This article is written by Devagni Vatsaraj who is pursuing a Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.
In general, cyber law is legislation that focuses on the proper use of technology, such as hardware and software, the internet, and networks. It also reflects on how people use technology in their daily lives. Cyber law protects users by allowing for the detection and prosecution of online criminal activity. It covers the activities of individuals, associations, the media, government, and private organisations. The law looks at crimes committed in the real world that are made possible by cyberspace. There is a growing need for regulating cyber laws that can address jurisdictional and privacy concerns, as well as intellectual property rights and other legal issues.
Following the breakup of the Soviet Union, Russia inherited a strong friendship with India, which culminated in the establishment of a Special Relationship between the two countries. The strategic partnership between India and Russia is based on five major pillars: politics, defence, civil energy, counter-terrorism cooperation, and space. In recent years, a sixth dimension, centred on an economic front, has grown in importance. The ongoing partnership in the field of science and technology, as part of the Integrated Long-Term Programme of Cooperation (ILTP), is India and Russia’s largest co-operation programme in this region.
The Indian Department of Science and Technology, as well as the Academy of Sciences, Ministry of Science and Education, and Ministry of Industry and Commerce, coordinate the ILTP. Development of SARAS Duet aircraft, semiconductor products, supercomputers, poly-vaccines, laser science and technology, seismology, high-purity materials, software & IT and Ayurveda are some of the priority areas of cooperation under the ILTP. In August 2007, the Department of Science and Technology and the Russian Foundation of Basic Research in Moscow signed a Memorandum of Understanding.
Russia’s take on cyber laws
The Russian legal system is based on continental civil law. There is federal and regional legislation; however, in the event of a conflict, federal legislation takes precedence. Data privacy is regulated at the federal level, but some Russian regions have not enacted any specific laws or regulations in this area.
Each individual has the right to privacy and personal/family secrecy; this was introduced in 1993 in the Russian Constitution. They still have the right to keep their communications private, and any restrictions on this right must be approved by a judge. Only with their permission may information about their private lives be collected, used, stored, and distributed. The protection of these basic rights is regulated by special laws and also specific regulations enacted in relation to these laws.
The Federal Bureau of Investigation (FBI) discovered a series of break-ins into the operating networks of numerous companies in the United States in 2000. Vasiliy Gorshkov and Alexey Ivanov, both Russians, were named as the perpetrators of such cyber-attacks by the FBI. A scheme was devised to entice them into the United States of America by forming the Invita Company. Both of them were then invited to an interview at the company. Gorshkov and Ivanov were asked to demonstrate their computer hacking skills during the interview. They were given a laptop from which they could access their home computers, which housed their hacking equipment. The Russians were unaware that the FBI had used a technique to obtain the hackers’ user id and password. Following the event, Gorshkov and Ivanov were arrested right away.
The FBI then used the user ID and password to download details from Gorshkov and Ivanov’s home computers in Russia, which they used as evidence against the two of them without a warrant. Gorshkov filed a motion to remove the evidence after they were convicted, claiming that their rights under the Fourth Amendment and Russian law had been violated. The FBI argued that because downloading from a computer source does not constitute a search, it is not appropriate to obtain Russian authorities’ consent. The court dismissed Gorshkov and Ivanov’s petition, arguing that the Fourth Amendment should only be used when there is a search and seizure within the scope of the amendment. The act of copying the data on the Russian machines, on the other hand, did not conflict with the defendant’s possessory interest in the data, and the FBI agents’ act of accessing information from a device in another country did not constitute a search or seizure.
In 2007, Russia passed a law governing data privacy problems. The Personal Data Law (Federal Law No. 152-FZ on Personal Data, dated 27.07.2006) covers nearly all aspects of data security, including what constitutes personal data, what forms of data can be collected and processed, how and under what circumstances data can be collected and processed, and what safeguards must be implemented by agencies collecting data. There is no distinction between data controllers and data processors in the Personal Data Law. As a result, any individual or agency working with personal data is subject to the provisions of this Law.
There are also a number of relevant pieces of legislation that cover the technical aspects of data processing and help to explain the rules of the Personal Data Law. Such regulations are provided by the Russian government’s data protection authority, the Federal Service for Supervision in the Sphere of Communication, Information Technology, and Mass Communications (DPA), and/or other security agencies, such as the Federal Service for Technical and Export Control (FSTEK) or the Russian Federal Security Service.
Since the year 2014, data protection has been a hot topic of debate. The government’s approach to privacy became more protectionist. The Russian parliament passed changes to the Personal Data Law (the Data Localisation Law), requiring data operators who collect citizens’ personal data to store and process that data only in databases located in Russia, similar to Indian laws. Despite the fact that the Data Localisation Law was heavily criticised by companies and the media, it went into effect on September 1, 2015.
In addition to the Data Localisation Law, Russia amended the Russian Federal Laws on Information and Information Technology, as well as the Russian Federal Law on Information Protection. Companies that offer video, audio, or text communication services must register with the authorities, store messages or audio or video calls for up to six months, and provide decryption keys to the authorities if the messages are encrypted, according to the amendments.
Recent years have been very intense for Russian data protection law. The Federal Law No. 97-FZ of 05.05.2014 significantly amended Federal Law No. 149-FZ dated 27.07.2006, the Information Law and some other Russian regulations. The Information Law was later substantially strengthened with a few additional amendments, finally coming into force on 01.07.2018. Authored by Irina Yarovaya, the amendments (the Yarovaya Law) directly affected Russia’s telecoms and internet industries. In particular, the mobile operators were to store the recordings of all phone calls and the content of all text messages for a period of six months, entailing huge costs, while the internet companies were required to store the recordings of all phone calls and the content of all text messages for six months and the related metadata for one year.
Furthermore, the Yarovaya Law mandates such operators to provide all such communications to Russian police and intelligence upon their request, to install special systems for investigative purposes, and to provide decryption keys to the security authorities if the messages are encrypted.
The DPA compiled a list of infringing websites based on the Data Localisation Law. A comprehensive ‘notice and take down’ process is outlined in the statute. Since Russian citizens’ personal data must be stored and processed in Russia, the location of databases containing their personal data must be reported to the DPA. Recently, lawmakers adopted amendments that dramatically increased the fines for non-compliance.
The leading Russian computer security firm Group-IB cites two reasons for the country’s rapid and continuing rise in cybercrime. First, Russia’s legislative framework for combating cybercrime is ineffective, and cybercrime punishment in Russia is very light, with sentences for computer-related offences being either very short or suspended. Second, various hacker groups collaborate with one another in order to increase income and fund their illegal activities.
In Russia, the term “informationization,” which refers to the intense exploration and use of digital tools for social and economic advancement, is often used by the authorities, while the term “cyber” is usually reserved for the medical and academic sector. Even though the terms “cyber-crime” and “cyber-warfare” or “cyber-attack” do not appear in any of the official public documents, the use of terms such as information security, computer information crime, computer crime and informational resistance, makes it clear that the government distinguishes between regular cybercrimes and cyber-warfare.
India’s take on cyber laws
With so much misuse of technology in India and no statute to control it, strict statutory laws were required to regulate criminal activities in the cyber world and protect users from harm in the fields of e-commerce, e-governance, e-banking, and so on. The Indian Parliament passed the “Information Technology Act, 2000.” The IT (Amendment) Act, 2008 was enacted to amend the Act. The Amendment Act broadened the reach and applicability of the law. Section 43 has been replaced with Section 66, and the term “hacking” has been replaced with “data theft” in this section. Sections 66A to 66F now have a broader reach as a result of the amendment.
The crimes discussed in this section are: sending offensive messages through a communication service; misleading the recipient about the origin of such messages; dishonestly receiving stolen computers or other communication devices; stealing an electronic signature or identity, such as using another person’s password or electronic signature; cheating by personation through a computer resource or a communication device; publicly publishing information about any person’s location without prior permission or consent; cyber terrorism; and acts of access to a computer resource without authorization, such acts which can lead to injury to any person or result in damage or destruction of any property, while trying to contaminate the computer through any virus like a Trojan. Section 66 criminal offences are both cognizable and non-bailable.
Whereas the consequences of Section 43 of the previous Act are civil in nature, with only penalties and restitution as remedies, under Section 66 of the Amendment Act, if such an act is performed with criminal intent, or mens rea, it would incur criminal liability, with remedies including imprisonment, fines, or both.
Following the passage of the Information Technology Act of 2000, India’s main statutes were revised. By adding the term “electronic” into the Indian Penal Code, electronic records and documents are treated equally to physical records and documents. Sections dealing with false entry in a record or false document (e.g., 192, 204, 463, 464, 468 to 470, 471, 474, 476, etc.) have since been amended to include “electronic record and electronic document,” bringing them under the IPC’s jurisdiction. During the commission of acts of forgery or falsification of physical records in a crime, electronic records and electronic documents are now treated the same as physical records and documents. After the above amendment, the investigating agencies file the cases/charge-sheet quoting the relevant sections from the IPC under Sections 463, 464, 468 and 469 read with the IT Act/IT Amendment Act under Sections 43 and 66 in like offences to ensure the evidence and/or punishment can be covered and proved under either of these or under both legislations.
Prior to the enactment of the IT Act, all evidence in a court was in physical form only. After the IT Act came into existence, electronic records and documents were recognized. The definition part of the Indian Evidence Act was amended, as “all documents including electronic records” was substituted. Other terms, e.g. ‘digital signature’, ‘electronic form’, ‘secure electronic record’ and ‘information’, as used in the IT Act, were also inserted to make them part of the evidentiary importance under the Act. The important amendment was the recognition of the admissibility of electronic records as evidence, as enshrined in Section 65B of the Act. As regards the Bankers’ Books Evidence Act 1891, before the passing of the IT Act, a bank was supposed to produce the original ledger or other physical documents during evidence.
After enactment of the IT Act, the definitions part of the Act stood amended as: “bankers books include ledgers, day-books, cashbooks, account-books and all other books used in the ordinary business of a bank whether kept in the written form or as printouts of data stored in a floppy, disc, tape or any other form of electromagnetic data storage device”. Preservation of evidence is also a big issue. Many issues in cybercrime are still left uncovered.
Scope of the countries for expansion
In Russia, the number of lawsuits involving data privacy is rising, and further compliance actions are anticipated, as well as more court clarifications in this region. In India, we’d like to develop a comprehensive national cybersecurity strategy, as well as a large amount of investment in the field. Countries must actively engage in all forms of international cybersecurity cooperation in order to facilitate more cohesive strategies in the face of cyber threats. We must also ensure that current regulations are properly enforced so that they do not become toothless tigers.
Considering the hardship in detecting cybercrime or estimating the damage of cyber attacks, countries should have some illusions about the extent of cyber risks and possible threat to the national infrastructure, business and individuals. However, there is a growing public perception that cyber attacks are becoming more sophisticated and widespread. Owing to technological advancements, the increase in potential benefits from committing cybercrime, and therefore the lower probability of judicial sentences being enforced, cyber threats have become more prevalent in recent years.
Since fighting cybercrime solely on a national level is nearly impossible, policymakers’ efforts to secure cyberspace are hampered by a lack of inter-jurisdictional and international cooperation. Relations of Russia and India are at a premeditated front; President Vladimir Putin stated in a piece of writing for The Hindu, “The Declaration on Strategic Partnership between India and Russia signed in October 2000 became a truly historic step.”
To summarise, the proliferation and development of computer networks are inextricably linked to the growth and development of our society in the long run, and we need to raise public awareness of this reality. The future war will be waged in a virtual network rather than on the field. To foster an international agreement on cyber deterrence, all countries must take the necessary measures. Vasudhaiva Kutumbakam, which means “the universe is one family,” is a term stated in the Vedas. We must regard the entire cyberspace community as one big family, and we must be happy and able to contribute all we can to ensure the peaceful coexistence of everyone.