We are pleased to bring to you our next guest post co-authored by Ramit Rana and Aman Sagar. Ramit is the founding Partner at STEP NEXT LEGAL, New Delhi. He is a Practising Advocate at the Delhi High Court, and other lower Courts of Delhi with over five years of experience. He has industry experience in Networking and Testing, as he had done B.Tech in Computer Science.He has worked for cases under IPR (Trademark, Patents & Copyright), RERA, CCI, Arbitrations, DRC, Cyber Laws, Data Protection and Privacy laws, Property, Recovery Suits, 138 NI Act, Custom Matters, Arbitration, L.A, N.C.L.T. and all kind of Civil and Criminal matters.
Aman is a final year law student pursuing B.A. LL.B. (H) with a specialization in intellectual property laws at the Central University of South Bihar and he is at present an Intern with STEP NEXT LEGAL.
“One of the main cyber risks is to think they don’t exist. The other is to try to treat all potential risks.
-Stephane Nappo”
Introduction
The era of technology had started from the binary system of 0 & 1 and ended up in different kinds of cyber crimes which was truly distinguished by our unique legislation i.e. Information Technology Act (hereinafter the IT Act) in early 2000. In this modern world, technology has expanded its horizon way beyond what we couldn’t have expected with the introduction of Internet and Communication Technologies (ICT) and Internet of Things (IoT).
“Recently on 16th May 2020, The Indian government’s nodal cybersecurity agency ‘Indian Computer Emergency Response Team’ or ‘CERT-In’ has a warning specifically for android Smartphone users wherein the agency exclusively states that a new banking virus called as EVENTBOT is spreading which is a mobile Trojan that steals data information from banking and other financial aps. According to CERT-In, the new virus is a mobile banking Trojan and infostealer that abuses Android’s in-built accessibility features to steal user data from financial applications, read user SMS messages and intercepts SMS messages allowing malware to bypass two-factor authentication. The banking virus uses several icons to masquerade as a legitimate apps such as Microsoft Word, Adobe Flash etc. and using third-party apps downloading sites to infiltrate into victim’s device.”
The present article is accentuating on the statutory rights which entitles Indian citizens to get through while curbing out cybercrime by reporting the same in an effective manner.
Cyber Crime in General
An illegal activity that takes place with the help of technology is defined as cyber crime and it is considered as a bane of Internet. In other words, crimes that target computer and network systems are deemed to be cyber oriented in nature. Cyber crimes are committed by cyber criminals with the help of technology who tend to use ‘Dark-Web‘ for their illegal hacking and nefarious acts to take place. In the era of technology expanding at a fast pace, with the help of IoT, cyber criminals penetrate within the security measures of our smart devices easily and commit crime. The most frequent modus operandi of these cyber criminals is to initiate cyber crime through emails. However, this practice saw significant change and now cyber crimes are committed through various modes few of which are discussed in detail in the following part.
Types of Cyber Crime
Cyber crimes can range from one to many and just as the criminals vary so do cyber crimes in their nature. The few commonly experienced ones are defined as below:
- Malware: These are the kind of virus which destroy files and disturbs the functionality of the system i.e. computer. It is one the prominent cyber crimes that one comes across often. In general, a malicious code is written down by the hacker and the same is sent to one’s computer to steal important data or ask for ransom money after infecting the computer system.
- Cyber Bulling: Cyber bulling is also one of the most common cybercrimes these days where a unanimous user or even a known user engage in online harassment, including stalking, sexual harassment, doxing and frapping. To put it otherwise, it is an act where a cyber criminal enters into someone’s social media account through hacking without their permission and post a fake post thereby making the person’s security vulnerable.
- Crypto Jacking: When a hacker breaks into one’s system and uses his cryptocurrency without his knowledge or consent, it is referred to as an act under this head.
- Cyber Extortion: The name in itself defines the graveness of the crime in question – an extortion that is initiated electronically using technology. The most common cyber extortion activity is infecting with ransom ware, where hacker infects one’s computer with malware which encrypt all the important files until you pay the desired ransom in order to unlock them. Cyber extortion is used to blackmail victims by using BOTNET driven DDOS attacks so that illegal financial gain could be deduced from the aggrieved person.
- Identity Theft and Other Incidental Frauds: Identity theft is so common these days and a hacker needs personal information of the victim to execute identity theft. The ways by which a hacker can get access to the personal information of a person are:
- Phishing
- Pharming
- Key Logging
- Sniffing
Laws Regulating Cybercrime in India
Since the very beginning, tackling issues pertaining to cyber crimes was always on the priority list of Indian legislative authorities. It was only during the initial days of emergence of internet and cyber technologies when the Indian Government enacted the IT Act, 2000 which was a historical legislation and being one of its kinds in the sub-continent that dealt with recognizing the transactions through electronic communication.
I. Illegal/Criminal Hacking: Hacking, in general sense, refers to gaining access to a foreign computer network. This is termed as illegal when the person whose network is accessed is unaware about such access or when such access in unauthorized by the person who exercises a control over the network. The IT Act recognizes illegal hacking by virtue of Section 43. The law provides that if any person accesses or secures access to a computer or computer network without the consent of the owner or downloads, copies or extracts information from such network or causes damages or disruption to such network shall be liable to compensate the affected person by way of damages. Further, Section 66 imposes criminal liability for illegal hacking i.e. the acts stipulated under Section 43. Commission of such acts may attract an imprisonment up to 3 years or fine up to 5 lakh rupees or both under Section 74.
II. Denial of Service Act: If a person denies or causes denial of access to any other person who possesses an authorization to use a computer or computer network, he shall be deemed liable for imprisonment up to 3 years or fine up to 5 lakh rupees or both under Section 74. Additionally, the IT Act recognizes the same as an act of cyber terrorism provided such act is committed with the intent to threaten the unity, integrity, security and sovereignty of India or to strike terror among the people. It is punishable under Section 66F with an imprisonment for a term which may extend for life.
III. Phishing: The IT Act distinguishes between personal information and sensitive personal information. Procurement of sensitive personal information like passwords, bank account details of a person in order to use it in an unfavourable way, for say deduce financial frauds, is termed as an act of phishing. As per Section 66C of the IT Act, such fraudulent or dishonest use of password, signature or other unique identification feature of a person attracts an imprisonment up to 3 years or fine up to 5 lakh rupees. In addition, Section 66D provides for identical punishment in instances of use of a computer resource to cheat by personation. Furthermore, Section 74 criminalizes creation, publication or making available an e-signature certificate for fraudulent or unlawful objective with a punishment of imprisonment up to 2 years or fine up to 1 lakh rupees or both.
IV. Malware (including ransom ware, spyware, Trojans and viruses): Malware is a program that is intended to harm a computer. As mandated under Section 43(c), it is a punishable offence to introduce or transfer any computer contaminant or virus into any computer or computer network. This shall attract an imprisonment up to 3 years or fine up to 5 lakh rupees or both as provided under Section 74 once proven.
V. Identity Theft: A man is known by his identity or personal traits in this physical world. Similarly, our identity in digital world is known by certain attributes such as information related to our passwords, electronic signature and likewise. In case such identity is lost by way of theft caused by other person fraudulently or dishonestly or causes to cheat through personating other person, then the person causing such identity theft or personation shall be liable for punishment under Sections 66C & 66D respectively of the IT Act which provides for imprisonment up to 3 years or fine up to 1 lakh rupees. Further, the person causing cheating by personation shall also be liable for imprisonment up to 3 years or fine or both under Section 419 of the Indian Penal Code, 1860 (hereinafter IPC).
VI. Electronic Theft: Since we have advanced in a digital age where information is stored digitally, it is pertinent to secure that information. Section 72 of IT Act mandates it as a punishable offence if a person who has secured access to any electronic record, book, information, document or any other material discloses the same without the consent of the owner with an imprisonment up to 2 years or fine up to 1 lakh rupees or both. In addition, Section 409 criminalizes breach of trust by public servant, banker, merchant or agent in terms of property which is entrusted upon them with imprisonment up to 10 years and fine. Further, Section 420 of IPC provides for punishment for cheating and dishonest inducement of delivery, alteration or destruction of a valuable security or anything which is signed and sealed and is capable of turning into a valuable property with imprisonment up to 7 years and fine. Furthermore, Section 63 copyright Act, 1957 enumerates punishment for copyright infringement committed online which shall be not less than 6 months but up to 3 years and fine not less than 50 thousand rupees but up to 2 lakh rupees.
Instances of Judicial Prosecution
A. Hacking: State Bank of India v. Chander Kalani & Ors. (2019) – In this case, officials of Appellant bank furnished information regarding fixed deposits (FD) of Respondents to a fraudster without due verification. Consequently, FD was broken and the amount was transferred to an overseas bank account. On a complaint made by the Respondents under Sections 43(a) and 43A of the IT Act, 2000, the Adjudicating Officer (AO), IT, Government of Maharashtra directed the Appellant Bank to pay compensation of Rs. 40 lakhs. On an appeal preferred against this order before the Bombay HC, the Court asked Appellant Bank to approach Telecom Dispute Settlement and Appellate Tribunal (TDSAT), New Delhi which went on to upheld the order of AO. Aggrieved by the order of Appellate Tribunal, the Appellant Bank preferred an appeal before the Delhi HC under Section 62 of IT Act. However, the Delhi HC held that the appropriate forum for preferring the appeal was Bombay HC since none of parties had ever challenged the jurisdiction of Bombay HC or AO.
B. Phishing: ICICI Bank Umashanker Sivasubramanian (2019) – In the instant case, Appellant Bank was accused of negligence to safeguard personal sensitive information of its customer and assisting the fraudster which resulted in financial loss and denial of access of account. A complaint was filed before Adjudicating Officer (AO), IT, Government of Tamil Nadu under Sections 43 and 85 of the IT Act who found the bank guilty and directed to pay compensation of Rs. 12,85,000 to the Respondent. Appellant Bank preferred an appeal against this order before TDSAT, New Delhi. The Appellate Tribunal held that provisions of section 43(g) would not apply since the act was committed before introduction of such provision. It was further held that assistance would require some positive act and an intention to cause harm, thus bank can only be liable to pay compensation under section 43A of the IT Act. Further, amount of compensation was decreased to Rs. 7,34,327.
C. Cyber squatting: Raymond Limited V. Raymond Pharmaceutical Pvt. Ltd. (2016)– In the instant case, the Defendants were using “Raymond” in their domain name which the Bombay HC restrained them from using after granting an ex-parte injunction in favour of the Plaintiff. The Court also went on to distinguish cyber squatting and trade mark infringement and held that use of the word Raymond by Defendant has not diluted Plaintiff’s. Although Defendant was using the word in question in their domain name, same as adjudged as fair use and safe harbour principle was acknowledged by the Court.
D. Breach of confidentiality: Olive E-Business v. Kirti Dhanawat & Ors.– The Delhi HC passed an ex-parte interim injunction restraining the Defendants from misusing and misappropriating trade secrets and confidential information of the Plaintiff without authorization. As part of this injunction, the court also ordered the Google to block email accounts of the other Defendants in the suit.
Self-Preventive Approach- Need of the Hour
Our IT Act is self-explanatory in itself. But the question remains do we owe a duty too apart from what government is obliged in order to protect ourselves from cyber crimes? The answer leans in affirmative. Undeniably, it is to be borne in our minds that digital habits of the end users have to be transformed to safeguard their interest. Below is a non-exhaustive list of practices which one can follow in order to minimize the risk of cyber crimes.
- Beware of emails with fishy links or unwarranted attachments that you don’t expect. Do not open such attachments.
- Avoid downloading from unknown sources.
- Verify the authenticity of a website or make sure you are on a legitimate website before entering any personal information.
- Keep on downloading software updates only from genuine links.
- Try avoiding usage of unencrypted public wi-fi.
- Use strong and unique passwords and don’t use at least last six used passwords again.
- Turn off the auto-save passwords for different platforms and apps.
- Use two-factor authentication whenever possible.
- Boost your router’s security to protect your home networks.
- While filling personal information or credit card details do not select for saving the details for later or faster usage. This may land you in witnessing large number of unwarranted debits from the credit cards misused by the hackers.
- Seek protection against malware by downloading and updating powerful antivirus software.
Conclusion- The Road Ahead
Technology has always been advanced for good of the society at large. However, there have been instances where technology went into bad hands and was utilized to further evil intentions. Only going into some wrong hands with outlawed motives enable technologies to be vulnerable to cyber crimes and become punishable offences. Therefore, it is significant that we take adequate measures to protect our data which is available digitally in the cyberspace. From the perspective of an organisation, it is equally important to have a close watch over such activities which deem to violate the established norms. Needless to say, only when we are aware, we shall be able to save ourselves from so called “Trojans” (cyber criminals) in cyberspace. Now the time shifts a liability on all the stakeholders to observe due care while dealing with information available digitally so that technology proves to be efficient in growth of every sector. Let’s not forget, cyberspace is protected for us only till then we maintain cyber hygiene or in other words, follow the mandates and protocols provided under various cyber legislations.