By Na Vijayashankar
The incident of well-known TV anchor Nidhi Razdan being conned with a job offer purportedly from Harvard University has created a flutter among senior executives who routinely receive such offers. The possibility of being similarly trapped and embarrassed, and of losing money and their current jobs, is staring them in the face. The fraudster in such cases carries out sophisticated profiling of the victim and, through spear phishing, grooms them into believing that the offer is genuine. He then extracts money in various forms, such as charges for a verification service or for facilitating the appointment.
The victim has filed a complaint with the police, but tracing the fraudster is an uphill task for law enforcement. Most cyber crimes, including phishing frauds, go unsolved because the police fail to recognise the role of intermediaries in the commission of the crime. They do not bring them into the investigating loop, but hold them as suspects until they prove their innocence. For a successful investigation, intermediaries such as e-mail providers, as well as Harvard University itself, need to cooperate.
One typical case in India which highlighted the responsibility and liability of the intermediaries and of the organisation in which the phishing was encashed was S Umashankar vs ICICI Bank, in which both the adjudicator of Tamil Nadu (in 2010) and TDSAT (in 2019) held that the Bank was responsible for compensating the victim for the phishing fraud. In this case, the Bank was made a party to the proceedings as an accused, and hence the judicial authorities recognised the security failure as a contravention of Section 43(g) of the Information Technology Act, 2000.
Similarly, in the Nidhi Razdan case, there is a need to check whether Harvard was aware that such frauds using its name had occurred in the past and chose to remain silent. That silence may be considered facilitation of the crime. It is possible that only a person well acquainted with the University's procedures could have executed the fraud successfully, which included conducting an online interview. Hence, the clue to solving the crime may lie within Harvard's servers. Similarly, the emails, chat messages and documents received and responded to by the victim may hold information that could help track the fraudsters, provided the email service providers and others assist the investigation.
The most promising lead would be any payment made by the victim as part of this fraud. If so, there would be a beneficiary who is actually a participant in the "money laundering crime" and a banking institution that carried out the fund transfer. For the crime to be investigated successfully, the cooperation of all the intermediaries is necessary, failing which the case will reach a dead end.
In fact, some aspects of the data protection law, as well as certain information security practices, may actually be assisting the criminals. Phishing involves impersonation, but sending an "impersonated mail" is only the tool of the crime. The real crime is how the victim is exploited subsequently. It is for this reason that, in a bank phishing fraud, the sharing of the password or OTP by the victim is one part of the preparation of the crime, and entering the bank system with the stolen password is its execution. While we may blame the victim for being foolish enough to part with the password, banks cannot be absolved either, for failing to recognise and prevent the impersonated access to the account. The failure here is that the bank does not, through technical measures, recognise the unusual nature of the transactions.
Just as bankers have a responsibility in a bank fraud case involving phishing, so too does Harvard if it has been silent about such incidents in the past, since that silence might have contributed to more people like Razdan being conned. It should be investigated whether the University's HR department had any prior instances of such attempts and, if so, how they were disposed of. An investigation should also be made into whether any current or past employees of Harvard's recruitment department have a history of committing such frauds. There is a need to expand the scope of the investigation by involving Interpol and the FBI and taking it to US soil.
Some of the provisions of the data protection law need a deeper look at how they relate to a cyber crime of this type. "Privacy" is often treated as a tool for hiding information. Hence, under the guise of "privacy", the WHOIS data of a website is not made freely available, and the originating IP addresses in emails are hidden. Both directly contribute to the impersonation of emails.
Similarly, if Harvard had a practice of sending only digitally signed emails when communicating recruitment or other critical messages to third parties, then Razdan would have recognised that her offer letter was not digitally signed.
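As an added illustration of the control described above (this is example code, not part of the original article and not a description of Harvard's actual systems), the following Go program shows the recipient-side check: an offer letter is trusted only if it carries a signature that verifies under the institution's published key, so an unsigned look-alike from a similar domain, or a signed letter altered in transit to add a "fee", is rejected. The institution domain, message fields and the use of an ad hoc Ed25519 key in place of a real S/MIME or DKIM setup are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"strings"
)

// Mail is a constructed, minimal recruitment message; Signature is a base64
// Ed25519 signature over the canonical From/Subject/Body, or "" if unsigned.
type Mail struct{ From, Subject, Body, Signature string }
// NewInstitutionKey stands in for the university's published signing key
// (assumption: in practice an S/MIME certificate or DKIM key, not an ad hoc key).
func NewInstitutionKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// canonical fixes the exact bytes signed: whitespace changes survive, wording changes do not.
func canonical(m Mail) []byte {
	return []byte(strings.TrimSpace(m.From) + "\n" + strings.TrimSpace(m.Subject) + "\n" + strings.TrimSpace(m.Body))
}
// SignMail is what the institution's mail gateway would do for every recruitment message.
func SignMail(priv ed25519.PrivateKey, m Mail) Mail {
	m.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(m)))
	return m
}
// VerifyMail is the recipient-side check: trust only a signature that verifies under
// the published key. An unsigned mail fails here, the cue the article points to.
func VerifyMail(pub ed25519.PublicKey, m Mail) bool {
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if m.Signature == "" || err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, canonical(m), sig)
}
// Demo returns the verdicts for a genuine signed offer, an unsigned look-alike from a
// similar domain, and a signed offer whose body was altered in transit to add a fee.
func Demo() (genuine, unsigned, tampered bool) {
	pub, priv := NewInstitutionKey()
	signed := SignMail(priv, Mail{From: "recruitment@university.example", Subject: "Offer of appointment", Body: "We are pleased to offer you the position."})
	lookalike := Mail{From: "recruitment@university-hr.example", Subject: "Offer of appointment", Body: "Please pay the verification fee."}
	altered := signed
	altered.Body += " Please remit a facilitation fee."
	return VerifyMail(pub, signed), VerifyMail(pub, lookalike), VerifyMail(pub, altered)
}
```

Demo() returns true, false, false: only the genuinely signed, unmodified offer passes.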
Thus, the misinterpretation of “privacy protection” as a licence for anonymous communication and hiding of identity is one of the main reasons why phishing proliferates. Unless privacy activists learn to accept “regulated pseudonymity” in place of “anonymity” when delivering services such as emails, the world of cyber crimes will only thrive.
At the same time, we have elements in law enforcement who misuse legal privileges and try to fix investigations. Many experts remain silent when such misuse occurs, and therefore it continues. This has created distrust between society and law enforcement authorities, and any suggestion that the data protection regulation should grant them investigative privileges is not welcomed.
It is this distrust that makes it difficult to arrive at a data protection law that gives investigators enough flexibility without their misusing the powers. Finding the right balance may even be impossible in the current structure of law enforcement unless we create a layer of intermediary service providers who offer "regulated pseudonymity". This can help data principals protect their privacy, enable businesses to pursue their legitimate interests, and allow law enforcement to obtain the information appropriate to their investigations, with a check on misuse.
Fortunately, the Indian Personal Data Protection Bill 2019 provides for such a mechanism and, if properly harnessed, we will be able to find the balance between privacy and security that has eluded us for a long time. We should also remember that one of the privacy protection measures that GDPR, and now PDPB 2019, suggest is that personal data should be periodically updated to maintain accuracy. This requires the service provider to ask for updates from time to time, and such requests are themselves a possible vector for phishing.
Hence, while implementing such measures, care should be taken to ensure that the request is authenticated and that other safeguards against phishing are in place.
Razdan's incident has given room for introspection by privacy lawmakers and data security specialists, besides providing an opportunity for the public to learn from it. It will be interesting to see how law enforcement proceeds with this investigation. It is possible that some evidence relevant to the investigation is available at Harvard and needs to be explored.
Thus, the Razdan incident has many nuances and should not be dismissed as a case of a gullible person being negligent and getting cheated. If it is not properly understood, there could be many more such frauds in the senior executive job market. It is more likely to happen in cross-border placements, but it cannot be ruled out in India as well.
—The writer is a cyber law and techno-legal information security consultant based in Bengaluru