CYBER-CRIMES AND INDIAN LEGAL REGULATORY FRAMEWORK – A REVIEW

INTRODUCTION

With the expansion of usage of Cyber technology a need was felt to adopt a law framework in order to address abuse of this technology by the perpetrators of crime. On one hand in order to regulate new forms of crimes that emerged along with the technology new laws were framed while on the other hand, to regulate conventional crimes committed with the usage of this technology, the existing traditional criminal law was extended to the domain. Hence cyber laws of today is a combination of provisions from both conventional criminal law as well as from the Indian Information Technology Act of 2000.

Cyber technology has today become a tool or a target of criminal activities. Various crimes are committed on cyber space including on social media platform.  “While the internet and other information technologies are bringing enormous benefits to society, they also provide new opportunities for criminal behavior.”[1] Offenders of crime by abusing the technology have contributed not just to an increase in the number of cyber-crimes but also to the expansion of its forms of cyber-crimes.

Cybercrimes as well as conventional crimes committed with the use of cyber technology are increasing day by day. The reports of the National Crimes Record Bureau [NCRB] indicates a periodical rise in the number of cyber-crimes committed throughout the country. From 2012 to 2018, there were over 90 thousand cyber-crime incidents registered across India, of which, over 27 thousand cases were registered in 2018 alone, marking an increase of more than 121 percent since 2016.[2] During 2018, 55.2% of cyber-crime cases registered were for the motive of fraud (15,051 out of 27,248 cases) followed by sexual exploitation with 7.5% (2,030 cases) and causing disrepute with 4.4% (1,212 cases).[3] Hence cyber-crimes includes offences of various kinds, targeting varied victims with varied motive. Cyber-crimes also includes breach of cyber security.  Further the fact that cyber-crimes are increasing in multitude and are becoming insidiously complex cannot be denied.

Cyber technology facilitates commission of crimes in many ways. It has opened new avenues to fraudsters and other cyber criminals, by making it easier for them to communicate, conspire and commit crime ‘over’ and ‘via’ internet. Cyber criminals can easily hide their identities, commit offences having devastating effects at various locations, thereby taking the statistics of cyber-crimes to a higher graph and plane. It is often difficult to take preventive measures against cyber-crimes as often its impact is realized and assessed only once it is committed. Compared to traditional crimes, cyber crime affects more number of victims and carries more destruction with it. Estimating the incidence, prevalence, cost, or some other measure of computer related crime is a difficult challenge, unlike bank robberies or fatal motor vehicle accidents; computer related crimes tend to defy quantification.[4]

REGULATION OF CYBER CRIMES IN INDIA

Regulation of cyber-crimes though is a difficult task yet is vital to a legal system. Countries are attempting to regulate them by adopting both technical as well as legal measures. Government of India enacted the Information Technology Act in the year 2000, which however failed in effectively tackling cyber crimes as it was more inclined towards facilitating Electronic commerce and Electronic governance. Amendments made to the Act in 2008 however shifted its focus to regulation of cyber-crimes. The 2008 amendment has attempted to fill in the gaps which existed in the earlier 2000 enactment.

Currently the law provides for:

• Expansion of the definition of various terms referred to in the Act, thereby widening the ambit of the Act. Some of such terms includes – computer, communication devices, computer resource, etc. Terms like Communication Device’, ‘computer network’, ‘intermediary’ are now well defined to cover a larger area then it was covered under 2000 enactment.

To illustrate, ‘communication device’ in defined to include ‘Cell Phones, Personal Digital Assistance (Sic), or combination of both or any other device used to communicate, send or transmit any text, video, audio, or image’. Similarly  ‘Computer network’ now includes use of satellite, microwave, terrestrial line, wire, wireless or other communication media, and other terminals or any complex consisting of interconnected [both temporary as well as permanent] computers or communication device. 

Also the term “Intermediary” with respect to any particular electronic records, now covers “any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.”

• Enlarging the scope of cyber-crime regulating provisions, by way of bringing under its ambit various forms of cyber-crimes. It is important to note that the Act now also has specific provisions that provides for civil remedies as against some forms of cyber wrongs, including hacking, data stealing, and data destruction. The Act provides for mechanism to regulate cyber civil wrongs, apart from laying down procedure for such mechanism.
• The Act criminalizes offences of identity stealing, cheating by personation, data theft, adult as well as child pornography, breach of confidentiality, etc.
• The Act empowers States with power to monitor and intercept interactions and communications on and via the technology for permitted purposes such as investigation and regulation of crimes, protection of sovereignty and public interest, etc. State is also empowered to block access to contents on internet or even websites as well as to conduct internet monitoring and E-surveillance.
• Certain wrongs are recognized both as civil as well as criminal wrongs.[5] Section 66 criminalizes a wrong which is under Section 43 a civil wrong. Criminal liability can be imposed if such civil wrong is committed ‘dishonestly’ or ‘fraudulently.’
• Most importantly, Criminal liability is imposed for:
  • dishonestly receiving stolen computer resource or communication device under Section 66 B of the IT 2008 Act.
  • identity theft under Section 666C,
  • cheating by personation committed with the use of any means of communication device or computer resource under section 66D,
  • voyeurism under Section 66E
  • Pornography and Obscenity under Section 67 and 67A and child pornography under Section 67B. Offences under Section 67, 67A and 67B are exempted from criminal liability if they are committed in ‘good faith’ or ‘in the interest of science, literature, art or learning or other objects of general concern’ or if they are kept or used ‘bona fide for religious purposes’.

IT Act imposes obligation upon a person who or an institution which while providing services under the terms of lawful contract, gets secured access to any material containing personal information of another person, intentionally or with the knowledge of causing wrongful loss or wrongful gain or in breach of a lawful contract, discloses such information to another person without the consent of the such person.[6]

Making any misrepresentation or suppressing material fact from the Controller or the Certifying Authority while obtaining any license or Electronic Signature Certificate is criminalized under section 71. Acts constituting ‘cyber terrorism’ is dealt with under section 66 F, which is so widely worded that it can also regulate cyber war. Sections 84A and 84 C punishes abetment and attempt of crimes, respectively.

Corporate liability is also imposed upon companies for offences committed by or in companies under Section 85.  The provision even allows for extension of such liability upon the officers run the affairs of such company such as its Manager or Director, provided such offence is committed with his knowledge or if he had failed to adhere to ‘due diligence’

Thus the present Information Technology law provides for a more structured legal framework addressing various issues, which were not covered under the original IT Law, thereby providing more power for the authorities involved in combating cyber crimes. Apart from having a special law to deal with cyber crimes, Government of India and some State Governments have taken other measures to combat cyber crimes. India. Separate cells and police stations are constituted to investigate cyber-crimes specifically. The Central Bureau of India has also developed a specialized structure to regulate cyber-crimes, including by establishing the Cyber Crime Investigation Cell and Cyber Forensics Laboratory.[7]

For timely and effective regulation of threats to cyber security, the ‘Indian Computer Emergency Response Team’ [CERT-In] [8] has been established by the Department of Information Technology. It collects, analyzes and disseminates information relating to incidences of cyber-crime. It also provides forecast and alerts to the investigating teams regarding threats to cyber security and co-ordinates with such teams when necessary. Most importantly it responds to cyber crime incidents by taking necessary measures in case of emergencies.

Powers of regulation also includes government’s power to monitor and regulation online content. As mentioned earlier, the IT Act empowers government with powers to conduct e-surveillance, monitor internet, order for decryption of encrypted data and to block illegal contents. Section 69 (1) empowers the Central Government to issue directions to any government agencies to intercept, monitor or decrypt any information transmitted through any computer resource, if its necessary or expedient to do so on the following grounds:

• interest of sovereignty / integrity of India,
• defense of India,
• security of the State,
• friendly relations with foreign states, or
• for public order, or
• for preventing incitement to the commission of any cognizable offence relating to the above, or
• for investigation of any offence.

The government for the above, can impose an obligation upon a subscriber or an intermediary or any person in charge of the computer resource to provide all essential facilities and technical assistance to Government and if such person fails to comply with such order, he can be punished with imprisonment extending to 7 years. Similarly, Section 69A empowers the Central Government or its authorized officer to order any government agency / intermediary to block access of any information generated, transmitted, received, stored or hosted in any computer resource, if it is felt as essential or expedient to do so on grounds prescribed thereunder which is infact in conformity with Article 19(2) of the Constitution. Failure to comply with the above directions can be punished under Section 69A (3).  Additionally, Section 69B authorizes government agencies to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.

By providing for declaration of systems that facilitates functioning of “Critical Information Infrastructure”[9] as ‘Protected systems’, Section 70 confers extra legal protection to such systems. Under this provisions, if a person illegally gains or attempts to gain access to such systems, he can be punished with stringent punishment.[10] Under Section 70(A)(3), an intermediary is required to inform the Computer Emergency Response Team of India [CERT-IN], about incidences of cyber security threats and failure to inform is subjected to criminal liability.[11]

IT Act aims to also regulate abuse of powers of State authorities. Under Section 72, if a person secures access in pursuance of powers conferred under the enactment or its rules and regulations, to any electronic record, book, register, correspondence, information, document or other material but discloses the same without the consent of the concerned person, he can be punished with criminal liability.

PROCEDURAL ASPECTS:

IT Act empowers an officer not below the rank of Inspector to conduct investigation of cyber-crimes.  An inspector rank officer investigating the case is specifically empowered to conduct search and seizure procedure. Offences punishable with imprisonment up to 3 years or more than 3 years are made cognizable, hence mandating investigation. In addition to specifically set up Cyber Crime Police Stations, regular police are also empowered to take up investigation of cyber-crime cases. Offence punishable with less than 3 years of imprisonment are made bailable and compoundable, unless they are committed against women, children and State.  Investigation and prosecution of cyber-crimes except where it is otherwise contradictory, will be bound by the rules laid down under Criminal Procedure Code.

DRAWBACKS IN THE SYSTEM:

Regulation of cyber-crimes suffers with certain challenges. Being a techno-legal offence, it mandates compliance to both legal as well as certain technical procedures, thereby necessitating law enforcement agencies to have expertise in both the fields. It involves collection of intangible evidences which is one of the hardest errands of an Investigating Officer and requires technical knowledge and special skill. While cyber forensics plays an important role in regulation of cyber-crimes, laws fails to expressly incorporate the same in the legally laid down procedural rules. However most of the investigating agencies have adopted their own Standard Operating Procedure [SOP] which includes forensic aspects. In order to establish authenticity and reliability of digital evidences it becomes crucial to comply with such SOPs.

As data’s stored by criminals have no physical boundaries and can be accessed by criminals from anywhere in the world, it makes it a complicated affair for the Investigating Officers to collect, appreciate, analyze and preserve evidences of cyber-crimes. Hence jurisdiction related challenges continue to affect legal procedure. Cyber space being transnational in nature facilitates a cyber offender to commit offence from one place while causing its impact in another. On the other hand, the system used as a tool to commit the offence may be from an third country. In such cases, extending jurisdiction as well as effectively conducting criminal procedure becomes too complicated task. Additionally unless the internet service provider coordinates with the law enforcement agencies, it becomes difficult to collect evidence as well as conduct procedures of surveillance, blocking as well as internet monitoring.

RECOMMENDATIONS:

Indian legal approach in regulating cyber-crimes currently is dealt with largely under the Information Technology Act. While most of its substantive provisions are wide in scope, what lacks is a better procedural law framework. Further technical nature of crimes makes the task of regulation hard. To address these issues it is important to legally recognize and facilitate cyber forensic process. State must resolve jurisdiction related issues by way of entering into bilateral and multilateral agreements with counties and wherever possible with regional or international arrangements in form of conventions. Consultation, coordination and cooperation even between and amongst Governments and law enforcement agencies on one hand and private sectors well equipped with technical knowledge and skill on the other hand is also important. This can be used to harmonize probable measures, practices and procedures essential to embark cyber-crimes. Industries using information technology must hence develop and embrace initiatives to protect its consumers. They must also cooperate with law enforcement agencies and try to bring in a balance between their clients’ interests in protecting their privacy and public interest that requires a safer cyber space to transact. The research and development wing of the investigating departments should continuously research and develop sophisticated technologies essential to embark upon all intricacies involved in detecting cybercrimes. Periodical security survey must be conducted to assess the level of security awareness of people and take necessary measures to raise such awareness. National initiative must be taken to examine all essential issues relating to unlawful use of new communications technologies, especially the internet and its role in the distribution of offensive contents like child porn and other sexually explicit material. These integrated measures can add to effective implementation of the existing regulatory framework in the country.

CONCLUSION:

Healthy growth of information technology requires a secure environment which can only be ensured by adequate legal provisions and suitable enforcement measures. [12] Misuse of cyber technology can affect the security of nations as well as international community including the safety of individuals. A safer cyber world is the one that involves proactive approach by State and other stakeholders who can together contribute to the effective regulation of cyber-crimes.

This Article has been written by DR. NAGARATHNA. A, Working as an Associate Professor of Law & Chief Coordinator, Advanced Centre on Training, Research and Development in Cyber Law and Forensics, National Law School of India University, Bangalore.

References:

[1] The Electronic Frontier, ‘The Challenge of Unlawful Conduct involving the use of the Internet – A Report of the President’s Working Group on Unlawful Conduct on the Internet’ (March 2000), quoting Janet Reno, available at http://www.usdoj.gov/criminal/cybercrime/kvd0698.htm#Q2, last accessed 24^th June 2020.

[2]See:

Sanika Diwanji, Total number of cyber-crimes reported across India from 2012 to 2018, https://www.statista.com/statistics/309435/india-cyber-crime-it-act/, accessed on 25^th June 2020.

[3] https://ncrb.gov.in/sites/default/files/Crime%20in%20India%202018%20-%20Volume%201.pdf, last accessed on 21^st June 2020.

[4] Dr. Peter Grabosky, ‘Cyber Crime and Information Warfare’, paper presented at the Translational Crime Conference, Australian Institute of Criminology in association with the Australian Federal Police and Australian Customs Service, Canberra, 9-10 March 2000.

[5] See Section 43 & 66.

[6] Section 72 A

[7] See for details CBI website – http://www.cbi.gov.in/aboutus/manuals/Chapter_18.pdf

[8] This became operation from January, 2004.

[9] “Critical Information Infrastructure” is defined as the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety

[10] Any person who secures access or attempts to secure access to a protected system in contravention of this act will be punished with imprisonment up to 10 years and fine.

[11] Section 70 A (3)

[12] Economic and Political Weekly, ‘Dithering over Cyber Laws’,  Vol. 34, No 20 [May 15, 1999] at p 1151