This article has been written by Hema Modi, pursuing the Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho. This article has been edited by Ruchika Mohapatra (Associate, Lawsikho).
Table of Contents
Recently, a new malware has been reported by a team of researchers which can be found when some of the android apps are downloaded from the Google Play Store. The name of the new Malware is “Vultur” which hacks the screen of the targeted phone and steals banking login IDs and password information from users. The malware screen records the information credentials and hackers use it illegally for unlawful purposes. This malware has affected approximately 30,000 phones and now is the time when we (users) have to be aware and protect ourselves. The above-stated illustration is one of the types of hacking methods used by hackers. This article will be dealing with every aspect of hacking and various penal laws relating to it.
Definition of hacking
Hacking is nothing but identifying weakness in computer systems or networks to exploit it to gain access to its data and sources. Hacking is an attempt to invade a private/public/ corporation/organisations network via computer to gather information without permission. In simple words, it is the unauthorised or unconsented access to or control over the computer network and security systems for some wrong or illicit needs and purpose. It is the deliberate and intentional access or infiltration of a computer program without valid consent from its owner. It affects all arms and feet of information and communication technology of an entity. These include threats through the web, communications, and email, social media scams, data breaches, cloud and data storage compromises, and critical data breaches. The sole objective of hackers is to steal confidential data or embezzlement of funds causing business disruptions, etc.
Hacking can be caused in different ways and with the advancement of technology, new methods of hacking are coming up every day. Some of the renowned methods of hacking are discussed below.
Methods of hacking
- Phishing – This simply means duplicating the original website to gain access to the users’ information like account password, credit card details etc. It is the most common hacking technique in which the hackers will either send you a fake message with a fake invoice or ask to confirm some personal information or entice the person with some free stuff.
- Virus attack – By this method of hacking, the hackers release the virus into the files of the website which can corrupt or destroy the important information stored in our computer if they are downloaded or get inside our computer system.
- UI redress – In this method, a fake user interface is created by which when the user clicks on it, it redirects them to another vulnerable website. For instance, if we have to download a song, as soon as we click on the “download” tab, a new page is redirected which is usually a fake website.
- Cookie theft – Sometimes, the website containing information about the users in the form of cookies is hacked using special tools. These cookies can be decrypted and read to reveal one’s identity which can be further used to impersonate the person online. Cookies are generally stored as plain text or in some form of encryption.
- DNS spoofing – The cache data of a website which the user might have forgotten is used by hackers to gather information about users. Here, a user is forced to navigate to a fake website disguised to look like a real one, with the intention of diverting traffic or stealing the credentials of the users.
After discussing the methods of hacking, it is relevant to discuss the legality of hacking in India.
Indian legal provisions for hacking
- Section 43 and Section 66 of the Information Technology Act, 2000 cover the civil and criminal offenses of data theft and hacking respectively.
According to Section 66 of the IT Act, the following are the essentials for an offence to count as hacking:
- There should be the malicious intention of the accused to tamper or break into the computer of the other person and steal or destroy its data or sources.
- A wrongful act or damage to the data must be done pursuant to the wrong intention.
- Also, according to Section 378 of the Indian Penal Code,1860 which relates to “theft” of movable property also applies to theft of any data online or otherwise with the two most important parts of crime i.e., mens rea and actus reus. When a person takes away or steals the information in order to move it away from the access of the authorised user, it can be termed as theft under Section 378 of IPC. If such an act fulfills all the essentials of the theft, the act committed will attract penal consequences under IPC as well.
- Furthermore, laws of torts as well, such as trespass to the person and property,can be applied, as well, since there is trespass to a computer system which is an intangible property. Therefore, any kind of unauthorised intrusion in the computer sources governed by a bad intention can come under the purview of criminal trespass which can make a person liable for the tortious liability as well.
Under the Information and Technology Act, According to Section 66, the punishment is imprisonment up to 3 years, or a fine which may extend up to 2 lakh rupees, or both.
According to Section 43, liability is to pay damages by way of compensation to the person affected by the stealing of the data. Section 66B entails punishment for receiving stolen computer resources or information. The punishment includes imprisonment for one year or a fine of rupees one lakh or both. The maximum punishment for theft under Section 378 of the IPC is imprisonment of up to 3 (three) years or a fine or both.
As soon as cybercrime i.e., hacking is committed, a person should complain about the same to the cyber cell.
Following are the steps to be followed for reporting hacking in India:
STEP 1: Visit https://cyber crime.gov.in/Accept.aspx
STEP 2: Select ‘Report other cyber crimes’ from the menu.
STEP 3: Choose ‘File a Complaint.’
STEP 4: Read the conditions thoroughly and acknowledge them.
STEP 5: Mobile number needs to be registered along with name and State.
STEP 6: Complete all the relevant details about the offence witnessed.
One can also report the offence anonymously.
Indian case laws on hacking
Case law 1: Jagjeet Singh v. The State of Punjab
In this case, it was alleged by the company that some of its ex-employees have stolen their content and databases and transferred it to some other company. The main issue in the case was whether the petitioner can invoke the non-bailable offences under IPC i.e, data theft and hacking?
Verdict – The apex court held that in cases of data theft and hacking, the offences under the Indian Penal Code will also be applied along with the penal provisions of the IT Act, and this would not exclude the application of the IPC. This shows the gravity with which the judiciary has regarded the crime of hacking holding hackers or the culprits liable under two acts i.e., IPC and IT Act.
Case Law 2: Kumar v. Whiteley
The accused, i.e Kumar gained unauthorised access to the Joint Academic Network (JANET) and deleted, added files, and changed the passwords to deny access to the authorised users which led to a loss of Rs 38,248 to the users.
The Additional Chief Metropolitan Magistrate of Chennai sentenced N G Arun Kumar, the accused to undergo rigorous imprisonment for one year with a fine of Rs 5,000 under Section 420 IPC (cheating) and Section 66 of the IT Act (Computer related Offense).
Case law 3: Kamalakanta Tripathy v. Respondent: State of Odisha and Ors.
In this case, the email id of Madhusudan Padhy, IAS, Transport Commissioner, Odisha was hacked by an unknown miscreant. Through this hacked email, the accused used to send incriminating emails to other people and threaten them.
The accused was held liable under Section 66 of the Information Technology Act on the proof that the real accused was culpable as he was hiding behind an alias by masking his own identity. Hence, the Supreme Court observed that the culpability of hacking depends on the presence of mens rea or the object with which the act was carried out for it to be punishable under Section 66 of the IT Act and since considering that the email account of a Senior IAS Officer of the State has been it has been hacked so as to illegally obtain sensitive and confidential documents, the accused is liable for punishment as prescribed under Information Technology Act, 2000.
International legal provisions
Not only India has been facing problems and threats of hacking, but also countries like the United States, Italy, Australia, the U.K, and many more countries have experienced the same. However, countries like the US have well-formulated and implemented stringent laws in order to curtail such acts of illegal stealing of data by hackers. Some of the laws of the US are discussed as below:
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (CFAA) is the leading federal anti-hacking law that prohibits and controls unauthorized access to other’s computer systems. Initially, the law was formulated to protect the trafficking of computer systems of U.S. government entities and financial institutions, however, the scope of the Act was expanded after making amendments to include all computers in any part of the country (including devices such as desktops, laptops, cell phones, and tablets). This Act is a comprehensive and exhaustive law that provides and includes all the intricacies like what happens if the accused had attempted to hack the government sources and what will be the penalties if they are caught. Not only this, but it also lays emphasis and provides for the conspiracy and the acts of juveniles in such cases of hacking.
Civil violations under the CFAA
The penalties of CFAA are mostly for criminal-related violations and crimes, however, the 1994 amendment expanded the Act to include cause of action for civil suits, in addition to criminal prosecution.
Civil violations include the following:
- To obtain data from a computer and its sources by unauthorized access;
- Getting access to a password that can be used to access information on a device;
- Transmitting spam; and
- Damaging computer data.
- Other federal hacking laws.
- The Stored Communications Act highlights the prohibitions of the CFAA and protects the stored electronic communications and data (including email, texts, short message services (SMS), social media handles, cloud computing and storage, etc.)
In comparison to India, the laws which are in place to deal with the cases of hacking are not stringent and deterrent in nature in order to curb criminals to commit crimes in the future. Furthermore, the laws of the IT Act and IPC are generic in nature and it becomes difficult for the prosecution to prove liability against the accused.
Preventive measures and safeguards
Apart from the laws and legal measures, there are steps which one needs to follow in order to safeguard ourselves from being a victim of hacking. They are:
- One should keep their computers and software frequently updated as outdated programs are more vulnerable to hacking.
- One should be up to date with security programs to protect against malware, spyware, etc.
- All information on hardware must be deleted and destroyed before selling them.
- One must never use open Wi-Fi on their computers, laptops or mobile phones. The Wi-Fi must be encrypted with proper passwords.
- One must protect its device by using passwords such as passcode, fingerprints, etc. the timeout setting of mobile devices must be fairly short as mobile devices are treasure troves of information.
- Along with passwords, two step authentication and verification process make it difficult for the hackers to take over.
- One must never hover over the links or the URLs, if it is not from the person or company claiming to have sent it. It is ideal that if we feel something wrong, we must do a quick search on Google.
- One should always keep the data off the cloud.
- The device must be enabled with remote location device wiping.
- Regular backups of devices must be performed.
As it is rightly said, “It is not that we use technology, we live technology.” This era is indeed known as the technological era and there is no aspect of life that is not touched upon by the technological developments and the comfort in which we are living. But since every coin has two sides, similarly, these developments have both pros and cons. Cybercrime has increased annually and with the advancement, there have been developments in cyber-attacks too.
Therefore, the need of the hour is that the legislative body of India has to also move ahead with the change in the surrounding and frame laws which are effective and useful in curbing the rate of cybercrimes in India. Indian legislature can get inspiration from GDPR (General Data Protection Regulation) of the European Union, Laws from the US, and other countries to frame a stringent and effective law for India. Further, it will be the duty and responsibility of the executive body to implement the laws.
- Vultur Malware Uses New Technique To Steal Banking Credentials, https://techilive.in/vultur-malware-uses-new-technique-to-steal-banking-credentials/.
- What is Hacking? Introduction and Types, GURU99, https://www.guru99.com/what-is-hacking-an-introduction.html#:~:text=A%20Hacker%20is%20a%20person,with%20knowledge%20of%20computer%20security.&text=He%2Fshe%20breaks%20into%20computer,them%20to%20the%20system%20owner.
- What is Hacking? Common Objectives, Types, and How to Guard Against it, Hackernoon, https://hackernoon.com/what-is-hacking-common-objectives-types-and-how-to-guard-against-it-ab99897ff00b, 4th March, 2019
- Wendy Zamora, 10 ways to protect against hackers, MalwarebytesLABS, https://blog.malwarebytes.com/101/2015/10/10-ways-to-protect-against-hackers/, 10th October, 2015
- Sylvine, Laws Against Hacking in India, iPleaders, https://blog.ipleaders.in/laws-hacking-india/, 1st July, 2016
- Vinod Joseph and Deeya Ray, Cyber Crimes Under The IPC and IT Act – An Uneasy Co-Existence, mondaq, https://www.mondaq.com/india/it-and-internet/891738/cyber-crimes-under-the-ipc-and-it-act–an-uneasy-co-existence, 10th February, 2020
- Swati Shalini, What is Cyber Crime in India and How to file Cyber Crime Complaints?, MyAdvo, https://www.myadvo.in/blog/how-to-file-a-cyber-crime-complaint-with-cyber-cell-in-india/, 12th September, 2019
- Jagjeet Singh v. The State of Punjab, SLP (Crl.) No. 3583/2021.
- Kumar v. Whiteley
- Kamalakanta Tripathy Vs. Respondent: State of Odisha and Ors., MANU/OR/0134/2020
- Hacking Laws and Punishments, FindLaw, https://criminal.findlaw.com/criminal-charges/hacking-laws-and-punishments.html, 2nd May, 2019
- Michael Lewis, 10 ways to protect your privacy online and prevent hacking, Money Crashers, https://www.moneycrashers.com/ways-protect-privacy-online-prevent-hacking/
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: