This article is written by Nandini Biswas, a law student studying BBA LLB from Narsee Monjee Institute of Management Studies (NMIMS) School of Law, Bangalore.
Introduction
The scope of technology is multiplying day by day. With each passing day, humans are coming up with newer methods to use technology to benefit them and to make their life easy. Technology is giving rise to many new things like e-payment, e-shopping, e-courts, e-filings, e-classrooms, virtual offices, blockchain, cloud computing, and much more.
More developments give rise to more scope and newer ways of committing crimes. Such crimes have to be brought under legal regulation, and punishments for them have to be established. This needs a lot of understanding of technology and the ability to predict all the possible methods of committing crimes.
The point to be noted here is that all these new technological developments are not well regulated in India or even across the globe. Not much has been achieved so far to bring all these aspects and developments in technology under the legal purview. This is not good, since it gives ample space to criminals to commit crimes and get away with them, or with being sentenced to a frivolous punishment. This encourages more and more technology-related crimes. Crimes committed by using technology as a medium are known as cybercrime, and the laws governing them are known as cyber laws. In India, the term ‘Cybercrime’ is not defined in the Information Technology Act, 2000, nor in any other legislation. The Information Technology Act, 2000 (henceforth referred to as the IT Act) is the only law that majorly deals with technology and its related issues. There are other laws like the Indian Penal Code, 1860, the Indian Evidence Act, 1872, the Bankers’ Books Evidence Act, 1891, the Prevention of Money Laundering Act, 2002, and the e-records maintenance policy of banks. These do not deal with technology-related law in a wholesome manner; rather, they touch upon some important aspects that fall within the subject matter of each legislation.
Technology laws in India
Technology is ever developing, and so are the ways of using it. This calls for new laws that can govern such development and prevent or punish its misuse. To govern activities related to technology, introducing new laws is not enough. Certain amendments are also required in the existing laws, since they have to be updated with the changing times. India has only one law that completely deals with technology-related activities, which is the Information Technology Act, 2000. This act also amends some of the existing legislation of the country.
1. The Information Technology Act, 2000
The Ministry of Commerce, Government of India had first drafted the ECommerce Act, 1998. It was subsequently redrafted as the Information Technology Bill in 1999 and was passed in May 2000. This came after the United Nations Commission on International Trade Law (UNCITRAL) adopted the model law on Electronic Commerce in 1996 to bring uniformity in the laws of various countries. After enacting the IT Act, 2000, India became the 12th country to have adopted cyber laws. This act has also amended other legislations which did not deal with technology-related crimes. The IT Act was amended in 2008.
The IT Act, 2000 is spread across 13 chapters and 4 schedules (2 of which have been omitted). The act provides legal recognition of authenticating the electronic records by digital and electronic signatures, lays down provisions for e-governance and e-records. It provides procedures to secure electronic signatures. It then goes on to mention the penalties, compensation, and the kind of adjudicating system that will be followed if any discrepancy arises under this act. The act further lays down the provisions of constituting an appellate tribunal and the kinds of offences that this act has the authority to look into. It also has other miscellaneous provisions.
Objectives of the Act
- The act attempts to legalize alternative methods to traditional paper-based communication and data storage. This act gives legal recognition to electronic transactions and electronic communication, electronic filing of documents with the government agencies.
- It legally recognizes electronic signature and digital signatures as a means to legally authenticate documents.
- Legally allows electronic storage of data.
- Provides legal sanctions to electronic transfer of funds between banks and other financial institutions.
- Legally permits bankers to maintain their books of accounts in an electronic form.
Features of the Act
- Electronic contracts made through secure electronic channels are valid contracts.
- Digital signatures are legally recognized.
- Methods to ensure the security of digital records and digital signatures are also discussed.
- For the purpose of carrying out inquiries under this act, a procedure to appoint adjudicating officers who would carry out this inquiry is mentioned.
- The act further lays down the provision to establish a Cyber Regulatory Appellate Tribunal that will hear appeals made against the decisions or orders passed by the Controller or Adjudicating officer.
- The High Court is given the power to hear appeals against the decision of the Tribunal.
- Digital signatures are legally allowed to use an asymmetric cryptosystem or a hash function.
- The extent of the act also applies to offences and contraventions carried out outside the country.
- Senior police officers or other officers are given powers to enter and search public places and arrest people on suspicion without a warrant.
- A body called the Cyber Regulations Advisory Committee is constituted to advise the Controller and the Central Government.
Applicability of the Act
Section 1(2) of the Act mentions that this act is applicable to the entire country including Jammu and Kashmir. When this act was enacted, Article 370 was operational and thus the Government used Article 253 to make this act applicable to Jammu and Kashmir. Further, Section 1(2), when read along with Section 75, says that the Act extends to persons outside India who commit offences under this act, provided that the offence involves a computer or a computer-based network situated in India. If such an offence is committed, then, irrespective of the person’s nationality, such a person is liable to be punished under this act.
The Act extends to the whole of India and, except as otherwise provided, it applies to any offence or contravention thereunder committed outside India by any person. There are some specific exclusions to the Act (i.e. where it is not applicable) as detailed in the First Schedule, stated below:
- A negotiable instrument (Other than a cheque) as defined in the Negotiable Instruments Act, 1881;
- A power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;
- A trust as defined in Section 3 of the Indian Trusts Act, 1882;
- A will as defined in clause (h) of Section 2 of the Indian Succession Act, 1925 including any other testamentary disposition;
- Any contract for the sale or conveyance of immovable property or any interest in such property;
- Any such class of documents or transactions as may be notified by the Central Government.
2. Indian Penal Code (IPC), 1860
The IT Act, 2000 amends certain sections of the IPC. Sections under IPC that dealt with documents and records were traditionally based on paper or physical records and documents. The IT act amended these sections and extended the scope of such sections to include electronic records and documents.
Certain sections of the IPC and the IT Act are invoked together so that the punishments or the evidence stated in either act can be easily brought out. For this, the investigating agencies, while filing cases, quote, for example, offences under IPC 463, 464, 468, and 469 to be read with the IT Act Sections 43 and 66.
3. Indian Evidence Act, 1872
This is another legislation that the IT Act, 2000 amended. As the IT Act gave legal recognition to all electronic records and documents, evidence in a similar form also needed to be backed by proper legal recognition. Terms like “electronic record”, “digital signature”, “secure electronic record”, etc. were inserted by the amendment.
Further, Section 65B was introduced, which deals with the legality of electronic evidence and requires someone to vouch for the authenticity of such evidence by issuing a certificate certifying the same. In a nutshell, evidence (information) taken from computers or electronic storage devices and produced as print-outs or in electronic media is valid if it is taken from a system that was handled properly, with no scope for manipulation of data and with the integrity of the data ensured, whether produced with or without human intervention, and if it is accompanied by a certificate signed by a responsible person declaring the correctness of the records taken from the computer system with all the precautions laid down in the section.
4. Bankers’ Books Evidence (BBE) Act, 1981
This legislation was also amended by the IT Act. Prior to such an amendment, if any evidence from the bank had to be produced in a court, it required producing the original ledger or other registers for verification at some stage with the copy retained in the court records as exhibits. But after this legislation was amended, it made any printout taken from a computer, or tape, or floppy, or any other electronic device admissible as evidence provided that a certificate along with such evidence was produced that would testify the authenticity of the evidence and further notify that such evidence was produced from an electronic device which can ensure data integrity.
5. Reserve Bank of India Act, 1934
This Act too was amended by the IT Act, 2000. A clause was inserted into Section 58(2). The clause regulated the transfer of money between banks through electronic mechanisms like Real Time Gross Settlement (RTGS), National Electronic Funds Transfer (NEFT) to legally back up such modes of money transfer and provide legal admissibility to the documents and records therein.
6. Prevention of Money Laundering Act (PMLA), 2002
This Act came after the enactment of the IT Act, 2000. Money laundering is basically covering up the illegal source of money and making it look legal by multiple layerings. Such layerings are done by making various online bank transactions to transfer money so that the real source of the money gets hidden within such transactions. The PMLA requires the banks to report the accounts which make deposits more than 10 lakhs in a month so as to monitor subsequent transactions involving such money. This act thus empowers the authorities to use technology and online data sharing to monitor such transactions.
7. E-Records Maintenance Policy of Banks
Before the introduction of ITA and the recognition of electronic records, banks used to follow the conventional way of maintaining all sorts of records, vouchers, registers, ledgers, documents, letters, etc. This required them to have a record maintenance policy that is approved by the RBI and its individual board. This policy stipulated the period of maintaining and preserving all sorts of above-mentioned records. With the introduction of ITA and recognition given to electronic records, banks are now required to mandatorily maintain a proper computerized system of all electronic records.
With the advent of this computerized data maintenance, the banks became responsive to this new computerized environment, and a few of the banks have started to formulate their own Electronic Records Maintenance Policy. The Indian Banks’ Association took the initiative in bringing out a book on Banks’ e-Records Maintenance Policy to serve as a model for use and adoption in banks, suiting the individual bank’s technological set-up. Hence banks should ensure that an e-records maintenance policy with details of e-records, their nature, their upkeep, the technological requirements, off-site backup, retrieval systems, access control, and access privileges is in place, if not done already. Further, banks should strive to prove that they have all the security policies in place, like compliance with ISO 27001 standards, and that e-records are maintained. Besides, the certificate to be given as an annexure to e-evidence as stipulated in the BBE Act also emphasizes this point of maintaining e-records in a proper manner, ensuring proper backup and always ensuring confidentiality, integrity, availability, and non-repudiation.
Data privacy laws in India
Another area of major concern is the breach of data privacy that happens with the misuse of technology. A breach of data privacy can make a person’s personal information available to the wrong hands without that person’s consent, and it can then be misused. Therefore, it is important that laws should be made that deal with this concern.
India does not have any specific legislation devoted to data privacy as of now. The existing IT Act, 2000, and IT Rules, 2011 govern data privacy-related issues. But the Parliamentarians have drafted a Protection of Data Privacy Bill, 2019. The drafting of the bill is the country’s first step towards trying to domestically legislate data protection.
1. Protection of Data Privacy Bill
The Bill derives its inspiration from a previous draft version prepared by a committee headed by retired Justice BN Srikrishna. However, the present bill differs from what was recommended by Justice B N Srikrishna committee.
What does the Protection of Data Privacy (PDP) Bill put forward
- The bill divides the data into 3 categories:
  - Personal Data – data that helps in identifying individuals like their name, address, etc.
  - Sensitive Personal Data (SPD) – data relating to finance, health, sexual orientation, biometric, genetic, caste, etc.
  - Critical data – data that the government at any time can declare to be critical like military or defence-related information or national security data.
- The personal data is required to be stored in India. If it has to be processed abroad, there are certain conditions that have to be fulfilled along with the approval of a Data Protection Agency (DPA).
- Critical data can only be processed and stored in India.
- Non-personal data like traffic patterns or demographic information should be shared with the government whenever demanded.
- In order to decrease the anonymity of users and prevent trolling, the bill recommends social media companies to develop their own user verification mechanism.
- The Bill includes exemptions for processing data without an individual’s consent for “reasonable purposes”, including the security of the state, detection of any unlawful activity or fraud, whistleblowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.
- In order to check audits, assessments and definition making, the bill creates an independent regulator, the Data Protection Authority (DPA).
- A Data Protection Officer (DPO), set up by each company, shall liaise with the DPA for auditing, grievance redressal, recording maintenance, and more.
- According to the “Purpose limitation” and “Collection limitation” clauses of the bill, data can be collected only for “clear, specific, and lawful” purposes.
- The right to data portability and the ability to access and transfer one’s own data also has been granted to the individuals by the bill.
- Finally, it legislates on the right to be forgotten. With historical roots in European Union law, General Data Protection Regulation (GDPR), this right allows an individual to remove consent for data collection and disclosure.
- The Bill stated the penalties as Rs 5 crore or 2 percent of worldwide turnover for minor violations and Rs 15 crore or 4 percent of total worldwide turnover for more serious violations.
Exemptions
The central government can exempt any of its agencies from the provisions of this act in order to maintain the sovereignty, integrity, and security of the State and its friendly relations with other nations. Another reason for such an exemption can be to prevent the commission of any cognizable incidents like arresting without a warrant under the law that compulsorily requires a warrant to arrest a person.
2. Information Technology Act, 2000 and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011
The IT Act, 2000 after its amendment in 2008 included various sections that cater to data privacy issues and thus lay down laws and penalties.
Section 43
This section deals with civil liability of tampering with data, data theft, or introducing viruses on the computer. Any person who accesses a computer without the permission of the owner or the person in charge of the computer, misuses the data, downloads or accesses files, denies permission to an authorized computer, introduces virus in the computer or tampers with the computer or the data contained in the computer by any other means will have to bear the civil liability under this section. Such a person will have to pay compensation of not more than Rs. 1 crore to the affected person.
Soon the need for introducing a corporate liability for data protection was felt. The amendment of 2008 fulfilled this need by introducing Section 43-A.
Section 43-A
This section ensures that where a corporate does not practice reasonable data security norms and a person suffers as a result, the corporate will have to compensate that person for his wrongful loss by paying a sum of money, not more than Rs. 5 crores. Thus, by the nature of this section, corporates have to implement data security practices.
Section 66C
This section deals with identity theft by fraudulently using a person’s electronic signature, or any other symbol unique to the person’s identity, without the consent of the person. Such theft is punishable with imprisonment which can extend up to 3 years, and the offender is liable to pay a fine up to Rs. 1 lakh.
Section 66E
This section punishes the person who intentionally captures, circulates, or publishes a picture of any other person without the person’s consent. The punishment awarded in such a case is imprisonment that can extend up to 3 years or fine not more than Rs. 2 lakhs or both.
Section 72
This section punishes the disclosure of any electronic record, book, register, information, correspondence, document, or any other material without the concerned person’s consent by a person who has secured access to all of these. Such a person will be liable for imprisonment for a term which may extend to 2 years, or for a fine that can extend to INR 1 lakh, or for both.
Section 72A
This section deals with a situation where any person including an intermediary, gets access to any personal information while delivering services or performing actions under a lawful contract. If that person or intermediary discloses such information knowing that such a disclosure may cause wrongful gain or wrongful loss, that person can be punished with imprisonment which may extend up to 3 years or with a fine up to Rs. 5 lakh or with both.
Rule 4
This rule mandates that any corporate body or person who on behalf of other corporate body stores, deals, receives, possesses, or handles personal information of their clients or employees under a lawful contract should have a privacy policy in place. Such a policy should be made available to the corporate body who gave them such a contract and should be published on the website.
Rule 5
This rule lays down the procedure to be followed for the collection of information by the body corporate or any person on its behalf.
- The individual whose personal information will be collected needs to give his consent for such collection after knowing the purpose for which such information is to be collected. Such consent can be obtained through a written letter, fax, or email.
- No personal information of any individual will be collected unless:
a) it is connected with an activity or a function of the body corporate or any person on its behalf and the information is collected for a lawful purpose;
b) the collection of the sensitive personal data or information is necessary for that purpose.
- While collecting the information from any individual, the corporate collecting it should inform the individual about:
a) the fact that the information is being collected;
b) the purpose for which the information is being collected;
c) the intended recipients of the information; and
d) the name and address of:
(i) the organization that is collecting the information;
(ii) the organization that will hold the information.
- Further, the body corporate or any person on its behalf holding sensitive personal data or information cannot retain that information for longer than is required for the purpose for which the information may lawfully be used or is otherwise required under any other law for the time being in force. The information collected must be used for the purpose for which it has been collected.
- The body corporate or any person on its behalf will permit the providers of information, as and when requested by them, to review the information they have provided and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient is corrected or amended as feasible. However, a body corporate is not responsible for the authenticity of the personal information or sensitive personal data or information supplied by the provider of information to such body corporate or any other person acting on behalf of such body corporate.
- The body corporate or any person on its behalf will, before the collection of information including sensitive personal data or information, give an option to the provider of the information to not provide the data or information sought to be collected. The provider of information will, at any time while availing the services or otherwise, also have an option to withdraw the consent given earlier to the body corporate. Such withdrawal of consent will be sent in writing to the body corporate. In the case of a provider of information not giving or later withdrawing consent, the body corporate has the option not to provide the goods or services for which the said information was sought.
- The body corporate or any person on its behalf is required to keep the information secure.
Rule 6
This rule deals with the disclosure of information to a third party.
- If any personal information of any person has to be disclosed to a third party, the consent of the person is required before disclosure of the information, unless such a disclosure was not stated in the contract. Further, consent is not required if the information has to be shared with government agencies as mandated under the law. Such information may be required by the government for purposes like verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Government agency has to send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information. The Government agency shall also state that the information so obtained shall not be published or shared with any other person.
- Any sensitive personal data or information can be disclosed to any third party by an order under the law for the time being in force.
- The body corporate or any person on its behalf cannot publish sensitive personal data or information.
- The third-party receiving the sensitive personal data or information from body corporate or any person on its behalf cannot disclose it further.
3. Indian Telegraph Act, 1885
Section 5
This section gives power to the government to intercept the messages for reasons of public emergency, public safety, public interest, maintaining friendly relations with foreign states, to stop the incitement of an offence, etc. In such a case, the Central or the State governments or any other authority as authorized by either of the governments if satisfied that such an interception is required shall give a written record of the reason for the same. They can then by an order direct that any message or class of messages to or from any person or class of persons, or relating to any particular subject, brought for transmission by or transmitted or received by any telegraph, shall not be transmitted, or shall be intercepted or detained, or shall be disclosed to the Government making the order or an officer thereof mentioned in the order.
Section 24
This section deals with the unlawful interception of the messages. If any person or entity intercepts any message with the intention to unlawfully do so or commits any offence under this act, such a person can be punished with imprisonment that may extend up to 1 year along with the fine that the person is liable to pay under this section.
Crimes related to technology
Technology is growing day by day, and so are the crimes related to it. Such crimes range from online scams to identity theft, fraudulent lottery schemes, hijacking, travel, and credit-related frauds, to name a few. Such crimes are the online extensions of the traditional crimes that were so far carried out offline in a physical form. The Internet has made the commission of crimes easier by providing quick access to the online base of targeted consumers and also plenty of opportunities to elude the law enforcement of the land, as such criminals do not need to reside in the same country or even the same hemisphere as their chosen targets!
Most of these crimes are based out of a fraudulent platform that is disguised as a genuine one with the sole purpose of committing such frauds.
According to the Norton Cybercrime Report 2012, 66% of Indian online adults have been a victim of cyber fraud in the course of their life. In the previous year, 56% of online adults in India have experienced cyber fraud.
According to the report, at least 1,15,000 people fall prey to cyber fraud every day, that is 80 every minute and more than one every second, leading to a rise in the average direct financial cost per victim to around Rs 10,500.
According to the survey, cybercriminals have now shifted their focus to the increasingly popular social platforms. One out of three online Indian adults (32%) has been a victim of either social or mobile cybercrime.
While most internet users delete suspicious emails and are careful with their personal details online, 25% don’t use complex passwords or change their passwords frequently, and 38% don’t check for the padlock symbol in the browser before entering sensitive personal information.
Online adults are also unaware of the evolution of the most common forms of cybercrime. Indeed, 68% of adults don’t know that malware can operate in a discreet fashion, making it hard to know whether a computer has been compromised, and one third (35%) are not sure that their computer is currently clean and free of viruses.
1. Cyber pornography
This would include pornographic websites, pornographic magazines produced using computers to publish and print the material, and the use of the Internet to download and transmit pornographic pictures, photos, writings, etc. Technology has created a platform where people can now view thousands of pornographic items on their mobiles or laptops, and they even have access to upload pornographic content online.
2. Sale of illegal articles
This includes selling things that are illegal in the nation or selling legal articles in an illegal manner. For example, consumption of narcotic substances like cannabis is prohibited for general or recreational purposes but can be used for medical and scientific purposes. Such articles are sold by posting information on websites, auction websites, and bulletin boards, or simply by using email communication. E.g. many of the auction sites even in India are believed to be selling cocaine in the name of ‘honey’.
3. Online platforms
There are many online platforms, most of whose servers are located abroad, that aid in online gambling. There are claims that most of these platforms actually cater to the offence of money laundering too. There have been hawala transaction cases reported to have used or stemmed from such platforms. The use of such platforms for drug trafficking has not yet been reported. Cases of cyber lotto have also come to light in recent times. An interesting one to be mentioned is the Kola Mohan case. A man called Kola Mohan made up a story of him winning the Euro Lottery. To support this made-up story, he created a fake website and an email address ‘[email protected]’. This website would claim that Mr Kola Mohan had won a lottery worth 12.5 million pounds. A Telugu newspaper published this news. Kola Mohan could then use this fake story to collect huge sums from the public as well as from some banks for mobilization deposits in foreign currency. This fraud was discovered when a cheque discounted by him with the Andhra Bank for Rs. 1.73 million bounced.
4. Intellectual Property crimes
Cybersquatting is a group of crimes that include software piracy, infringement of copyright, trademark violation, computer source code theft, etc. A renowned case in point is Satyam vs. Spiffy. In this case, some cybersquatters had registered domain names like barticellular.com and bhartimobile.com with Network Solutions under various fictitious names. After knowing this, Bharti Cellular filed a case relating to this in the Delhi High Court. The court ordered Network Solutions not to transfer the domain names to any third party. In another case, Yahoo dragged a man named Aakash Arora to court after he used the domain name ‘yahooindia.com’. This was considered to be deceptively similar to Yahoo’s domain name, ‘Yahoo.com’.
5. Email spoofing
A spoofed email is one that appears to originate from one source but actually has been sent from another source. E.g. Rajat has an e-mail address [email protected]. An email spoofer spoofs his email and sends emails containing wrong information or offensive information to all his clients. Since the e-mails appear to have originated from Rajat, his clients would think that Rajat has sent the mail. This may disrupt his business.
Email spoofing can also lead to wrongful monetary gains and losses. In a case in America, a teenager earned millions of dollars by email spoofing. He spread false information claiming that the shares of some companies were doing badly. This misinformation was spread by email spoofing; the emails appeared to have originated from news agencies like Reuters and were primarily sent to brokers and investors. Even after the truth came out, the shares of those companies did not go back to the original rate, and as a result a lot of investors lost their money.
A branch of a bank also suffered due to email spoofing. Many customers decided to encash all the money in their accounts and close their accounts. It led to a financial loss to a great extent for that branch as well as the bank in general. Upon investigation, it was discovered that many customers of that particular branch had received spoofed emails saying that the bank was not financially sound, and thus their money was at risk since the bank might close down all its operations soon. Due to the heavy losses incurred because of the spoofed emails, the bank actually had to close down that branch. Another example of email spoofing is a case where the email spoofer pretended to be a girl and cheated an Abu Dhabi-based NRI of crores by blackmailing tactics.
6. Forgery
Computers having high-quality printers and scanners are used to counterfeit a number of things like postage and revenue stamps, currency notes, mark sheets, etc. There are many places that make and sell fake mark sheets and certificates. This has become a booming market in India which involves thousands of rupees. It is difficult to understand the difference between original and fake ones due to their near similarity in physical appearance.
7. Cyber defamation
Cyber defamation is said to have been done when defamation takes place online with the help of computers and the Internet. E.g. publishing defamatory statements about someone on a website or sending emails containing defamatory information to all of that person’s friends. Defamation happens when the image of the person degrades in front of right-minded people. India’s first cyber defamation case involved a company’s employee who was sending derogatory and defamatory emails about his Managing Director. On learning of this, the Managing Director filed a case against that employee. The employee was identified with the help of a private computer expert. The company issued an ad-interim injunction and has restrained the employee from sending, publishing, and transmitting emails which are defamatory or derogatory to the plaintiffs.
8. Cyberstalking
The Oxford dictionary defines stalking as “pursuing stealthily”. In simple words, just like stalking the movements of any person offline, cyberstalking is following the activities of a person online. Cyberstalking involves following a person’s movements across the internet or social media. Stalking a person’s social media account is normal and is not a crime. Cyberstalking becomes ugly when the stalker starts to harass the person with false accusations or threatens the person.
9. Unauthorized access to computer systems
It is a commonplace practice to use the terms ‘hacking’ and ‘unauthorized access’, in terms of computers, interchangeably. But the Indian laws require these two terms to be separately used. According to the Indian laws, a person derives unauthorized access to a computer when the computer has been hacked. Once the computer system is hacked, the hacker now has access to the victim’s information that has been stored in the computer device. Such information can include, professional data, personal information, credit card details, pictures, etc. The hacker can also get access to the victim’s social media handles like Facebook, Gmail, etc. This information can be used by hackers in an unethical manner. This can lead to other cybercrimes like identity theft, misuse of data, data theft. The hackers generally target home or office computers since they are connected to the internet. Such a connection exposes the computer to the world at large and the internet acts as a gateway for this. Such computers are thus at risk of attack from across the globe.
10. Denial of Service attack (DoS)
A Denial of Service attack, as the name suggests, is a cyberattack on an online resource, website, network, etc. to deny access to its authorized users. Such cyberattacks target digital Intellectual Property Rights and infrastructure. The cyber attackers target and exploit the software vulnerability of a system by exhausting the RAM and CPU of the server. This is done by overloading the bandwidth of the server by sending rapid and continuous requests to the target server. For doing this, the cyber attackers use only one internet connection and only one device. The damage done can be repaired in the short run by setting up a firewall. A firewall is a network security system that controls incoming and outgoing network traffic by creating a barrier between the internal network and untrusted external networks like the internet. Since a DoS attack comes from only one IP address, that IP address can be easily fished out and denied further access using a firewall. However, there is a type of DoS attack that is not so easy to detect: the Distributed Denial of Service (DDoS) attack.
A Distributed Denial of Service (DDoS) attack uses multiple infected devices and connections spread around the world as a botnet. A botnet is a network of personal devices that have been compromised by cybercriminals without the knowledge of the owners of the devices. The hackers infect the computers with malicious software to gain control of the system and use it to send spam and fake requests to other devices and servers. A target server that falls victim to a DDoS attack will experience an overload due to the hundreds or thousands of phoney requests that come in. Because the server is attacked from multiple sources, detecting all the addresses of these sources may prove difficult. Separating legitimate traffic from the fake traffic may also be impossible, which is another reason why it is hard for a server to withstand a DDoS attack.
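The difference between the two cases can be seen in how a server operator reads the request log. The following Python sketch is an added example, not part of the original article: it counts requests per second per client address, which singles out a one-source flood for blocking at the firewall, and shows that the same per-address rule finds nobody to block when the flood is spread across many addresses. The log format, thresholds and addresses (documentation ranges) are assumptions constructed for the example.

```python
from collections import Counter

PER_IP_LIMIT = 20   # assumed: most requests one client may send in a second
TOTAL_LIMIT = 100   # assumed: most requests per second the server normally sees


def parse(line):
    """Parse a constructed log line '<epoch second> <client ip> <method> <path>'."""
    second, ip, _method, _path = line.split()
    return int(second), ip


def analyse(log_lines):
    """Return addresses to block and the seconds in which the server was overloaded."""
    per_ip = Counter()       # (second, ip) -> requests from that client
    per_second = Counter()   # second -> requests from all clients
    for line in log_lines:
        second, ip = parse(line)
        per_ip[(second, ip)] += 1
        per_second[second] += 1

    noisy = {(s, ip) for (s, ip), n in per_ip.items() if n > PER_IP_LIMIT}
    overloaded = sorted(s for s, n in per_second.items() if n > TOTAL_LIMIT)
    return {
        # Single-source flood: one address stands out and can be denied access.
        "block": sorted({ip for _, ip in noisy}),
        "overloaded_seconds": overloaded,
        # Overload with no address over the limit: the distributed pattern.
        "distributed_seconds": [s for s in overloaded
                                if not any(sec == s for sec, _ in noisy)],
    }


# Constructed sample traffic.
def normal_traffic(second):
    return [f"{second} 198.51.100.{i} GET /" for i in range(1, 6)]


def single_source_flood(second):
    return normal_traffic(second) + [f"{second} 203.0.113.7 GET /login"] * 150


def distributed_flood(second):
    bots = [f"{second} 192.0.2.{i} GET /login" for i in range(1, 151)]
    return normal_traffic(second) + bots


if __name__ == "__main__":
    print("DoS :", analyse(single_source_flood(1000)))
    print("DDoS:", analyse(distributed_flood(1000)))
```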
Unlike most cyberattacks that are initiated to steal sensitive information, initial DDoS attacks are launched to make websites inaccessible to their users. However, some DDoS attacks are used as a façade for other malicious acts. When servers have been successfully knocked down, the culprits may go behind the scenes to dismantle the websites’ firewalls or weaken their security codes for future attack plans.
A DDoS attack can also be used as a digital supply chain attack. If the cyber attackers cannot penetrate the security systems of their multiple target websites, they can find a weak link that is connected to all the targets and attack the link instead. When the link is compromised, the primary targets would automatically be indirectly affected as well.
11. Virus attacks and worm attacks
Computer viruses are a kind of program that needs to attach itself to a computer in order to carry out its unauthorized functions. These viruses spread from one computer to another through the common network that they are connected to. This means that if a computer having that virus is connected to network A, then the virus can spread from that computer to all the computers on network A. Such viruses can delete or alter the data stored in the computer.
A virus called VBS_LOVELETTER, commonly known as the Love Bug or the ILOVEYOU virus, spread in May 2000. This virus program was written by a Filipino graduate. The virus used the email addresses in Microsoft Outlook and mailed itself to those addresses. The title of the mail was catchy: ILOVEYOU. Thus even people who refrained from opening mails from unknown sources fell prey to it. The mail had an attachment file named “LOVE-LETTER-FOR-YOU.TXT.vbs”. Once the attachment was downloaded and opened, the virus got attached to the computer. This attack caused a lot of monetary harm globally since 1 in every 5 computers was attacked by this virus. There was a loss of up to US $10 billion.
Worms, unlike viruses, do not need a host to attach themselves to. They simply make working copies of themselves, and do this repeatedly until they consume all the available space in a computer’s memory.
Probably the world’s most famous worm was the Internet worm let loose on the Internet by Robert Morris in 1988. The Internet was, at that point, still in its developing years, and this worm, which affected a large number of computers, nearly brought its development to a complete halt. It took a team of experts almost three days to get rid of the worm, and in the meantime a significant number of the computers had to be disconnected from the network.
12. Logic bombs
A logic bomb virus depends upon the happening of an event. Until that particular event occurs, the virus lies dormant in the computer system. The occurrence of the event triggers the virus, and it subsequently spreads in the computer system. So, one can never come to know if there is a logic bomb in their computer system until the virus is triggered. Such a triggering event can be anything; it can also be a date.
13. Trojan attacks
A Trojan is an unauthorized program that functions in a way that it seems to be an authorized program. It, therefore, is able to successfully conceal what functions are actually being carried out by the program. This program is used by cyber hackers to gain unauthorized access to someone’s computer system. A trojan can be installed in someone else’s computer system without them even knowing it. This can be done by spoofing emails and attaching a file in the mail that contains the Trojan application. Once the attachment is downloaded, the Trojan program automatically gets installed and the hacker now has access to the person’s computer system.
14. Internet time theft
Internet time theft is an unauthorised person using Internet hours whose payment is made by another person. The first case of Internet time theft was registered in May 2000 against one Mukesh Gupta, an engineer with Nicom System (P) Ltd. This case was registered at the Economic Offences Wing, IPR section crime branch of Delhi Police. He had caused a wrongful loss of 100 Internet hours to the victim. In another case, the Economic Offences Wing of Delhi Police arrested a computer engineer who got hold of the password of an Internet user, accessed the computer and stole 107 hours of Internet time from the other person’s account. He was booked for the crime by a Delhi Court during May 2000.
15. Web jacking
Web-jacking is basically hacking a website or gaining unauthorized access to the website. This can be done by decoding the password and later changing it. Once the password is changed, the actual owner is not able to access the website and its contents. In the USA, the owner of a hobby website for children received an email stating that a group of hackers had gained access to the website. The website owner was a school teacher and so did not take the email seriously. But after three days, it was found that the mail was true and a group of hackers had indeed attacked the website. This came to light since the hackers had altered the content of the website. A portion of the website was titled ‘How to have fun with a goldfish’; this was changed so that wherever the word ‘goldfish’ was mentioned, it was substituted by the word ‘Piranhas’. Piranhas are small but dangerous flesh-eating fish. All the children who visited this portion of the website and followed the instructions mentioned on it were seriously injured.
Offences and Penalties
1. Offences and penalties under the IT Act, 2000
| Section under IT Act, 2000 | Offence | Penalty |
| | Damage to computers, computer systems, etc. | Compensation up to INR 1 crore to the affected person |
| | Body corporate failure to protect data | Compensation up to INR 5 crore to the affected person |
| | Failure to furnish document, return or report to the Controller or the Certifying Authority | Penalty up to 1 lakh and fifty thousand rupees for each such failure |
| | Failure to file any return or furnish any information, books or other documents within the time specified | Penalty up to 5 thousand rupees for every day during which such failure continues |
| | Failure to maintain books of account or records | Penalty up to 10 thousand rupees for every day during which the failure continues |
| | Where no penalty has been separately provided | Compensation up to 25 thousand rupees to the person affected by such contravention or a penalty not exceeding 25 thousand rupees |
| | Tampering with computer source documents | Imprisonment up to 3 years, or with fine which may extend up to 2 lakh rupees, or with both |
| | Hacking with Computer systems, Data alteration, etc. | Imprisonment up to 3 years or with fine which may extend to five lakh rupees or with both |
| | Sending offensive messages through communication service etc. | Imprisonment up to 3 years and with fine |
| | Retains any stolen computer resource or communication device | Imprisonment up to 3 years or with fine which may extend to rupees 1 lakh or with both |
| | Fraudulent use of electronic signature | Imprisonment up to 3 years and shall also be liable to fine which may extend to rupees 1 lakh |
| | Cheats by personating by using computer resource | Imprisonment up to 3 years and shall also be liable to fine which may extend to one lakh rupees |
| | Publishing obscene images | Imprisonment up to 3 years or with fine not exceeding two lakh rupees, or with both |
| | Cyber terrorism | Imprisonment which may extend to imprisonment for life |
| | Publishes or transmits unwanted material | Imprisonment up to 3 years and with fine up to 5 lakh rupees & in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to 5 years and also with fine which may extend to ten lakh rupees |
| | Publishes or transmits sexually explicit material | Imprisonment up to 5 years and with fine up to 10 lakh rupees and in the event of second or subsequent conviction with imprisonment of either description up to 7 years and also with fine which may extend to 10 lakh rupees |
| | Abusing children online | Imprisonment up to 5 years and with a fine which may extend to 10 lakh rupees and in the event of second or subsequent conviction with imprisonment of either description up to 7 years and also with fine which may extend to 10 lakh rupees |
| | Preservation of information by an intermediary | Imprisonment up to three years and shall also be liable to fine |
| | Unauthorized access to a protected system | Imprisonment up to 10 years and shall also be liable to fine |
| | Misrepresentation to the Controller or the Certifying Authority for obtaining license or Electronic Signature Certificate | Imprisonment up to 2 years, or with fine which may extend to 1 lakh rupees, or with both |
| | Breach of Confidentiality and Privacy | Imprisonment up to 2 years, or with fine which may extend to 1 lakh rupees, or with both |
| | Disclosure of information in breach of contract | Imprisonment up to 3 years, or with a fine which may extend to 5 lakh rupees, or with both |
| Sec.73 & 74 | Publishing false digital signature certificates | Imprisonment up to 2 years, or with fine which may extend to 1 lakh rupees, or with both |
2. Offences under other legislation
| Offence | Law |
| Sending threatening messages by email | Sec.503 IPC (Indian Penal Code) |
| Sending defamatory messages by email | |
| Forgery of electronic records | |
| Bogus websites, cyber frauds | |
| Web-Jacking | |
| E-Mail Abuse and Email Spoofing | |
| Online sale of Drugs | |
| Online sale of Arms | |
3. Offences and penalties under Protection of Data Privacy Bill
Any data transferred or processed not in accordance with the act or is in violation of any provisions of the act, is punishable with a fine of Rs. 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher.
Failure to conduct a data audit is punishable with a fine of Rs. 5 crores or 2% of the annual turnover of the fiduciary.
Author’s Analysis
This article has so far covered various laws relating to technology crimes and the types of technology. Minute observation would reveal that there are more crimes than the laws! This article lists just 15 crimes that have been identified. There are many more crimes that happen with the use of technology and are under study. We can further see that there is only 1 legislation as of now that entirely deals with crimes committed by the use of technology. This means that there are areas that are not covered by the technology laws of our country.
Since technology is growing, more concepts are being introduced. Such concepts also need to be monitored legally through legislation. Such new concepts include blockchain, cryptocurrencies, cloud computing, online working, or learning by using platforms like Zoom app or Microsoft Teams, etc. Such new concepts should also have some kind of legal regulations, if not a full-fledged law. This is important since such new developments have high potential risks of cybercrimes.
Also, the government has to be quick enough to come up with legislation around the same. It can be validly considered that the framing of legislation is a long process and requires a considerable amount of time given the intricacies and technicalities of this subject. Thus, the state can come up with interim rules and regulations that will be operative till the time the laws are not made.
Technology crimes are not only a concern for the Indian government; rather, this is a concern for the world at large. Technology knows no geographical boundaries. In fact, the internet makes geographical boundaries less effective. This makes technology crime a global issue. Anyone sitting in any country can commit a cybercrime in any other country. When this happens, problems of jurisdiction crop up due to overlapping laws. For example, Section 1(2) of the IT Act, when read with Section 75, says that the act extends to persons outside India who commit offences under this act, provided that the nature of the offence involves a computer or a computer-based network situated in India. If such an offence is committed, then, irrespective of the person’s nationality, such a person is liable to be punished under this act.
Suppose a cybercrime of this nature has been committed, the aggrieved party is a citizen of country XYZ, and according to the law of that country, such a crime should be charged by that country. To make this example a bit more complicated, let us add another fact: the criminal is a citizen of country ABC, and the laws in that country say that they have the jurisdiction to punish such a criminal. In this case, what will be the jurisdiction? This is just one example; there can be many other points of legal contravention that can arise. Such contraventions make it easy for criminals to escape their liability. Thus, according to the author, countries should come together and roll out an international law that takes due regard of all the possible legal contraventions and requires the countries to ratify the law in their country and make legal provisions according to it.
Lastly, to answer the question that the topic poses, laws related to technology are immensely important since they lay down a formal procedure to deal with cybercrimes and punish the criminals. Though the existing laws are not very fruitful in doing so, at the ground level at least some of the crimes are being dealt with. It also has to be appreciated that without the existence of these laws, we could not have achieved whatever we have so far in terms of making technology legal and safe to use. As far as the loopholes are concerned, the world is still immature in handling technological developments since it has witnessed a great upsurge and advancements in technology in recent decades. Thus, the government and the countries are at a learning stage.