique in their own spheres.
The e-commerce platforms are the chosen platforms for consumer data theft.
Why do our phones show us our secret plans?
Many have asked me why and how their devices “secretly
spy” on their buying plans and how social media platforms and popup ads show
exactly the stuff that these consumers/customers are looking for. The answer
is: NO! The devices are inanimate objects and they cannot spy on our plans
unless there is a human-made mechanism to share our plans. Here we need to look
into consumer behavior in cyberspace: time and again the internet
companies have tried to shed liability for breaching the privacy of their
subscribers/customers. If we look into consumer behavior in
cyberspace, we may be able to understand that the internet companies are not
completely wrong. One cannot have the search engines activated unless the said
person is using some personally identifiable unique identification data, which
may include the phone number or the email id. Most of us do not log out of our
email ids after we have finished our “search”. Nor do we log off from our social media
accounts when we are doing virtual window shopping. Not to forget that social
media companies are deeply connected with the e-commerce platforms: they are
even more deeply connected with the search engines as well. This makes the
entire search history of the respective consumers reflect on the digital
platforms that are being used by the said consumers.
The banking data leak?
In quite the same way, consumers/customers leave their
banking digital footprints on the e-commerce platforms. When we use any online
payment mode, the e-commerce platforms record the said mode for future
commercial transaction purposes. The card, payment app, etc. that may have been
used by the consumers/customers may also be recorded by the e-commerce
platforms. But if seen minutely, the customers are ‘asked’ to consent to
‘remembering’ the payment systems. Such payments through cards or net-banking
or through any other digital payment mode further go through other payment
gateways, which will also remember the amount paid, the unique customer id that
the banking card displays and other related sensitive personal financial data
of the customers/consumers.
Several studies and cyber-crime analyses have shown that festival times may be
considered the peak times for monetary crimes in cyberspace because there may be
a heavy flow of commercial transactions on e-commerce platforms and there may be
almost nil ‘monitoring’ in this regard. In addition, it has also been
noticed by some that personal details of women customers may become the highest
‘valued’ data in this regard. The profile of the female customer, along with the
banking details and the stuff that she chooses to purchase, may all be linked
for an entirely different and unethical business that would add profit for some
in the deep dark net world.
Unfortunately, it may become a herculean task to detect the mastermind of
the entire data theft, as the crime detection agency may need to investigate
through multiple layers of virtual platforms, the majority of which may deny their
liability, citing the negligence of the customer.
The legal recourse?
We need to look into the EU General Data Protection Regulation
(EU GDPR) to understand the universal rules in this regard. Chapter 3 of
the EU GDPR discusses in detail the rights of data subjects and clearly
mentions that there should be restrictions on sharing personal data of the data
owner with multiple stakeholders when the data owner has not given any explicit
permission for the same. Interpreting this, it may be understood that social
engineering is never permitted under the EU GDPR even if the consumer/customer
has ‘voluntarily’ consented to the recording of his/her online payment mode by the
e-commerce platforms. India still does not have any dedicated data privacy
protection laws. As a result, we need to look at scattered laws and rules
mentioned in different statutes and legal provisions. The Consumer Protection
Act, 2019 does not specifically protect consumers’ rights against such kinds of
data privacy infringements. The Information Technology Act, 2000 (amended in 2008)
very loosely touches upon the issue of consumer data privacy under S.72A, which
states as follows:
Save as otherwise provided in this Act or any other law for the time being in force,
any person including an intermediary who, while providing services under the
terms of lawful contract, has secured access to any material containing
personal information about another person, with the intent to cause or knowing
that he is likely to cause wrongful loss or wrongful gain discloses, without
the consent of the person concerned, or in breach of a lawful contract, such
material to any other person, shall be punished with imprisonment for a term
which may extend to three years, or with fine which may extend to five lakh
rupees, or with both.
But again, we must understand that the scope of this
provision to prevent sharing of banking/financial and sensitive personal
data by the internet companies becomes extremely limited, especially when they
come up with a strong plea of no liability towards willful causing of loss and
ignorance of the behavior of the consumers in spite of giving the latter opportunities
to protect their data and profiles through different privacy control mechanisms.
However, this doesn’t mean that the victim does not have legal recourse. The internet
companies may need to clearly establish that they were absolutely ignorant of
the probable loss that may be caused to the victim due to recording the banking
details and consumer habits of the latter. They must also establish that their data
processing and recording mechanisms are secured and cannot be infringed by
perpetrators. This claim of the internet companies must also adhere to the
principles set in S.43A of the Information Technology Act, 2000 (amended in
2008), which speaks about the responsibilities of bodies corporate. Otherwise, they may need to undergo the legal
recourses that the present Indian legal system offers for penalizing the
internet companies.
It is hoped that India enacts a full-fledged data
privacy law which will protect the rights of individuals in general, including
consumers. But till then, we, the general users of information and digital
communication technology, need to be aware of the risks and the rights available to
us.
Please note:
Please do not violate the copyright of
this writeup. Please cite it as Halder Debarati (October, 2021) "Data theft
during festivals post pandemic: why we need to be aware." Available @ https://debaraticyberspace.blogspot.com/2021/10/data-theft-during-festivals-post.html