Phishing for Green Apes

On May 17, 2022, actor Seth Green announced to the world that he got “phished and had 4NFT stolen”. Apparently, he clicked on a link that led him to a website that requested and obtained access to his wallet – a wallet containing four high-profile collectible NFTs. After he provided the necessary consent, a scammer promptly emptied his wallet of these four expensive collectible NFTs.

Green purportedly knows how to navigate Web 3.0 but does a really bad job of justifying his lack of security hygiene:  “Scam GutterCats clone site. I’m crazy careful with separate wallets and security but still got got. Luckily it’s art not crypto so they can be traced. For anyone that bought them, we can work something out.”

Disregarding whether what was lost was actually “art” in the sense of fine art – they are likely more properly described as innovative collectible NFTs with significant speculative value based on community growth, utility, endorphins, and numerous other intangible measures, Green’s loss presents a valuable security lesson for all NFT collectors and raises issues that will not go away anytime soon. All of this is now ripe for discussion.

Green asked OpenSea not to allow trades in his four missing collectibles.  It is doubtful any marketplace will affirmatively identify, tag, and refuse to trade in Green’s four NFTs. As it stands, there are huge numbers of fake collectible NFTs sold on marketplaces – especially on OpenSea. Despite recent OpenSea changes aimed at addressing “copymints” – fake listings using copies of actual collectibles, the collectible fraud problem will not subside any time soon given this sort of fakery does not require much effort and can be very lucrative for scammers – as well as the marketplaces that thrive on trading fees.  More to the point, even the upgraded OpenSea controls do little to address the core issue of compliance.

To its credit, there are no current OpenSea listings tied to Green’s collectible NFTs but that might change at any time given at least one marketplace has them listed.  As of May 19, 2022, Rarible has MAYC # 19182 listed by public wallet address # 0xae7f30d77b367afe64f04dfd94e95f71f8e4ae66.

And, Rarible apparently also has BAYC # 8398 listed by public wallet address # 0xaf20e2e1dca5dffd0efa1a8055099a947beec8be.

These are not Green’s collectible NFTs simply because they reference the correct collections, point to the right image files, describe the correct collectible rarity properties, and use the right numbering scheme.  On the other hand, both have sold – perhaps in wash trades or maybe not, for significant amounts – 106.5 ETH on May 8, 2022 or $268,912 for BAYC # 8398 right around the time it was purportedly removed from Green’s wallet and 31.5 ETH on March 17, 2022 or $87,129 for MAYC # 19182.  Without a way to provide a universal and easily accepted means of verifying the authenticity of these collectibles, collectors will need to be part detective and part forensic investigator and use ETH explorers to track the relevant wallet addresses. 

Assuming someone did the legwork to confirm these are the actual pilfered collectibles, Mr. Green has several options.  He can continue pressuring marketplaces to refrain from listing them.  That would not get them back, but it might prevent further monetization and may cause the current owners to cut a deal with Green for their return given this lack of monetization.

As with many film actors, Seth Green lives in California where knowingly receiving actual stolen property is a criminal offense punishable for up to a year in prison.  See Cal. Penal Code § 496(a) (“Every person who buys or receives any property that has been stolen or that has been obtained in any manner constituting theft or extortion, knowing the property to be so stolen or obtained, or who conceals, sells, withholds, or aids in concealing, selling, or withholding any property from the owner, knowing the property to be so stolen or obtained, shall be punished by imprisonment in a county jail for not more than one year, or imprisonment pursuant to subdivision (h) of Section 1170.”).  Almost all NFT marketplaces are non-custodial – which means this statute would not really apply to them under any reading of the law.

Given this lack of custody, a marketplace would also not likely be liable for conversion. “The tort of conversion is established when one who owns and has the right to possession of personal property proves that the property is in the unauthorized possession of another who has acted to exclude the rights of the owner.” Angiolillo v. Christie’s, Inc., 103 N.Y.S.3d 244, 260-61 (N.Y. Sup. Ct. 2019).  Similarly, a cause of action of replevin requires that the defendant actually possess the property in question before its return can be obtained in court.  All of this assumes ownership of the constituent parts of an NFT, namely private keys, smart contract software code, IPFS content, etc., constitutes personal property in the first place.

Green’s likely best avenue for redress would be going after current holders of his lost NFTs who might be considered bona fide purchasers or good faith purchasers for value not having knowledge of the tainted title. Mr. Green lives in California and the “stolen” property could be in wallets belonging to persons anywhere in the world.  Assuming he knows the public wallet addresses of the current owners, Green would still not know the country of origin let alone name and address.  If the purchaser is identified, however, negotiating a deal or filing suit will be viable options.

Knowing the applicable law for a claim is significant given in some jurisdictions such as New York the law favors rightful owners seeking their stolen personal property.  See e.g., Solomon R. Guggenheim Found. v. Lubell, 77 N.Y.2d 311, 320, 567 N.Y.S.2d 623 (1991) (“To place the burden of locating stolen artwork on the true owner and to foreclose the rights of that owner to recover its property if the burden is not met would, we believe, encourage illicit trafficking in stolen art.”); Barnard v Campbell, 55 N.Y. 456, 461 (1874) (“The general rule of law is undoubted that no one can transfer a better title than he himself possesses.”); DeWeerth v Baldinger, 38 F3d 1266, 1278 (2d Cir. 1994) (“New York case law has long protected the right of the owner whose property has been stolen to recover that property, even if it is in the possession of a good-faith purchaser for value.”).

In some states and countries, however, it is quite different.  For example, under Swiss law, a bona fide purchaser becomes the owner even if the chattel was stolen or otherwise transferred without the authorization of its owner.

On the other hand, even New York law distinguishes between fraud and theft because the owner who is defrauded acted affirmatively and could have protected herself by due diligence, “whereas the owner from whom property is stolen has not acted affirmatively, and, in many instances, could not have protected herself. The [bona fide purchaser] may be equally innocent in both cases, but the original owner from whom property is obtained by fraud is more blameworthy than the original owner from whom property is stolen, and the former is entitled to less legal protection than the latter.”  Shubert Org., Inc. v. Partridge, 2020 NY Slip Op 32748 (N.Y. Sup. Ct. 2020).

This legal distinction raises an interesting point regarding Green’s “stolen” NFTs.  After all, Mr. Green was led to a website by way of a fraudulent email in the hope of minting himself some Gutter Cat Gang NFTs but instead connected his wallet to an imposter website.  All the while, he would have consented to everything done, including his wallet connection and any subsequent activity.  In other words, he was defrauded.  No one went to his home or computer, stole his private key, went into his wallet, and transferred his collectibles to another wallet.  If Green could bring to court a bona fide purchaser of his quartet of valuable NFT collectibles such a buyer could certainly raise all of this as a defense.

Beyond the security hygiene lessons and potential difficulties in retrieving lost collectibles, Green’s mishap also shines a light on the need for due diligence when using a marketplace.  In sharp contrast to collectible NFTs such as BAYC NFTs, purchasing fine art NFTs from a reliable source such as an established art gallery provides justifiable trading confidence.

UPDATE: June 7, 2022

On May 30, 2022, Seth Green announced he had struck a deal with the buyer of his Bored Ape #8398.

He also mentioned he was “working together to prosecute the original thieves” so presumably law enforcement is involved. The following day, Green made a somewhat cryptic statement: “Had to track the NFT to the current holders & make a deal between us to get them back- although we get to prove the friendship & community we all are building around these artists & collections. Plus now we work together to prosecute the original thief who scammed us both”.

In other words, Green was able to convince the buyer to send Green’s Ape back home for an unknown price. For all we know, it may be what the buyer paid or even a premium on that price. What will be of most interest to the ending of this story is what sort of prosecution takes place against Green’s scammers.

UK Royal Mint Wants to Mint an NFT

On April 4, 2022, the UK Royal Mint was asked to mint an NFT.  As with many announcements today, the Royal Mint’s announcement came in a tweet.

Either the above announcement demonstrates supreme ignorance or utter brilliance.  Offering for sale non-fungible representations of currency – the most fungible of assets, certainly seems on its face nonsensical.  Disregarding the typo, however, it may have been a brilliant marketing gambit – with the Chancellor’s goal of placing the UK on the crypto map furthered.  What happens this summer might be a major step in that direction.  Who knows?  There may even be a Royal Mint NFT drop at NFT.NYC in June.

Axie Infinity’s Sidechain Suffers Massive DeFi Exploit

On March 29, 2022, the developers behind the Ronin Network – an Ethereum sidechain used to support the decentralized game Axie Infinity, announced a major exploit.  The developers revealed that an attacker used hacked private keys from four Ronin Validators and a third-party validator run by Axie DAO – out of a total of nine, to forge withdrawals of 173,600 ETH and 25.5M USDC – valued at over $625 million. 

This sort of 51% consensus attack plagued the proof of work crypto community since its early days but largely fizzled out as a threat as the major blockchains grew more complex and the number of mining nodes grew into the thousands.  The fact that the Ronin sidechain only had nine validators for its exit bridge – with a majority being a mere five of the nine, was a security failing by most vantage points.  Not surprisingly, to “prevent further short term damage”, the Ronin Network immediately “increased the validator threshold from five to eight.” And, more importantly, the network “will be expanding the validator set over time, on an expedited timeline.” 

The race to mass adoption of new networks has caused many DeFi platforms to forego a security-first design.  Rather than viewing such an approach as time-consuming or stifling growth, new networks competing with Bitcoin and Ethereum and underlying many new DeFi platforms, must recognize that only with trust will this community ever grow beyond its current early adopters.

UPDATE: March 30, 2022

According to a text message sent to Bloomberg by Aleksander Leonard Larsen, chief operating officer of the developer behind the Ronin Network, Sky Mavis: “We are fully committed to reimbursing our players as soon as possible. . . We’re still working on a solution, that is an ongoing discussion.”

Another OpenSea Vulnerability Is Exploited

The world’s largest NFT marketplace – OpenSea, just got hit with another design flaw – this time allowing buyers in an ongoing auction buy rare NFTs for earlier auction prices.  One analyst ripped the $13.3 billion OpenSea for its security failing:

It’s worth noting that this problem arose as a result of the intended design of OpenSea, a centralized service that uses decentralized coins. It’s difficult to classify this as a hack or even a bug. OpenSea informs consumers that this is how its service works, which has resulted in numerous scams. The OpenSea bug shows that it is a sloppy marketplace, and if users aren’t cautious to follow proper practices, they may be exploited by more savvy users.  Whether the OpenSea bug is being treated as an open security flaw or a result of user error is currently unclear.

The CTO of Ledger had even more harsh words for OpenSea in a now-deleted tweet – suggesting that it is currently not safe for NFT holders to have their assets listed on OpenSea: “It’s very difficult to use this platform securely right now.”  

Despite being an exploit that has existed for well over a month, the actual mechanism for this switch remains unknown – with rumors pointing to a flaw in the API used by OpenSea and Rarible.  One analyst speculated “that an API exploit between Rarible and OpenSea was involved, allowing it to buy these #NFTs at a much lower price.” 

While the exact cause of the vulnerability is not yet known, it may ultimately derive from the fact that OpenSea requires a gas fee to remove a listing.  As a gas fee workaround, certain users transferred their NFTs to another wallet without cancelling the original listing.  This avoided paying any gas fees but left the original listing technically still open. 

After some time elapsed, owners would transfer the NFT back to the original wallet and list again.  That’s when the exploit comes into play.  If there is another auction using the original wallet’s address someone could possibly obtain the NFT using a bid that is based on an earlier offer – in essence, buying the NFT for a fraction of its true current value. 

Potentially feeling some pangs of guilt, the latest “exploiter” of this vulnerability took profits and “sent 20Ξ to @T_BALLER6  and 13Ξ to VirtualToast, two of the people he originally took #NFTs from.”  The public name tag of this person is “OpenSea Opportunistic Buyer” – just in case anyone had any doubts as to their good intentions. 

To date, neither Rarible nor OpenSea have publicly stated anything regarding this “exploit”.   

UPDATE:  January 25, 2022

An OpenSea spokesperson said in a private statement provided to a friendly crypto news outlet that the company has been “actively reaching and reimbursing affected users,” and is taking the matter “incredibly seriously.” The spokesperson apparently did not inform the news outlet exactly how much users have been reimbursed.

OpenSea said it’s been quiet on the issue to avoid notifying “bad actors who could abuse it at scale” before patching the problem. It’s apparently working on product improvements, including a new dashboard that shows all active listings, to address the issue.

Moreover, OpenSea suggested that this loss was caused by a “loophole” and was not an exploit or a bug – “it was an UI issue caused when a user creates a listing, then transfers the NFT to a different wallet to avoid the gas fee that comes with nixing a listing.”  In other words, it was as presumed by those looking at what originally took place.

OpenSea also said in its private statement that it is changing the default listing duration for NFTs from six months to one month, so that if an NFT is transferred back into a wallet after the new time frame the listing will have expired.

It goes without saying that a $13.3 billion company having such a large share of a nascent market should not disclose on a piecemeal basis its security and design failings – either wait until the coast is clear or open the spigots to everyone who can ask meaningful questions.

Frosties Rug Pull Demonstrates Community is Key to NFT Projects

On January 9, 2022, creators of the Frosties NFT Collection abandoned their project after investors spent over $1.2 million buying the entire inventory of digital “cartoon ice cream” characters. The money received by the creators was transferred the same day.

Relying on the Chinese lucky number 8 four times over, the collection of 8,888 Frosties was described as “Cool, Delectable, and Unique” and quickly sold out based on claims made by the creators.  Their project website – which has since been taken down, promises the following:

Frostie NFTs are made up of over a hundred exciting traits of backgrounds, body, clothing, eyes, mouths, eyewear, hats, toppings, and items. Each Frostie is a unique, non-fungible token (NFT) on the Ethereum blockchain.

Frosties will have staking, metaverse, breeding functions, and so much more!

Holding a Frostie allows you to become eligible for holder rewards such as giveaways, airdrops, early access to the metaverse game, and exclusive mint passes to the upcoming seasons.

The Frosties presale will take place on January 7th and the main sale will take place on January 8th.

Join the Frosties community on Twitter and Discord!

After the January 8, 2022 public drop of Frosties at a floor of 0.04 ETH, the project’s Twitter and Discord server accounts were taken down and in a “rug pull” the floor price was removed.  It was also a cash grab given the NFTs stayed with their new owners whereas the creators stopped all further efforts to build or benefit the community.

What happened next is instructive.  First, the value of the underlying NFTs have been selling both low and very high.  In other words, the market is now dictating the pricing and life goes on with how these assets are going to be priced.

As for moving forward with the project, the Frosties Rug Pull demonstrates that projects can go forward with or without the original creators.  The key is to have a passionate community and at least a few folks who can help lead the charge from a technical perspective. 

In the case of Frosties, someone named EsahcHslaw took charge and posted on reddit:  “We are wrapping Frosties under a new contract for those who want to continue to hold while the project kicks off again. Old dev won’t gain royalties this way. The community will own the funds. Community ran, doxxed multisig, roadmap, website, new Twitter. DM for DC server invite.” 

By removing the possibility of creators obtaining future royalties, Frosties owners effectively removed the creators from the project going forward.  And, if the Frosties community continues growing organically – with new social media channels and active community involvement, the Frosties Rug Pull will demonstrate that an active community is the primary engine for driving NFT value.

UPDATE: March 25, 2022

Federal prosecutors New York charged two in a criminal complaint with conspiracy to commit wire fraud and conspiracy to commit money laundering, in connection with the Frosties rug pull.

As set forth in the March 24, 2022 DOJ press release, “Mr. Nguyen and Mr. Llacuna promised investors the benefits of the Frosties NFTs, but when it sold out, they pulled the rug out from under the victims, almost immediately shutting down the website and transferring the money. Our job as prosecutors and law enforcement is to protect investors from swindlers looking for a payday.”

NY Privacy Bill Inches Forward

On January 6, 2022, the newest draft of the proposed New York Privacy Act now being jointly worked on by the Senate and Assembly was published in the Senate as S6701A and in the Assembly as A680B.  A review of this latest draft shows that even though a great deal of important changes were newly inserted into this bill , it still requires some tweaking or it will end up having the same loopholes found in other privacy laws implemented around the country. 

Hopefully, the NY legislative has the will to fully take on the data oligarchs – who have been very aggressively working behind the scenes fighting against this bill.

Defi Security Growing Pains Continue with BitMart Breach

On December 6, 2021, crypto exchange BitMart – which bills itself as “The Most Trusted Crypto Trading Platform”, announced a security breach “mainly caused by a stolen private key that had two of our hot wallets compromised.”   A tweet from security analysis firm PeckShield first called attention to this hack days earlier.  According to Peckshield, the loss is around $196 million.  Interestingly, BitMart at first denied there was any hack – claiming it was “fake news”.

According to the BitMart Twitter release:  “At this moment we are temporarily suspending withdrawals until further notice.”  A Telegram “ask me anything” is scheduled for 8:00 p.m. est this evening.

Similar to what was done by other centralized crypto exchanges after a security incident, BitMart will use its own funds to compensate users impacted by the theft.   

The BitMart theft comes on the heels of a report by London-based consulting firm Elliptic revealing billions of dollars stolen from DeFi platforms.  According to Elliptic’s recently released report, the overall losses caused by DeFi exploits total $12 billion and of that amount, fraud and theft accounted for $10.5 billion, seven times the amount from last year.

Thefts hitting crypto exchanges such as BitMart and DeFi protocols such as Poly Network shine a light on the fact DeFi is largely driven by startups lacking cybersecurity maturity.   In contrast, the financial institutions that literally spend billions on cybersecurity want no part in helping DeFi projects; and more likely, welcome cyber incidents that tarnish DeFi’s reputation.  Until they reach a higher level of security and such incidents become less commonplace, DeFi projects will continue making platform users whole after a security incident – or risk a total collapse in the market for non-money laundering usage. 

Depending on their popularity, open-source products can be highly secure and DeFi should be no different. At some point in time – after decentralized protocols are adequately security tested and implemented and DeFi projects become fully independent and organic and not reliant on any centralized cloud solution or centralized servers, breaches such as the one that hit BitMart will be rare.  In other words, as the market and business opportunities for DeFi increase in scale and scope DeFi’s security profile will naturally evolve.

DeFi May Overtake Traditional Finance If Crypto Changes to 26 U.S.C. § 6050I Becomes Law

The day after the world’s largest NFT event concluded – a truly spectacular event, a bill criminalizing unreported digital asset transactions over $10,000 was sent for presidential signature.  Prior to passage, one blogger warned:  “The amendment to section 6050I is an affront to the rule of law and to the norms of democratic lawmaking. It was slipped quietly into a 2,700 page spending bill, allegedly as a tax measure to defray the bill’s trillion-dollar price tag even though section 6050I is in fact a costly criminal enforcement provision.”

While US bankers and financial institutions thought this provision would level the playing field or even knock DeFi out from the playing field, it may eventually have the exact opposite impact.  By way of background, the 1980’s era 26 U.S.C. § 6050I requires persons who engage in “a trade or business” and receive “more than $10,000 in cash in 1 transaction (or 2 or more related transactions)” to file a Form 8300 report containing the “name, address, and TIN of the person from whom the cash was received, the amount of cash received, [and] the date and nature of the transaction”. 

In the proposed amendment to this law, however, there is a new additional definition of “cash”, namely “any digital asset (as defined in section 6045(g)(3)(D))”.  The definition of “digital asset” is broadly defined as “any digital representation of value which is recorded on a cryptographically secured distributed ledger or any similar technology as specified by the Secretary.”.  Not surprisingly, existing exemptions for “cash received by financial institutions” and reporting organizations or for those transactions “occurring outside the United States” all remain intact.

If this law is signed “as is” – which is apparently likely, it will push a knife deep into the virtual heart of DeFi, NFTs and any other burgeoning alternative investment solutions targeting US customers.  The KYC and reporting requirements would presumably create insurmountable disadvantages.

Some bitcoin whales rejoiced given that hodlers don’t really care much about DeFi or NFTs – they just want to buy more bitcoin and anything that gives rise to anti-governmental sentiment is bullish for hodlers.  In fact, BTC rose to new heights on the news.

While in the short term DeFi and NFT platforms may have significant new hurdles if this bill is signed into law, in the long term it may have the opposite impact intended by the bankers who likely pushed for this financial reporting provision in an “Infrastructure Bill”. 

For one thing, no one country can kill something that is truly decentralized – whether it is China, India or the United States.  The whole point of decentralization is that it is not tethered to any country.  Mandating governmental centralized reporting is no different than pushing a child into a pool – the reality quickly becomes “sink or swim”.  If this bill gets signed, platforms may very well expedite their decentralization plans and US banks will be flanked by truly decentralized platforms they cannot control or influence and participants who would rather take more control over their financial future.  After a decade or two, traditional financial institutions may very well go the way of Sears.

UPDATE: November 16, 2021

On November 15, 2021, the Infrastructure Bill was signed into law. None of the major news outlets discussed the change to 26 U.S.C. § 6050I – with only a few discussing the changes impacting digital asset broker disclosures. One senator, however, introduced on November 16, 2021 a bill to repeal all of the Section 80603 digital asset provisions – including that one involving 6050I. With any luck, it will quickly be enacted into law. And, if not, there is still the potential that down the road this change will forever alter the financial institution landscape by accelerating implementation of DeFi.

UPDATE: June 12, 2022

On June 10, 2022, a federal action funded by Coin Center was filed in the US District Court of the Eastern District of Kentucky against the Treasury Department in the first constitutional challenge to the amendment of Section 6050I of the IRS Code. One of the lawyers bringing suit first sounded the alarm on this amendment last year at NFT.NYC.

Seeking to block enactment of the amendment, the federal suit makes two major claims: “(1) forcing ordinary people to collect highly intrusive information about other ordinary people, and report it to the government without a warrant, is unconstitutional under the Fourth Amendment; and (2) demanding that politically active organizations create and report lists of their donors’ names and identifying information to the government is unconstitutional under the First Amendment. The first claim is about privacy and our Fourth Amendment right to be secure from unreasonable searches and seizures. The Fourth Amendment already has some huge carve-outs that leave people with precious little space for privacy. For example, under the “third-party doctrine” once you hand private information over to a bank or social media company, you lose your right to prevent warrantless searches of that information.”

It remains to be seen whether the suit will successfully block enactment of the new regulation but what is undeniable is that DeFi specifically and Web 3.0 generally is under attack by centralized institutions and constitutional challenges such as this one are an absolute necessity.

World Phone vs. Facebook and WhatsApp

On October 7, 2021, World Phone served on WhatsApp its response in a writ Petition filed by World Phone in India. World Phone previously filed its reply to the Facebook submission on August 25, 2021.

The World Phone Rejoinder provides a detailed analysis of why the Court should bar the use of WhatsApp until the company complies with applicable Indian law. To that end, it is anticipated that the Court will grant the requested injunctive relief on or about December 6, 2021 as to both Respondent No. 3 (Facebook) and Respondent No. 4 (WhatsApp).

Relevant sections of this filed Rejoinder are extracted below.

In 2015 – long before Respondents No. 3 and 4 solidified their current monopoly positions in India, TRAI already recognized Respondents No. 3 and No. 4 were providing the top two mobile phone applications used in India. See Consultation Paper on Regulatory Framework for Over-the-top (OTT) services, para 2.39 at page 27 (27 March 2015) (Publicly available at https://trai.gov.in/sites/default/files/OTT-CP-27032015.pdf).

It is submitted that private monopolistic entities directly impacting the public interest are always subject to writ petitions. Zee Telefilms Ltd. & Anr v. Union of India & Ors., (2005) 4 SCC 649, para 158 (“A body discharging public functions and exercising monopoly power would also be an authority and, thus, writ may also lie against it.”) [emphasis added].  Given the strong public interest implicated by this Petition and Respondent No. 4’s exertion of monopoly power, the Petitioner’s writ Petition should proceed against all Respondents – including Respondent No. 4. 

The fact that the functionally equivalent Internet Telephony services of an Internet service provider (“ISP”) – an entity required to obtain a Unified License prior to providing such services, are provided by Respondent No. 4 un-hindered and without entering into a Unified License Agreement is well recognized and admitted by all Respondents.  Such unlicensed activity is in violation of Section 5 of the Indian Wireless Telegraphy Act, 1933; Sections 4 and 20A of the Indian Telegraph Act, 1885; Section 79 of the Information Technology Act, 2000; and the entire framework of the Telecom Regulatory Authority of India Act, 1997.

It is submitted that all such services  provided by Respondents No. 3 and No. 4 in India should be “licensed pursuant to an agreement with the Department of Telecommunications, Government of India (“DoT”)” notwithstanding,  considering such services “internet-based ‘over-the-top’ (“OTT”) services”.

It is submitted that the Respondent No. 3 by its own averments states that it provides unlicensed Internet Telephony Service/VoIP Calls.  Such Services are provided by the Petitioner by procuring a license from Respondent No. 2 and are governed by the Indian Wireless Telegraphy Act, 1933; the Indian Telegraph Act, 1885; the Information Technology Act, 2000; and the Telecom Regulatory Authority of India Act, 1997.  

It is further submitted that this uneven application has allowed Respondents No. 3 and No. 4 to dominate the market completely and totally – also damaging and putting out of business other Internet Telephony service providers who were once viable.  This market dominance has not gone unnoticed in the United States where an Amended Complaint was filed on 19 August 2021 by the US Federal Trade Commission. 

Respondent No. 4 currently publicly opposes the enforcement of any interception rule.  See “What is traceability and why does WhatsApp oppose it?” (Publicly available at https://faq.whatsapp.com/general/security-and-privacy/what-is-traceability-and-why-does-whatsapp-oppose-it) (“Some governments are seeking to force technology companies to find out who sent a particular message on private messaging services. This concept is called “traceability.” . . . WhatsApp is committed to doing all we can to protect the privacy of people’s personal messages, which is why we join others in opposing traceability.”) [emphasis added]No matter what Respondent No. 4 does or does not do in this regard, it is submitted that the applicable Rules of interception of communication is dwarfed by the applicable financial commitments and vigorous checks and balances required under the Unified License Agreement and associated regulations which Respondent No. 4 should adhere to given the Internet Telephony/VoIP services it provides. 

The Hon’ble Supreme Court has recognized that

“it can very well be said that a writ of mandamus can be issued against a private body which is not a State within the meaning of Article 12 of the Constitution and such body is amenable to the jurisdiction under Article 226 of the Constitution and the High Court under Article 226 of the Constitution can exercise judicial review of the action challenged by a party. But there must be a public law element and it cannot be exercised to enforce purely private contracts entered into between the parties.” Binny Ltd. v. V. Sadasivan, (2005) 6 SCC 657, para 32. 

It is submitted that the issues raised in this writ Petition concern existing legislation governing the services provided by the Petitioner and the Respondents No. 3 and No. 4.  Wherein the Petitioner is operating through the Unified License Agreement issued by Respondents No. 1 and No. 2, the Respondents No. 3 and No. 4 are providing the same services but circumventing the existing legislation and are completely unregulated/unlicensed.  This injustice can only be ruled upon by a Constitutional Court under Article 226 of the Constitution by the Hon’ble High Court and under Article 32 of the Constitution by the Hon’ble Supreme Court of India and not by the TDSAT.  Moreover, Petitioner submits that this Hon’ble Court respectfully should not rely on mere recommendations from TRAI.   

It is submitted that rather than simply ignoring applicable laws, other countries have sought to change their existing licensing regime.  For example, by suggesting that India should not be one of those countries having a licensing scheme for Internet Telephony such as “Korea, Singapore, Hong Kong, Philippines, Thailand, Ecuador, and Mexico”, Microsoft suggested a different approach:  “Microsoft respectfully requests that the TRAI propose a regulatory approach wherein PC to PC VoIP requires no license (and is permitted to be transmitted by ISPs over their networks, public or managed, without restriction), and that only two-way PC to PSTN calling (both inside and outside of India) requires a light-touch registration or minimal licensing obligation, accompanied by appropriate regulations deemed necessary to protect consumers or address a market failure.” Response To Telecom Regulatory Authority of India Consultation Paper, Microsoft Corporation India Private Limited, page 14 (September 2016) (Publicly available at https://www.trai.gov.in/sites/default/files/201609060217157734124Microsoft_Corporation_India_Private_Limited.pdf). 

Reliance JIO, suggested:  “The unrestricted Internet Telephony by the ISPs/ 0TTs may be allowed only if they migrate to the Unified License with Access services authorization or they offer this service under a commercial arrangement with an existing Access service provider.” Comments of Reliance Jio lnfocomm Limited on the issues raised in the Consultation Paper on Internet Telephony (VOIP) (Consultation Paper No 13/2016 dated 22.06.2016), 5 September 2016, at page 9 (Publicly available at  https://www.trai.gov.in/sites/default/files/201609060234264610172RJIO.pdf).  Further, Reliance JIO suggested that “[i]t should be the responsibility of the Access Service Provider offering Internet telephony in collaboration with the OTT provider or otherwise to ensure that the international internet telephony calls are terminated in India through a licensed ILDO.”  Id. at 13 [emphasis added]. 

Respondent No. 3’s current business partner, Reliance Jio, realized early on that a special “Facebook exception” was in its best interests.  See “Stop illegal routing of internet telephony calls:  COAI”, Economic Times (5 May 2016) (“The Cellular Operators Association of India (COAI) has urged the telecom department (DoT) to stop illegal routing of internet telephony calls, warning that a failure to do so would lead to a breach in telco licence conditions, pose security risks and cause sizeable losses to the national exchequer.   Newcomer Reliance Jio Infocomm is also a COAI member, but the GSM industry body in its letter said Jio held a divergent view on the matter.”) [emphasis added] (Publicly available at https://economictimes.indiatimes.com/tech/internet/stop-illegal-routing-of-internet-telephony-calls-coai/articleshow/52133359.cms).

Respondent No. 4 claims it is a “mere application provider” rather than Petitioner who is an “access provider”.  The submitted statement ignores Petitioner is most certainly both and to provide its Internet Telephony/VoIP services in India, Petitioner has fully complied with the existing applicable licensing regime for such services.  

Respondent No. 4 also submits that “the relevant regulatory authorities are seized of the issue and the consultation process is ongoing”. The Respondent No. 4 is misleading this Hon’ble Court wherein the reality is that the regulators have already spoken, and they will not do anything further to enforce the law as currently written. TRAI rather recommends that going forward “Market forces” should dictate a solution.   

Contrary to what is submitted by Respondent No. 4, there is no need for the creation of a new regime applying to “OTT services” and Petitioner is certainly not requesting the creation of such a new regulatory regime – especially given one is not needed.  The Petitioner through this writ Petition is only praying before this Hon’ble Court to enforce the Law/Regulations currently in place.

Respectfully, TRAI has long had an agenda to grow the Internet user base in India.  In 2010, TRAI recognized that the uptick in Internet users was below what was sought by it.  See  Recommendations on Spectrum Management and Licensing Framework, para 2.105 at page 104 (11 May 2010) (“Despite a token licence fee for ISP, the number of internet subscribers has grown from 5.14 million in September 2004 to only 15.24 million by the end of December 2009. Of this, the number of broadband subscribers is 7.83 million. These numbers are way below the target of 40 million and 20 million by the end of 2008 for internet and broadband subscribers respectively.”) (Publicly available at https://trai.gov.in/sites/default/files/FINALRECOMENDATIONS.pdf). To increase the number of Internet users in India, sometime after 2015, TRAI began tilting the scales in favor of OTTs and simply disregarded the current licensing regime when making recommendations.  These efforts have been very successful as shown by the hundreds of millions of customers Respondents No. 3 and No. 4 have accumulated since 2015. 

Without referencing the applicable laws and regulations, TRAI recently concluded:  “It is not an opportune moment to recommend a comprehensive regulatory framework for various aspects of services referred to as OTT services, beyond the extant laws and regulations prescribed presently. It may be looked into afresh when more clarity emerges in international jurisdictions particularly the study undertaken by ITU.”  TRAI Press Release Regarding Recommendations on “Regulatory Framework for Over-the-top (OTT) communication services” (14 September 2020) [emphasis added] (Publicly available at https://trai.gov.in/sites/default/files/PR_No.69of2020.pdf). See also TRAI Recommendations on Regulatory Framework for Over-The-Top (OTT) Communication Services, para 2.4(iii) at page 8 (“Since, ITU deliberations are also at study level, therefore conclusions may not be drawn regarding the regulatory framework of OTT services. However, in future, a framework may emerge regarding cooperation between OTT providers and telecom operators.  The Department of Telecommunications (DoT) and Telecom Regulatory Authority of India (TRAI) are also actively participating in the ongoing deliberations in ITU on this issue. Based on the outcome of ITU deliberations DoT and TRAI may take appropriate consultations in future.”) [emphasis added] (Publicly available at https://trai.gov.in/sites/default/files/Recommendation_14092020_0.pdf). 

The international ITU body, however, previously made it clear that it is not involving itself in India’s internal regulatory matters and is merely a spectator to such activities.  See ITU Economic Impact of OTTs Technical Report 2017, 5.2 India at 33 (“India is in the process of reassessing its rules on online services, including OTT services. . . . As noted in Section 4.2, voice and messaging services are permitted to be offered only by firms that hold a licence. Internet Protocol (IP) based voice and messaging services can also be offered by licensed network operators as unrestricted Internet Telephony Services; however, these services may not interconnect with traditional switched services. The dichotomy between regulated traditional services and largely unregulated OTT services leads to numerous anomalies.”) [emphasis added] (Publicly available at https://www.itu.int/dms_pub/itu-t/opb/tut/T-TUT-ECOPO-2017-PDF-E.pdf).   

As for the local ITU branch – the ITU-APT Foundation of India, that group has already sided with Respondent No. 4’s claim there is an “intelligible differentia” between its Internet Telephony services and Petitioner’s Internet Telephony services.  ITU-APT Foundation of India comments on TRAI OTT consultation (7 January 2019) at 3 (“The Consultation Paper (“CP”) draws parallels between the communication services offered by OTT service providers and TSPs.  However, we would like to submit that the services offered by them are widely different and cannot be compared.”) [emphasis added] (Publicly available at https://trai.gov.in/sites/default/files/ITUAPT08012019.pdf).  

This position is not surprising given that according to the ITU-APT Foundation of India:  “Facebook’s, [sic] one of our valued corporate member[sic] announce a major investment in Reliance Jio that would facilitate the ailing telecom Industry. The two companies said that they will work together on some major initiatives that would open up commerce opportunities for people across India.” ITU-APT Weekly News Summary [emphasis added] (Publicly available at https://itu-apt.org/itu-letter.pdf).   

Rather than rely on ITU, TRAI should have considered more the deliberations of the Confederation of Indian Industry (CII) – which recognizes that OTT providers are already governed by the present licensing regime.  See CII Response to TRAI Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services at 6 (7 January 2019) (“Any new regulations for TSPs and OTTs should be considered taking into account the respective regulations govern the TSPs and the OTTs under the Telegraph Act, license, TRAI Act and the Information Technology Act. The Authority should consider new future fit frameworks that lightens the regulatory burden and adopts a progressive approach that allows all entities in the eco-system to proliferate and grow – offering maximum benefits to the consumers.”) [emphasis added] (Publicly available at https://trai.gov.in/sites/default/files/ConfederationofIndianIndustry08012019.pdf).  CII has long been a major force in advocating what is in the best interest of Indian businesses – and does not care about the interests of US-based monopolies:  “The journey began in 1895 when 5 engineering firms, all members of the Bengal Chamber of Commerce and Industry, joined hands to form the Engineering and Iron Trades Association (EITA). . . . Since 1992, through rapid expansion and consolidation, CII has grown to be the most visible business association in India.” [emphasis added] (Publicly available at https://www.cii.in/about_us_History.aspx?enc=ns9fJzmNKJnsoQCyKqUmaQ==).

It is submitted that a comprehensive licensing regime is already in place which covers not only the interception rules, penalties, security issues but also governs the license fees and tariffs and mode to operate among others.  It is submitted that the stand of Respondent No. 4 in regards to interception rules and end-to- end encryption claimed to be covered under the IT Act and other rules, which it publicly opposes, is just like crumbs from a pie wherein the Indian Wireless Telegraphy Act, 1933; the Indian Telegraph Act, 1885; the Information Technology Act, 2000; and the Telecom Regulatory Authority of India Act, 1997 provide a complete pie and once it is brought under such laws Respondent No. 4 will have to comply with all the rules and regulations at par with the Petitioner.

Petitioner and Respondent No. 4 are indeed “equals” in that they provide the same Internet Telephony/VoIP service while are treated “unequally” by Respondents No. 1 and No. 2. It is submitted that only the Petitioner is required to comply with the licensing regime applicable for providing such telephony services.

Individual citizens forming a legal entity or juristic person can invoke fundamental rights. It is submitted that the ameliorative relief sought by the Petitioner is issuance of writ by this Hon’ble Court that the applicable laws and regulations are complied with and enforced upon the unregulated/unlicensed Internet Telephony/VoIP Service Provider Respondent No. 4 herein.

It is denied that the issues raised by this Petition are being “considered and decided by DoT and TRAI, the regulatory authorities with the expertise and experience to address such issues.”   It has been over five years since the issue of an uneven level playing field was raised with Respondent No. 2 as regards Respondent No. 4.    

Petitioner through this writ Petition is praying that the existing laws and regulations are fairly applied and enforced as to all companies no matter how large and powerful they are.  It is humbly submitted that if the unlawful conduct uncovered by this writ Petition is not addressed by this Hon’ble Court, Respondent No. 4 will likely forever be left unchecked to do what it likes in India.

It is submitted that on 19 November 2019, the Minister of Home Affairs was asked “whether the Government does Tapping of WhatsApp calls and Messages in the country” and responded without answering the question but implied it was “tapping of WhatsApp calls and messages” by referencing the same interception rule mentioned by Respondent No. 4 in its submission. Government Of India, Ministry Of Home Affairs, Lok Sabha, Unstarred       Question No: 351” (Publicly available at http://loksabhaph.nic.in/Questions/QResult15.aspx?qref=6696&lsno=17).   The Hon’ble Court has no way of knowing if Respondent No. 4 is helping law enforcement, exactly how Respondent No. 4 is helping law enforcement, or whether Respondent No. 4 could do more to help.

Whether or not Respondent No. 4 is consistent with its public pronouncements and does not actually access user accounts is actually of little importance – than that the Respondent No. 4 admittedly does not comply with the licensing requirements applicable to providers of Internet Telephony/VoIP services.   

It is denied that there is no financial loss to the national exchequer despite the complete failure to obtain any entry fee, payment of license fee, or goods and service tax from India’s largest operator of Internet Telephony services. A loss of income naturally results when licensing fees are not paid. See Cellular Operators Association of India (COAI) Counter Comments TRAI Consultation Paper on Internet Telephony Released, 22 July 2016, at 1 (“Internet Telephony provided by unlicensed entities besides being in violation of license will not only deprive the licensed operators of huge revenue but will also result in lesser payout to exchequer in the form of reduced license fee on revenues.”) [emphasis added] (Publicly available at https://www.trai.gov.in/sites/default/files/201609161151061091227COAI.pdf).   

It is denied that Respondent No. 4’s unregulated conduct actually “generates more revenue for the government by enhancing investments in data networks, and consequent increases in license fees.” [emphasis added].   Even the ITU-APT Foundation of India acknowledges that the infrastructure growth created by OTT providers happens in the USA and not in IndiaSee ITU-APT Foundation of India comments on TRAI OTT consultation (7 January 2019) at 5 (“It is estimated that OTT investments in infrastructure is fast growing, and the bigger OTT players invested 9% of their 2011-2013 revenues in networks and facilities in the US.  This trend can be replicated in India with the right regulatory environment which would recognize and incentivize greater investments rather than stifle the industry with arbitrarily applicable licenses.”) [emphasis added] (Publicly available at https://trai.gov.in/sites/default/files/ITUAPT08012019.pdf).  Both the ITU-APT Foundation of India and Respondent No. 4 are wrong, however, given that Respondent No. 2’s failure to enforce existing laws has already created the “right regulatory environment” for the bigger OTT players.  It is also clear neither Respondent No. 3 nor Respondent No. 4 have any intentions of building networks or facilities in India given they have withdrawn their prior physical presence in India and currently neither even have any office in India.

It is submitted that the question is not whether a licensing regime should apply to OTT’s when the existing regime already does apply, but the real question is whether the existing laws and regulations will be regulated and enforced by Respondents No. 1 and No. 2. 

It is submitted that the contents of this Petition seeks liberty of the Court to enforce the laws as written. It is denied that the Petitioner is seeking from the Hon’ble Court to “displace” regulatory authorities  but only to enforce existing law and regulations which are applicable to all providers of Internet Telephony/VoIP services,  even those who claim to  ride on the telecommunications rails built and maintained by other companies. 

It is denied that the Respondent No. 4 was singled out in the writ Petition.  Unlike Respondent No. 4, other similar service provider like “Skype” have near zero market share compared to Respondents No. 3 and 4.   It is submitted that Skype was once the undisputed dominant provider in India but after its corporate parent Microsoft was sued in 2014 by Petitioner, Skype removed the ability to call within India from Skype to mobiles and landlines. In the relevant case, the Hon’ble Court in the United States found that Petitioner was better served filing a writ petition in India rather than in the United States. TI Investment Services, LLC, World Phone World Phone Internet Service Pvt. Ltd. v. Microsoft Corp., 23 F. Supp. 3d 451, 472 (D. N.J. 2014) (“The Courts of India are better positioned to determine whether their own national laws have been violated, and, if so, what the antitrust consequences, if any, are in their national market. If Plaintiffs wish to renew their suit, they should do so in the jurisdiction where they are alleged to have competed with Defendant, to have complied with regulatory laws, and to have suffered injury, and that is India.”).

It is further submitted that unlike Microsoft and even Google, Respondent No. 4 flagrantly violates existing regulatory prohibitions by, for example, allowing Indian users of its free “WhatsApp Business” utilize their landline phone numbers for messaging with customers. See WhatsApp Business App Android Download Page (“You can use WhatsApp Business with a landline (or fixed) phone number and your customers can message you on that number.”) (Publicly available at https://play.google.com/store/apps/details?id=com.whatsapp.w4b&hl=en_IN&gl=IN).  As recognized even by TRAI, such unlicensed services run afoul of the existing licensing regime.  See Consultation Paper on Regulatory Framework for Over-the-top (OTT) services, para 2.40 at page 28 (27 March 2015) (“Under the current telecom licensing regime, voice and messaging services can be offered only after obtaining a license. Apart from traditional voice and messaging, IP based voice and messaging services can also be offered by TSPs as unrestricted Internet Telephony Services, which are permitted under the scope of the Unified Access Service (UAS) license in terms of the UAS Guidelines dated 14th December 2005. Similar provisions exist for Cellular Mobile Telephone Service (CMTS) and Basic Service Licences. However, the scope of the Internet Services Licence was restricted to Internet Telephony Services without connectivity to Public Switch Telephone Network (PSTN)/Public Land Mobile Network (PLMN) in India.”) [emphasis added] (Publicly available at https://trai.gov.in/sites/default/files/OTT-CP-27032015.pdf).   

It is denied that Respondent No. 4 can freely provide telecommunication services and ignore the Unified License Agreement because it relies on networks built by other companies. It is submitted that Respondent No. 4 at one point was building out its physical presence in India for regulatory reasons.  By way of background, on 6 April 2018, the Reserve Bank of India issued its Directive, Storage of Payment System Data, requiring that: “All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India.”  Directive on Storage of Payment System Data, 6 April 2018, (Publicly available at https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244&Mode=0).    

Soon thereafter Respondent No. 4 announced the appointment of Abhijit Bose as head of “WhatsApp India”– WhatsApp’s first full country team outside of California . . . based in Gurgaon.” Respondent No. 4’s company statement is no longer available on its website but press accounts of this statement can still be found online.  “WhatsApp appoints Abhijit Bose as head of WhatsApp India”, The Economic Times of India (21 Nov 2018) (Publicly available at https://economictimes.indiatimes.com/tech/internet/whatsapp-appoints-abhijit-bose-as-head-of-whatsapp-india/articleshow/66735848.cms). According to Mr. Bose’s November 2018 statement recounted by the India Times:  “WhatsApp can positively impact the lives of hundreds of millions of Indians, allowing them to actively engage and benefit from the new digital economy.” Id. The India Times also reported in that article: “Apart from the traceability request, the government had had asked WhatsApp to set up a local corporate presence. . . .” Id. After finding a way to maneuver around the Reserve Bank of India’s 2018 Directive, on 6 November 2020, Respondent No. 4 announced the launch of its payment platform without having any “local corporate presence” that would store “data related to payments”See “Send Payments in India with WhatsApp”, WhatsApp Blog (6 November 2020) (Publicly available at https://blog.whatsapp.com/send-payments-in-india-with-whatsapp). As with Respondent No. 3’s massive build out of its physical presence in India, Respondent No. 4’s “company statement” regarding the building of “WhatsApp India’s” physical presence in India is no longer found on Respondent No. 4’s website.  

More importantly, as also with Respondent No. 3, Respondent No. 4 now no longer has any physical presence in India – despite the country being Respondent No. 4’s largest country market.  And, without Respondent No. 4 having any physical presence in the country, Mr. Bose – still apparently head of “WhatsApp India”, announced in July 2020:  “Our collective aim over the next two to three years should be to help low-wage workers and the unorganised, informal economy easily accesses three products – insurance, micro-credit and pensions.” See “Facebook’s WhatsApp to partner with more Indian banks in financial inclusion push”, Reuters Article, (22 July 2020) (Publicly available at https://www.reuters.com/article/us-whatsapp-india-idUSKCN24N24E.  It is further submitted that Respondent No. 4 – who already dominants in Internet Telephony, messaging, and mobile payments plans on dominating  in providing access to “insurance, micro-credit and pensions”. It is submitted that this blatant form of digital colonialism should respectfully be rejected  by way of this present writ Petition

Respondent No. 4 submits it need not comply with the Unified License Agreement despite providing “telecommunication services” simply because it uses for free the networks built by others.  The relevant regulatory authorities have been made aware of the matters set forth in the Petition for over five years without enforcing public laws and their own regulations and is why DoT is named as Respondent No. 2 in this matter.  Last year alone, Respondent No. 3 generated revenues of more than US$85 billion and profits of more than US$29 billion.  These numbers will grow exponentially as the “free” unlicensed products currently offered to Indians become further monetized by Respondents No. 3 and No. 4. 

Other than the present writ Petition, there is no available “statutory remedy” that would otherwise cause the enforcement of applicable law.  It is respectfully submitted that the Hon’ble Court should intercede to ensure equal protection under the law. It is further humbly submitted that if the Hon’ble Court does not intercede to stop the digital colonialism of Respondents No. 3 and No. 4, the same will go forward unabated. Considering the foregoing facts and circumstances, it is therefore respectfully prayed to this Hon’ble Court to kindly allow the prayer of relief sought by the Petitioner, in the interest of justice, including enjoining Respondent No. 4 from providing Internet Telephony/VoIP services until such time as Respondent No. 4 is in full compliance with the applicable requirements for providing such services in the Union of India.

UPDATE: December 8, 2021

On December 6, 2021, Justice Rekha Palli closed the pleadings and ruled in favor of an adjournment request made by counsel for the Department of Telecommunications and Union of India. This was done so that the DoT could further evaluate the recommendation of TRAI filed in 2020.

Most importantly, the Court ruled that “it is expected that before the next date of hearing, the said respondents will take a final decision on the aforesaid recommendations. While doing so, it will also be open for them to consider whether any fresh recommendations are called for from the TRAI.” The next hearing is scheduled for March 16, 2022.

By not dismissing the action and instead moving the DoT away from the sidelines, Meta was dealt a blow that may very well lead to the end of its unlicensed activities in India. Even though it would have been nice to see that happen in 2021, given the strong political ties of Meta in India the old adage “better late than never” easily comes to mind.

UPDATE: March 19, 2022

On its own motion, the Court adjourned the March 16, 2022 hearing without taking evidence or hearing any arguments. The next hearing date was scheduled for September 8, 2022. To date, the DoT has ignored the December 6, 2021 Order and has not taken “a final decision on the [TRAI] recommendations.”

It appears as if the Court recognizes it must eventually rule against Facebook and WhatsApp but would prefer to delay the inevitable.

Facebook’s Curious Outage

After a six-hour outage on October 4, 2021 that impacted 3.5 billion people relying on three monopolistic properties (Facebook, WhatsApp, and Instagram), Facebook blogged an update on October 5, 2021 regarding the cause:  “We want to make clear that there was no malicious activity behind this outage — its root cause was a faulty configuration change on our end. We also have no evidence that user data was compromised as a result of this downtime.” 

What sort of “faulty configuration change” would take down three separate massive online properties relying on servers and cloud services spread across the world?  According to one cloud provider:  “It was as if someone had “pulled the cables” from their data centers all at once and disconnected them from the Internet.”    Facebook is not disclosing any further details – the fact that it lost about $545,000 in U.S. ad revenue per hour is not sufficient to trigger disclosure given that this outage will likely have little long-term effect on its revenue growth.  Accordingly, only if another Facebook whistleblower steps forward will any real insight become public.

With any luck, on December 6, 2021, one tiny case in India will help pop the Facebook balloon once and for all.

Legal and Business Advocacy