Sunday, September 10, 2017
Friday, August 25, 2017
To the layman, a chip may be just a chip but its utility is more than just making your smartphone work. Even screens, external slots, camera and other attachments have enough hardware capability on them to act as potential hack vectors. There have been multiple researches on this point that a simple chip replacement or addition can compromise your smartphone significantly. The major source of such hacks have undoubtedly been the mobile repair centers. More so in India than anywhere else, there is a workaround presented for any hardware glitch. Glitches that the manufacturers themselves never claim to fix. Your iPhone charging port goes wrong; the authorized service centers only offer to replace the phone at a staggering cost whereas a local market guy will replace the charging port for $10.
The source of these replacement parts are unknown, all the repair centers know is that they get it without any branding or packaging but they have good results. In what researchers are calling the “chip-in-the-middle-attack”, a screen replacement is demonstrated with an exactly original like screen replacement with an add-on chip that compromises the communication system of the device. In a demonstration video, it has also been shown that how the chip can power off the display and perform notorious tasks like taking pictures, logging behavior and patterns and streaming camera feed to the attacker. This is indeed an upcoming risk originating in hostile nations that are manufacturing replacement parts are selling them for practically no money because the cost of data that they receive in return is unimaginable. This chip in the middle attack is a newly coined term but such illicit activities have been going on since a long time. Counterfeit SIM slots with phony IMEIs have been found in stolen phones which led to major busts in this underground mafia of cell phone thefts.
As a point of caution and awareness, one must make sure that when something goes wrong with their devices, they approach an authorized service center to get them repaired and always make sure to wipe your phone clean before giving it for repairs because there are also cases where these technicians have copied data from mobiles that are given for repair and when they find that one whatsapp video to earn money, they will go to any extent. In one case, where private pictures of a couple were sold at a pan shop for Rs. 10 per picture.
Tuesday, August 15, 2017
Landmark Decision for Online
Marketplaces: Online buyers can register a case on sellers anywhere in India.
Spicejet Ltd Vs Ranju Aery
The issue of jurisdiction has made a lot of
people sweat in the recent past since the Internet has come into play. With the
nation recognizing different forms of businesses that are Internet-dependent,
the law has definitely had some catching up to do. I have personally utilized
this independence day holiday to research all important legislation and case
law in this matter and through this blog, I would like to make my research
available for everyone to study.
As a practicing Ecommerce Lawyer and Cyber thought
leader of the country, I feel that this recent decision of Supreme Court
dated 4th August 2017 in the case of Spicejet Ltd is krantikari or as it is referred to in
Law, a landmark decision. As per the case law deduced from this decision, it
will be apt to say that an online buyer may sue a seller at any place. For the
purpose of clarification, an online buyer here means any person who has
purchased any goods via a seller online.
In my opinion, this will affect all ecommerce
buyers like all of us and give them a much needed relief freeing them of the
bounds of local jurisdictions but simultaneously, it will also increase the
sellers’ overhead now as lawyers will need to appointed across all consumer
forum jurisdictions that they have customers in. This observation lays emphasis
on my earlier thoughts about ensuring Online Dispute Resolution (ODR) in cases
involving Mobile wallets and E-Commerce.
In over-the-counter purchases, a consumer can
file a complaint in the consumer court only within the local limits where the
company/ opposite party resides, carries on business or where the transaction
takes place (by the bare reading of the CPC). However, now the law says that
online consumers can sue a company for deficiency in services at any consumer
court of their choice. In these times, when E-Commerce trading is growing
rapidly, this ruling from the Supreme Court has brought a big relief for
consumers purchasing goods through websites and E-Commerce apps.
A bench of Justices Adarsh K Goel and S Abdul
Nazeer on 4th August 2017 upheld a six month old ruling of the
National Consumer Dispute Redressal Commission (NCDRC). The NCDRC had ordered
Spicejet Ltd. to pay Rs 1.25 lakh compensation to Ms. Ranju
Aery for cancellation of a flight. She had booked a ticket
(Chandigarh to Delhi via Bagdodra and Kolkata) on yatra.com on June
23, 2015. The airline cancelled her return flight from Kolkata to Delhi without
any reason and provided her no alternative. She approached the consumer court
in Chandigarh and secured an order against Spicejet. In the appeal, the airline
claimed that the Chandigarh court did not have jurisdiction to hear the case as
the place of business of the company was at Gurugram. The airline relied on
Section 11 of Consumer Protection Act which allows a complaint to be instituted
by a consumer within the local limits of where the opposite party resides or
carries on business or where cause of action arises.
Rejecting this argument, the NCDRC in its order
of February 7, 2017 found the company guilty of cancelling her flight without
reason when on that day 128 flights took off from Kolkata without any delay.
The NCDRC noted that the airline gave no explanation for cancellation and
failed to make any alternative arrangements. The consumer also stated her grief
wherein she discloses that she purchased the ticket at a cost of Rs 80,855
after borrowing money from her relatives at Kolkata. Besides the compensation,
the NCDRC directed the airline to refund the consumer Rs 80,855 with interest
at the rate of nine per cent after deducting the airfare between Kolkata and
Delhi. The company was also to compensate Rs 10,000 towards litigation cost. It
has also been reported via news houses that the Supreme Court found no reasons
to interfere with the National Commission’s order.
By reading the provisions of Consumers
Protection Act, 1986 and I.T. Act, 2000 and with the help of the ratio of the
judgement in A.B.C. Laminart Pvt. Ltd. and anr.'s case, we can safely hold
that, where contracts for services and/or goods are entered into over the
internet (or online as such transactions are commonly referred to), for the
purposes of consumer complaints, part of the cause of action arises interalia,
at the complainant’s place of business, if acceptance of the contract is
communicated to her through the internet, including the medium of email.
Further, irrespective of the fact, whether or not the contract is one made over
the internet, cause of action would also continue to arise at any of the places
(a) where the contract is performed or is to be
(b) where money under the contract is either
payable or paid or
(c) where repudiation of the contract is
received, if any.
As such, it cannot be disputed that a consumer
forum is competent to entertain a consumer complaint, even if only an
infinitesimal part of cause of action arises within its territorial
jurisdiction. As a result, territorial jurisdiction over a consumer complaint
would lie with the consumer forum situated at any place, where any of the
aforementioned causes of action arises. This, of course, is in addition to the
other places, where a consumer may choose to file a complaint in accordance
with the other provisions of Section 11 (2) of the CPA, 1986. It was
reiterated in the case of M.D.Air Deccan vs Shri Ram Gopal Agarwal where the
State Consumer Disputes Redressal Forum interpreted Section 13 of the IT Act
along with Section 11 of the CPA.
To cope up with the
technology law has to take the help of technology; as Charles Clark once
remarked ‘The answer to the machine is in the machine’. Indeed, the
perfect reply to the technological abuses is the application of technological
This is a landmark case in ecommerce dispute
resolution and jurisdiction issues. This is a big relief for ecommerce buyers
such as of Amazon, Flipkart, Naaptol, Myntra, online insurance providers,
Travel portals etc. I feel online consumers have got clarity now that a case
can be filed against online sellers sitting in their own homes as all consumer
disputes also can be filed online with or without lawyers help. I feel the
ratio held in the above case can safely be included in the next scheduled amendment
of The IT Act, 2000
The Court Orders for Download are available on following links below
Friday, August 4, 2017
Thursday, July 27, 2017
Justice Cooley in 1888 defined it simply as a right to be left alone. Alternatively, it may be defined as a right to be anonymous. The two definitions are quite different but both are important, and the right to be anonymous is a form of privacy that has particularly significant implications in cyberspace. In legal terms, our right of privacy amounts to a right to be free from government intrusion into certain areas of our lives and a right to be free from intrusion by other individuals into our “private” lives. The former is protected largely through Constitutional interpretation and a number of statutes; the latter is protected largely through the common law under tort principles.
Before 1890 no English or American court had ever granted relief based on such a claim as “invasion of privacy.”
However, in 1890 a Harvard Law Review article by Samuel Warren and Louis Brandeis examined a number of cases ostensibly decided on other grounds, and concluded that these decisions were actually based on a broader principle, a right of privacy. Warren and Brandeis claimed such a principle was in fact necessary to deal with what was seen as the growing problem of excesses of the press. New York was the first state to confront this issue head on in the wake of the article. Several lower courts had held the existence of a right of privacy.
The New York State Court of Appeals (which is, oddly, the State’s highest court – the “Supreme Court” is the State’s entry level court) got to review the matter in the case of Roberson v. Rochester Folding Box Company in 1902. In this case, the defendant had used a picture of an attractive young woman to advertise its flour without her consent. In a 4–3 decision, the Court of Appeals held that there was no legal precedent for such “right of privacy.” Furthermore, the Court felt that recognizing a right of privacy was a poor idea because, first, the alleged harm was of a purely mental character and would thus be difficult to prove or disprove; second, recognizing a right of privacy would lead to a flood of litigation; third, there would be difficulty in distinguishing between “public” and “private” figures, whose protections under a right of privacy would differ; and finally because it might lead to undue restrictions on the freedom of the press.
A public outcry followed the decision and, in its next session, the New York State Legislature passed a law banning the use of a person’s name or picture “for advertising purposes or for the purposes of trade” without the person’s written consent. By the 1930s “virtually” all jurisdictions had recognized the Right of Privacy, either by statute or through the common law.
Sunday, July 23, 2017
Monday, July 3, 2017
Ransom-payers are also the cause of ransomware proliferation: Prashant Mali
The ransom to retrieve files was reportedly $300, to be paid in virtual currency bitcoins
To date, financial cyber crime has only grown and it is yet to peak, so I would say it’s written on the wall that many more such attacks are expected in the near future. Such threats loom large as the ransom is paid in bitcoins, so the criminals aren’t caught. One thing the police and the government can do is to ensure that citizens make compulsory declarations of purchase of bitcoins and other cryptocurrencies (like ethereum) when they file their income tax returns. This can help the government see who pays and how much because, I feel, ransom-payers are also the cause of ransomware proliferation.
Security experts confirm that the malware isn't really a ransomware, but a wiper designed to destroy data. Reportedly, because of “ its aggressive features,” the malware makes it impossible to retrieve certain files leading many to believe that this attack may not have been for money. Can this be seen as an attempt to test how far companies will go to protect data?
Even if cyber attacks don’t cause financial damage, they definitely throw open defences. Identifying fortresses that have holes in their system can be of interest to the state and non-state actors. This data of the number of loopholes is in demand and is sold at a premium price. There are different types of people involved in the dark world: many a time those who look for such holes, those who attack, and those who intend to get ransoms are all different.
Companies are often wary of making such attacks public. Security firm Symantec has said that India is the worst hit in Asia, but we have confirmation only from Mumbai’sJawaharlal Nehru Port Trust. Do you think information sharing could actually help build a better defence against such attacks?
By not reporting such attacks, companies are depriving the nation of a knowledge database that can help other companies develop better defences. Symantec and other (security) vendors also cannot be fully relied upon because fear is what they harp on. The more fear they put in Indians, the more they sell security products. The Insurance Regulatory and Development Authority of India and insurance companies should make it compulsory for clients to file a First Information Report (FIR) before claiming cyber insurance. Once reporting to some government agency becomes mandatory to claim insurance, companies would be motivated.
What are the security measures that one must take to avoid such attacks?
No one can be immune in cyber space and that's the reality. Only cyber awareness in organisations can bring in cyber resilience. I would advise organisations to have multi-prong policies to establish a cyber security culture. I feel the highest level of cyber safety can be achieved by establishing a cyber security culture in the company, and a country can be cyber resilient by cultivating a culture of cyber security in society. Government should quadruple its budget for digital literacy programmes. For the government to be ahead of hackers, we need cyber spies: our law and enforcement agencies should implant cyber spies among cyber criminals. The chatter within their group helps the state to be ready for what is coming: we need cyber intelligence.
Do you think companies should have ethical hackers on their pay rolls?
I have an issue with the term “ethical hackers” because legally this isn’t right: those are two contradictory terms put together. People who use these terms are either doing it for branding purpose or are students. Companies should opt for services by cyber security researchers.
Are India’s cyber laws equipped to handle such large-scale attacks?
No. Laws can be invoked when prima facie evidence is found against criminals and investigation can be completed if attribution to a criminal is possible. The legal framework to help enforcement agencies in India has serious flaws. Large-scale cyber attacks need multiple law and enforcement agencies to work together along with CERT-In (Indian Computer Emergency Response Team), but the protocol for this is yet to be developed.
In the future, cyber attacks are going to affect government facilities meant for citizens: like centres for health, water etcetera. Even municipalities should coordinate with the aforementioned agencies to avoid mass scale civil disruption from cyber attacks.
Navy man gets 2 years Jail for Child Pornography, cyber crime in India : Cyber crime conviction By Prashant Mali In the case of D...
Navy man gets 2 years Jail for Child Pornography, cyber crime in India : Cyber crime conviction By Prashant Mali In the case of D...
India's fastest decided Cyber Stalking Case under IPC 354D for Sending Obscene messages on WhatsApp and Talking Obscene on Ph...
Cyber Law : Case Law for 1.IT Act, 2000 is a Special Act. 2. Section 292 of IPC is not applicable in Internet based Obscinity only Section 6...