
Q 1.

Explain the following terms:

a. Cybercrime

b. Meanings of illegal

c. Degrees of unlawful access

d. APEC Framework Principles

e. SPAM mails

a) Cybercrime:

Cybercrime is any criminal activity that involves a computer, networked device or a network.
Semester 7 Digital Forensics (3170725)
While most cybercrimes are carried out in order to generate profit for the cybercriminals, some
cybercrimes are carried out against computers or devices directly to damage or disable them.
Others use computers or networks to spread malware, illegal information, images or other
materials. Some cybercrimes do both -- i.e., target computers to infect them with a computer
virus, which is then spread to other machines and, sometimes, entire networks.

A primary effect of cybercrime is financial. Cybercrime can include many different types of
profit-driven criminal activity, including ransomware attacks, email and internet fraud, and
identity fraud, as well as attempts to steal financial account, credit card or other payment card
information.

Cybercriminals may target an individual's private information or corporate data for theft and
resale. As many workers settle into remote work routines due to the pandemic, cybercrimes are
expected to grow in frequency in 2021, making it especially important to protect backup data.

b) Meanings of illegal

Meanings of illegal:

• prohibited by law; against the law; unlawful; illicit; also, not authorized or sanctioned, as
by rules.

• an alien who has entered a country illegally.


Digital Forensics (3170725) Assignment (Unit 5)

c) Degrees of unlawful access:

1) A person is guilty of unlawful access to a computer in the first degree when he or she, without
the effective consent of the owner, knowingly and willfully, directly or indirectly accesses,
causes to be accessed, or attempts to access any computer software, computer program, data,
computer, computer system, computer network, or any part thereof, for:

1. Devising or executing any scheme or artifice to defraud; or

2. Obtaining money, property, or services for themselves or another employing false or
fraudulent pretenses, representations, or promises.

2) Unlawful access to a computer in the first degree is a Class C felony.

d) APEC Framework Principles:

The "APEC Privacy Framework" promotes a flexible approach to information privacy protection
across APEC member economies, while avoiding the creation of unnecessary barriers to
information flows. The framework:

• Improves information sharing among government agencies and regulators;

• Facilitates the safe transfer of information between economies;

• Establishes a common set of privacy principles;

• Encourages the use of electronic data as a means to enhance and expand business; and

• Provides technical assistance to those economies that have yet to address privacy from a
regulatory or policy perspective.

The nine principles in the APEC Privacy Framework are preventing harm, notice, collection
limitations, uses of personal information, choice, integrity of personal information, security
safeguards, access and correction, accountability. Businesses have developed a code of conduct
based on these nine principles and will obtain third-party certification of their compliance. A
network of privacy enforcement authorities from participating APEC economies, such as the
FTC, will be able to take enforcement actions against companies that violate their commitments
under the code of conduct.


e) SPAM mails:

Spam email, AKA junk email, is an email sent without explicit consent from the recipient. Spam
emails usually try to sell questionable goods or are downright deceitful. This is the dark side of
email marketing. Since the 1990s, spam email has been becoming a more advanced phenomenon
in terms of its outreach and the technical solutions for bypassing restrictions.


Q 2. How does cybercrime differ from terrestrial crimes?

Simply put, cybercrime is a crime committed using the means of technology and the internet.

Although we talk about cybercrime as a separate entity from traditional crime, it is carried out by
the same types of criminals for the same type of reasons.

These hackers are professional thieves, criminal gangs, disgruntled employees, professional
competition, activists, disillusioned youth, and state adversaries. They have the same motivations
as traditional criminals such as boredom and vandalism, ideological or political support, malice or
revenge, monetary gain through extortion or sale of illegally obtained data, terrorism or notoriety,
and sensationalism.

The methods that cybercriminals use to gather data and perform an attack are comparable to
physical 'traditional' crimes. For example, let’s compare how a criminal gang might go about
breaking into a bank to steal money against how a cybercriminal gang might go about breaking
into a computer network to steal data.

The Scale: Attacks can be conducted on a scale not possible in the physical world. A traditional
bank robber may only be able to hit one or two banks a week, whereas a cyber attack can target
100s if not 1000s of sites at once.

The Reach: Attacks can be performed from anywhere in the world; they can be performed
anonymously and within jurisdictions where the consequences of those actions may not, or cannot,
be addressed by the criminal justice system. Attackers are also able to extract far more data
digitally than would ever be possible in the physical world. For example, 1 gigabyte of data is
approximately 4,500 paperback books. Think of how many gigabytes of data are held on a system;
hackers can extract this within a matter of minutes.


Q 3. Describe a summary of the Information Technology Act 2000 and its amendments.

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the
Indian Parliament (No 21 of 2000) notified on 17 October 2000. It is the primary law in India
dealing with cybercrime and electronic commerce.

Secondary or subordinate legislation to the IT Act includes the Intermediary Guidelines Rules
2011 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code)
Rules, 2021.

Summary

The original Act contained 94 sections, divided into 13 chapters and 4 schedules. The laws apply
to the whole of India. If a crime involves a computer or network located in India, persons of other
nationalities can also be indicted under the law.

The Act provides a legal framework for electronic governance by giving recognition to electronic
records and digital signatures. It also defines cyber crimes and prescribes penalties for them. The
Act directed the formation of a Controller of Certifying Authorities to regulate the issuance of
digital signatures. It also established a Cyber Appellate Tribunal to resolve disputes arising from
this new law. The Act also amended various sections of the Indian Penal Code, 1860, the Indian
Evidence Act, 1872, the Banker's Book Evidence Act, 1891, and the Reserve Bank of India Act,
1934 to make them compliant with new technologies.


Amendments

A major amendment was made in 2008. It introduced Section 66A which penalized sending
"offensive messages". It also introduced Section 69, which gave authorities the power of
"interception or monitoring or decryption of any information through any computer resource".
Additionally, it introduced provisions addressing pornography, child porn, cyber terrorism and
voyeurism. The amendment was passed on 22 December 2008 without any debate in Lok Sabha.
The next day it was passed by the Rajya Sabha. It was signed into law by President Pratibha Patil
on 5 February 2009.


Q 4. Discuss the new IT act 2021.

Key Features of the Rules

Social media intermediaries, with registered users in India above a notified threshold, have been
classified as significant social media intermediaries (SSMIs). SSMIs are required to observe
certain additional due diligence such as appointing certain personnel for compliance, enabling
identification of the first originator of the information on its platform under certain conditions,
and deploying technology-based measures on a best-effort basis to identify certain types of
content.

The Rules prescribe a framework for the regulation of content by online publishers of news and
current affairs content, and curated audio-visual content.

All intermediaries are required to provide a grievance redressal mechanism for resolving
complaints from users or victims. A three-tier grievance redressal mechanism with varying
levels of self-regulation has been prescribed for publishers.

Key Issues and Analysis

The Rules may be going beyond the powers delegated under the Act in certain cases, such as
where they provide for the regulation of significant social media intermediaries and online
publishers, and require certain intermediaries to identify the first originator of the information.

Grounds for restricting online content are overbroad and may affect freedom of speech.

There are no procedural safeguards for requests by law enforcement agencies for information
under the possession of intermediaries.

Requiring messaging services to enable the identification of the first originator of information on
its platform may adversely affect the privacy of individuals.

KEY FEATURES

Due diligence by intermediaries: Under the IT Act, an intermediary is not liable for the third-
party information that it holds or transmits. However, to claim such exemption, it must adhere to
the due diligence requirements under the IT Act and the Information Technology (Intermediary
Guidelines and Digital Media Ethics Code) Rules, 2021 (which replace the earlier 2011 Rules).
Under the 2011 Rules, the requirements included: (i) specifying, in service agreements, the
categories of content that users are not allowed to upload or share, (ii) taking down content
within 36 hours of receiving a court or government order, (iii) assisting law enforcement
agencies, (iv) retaining blocked content and associated records for 90 days, and (v) providing a
grievance redressal mechanism for users and affected persons, and designating a grievance
officer. The 2021 Rules retain these requirements, while: (i) modifying the categories of content
that users are not allowed to upload or share, and (ii) prescribing stricter timelines for the above
requirements.

Significant social media intermediaries: The 2021 Rules define social media intermediaries as
intermediaries which primarily or solely enable online interaction between two or more users.
Intermediaries with registered users above a notified threshold will be classified as significant
social media intermediaries (SSMIs). The additional due diligence to be observed by these
SSMIs include:

Personnel: An SSMI must appoint: (i) a chief compliance officer for ensuring compliance with
the Rules and the Act, (ii) a nodal person for coordination with law enforcement agencies, and
(iii) a grievance officer, all of whom should reside in India.

Identifying the first originator of information: An SSMI, which primarily provides messaging
services, must enable the identification of the first originator of information within India on its
platform. This may be required by an order of a Court or the competent authority under the IT
Act. Such orders will be issued on specified grounds including prevention, detection, and
investigation of certain offences such as those relating to national security, public order, and
sexual violence. Such orders will not be issued if the originator could be identified by less
intrusive means.

Technology-based measures: SSMIs will endeavour to deploy technology-based measures to
identify: (i) content depicting child sexual abuse and rape, or (ii) information that is identical to
the information previously blocked upon a court or government order. Such measures: (i) must
be proportionate to interests of free speech and privacy of users, and (ii) must have human
oversight and be reviewed periodically.

User-centric requirements: SSMIs must provide users with: (i) a voluntary identity verification
mechanism, (ii) a mechanism to check the status of grievances, (iii) an explanation if no action is
taken on a complaint, and (iv) a notice where the SSMI blocks the user’s content on its own
accord, with a dispute resolution mechanism.

Digital Media Publishers: The 2021 Rules prescribe certain requirements for online publishers
of: (i) news and current affairs content which include online papers, news portals, aggregators
and agencies; and (ii) curated audio-visual content, which is defined as a curated catalogue of
audio-visual content (excluding news and current affairs) which is owned by, licensed by, or
contracted to be transmitted by publishers and available on demand. The Rules institute a three-
tier structure for regulating these publishers: (i) self-regulation by publishers, (ii) self-regulation
by associations of publishers, and (iii) oversight by the central government.


Code of Ethics: For publishers of news and current affairs, the following existing codes will
apply: (i) norms of journalistic conduct formulated by the Press Council of India, and (ii)
programme code under the Cable Television Networks Regulation Act, 1995. For online
publishers of curated content, the Rules prescribe the code of ethics. This code requires the
publishers to: (i) classify content in specified age-appropriate categories, restrict access of age-
inappropriate content by children, and implement an age verification mechanism, (ii) exercise
due discretion in featuring content affecting the sovereignty and integrity of India, national
security, and likely to disturb public order, (iii) consider India’s multiple races and religions
before featuring their beliefs and practices, and (iv) make content more accessible to disabled
persons.

Grievance redressal: Any person aggrieved by the content of a publisher may file a complaint
with the publisher, who must address it within 15 days. If the person is not satisfied with the
resolution, or the complaint is not addressed within the specified time, the person may escalate
the complaint to the association of publishers, who must also address the complaint within 15
days. The complaint will be considered by an inter-departmental committee constituted by the
Ministry of Information and Broadcasting if: (i) escalated by the complainant or the association
under certain conditions, or (ii) referred by the Ministry itself.

Oversight by Ministry: The Ministry of Information and Broadcasting will: (i) publish a charter
for self-regulating bodies, including Codes of Practices, (ii) issue appropriate advisories and
orders to publishers; (iii) have powers to block content on an emergency basis (subject to review
by the inter-departmental committee). Any directions for blocking content will be reviewed by a
committee headed by the Cabinet Secretary.


Q 5. What are the reasons for enactment of cyber laws in India?

Cyberlaw in India is not a separate legal framework. It’s a combination of Contracts, Intellectual
property, Data protection, and privacy laws. With computers and the internet taking over every
aspect of our life, there was a need for strong cyber law. Cyber laws supervise the digital
circulation of information, software, information security, e-commerce, and monetary transactions.

The Information Technology Act, 2000 addresses the gamut of new-age crimes. Computer
technology, mobile devices, software, and the internet are both mediums and targets of such crimes.
All traditional criminal activities, such as theft, fraud, forgery, defamation, and mischief, are
part of cyberspace. These were addressed in the Indian Penal Code already.

Strong cyber law was needed to address:

1. Cyber Crimes

2. Electronic and Digital Signatures

3. Intellectual Property

4. Data Protection and Privacy


Q 6. Describe European data protection directives.

EU Data Protection Directive (also known as Directive 95/46/EC) is a regulation adopted by the
European Union to protect the privacy and protection of all personal data collected for or about
citizens of the EU, especially as it relates to processing, using or exchanging such data.

The EU Data Protection Directive is based on recommendations first proposed by the
Organization for Economic Co-operation and Development (OECD). These recommendations
are founded on seven principles:

1. Subjects whose data is being collected should be given notice of such collection.

2. Subjects whose personal data is being collected should be informed as to the party or
parties collecting such data.

3. Once collected, personal data should be kept safe and secure from potential abuse, theft,
or loss.

4. Personal data should not be disclosed or shared with third parties without consent from its
subject(s).

5. Subjects should be granted access to their data and allowed to correct any inaccuracies.

6. Data collected should be used only for the stated purpose(s) and for no other purposes.

7. Subjects should be able to hold personal data collectors accountable for adhering to all seven
of these principles.

The Data Protection Directive is superseded by the General Data Protection Regulation (GDPR),
which was adopted by the European Parliament and European Council in April 2016 and will
become enforceable in May 2018. The new regulation expands upon previous requirements for
collecting, storing, and sharing personal data and requires the subject's consent to be given
explicitly and not checked off by default.


Q 7. Discuss the Personal Data Protection Bill 2019.

In 2017, after the Right to Privacy was deemed a fundamental right, the Central government set
up the Justice BN Srikrishna Committee to assess personal data and its protection. The committee
prepared and presented its draft in 2018. Post that, based on the draft and after multiple
inter-ministerial consultations, the Personal Data Protection Bill was cleared by the Union Cabinet,
and it was tabled in Parliament on December 11, 2019.

The Bill, in its essence, aimed at protecting personal data of individuals and their Right to Privacy
by bringing in regulations to oversee the manner in which personal data is processed, as well as
for remedies or penalties for people who have been affected by data breaches, unlawful processing
of data, and so on.

What did the Bill propose?

The Bill proposed the creation of a Data Protection Authority, a government-established, singular
data protection body. This proposed authority would look into breaches of personal data, ensure
compliance of data fiduciary, and ensure compliance of such fiduciaries with the Bill.

According to the PDP Bill 2019, a data fiduciary is an entity or individual who decides the means
and purposes of processing personal data. It also contained provisions of appointing data protection
officers (DPO), who would be appointed by data fiduciaries, and would be responsible for adhering
to provisions of the Bill.


Overall, the Bill proposed restrictions on the use of personal data without consent of citizens. In
terms of processing of data, the Bill proposed a framework that would regulate cross-border
transfer of data, and accountability of data fiduciaries handling such data, among others.
