CYBER CRIMES IN INDIA R. Muralidharan muralimanu@gmail.com 1 ROADMAP • • • • • • • • • • • • INTRODUCTION COVENTIONAL VS. CYBER CRIME JURISDICTION REASONS, MODES , CLASSIFICATION AND HAZARDS PORNOGRAPHY LAWS IN INDIA ADJUDICATION, PENALTIES AND COMPENSATION UNDER IPC CASE LAWS LATEST DEVELOPMENT RECOMMENDATIONS CONCLUSION 2 CYBER CRIMES 3 INTRODUCTION contd… Genesis • Back in 1990 less than 100,000 people logged on to the net worldwide, now it has crossed 500 million. Crime is no longer limited to space, time or a group of people. • Criminals often used unauthorized access to subvert security systems as they modified data for financial gain or destroyed data out of vendetta. • As telecommunication spread, programmers started writing malicious software, including self-replicating programs, to interfere with sensitive and confidential data stored on personal computers. • The genesis of every cyber crime is available in the general criminal law of that country i.e. in The IPC, 4 1860 in case of India. INTRODUCTION contd… Definitions • The term ‘cyber crime’ is a misnomer. This term has nowhere been defined in any statute /Act passed or enacted by the Indian Parliament. • Generically Cybercrimes are unlawful acts wherein the computer is either a tool or a target or both. • Cybercrime transgresses national boundaries so perhaps international organizations should be looked at for providing a standard definition of cybercrime which is otherwise difficult. 5 INTRODUCTION contd… Definitions • Definition by The United Nations Cybercrime in narrow sense (computer crime): Any illegal behavior directed by means of electronic operations that targets the security of computer systems and the data processed by them. Cybercrime in a broader sense (computer-related crime): Any illegal behavior committed by means of, or in relation to, a computer system or network, including such crimes as illegal possession [and] offering or distributing information by means of a computer system or network. 6 CONVENTIONAL CRIME VS. CYBER CRIME contd… • Both include conduct whether act or omission, which cause breach of rules of law and counterbalanced by the sanction of the state. • Cyber crime may be said to be those species, of which, genus is the conventional crime. • The demarcation lies in the involvement of the virtual cyber medium which is sine qua non in cases of cyber crime. • Criminal law of the country has to be overhauled to tackle Cybercrime. 7 CONVENTIONAL CRIME VS. CYBER CRIME contd... • The advent of cyber crime has exploded many of the prevailing hypotheses in criminal law. Some of them are enumerated as under: The offender is normally an illiterate without skills, who depends more on the body than the brains, often wielding weapons. The criminal has a motive for the crime and often leaves a lot of evidence which would make crime detection possible for a trained investigator. 8 CONVENTIONAL CRIME VS. CYBER CRIME contd… As for the victims, most are men, who traditionally are the persons controlling the property or exercising power. The victims of the offences are clearly identifiable. In terms of damage, damage to the victim is localized and can easily be quantified and compensated. Cyber crimes have proved all the above hypotheses wrong. 9 Jurisdiction • • • • Active Nationality Principle Passive Nationality Principle Territoriality Principle Sovereign Integrity Principle 10 Jurisdiction • COMPUSERVE Inc. Vs Patterson (1996) • Facts: Patterson from Texas entered in to an agreement with COMPUSERVE that permitted the use of the services of COMPUSERVE in the making and selling of an internet navigation product. When COMPUSERVE later marketed its own internet navigation software, IP dispute arouse and the COMPUSERVE filed a declaratory suit to clear its name as a possible infringer. 11 Jurisdiction • There was a question regarding the jurisdiction • Patterson had an electronic contract with COMPUSERVE which was governed by Ohio laws. • He had also sent email to COMPUSERVE from Ohio. The court in Ohio therefore assumed jurisdiction on the ground of doctrine of minimum contacts 12 Lotus Case • There was a collision in international waters in which a French ship and a Turkish ship was involved. • Turkey arrested the French ship Captain and sought to prosecute him • French government contended that since the collision occurred in International waters, the “Flag State” alone could exercise jurisdiction and that the Turks must hand them over 13 Lotus Case • The PCIJ rejected the French contention. • In the past the Flag State had normally exercised jurisdiction. The convenience of the state, as manifested in the uniform state practice over 300 years cannot take away the right of a victim state to exercise jurisdiction as and when the State feels that its interest is affected. • The Court held that there cannot be any such adverse presumptions on sovereignty. 14 BENSUSAN VS KING(1996) • The Doctrine of minimum contacts cannot be stretched too far. • If the contact is of de minimus non curat lex, the Court would not exercise jurisdiction over a dispute without considering the nature of nexus between the situs and the forum. 15 BENSUSAN VS KING(1996) • Facts: King posted a “Site” in the World Wide Web to promote his club. The website was located on a computer server at Missouri and contained an advertisement logo that was allegedly substantially similar to the logo used by Bensusan. King moved the court to dismiss the case for the lack of jurisdiction • The Court decided that the facts did not merit the assumption of personal jurisdiction to decide the case. 16 REASONS FOR CYBER CRIMES • The reasons for the vulnerability of computers may be said to be: Capacity to store data in comparatively small space Easy to access Complex Negligence Loss of evidence 17 MODE OF COMMITTING CYBER CRIME • • • • • • • • • • • Hacking Theft of information contained in electronic form Email bombing: Data diddling Salami attacks Denial of Service ( DOS)attack Virus / worm attacks Logic bombs Trojan attacks Internet time thefts Web jacking 18 CLASSIFICATION OF CYBER CRIMES • Cyber Crimes against Persons: Harassment via E-Mails, Facebook, Twitter Cyber-Stalking Dissemination of Obscene Material Defamation Hacking Cracking E-Mail Spoofing SMS Spoofing 19 CLASSIFICATION OF CYBER CRIMES Carding Cheating & Fraud Child Pornography Assault by Threat 20 CLASSIFICATION OF CYBER CRIMES • Crimes Against Person’s Property: Intellectual Property Crimes Cyber Squatting Cyber Vandalism Hacking Computer System Transmitting Virus Cyber Trespass Internet Time Thefts 21 CLASSIFICATION OF CYBER CRIMES • Cybercrimes Against Government: Cyber Terrorism Cyber Warfare Distribution of pirated software Possession of Unauthorized Information 22 CLASSIFICATION OF CYBER CRIMES contd.. • Cybercrimes Against society at large: Child Pornography Cyber Trafficking Online Gambling Financial Crimes Forgery 23 CYBER CRIME RELATED PROFESSIONALS • IT or Tech Professionals : Network Engineers, Cyber Security Software Professionals, Cyber Forensic Experts, IT Governance Professionals, Certified Internet Security Auditors, Ethical Hackers etc. • Cyber Law Experts: They handle - Patent and Patent Infringements or other Business Cyber crimes, Cyber Security for Identity thefts and Credit Cards and other Financial transactions, General Cyber Law. • Cyber Law Implementation Professionals: EGovernance agencies, law and enforcement agencies, cybercrime research cells and cyber forensic labs. 24 CYBER CRIMES HAZARDS: INSTANCES contd.. • 20% - 30% of Internet pornography consumption is by children of ages 12 - 17. • MySpace is being used by predators to meet and entice kids online. • Specific marketing strategies are being used to attract children to porn sites. 25 CYBER CRIMES HAZARDS: INSTANCES contd.. • After Pokhran II test on May 11 – May 13, 1998, a group of hackers called ’Milworm’ broke into Bhabha Atomic Research Centre (BARC) site and posted anti Indian and antinuclear messages. • In 1999, website of Indian Science Congress Association was defaced and the hacker posted provocative comments about Kashmir. 26 Pornography • In India, watching or possessing pornographic materials is legal. Distribution is illegal • Prior to ITA, this was guided by Section 292 IPC. Now its also under Section 67 ITA. Section 67B ITA, deals with child pornography. Section 292 prohibits: – Selling, renting, distributing, exhibiting or circulating – importing, exporting or conveying – Advertising or offering or attempting to do any act which is an offence 27 Pornography • 67. Publishing of information which is obscene in electronic form. • Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons, shall be punished • Punishment: – 1st conviction: imprisonment to the extend of five years and with fine which may extend to 1 lakh Rs. – 2nd conviction: imprisonment to the extend of ten years and also with fine which may extend to 2 lakh Rs. 28 Pornography • In The People v James D Kent, 2012, the New York court of Appeal ruled that “streaming” child pornography online is not the same as possessing it. Hence, he was released from conviction. This is in effect saying that watching child pornography online is not an offence. In India, following is prohibited with regard to porography: – Circulation: passing of something, such as money or news, from place to place or person to person. – Transmission: act or process of sending a message, picture, or other information from one location to one or more other locations by means of radio waves, electric signals, light signals etc. – Transfer: to make over the possession or legal title of. 29 LAWS FOR COMBATING CYBER CRIMES IN INDIA • "INFORMATION TECHNOLOGY ACT, 2000" [ITA- 2000]- Enacted by the Indian parliament protect the field of e-commerce, e-governance, e-banking, to facilitate filing of electronic records with the Government as well as penalties and punishments in the field of cyber crimes. • "INFORMATIONTECHNOLOGY(AMENDME NT) ACT, 2008"[ITAA- 2008]-Act punishes various cyber crimes including cyber terrorism, increases the scope and applicability of ITA-2000 by incorporating changes like increasing the scope of “ communication devices”, replacing section 43 with section 66, naming “hacking” as “data theft”, making “digital signatures” valid etc. 30 LAWS FOR COMBATING CYBER CRIMES contd… The Indian Penal Code 1860 The Indian Evidence Act 1872 The Banker’s Book Evidence Act 1891 The Reserve Bank of India Act 1934 Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 • Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009 • • • • • 31 LAWS FOR COMBATTING CYBER CRIMES contd… • Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 • The Cyber Appellate Tribunal (Salary, Allowances and Other Terms and Conditions of Service of Chairperson and Members) Rules, 2009 • Cyber Appellate Tribunal (Procedure for Investigation of Misbehavior or Incapacity of Chairperson and Members) Rules, 2009 32 ITAA-2008 ACT: SPOTLIGHT • Eight new cyber offenses added viz: 1. Sending offensive messages through a computer or mobile phone (Section 66A)(Anti-Thackeray Facebook row and FIR against Taslima for Twitter comment) computer resource or 2. Receiving stolen communication device (Section 66B) 3. Punishment for identity theft (Section 66C) 4. Punishment for cheating by personation using computer resource (Section 66D) 5. Punishment for violating privacy or video voyeurism (Section 66E) 6. Cyber Terrorism (Section 66F) 7. Publishing or transmitting material in electronic form containing sexually explicit act (Section 67A) 33 ITAA-2008 ACT: SPOTLIGHT contd… • Section 43: Require corporates to maintain reasonable security practices, and procedures as to sensitive personal data or information. • Section 43A: A body corporate shall be liable to pay compensation if it is negligent in implementing “reasonable security precautions” with respect to “sensitive personal data”. The liability would arise if the negligence leads to a wrongful loss or wrongful gain to a person. • Section 69 & 69A : Empowers the state to issue directions for interception, monitoring, decryption of any information through any computer resource; and for blocking websites in the interest of national security, and friendly relations with foreign states. • Section 69B : Empowers the government to authorize to monitor, collect traffic data or information through any computer resource for cyber security. 34 ITAA-2008 ACT: SPOTLIGHT contd… • Section 72A: A person including an intermediary is held liable if he discloses “personal information” which he accessed while providing services under a contract. The liability arises if the disclosure was made with an intention to cause or knowing that he is likely to cause wrongful loss or wrongful gain to a person. • Section 66E: Defends privacy and now one cannot publish or transmit nude photo of a person without his/her permission. • Section 77A: Compounding of offenses has been incorporated under this newly introduced section, but the second conviction is not compoundable and it also not compoundable where such offence affects the socio-economic conditions of the country or has been committed against a child below the age of 18 years or a woman. 35 ITAA-2008 ACT: SPOTLIGHT contd… • Offences made bailable, less stringent: Now most of the offences are considered “Cognizable” but “Bailable” and “Compoundable”. Now offences, punishable with imprisonment of more than three years are only non bailable. • Abetment of the offences under the act is also made punishable with the punishment provided for the offence committed in pursuance of such under IT AA, 2008. • The level of investigation has been brought down to the level of inspector from that of DSP. 36 ITAA-2008 ACT: SPOTLIGHT contd… • Offence of hacking only if with dishonest or fraudulent intention: Now, the hacking of computer is covered u/s 66 IT Act only if it is done dishonestly or fraudulently as defined under the IPC. If it is not done dishonestly or fraudulently, it would be covered under Section 43 which is civil in nature. Thus, the moment one commits hacking, he would be either criminally liable or face civil liability. 37 ADJUDICATION • Section 46 - Section 64 deals with adjudication. • The I.T. Secretary in any state is normally the nominated Adjudicator for all civil offences arising out of data thefts and resultant losses in the particular state. • There is an appellate procedure under this process and the composition of Cyber Appellate Tribunal at the national level, has also been described in the Act. • Every adjudicating officer has the powers of a civil court and the Cyber Appellate Tribunal has the powers vested in a civil court under the Code of Civil Procedure. 38 PENALTIES & COMPENASTION • Section 75 of the ITAA-2008 in accordance with the IPC makes the provisions of the Act applicable to any offense committed outside of India only if the act or conduct constituting offense located in India. • Tampering with Computer Source Documents (Section 65): Punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both. 39 PENALTIES & COMPENASTION contd… • Computer Related Offences (Section 66): If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both. • Punishment for cyber terrorism (Section 66F): Punishable with imprisonment which may extend to imprisonment for life. 40 PENALTIES & COMPENASTION • Punishment for publishing or transmitting obscene material in electronic form (Section 67): Imprisonment of either description for a term which may extend to three years and with fine which may extend to five lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees. 41 PENALTIES & COMPENASTION • Preservation and Retention of information by intermediaries (Section 67C): Punished with an imprisonment for a term which may extend to three years and shall also be liable to fine. • Section 43: It deals with the unauthorized access, unauthorized downloading, virus attacks or any contaminant, causes damage, disruption, denial of access, interference with the service availed by a person. This section provide for a fine up to Rs. 1 Crore by way of remedy. • Section 85: All persons responsible to the company for conduct of its business shall be held guilty in case offense was committed by a company unless no knowledge or due diligence to prevent the convention is proved. 42 CYBER OFFENSES UNDER IPC CYBER CRIME SECTION UNDER INDIAN PENAL CODE, 1860 (IPC) Sending threatening message by email S. 506 Sending defamatory message by email S.499 Sending a mail outraging the modesty S.509 Forgery of electronic records S.465 Bogus websites, cyber frauds, phishing S.420 Email spoofing S. 465, 419 Web-jacking S.383 Criminal breach of trust S.406,409 Obscenity S.292, 293, 294 Theft of Computer Hardware S.378, 379 43 CYBER OFFENSES UNDER IPC AND SPECIAL LAWS contd… • Piracy - Section 51, 63, 63B, Copyright Act • Obscenity - Indecent Representation of Women Act, 1986 • Online sale of Drugs – NDPS Act • Online sale of Arms – Arms Act These Acts have been changed to make them compatible with the Act of 2008. So that they may regulate and control the affairs of the cyber world in an effective manner. While framing charges the penal provisions are read with these special provisions. 44 CASE LAWS • Sony-sambandh.com case: India saw its first cybercrime conviction recently. It all began after a complaint was filed by Sony India Private Ltd, which runs a website called www.sony-sambandh.com, targeting Non Resident Indians. The website enables NRIs to send Sony products to their friends and relatives in India after they pay for it online. In May 2002, someone logged onto the website under the identity of Barbara Campa and ordered a Sony Colour Television set and a cordless head phone , credit card number was given and the address where the product was supposed to be delivered was furnished. The address was of Arif Azim, Noida. 45 CASE LAWS contd… The transaction closed at that, but after one and a half months the credit card agency informed the company that this was an unauthorized transaction as the real owner had denied having made the purchase. The company lodged a complaint for online cheating at the Central Bureau of Investigation which registered a case under Section 418, 419 and 420 of the Indian Penal Code. The matter was investigated into and Arif Azim was arrested. Investigations revealed thatArif Azim, while working at a call centre in Noida gained access to the credit card number of an American national which he misused on the company’s site. The case has shown that IPC can come in handy where ITA2000 did not cover certain categories of cyber crimes. 46 CASE LAWS contd… • Pune Citibank MphasiS Call Center Fraud: US $ 3,50,000 from accounts of four US customers were dishonestly transferred to bogus accounts. Some employees of the call center gained the confidence of the customer and obtained their PIN numbers to commit fraud. There was not as much of breach of security but of sourcing engineering. There is need for a strict background check of the call center executives. There is need for a national ID and a national data base where a name can be referred to. Customer education is very important so customers do not get taken for a ride. Most banks are guilt of not doing this. 47 CASE LAWS contd… • Pranav Mitra’s email spoofing fraud: Pranab Mitra, former executive of Gujarat Ambuja Cement posed as a woman, Rita Basu, and created a fake e-mail ID through which he contacted one V.R. Ninawe an Abu Dhabi businessman. Mitra sent an e-mail that ''she would commit suicide'' if Ninawe ended the relationship. He also gave him ''another friend Ruchira Sengupta's'' e-mail ID which was in fact his second bogus address. When Ninawe mailed at the other ID he was shocked to learn that Mitra had died and police is searching for Ninawe. Mitra extorted few lakhs Rupees as advocate fees etc. Mitra even sent e-mails as High court and police officials to extort more money. Ninawe finally came down to Mumbai to lodge a police case. 48 CASE LAWS contd… • Chhatrapati Shivaji defamation picture case: An Indian posts ‘insulting images’ of respected warrior-saint Shivaji on Google’s Orkut. Google, India handed over the IP address to the Indian police in compliance with Indian legal process. The computer with that IP address is using Airtel, India as the ISP to connect to the internet and Orkut. Airtel gives police the name of an innocent person using a different IP address. An innocent Indian, Lakshmana Kailash K, is arrested in Bangalore and thrown in jail for 3 weeks. Eventually, his innocence is proved and he is released in Oct, 2007. Airtel was asked to pay a monetary compensation of 2 lakhs by the Bombay High court (Aurangabad bench). 49 CASE LAWS contd… • Bazee.com case (Avnish Bajaj vs. State): CEO of Bazee.com was arrested in December 2004 because a CD containing MMS of a DPS, R.K. Puram girl was being sold and hosted on the website. This opened up the question as to what kind of distinction do we draw between Internet Service Provider and Content Provider. The burden rests on the accused that he was the Service Provider and not the Content Provider. It also raises a lot of issues regarding how the police should handle the cyber crime cases and a lot of education is required. CEO was held liable by the Delhi High Court under Section 67 read with Section 85 of the IT Act recognizing the concept of an automatic criminal liability attaching to the director where the company is an accused. 50 CASE LAWS contd… • State of Tamil Nadu Vs. Suhas Katti : The case related to posting of obscene, defamatory and annoying message about a divorcee woman in the yahoo message group. E-Mails were also forwarded to the victim for information by the accused through a false e-mail account opened by him in the name of the victim. The posting of the message resulted in annoying phone calls to the lady in the belief that she was soliciting. Charge Sheet was filed u/s 67 of IT Act 2000, 469 and 509 IPC Court relied upon the expert witnesses and other evidence produced before it, including the witnesses of the Cyber Cafe owners and came to the conclusion that the crime was conclusively proved. 51 CASE LAWS contd… • The Bank NSP Case: A management trainee of the bank was engaged to be married. The couple exchanged many emails using the company computers. After some time the two broke up and the girl created fraudulent email ids such as “indianbarassociations” and sent emails to the boy’s foreign clients. She used the bank’s computer to do this. The boy’s company lost a large number of clients and took the bank to court. The bank was held liable for the emails sent using the bank’s system. 52 CASE LAWS contd… • Parliament attack case: The laptop seized contained several evidences that confirmed of the two terrorists’ motives, namely the sticker of the Ministry of Home that they had made on the laptop and pasted on their ambassador car to gain entry into Parliament House and the fake ID card that one of the two terrorists was carrying with a Government of India emblem and seal. The emblems (of the three lions) were carefully scanned and the seal was also craftly made along with residential address of Jammu and Kashmir. But careful detection proved that it was all forged and made on the laptop. 53 CASE LAWS contd… • Andhra Pradesh Tax Case: The owner of a plastics firm was arrested and Rs 22 crore cash was recovered from his house by sleuths of the Vigilance Department. The accused person submitted 6,000 vouchers to prove the legitimacy of trade d but after careful scrutiny of vouchers and contents of his computers it revealed that all of them were made after the raids were conducted. It later revealed that the accused was running five businesses under the guise of one company and used fake and computerized vouchers to show sales records and save tax. 54 CASE LAWS contd… • Nasscom vs. Ajay Sood & Others: A landmark judgment by the Delhi High Court ‘phishing’ on the internet was declared to be an illegal act, entailing an injunction and recovery of damages. Court stated that phishing is a form of internet fraud where a person pretends to be a legitimate association, such as a bank or an insurance company in order to extract personal data from a customer such as access codes, passwords, etc. The Delhi HC stated that even though there is no specific legislation in India to penalize phishing still the court held the act of phishing as passing off and tarnishing the Nasscom’s image. 55 CYBER LAW TRENDS OF INDIA 2013 • The issues that may be challenging of various stakeholders in 2013 include legal issues of cyber security, privacy and data protection requirements, cloud computing security and privacy issues, e-surveillance and Internet, cyber due diligence requirements, social media due diligence, data privacy laws, online IP violations including copyright violations issues, etc. • Companies like Google, Yahoo, Microsoft, Facebook, etc are already facing criminal prosecution under the cyber law of India and other criminal laws. So serious is the situation that the executives of parent companies of these companies have been summoned to personally appear before Indian court. 56 CYBER LAW TRENDS OF INDIA 2013 contd… • New fields like e-legal due diligence and technological legal due diligence in India would also assume significance. • Online pharmacies websites of India has been brought under regulatory scanner and punishment may follow . • SEBI would get power to monitor investor’s call records and conduct Searches at companies suspected of wrongdoing. • Election commission of India would scrutinize social media platforms for model code of conduct violations. • Indian Supreme Court has issued notice to Maharashtra government and deity for framing cyber crimes investigation guidelines. 57 RECOMMENDATIONS FOR THE BETTERMENT OF ITAA-2008 • The statement of object and reasons must be stretched to cover crimes committed in the cyber space, and not limited to safeguard electronic commerce and related communications only. • Cyber terrorism must be broadly defined to include the usage of cyber space and cyber communication. • An altogether new chapter dedicated for cyber terrorism and extremist speeches in the main legislation should be introduced. • The act refers to on-line privacy in only two areas, namely in sections 43 & 72, which is not sufficient. • Provisions should be made for the Intellectual property regime, which is the backbone of any e- commerce transaction. • The Act is silent about the regulation of the payment gateways. • Other related Acts should be amended accordingly to safeguard against the atrocities of cyber crimes. 58 CONCLUSION • Information Technology Act, 2000, itself is a comprehensive legislation but it has had some inherent shortcomings. • The amended act is a welcoming attempt to fill gaps in old act in India, for instance, introducing legal recognition to electronic signatures, data protection obligations and mechanisms, provisions to combat emerging cyber security threats such as cyber terrorism, identity theft, spamming, video voyeurism, pornography on internet, and other crimes. It paved the way for removing the implementation of the IT Act by removing certain undesirable wordings in some sections. • It can be expected that the lacunae in ITAA-2008 may also be eliminated with the time as and when more problems will be encountered by the Judiciary. 59 CONCLUSION contd… • Successful criminal prosecution and civil litigation will require that members of the legal community familiarize themselves with the various hacking techniques to ensure that the perpetrators are tried and convicted under the relevant statutes. • It is impossible to create permanent solutions in the criminal legislation, and it can be maintained that the legislation will always be more or less behind the real development. In order to keep this gap as narrow as possible, close and continuous cooperation between the law enforcement and legislative authorities is required, as well as active following of the technical development. Also international cooperation is also very significant because of the transnational nature of the IT crimes. 60 THANK YOU 61