This article is written by Debargha Chatterjee who is pursuing a Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.
ID Theft or Identity Theft is recognized as a matter of worldwide concern. With the revolution of technology, and with globalization and digital adaptation currently prevailing across all fields, technology has been influencing the mindset of people quite rapidly. The importance of Information Technology has gradually reached newer heights, having positive and negative effects. Identity Theft has been a growing concern in the recent past, owing to the development and revolution of Information Technology in India.
In this article, the author tries to analyze the various forms of ID theft in India and the present legal framework that exists to combat and counter them.
What is “ID Theft”?
“ID Theft” or ‘identity theft’ mainly refers to the crimes that take place wherein a person wrongfully obtains and uses another person’s data. These may include the theft of name, date of birth, unique identification number, bank account number, credit/debit card number, phone number, and so forth, in some way that involves any fraudulent activity or deception.
This can be done, technically, for economic gain to obtain any kind of goods and services. Criminals may also use such data to fraudulently obtain fake identification cards, bank accounts, birth certificates, and important documents.
Even fingerprints can be used as a weapon of identity theft. A lot of personal data via any fake biometric device can cause a breach of personal data. If a person’s fingerprints fall into the wrong hands, it might allow the criminals to make profits in the former’s name which has been used.
Incidentally, most victims hardly realize that such a breach of personal data has even been done, and by the time the realization arrives, it might even be too late to recover from such an incident.
Recovery from such Identity Thefts is a long process that takes months and years, and yet, the success rate is very low.
Modes of identity thefts
There are various techniques through which data theft could be committed and personal information could be procured through electronic devices. These are as follows –
The persons known as hackers unscrupulously break into the information contained in any other computer system. Section 66 deals with the offense of unauthorized access to the computer resource and defines it as “Whoever with the purpose or intention to cause any loss, damage or to destroy, delete or to alter any information that resides in a public or any person’s computer.
Diminish its utility, values or affects it injuriously by any means, commits hacking.” The offense of hacking is a violation of one’s fundamental right to privacy as provided by the Constitution of India.
It is a method wherein viruses or worms like malware divert information from another computer system by decrypting it to the hacker who after obtaining the information either use it themselves or give it to others to commit fraud using such information.
It uses fake email-ids or messages containing viruses-affected websites. These infected websites urge people to enter their personal information such as login information, account information.
The spoofed e-mail is one that shows its origin to be different from where it actually originated. In SMS spoofing, the offender steals the identity of another person in the form of a phone number and sending SMS via the internet and the receiver gets the SMS from the mobile number of the victim.
Cybercriminals make unauthorized use of ATM debit and credit cards to withdraw money from the bank accounts of the individual.
The cyber-criminal calls the victim by posing to be a bank representative or call center employee, thereby fooling them to disclose crucial information about their identity.
It is a form of online fraud involving malicious code and fraudulent websites, through which cybercriminals install malicious codes on a computer server. These codes automatically direct the user to fraudulent websites without the knowledge or consent of the user. These websites look similar to that of the original website, wherein the users may not even realize the fraudulent activity while submitting personal data and information, as well as their financial data.
Malware refers to the intrusive software that is designed to damage or destroy computer systems and their existing data, to gain unauthorized access to a network. These are malicious software variants, including viruses, ransomware, and spyware. Malware is typically delivered in the form of a link or file over email and requires the user to click on the link or open the file to execute the malware.
Most victims aren’t aware of the possible signs that act as indicators of an identity threat taking place. These indicators are as follows –
Warning/Notice from bank/service provider;
Unauthorized statement of card purchases;
Randomly receiving of One Time Password (OTP) from unknown websites;
Verification calls from bank or service provider;
Small amounts being debited from bank account at frequent or regular intervals.
Cybercriminals make use of unsecured websites to gain access to the user’s personal and financial information. Users are influenced to access these websites and fill in their details which are then received by the cyber attackers or hackers. Websites having the domain name “HTTPS” are considered secured, whereas, websites with the domain name “HTTP” are considered unsecured websites.
Identity theft in the modern era
In the modern age of computerization, globalization, and the internet world, our computers and electronic devices collect a lot of information about every human being and stores them in files secreted deep on its hard drive. Storage of sensitive information such as login IDs and passwords, names, addresses, and even credit card numbers, occur using files like cache, browser history, and other temporary internet files.
Using such sensitive information, a hacker can access this data by wrongful means and can share the same with someone else or can even install some nasty software on the computer and electronic device to extract sensitive and secretive information.
Identity theft possesses a very serious problem for everyone in this age of digitalization. It is a serious crime, increasing at a tremendous rate, causing damage to consumers financially, leading institutions retail establishments, and the economy as a whole. The reality is more complex with electronic identity fraud expanding the range of forms. It is not necessary that such fraud may only impact financially, but it may also cause intense damage to the reputation, time spent dealing with disinformation, and exclusion from particular services since the stolen name has been used improperly.
Time has come in order to consider that electronic networks work as an enabler for identity theft, where the thief intends to gain information online for acting offline, and for the basis of theft or other injuries which shall be caused online.
Identity theft has become the crime of the century – the latest and most horrendous of a string of appalling white-collar crimes. Everyone is unsafe with more and more data fraud cases coloring the headlines by the end of the day.
There has been a rapid increase in data fraud and identity theft cases in developing economies like India, too. Although the Government of India is reluctant enough not to release any data on the number of cases related to identity theft that has taken place in the recent past, it may be assumed with the regular writings in the newspaper columns how dangerous and frequent these identity thefts are occurring in the course of our day-to-day life.
The pandemic effect of identity theft in India
According to the 2021 Norton Cyber Safety Insights Report, the cyber safety major surveyed more than 10,000 adults in 10 countries for the results, among which 1000 adults from India submitted their respective responses. The report indicates that, of 1000 respondents in the country, 36% of Indian adults detected unauthorized access to an account or device in the past 12 months.
Every 2 out of 5 Indians experienced identity theft. 14% of the victims were impacted during the past year alone, which indicates that almost 27 million Indian adults experienced identity theft in the past 12 months, as per the reports. The reports also indicate that almost 60% of the entire population of adults and from the older generation have a fear of their identity being stolen.
Almost 65% of the population of adults feel that they are well protected against the occurrence of any kind of identity theft, whereas, many have no idea about what to do in case of identity theft. The major percent who are unaware of the facts of identity theft wish to have more information on such incidents so that they can prepare themselves accordingly.
A major reason for the frequent and astonishingly high rise in the cases of identity theft in India is regarded as the remote working caused by the pandemic. It has been revealed by studies that almost 7 out of 10 Indian adults have been affected by various cybercriminals and hackers due to the remote working feature that the victims had to adapt to, owing to the circumstances.
Despite such vulnerability concerning remote working, according to reports, only 36% of the total population of adults have purchased security software or increased pre-existing security software after facing unauthorized access to their account or device.
Legal analysis of identity theft in India
“Identity” is the proof of one’s existence, whereas, “theft” is the unlawful possession without ownership or the consent of the entitled person. Thus, identity theft is when an individual possesses another’s existence without the consent or ownership of that person. In simple words, identity is stolen when a person happens to duplicate or impersonate another person who he is not.
The Black Law’s Dictionary states identity theft as the unlawful taking and use of another person’s identifying data for fraudulent purposes. Identity theft is a very broad term and expands to a considerable number of offenses from misrepresentation to forgery, whilst some are considered to be traditional crimes, and the others, such as ATM skimming, phishing, etc., fall under the broader aspect of identity theft.
According to the Indian Law, identity theft is considered to be punishable under two legislations, namely, the Indian Penal Code (IPC), 1860, and Information Technology Act (IT Act), 2000. As an offense, identity theft was recognized after the amendment of the Indian Penal Code by the Information Technology Act, 2000.
These amended provisions mainly deal with electronic records to be specific. The electronic record, according to the IPC, 1860, is similar to the definition as stated in the IT Act, 2000, which implies electronic record as, “data, record, or data generated, image, the sound which is sent or received through any electronic form.
Focussing on the provisions related to the offense of Identity Theft, ‘theft’, under Section 378 of the IPC, 1860, may not cover identity theft since it only extends to the movable, tangible, property, and does not include cyberspace. No specific section in the Indian Penal Code, 1860, mentions “identity theft”, but Sections 463, 464, 465, 469, and 474 of IPC, 1860, provided the provisions for penalizing forgery, and after the amendment of IPC, 1860, identity theft has also been included under the scope of these provisions. Section 419 and 420 of the IPC interpret identity theft as cheating and is equally punishable since it is cheating by impersonation.
Indian Penal Code, 1860, beats around the bush to criminalize identity theft and adds it as an extended forgery or cheating. The term ‘identity theft’ was added into the Information Technology Act, 2000, after its amendment in 2008. It took some time to realize the necessity of offense-specific laws, under Section 66C of the IT Act, 2000, which protects the fraudulent and dishonest use of any identification feature of any person.
Implementing and executing these laws is another big problem that justice faces. There is no personnel to cope up with the constantly updating cybercrimes in India. Also, there is a lack of awareness of these serious cyber-crimes which feeds into the rise in the number of cases of identity theft. National Cyber Security Policy (NCSP), 2013, focuses on the creation of a national nodal agency as well as proper and strict certification policy, yet, lacks in many areas.
Presently, under the IT Act, 2000, there is only one type of certification policy namely ISO027001 ISMS certification, which does not satisfy the legitimacy of such certification and NCSP does not plan to introduce more certification policies. The NCSP, 2013, also encourages compliance with the open standards and public key infrastructure, without the provision of a basic definition.
Also, the policy aims at a human resource of building a team of around 5 lakh personnel in the upcoming five years, which falls short in reality. Overall, the National Cyber Security Policy, 2013, turned out to be more of a superficial plan and distant from the basic reality.
Thus, it can be said that these laws seem to be sufficient in order to be able to tackle the offense of identity theft, however, the growing number of reported cyber outbreaks raise several questions on the existing legislation.
Laws protecting identity theft
Considering the long list of the forms of Identity Theft, let us choose the top two of its ways, i.e., ATM Skimming and Phishing.
ATM skimming –
Understanding ATM skimming –
The idea of “cash anywhere, anytime” has encouraged the setup of machines that would allow easy withdrawal of cash by authorized account holders. Sooner rather than later, automated teller machines (ATMs) became the primary and much-needed facility that has been provided by the banks to their respective customers. ATM frauds have been conducted in various forms for years now, by way of, placing keypad overlays, hacking of the cameras placed in the cabins, to the installation of cameras in the machine itself.
Among all of these, skimming has become a much more advance and concerning the form of financial fraud. Identity theft is considered as the initial point as it webs out to other forms of offenses, and thus, a whole chain of events can cause financial losses.
The definition of ATM skimming has not been specifically provided but ATM “Skimming” is considered to be an illegal activity that involves the installing of a device, that is usually undetectable by ATM users, and which secretly records bank account data when the user inserts an ATM card into the particular machine.
Using such a comprehensive method, the criminals can be able to encode the stolen data onto a blank ATM card and use it to steal money from the account holder’s bank account.
Considering the level of crime such as ATM skimming, the aptness of legislation and accountability for such high-end sinister crime is an angle that needs to be countered while exploring the realm of such offense.
The only provision of the legislation that, to some extent can cope up with crimes related to ATM skimming is the Information Technology Act, 2000, along with the Information Technology (Amendment) Act, 2008.
As stated by the court in the case of Commissioner Of Income Tax-III v/s. M/S NCR Corporation Pvt Ltd., ATMs fall under the jurisdiction of cyber penal laws since any computer system is an integral part of an ATM machine, and based on information processed by such computer system in the respective ATM machine, the mechanical function of the cash dispensation or cash deposit is processed. Therefore, ATMs can be considered as computers within the purview of the Information Technology Act, 2000.
Legal framework –
With only handful of acts that exist to govern cyber law in India, there are a very limited number of provisions that comply and apply to cybercrimes like ATM skimming. Provisions that deal with the crime of ATM skimming under the Information Technology Act, 2000, are Sections 43 & 66. Adding to these two, Sections 43A, 66C, 66D have been added after the amendment of the Information Technology Act, 2008, along with other provisions such as Section 420 of the Indian Penal Code.
Section 43 of the Information Technology Act, 2000, provides the civil liability of a third party, wherein any person, without the permission of the owner or the person in charge of access, downloads, copies, contaminates virus, damages, disrupts, or causes interruption, denies access, provides access to any unauthorized person in accordance to the act, and charges the services availed of by any person to the account of another.
These clauses under Section 43 are accustomed to Section 63 to Section 74 of the IT Act, 2000. It must be noted that clauses (i) and (j) happen to deal with more serious crimes related to tampering of computer source code, alteration, damage, or destroying of any information residing in the computer resource. However, Section 43 only lays down the provisions with the liability of a third party instead of a data processor or data controller.
Attempts have been made in the recent Personal Data Protection Bill, 2019, to include damage and the standard on which such fraudsters can be held liable. Although the Personal Data Protection Bill, 2019, does not specifically define damage or injury, however, it explains “harm” which expressively includes the situation causing bodily or mental injury, loss, distortion, identity theft, and financial loss or loss of property, further identifying the standard on which such criminals can be penalized which are more inclusive of the crucial aspects of ATM skimming.
The shortcomings on data protection and the liability of a corporate body can be comprehensibly marked in Section 43A of the Information Technology (Amendment) Act, 2008, wherein, a body corporate possessing, dealing or handling any ‘sensitive personal data’ is negligent in implementing or maintaining ‘reasonable security practices and procedure’, which further causes any wrongful loss or wrongful gain, and shall be liable to pay compensation to the aggrieved person.
Reasonable security practices and procedures as stated in the explanation may arise by way of agreement, through any law in force or as prescribed by the central government in consonance to expert advice as it may deem fit, and such explanation shall provide a brief outline of what can be constituted as a reasonable practice and procedure rather than that what provides a comprehensive meaning to it.
Subsequently, a wide power and discretion have been given to the central government for providing a suitable meaning to sensitive personal data as well as personal data which is yet to be classified in the Act. However, an effort has been made in the Personal Data Protection Bill, 2019, to give meaning to ‘personal data’ and ‘sensitive personal data’ while omitting Section 43A completely, and further, fragmenting the liability of body corporate into the liability of data processor and data fiduciary.
According to the Personal Data Protection Bill, 2019, personal data includes traits, characteristics, attributes, or any other information of a natural person about the identity of such person whether online or offline also may include any data or information from which an inference can be drawn for profiling.
A more comprehensive approach has been taken while defining sensitive personal data, which not only includes biometric, financial, health, sex life, caste or tribe but also inscribes transgender status, intersex status, and sexual orientation.
Referring to what can be considered as personal data or sensitive personal data, the Personal Data Protection Bill, 2019, also provides an explanation, wherein it states that if disclosure of such data causes significant harm, or, if there is an expectation of confidentiality, such can be classified and sanctioned as sensitive personal data by the authority under the Personal Data Protection Bill, 2019.
This definition incorporates the loss of personal information through ATM skimming and the subsequent financial loss as sensitive personal data. Yet, there is still room left in terms of the categorization of sensitive data and penalty to be imposed based on the seriousness of the loss occurring due to the negligence and inadequate security by such data processors or data fiduciary.
ATM skimming, as criminal liability, is covered concerning other offenses under Section 66 of the Information Technology Act, 2000, which explains that any offense covered under Section 43 shall be punishable with imprisonment for a term of 3 years or with a fine which may extend to five lakh rupees or both.
On the other hand, Section 66C and 66D deal with the punishment for identity theft and cheating by impersonation by using computer resources. These available provisions are still to include ATM skimming or skimming in general as a specific offense.
In the case of Vidyawanti v/s. State Bank of India, a revision petition was submitted by the petitioner to the National Consumer Disputes Redressal Commission, New Delhi. In this case, after a failed transaction at the ATM of State Bank of India installed at Nehru Place, Karnal, several unauthorized transactions took place at the ATM through the account of the complainant.
On the same day, the complainant wrote a letter to the State Bank of Patiala seeking a refund of Rs. 40,000 wrongfully withdrawn from her account. However, the respondents failed to oblige. This led to the filing of the consumer complaint by the aggrieved party. It was held by the court that, from the shreds of evidence shown to the Hon’ble Court, it was clear that a third party had manipulated the ATM machine which had further resulted in unauthorized transactions.
Since the money had been wrongfully withdrawn from the account of the complainant, the body corporate who was in such banking business, earned a profit out of it and was liable to make good of the loss incurred to the aggrieved party.
This case clearly defined the scope of the bank’s liability about the manipulation of such ATMs as the burden of responsibility would be on the banks to make sure that the ATM machines were not altered and ensured compliance with the standard of security.
What is “Phishing”?
Phishing, as per the Oxford Dictionary, is termed as the fraudulent practice of sending e-mails disguised as reputed companies to induce individuals to reveal important personal information such as passwords and credit card numbers, and so forth.
Phishing is a form of identity theft that aims to steal sensitive information such as online banking passwords, credit or debit card numbers, and such relatable information from the users.
It is considered to be a kind of activity that is used to trick people into giving up their financial identity such as, bank account details, pan card numbers, account passwords, etc., over the Internet, or by e-mail, or by other means, and hence, using such sensitive information for fraudulent activities in order to dupe money from the users.
The Indian judiciary system has interpreted “phishing” in the case of the National Association of Software and Service Companies v/s. Ajay Sood. It was held by the court that, ‘Phishing’ is a form of internet fraud.
In the case of phishing, a person pretending to have a legitimate association, such as a bank or an insurance company, in order to extract personal data from a user, such as, access codes, passwords, etc. which are further used for his advantage, and misrepresents on the identity of the legitimate party.
Generally, phishing scams involve persons who pretend to be representing online banks and siphon cash from e-banking accounts after conning the consumers into handing over such confidential banking details.
Although phishing is not a new threat the constant increase in the quality of the attacks makes it even more unpredictable. The introduction of new channels of distribution, like instant messaging and social networks posing newer threats and detection of phishing, becomes furthermore difficult.
Vishing, or also called ‘voice phishing’ has become the most recent development in this field. Vishing attacks are perpetrated through a phone call. Similarly, ‘Smishing’ is a new technique that is being used to phish through SMS.
Subsequently, ‘Pharming’ is the newest method of phishing wherein the attacker redirects the victim to a malicious website of their choice. This is done through the conversion of an alphabetical URL into a numerical IP address to locate and direct the visitors to the malicious website.
From the legal point of view, in India, under the Information Technology Act, 2000, phishing is considered to be punishable since it involves fraudulently acquiring sensitive information through disguising a site as a trusted entity. Some provisions are applicable on phishing, for example, Sections 66, 66A, and 66D of the Information Technology Act, 2000, and Section 420, 379, 468, and 471 of the India Penal Code, 1860.
The repealed clause (c) of Section 66A of the IT Act states that such an act is punishable if any person, using any computer resource, communication device, or any electronic mail sends a message for causing annoyance, inconvenience, to deceive or to mislead the addressee or the recipient about the origin of such message.
In this section, the act of phishing could have been included under clause (c) since phishing is an act of deceiving and misleading the receiver of the mail or SMS or any other electronic form, but this section was later omitted in the year 2015 since it went against the freedom of speech and expression under the Article 19(2) of the Constitution of India.
However, Section 66D of the Information Technology Act, 2000, penalizes cheating by impersonation utilizing any communication device or computer resource with imprisonment as described for a term which may extend to three years, and shall also be liable to a fine which may extend to one lakh rupees.
However, this section does not mention the word ‘phishing’, yet it is still inclusive of ‘Phishing’ and the extended forms, since, in phishing, there is an impersonation for the purpose of cheating or duping people to extract data or money.
While there is a rise in the number of phishing cases, yet there is no such mechanism or authority placed in order to take cognizance of these matters. The only possible way for the victims of phishing to find a remedy is to report at the police station where the crime has been committed.
Due to the lack of technology, the Indian police department is not well-equipped to solve these identity theft-related crimes. For the police department to be able to take stern actions, it is necessarily required to have a cyber-cell, or cyber-crime branch, at each district if not at every police station.
Even in the recently released National Cyber Security Policy, 2013, there are only mere suggestions, with no actual method being formulated to reduce the increasing number of identity frauds.
Case References of identity theft
Let us now study the different landmark cases concerning the various sections under the Information Technology Act, 2000.
Section 43 – Penalty and compensation for damage to a computer, computer system, etc.
In this case, four call center employees who were working at an outsourcing facility operated by “Mphasis” in India, gathered PIN codes from four customers of Mphasis’ client, The Citi Group. These suspected employees were not authorized to obtain such PIN codes. In association with others, the employees opened new accounts at Indian banks using false identities.
Within two months, they used the PIN codes and other account information obtained during their employment at Mphasis to transfer money from the respective bank accounts of The Citi Group customers to the newly created bank accounts at the Indian banks.It was by April 2005 that the Indian police had tipped off to the scam by a bank from the United States, and had quickly identified the individuals involved in the scam.
The accused were arrested when they attempted to withdraw cash from the falsified accounts; approximately $426,000 was stolen; the amount that could be recovered was $230,000. It was held by the Court that Section 43(a) was applicable here due to the nature of unauthorized access involved in committing such transactions.
Section 65 – Tampering with computer source documents.
This case relates to the Tata Indicom employees who were arrested for the manipulation of the electronic 32-bit number, known as ESN, that is programmed into the cell phones which had been stolen exclusively franchised to the Reliance Infocomm. It was held by the Court that such tampering with the source code invoked Section 65 of the Information Technology Act, 2000.
Section 66 – Computer related offences.
In this case, the accused obtained unauthorized access to the Joint Academic Network (JANET) and hence, deleted, added extra files and changed the passwords to deny access to the authorized users of the organization. Upon investigation, it had come to light that, Kumar, the accused, was logging in to the BSNL broadband Internet connection pretending to be the authorized genuine user and ‘altered the computer database of broadband Internet user accounts’ of the subscribers.
The CBI had to register a cyber-crime case against Kumar and carried out investigations based on a complaint raised by the Press Information Bureau, Chennai, which further detected the unauthorized misuse of broadband Internet.
The complaint had also stated that the subscribers had incurred a loss of Rs. 38,248/- due to Kumar’s such wrongful act. It was found that he used to ‘hack’ sites from Bangalore, Chennai, and other cities too, the Press Information Bureau stated.
It was held by The Additional Chief Metropolitan Magistrate, Egmore, Chennai, that the accused, N G Arun Kumar, the techie from Bangalore shall be sentenced to rigorous imprisonment for one year along with a fine of Rs. 5,000/- under Section 420 IPC (cheating) and Section 66 of IT Act (Computer related Offense).
Section 66A – Punishment for sending offensive messages through communication service.
On 9th September 2010, an imposter made a fake profile in the name of the then Hon’ble President of India, Mrs. Pratibha Devi Patil. A complaint was lodged from the Additional Controller, the President Household, and the President Secretariat regarding the four fake profiles which were created in the name of the then Hon’ble President on a social networking website, Facebook.
The mentioned complaint stated that the President’s House had nothing to do with Facebook and the fake profile was misleading the general public. The FIR under Section 469 IPC, and 66A of the Information Technology Act, 2000, was registered based on such complaint at the police station of Economic Offences Wing, the elite wing of Delhi Police, which specializes in the investigation of economic crimes including cyber offenses.
Section 66D – Punishment for cheating by impersonation by using computer resources.
The representative of a Company, which was engaged in the business of trading and distribution of petrochemicals in India and overseas, filed a complaint against nine persons, alleging offenses under Sections 65, 66, 66A, 66C, and 66D of the Information Technology Act, 2000, along with Section 419 and Section 420 of the Indian Penal Code, 1860.
The company had a website in the name of `www.jaypolychem.com’. However, another website, called, `www.jayplychem.org’ was set up in the social platform by the accused Samdeep Varghese, a.k.a., Sam, (who was dismissed by the company) in conspiracy with another accused, including Preeti and Charanjeet Singh, who happen to be the sister and brother-in-law of `Sam’, respectively.
Defamatory statements and malicious matters about the company and its directors were made available publicly on that website. The accused sister and brother-in-law, respectively, of Sam, based in Cochin, and had been acting in collusion with known and unknown persons, who had collectively created the company and committed acts of forgery, impersonation, etc.
Another two of the accused, Amardeep Singh and Rahul had often visited Delhi and Cochin. The first accused and others sent emails from fake email IDs of many of the customers, suppliers, banks, etc., to malign the name and image of the Company and its Directors.
The defamation campaign run by all the said persons named above had caused immense damage to the name and reputation of the Company. Hence, the Company suffered losses of several crores of Rupees from producers, suppliers, and customers and was unable to do business.
Section 66E – Punishment for violation of privacy.
In a severe shock to the prestigious and renowned institute as the Jawaharlal Nehru University, a pornographic MMS clip was made on the campus and transmitted outside the university. Few of the media reports claimed that the two accused students initially intended to extort money from the girl in the video. However, when such an attempt had failed, the accused put the video out on mobile phones, on the internet and even sold it as a CD in the blue film market.
Section 66F – Cyber terrorism.
The Mumbai police had registered a case of ‘cyber terrorism’, one of the first in the state since the Information Technology (Amendment) Act, 2008, came into effect, wherein, a threat email was sent to the BSE and NSE. The MRA Marg police and the Cyber Crime Investigation Cell are jointly probed into the case. The suspect had been detained in this case.
The police said that an email was sent, challenging the security agencies to prevent a terror attack, by one Shahab Md. with email ID, “[email protected]” to the BSE’s administrative email ID, “[email protected]”. The IP address of the sender was traced and it was found out that such mail had come from a village in Patna in Bihar. The ISP was Sify.
The fact that the email ID was created just four minutes before the email was sent had come to light soon. In order to divert the police from tracing the accused, the sender had, while creating such email ID, provided two mobile numbers in the personal details column.
Both the numbers, after investigation, were found out to be belonging to a photo frame-maker in Patna. Consequently, the MRA Marg police registered forgery for purpose of cheating, criminal intimidation cases under the Indian Penal Code, and a cyber-terrorism case under the Information Technology (Amendment) Act, 2008.
Section 67 – Punishment for publishing or transmitting obscene material in electronic form.
This case is related to the posting of obscene, defamatory, and annoying messages about a divorcee woman in the Yahoo message group. Emails were forwarded to the victim for information by the accused through a fake email account opened by the accused in the name of the victim.
These postings led to annoying phone calls coming to the lady. Based on the lady’s complaint, the police tracked and arrested the accused. Upon investigation, it was revealed that he was a well-known family friend of the victim and was interested in marrying her. However, she was married to another person, and that marriage ended in divorce, the accused started contacting her.
On her denial of his proposal to marry him, he started harassing her through the social media platform. It was held that the accused was found guilty of offences under Section 469, Section 509 of the Indian Penal Code, 1860, and Section 67 of the Information Technology Act, 2000. The accused was further sentenced for the offence as follows:
- As per Section 469 of the Indian Penal Code, 1860, he had to undergo rigorous imprisonment for 2 years and had to pay a fine of Rs.500/-.
- As per Section 509 of the Indian Penal Code, 1860, he had to undergo 1 year of simple imprisonment and had to pay Rs.500/-.
- As per Section 67 of the Information Technology Act, 2000, he had to undergo 2 years of imprisonment and had to pay a fine of Rs.4000/-.
All of the above sentences were to run concurrently. The accused paid the fine amount and was lodged at the Central Prison in Chennai. This was considered the first-ever case where the accused had been convicted under Section 67 of the Information Technology Act, 2000, in India.
Section 67B – Punishment for publishing or transmitting of material depicting children in the sexually explicit act, etc., in electronic form.
A Public Interest Litigation (PIL) was submitted, wherein, the petition sought for a blanket ban on pornographic websites. The Non-Governmental Organization had argued that websites displaying such sexually explicit content, especially those that include children, had an adverse effect and influence, leading the youth on a delinquent path.
Protection from Identity Theft
To protect oneself from the increasing rate of identity theft cases, the following measures are being suggested –
- Compulsory use of a strong password or secret security PIN;
- Mandatory change of password regularly;
- Keeping a distance from shady or suspicious websites and links;
- Never providing someone else any personal information;
- Protection of documents and important data;
- Having an authorized security firewall to protect from being hacked into electronic devices;
- Limiting the exposure of credit cards and other personal information cards.
If someone has been a victim of identity theft, it is important to contact the local police station immediately, followed by a complaint at the residing area’s Cyber Cell Police Station and the concerned institution, for eg., if Naveen’s bank details have been compromised and there is an unwanted transaction taken place without consent, Naveen should contact the Bank authorities where he is the authorized account holder.
Identity theft has been a huge invasion of privacy for a person, affecting the victim, both mentally and socially. However, the impact of identity theft is not limited to the individual; it equally poses a threat to organizations and companies as well.
From the legal point of view, Indian laws are on a back-foot when it comes to the protection of identity theft, or, an individual or organization’s data, leaving a huge scope of improvement of laws as well as policies and regulations concerning identity theft.
The lack of specific laws, act as a host of manipulative offences which have rapidly grown in the recent past, as compared to the last two decades. To ensure adequate implementation of the existing laws, and to equally monitor the situation, a proper system with an efficient hierarchy of jurisdiction is necessary.
It is also necessary to curb overlapping of power and employ adequate humane personnel. Lastly, the government needs to create awareness among the consumers for the ways of protecting personal information and safe internet practices. Furthermore, they need to be educated about their rights and redressal of mechanisms that are available to them in case of identity theft.
To minimize the harm and early detection of identity theft, individuals should also keep a track of their credit report and keep a track of the personal data wherever it is being used, and ask for justification as to why such data is being required and how safe it is.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: