Chapter 16
CYBER CRIMES: CYBER CONTRAVENTIONS & CYBER OFFENCES

Synopsis
Cyber crime
Classification of cyber crimes
Prevention of cyber crimes
Cyber crimes existing in the society
Cyber Crimes: Cyber offences and cyber contraventions under Information Technology Act, 2000
16.5.1 Cyber contraventions under Information Technology Act, 2000
16.5.1.a Penalty and compensation for damage to computer, computer system, etc. [Section 43]
16.5.1.b Compensation for failure to protect sensitive personal data [Section 43A]
16.5.1.c Penalty for failure to furnish information, return, etc. [Section 44]
16.5.1. Residuary penalty [Section 45]
16.5.2 Adjudication of contravention [Section 46 & 47]
Cyber offences [Section 65-78]
16.6.1 Essentials of cyber offences
16.6.2 Cyber offences under the Information Technology Act, 2000
16.6.3 Extra-territorial jurisdiction & miscellaneous provisions relating to offences

On the one hand new technologies have facilitated the commission of old crimes by the bad elements and at the same time new crimes have originated, commonly called cyber crimes.

248 Cyber Laws & Information Technology Chap. 16

United Nations has foreseen this problem way back in 2000 and gave ‘warning signals that ... for purposes of all forms of economic and sexual exploitation’. Criminals under pseudo identities enter the internet “chat-rooms” and exploit helpless women, girls, children, and even men. Jurist Lalitha Sridhar rightly pointed out that “Our understanding of the virtual world is woefully slim; and of cyber crimes, even less.
But, as law enforcers are finding out, their effect on the real world is devastating”. Therefore, the effect of cyber crimes committed through virtual world on the real world is devastating.

Historically, the first recorded cyber crime took place in the year 1820 when Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom. This device allowed the repetition of a series of steps in the weaving of special fabric. This resulted in a fear amongst Jacquard's employees that their traditional employment and livelihood were being threatened. They committed acts of sabotage to discourage Jacquard from further use of new technology.

In fact the term ‘Cyber Crime’ is frequently used in 21st century knowledge society and is created by combination of two words, cyber and crime. The term cyber denotes the cyber space i.e. virtual space, and it means the informational space modeled through computer, in which various objects or symbol images of information exist. Therefore it is the place where the computer programs work and data is processed.

... refers to a social and economic phenomenon ... society. Crime is a legal concept and has punishment under ... We can say that crime is a legal wrong that can be followed by criminal proceedings which may result into punishments. The hallmark of criminality is that it is breach of the criminal law. As per Lord Atkin, “the criminal quality of an act cannot be discovered by reference to any standard but one: is the act prohibited with penal consequences”.

Thus a simple definition of cyber crime is any unlawful act where computer is either tool or target or both. However, some other definitions are:

“Cyber crime may be said to be those species, of which, genus is the conventional crime, and where either the computer is an object or subject of the ...

Footnotes:
1 United Nations, The Beijing “Outcome Document”, New York, 2000.
2 Sridhar, Lalitha, “Cyber Crimes and the Real World”, Women's Feature Service, http://www.surinenglish.com/noticias.php?Noticia=286, 8-14 August, 2003.
Source (http://cybercrime.planetindia.net/intro.htm) accessed on 28.09.2008.
Granvil ilians Brain's Med: How They Are Related (996,
Proprietary Articles Trade Association v. A.G. for Canada, (1932).
Cyber Crime by Parthasarathi Pati, available at http://www.naavi.org/pati/pati_cybercrimes_dec03.htm.

“Any criminal activity that uses a computer either as an instrumentality, target or a means for perpetuating further crimes comes within the ambit of cyber crime.”

Another name of cyber crimes is computer crimes, and important definitions of computer crime are:

“Computer crime is an intentional act associated in any way with computers where a victim has suffered or could have suffered a loss, and a perpetrator made or could have made a gain.”

“Any illegal or unauthorized activity involving computers can be treated as computer crime. The crime can be against an individual or an organization. It can even be against the nation, endangering or threatening to endanger its integrity and security.”

“Computer crime is an individual's attempt, fraudulent or otherwise, to prevent the computer to perform its duties as designed, or to slow down its operations, or to corrupt the data or software, or to copy the data or software without proper authority.”

“Computer crime can broadly be defined as the occurrence of one or the ... in a computer environment. The events are ... programme, ... stealing of data or programmes in any manner, unauthorised (physical and/or logical) entry into the computer network environment.”

“The US Department of Justice defined computer crime as any illegal act that essentially requires the knowledge of computer technology for its perpetration, investigation, or prosecution.
Accordingly, the offences that constitute computer crime are intrusion of the public switched network, computer network intrusion, network integrity violation, privacy violation, and industrial espionage.”

The computer may be used as a tool in the various activities such as financial crimes, ..., pornography, online gambling, intellectual property crime, e-mail spoofing, forgery, cyber defamation, cyber ...

The computer may however be target for unlawful acts in some other cases such as unauthorized access to computer/computer system/computer networks, theft of information contained in the electronic form, e-mail bombing, ..., salami attacks, logic bombs, trojan attacks, Internet ..., web jacking, theft of computer system, physically damaging the computer system.

Basically cyber crimes are aimed at stealing the computer, damaging information, or stealing information. Computer crime is not necessarily technical in origin. Most criminal acts against computers do not directly involve technology. In fact, 72 percent of the computer crimes reported to the FBI in 2003 involved simple hardware theft.

... compared to 2001. In that year alone, federal officials arrested 135 cyber criminals and seized over $17 million in assets. Criminal actions included setting up fraudulent bank websites to steal account information from unsuspecting customers, auction fraud, and non-delivery of merchandise. Credit and debit card frauds were significant in 2002.

Footnotes:
Pavan Duggal, convergence on cyber crime, available at http://www.cyberlawindia.com/convergencearticle.htm.
Dr. R.K. Tewari, P.K. Sastry and K.V. Ravi Kumar, Computer Crime and Computer Forensics, pp. 63-64, (2002).
The losses reported by the victims totaled $54 million, versus $17 million the year before, and complaints referred to law enforcement totaled 48,252 compared to 16,755 in 2001.

Classification of cyber crimes

Whether an old crime is committed on or through computer or a new crime is committed, cyber crimes are of following types:
(i) Crimes “on” the Internet;
(ii) Crimes “of” the Internet; and
(iii) New crimes used for commission of old crimes.

(i) Crimes “on” the Internet: These are the old crimes which are committed on or through the new medium of the Internet. For example, cheating, fraud, misappropriation, defamation, threats, etc., committed on or through or with the help of the Internet. The Internet with its speed and global access has made these crimes much easier, efficient, risk-free, cheap and profitable to commit.

(ii) Crimes “of” the Internet: These are new crimes committed with the help of Internet itself, such as hacking, planting viruses and IPR thefts.

(iii) New crimes used for commission of old crimes: For example, where hacking is committed to ...

Further depending ... classified under three heads:
(i) Against individuals;
(ii) Against organizations; and
(iii) Against society at large.

(i) Against individuals: Under this category ...
(a) Harassment via e-mails.
(b) Cyber-stalking.
(c) Dissemination of obscene material.
(d) Defamation.
(e) Unauthorized control/access over computer system.
(f) Indecent exposure.
(g) E-mail spoofing.
(h) Cheating and fraud.
(i) Computer vandalism.
(j) Transmitting virus.
(k) Net trespass.
(l) Unauthorized control/access over computer system.
(m) Intellectual property crimes.
(n) Internet time thefts.

(ii) Against organizations: Against organization it can be through the means of:
(a) Unauthorized control/access over computer system.
(b) Possession of unauthorized information.
(c) Cyber terrorism against the government organization.
(d) Distribution of pirated software etc.
(lit) Against society af large: Under this category it can be through: (@ (b) © @) Pomograpiy (basically child pornography). Polluting the youth through indecent exposure. ‘Trafficking. Financial crimes. Sale of illegal articles, yer Crimes: Cyber Contraventions & Cyber Offences ~~, Benes es of this form of computer emet sites like Yahoo, CNN” ise and their variants a1ooLoran act IPievioltionyy online SETS any Te hi-tech ee Cyber Laws & Information Technology Chap. 16 Chap. 16 cel information hacked from computer systems: EXIT crimes is the denial of service attacks on popular into! etc. and the spreed of the ‘Melissa’ and “I Love vous i) Computer as a tool of crime: Computer can be (ii) Computer a of ie s can also, mes, Such crimes (i) Social cyber crimes: In some countries problems have arisen by use of new ICTS eg. trafficking in women and children for purposes of all forms of evonomic and sexual exploitation. Someiime criminals under pseudo identity enter the Intemet chat room and exploit helpless women and girls, Further studies have shown that about 60% pf websites are sexual in content and 20% of c f 5 them solicited their visitors. Main social crimes are: ef iegal oad. Comp inelude automated cequioment for committing traditional es ioe a ermachine (ATM) frauds; credit card frauds; frauds involving E frauds; counterfeiting and software piracy. These are also called computer Hae coer ed the computer is sed as an active weapon for perpetuating assisted crimes. When the computer is used as per the crime, itis also termed as ‘information crime’, as it could not be committed E in absence of informaticn technology. 1ess to Crime: A computer need not be only victim fines o the offence, The examples of Computer as a Witness to Crime are the money launde! bulietin board system (BBS tie Purulla arms drop case, wherein the dewils of monetary Wansactons Were siored in a laptop computer). 
Further a computer system may be used to detect information, which assists the c ime, For example, ‘an employee of Barclays Bank in the USA used the banis’s computer to discover | a dormant account, forged the account holder's signature and withdrew £2,100, In such cases the computer is incidental to other crimes, (5) Based on nature, source and motive Depending upon source, nature, motive following types: ® Computer crimes, (ii) Computer-related. crimes __ (iii) Network crimes E (i) Computer crimes: Cor misuse _is_a_crime_comn a computer_systsm_or other digital media. It includes digit ch as : compte ating Wee aos) wean ee unauthorised intrusion or abuse. i) Computerarelated crimes: Such crimes include computer Gomo} theft of intellectual tware copyright etc, JF) Somoprephs (iii) Network crimes; iler_network crime or t (@) Trafficking. (b) Cyber obscenity and pomography (©)_ Cyber terrorism, (4) Cyber fraud, (e) Cyber gambling. . ii) Economic eyber-crimes: Economic offences affecting more than $1.2 (Git) Computer as a} tillion E-commerce industry worldwide include following, (2) Cre (©) System corruption (6) Intemet Fraud. (@) Dot com job scams. (©) Compo (f) Mafia and drug peddlers. (2) Mult-site gambling websites. (4) Based on the rote of computers) Depending upon the role played by the computer in perpetrating crime, the computer may be involved as a victim of crime, or an instrument used to commit a crime or a repository of evidence related to the crime, ie, () Computer as «ictimatcrime;— Tare! wc (ii) Computer as «witness grime () Computer as d victim) of crime: A computer or a computer network could be the target of an offence wherein the computer becomes the victim~In such ceases, the computer's ity, integrity, or accessibility ig attacked) The informa ‘tored of the service provided by the victim 1s jor the victim is J crippled and damaged. 
Such crimes involve disrupting the functioning of the Computer, computer systems or computer network; corrupting the operating {ystem and programmes; theft or disturb data/information (e.g. marketing information), intellectual property violations and blackmailing by usi ing personal a mee 1 Dr Rik, Tovar, PAK, Say and KV, Rani Kuma, Compuler 6 ‘omer Forensics, pp. 63-68, (2002), vinta lit Card schemes (Australian Lottery). -and political espionage. mputer as «tool pf crime; and 1 Dr RK. Tewari, PAK. Sastry and K.V, Ravi Kumar, Computer Crime and Computer Forensics, p $3468, 2002). types: information common comput Ober Lains & Information Technology Chap. 16 Chap.16 Cyber Crimes: Cyber Contraventions & Cyber Offences 255 remotely located computer, by using the legitimate password, or breaking the password, Such data is sold to others at a very high price. * Scavenging: It is a method of obtaining or re-using the informatjon, which might have been left-afier-processing. in or around a computer system. Depending upon the criminal activities, computer crimes are of followi @) Physical crimes: (ii)_Data-related crimes; iii) Software-related crime: (iii) Software-related crimes: In such_crimes, the system as well_as the i) Software-related crimes. application Solfware are affected or camupted. As his Ts a very sophisticated {@ Physical crimes: The physical crimes are related to computer or its form of crime and is much more dangerous so it is difficult to detect. Further it associated peripherals, Hardware, software or the computer time. involves changing existing programmes in the computer system or inserting new Examples of such cri Programmes or routines and the computer programmers, analysts and other experts are involved in commissioning or making alterations in the sofiware. 
The E software-related crimes could be perpetrated by using various techniques like ‘d crimes, unauthorised data_or Computer Viruses, Computer Worms, Trojan Horse, Trap Door, Super Zapping, ‘era in the computer systems or the data that Wire-trapping, Time Bombs, Logic Bombs and Salami Logic. fred is altered. suppressed or corrupied by the criminals S0-us-to in undue advantages. Computer fraud by input manipulation is the most me. which is easy to perpetrate and difficult to detect. The crimes could further be sub-classified into one of four main cs aré thefi? breakege, destroying the data, output or Media and inter-processing manipulations (ii) Data-related crimes: In the data-relate é digital form ig should be er © Seay wrt : Itis always recommended to keep changing the password at regular infervals. ae one gets the tip-off being Se ly action can taken. + Data diddling: Data didd © most common form of computer, crime, which is carried out by input manipulations It involved changin the_data, with malicious intentions, during or before feeding it into a Computer and provides undue advantage to a specific party. It also includes adding fraudulent input data, altering the input data, omitting the desired input data, wrongly posting a transaction, making alterations or additions in the master file records, posting the transactions partial destroying the output, and substituting the counterfeit output. Such type of changes can be affected by anyone associated with the process of creating, recording encoding, examiring, checking, converting and transporting data that enters a computer. * Data leakage: It involves illegally copying the master file infarmation of | the computer for ransom, blackmailing or any other fraudulent purposes, Install all necessary softwares at Data spying: It is important to note that for spying_on the sen information of a person, his computer network is assessed fr Dr. RK. Tewari, PK. Sastry and K.V. Ravi Kumar, Co Forensics, pp. 63-68, (2042). 
* Always keep backup of the data stored on your computer to safeguard against virus.

16.4 Cyber Crimes Existing in the Society

1. ...: It is considered to be the ... the Internet. It means publishing or transmitting of any obscene material in electronic form.

2. Cyber stalking or on-line harassment: Cyber stalking is a recent phenomenon and women, generally, are the main ... most serious ... cybercrime. According to the Oxford dictionary stalking means “pursuing stealthily”. Cyber stalking involves following a person's movements across the Internet by posting messages (sometimes threatening) on the bulletin boards frequented by the victim, entering the ... frequented by the victim, constantly bombarding the victim with emails. Therefore, cyber stalking involves threatening, unwarranted behaviour or advances directed by one net user to another user using the medium of Internet and other forms of online ...

Ritu Kohli ... was India's first cyber stalking case. A friend of her husband gave her telephone number in the general chat room. It is important to note that the general chatting facility is provided by some websites like MIRC and ICQ, where a person can easily chat without disclosing his true identity. The friend of husband also encouraged these chatters to speak in slang language to Ms. Kohli. She was stalked by the ... Though the said case came up before 2000, i.e. before the coming into force of the Information Technology Act, 2000, still it was registered and decided under section 509 of IPC.

3. Cyber defamation: In general, defamation means to lower down the reputation of a person without justification. However, when defamation takes place with the help of computers and/or the Internet it is known as cyber defamation. E.g. someone publishes defamatory matter about someone on a website or sends e-mails containing defamatory information to victim's friends. Therefore, cyber defamation is an act, deed, word or gesture etc. in cyber space to harm reputation of other person.

... derogatory, defamatory and obscene e-mails about its Managing Director. The e-mails were anonymous and frequent, and were sent to many of their business associates to tarnish the image and goodwill of the company. The company was able to identify the employee with the help of a private computer expert and moved the Delhi High Court. The court granted an ad-interim injunction and restrained the employee from sending, publishing and transmitting e-mails, which are defamatory or derogatory ...

4. ...: It means to capture, publish or ... of any person without his or her consent, resulting in violating the privacy of that person.

5. Cyber terrorism: Any act done online with an intent to threaten the unity, integrity, security or sovereignty of a country or to strike terror in the people or any section of the people. Such an act can be denial of access to any person authorized to access computer resource, or securing access without authority, or introducing or causing to introduce any computer contaminant into the computer resource of other person so as to produce following consequences:
* death or injuries to persons; or
* damage to or destruction of property; or
* knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community.
In general cyber terrorism is use of computer resource to threaten the unity, integrity, security or sovereignty of a country or to strike terror in the people or any section of the people and to intimidate or coerce them.

6. ...: Criminals generally get personal or financial credit card information ... persons and sell it to the counterfeiters of credit cards at very high price.

Footnote: http://www.indiaforensic.com/compcrime.htm accessed on 28.08.2010.
For this there is no need to steal credit card ... information on credit and bank card magnetic strips.

7. Cyber forgery: Any alteration ... in (e-)document or creating false ... is called cyber forgery. It is important to note that quality of forged document ... document is indistinguishable from original.

8. Online gambling: There are millions of websites which offer online gambling. In fact, it is believed that ... fronts for money laundering. Cases of hawala transactions and money laundering over the Internet have been reported. Whether these sites have any relationship with drug trafficking is yet to be explored.

Recent Indian case about cyber lotto was very interesting. A man called Kola Mohan invented the story of winning the Euro Lottery. He himself created a website and an email address on the Internet with the address ‘eurolottery@usa.net’. Whenever accessed, the site would name him as the beneficiary of the 16.5 million pound. After confirmation a Telugu newspaper published this as a news. He collected huge sums from the public as well as from some banks for mobilization of the deposits in foreign currency. However, the fraud came to light when a cheque discounted by him with the Andhra Bank for ₹1.73 million bounced. Mohan had pledged with Andhra Bank the copy of a bond certificate purportedly issued by Midland Bank, Sheffields, London stating that term deposit of 16.5 million was held in his name.

9. Computer sabotage [Malware attack]: It means to affect the normal functioning of computer by introducing malwares, i.e. worms, viruses, ... bombs, time bombs, Trojan horses and so on. Generally it is done ... economic advantage over a competitor or to commit any terrorist attack or steal data or program for extortion.

10. Hacking: Another name for hacking is breaking into the computer resource. Depending upon the objective, hacking can be of following types:
(a) Financial or business hacking: This is generally done to cause loss to competitor or to win the confidence of clients. Here hacker often engages in data diddling, i.e. forging or changing ... gain ... attempting to copy data from ... system.
(b) Recreational hacking: This type of hacking is done for ... where hacker attempts to prove his ability without doing any damage to another person.
(c) Intelligence hacking: This type of hacking is done to infringe the creative work of another person. Here also hacker often engages in data diddling, i.e. forging ..., changing record for personal gain or an attempt to copy the data from the penetrated system.
(d) Grudge & Military hacking: This type of hacking is carried out by the hacker with a grievance against some individual or some organisation or against a State, and such attacks are frequent and destructive.
(e) Terrorist hacking: Harm done by terrorist hackers can be catastrophic.

Further, hackers use ... Three important methods are:
(a) Sniffing: It means finding a user's password. There are three ways to sniff a password: password sharing, password guessing and password capture.
* Password sharing: Generally passwords are shared by a person out of simple ignorance where he does not realise that password might be used against his wish.
* Password guessing: In password guessing a hacker tries to guess a user's password and keeps on trying until he catches the right password.
* Password capture: In password capture a program is obtained by some type of malware programme and forwarded to the hacker.
(b) Spoofing: It is an act of disguising one computer to electronically look like another computer to gain access to a system which is generally restricted. In this type of hacking, hackers may alter an email header to make it appear that a request for information originated from another address. They can gain electronic entry by pretending to be at a legitimate computer, which is called IP spoofing. Using this technique, the hacker intercepts a message or gains access to the system by posing as an authorized user. On a network, this is done by altering the message information to make it appear that it originated from a trusted computer.
(c) Social engineering: Social engineering used to be called “running a confidence game”. The hacker may use any number of frauds to “con” victims out of their passwords. It might be as simple as dumpster diving. Just as in identity theft, a password thief searches the victim's trash in order to find useful access information. Another form of social engineering is the “phone survey”, the “application”, and the “emergency situation”. In these situations, a hacker may contact potential victims by phone or email and ask the victims to provide password information for an apparently legitimate reason. This method is sometimes referred to as phishing.

11. ... can be of following three types:
(a) ... copyright infringement: In this case the offender violates the copyright of author by using computer ...
(b) Software piracy: Software piracy is a big problem because it is very easy to ... Anyone can take any software CD and make a copy of it. Every year software companies lose billions of dollars in sale because of software piracy. Though some instructions are generally given by the software developers, pirates pay no attention to such restrictions. In 1994 in US v David LaMacchia, the court did not punish the offender for unauthorised copying of computer program on the ground that he did not get any financial gain from this infringement. However, court held that civil or criminal penalties must be provided to the defendant who is involved in wilful, multiple infringements of the copyrighted software even if the infringer lacks any commercial motive. But the court left it to the legislature to define the crime and to establish penalty.

12. Online espionage: Spying is very important for government and ... about the product and market strategy of their enemy. Electronic media has provided new opportunities ... information by spying.

13. Spamming: The biggest problem while working on email is that a person often receives unsolicited bulk e-mails (UBE) which he has not asked for. This receiving of unsolicited bulk emails is known as spams. The term unsolicited means that mails which are not ... In general unsolicited means unwanted, e.g. junk e-mail. These spams are generally sent by commercial companies as advertisement of their products and services, especially when they were cross-posted to several newsgroups.

14. Phishing: Phishing is an illegal ... information is acquired ... such as passwords and credit ... person/entity by misrepresenting business in an apparently official communication. Therefore, phishing is criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting. Phishing is typically carried out by e-mail or instant messaging and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake.

Footnotes:
http://www.indiaforensic.com/compcrime.htm accessed on 28.08.2010.
For details see chapter ...
Ryder, Guide to Cyber Laws, p. 1077, (2007).
Norton, Introduction to Computers, p. 489 (2006).
Norton, Introduction to Computers, p. 490 (2006).
Ibid.
Crim. A. No. 94-10092-RGS, U.S. Dist. D. Mass. 28.12.1994.
Some jurists believe that cyber crime is a wider term and it includes both cyber offences and cyber contraventions (civil wrong). Under Information Technology Act, 2000 cyber offences are given in Chapter XI (Sections 65-78) whereas cyber contraventions are mentioned under Chapter IX (Sections 43-45).

16.5.1 Cyber contraventions under Information Technology Act, 2000

... wrong where affected person can ...

16.5.1.a Penalty and compensation for damage to computer, computer system, etc. [Section 43]

If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network does any of the following acts then he shall be liable to pay damages by way of compensation to the person so affected:

(a) accesses or secures access to such computer, computer system or computer network or computer resource;

» Access [Section 2(1)(a)]: Access with its grammatical variations and cognate expressions means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function of a computer, computer system or computer network.

Example: Mr. A without the permission of Mr. B or any person incharge of Mr. B's computer secures access to Mr. B's computer; then he shall be liable to pay damages under section 43(a).

Therefore, 43(a) covers cases of cracking computer, computer trespass, violation of privacy and so on.

(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network; or information or data held or stored in any removable storage medium;

It is important to note that Section 43(b) covers three expressions: download, copying and extraction.

Download: It means to retrieve a file from any computer, computer system or computer network without the consent of owner or person incharge.
Copying: It means to retrieve a file from any computer, computer system or computer network and then saving it on hard disk or any removable storage medium.

Extraction: It means retrieving a file from any computer, computer system or computer network and then selectively extracting a part of it.

➢ Data [Section 2(1)(o)]: It means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.

➢ Computer database [Explanation ii to Section 43]: It means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalized manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;

➢ Information [Section 2(1)(b)]: It includes "data, message, text", images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche.

➢ Removable storage medium: It means and includes:
* magnetic media i.e. floppy disk, micro film, magnetic tape, magnetic stripe card; or
* optical storage media i.e. CD, DVD, pendrive;
* punched cards;
* punched tape, etc.

Therefore, Section 43(b) covers the cases of digital copying, data and computer database theft and violation of privacy etc.

(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;

Section 43(c) mainly covers two specific malicious computer codes i.e. computer contaminant and computer virus.

➢ Computer contaminant [Explanation i to Section 43]: It means a set of computer instructions that are designed:
* to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or
* by any means to usurp the normal operation of the computer, computer system, or computer network;

➢ Computer virus [Explanation to Section 43]: It means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource.

It is important to note that even an attempt to introduce such malicious computer code i.e. computer contaminant or computer virus into computer, computer system or computer network of another person without his consent is also a cyber contravention.

Example: Mr. A sends a file infected by computer virus to Mr. B, thus introducing such virus into Mr. B's computer without his consent. Therefore, Mr. A is liable under Section 43(c).

Therefore, Section 43(c) covers any deletion, alteration, damage or modification of any data or computer program by introducing computer contaminant or computer virus into the computer resource of another person.

(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any program residing in such computer, computer system or computer network.

➢ Damage [Explanation iv to Section 43]: It means to destroy, alter, delete, add, modify or rearrange any computer resource by any means.

Further, where a person induces another person to cause damage to the third person then he is also liable under Section 43(d). It is important to note that damage includes both physical as well as virtual damage to any computer, computer system or computer network, data, database or any other program residing in such computer, computer system or computer network.
However, physical damage means manually:
* changing the original or earlier hardware/software configuration of any computer, computer system or computer network; or
* destroying, altering, deleting, adding, modifying or rearranging the files residing in any computer, computer system or computer network.¹

Further, virtual damage means doing any of the following acts by using satellite, microwave, terrestrial line or any other communication media in an unauthorized manner:
* changing the original or earlier hardware/software configuration of any computer, computer system or computer network; or
* destroying, altering, deleting, adding, modifying or rearranging the files residing in any computer, computer system or computer network.²

Example: Mr. A induced Mr. B to cause damage to computer, computer system or computer network of Mr. C then Mr. A is liable under Section 43(d).

Therefore, Section 43(d) covers the cases of computer forgery, etc.

1 Sharma Vakul, Information Technology, Law and Practice, p. 105 (2010).
2 Sharma Vakul, Information Technology, Law and Practice, p. 105 (2010).

(e) disrupts or causes disruption of any computer, computer system or computer network;

➢ Disruption: Literal meaning of disruption is to affect the normal functioning of the computer or unexpected deviation in normal operation of any computer, computer system or computer network.

Example: Mr. A without permission of Mr. B does something whereby affecting the normal functioning of Mr. B's computer. Therefore, Mr. A is liable under Section 43(e).
(f) denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means;

➢ Access [Section 2(1)(a)]: It means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network. However, it involves physical as well as virtual access by manipulating the access code, password, user id, etc. by altering or modifying, dismantling or bypassing or any other means.

Example: Mr. A by altering user ID of Mr. B denies access to him to any computer, computer system or computer network whereby Mr. B was authorised to secure access, hence, he (Mr. A) is liable under Section 43(f).

Example: Mr. A induces Mr. X to deny access to Mr. B to any computer, computer system or computer network by any means where Mr. B is authorized to secure access to such computer, computer system or computer network. Hence, Mr. A is liable under Section 43(f).

Therefore, Section 43(f) covers the cases of any interference in computer, computer system or computer network or any misuse of computer devices etc.

(g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;

It is important to note that Section 43(g) covers both physical as well as virtual assistance provided by any person to another person to access any computer, computer system or computer network.

Example: Mr. A provides any assistance to Mr. B, by any means, to secure access to any computer, computer system or computer network where Mr. B was not authorised to secure access. Hence, Mr. A is liable under section 43(g).

(h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

It is important to note that the main object of Section 43(h) is to protect the rights of an account holder of an Internet service provider so as to prevent theft, misappropriation, fraud, or forgery of access code, user ID or password etc. by a person on behalf of another person by tampering with or manipulating any computer, computer system or computer network.

Example: Mr. A is an intermediary providing service to B and C (account holders). For services availed of by B, charges are received by the intermediary (A) from C by tampering with or manipulating any computer, computer system or computer network.

Therefore, it covers cases of online fraud and phishing (an illegal act whereby sensitive information, such as passwords and credit card details, is fraudulently acquired by a person/entity by misrepresenting himself as a trustworthy person or business in an apparently official electronic communication, such as an e-mail or instantaneous communication).

(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or its utility or affects it injuriously by any means;¹

It is important to note that section 43(i) has been incorporated by Information Technology (Amendment) Act, 2008; however, before the amendment various acts as mentioned under section 43(i) were covered under Chapter Cyber Offences under section 66² i.e. Hacking with computer system. However, under section 66 mens rea (with the intent to cause or knowing that he is likely to cause wrongful loss or damage to public or any person) was an essential requisite.

Example: Mr. A by any means alters any figure given in Mr. B's computer thereby diminishing the value of that data. Mr. A is liable under Section 43(i).
(j) steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage;

It is important to note that Section 43(j) is incorporated by Information Technology (Amendment) Act, 2008. The main objective of Section 43(j) is to protect computer source code residing in a computer. However, under Explanation V to Section 43, computer source code means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form. Therefore, if an of any computer, destroys or alters such then he shall be liable under Section 43(j).

Example: Mr. A steals computer source code used for Mr. B's computer.

1 Inserted by Information Technology (Amendment) Act, 2008.
2 Hacking with computer system [earlier Section 66 of Information Technology Act, 2000]: "Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack".
3 Ibid.

It is significant to note that before Information Technology (Amendment) Act, 2008 maximum compensation under Section 43 was ₹1 crore. However, this limit has been abolished by this amendment Act. Therefore, now the adjudicating officer has discretion to decide the amount of compensation under Section 43. But such discretion must be used judiciously.

16.5.1.b Compensation for failure to protect sensitive personal data [Section 43A]¹

- Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person;
- then such body corporate shall be liable to pay damages by way of compensation to the person so affected.

➢ Body corporate [Explanation i to Section 43A]: It means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.

Duties of Body Corporate: The body corporate has following duties:
1. To provide policy for privacy and disclosure of information
2. To collect information
3. Prior permission before disclosure of information
4. Transfer of information

1. To provide policy for privacy and disclosure of information [Rule 4 of The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011]:

(1) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, must provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy must be published on website of body corporate or any person on its behalf and must provide for:
(i) clear and easily accessible statements of its practices and policies;
(ii) type of personal or sensitive personal data or information collected;
(iii) purpose of collection and usage of such information;
(iv) disclosure of information including sensitive personal data or information;
(v) reasonable security practices and procedures.

1 Inserted by Information Technology (Amendment) Act, 2008.
2 Came into force on 13.04.2011.

2. To collect information [Rule 5 of The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011]:¹

1 Came into force on 13.04.2011.

(a) Body corporate or any person on its behalf must obtain consent in writing through letter or Fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.
(b) Body corporate or any person on its behalf must not collect sensitive personal data or information unless:
(i) the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and
(ii) the collection of the sensitive personal data or information is considered necessary for that purpose.
(c) While collecting information directly from the person concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of:
(a) the fact that the information is being collected;
(b) the purpose for which the information is being collected;
(c) the intended recipients of the information; and
(d) the name and address of:
(i) the agency that is collecting the information; and
(ii) the agency that will retain the information.
(d) Body corporate or any person on its behalf holding sensitive personal data or information must not retain that information for longer than is
required for the purposes for which the information may be used or is otherwise required under any other law for the time being in force.
(e) The information collected must be used for the purpose for which it has been collected.
(f) Body corporate or any person on its behalf must permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient must be corrected or amended as feasible. However, a body corporate must not be responsible for the authenticity of the personal information or sensitive personal data or information supplied by the provider of information to such body corporate or any other person acting on behalf of such body corporate.
(g) Body corporate or any person on its behalf must, prior to the collection of information including sensitive personal data or information, provide an option to the provider of the information not to provide the data or information sought to be collected. The provider of information must, at any time while availing the services or otherwise, also have an option to withdraw its consent given earlier to the body corporate. Such withdrawal of the consent must be sent in writing to the body corporate. In the case of provider of information not providing or later withdrawing his consent, the body corporate must have the option not to provide goods or services for which the said information was sought.
(h) Body corporate or any person on its behalf must keep the information secure as provided in rule 8.
(i) Body corporate must address any discrepancies and grievances of their provider of the information with respect to processing of information in website. The Grievance Officer must redress the grievances of provider of information expeditiously but within one month from the date of receipt of grievance.

3. Prior permission before disclosure of information [The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011]:¹

(a) Disclosure of sensitive personal data or information by body corporate to any third party must require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation. Further, the information must be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Government agency must send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information. The Government agency must also state that the information so obtained must not be published or shared with any other person.
(b) Any sensitive personal data or information must be disclosed to any third party by an order under the law for the time being in force.
(c) The body corporate or any person on its behalf must not publish the sensitive personal data or information.
(d) The third party receiving the sensitive personal data or information from body corporate or any person on its behalf, must not disclose it further.

1 Came into force on 13.04.2011.

4. Transfer of information [Rule 7 of The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011]:¹
A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the transferor body corporate. However, the transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.

➢ Reasonable security practices and procedures [Explanation ii to Section 43A]: It means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

However, Rule 8 of The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 further provides that:²

1 Came into force on 13.04.2011.
2 Came into force on 13.04.2011.

(a) A body corporate or a person on its behalf must be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with nature of business.
In the event of an information security breach, body corporate or a person on its behalf must be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.
(b) The international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard.
(c) Any industry association or an entity formed by such an association, whose members are self-regulating by following other IS/ISO/IEC codes of best practices for data protection must get its codes of best practices duly approved and notified by the Central Government for effective implementation.
(d) The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified must be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of practices have been certified or audited on a regular basis by entities through independent auditor duly approved by the Central Government. The audit of reasonable security practices and procedures must be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertake significant upgradation of its process and computer resource.

➢ Sensitive personal data or information [Explanation iii to Section 43A]: It means such personal information as may be prescribed by the Central Government in consultation with professional bodies or associations as it may deem fit.

According to Rule 3 of The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, sensitive personal data or information of a person means such personal information which consists of information relating to:
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

However, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force must not be regarded as sensitive personal data or information for the purposes of these rules.

It is important to note that the main object of section 43A is that any body corporate handling personal data and information must use reasonable security practice and procedure so as to prevent any wrongful losses or wrongful gains to any person. However, where such body corporate fails to do so and thus causes wrongful losses or wrongful gains to any person, it must be liable to pay damages by way of compensation to the affected person. Further, no limit of compensation is mentioned under this Section, thus leaving the adjudicating officer to exercise his discretion in deciding the amount of compensation. However, this discretion must be exercised judiciously.

Unclear Enforcement of 43A and associated rules

The "Fifty Second Report on Cyber Crime, Cyber Security, and Right to Privacy"¹ issued by the 2013-2014 Standing Committee on Information Technology on February 12th 2014 pointed out that there is no publicly available information regarding audits ensuring compliance with 43A or information about the number of companies that have been found to be compliant.
The Centre for Internet and Society recommended to encourage that this information be made public, and compliance with 43A be enforced at the organizational level.

1 ...ndia.org/internet-governance/blog/cis-welcomes-fifty-second-report-on-cyber...ccurity-right-to-privacy, accessed on 05.07.2014.

16.5.1.c Penalty for failure to furnish information, return, etc. [Section 44]

If any person who is required under this Act or any rules or regulations made thereunder to:
(a) furnish any document, return or report to the Controller or the Certifying Authority fails to furnish the same, he must be liable to pay a penalty not exceeding one lakh and fifty thousand rupees (₹1.5 lakhs) for each such failure;
(b) file any return or furnish any information, books or other documents within the time specified thereunder in the regulations fails to file return or furnish the same within the time specified thereunder in the regulations, he must be liable to a penalty not exceeding five thousand rupees (₹5,000) for every day during which such failure continues;
(c) maintain books of account or records, fails to maintain the same, he must be liable to a penalty not exceeding ten thousand rupees (₹10,000) for every day during which the failure continues.

to furnish any document, return or report either to the Controller of Certifying Authorities (CCAs) or to Certifying Authority (CA). And such person can be subscriber, CA, Auditor or person incharge of any computer resource which can be either any company or association or individual or body of individual whether incorporated or not or local authority, government organization or any

44(b) is applicable

Example: Mr. A (CA) is required to file return on or before due date, fails to do so must be liable to pay a penalty of ₹5,000 for each day of default.

It is significant to note that under Section 44 maximum amount of penalty is mentioned which can either be ₹1.5 lakh or ₹5,000 or ₹10,000 for different failures. Therefore it avoids the discretion of adjudicating officer in fixing the limit of penalty.

16.5.1.d Residuary penalty [Section 45]

- Whoever contravenes any rules or regulations made under this Act, for the contravention of which no penalty has been separately provided;
- then must be liable to pay a compensation not exceeding twenty-five thousand rupees (₹25,000) to the person affected by such contravention or a penalty not exceeding twenty-five thousand rupees (₹25,000).

Section 45 provides residuary penalty i.e. penalty for violating the provisions of any rules or regulations made under Information Technology Act, 2000, which is not covered anywhere in this Act. Therefore, where contravention is not covered either under Section 43, 43A or 44 then residuary penalty of maximum ₹25,000 must be levied.

Section 43: Where any person without the permission of owner or person in charge of a computer, computer system, or computer network;

| Section | Cyber Contravention | Penalty |
| (a) | accesses or secures access to such computer, computer system or computer network or computer resource; | No maximum limit is fixed. |
| (b) | downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network; or information or data held or stored in any removable storage medium; | No maximum limit is fixed. |
| (c) | introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network; | No maximum limit is fixed. |
| (d) | damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any program residing in such computer, computer system or computer network. | No maximum limit is fixed. |
| (e) | disrupts or causes disruption of any computer, computer system or computer network; | No maximum limit is fixed. |
| (f) | denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means; | No maximum limit is fixed. |
| (g) | provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder; | No maximum limit is fixed. |
| (h) | charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network; | No maximum limit is fixed. |
| (i) | destroys, deletes or alters any information residing in a computer resource or diminishes its value or its utility or affects it injuriously by any means; | No maximum limit is fixed. |
