INFORMAT MATION TECHNOLOGY ACTS OGY

A Seminar Report Submitted by

AKSHAY SHARMA
In partial fulfilment for the award of the degree of rtial gree

BAC BACHELOR OF TECHNOLOGY

IN COMPUTER SCIENCE At

Vivekana ekananda Institute of Technology- East Ea

February, 2012

Candidates Declaration
I hereby declare that the work, which is being presented in the seminar, entitled INFORMATION TECHNOLOGY ACT in partial fulfilment for the award of Degree of Bachelor of Technology in Dept. of Computer Science Engineering with specialization computer science and submitted to the Department of Computer Science Engineering, Vivekananda Institute of Technology-East is a record of my own investigations carried under the Guidance of Ms. Kiran Khatnal Department of Computer Science Engineering. I have not submitted the matter presented in this seminar anywhere for the award of any other Degree.

Akshay Kumar Sharma Computer Science Enrolment No.: 08E1VVCSM40P008

Supervisor:

Ms. Kiran Khatnal

Head of Department:

Mrs. Poonam Gera

ABSTRACT

Cyber crime is emerging as a serious threat. The growing danger from crimes committed against computers, or against information on computers, is beginning to claim attention in national capitals. Worldwide governments, police departments and intelligence units have started to react. Initiatives to curb cross border cyber threats are taking shape. Indian police has initiated special cyber cells across the country and have started educating the personnel. India entered the regime of regulated Cyber Space on 17th October 2000 when Information Technology Act 2000 (ITA 2000) was notified. The primary purpose of the Act is to provide legal recognition to electronic commerce and to facilitate filing of electronic records with the Government. The IT Act also penalizes various cyber crimes and provides strict punishments (imprisonment terms up-to 10years and compensation up 1 crore). The Indian Penal Code (as amended by the IT Act) penalizes several cyber crimes. These include forgery of electronic records, cyber frauds, destroying electronic evidence etc. Digital Evidence is to be collected and proven in court as per the provisions of the Indian Evidence Act (as amended by the IT Act). In case of bank records, the provisions of the Bankers Book Evidence Act (as amended by the IT Act) are relevant. Investigation and adjudication of cyber crimes is done in accordance with the provisions of the Code of Criminal Procedure and the IT Act. The Reserve Bank of India Act was also amended by the IT Act. . A forgotten element of ITA 2000 was an inbuilt mechanism for review through the Cyber Regulations Advisory Committee which was a mandatory consultative body for framing rules and suggesting amendments. This report is an attempt to provide a glimpse on cyber crime, Indian Information Technology Act 2000, its amendment, Digital Signature and Intellectual Property Rights.

Acknowledgement

The satisfaction that accompanies that the successful completion of any task would be incomplete without the mention of people whose ceaseless cooperation made it possible, whose constant guidance and encouragement crown all efforts with success. I express my sincere gratitude to Mrs. Poonam Gera, Head of the Department, and my Seminar Guide for providing me with adequate facilities, ways and means by which I was able to complete this seminar. I express my sincere gratitude to her for constant support and valuable suggestions without which the successful completion of this seminar would not have been possible. I thank all others, and especially my classmates and my family members who in one way or another helped me in the successful completion of this work.

Akshay Kr. Sharma Computer Science Roll No: 08EVVCS008

ii

Table of Contents

Chapter No. Abstract Acknowledgement I Introduction

1.1 1.2 1.3 Cyber Space Cyber Crime

Title

Page No i ii 1
1 1 2 2 2 3 4 4 6 7 10 11 11 12 12

1.2.1 United Nations Definition of Cybercrime Classification of Cyber Crime 1.3.1 Types of attacks 1.3.2 Types of Offenders 1.4 Computer Security 1.4.1 Breaches of physical Security 1.4.2 Breaches of Personnel Security 1.4.3 Breaches of Communications and Data Security 1.4.4 Breaches of Operations Security 1.5 Handling Computer Crime 1.5.1 Steps Taken After the Breach 1.5.2 Methods of Investigations 1.5.3 Recommendations Because of Laws

II

Cyber Laws: A Global Perspective

2.1 2.2 Cyber Laws- worldwide Indian Cyber Law

14
14 16

III

The Information Technology Act, 2000

3.1 3.2 Objective Preliminary 3.2.1 Short title, extent, commencement and application 3.2.2 Definitions

17
17 17 17 18

3.3 3.4 3.5 3.6 3.7 3.8

The salient features of the Information Technology Act, 2000 Important Sections of IT Act, 2000 Offences Penalties and Adjudication Amendments to Other Acts Conclusion

22 23 27 28 31 31

IV

Digital Signature
4.1 4.2 Authentication of electronic records Secure Digital Signatures 4.2.1 Security procedure 4.3 4.4 4.5 Regulation of Certifying Authorities Digital Signature Certificate Duties of Subscriber

32
32 32 32 33 39 42

Information Technology (Amendment) Act, 2008

5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 Background Substitution of digital signature by electronic signature New Definition Added Salient features of the Information Technology (Amendment) Act, 2008 New offences under IT Act Amendment, 2000 5.5.1 Punishment Corporate responsibility introduced Legal validity of electronic documents re-emphasized Conclusion

44
44 45 45 47 49 50 51 52 52

VI

Intellectual Property Rights

6.1 6.2 Introduction Intellectual Property Right Laws 6.2.1 Patents Laws 6.2.2 Copyrights and related rights 6.2.3 Trademarks Laws

54
54 54 55 56 56

6.2.4 Geographical indications 6.2.5 Protection of plant varieties 6.2.6 Industrial designs 6.2.7 Layout designs of integrated circuits 6.2.8 Conclusion

57 57 58 58 58

VII

Cyber Crime Cases in India

7.1 Statistics on Cyber Crimes

59
59

VIII

Case Studies
8.1 8.2 Sony-sambandh.com Case Pune Citibank Mphasis Call Center Fraud

62
62 63

References

64

List of Tables

S No.
1 2 3

Title
Offences Substitution of digital signature by electronic signature in Chapter/section/sub-section/Clause of IT Act, 2000 New offences under IT Act (Amendment), 2000:

Page No
27 45 49

List of Figures

S No.
1

Title
Extent of Progress on Updating Cyber Crime Laws

Page No
15

Chapter I

1.

IntroductionThe world of Internet today has become a parallel form of life and living. Public are now capable of doing things which were not imaginable few years ago. The Internet is fast becoming a way of life for millions of people and also a way of living because of growing dependence and reliance of the mankind on these machines. Internet has enabled the use of website communication, email and a lot of anytime anywhere IT solutions for the betterment of human kind. Internet, though offers great benefit to society, also present opportunities for crime using new and highly sophisticated technology tools. Today e-mail and websites have become the preferred means of communication. Organizations provide Internet access to their staff. By their very nature, they facilitate almost instant exchange and dissemination of data, images and variety of material. This includes not only educational and informative material but also information that might be undesirable or anti-social. Regular stories featured in the media on computer crime include topics covering hacking to viruses, web-jacker, to internet paedophiles, sometimes accurately portraying events, sometimes misconceiving the role of technology in such activities. Increase in cyber crime rate has been documented in the news media. Both the increase in the incidence of criminal activity and the possible emergence of new varieties of criminal activity pose challenges for legal systems, as well as for law enforcement.

1.1

Cyber Space: Cyber space is a collective noun for the diverse range of environments that have arisen using the Internet and the various services. The expression crime is defined as an act, which subjects the doer to legal punishment or any offence against morality, social order or any unjust or shameful act. The offence is defined in the Code of Criminal Procedure to mean as an act or omission made punishable by any law for the time being in force.

1.2

Cyber Crime: In Simple way we can say that cyber crime is unlawful acts wherein the computer is either a tool or a target or both. Cyber crime, also called computer crime, is any illegal behaviour directed by means of electronic operations that targets the Security of computer systems and the data processed. Cyber crimes can involve criminal activities that are traditional in nature, such as theft, fraud, forgery, defamation and mischief. Such crimes may threaten a nations Security and financial health. Issues surrounding these types of crime have become high-profile, particularly those surrounding

cracking, copyright infringement, child pornography, and child grooming. There are also problems of privacy when confidential information is lost or intercepted, lawfully or otherwise. Internationally, both governmental and non-state actors engage in cybercrimes, including espionage, financial theft, and other cross-border crimes. Activity crossing international borders and involving the interests of at least one nation state is sometimes referred to as cyber warfare. The international legal system is attempting to hold actors accountable for their actions through the International Criminal Court. 1.2.1 United Nations Definition of CybercrimeCybercrime spans not only state but national boundaries as well. Perhaps we should look to international organizations to provide a standard definition of the crime. At the Tenth United Nations Congress on the Prevention of Crime and Treatment of Offenders, in a workshop devoted to the issues of crimes related to computer networks, cybercrime was broken into two categories and defined thus: (a) Cybercrime in a narrow sense (computer crime): Any illegal behaviour directed by means of electronic operations that targets the Security of computer systems and the data processed by them. (b) Cybercrime in a broader sense (computer-related crime): Any illegal behaviour committed by means of, or in relation to, a computer system or network, including such crimes as illegal possession [and] offering or distributing information by means of a computer system or network. 1.3 Classification of Cyber Crime: Cyber crime can be classified in three typesAgainst Property- Financial crimes, cheating on-line, illegal funds transfer Against Persons- On-line harassment, Cyber Stalking, Obscenity Against Nationsinfrastructures 1.3.1 Types of attacksIn this age of automation and connectivity, almost all organizations are vulnerable to cyber crimes. Here are the most common targets for cyber crimes: Military and Intelligence Attacks: Espionage agents may target military and intelligence computers. National Security increasingly depends on computers. Computers store Cyber Terrorism, Damaging critical information

information ranging from the positioning of Air Force satellites to plans for troop deployment throughout the world. Espionage agents have learned that they can get what they want from computers. Business Attacks: Businesses may be the target of their competitors. The worldwide economic competition is becoming fiercer. Industrial espionages have become a growing threat because of the competition among national economies. Even friendly nations in the past have become our economic enemies. Financial Attacks: Professional criminals may target Banks and other financial organizations for financial gain. These days, our money may seem to be nothing but bits in a computer, numbers on a screen, and ink on an occasional bank statement. We tend to depend on more on computer to pay our bills and deposit our checks electronically. Theft and fraud cases are also increasingly done electronically as well. Terrorist Attacks: Terrorists may target any organization but especially government and utility company computers. Their purposes could be to paralyze the government or cause disastrous accidents. Grudge Attacks: Any company can be the target of its own employees or ex-employees. Similarly, universities may be the target of their students and former students. Their goals are for revenge. Fun Attacks: Any organization can be the target of crackers, sometimes theyre seeking for the intellectual challenge, and sometimes they are professionals who may do it to be hired. 1.3.2 Types of OffendersCrackers: Cracker is a person who engages in computer and telecommunications intrusion. Crackers operate in groups or in individuals. The motivation of a cracker is to access a system or data. Criminals: There are three major types of criminal behaviour: espionage, fraud and abuse. The common motivation of a criminal is financial gain.

Vandals: Vandals can be roughly divided into two groups: users and strangers. Users are those who are authorized to use the system they abuse, but they have extended their privileges. Strangers are those who are not authorized to use the system in any way. A main motivation of vandal is to damage the system or data files. 1.4 Computer Security: There are four types of computer security1. Physical Security is protection of the physical building, computer, related equipment, and media (e.g., disks and tapes). 2. Personnel Security includes preventing computer crimes. That is to protect computer equipment and data from a variety of different types of people, including employees, vendors, contractors, professional criminals and others. 3. Communications Security is to protect software and data, especially when it passes from one computer to another computer across a network connection. 4. Operations Security is protection of the procedures used to prevent and detect Security breaches, and the development of methods of prevention and detection. 1.4.1 Breaches of physical SecurityDumpster Diving: Dumpster diving is called trashing. It means searching for access codes or other sensitive information in the trash. With the electronic version of dumpster diving, crackers may try to recover erased data from tapes or disks. Potential offenders are: 1. System users, anyone able to access the trash area. 2. Anyone who has access to computer areas or areas used to store backups. Wiretapping: Wiretapping is Interception of communications signals with the intent to gain access to information transmitted over communications circuits. Telephone and network wiring is often not Secured as it should be. Intruders can physically damage it and can pick up the data flowing across the wires. Criminals sometimes use wiretapping methods to eavesdrop on communications, especially in telephone fraud.

Potential offenders are: 1. 2. 3. 4. Communications technicians and engineers. Agents for competitors. Communications employees, former employees, vendors, and contractors. Agents for foreign intelligence services.

Eavesdropping on Emanations: Computer equipment emits electromagnetic impulses. Whenever you strike a computer key, an electronic impulse is sent into the immediate area. Potential offenders may take advantage of these electronic emanations by monitoring, intercepting, and decoding them. Because of the emanation threat, government computers used to store and process classified information require special physical shielding. Its a major concern for military and intelligence data. Potential offenders are the same as wiretappings. Denial or Degradation of Service: Denial of service is called interdiction. It refers to any action or series of actions that prevent any part of a system from functioning in accordance with its intended purpose. This includes any action that causes unauthorized destruction, modification, or delay of service. Delay or partial denial is more often called degradation of service. One example may involve flooding a computer resource with more requests than it can handle. The attack is initiated by sending excessive demands to the victims computers, exceeding the limit that the victims servers can support and making the server crash. This causes the resource (e.g. a web server) to crash and cannot provide normal services for authorized users. Its very difficult to prevent such attacks. Recommendation for the Prevention: (physical Security) Physical Security can prevent disaster, or at least to minimize the effects of them. Major concerns of basic physical Security: 1. Locks and keys. The first line of defence against intruders is to keep them out of your building or computer room. 2. Natural disasters, such as fire, flood, lightning, and earthquakes. 3. Environmental threats, such as electricity and heating and air conditioning systems.

1.4.2 Breaches of Personnel SecurityMasquerading: Masquerading is acting as an authorized user, usually trying to gain access to a system. It is similar to spoofing, mimicking, and impersonation. Masquerading may be done in person or remotely. There are two forms of masquerading: physical and electronic. In person, a criminal may use an authorized users identity or access card to get into restricted areas where he can access to computers and data. Electronically, an unauthorized person will use an authorized users logon ID, password personal identification number, or telephone access code to gain access to a computer or to a particular set of sensitive data files. Social Engineering: Social engineering is to gain privileged information about a computer system by skilful lying, usually over a telephone line. Some crackers are very good at social engineering, and use it to discover telephone number, account names, passwords, and other access information of the legitimate users. This is usually done by acting as an authorized user or administrator, and asking for assistance. Harassment: Harassment is using computer methods (e.g., email) to slander or bother someone. Sending threatening email message and slandering people on bulletin board systems and newsgroups are common types. Software Piracy: Software piracy is copying of software without authorization. Potential offenders are: 1. Buyers and users of commercial software. 2. Software pirates. 3. Employees who steal proprietary software. Recommendation for the Prevention: (personnel Security) People are the biggest threat to computer. There are many types of people who imperil computers and information, ex. employees, vendors, contractors, professional criminals. It is necessary to develop a personnel Security program according to different people/different threats. Important components of personnel Security are background checks and careful monitoring on the job.

1.4.3 Breaches of Communications and Data Security1.4.3.1 Data Attacks: There are many types of attacks on the confidentiality, integrity, and availability of data. Confidentiality keeps data Sec ret from those not authorized to see it. Integrity keeps data safe from modification by those not authorized to change it. Availability keeps data available for use. Unauthorized Copying of Data: Piracy is an example of the unauthorized copying of data. Preventing and detecting this type of attack requires coordinated policies among the different categories of computer Security. Traffic Analysis: Traffic analysis means collection and analysis of information. An eavesdropper can get desired information by analysis of message characteristics (e.g., length, frequency, and destination). Sometimes, the attacks on data might not be so obvious. Even data that appears quite ordinary may be valuable to a foreign or industrial spy. For example, travel itineraries for generals and other dignitaries help terrorists plan attacks against their victims. Covert Channels: Covert channels mean a communications channel that allows two cooperating processes to transfer information in a manner that violates the systems Security policy. A smart insider can hide stolen data in other innocent output. For example, a filename or contents of a report could be changed slightly to include Sec ret information that is obvious only to someone who is looking for it. 1.4.3.2 Software Attacks: Trap Doors: Trap door is also called back door. It is a hidden software or hardware mechanism that can be triggered to allow system protection mechanisms to be circumvented. It is one of classical software attacks. Trap door is activated in some innocent-appearing manner (e.g., a special random key sequence or transaction in an application at a terminal). Software developers often include trap doors in their code to enable them to renter the system and perform certain functions.

Session hijacking: Session hijacking is taking over an authorized users terminal session, either physically when the user leaves his terminal unattended or electronically when the intruder carefully connects to a justdisconnected communications line. Session hijacking is a relatively new type of attack in the communications category. Tunneling: Tunneling uses one data transfer method to carry data for another method. Tunneling is an often-legitimate way to transfer data over incompatible networks, but it is illegitimate when it is used to carry unauthorized data in legitimate data packets. Timing Attacks: Timing attacks mean attacks that take advantage of the timing of computer processes and operations to get access. These include the abuse of race conditions and asynchronous attacks. In race conditions, there is a race between two processes operating on a system. The outcome depends on who wins the race. Asynchronous attacks are another way of taking advantage of dynamic system activity to get access. Potential offenders are advanced system analysts, advanced computer programmers. Trojan Horses: Trojan horses are a computer program with an apparently or actually useful function that contains additional (hidden) functions that surreptitiously exploit the legitimate authorizations of the invoking process to the detriment of Security or integrity. Trojan horses are a common technique for planting other problems in computers, including viruses, worms, logic bombs and salami attacks. Potential offenders are: 1. 2. 3. 4. 5. 6. Programmers who have detailed knowledge of a program. Employees of former employees. Vendor or contractor programmers. Financial system programmers. Computer users/ operators. Crackers.

Viruses and Worms: A virus is a self-propagating program, which may be embedded in software or firmware. A virus spreads when the program containing executes. A worm is a standalone program that can propagate to other computers via networks. It exists independently of any other programs. A worm simply replicates itself on one computer and tries to infect other computers that may be attached to the same network. There is an important distinction between worms and viruses: a worm operates over a network, but in order to infect a machine, a virus must be physically copied. They have many similarities, and both can be introduced into systems via Trojan horses. Potential offenders are the same as Trojan horses. The best way to prevent viruses and worms from invading a system are: 1. Be vigilant about introducing new and untrusted software into a system. 2. Use virus-scanning software to check for viruses. 3. Do frequent and careful backups. Salamis: Salami technique is the process of secretly and repetitively slicing away tiny amounts of money (like the slices of salami) in a way that is unlikely to be noticed. It works on financial data, e.g., taking advantage of the rounding of decimals in bank interest calculations. Potential offenders are the same as Trojan horses. Logic Bombs: Logic bombs are a resident computer program that triggers an unauthorized act when a certain event (e.g., a date) occurs. A typical logic bomb tells the computer to execute a set of instructions at a certain date and time or under certain specified conditions. Potential offenders are the same as Trojan horses.

Recommendation for the Prevention: (communications Security) As more companies connect their networks to the Internet, communications Security is particularly important. There are many different ways to protect communications: 1. Access control, e.g., the use of good password. It is crucial to enforcing computer Security in networked environments. 2. Cryptographic methods, e.g., encryption of transmitted data. 3. Physical protection and shielding of network cabling. 4. Firewall technology. It can protect internal systems and networks from other networks. 1.4.4 Breaches of Operations SecurityData Diddling: Data diddling, also called false data entry, is to alter data in an unauthorized manner before, during, or after input into a computer system. Potential Offenders are: 1. 2. 3. 4. Participants in transactions being entered or updated. Suppliers of source data. Somebody who prepares the data. Nonparticipant with access.

IP Spoofing: IP spoofing is a method of masquerading in which an attacker forges the addresses on data packets sent over the Internet so they appear to be coming from insider a network in which systems trust each. How can an operations Security program prevent IP spoofing attacks? Two good ways are to require passwords in all cases and to prevent trust relationships. Password Sniffing: Password sniffers mean sniffers are programs that monitor all traffic on a network, collecting a certain number of bytes from the beginning of each session, usually the part where the password is typed unencrypted on certain common Internet service such as FTP and Telnet. One-time passwords and encrypted passwords are good ways to keep password sniffing attacks from compromising systems. Scanning: Scanning is running a program, often called a war dialler or a demon dialler, which ties a set of sequentially changing numbers (e.g.,

10

telephone numbers or passwords) to determine which ones respond positively. For example, with telephone number, the program would report those that successfully connect to modems. It is similar to war dialling a technique often used by novice crackers. Potential offenders are: 1. Malicious intruders. 2. Spies attempting to access systems for targeted data. 3. Criminals intent on committing fraud. Excess Privileges: Users in a system have excess privilegesmore privileges than they ought to have. In UNIX environments, intruders who manage to get root or super user privileges can play havoc with the system. In mainframe systems, abuse of privileges is sometimes called super zapping. Potential offenders are: 1. Programmers with access to Super zap-type programs. 2. Computer operations staff. Recommendation for the Prevention: (operations Security) Operations Security includes two major aspects of computer Security: 1. Ways you can increase awareness among potential victims of possible computer crimes. 2. Ways you can keep computer criminals from actually committing a computer crime. Operations Security cannot exist in a vacuum. The only way it can be effective is if it is integrated into an organizations physical, personnel, and communications Security programs. In fact, operations Security are used to help make those programs more productive. 1.5 Handling Computer Crime: 1.5.1 Steps Taken After the BreachThe first step is to assess the situation. You need ask following question: 1. What is the severity level of the intrusion? 2. Who will be involved in the investigation? 3. Who is responsible for determining future actions?

11

The more such questions have been addressed in advance by the adoption of a written Security policy, the more quickly and accurately the effects of the breach can be ameliorated. The Second step is to repair damage and prevent recurrence. The organization may have to seek help from outside expertise. In the past, following a serious breach, the government is one choice for an organization when investigating computer crime. With the number of computer crimes growing each year, the resources of most governmental agencies have been overburdened. They have insufficient personnel resources to handle the load and inadequate technical expertise to thoroughly research the cases. Private companies specializing in the field of network Security now offer computer crime and forensic evidence services. Such specialists must have the specific knowledge base to efficiently and quickly complete investigations, with a background in recovery and analysis of computer forensics, formal investigations, and the relevant laws. 1.5.2 Methods of InvestigationsInitial assessment includes a careful examination and inventory of all potentially affected systems. The important first step is determining if a criminal still has control of any relevant computer. If they are still logged on, an important decision is to decide whether to terminate the user. Leaving the intruder on the system may provide a better opportunity of profiling and ultimately identifying and apprehending the attacker. On the other hand, if investigator decides to lock the user out and disconnect the system from network they can often limit the damage to what the malicious user has already accomplished. As a general rule, an investigator should not let the attacker know that they are being disconnected or tracked due to unauthorized access. 1.5.3 Recommendations Because of LawsCyber crimes can involve criminal activities that are traditional in nature, such as theft and fraud. However, Cyber crime is different from the traditional crime. Business and governments need legal protection and technical measures to protect themselves from those who would steal or destroy valuable information. Self-protection is not sufficient to make cyberspace a safe place to conduct business. The rule of law must be enforced. At present, the state of global legal protection against cyber crime is weak. There are following suggestions: 1. Firms should secure their networked information. Laws to enforce property rights work only when property owners take reasonable steps to protect their property in the first place.

12

2. Government should assure that their laws apply to cyber crimes. National governments remain the dominant authority for regulating criminal behaviour in most places in the world. Firms, governments, and civil society should work cooperatively to strengthen legal frameworks for cyber Security. To be prosecuted across a border, an act must be a crime in each jurisdiction.

13

Chapter II

2.

Cyber Laws: A Global PerspectiveSuccess in any field of human activity leads to crime that needs mechanisms to control it. Legal provisions should provide assurance to users, empowerment to law enforcement agencies and deterrence to criminals. The law is as stringent as its enforcement. Crime is no longer limited to space, time or a group of people. Cyber space creates moral, civil and criminal wrongs. It has now given a new way to express criminal tendencies. Back in 1990, less than 100,000 people were able to log on to the Internet worldwide. Now around 500 million people are hooked up to surf the net around the globe. Until recently, many information technology (IT) professionals lacked awareness of an interest in the cyber crime phenomenon. In many cases, law enforcement officers have lacked the tools needed to tackle the problem; old laws didnt quite fit the crimes being committed, new laws hadnt quite caught up to the reality of what was happening, and there were few court precedents to look to for guidance. Furthermore, debates over privacy issues hampered the ability of enforcement agents to gather the evidence needed to prosecute these new cases. Finally, there was a certain amount of antipathyor at the least, distrust between the two most important players in any effective fight against cyber crime: law enforcement agencies and computer professionals. Yet close cooperation between the two is crucial if we are to control the cyber crime problem and make the Internet a safe place for its users. Law enforcement personnel understand the criminal mindset and know the basics of gathering evidence and bringing offenders to justice. IT personnel understand computers and networks, how they work, and how to track down information on them. Each has half of the key to defeating the cyber criminal. IT professionals need good definitions of cybercrime in order to know when (and what) to report to police, but law enforcement agencies must have statutory definitions of specific crimes in order to charge a criminal with an offense.

2.1

Cyber Laws- worldwide: Based on its findings in the E-Readiness study, and in the wake of the Philippines inability to prosecute the student responsible for the I Love You virus, McConnell International surveyed its global network of information technology policy officials to determine the state of cyber Security laws around the world. Countries were asked to provide laws that would be used to prosecute criminal acts involving both private and public sector computers.

14

Over fifty national governments responded with recent pieces of legislation, copies of updated statutes, draft legislation, or statements that no concrete course of action has been planned to respond to a cyber attack on the public or private Sector. Countries were provided the opportunity to review the presentation of the results in draft, and this report reflects their comments. Countries that provided legislation were evaluated to determine whether their criminal statutes had been extended into cyberspace to cover ten different types of cyber crime cyberspace in four categories: data related crimes, including interception, modification, and theft; data-related network-related crimes, including interference and sabotage; crimes of access, related including hacking and virus distribution; and associated computer-related crimes, distribution; computer including aiding and abetting cyber criminals, computer fraud, and computer forgery. three Thirty-three of the countries surveyed have not yet updated their laws to address any type of cyber crime. Of the remaining countries, nine have enacted legislation to countries, address five or fewer types of cyber crime, and ten have updated their laws to prosecute against six or more of the ten types of cyber crime. Figure 1 provides a categorization of the 52 countries surveyed.

Fig. 1: Extent of Progress on Updating Cyber Crime Laws

Substantially or Fully Updated (10): Australia, Canada, Estonia, India, Japan, Mauritius, Peru, Philippines, Turkey, United States No Updated Laws (33): Albania, Bulgaria, Burundi, Cuba, Dominican Republic, Egypt, Ethiopia, Fiji, France, Gambia, Hungary, Iceland, Iran, Italy, Jordan, Kazakhstan, Latvia, Lebanon, Lesotho, Malta, Moldova, Morocco, New Zealand, Nicaragua, Nigeria, Norway, Romania, South Africa, Sudan, Vietnam, Yugoslavia, Zambia, Zimbabwe

Partially Updated (9): Brazil, Chile, China, Czech Republic, Denmark, Malaysia, Poland, Spain, United Kingdom

Even among these countries, crimes are not treated uniformly. In some, unauthorized access is a crime only if harmful intent is present; in others, data theft is a crime only if the data relates specifically to an individuals religion or health, or if the intent is to es defraud. Laws tend to be biased in favour of protecting public sector computers.

15

Discrepancies exist even within countries. For example, in September 2000, the Australian Democratic Party criticized the South Australian (state) government for creating a heaven for cyber criminals by not having updated its laws to combat computer-based crime in accordance with the laws of Australias other states. The penalties provided in updated criminal statutes vary widely. Mauritius, the Philippines, and the United States have stronger penalties than many other countries for convictions of covered cyber crimes. However, no country has fully resolved all the issues such as legal, enforcement and prevention of crime. The legislations enacted by different countries cover only few of the classified computer-related offences. However, looking to the dynamic and fast changing technology, new types of offences may pop-up frequently. Some of the major types of offences against which many countries across the globe have enacted various Acts (mostly at preliminary levels) are as follows: 1. Data Interception: Interception of data in transmission. 2. Data Modification: Alteration, destruction, or erasing of data. 3. Data Theft: Taking or copying data, regardless of whether it is protected by other laws, e.g., copyright, privacy, etc. 4. Network Interference: Impeding or preventing access for others. The most common example of this action is instigating a distributed denial of service (DDOS) attack, flooding Web sites or Internet Service Providers. DDOS attacks are often launched from numerous computers that have been hacked to obey commands of the perpetrator. 5. Network Sabotage: Modification or destruction of a network or system. 6. Unauthorized Access: Hacking or cracking to gain access to a system or data. 7. Virus Dissemination: Introduction of software damaging to systems or data. 8. Aiding and Abetting: Enabling the commission of a cyber crime. 9. Computer-Related Forgery: Alteration of data with intent to represent as authentic. 10. Computer-Related Fraud: Alteration of data with intent to derive economic benefit from its misrepresentation. 2.2 Indian Cyber Law: Keeping in line with other countries, India also has passed its first cyber law, The Information Technology Act 2000, which aims to provide the legal backbone for enabling e-commerce in the country. However the arrival of Internet resulted in the rise of new and complex legal issues. As like the rest of the world, the existing laws of India also could not handle the various cyber space activities. As such the need arose for a Cyber Law.

16

Chapter III

3.

The Information Technology Act, 2000The United Nations General Assembly by resolution A/RES/51/162, dated the 30 January 1997 has adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution India passed the Information Technology Act 2000 in May 2000 and notified it for effectiveness on October 17, 2000. The Information technology Act 2000 has been substantially amended through the Information Technology Amendment Act 2008 which was passed by the two houses of the Indian Parliament on December 23, and 24, 2008. It got the Presidential assent on February 5, 2009 and was notified for effectiveness on October 27, 2009.

3.1

Objective: The IT Act 2000 provides a legal recognition to transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as electronic commerce, which involve the use of alternatives to paperbased methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental thereto.

3.2

Preliminary: 3.2.1 Short title, extent, commencement and application(1) This Act may be called the Information Technology Act, 2000. (2) It shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention there under committed outside India by any person. (3) It shall come into force on such date as the Central Government may, by notification, appoint and different dates may be appointed for different provisions of this Act and any reference in any such provision to the commencement of this Act shall be construed as a reference to the commencement of that provision. (4) Nothing in this Act shall apply to(a) A negotiable instrument as defined in Section 13 of the Negotiable Instruments Act, 1881. (b) A power-of-attorney as defined in Section 1A of the Powers-ofAttorney Act, 1882.

17

(c) A trust as defined in Section 3 of the Indian Trusts Act, 1882. (d) A will as defined in clause (h) of Section 2 of the Indian Succession Act, 1925 including any other testamentary disposition by whatever name called. (e) Any contract for the sale or conveyance of immovable property or any interest in such property. Any such class of documents or transactions as may be notified by the Central government in the Official Gazette. 3.2.2 DefinitionsSome Definitions are defined in IT Act 2000 under Section (1) A. In this Act, unless the context otherwise requires,(a) Access with its grammatical variations and cognate expressions means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network. Addressee means a person who is intended by the originator to receive the electronic record but does not include any intermediary. Adjudicating officer means an adjudicating officer appointed under subsection (1) of Section 46. Affixing digital signature with its grammatical variations and cognate expressions means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of digital signature. Appropriate Government means as respects any matter,(i) Enumerated in List II of the Seventh Schedule to the Constitution. (ii) Relating to any State law enacted under List III of the Seventh Schedule to the Constitution. The State Government and in any other case, the Central Government Asymmetric crypto system means a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature.

(b)

(c)

(d)

(e)

(f)

18

(g) (h)

Certifying Authority means a person who has been granted a licence to issue a Digital Signature Certificate under Section 24. Certification practice statement means a statement issued by a Certifying Authority to specify the practices that the Certifying Authority employs in issuing Digital Signature Certificates. computer means any electronic magnetic, optical or other highspeed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network. computer network means the interconnection of one or more computers through (i) The use of satellite, microwave, terrestrial line or other communication media. and (ii) Terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained. Computer resource means computer, computer system, computer network, data, computer data base or software. computer system means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions. Controller means the Controller of Certifying Authorities appointed under sub-Section (l) of Section 17. Cyber Appellate Tribunal means the Cyber Regulations Appellate Tribunal established under sub-Section (1) of Section 48. data means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or

(i)

(j)

(k)

(l)

(m)

(n)

(o)

19

computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer. (p) Digital signature means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of Section 3. Digital Signature Certificate means a Digital Signature Certificate issued under subsection (4) of Section 35. electronic form with reference to information means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device. Electronic Gazette means the Official Gazette published in the electronic form. Electronic record means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche. Function, in relation to a computer, includes logic, control arithmetical process, deletion, storage and retrieval and communication or telecommunication from or within a computer. Information includes data, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche.

(q)

(r)

(s)

(t)

(u)

(v)

(w) Intermediary with respect to any particular electronic message means any person who on behalf of another person receives stores or transmits that message or provides any service with respect to that message. (x) Key pair, in an asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key. Law includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the

(y)

20

case may be. Regulations made by the President under article 240, Bills enacted as President's Act under sub-clause (a) of clause (1) of article 357 of the Constitution and includes rules, regulations, byelaws and orders issued or made there under. (z) Licence means a licence granted to a Certifying Authority under Section 24. Originator means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary. Prescribed means prescribed by rules made under this Act. Private Key means the key of a key pair used to create a digital signature. Public key means the key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate. Secure system means computer hardware, software, and procedure that(i) Are reasonably secure from unauthorised access and misuse. (ii) Provide a reasonable level of reliability and correct operation. (iii) Are reasonably suited to performing the intended functions. (iv) Adhere to generally accepted Security procedures. Security procedure means the Security procedure prescribed under Section 16 by the Central Government. Subscriber means a person in whose name the Digital Signature Certificate is issued. Verify in relation to a digital signature, electronic record or public key, with its grammatical variations and cognate expressions means to determine whether (i) The initial electronic record was affixed with the digital signature by the use of private key corresponding to the public key of the subscriber.

(za)

(zb) (zc)

(zd)

(ze)

(zf)

(zg)

(zh)

21

(ii)

The initial electronic record is retained intact or has been altered since such electronic record was so affixed with the digital signature.

B. Any reference in this Act to any enactment or any provision thereof shall, in relation to an area in which such enactment or such provision is not in force, be construed as a reference to the corresponding law or the relevant provision of the corresponding law, if any, in force in that area. 3.3 The salient features of the Information Technology Act, 2000: Extends to the whole of India (Section 1) Authentication of electronic records (Section 3) Legal Framework for affixing Digital signature by use of asymmetric crypto system and hash function (Section 3) Legal recognition of electronic records (Section 4) Legal recognition of digital signatures (Section 5) Retention of electronic record (Section 7) Publication of Official Gazette in electronic form (Section 8) Security procedure for electronic records and digital signature (Section 14, 15, 16) Licensing and Regulation of Certifying authorities for issuing digital signature certificates (Section 17-42) Functions of Controller (Section 18) Appointment of Certifying Authorities and Controller of Certifying Authorities, including recognition of foreign Certifying Authorities (Section 19) Controller to act as repository of all digital signature certificates (Section 20) Data Protection (Section 43 & 66) Various types of computer crimes defined and stringent penalties provided under the Act (Section 43 and Section 66, 67, 72) Appointment of adjudicating officer for holding inquiries under the Act (Section 46 & 47) Establishment of Cyber Appellate Tribunal under the Act (Section 48-56) Appeal from order of Adjudicating Officer to Cyber Appellate Tribunal and not to any Civil Court (Section 57) Appeal from order of Cyber Appellate Tribunal to High Court (Section 62) Interception of information from computer to computer (Section 69) Protection System (Section 70) Act to apply for offences or contraventions committed outside India (Section 75) Network service providers not to be liable in certain cases (Section 79)

22

Power of police officers and other officers to enter into any public place and search and arrest without warrant (Section 80) Offences by the Companies (Section 85) Constitution of Cyber Regulations Advisory Committee who will advice the Central Government and Controller (Section 88)

3.4

Important Sections of IT Act, 2000: Section 44(Penalty for failure to furnish information, return, etc.)- If any person who is required under the Act or any rules or regulations made there-under to (a) furnish any document, return or report to the Controller or the Certifying Authority fails to furnish the same, he shall be liable to a penalty not exceeding one lack and fifty thousand rupees for each such failure, (b) file any return or furnish any information, books or other documents within the time specified therefore in the regulations fails to file return or furnish the same within the time specified therefore in the regulations, he shall be liable to a penalty not exceeding five thousand rupees for every day during which such failure continues, (c) Maintain books of account or records fail to maintain the same, he shall be liable to a penalty not exceeding ten thousand rupees for every day during which the failure continues. Section 45(Residuary penalty) further covers all other offences that may possibly arise under the act. It provides that "whoever contravenes any rules or regulations made under the Act, for the contravention of which no penalty has been separately provided, shall be liable to pay a compensation not exceeding twenty-five thousand rupees" to the person affected by such contravention or a penalty not exceeding twenty-five thousand rupees. (Power to adjudicate Adjudicating Officer) empowers the Central Government to appoint any officer not below the rank of a Director to the Government of India or an equivalent officer of a Stale Government to be an adjudicating officer for holding an inquiry regarding the commission of the offences laid out in Chapter IX in the manner prescribed by the Central Government. The persons appointed shall possess such experience in the field of Information Technology and legal or judicial experience as may be prescribed by the Central

Section 46-

23

Government. Where more than one adjudicating officers are appointed, the Central Government shall specify by order the matters and places with respect to which such officers shall exercise their jurisdiction. This is also discussed in S.Sekar vs. The Principal General Manager (Telecom), (BSNL) MANU/TN/9663/2007. (a) Every adjudicating officer appointed as above shall have the powers of a civil court which are conferred on the Cyber Appellate Tribunal under Section 58(2). Further all proceedings before it shall be deemed to be judicial proceedings within the meaning of Sections 193 and 228 of the Indian Penal Code, 1860 and it shall be deemed to be a civil court for the purposes of Sections 345 and 346 of the Code of Criminal Procedure, 1973. (b) The adjudicating officer shall offer the offender a reasonable opportunity for making representation in the matter. If, on such inquiry, he is satisfied that the person has committed the contravention, he may impose such penalty or award such compensation as he thinks fit in accordance with the provisions of the Act governing such offence. Section 47Prescribes the factors to be taken into account by the adjudicating officer while adjudging the quantum of compensation, namely: (a) the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default; (b) the amount of loss caused to any person as a result of the default; (c) The repetitive nature of the default. Section 65Tampering with computer source documents- Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy, or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lack rupees, or with both. Tampering with computer source documents was discussed in Syed Asifuddin and Ors. v. The State of Andhra Pradesh and Anr., 2005 Cri L J 4314, Jigar Mayurbhai Shah vs. State of Gujarat, (2008)2GLR1134, Pootholi Damodaran Nair v. Babu, 2005(2)KLT707, and Ravi Shankar Srivastava v. State of Rajasthan, 2005(2)WLC612.

24

Section 66-

(Computer related offences)- This Section deals with hacking the Computer System and states that whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking. It further states that whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lack rupees, or with both. The case of Nirav Navinbhai Shah v. State of Gujarat and Anr. MANU/GJ/8458/2006 involved Section 66. (Punishment for publishing or transmitting obscene material in electronic form)- This Section was in question in Dr. Prakash v. State of Tamil Nadu and Ors., AIR 2002 SC 3533, Fatima Riswana v. State Rep. By A.C.P., Chennai and Ors., (2005) 1 SCC 582, Assistant Commissioner of Police, Crime Record Bureau, Inspector of Police v. Saravanan and others, MANU/TN/1776/2003, Avnish Bajaj v. State (N.C.T.) of Delhi, (2005) 3 Comp L J 364(Del), M.Saravanan v. State of Tamilnadu, MANU/TN/8296/2006, and Maqbool Fida Husain v. Raj Kumar Pandey, MANU/DE/0757/2008 (Penalty for misrepresentation) This Section prescribes a penalty for any misrepresentation or suppression of any material fact from, the Controller or the Certifying Authority for obtaining any licence or Digital Signature Certificate. It states that such cases shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lack rupees, or with both. (Penalty for breach of confidentiality and privacy) Again if any person who, in pursuance of any of the powers conferred under the Act, rules or regulations made there-under, has Secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished under Section 72 with imprisonment for a term which may extend to two years, or with fine which may extend to one lack rupees, or with both. (Penalty for publishing (Electronic Signature) Certificate false in certain particulars) If a Digital Signature Certificate that is false in certain particulars is published or made available by a person to any other person with the knowledge that the Certifying Authority listed in the certificate has not issued it, or the subscriber listed in the

Section 67-

Section 71-

Section 72-

Section 73-

25

certificate has not accepted it, or the certificate has been revoked or suspended, then such person shall be punished under Section 73 with imprisonment for a term which may extend to two years, or with fine which may extend to one lack rupees, or with both. A publication that is for the purpose of verifying a digital signature created prior to such suspension or revocation is not penalized under this Section. Section 74(Publication for fraudulent purpose). This Section states that whoever knowingly creates publishes or otherwise makes available a Digital Signature Certificate for any fraudulent or unlawful purpose shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lack rupees, or with both. (Act to apply for offences or contravention committed outside India). This Section accords extra territorial application to the Act and states that the provisions of the Act shall apply also to any offence or contravention committed outside India by any person irrespective of his nationality. The Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India. As per Section 76, any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of the Act, rules, orders or regulations made there-under has been or is being contravened, shall be liable to confiscation. (Compensation, penalties or confiscation not to interfere with other punishment). This Section states that in addition to the penalties prescribed by the IT Act, imposition of any other punishment to which the person affected thereby is liable under any other law for the time being in force may also be made. The Act as amended gives a police officer not below the rank of Inspector the power to investigate any offence under the Act. (Exemption from liability of intermediary in certain cases)- This Section declares that no person providing any service as a network service provider shall be liable under the Act, rules or regulations made there-under for any third party information or data made available by him if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention. This issue was also discussed in the case of Sanjay Kumar Kedia vs. Narcotics Control Bureau and Anr. (2008)2 SCC 294.

Section 75-

Section 77-

Section 79-

26

3.5

Offences: The cyber crimes in the Act are classified into two categories i.e. civil penalties and criminal offences, the details of which are as follows:S No. 1. 2. 3. 4. 5. 6. 7. 8. 9. Unauthorised access Unauthorised copying, downloading and extraction of files Introduction of virus Damage to Computer System and computer Network Disruption of computer, computer network Denying authorised person access to computer Civil-Penalties Section Sec 43(a) Sec 43(b) Sec 43(c) Sec 43(d) Sec 43(e) Sec 43(f)

Providing assistance to any person to facilitate unauthorized Sec 43(g) access to a computer Charging the service availed by a person to an account of another Sec 43(h) person by tampering and manipulation of other computer Failure to furnish information, return, etc. To the Controller or Sec 44 Certifying Authority Criminal offences Tampering with computer source Documents (i.e. listing of Sec 65 programmes) Hacking computer system Sec 66 (1) Electronic forgery i.e. affixing of false digital signature, making Sec 74 false electronic record Sec 74 Electronic forgery for the purpose of cheating Electronic forgery for the purpose of harming reputation Using as genuine a forged electronic record Publication for fraudulent purpose Offences and contravention by companies Unauthorised access to protected system Confiscation of computer, network, etc. Publication of information which is obscene in electronic form Sec 74 Sec 85 Sec 85 Sec 85 Sec 70 Sec 76 Sec 67

1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14.

Misrepresentation or suppressing of material fact while obtaining Sec 71 any licence or digital signature Sec 72 Breach of confidentiality and Privacy Publishing fake Digital Signature Certificate Sec 73

27

3.6

Penalties and Adjudication: 3.6.1 Penalty for damage to computer, computer system, etcIf any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network, (a) accesses or secures access to such computer, computer system or computer network; (b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium; (c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network; (d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network; (e) disrupts or causes disruption of any computer, computer system or computer network; (f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means; (g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made there-under; (h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network, he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. Explanation- for the purposes of this section,(i) "computer contaminant" means any set of computer instructions that are designed-

28

(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or (b) by any means to usurp the normal operation of the computer, computer system, or computer network; (ii) "computer data base" means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network; "computer virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource; "Damage" means to destroy, alter, delete, add, modify or rearrange any computer resource by any means.

(iii)

(iv)

3.6.2

Penalty for failure to furnish information return, etcIf any person who is required under this Act or any rules or regulations made there-under to(a) Furnish any document, return or report to the Controller or? he Certifying Authority fails to furnish the same, he shall be liable to a penalty not exceeding one lack and fifty thousand rupees for each such failure; (b) file any return or furnish any information, books or other documents within the time specified therefore in the regulations fails to file return or furnish the same within the time specified therefore in the regulations, he shall be liable to a penalty not exceeding five thousand rupees for every day during which such failure continues; (c) Maintain books of account or records, fails to maintain the same, he shall be liable to a penalty not exceeding ten thousand rupees for every day during which the failure continues.

3.6.3

Residuary penaltyWhoever contravenes any rules or regulations made under this Act, for the contravention of which no penalty has been separately provided, shall be liable to pay a compensation not exceeding twenty-five thousand rupees to

29

the person affected by such contravention or a penalty not exceeding twenty-five thousand rupees. 3.6.4 Power to adjudicate(1) For the purpose of adjudging under this Chapter whether any person has committed a contravention of any of the provisions of this Act or of any rule, regulation, direction or order made there-under the Central Government shall, subject to the provisions of sub-section (3), appoint any officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government to be an adjudicating officers for holding an inquiry in the manner prescribed by the Central Government. (2) The adjudicating officer shall, after giving the person referred to in sub-section (1) a reasonable opportunity for making representation in the matter and if, on such inquiry, he is satisfied that the person has committed the contravention, he may impose such penalty or award such compensation as he thinks fit in accordance with the provisions of that section. (3) No person shall be appointed as an adjudicating officer unless he possesses such experience in the field of Information Technology and legal or judicial experience as may be prescribed by the Central Government. (4) Where more than one adjudicating officers are appointed, the Central Government shall specify by order the matters and places with respect to which such officers shall exercise their jurisdiction. (5) Every adjudicating officer shall have the powers of a civil court which are conferred on the Cyber Appellate Tribunal under sub-section (2) of section 58, and(a) all proceedings before it shall be deemed to be judicial proceedings within the meaning of sections 193 and 228 of the Indian Penal Code; (b) Shall be deemed to be a civil court for the purposes of sections 345 and 346 of the Code of Criminal Procedure, 1973. 3.6.5 Factors to be taken into account by the adjudicating officerWhile adjudging the quantum of compensation under this Chapter, the adjudicating officer shall have due regard to the following factors, namely:-

30

(a) the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default; (b) the amount of loss caused to any person as a result of the default (c) the repetitive nature of the default 3.7 Amendments to Other Acts through IT Act, 2000: Through the Information Technology Act, amendments have been made in the following other Acts:(i) Indian Evidence Act, 1872 (Sections 3, 17, 22, 34, 35, 39, 47, 59, 65, 67, 73, 81, 85, 88, 90 & 131) (ii) Indian Penal Code, 1860 (Sections 29, 167, 172, 173, 175, 192, 204, 463, 464, 466, 468, 469, 470, 471, 474, 476, & 477) (iii) Bankers Book Evidence Act, 1891(Section 2) (iv) Reserve Bank of India Act, 1934 (Section 58 (Sub-Section (2) Clause (P))

3.8

Conclusion: The Information Technology (IT) Act, 2000, specifies the acts which have been made punishable. Since the primary objective of this Act is to create an enabling environment for commercial use of I.T., certain omissions and commissions of criminals while using computers have not been included. With the legal recognition of Electronic Records and the amendments made in the several sections of the IPC vide the IT Act, 2000, several offences having bearing on cyber-arena are also registered under the appropriate sections of the IPC.

31

Chapter IV

4.
4.1

Digital SignatureAuthentication of electronic records: (1) (2) Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his digital signature. The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record. Explanation- For the purposes of this sub-section, "hash function" means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known' as "hash result" such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input making it computationally infeasible(a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm; (b) Those two electronic records can produce the same hash result using the algorithm. (3) (4) Any person by the use of a public key of the subscriber can verify the electronic record. The private key and the public key are unique to the subscriber and constitute a functioning key pair.

4.2

Secure Digital Signatures: If, by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was(a) unique to the subscriber affixing it; (b) capable of identifying such subscriber; (c) created in a manner or using a means under the exclusive control of the subscriber and is linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated, then such digital signature shall be deemed to be a secure digital signature. 4.2.1 Security procedure: The Central Government shall for the purposes of this Act prescribe the security procedure having regard to commercial circumstances prevailing at the time when the procedure was used, including(a) the nature of the transaction;

32

(b) the level of sophistication of the parties with reference to their technological capacity; (c) the volume of similar transactions engaged in by other parties; (d) the availability of alternatives offered to but rejected by any party; (e) the cost of alternative procedures; and (f) The procedures in general use for similar types of transactions or communications. 4.3 Regulation of Certifying Authorities: 4.3.1 Appointment of Controller and other officers(1) The Central Government may, by notification in the Official Gazette, appoint a Controller of Certifying Authorities for the purposes of this Act and May also by the same or subsequent notification appoints such number of Deputy Controllers and Assistant Controllers as it deems fit. (2) The Controller shall discharge his functions under this Act subject to the general control and directions of the Central Government. (3) The Deputy Controllers and Assistant Controllers shall perform the functions assigned to them by the Controller under the general superintendence and control of the Controller. (4) The qualifications, experience and terms and conditions of service of Controller, Deputy Controllers and Assistant Controllers shall be such as may be prescribed by the Central Government. (5) The Head Office and Branch Office of the office of the Controller shall be at such places as the Central Government may specify, and these may be established at such places as the Central Government may think fit. (6) There shall be a seal of the Office of the Controller. 4.3.2 Functions of ControllerThe Controller may perform all or any of the following functions, namely:(a) Exercising supervision over the activities of the Certifying Authorities. (b) Certifying public keys of the Certifying Authorities. (c) Laying down the standards to be maintained by the Certifying Authorities. (d) Specifying the qualifications and experience which employees of the Certifying Authorities should possess.

33

(e) Specifying the conditions subject to which the Certifying Authorities shall conduct their business. (f) Specifying the contents of written, printed or visual materials and advertisements that may be distributed or used in respect of a Digital Signature Certificate and the public key. (g) Specifying the form and content of a Digital Signature Certificate and the key, (h) Specifying the form and manner in which accounts shall be maintained by the Certifying Authorities. (i) Specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them. (j) Facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems. (k) Specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers. (l) Resolving any conflict of interests between the Certifying Authorities and the subscribers. (m) Laying down the duties of the Certifying Authorities. (n) Maintaining a data base containing the disclosure record of every Certifying Authority containing such particulars as may be specified by regulations, which shall be accessible to public. 4.3.3 Recognition of foreign Certifying Authorities(1) Subject to such conditions and restrictions as may be specified by regulations, the Controller may with the previous approval of the Central Government, and by notification in the Official Gazette, recognize any foreign Certifying Authority as a Certifying Authority for the purposes of this Act. (2) Where any Certifying Authority is recognized under sub-section (1), the Digital Signature Certificate issued by such Certifying Authority shall be valid for the purposes of this Act. (3) The Controller may, if he is satisfied that any Certifying Authority has contravened any of the conditions and restrictions subject to which it was granted recognition under sub-section (1) he may, for reasons to be recorded in writing, by notification in the Official Gazette, revoke such recognition.

34

4.3.4

Controller to act as repository(1) The Controller shall be the repository of all Digital Signature Certificates issued under this Act. (2) The Controller shall(a) Make use of hardware, software and procedures that are secure from intrusion and misuse. (b) Observe such other standards as may be prescribed by the Central Government, to ensure that the secrecy and security of the digital signatures are assured. (3) The Controller shall maintain a computerized data base of all public keys in such a manner that such data base and the public keys are available to any member of the public.

4.3.5

License to issue Digital Signature Certificates(1) Subject to the provisions of sub-section (2), any person may make an application, to the Controller, for a license to issue Digital Signature Certificates. (2) No license shall be issued under sub-section (1), unless the applicant fulfils such requirements with respect to qualification, expertise, manpower, financial resources and other infrastructure facilities, which are necessary to issue Digital Signature Certificates as may be prescribed by the Central Government (3) A license granted under this section shall(a) Be valid for such period as may be prescribed by the Central Government. (b) Not be transferable or heritable. (c) Be subject to such terms and conditions as may be specified by the regulations.

4.3.6

Application for license(1) Every application for issue of a license shall be in such form as may be prescribed by the Central Government. (2) Every application for issue of a license shall be accompanied by(a) A certification practice statement. (b) A statement including the procedures with respect to identification of the applicant. (c) Payment of such fees, not exceeding twenty-five thousand rupees as may be prescribed by the Central Government.

35

(d) Such other documents, as may be prescribed by the Central Government. 4.3.7 Renewal of licenseAn application for renewal of a license shall be(a) In such form. (b) Accompanied by such fees, not exceeding five thousand rupees. As may be prescribed by the Central Government and shall be made not less than forty-five days before the date of expiry of the period of validity of the license. 4.3.8 Procedure for grant or rejection of licenseThe Controller may, on receipt of an application under sub-section (1) of section 21, after considering the documents accompanying the application and such other factors, as he deems fit, grant the license or reject the application: Provided that no application shall be rejected under this section unless the applicant has been given a reasonable opportunity of presenting his case. 4.3.9 Suspension of license(1) The Controller may, if he is satisfied after making such inquiry, as he may think fit, that a Certifying Authority has(a) Made a statement in, or in relation to, the application for the issue or renewal of the license, which is incorrect or false in material particulars. (b) Failed to comply with the terms and conditions subject to which the license was granted. (c) Failed to maintain the standards specified under clause (b) of sub-section (2) of section 20. (d) Contravened any provisions of this Act, rule, and regulation or order made there-under, revoke the license: Provided that no license shall be revoked unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed revocation. (2) The Controller may, if he has reasonable cause to believe that there is any ground for revoking a license under sub-section (1), by order suspend such license pending the completion of any inquiry ordered by him: Provided that no license shall be suspended for a period exceeding ten days unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed suspension.

36

(3) No Certifying Authority whose license has been suspended shall issue any Digital Signature Certificate during such suspension. 4.3.10 Notice of suspension or revocation of license(1) Where the license of the Certifying Authority is suspended or revoked, the Controller shall publish notice of such suspension or revocation, as the case may be, in the database maintained by him. (2) Where one or more repositories are specified, the Controller shall publish notices of such suspension or revocation, as the case may be, in all such repositories: Provided that the data base containing the notice of such suspension or revocation, as the case may be, shall be made available through a web site which shall be accessible round the clock: Provided further that the Controller may, if he considers necessary, publicize the contents of database in such electronic or other media, as he may consider appropriate. 4.3.11 Power to delegateThe Controller may, in writing, authorize the Deputy Controller, Assistant Controller or any officer to exercise any of the powers of the Controller under this Chapter. 4.3.12 Power to investigate contraventions(1) The Controller or any officer authorized by him in this behalf shall take up for investigation any contravention of the provisions of this Act, rules or regulations made there under. (2) The Controller or any officer authorized by him in this behalf shall exercise the like powers which are conferred on Income-tax authorities under Chapter XIII of the Income-tax Act, 1961 and shall exercise such powers, subject to such limitations laid down under that Act. 4.3.13 Access to computers and data (1) Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any person authorized by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this Act, rules or regulations made there under has been committed, have access to any computer system, any apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system.

37

(2) For the purposes of sub-section (1), the Controller or any person authorized by him may, by order, direct any person in charge of, or otherwise concerned with the operation of, the computer system, data apparatus or material, to provide him with such reasonable technical and other assistance as he may consider necessary. 4.3.14 Certifying Authority to follow certain proceduresEvery Certifying Authority shall(a) Make use of hardware, software and procedures that are secure from intrusion and misuse. (b) Provide a reasonable level of reliability in its services which are reasonably suited to the performance of intended functions. (c) Adhere to security procedures to ensure that the secrecy and privacy of the digital signatures are assured. And (d) Observe such other standards as may be specified by regulations. 4.3.15 Certifying Authority to ensure compliance of the Act, etcEvery Certifying Authority shall ensure that every person employed or otherwise engaged by it complies, in the course of his employment or engagement, with the provisions of this Act, rules, regulations and orders made there under. 4.3.16 Display of licenseEvery Certifying Authority shall display its license at a conspicuous place of the premises in which it carries on its business. 4.3.17 Surrender of license(1) Every Certifying Authority whose license is suspended or revoked shall immediately after such suspension or revocation, surrender the license to the Controller. (2) Where any Certifying Authority fails to surrender a license under sub-section (1), the person in whose favour a license is issued, shall be guilty of an offence and shall be punished with imprisonment which may extend up to six months or a fine which may extend up to ten thousand rupees or with both.

38

4.3.18

Disclosure(1) Every Certifying Authority shall disclose in the manner specified by regulations(a) Its Digital Signature Certificate which contains the public key corresponding to the private key used by that Certifying Authority to digitally sign another Digital Signature Certificate. (b) Any certification practice statement relevant thereto. (c) Notice of the revocation or suspension of its Certifying Authority certificate, if any. And (d) Any other fact that materially and adversely affects either the reliability of a Digital Signature Certificate, which that Authority has issued, or the Authority's ability to perform its services. (2) Where in the opinion of the Certifying Authority any event has occurred or any situation has arisen which may materially and adversely affect the integrity of its computer system or the conditions subject to which a Digital Signature Certificate was granted, then, the Certifying Authority shall(a) Use reasonable efforts to notify any person who is likely to be affected by that occurrence. or (b) Act in accordance with the procedure specified in its certification practice statement to deal with such event or situation.

4.4

Digital Signature Certificate: 4.4.1 Certifying Authority to issue Digital Signature Certificate(1) Any person may make an application to the Certifying Authority for the issue of a Digital Signature Certificate in such form as may be prescribed by the Central Government Every such application shall be accompanied by such fee not exceeding twenty five thousand rupees as may be prescribed by the Central Government, to be paid to the Certifying Authority: Provided that while prescribing fees under sub-section (2) different fees may be prescribed for different classes of applicants'. Every such application shall be accompanied by a certification practice statement or where there is no such statement, a statement containing such particulars, as may be specified by regulations.

(2)

(3)

39

(4)

On receipt of an application under sub-section (1), the Certifying Authority may, after consideration of the certification practice statement or the other statement under subsection (3) and after making such enquiries as it may deem fit, grant the Digital Signature Certificate or for reasons to be recorded in writing, reject the application: Provided that no Digital Signature Certificate shall be granted unless the Certifying Authority is satisfied that(a) the applicant holds the private key corresponding to the public key to be listed in the Digital Signature Certificate; (b) the applicant holds a private key, which is capable of creating a digital signature; (c) The public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the applicant: Provided further that no application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection.

4.4.2

Representations upon issuance of Digital Signature CertificateA Certifying Authority while issuing a Digital Signature Certificate shall certify that(a) it has complied with the provisions of this Act and the rules and regulations made there-under, (b) it has published the Digital Signature Certificate or otherwise made it available to such person relying on it and the subscriber has accepted it (c) the subscriber holds the private key corresponding to the public key, listed in the Digital Signature Certificate; (d) the subscriber's public key and private key constitute a functioning key pair, (e) the information contained in the Digital Signature Certificate is accurate; and (f) It has no knowledge of any material fact, which if it had been included in the Digital Signature Certificate would adversely affect the reliability of the representations made in clauses (a) to (d).

4.4.3

Suspension of Digital Signature Certificate(1) Subject to the provisions of sub-section (2), the Certifying Authority which has issued a Digital Signature Certificate may suspend such Digital Signature Certificate,(a) on receipt of a request to that effect from(i) the subscriber listed in toe Digital Signature Certificate; or (ii) any person duly authorised to act on behalf of that subscriber,

40

(b) if it is of opinion that the Digital Signature Certificate should be suspended in public interest (2) A Digital Signature Certificate shall not be suspended for a period exceeding fifteen days unless the subscriber has been given an opportunity of being heard in the matter. On suspension of a Digital Signature Certificate under this section, the Certifying Authority shall communicate the same to the subscriber.

(3)

4.4.4

Revocation of Digital Signature Certificate(1) A Certifying Authority may revoke a Digital Signature Certificate issued by it(a) where the subscriber or any other person authorised by him makes a request to that effect; or (b) upon the death of the subscriber, or (c) Upon the dissolution of the firm or winding up of the company where the subscriber is a firm or a company. Subject to the provisions of sub-section (3) and without prejudice to the provisions of sub-section (1), a Certifying Authority may revoke a Digital Signature Certificate which has been issued by it at any time, if it is of opinion that(a) a material fact represented in the Digital Signature Certificate is false or has been concealed; (b) a requirement for issuance of the Digital Signature Certificate was not satisfied; (c) the Certifying Authority's private key or security system was compromised in a manner materially affecting the Digital Signature Certificate's reliability; (d) the subscriber has been declared insolvent or dead or where a subscriber is a firm or a company, which has been dissolved, wound-up or otherwise ceased to exist (3) A Digital Signature Certificate shall not be revoked unless the subscriber has been given an opportunity of being heard in the matter. On revocation of a Digital Signature Certificate under this section, the Certifying Authority shall communicate the same to the subscriber.

(2)

(4)

41

4.4.5

Notice of suspension or revocation(1) Where a Digital Signature section 37 or section 38, notice of such suspension repository specified in publication of such notice. Certificate is suspended or revoked under the Certifying Authority shall publish a or revocation, as the case may be, in the the Digital Signature Certificate for

(2)

Where one or more repositories are specified, the Certifying Authority shall publish notices of such suspension or revocation, as the case may he in all such repositories.

4.5

Duties of Subscriber: 4.5.1 Generating key pairWhere any Digital Signature Certificate, the public key of which corresponds to the private key of that subscriber which is to be listed in the Digital Signature Certificate has been accepted by a subscriber, then, the subscriber shall generate the key pair by applying the security procedure. Acceptance of Digital Signature Certificate(1) A subscriber shall be deemed to have accepted a Digital Signature Certificate if he publishes or authorises the publication of a Digital Signature Certificate(a) to one or more persons; (b) In a repository, or otherwise demonstrates his approval of the Digital Signature Certificate in any manner. (2) By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on the information contained in the Digital Signature Certificate that(a) the subscriber holds the private key corresponding to the public key listed in the Digital Signature Certificate and is entitled to hold the same; (b) all representations made by the subscriber to the Certifying Authority and all material relevant to the information contained in the Digital Signature Certificate are true; (c) All information in the Digital Signature Certificate that is within the knowledge of the subscriber is true. Control of private key(1) Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his Digital Signature Certificate and take all steps to prevent its disclosure to a person not authorised to affix the digital signature of the subscriber.

4.5.2

4.5.3

42

(2)

If the private key corresponding to the public key listed in the Digital Signature Certificate has been compromised, then, the subscriber shall communicate the same without any delay to the Certifying Authority in such manner as may be specified by the regulations.

Explanation- For the removal of doubts, it is hereby declared that the subscriber shall be liable till he has informed the Certifying Authority that the private key has been compromised.

43

Chapter V

5.
5.1

The Information Technology (Amendment) Act, 2008Background: The Information Technology Act, 2000 was enacted keeping in view technology directions and scenario as it existed at that point of time. As the technology has a habit of reinventing itself into cheaper and more cost effective options, so it becomes imperative to give a fresh look to any technology driven law from time to time. Moreover, due to overall increase in e-commerce, growth in outsourcing business, new forms of transactions, new means of identification, consumers concern, promotion of e-governance and other information technology applications, technology neutrality from its present technology specific form in consonance with development all over the world, security practices and procedures for protection of Critical Information infrastructure, emergence of new forms of computer misuse like child pornography, video voyeurism, identity theft and e-commerce frauds like phishing and online theft, rationalization of punishment in respect of offences with reference to the Indian Penal code, a need was felt to review the Indian Information Technology Act, 2000. In that direction, an Expert Committee was set up in January, 2005 under the Chairmanship of the Secretary, Department of Information Technology. The Expert Committee comprised various representatives of the Government, legal experts in the areas of Cyber Laws, Service Providers, representatives of IT Industry and apex industry Associations, National Association for Software Companies (NASSCOM) and Manufacturers Association of Information Technology (MAIT). The mandate of the Expert Committee was to review the provisions of the IT Act, 2000, to consider the feasibility of making the Act technology neutral and recommend necessary amendments to that effect, and to recommend suitable legislation for Data Protection under the Act. In August, 2005, the Expert Committee submitted its report which was based upon the interactive sessions with various interest groups, deliberations of the Inter-Ministerial Group comprising representatives of Ministries/Departments concerned with the subject matter, presentation made by NASSCOM and feedback on the publication of the report on the DIT website. Now, the Government was left with two approaches i.e. either to enact new and exclusive legislations or to amend the existing legislations to encompass the new crimes and to enact specific legislations to address the issues if amendments to the existent laws do not suffice. As the second approach required minimum effort, the Government preferred it by creating a few more provisions in the Information Technology Act, 2000 and some supplementary provisions by making amendments in other Acts such as the Indian Penal Code and the Code of Criminal Procedures, 1973.

44

5.2

Substitution of digital signature by electronic signature (Clause 2): In the Information Technology Act, 2000 (hereinafter in this Part referred to as the principal Act), for the words digital signature occurring in the Chapter, section, subsection and Clause referred to in the Table below, the words electronic signature shall be substituted. S. No 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. Chapter/section/sub-section/Clause Clause (d), (g), (h) and (zg) of section 2; Section 5 and its marginal heading; Marginal heading of section 6; Clauses (a), (b), (c) and (e) of section 10 and its marginal heading; Heading of Chapter V; Clauses (f) and (g) of section 18; Sub-section (2) of section 19; Sub-sections (1) and (2) of section 21 and its marginal heading; Sub-section (3) of section 25; Clause (c) of section 30; Clauses (a) and (d) of sub-section (1) and sub-section(2) of section 34; Heading of Chapter VII; Section 35 and its marginal heading; Section 64; Section 71; Sub-section (1) of section 73 and its marginal heading; Section 74; and Clauses (d), (n) and (o) of sub-section (2) of Section 87

5.3

New Definition Added (Amendment of Section 2): In section 2 of the principal Act,(A) after clause (h), the following clause shall be inserted, namely:(ha) communication device means cell phones, personal digital assistance or combination of both or any other device used to communicate, send or transmit any text, video, audio or image;

45

(B)

for clause (j), the following clause shall be substituted, namely:(j) Computer network means the inter-connection of one or more Computers or computer systems or communication device through(i) the use of satellite, microwave, terrestrial line, wire, wireless or other communication media; and (ii) terminals or a complex consisting of two or more interconnected computers or communication device whether or not the inter-connection is continuously maintained;; in clause (n), the word Regulations shall be omitted; after clause (n), the following clauses shall be inserted, namely:(na) Cyber cafe means any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public; cyber security means protecting information, equipment, devices computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction;.

(C) (D)

(nb)

(E)

after clause (t), the following clauses shall be inserted, namely:(ta) Electronic signature means authentication of any electronic record by a subscriber by means of the electronic technique specified in the Second Schedule and includes digital signature; Electronic Signature Certificate means an Electronic Signature Certificate issued under section 35 and includes Digital Signature Certificate;

(tb)

(F)

after clause (u), the following clause shall be inserted, namely:(ua) Indian Computer Emergency Response Team means an agency established under sub-section (1) of section 70B;

(G)

in clause (v), for the words data, text, the words data, message, text shall be substituted; for clause (w), the following clause shall be substituted, namely:(w) intermediary, with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service

(H)

46

providers, webhosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes;. 5.4 Salient features of the Information Technology (Amendment) Act, 2008: A review of the amendments indicates that there are several provisions relating to data protection and privacy as well as provisions to curb terrorism using the electronic and digital medium that have been introduced into the new Act. Some of the salient features of the Act are as follows: The term digital signature has been replaced with electronic signature to make the Act more technology neutral. A new section has been inserted to define communication device to mean cell phones, personal digital assistance or combination of both or any other device used to communicate, send or transmit any text video, audio or image. A new section has been added to define cyber caf as any facility from where the access to the internet is offered by any person in the ordinary course of business to the members of the public. A new definition has been inserted for intermediary. Intermediary with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes, but does not include a body corporate referred to in Section 43A. A new section 10A has been inserted to the effect that contracts concluded electronically shall not be deemed to be unenforceable solely on the ground that electronic form or means was used. The damages of Rs. One Crore (approximately USD 200,000) prescribed under section 43 of the earlier Act for damage to computer, computer system etc has been deleted and the relevant parts of the section have been substituted by the words, he shall be liable to pay damages by way of compensation to the person so affected. A new section 43A has been inserted to protect sensitive personal data or information possessed, dealt or handled by a body corporate in a computer resource which such body corporate owns, controls or operates. If such body corporate is negligent in implementing and maintaining reasonable security

47

practices and procedures and thereby causes wrongful loss or wrongful gain to any person, it shall be liable to pay damages by way of compensation to the person so affected. A host of new sections have been added to section 66 as sections 66A to 66F prescribing punishment for offenses such as obscene electronic message transmissions, identity theft, cheating by impersonation using computer resource, violation of privacy and cyber terrorism. Section 67 of the old Act is amended to reduce the term of imprisonment for publishing or transmitting obscene material in electronic form to three years from five years and increase the fine thereof from ` 100,000 (approximately USD 2000) to ` 500,000 (approximately USD 10,000). A host of new sections have been inserted as Sections 67 A to 67C. While Sections 67 A and B insert penal provisions in respect of offenses of publishing or transmitting of material containing sexually explicit act and child pornography in electronic form, section 67C deals with the obligation of an intermediary to preserve and retain such information as may be specified for such duration and in such manner and format as the central government may prescribe. In view of the increasing threat of terrorism in the country, the new amendments include an amended section 69 giving power to the state to issue directions for interception or monitoring of decryption of any information through any computer resource. Further, sections 69 A and B, two new sections, grant power to the state to issue directions for blocking for public access of any information through any computer resource and to authorize to monitor and collect traffic data or information through any computer resource for cyber security. Section 79 of the old Act which exempted intermediaries has been modified to the effect that an intermediary shall not be liable for any third party information data or communication link made available or hosted by him if; (a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; (b) the intermediary does not initiate the transmission or select the receiver of the transmission and select or modify the information contained in the transmission; (c) the intermediary observes due diligence while discharging his duties. However, section 79 will not apply to an intermediary if the intermediary has conspired or abetted or aided or induced whether by threats or promise or otherwise in the commission of the unlawful act or upon receiving actual knowledge or on being notified that any information, data or communication

48

link residing in or connected to a computer resource controlled by it is being used to commit an unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner. A proviso has been added to Section 81 which states that the provisions of the Act shall have overriding effect. The proviso states that nothing contained in the Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957. 5.5 New offences under IT Act (Amendment), 2000: Many cybercrimes for which no express provisions existed in the IT Act, 2000 now stand included by the IT (Amendment) Act, 2008. S. No Description Section

1.

2. 3. 4. 5. 6. 7. 8. 9. 10. 11.

As proposed in ITAA, 2008, this Section combines contraventions indicated in Section 43 with penal effect and reduces the punishment from 3 years to 2 years. It also Sec 66 introduces the pre-conditions of "Dishonesty" and "Fraud" to the current Section 66. Punishment for sending offensive messages through Sec 66 A communication service, etc. Punishment for dishonestly receiving stolen computer resource Sec 66 B or communication device. Punishment for identity theft Punishment for cheating by person by using computer resource. Punishment for violation of privacy. Punishment for cyber terrorism. Sec 66 C Sec 66 D Sec 66 E Sec 66 F

Punishment for publishing or transmitting obscene material in Sec 67 electronic form. Punishment for publishing or transmitting of material Sec 67 A containing sexually explicit act, etc., in electronic form. Punishment for publishing or transmitting of material depicting Sec 67 B children in sexually explicit act, etc., in electronic form. Preservation and retention of information by intermediaries. Misrepresentation to the Controller or the Certifying Authority. Making any misrepresentation to or suppression of any material fact from, the Controller or the Certifying Authority for obtaining any license or Digital Signature Certificate, as the case may be. Sec 67 C

12.

Sec 71

49

13.

Any person, who, in pursuance of any of the powers conferred under IT Act, has secured access to any electronic record, book, register, correspondence, information or document without the consents of the person concerned discloses such electronic record, book, register, correspondence, information, document to any other person. Publishing Digital Signature Certificate false in certain particulars. Publishing a Digital Signature Certificate or otherwise making it available to any other person with the knowledge that the certifying Authority listed in the certificate has not issued to other subscriber listed in the certificate has not accepted it or the certificate has been revoked or suspended, unless such publication is for the purpose of verifying a digital signature created prior to such suspension or revocation. Creation, publication or otherwise making available a Digital Signature Certificate for any fraudulent or unlawful purpose. Punishments-

Sec 72

14.

Sec 73

15. 5.5.1

Sec 74

A new offence of Cyber terrorism is added in Section 66 F which prescribes punishment that may extend to imprisonment for life. Section 66 F covers any act committed with intent to threaten unity, integrity, security or sovereignty of India or cause terror by causing DoS attacks, introduction of computer contaminant, unauthorized access to a computer resource, stealing of sensitive information, any information likely to cause injury to interests of sovereignty or integrity of India, the security, friendly relations with other states, public order, decency , morality, or in relation to contempt of court, defamation or incitement to an offence , or to advantage of any foreign nation, group of individuals or otherwise. For other offences mentioned in Section 66 , punishment prescribed is generally up-to three years and fine of one/two lack has been prescribed and these offences are cognisable and bail able. This will not prove to play a deterrent factor for cyber criminals. Further, as per new S. 84B, abetment to commit an offence is made punishable with the punishment provided for the offence under the Act and the new S. 84C makes attempt to commit an offence also a punishable offence with imprisonment for a term which may extend to one-half of the longest term of imprisonment provided for that offence. In certain offences, such as hacking (s 66) punishment is enhanced from 3 years of imprisonment and fine of 2 lacks to fine of 5 lacks. In S. 67, for publishing of obscene information imprisonment term has been reduced from five years to three years (and five years for subsequent offence instead of earlier ten years) and fine has been increased from one lack to five lack (rupees ten lack on subsequent conviction). Section 67A adds an offence of publishing

50

material containing sexually explicit conduct punishable with imprisonment for a term that may extend to 5 years with fine up-to 10 lacks. This provision was essential to curb MMS attacks and video voyeurism. Section 67B punishes offence of child pornography, childs sexually explicit act or conduct with imprisonment on first conviction for a term up-to 5 years and fine up-to 10 lacks. This is a positive change as it makes even browsing and collecting of child pornography a punishable offence. Punishment for disclosure of information in breach of lawful contract under sec 72 is increased from 2 yrs up-to 5 yrs and from one lack to 5 lack or both. This will deter the commission of such crime. By virtue of Section 84 B person who abets a cybercrime will be punished with punishment provided for that offence under the Act. This provision will play a deterrent role and prevent commission of conspiracy linked cybercrimes. Also, punishment for attempt to commit offences is given under Section 84 c which will be punishable with one half of the term of imprisonment prescribed for that offence or such fine as provided or both. 5.6 Corporate responsibility introduced in S. 43A: The corporate responsibility for data protection is incorporated in S 43A in the amended IT Act, 2000 whereby corporate bodies handling sensitive personal information or data in a computer resource are under an obligation to ensure adoption of reasonable security practices to maintain its secrecy, failing which they may be liable to pay damages. Also, there is no limit to the amount of compensation that may be awarded by virtue of this section. This section must be read with Section 85 of the IT Act, 2000 whereby all persons responsible to the company for conduct of its business shall be held guilty in case offence was committed by a company unless no knowledge or due diligence to prevent the contravention is proved. Insertion of this provision is particular significance to BPO companies that handle such sensitive information in the regular course of their business. This provision is important to secure sensitive data and is hence a step in the right direction. However, the challenge is to first elucidate what we qualify as reasonable security practices. The Act in explanation to Section 43A indicates these procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure, or impairment, as may be specified in an agreement between parties or as may be specified by any law for the time being in force and in absence of both, as may be prescribed by Central Government in consultation with professional bodies/associations. The law explaining the definition of reasonable security practices is yet to be laid down and/or Central government is yet to frame its rules thereon. Perhaps, we can take guidance from certain foreign laws on data protection & standards laid down in European Union or by organizations such as OECD in protection of sensitive personal data. It is a challenge for the Central Government to prescribe in consultation with professional bodies the information that will fall within the meaning of sensitive personal data or information.

51

5.7

Legal validity of electronic documents re-emphasized: Two new sections Section 7A and 10A in the amended Act reinforce the equivalence of paper based documents to electronic documents. Section 7A in the amended Act makes audit of electronic documents also necessary wherever paper based documents are required to be audited by law. Section 10A confers legal validity & enforceability on contracts formed through electronic means. These provisions are inserted to clarify and strengthen the legal principle in Section 4 of the IT Act, 2000 that electronic documents are at par with electronic documents and e-contracts are legally recognized and acceptable in law. This will facilitate growth of e-commerce activity on the internet and build citizens confidence.

5.8

Conclusion: The IT Act (Amendment), 2008 from an overall perspective has introduced remarkable provisions and amendments that will facilitate the effective enforcement of cyber law in India. India is now technologically neutral with electronic signatures replacing the requirement of digital signatures. The importance of data protection in todays information technology age cannot be undermined and it finds place in Section 43, 43A, 66, 72 of the IT Act, 2000. In this era of convergence the definition of communication device and intermediary has been rightly inserted/ revisited and validity of e-contracts is reinforced by insertion of Section 10 A, Section 46(5) of the IT Act is a welcome provision that empowers the Adjudicating officers by conferring powers of execution on the office of Adjudicating officer at par with a civil court. Plethora of new cybercrimes has been incorporated under chapter XI as offences under the amended Act to combat growing kinds of cybercrimes particularly, serious crimes such as child pornography, and cyber terrorism. The Intermediaries have been placed under an obligation to maintain and provide access to sensitive information to appropriate agencies to assist in solving cybercrime cases under Section 67C, Section 69. However, liability of ISPs has been revisited and onus shall lie on complainant to prove lack of due diligence or presence of actual knowledge by intermediary as proving conspiracy would be difficult. These are some of the challenges that cyber law enforcement teams will be faced with the power of interception of traffic data and communications over internet will need to be exercised in strict compliance of rules framed under respective Sections in the Act conferring such powers of monitoring, collection, decryption or interception. Power for blocking websites should also be exercised carefully and should not transgress into areas that amount to unreasonable censorship. Many of the offences added to the Act are cognizable but bail able which increases the likelihood of tampering of evidence by cybercriminal once he is released on bail. The police must therefore play a vigilant role to collect and preserve evidence in a timely manner .For this, the police force will need to be well equipped with forensic knowledge and trained in cyber laws to effectively investigate cybercrime cases. The introduction of Examiner of Electronic Evidence will also aid in effective analysis of digital evidence & cybercrime prosecution. Having discussed the new

52

amendments and challenges before Indian cyber law regime, employing the strategies recommended below can facilitate the enforcement of cyber laws in our country (1) Educating the common man and informing them about their rights and obligations in Cyberspace. The practical reality is that most people are ignorant of the laws of the cyberspace, different kinds of cybercrimes, and forums for redressed of their grievances. There is an imperative need to impart the required legal and technical training to our law enforcement officials, including the Judiciary and the Police officials to combat the Cybercrimes and to effectively enforce cyber laws. The reporting and access points in police department require immediate attention. In domestic territory, every local police station should have a cybercrime cell that can effectively investigate cybercrime cases. Accessibility is one of the greatest impediments in delivery of speedy justice. Also we have only one Government recognized forensic laboratory in India at Hyderabad which prepares forensic reports in cybercrime cases. We need more such labs to efficiently handle the increasing volume of cybercrime investigation cases. Trained and well-equipped law enforcement personnel - at local, state, and global levels can ensure proper collection of evidence, proper investigation, mutual cooperation and prosecution of cyber cases. Further under Section 79 of the IT Act, 2000 no guidelines exist for ISPs to mandatorily store and preserve logs for a reasonable period to assist in tracing IP addresses in Cybercrime cases. This needs urgent attention and prompt action. The investigation of cybercrimes and prosecution of cybercriminals and execution of court orders requires efficient international cooperation regime and procedures. Although Section 1(2) read with Section 75 of the IT Act, 2000, India assumes prescriptive jurisdiction to try accused for offences committed by any person of any nationality outside India that involves a computer, computer system or network located in India, on the enforcement front, without a duly signed extradition treaty or a multilateral cooperation arrangement, trial of such offences and conviction is a difficult proposition.

(2)

(3)

(4)

(5)

IT (Amendment) Act, 2008 is a step in the right direction, however, there are still certain lacunae in the Act, (few of which were briefly pointed out in this paper) which will surface while the amendments are tested on the anvil of time and advancing technologies!

53

Chapter VI

6.
6.1

Intellectual Property Rights(IPR)Introduction: The protection of intellectual property rights (IPR) in India until recent times was at a very nascent stage. After the signing of certain conventions and international treaties, IPR protection has gradually been strengthened. There is now a well-established statutory, administrative and judicial framework to safeguard IPRs, whether they relate to patents, trademarks, copyright or industrial designs. Well-known international trademarks have been protected in India even when they were not registered in India. Initially in India, trade marks for goods were extended through court decisions to service marks but now they are statutorily recognised. Computer software and Computer databases have a strong protection under the IPR laws in India. The courts, under the doctrine of breach of confidentiality, accorded an extensive protection of trade secrets.

6.2

Intellectual Property Right Laws: The Intellectual Property Rights (IPR) laws in India include five broad categories: Trademarks, Copyrights, Patents, Industrial Designs and Geographical Indications. India provides protection to IPR in accordance with its obligations under the TRIPS (Trade Related Aspects of Intellectual Property Rights) Agreement of the WTO (World Trade Organisation), as adopted in the respective legislations. India is also a signatory to a number of Conventions and hence the protection under IPR matches the international system at certain level. Conventions are named hereunder: Berne Convention, 1971 Universal Copyright Convention, 1979 Vienna Classification, 1973 Paris Convention for the Protection of Industrial Property, 1979 Geneva Convention for the Protection of Rights of Producers of Phonograms, 1971 Other than the civil remedies and compensation, the Police and enforcement authorities are also empowered to take action against infringement of IPRs.

54

Petitions are filed for infringement of IPRs and are tried in the judicial courts like other suits. Appeals are also filed in the judicial courts against the administrative decisions relating to IPR. Patents LawsPatents are the set of exclusive rights granted by a government to an inventor relating to a Particular invention, for a fixed period of time. The grant of patent to any invention therefore identifies it as the inventors exclusive intellectual property. The registration and protection of patents in India is governed by patents act, 1970 (Patents act), which has been amended from time to time. It is compliant with Indias obligations under the TRIPS agreement of the WTO. Patenting an intellectual property in India is governed by three parameters: inventive step/non obvious novelty utility/usefulness a patent is granted for the following: a new and utility-bearing article/product, produced by a manufacturer; a new process of manufacture to make an article/product, already in Existence; a machine, apparatus or other article; for secondary innovations such as improvements on existing products or Processes Recently, exclusive marketing rights and mail box facility for inventions relating to Chemical and pharmaceutical products was introduced. Product and process patent protection are available. A patent right is granted for a limited period of time. Presently, the Indian patents act, 1970 sets this period of time at 20 years. Foreign Patents Laws The government of India may, by notification in the official gazette, declare a Country to be a convention country for the purposes of granting patents and the Protection of patent rights. Applications for protection can be made within 12 months in respect of an invention in a convention country.

6.2.1

55

6.2.2

Copyrights and related rightsCopyrights are a set of exclusive rights given to an author of a literary or artistic work. This set of rights includes right to copy, right to be credited for the work, right to publication and Broadcasting etc. Berne convention was the first convention which recognised copyrights on an international level. As practiced, a copyright exists in an artistic work from the day of its creation. Registration of Copyrights strengthens the protection but unregistered copyrights have equal protection under India law if proved. Indias copyright law fully reflects the Berne convention on copyrights. Additionally, India is party to the Geneva Convention for the protection of rights of Producers of phonograms and to the universal copyright convention. Recent amendments have introduced provisions for the first time to protect performers Rights as envisaged in the Rome convention. several measures have been adopted to strengthen and streamline the enforcement of Copyright including the setting up of a copyright enforcement advisory council; Training programmes for enforcement officers and setting up special policy cells to Deal with cases relating to infringement of copyright. The copyright is valid for the life of the owner and continues for next 60 succeeding Years after the death of the owner.

6.2.3

Trademarks LawsTrademark means a mark or a symbol being represented graphically which is capable of Distinguishing the goods or services of one person from the others and can include shape of Goods, their packaging, colours etc. Unregistered trademarks can be protected through common law remedy of passing off only and infringement actions are not possible. Hence, to get maximum protection for any trade, it is necessary to register their trade name and marks. India provides protection for marks of goods and services, collective marks, Certification trademarks and well-known marks under the trademarks act, 1999. Application for registration of a trademark should be filed with the trademark registry. Trademark is registered after publication in the trademarks journal to invite opposition and after further examination. Registration is not necessary for protection. However, it is mandatory for taking action against infringement. Registration is

56

valid for an initial Period of ten years and can be renewed for further period of ten years. For unregistered trademarks, only remedies under law of passing off are available. Police officers are empowered to seize, without warrant, the counterfeit goods and Machinery used to commit the offence. Penalties ranging from six months to three Years and fines have been prescribed in the act for trademarks violations.

6.2.4

Geographical indicationsGeographical indications of goods are defined as that aspect of industrial property which Refers to the geographical indication referring to a country or to a place situated therein as Being the country or place of origin of that product. Typically, such a name conveys an Assurance of quality and distinctiveness which is essentially attributable to the fact of its origin in that defined geographical locality, region or country for e.g. scotch whisky is identified With Scotland or champagne with France. Protection to geographical indications is provided under the geographical indications of goods (registration and protection) act, 1999. A geographical indication may be registered with the controller general of patents, Designs and trademarks for all goods originating in a definite territory of a country, or a region or locality in that territory. The geographical indications act provides for additional protection of higher level to Goods notified by the central government. Registration of a geographical indication is for ten years with possible renewal for further ten-year periods.

6.2.5

Protection of plant varieties Protection to plant varieties is provided by the protection of plant varieties and Farmers rights act, 2001 in compliance with Indias obligations under article 27.3 (b) of the trips agreement of the WTO by providing an effective sui generis system For protection of plant varieties. Provides for an effective system for protection of plant varieties and farmers rights to stimulate investments for R&D both in public and private sectors. New plant varieties could be registered under this act for plant breeder rights based on the international criteria of newness, distinctiveness, uniformity and stability. The essentially derived varieties are also registered under this act based on internationally accepted criteria. This act also has some

57

unique features like benefit Sharing, community rights, gene funds, compulsory licensing etc. The protection of plant varieties and farmers rights rules have also been framed under this act. Applications for plant varieties should be filed with the authority. Department of agriculture and cooperation, ministry of agriculture, government of India is the administrative department for implementation of this act.

6.2.6

Industrial designs The designs act, 2000 provides protection for registered designs in accordance with Indias obligations under the trips agreement. Independently created designs that are new or original are protected under this act. The act provides a right to the owner of the registered industrial design to prevent Third parties not having his consent from making, selling or importing articles being or embodying a design, which is a copy or substantially a copy of the protected design when such acts are undertaken for commercial purposes. The duration of the protection is ten years.

6.2.7

Layout designs of integrated circuits The semiconductor integrated circuits layout design act, 2000 provides protection to Semiconductor integrated circuits layout designs in accordance with the provisions of the trips agreement. The act provides for exclusive rights to the registered proprietor of a layout design and also to the registered users. Applications for registration of layout designs should be filed with the registrar. Appeals against the orders of the registrar should be filed with the appellate board. The act also provides for criminal prosecution for infringement of layout designs. The administration department for implementation of the act is dept. of information Technology, ministry of communications and information technology, government of India.

6.2.8

ConclusionProtection of IPR is important for any business. It is advisable for the foreign entrant, before introducing their products, to first take steps to protect their IPRs and then start marketing or using it. This facilitates complete protection to all intellectual properties from the very Beginning.

58

Chapter VII

7.

Cyber Crime Cases in India

Cyber Crimes have emerged as a serious global threat, forcing governments, police departments and intelligence units to adopt counter measures. The CERT (Computer Emergency Response Team), the apex cyber security division under the ministry of information technology of India, found that cyber crime in the country has accelerated about 50 times since 2004. The agency recorded just 23 cyber crime incidents in 2004 in contrast to a huge 1,237 in 2007. These primarily included phishing attacks, distribution of viruses/malicious code and illegal infiltration to computer networks. A high ranking official from the IT ministry told DNA on April 8, 2008 that phishing is a kind of fraud in which an online criminal tricks the user and grabs his/her secret online banking details such as account number, or security codes like password to access those accounts. Further, according to annual report for 2007 of CERT, there were 392 incidents of phishing, 358 cases of virus proliferation and 223 cases of network infiltration recorded in 2007. Compared to this, there were only 3 phishing attacks, 5 cases of virus proliferation and 11 incidents of network infiltration reported in 2004. These statistics from CERT are, however, only indicative without giving the actual picture of cyber crime in India. The agency merely maintains records of cases that are notified to it. Furthermore, a data of the government revealed that in January 2008, 87 security related incidents were recorded in contrast to 45 in December 2007. Of these, 47% involved phishing, 25% related to worm/virus under the malware category, 21% to unauthorized scanning, and 7% to technical help under separate categories.

7.1

Statistics on Cyber Crimes- National Crime Record Bureau: The statistics on Cyber Crimes are collected under the following heads(i) Offences registered under the Information Technology Act 2000. (ii) Offences under the IPC (with use of Computers) (1) Cyber Crimes- Cases of Various Categories under IT Act, 2000 966 cases were registered under IT Act during the year 2010 as compared to 420 cases during the previous year (2009) thereby reporting an increase of 130.0% in 2010 over 2009. 15.8% cases (153 out of 966 cases) were reported from Karnataka followed by Kerala (148), Maharashtra (142), Andhra Pradesh (105) and Rajasthan and Punjab (52 each). 35.8% (346 cases) of the total 966 cases registered under IT Act 2000 were related to Loss/damage to computer resource/utility reported under hacking with computer systems. 233 persons were arrested for committing such offences during 2010. There were 328 cases of obscene publications/transmission in electronic form during the year wherein 361 persons were arrested. Out of the

59

total (510) Hacking cases, the cases relating to Loss / Damage of computer resource/utility under Sec 66(1) of the IT Act were 67.8% (346 cases) whereas the cases related to Hacking under Section 66(2) of IT Act were 32.2% (164 cases). Karnataka (65), Andhra Pradesh (49) and West Bengal (38) registered maximum cases under Sec 66(1) of the IT Act out of total 346 such cases at the National level. Out of the total 164 cases relating to Hacking under Sec. 66(2), most of the cases (39 cases) were reported from Andhra Pradesh followed by Tamil Nadu & Karnataka (26 each) and Rajasthan (17 cases). 17.9% of the 799 persons arrested in cases relating to IT Act, 2000 were from Maharashtra (143) followed by Kerala (105). The age wise profile of persons arrested in Cyber Crime cases under IT Act, 2000 showed that 54.2% of the offenders were in the age group 18 30 years (433 out of 799) and 37.3% of the offenders were in the age group 30 - 45 years (298 out of 799). Uttar Pradesh (7), Maharashtra (5), Karnataka (2), Madhya Pradesh & Kerala (1 each) reported offenders whose age was below 18 years. Crime head-wise and age group wise profile of the offenders arrested under IT Act, 2000 reveals that 45.2% (361 out of 799) of the offenders arrested were under Obscene publication /transmission in electronic form of which 59.2% (214 out of 361 were in the age-group 18 30 years. 51.0% (150 out of 294) of the total persons arrested for 'Hacking with Computer Systems' were in the agegroup of 18- 30 years.) (2) Cyber Crimes Cases of Various Categories under IPC Section A total of 356 cases were registered under IPC Sections during the year 2010 as compared to 276 such cases during 2009 thereby reporting an increase of 29.0%. Maharashtra reported maximum number of such cases (104 out of 356 cases or 29.2%) followed by Andhra Pradesh 18.5% (66 cases) and Chhattisgarh 12.9% (46 cases). Majority of the crimes out of total 356 cases registered under IPC fall under 2 categories viz. Forgery (188) and Criminal Breach of Trust or Fraud (146). Although such offences fall under the traditional IPC crimes, these cases had the cyber overtones wherein computer, Internet or its enabled services were present in the crime and hence they were categorised as Cyber Crimes under IPC. The Cyber Forgery (188 cases) accounted for 0.23% out of the 78,999 cases reported under Cheating. The Cyber Frauds (146) accounted for 0.87% of the total Criminal Breach of Trust cases under IPC (16,678). The Cyber Forgery cases were the highest in Maharashtra (42) followed by Andhra Pradesh (37) Chhattisgarh (32) and Karnataka (17). The cases of Cyber Fraud were highest in Maharashtra (60) followed by Andhra Pradesh (25) Punjab (15) and Chhattisgarh & Tamil Nadu (11 each).

60

A total of 394 persons were arrested in the country for Cyber Crimes under IPC during 2010. 65.2% offenders (257) of these were taken into custody for offences under 'Cyber Forgery, 25.2% (100) for 'Criminal Breach of Trust/Fraud' and 4.6% (16) for 'Counterfeiting Currency/Stamps'. The States such as Andhra Pradesh (126), Maharashtra (64), Chhattisgarh (44) and Punjab (42) have reported higher arrests for Cyber Crimes registered under IPC. The age group-wise profile of the arrested persons under this category showed that 48.9% (193 out of 394) were in the age-group of 30 - 45 years and 32.9% (130 out of 394) of the offenders were in the age-group of 18-30 years. Karnataka reported 1 offender below 18 years of age. Crime head-wise and age wise profile of the offenders arrested under Cyber Crimes (IPC) for the year 2010 reveals that offenders involved in Forgery cases were more in the agegroup of 30 - 45 (50.9%)(131 out of 257). 44% of the persons arrested under Criminal Breach of Trust / Cyber Fraud offences were in the age group 3045 years (44 out of 100).

61

Chapter VIII

8.
8.1

Case Studiessony-sambandh.com Case: India saw its first cybercrime conviction. It all began after a complaint was filed by Sony India Private Ltd, which runs a website called www.sony-sambandh.com, targeting Non Resident Indians. The website enables NRIs to send Sony products to their friends and relatives in India after they pay for it online.

The company undertakes to deliver the products to the concerned recipients. In May 2002, someone logged onto the website under the identity of Barbara Campa and ordered a Sony Colour Television set and a cordless head phone. She gave her credit card number for payment and requested that the products be delivered to Arif Azim in Noida. The payment was duly cleared by the credit card agency and the transaction processed. After following the relevant procedures of due diligence and checking, the company delivered the items to Arif Azim. At the time of delivery, the company took digital photographs showing the delivery being accepted by Arif Azim. The transaction closed at that, but after one and a half months the credit card agency informed the company that this was an unauthorized transaction as the real owner had denied having made the purchase. The company lodged a complaint for online cheating at the Central Bureau of Investigation which registered a case under Section 418, 419 and 420 of the Indian Penal Code. The matter was investigated into and Arif Azim was arrested. Investigations revealed that Arif Azim, while working at a Call Center in Noida gained access to the credit card number of an American national which he misused on the companys site. The CBI recovered the colour television and the cordless head phone.

62

In this matter, the CBI had evidence to prove their case and so the accused admitted his guilt. The court convicted Arif Azim under Section 418, 419 and 420 of the Indian Penal Code this being the first time that a cybercrime has been convicted. The court, however, felt that as the accused was a young boy of 24 years and a first-time convict, a lenient view needed to be taken. The court therefore released the accused on probation for one year. The judgment is of immense significance for the entire nation. Besides being the first conviction in a cybercrime matter, it has shown that The Indian Penal Code can be effectively applied to certain categories of cyber crimes which are not covered under the Information Technology Act, 2000. Secondly, a judgment of this sort sends out a clear message to all that the law cannot be taken for a ride. 8.2 Pune Citibank Mphasis Call Center FraudUS $350,000 from accounts of four US customers were dishonestly transferred to bogus accounts. This will give a lot of ammunition to those lobbying against outsourcing in US. Such case happen all over the world but when it happens in India it is a serious matter and we cannot ignore it. It is a case of sourcing engineering. Some employees gained the confidence of the customer and obtained their PIN numbers to commit fraud. They got these under the guise of helping the customers out of difficult situations. Highest security prevails in the Call Center in India as they know that they will lose their business. There was not as much of breach of security but of sourcing engineering. The Call Center employees are checked when they go in and out so they cannot copy down numbers and therefore they could not have noted these down. They must have remembered these numbers, gone out immediately to a cyber caf and accessed the Citibank accounts of the customers. All accounts were opened in Pune and the customers complained that the money from their accounts was transferred to Pune accounts and thats how the criminals were traced. Police has been able to prove the honesty of the call center and has frozen the accounts where the money was transferred. There is need for a strict background check of the call center executives. However, best of background checks can not eliminate the bad elements from coming in and breaching security. We must still ensure such checks when a person is hired. There is need for a national ID and a national data base where a name can be referred to. In this case preliminary investigations do not reveal that the criminals had any crime history. Customer education is very important so customers do not get taken for a ride. Most banks are guilt of not doing this.

63

REFERENCES[1]. [2]. [3]. [4]. [5]. [6]. [7]. [8]. [9]. http://www.mit.gov.in/content/information-technology-act-2000 http://www.mit.gov.in/sites/upload_files/dit/files/RNUS_CyberLaw_15411.pdf http://en.wikipedia.org/wiki/Computer_crime http://en.wikipedia.org/wiki/The_Information_Technology_Act_2000 http://www.cyberlawsindia.net/Information-technology-act-of-india.html http://ncrb.nic.in/CII2010/cii-2010/Chapter%2018.pdf http://www.cyberlaws.net/itamendments/IT%20ACT%20AMENDMENTS.PDF http://164.100.40.18/parliament/standing_reports/loksabha14/REPORT-I.T.-50E.pdf http:// www.legalserviceindia.com/cyber/cyber.html

[10]. http://www.legalindia.in/category/ipr-act-rules

64