Chetana (formerly Kavach/Vajra) — Legal Risk Register

Last Updated: 8 March 2026 Maintained By: Paul Desai (Utpal Ajitkumar Desai) Review Frequency: Quarterly or after any material change Product: Chetana — AI-powered scam detection and digital protection for India Live URL: https://chetana.activemirror.ai/ui Interfaces: Web UI, Telegram Bot, WhatsApp Bot, REST API Tech: Python/FastAPI, Ollama LLM (local), rule-based risk engine, crowdsourced verification lattice Status: Free public service. N1 Intelligence (OPC) Pvt Ltd exists; product and operator boundaries should still remain explicit in contracts, public docs, and billing.

Risk Matrix

#	Risk	Severity	Likelihood	Mitigation Status
1	False negative — user trusts "LOW RISK", loses money	CRITICAL	Medium	Mitigated (disclaimer on every result)
2	False positive — legitimate business flagged as scam	HIGH	Medium	Mitigated (safe harbor language, "assessment not fact")
3	Government impersonation perception	MEDIUM	Low	Mitigated (renamed to Chetana, "NOT a government service" notice)
4	Personal or operator liability ambiguity	HIGH	Low	Partially mitigated (corporate entity exists; operator and product boundaries should stay explicit)
5	DPDP non-compliance (up to Rs 250 crore)	CRITICAL	Low	Mitigated (full compliance framework)
6	Crowdsource data poisoning → defamation	HIGH	Medium	Mitigated (min 3 reports, anti-poisoning, disclaimer)
7	Intermediary liability (IT Act S.79)	MEDIUM	Low	Mitigated (tool positioning, not platform)
8	AI hallucination in analysis text	MEDIUM	Medium	Mitigated (rule-based primary, AI supplementary, disclaimer)
9	Third-party API failure or ToS change	MEDIUM	Medium	Mitigated (graceful degradation, dependency docs)
10	Govt whitelist gap — real scheme not whitelisted	MEDIUM	High	Mitigated (disclaimer: whitelist not exhaustive)
11	Consumer Protection Act 2019 jurisdiction	MEDIUM	Low	Mitigated (free service, as-is, ToS jurisdiction)
12	UPI/phone data as personal data under DPDP	MEDIUM	Medium	Mitigated (legitimate interest, anti-fraud purpose)
13	CERT-In 6-hour breach notification	HIGH	Low	Documented (incident response plan below)
14	Children under 18 (DPDP S.9)	MEDIUM	Low	Mitigated (age notice, no active collection)
15	Competition law — flagging specific payment providers	LOW	Low	Mitigated (neutral algorithm, no targeting)
16	Copyright in reproduced scam messages	LOW	Very Low	Mitigated (public safety fair use)
17	Bhashini/Google Safe Browsing API compliance	MEDIUM	Low	Documented (dependency terms below)
18	IT Act S.66A-style censorship perception	LOW	Low	Mitigated (user-initiated only, no auto-scanning)

Detailed Risk Analysis

1. FALSE NEGATIVE LIABILITY (CRITICAL)

Scenario: User scans a scam message. Chetana returns "LOW RISK". User proceeds and loses money.

Legal exposure:

Negligence claim under Indian Contracts Act / Consumer Protection Act
Potential tort liability for financial loss

Mitigations:

Every scan result includes disclaimer: "Not 100% accurate. Not liable for financial loss. Always verify independently."
Terms of Service explicitly exclude liability for false negatives (S.3)
Service provided "as is" with no accuracy guarantees
Maximum liability capped at zero (free service)
Disclaimer shown in BOTH English and Hindi
API responses include disclaimer field in metadata

Residual risk: Medium. No disclaimer is absolute. A court could find duty of care if Chetana is widely trusted.

Action items:

[ ] Consider professional indemnity insurance when revenue allows
[ ] Track false negative reports for continuous improvement
[x] Disclaimer on every result card (code: DisclaimerManager.wrap_response())

2. FALSE POSITIVE / DEFAMATION (HIGH)

Scenario: Chetana flags a legitimate business's UPI ID, phone number, or URL as "HIGH RISK" or "suspicious". Business discovers this and sues for defamation under IPC S.499/500 or claims tortious interference.

Legal exposure:

Criminal defamation (IPC S.499/500) — up to 2 years imprisonment
Civil defamation — unlimited damages
Tortious interference with business relations

Mitigations:

All results framed as "risk assessment" not "scam verdict" — probabilistic language only
No named entities in results (never says "SBI is a scam")
Disclaimer: "This is an automated risk assessment, not a factual determination"
UPI/phone checks use statistical patterns, not named accusations
Good faith defense: public interest in fraud prevention (IPC S.499 Exception 9)
Truth defense: results based on verifiable pattern matching, not opinions
Safe harbor: ToS states assessments are machine-generated, not editorial

Residual risk: Medium. Defamation suits are easy to file in India. Even frivolous ones cost time/money.

Action items:

[x] Never output "This IS a scam" — always "This MAY be suspicious"
[x] Safe harbor language in ToS
[ ] Monitor for false positive reports; remove flagged entries promptly
[ ] Legal counsel review of output language when budget allows

3. GOVERNMENT IMPERSONATION (MEDIUM — reduced after rename)

Scenario: Users or authorities believe Chetana is an official government tool. "Chetana" (meaning "consciousness/awareness" in Sanskrit) is a common word, not trademarked by any government body. However, users could still mistake it for an official tool given the government-scheme-verification features.

Legal exposure:

Impersonation of government authority
Regulatory cease-and-desist

Mitigations:

Product renamed from "Vajra" to "Chetana" — eliminates NIC Vajra naming conflict
Prominent notice: "Chetana is an independent project by MirrorDNA. NOT affiliated with any government body."
No government logos, emblems, or color schemes (no Ashoka Chakra, no tricolor)
No ".gov.in" domains
Branded as "MirrorDNA" project, not government initiative

Residual risk: Low. "Chetana" is a generic Sanskrit word with no known government trademark conflict.

Action items:

[x] Renamed from Vajra to Chetana (clear namespace)
[x] "Not a government service" disclaimer in UI, ToS, and Privacy Policy
[x] No government branding elements
[ ] Trademark search for "Chetana" in Class 9/42 (software/SaaS) — recommended before commercial launch

4. PERSONAL LIABILITY (HIGH)

Scenario: Chetana is publicly associated with Paul Desai while the wider operating environment also has a registered company. If contractual, billing, and operator boundaries are not explicit, claims can still be aimed at the individual operator and create confusion about who is responsible for what.

Legal exposure:

Unlimited personal liability for all Chetana actions
Personal assets at risk in any lawsuit
No separation between personal and project finances

Mitigations:

Strong ToS with indemnification clause
Liability disclaimer on every touchpoint
Registered entity exists (N1 Intelligence (OPC) Pvt Ltd)
Public docs can be aligned so contact, jurisdiction, and operator details are not contradictory

Residual risk: Medium. A company exists, but documentation drift can still reopen operator-liability confusion.

Action items:

[ ] Keep product terms, privacy policy, billing, and dispute handling aligned to the actual operating entity and named contact
[ ] Use a dedicated project or company bank account for any future revenue
[ ] Professional indemnity insurance when affordable

5. DPDP ACT 2023 NON-COMPLIANCE (CRITICAL)

Maximum penalty: Rs 250 crore per violation.

Current compliance status:

Obligation	Status	Implementation
Lawful purpose & consent (S.4-6)	Done	ConsentManager, purpose limitation
Notice before collection (S.5)	Done	Disclaimer shown pre-scan
Purpose limitation (S.6)	Done	Only fraud detection
Data minimization	Done	Only user-submitted data
Retention limitation (S.8)	Done	7-day auto-purge, DataRetention class
Right to access (S.11)	Done	/api/privacy/export
Right to correction (S.12)	Done	Contact mechanism
Right to erasure (S.13)	Done	/api/privacy/delete
Right to grievance (S.14)	Done	Grievance officer designated
Children's data (S.9)	Partial	Age notice but no verification
Data breach notification (S.15)	Documented	See CERT-In plan below
Significant Data Fiduciary (S.10)	Not applicable yet	Monitor if volume grows

Residual risk: Low if current framework maintained. Monitor for DPDP rules/regulations as they're issued.

6. CROWDSOURCE DATA POISONING (HIGH)

Scenario: Bad actor submits false reports to the verification lattice, targeting a competitor's UPI or phone number. Chetana then flags the competitor's legitimate payment channel as "reported fraud."

Legal exposure:

Defamation liability (Chetana becomes the vehicle for the false accusation)
Tortious interference with business
Potential criminal complaint

Mitigations:

Minimum 3 independent reports required before flagging (anti-poisoning threshold)
Source diversity check: reports must come from different user IDs
No auto-flagging: crowdsource data supplements, doesn't override, rule-based scoring
Disclaimer: "Reports are community-submitted and not verified by Chetana"
Ability to remove false reports on request
Audit trail on all submissions

Residual risk: Medium. 3-report threshold can still be gamed with sock puppets.

Action items:

[x] Anti-poisoning rules in VerificationLattice
[ ] Add IP/device fingerprint diversity check
[ ] Implement dispute mechanism (reported entity can contest)
[ ] Consider requiring evidence (screenshot) for reports

7. INTERMEDIARY LIABILITY — IT ACT S.79

Scenario: Chetana is treated as an "intermediary" under the IT Act. Intermediaries must comply with IT Rules 2021 due diligence (appoint Grievance Officer, Chief Compliance Officer, Nodal Contact Person for India-based intermediaries with 5M+ users).

Analysis:

Chetana is a tool, not a platform. Users don't communicate through it.
No user-generated content is published to other users.
Crowdsource reports are aggregated, not published.
Most likely classification: information technology service, not intermediary.

Mitigations:

Position as analysis tool, not communication platform
No user-to-user interaction
Designated Grievance Officer regardless (good practice)
Comply proactively with due diligence norms

Residual risk: Low. Tool classification is defensible.

8. AI HALLUCINATION IN ANALYSIS (MEDIUM)

Scenario: Ollama LLM generates incorrect, misleading, or harmful analysis text. For example: "This message is from the real SBI" (false reassurance) or "The sender is a known criminal" (false accusation).

Mitigations:

Rule-based scoring is PRIMARY — AI text is supplementary explanation only
Risk score is deterministic (pattern matching), not AI-generated
AI explanations are wrapped with disclaimer
Deep scan explicitly labeled as "AI analysis" to set expectations
Output sanitization: no named entity accusations in AI responses

Residual risk: Medium. LLM output is inherently unpredictable.

Action items:

[x] Disclaimer wrapper on all AI responses
[ ] Post-processing filter: strip any named entity accusations from AI output
[ ] Monitor AI explanations for quality degradation

9. THIRD-PARTY API DEPENDENCIES

Dependency	Used For	Risk	Mitigation
Google Safe Browsing	URL reputation	ToS change, rate limit, data sharing	Graceful degradation; cache results; comply with attribution
Bhashini (MeitY)	Hindi translation	API downtime, policy change	Fallback to English; local translation cache
Ollama (local)	LLM analysis	Model update breaks output	Pin model version; rule-based fallback
Telegram Bot API	Telegram interface	Platform ban, API change	No dependency for core functionality

Action items:

[x] All external APIs have try/catch with graceful degradation
[ ] Document Google Safe Browsing attribution requirements
[ ] Pin Ollama model version in config

10. GOVERNMENT WHITELIST GAPS (MEDIUM)

Scenario: User receives a message from a real government scheme (e.g., new state program) that isn't in govt_whitelist.json. Chetana returns MEDIUM/HIGH risk. User ignores a legitimate government benefit.

Mitigations:

Disclaimer: "Our government scheme database may not be exhaustive"
Whitelist is supplementary — presence lowers risk, absence doesn't raise it
Direct users to verify at official .gov.in portals
Regular whitelist updates

Residual risk: Medium. India has hundreds of state and central schemes, keeping up is impractical.

13. CERT-IN INCIDENT RESPONSE PLAN

Requirement: CERT-In Directions 2022 require reporting cyber incidents within 6 hours.

Plan:

Detect breach (monitoring, user report, or automated alert)
Within 1 hour: Assess scope, take affected systems offline
Within 6 hours: Report to CERT-In via [email protected] (mandatory)
Notify any additional regulator, board, or authority required by the law in force at the time
Within 72 hours: Notify affected users with: what happened, what data exposed, what to do
Document: incident details, root cause, remediation, lessons learned

CERT-In contact: [email protected] Reporting format: Per CERT-In Directions Annexure

Third-Party Compliance Checklist

Requirement	Source	Status
Google Safe Browsing attribution	Google ToS	Pending
Bhashini API terms compliance	MeitY Bhashini	Pending review
Telegram Bot ToS compliance	Telegram	Compliant
DPDP alignment and controls	Govt of India	Controls implemented; formal legal review still recommended
IT Act S.43A reasonable security	Govt of India	Compliant (local storage, hashing)
CERT-In incident reporting readiness	CERT-In	Documented (this file)
Consumer Protection Act positioning	Govt of India	Documented (free, as-is service)

Recommended Legal Structure Timeline

When	Action	Cost	Benefit
Now	Current setup (individual)	Rs 0	Simplicity
At first revenue	Register LLP	Rs 3,500	Limited liability
At 1,000 users	Appoint Grievance Officer formally	Rs 0	DPDP compliance
At 10,000 users	Professional legal review of ToS/PP	Rs 15,000-50,000	Expert validation
At 50,000 users	Assess Significant Data Fiduciary status	Rs 0	DPDP S.10 compliance
At revenue	Professional indemnity insurance	Rs 10,000-50,000/yr	Litigation protection

This document is a risk assessment tool, not legal advice. Professional legal counsel is recommended for any material legal decisions.

Parent mark

Active Mirror™

Trust by Design™

Active Mirror™ is the parent trust mark behind Chetana’s public legal and recovery surfaces.