Naavi.org

Naavi has been singlehandedly fighting against legalization of Bitcoins in India. Bitcoin is a poison that can corrupt any body. Those who already have a stake in Bitcoins will always fight for legalization of the Crypto currency system. Some of them are tech experts and even industry giants. But that does not mean that their views are good for the country.

Rihanna may be a celebrity singer. But her views on farm laws donot deserve to be heard.

Similarly the views of industry giants which the PR machinery of Bitcoin industry are promoting need to be dumped with contempt it deserves.

In the midst of planted articles in the media including Economic Times and Business standard, it was refreshing to see an article today in Financial express titled “Is it smart to invest in Cryptocurrency right now?”  by Mr Varun Malhotra, Director & Founder of Financial Services (EIFS).

Before Mr Nandan Nilakeni joined the bandwagon of Bitcoin supporters, Elon Musk of Telsa was a vocal supporter. It is now reported that Mr Elon Musk invested $1.5 billion in Bitcoin recently and therefore there is no surprise that he supports Bitcoin.

On the otherhand, Mr Warren Buffet has taken a stand “Cryptocurrencies basically have no value and they don’t produce anything…In terms of value: zero. I don’t have any cryptocurrency and I never will,”

It does not take rocket science to understand why Cryptos are being encouraged by people who want to hold digital black wealth. Bureaucrats, Politicians and even Judges in India or elsewhere may still favour Bitcoins but we know why they may have a soft corner for the Crypto currency. It is the greatest technology tool for Cyber Criminals and anti social elements including drug peddlers, illegal weapon dealers, cyber terrorists etc.

But why is it that the Indian Government is still hesitant to ban Crypto currencies? Why is that the Cabinet of Mr Narendra Modi has not passed the Bill? is an enigma.

Has it got anything to do with elections in West Bengal? or Kerala? Are Modi and Shah not courageous enough to take on the digital black wealth holders before the elections?…is a question we should pose to the BJP as well as the RSS.

I have sent many requests even to RSS and its known ideologues regarding the Bitcoin ban and even they seem to keep tight lipped.

Corruption has a wide footprint. We never know how powerful it can be. Let us see if there is a strategy behind this silence.

Naavi

Recently, we have seen how Twitter challenged the sovereignty of India by refusing to abide by the lawful notices issued by the Government on removal of content which were false, some of them posted under fake accounts and attempting to promote violence and rioting in India. WhatsApp also has been resisting the directions from the Government to assist them in law enforcement issues when the platform is used for promoting communal disharmony and riots.

The Government after hesitating to take a firm action for several years, finally came down with a firm hand with the Intermediary and Social Media Guidelines issued on February 25th which addresses both the Twitter arrogance and WhatsApp reluctance.

However, true to the nature of Indian democracy, the Supreme Court has now stepped in to take over the executive functions of the Government and determine whether the Gazette notifications should be first approved by the Court.

Now that Mr Ravi Shankar Prasad joining hands with Mr Prakash Javdekar together exhibited some courage which was missing with the Government for a long time, Mrs Nirmala Sitharaman on her own is still in the zone of hesitancy when it comes to the decision on Crypto Currencies. Mrs Sitharaman is presently concerned with the passage of her bill and perhaps has no energy to open another front of conflict on Bit Coins particularly when many in the bureacracy and political circles are themselves wedded to Bitcoins as the “Currency of the Corrupt”.

One of the first disappointments for the undersigned was when Mr Rajeev Chandrashekar met the Crypto lobby in Bangalore and gave a moral support. Now Mr Nandan Nilekeni

the Executive Chairman of Infosys has been roped in by the Bitcoin lobby to oppose the move of the Government to introduce a bill to ban Crypto Currencies.

Mr Nandan was once a blue eyed boy of Sonia Congress and even stood for election in Congress ticket in the constituency presently represented by Mr Tejasvi Surya. But his pet tech project namely the Aadhaar was actually given life by the Narendra Modi Government and not the UPA Government which he supported.

After Mr Nandan went back to the corporate world he had consciously avoided  controversies. However, by entering a debate on Crypto Currencies which the Government and the RBI has an inclination to ban, he seems to have strayed back into the domain of controversy.

I hereby call upon him to clarify the context in which he made the statement

“We need to look at how it will help Indians, how MSMEs can access capital using Bitcoins. “

He was in a conversation with Balaji Srinivasan an investor who appears to have expressed a view

“India should champion decentralized cryptocurrencies like Bitcoin and Ethereum to safeguard national security, prevent de-platforming and hasten India’s development as a global power”

According to the report in Money Control which is part of the larger PR exercise with articles expressing similar sentiments in Economic Times, Business Standard etc., there are 75 lakh investors from India and 10000 to 15000 crore worth Crypto currencies in the hands of Indians.

We would like to read this as 75 lakh tax evaders with Rs 10000 to 15000 crores of digital black money in their hands which needs to be brought into the main stream economy.

The Crypto exchange leaders are keeping up a bold face and are even stating that the rumour of banning is actually increasing the investments in crypto currencies. If we believe this statement, there is a scramble for moving the Indian official currency holdings to foreign destinations.

Mr Nandan and others are trying to take cover of their support to “Digital Money Laundering” by holding out the “Block Chain” technology as a great innovation. Even if we accept that Block Chain is a good technology, it does not mean that it should be encouraged to host digital black money.

I would like Mr Nandan and Mr Balaji to clarify with all their economic wisdom, how they consider that shifting  Currency holdings of Indian Citizens to a decentralized form of currency namely “Bitcoin” would not starve the economy of legit currency holdings and not  create a chaotic level of disruption that will destroy the country.

In order to preserve their vested business interests, Mr Nandan and Balaji should not take a view that is inimical to the national sovereignty over currency. We are today not under a “Nityananda regime in Kailash” and if the world order should remain in tact, such support to Bitcoins by industry giants need to be condemned.

We are aware that Mrs Nirmal Sitharaman is too soft to call a spade a spade and would like to beat around the bush to be apologetic. But truth has to be called out.

Bitcon is evil. All connected crypto currencies to which Bitcoin is convertible are by association also evil. They are a challenge to the Indian sovereignty.

We must therefore be bold enough to say no to Bitcoin everytime…

Naavi

I refer to my previous articles related to an e-mail from a company with a domain name privacybee.com registered at  Seattle P O Box address in the state of Washington.

The company is not a resident company in California nor in EU region. But it quotes privacy laws such as

“Section 1798.105 of CCPA (SB-1121), Article 17 of GDPR, Nevada SB-220, New Hampshire HB 1680-FN, Washington Privacy SB-5376, Illinois DTPA SB2330, New York S5462, Hawaii SB 418, North Dakota HB 1485, Massachusetts S-120, Maryland SB 613, Texas Privacy Protection Act HB 4390, or other applicable right-to-be-forgotten legislation.”

to state that if its request to “Delete” a certain personal information is not adhered to,

“Privacy Bee, are reserving the right to take legal action against ..and to lodge a complaint with the responsible supervisory authority.“

For people who know the privacy laws it is a threat that GDPR supervisory authority may fine upto 4% of your turnover or the AG of California may impose a fine of at least $7500/.

This is a harassment of the mail recipient.

We can also note that the company quotes a “Power of attorney” which has no recognition and uses e-mail address and a name without any verification such as a digital certificate etc,

There are hyperlinks to be clicked for further information which will install many cookies and there is no guarantee that they are not malware in themselves.

Even if you visit their web page several javascripts may become active and whether they have any malicious effect is to be checked.

The Privacy policy of privacybee.com itself may not be fully  compliant with CCPA nor GDPR and certainly not the laws of India as applicable now for such websites.

This company is using the cover of Privacy laws to scare Indian companies and encouraging Indians to part with their e-mail address for a “Scan” which itself could be a way of collecting personal information without accountability.

There is a need for the Indian industry to study the business model of this company and prevent it from illegal collection of personal data of Indians.

We may re-iterate that PDPB 2019 expects such agencies to register themselves as “Consent Manager” with the DPA and subject itself to the discipline of a “Data Fiduciary” which includes submission of a “Privacy By Design” policy with more details of the processes used by the company to handle the PII of Indians.

Further there is a transfer of information out of India and even under the current ITA 2000/8 without considering the due diligence of PDPB 2019, there are “Reasonable Security Practices” which the company may not be following.

I wish CERT-In conducts an enquiry of such companies who are like “Ambulance chasers” and discredit the Privacy Regulations meant to protect the genuine victims of identity theft and privacy infringement.

I request every professional to think if they receive the kind of email referred to in my previous article how would they respond.

Since compliance to the request would mean providing an assurance that

“We donot have the personal details of the data subject and/or we have deleted all copies of information related to this data subject from all the resources of our company and our dub contractors”

each of the professionals may also consider what would be the cost of attempting to address this speculative query which is unverified and not backed by legal authority

Naavi

The undersigned had reported the activity of Privacybee.com discussed in the following two articles:

India does not allow PrivacyBee.com type of extortion companies to flourish
“Privacy Bee” stings…

As anticipated, it appears that several other companies in India have received the spam e-mail  containing a Cyber Threat and potential attempt at Cyber Extortion.

Naavi.org has therefore raised a complaint with the Attorney General California and the FTC, USA to stop this illegal activity.

We have also endorsed the copy of the complaint to the Secretary DIT and CERT-IN besides some of the prominent MPs as well as the NASSCOM. Hope it would be followed up by them in the interest of the Indian industry.
Copy of the letter is given below:

Vijayashankar Nagaraja Rao
Netizen Activist and Privacy Consultant
No 37, Ujvala, 20^th Main, BSK First Stage
Bangalore 560050
www.naavi.org: naavi@naavi.org

16^th March 2021

To

Respected Mr Xavier Becerra

The Attorney General, State of California
Office of the Attorney General
455 Golden Gate Avenue, Suite 11000
San Francisco, CA 94102-7004

Through: email: AGelectronicservice@doj.ca.gov.

Subject: Complaint of Fraud and attempted extortion on Privacybee.com

Dear Sir

I am a Netizen Activist rom India and founder of www.naavi.org. I have recently come across a company operating from the website www.privacybee.com which is spamming and threatening many Indian companies in the name of certain individuals who claim to have rights under the CCPA demanding deletion of personal data without legal right to do so.

This company is liable under the Indian law for committing an attempt at cyber extortion.

However, since the Company is quoting both CCPA and is a resident of USA, I have brought to your notice that your office should conduct an enquiry on the business model of the company and their modus operandi.

Our general observation indicates that the company is like many fraudulent companies which try to sell anti malware software by falsely claiming that the user’s computer is infected.

If your office does not take action against this company, it would appear as if it has the support of your office for committing this Cyber Crime.

Kindly investigate and also file a complaint from your side with the FTC to prevent the company to continue indulging in its extortion racket.

I am enclosing a typical spam mail being sent by this company to the Indian companies.

I am looking forward to an early response from your end and I am also endorsing the copy of this letter to the regulatory authorities in India.

Since your website does not contain proper e-mail contact and the form provided is meant only for US residents, I am sending this communication through the email. If US resident companies are using CCPA as an excuse to send extortion and spam emails to residents of other countries, it is necessary that your office take the responsibility to atleast receive complaints from outside USA and try to redress the grievances.

Regards

Thanking you

Digitally Signed

Yours faithfully

 Attachment:

A Typical Extortion E Mail from Privacybee.com

From: Privacy Bee
Sent: .. M.. 2021 ..:..
To: DPO <>
Subject: Urgent Followup: Legal Request for Data Deletion and Opt-Out of Resale [Request ID: …..]

Concerns: ….

Request ID: ….
Signed Power of Attorney: Yes
Request Date: ….
Respond At: https://app.privacybee.com/request/

To Data Protection Officer or Legal Counsel:

I am hereby submitting a follow-up to a personal data request pursuant to Section 1798.105 of CCPA (SB-1121), Article 17 of GDPR, Nevada SB-220, New Hampshire HB 1680-FN, Washington Privacy SB-5376, Illinois DTPA SB2330, New York S5462, Hawaii SB 418, North Dakota HB 1485, Massachusetts S-120, Maryland SB 613, Texas Privacy Protection Act HB 4390, or other applicable right-to-be-forgotten legislation. If you feel my data is exempt from privacy legislation for any reason, I’m still asking you to respect my wishes regardless, as I believe privacy is a universal human right and I’m hopeful the integrity of your organization will honor my request with or without legal requisite.

The initial request was sent …. …….. and I still have not received a response that my request has been fulfilled.  This is a reminder that you only have 5 days left to respond!

Specifically for …..:
– Data Deletion: I hereby request the immediate and complete purging of any and all information your company has on me including but not limited to: user accounts, marketing data, transaction data, behavioral data, social data, CRM records, or absolutely anything that that contains my personal information.
– No Dissemination: if any information is being or has been disclosed, resold, licensed, rented, or otherwise disseminated by your company to third parties, I hereby request to opt-out of that data sharing, and request you communicate this request for opt-out and deletion to those entities as well.

If I have given consent to the processing of my personal data (e.g. according to Article 6(1) or Article 9(2) GDPR, or other applicable legislation), I am hereby withdrawing said consent. In addition, I am objecting to the processing of personal data concerning me (which includes profiling).

As I’m legally permitted, please confirm your compliance of my request without undue delay and in any event within one month of receipt of this request.

I am including the following information necessary to identify me:

Name: ….
Primary Email: ..
If you require additional information to resolve my identity, to view my signed Power of Attorney authorizing this request, or to respond to this request, please visit: https://app.privacybee.com/request/

You can also find my full privacy preferences in relation to .. by visiting the previous link.

If you do not answer my request within the stated period, I and my legal privacy advocate, Privacy Bee, are reserving the right to take legal action against ..and to lodge a complaint with the responsible supervisory authority.

Thank you.

The Karnataka High Court in the course of a judgement  has urged the Police to prepare a detailed guideline for seizure of electronic evidence and pending such development, has issued its own minimum guidelines to be implemented.

The judgement has also made some references to the Privacy aspects involved in Forensics and provide some clarity on Polygraph test as well as whether password to a computer device can be refused by the device owner under Privacy issues.

The judgement is likely to be a reference judgement to many Cyber Law practitioners and Forensic investigators.

The  single bench of Justice Suraj Govindaraj said “It would be in the interest of all the stakeholders that detailed guidelines on seizure of electronic evidence by the Police are prepared by the police”.

The copy of the judgement is available here

The Case involved the arrest of an IT professional, subjecting him to a polygraph test to which he has not consented, forcing him to part with the password for his mobile etc. The conduct of the Polygraph test without consent was rejected by the Court.

It did refer to the Puttaswamy Judgement and debated if forcing the password to be disclosed would be a violation of the Privacy.

The Court gave the following opinions on different questions that arose during the investigation.

1. The Investigating Officer, during the course of an investigation could always issue any direction and/or make a request to the accused or other persons connected with the matter to furnish information to provide material objects or the like. This includes  a request to furnish the password.
2. The Court cannot per-se/suo moto issue any directions to the accused to furnish the passwords and direction to cooperate would not amount to a direction to furnish password.
3. In the event the accused not providing the password, the IO can approach the Court seeking for necessary directions to the accused to provide the same. The investigating officer could approach the concerned court seeking for issuance of a search warrant to carry out a search of the electronic equipment.
4. In terms of section 102 of CrPC, if there are any emergency circumstances, including the “Suspicion of any commission of an offence” ,the Police officer could seize the equipment. In such scenario. there must be a recording in writing made by the IO specifying in writing the reasons etc. In normal course IO may issue a notice under section 91 of CrPC calling upon the accused to produce the particular document and if not produced, seek a search warrant from a Court. The data gathered during the course of investigation should not by itself be a proof of guilt which has to be separately established.
5. The Use of data during the course of investigation would not amount to a violation of the right to privacy and would come under the exceptions carved out in the Puttaswamy case. However, in no case could such details be provided by the IO to any third party without written permission of a Court. In case of dereliction of this duty the IO can be proceeded against.
6. The Investigating agency would be at liberty to engage a specialized agency required to crack the password if the password given is wrong.
7. Provision of the password does not amount to providing testimony. The data available on the mobile or computer has to be separately proved.

The Court however did not highlight the role of a non cooperating intermediary and whether he could be proceeded against as an abetter.

Following the above observations, Court felt that the following minimum guidelines may be implemented by the Police for seizure.

17.5.1: When carrying out a search of the premises as regards any electronic equipment, Smartphone or e-mail account the search team to be accompanied by a qualified Forensic Examiner.

17.5.2. When carrying out a search of the premises, the investigating officer should not use the computer or attempt to search a computer for evidence. The usage of the computer and/or search should be conducted by a properly authorized and qualified person, like a properly qualified forensic examiner.

17.5.3. At the time of search, the place where the computer is stored or kept is to be photographed in such a manner that the connections of wires including power, network,. etc., are captured in such photographs.

17.5.4. The front and back of the computer and or the laptop while connected to all the peripherals are to be taken.

17.5.5. A diagram should be prepared showing the manner in which the computer and/or the laptop is connected.

17.5.6. If the computer or laptop is in the power-off mode, the same should not be powered on.

17.5.7. If the computer is powered on and the screen is blank, the mouse could be moved and as and when the image appears on the screen, the photograph of the screen to be taken.

17.5.8. If the computer is powered on, the investigating officer should not power off the computer. As far as possible, the investigating officer to secure the services of a computer forensic examiner to download the data available in the volatile memory i.e., RAM since the said data would be lost on the powering down of the computer or laptop.

17.5.9. If the computer is switched on and connected to a network the investigating officer to secure the services of a forensic examiner to capture the volatile net work data like IP address, actual net work connections, net work logs, etc.,

17.5.10. The MAC address also to be identified and secured,

17.5.11. In the unlikely event of the Forensic examiner not being available, then unplug the computer, pack the computer and the wires in separate faraday overs after labeling them.

17.5.12. In case of a laptop if the removal of the power cord does not shut down the laptop to locate and remove the battery.

17.5.13. If the laptop battery cannot be removed, then shut down the laptop and pack it in a faraday bag so as to block any communication to the said laptop since most of the laptops, nowadays have wireless communication enabled even when the laptop is in the stand by mode.

17.6. Seizure of networked devices: Apart from the above steps taken as regards seizure of the computer, laptop, etc., if the said equipment is connected to a network:

17.6.1. To ascertain as to whether the said equipment is connected to any remote storage devices or shared network drives, if so to seize the remote storage devices as also the shared network devices.

17.6.2. To seize the wireless access points, routers, modems, and any equipment connected to such access points, routers, modems which any some times be hidden.

17.6.3. To ascertain if any unsecured wireless network can be accessed from the location. If so identify the same and secure the unsecured wireless devices since the accused might have used the said unsecured wireless devices.

17.6.4. To ascertain who is maintaining the network and to identify who is running the network – get all the details relating to the operations of the network and role of the equipment to be seized from such network manager.

17.6.5. To obtain from the network manager, network logs of the machine to be searched and/or seized so as to ascertain the access made by the ·said machine of the net work.

17.7. Mobile devices: 

Mobile devices would mean an include smartphone mobile phone, tablets GPS units, etc., during the course of seizure of any of the mobile devices apart from the steps taken in respect of a computer and/or laptop, the following additional steps to be taken.

17.7.1 Prevent the device from communicating to network and/or receiving any wireless communication either through wifi or mobile data by packing the same in a faraday bag.

17.7.2. Keep the device charged throughout, since if the battery drains out, the data available in the volatile memory could be lost.

17.7.3. Look for slim-slots remove the sim card so as to prevent any access to the mobile network, pack the sim card separately in a faraday bag.

17.7.4. If the device is in power off mode, the battery could also be removed and kept separately.

17.7.5. If the device is powered on, then put it in an aeroplane mode in android device or airplane mode in a lOS device.

17.8. In an the cases above, the seized equipment should be kept as far as possible in a dust free environment and temperature controlled.

17.9. While conducting the search, the investigating officer to seize any electronic storage devices like CD, DVD, Blu-Ray, pen drive, external hard drive, USB thumb drives, solid-state drives etc., located in the premises, label and pack them separately in a faraday bag.

17.10. The computer storage media, laptop, etc., to be kept away from magnets, radio transmitters, police radios etc., since they could have an adverse impact on the data in the said devices.

17.11. To carry out a search of the premises to obtain instructions manuals, documentation, etc., as also to ascertain if a password is written down somewhere since many a time person owning equipment would have written the password in a bo0k, writing pad or the like at the said location.

17.12. The entire process and procedure followed to be documented in writing from the time of entry of the investigation/search team in to the premises until they exit.

It appears that the Police did not invoke Section 69/69A of the ITA 2000 with a due notification from an appropriate authority.

It is to be appreciated that the honorable judge has taken enormous efforts to put together a guideline which will be useful to the Police.

Naavi

US is a land where commercial exploitation is the natural business strategy. The Face Book, Google, WhatsApp are all representations of such  “Money First” approach. The laws are therefore often used to make money while pretending to protect the common man.

The “Ambulance Chasers” are a creation of this tendency. A new genre of “Ambulance Chasers” are now emerging in the light of the “Privacy Laws” which try to provide several rights to the Data Subjects to protect their sense of Privacy.

We had discussed in our earlier article “How Do I harass a Company with GDPR”?how a Company was harassed by a data subject by an unreasonable pursuit of a a valid right with no substantiation of the “Harm”.

Presently it appears that some companies in USA have started a business by which they can represent such data subjects and raise claims on other companies apparently in trying to protect the interest of the data subject but more surreptitiously to extort money from companies.

The business model of Privacybee.com is one such attempt where  the modus operandi starts with an innocuous looking e-mail is sent to a company stating that X is my customer and please let me know whether his/her personal data is being processed by your company. There will be no “Verification” of the data subject nor a digitally signed e- mail request. It does not substantiate what harm has been caused to the data subject by the suspected processing of personal data of their customer by the noticee.

To answer this query the Company has to search its data base for the name of the data subject with only such supporting information as an “E Mail Address”.  Even if the Company cannot find any data, if the Company has to commit it through an e-mail, it has to make a “Personal Data Discovery attempt” probably through an external consultant and certify the findings under Section 65B of Indian Evidence Act before responding that no data is being processed for X.

The cost of this exercise is disproportionate to the basic cause which is “Prevention of harm to the data subject”. Privacybee.com does not send/ provide evidence about how it has obtained the right to represent the data subject. Instead it sends out a link which is meant to promote subscription to its service. It refers to a page claiming to show “Power of Attorney” authorizing the request which may lead to a 404 page.

Indian companies may remember that a “Power of Attorney through Electronic Document” is not recognized under Indian ITA 2000 (Section 1).

The notice exercises a “Right to Forget” which according to Indian PDPB 2019 requires adjudication.

The notice does not provide any context where the consent might have been given and simply declares that consent is withdrawn. Indian PDPB makes it necessary for withdrawal of consent to be justified and in unreasonable withdrawal, expect the data subject to bear the cost.

The notice makes references to several  data protection laws both from US jurisdiction and EU jurisdiction (known to privacybee.com) without establishing how the data subject and the notice receiving company is related to the relevant law.

As expected the notice ends with a “Threat” of legal action if no reply is sent within one month. In the absence of the proof of damage or harm caused to the data subject the threat of legal action does not stand judicial scrutiny.

When such e-mail notices are received by Indian companies, Naavi.org considers them as an “Attempt to harass and extort money” from Indian companies. We have flagged this incident with the Ministry of Information Technology and the CERT-IN .

While the PDPB-2019 was being drafted, we have repeatedly brought to the notice of the Justice Srikrishna Committee as well as the JPC that Indian data processing companies need to be protected against misuse of such privacy related notices by introducing a provision that

“No legal action against a registered Indian data processor would be permitted without sanction from the Indian Data Protection Authority.”

We called it as the “Umbrella Protection”

We have also repeatedly suggested that Indian companies should provide for a GDPR Exclusion clause in their Privacy Policies to expressly disclaim the jurisdiction of GDPR and other foreign laws.

This issue is some thing that Nasscom should address in the interest of the Indian data processing companies. However NASSCOM and DSCI may be more interested in fighting against Indian data protection legislation rather than taking up such public causes.

A time has come now for Naavi.org to consider representing such victim companies who are being harassed by privacybee.com type of vultures.

We may remember that such activities (like what Privacybee.com wans to undertake) under Indian PDPB 2019 are allowed only of the organization itself gets registered with the Indian DPA as a “Consent Manager”. A consent Manager is himself a “Data Fiduciary” and is expected to follow law. We can observe that privacybee.com does not follow privacy principles under either CCPA regulation nor the GDPR regulation but projects itself as the Privacy Saviour.

We invite companies affected by such companies to come together as an “Association of Data Processing Organizations in India” and fight for their justice against international data invaders. We request MeitY to take a lead in guiding such companies. This can also be part of the PDPB 2019 revised after the JPC discussions. We await the final version of the PDPB 2019 when it is presented in the Parliament.

The privacybee.com is registered as a company in USA and we request FTC to conduct an enquiry about the activities of this company and for Attorney General of Califorina and Washington also to conduct their own enquiries on this extraction racket.

If this tendency to misuse law is not curbed, the genuine data subjects who are really harmed and need to take the protection under a data protection law will also get discredited and their rights will get diluted.

Naavi

Also refer:

Data Protection Law in India… Three Big Ideas …. Data Trust, Jurisdictional Umbrella and Reciprocal Enforcement Rights

Protect Indian Companies from possible GDPR overreach

Need for a Regulatory gateway

Following is the reply received from Privacybee.com

P.S: We are happy to note that the  company acknowledges its restricted jurisdiction. Our intention is to point out that the business model built on sending a roving enquiry  relying on a general power of attorney without a company specific request from the data subject  when the data may not belong to a EU citizen, is unethical.