October 2021 promises to be different from October 2020. The difference is being felt already, and it is not because of the increase in the number of vaccinated people who may win over the pandemic, but because of the ever-growing percentage of cyber-crimes, especially cyber monetary crimes. Several studies have shown that the pandemic-related lockdown has pushed people to go on a buying spree. Given the situation, people have spent more on online shopping. The festival periods are the chosen periods for pumping up sales. In 2020, people could not spend more on festival-related shopping, which includes paying for vacations, apparel and accessories. 2021 sees the graph slowly rising. Governments have eased restrictions, and this has further encouraged people to venture out from their homes and visit more shops physically as well as virtually. But people have understood the value of plastic money better than before. E-commerce platforms are booming with offers and consumers are buying to their heart's content. Most of the e-commerce platforms have offered their own applications to be downloaded on Android phones so that the consumers do not venture out to other links. There is a unique blending of social engineering, artificial intelligence, business analytical skills and, most importantly, data polling, which makes the e-commerce platforms unique in their own spheres.
The e-commerce platforms are the chosen platforms for consumer data theft.
Why do our phones show us our secret plans?
Many have asked me why and how their devices “secretly spy” on their buying plans and how the social media platforms and popup ads show exactly the stuff that these consumers/customers are looking for. The answer is: NO! The devices are inanimate objects and they cannot spy on our plans unless there is a human-made mechanism to share our plans. Here we need to look into consumer behavior in cyberspace: time and again the internet companies have tried to shed liability for breaching the privacy of their subscribers/customers. If we look into consumer behavior in cyberspace, we may be able to understand that the internet companies are not completely wrong. One cannot have the search engines activated unless the said person is using some personally identifiable unique identification data, which may include the phone number or the email id. Most of us do not log out of our email ids after we have finished our “search”. Neither do we log off from our social media accounts when we are doing virtual window shopping. Not to forget that social media companies are deeply connected with the e-commerce platforms: they are even more deeply connected with the search engines as well. This makes the entire search history of the respective consumers reflect on the digital platforms that are being used by the said consumers.
The banking data leak?
In much the same way, consumers/customers leave their banking digital footprints on the e-commerce platforms. When we use any online payment mode, the e-commerce platforms record the said mode for future commercial transaction purposes. The card, payment app, etc., that may have been used by the consumers/customers may also be recorded by the e-commerce platforms. But if seen minutely, the customers are ‘asked’ to consent to ‘remembering’ the payment systems. Such payments through cards or net-banking or through any other digital payment mode further go through other payment gateways, which will also remember the amount paid, the unique customer id that the banking card displays and other related sensitive personal financial data of the customers/consumers.
Several studies and cyber-crime analyses have shown that the festival times may be considered the peak times for monetary crimes in cyberspace because there may be a heavy flow of commercial transactions on e-commerce platforms and there may be almost nil ‘monitoring’ in this regard. Added to this, it has also been noticed by some that personal details of women customers may become the highest ‘valued’ data in this regard. The profile of the female customer along with the banking details and the stuff that she chooses to purchase may all be linked for an entirely different and unethical business that would add profit for some in the deep dark net world. Unfortunately, it may become a herculean task to detect the mastermind of the entire data theft, as the crime detection agency may need to investigate through multiple layers of virtual platforms, the majority of which may deny their liability citing the negligence of the customer.
The legal recourse?
We need to look into the EU General Data Protection Regulation (EU GDPR) to understand the universal rules in this regard. Chapter 3 of the EU GDPR discusses in detail the rights of the data subjects and clearly mentions that there should be restrictions on sharing personal data of the data owner with multiple stakeholders when the data owner has not given any explicit permission for the same. Interpreting this, it may be understood that social engineering is never permitted under the EU GDPR even if the consumer/customer has ‘voluntarily’ consented to the recording of his/her online payment mode by the e-commerce platforms. India still does not have any dedicated data privacy protection laws. As a result, we need to look at scattered laws and rules mentioned in different statutes and legal provisions. The Consumer Protection Act, 2019 does not specifically protect consumers’ rights against such kinds of data privacy infringements. The Information Technology Act, 2000 (amended in 2008) very loosely touches upon the issue of consumer data privacy under S.72A, which states as follows:
Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.
But again, we must understand that the scope of this provision to prevent sharing of the banking/financial and sensitive personal data by the internet companies becomes extremely limited, especially when they come up with a strong plea of no liability towards willful causing of loss and of ignorance of the behavior of the consumers in spite of giving the latter opportunities to protect their data and profiles through different privacy control mechanisms. However, this doesn’t mean that the victim does not have legal recourse. The internet companies may need to clearly establish that they were absolutely ignorant of the probable loss that may be caused to the victim due to recording the banking details and consumer habits of the latter. They must also establish that their data processing and recording mechanisms are secured and cannot be infringed by perpetrators. This claim of the internet companies must also adhere to the principles set in S.43A of the Information Technology Act, 2000 (amended in 2008), which speaks about the responsibilities of the body corporates. Otherwise, they may need to undergo the legal recourses that the present Indian legal system offers for penalizing the internet companies.
It is hoped that India enacts a full-fledged data privacy law which will protect the rights of the general individuals including the consumers. But till then, we, the general users of information and digital communication technology, need to be aware of the risks and rights available to us.
Please note: Please do not violate the copyright of this writeup. Please cite it as Halder Debarati (October, 2021) "Data theft during festivals post pandemic: why we need to be aware." Available @ https://debaraticyberspace.blogspot.com/2021/10/data-theft-during-festivals-post.html