Blogs

  • Vijayant Goel

NASSCOM v. Ajay Sood & Ors.

Aniket Jadhav, Student, Government Law College, Mumbai

Introduction

The IT revolution gave birth to cyber frauds such as hacking, identity theft, and popularly phishing that saw an upsurge over a decade, and cybercrime is a newly evolved crime. As we are emerging to a cashless and more digitalised banking system we have become more vulnerable to cybercrimes such as phishing, which means sending an e-mail that falsely claims to be a particular enterprise that asks for sensitive financial information. Phishing is an attempt to scam the user into surrendering private information that will then be used by the scammer for his own benefit. The person who attacks users with spoofed e-mails and fraudulent websites that looks very similar to the real ones thus fooling the recipients into giving out their personal data. Most phishing attacks ask for banking details such as card numbers, internet banking and passwords. In India, the Reserve Bank of India makes people aware of such frauds from time to time through advertisings. A recent example of Phishing was the popular “Jamtara Case” where few villagers from the district duped people across the country through banking fraud. Although there are no specific law on Phishing, the Information Technology Act, 2000 penalised phishing and other IT and data frauds.


Background

The case deals with Phishing, which is kind of Internet fraud. A fraudulent personation was done in the name of “National Association of Software and Service Companies” also known as “NASSCOM” which is India's premier software association. Defendants were operating a placement agency involved in recruitment and headhunting. Disguised as NASSCOM, defendants, in order to obtain personal data from various addresses, which they could then use for head-hunting, went on the website as if they were a legitimate selection and recruitment firm. An employee of the defendant created fictitious e-mail Ids and sent them in the name of NASSCOM to third parties with a view to extract personal data. The accused used different fictitious identities to avoid recognition and legal action. Plaintiff NASSCOM has then filled the suit inter alia praying for a decree of permanent injunction restraining the defendants or any person acting under their authority from circulating fraudulent E-mails purportedly originating from the plaintiff of using the trademark 'NASSCOM' or any other mark confusingly similar in relation to goods or services. A similar case of significance is Autodesk, Inc. & Anr. v. Mr. Prashant Deshmukh & Ors.[1]in which the Delhi High Court granted the plaintiff permanent injunction sought for as punitive damages against the defendant for copyright and registered trademarks infringement.


Analysis

The application was filed under Order 23 Rule 3 CPC by NASSCOM praying for a decree of permanent injunction restraining the defendants or any person acting under their authority from circulating fraudulent E-mails purportedly originating from the plaintiff of using the trademark 'NASSCOM' or any other mark confusingly similar in relation to goods or services. The infringement of the trademark was done to gather data of the third parties which caused punitive damages to the plaint. The data was then used for phishing by using the trademarks of NASSCOM.


While giving the judgement the honourable High Court made a crucial observation that there is no specific legislation in India to penalise phishing, it held phishing to be an illegal act by defining it under Indian law as “a misrepresentation made in the course of trade leading to confusion as to the source and origin of the e-mail causing immense harm not only to the consumer but even to the person whose name, identity or password is misused.”[2]


The Delhi High court-appointed commission to carry out research at the defendant’s place where two hard disks of the computers from which the fraudulent e-mails were sent by the defendants to various parties were taken into custody by the local commissioner appointed by the court. The offending e-mails were then retrieved from the hard disks and presented as evidence in court. After subsequent findings, the defendants admitted their illegal activities and agreed to suffer decree to pay a sum of 1. 6 million INR for damages caused to the plaintiff for violation of trademarks rights and also the hard disks were handed over to the plaintiff which was found at the defendant’s place. In the suit proceedings, the settlement was accepted on record, the Code of Civil Procedure (CPC) in Rule 3A of Order 23 states: "No suit shall lie to set aside a decree on the ground that the compromise on which the decree is based was not lawful."[3] Hence, Suit would stand decreed as the compromise effected between the parties and as contained in IA No. 2351/2005. Said application shall form lawful part of the decree to be drawn. The high court recognised the trademark rights of the plaintiff and passed an ex-parte ad interim injunction in favour of plaintiff restraining the defendants from using the trade name or any other name deceptively similar to NASSCOM. The court further restrained the defendants from holding themselves out as being associated with or a part of NASSCOM.


This case is a landmark in the history of the IP rights and recognised the need for specific legislation for phishing. This judgement laid a precedent in India to decide on the technicalities of the scam done in the internet world, the court further elaborated that the typical phishing scam involves persons who presented online bank and siphon case from the banking accounts after conning customers into handing over confidential banking details which were than used for conning third parties, targeting individuals and companies. While the cyber world is used by almost all the company, it has also been grossly misused by some fraudulent companies. There was a time when cybercrime was very hard to detect but as our agencies getting more advanced it has ease the work of judiciary to ensure speedy justice to the aggrieved parties. Phishing via emails is the most common fraud that was also seen in this case, the defendant used emails to collect the data such type of fraud is also known as email spoofing which means a spoofed e-mail may be said to be one, which misrepresents its origin. It shows its origin to be different from which actually it originates. The only act that exists in India to govern the crimes of the cyber world is the Information Technology Act, 2000 while this act helps in bringing justice it also provides security. In this judgement it was stated that there are no specific legislation for spoofing, the number of mobile internet and email users keep on increasing day by day and the whole data is stored virtually. The Honourable Delhi High Court declared in the said order that phishing is an illegal act done in the internet world. The relief was provided to the plaintiff by compensating the loss in monetary terms and the party was assured that their rights are protected; it also assured not only the specific entities but all those who wish to do business in India. While assuring damage protection the court and the Indian Judiciary also assured the business owners their right of owning and using intellectual property. The case dealt widely with phishing, trademarks and reputation of the aggrieved.


In India, if any party infringes the intellectual property rights of others then there could be the imposition of penalties and grant of the injunction (temporary or permanent) against the party. Even the foreign entities are entitled to the protection of their trademark right In Milmet Oftho Industries & Ors. v. Allergan Inc.[4] the Supreme Court granted trademark protection to a well-known foreign brand and restrained an Indian company from using the mark OCUFLOX. Even though the brand was not registered in India the court held their right as they were the first to enter the market and adopt the mark.


After such landmark cases the Government of India has come up with various policies and research in cyber frauds such as phishing. India has several authorities which deal with cybersecurity, the Computer Emergency Response Team (CERT-In) are assigned in each state which objective is to secure India’s cyberspace. The National Security Council Secretariat (NSCS) has sent a detailed analysis of India cyber threats. The National Cyber Security Policy, 2013 [5] aims at protecting the businesses, individuals and the Government. Under Section 70A of the Information Technology Act, 2000[6], the National Critical Information Infrastructure Protection Centre was established. A position by Prime Minister’s Office is designated as National Cyber Security Coordinator for advising the Government. The Reserve Bank of India also issues an advisory to the banks from time to time to ensure adequate protection of critical functions and processes. Although it is challenging to draft umbrella legislation, the judiciary paved the way to help interpret the existing laws.


A comparative case study of Microsoft Corp. v. Doe[7], where the defendants were charged with similar conduct of phishing, the defendants allege to have transmitted misleading and deceptive "Account Update" emails to Microsoft customers in an effort to fraudulently obtain user names and passcodes for customers' Microsoft accounts. It was an unlawful attempt by defendants’ companies to access credentials from Microsoft customers; it was a type of email phishing. The plaintiff Microsoft is a well-reputed international corporation in the software business, one such product of the company is “Office 365”, which gives their customers access to software with cloud storage, using so requires the customers to have an online account which is accessible generally by entering credentials like email and password. The plaintiff specifically alleged that the defendants were involved in phishing the software “Office 365”, the defendants created spoof emails that attracted the recipients to fake websites that tricked them into divulging sensitive information, such as financial account data, login credentials and other personally identifiable information. The fake website uses Microsoft’s trademarks and other designs to create the appearance of being a legitimate Microsoft webpage when in reality it is a counterfeit of Microsoft's Office 365 logo page. After an internal investigation from Microsoft, they were unable to determine the identity of the persons behind the website from public records.


It was prayed to the court by the plaint to expedite early discovery in the case to find out the person(s). So the court examined whether the need of expedite discovery is in good cause and also examined whether John Doe who is the defendant is a real person and can be sued in federal court. The court came to the understanding that plaintiff has not yet established good cause to engage in early discovery to identify the John Doe defendants, the court noted that plaintiff has associated the John Doe defendants with phishing activities, and has been able to trace the activities as originating from certain IP address and servers, it has not alleged that the IP address and/or any of the hosting companies or servers are located in this judicial District. Here, the court came to the conclusion that it is unable to recognise the defendant John Doe, who can be sued in the court of law. Hence, Plaintiff Microsoft’s motion for expedited discovery was denied although the court precludes that once the deficiencies are resolved than the plaintiff can renew its motion.


The aforementioned case was discussed in the United States District Court. The company has been an entity of esteemed repute worldwide was unable to get relief as it was difficult to prove and identify the existence of the defendants and even a secure and safe company like Microsoft was vulnerable to phishing and cyber-crimes. Comparatively, in both the cases the similarity was the accused tried to use different fictitious identities to avoid recognition and legal action but the US Supreme Court case was confined to technicalities and fall short of providing any relief to the software company and also to its millions of third-party users whereas in the NASSCOM case, the defendant agreed to suffer the decree for damages done to the plaintiff and also the court of justice ensured the lawful rights of the plaintiff and was granted relief of injunction despite the fact that no particular law as such that dealt with phishing exists, it sent a strong message to the businesses that their rights are secure and they can freely do businesses in India. It made an environment of security and safety of rights and that of a reputation for the entities.


Conclusion

The case NASSCOM v. Ajay Sood & Ors. is of great significance in protecting the rights of the entities to run their businesses in a safe environment. Thereby giving a precedent in the history of Information and technology. The cyber-crime is a type of fraud that a criminal commits with the aid of stolen identifying data, individuals and businesses. It causes harm to the reputation of the company as well as their business that in turn affects the third party and common people. The case decided by the Delhi High Court gave a strong message that Indian judiciary upholds the lawful rights of the aggrieved and the aggrieved is free to knock the court’s door to maintain its lawful activities. The court perspicuously expressed that phishing is an illegal act and recognised the trademarks rights of the software company; it delivered justice and protected the intangible property rights of the Intellectual Property owners, it provided adequate relief to the plaintiff with the help of existing quintessential laws. The court ensured monetary relief as well as protected the reputation of the entity from tumbling. The case laid a landmark significant vision for developing laws to meet the needs of today's’ world of internet for cyber frauds such as phishing. A strong legislative framework will also fundamental in combating identity theft, and specific mechanisms may be developed to bring phishing under the ambit of criminal conduct that poses increasing threats to consumers, financial institutions, and commercial enterprises. The limpid observation by the court affirmed the faith in the Indian judiciary and paved the way for the legislation to do their work in policy drafting and of lawmaking.

[1] 2011 ( 122 ) DRJ 606. [2] NASSCOM v. Ajay Sood And Ors,119 (2005) DLT 596. [3] Order 3A, Rule 23, The Code of Civil Procedure, 1908. [4]Milmet Oftho Industries & Ors v. Allergan Inc., Civil Appeal No. 5791 of 1998 (Supreme Court, 07/05/2004). [5] Ministry of Communication and Information Technology, National Cyber Security Policy (2013), available at https://nciipc.gov.in/documents/National_Cyber_Security_Policy-2013.pdf. [6] S. 70(A), The Information and Technology Act, 2000 [7] Microsoft Corp. v. Doe, C17-1880 RSM (2017, Supreme Court of the United States).