This action might not be possible to undo. Are you sure you want to continue?
GAURAV TIWARI INTRODUCTION: The founding fathers of Internet barely had any proclivity that Internet could transform itself into an all pervading revolution which could be tainted for criminal activities and which required law. These days, there are many troubling incidents in cyberspace. Due to the mysterious nature of the Internet, it is probable to engage into a variety of criminal activities with impunity and people with intelligence, have been hideously misusing this aspect of the Internet to perpetuate criminal activities in cyberspace. . The advancement in this field has been multiplying exponentially but cybercrimes are also thriving rapidly. Although generous progress in technology, uncertainty still prevails and the efforts to trace, identify and bring the criminal to books have not borne much fruit. If cybercrimes are not combated at the early stage, the posterity will suffer from the human values, which will have very damaging effects on the society at large and innocent individuals in particular.
The very character of crime itself has undergone complete
transformation. There is a conjectural shift in terms of the costs of criminal behaviour and the forms of criminality, which merits state attention. The globalization of the world¶s economy and the resultant exponential increase in the way business is carried out has given rise to a new wave of crime, which requires more attention than traditional forms of violent crimes that currently command the vast share of state law enforcement resources. Territorial boundaries are no longer the barriers, as it may also exist in cyberspace, where corporations, which serve computer and
M. Ponnaian,, July- September 2000 ³Cyber crimes, Modern crimes and Human rights´, P R P Journal of Human Rights, Vol. 4, at 13-14
telecommunications networks also control access. The capacity of criminals has been enhanced to carry out serious offences manifolds due to progress in computer and communications technologies and that too with a greatly diminished risk of apprehension. The defence mechanisms of states appear fragile when it comes to advanced technology, telecommunications and cyberspace. The concept of jurisdiction becomes meaningless when an individual has only an address on a computer network as identity. This century will therefore, be known not only for greater technological innovation, but also be remembered for unpreparedness of legal and law enforcement communities for the cyberspace crime, which is increasing unabated. The everexpanding financial resources of criminals will render them increasingly important players in global financial markets.2 With the advent of the internet, cyberlaw has become an emerging field. Cyberlaw encompasses electronic commerce, freedom of expression, intellectual property rights, jurisdiction and choice of law, and privacy rights.3 There have been various kinds of computer and internet related crimes. In fact, the growth of crime on the internet is directly proportional to the growth of the internet itself, and so is the variety of crimes being committed or attempted.4
FUNDAMENTAL PRINCIPLES OF CRIME The fundamental principles of crime are founded on rules of equity, justice and fair play, which provide adequate guidelines for the formulation of a rational penal policy and at the same time ensure even-handed dispensation of justice to litigants. It is general principle of criminal law
M.P. Shahi,(2000), ³Crime and Corruption in the Digital Age´, at 27 J. Kaufman Winn and R. Warner, ³Course: Law of the internet´, Southern Methodist University School of Law at <http://www.smu.edu/~jwinn/inetlaw.htm> 4 ³Computer and internet Crimes´, at <http://www.cyberspacelaws.com/crime.asp>
that a person may not be convicted of a crime unless the prosecution has proved beyond reasonable doubt that: y He has caused a certain event, or responsibility is to be attributed to him for the existence of a certain state of affairs, which is forbidden by criminal law; and y He had a defined state of mind in relation to the causing of the event or the existence of the state of affairs. Thus, a crime essentially consists of two elements, namely, actus reus and mens rea. ACTUS REUS The word actus connotes, a physical result of human conduct. The actus reus includes all the elements in the definition of the crime except the mental element of the accused. It is not
merely an act but may consist of a state of affairs not including an act at all. Actus reus is defined as ³such result of human conduct as the law seeks to prevent´.5 The actus reus is made up generally, but not always, of conduct, and sometimes it¶s consequences and also the circumstances in which the conduct takes place, or which constitute the state of affairs, in so far as they are relevant. Sometimes a particular state of mind on the part of the victim is required by the definition of the crime. If so, that state of mind is a part of the actus reus.6 Actus reus in internet crimes The element of actus reus in internet crimes is relatively easy to identify, but is very difficult to prove. The fact of the occurrence of the act that can be termed as a crime can be said to have taken place when a person is:
J.C. Smith and B. Hogan,(1988) ³Criminal Law´, at 31-36 Thus, in the prosecution of rape the absence of consent on the part of the prosecutrix is an essential constituent of the actus reus. If the prosecution fails to prove such absence of consent the actus reus is not proved and the prosecution must fail.
making use of computer function;7 accessing data stored on a computer or from a computer which has access to data stored outside;8
attempt to gain access through internet or passes signals through various computers and made computers to perform a function on the instruction which the person gave to the first computer in the chain. Such function can be said to constitute actus reus.9
trying to login, even though attempts are useless.
For example, hackers have an
automated system of trying passwords of different systems, the very running of which can be considered to be a function being performed.10 MENS REA Mens rea is the second essential element, which constitutes crime is called ³a guilty mind´. This construalhad undergone gradual changes until modern criminal law came to regard a guilty mind of some kind or some other such mental element as always being necessary.11 Mens rea consist of a number of different mental attitudes including intention, recklessness and negligence.12 Intention refers to the state of mind of a man who not only foresees but also wills the possible consequences of his conduct. There cannot be intention unless there is foresight, since a man who intends a particular act must have reasonable foresight of the consequences of
This is done by using input devices like the keyboard, mouse, etc A hacker uses an authorized person¶s password to login to any company¶s main server, hoping to gain access to the company¶s customer details. The computer to which he logs in to stores these details in a huge data storage unit, which is, locate elsewhere. The data itself is stored on a magnetic tape. The processing unit of the computer retrieves the information the storage unit. The computer would be thought to include the magnetic tape, and so the data would still be considered as being µheld in a computer¶. See, C. Gringras,(1997) ³The Laws of the internet´, at 216 9 For example, a hacker uses his computer to access an unauthorized account at an Internet Service Provider (ISP). It is enough for the prosecution to prove that either of the computers belonging to the hacker or the ISP were made to function. However, the prosecution would choose to prove that the ISP¶s computer was made to function only when it is not possible or extremely difficult for the prosecution to prove that the functioning of the ISP¶s computer was a result of the instructions given by the hacker unless there is other evidence to prove the same. 10 A hacker oversees a password being entered by someone logging in to a remote computer. The login prompt specifies that the user must be authorized to access the computer. Later, the hacker attempts to use the password himself, but fails owing to the remote computer allowing only one login each day. This would still be actus reus as the rejection itself constitutes a function and this function was caused by the hacker using the password without authorization at the wrong time. 11 Smith and Hogan,(1988)Supra note 7 at 55 12 J.W. Cecil Turner (ed.), Kenny¶s, ³Outlines of Criminal Law´, 18th ed., Cambridge University Press, Cambridge, at 31- 36
such act. Though intention cannot exist without foresight, the converse is not necessarily true, i.e., there can be foresight without intention. A person who does not intend to cause a harmful result may take an unjustifiable risk of causing it. If a man foresees the possible or even probable consequences of his conduct and yet, without desiring them, still persists with such conduct, he knowingly runs the risk of bringing about the unwished result. Such conduct may be defined as recklessness. Finally, a man may bring about an event without having any intention or foresight. He may never have considered the possible consequences of his conduct and the end result may come as a surprise even to him. Under Common Law, there is no criminal liability for harm caused by one¶s inadvertent or unintended and unforeseen conduct.13 Mens rea in internet crimes An essential ingredient for determining mens rea in internet crime, on the part of the offender is that he or she must have been aware at the time of causing the computer to perform the function that the access intended to be secured was unauthorized. There must be, on the part of the hacker, intention to secure access, though this intention can be directed at any computer and not at a particular computer. Thus, the hackerneed not be aware of which computer exactly he or she was attacking. 14 Further, this intention to secure access also need not be directed at any particular or particular kind of, programme or data. It is enough that the hacker intended to secure access to programmes or data per se.15
Professor Kenny gives the example of manslaughter cases where it has been laid down time and again that harm caused inadvertently does not carry criminal liability. Thus, he concludes that there are only two states of mind, which constitute mens rea in criminal law, namely, intention and recklessness. Under Law of Torts harm caused by negligence is interpreted differently. The courts have evolved the concept of ³the reasonable man´ for determining liability in tort law. Thus, a person might be liable for harm caused by his negligence if the consequences of his conduct were foreseeable by a reasonable man in possession of all ordinary faculties and placed in the same circumstances. However, if the consequences were not foreseeable by such reasonable man, then the person would not be guilty for the unintended consequences of his negligent act. 14 This suits the prosecution in matters relating to unauthorized access on the internet, because it is often complicated to prove that a person intended to login to a particular computer. 15 Gringras,(1997)Supra note 10 at 221
Thus, there are two vital ingredients for mens rea for hackers or crackers who gain unauthorized access to the system:
y There must be unauthorized access intended to be secured; y The hacker should have been aware of the same at the time he or she tried to secure the
access. The second ingredient is easier to prove if the accused hacker is a person from outside who has no authority whatsoever to access the data stored in the computer or the computers; however, it is difficult to prove the same in the case of a hacker with limited authority.16 On deeper analysis one finds that our obsolete and primitive civil and criminal statutes of the Common Law vintage have somehow been made to subverse the ends of the present day Indian society primarily through judicial innovation and ingenuity. Needless to add that such statutes are overdue for a total review and replacement. The nature of cyber crimes and the skills involved are such that existing legal framework cannot do much to control and contain the same. In fact, the cyberspace technology has undermined to a major extent the traditional legal concepts like property and has impacted the rules of evidence like burden of proof, locus standi and concepts of µmens rea¶. Cybercrimes have set in a debate as to whether a new legislation is needed to deal with them or existing legal regime is flexible enough to effectively deals with this new form of criminality. Generally the countries that have shown concern to combat cybercrimes have adopted two
A common example of this is where the accused hacker is an employee of a company and is accused of using the companies Intranet outside their authority. The problem arises in such a case of a person who is entitled to limited access but not access of the kind in question i.e. he is exceeding the limits of his authority. The question to be asked here is whether the person knew that he was unauthorized in that sense. The question of fact as to whether the hacker knew the limits of authority is often a finely balanced one. The difficulty with partial authority raises an issue of relevance for server operators also.
strategies, i.e., to approach computer crime both as traditional crime committed by/on high tech computers and as crime unique in nature requiring new legal framework.17 DEFINITION OF CYBERCRIMES Cybercrime has recently become a catchy term for a group of security issues in cyberspace. However, despite its frequent use there is no commonly accepted definition. Surely, cybercrime is related to the realm of computers, however, there is no consensus on whether those computers have to be interconnected or not. Some definitions exclude explicitly computer related crimes that are not committed online, as they view cybercrime in the narrow sense, while others prefer broader definitions including all kinds of computer related offenses. However, it is evident that most computer crimes are committed online. The UN Manual on the prevention and control of computer-related crime provides the following definition of cybercrime: Computer crime can involve activities that are traditional in nature, such as theft, fraud, forgery and mischief, all of which are generally subject everywhere to criminal sanctions. The computer has also created a host of potentially new misuses or abuses that may, or should be criminal as well (UN 1994, par. 22).18 In July 1996, the UK National Criminal Intelligence Service launched a study of computer crime called Project Trawler. In the study the terms computer crime, information technology crime and cybercrime are interchangeable. Project Trawler defines computer crime as follows: An offence in which a computer network is directly and significantly instrumental in the commission of the crime. Computer interconnectivity is the essential characteristic (UKNCIS).19
In America 31 States have passed new legislations to deal with computer related crimes whereas others have amended the definitions of Larceny to include electronic media. See Michael D. Rostorker et al. ³Computer Jurisprudence, Legal Response to the Information Revolution´, (1986) at 344 In India also, the Indian Penal Code has been amended to cover computer related crimes and some such offences have been separately covered under the IT Act, 2000. See also, British Computer Misuse Act, 1990, Singapore Computer Misuse Act, 1993 (as amended 1998), Malaysian Computer Crimes Act, 1997. 18 <http://www.uncjin.org/Documents/irpc4344.pdf> 19 <http://www.ncis.co.uk/newpage1.htm>
According to UNO expert recommendations, the term of ³cybercrimes´ covers any crime committed by using computer systems or networks, within their frameworks or against them. Theoretically, it embraces any crime that can be committed in the electronic environment. In other words, crimes committed by using e-computers against information processed and applied in the internet can be referred to cybercrimes. Cyber or Computer crimes are white-collar crimes and are committed by students, nonprofessional computer programmers, business rivals, individuals having vested interest and criminals. To define such a crime, one has to utter these three points: y y When a computer is used in committing such a crime. When computer technology is responsible for the wrongful loss and wrongful gain of two individuals in a single transaction. y When any person commits an of the following acts, he is guilty of a computer crime: Knowingly or intentionally accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer database, computer, computer system, or computer network in order to(i) Devise or execute any unlawful scheme (ii) Devise to defraud, deceive, or extort, or (iii) Wrongfully control or obtain money, property, or data. Knowingly or intentionally accesses and without permission takes, copies, or makes use of any data or computer database from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.
Knowingly or intentionally accesses and without permission adds, alters, damages, deletes, destroys any data, computer software, computer programs or computer database which reside or exist internal or external to a computer, computer system, or computer network.
Knowingly or intentionally accesses and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.
Knowingly or intentionally accesses and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network.
Knowingly or intentionally accesses and with the intent to defraud, obtains, or attempts to obtain, or aids or abets another in obtaining, any commercial computer service by false representation, false statement, unauthorized charging to the account of another, by installing or tampering with any facilities or equipment or by any other means.
Knowingly or intentionally accesses and without permission accesses or causes to be accessed any computer, computer system, or computer network.
Knowingly or intentionally introduces or allows the introduction of any computer contaminant or computer virus into any computer, computer system, or computer network.20
CLASSIFICATIONS OF CYBERCRIMES: DIFFERENT BASIS The internet with its speed and global access has made these crimes much easier, efficient, riskfree, cheap and profitable to commit. New crimes created with the internet itself or for
Suresh T. Viswanathan,(2001), ³The Indian Cyber laws´, at 81-83
commission of old crimes or incidental for commission of crime.21 Broadly stated, µcybercrime¶ can be said to be an act of commission or omission, committed on or through or with the help of or connected with, the internet, whether directly or indirectly, which is prohibited by any law and for which punishment, monetary and/or corporal, is provided A) Internet crime: The internet crimes include that group of crimes that make criminal use of the internet infrastructure. These are: y Hacking (a) Theft of information (b) Theft of passwords (c) Theft of credit cards numbers (d) Launch of malicious programmes y y Espionage Spamming
B) Web based crime: Web based crimes have been categorized separately and have been further classified separately and have been further classified into four subcategories. (a) Web site related crime y y y y y Cheating and frauds Insurance frauds Gambling Distribution of pornography Sale of pirated software
(b) Crimes through e-mail
Vivek Sood,(2001), ³Cyber Law Simplified´ at 39
y y y y y
Threats Extrotion E-mail bombing Defamation Launching of malicious programmes
(c) Usenet related crime y y y y y Distribution/sale of pornography material Distribution/sale of pirated software Discussion on methods of jacking Sale of stolen credit card numbers Sale of stolen data
(d) Internet relay chat crime y y y y y y Cyberstalking Fraudsters use chat rooms for developing relations with unsuspecting victims Criminals use it for meeting conspirators Hackers use it for discussing their expertise of showing the techniques Pedophiles use chat rooms to allure small children.22
Offences against the confidentiality, integrity and availability of computer data and systems (a) Illegal access (b) Illegal interception (c) Data interference
Subhas P. Rathore and Bharat B. Das,(2001) ³Cyber Crimes: The emerging trends and Challenges, Souvenir, National Conference on Cyberlaws and Legal Education´, NALSAR University of Law, at 56-57
(d) System interference (e) Illegal devices y Offences related to computer (a) Computer-related forgery (b) Computer-related fraud (c) Computer sabotage (d) Cyberstalking y Offences related to contents (a) Offences related to child pornography (b) Offences related to infringements of copyright and related rights y Offences related to crime on web (a) Computer network break-ins (b) Industrial espionage (c) Software piracy (d) Cyber pornography (e) Mail bombings (f) Password sniffers (g) Spoofing (h) Credit card fraud (i) Cybersquatting CIVIL LIABILITY OR CRIMINAL LIABILITY IN CYBERCRIMES The civil offences in Indian law impose only a liability for compensation to the person, who has suffered, while the criminal offences may be punished with imprisonment and fine payable to the
State. There are crimes, which as come under both civil wrong and criminal offences so called as hybrids. Various cyber crimes are there, which are mainly categorized into two broad ways: Civil Liability: Civil liability provides remedy for compensation only which includes following crimes, viz; y y y y y y y y Defamation Cybersquatting Internet time theft Copyright theft Design theft Patent theft Software piracy Spamming
Criminal wrong: Criminal liability provides remedy of punishment to offenders as well as compensation to victims; y y y y y y y y y Cyberstalking Cyber pornography/Child pornography Sending threatening emails Hacking Cracking Sending malicious programmes Denial of service attack Network sabotage Sending virus and worms
y y y y y y y y y y
Sending logic bombs, trojan horse, virus hoax Cyber terrorism/Cyber warfare Cyber frauds Cyber gambling Cyber cheating Forgery Cyber money laundering Credit card frauds Information theft Data theft
OBJECTIVES OF INFORMATION TECHNOLOGY ACT, 2000 The objectives of The Information Technology Act, 2000 are defined as: ³To provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as ³electronic commerce´, which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers¶ Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental thereto.´ In other words, the objectives are:y To grant legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as ³electronic commerce´, in place of paper-based methods of communication;
To give legal recognition to Digital Signature for authentication of any information or matter which requires authentication under any law;
y y y
To facilitate electronic filing of documents with Government departments; To facilitate electronic storage of data; To facilitate and give legal sanction to electronic fund transfers between banks and financial institutions;
To give legal recognition for keeping books of account by Bankers in electronic form.
The first 17 sections of the Act are largely based on Model Law on Electronic Commerce adopted by United Nations Commission on International Trade Law. It contains 94 clauses divided into XIII chapters. It has 4 schedules, Schedule I seeks to amend the Indian Penal Code; Schedule II seeks to amend the Indian Evidence Act; Schedule III seeks to amend the Bankers¶ Book Evidence Act; and Schedule IV seeks to amend the Reserve Bank of India Act. Towards that end, the Act stipulates numerous provisions. It aims to provide for a legal
framework so that legal sanctity is accorded to all electronic records and other activities carried out by electronic means. SALIENT FEATURES OF THE INFORMATION TECHNOLOGY ACT, 2000 The Act has defined cybercrimes for the first time and provided for penalties, punishment and compensation for hacking, unauthorised access to computer networks, altering database, introducing computer viruses, disruption of services, copying of Intellectual Property Rights (IPR) protected software, tampering with electronic documents and committing electronic forgery. The IT Act has a provision of penalties up to Rs. 1 crore for damaging computer systems and three-year jail term with a fine of Rs. 2 lakhs for hackers. But these penalties don¶t mean much if the existing police investigating officers, forensic scientists, and the judiciary are
not familiar with the intricacies of the internet. The Act covers a totally uncharted field with no past experience even in other countries. Accordingly, future modifications, based on experience, are not ruled out. The salient features of the IT Act 2000 are as follows: y y Provides legal recognition to e-commerce, which means that contracts can be enforced. Records can be kept in an electronic form. Written records also mean electronic records for the purposes of law. y Provides legal recognition for digital signatures. Digital signatures to be authenticated by Certifying Authorities. Certifying Authorities. y y Cyber crimes defined for the first time. Adjudicating authorities to decide if cyber crimes have been committed. Also provide cyber regulation advisory committee.23 y The Information Technology Rules, 2000 provides The Information Technology (Certifying Authorities) Rules, 2000 and The Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000.24 y Cyber Law Appellate Tribunal 25 to be set up to hear appeals against adjudicating authorities. y Amendment of Indian Penal Code (1860), Indian Evidence Act (1872), Bankers¶ Book Evidence Act (1891) and the Reserve Bank of India Act (1934)26 to bring them in tune with the information technology regime. Certifying Authorities to be overseen by a Controller of
See also Cyber Regulation Advisory Committee See also The Information Technology Rules, 2000 25 See also Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000 26 See also Schedules to the Information Technology Act, 2000
The Information Technology (Certifying Authorities) Rules, 2000 27 also stipulate the Information Technology Security Guidelines in Schedule II.28
Also provide security guidelines 29 for the management and operation of Certifying Authorities (CAs) and is aimed at protecting the integrity, confidentiality and availability of their services, data and systems.
The Act has paved the way for an exponential growth of e-commerce and other internet enabled services like e-trading, e-shopping and e-banking. The provisions of the Act do not apply to a negotiable instrument, a power of attorney, a trust, a will, and any contract for the sale or conveyance of immovable property, or any interest in such property. It is significant that it applies to any offence or contravention committed outside India by any person (irrespective of his nationality), if it involves a computer, computer system, or computer network located in India. It excludes network service providers from its ambit for any third party information (that is, any information dealt with by them in their capacity as intermediaries) or data made available by them, if they prove that the offence was committed without their knowledge, and they had taken all precautions to prevent such commission. However, more explicitly, various computer crimes that are not yet defined in the Act may be taken up to deal with the rapid technological changes that would be taking place in future. The Information Technology Act 2000 being India¶s first cyber law is the central legislation, which has been passed by the Parliament of India. Interestingly, it applies not only to the whole of India including the State of Jammu & Kashmir but also applies to any contravention or violation committed thereunder by any person anywhere in the world. State Governments have also been given the powers to enact appropriate rules in the field of Information Technology. In
See also The Information Technology (Certifying Authorities) Rules, 2000 See also Information Technology (IT) Security Guidelines 29 See also Security Guidelines for Certifying Authorities
fact, Section 90 of the IT Act categorically states that the State Government may, by notification in the official gazette, make rules to carry out the provisions of the Information Technology Act. The rules to be made by the State Governments may include the electronic forms through which common man communicates with the Government Departments or the format in which electronic records shall be filed, created or issued and the manner of payment of any fee or charges for filing, creation or issue of any electronic record. The State governments have appropriate powers to legislate rules there under, apart from having powers to legislate on various steps enumerated in the State List, which is detailed in the Constitution of India. Of course, it is imperative to note that every rule made by the State Government under Section 90 of the IT Act shall immediately be laid before each House of the State legislature for approval.30 In its resent form, the Act, therefore, not only recognizes the usefulness of e-commerce and provide the necessary safeguards for the transactions by creating a necessary legal framework but it also makes consequential amendments in the Indian Penal Code, Indian Evidence Act, Reserve Bank of India Act and Bankers Book of Evidence Act, so that the offences relating to documents and papers based transactions is made equal to the offences in respect of the transactions carried out through the electronic media and further to facilitate electronic funds transfer between the financial institutions and banks, and also to give legal sanctity to books of accounts maintained in the electronic form by the banks.31 JURISDICTION- THE CONCEPT The effectiveness of a judicial system rests on core of regulations, which define every aspect of a system¶s functioning; and principally, its jurisdiction. A court must have jurisdiction, venue and appropriate service of process in order to hear a case and render an effective judgement.
Pavan Duggal,(2002), ³CyberLaw- The Indian Perspective´, at 1-5 U.K. Chaudhary,Jan 2001 , ³Information Technology Act, 2000: A step in the right direction´, CS vol. 31 at 30-31
Jurisdiction is the power of a court to hear and determine a case. Without jurisdiction, a court¶s judgement is ineffective and impotent. Such jurisdiction is essentially of two types, namely subject matter jurisdiction and personal jurisdiction. Subject matter jurisdiction is defined as the competence of the court to hear and determine a particular category of cases. It requires
determination whether a claim is actionable in the court where the case is filed and personal jurisdiction is simply the competence of the court to determine a case against a particular category whether the person is subject to the court in which the case is filed. These two jurisdictions must be conjunctively satisfied for a judgement to take effect. It is the presence of jurisdiction that ensures the power of enforcement to a court and in the absence of such power, the verdict of a court, is of little or no use.32 INDIAN CONTEXT The Information Technology Act, 2000 passed in India, is illustrative of the prevailing confusion in the area of jurisdiction in the context of the internet. Section 1 of the Information Technology Act, 2000, deals with the issue of applicability of this new law. Normally, the applicability of laws within India can be broadly divided into the following major categories: 1. Laws applicable to all states of India barring Jammu & Kashmir. 2. Laws applicable only to Jammu & Kashmir. 3. Laws applicable to the entire country. Jammu & Kashmir has been granted a special status under the Constitution of India and special laws are applicable to that state. Keeping in mind the universal nature of the impact of computers and Internet, the legislature has decided that the IT Act 2000 shall be applicable to the whole of India including Jammu & Kashmir.
32 Nandan Kamath,(2000) ³Law Relating to Computers internet & E-Commerce : A guide to Cyber Laws & the IT Act,2000 with Rules & Regulations´ at 20
The Act begins by saying, in clause (2) to section 1, that it shall extend to the whole of India and, save as otherwise provided in the Act, it applies also to any offence or contravention thereunder committed outside India by any person. Clause (2) of section 75 of the Act simply states that, ³« this Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India´. Provisions of this nature are unlikely to be effective for a number of reasons. Firstly, it is unfair to suggest that the moment an Indian computer system is used, an action defined by Indian laws as an ³offence´ would be subject to jurisdiction of Indian courts. To illustrate, let us consider a web site located in a foreign country. The site may host content that would be perfectly legal in its home country, but may be considered offensive or illegal in India. If an Indian chooses to view this site on a computer situated in India, does that mean the site can be prosecuted in an Indian courts? This would appear to violate principles of justice. As explained earlier, the judicial trend of examining the amount of activity that a site undertakes in a particular jurisdiction is a far more equitable method to determine jurisdiction. Further, even if Indian Courts are to claim jurisdiction and pass judgements on the basis of the principle expostulated by the IT Act, it is unlikely that foreign Courts will enforce these judgements since they would not accept the principles utilized by the Act as adequate to grant Indian courts jurisdiction. This would also render the Act ineffective. The Indian jurisprudence with regard to jurisdiction over the internet is almost non-existent. In the first place, as the result of the strongly unitary model of government prevalent in India, interstate disputes never assume the level of private international law. Hence, there has been precious little by way of development of private international law rules in India. Furthermore,
there have been few cases in the Indian courts where the need for the Indian courts to assume jurisdiction over a foreign subject has arisen. Such jurisprudential development would however, become essential in the future, as the internet sets out to shrink borders and merge geographical and territorial restrictions on jurisdiction. It is worthwhile to consider the issue of jurisdiction at two levels. In the first place, given the manner in which foreign courts assume jurisdiction over the internet related issues (as evidenced by the cases discussed above), the consequences of a decree passed by a foreign court against an Indian citizen must be examined. In other words, under what circumstance can the decision of a foreign court be enforced against an Indian citizen or a person resident in India? It is necessary to examine the circumstance under which the Indian courts would assume jurisdiction over foreign citizens in order to better understand the rights of an Indian citizen who is affected by the act of a foreign citizen.
CYBERJURISDICTION IN INFORMATION TECHNOLOGY ACT, 2000 However, the law has gone much further. It shall also apply to any violation or contravention of the provisions of this Act done by any person anywhere in the world. By means of this provision, the law is assuming jurisdiction over violators of The Information Technology Act, 2000 outside the territorial boundaries of India. This provision is explained perhaps by the unique nature of cyberspace, which knows no boundaries. The Information Technology Act, 2000 specifically provides that unless otherwise provided in the Act, the Act also applies to any offence or contravention thereunder committed outside India by any person irrespective of his nationality.33 It is however clarified that the Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention, involves a
Sec. 1(2) of IT Act, 2000
computer, computer system or computer network, located in India.34 The words ³act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India´ are very significant to determine jurisdiction ofthe IT Act over acts committed outside India. For assuming jurisdiction over an act constituting an offence or
contravention under the IT Act, which is committed outside India, it has to be proved that the said act involves a computer, computer system or computer network located in India. For instance, where a website is created in the US which contains pornographic material, it shall not give the IT Act jurisdiction to question the site unless the creation or maintenance or running ofthe site involves a computer, computer system or computer network located in India. But where the said website uses a server or any other computer network located in India, the IT Act would assume jurisdiction to question the website under section 67 of the IT Act. Another instance to explain the jurisdiction of the IT Act is where a person from the US hacks a computer system or network in India, section 66 of the IT Act would come into play to punish the accused for hacking because his act involves a computer in India. Similarly, where a person anywhere in the world plants a virus into a computer system located in India, he would be liable under section 43(c) of the IT Act to pay damages by way of compensation net exceeding Rs 1 crore to the victim. Section 75 of the IT Act is restricted only to those offences or contraventions provided therein and not to other offences under other laws such as the Indian Penal Code, 1860. Jurisdiction over other cyber crimes, for instance under the Indian Penal Code, 1860, has to be determined by the provisions of the Criminal Procedure Code, 1973. The fundamental principle on jurisdiction is the same under the IT Act35 and the Criminal Procedure Code, 1973, though stated differently.
Sec. 75 of IT Act, 2000 Sec. 1(2) r/w Sec 75 of IT Act, 2000
The basic legal principle of jurisdiction under the Code of Criminal Procedure, 1973 is that every offence shall ordinarily be inquired into and tried by a court within whose local jurisdiction it was committed. 36 These principles in the Code of Criminal Procedure, 1973 apply for
determining jurisdiction in trial by courts as well as in investigation by the police. In a case where an offence is committed in more places than one, or partly in one place and partly in another, or where it is continuing and continues to be committed in more than one local area, or where the offence consists of several acts done in different local areas, then it may be inquired into or tried by a court having jurisdiction over either of such areas.37 In the event where it is uncertain in which of several areas the offence was committed, again it may be inquired into or tried by a court having jurisdiction over either of such areas of uncertainty.38 In a case where an act is an offence by reason of anything, which has been done and of a consequence, which has ensued, the offence may be inquired into or tried by a court within whose local jurisdiction such act has been done or such consequence has ensued.39 For instance, in a case of defamation, either of the courts, i.e. of the place from where the defamatory letter was e-mailed and the place at which it was published or received, if different, shall have jurisdiction to inquire and try the same. To cite another instance; where in pursuance of misrepresentation by A through e-mail from place X, property was delivered at place Y, A can be tried for the offence of cheating either at place X or Y. In a case where a person in Bombay does an act of hacking of a computer system located in Delhi, he may be tried either in Bombay or Delhi. In a case where an act is an offence by reason of its relation to any other act which is also an offence or which would be an offence if the doer was capable of committing an offence, the first mentioned offence may be inquired into or tried by a court within whose local jurisdiction either
Sec. 177 of Cr.P.C., 1973 Sec. 178 of Cr.P.C., 1973 38 Sec. 178(a) of Cr.P.C., 1973 39 Sec. 179 of Cr.P.C., 1973
of the acts was done. For instance, in a case of manufacture of sub-standard fertilizer in place X, which is marketed through e-commerce at place Y, prosecution can be launched at either of the said places because the marketing of the sub-standard fertilizer is an offence by reason of substandard manufacture. Certain specified offences have been required by law to be inquired into or tried in certain places.40 For instance, an offence of criminal misappropriation or of criminal breach of trust, may be inquired into or tried by a court within whose local jurisdiction the offence was committed or any part of the property which is the subject of the offence was received or retained or was required to be returned or accounted for, by the accused person.41 For example, if an employee of a company based at Delhi, by operating through the internet bank account of his employer company in a Bombay bank, transfers funds to his account at Calcutta, the case of misappropriation can be tried either at Delhi or Bombay where the offence was partially committed or at Calcutta where the money was received and retained. The law also provides that in the case of any offence which includes cheating, if the deception is practiced by means of letters or telecommunication messages, it may be inquired into or tried by any court within whose jurisdiction such letters or messages were sent or where the same were received. 42 Moreover, any offence of cheating and dishonestly inducing delivery of property may be inquired into or tried by a court having jurisdiction on the place where the property was delivered by the person deceived or where it was received by the accused person.43 In a case where two or more courts take cognizance of the same offence and a question arises as to which of the courts has jurisdiction to inquire into or try that offence, this question shall be
Sec. 180 of Cr.P.C., 1973 Sec. 181 of Cr.P.C., 1973 42 Sec. 182 of Cr.P.C., 1973 43 Sec. 182 of Cr.P.C., 1973
decided by the High Court, under whose jurisdiction both such courts function.44 However, if the courts are not subordinate to the same High Court, the question of jurisdiction shall be decided by the High Court within whose appellate criminal jurisdiction the proceedings were first commenced.45 In such circumstances, all other proceedings with respect to that offence shall be discontinued. Where two or more courts have jurisdiction over an offence, the choice of the court for institution of the case lies with the complainant. He will obviously choose the forum, which is most convenient for him and most inconvenient for the accused. The law of jurisdiction stated in the Criminal Procedure Code, 1973 and section 75 of the IT Act, 2000, as discussed herein, is clear, specific and covers different situations which are likely to generally arise in cyber crime cases. The internet by its nature and purpose operates when the parties interacting or transacting are not physically face to face with one another. Due to the global access of the internet, cyber crimes generally tend to transcend or disregard geographical boundaries. These factors imply that in most cases of cyber crime, except where insiders are involved, there would be two or more places, one from where the cyber criminal inflicts the injury-for instance hacks, and the place where the injury is inflicted-for instance at the location of the victim computer, which is hacked. This is in contrast to traditional crimes of rape, murder and kidnapping where the criminal and the victim are at the same place. Moreover, every criminal makes all possible attempts to conceal his identity and place of operation. Alibi is a common defence in criminal matters. This basic tendency of a criminal coupled with the permissible anonymity provided by the internet makes the cyber criminal almost invisible. Thus, in terms of practical application of the law of jurisdiction over cyber crimes, in most cases, the
Sec. 186 (a) of Cr.P.C., 1973 Sec. 186 (b) of Cr.P.C., 1973
place of jurisdiction shall be where the victim is inflicted with the injury, whether personally, for instance by fraud, or on his computer, computer system or computer network. There is a valid point in the criticism that such a law assuming extra territorial jurisdiction passed by the legislature is not enforceable in the real world. It is contrary to the principles of international law to assume jurisdiction over citizens of another country, and so, it is likely to lead to conflict of jurisdiction of different courts situated in different national jurisdictions. Also it is important to note that there are differences between national legislations, laws, legal processes and procedures. Further compounding the problem is the issue that a particular act in one national jurisdiction is legal and not barred by law but the same activity is illegal and barred by law, prevailing in another national jurisdiction. Another ground of criticism has been that Section 1 does not lay down the parameters of how such a provision would be enforceable in practical terms across transnational boundaries and jurisdictions. Governments can take recourse to the extradition process to bring to book the cyber criminals outside the territorial jurisdiction of their country, provided there is a valid extradition treaty in place between the relevant countries. But the route, as stipulated in Section 1 of the IT Act, 2000 is likely to throw up a complex arena of difficulties in actual day-to-day implementation. The existing international law pertaining to sovereignty of a nation also details that a sovereign notion can make laws affecting people who reside within its territorial boundaries. However, the birth of Internet has seen geography become history and transactions taking place over networks are transnational in nature, thereby complicating the entire issue of jurisdiction. This becomes all the more evident from the emerging principles from various judgments relating to Jurisdiction over Internet. From the beginning of Internet, the issue of jurisdiction has continued to challenge
legal minds, societies and nations in the context of the peculiarly inherent character of the Internet. Section 1(2) and Section 75 of the IT Act, 2000 provide for extra-territorial jurisdiction of the Indian courts, which, however, seem implausible to be implemented. The courts in India at present have not been uniform in following the US trend of asserting jurisdiction on the basis of active accessibility of site. So far, in various Internet domain names related cases, the Delhi High Court has assumed jurisdiction merely on the basis of accessibility of Internet. In the famous Yahoo! France case entitled Yahoo! Inc. v. La Ligue Contre Le Racisme et L µAntisemitisme46, the judicial thinking on jurisdiction got further refined. This judgment has far reaching significance and consequences on the entire subject of jurisdiction. Till now, the courts anywhere in the world could assume and were assuming jurisdiction on Internet transactions and websites that were located outside the country. This decision underlines the principle that even if a foreign court passes a judgment or direction against a legal entity of a particular country say country A, then that judgment or direction would not be applicable automatically to country A¶s legal entities or citizens. The decision or direction of the foreign court will need to be scrutinized by country A¶s courts keeping in mind the touch stone and basic principles enshrined in the Constitution of the country as also enshrined in the local laws of that country, before it can be enforceable in country A. It is evident that the courts are looking into the totality of the circumstances when determining whether to exercise jurisdiction over individuals involved in Internet related activities. However, the coming of the Zippo case in the US changed the legal principles concerning assuming of jurisdiction. In this case, the American Court decided that there must be ³something more´ than mere Internet access in order to enable the court to assume jurisdiction. It is yet to be seen how the Indian approach on jurisdiction emerges with the coming of the IT Act, specially Section 1
2001 U.s. Dist. LEXIS 18378 (N.D. Cal. 2001) & 145 F. Supp. 2d 1168 (N.D.Cal. 2001)
(2) and Section 75 (1) of its provisions, which specifically provides for its extraterritorial jurisdiction. This extraterritorial jurisdiction all across the world can be exercised if the offence or contravention of the IT Act concerns or impacts or affects a computer, computer system or computer network which is located in India. In practical terms, such an extraterritorial jurisdiction can hardly be enforced given the present growth and context of international Law, Cyber law and cyber space. As per sub-section (3) of Section 1, the Information Technology Act, 2000 shall came into force on such date as the Central Government may by notification appoint. The Central Government issued a notification on 17th October 2000 bringing into force The Information Technology Act, 2000. POSITIVE ASPECTS OF THE INFORMATION TECHNOLOGY ACT, 2000 The Information Technology Act, 2000 is a laudable effort to create the necessary legal infrastructure for promotion and growth of electronic commerce. Prior to the coming into effect of the IT Act, 2000, the judiciary in India was reluctant to accept electronic records and communications as evidence. Even email was not accepted under the prevailing statutes of India as an accepted legal form of communication and as evidence in a court of law. The IT Act, 2000 changed this scenario by legal recognition of the electronic format. Indeed, the IT Act, 2000 is a step forward. From the perspective of the corporate sector, the IT Act 2000 and its provisions contain the following positive aspects: 1. The implications of these provisions for the corporate sector are that email is now be a valid and legal form of communication in our country, which can be duly produced and proved in a court of law. The corporates today thrive on email, not only as the form of
communication with entities outside the company but also as an indispensable tool for intra company communication. Corporates ought to understand that they shall need to be more careful while writing emails, whether outside the company or within, as emails, in whatever language, could be proved as a legal document in a court of law, sometimes to the detriment of the company. Even intra company notes and memos, till now used only for official purposes, shall come within the ambit of the IT Act, 2000 and will be admissible as evidence in a court of law. A lot would of course depend upon how these emails are proved in a court of law. 2. Companies shall be able to carry out electronic commerce using the legal infrastructure provided by the IT Act, 2000. Till the coming into effect of the Indian cyberlaw, the growth of electronic commerce was impeded in our country basically because there was no legal infrastructure to regulate commercial transactions online. 3. Corporate will now be able to use digital signatures to carry out their transactions online as legal validity and sanction given under the IT Act, 2000. 4. The IT Act, 2000 also throws open the doors for the entry of corporate in the business of being Certifying Authorities for issuing Digital Signature Certificates. The law does not make any distinction between any legal entity for being appointed as a Certifying Authority so long as the norms stipulated by the IT Act, 2000, rules and regulations made thereunder have been followed. 5. The Act also enables the companies to file any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate government in the electronic form as may be prescribed by the appropriate government, thereby saving costs, time and wastage of precious manpower.
6. Corporate is mandated by different laws of the country, to keep and retain, valuable and corporate information. The IT Act, 2000 enables companies legally to retain the
information in the electronic form, if y the information contained therein remains accessible so as to be usable for a subsequent reference; y the electronic record is retained in the format in which it was originally generated, sent or received or in a format, which can be demonstrated to represent accurately the information originally generated, sent or received; y the details, which will facilitate the identification of the origin, destination, date and time of despatch or receipt of such electronic record, are available in the electronic record. 7. The IT Act, 2000 addresses important issues of security, which are so critical to the success of electronic transactions. The Act has given legal definition to the concept of secure digital signatures, which would be required to have been passed through a system of a security procedure, as agreed to by the parties concerned. In times to come, secure digital signatures shall playa major role in the New Economy, particularly from the perspective of the corporate sector, as they will enable more secure transactions online.
GREY AREAS OF THE INFORMATION TECHNOLOGY ACT, 2000 1.The IT Act, 2000 purports to be applicable to not only the whole of India but also to any offence or contravention thereunder committed outside India by any person. This provision in Section 1 (2) is not clearly drafted. It is not clear as to how and in what particular manner, the Act shall apply to any offence or contravention thereunder committed outside India by any
person. 2. There is no logic in excluding negotiable instruments from the applicability of the IT Act, 2000. The net effect of this exclusion is that any dispute regarding payments, received by means of any negotiable instruments for an e-commerce transaction, are excluded from the protection of the IT Act, 2000. It refers to promoting electronic commerce and begins by excluding
immovable property from the ambit of electronic commerce, a reasoning that defies logic. 3. The IT Act, 2000 has failed to legalize electronic fund transfer in the country. The IT Act, 2000 does not recognize the concept of electronic payments, digital cash, electronic cash, electronic money or other existing systems of electronic payments. 4. Domain names have not been defined and the rights and liabilities of domain name owners do not find any mention in the law . 5. The IT Act, 2000 does not deal with any issues concerning the protection of Intellectual Property Rights. 6. The language of Section 40 of the IT Act, 2000. Section 40 provides for generating key pairs in Chapter VIII dealing with the duties of subscribers. It states that where any Digital Signature Certificate, the public key of which corresponds to the private key of the subscriber, which is to be listed in the Digital Signature Certificate, has been accepted by a subscriber, then, the subscriber shall generate the key pair by applying the security procedure. The entire wording of Section 40 is faulty and has been shown in such a way as to denote that the acceptance of the Digital Signature Certificate precedes the generation of key pair by the subscriber. 7. IT Act, 2000 covers only a limited number of cyber crimes such as damage to computer source code, hacking, publishing obscene electronic information, breach of protected systems, publishing Digital Signature Certificates false in certain particulars or for fraudulent purposes.
Barring these offences, no other cyber crimes are covered under the IT Act. The IT Act 2000 does not cover various cybercrimes including cyber stalking, cyber harassment, cyber defamation, cyber terrorism, spamming, cyber fraud, cyber gambling, Theft of internet hours, Cyber theft, Cyber Cheating, Cyberventing, Credit Card Fraud, Cyber Forgery, Identity Fraud, E-mail Spoofing, Credit Card Fraud, Chat room abuse, Cyber Money Laundering, Password Sniffing, Spamming, Electronic Evesdropping, Child Pornography, Mail Bombing, E-mail Scams, etc. 8. The IT Act, 2000 is silent on covering all kinds of offences dealing with abuses of chat rooms. 9. The IT Act, 2000 is that it is silent on the issue of online credit card payments, misuse and misappropriation of credit card numbers online. 10. The IT Act, 2000 is completely silent about the bailability or otherwise of the offences prescribed in Chapter XI. There is no categorical mention at any point in Chapter XI from Section 65 till Section 78 as to whether the offences prescribed under the sections are bailable or not. 11. The Information Technology Act, 2000 has not tackled several vital issues pertaining to ecommerce sphere like privacy and content regulation to name a few. Privacy issues have not been touched at all. The right to privacy is recognized as a fundamental right under Article 21 of the Constitution. CHALLENGES OF CYBER CRIME IN INDIA Cyber crime in India is no longer an illusion. The situation could go out of hand if computer users, both in the government and the private sector, do not sit up and brace themselves to the challenge. For the police, the temptation especially to view attacks on computer systems, as just
another form of crime is great. Three aspects of cyber crime deserve focused attention. These are: y y y the legal safeguards that are available; the adequacy of training of prosecutors and the judiciary; and the nature of links forged by the Indian police with foreign law enforcement agencies so that cooperation in matters of investigation and training is readily forthcoming. Cyber crime does not recognise national borders. More than 30 countries have separate laws in their statute book to check this menace. This Act is solely meant to quell cyber crime. It is a piece of legislation intended mainly to lend legal recognition to e-commerce. It is also meant to facilitate electronic filing of documents with the government agencies. The Indian Penal Code is so well drafted that offences not listed in the IT Act right now can still be tackled through it, till such time we are convinced that the IT Act needs to be recast in order to cope with the expanding contours of cybercrime. We may also have to examine whether we need more than one enactment. The volume and nature of cybercrime in our country would demand in course of time a variety of laws. Apart from private digital enterprises, law enforcement agencies
including the Central Bureau of Investigation (CBI), the Enforcement Directorate, the Directorate of Revenue Intelligence and the Income-Tax Investigation Wing, could provide valuable inputs to the government. There is also the need to draw from the international
experience. No systematic effort has been made till now to impart training to prosecutors and judges, although there is evidence of their keenness to become knowledgeable. Possibly, the initiative may have to come from law enforcement agencies that have quality instructors and training institutions. It is not difficult to draft special capsules for this purpose. Policing in cyber space was a challenging job.
CONCLUSION In sum, though cyber space is a global phenomenon that cannot be easily tackled but the Information Technology Act, 2000 is a great step forward and it is the right initiative at the right time. There is no doubt that such a law is absolutely necessary in the country today. The medium that the Act seeks to regulate and facilitate has so profound an impact on human life that it is beyond the comprehension of contemporary visionaries. It is perhaps only in hindsight, several years later, that the extent and scale of the impact could be gauged. It could not therefore have been allowed to run lawlessly without any system of checks and without clearly defined rights and liabilities and forums in which to enforce them effectively. The law has not, therefore, come a moment too soon and it is sincerely hoped that the Act would pave way for proper legal control regime at national level.