
Cyber And Internet Law In Relation To India

BRIJNANDAN SINGH BHAR & CO


1. Introduction

In India there is no separate law named either Cyber Law or The Data Protection Act, but the country has enacted comprehensive legislation in the name and style of “The Information Technology Act, 2000”, which was later amended by the Information Technology (Amendment) Act of 2008. The offences relating to cyber crimes are described more amply in Chapters IX and XI. A more detailed description of the coverage of various provisions is provided in subsequent sections. It may be noted that references made here to the IT Act, 2000 also cover the changes made to it from time to time and the amendment incorporated in 2008.

1.1. The need for Cyber & Internet Laws
The advent of the Internet brought with it complex issues which could not be effectively addressed through existing laws. The existing plethora of laws such as the Indian Penal Code, 1860, Companies Act, 1956, Indian Evidence Act, 1891 etc. are not by themselves equipped to handle the needs of cyberspace, and hence new legal thinking was called for. For example, prior to the enactment of the Information Technology Act, 2000, emails did not enjoy legal sanctity. Until there was a provision in a law to cover it, the judiciary was reluctant to grant judicial recognition to documents in electronic format. Further, the sprawling nature of Internet activities required an enabling and supportive legal infrastructure to move along with the times. Above all, the emergence of E-commerce, thought to be the biggest electronic revolution for businesses, needed proper legal infrastructure to enable its healthy growth.

Cyber crime has acquired professional characteristics without geographical boundaries. The motives that drive computer-savvy criminals to commit cybercrimes vary so widely that it is difficult to categorise them under a few headings. For instance, cybercrimes can be committed against persons, property and governments. Cyber crimes involve acts of pornography, hacking, phishing, financial crimes, terrorism, etc. For example, the Internet is used to gain illegal gratification through the stealing of financial data and transactions. The Internet space is used for money laundering, or the social space is used for bullying. Spoofing can take place at all levels. The ultimate motive of the cyber criminal is to use the Internet for an illegal act; some such acts are guided by thieving motives, some aim to compromise security, while others serve to satisfy perverted instincts of human beings.

All these developments created the need for, and culminated in, the introduction and passage of a law that included provisions that were and are considered to be relevant to cyberspace.

2. The Information Technology Act, 2000

The IT Act of 2000 was enacted as cyber-specific legislation. Its origin can be traced to the UNCITRAL Model Law[1] (1996). Nonetheless, its scope is considered to be far wider because, apart from the E-commerce provisions, it defines computer crimes and offences and prescribes punishments. While Chapters IX and XI describe more amply the offences relating to cyber crimes, Ss 43, 65, 66, 67 etc. cover and prescribe punishment for such offences. Describing all the sections in detail is not within the scope of this article, but two of them are described here. Section 43 deals with unauthorised access, downloading, virus attacks, hacking, damaging, disrupting, denial of services and interference with services which a person is legally permitted to avail of. Section 67 enjoins certain obligations on intermediaries; such intermediaries include bodies corporate, who are required to retain information for a certain time period.

The manner in which the Act attempts to deal with cyber crimes can be discussed with specific reference to some of the cyber crimes.

(i) Hacking, Trojans, Virus and Worms

Hacking is considered to be an act committed by anybody with an intention to cause wrongful loss or damage either to another person or to the public by altering, destroying, or deleting any information residing in a computer resource, or by diminishing its utility or value.

Viruses of any nature are programmes designed to replicate and spread without the knowledge of the victim. They are designated by different names from time to time. For instance, the term Trojan horse is attributed to Daniel Edwards of the National Security Agency, USA. He is credited with identifying the attack form in the report ‘Computer Security Technology Planning Study’.

(ii) Cyber Pornography

The Internet has become a medium for facilitating pornography-related crimes. Cyber porn is widespread on the net, causing multiple problems. The serious nature of the problem can be understood from the fact that it is possible for such criminals to hide themselves and propagate such material through the Internet. Some forms of this type of crime are also heinous in nature, as for instance, child pornography.

(iii) Cyber Stalking

Defined as acts of harassment and threatening behaviour by criminals towards their victims through the medium of the Internet, cyber stalking is a growing problem which is especially directed towards teenage girls.

(iv) Cyber Terrorism

It refers to the premeditated use of disruptive activities, or threats thereof, arising through cyberspace with an intention to cause ideological, religious, social, political etc. harms through intimidation of persons in order to achieve such illegal objectives.

(v) Financial Crimes

Fraudsters deploy sophisticated techniques in the cyber world to fool victims on the Internet in order to realise monetary gains through illegal means. Online frauds and cheating have become almost a daily occurrence because of their lucrative nature. Such fraud takes different forms, which vary from time to time. Some of the cases that have come to light relate to credit cards, job offerings, online auction frauds, investment schemes etc.

(vi) Denial of service attacks

It relates to a type of attack on a network that is designed to bring the network down by flooding it with useless and unsought traffic. Some of them, such as Ping of Death[2] or Teardrop attack[3], can severely compromise TCP/IP protocols. Yet another type, viz, Distributed Denial of Service (DDoS), is much more severe in nature because the perpetrators are many and geographically widespread. The severity can be understood from the fact that such attacks have brought down websites such as Amazon, eBay, Yahoo etc.

(vii) Email bombing/Spoofing

Email bombing is a form of abusing the net wherein the offender sends huge numbers of mails with a view to flooding the mailbox. They are mainly of two types, viz, (i) mass mailing and (ii) list linking, of which the latter is more effective in causing damage because the person receiving such mails would have to unsubscribe from them manually, if they have not already done so by opting not to subscribe for the mails at the time of registration to a website/service.

E-mail spoofing, on the other hand, refers to the carrying out of fraudulent email activities in which the sender's address and other parts of the email header are altered so that the mail appears to have originated from a different source, in order to hide its original source. The criminal intention lies in the fact that its purpose is phishing, wherein the intention is to make the recipient open the mail and act as per the instructions contained in it in order to secure illegal gratification.

(viii) Data Diddling

Data diddling refers to an act of changing data prior to or while inputting the same into a computer. The data altered is raw in nature, and this is a relatively simple method of committing a computer-related crime, but its cost is considerable. The Electricity Boards are known to bear the brunt of this attack in India.

(ix) Webjacking

The term is a modified version of hijacking, and it occurs when a person takes control of a website without authorisation by cracking its password and thereafter modifies it. The actual owner neither knows about it nor has control over it.

The IT Act, 2000 was heralded into India at a time when she needed a legal framework to exploit the immense potential the net offers and at the same time prevent and handle crimes arising from the use of computers and the Internet. Let us look at some of the positive areas as well as the not so positive ones.

Acceptance of documents in electronic format, including emails, is considered to be a positive step that is expected to reduce paper work and also promote the transaction of business at a quicker pace.

Indian businesses can now engage in electronic commerce with the protection of a legal infrastructure, and to that extent they can compete in the internationally competitive Internet space.

E-governance has been made possible as the Government is now empowered to issue notifications on the web.

The Act addresses issues relating to security by providing protection under the Act.

However, when it comes to the question of preventing/controlling cyber crimes, the Act does not seem to have been effective. The Act was amended in 2008 to broaden its scope, but even that does not seem to have improved the situation. This is discussed under the section relating to the effectiveness of the Act.

3. A comparative reference to other acts bearing resemblance to Information Act

Some of the other acts which could be considered similar or bearing resemblance to the Information Act, where modifications have been introduced to make IT Act (2002) more compatible with them are discussed below.

Even though the Indian Penal Code provides criminal punishment for various offences, it had to be amended to include specific offences relating to cyber crimes that have particular relevance to forgery of electronic records, cyber frauds, destroying electronic evidence etc.

The Indian Evidence Act has been amended to take into account digital evidence.

The Bankers’ Book Evidence Act has been amended to take care of the admission of bank records.

The Reserve Bank of India Act was also amended by the IT Act to make it compatible with the Information Act.

The IT Act was amended by the Negotiable Instruments Act, 2002 to permit acceptance of electronic cheques and truncated cheques as official records.

4. Effectiveness of the IT Act, 2000

The effectiveness of the Act could broadly be seen with reference to those on whom it impinges, viz, cybercrime against (a) persons, (b) property and (c) government.

Controlling cyber crimes is a mammoth job, and since the Act is of recent origin and is undergoing constant changes (as for instance with the amendment of 2008), it is too early to pronounce a judgement.

One major problem with the Indian legal system is that it is characterised more by quantity of law rather than quality. Consequently, confusion arises when offences are tried under a plethora of laws. There seems to be a major flaw in the IT Act in that it does not seem to be singular in nature. Over a period of time, the amendments seem to have diluted the original intention of the Act.

The next issue is putting in place sound enforcement machinery. The enforcement machinery as of now is not that well equipped to deal with cyber laws. Finally, the judicial system is yet to be equipped to try these cases and provide a mechanism for efficient and fair disposal of the cases. This is because of the fact that in any law, some provisions may not be in favour of the citizens. For instance, the powers of the Central Government to block any website, or to arrest individuals for posting their opinions on social networks against powerful politicians, all point to the negative side of the Act, which can go against common people.

On an overall analysis, the Act conveys a message of lack of discussion and of flexibility to incorporate issues that have not been covered under the Act. For instance, privacy concerns, domain disputes, handling international payment systems etc. all need to be addressed.

5. Conclusions

It is not as if India alone is facing problems in tackling and preventing cyber crimes. All over the world, difficulties are being experienced in identifying and booking cyber criminals. But we need to take note of the fact that India is unable to keep pace with the changes that are being introduced in western countries in response to these challenges. The reason for this could to some extent be found in the Indian bureaucracy, wherein policy initiation, follow-up and implementation are lethargic.

[1] http://www.uncitral.org/english/texts/electcom/

[2] A Ping of Death is a kind of attack on a computer network which involves sending a malformed or otherwise malicious ping. A ping is normally 64 bytes in size. Sending a ping which is larger than the maximum IP packet size can cause the target computer to crash.

[3] A Teardrop attack is a type of DoS attack where fragmented packets are forged to overlap each other when the receiving host tries to reassemble them.