Wednesday, October 13, 2021

Data theft during festivals post pandemic: why we need to be aware by Dr. Debarati Halder

CYBER CRIME AGAINST WOMEN BY DEBARATI HALDER



October 2021 promises to be different from October 2020. The difference is already being felt, and not only because of the growing number of vaccinated people who may finally win over the pandemic, but because of the ever growing share of cyber-crimes, especially cyber monetary crimes. Several studies have shown that the pandemic lockdowns pushed people into a buying spree, and given the situation most of that buying moved online. Festival periods are the chosen periods for pumping up sales. In 2020 people could not spend much on festival-related shopping, which includes paying for vacations, apparel and accessories; 2021 sees the graph slowly rising. Governments have eased restrictions, which has encouraged people to venture out of their homes and visit more shops, physically as well as virtually. But people have also learnt the convenience of plastic money better than before. E-commerce platforms are booming with offers and consumers are buying enthusiastically. Most of the platforms now offer their own Android applications so that consumers need not venture out to other links. A unique blend of social engineering, artificial intelligence, business analytics and, most importantly, pooling of user data across services makes each e-commerce platform unique in its own sphere.

E-commerce platforms are therefore a prime target for consumer data theft.

Why do our phones seem to know our secret shopping plans?

Many have asked me why and how their devices "secretly spy" on their buying plans, and how social media platforms and pop-up ads show exactly the stuff these consumers are looking for. The answer is: they do not. Devices are inanimate objects and cannot spy on our plans unless there is a human-made mechanism that shares those plans. Here we need to look at consumer behaviour in cyberspace. Time and again the internet companies have tried to shrug off liability for breaching the privacy of their subscribers, and if we look at how consumers behave online we may understand that the companies are not completely wrong. A search engine works without a login, but most of us search while signed in to an email or social media account, and the browser or app also carries cookies and advertising identifiers that tie each search to a known profile. Most of us do not log out of our email accounts after we have finished our "search", nor do we log off from our social media accounts while doing virtual window shopping. Not to forget that social media companies are deeply connected with the e-commerce platforms, and even more deeply connected with the search engines, through advertising networks and the trackers embedded in pages and apps. This is what makes the entire search history of a consumer resurface, as targeted adverts, on every digital platform that consumer uses.

The banking data leak?

In much the same way, consumers leave their banking digital footprints on e-commerce platforms. When we use any online payment mode, the platform records that mode for future transactions; the card or payment app used may also be recorded. Seen closely, the customers are 'asked' to consent to the payment system being 'remembered'. Such payments, by card, net-banking or any other digital mode, then pass through payment gateways which also remember the amount paid, the card number and other related sensitive personal financial data of the customer. A point worth noting for anyone assessing such a platform: when a payment method is 'remembered', what the merchant should hold is a token issued by the payment gateway together with the last four digits and expiry, not the full card number, and the card verification value must never be retained after authorisation. Where a platform keeps more than this, every breach of that platform becomes a breach of its customers' bank cards.


Several studies and cyber-crime analyses have shown that festival times may be considered the peak times for monetary crimes in cyberspace, because there is a heavy flow of commercial transactions on e-commerce platforms and almost no 'monitoring' of them. Added to this, some have noticed that the personal details of women customers may become the most 'valued' data in this regard. The profile of a female customer, her banking details and the items she chooses to purchase may all be linked for an entirely different and unethical business that adds profit for someone in the dark net. Unfortunately, detecting the mastermind of such data theft may become a herculean task, as the investigating agency must work through multiple layers of virtual platforms, the majority of which may deny liability, citing the negligence of the customer.

The legal recourse?  

We need to look at the EU General Data Protection Regulation (EU GDPR) to understand the universal rules in this regard. Chapter 3 of the GDPR sets out in detail the rights of the data subject (information, access, erasure, objection), and together with the lawful-basis and purpose-limitation rules the Regulation makes clear that personal data collected for one purpose cannot be shared with multiple stakeholders for another purpose without the data owner's explicit permission. Interpreting this, the consumer's 'voluntary' consent to the e-commerce platform recording his or her payment mode is not consent to that data being shared onward or used to profile and manipulate the consumer. India still does not have a dedicated data privacy protection law. As a result, we need to look at scattered rules in different statutes and legal provisions. The Consumer Protection Act, 2019 does not specifically protect consumers against such data privacy infringements. The Information Technology Act, 2000 (amended in 2008) very loosely touches upon consumer data privacy under S.72A, which states as follows:

Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.

But again, we must understand that the scope of this provision for preventing the sharing of banking, financial and sensitive personal data by internet companies becomes extremely limited, especially when they come up with the strong plea that they caused no wilful loss and that the consumer ignored the privacy controls offered to protect his or her data and profile. However, this does not mean that the victim has no legal recourse. The internet companies may need to clearly establish that they were unaware of the probable loss that recording the victim's banking details and consumer habits could cause. They must also establish that their data processing and recording mechanisms are secure and cannot be infringed by perpetrators. This claim must also adhere to the principles set out in S.43A of the Information Technology Act, 2000 (amended in 2008), which speaks of the responsibilities of body corporates to maintain reasonable security practices. Otherwise, they may have to face the legal recourse that the present Indian legal system offers for penalising internet companies.

It is hoped that India enacts a full-fledged data privacy law which will protect the rights of individuals in general, including consumers. But till then, we, the general users of information and digital communication technology, need to be aware of the risks and of the rights available to us.

Please note: Please do not violate the copyright of this writeup. Please cite it as Halder Debarati (October, 2021) "Data theft during festivals post pandemic: why we need to be aware." Available @ https://debaraticyberspace.blogspot.com/2021/10/data-theft-during-festivals-post.html


Tuesday, September 7, 2021

Hurray … I am vaccinated: know the risks of posting vaccine updates




As of the first week of September 2021, India had reportedly administered more than 67,09,59,968 vaccine doses, and several crore people are fully vaccinated. Noticeably, the Covid vaccination drive is being conducted by the government and it necessarily involves sharing certain sensitive personal data that is part of every individual's Aadhaar record. Expectedly, the vaccination data is connected with the personal information, including health information, of the beneficiary as well.

Let me now explain how we, the beneficiaries of the Covid vaccination drive, have shared our personal data, often without realising it, and have invited risks of privacy infringement.

In 2020, when I was affected by Covid and wanted confirmation that I was carrying the virus, I sought Covid testing like millions of us who have survived Covid. The government testing agencies were overflowing, and this happened in all cities across India. Medical shops connected many of us with private labs who would test us 'at the earliest' to help us recover faster. Several people reported that they tested positive even though they had no symptoms. Everyone suspected foul play, but we had to accept that the pandemic had touched all of us very dearly. Whether at government labs or private labs, those taking the swab were directed to mandatorily collect the Aadhaar details of the persons being tested. There was a series of data sharing from private agencies to government agencies, and in the majority of cases the data owners were never asked for explicit permission. Added to this, we, the general users of social media, shared our levels of infection and recovery on social media platforms without giving a thought to the fact that we were generating data that could expose us to numerous kinds of cybercrime, including extortion, bullying, stalking and doxing, to name a few. During the very first phase of Covid-19 we saw social exclusion of Covid-19 victims and their families, and there were several cases of shaming of victims on social media. Such 'harassment' of Covid victims and their families can partly be attributed to the data generated by the people who had been infected and survived.

Most of us never understood how such data sharing would affect us. As a result, most people have also shared their vaccination details, which should have been treated as sensitive personal health data. Let me explain how we have unknowingly shared such data and invited risks:

Many people who were vaccinated took selfies, or allowed family members to photograph them being vaccinated. These images were often shared immediately on social media profiles along with the date of vaccination and the name of the vaccine. Several vaccination centres even offered photo booths for the purpose. Some may argue that beneficiaries did not share the personal data, such as registration numbers or certificate details, available from the government platforms. But not to forget, this is an age of social engineering. Attackers can correlate facial images, geolocation, Aadhaar details and date and time stamps to reach sensitive personal data stored on platforms which may not provide much security for the privacy of the data owners. A phone photograph carries more than the picture: unless the platform or the sender strips it, the file's Exif metadata records when and, with GPS, where it was taken.
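The point about photographs carrying location and time stamps can be checked directly. The following is an added example, not part of the original post: a small standard-library Python routine that walks the segments of a JPEG file, reports whether its Exif block contains a GPS sub-directory (tag 0x8825 in IFD0) and returns a copy with the Exif segment removed. The sample file is constructed in the code (a minimal JPEG container with a GPS entry, not a real picture) so the example runs offline; the marker and tag numbers are from the JPEG and Exif/TIFF specifications.

```python
"""Detect and strip Exif metadata (including GPS) from a JPEG using only the standard library."""
import struct

SOI = b"\xff\xd8"          # start of image
EOI = b"\xff\xd9"          # end of image
APP1 = 0xE1                # APP1 segment marker; Exif lives here
SOS = 0xDA                 # start of scan: entropy-coded image data follows
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825       # IFD0 entry pointing at the GPS sub-IFD


def _segments(data: bytes):
    """Yield (marker, offset, size) for each marker segment before SOS/EOI."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("bad marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (SOS, 0xD9):
            return  # no more metadata segments after this point
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # length includes its own 2 bytes
        yield marker, pos, 2 + length
        pos += 2 + length


def exif_has_gps(tiff: bytes) -> bool:
    """Walk IFD0 of the TIFF structure that follows 'Exif\\0\\0' and look for the GPS IFD pointer."""
    if len(tiff) < 8:
        return False
    if tiff[:2] == b"II":
        fmt = "<"   # little-endian ("Intel")
    elif tiff[:2] == b"MM":
        fmt = ">"   # big-endian ("Motorola")
    else:
        return False
    ifd0 = struct.unpack(fmt + "I", tiff[4:8])[0]
    if ifd0 + 2 > len(tiff):
        return False
    count = struct.unpack(fmt + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i: ifd0 + 14 + 12 * i]  # 12-byte directory entry
        if len(entry) < 12:
            break
        if struct.unpack(fmt + "H", entry[:2])[0] == GPS_IFD_TAG:
            return True
    return False


def _is_exif_app1(data: bytes, off: int, marker: int) -> bool:
    return marker == APP1 and data[off + 4:off + 10] == EXIF_HEADER


def jpeg_has_gps(data: bytes) -> bool:
    """True if any Exif APP1 segment in the file carries a GPS sub-IFD."""
    return any(exif_has_gps(data[off + 10:off + size])
               for marker, off, size in _segments(data)
               if _is_exif_app1(data, off, marker))


def strip_exif(data: bytes) -> bytes:
    """Return a copy of the JPEG with every Exif APP1 segment removed; image data is untouched."""
    out = bytearray()
    last = 0
    for marker, off, size in _segments(data):
        if _is_exif_app1(data, off, marker):
            out += data[last:off]   # keep everything up to the Exif segment
            last = off + size       # and skip the segment itself
    out += data[last:]              # remaining segments, scan data and EOI
    return bytes(out)


def build_sample_jpeg() -> bytes:
    """CONSTRUCTED fixture: SOI, one Exif APP1 with a GPS IFD, an empty SOS header, EOI. Not a decodable picture."""
    tiff = b"II*\x00" + struct.pack("<I", 8)                   # little-endian TIFF header, IFD0 at offset 8
    gps_off = 8 + (2 + 12 + 4)                                  # IFD0 = count + 1 entry + next-IFD link
    tiff += struct.pack("<H", 1)                                # IFD0: one entry
    tiff += struct.pack("<HHII", GPS_IFD_TAG, 4, 1, gps_off)    # tag, type LONG, count 1, value = GPS IFD offset
    tiff += struct.pack("<I", 0)                                # no next IFD
    tiff += struct.pack("<H", 1)                                # GPS IFD: one entry
    tiff += struct.pack("<HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"  # GPSLatitudeRef, ASCII, "N", inline value
    tiff += struct.pack("<I", 0)
    payload = EXIF_HEADER + tiff
    app1 = b"\xff" + bytes([APP1]) + struct.pack(">H", len(payload) + 2) + payload
    sos = b"\xff" + bytes([SOS]) + struct.pack(">H", 2)        # empty SOS header (constructed)
    return SOI + app1 + sos + b"\x00\x11\x22" + EOI


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS present before strip:", jpeg_has_gps(sample))
    print("GPS present after strip: ", jpeg_has_gps(strip_exif(sample)))
```

Two caveats for anyone applying this to real files: the routine strips the whole Exif block (including camera model and original timestamp), which is the safe default before sharing, and it does nothing about identifiers that are visible in the picture itself, such as a photographed certificate or registration number, which must be cropped or blurred separately.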

Such apprehensions are not baseless. In December 2020, Pfizer and BioNTech reported that documents relating to their vaccine had been accessed in a cyberattack on a European regulator.[1] Again, in June 2021, claims of a hack and data breach of the CoWIN platform circulated widely; the Health Ministry examined them and declared them baseless.[2]

Why should we be concerned about this issue, and what does the law say? The answer centres on the liability of websites and social media companies to protect our data. Two issues must be understood here: the liability of the companies or body corporates (especially the vaccine manufacturers and the agencies administering vaccination) in whose databases our sensitive health data, including vaccination data, is stored; and the liability of the social media companies on whose platforms we share our own data in the form of selfies, pictures and so on. S.43A of the Information Technology Act, 2000 (amended in 2008) makes body corporates liable for protecting the data of their clients, customers and beneficiaries: if the integrity and confidentiality of the data is compromised for want of reasonable security practices, the body corporate must compensate the person affected. There may be long legal battles over this, and body corporates may always deny negligence at first sight. Not to forget, they may outsource the entire work of data generation, storage and confidentiality to third parties, and as a result face layers of liability. The position of social media companies is different. They have explicit policies and agreement clauses that the majority of users ignore, and these clauses spell out the company's due diligence. In other words, the companies state clearly that they will remove posts which fall within their own categories of offensive content, and that they will secure the confidentiality of profiles, but they take no liability when users themselves "knowingly" post something self-damaging. To understand this we have to take a close look at S.79 of the Information Technology Act, 2000 (amended in 2008), which provides the conditional immunity of intermediaries from liability for third-party content, subject to due diligence.
In short, websites will not be liable for any extortion, hacking or other online harassment that follows when users "knowingly" upload content which attracts perpetrators. "Knowingly" here corresponds to "awareness": the websites expect their users to be aware of the risks of posting content which may be self-damaging.

We should rejoice at winning over the pandemic, but not at the cost of our privacy and security. Be aware, stay safe and spread positive awareness.

Please note: Please do not violate the copyright of this writeup. Please cite it as Halder Debarati (2021) "Hurray … I am vaccinated: know the risks for updating vaccine-posts" @ https://debaraticyberspace.blogspot.com/2021/09/hurray-i-am-vaccinated-know-risks-for.html




[1] Stubbs, J. (December 10, 2020). "Hackers steal Pfizer/BioNTech COVID-19 vaccine data in Europe, companies say." Reuters. https://www.reuters.com/article/uk-ema-cyber/hackers-steal-pfizer-biontech-covid-19-vaccine-data-in-europe-companies-say-idUKKBN28J1VF

[2] Jaswal, M. (June 12, 2021). "Claims of Cowin system hacking, data breach baseless: Health ministry." Livemint. https://www.livemint.com/news/india/claims-of-cowin-system-hacking-data-breach-baseless-health-ministry-11623489372000.html


Thursday, April 22, 2021

Is using electronic payment mode mandatory?


We are facing the challenge of Covid-19 restrictions, and a whole generation is facing another, unique challenge. Many senior citizens and people from socio-economically backward classes and communities are unable to exercise their basic right to life because they are unable to use electronic payment mechanisms.

By the end of the 1990s electronic commerce had started gaining popularity, and by the first decade of the new millennium banks in several countries had expanded their services to electronic money transactions. Plastic money in the form of ATM, debit and credit cards was introduced, and the smart generation started relying on cards rather than carrying currency in their wallets. But this proved dangerous for many. Wallets and cards were physically stolen and misused, e-banking systems were hacked in ways that directly affected card operations, ATMs were accessed without authorisation, and skimmers and hidden cameras were fitted to machines to capture card details and PINs. Senior citizens were worst affected, as most of them in countries like India could not operate the e-banking systems or the cards: either they could not understand the operating mechanisms or they were not physically able to complete a transaction through an ATM or a smart device. This was due to the generation gap.

With the advancement of technology, e-wallets were introduced. Through online banking, one can deposit a particular amount of money in an e-wallet. However, an e-wallet does not operate as a single, independent device or mechanism: users may link their valid government identity proofs to it, and it is necessarily used through a computer, smartphone or similar device.[1] Everything remains virtual except the device that gives the user access to the online transaction mechanism. It has been stated continuously that plastic money, e-wallets and e-banking are safer and better than carrying currency.

But do we really know who is safeguarding our money in this system? A few provisions of Chapter III of our very own Information Technology Act, 2000 (amended in 2008) make this clear. Chapter III deals with electronic governance. S.6A of the Information Technology Act (IT Act), 2000, amended in 2008, is noteworthy here; it says as follows:

6A Delivery of services by service provider. -

(1) The appropriate Government may, for the purposes of this Chapter and for efficient delivery of services to the public through electronic means authorise, by order, any service provider to set-up, maintain and upgrade the computerised facilities and perform such other services as it may specify by notification in the Official Gazette.

Explanation. - For the purposes of this section, service provider so authorised includes any individual, private agency, private company, partnership firm, sole proprietor firm or any such other body or agency which has been granted permission by the appropriate Government to offer services through electronic means in accordance with the policy governing such service sector.

(2) The appropriate Government may also authorise any service provider authorised under sub-section (1) to collect, retain and appropriate such service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service.

(3) Subject to the provisions of sub-section (2), the appropriate Government may authorise the service providers to collect, retain and appropriate service charges under this section notwithstanding the fact that there is no express provision under the Act, rule, regulation or notification under which the service is provided to collect, retain and appropriate e-service charges by the service providers.

(4) The appropriate Government shall, by notification in the Official Gazette, specify the scale of service charges which may be charged and collected by the service providers under this section: Provided that the appropriate Government may specify different scale of service charges for different types of services.


Online transactions for e-commerce purposes are directly connected with the concept of service delivery by service providers. S.6A has two main components: (i) authorisation of service providers by the government to set up provisions for delivering services electronically; and (ii) collection of service charges by those service providers. Whenever we see a smooth or a bumpy delivery of services from a bank or from any other government or corporate authority, we must know that there is a team behind that department, bank or company which the user never sees. They may be independent agencies commissioned by the government, bank or company. These unseen teams perform all the technical functions for economic transactions, maintain the records of money transactions, look after cyber security and so on, and they are duty bound not to violate the confidentiality of user data. In fact there are layers of contracts: between the actual user and the bank, government or company; between such service providers and the bank, government or company; and so on. We know only the first layer, the agreement between us as users and the bank, government or company providing us services or goods. But there are several examples of these agreements and contracts being violated. These 'service providers' know us better than we know ourselves, because they know our bank details, our spending habits and even our location data.

Considering the risk of breach of confidentiality in all such cases, S.7A of the IT Act, 2000 (amended in 2008) prescribes auditing of documents and records maintained in electronic form. The Section says as follows:

“7A Audit of documents, etc., maintained in electronic form. -Where in any law for the time being in force, there is a provision for audit of documents, records or information, that provision shall also be applicable for audit of documents, records or information processed and maintained in the electronic form.”

But this is hugely neglected by many stakeholders, and this gap gives rise to several data breach related legal issues. The Indian legislature has also brought in the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which in certain cases shift the liability for data protection onto intermediaries.

However, we must not forget that there is a digital divide in our societies. Adults, including men, women and people belonging to LGBTQ communities, may not always have access to information and digital communication systems and services. This is a universal problem. Women in socio-economically backward classes and communities may not be empowered to use electronic devices. Not to forget that even though the Indian Constitution's directive principles call for equal pay for equal work, women may not always get equal pay in the unorganised sector. Many households in India, as in many Asian countries, do not allow women to take any decision related to family finances. Yet there are situations in which people are forced to use electronic payment systems. The Covid-19 pandemic is one such situation: public-health guidance early in the pandemic encouraged reducing contact with anything that might transmit the virus from person to person, and handling of currency notes was discouraged on the understanding that notes may become wet with sweat, saliva and so on and thereby increase the risk of spreading infection. But new research is appearing every day on how to take precautions while handling paper (including the materials used for currency notes) or cloth during pandemic times.

In all such cases, are our constitutional rights not violated if the government or any other stakeholder insists on e-transactions? They are.

The answer to this question may be found in S.9 of the IT Act, 2000 (amended in 2008), which says as follows:

Sections 6, 7 and 8 not to confer right to insist document should be accepted in electronic form.-Nothing contained in sections 6, 7 and 8 shall confer a right upon any person to insist that any Ministry or Department of the Central Government or the State Government or any authority or body established by or under any law or controlled or funded by the Central or State Government should accept, issue, create, retain and preserve any document in the form of electronic records or effect any monetary transaction in the electronic form.

Thus the above provision empowers all who may be unable, or who may wish to refuse, to use electronic payment systems. But this may not always be treated as the rule; in the era of the internet it is rather the exception that proves the rule (exceptio probat regulam). Even though the government and corporate stakeholders may extend their services on humanitarian grounds to help those who cannot use digital payment systems or e-wallets, people's trust may easily be broken by gross misuse of the powers that such 'helpers' acquire: ATM and debit cards may be stolen, data may be compromised, and e-wallets may be operated illegally by 'volunteers' seeking illegal and unethical profit at the cost of innocent people.

It will take a long time to make people from all backgrounds aware of electronic payment modes, and probably even longer to control cyber criminality targeting vulnerable people. No one should violate legal norms and constitutional principles so as to make the right to life of others almost unachievable. Vulnerable groups, including senior citizens, disabled people, socio-economically backward communities, women and children, must be given enough protection to earn their trust, so that all can survive and win over adverse situations.

Please note: Please do not violate the copyright of this writeup. Please cite it as Halder Debarati (2021) "Is using electronic payment mode mandatory?" Published @ https://debaraticyberspace.blogspot.com/2021/04/is-using-electronic-payment-mode.html on 22-04-2021



[1] The Economic Times, definition of "e-wallets": https://economictimes.indiatimes.com/definition/e-wallets