Uber failed in ITA 2008 Compliance


Before we proceed, let me make one point clear. Banning of Uber and other “App Based Taxi Services” is completely unacceptable. It is an immature reaction to the incident and should be reversed immediately.

We need to learn from the incident and make a root cause analysis to identify what improvements can be brought into the system. If we have any hope of building “Smart Cities”, we need to be capable of managing “Smart Taxi Services”. If a similar approach had been adopted to Banking, where there have been hundreds of frauds, we would have closed internet and mobile banking long back.

The app based taxi services such as Uber, Ola or Taxi For Sure are extremely convenient to the public. They are also a great way of providing employment, where individuals can contribute their resources to a pool and earn a living. In Bengaluru, Ola is extending the service to Autos and it can be a great boon to the public if properly handled. The benefits of the service are too overwhelming to be denied to the public just because of the misdeed of one driver.

We need to find out how the service can be improved and made more secure without banning the service. In this context we can explore if ITA 2008 compliance would have assisted the app based companies to improve the security of their service.

Under ITA 2008, the services of the app based taxi operators would be recognized as an “Intermediary”. They receive messages from members and transmit them to the service providers. In the process they add value to the service by various means. Such service could also be provided by a telephone call center. The app is a digital tool that does the work better.

The “App Center”, which could be a “Web Site” that operates in the background, needs to be compliant with Section 79 of ITA 2008. According to ITA 2008, the App Center (or its owner, which is the company such as Uber) needs to exercise “Due Diligence” and “Reasonable Security Practice”, failing which it would be liable for any contravention of ITA 2008.

The offence in question, however, falls under IPC and was committed with the use of electronic documents to lure the customer. However, when the driver switched off the app to facilitate the crime, he caused “Disruption” of service, which is a contravention under Section 43 of ITA 2008 as well as an offence under Section 66 of ITA 2008. It will also attract Section 85 of ITA 2008 (offences by companies), according to which the individuals who are in charge of the business of the company may be held liable personally for the civil and criminal liabilities arising out of the incident.

If the app company needs to defend against the liabilities arising out of the contravention, it needs to show observance of “Due Diligence” and “Reasonable Security Practice”.

A proper interpretation of the provisions of ITA 2008 indicates that there should be a “Privacy Policy” and an appropriate disclosure policy while the intermediary collects and uses sensitive personal information from the public for providing the service. The enrolled drivers would be “Business Associates” of the company, and the company (Intermediary) needs to have appropriate policies, procedures and controls in place to ensure that information passed on to them is used only for the purpose for which it was provided, namely to provide the taxi service and nothing else.

Such security measures would include anticipating the failure of the network, when the service provider loses connectivity with the driver either because the driver switches the app off or because the network is not available, and the reasonable counter measures required to address the consequences. This is a “Threat” and a “Vulnerability” that leads to a “Risk” that needs to be mitigated.

Such reasonable counter measures could be “Alerting the Passenger” and his/her emergency contacts that “The taxi in which the passenger is travelling is temporarily out of contact and its last known location was ….” and also alerting the nearest police control room. In the instant case, it would have woken up the passenger and enabled her to protect herself better.

The Police may say that they do not have the resources to respond to such alerts since there would be too many false alarms. But if the first alert from the app is corroborated by a subsequent alert from, say, the passenger using some security app of their own, then the police can swing into action through the patrol vehicles to check. Also, the passenger can confirm when the booking is made whether he/she has accompanying passengers or is travelling alone, which can tag the alert as “Non Critical” or “Critical”.
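The counter measure described above can be sketched in code; this is an added example, not code from the original post or from any taxi operator. The names, the heartbeat model and both time thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

HEARTBEAT_TIMEOUT_S = 120      # assumed: silence longer than this raises an alert
CORROBORATION_WINDOW_S = 900   # assumed: passenger alert must arrive within this window

@dataclass
class Ride:
    ride_id: str
    travelling_alone: bool           # confirmed by the passenger at booking
    emergency_contacts: list
    last_seen: float
    last_location: tuple             # (lat, lon) from the last driver-app heartbeat
    lost_at: Optional[float] = None  # set while the ride is out of contact

def on_heartbeat(ride, ts, location):
    """Driver app reported in: refresh state and clear any open contact loss."""
    ride.last_seen, ride.last_location, ride.lost_at = ts, location, None

def _alert(ride, recipient, corroborated):
    severity = "Critical" if ride.travelling_alone else "Non Critical"
    lat, lon = ride.last_location
    return {"to": recipient, "ride": ride.ride_id, "severity": severity,
            "corroborated": corroborated,
            "text": f"Taxi temporarily out of contact; last known location {lat:.4f},{lon:.4f}"}

def check_contact(ride, now):
    """Run periodically by the app centre; returns alerts to send, once per loss."""
    if ride.lost_at is not None or now - ride.last_seen <= HEARTBEAT_TIMEOUT_S:
        return []
    ride.lost_at = now
    recipients = ["passenger", *ride.emergency_contacts, "police_control_room"]
    return [_alert(ride, r, corroborated=False) for r in recipients]

def on_passenger_alert(ride, now):
    """Second, independent signal from the passenger's own security app."""
    if ride.lost_at is None or now - ride.lost_at > CORROBORATION_WINDOW_S:
        return []
    return [_alert(ride, "police_control_room", corroborated=True)]

def demo():
    # Constructed sample ride: timestamps in seconds, coordinates are made up.
    ride = Ride("R-1", True, ["contact_a"], last_seen=0, last_location=(12.9716, 77.5946))
    on_heartbeat(ride, 60, (12.9750, 77.6000))
    quiet = check_contact(ride, 100)         # 40 s of silence: no alert
    first = check_contact(ride, 200)         # 140 s of silence: first alert
    repeat = check_contact(ride, 260)        # same loss is not re-sent
    escalated = on_passenger_alert(ride, 300)
    return quiet, first, repeat, escalated
```

Only the corroborated alert is meant to trigger a patrol check; the first, uncorroborated notice to the control room is informational.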

The background verification of the drivers would, however, be an essential part of the security and can be used to tag the drivers as “Verified” or otherwise.

The beauty of technology is that if we are innovative, we can up the security several notches and make the life of the citizens that much more secure.

We hope that our administrators understand the power of technology and use it properly rather than banning the use of technology for managing the taxi services. In the coming days the app based transport services will be an integral part of “smart city life” and it would be unwise to interrupt this technology development.

I also urge the app taxi operators to immediately form a forum of their own and develop a “Standard Security Procedure” to be an “industry practice”. They can then seek approval of such information security practice under Section 43A of ITA 2008 as a “Reasonable Security Practice”.

This would protect their business from knee jerk and arbitrary regulations from different Governments and harassment from corrupt politicians and police.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.

One Response to Uber failed in ITA 2008 Compliance

  1. Dips says:

    Uber has scant respect for safety or security. The same is amply demonstrated by their views on 2F authentication. Read here for details. http://blog.uber.com/2FA
