Category Archives: Privacy

Decentralization in 2024

One of the founders of Ethereum recently recognized, “it is rare for the interests of idealism and pragmatism to overlap” but in the case of decentralization it “is not just something we should work towards, but something we truly must deliver on.”  This fixation on “decentralization” took on new life after blockchain hit the popular press. 

Despite BTC reaching 21-month highs, true decentralization of financial systems built on crypto will lack mass adoption until there is sufficient trust to render Bitcoin or any other crypto “currency” a real currency.  More than likely, this lack of trust is what is stopping the acceptance of crypto for widespread purchases, an essential precursor for any currency status.  This failing is likely why the IRS from the very beginning treated cryptocurrencies and decentralized finance products as taxable property rather than as currency.

To that point, on December 28, 2023, Barron’s recognized, “crypto has a long path to relevancy beyond trading.  Despite years of development, blockchain networks remain on the outskirts of mainstream finance, while hacks, theft, and money laundering continue to be among the main uses.  Crypto is still gambling on an unproven technology.”

Indeed, decentralized finance (DeFi) opportunities have also been around for nearly a decade with little widespread market penetration.  With DeFi platforms, existing growing pains stem from a lack of proper security hygiene sufficient to generate trust and “only with trust will this community ever grow beyond its current early adopters.”  Moreover, DeFi platforms and their users face a full frontal attack by centralized banking authorities seeking the sort of financial disclosures currently only found with cash transactions.  DeFi will never touch the “PayPalJPMVisa” mountain peak “until at least one DeFi application checks all the relevant boxes for a sizable enough market.  It may be a decade before a DeFi project reaches that vantage point – with the classic Amazon vs. Sears endgame likely being studied along the way.”

Decentralization can also take on several non-crypto flavors.  For example, the decentralization of governance places local governmental structures above large centralized authorities.  The World Bank considers governmental decentralization in the context of community-driven development as a driver of “economic efficiency, public accountability, and empowerment” by providing “greater voice and choice to citizens to influence decisions that affect their lives” and “allowing local governments to respond dynamically to communities”, and resulting in “allocative efficiency by matching of local needs and preferences with patterns of local public expenditure (assumes substantial fiscal autonomy).”  In the same breath, the World Bank suggests that the potential dangers and challenges brought on by such decentralization include:  “Elite capture, Corruption, Patronage politics, Local civil servants feeling compromised, Incomplete information, Constituents not able to hold representatives accountable, and Opaque decision-making affecting accountability upwards and downwards.”

None of these “potential dangers”, however, are really any less of a risk in centralized governmental structures.  Indeed, “elite capture, corruption, and opaque decision-making” can be more efficiently perpetrated within centralized structures.  Corporate decentralization in the form of DAOs (decentralized autonomous organizations) has some life: Wyoming, the birthplace of the limited liability company and typically decades ahead of the pack (it was the first state to recognize LLCs, in 1977), now recognizes the DAO as a corporate structure.  Unlike a standard LLC, “a DAO can be managed by a combination of human members/managers and algorithmically.”  Nevertheless, even in Wyoming this decentralized business entity remains an LLC hybrid and can be viewed as an unincorporated association able to be sued.  DAOs remain a decentralized movement to track in 2024 and beyond.

Persistent trust issues and effective governmental interventions may curtail widespread crypto adoption, and expanding decentralized governance is a non-starter for most countries.  A third major area of decentralization, however, remains a major threat to existing centralized structures, whether those structures are authoritative governments (which describes most existing governments), financial institutions controlling the major financial levers, or the tech companies that currently control most aspects of online and offline public discourse.

Simply put, the decentralization of one’s identity and personal data using self-sovereign identity (SSI) systems represents the greatest current threat to centralized power structures.  Unfortunately, this is not an easy sell, nor a threat that will manifest anytime soon, because decentralizing one’s digital identity entails asking people to renounce an online identity built over many years in favor of a clunky and confusing decentralized online persona.

SSI specifications such as W3C Verifiable Credentials (VC), OpenID for Verifiable Credentials and SD-JWT are all directly or indirectly spearheaded by large tech companies, and they are gaining attention due to potential adoption by the European Digital Identity Architecture and Reference Framework, NIST, DHS and others.  It is not difficult to see why these centralized structures are pushing for mostly federated SSI solutions: the EU Parliament sees SSI as a means of enforcing its privacy regime, NIST sees SSI as a means of strengthening cybersecurity, and DHS wants to deploy it as a means of improving physical security.

More to the point, once centralized authorities implement their own SSI solutions, those solutions will never really be self-sovereign, because centralized access to personal data, especially personal health information, will never be willingly given up by a centralized authority.  Even the much-ballyhooed HIPAA turns its back on the sale of “de-identified” data for “medical research”.  Until March 2023, the NIH and other federal agencies shared COVID-19 patient health data through several Open-Access Data and Computational Resources.  Indeed, there is a reason HIPAA has long had numerous disclosure exemptions that largely swallow the law’s protective measures.

As it stands, healthcare providers sell patient data for billions of dollars without ever violating a single word of either the HIPAA Privacy Rule or the HIPAA Security Rule.  Not surprisingly, a 2021 proposed New York privacy law was killed in committee not because of BigTech lobbying; it was shot behind the barn by large hospital lobbyists not keen on having their cash cows disrupted by NYS residents obtaining rights HIPAA does not currently provide.  All the while, as early as 2018 researchers could “accurately match 95% of adults to their data in a deidentified user dataset”.
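To make concrete why “de-identified” data re-identifies so easily, here is an added example (not code or data from the original post or from the study it quotes) of the classic linkage technique: a released table with names stripped still carries quasi-identifiers such as ZIP code, birth year and sex, and an outside list that carries the same columns plus names links the two wherever the combination is unique. Both tables are constructed for illustration; the post does not say which method the cited researchers used, and the `generalize()` mitigation is a textbook example, not a HIPAA-specified procedure.

```python
"""Quasi-identifier linkage against a "de-identified" record set.

Added example, not code or data from the original post. Both tables are
constructed; the names, ZIP codes and diagnoses are placeholders.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# "De-identified" clinical rows: name removed, quasi-identifiers kept. Constructed.
DEIDENTIFIED = [
    {"id": 1, "zip": "10011", "birth_year": 1979, "sex": "F", "diagnosis": "asthma"},
    {"id": 2, "zip": "10011", "birth_year": 1979, "sex": "F", "diagnosis": "migraine"},
    {"id": 3, "zip": "10014", "birth_year": 1985, "sex": "M", "diagnosis": "diabetes"},
    {"id": 4, "zip": "10014", "birth_year": 1983, "sex": "M", "diagnosis": "hypertension"},
    {"id": 5, "zip": "10019", "birth_year": 1991, "sex": "F", "diagnosis": "anemia"},
    {"id": 6, "zip": "10019", "birth_year": 1995, "sex": "F", "diagnosis": "gout"},
]

# Auxiliary data with names (voter roll, marketing list, breach dump). Constructed.
AUXILIARY = [
    {"name": "Alice A.", "zip": "10011", "birth_year": 1979, "sex": "F"},
    {"name": "Bea B.",   "zip": "10011", "birth_year": 1979, "sex": "F"},
    {"name": "Carl C.",  "zip": "10014", "birth_year": 1985, "sex": "M"},
    {"name": "Dan D.",   "zip": "10014", "birth_year": 1983, "sex": "M"},
    {"name": "Erin E.",  "zip": "10019", "birth_year": 1991, "sex": "F"},
    {"name": "Fay F.",   "zip": "10019", "birth_year": 1995, "sex": "F"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def qi_key(row: dict, keys=QUASI_IDENTIFIERS) -> Tuple:
    return tuple(row[k] for k in keys)


def equivalence_classes(rows: List[dict], keys=QUASI_IDENTIFIERS) -> Dict[Tuple, List[dict]]:
    """Group rows that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for row in rows:
        classes[qi_key(row, keys)].append(row)
    return classes


def k_anonymity(rows: List[dict], keys=QUASI_IDENTIFIERS) -> int:
    """Smallest equivalence class size; k == 1 means at least one row is unique."""
    return min(len(c) for c in equivalence_classes(rows, keys).values())


def link(deidentified: List[dict], auxiliary: List[dict], keys=QUASI_IDENTIFIERS) -> Dict[int, str]:
    """Map record id -> name wherever the quasi-identifiers single out exactly one
    record on each side. Ambiguous classes (k > 1) stay unlinked."""
    aux_classes = equivalence_classes(auxiliary, keys)
    linked = {}
    for key, records in equivalence_classes(deidentified, keys).items():
        candidates = aux_classes.get(key, [])
        if len(records) == 1 and len(candidates) == 1:
            linked[records[0]["id"]] = candidates[0]["name"]
    return linked


def reidentification_rate(deidentified, auxiliary, keys=QUASI_IDENTIFIERS) -> float:
    return len(link(deidentified, auxiliary, keys)) / len(deidentified)


def generalize(rows: List[dict], zip_digits: int = 3) -> List[dict]:
    """Textbook mitigation: coarsen ZIP to a prefix and birth year to a decade
    before release, so that more rows fall into each equivalence class."""
    out = []
    for row in rows:
        r = dict(row)
        r["zip"] = row["zip"][:zip_digits]
        r["birth_year"] = row["birth_year"] // 10 * 10
        out.append(r)
    return out


if __name__ == "__main__":
    print("k before release:", k_anonymity(DEIDENTIFIED))
    print("linked:", link(DEIDENTIFIED, AUXILIARY))
    print("rate:", reidentification_rate(DEIDENTIFIED, AUXILIARY))
    print("k after generalization:", k_anonymity(generalize(DEIDENTIFIED)))
```

On the constructed rows, four of six records link to a name even though no name was released; only the two women in 10011 born in 1979 hide behind each other. Coarsening ZIP to three digits and birth year to a decade pushes every class to size two and the linkage to zero, at the cost of analytic precision, which is exactly the trade-off a data seller has no incentive to make.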

The roughly 3 billion base pairs of the human genome provide a hard-coded template that cannot currently be mimicked.  In other words, the future world of rapid-fire DNA ID testing envisioned by Gattaca may eventually be the primary means of distinguishing between individuals.

DNA harvesting for research purposes became mainstream during COVID-19 testing, which is why French President Macron refused Putin’s offer of a PCR test in 2022.  The National Human Genome Research Institute describes COVID-19 PCR “amplification” tests as follows:  “Polymerase chain reaction (PCR) is a common laboratory technique used in research and clinical practices to amplify, or copy, small segments of genetic material. PCR is sometimes called “molecular photocopying,” and it is incredibly accurate and sensitive. Short sequences called primers are used to selectively amplify a specific DNA sequence. PCR was invented in the 1980s and is now used in a variety of ways, including DNA fingerprinting, diagnosing genetic disorders and detecting bacteria or viruses. Because molecular and genetic analyses require significant amounts of a DNA sample, it is nearly impossible for researchers to study isolated pieces of genetic material without PCR amplification.”  Note that the COVID-19 assay itself amplifies viral sequences, not the subject’s genome; the harvesting concern is the swab sample, which contains the subject’s cells and therefore DNA, and what a laboratory retains and does with that sample afterward.  It should be no surprise that DNA analytics firms such as 23andMe are targeted by hackers eager to possess the ultimate insight for identity verification, and that the NIH deployed a wide-ranging voluntary DNA research program on the heels of the eMERGE Network.

Personal identification using DNA fingerprints will become more and more attractive as realistic generative-AI simulations of human voice, gait, images and video increase the risk that biometric identity systems will fail to distinguish real measurements from fake ones.  Indeed, some vendors now focus heavily on “liveness detection”, which looks for physiological signs of life alongside the biometric data itself.  FaceTec is a leader in this space and even hosts its own educational site on the importance of liveness detection.  Nevertheless, even these companies will eventually hit a wall as generative capabilities advance (possibly aided by quantum computing), which points to live rapid-fire DNA testing as the key identity verification tool for future robust SSI implementations.

Where does this leave decentralization in 2024?  While today’s SSI, DeFi and governmental decentralization efforts may self-correct in the future towards true decentralization apart from centralized authority, there are projects in play right now that might more easily mature in 2024 to further data decentralization.  For example, there are efforts taking the form of improved fund distribution: one using a platform created for UNICEF by the Nepal-based developer Rumsan, and one called Disburse by Scifn, offering a one-to-many approach.  These and other fund distribution platforms can eventually be decoupled from centralized funding sources.

Alongside Polkadot, peer-to-peer platforms such as Veilid let users build their own private distributed apps, with peer-to-peer communication and no resulting centralized data storage.  Believing that centralized social media is “harmful to society”, Spritely Institute replaces the client-server architecture undergirding all existing social media platforms with a “participatory peer-centric model” that places “people in control of their own identity and build the technology that would enable a shift to collaborative and intentional security models prioritizing active consent.”  These approaches still face many mass adoption barriers, not the least of which are the competitive market barriers established long ago by the current data oligarchs.

SSI left only in the hands of centralized authorities will eventually lead to increased hacking and continued misuse of personal data.  Individuals will never truly “own” or control their personal data until new statutory requirements bring true portability of personal data (including derivative, platform-generated data), coupled with meaningful consent rights over existing data usage that limit centralized control when a user off-boards to a peer-to-peer platform.  In other words, decentralization of existing data silos cannot become viable until there is a complete reset of existing norms of data stewardship and lobbyists take a backseat to the preeminence of consumer rights.  If 2024 brings us even a few inches closer to that reality, it will be a good year for decentralization.

World Phone is Allowed to Pursue Meta in Regulatory Proceeding

On December 8, 2022, the High Court of New Delhi ruled that World Phone “may be allowed to participate, both by means of written representation and oral submissions” before the Telecom Regulatory Authority of India (TRAI). Such relief was granted despite opposition by Respondents Facebook and WhatsApp.

In addition, the Court ruled: “Considering the extensive prevalence and use of internet telephony, TRAI would expeditiously conduct this stakeholders’ consultation and give its recommendations accordingly.” In other words, not only must TRAI consider the submissions of World Phone, it must quickly deliberate regarding its recommendations.

On one level, the Court passed the buck on this matter, given that no substantive ruling was reached regarding the underlying merits of the Petition.  On the other hand, there was a stern message set forth in the Order regarding how the Government of India has shifted in its approach to over-the-top services and that it may be time to rein in Meta before it is too late.  World Phone, a company that has been battling Facebook since 2015, will do what is needed to assist in that endeavor.

Phishing for Green Apes

On May 17, 2022, actor Seth Green announced to the world that he got “phished and had 4NFT stolen”. Apparently, he clicked on a link that led him to a website that requested and obtained access to his wallet – a wallet containing four high-profile collectible NFTs. After he provided the necessary consent, a scammer promptly emptied his wallet of these four expensive collectible NFTs.

Green purportedly knows how to navigate Web 3.0 but does a really bad job of justifying his lack of security hygiene:  “Scam GutterCats clone site. I’m crazy careful with separate wallets and security but still got got. Luckily it’s art not crypto so they can be traced. For anyone that bought them, we can work something out.”

Disregarding whether what was lost was actually “art” in the sense of fine art (they are more properly described as innovative collectible NFTs with significant speculative value based on community growth, utility, endorphins, and numerous other intangible measures), Green’s loss presents a valuable security lesson for all NFT collectors and raises issues that will not go away anytime soon.  All of this is now ripe for discussion.

Green asked OpenSea not to allow trades in his four missing collectibles.  It is doubtful any marketplace will affirmatively identify, tag, and refuse to trade in Green’s four NFTs. As it stands, there are huge numbers of fake collectible NFTs sold on marketplaces – especially on OpenSea. Despite recent OpenSea changes aimed at addressing “copymints” – fake listings using copies of actual collectibles, the collectible fraud problem will not subside any time soon given this sort of fakery does not require much effort and can be very lucrative for scammers – as well as the marketplaces that thrive on trading fees.  More to the point, even the upgraded OpenSea controls do little to address the core issue of compliance.

To its credit, there are no current OpenSea listings tied to Green’s collectible NFTs, but that might change at any time given that at least one marketplace has them listed.  As of May 19, 2022, Rarible has MAYC #19182 listed by wallet address 0xae7f30d77b367afe64f04dfd94e95f71f8e4ae66.

Rarible apparently also has BAYC #8398 listed by wallet address 0xaf20e2e1dca5dffd0efa1a8055099a947beec8be.

These are not Green’s collectible NFTs simply because they reference the correct collections, point to the right image files, describe the correct rarity properties, and use the right numbering scheme; a copymint can do all of that.  The authoritative check is the contract address: the genuine token is the one minted by the official collection contract, and that contract’s ownerOf() for the token ID names the current holder.  On the other hand, both have sold, perhaps in wash trades or maybe not, for significant amounts: 106.5 ETH ($268,912) on May 8, 2022 for BAYC #8398, right around the time it was purportedly removed from Green’s wallet, and 31.5 ETH ($87,129) on March 17, 2022 for MAYC #19182.  Without a universal and easily accepted means of verifying the authenticity of these collectibles, collectors will need to be part detective and part forensic investigator and use ETH explorers to track the relevant wallet addresses and the token’s Transfer events.
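The “part forensic investigator” work above is mechanical once the raw Transfer events are in hand. The following is an added example (not code from the original post or from any marketplace or explorer) that decodes ERC-721 Transfer event logs in the JSON-RPC shape an explorer or `eth_getLogs` returns, rebuilds one token’s custody chain on one contract, checks that the chain is continuous, and lists every address that received the token at or after the incident. The event records, addresses, block numbers and the incident block are constructed placeholders, not real chain data and not the wallets or tokens named in the post; only the Transfer topic hash is the real ERC-721 constant.

```python
"""Trace the custody chain of an ERC-721 token from Transfer event logs.

Added example, not code from the original post. SAMPLE_LOGS and every
address/block below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# keccak256("Transfer(address,address,uint256)"): topic[0] of every ERC-721
# Transfer event (ERC-20 shares the same hash, see decode_transfer).
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ZERO_ADDRESS = "0x" + "00" * 20

# Constructed placeholder addresses.
OFFICIAL_CONTRACT = "0x" + "c0" * 20   # the genuine collection contract
COPYMINT_CONTRACT = "0x" + "c1" * 20   # look-alike contract reusing the same token ids
OWNER = "0x" + "a1" * 20
THIEF = "0x" + "b2" * 20
BUYER = "0x" + "b3" * 20
UNRELATED = "0x" + "d4" * 20


def addr_topic(addr: str) -> str:
    """Indexed address parameter: left-padded to 32 bytes."""
    return "0x" + "00" * 12 + addr[2:].lower()


def uint_topic(value: int) -> str:
    return "0x" + format(value, "064x")


def make_log(block: int, index: int, contract: str, sender: str, receiver: str, token_id: int) -> dict:
    return {"address": contract, "blockNumber": block, "logIndex": index,
            "topics": [TRANSFER_TOPIC, addr_topic(sender), addr_topic(receiver), uint_topic(token_id)],
            "data": "0x"}


# Constructed sample: token 8398 is minted to OWNER, drained to THIEF at the
# incident block, then sold on to BUYER. A copymint contract mints its own
# token 8398, and an ERC-20 transfer (three topics, amount in data) is mixed in.
INCIDENT_BLOCK = 1000
SAMPLE_LOGS = [
    make_log(900, 0, OFFICIAL_CONTRACT, ZERO_ADDRESS, OWNER, 8398),
    make_log(950, 3, COPYMINT_CONTRACT, ZERO_ADDRESS, UNRELATED, 8398),
    make_log(1000, 7, OFFICIAL_CONTRACT, OWNER, THIEF, 8398),
    make_log(1003, 1, OFFICIAL_CONTRACT, THIEF, BUYER, 8398),
    {"address": "0x" + "e5" * 20, "blockNumber": 1001, "logIndex": 0,
     "topics": [TRANSFER_TOPIC, addr_topic(THIEF), addr_topic(BUYER)], "data": uint_topic(5)},
]


@dataclass(frozen=True)
class Transfer:
    block: int
    log_index: int
    contract: str
    sender: str
    receiver: str
    token_id: int


def decode_transfer(log: dict) -> Optional[Transfer]:
    """Decode an ERC-721 Transfer; return None for anything else."""
    topics = log["topics"]
    # ERC-721 indexes all three parameters, so a 721 Transfer has exactly four
    # topics with the token id in topics[3]; the ERC-20 variant has only three.
    if len(topics) != 4 or topics[0].lower() != TRANSFER_TOPIC:
        return None
    return Transfer(block=log["blockNumber"], log_index=log["logIndex"],
                    contract=log["address"].lower(),
                    sender="0x" + topics[1][-40:].lower(),
                    receiver="0x" + topics[2][-40:].lower(),
                    token_id=int(topics[3], 16))


def custody_chain(logs: List[dict], contract: str, token_id: int) -> List[Transfer]:
    """All transfers of one token on one contract, in chain order, checked for continuity."""
    events = [t for t in map(decode_transfer, logs)
              if t is not None and t.contract == contract.lower() and t.token_id == token_id]
    events.sort(key=lambda t: (t.block, t.log_index))
    holder = None
    for t in events:
        # Each transfer must originate from the holder the previous one established;
        # a gap means the log set is incomplete, not that the token is fake.
        if holder is not None and t.sender != holder:
            raise ValueError(f"broken custody chain at block {t.block}: {t.sender} is not {holder}")
        holder = t.receiver
    return events


def current_holder(logs: List[dict], contract: str, token_id: int) -> Optional[str]:
    chain = custody_chain(logs, contract, token_id)
    return chain[-1].receiver if chain else None


def holders_since(logs: List[dict], contract: str, token_id: int, block: int) -> List[str]:
    """Every address that received the token at or after `block`: the leads to follow up."""
    return [t.receiver for t in custody_chain(logs, contract, token_id) if t.block >= block]


if __name__ == "__main__":
    for t in custody_chain(SAMPLE_LOGS, OFFICIAL_CONTRACT, 8398):
        print(f"block {t.block}: {t.sender} -> {t.receiver}")
    print("current holder:", current_holder(SAMPLE_LOGS, OFFICIAL_CONTRACT, 8398))
    print("holders since incident:", holders_since(SAMPLE_LOGS, OFFICIAL_CONTRACT, 8398, INCIDENT_BLOCK))
```

Filtering on the contract address is the whole point: the copymint’s token 8398 has its own, unrelated chain and never appears in the official contract’s history, which is the check a marketplace listing alone does not give you. Against a live chain the same logic runs over the output of `eth_getLogs` filtered by the collection contract and the token id topic.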

Assuming someone did the legwork to confirm these are the actual pilfered collectibles, Mr. Green has several options.  He can continue pressuring marketplaces to refrain from listing them.  That would not get them back, but it might prevent further monetization and may cause the current owners to cut a deal with Green for their return given this lack of monetization.

As with many film actors, Seth Green lives in California, where knowingly receiving stolen property is a criminal offense punishable by up to a year in prison.  See Cal. Penal Code § 496(a) (“Every person who buys or receives any property that has been stolen or that has been obtained in any manner constituting theft or extortion, knowing the property to be so stolen or obtained, or who conceals, sells, withholds, or aids in concealing, selling, or withholding any property from the owner, knowing the property to be so stolen or obtained, shall be punished by imprisonment in a county jail for not more than one year, or imprisonment pursuant to subdivision (h) of Section 1170.”).  Almost all NFT marketplaces are non-custodial, which means this statute would not really apply to them under any reading of the law.

Given this lack of custody, a marketplace would also not likely be liable for conversion. “The tort of conversion is established when one who owns and has the right to possession of personal property proves that the property is in the unauthorized possession of another who has acted to exclude the rights of the owner.” Angiolillo v. Christie’s, Inc., 103 N.Y.S.3d 244, 260-61 (N.Y. Sup. Ct. 2019).  Similarly, a cause of action of replevin requires that the defendant actually possess the property in question before its return can be obtained in court.  All of this assumes ownership of the constituent parts of an NFT, namely private keys, smart contract software code, IPFS content, etc., constitutes personal property in the first place.

Green’s likely best avenue for redress would be going after current holders of his lost NFTs who might be considered bona fide purchasers or good faith purchasers for value not having knowledge of the tainted title. Mr. Green lives in California and the “stolen” property could be in wallets belonging to persons anywhere in the world.  Assuming he knows the public wallet addresses of the current owners, Green would still not know the country of origin let alone name and address.  If the purchaser is identified, however, negotiating a deal or filing suit will be viable options.

Knowing the applicable law for a claim is significant given in some jurisdictions such as New York the law favors rightful owners seeking their stolen personal property.  See e.g., Solomon R. Guggenheim Found. v. Lubell, 77 N.Y.2d 311, 320, 567 N.Y.S.2d 623 (1991) (“To place the burden of locating stolen artwork on the true owner and to foreclose the rights of that owner to recover its property if the burden is not met would, we believe, encourage illicit trafficking in stolen art.”); Barnard v Campbell, 55 N.Y. 456, 461 (1874) (“The general rule of law is undoubted that no one can transfer a better title than he himself possesses.”); DeWeerth v Baldinger, 38 F3d 1266, 1278 (2d Cir. 1994) (“New York case law has long protected the right of the owner whose property has been stolen to recover that property, even if it is in the possession of a good-faith purchaser for value.”).

In some states and countries, however, it is quite different.  For example, under Swiss law, a bona fide purchaser becomes the owner even if the chattel was stolen or otherwise transferred without the authorization of its owner.

On the other hand, even New York law distinguishes between fraud and theft because the owner who is defrauded acted affirmatively and could have protected herself by due diligence, “whereas the owner from whom property is stolen has not acted affirmatively, and, in many instances, could not have protected herself. The [bona fide purchaser] may be equally innocent in both cases, but the original owner from whom property is obtained by fraud is more blameworthy than the original owner from whom property is stolen, and the former is entitled to less legal protection than the latter.”  Shubert Org., Inc. v. Partridge, 2020 NY Slip Op 32748 (N.Y. Sup. Ct. 2020).

This legal distinction raises an interesting point regarding Green’s “stolen” NFTs.  After all, Mr. Green was led to a website by way of a fraudulent email in the hope of minting himself some Gutter Cat Gang NFTs but instead connected his wallet to an imposter website.  All the while, he would have consented to everything done, including his wallet connection and any subsequent activity.  In other words, he was defrauded.  No one went to his home or computer, stole his private key, went into his wallet, and transferred his collectibles to another wallet.  If Green could bring to court a bona fide purchaser of his quartet of valuable NFT collectibles such a buyer could certainly raise all of this as a defense.

Beyond the security hygiene lessons and potential difficulties in retrieving lost collectibles, Green’s mishap also shines a light on the need for due diligence when using a marketplace.  In sharp contrast to collectible NFTs such as BAYC NFTs, purchasing fine art NFTs from a reliable source such as an established art gallery provides justifiable trading confidence.

UPDATE: June 7, 2022

On May 30, 2022, Seth Green announced he had struck a deal with the buyer of his Bored Ape #8398.

He also mentioned he was “working together to prosecute the original thieves” so presumably law enforcement is involved. The following day, Green made a somewhat cryptic statement: “Had to track the NFT to the current holders & make a deal between us to get them back- although we get to prove the friendship & community we all are building around these artists & collections. Plus now we work together to prosecute the original thief who scammed us both”.

In other words, Green was able to convince the buyer to send Green’s Ape back home for an unknown price. For all we know, it may be what the buyer paid or even a premium on that price. What will be of most interest to the ending of this story is what sort of prosecution takes place against Green’s scammers.

NY Privacy Bill Inches Forward

On January 6, 2022, the newest draft of the proposed New York Privacy Act, now being jointly worked on by the Senate and Assembly, was published in the Senate as S6701A and in the Assembly as A680B.  A review of this latest draft shows that even though a great many important changes were newly inserted into the bill, it still requires some tweaking or it will end up with the same loopholes found in other privacy laws implemented around the country.

Hopefully, the NY legislature has the will to fully take on the data oligarchs, who have been very aggressively working behind the scenes fighting against this bill.

World Phone vs. Facebook and WhatsApp

UPDATE: November 25, 2022

On November 25, 2022, the Indian Department of Telecommunications (“DoT”) – named Respondent No. 2 in the World Phone action, filed a short affidavit providing documentation of DoT’s request that the Telecom Regulatory Authority of India [“TRAI”] revisit its laissez faire decision regarding OTT operators such as Facebook and WhatsApp.

UPDATE: September 9, 2022

On September 8, 2022, the Court ruled that the Indian Department of Telecommunications (“DoT”) – named Respondent No. 2 in the World Phone action, was entitled to file an affidavit “placing relevant material on the record” regarding the issues “pertaining to internet telephony [that] have upon due consideration been remitted back to the Telecom Regulatory Authority of India [“TRAI”] for its consideration and opinion.” Legal counsel for Meta Platforms, Inc. (“Meta”) also suggested at the September 8, 2022 hearing that the rejection of TRAI’s recommendations did not necessarily mean Facebook and WhatsApp violated Indian regulatory law.

The September 8, 2022 hearing and ruling is significant for several reasons. First, it is the first official confirmation that the DoT did in fact reject TRAI’s September 2020 laissez faire recommendations. In 2020, TRAI did not recommend enforcement of DoT regulations on OTT operators such as Facebook and WhatsApp. See “Regulatory Framework for Over-the-top (OTT) communication services” (14 September 2020). Without referencing the applicable laws or regulations, TRAI concluded on page 8 of its September 2020 recommendations:  “It is not an opportune moment to recommend a comprehensive regulatory framework for various aspects of services referred to as OTT services, beyond the extant laws and regulations prescribed presently.” (emphasis added). On May 3, 2022, World Phone applauded the widely reported, yet previously unconfirmed, DoT decision to reject TRAI’s 2020 recommendations. This press account has now officially been confirmed by Respondent No. 2, but only because of the September 8, 2022 hearing in the World Phone action.

Second, this decision has now placed Meta on the defensive in that the company will for the first time have to specifically address its lack of regulatory compliance. Armed with the DoT’s and Meta’s position prior to the next scheduled hearing on December 8, 2022, World Phone’s counsel will demonstrate once and for all the illegal nature of the Facebook and WhatsApp services. Only after that is done, will the Court finally rule on the matter.

All of this is very timely given that Google – a company like Microsoft that complies with the pertinent Indian regulations, has recently been at odds with Meta as regards the use of a government panel to oversee online content disputes. Meta wants no oversight from the Indian government. This is not a great surprise given that – as recognized by local press, companies like Facebook have “for years been at odds with the Indian government, arguing that strict regulations are hurting their business and investment plans.”

Meta dwarfs all other “Western tech giants” operating in India. No other company even comes close. Within a few months time, the High Court in New Delhi will hopefully finally put an end to Meta’s Digital Colonialism. This can only be considered good news for Indians who value their independence and right to self sovereignty.

UPDATE: March 19, 2022

On its own motion, the Court adjourned the March 16, 2022 hearing without taking evidence or hearing any arguments. The next hearing date was scheduled for September 8, 2022. To date, the DoT has ignored the December 6, 2021 Order and has not taken “a final decision on the [TRAI] recommendations.”

It appears as if the Court recognizes it must eventually rule against Facebook and WhatsApp but would prefer to delay the inevitable.

UPDATE: December 8, 2021

On December 6, 2021, Justice Rekha Palli closed the pleadings and ruled in favor of an adjournment request made by counsel for the Department of Telecommunications and Union of India. This was done so that the DoT could further evaluate the recommendation of TRAI filed in 2020.

Most importantly, the Court ruled that “it is expected that before the next date of hearing, the said respondents will take a final decision on the aforesaid recommendations. While doing so, it will also be open for them to consider whether any fresh recommendations are called for from the TRAI.” The next hearing is scheduled for March 16, 2022.

By not dismissing the action and instead moving the DoT away from the sidelines, Meta was dealt a blow that may very well lead to the end of its unlicensed activities in India. Even though it would have been nice to see that happen in 2021, given the strong political ties of Meta in India the old adage “better late than never” easily comes to mind.


On October 7, 2021, World Phone served on WhatsApp its response in a writ Petition filed by World Phone in India. World Phone previously filed its reply to the Facebook submission on August 25, 2021.

The World Phone Rejoinder provides a detailed analysis of why the Court should bar the use of WhatsApp until the company complies with applicable Indian law. To that end, it is anticipated that the Court will grant the requested injunctive relief on or about December 6, 2021 as to both Respondent No. 3 (Facebook) and Respondent No. 4 (WhatsApp).

Relevant sections of this filed Rejoinder are extracted below.

In 2015 – long before Respondents No. 3 and 4 solidified their current monopoly positions in India, TRAI already recognized Respondents No. 3 and No. 4 were providing the top two mobile phone applications used in India. See Consultation Paper on Regulatory Framework for Over-the-top (OTT) services, para 2.39 at page 27 (27 March 2015) (Publicly available at https://trai.gov.in/sites/default/files/OTT-CP-27032015.pdf).

It is submitted that private monopolistic entities directly impacting the public interest are always subject to writ petitions. Zee Telefilms Ltd. & Anr v. Union of India & Ors., (2005) 4 SCC 649, para 158 (“A body discharging public functions and exercising monopoly power would also be an authority and, thus, writ may also lie against it.”) [emphasis added].  Given the strong public interest implicated by this Petition and Respondent No. 4’s exertion of monopoly power, the Petitioner’s writ Petition should proceed against all Respondents – including Respondent No. 4. 

The fact that the functionally equivalent Internet Telephony services of an Internet service provider (“ISP”) – an entity required to obtain a Unified License prior to providing such services, are provided by Respondent No. 4 un-hindered and without entering into a Unified License Agreement is well recognized and admitted by all Respondents.  Such unlicensed activity is in violation of Section 5 of the Indian Wireless Telegraphy Act, 1933; Sections 4 and 20A of the Indian Telegraph Act, 1885; Section 79 of the Information Technology Act, 2000; and the entire framework of the Telecom Regulatory Authority of India Act, 1997.

It is submitted that all such services provided by Respondents No. 3 and No. 4 in India should be “licensed pursuant to an agreement with the Department of Telecommunications, Government of India (“DoT”)”, notwithstanding that such services are considered “internet-based ‘over-the-top’ (“OTT”) services”.

It is submitted that the Respondent No. 3 by its own averments states that it provides unlicensed Internet Telephony Service/VoIP Calls.  Such Services are provided by the Petitioner by procuring a license from Respondent No. 2 and are governed by the Indian Wireless Telegraphy Act, 1933; the Indian Telegraph Act, 1885; the Information Technology Act, 2000; and the Telecom Regulatory Authority of India Act, 1997.  

It is further submitted that this uneven application has allowed Respondents No. 3 and No. 4 to dominate the market completely and totally – also damaging and putting out of business other Internet Telephony service providers who were once viable.  This market dominance has not gone unnoticed in the United States where an Amended Complaint was filed on 19 August 2021 by the US Federal Trade Commission. 

Respondent No. 4 currently publicly opposes the enforcement of any interception rule.  See “What is traceability and why does WhatsApp oppose it?” (Publicly available at https://faq.whatsapp.com/general/security-and-privacy/what-is-traceability-and-why-does-whatsapp-oppose-it) (“Some governments are seeking to force technology companies to find out who sent a particular message on private messaging services. This concept is called “traceability.” . . . WhatsApp is committed to doing all we can to protect the privacy of people’s personal messages, which is why we join others in opposing traceability.”) [emphasis added].  No matter what Respondent No. 4 does or does not do in this regard, it is submitted that the applicable Rules of interception of communication are dwarfed by the applicable financial commitments and vigorous checks and balances required under the Unified License Agreement and associated regulations, which Respondent No. 4 should adhere to given the Internet Telephony/VoIP services it provides.

The Hon’ble Supreme Court has recognized that

“it can very well be said that a writ of mandamus can be issued against a private body which is not a State within the meaning of Article 12 of the Constitution and such body is amenable to the jurisdiction under Article 226 of the Constitution and the High Court under Article 226 of the Constitution can exercise judicial review of the action challenged by a party. But there must be a public law element and it cannot be exercised to enforce purely private contracts entered into between the parties.” Binny Ltd. v. V. Sadasivan, (2005) 6 SCC 657, para 32. 

It is submitted that the issues raised in this writ Petition concern existing legislation governing the services provided by the Petitioner and the Respondents No. 3 and No. 4.  Whereas the Petitioner is operating through the Unified License Agreement issued by Respondents No. 1 and No. 2, the Respondents No. 3 and No. 4 are providing the same services but circumventing the existing legislation and are completely unregulated/unlicensed.  This injustice can only be ruled upon by a Constitutional Court under Article 226 of the Constitution by the Hon’ble High Court and under Article 32 of the Constitution by the Hon’ble Supreme Court of India and not by the TDSAT.  Moreover, Petitioner submits that this Hon’ble Court respectfully should not rely on mere recommendations from TRAI.

It is submitted that rather than simply ignoring applicable laws, other countries have sought to change their existing licensing regime.  For example, by suggesting that India should not be one of those countries having a licensing scheme for Internet Telephony such as “Korea, Singapore, Hong Kong, Philippines, Thailand, Ecuador, and Mexico”, Microsoft suggested a different approach:  “Microsoft respectfully requests that the TRAI propose a regulatory approach wherein PC to PC VoIP requires no license (and is permitted to be transmitted by ISPs over their networks, public or managed, without restriction), and that only two-way PC to PSTN calling (both inside and outside of India) requires a light-touch registration or minimal licensing obligation, accompanied by appropriate regulations deemed necessary to protect consumers or address a market failure.” Response To Telecom Regulatory Authority of India Consultation Paper, Microsoft Corporation India Private Limited, page 14 (September 2016) (Publicly available at https://www.trai.gov.in/sites/default/files/201609060217157734124Microsoft_Corporation_India_Private_Limited.pdf). 

Reliance JIO suggested:  “The unrestricted Internet Telephony by the ISPs/ OTTs may be allowed only if they migrate to the Unified License with Access services authorization or they offer this service under a commercial arrangement with an existing Access service provider.” Comments of Reliance Jio Infocomm Limited on the issues raised in the Consultation Paper on Internet Telephony (VOIP) (Consultation Paper No 13/2016 dated 22.06.2016), 5 September 2016, at page 9 (Publicly available at https://www.trai.gov.in/sites/default/files/201609060234264610172RJIO.pdf).  Further, Reliance JIO suggested that “[i]t should be the responsibility of the Access Service Provider offering Internet telephony in collaboration with the OTT provider or otherwise to ensure that the international internet telephony calls are terminated in India through a licensed ILDO.”  Id. at 13 [emphasis added].

Respondent No. 3’s current business partner, Reliance Jio, realized early on that a special “Facebook exception” was in its best interests.  See “Stop illegal routing of internet telephony calls:  COAI”, Economic Times (5 May 2016) (“The Cellular Operators Association of India (COAI) has urged the telecom department (DoT) to stop illegal routing of internet telephony calls, warning that a failure to do so would lead to a breach in telco licence conditions, pose security risks and cause sizeable losses to the national exchequer.   Newcomer Reliance Jio Infocomm is also a COAI member, but the GSM industry body in its letter said Jio held a divergent view on the matter.”) [emphasis added] (Publicly available at https://economictimes.indiatimes.com/tech/internet/stop-illegal-routing-of-internet-telephony-calls-coai/articleshow/52133359.cms).

Respondent No. 4 claims it is a “mere application provider” rather than, like Petitioner, an “access provider”.  The submitted statement ignores that Petitioner is most certainly both, and that to provide its Internet Telephony/VoIP services in India, Petitioner has fully complied with the existing applicable licensing regime for such services.

Respondent No. 4 also submits that “the relevant regulatory authorities are seized of the issue and the consultation process is ongoing”. The Respondent No. 4 is misleading this Hon’ble Court, whereas the reality is that the regulators have already spoken, and they will not do anything further to enforce the law as currently written. TRAI rather recommends that going forward “Market forces” should dictate a solution.

Contrary to what is submitted by Respondent No. 4, there is no need for the creation of a new regime applying to “OTT services” and Petitioner is certainly not requesting the creation of such a new regulatory regime – especially given one is not needed.  The Petitioner through this writ Petition is only praying before this Hon’ble Court to enforce the Law/Regulations currently in place.

Respectfully, TRAI has long had an agenda to grow the Internet user base in India.  In 2010, TRAI recognized that the uptick in Internet users was below what was sought by it.  See Recommendations on Spectrum Management and Licensing Framework, para 2.105 at page 104 (11 May 2010) (“Despite a token licence fee for ISP, the number of internet subscribers has grown from 5.14 million in September 2004 to only 15.24 million by the end of December 2009. Of this, the number of broadband subscribers is 7.83 million. These numbers are way below the target of 40 million and 20 million by the end of 2008 for internet and broadband subscribers respectively.”) (Publicly available at https://trai.gov.in/sites/default/files/FINALRECOMENDATIONS.pdf). To increase the number of Internet users in India, sometime after 2015, TRAI began tilting the scales in favor of OTTs and simply disregarded the current licensing regime when making recommendations.  These efforts have been very successful as shown by the hundreds of millions of customers Respondents No. 3 and No. 4 have accumulated since 2015.

Without referencing the applicable laws and regulations, TRAI recently concluded:  “It is not an opportune moment to recommend a comprehensive regulatory framework for various aspects of services referred to as OTT services, beyond the extant laws and regulations prescribed presently. It may be looked into afresh when more clarity emerges in international jurisdictions particularly the study undertaken by ITU.”  TRAI Press Release Regarding Recommendations on “Regulatory Framework for Over-the-top (OTT) communication services” (14 September 2020) [emphasis added] (Publicly available at https://trai.gov.in/sites/default/files/PR_No.69of2020.pdf). See also TRAI Recommendations on Regulatory Framework for Over-The-Top (OTT) Communication Services, para 2.4(iii) at page 8 (“Since, ITU deliberations are also at study level, therefore conclusions may not be drawn regarding the regulatory framework of OTT services. However, in future, a framework may emerge regarding cooperation between OTT providers and telecom operators.  The Department of Telecommunications (DoT) and Telecom Regulatory Authority of India (TRAI) are also actively participating in the ongoing deliberations in ITU on this issue. Based on the outcome of ITU deliberations DoT and TRAI may take appropriate consultations in future.”) [emphasis added] (Publicly available at https://trai.gov.in/sites/default/files/Recommendation_14092020_0.pdf). 

The international ITU body, however, previously made it clear that it is not involving itself in India’s internal regulatory matters and is merely a spectator to such activities.  See ITU Economic Impact of OTTs Technical Report 2017, 5.2 India at 33 (“India is in the process of reassessing its rules on online services, including OTT services. . . . As noted in Section 4.2, voice and messaging services are permitted to be offered only by firms that hold a licence. Internet Protocol (IP) based voice and messaging services can also be offered by licensed network operators as unrestricted Internet Telephony Services; however, these services may not interconnect with traditional switched services. The dichotomy between regulated traditional services and largely unregulated OTT services leads to numerous anomalies.”) [emphasis added] (Publicly available at https://www.itu.int/dms_pub/itu-t/opb/tut/T-TUT-ECOPO-2017-PDF-E.pdf).   

As for the local ITU branch – the ITU-APT Foundation of India, that group has already sided with Respondent No. 4’s claim there is an “intelligible differentia” between its Internet Telephony services and Petitioner’s Internet Telephony services.  ITU-APT Foundation of India comments on TRAI OTT consultation (7 January 2019) at 3 (“The Consultation Paper (“CP”) draws parallels between the communication services offered by OTT service providers and TSPs.  However, we would like to submit that the services offered by them are widely different and cannot be compared.”) [emphasis added] (Publicly available at https://trai.gov.in/sites/default/files/ITUAPT08012019.pdf).  

This position is not surprising given that according to the ITU-APT Foundation of India:  “Facebook’s, [sic] one of our valued corporate member[sic] announce a major investment in Reliance Jio that would facilitate the ailing telecom Industry. The two companies said that they will work together on some major initiatives that would open up commerce opportunities for people across India.” ITU-APT Weekly News Summary [emphasis added] (Publicly available at https://itu-apt.org/itu-letter.pdf).   

Rather than rely on ITU, TRAI should have considered more the deliberations of the Confederation of Indian Industry (CII) – which recognizes that OTT providers are already governed by the present licensing regime.  See CII Response to TRAI Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services at 6 (7 January 2019) (“Any new regulations for TSPs and OTTs should be considered taking into account the respective regulations govern the TSPs and the OTTs under the Telegraph Act, license, TRAI Act and the Information Technology Act. The Authority should consider new future fit frameworks that lightens the regulatory burden and adopts a progressive approach that allows all entities in the eco-system to proliferate and grow – offering maximum benefits to the consumers.”) [emphasis added] (Publicly available at https://trai.gov.in/sites/default/files/ConfederationofIndianIndustry08012019.pdf).  CII has long been a major force in advocating what is in the best interest of Indian businesses – and does not care about the interests of US-based monopolies:  “The journey began in 1895 when 5 engineering firms, all members of the Bengal Chamber of Commerce and Industry, joined hands to form the Engineering and Iron Trades Association (EITA). . . . Since 1992, through rapid expansion and consolidation, CII has grown to be the most visible business association in India.” [emphasis added] (Publicly available at https://www.cii.in/about_us_History.aspx?enc=ns9fJzmNKJnsoQCyKqUmaQ==).

It is submitted that a comprehensive licensing regime is already in place which covers not only the interception rules, penalties, and security issues but also governs the license fees and tariffs and mode of operation, among others.  It is submitted that the stand of Respondent No. 4 in regards to interception rules and end-to-end encryption claimed to be covered under the IT Act and other rules, which it publicly opposes, is just like crumbs from a pie, whereas the Indian Wireless Telegraphy Act, 1933; the Indian Telegraph Act, 1885; the Information Technology Act, 2000; and the Telecom Regulatory Authority of India Act, 1997 provide a complete pie, and once it is brought under such laws Respondent No. 4 will have to comply with all the rules and regulations at par with the Petitioner.

Petitioner and Respondent No. 4 are indeed “equals” in that they provide the same Internet Telephony/VoIP service, while being treated “unequally” by Respondents No. 1 and No. 2. It is submitted that only the Petitioner is required to comply with the licensing regime applicable for providing such telephony services.

Individual citizens forming a legal entity or juristic person can invoke fundamental rights. It is submitted that the ameliorative relief sought by the Petitioner is issuance of writ by this Hon’ble Court that the applicable laws and regulations are complied with and enforced upon the unregulated/unlicensed Internet Telephony/VoIP Service Provider Respondent No. 4 herein.

It is denied that the issues raised by this Petition are being “considered and decided by DoT and TRAI, the regulatory authorities with the expertise and experience to address such issues.”  It has been over five years since the issue of an uneven level playing field was raised with Respondent No. 2 as regards Respondent No. 4.

Petitioner through this writ Petition is praying that the existing laws and regulations are fairly applied and enforced as to all companies no matter how large and powerful they are.  It is humbly submitted that if the unlawful conduct uncovered by this writ Petition is not addressed by this Hon’ble Court, Respondent No. 4 will likely forever be left unchecked to do what it likes in India.

It is submitted that on 19 November 2019, the Minister of Home Affairs was asked “whether the Government does Tapping of WhatsApp calls and Messages in the country” and responded without answering the question but implied it was “tapping of WhatsApp calls and messages” by referencing the same interception rule mentioned by Respondent No. 4 in its submission. “Government Of India, Ministry Of Home Affairs, Lok Sabha, Unstarred Question No: 351” (Publicly available at http://loksabhaph.nic.in/Questions/QResult15.aspx?qref=6696&lsno=17).  The Hon’ble Court has no way of knowing if Respondent No. 4 is helping law enforcement, exactly how Respondent No. 4 is helping law enforcement, or whether Respondent No. 4 could do more to help.

Whether or not Respondent No. 4 is consistent with its public pronouncements and does not actually access user accounts is actually of less importance than the fact that Respondent No. 4 admittedly does not comply with the licensing requirements applicable to providers of Internet Telephony/VoIP services.

It is denied that there is no financial loss to the national exchequer despite the complete failure to obtain any entry fee, payment of license fee, or goods and service tax from India’s largest operator of Internet Telephony services. A loss of income naturally results when licensing fees are not paid. See Cellular Operators Association of India (COAI) Counter Comments TRAI Consultation Paper on Internet Telephony Released, 22 July 2016, at 1 (“Internet Telephony provided by unlicensed entities besides being in violation of license will not only deprive the licensed operators of huge revenue but will also result in lesser payout to exchequer in the form of reduced license fee on revenues.”) [emphasis added] (Publicly available at https://www.trai.gov.in/sites/default/files/201609161151061091227COAI.pdf).   

It is denied that Respondent No. 4’s unregulated conduct actually “generates more revenue for the government by enhancing investments in data networks, and consequent increases in license fees.” [emphasis added].  Even the ITU-APT Foundation of India acknowledges that the infrastructure growth created by OTT providers happens in the USA and not in India.  See ITU-APT Foundation of India comments on TRAI OTT consultation (7 January 2019) at 5 (“It is estimated that OTT investments in infrastructure is fast growing, and the bigger OTT players invested 9% of their 2011-2013 revenues in networks and facilities in the US.  This trend can be replicated in India with the right regulatory environment which would recognize and incentivize greater investments rather than stifle the industry with arbitrarily applicable licenses.”) [emphasis added] (Publicly available at https://trai.gov.in/sites/default/files/ITUAPT08012019.pdf).  Both the ITU-APT Foundation of India and Respondent No. 4 are wrong, however, given that Respondent No. 2’s failure to enforce existing laws has already created the “right regulatory environment” for the bigger OTT players.  It is also clear that neither Respondent No. 3 nor Respondent No. 4 has any intention of building networks or facilities in India given they have withdrawn their prior physical presence in India and currently neither even has any office in India.

It is submitted that the question is not whether a licensing regime should apply to OTT’s when the existing regime already does apply, but the real question is whether the existing laws and regulations will be regulated and enforced by Respondents No. 1 and No. 2. 

It is submitted that the contents of this Petition seek liberty of the Court to enforce the laws as written. It is denied that the Petitioner is seeking from the Hon’ble Court to “displace” regulatory authorities, but only to enforce existing law and regulations which are applicable to all providers of Internet Telephony/VoIP services, even those who claim to ride on the telecommunications rails built and maintained by other companies.

It is denied that the Respondent No. 4 was singled out in the writ Petition.  Unlike Respondent No. 4, other similar service providers like “Skype” have near zero market share compared to Respondents No. 3 and 4.  It is submitted that Skype was once the undisputed dominant provider in India but after its corporate parent Microsoft was sued in 2014 by Petitioner, Skype removed the ability to call within India from Skype to mobiles and landlines. In the relevant case, the Hon’ble Court in the United States found that Petitioner was better served filing a writ petition in India rather than in the United States. TI Investment Services, LLC, World Phone World Phone Internet Service Pvt. Ltd. v. Microsoft Corp., 23 F. Supp. 3d 451, 472 (D. N.J. 2014) (“The Courts of India are better positioned to determine whether their own national laws have been violated, and, if so, what the antitrust consequences, if any, are in their national market. If Plaintiffs wish to renew their suit, they should do so in the jurisdiction where they are alleged to have competed with Defendant, to have complied with regulatory laws, and to have suffered injury, and that is India.”).

It is further submitted that unlike Microsoft and even Google, Respondent No. 4 flagrantly violates existing regulatory prohibitions by, for example, allowing Indian users of its free “WhatsApp Business” to utilize their landline phone numbers for messaging with customers. See WhatsApp Business App Android Download Page (“You can use WhatsApp Business with a landline (or fixed) phone number and your customers can message you on that number.”) (Publicly available at https://play.google.com/store/apps/details?id=com.whatsapp.w4b&hl=en_IN&gl=IN).  As recognized even by TRAI, such unlicensed services run afoul of the existing licensing regime.  See Consultation Paper on Regulatory Framework for Over-the-top (OTT) services, para 2.40 at page 28 (27 March 2015) (“Under the current telecom licensing regime, voice and messaging services can be offered only after obtaining a license. Apart from traditional voice and messaging, IP based voice and messaging services can also be offered by TSPs as unrestricted Internet Telephony Services, which are permitted under the scope of the Unified Access Service (UAS) license in terms of the UAS Guidelines dated 14th December 2005. Similar provisions exist for Cellular Mobile Telephone Service (CMTS) and Basic Service Licences. However, the scope of the Internet Services Licence was restricted to Internet Telephony Services without connectivity to Public Switch Telephone Network (PSTN)/Public Land Mobile Network (PLMN) in India.”) [emphasis added] (Publicly available at https://trai.gov.in/sites/default/files/OTT-CP-27032015.pdf).

It is denied that Respondent No. 4 can freely provide telecommunication services and ignore the Unified License Agreement because it relies on networks built by other companies. It is submitted that Respondent No. 4 at one point was building out its physical presence in India for regulatory reasons.  By way of background, on 6 April 2018, the Reserve Bank of India issued its Directive, Storage of Payment System Data, requiring that: “All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India.”  Directive on Storage of Payment System Data, 6 April 2018, (Publicly available at https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244&Mode=0).    

Soon thereafter Respondent No. 4 announced the appointment of Abhijit Bose as head of “WhatsApp India” – “WhatsApp’s first full country team outside of California . . . based in Gurgaon.” Respondent No. 4’s company statement is no longer available on its website but press accounts of this statement can still be found online.  “WhatsApp appoints Abhijit Bose as head of WhatsApp India”, The Economic Times of India (21 Nov 2018) (Publicly available at https://economictimes.indiatimes.com/tech/internet/whatsapp-appoints-abhijit-bose-as-head-of-whatsapp-india/articleshow/66735848.cms). According to Mr. Bose’s November 2018 statement recounted by the India Times:  “WhatsApp can positively impact the lives of hundreds of millions of Indians, allowing them to actively engage and benefit from the new digital economy.” Id. The India Times also reported in that article: “Apart from the traceability request, the government had had asked WhatsApp to set up a local corporate presence. . . .” Id. After finding a way to maneuver around the Reserve Bank of India’s 2018 Directive, on 6 November 2020, Respondent No. 4 announced the launch of its payment platform without having any “local corporate presence” that would store “data related to payments”.  See “Send Payments in India with WhatsApp”, WhatsApp Blog (6 November 2020) (Publicly available at https://blog.whatsapp.com/send-payments-in-india-with-whatsapp). As with Respondent No. 3’s massive build out of its physical presence in India, Respondent No. 4’s “company statement” regarding the building of “WhatsApp India’s” physical presence in India is no longer found on Respondent No. 4’s website.

More importantly, as also with Respondent No. 3, Respondent No. 4 now no longer has any physical presence in India – despite the country being Respondent No. 4’s largest country market.  And, without Respondent No. 4 having any physical presence in the country, Mr. Bose – still apparently head of “WhatsApp India” – announced in July 2020:  “Our collective aim over the next two to three years should be to help low-wage workers and the unorganised, informal economy easily accesses three products – insurance, micro-credit and pensions.” See “Facebook’s WhatsApp to partner with more Indian banks in financial inclusion push”, Reuters Article (22 July 2020) (Publicly available at https://www.reuters.com/article/us-whatsapp-india-idUSKCN24N24E).  It is further submitted that Respondent No. 4 – who already dominates in Internet Telephony, messaging, and mobile payments – plans on dominating in providing access to “insurance, micro-credit and pensions”. It is submitted that this blatant form of digital colonialism should respectfully be rejected by way of this present writ Petition.

Respondent No. 4 submits it need not comply with the Unified License Agreement despite providing “telecommunication services” simply because it uses for free the networks built by others.  The relevant regulatory authorities have been made aware of the matters set forth in the Petition for over five years without enforcing public laws and their own regulations, which is why DoT is named as Respondent No. 2 in this matter.  Last year alone, Respondent No. 3 generated revenues of more than US$85 billion and profits of more than US$29 billion.  These numbers will grow exponentially as the “free” unlicensed products currently offered to Indians become further monetized by Respondents No. 3 and No. 4.

Other than the present writ Petition, there is no available “statutory remedy” that would otherwise cause the enforcement of applicable law.  It is respectfully submitted that the Hon’ble Court should intercede to ensure equal protection under the law. It is further humbly submitted that if the Hon’ble Court does not intercede to stop the digital colonialism of Respondents No. 3 and No. 4, the same will go forward unabated. Considering the foregoing facts and circumstances, it is therefore respectfully prayed to this Hon’ble Court to kindly allow the prayer of relief sought by the Petitioner, in the interest of justice, including enjoining Respondent No. 4 from providing Internet Telephony/VoIP services until such time as Respondent No. 4 is in full compliance with the applicable requirements for providing such services in the Union of India.

Facebook’s Curious Outage

After a six-hour outage on October 4, 2021 that impacted 3.5 billion people relying on three monopolistic properties (Facebook, WhatsApp, and Instagram), Facebook blogged an update on October 5, 2021 regarding the cause:  “We want to make clear that there was no malicious activity behind this outage — its root cause was a faulty configuration change on our end. We also have no evidence that user data was compromised as a result of this downtime.” 

What sort of “faulty configuration change” would take down three separate massive online properties relying on servers and cloud services spread across the world?  According to one cloud provider:  “It was as if someone had “pulled the cables” from their data centers all at once and disconnected them from the Internet.”    Facebook is not disclosing any further details – the fact that it lost about $545,000 in U.S. ad revenue per hour is not sufficient to trigger disclosure given that this outage will likely have little long-term effect on its revenue growth.  Accordingly, only if another Facebook whistleblower steps forward will any real insight become public.

With any luck, on December 6, 2021, one tiny case in India will help pop the Facebook balloon once and for all.

Amazon Shrugs Off Largest Privacy Fine Ever

On July 29, 2021, Amazon disclosed in a regulatory filing that it sustained what is the largest privacy-related fine ever issued for violating EU privacy rules – a massive €746 million ($886 million) fine.  Amazon barely mentions the fine in its latest quarterly report:  “On July 16, 2021, the Luxembourg National Commission for Data Protection (the “CNPD”) issued a decision against Amazon Europe Core S.à r.l. claiming that Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation. The decision imposes a fine of €746 million and corresponding practice revisions. We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.”

This disclosure is actually related to a 2018 action brought against Amazon due to its targeted ad efforts – hardly a new action where talk of pursuing a defense makes any sense. Simply put, it is unclear why the filing references a vigorous defense – that time has long passed. Amazon must now appeal what it previously defended and lost – which may end up working out for the company given that in recent decisions courts have overturned GDPR privacy fines. Still, the CNPD ruling was appreciated by the privacy group that brought suit given it dwarfs the previous record EU privacy fine of €50 million handed down to Google.

Until this action runs its full appellate course, there is not much solace that plaintiffs should derive from the fine – especially given that Amazon has had three $100 billion quarters in a row and this significant fine can easily be shrugged off from a materiality perspective.

Proposed New York Privacy Law Making Progress

On May 24, 2021, Senator Thomas’ S6701 – the proposed New York Privacy Act, had its third reading before the Senate.  As recounted in its Legislative Intent section:  “Algorithms quietly make decisions with critical consequences for New York consumers, often with no human accountability.  Behavioral advertising generates profits by turning people into products and their activity into assets. New York consumers deserve more notice and more control over their data and their digital privacy.”  

To that end, the proposed law will provide New York consumers with certain new rights, including “clear notice of how their data is being used, processed and shared; the ability to access and obtain a copy of their data in a commonly used electronic format, with the ability to transfer it between services; the ability to correct inaccurate data and to delete their data; and the ability to challenge certain automated decisions.”

If passed, this bill will become one of the strongest – if not the strongest – consumer privacy laws in the country and deserves to be carefully watched.  Even though this bill may still be lacking a progressive Right of Compensation, the proposed law includes a private right of action coupled with a consumer agency enforcement mechanism – a groundbreaking backstop that will protect consumers much more so than those few currently enacted consumer privacy laws lacking a private right of action.

Exchanges May Crack Down on Ransomware OFAC Risk

On April 22, 2021, Chainalysis published its findings on the OFAC sanctions violation risk tied to ransomware payments.  According to Chainalysis, 15% of ransomware payments paid in 2020 were at risk of OFAC sanctions.  Even though lower than the measured risk from 2016 – 2018, last year’s numbers remain an uptick from 2019.  

Chainalysis discovered ransomware victims paid out in 2020 more than $50 million worth of cryptocurrency to addresses that carried sanctions – with mainstream exchanges receiving “more than $32 million from ransomware strains associated with sanctions risks.”  Given the public market embrace of crypto exchanges, it is very likely those exchanges seeking greater regulatory scrutiny will eventually implement curbs to address the OFAC October 2020 advisory – eventually making it more difficult for smaller businesses to satisfy ransomware demands.

Ransomware Payments Should be Self-Insured

According to Chainalysis, payments to ransomware gangs using cryptocurrency more than quadrupled in 2020, with less than 200 cryptocurrency wallets receiving 80% of funds.  And, Palo Alto Networks – which claims to use data from ransomware investigations, data-leak sites, and the Dark Web, reports that the average ransom paid by companies in 2020 jumped 171% to more than $312,000.  Despite being around for many years, the rise of ransomware has largely coincided with the diminished value derived from compromised personal data.

The REvil ransomware-as-a-service operation now picks up the phone to add a threatening personal touch to its exploits:  “Calling gives a very good result. We call each target as well as their partners and journalists—the pressure increases significantly.”  According to a published March 16, 2021 interview with a representative of REvil – also known as Sodinokibi, the group has “big plans for 2021.”  

Probably the more interesting point made by this REvil representative was the answer to the following question:  “Do your operators target organizations that have cyber insurance?”  The answer is not much of a surprise:  “Yes, this is one of the tastiest morsels. Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”   This is the first confirmation from an actual ransomware gang that they target cyber insurance policyholders.

Articles from the Associated Press and ProPublica years earlier suggest that cyber insurers were inadvertently driving up ransomware attacks but neither outlet provided any hard facts to back up their supposition.  Indeed, a leading broker took the natural counterpoint:  “[A]lthough no one wants to support cyber criminals, organizations are forced to weigh the option of paying ransoms against the risk of operational disruptions that could last weeks or months and cost far more.”  

It was never hard to imagine, however, that buying cyber insurance actually places a target on the companies that buy it, since they likely lack the security resources necessary to stop ransomware gangs – especially given that carriers may be inadvertently providing a roadmap to their house.  Indeed, last year one major cyber insurer was purportedly targeted by the Maze ransomware gang.  And, as of March 2021, there were at least two ongoing investigations involving attacks on major cyber insurers. Unless things change, it will only get worse for insurers and brokers given they are the new holders of the crown jewels.

One tactic that can ease the current claims challenge facing the industry is building on what AIG – a thought leader in this space for over two decades – recently began.  In January 2021, AIG became the first lead cyber insurer to require ransomware co-insurance across the board – mandating that insureds share in paying a ransom payment.  Following this lead, the larger markets began hardening on price and their underwriting requirements.  Other markets immediately began to take advantage – only temporarily repairing the holes in the dike.  As pointed out by Inside P&C:  “The retrenchment of capacity and continued upward pricing pressure also continues a reordering of the market in which some of the largest names in US cyber insurance cede market share to upstart InsurTechs.”

Despite the fact cyber insurer MGAs are heavily funded and are now grabbing as much market share as they can, they still use paper backed by the largest reinsurers in the world – who frankly probably care more about their own profits rather than the market growth strategies of unrelated companies.  In other words, any retrenchment may also eventually hit the MGAs when treaties get renegotiated.   

Retrenchment is a good idea but will not be enough to fully address the problem. The best way to solve this problem is to do exactly what the FBI has said for years – do not pay the ransom.  An October 2020 OFAC Advisory buttresses this “do not pay” advice by warning insurers against making ransomware payments to those on the OFAC list. In other words, law enforcement would prefer that ransomware payments not be made and it may ultimately be in everyone’s best interest if such payments are self-insured – making it much less likely they will actually be paid.

This is not K&R coverage where lives are typically at stake.  Once the ransomware gangs recalibrate knowing there is no available insurance payment, the incidents will resemble earlier times, namely demands that are less frequent and for lower amounts.  These threat actors want to go in and out as fast as possible given they know that the data itself likely has very little real value on the Dark Web – it’s the urgent threat of release that has exploitive value.  If there is no expeditious insurance payment, the actual value of the target diminishes.

Insurance dollars are actually better spent helping insureds bolster their security rather than filling the coffers of criminals – especially because even with a payment there is no guarantee that data would be properly decrypted or that a Dark Web release or sale would not take place. There is much that can be done to help insureds improve their risk profile and better avoid ransomware exploits. Some very basic steps include developing trusted partner relationships with vendors and law enforcement before an incident takes place; retaining a security expert to evaluate the current readiness profile; providing consistent education and training of staff; and developing or updating a Business Continuity Plan.

On a more technical level, full and incremental backups should be consistently performed like your company’s life depended on it; weak passwords of service accounts should be removed; system logs should be maintained and monitored; employee access to sensitive data and information limited; operating systems and applications timely patched; users with admin privileges evaluated to ensure passwords are strong and secure; system safeguards such as Windows Defender Credential Guard deployed; port connections monitored and unnecessary ones removed, etc., etc., etc.  The relevant protocols all have a common goal – harden security sufficiently so that the bear decides to run after the slower runner.  If everyone ends up becoming a fast runner, the hungry bear will eventually tire of the chase and just eat something else for food.
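Several of the controls just listed can be checked from a single read-only script. The following is an added example written for this page, not code from the original post or from any vendor named in it; it assumes Windows 10 / Server 2016 or later and an elevated PowerShell session, and it reports status without changing anything.

```powershell
# Added example (not from the original post): read-only readiness check for
# Credential Guard, local admin membership, service accounts, listening ports
# and Security log retention. Assumes an elevated session on Windows 10+.

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard lists running VBS services; value 1 = Credential Guard
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
    }
}

function Get-LocalAdminMembers {
    # Every account holding local admin rights should be justified and use a strong password
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}

function Get-NonBuiltinServiceAccounts {
    # Services running under named accounts are the ones to review for weak passwords
    $builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
        Select-Object Name, StartName, State
}

function Get-ListeningPorts {
    # Each listening TCP port mapped to its owning process, to spot unnecessary exposure
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ LocalAddress = $_.LocalAddress; Port = $_.LocalPort; Process = $p.ProcessName }
    } | Sort-Object Port -Unique
}

function Get-LastSecurityLogEvent {
    # An empty or stale Security log means events are not being kept for monitoring
    Get-WinEvent -LogName Security -MaxEvents 1 | Select-Object TimeCreated, Id
}

Get-CredentialGuardStatus
Get-LocalAdminMembers
Get-NonBuiltinServiceAccounts
Get-ListeningPorts
Get-LastSecurityLogEvent
```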

With a robust cyber insurance policy in place, most every resource necessary to assist a ransomware victim is already available to an insured. By focusing on these other valuable first-party coverages, improving an insured’s risk management profile, and curtailing ever increasing payouts to criminals, the industry will continue with its meteoric rise.


UPDATE: March 25, 2021

On March 24, 2021, CNA publicly disclosed that it sustained a cybersecurity attack. As of March 25, 2021, the following is the only information found on its website:

UPDATE: May 10, 2021

The day before the Colonial Pipeline ransomware attack went public, global insurer AXA announced it would cease writing cyber-insurance policies in France that reimburse policyholders for ransomware extortion payments. This is hopefully the start of a much larger trend.

UPDATE: May 12, 2021

On May 12, 2021, security experts labeled as “absolute stupidity” comments regarding the payment of ransomware that were emanating from the White House. A few days prior, the White House’s Deputy National Security Adviser for Cyber, Anne Neuberger, had given the private sector a complete free pass regarding the payment of ransoms: “And they have to just balance off, in the cost-benefit, when they have no choice with regard to paying a ransom.” Unfortunately, this position directly contradicts the long-standing position of the FBI and numerous other government agencies.

UPDATE: December 1, 2021

On November 18, 2021, North Carolina relied on its Operations Appropriations Act of 2021 to add a new article to Chapter 143 of the State’s General Statutes which now reads in part: “No State agency or local government entity shall submit payment or otherwise communicate with an entity that has engaged in a cybersecurity incident on an information technology system by encrypting data and then subsequently offering to decrypt that data in exchange for a ransom payment.” This is the first effort by a governmental entity to bar ransomware payments.