This article is written by Srishti Sinha, a student at the Institute of Law, Nirma University. This article deals with the laws governing cybercrime and landmark judgments related to cybercrime in India.
As technology advances, humans have become reliant on the internet for all of their requirements. The internet has provided us with quick access to everything while being seated in one location. Every imaginable thing that one can think of can be done through the medium of the internet, including social networking, online shopping, data storage, gaming, online schooling, and online jobs. The internet is used in nearly all aspects of life. As the internet and its associated advantages grew in popularity, so did the notion of cybercrime. Different types of cybercrime have evolved with the increasing dependency on the internet. There was a dearth of understanding about the crimes that might be perpetrated over the internet a few years ago but today in terms of cybercrime, India is not far behind the other countries, where the rate of occurrence of cybercrime is also on the rise.
According to the report of Norton Lifelock, a cybersecurity software company, in the last 12 months, 27 million Indian adults have been victims of identity theft, and 52 percent of people in the nation are unaware of how to defend themselves against cybercrime.
Further, on August 30, 2019, the Ministry of Home Affairs launched the National Cyber Crime Reporting Portal to offer people a centralized system for reporting all sorts of cybercrime occurrences online, with a special focus on cybercrimes against women and children. According to the statistics of the portal, 3,17,439 cybercrime events and 5,771 FIRs have been recorded in the country since its establishment up to February 28, 2021, with 21,562 cybercrime occurrences and 87 FIRs in Karnataka and 50,806 cybercrime incidents and 534 FIRs in Maharashtra. We can see from the data that the number of victims of cybercrime is not a small figure hence, cybercrime is an issue of serious concern.
Cybercrime : an overview
Cybercrime is defined as illegal behaviour involving a computer, a computer network, or a networked device. Most, but not all, cybercrime is conducted by profit-driven cybercriminals or hackers. Some cybercrimes target computers or devices directly in order to harm or disable them, while others target computers or networks in order to disseminate malware, unlawful information, pictures, or other things. Some cybercrime targets computers in order to infect them with a computer virus, which subsequently spreads to other computers and, in some cases, whole networks.
How do cybercrimes work
Cybercrime may start everywhere there is digital data, opportunity, or motivation. From a lone user engaging in cyberbullying to state-sponsored attackers, cybercriminals come in many shapes and sizes. Cybercrime does not happen in a vacuum; it is, in many respects, a dispersed phenomenon. That is, hackers frequently enlist the help of other parties to execute their schemes. This is true whether it’s a malware developer selling code on the dark web, a distributor of illicit medicines utilizing cryptocurrency brokers to keep virtual money in escrow, or state threat actors stealing intellectual property through technological subcontractors. Cybercriminals employ a variety of attack vectors to carry out their cyberattacks, and they are always looking for new ways to achieve their objectives while evading discovery and prosecution.
Malware and other forms of software are frequently used by cybercriminals, but social engineering is typically a key component in the execution of most types of cybercrime. Phishing emails are a key component of many forms of cybercrime, but they’re especially crucial in targeted assaults like business email compromise, in which an attacker impersonates a firm owner through email in order to persuade workers to pay false bills.
Types of cybercrimes
Cybercrime can be conducted by targeting anything useful for a person or a country and hence, cybercrimes are divided into certain types. Let us have a look at these types accordingly.
When a criminal obtains access to a user’s personal information, they can use it to steal money, access private information, or commit tax or health insurance fraud. They can also use the individual’s name to create a phone/internet account, organize criminal activities, and claim government benefits in your name. They might do so by breaking into users’ passwords, stealing personal information from social media, or sending out phishing emails.
Hackers send malicious email attachments or URLs to users in order to obtain access to their accounts or computers in instances of such attacks. Many of these emails are not identified as spam because cybercriminals are getting more established. Users are duped into clicking on links in emails that suggest they need to change their password or update their payment information, allowing thieves access to their accounts.
Criminals use social engineering to make direct contact with you, generally via phone call or email. They generally act as a customer service person in order to earn your trust and obtain the information they want. This information can include your passwords, your employer’s name, or your bank account number. Cybercriminals will gather as much information about you as possible on the internet before attempting to add you as a buddy on social media sites. They can sell your information or open accounts in your name after they obtain access to an account.
Cyberstalking is something in which the criminals stalk you on your social media accounts to gather your private information so that they can use that information to get benefits in your name. They can gather your information in a number of ways. They could do so by gaining access to users’ credentials, stealing personal information from social media, or sending out phishing emails. Threats, libel, slander, sexual harassment, and other activities to control, influence, or intimidate their victim, are all examples of this type of behaviour.
Botnets are networks made up of infected machines that are managed from afar by hackers. These botnets are then used by remote hackers to transmit spam or attack other computers. Botnets may also be used to conduct harmful operations and serve as malware.
In this type of cybercrime, the cybercriminals share those contents which are offensive and highly disturbing. Here, offensive and disturbing content is not only limited to sexual activities but also includes violent videos, criminal videos, and videos related to terrorist activities. This sort of information may be found on both the public internet and the dark web, which is an anonymous network.
Cybercrime under IPC and the IT Act
There are a lot of statutes and regulations enacted by various authorities that penalize cybercrime. The Indian Penal Code, 1860 (IPC) and the Information Technology Act, 2000 (IT Act) both penalize a variety of cybercrimes and unsurprisingly, many clauses in the IPC and the IT Act overlap.
Laws governing cybercrimes in India
Cybercrime refers to illegal activities in which a computer is used as a tool, a target, or both. Traditional criminal actions such as theft, fraud, forgery, defamation, and mischief, all of which are covered under the Indian Penal Code, might be included in cybercrimes. The Information Technology Act of 2000 addresses a variety of new-age offences that have arisen as a result of computer abuse. The Indian Penal Code 1860, the Bankers’ Books Evidence Act 1891, the Indian Evidence Act 1872, and the Reserve Bank of India Act 1934 were all swiftly amended by the IT Act. The Amendments brought under the Sections of these Acts were to make them compliant with new technologies. By establishing stringent legal recognition, these modifications attempted to tone down all electronic transactions/communications, bringing them beneath the radar.
The following judgments are the landmark judgments on cybercrime in India. The first cybercrime occurred in 1992 when the first polymorphic virus was released. The case of Yahoo v. Akash Arora (1999) was one of the earliest examples of cybercrime in India. The defendant, Akash Arora, was accused of utilizing the trademark or domain name ‘yahooindia.com,’ and a permanent injunction was sought in this case. The case of Vinod Kaushik and others v. Madhvika Joshi and others (2012) is the other example in which the court held that according to Section 43 of the IT Act, 2000, accessing the e-mail accounts of the spouse and father-in-law without their consent is prohibited. In 2011, a decision was reached in this matter. All of these instances deal with the question of how cybercrime has evolved, with a focus on India.
CBI v. Arif Azim (Sony Sambandh Case) (2013)
In 2013, India had its first cybercrime conviction. It all started when Sony India Private Ltd, which owns the website www.sony-sambandh.com and targets Non-Resident Indians (NRI), filed a complaint. NRIs may use the service to transfer Sony items to friends and family in India after paying for them online.
The firm guarantees that the items will be delivered to the intended recipients. In May 2002, someone using the name Barbara Campa went onto the website and bought a Sony Color Television and cordless headphone. She provided her credit card information and asked for the items to be sent to Arif Azim in Noida. The credit card company cleared the payment, and the transaction was completed. The products were delivered to Arif Azim after the business completed the necessary due diligence and inspection processes.
The firm took digital photos of Arif Azim accepting the package at the time of delivery. The transaction was completed at that point, but after one and a half months, the credit card company told the firm that the purchase was illegal since the true owner had denied making it. The firm reported internet cheating to the Central Bureau of Investigation (CBI), which opened an investigation under Sections 418, 419, and 420 of the Indian Penal Code. Arif Azim was detained once the incident was examined. Arif Azim obtained the credit card number of an American national while working at a contact centre in Noida, which he abused on the company’s website, according to investigations.
In this one-of-a-kind cyber fraud case, the CBI retrieved the colour television and cordless headphone. The CBI had enough evidence to establish their case in this instance, therefore the accused acknowledged his guilt. Arif Azim was found guilty under Sections 418, 419, and 420 of the Indian Penal Code, marking it the first time that a cybercriminal has been found guilty. The Court, on the other hand, believed that because the accused was a young kid of 24 years old and a first-time offender, a compassionate approach was required. As a result, the Court sentenced the accused to a year of probation. The decision has enormous ramifications for the entire country. Apart from being the first cybercrime conviction, it has demonstrated that the Indian Penal Code may be effectively used for some types of cybercrime that are not covered under the Information Technology Act 2000.
Pune Citibank Mphasis Call Center Fraud (2005)
In 2005, $ 3,50,000 was fraudulently moved from four Citibank accounts in the United States to a few fake accounts over the internet. The workers won the clients’ trust and got their PINs under the idea that they would be able to assist them in dealing with tough situations. Instead of decoding encrypted software or breaching firewalls, they were looking for flaws in the MphasiS system.
According to the Court, the defendants, in this case, are MphasiS contact centre ex-employees. Every time an employee enters or exits, they are examined. As a result, the staff had the numbers memorized. SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, was used to transmit the money. Unauthorized access to the consumers’ electronic accounts was used to commit the crime. As a result, this case is classified as a “cybercrime.” The IT Act is wide enough to cover these types of crimes, and any IPC infarction involving the use of electronic documents can be prosecuted on the same level as crimes involving traditional materials.
Because of the kind of illegal access that is involved in committing transactions, the Court determined that Section 43(a) of the IT Act, 2000 is relevant. The defendants were additionally charged under Sections 66 of the Information Technology Act, 2000, as well as Sections 420, 465, 467, and 471 of the Indian Penal Code, 1860.
Nasscom v. Ajay Sood & Others (2005)
The National Association of Software and Service Companies (Nasscom), India’s largest software association, was the plaintiff in this lawsuit. The defendants ran a placement firm that specialized in headhunting and recruitment. The defendants prepared and sent emails to third parties in the name of Nasscom in order to collect personal data that they might utilize for headhunting reasons. According to the Court, the plaintiff’s trademark rights were recognized by the High Court of Delhi, which issued an ex-parte ad interim injunction prohibiting the defendants from using the trade name or any other name that is confusingly similar to Nasscom. The defendants were also barred from claiming to be affiliated with or a part of Nasscom.
During the process of search, the defendants, under whose names the illegal emails were sent, were revealed to be fake identities fabricated by an employee on the defendants’ orders in order to evade detection and legal action. The defendant was liable to pay damages to the plaintiff for violating his trademark rights.
This was the landmark case in which the Court declared that “phishing” on the internet is an illegal activity and entails injunction and recovery of damages.
Poona Auto Ancillaries Pvt. Ltd., Pune v. Punjab National Bank, HO New Delhi & Others (2013)
In 2013, Maharashtra’s IT secretary Rajesh Aggarwal ordered Punjab National Bank (PNB) to pay Rs 45 lakh to the complainant Manmohan Singh Matharu, MD of Pune-based business Poona Auto Ancillaries, in one of the biggest compensation awards in a judicial adjudication of a cybercrime case. After Matharu responded to a phishing email, a fraudster deposited Rs 80.10 lakh from his PNB account in Pune. Since he reacted to the phishing email, the complainant was requested to share the blame, but the bank was deemed responsible owing to a lack of appropriate security checks against fraud accounts created to deceive the Complainant.
State of Tamil Nadu v. Suhas Katti (2004)
The lawsuit stems from an obscene, defamatory, and harassing remark against a divorced lady that was posted on a Yahoo chat group. The accused also forwarded emails to the victim seeking information using a fake email account he created in the victim’s name. Due to the publishing of the message, the lady received a slew of unpleasant phone calls from people who thought she was soliciting.
The defendant paid the fine and was sent to Chennai’s Central Prison. This is the first case in India to be convicted under Section 67 of the Information Technology Act of 2000.
The IT Act and the Rules promulgated thereunder regulate the cyber law regime. When the IT Act is unable to provide for any specific sort of offence or if it does not include exhaustive provisions with regard to an offence, one may also turn to the provisions of the Indian Penal Code, 1860. However, the current cyber law system is still insufficient to cope with the wide range of cybercrimes that exist. With the country advancing towards the ‘Digital India’ movement, cybercrime is continuously developing, and new types of cybercrime are being added to the cyber law regime on a daily basis. So, there is a need to bring some amendments to the laws to reduce such crimes.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: