This article is written by Ms Sankalpita Pal, who is currently pursuing BBA.LL.B (Hons) from Symbiosis Law School, Pune. This article mainly deals with Cyber laws through the lens of National Security Concerns in India.
Table of Contents
Introduction
The boundaries of acceptable behaviour are ambiguous in Cyberspace. With rising cyber crimes, data privacy issues and protection of identity from online impersonation have become a serious concern. In fact with the advent of new technology, deception and disguise are not easy to spot, along with that financial resources are always on target. Therefore, a real point to ponder upon is that what all types of information should be considered as property on the network.
To put it simply, cyber crime consists of such types of illegal activities that require computer and internet as a medium to facilitate either contact or communication. Crime is, in fact, timeless and with the intervening cyberspace, it has got a new interface. While technology is being put to use in order to commit traditional crimes, there are also new types of crimes which are being facilitated. For example phishing schemes, cyberterrorism and mal-viruses are a few types of contributory presences which ultimately constitute grave crimes.
The new era’s growing dependence on computers and its networks has given way to cyber crimes. Especially, communication technologies give way to a lot of different types of cyber crimes. Cybersecurity, on the other hand, is the protection from cyber-threats. There are various ways in which data stored in hardware and software is protected from unauthorised access and malware attack. This will be further dealt with in the article.
Now the main issues regarding cybersecurity and unauthorized surveillance, themes which remained unprioritized and often went unnoticed until recently have started to attract the attention of the authorities. An increasing number of news reports have made it clear that our country needs to do justice to the victims of cyber crime more than ever.
The historical aspect of cyber crimes
It cannot be denied that the advent of the internet has indeed changed our lives radically. The Internet has become an effective mode of communication with a faster ability to exchange information. Just like every other crime, Cyber crimes have an eventful history.
The 1870s to early 1980s
If a broad perspective is taken while tracing the earliest signs of cyber crime, many have argued that the actual first occurrence cannot be determined. In fact, Frederick B. Cohen in his Protection and Security of the Information Superhighway (1992) stated that mechanical cryptography and information gathering is about 5000 years old in concept. Long back computer crimes actually involved either long-distance telephone network subversion or the physical damage of computer systems. Computers gained momentum between the 1970s to 1980s.
The earliest instances of superficial hacking can be traced back to the 1870s when telephones were used for deception through telephone phreaking (Hacking long-distance telephone networks illegally in order to make free telephone calls). The United States is where the internet originated and thus the US experienced the first-ever computer-facilitated crime in 1969. It must also be noted that the world’s first computer-specific law was enacted by Hesse (German state). The Data Protection Act, 1970 was enacted in order to regulate cyber technology.
Cyber pornography also evolved by the end of the 1970s. This cyber crime is not only a legal challenge for India but also several other countries across the world. The Inter Networking Working Group was founded in 1972 in order to regulate the standards of the Internet. In 1983 the first known computer ‘virus’ was created and experimented in a weekly seminar presented by author Len Adleman. In 1984 the UK enacted a couple of legislations governing cyber crimes and security.
The late 1980s to 1990s
One of the first instances of cybertheft took place when sensitive information possessed by the US air force and NASA were broken into and accessed by hackers. In the infamous case of R v. Thompson [(1984) 79 Cr App R 191], the accused, a computer programmer was an employee at a bank in Kuwait. Firstly, he defrauded the bank through a programme. As a result, there was an automatic transfer of money from existing accounts to the newly created accounts. After the transfer, the computer programmer fled to England from Kuwait in order to stay out of sight and suspicion and reduce the risks of detection. In his final step of the plan, he opened multiple accounts in English banks. Then he requested for transfer of the money from Kuwait bank accounts to the English Bank accounts. Finally, the court made him liable and he was convicted of computer fraud and deception.
In the case of R. v. Gold ([1988] 2 WLR 984), 2 alleged hackers were involved. They were journalists and had access to the computer network of British Telecom Prestel Gold and they modified data without proper authorisation.
Another significant case is the United States of America v. Jake Baker and Arthur Gonda [(1995) 890 F.Supp, 1375 (E.D. Mich)], the accused were found guilty of charges of threatening and kidnapping executed via objectionable materials. Since the whole incident was facilitated by electronic messages, this became one of the landmark cases.
India’s first brush with cyber crime was back in 1999 in the case of Yahoo, Inc v. Akash Arora [(1999) 19 PTC 229 (Delhi)]. Yahoo basically filed a suit seeking a permanent injunction in order to restrain the defendants and their partners, agents or servants utilising the domain name ‘Yahooindia.com’ while doing business. The Court specifically held that Yahoo! Trademark cannot be used by other businesses as it creates a deception for customers.
The Past Decade- since 2000
In the year 2000, the Indian Parliament finally passed a definite law to combat cyber crimes. The Information Technology Act (ITA), 2000 was enacted with the sole objective to provide a proper legal framework for commercial transactions taking place on cyberspace.
In Rediff Communications Ltd. V. Cyberbooth (AIR 2000 Bom 27), the Indian judiciary took proper note of the number of cases listing trademark breaches and reiterated the Yahoo! Judgment. It was realised that numerous issues must be cleared before solving cyber crimes. However, between 2004 to 2005, data breaches started to take place frequently having a negative impact on business. Cybercriminals started causing a huge amount of losses to businesses by stealing data or gaining unauthorised access to customer information. Some started doing it professionally along with the promotion of the same. Thus, most cyber crimes committed during this time period were for the purpose of luring money and also the rise of professional expertise.
Post-2004 International credit card fraud became the norm for cybercriminals and this technique was known as “carding”. In fact, the US Secret Service’s Operation Firewall was conducted and it became one of the most successful investigations ever conducted.
In 2010, a massive cyberattack took place known as ‘“Operation Aurora”’. Search engine giant Google along with major organizations like Yahoo, Adobe Systems and Symantec were under attack. The recent instances of cyberattacks will be discussed in the latter part of this article.
Cyber laws in India
It was important to understand the historical backdrop against which the India Government was persuaded to enact the Information Technology Act, 2000.
The main objectives of the Act are provided under its preface itself. They are:
- to provide necessary legal recognition for electronic commercial transactions which are carried via electronic data interchange. Such transactions involve the use of electronic storage facilities as an alternative to the paper-based document storage system.
- to facilitate the electronic filing of documents even with the Government agencies and in the court of law.
- to amend the existing criminal as well as a few specific legislation in India. For example the IT Act, 2000 amended the Indian Penal Code, the Bankers’ Books Evidence Act, 1891, the Indian Evidence Act, 1872 and the Reserve Bank of India Act, 1934.
The IT Act essentially emphasizes on the following areas:
- Legal Recognition of Electronic Documents
- Justice Dispensation Systems for cyber crimes
- Legal Recognition of Digital Signatures
- Offences and Contraventions
It is rather interesting to note that the collective term of ‘Cyber Crime’ has not been provided with any concrete definition under the Information Technology Act 2000. Even after the amendments, this point was missed.
Section 66 is one of the most important sections under this Act as it deals with Computer-related offences. The offence of hacking is stated under Section 66. Data theft which is another concern is dealt with under Section 43. This section makes the act of data theft punishable offence if it is done dishonestly or fraudulently and awards imprisonment up to 3 years or a fine of 5 lakh rupees or even both.
Offences under Section 66 of ITA, 2000
- Section 66A was struck down as unconstitutional in 2015 which will be discussed briefly later on under the Shreya Singhal case.
- Section 66B deals with offences where stolen computer resources or communication devices received dishonestly. Such an offence is awarded with punishment for up to 3 years or a fine of 1 lakh rupees.
- Section 66C– identity theft was dealt with under this section. Identity theft can be committed through electronic signature. Using someone else’s password is also categorised as identity theft. Under this section also punishment is imprisonment up to 3 years or one lakh rupees fine is applicable or both.
- Section 66D, impersonation is a form of cheating and this section deals with the same. If someone wrongfully and deceptively utilises electronic communication devices or any other computer resource to cheat by personation is punishable up to 3 years of imprisonment or liable to pay a fine of 1 lakh rupees.
- Section 66E Privacy violation – Publishing or transmitting the private area of any person without his or her consent etc. Punishment is three years imprisonment or two lakh rupees fine or both.
- Section 66F deals with Cyber terrorism which is one of the greatest concerns with regard to national security. The Indian armed forces and other major government organisations are always under threat of cyberattack. This section includes the implications of criminal intention by stating phrases like ‘Intent to threaten’. This section also specifies that unity, integrity, security or sovereignty of the nation are of primary importance and that any unauthorised access to the same must be prohibited.
In fact, this section provides a wide interpretation as this kind of access is punishable. Even denying rightful access to the computer resource by any authorised person is also treated as an offence under Section 66F. Computer Viruses like Trojan horse come under the ambit of this section. Punishment for the offence of cyber terrorism is life imprisonment.
It is to be noted that all offences under Section 66 are cognizable and non-bailable offences. As discussed above, intention or the complete knowledge to cause wrongful loss to others is dealt with under Section 66F. Mens Rea or criminal intention to cause destruction, deletion, diminishing or alteration in the value of data makes this section one of the most important under Section 66. In order to summarise this part of the article, it can be said that civil liabilities and supposed compensations and damages under Section 43, have been referred to under this section.
Section 67 and 67A of ITA, 2000
Section 67 prevents the publishing of or transmitting obscene images or materials in electronic form. The scope of Section 67 was widened under the amendments under the Information Technology (Amendment) Act, 2008. This section made child pornography illegal and also the retention of records by intermediaries was all included.
Section 67A includes the prevention of publishing or transmitting sexually explicit material in any electronic form. There is a specific implication under this section with regards to the penalties under it. When the contents of Section 67 is combined with that of Section 67A then only the penalties under this section can be attracted. Child Pornography is exclusively dealt with under Section 67B.
Legislations amended by ITA, 2000
The IT Act has amended a number of legislations. As for IPC the ITA 2000 has amended several sections in order to keep its own relevance free of intervening legal provisions from other legislations. Various Sections 192, 204, 463, 464, 471, 476 etc were amended.
Most of these sections deal with records and documents in the IPC. and in order to bring in electronic documents under the law, the IT Act simply inserted the word ‘electronic’. Thus, as a result of that electronic records and documents came at par with physical records. This way even an electronic false entry or document will be tried in court in the same way a physical false document would have been.
The Indian Evidence Act 1872, is another legislation amended by the ITA. Before 2000 all pieces of evidence in a court were only in the physical form. However, with the passing of the ITA, 2000 electronic records and documents have received the due recognition which otherwise were difficult to deal with owing to lack of laws before 2000. It was a general deduction that the evidentiary legislation was amended in order to emphasize the relevance of the IT Act. Another important part is the admissibility of electronic evidence in the court of law. When electronic records were declared to be treated as pieces of evidence, as enshrined under Section 65B of the Indian Evidence Act, many held up cases found a way to make it out of litigation. This elaborate section is considered to be a landmark piece of legislation. Electronic evidence has revolutionised the factum of acceptability of the types of evidence under any court of law.
The Bankers’ Books Evidence (BBE) Act 1891 was also amended by the ITA, 2000. Prior to the passing of the ITA, a bank was supposed to produce the original ledger. An original ledger is basically a physical ledger which can be produced before the court as evidence. However, after the enactment of ITA, 2000, the definition of “bankers’ books” include ledgers, day-books, cashbooks, account-books etc that can now be stored electronically. If computer resources are used to prepare the ledger then also it can be considered as evidence.
How effective have these laws been?
The effectiveness of cyber laws is debatable. Even though the parliament has tried to provide a proper legal framework to regulate and set the standard of user information that can be circumvented within cyberspace. In fact, the Parliament’s effort is commendable as it even amended a lot of legislation in order to fit the purpose of the IT act. In spite of all the positive aspects of the novel legislation, there are a few remaining grey areas which intervene with the effectiveness of the Cyber laws in India.
The lack of major initiatives taken on common repositories of pieces of electronic evidence is posing a problem
If original evidence were transformed into electronic pieces of evidence then they could have been stored by a trusted third party who would produce the same information contained in the discs and software in case of a dispute, then the original device could be returned to the owner who can still use it at will. Third-party software like ‘EnCase’ and the Indian ‘C-DAC’ will help in preserving the original version along with a date stamp. Thus, written documents won’t have to be maintained unnecessarily.
Inadequate coverage of many emerging cyber issues
One of the reasons as to why Indian cyber laws are failing at the forefront is due to the non-coverage of many types of emerging cyber crimes. India has only one legislation which still has a limited scope of applicability due to its narrow ambit. Hence, many issues remain outside the ambit of the Act. thus, giving way for its unprecedented growth. Many significant cyber crimes like spam emails, data privacy breaches, cybersquatting with the intention to extort money, copyright infringements and ISP’s accountability towards it hasn’t received adequate coverage as of now.
Weak implementation of cyber laws
Shri Pavan Duggal, Supreme Court advocate and cyber expert has stated a significant point. Even though the lawmakers must be complimented for their commendable effort on trying to remove the lacuna in cyber laws, unless and until the laws are made more technologically neutral and have a more strict application over crimes under its ambit, the purpose of the IT Act will remain defeated. It has been observed that the present legislation is soft on cybercriminals. This means that such legislation will always remain ineffective. The quantum of punishment must be revised.
The extremely low Conviction rate for cyber crimes
The conviction rate is an important indication of the applicability of any law. A vast number of legislations will not solve the problem of weak implementation of laws. However, an impactful conviction rate will show the effectiveness of the cyber laws in India. A low conviction rate contributes to the present ineffectiveness of the cyber laws in India. The certainty of punishment is more important than the severity of a punishment that will portray the deterrent value of the current legislation.
Recent instances of cyber attack and criticism raised
One of the first cases of conviction under Section 67 of the Information Technology Act, 2000 in India took place in 2004. In the 2004 case State of Tamil Nadu v. Suhas Katti [(2004) Cr. Comp 4680], defamatory, obscene and repetitive messages were posted on a yahoo messaging group. The victim used to receive annoying phone calls over and over again thus resulting in her mental distress. Over the years a number of such cases of cyberstalking and abuse of women (especially) have been reported.
In 2016, Juniper Research conducted a thorough study on the estimated cost involved in committing cyber crimes. The research revealed that such a cost could possibly be as high as 2.1 trillion by the end of the decade. Till date, massive data breaches still take place even with the hacking of biometric information.
In 2015 Section 66A of the IT Act, 2000 came under the spotlight through the case of Shreya Singhal v. Union of India (AIR 2015 SC 1523). In this case, a PIL writ petition was filed under Article 32 of the Indian Constitution. The petition sought the striking down of Section 66A as it was argued to be unconstitutional. The pith of the arguments is that Section 66A of ITA, 2000 is wide, vague and ambiguous thus making its scope incapable of judgment on objective standards. Due to such a vague interpretation of this Section, it can easily be subjected to wanton abuse.
Notable cyberattacks in the recent past
- July 2016- UNION BANK OF INDIA HEIST
Union Bank of India lost about $171 million in June 2016 when a phishing email was sent to a bank employee. The hackers were able to access the credentials for the execution of a fund transfer. However, they weren’t successful in swindling the money as prompt action was taken and most of the money was recovered in time.
- May 2017- WANNACRY RANSOMWARE
This was a significantly big cyberattack as thousands of computers were completely shut down by hackers who were seeking ransom in return for restoration. West Bengal State utilities and the Andhra Pradesh police data store were impacted the most due to this attack.
- May 2017- DATA THEFT AT ZOMATO
Zomato is a food tech company, their internal customer data storage system was hacked by an ‘ethical’ hacker. Sensitive data like consumer names, email IDs, even passwords were hacked. The Hacker possessed the data of about 17 million app users. His demand was that the company must realize its data security vulnerabilities on cyberspace and put it up for sale on the Dark Web.
- June 2017- PETYA RANSOMWARE
The Petya ransomware attack was a large-scale one as it impacted nations all across the world. In India, the main impact of the ransomware was a Danish firm named AP Moller-Maersk and Mumbai’s Jawaharlal Nehru Port Trust.
- September 2019- ZYNGA
In this cyber attack, about 218 million accounts were impacted. Zynga (Farmville creator) is one of the biggest market players for gaming. In 2019, Pakistani hacker Gnosticplayers hacked Zynga’s database. Later on, the company confirmed that SHA-1 hashed passwords, emails, phone numbers, user IDs and other user info was stolen from Zynga and Facebook.
National security concerns and general challenges
- Cybersecurity is an important concern from the national security perspective as well. In fact, Information Communication in cyberspace and technology have brought up new kinds of concerns with regard to national security. There is no room for doubt for the fact that cyberspace is providing new platforms and opportunities like never before and has, in fact, revolutionised our lives. However, at the same time, it also poses challenges to national security.
- Now that governments all around the world have a necessary cyber platform to receive and spread information regarding their schemes, welfare activities and reports; not only that, even sensitive information is stored on cyberspace; hackers and cyber terrorists can access such information easily and harm innocent citizens.
- Any information on cyberspace is relatively more accessible than information stored as a hardcopy. Data privacy is an emerging issue nowadays along with cyber warfare, cyber terrorism etc. Hacktivism is also a new type of threat which is done in the name of political issues. However, the real purpose behind it is to cause political destabilisation.
- Another national security concern is cyber espionage, for example, Estonia 2007. Even in India such privacy breaches keep happening thus posing a huge threat to the country’s cyber as well as national security. On a more individual level, a lot of women and men are victims of cyberstalking and teenagers that of cyberbullying.
- Various national projects such as the National Critical Information Infrastructure Protection Centre (NCIPC) & National Cyber Coordination Centre (NCCC) are yet to materialize. In December 2019 a thorough report on Kudankulam Cyberattack revealed that critical infrastructure such as power plants, financial institutions, power grids etc. needs to be protected from cyber-attacks.
- The Indian defence sector receives threats which are politically motivated either from outsiders who steal sensitive information or by criminals trading their own country. The Indian Navy was exposed to a cyberattack named “Pubby” back in 2012. After these attacks, it was also predicted that even the National Security Agency and the Indian Air Force may be targeted in the future. The Indian Navy never really revealed what kind of information was targeted in Pubby 2012.
Now there are a few general challenges with regard to cyberspace and security as also admitted in the NITI Aayog report.
- Inherent vulnerabilities of Cyberspace till date have not been removed. Also, it is a pretty acceptable possibility that such vulnerabilities will never be removed. Cyberspace is an open platform thus there is no doubt that any and every information out there will have the potential to suffer breach or theft.
- There are umpteen number of entry points to cyber portals. Thus, no matter what is the level of the protection there will always be a way to access sensitive information.
- The Internet makes the misdirection of attribution assigned to other parties much easier than before.
- Computer Network Defense techniques, tactics and practices largely protect individual systems and networks rather than critical operations (missions).
- One of the most important developments is that methods of cyberattacks have evolved massively as compared to the slow-paced development of defence technology. Cybersecurity modules must update themselves in order to keep pace with the new methods of attack technology.
- Various Nations, States, outsider organizations with ill motives as well as individuals at peer level are perfectly capable of waging attacks of internal government software on cyberspace.
Conclusion
Society today is dependent upon technology. Thus, crime committed via an electronic medium is bound to increase. After weighing the pros and cons of the cyber laws and the cyberspace it is abundantly clear that the IT Act still has a long way to go and requires a number of amendments. While some problems will perennially exist due to the fact that cyberspace is relatively open and some level of vulnerability will always be involved and cannot be cancelled out completely. Thus, the ethical use of cyberspace is encouraged. The endeavour of legal machinery must be in accordance with the changing times and must fulfil the expectations. In order to check the crimes rate, the conviction rate needs to be increased.
Hence, it is only through the persistent efforts of lawmakers to ensure that governing laws of technology will keep pace with the ongoing trends and emerging cyber crimes.
References
- M.E. Kabay, A Brief History of Computer Crime, (2008)
- United Nations Manual on the Prevention and Control of Computer-Related Crime (1994)
- Rohit K. Gupta, India: An Overview Of Cyber Laws vs. Cyber Crimes: In Indian Perspective (2013)
- Dr V.K. Saraswat (Member), NITI Aayog Report on Cyber Security
- Sushma Devi Parmar, Cybersecurity in India: An Evolving Concern for National Security (Central University of Gujarat)
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: