Cyber crime is defined as "an unlawful act where information in a computer is used either as a tool, as a target or both". To tackle the growing menace of online crime, the IT Act of 2000 was framed. It was greeted with much fanfare. Upon closer inspection, though, many chinks in its armour have shown up. For example, do you know that you could face imprisonment just for sitting in front of a computer terminal, even if it's off? Far-fetched as that may sound, the current laws can actually be interpreted in a manner so as to make such silly-sounding scenarios a reality. The fact remains that in India, your online safety is not guaranteed, especially if you are the victim.
There are some steps that have been taken of late, though, that may just make it a little safer to stay online. The Mumbai Police recently set up a Cyber Crime lab in association with NASSCOM, and there is also the Bangalore Cyber Crime Police Station, which is actively tackling the growing problem of online crime. However, issues with jurisdiction may just limit the reach and effectiveness of both. The Bangalore Cyber Crime Police Station, for instance, has "the whole state of Karnataka" as its jurisdiction for "offences committed under the Information Technology Act of 2000". Now, with that itself being flawed, the rest of the setup, too, becomes questionable.
Anatomy Of A Cyber Crime?
Of all the cyber crimes committed, hacking and virus-writing are the most common. Businesses in particular are most likely to be victims of these, as compared to any other Internet-related offences.
Establishing a definition of a cyber crime itself can be a task. The Cambridge dictionary defines cyber crimes as crimes committed with the use of computers or relating to computers, especially through the Internet. Universally, cyber crime is understood as an unlawful act wherein a computer is either a tool or a target or both.
According to noted lawyer Pavan Duggal, "The three broad categories of cyber crimes include cyber crimes against persons, property, and nations. Some cyber crimes have been covered under the Indian Cyber Law, namely the Information Technology Act, 2000. These are covered in a detailed chapter, Chapter XI of the IT Act, 2000."
In the IT Act 2000, though, there are provisions to register a complaint if you have been a victim of a cyber crime. To be able to do that, you need to furnish some data. Here's a list:
- Server logs
- Copy(ies) of defaced Web page(s) in soft copy form as well as hard copy format, if your Web site has been defaced
- If data has been compromised on your server, computer, or any other network equipment, soft copy(ies) of original data and soft copy(ies) of compromised data
- Access control mechanism details, i.e., who had what kind of access to the compromised system
- A list of suspects
- All relevant information that might lead to answers to the following questions:
  - What? (What has been compromised?)
  - Who? (Who might have committed the crime?)
  - When? (When was the crime committed?)
  - Why? (Why might the crime have been committed?)
  - Where? (Where is the impact of the attack? This identifies the target system on a network.)
  - How many? (How many systems have been compromised by the attack?)
This is what is required in the case of a large-scale attack. But if you are an individual and your home computer has been compromised, here's what you'll need to bring along as proof:
- Extended headers of offending e-mail(s)
- Soft copy(ies) as well as hard copy(ies) of offending e-mail
- Do not delete the offending e-mail(s) from your inbox
- Save a copy of the offending e-mail(s) on your computer's hard disk
However, he also agrees that the laws are dated. "With the passing of time, new kinds of cyber crimes are emerging, and there is an urgent need to constantly update the laws so they remain effective," he says.
"Indian cyberlaw is wanting and is defective"
The noted cyber crime lawyer suggests some radical changes to the IT Act, 2000
Which is the best-equipped agency to tackle cyber crime in the world, and which is the best in India?
The best equipped agency to tackle cyber crime in the world is the Federal Bureau of Investigation. It has a distinct division on cyber crime. As far as the best equipped agency in India is concerned, the honours will have to be shared by the Central Bureau of Investigation and some State cyber crime cells, such as the Mumbai Cyber Crime Cell.
Do you think Indian agencies are equipped, in terms of knowledge and infrastructure, to tackle cyber crime?
I think that Indian agencies are well equipped with knowledge, in some pockets, to tackle cyber crime. However, we need to update this pool of knowledge by constant training and orientation. We also need to ensure that we develop a detailed infrastructure for tackling cyber crime in the country. Today's cyber crime regulation is often seen as a peripheral activity to main policing activities. Consequently, we find that not much investment has gone into developing the infrastructure for tackling cyber crimes. We need to provide for distinct cyber crime police stations in cities.
Which is the most widespread cyber crime in India?
The most widespread cyber crime in India is, of course, publishing and transmission of obscene electronic information. This is a cyber crime punishable under Section 67 of the Information Technology Act, 2000. The second-most prominent cyber crime in India is hacking. This offence is punishable under Section 66 of the Information Technology Act, 2000.
What are the various laws, if any, that explicitly protect the aggrieved party in a cyber crime?
In India, the only relevant law that protects an aggrieved party against cyber crime is the Indian Information Technology Act, 2000. This law has a detailed chapter, Chapter XI, entitled 'Offences', which details various kinds of offences under Indian cyber law. The major categories of offences covered under the said law include damage to computer source code, hacking, publishing obscene electronic information, breach of confidentiality and privacy, breach of protected systems and publishing Digital Signature Certificates false in certain particulars, or for fraudulent purposes. These offences are punishable with imprisonment ranging from three years to 10 years, and with a fine ranging from Rs 1 lakh to Rs 2 lakh.
In addition, the IT Act of 2000 has also amended the Indian Penal Code of 1860. However, the only material amendment that has been made is that the word "document" has been substituted with the phrase "document or electronic record". In addition, there is a new offence, creating a false electronic record, defined under the Indian Penal Code.
What amendments are needed to current cyber laws to help prevent crimes and prevent perpetrators escaping through loopholes?
If one looks at the preamble of the IT Act of 2000, one realises that to regulate cyber crime is not at all one of the stated objects of Indian cyber law. It is right to say that Indian cyber law only has three objectives: firstly, to provide legal recognition to transactions carried out by electronic means of communication, commonly referred to as e-commerce, involving the use of alternatives to paper-based methods of communication and storage of information; secondly, to facilitate electronic filing of documents with government agencies; and thirdly, to amend four different laws of the country, namely, the Indian Penal Code, the Indian Evidence Act, the Bankers' Books Evidence Act and the Reserve Bank of India Act.
Indian cyber law is wanting and defective inasmuch as it does not cover all the existing and emerging cyber crimes. A large number of cyber crimes that are today not covered under Indian cyber law include cyber stalking, cyber harassment, cyber nuisance, cyber defamation and so on. Even cyber terrorism is an offence not totally covered under the IT Act of 2000.
Practical experience after the coming into effect of the Indian cyber law has shown that registration of a cyber crime case requires a lot of time, effort and energy on behalf of the complainant: he needs to constantly pursue, educate and lead the law enforcement agencies into registering the case. I think amendments need to be made to Indian cyber law to provide far more effective legal remedies.
In addition, I am of the strong opinion that the quantum of punishment to be accorded for cyber crimes needs to be enhanced. Today, hacking is only punishable with three years of imprisonment. Therefore, for example, I can technically hack into the systems of one of the most prominent banks, steal information worth crores of rupees, and only be punished with three years of imprisonment and a fine of Rs 2 lakh. In order for punishment to have a deterrent effect, the quantum of punishment needs to be higher.
What has been the most serious cyber crime in India till date?
The most serious cyber crime in India till date has been one involving Dr L Prakash, one of the senior-most orthopaedic surgeons in the country, based in Chennai. Dr Prakash was arrested for taking his patients and clients to his coast house and then forcing them to strip, recording and photographing them in a pornographic, sexually explicit way. This case was registered under Section 67 of the Information Technology Act, 2000, and involved the wives of top-ranking officials and other people. This case merits attention because it is the first and only case of cyber crime conviction in the country.
Are corporates in India prepared to fight cyber crimes against them, economic or otherwise?
In our country, any cyber crime registration receives extensive press coverage, and a lot of the time, companies do not really want to register cyber crimes for fear of undue publicity, or of losing potential business. However, we do have some instances where companies have effectively prosecuted the offenders in cyber crime cases. Ultimately, it is a decision that needs to be taken by the management of the company.
Can ethical hacking be a tool against cyber crime? Can Indian laws interpret it to benefit individuals and organisations?
Ethical hacking can be a tool against cyber crime. Ethical hackers basically try to find security loopholes in computer systems and advise the owners of such systems about the need for patching such loopholes.
In our country, it was thought that ethical hacking is a crime, and as such was not allowed. But if you peruse Section 60 of the IT Act of 2000, you'll realise that the law has made a distinction between hacking and ethical hacking. When dealing with hacking, the law states that the act must be done with the knowledge that it is likely to cause wrongful loss or damage to someone.
However, when one engages in ethical hacking, there is no question of causing wrongful loss to the owner or person in charge of a computer, computer system or computer network, since this is done with implicit consent.
Does the average Indian Internet/computer user know when he is committing a cyber crime or when one is committed against him?
Unfortunately, the average Indian Internet or computer user invariably does not know when he or she is committing a cyber crime. Similarly, he or she also does not know when one is being committed against him. There is an extremely low level of awareness concerning cyber crimes amongst normal Internet users. Even experienced Netizens are normally wary of the IT Act of 2000. People invariably believe that Indian cyber law is a very complex piece of legislation, and that their interests would be best met if they kept away from it.
What plagues the Indian justice system when it comes to tackling cyber crimes?
There's a need to do a lot of activities as far as orienting law enforcement agencies and the judiciary of the country is concerned. The judicial system deals with all kinds of offences in the actual world. However, cyber law being a relatively new law and a special legislation, there's a need for special training and treatment concerning the same. There's a need to constantly educate and orient the judicial system to ensure they are appropriately equipped to deal with cyber crime cases. Right now, very few cyber crime cases eventually land up in court. However, I believe that with each passing month, the number of cyber crime cases in India will increase.
It therefore becomes absolutely imperative that the judges concerned be fully acquainted with the nuances of cyber crime trial and prosecution, and how to deal with various technicalities such as appreciation of electronic evidence, electronic records, as also data or information in electronic form.
Some Recent Incidents In India.
More info on cyber crime is available at: http://www.cyberpolicebangalore.nic.in/
Cyber Crime And The Police
The crimes mentioned above are enough to put you off logging on ever again. But wait. Our Police are gearing up and getting their act together. "Although absent initially, law enforcement agencies in India today are taking a lot of initiative to make themselves aware about cyber crimes, their investigation and prevention," assures Debasis Nayak, director, Asian School of Cyber Laws, Pune.
He adds that active steps to remedy the situation are being taken. "The police departments of most states are in the process of establishing specialised cyber crime cells to tackle this. States such as Maharashtra, Goa, Karnataka and Delhi have already established cyber crime cells," says Nayak.
And this is not untrue. The Police have even gone so far as to employ the services of young geniuses, as young as 17 years old, to educate their force about the world of cyber crime, and how to track and tackle it. Recent initiatives are indeed a heartening sight, and a welcome change in the attitude of the Police.
This, however, is not enough. There are a lot of policemen in the country, and while it may not be possible to train them all, a larger section needs to be educated, given the constantly changing nature of cyber crime. Warns Duggal, "The National Police Academy, Hyderabad, is doing some work in this regard, conducting courses on cyber crime. But given the number of police officers in the country, the training efforts can only reach a certain number, and not the entire force. There is an urgent need to ensure that the government sets up/allocates a separate budget for training officials and police officers in various aspects relating to cyber crime investigation, prosecution and registration."
Word Of The Law
Now that it has been widely accepted that the IT Act of 2000 is inadequate in protecting an aggrieved party (individual or corporate), what are the changes that can be brought about?
"I'm of the firm opinion that the Indian IT Act, 2000 needs to have drastic amendments incorporated in order to be in sync with the changing needs of the times. It is important to remember that the IT Act, 2000 was a law that was basically meant for promoting e-commerce. It was passed in 2000 and came into effect on 17 October, 2000. It is an accident of history that a chapter on cyber crime entitled 'offences' got included in the legislation", laments Duggal.
He goes on to suggest changes in the form of a separate cyber law. "I believe that India needs a distinct and separate law on cyber crimes. This should be a special law that would supplement the Information Technology Act of 2000 and the Indian Penal Code as amended. This is because cyber crime is a distinct subject and would require distinct treatment, per se, from law enforcement agencies. Further, amendments should be made to ensure that people are able to effectively register their complaints as cases with the Police."
Duggal goes on to add: "There is only limited coverage of cyber crimes under the Indian IT Act, 2000 as also under the Indian Penal Code. Consequently, we are now beginning to see a number of situations where people are committing cyber crimes with impunity because there is no legal provision under which to book them. It's here that there is an urgent need for India to enact a distinct cyber crime law. This law would need to be supplemental in nature to the Indian Penal Code as also to the Information Technology Act, 2000."
Going one step further, Duggal also advocates the need to include various techniques relating to cyber forensics and cyber crime investigation, prosecution, and trial. "These need to be properly and appropriately imparted to law enforcement agencies in the country. In our country, where a posting to cyber crime cell is invariably perceived as a punishment posting, a lot of effort needs to be taken towards eradicating the current mindset to the entire issue of cyber crime registration, investigation and prosecution."
These are strong suggestions that indeed need to be considered, but only time will tell what happens.