BY Harsh Vardhan Jajjodia
1. Synopsis Of The Article.Information Technology solutions have paved a way to a new world of internet, business networking and e-banking, budding as a solution to reduce costs, change the sophisticated economic affairs to more easier, speedy, efficient, and time saving method of transactions. Internet has emerged as a blessing for the present pace of life but at the same time also resulted in various threats to the consumers and other institutions for which it's proved to be most beneficial. Various criminals like hackers, crackers have been able to pave their way to interfere with the internet accounts through various techniques like hacking the Domain Name Server (DNS), Internet Provider's (IP) address, spoofing, phishing, internet phishing etc. and have been successful in gaining "unauthorised access" to the user's computer system and stolen useful data to gain huge profits from customer's accounts.
Intentional use of information technology by cyber terrorists for producing destructive and harmful effects to tangible and intangible property of others is called "cyber crime". Cyber crime is clearly an international problem with no national boundaries. Hacking attacks can be launched from any corner of the world without any fear of being traced or prosecuted easily. Cyber terrorist can collapse the economic structure of a country from a place where that country might not have any arrangements like "extradition treaty" to deal with that criminal. The only safeguard would be better technology to combat such technology already evolved and known to the Hackers. But that still has threat of being taken over by the intellect computer criminals.
This paper contributes an understanding of the effects of negative use of Information technology, and how far the present law in India is successful in dealing with the issue, and what way is the legal structure lagging to curb the crime. Possible changes needed in the system and the ways to combat cyber terrorism having safe and trustworthy transactions.
Though there are many techniques evolved to curb the criminal activities by cyber terrorists but still the problem persists in legal structure and has failed to produce a deterring effect on the criminals. If the suggestions are undertaken in light of conclusion there can be a better co-ordination among various national and international agencies to make the system more efficient, and Information Technology Act 2000 more secured and trustworthy. It can still be held good for the objects it had existed to provide the benefits to the society. This paper is contributive of the fact that the till the crime rate is not curbed technology cannot produce adequate benefits for which it's been created.
2. What Is Cyber Crime?
Cyber terrorists usually use the computer as a tool, target, or both for their unlawful act either to gain information which can result in heavy loss/damage to the owner of that intangible sensitive information. Internet is one of the means by which the offenders can gain such price sensitive information of companies, firms, individuals, banks, intellectual property crimes (such as stealing new product plans, its description, market programme plans, list of customers etc.), selling illegal articles, pornography etc. this is done through many methods such as phishing, spoofing, pharming, internet phising, wire transfer etc. and use it to their own advantage without the consent of the individual.
Many banks, financial institutions, investment houses, brokering firms etc. are being victimised and threatened by the cyber terrorists to pay extortion money to keep their sensitive information intact to avoid huge damages. And it's been reported that many institutions in US, Britain and Europe have secretly paid them to prevent huge meltdown or collapse of confidence among their consumers.
2.2. Emergence Of Information Technology Act, 2000.In India, the Information Technology Act 2000 was enacted after the United Nation General Assembly Resolution A/RES/51/162, dated the 30th January, 1997 by adopting the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This was the first step towards the Law relating to e-commerce at international level to regulate an alternative form of commerce and to give legal status in the area of e-commerce. It was enacted taking into consideration UNICITRAL model of Law on e- commerce 1996.
3. Some Noteworthy Provisions Under The Information Technology Act, 2000.
Sec.43
Damage to Computer system etc.
Compensation for Rupees 1crore.
Sec.66
Hacking (with intent or knowledge)
Fine of 2 lakh rupees, and imprisonment for 3 years.
Sec.67
Publication of obscene material in e-form
Fine of 1 lakh rupees, and imprisonment of 5years, and double conviction on second offence
Sec.68
Not complying with directions of controller
Fine upto 2 lakh and imprisonment of 3 years.
Sec.70
attempting or securing access to computer
Imprisonment upto 10 years.
Sec.72
For breaking confidentiality of the information of computer
Fine upto 1 lakh and imprisonment upto 2 years
Sec.73
Publishing false digital signatures, false in certain particulars
Fine of 1 lakh, or imprisonment of 2 years or both.
Sec.74
Publication of Digital Signatures for fraudulent purpose.
Imprisonment for the term of 2 years and fine for 1 lakh rupees.
4. Types Of Attacks By Hackers.
Hacker is computer expert who uses his knowledge to gain unauthorized access to the computer network. He's not any person who intends to break through the system but also includes one who has no intent to damage the system but intends to learn more by using one's computer. Information Technology Act 2000 doesn't make hacking per se an offence but looks into factor of mens rea. Crackers on other hand use the information cause disruption to the network for personal and political motives. Hacking by an insider or an employee is quite prominent in present date. Section 66 (b) of the Information Technology Act 2000, provides punishment of imprisonment for the term of 3 years and fine which may extent to two lakhs rupees, or with both
Banks and other financial institutions are threatened by the terrorist groups to use their sensitive information resulting in heavy loss and in turn ask for ransom amount from them. There are various methods used by hackers to gain unauthorised access to the computers apart from use of viruses like Trojans and worms etc.
Therefore if anyone secures access to any computer without the permission of the owner shall be liable to pay damages of one crore rupees under Information Technology Act, 2000. Computer system here means a device including input and output support devices and systems which are capable of performing logical, arithmetical, data storage and retrieval, communication control and other functions but excludes calculators. Unauthorised access under Section 43 of the Information Technology Act 2000 is punishable regardless of the intention or purpose for which unauthorised access to the computer system was made. Owner needn't prove the facto of loss, but the fact of it been used without his authorisation. Case of United States v. Rice would be important in this regard where defendant on the request of his friend (who was been under investigation by IRS officer) tried to find the status of his friend's case by using officer's computer without his consent. Though it didn't cause any damage/loss to the plaintiff (officer) but was convicted by the Jury for accessing the computer system of a Government without his authority and his conviction was later on confirmed. Even if one provides any assistance to the other to gain any unauthorised access to the computer he shall be liable to pay damages by way of compensation of Rupees 1 crore.
Does turning on the computer leads to unauthorized access? The mens rea under section 1 of the Computer misuse Act, 1990 comprises of two elements there must be an intent to secure an access to any programme or data held in any computer, and the person must know that he intends to secure an unauthorized access. e.g. When defendants went to his former employee to purchase certain equipments and the sales person was not looking he was alleged to have keyed in certain commands to the computerized till granting himself substantial discount. Though section 1 (1) (a) requires "that second computer must be involved" but the judiciary in the case of R v. Sean Cropp, believed that the Parliament would have intended to restrict the offence even if single computer system was involved.
A) Computer Viruses: Viruses are used by Hackers to infect the user's computer and damage data saved on the computer by use of "payload" in viruses which carries damaging code. Person would be liable under I.T Act only when the consent of the owner is not taken before inserting virus in his system. The contradiction here is that though certain viruses causes temporary interruption by showing messages on the screen of the user but still it's not punishable under Information Technology Act 2000 as it doesn't cause tangible damage. But, it must be made punishable as it would fall under the ambit of ‘unauthorised access' though doesn't cause any damage. Harmless viruses would also fall under the expression used in the provision "to unsurp the normal operation of the computer, system or network". This ambiguity needs reconsideration.
B) Phishing: By using e-mail messages which completely resembles the original mail messages of customers, hackers can ask for verification of certain information, like account numbers or passwords etc. here customer might not have knowledge that the e-mail messages are deceiving and would fail to identify the originality of the messages, this results in huge financial loss when the hackers use that information for fraudulent acts like withdrawing money from customers account without him having knowledge of it
C) Spoofing: This is carried on by use of deceiving Websites or e-mails. These sources mimic the original websites so well by use of logos, names, graphics and even the code of real bank's site.
D) Phone Phishing: Is done by use of in-voice messages by the hackers where the customers are asked to reveal their account identification, and passwords to file a complaint for any problems regarding their accounts with banks etc.
E) Internet Pharming: Hacker here aims at redirecting the website used by the customer to another bogus website by hijacking the victim's DNS server (they are computers responsible for resolving internet names into real addresses - "signposts of internet), and changing his I.P address to fake website by manipulating DNS server. This redirects user's original website to a false misleading website to gain unauthorised information.
F) Risk Posed On Banks And Other Institutions: Wire transfer is the way of transferring money from one account another or transferring cash at cash office. This is most convenient way of transfer of cash by customers and money laundering by cyber terrorists. There are many guidelines issued by Reserve Bank of India (RBI) in this regard, one of which is KYC (Know Your Customer) norms of 2002. Main objective of which is to:
1) Ensure appropriate customer identification, and
2) Monitor the transaction of suspicious nature and report it to appropriate authority every day bases.
G) Publishing Pornographic Material In Electronic Form: Section 67 of the Information Technology Act, 2000 in parallel to Section 292 of Indian Penal Code, 1860 makes publication and transmission of any material in electronic that's lascivious or appeals to the prurient interest a crime, and punishable with imprisonment which may extend to 5 years and fine of 1 lakh rupees and subsequent offence with an imprisonment extending to 10 years and fine of 2 lakhs.
Various tests were laid down gradually in course of time to determine the actual crime in case of obscene material published in electronic form on net. Hicklin test was adopted in America in the case of Regina v. Hicklin wherein it was held that "if the material has tendency is to deprive and corrupt those whose minds are open to such immoral influences, and into whose hands a publication of this sort may fall". In Indian scenario the case of Ranjeet D. Udeshi v. State of Maharashtra the Supreme Court admitted that Indian Penal Code doesn't define obscenity though it provides punishment for publication of obscene matter. There's very thin line existing between a material which could be called obscene and the one which is artistic. Court even stressed on need to maintain balance between fundamental right of freedom of speech and expression and public decency and morality. If matter is likely to deprave and corrupt those minds which are open to influence to whim the material is likely to fall. Where both obscenity and artistic matter is so mixed up that obscenity falls into shadow as its insignificant then obscenity may be overlooked.
In the case of Miller v. California it was held that local community standard must be applied at the time of determination of the offence. As it can traverse in many jurisdictions and can be accessed in any part of the globe. So wherever the material can be accessed the community standards of that country would be applicable to determine the offence of publication of obscene material posted in electronic form. Though knowledge of obscenity under Information Technology Act 2000 and Indian Penal Code may be taken as mitigating factor but doesn't take the case out of the provision.
Section 72 of Information Technology Act, 2000 provides punishment for an unauthorised access or, disclosure of that information to third person punishable with an imprisonment upto 2 years or fine which may extend to 1 lakh rupees or with both. English courts have also dealt with an issue as to what activities would constitute crime under existing legislation, in the case of R. v. Fellows and Arnold it was held that the legislation before the 1994 amendment would also enable computer data to be considered a ‘copy of an indecent photograph' and making images available for downloading from the website would constitute material being ‘distributed or shown'. Statute is wide enough to deal with the use of computer technology.
(H) Investment Newsletter: We usually get newsletter providing us free information recommending that investment in which field would be profitable. These may sometimes be a fraud and may cause us huge loss if relied upon. False information can be spread by this method about any company and can cause huge inconvenience or loss through junk mails online.
(I) Credit Card Fraud: Huge loss may cause to the victim due to this kind of fraud. This is done by publishing false digital signatures. Most of the people lose credit cards on the way of delivery to the recipient or its damaged or defective, misrepresented etc.
4. Measures To Curb The Crime.Though by passage of time and improvement in technology to provide easier and user friendly methods to the consumer for make up their daily activities, it has lead to harsh world of security threats at the same time by agencies like hackers, crackers etc. various Information technology methods have been introduced to curb such destructive activities to achieve the main objects of the technology to provide some sense of security to the users. Few basic prominent measures used to curb cyber crimes are as follows:
A) Encryption: This is considered as an important tool for protecting data in transit. Plain text (readable) can be converted to cipher text (coded language) by this method and the recipient of the data can decrypt it by converting it into plain text again by using private key. This way except for the recipient whose possessor of private key to decrypt the data, no one can gain access to the sensitive information.
Not only the information in transit but also the information stored on computer can be protected by using Conventional cryptography method. Usual problem lies during the distribution of keys as anyone if overhears it or intercept it can make the whole object of encryption to standstill. Public key encryptograpy was one solution to this where the public key could be known to the whole world but the private key was only known to receiver, its very difficult to derive private key from public key.
B) Syncronised Passwords: These passwords are schemes used to change the password at user's and host token. The password on synchronised card changes every 30-60 seconds which only makes it valid for one time log-on session. Other useful methods introduced are signature, voice, fingerprint identification or retinal and biometric recognition etc. to impute passwords and pass phrases
C) Firewalls: It creates wall between the system and possible intruders to protect the classified documents from being leaked or accessed. It would only let the data to flow in computer which is recognised and verified by one's system. It only permits access to the system to ones already registered with the computer.
D) Digital Signature: Are created by using means of cryptography by applying algorithms. This has its prominent use in the business of banking where customer's signature is identified by using this method before banks enter into huge transactions.
5. Investigations And Search Procedures.
Section 75 of Information Technology Act, 2000 takes care of jurisdictional aspect of cyber crimes, and one would be punished irrespective of his nationality and place of commission of offence. Power of investigation is been given to police officer not below the rank of Deputy Superintendent of police or any officer of the Central Government or a State Government authorised by Central Government. He may enter any public place, conduct a search and arrest without warrant person who is reasonably expected to have committed an offence or about to commit computer related crime. Accused has to be produced before magistrate within 24 hours of arrest. Provisions of Criminal Procedure Code, 1973 regulate the procedure of entry, search and arrest of the accused.
5.1. Problems Underlying Tracking Of Offence.
Most of the times the offenders commit crime and their identity is hard to be identified. Tracking cyber criminals requires a proper law enforcing agency through cyber border co-operation of governments, businesses and institutions of other countries. Most of the countries lack skilled law enforcement personnel to deal with computer and even broader Information technology related crimes. Usually law enforcement agencies also don't take crimes serious, they have no importance of enforcement of cyber crimes, and even if they undertake to investigate they are posed with limitation of extra-territorial nature of crimes.
6. How Efficient Is Information Technology Act 2000?
It can't be disputed that Information Technology Act, 2000 though provides certain kinds of protections but doesn't cover all the spheres of the I.T where the protection must be provided. Copyright and trade mark violations do occur on the net but Copy Right Act 1976, or Trade Mark Act 1994 are silent on that which specifically deals with the issue. Therefore have no enforcement machinery to ensure the protection of domain names on net. Transmission of e-cash and transactions online are not given protection under Negotiable Instrument Act, 1881. Online privacy is not protected only Section 43 (penalty for damage to computer or computer system) and 72 (Breach of confidentiality or privacy) talks about it in some extent but doesn't hinder the violations caused in the cyberspace.
Even the Internet Service Providers (ISP) who transmits some third party information without human intervention is not made liable under the Information Technology Act, 2000. One can easily take shelter under the exemption clause, if he proves that it was committed without his knowledge or he exercised due diligence to prevent the offence. It's hard to prove the commission of offence as the terms "due diligence" and "lack of knowledge" have not been defined anywhere in the Act. And unfortunately the Act doesn't mention how the extra territoriality would be enforced. This aspect is completely ignored by the Act, where it had come into existence to look into cyber crime which is on the face of it an international problem with no territorial boundaries.
7. Data Protection.
Information stored on the owner of the computer would be his property and must be protected there are many ways such information can be misused by ways like ‘unauthorized access, computer viruses, data typing, modification erasures etc. Legislators had been constantly confronted with problem in balancing the right of the individuals on the computer information and other people's claim to be allowed access to information under Human Rights. The first enactment in this regard was Data Protection Act by Germany in the year 1970. This was widely accepted by the world and also contributed to the Information Technology Act.
The origin of laws on date protection dates back to 1972 when United Kingdom formed a committee on privacy which came up with ten principles, on the bases of which data protection committee was set up. Data Protection Act, 1984 (DPA) was United Kingdom's response to the Council of Europe Convention 1981, this Act lacked proper enforcement mechanism and has done little to enforce individual's rights and freedoms. European Union directive in 1995, European Convention of Human Rights (ECHR), Human Rights Acts, and further introduction of Data Protection Act, 1998 have done much in the field of Data protection in today's date. Data Protection Act has following aims and objectives:
Personal information shall only be obtained for lawful purpose, it shall only be used for that purpose, mustn't be disclosed or used to effectuate any unlawful activity, and must be disposed off when the purpose is fulfilled.
Though Data Protection Act aims at protecting privacy issues related to the information but still we find no mention of the word "privacy" in the Act, nor is it defined, further the protection comes with various exemptions, including compulsory notification from the Commissioner in certain cases of the personal data. Due to the change in the regime of information technology for the date European Convention came, on which the Act is based amendments in the Act is advised for matching the present situation and curbing the crime in efficient way.
There is no Data Protection Act in India, the only provisions which talks about data protection are Section 72 and Section 43 of Information Technology Act, 2000. There must be a new Law to deal with the situation for a person to know that the Controller is processing his data concerning him and also that he must know the purpose for which it has been processed. It is a fundamental right of the Individual to retain private information concerning him provided under Article 21 of the Indian Constitution, which says: "No person shall be deprived of his life or personal liberty except according to procedure established by law". And due to the increasing trend of the Crime rate in the field separate legislation is required in this context for better protection of individuals.
8. Conclusion & Suggestions.
No one can deny the positive role of the cyber space in today's world either it be political, economic, or social sphere of life. But everything has its pro's and corns, cyber terrorists have taken over the technology to their advantage. To curb their activities, the Information Technology Act 2000 came into existence which is based on UNICITRAL model of Law on e-commerce. It has many advantages as it gave legal recognition to electronic records, transactions, authentication and certification of digital signatures, prevention of computer crimes etc. but at the same time is inflicted with various drawbacks also like it doesn't refer to the protection of Intellectual Property rights, domain name, cyber squatting etc. This inhibits the corporate bodies to invest in the Information technology infrastructure. Cases like Dawood and Quattrochi clearly reveals the problem of enforceability machinery in India. Cryptography is new phenomenon to secure sensitive information. There are very few companies in present date which have this technology. Other millions of them are still posed to the risk of cyber crimes.
There is an urgent need for unification of internet laws to reduce the confusion in their application. For e.g. for publication of harmful contents or such sites, we have Indian Penal Code (IPC), Obscenity Law, Communication Decency law, self regulation, Information Technology Act 2000 ,Data Protection Act, Indian Penal Code, Criminal Procedure Code etc but as they deal with the subject vaguely therefore lacks efficient enforceability mechanism. Due to numerous Laws dealing with the subject there lays confusion as to their applicability, and none of the Law deals with the subject specifically in toto. To end the confusion in applicability of Legislation picking from various laws to tackle the problem, i would suggest unification of laws by taking all the internet laws to arrive at Code which is efficient enough to deal with all the problems related to internet crimes. Although these legislations talk about the problem but they don't provide an end to it. There's need for a one Cyber legislation which is co-ordinated to look after cyber crimes in all respects.With passage of time and betterment of technology in the present date, has also resulted in numerous number of Information technology related crimes therefore changes are suggested to combat the problem equally fast.
Crucial aspect of problem faced in combating crime is that, most of the countries lack enforcement agencies to combat crime relating to internet and bring some level of confidence in users. Present law lacks teeth to deter the terrorist groups for committing cyber crimes if you see the punishment provides by the Act it's almost ineffective, inefficient and only provides punishment of 3 years at the maximum. Harsher laws are required at this alarming situation to deal with criminals posing threat to security of funds, information, destruction of computer systems etc.Data protection, by promotion of general principles of good information practice with an independent supervisory regime, would enable the law to maintain sufficient flexibility to achieve an appropriate balance between the need to protect the rights of the individuals and to have a control over the way their personal information have been used would be helpful in this increasingly networked economy. Just having two provisions in the Information Technology Act, 2000 for protection of data without any proper mechanism for to tackle the crime makes their mention in the Act redundant.
Information Technology Act is applicable to all the persons irrespective of their nationalities (i.e. to non-citizens also) who commits offence under the Information Technology Act outside India, provided the act or conduct constituting the offence or contravention involves computer, computer systems, or computer networks located in India under Section 1 and Section 75 of the Information Technology Act, but this provision lacks practical value until and unless the person can be extradited to India. Therefore it's advised that we should have Extradition treaties among countries. To make such provisions workable.
It's like ‘eye for an eye' kind of situation where the technology can be curbed only by an understanding of the technology taken over by cyber terrorists. Even if the technology is made better enough to curb the computer related crime there is no guarantee if that would stay out of reach of cyber terrorists. Therefore Nations need to update the Law whether by amendments or by adopting sui generic system. Though Judiciary continues to comprehend the nature of computer related crimes there is a strong need to have better law enforcement mechanism to make the system workable.
Referances.
Sankar Sen, ‘Human Rights & Law Enforcement', 1st ed., 2002, Concept Publishing Co., New Delhi.
Dr. Sub hash Chandra Gupta, ‘Information technology Act, 2000 and its Drawbacks', National Conference on Cyber Laws & Legal Education, Dec. 22-24th 2001, NALSAR, University of Law, Print House, Hyderabad.
Dr. Farooq Ahmed, ‘Cyber Law in India (Laws on Internet)', Pioneer Books, Delhi.
1992 U.S. App. LEXIS 9562 (4th May 4, 1992)
Dr. Farooq Ahmed, ‘Cyber Law in India (Laws on Internet)', Pioneer Books, Delhi.
R v. Sean Cropp, Snearesbrook Crown Court, 4th July 1991. (303)
B.R Suri & T.N Chhabra, ‘Cyber Crime', 1st ed., 2002, Pentagon Press, Delhi.
Dr. Farooq Ahmed, ‘Cyber Law in India (Laws on Internet)', Pioneer Books, Delhi.
Rupam Banerjee, ‘The Dark world of Cyber Crime', July 7, 2006 can be viewed at http://articles.sakshay.in/index.php?article=15257
Prof. Unni, ‘Legal Regulations on Internet Banking', 2007, NALSAR University of Law, Hyderabad.
"Anusuya Sadhu", "The Menace of Cyber Crime", can be viewed at
http://www.legalserviceindia.com/articles/article+2302682a.htm
3 L.R.Q.B. 360, 371 (Q.B. 1868).
AIR 1965 SC 881.
413 U.S 15.24 (1973)
Dr. Farooq Ahmed, ‘Cyber Law in India (Laws on Internet)', Pioneer Books, Delhi.
B.R Suri & T.N Chhabra, ‘Cyber Crime', 1st ed., 2002, Pentagon Press, Delhi.
[1997] 2 All ER 548
Justice S.B. Sinha, ‘Cyber Crime in the Information Age', National Conference on Cyber Laws & Legal Education, Dec. 22-24th 2001, NALSAR, University of Law, Print House, Hyderabad.
Prof. V.K Unni, ‘Legal strategies for a Robust I.T Infrastructure', 2007, NALSAR University of Law Hyderabad.
Dr. Farooq Ahmed, ‘Cyber Law in India (Laws on Internet)', Pioneer Books, Delhi.
Sanker Sen, ‘Human Rights & Law Enforcement', 1st ed., 2002, Concept Publications, New Delhi.
Dr. Farooq Ahmed, ‘Cyber Law in India (Laws on Internet)', Pioneer Books, Delhi.
Ajmal Eddappagath, ‘Cyber Laws and Enforcement'
Can be viewed at http://www.iimahd.ernet.in/egov/ifip/dec2004/article2.htm
Dr. Subhash Chandra Gupta - Information Technology Act, 2000 and its drawbacks, ‘National Conference on Cyber Laws & Legal Education', Dec. 22-24th 2001, NALSAR, University of Law, Print House, Hyderabad.
C. Suman and Duvva Pavan Kumar, ‘Data Protection - An overview', National Conference on Cyber Laws & Legal Education, Dec. 22-24th 2001, NALSAR, University of Law, Print House, Hyderabad.
Cris Reed and John Angel, ‘Computer Law', 5th ed., 2003, Oxford University Press Inc., New York.
S.K Verma and Raman Mittal, ‘Legal Dimensions of Cyber Space, 2004, Indian Law Institute, New Delhi.
Cris Reed and John Angel, ‘Computer Law', 5th ed., 2003, Oxford University Press Inc. New York.
0 Comments