VIDYALANKAR SCHOOL OF INFORMATION TECHNOLOGY                 BUSINESS LAW INFORMATION TECHNOLGY ACT-2000 & CYBER CRIME    ...
IndexSr No             Particular              Page No 1               Introduction               3-4 2      Information T...
IntroductionSuccess in any field of human activity leads to crime that needs mechanisms to control it. Legal provisionssho...
In the world of cyber crime, evil bytes are fast replacing whizzing bullets. The Indian authorities are aware ofthe fight ...
Information Technology Act 2000Connectivity via the Internet has greatly abridged geographical distances and made communic...
4. A will as defined in clause (h) of section 2 of the Indian Succession Act, 1925including any othertestamentary disposit...
Legitimacy and Use of Digital SignaturesThe Act has adopted the Public Key Infrastructure for securing electronic transact...
Explicates the manner in which electronic records are to be attributed, acknowledged and dispatched. Theseprovisions play ...
Regulation of Certifying Authorities (CAs)A CA is a person who has been granted a license to issue digital signature certi...
Rs.1 Crore (10 million) for gaining unauthorized access to a computer or computer system, damaging it,introducing a virus ...
The Adjudicating Officer must give the accused person an opportunity to be heard and after being satisfied thathe has viol...
To quote Section 78, it states:"For the removal of doubts, it is hereby declared that no person providing any service as a...
Rapid developments in e-business pose a growing need for online security and authentication. Many emergingtechnologies are...
Introduction to Cyber CrimeThe first recorded cyber crime took place in the year 1820! That is not surprising considering ...
v Computer espionageThese definitions, although not completely definitive, do give us a good starting point—one that has s...
For this India needs total international cooperation with specialised agencies of different countries. Police has toensure...
tackle them on a priority basis. This is necessary so as to win the faith of the people in the ability of the systemto tac...
"tamper" mean? To interfere in a harmful way or to alter improperly. Is tampering with computer files   different from tam...
viruses or spyware, or allow others to access the files contained on your hard drive beyond those you     intend to share....
In another incident, in Mumbai a Swiss couple would gather slum children and then would force them to appear forobscene ph...
a booming business involving thousands of Rupees being given to student gangs in exchange for these bogus butauthentic loo...
These attacks are used for the commission of financial crimes. The key here is to make the alteration so insignificantthat...
defined by the Indian Penal Code. The net cafe owner spent several weeks locked up in Tihar jail before beinggranted bailW...
In the latter scenario, the attack is known as a distributed denial of service attack. Usually these attacks do notnecessi...
the attack is launched and then stopped to be launched once again later. This makes it very difficult, in fact almostimpos...
Facts and FiguresIn      2006,        this         number        more       than     doubled          to      200        i...
arrested for committing such offences during 2009. There were 233          cases of       Hacking           withComputer S...
Breach of Trust/Fraud and 8.7% (23) for Counterfeiting.The States such as Maharashtra (89), Punjab (48), and Chhattisgarh ...
29
Indian Case Studies1. Pune Citibank Mphasis Call Center FraudUS $ 3, 50,000 from accounts of four US customers were dishon...
The call canter employees are checked when they go in and out so they cannot copy down numbers andtherefore they could not...
accused started contacting her once again. On her reluctance to marry him, the accused took up the harassmentthrough the I...
In Indias first case of cyber defamation, a Court of Delhi assumed jurisdiction over a matter where acorporate’s reputatio...
The laptop contained several evidences that confirmed of the two terrorists’ motives, namely the sticker of theMinistry of...
She gave her credit card number for payment and requested that the products be delivered to Arif Azim inNoida. The payment...
Elaborating on the concept of ‘phishing’, in order to lay down a precedent in India, the court stated that it is aform of ...
trademark rights. The court also ordered the hard disks seized from the defendants’ premises to be handed overto the plain...
We         have         try     to      find        out            various       reasons            that            despit...
There is a high need to increase the strength of staff for proper functioning of the ACT.Red coding SystemSet - up a red c...
Bibliography IT ACT 2000 Published by The Gazette of India www.google.com www.google.com: Asian School of Cyber Law No...
41
DisclaimerThis presentation is prepared for knowledge sharing and awareness. We can use the information provided herewith ...
Upcoming SlideShare
Loading in...5
×

It act 2000 & cyber crime 111111

14,328

Published on

Published in: Business, Education
0 Comments
6 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
14,328
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
635
Comments
0
Likes
6
Embeds 0
No embeds

No notes for slide

Transcript of "It act 2000 & cyber crime 111111"

  1. 1. VIDYALANKAR SCHOOL OF INFORMATION TECHNOLOGY BUSINESS LAW INFORMATION TECHNOLGY ACT-2000 & CYBER CRIME 1
  2. 2. IndexSr No Particular Page No 1 Introduction 3-4 2 Information Technology ACT 2000 5-13 3 Cyber Crime 14-18 4 Types of Crime 19-22 5 Cyber Criminal 23-25 6 Facts & Figures 26-29 7 Case Study 30-36 8 Conclusion 37-38 9 Bibliography 39-40 2
  3. 3. IntroductionSuccess in any field of human activity leads to crime that needs mechanisms to control it. Legal provisionsshould provide assurance to users, empowerment to law enforcement agencies and deterrence to criminals. Thelaw is as stringent as its enforcement. Crime is no longer limited to space, time or a group of people. Cyberspace creates moral, civil and criminal wrongs. It has now given a new way to express criminal tendencies.Back in 1990, less than 100,000 people were able to log on to the Internet worldwide. Now around 600 millionpeople are hooked up to surf the net around the globe.With increased use of computers in homes and offices, there has been a proliferation of computer-relatedcrimes.These crimes include:(i) Crimes committed by using computers as a means, including conventional crimes.(ii) Crimes in which computers are targets.The Internet in India is growing rapidly. It has given rise to new opportunities in every field we can think of –be it entertainment, business, sports or education. There are two sides to a coin. Internet also has its owndisadvantages. One of the major disadvantages is Cybercrime – illegal activity committed on the Internet. TheInternet, along with its advantages, has also exposed us to security risks that come with connecting to a largenetwork. Computers today are being misused for illegal activities like e-mail espionage, credit card fraud,spams, and software piracy and so on, which invade our privacy and offend our senses. Criminal activities inthe cyberspace are on the rise."The modern thief can steal more with a computer than with a gun. Tomorrows terrorist may be able todo more damage with a key board than with a bomb".Until recently, many information technology (IT) professionals lacked awareness of an interest in the cybercrime phenomenon. In many cases, law enforcement officers have lacked the tools needed to tackle theproblem; old laws didn’t quite fit the crimes being committed, new laws hadn’t quite caught up to the reality ofwhat was happening, and there were few court precedents to look to for guidance? Furthermore, debates overprivacy issues hampered the ability of enforcement agents to gather the evidence needed to prosecute these newcases. Finally, there was a certain amount of antipathy—or at the least, distrust— between the two mostimportant players in any effective fight against cyber crime: law enforcement agencies and computerprofessionals. Yet close cooperation between the two is crucial if we are to control the cyber crime problem andmake the Internet a safe “place” for its users. 3
  4. 4. In the world of cyber crime, evil bytes are fast replacing whizzing bullets. The Indian authorities are aware ofthe fight ahead. But the future does not look optimistic, shares experts. Life is about a mix of good and evil. Sois the Internet. For all the good it does us, cyberspace has its dark sides too. Unlike conventional communitiesthough, there are no policemen patrolling the information super highway, leaving it open to everything fromTrojan horses and viruses to cyber stalking, trademark counterfeiting and cyber terrorism.Given the unrestricted number of free Web sites, the Internet is undeniably open to exploitation. Known ascyber crimes, these activities involve the use of computers, the Internet, cyberspace and the World Wide Web."Any criminal activity that uses a computer either as an instrumentality, target or a means for perpetuatingfurther crimes comes within the ambit of cyber crime," says Supreme Court advocate and cyber law expertPavan Duggal.While the worldwide scenario on cyber crime looks bleak, the situation in India isnt any better. There are noconcrete statistics but, according to Duggal, Indian corporate and government sites have been attacked orderfaced more than 780 times between February 2010 and December 2010.Until recently, many information technology (IT) professionals lacked awareness of an interest in the cybercrime phenomenon. In many cases, law enforcement officers have lacked the tools needed to tackle theproblem; old laws didn’t quite fit the crimes being committed, new laws hadn’t quite caught up to the reality ofwhat was happening, and there were few court precedents to look to for guidance. Furthermore, debates overprivacy issues hampered the ability of enforcement agents to gather the evidence needed to prosecute these newcases. Finally, there was a certain amount of antipathy—or at the least, distrust— between the two mostimportant players in any effective fight against cyber crime: law enforcement agencies and computerprofessionals. Yet close cooperation between the two is crucial if we are to control the cyber crime problem andmake the Internet a safe “place “for its users.Law enforcement personnel understand the criminal mindset and know the basics of gathering evidence andbringing offenders to justice. IT personnel understand computers and networks, how they work, and how totrack down information on them. Each has half of the key to defeating the cyber criminal.IT professionals need good definitions of cybercrime in order to know when (and what) to report to police, butlaw enforcement agencies must have statutory definitions of specific crimes in order to charge a criminal withan offense. The first step in specifically defining individual cybercrimes is to sort all the acts that can beconsidered cybercrimes into organized categories. 4
  5. 5. Information Technology Act 2000Connectivity via the Internet has greatly abridged geographical distances and made communication even morerapid. While activities in this limitless new universe are increasing incessantly, laws must be formulated tomonitor these activities. Some countries have been rather vigilant and formed some laws governing the net. Inorder to keep pace with the changing generation, the Indian Parliament passed the much-awaited InformationTechnology Act, 2000 .As they say, "It’s better late than never".However, even after it has been passed, a debate over certain controversial issues continues. A large portion ofthe industrial community seems to be dissatisfied with certain aspects of the Act. But on the whole, it is a stepin the right direction for India.The Information Technology Act 2000, regulates the transactions relating to the computer and the Internet.The objectives of the Act as reflected in the Preamble to the Act are:1. The Preamble to the Act states that it aims at providing legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information and aims at facilitating electronic filing of documents with the Government agencies.2. To facilitate electronic filing of the document with the government of India. The General Assembly of the United Nations had adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law (UNCITRAL) in its General Assembly resolution A/RES/51/162 dated January 30, 1997. The Indian Act is in keeping with this resolution that recommended that member nations of the UN enact and modify their laws according to the Model Law.Thus with the enactment of this Act, Internet transactions will now be recognized, on-line contracts will beenforceable and e-mails will be legally acknowledged. It will tremendously augment domestic as well asinternational trade and commerce.The Information Technology Act extends to the whole of India and, saves as otherwise provided in this Act,it applies also to any offence or contravention there under committed outside India by any person.However The Act does not apply to:1. a negotiable instrument as defined in section 13 of the Negotiable Instruments Act,1881;2. a power-of-attorney as defined in section 1A of the Powers-of- Attorney Act, 1882;3. a trust as defined in section 3 of the Indian Trusts Act, 1882; 5
  6. 6. 4. A will as defined in clause (h) of section 2 of the Indian Succession Act, 1925including any othertestamentary disposition by whatever name called;5. Any contract for the sale or conveyance of immovable property or any interest in such property;6. Any such class of documents or transactions as may be notified by the Central Government in the OfficialGazette.Some of the Important Definition:1."Adjudicating officer" means an adjudicating officer appointed under subsection of section 46;2."Affixing digital signature" with its grammatical variations and cognate expressions means adoption of anymethodology or procedure by a person for the purpose of authenticating an electronic record by means ofdigital signature;3."Appropriate Government" means as respects any matter,—(i) Enumerated in List II of the Seventh Schedule to the Constitution;(ii) Relating to any State law enacted under List III of the Seventh Schedule to the Constitution, the StateGovernment and in any other case, the Central Government;4."Asymmetric crypto system" means a system of a secure key pair consisting of a private key for creating adigital signature and a public key to verify the digital signature;5."Certifying Authority" means a person who has been granted a licence to issue a Digital SignatureCertificate under section 24;6."Certification practice statement" means a statement issued by a Certifying Authority to specify thepractices that the Certifying Authority employs in issuing Digital Signature Certificates;7."Cyber Appellate Tribunal" means the Cyber Regulations Appellate Tribunal established under sub-section(1) of section 48;8."Digital signature" means authentication of any electronic record by a subscriber by means of an electronicmethod or procedure in accordance with the provisions of section 3;9."Digital Signature Certificate" means a Digital Signature Certificate issued under subsection of section 35;10."Electronic form" with reference to information means any information generated, sent, received or storedin media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device;11."Electronic Gazette" means the Official Gazette published in the electronic form;12."Secure system" means computer hardware, software, and procedure that—(a) are reasonably secure from unauthorised access and misuse;(b) provide a reasonable level of reliability and correct operation;(c) are reasonably suited to performing the intended functions; and(d) adhere to generally accepted security procedures; 6
  7. 7. Legitimacy and Use of Digital SignaturesThe Act has adopted the Public Key Infrastructure for securing electronic transactions. As per Section 3 of theAct, a digital signature means an authentication of any electronic record by a subscriber by means of anelectronic method or procedure in accordance with the other provisions of the Act. Thus a subscriber canauthenticate an electronic record by affixing his digital signature. A private key is used to create a digitalsignature whereas a public key is used to verify the digital signature and electronic record. They both areunique for each subscriber and together form a functioning key pair.Section 5 provides that when any information or other matter needs to be authenticated by the signature of aperson, the same can be authenticated by means of the digital signature affixed in a manner prescribed by theCentral Government.Under Section 10, the Central Government has powers to make rules prescribing the type of digital signature,the manner in which it shall be affixed, the procedure to identify the person affixing the signature, themaintenance of integrity, security and confidentiality of electronic records or payments and rules regarding anyother appropriate matters.Furthermore, these digital signatures are to be authenticated by Certifying Authorities (CA’s) appointed underthe Act. These authorities would inter alias; have the license to issue Digital Signature Certificates (DSC’s).The applicant must have a private key that can create a digital signature. This private key and the public keylisted on the DSC must form the functioning key pairOnce the subscriber has accepted the DSC, he shall generate the key pair by applying the security procedure.Every subscriber is under an obligation to exercise reasonable care and caution to retain control of the privatekey corresponding to the public key listed in his DSC. The subscriber must take all precautions not to disclosethe private key to any third party. If however, the private key is compromised, he must communicate the sameto the Certifying Authority (CA) without any delay.Writing requirementsSection 4 of the Act states that when under any particular law, if any information is to be provided in writing ortypewritten or printed form, then not withstanding that law, the same information can be provided in electronicform, which can also be accessed for any future reference. This non-obstinate provision will make it possible toenter into legally binding contracts on-line!Attribution, Acknowledgement and Dispatch of Electronic Records 7
  8. 8. Explicates the manner in which electronic records are to be attributed, acknowledged and dispatched. Theseprovisions play a vital role while entering into agreements electronically.Section 11 states that an electronic record shall be attributed to the originator as if it was sent by him or by aperson authorized on his behalf or by an information system programmed to operate on behalf of the originator.As per Section 12, the addressee may acknowledge the receipt of the electronic record either in a particularmanner or form as desired by the originator and in the absence of such requirement, by communication of theacknowledgement to the addresses or by any conduct that would sufficiently constitute acknowledgement.Normally if the originator has stated that the electronic record will be binding only on receipt of theacknowledgement, then unless such acknowledgement is received, the record is not binding. However, if theacknowledgement is not received within the stipulated time period or in the absence of the time period, within areasonable time, the originator may notify the addressee to send the acknowledgement, failing which theelectronic record will be treated as never been sent.Section 13 specifies that an electronic record is said to have been dispatched the moment it leaves the computerresource of the originator and said to be received the moment it enters the computer resource of the addressee.Utility of electronic records and digital signatures in Government Audits AgenciesAccording to the provisions of the Act, any forms or applications that have to be filed with the appropriatedGovernment office or authorities can be filed or any license, permit or sanction can be issued by theGovernment in an electronic form. Similarly, the receipt or payment of money can also take placeelectronically.Moreover, any documents or records that need to be retained for a specific period may be retained in anelectronic form provided the document or record is easily accessible in the same format as it was generated,sent or received or in another format that accurately represents the same information that was originallygenerated, sent or received. The details of the origin, destination, date and time of the dispatch or receipt of therecord must also be available in the electronic record.Furthermore, when any law, rule, regulation or byelaw has to be published in the Official Gazette of theGovernment, the same can be published in electronic form. If the same are published in printed and electronicform, the date of such publication will be the date on which it is first published.However, the above-mentioned provisions do not give a right to anybody to compel any Ministry orDepartment of the Government to use electronic means to accept issue, create, retain and preserve anydocument or execute any monetary transaction. Nevertheless, if these electronic methods are utilized, theGovernment will definitely save a lot of money on paper! 8
  9. 9. Regulation of Certifying Authorities (CAs)A CA is a person who has been granted a license to issue digital signature certificates. These CAs are to besupervised by the Controller of CAs appointed by the Central Government. Deputy or Assistant Controllersmay also assist the Controller. The Controller will normally regulate and monitor the activities of the CAs andlay down the procedure of their conduct.The Controller has the power to grant and renew licenses to applicants to issue DSCs and at the same time hasthe power to even suspend such a license if the terms of the license or the provisions of the Act are breached.The CAs has to follow certain prescribed rules and procedures and must comply with the provisions of the Act.Issuance, Suspension and Revocation of Digital Signature Certificates (DSCs)As per Section 35, any interested person shall make an application to the CA for a DSC. The application shallbe accompanied by filing fees not exceeding Rs. 25,000 and a certification practice statement or in the absenceof such statement; any other statement containing such particulars as maybe prescribed by the regulations. Afterscrutinising the application, the CA may either grant the DSC or reject the application furnishing reasons inwriting for the same.While issuing the DSC, the CA must inter alias, ensure that the applicant holds a private key which is capableof creating a digital signature and corresponds to the public key to be listed on the DSC. Both of them togethershould form a functioning key pair.The CA also has the power to suspend the DSC in public interest on the request of the subscriber listed in theDSC or any person authorised on behalf of the subscriber. However, the subscriber must be given anopportunity to be heard if the DSC is to be suspended for a period exceeding fifteen days. The CA shallcommunicate the suspension to the subscriber.There are two cases in which the DSC can be revoked. Firstly, as per Section 38 (1), it may be revoked eitheron the request or death of the subscriber or when the subscriber is a firm or company, on the dissolution of thefirm or winding up of the company. Secondly, according to Section 38(2), the CA may sue moto revoke it ifsome material fact in the DSC is false or has been concealed by the subscriber or the requirements for issue ofthe DSC are not fulfilled or the subscriber has been declared insolvent or dead et al. A notice of suspension orrevocation of the DSC must be published by the CA in a repository specified in the DSC.Penalties for Computer CrimesAs per the Act, civil liability and stringent criminal penalties may be imposed on any person who causesdamage to a computer or computer system. The offender would be liable to pay compensation not exceeding 9
  10. 10. Rs.1 Crore (10 million) for gaining unauthorized access to a computer or computer system, damaging it,introducing a virus in the system, denying access to an authorized person or assisting any person in any of theabove activities.Furthermore, the Act also defines specific penalties for violation of its provisions or of any rules or regulationsmade there under. However, if any person contravenes any rules or regulations framed under the Act for whichno specific penalty is prescribed, he will be liable to pay compensation not exceeding Rs. 25,000.Moreover, any person who intentionally or knowingly tampers with computer source documents would bepenalized with imprisonment up to three years or a fine of up to Rs. 2 lakh or both. In simpler terminology,hacking is made punishable.The Act also disallows the publishing and dissemination of obscene information and material. The introductionof this provision should curtail pornography over the net. Any person who disobeys this provision will bepunishable with imprisonment of two years and a fine of Rs. 25,000 for the first conviction. In the event of asubsequent conviction, the imprisonment is five years and the fine double to Rs. 50,000.The Controller has the power to issue directions for complying with the provisions of the Act. Failure tocomply with his directions is punishable. Moreover, the interference with protected systems or the reluctance toassist a Government Agency to intercept information in order to protect state sovereignty and security is alsomade punishable.The adjudicating court also has the powers to confiscate any computer, computer system, floppies, compactdisks, tape drives or any accessories in relation to which any provisions of the Act are being violated. Nopenalty or confiscation made under this Act will affect the imposition of any other punishment under any otherlaw in force.If penalties that are imposed under the Act are not paid, they will be recovered, as arrears of land revenue andthe licence or DSC shall be suspended till the penalty is paid.Adjudicating OfficersThe Central Government shall appoint an officer not below the rank of Director to the Government of India orequivalent officer of the State Government as an adjudicating officer to adjudicate upon any inquiry inconnection with the contravention of the Act. Such officer must have the legal and judicial experience as maybe prescribed by the Central Government in that behalf. 10
  11. 11. The Adjudicating Officer must give the accused person an opportunity to be heard and after being satisfied thathe has violated the law, penalise him according to the provisions of the Act. While adjudicating, he shall havecertain powers of a Civil Court.Cyber Regulations Appellate Tribunal (CRAT)A Cyber Regulations Appellate Tribunal (CRAT) is to be set up for appeals from the order of any adjudicatingofficer. Every appeal must be filed within a period of forty-five days from the date on which the personaggrieved receives a copy of the order made by the adjudicating officer. The appeal must be the appropriateform and accompanied by the prescribed fee. An appeal may be allowed after the expiry of forty-five days ifsufficient cause is shown.The appeal filed before the Cyber Appellate Tribunal shall be dealt with by it as expeditiously as possible andendeavour shall be made by it to dispose of the appeal finally within six months from the date of receipt of theappeal. The CRAT shall also have certain powers of a civil court.As per Section 61, no court shall have the jurisdiction to entertain any matter that can be decided by theadjudicating officer or the CRAT. However, a provision has been made to appeal from the decision of theCRAT to the High Court within sixty days of the date of communication of the order or decision of the CRAT.The stipulated period may be extended if sufficient cause is shown. The appeal may be made on either anyquestion of law or question of fact arising from the order.Police PowersA police officer not below the rank of deputy superintendent of police has the power to enter any public placeand arrest any person without warrant if he believes that a cyber crime has been or is about to be committed.This provision may not turn to be very effective for the simple reason that most of the cyber crimes arecommitted from private places such as one’s own home or office. Cyber-cafés and public places are rarely usedfor cyber crimes. However, if the Act did give the police department powers to enter people’s houses withoutsearch warrants, it would amount to an invasion of the right to privacy and create pandemonium. Keeping thisin mind, the Legislature has tried to balance this provision so as to serve the ends of justice and at the sametime, avoid any chaos.On being arrested, the accused person must, without any unnecessary delay, be taken or sent to the magistratehaving jurisdiction or to the officer-in-charge of a police station. The provisions of the Code of CriminalProcedure, 1973 shall apply in relation to any entry, search or arrest made by the police officer.Network Service Providers not liable in certain cases 11
  12. 12. To quote Section 78, it states:"For the removal of doubts, it is hereby declared that no person providing any service as a network serviceprovider shall be liable under this Act, rules or regulations made there under for any third party information ordata made available by him if he proves that the offence or contravention was committed without hisknowledge or that he had exercised all due diligence to prevent the commission of such offence orcontravention.""Explanation. For the purposes of this section,(a) Network service provider means an intermediary;(b) Third party information means any information dealt with by a network service provider in his capacity as anintermediary."Thus a plain reading of the section indicates that if the network service provider is unable to prove its innocenceor ignorance, it will be held liable for the crime.Possible Uses of E-Governance-The future of e-governance is very bright. With the help of information technology, the daily matters can beeffectively taken care of irrespective of the field covered by it. For instance, the Delhi Police Headquarter haslaunched a website, which can be used for lodging a First Information Report Similarly; the Patna High Courthas taken a bold step of granting bail on the basis of an online bail application. The educational institutions,including universities, are issuing admission forms electronically, which can be downloaded from theirrespective websites. The results of examinations of various educational institutions, both school level anduniversity level, are available online, which can be obtained without any trouble. These are but some of theinstances of the use of technology for a better e-governance. The beneficial concept of e-governance can beutilized for the following purposes:• To have access to public documents.• For making online payments of various bills and dues.• To file statutory documents online.• To file the complaints, grievances and suggestions of citizens online.• The online facility can be used to enter into a partnership the appropriate government in cases of governmentcontracts.• The citizens can use the online facility to file their income tax returns.• The citizens will enjoy the facility of online services.Digital SignatureDigital Signature means authentication of any electronic record by a subscriber by means of an electronicmethod or procedure. 12
  13. 13. Rapid developments in e-business pose a growing need for online security and authentication. Many emergingtechnologies are being developed to provide online authentication. The major concern in e-business transactionsis the need for the replacement of the hand-written signature with an online’ signature. The traditional e-mailsystem, which has problems of message integrity and non-repudiation, does not fulfil the basic requirements foran online signature. Further, since the Internet communication system is prone to various types of securitybreaches, the discussion of robust and authenticated e-business transactions is incomplete without considerationof ‘security’ as a prominent aspect of ‘online signatures’.One may consider an e-signature as a type of electronic authentication. Such authentication can be achieved bymeans of different types of technologies. A Digital Signature (DS) can be considered as a type of e-signature,which uses a particular kind of technology that is DS technology.DS technology involves encrypting messagesin such a way that only legitimate parties are able to decrypt the message. Two separate but interrelated ‘keys’carry out this process of encryption and decryption.One party in the transactions holds the secret key, or the private key, and the other party holds the public key orthe key with wide access. The selection and use of an encryption technique plays a crucial role in the designand development of keys. In short, a DS satisfies all the functions, such as authenticity, non-repudiation, andsecurity, of a hand-written signature. Such a ‘signature’ can be viewed as a means of authentication and can beowned by an individual. While using this technology, there must be third party involvement orders to handlethe liability issues that may be raised by bilateral transactions. With this existing legal infrastructure and therapid emergence of software security products, it is important to understand the role of emerging technologieslike DS in e-business. One of the major indicators of technological improvements is the market developmentand commercialization of that technology. 13
  14. 14. Introduction to Cyber CrimeThe first recorded cyber crime took place in the year 1820! That is not surprising considering the fact that theabacus, which is thought to be the earliest form of a computer, has been around since 3500 B.C. in India, Japanand China. The era of modern computers, however, began with the analytical engine of Charles Babbage. Cybercrime is an evil having its origin in the growing dependence on computers in modern life. In a day and agewhen everything from microwave ovens and refrigerators to nuclear power plants is being run on computers,cyber crime has assumed rather sinister implications. Major Cyber crimes in the recent past include theCitibank rip off. US $ 10 million were fraudulently transferred out of the bank and into a bank account inSwitzerland. A Russian hacker group led by Vladimir Kevin, a renowned hacker, perpetrated the attack. Thegroup compromised the banks security systems. Vladimir was allegedly using his office computer at AOSaturn, a computer firm in St. Petersburg, Russia, to break into Citi bank computers. He was finally arrested onHeathrow airport on his way to Switzerland.United Nations’ Definition of CybercrimeCybercrime spans not only state but national boundaries as well. Perhaps we should look to internationalorganizations to provide a standard definition of the crime. At the Tenth United Nations Congress on thePrevention of Crime and Treatment of Offenders, in a workshop devoted to the issues of crimes related tocomputer networks, cybercrime was broken into two categories and defined thus:a. Cybercrime in a narrow sense (computer crime): Any illegal behaviour directed by means of electronicoperations that targets the security of computer systems and the data processed by them.b. Cybercrime in a broader sense (computer-related crime): Any illegal behaviour committed by means of, or inrelation to, a computer system or network, including such crimes as illegal possession [and] offering ordistributing information by means of a computer system or network.Of course, these definitions are complicated by the fact that an act may be illegal in one nation but not inanother.There are more concrete examples, includingi. Unauthorized accessii Damage to computer data or programsiii Computer sabotageiv Unauthorized interception of communications 14
  15. 15. v Computer espionageThese definitions, although not completely definitive, do give us a good starting point—one that has someinternational recognition and agreement—for determining just what we mean by the term cybercrime.In Indian law, cyber crime has to be voluntary and wilful, an act or omission that adversely affects a person orproperty. The IT Act provides the backbone for e-commerce and India’s approach has been to look at e-governance and e-commerce primarily from the promotional aspects looking at the vast opportunities and theneed to sensitize the population to the possibilities of the information age. There is the need to take in toconsideration the security aspects.In the present global situation where cyber control mechanisms are important we need to push cyber laws.Cyber Crimes are a new class of crimes to India rapidly expanding due to extensive use of internet. Getting theright lead and making the right interpretation are very important in solving a cyber crime. The 7 stagecontinuum of a criminal case starts from perpetration to registration to reporting, investigation, prosecution,adjudication and execution. The system cannot be stronger than the weakest link in the chain. In India, thereare 30 million policemen to train apart from 12,000 strong Judiciary. Police in India are trying to become cybercrime savvy and hiring people who are trained in the area. Each police station in Delhi will have a computersoon which will be connected to the Head Quarter.. The pace of the investigations however can be faster;judicial sensitivity and knowledge need to improve. Focus needs to be on educating the police and districtjudiciary. IT Institutions can also play a role in this area.Technology nuances are important in a spam infested environment where privacy can be compromised andindividuals can be subjected to become a victim unsuspectingly. We need to sensitize our investigators andjudges to the nuances of the system. Most cyber criminals have a counter part in the real world. If loss ofproperty or persons is caused the criminal is punishable under the IPC also. Since the law enforcement agenciesfind it is easier to handle it under the IPC, IT Act cases are not getting reported and when reported are notnecessarily dealt with under the IT Act. A lengthy and intensive process of learning is required.A whole series of initiatives of cyber forensics were undertaken and cyber law procedures resulted out of it.This is an area where learning takes place every day as we are all beginners in this area. We are looking forsolutions faster than the problems can get invented. We need to move faster than the criminals. The real issue ishow to prevent cyber crime. For this, there is need to raise the probability of apprehension and conviction. Indiahas a law on evidence that considers admissibility, authenticity, accuracy, and completeness to convince thejudiciary. The challenge in cyber crime cases includes getting evidence that will stand scrutiny in a foreigncourt. 15
  16. 16. For this India needs total international cooperation with specialised agencies of different countries. Police has toensure that they have seized exactly what was there at the scene of crime, is the same that has been analysedand the report presented in court is based on this evidence. It has to maintain the chain of custody. The threat isnot from the intelligence of criminals but from our ignorance and the will to fight it. The law is stricter now onproducing evidence especially where electronic documents are concerned.The computer is the target and the tool for the perpetration of crime. It is used for the communication of thecriminal activity such as the injection of a virus/worm which can crash entire networks.The Information Technology (IT) Act, 2000, specifies the acts which have been made punishable. Since theprimary objective of this Act is to create an enabling environment for commercial use of I.T., certain omissionsand commissions of criminals while using computers have not been included. With the legal recognition ofElectronic Records and the amendments made in the several sections of the IPC vide the IT Act, 2000, severaloffences having bearing on cyber-arena are also registered under the appropriate sections of the IPC.Cybercrime is not on the decline. The latest statistics show that cybercrime is actually on the rise. However, it istrue that in India, cybercrime is not reported too much about. Consequently there is a false sense ofcomplacency that cybercrime does not exist and that society is safe from cybercrime. This is not the correctpicture. The fact is that people in our country do not report cybercrimes for many reasons. Many do not want toface harassment by the police. There is also the fear of bad publicity in the media, which could hurt theirReputation and standing in society. Also, it becomes extremely difficult to convince the police to register anycybercrime, because of lack of orientation and awareness about cybercrimes and their registration and handlingby the police.A recent survey indicates that for every 800 cybercrime incidents that take place, only 50 are reported to thepolice and out of that only one is actually registered. These figures indicate how difficult it is to convince thepolice to register a cybercrime. The establishment of cybercrime cells in different parts of the country wasexpected to boost cybercrime reporting and prosecution. However, these cells haven’t quite kept up withexpectations. Netizens should not be under the impression that cybercrime is vanishing and they must realizethat with each passing day, cyberspace becomes a more dangerous place to be in, where criminals roam freelyto execute their criminals intentions encouraged by the so called anonymity that internet provides.The absolutely poor rate of cyber crime conviction in the country has also not helped the cause of regulatingcybercrime. There have only been few cybercrime convictions in the whole country, which can be counted onfingers. We need to ensure that we have specialized procedures for prosecution of cybercrime cases so as to 16
  17. 17. tackle them on a priority basis. This is necessary so as to win the faith of the people in the ability of the systemto tackle cybercrime. We must ensure that our system provides for stringent punishment of cybercrimes andcyber criminals so that the same acts as a deterrent for others.What is a Computer Crime?a. Criminals Can Operate Anonymously Over the Computer Networks.1. Be careful about talking to "strangers" on a computer network. Who are these people anyway? Rememberthat people online may not be who they seem at first. Never respond to messages or bulletin board items thatare: Suggestive of something improper or indecent; Obscene, filthy, or offensive to accepted standards ofdecency; Belligerent, hostile, combative, very aggressive; and Threaten to do harm or danger towards you oranother2. Tell a grown-up right away if you come across any information that makes you feel uncomfortable.3. Do not give out any sensitive or personal information about you or your family in an Internet "chat room."Be sure that you are dealing with someone you and your parents know and trust before giving out any personalinformation about yourself via e-mail.4. Never arrange a face-to-face meeting without telling your parents or guardians. If your parent or guardianagrees to the meeting, you should meet in a public place and have a parent or guardian go with you.b. Hackers Invade Privacy1. Define a hacker –A hacker is someone who breaks into computers sometimes to read private e-mails and other files.2. What is your privacy worth? What information about you or your parents do you think should be consideredprivate?For example, medical information, a diary, your grades, how much money your parents owe, how much moneyyour family has in as savings account or in a home safe, and your letters to a friend. Would this kind of invasionof your privacy be any different than someone breaking into your school locker or your house to get thisinformation about you and your family?c. Hackers Destroy "Property" in the Form of Computer Files or Records1. Hackers delete or alter files2. When you write something, like a term paper or report, how important is it to be able to find it again? Would this be different if someone broke into your locker and stole your term paper?3. How important is it that data in computers like your term paper, a letter, your bank records, and medical records, not be altered? How important is it for a drug company or a pharmacy to not have its computer files altered or deleted by hackers? What would happen if a hacker altered the chemical formulas for prescription drugs, or theflight patterns and other data in air traffic control computers? What does the term 17
  18. 18. "tamper" mean? To interfere in a harmful way or to alter improperly. Is tampering with computer files different from tampering that occurs on paper files or records?d. Hackers Injure Other Computer Users by Destroying Information Systems 1. Hackers cause victims to spend time and money checking and re-securing systems after break-in. They also cause them to interrupt service. They think its fine to break-in and snoop in other peoples files as long as they dont alter anything. They think that no harm has been done. 2. Hackers steal telephone and computer time and share unauthorized access codes and passwords. Much of the stealing is very low-tech."Social engineering" is a term used among crackers for cracking techniques that rely on weaknesses in human beings rather than on software. "Dumpster diving" is the practice of sifting refuse from an office or technical installation to extract confidential data, especially security compromising information. Who do you think pays for this? How much stealing of computer time do you thinks there is? For example, there is $2 billion annually in telephone toll fraud alone. Would you want someone going through your garbage? Have you ever thrown away private papers or personal notes. 3. Hackers crash systems that cause them to malfunction and not work. How do we use computer information systems in our daily lives? What could happen if computers suddenly stopped working? For example, would public health and safety be disrupted and lives are endangered if computers went down?e. Computer "Pirates" Steal Intellectual Property 1. Intellectual property is the physical expression of ideas contained in books, music, plays, movies, and computer software. Computer pirates steal valuable property when they copy software, usic, graphics/pictures, movies, books (all available on the Internet). 2. How is the person who produced or developed these forms of entertainment harmed? Is this different from stealing a product (computer hardware) which someone has invented and manufactured? Who pays for this theft? 3. It may seem simple and safe to copy recordings, movies and computer programs by installing a peer-to- peer (P2P) file sharing software program. However, most material that you may want to copy is protected by copyright which means that you are restricted from making copies unless you have permission to do so. Making copies of intellectual property including music, movies and software--without the right to do so is illegal. P2P software and the files traded on the P2Pnetworks may also harm your computer by installing 18
  19. 19. viruses or spyware, or allow others to access the files contained on your hard drive beyond those you intend to share. 4. Copyright violations have civil and criminal remedies. a. Civil remedy: copyright holder can sue infringer for money to cover loss of sales or other loss caused by infringement. b.Criminal remedy: jail or fine paid to the government (not copyright holder) where person infringes a copyright for commercial advantage or private gain. For example, a person who makes multiple copies of a video, and sell the copies.Defining Cyber CrimeDefining cyber crimes, as "acts that are punishable by the Information Technology Act" would be unsuitable as theIndian Penal Code also covers many cyber crimes, such as email spoofing and cyber defamation, sendingthreatening emails etc. A simple yet sturdy definition of cyber crime would be "unlawful acts wherein the computeris either a tool or a target or both".Financial crimesThis would include cheating, credit card frauds, money laundering etc.To cite a recent case, a website offered to sellAlphonso mangoes at a throwaway price. Distrusting such a transaction, very few people responded to or suppliedthe website with their credit card numbers. These people were actually sent the Alphonso mangoes. The word aboutthis website now spread like wildfire. Thousands of people from all over the country responded and orderedmangoes by providing their credit card numbers. The owner’s of what was later proven to be a bogus website thenfled taking the numerous credit card numbers and proceeded to spend huge amounts of money much to the chagrinof the card owners.Cyber pornographyThis would include pornographic websites; pornographic magazines produced using computers (to publish and printthe material) and the Internet (to download and transmit pornographic pictures, photos, writings etc). Recent Indianincidents revolving around cyber pornography include the Air Force Balbharati School case. A student of the AirForce Balbharati School, Delhi, was teased by all his classmates for having a pockmarked face. Tired of the crueljokes, he decided to get back at his tormentors. He scanned photographs of his classmates and teachers, morphedthem with nude photographs and put them up on a website that he uploaded on to a free web hosting service. It wasonly after the father of one of the class girls featured on the website objected and lodged a complaint with the policethat any action was taken. 19
  20. 20. In another incident, in Mumbai a Swiss couple would gather slum children and then would force them to appear forobscene photographs. They would then upload these photographs to websites specially designed for paedophiles.The Mumbai police arrested the couple for pornography.Sale of illegal articlesThis would include sale of narcotics, weapons and wildlife etc., by posting information on websites, auctionwebsites, and bulletin boards or 167simply by using email communication. E.g. many of the auction sites even inIndia are believed to be selling cocaine in the name of honey.PhishingIn computing, phishing (also known as carding and spoofing) is a form of social engineering, characterized byattempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading asa trustworthy person or business in an apparently official electronic communication, such as an email or an instantmessage. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users financialinformation and passwords.Online gamblingThere are millions of websites; all hosted on servers abroad, that offer online gambling. In fact, it is believed thatmany of these websites are actually fronts for money laundering.Intellectual Property crimesThese include software piracy, copyright infringement, trademarks violations, theft of computer source code etc.Email spoofingA spoofed email is one that appears to originate from one source but actually has been sent from another source. E.g.Pooja has an e-mail addresspooja@asianlaws.org. Her enemy, Sameer spoofs her e-mail and sends obscenemessages to all her acquaintances. Since the e-mails appear to have originated from Pooja, her friends could takeoffence and relationships could be spoiled for life. Email spoofing can also cause monetary damage. Inan Americancase, a teenager made millions of dollars by spreading false information about certain companies whose shares hehad short sold. This misinformation was spread by sending spoofed emails, purportedly from news agencies likeReuters, to share brokers and investors who were informed that the companies were doing very badly. Even after thetruth came out the values of the shares did not go back to the earlier levels and thousands of investors lost a lot ofmoney.ForgeryCounterfeit currency notes, postage and revenue stamps, mark sheet set can be forged using sophisticated computers,printers and scanners. Outside many colleges across India, one finds touts soliciting the sale of fake mark sheets oreven certificates. These are made using computers, and high quality scanners and printers. In fact, this has becoming 20
  21. 21. a booming business involving thousands of Rupees being given to student gangs in exchange for these bogus butauthentic looking certificates.Cyber DefamationThis occurs when defamation takes place with the help of computers and or the Internet. E.g. someone publishesdefamatory matter about someone on a website or sends e-mails containing defamatory information to all of thatpersons friends.Cyber stalkingThe Oxford dictionary defines stalking as "pursuing stealthily". Cyber talking involves following a personsmovements across the Internet by posting messages (sometimes threatening) on the bulletin boards frequented by thevictim, entering the chat-rooms frequented by the victim, constantly bombarding the victim with emails etc.Frequently Used Cyber Crimes Unauthorized access to computer systems or networksThis activity is commonly referred to as hacking. The Indian law hash owever given a different connotation to theterm hacking, so we will not usethe term "unauthorized access" interchangeably with the term "hacking”. Theft ofinformation contained in electronic form this includes information stored in computer hard disks, removable storagemedia etcEmail bombingEmail bombing refers to sending a large number of emails to the victim resulting in the victims email account (incase of an individual) or mail servers (in case of a company or an email service provider) crashing.Some of the major email related crimes are:1. Email spoofing2. Sending malicious codes through email3. Email bombing4. Sending threatening emails5. Defamatory emails6. Email fraudsData diddlingThis kind of an attack involves altering raw data just before it is processed by a computer and then changing it backafter the processing is completed. Electricity Boards in India have been victims to data diddling programs insertedwhen private parties were computerizing their systems.Salami attacks 21
  22. 22. These attacks are used for the commission of financial crimes. The key here is to make the alteration so insignificantthat in a single case it would go completely unnoticed.Denial of Service attackThis involves flooding a computer resource with more requests than it can handle. This causes the resource (e.g. aweb server) to crash thereby denying authorized users the service offered by the resource. Another variation to atypical denial of service attack is known as a Distributed Denial of Service (DDoS) attack wherein the perpetratorsare many and are geographically widespread. It is very difficult to control such attacks. The attack is initiated bysending excessive demands to the victims computer(s), exceeding the limit that the victims servers can support andmaking the server’s crash.Virus / worm attacksViruses are programs that attach themselves to a computer or a file and then circulate themselves to other files and toother computers on a net work. They usually affect the data on a computer, either by altering or deleting it. Worms,unlike viruses do not need the host to attach themselves to. They merely make functional copies of themselves anddo this repeatedly till they eat up all the available space on a computers memoryLogic bombsThese are event dependent programs. This implies that these programs are created to do something only when acertain event (known as a trigger event) occurs. E.g. even some viruses may be termed logic bombs because they liedormant all through the year and become active only on a particular dateTrojan attacksA Trojan as this program is aptly called is an unauthorized program which functions from inside what seems to bean authorized program, thereby concealing what it is actually doing.Internet time theftsThis connotes the usage by an unauthorized person of the Internet hours paid for by another person. In a casereported before the enactment of the Information Technology Act, 2000 Colonel Bajwa, a resident of New Delhi,asked a nearby net cafe owner to come and set up his Internet connection. For this purpose, the net cafe ownerneeded to know his username and password. After having set up the connection he went away with knowing thepresent username and password. He then sold this information to another net cafe. One week later Colonel Bajwafound that his Internet hours were almost over. Out of the 100 hours that he had bought, 94 hours had been used upwithin the span of that week. Surprised, he reported the incident to the Delhi police. The police could not believethat time could be stolen. They were not aware of the concept of time-theft at all. Colonel Bajwas report wasrejected. He decided to approach The Times of India, New Delhi. They, in turn carried are port about the inadequacyof the New Delhi Police in handling cybercrimes. The Commissioner of Police, Delhi then took the case into hisown hands and the police under his directions raided and arrested the net cafe owner under the charge of theft as 22
  23. 23. defined by the Indian Penal Code. The net cafe owner spent several weeks locked up in Tihar jail before beinggranted bailWeb jackingThis occurs when someone forcefully takes control of a website (by cracking the password and later changing it).The actual owner of the website does not have any more control over what appears on that website in a recentincident reported in the USA the owner of a hobby website for children received an e-mail informing her that agroup of hackers had gained control over her website.Theft of computer system This type of offence involves the theft of a computer, some parts of a computer or aperipheral attached to the computer. Physically damaging a computer system. This crime is committed by physicallydamaging a Computer or its peripherals. Cyber CriminalsKids (age group 9-16 etc.)It seems really difficult to believe but it is true. Most amateur hackers and cyber criminals are teenagers. To them,who have just begun to understand what appears to be a lot about computers, it is a matter of pride to have hackedinto a computer system or a website. There is also that little issue of appearing really smart among friends. Theseyoung rebels may also commit cyber crimes without really knowing that they are doing anything wrong.Organized hacktivistsHacktivists are hackers with a particular (mostly political) motive. In other cases this reason can be social activism,religious activism, etc. The attacks on approximately 200 prominent Indian websites by a group of hackers known asPakistani Cyber Warriors are a good example of political hacktivists at work.Disgruntled employeesOne can hardly believe how spiteful displeased employees can become. Till now they had the option of going onstrike against their bosses. Now, with the increase independence on computers and the automation of processes, it iseasier for disgruntled employees to do more harm to their employers by committing computer related crimes, whichcan bring entire systems down.Professional hackers (corporate espionage)Extensive computerization has resulted in business organizations storing all their information in electronic form.Rival organizations employ hackers to steal industrial secrets and other information that could be beneficial to them.The temptation to use professional hackers for industrial espionage also stems from the fact that physical presencerequired to gain access to important documents is rendered needless if hacking can retrieve those.Denial of Service ToolsDenial-of-service (or DoS) attacks are usually launched to make a particular service unavailable to someone who isauthorized to use it. These attacks may be launched using one single computer or many computers across the world. 23
  24. 24. In the latter scenario, the attack is known as a distributed denial of service attack. Usually these attacks do notnecessitate the need to get access into anyones system.These attacks have been getting decidedly more popular as more and more people realize the amount and magnitudeof loss, which can be caused through them.What are the reasons that a hacker may want to resort to a DoS attack? He may have installed a Trojan in thevictims computer but needed to have the computer restarted to activate the Trojan. The other good reason also maybe that a business may want to harm a competitor by crashing his systems.Denial-of-service attacks have had an impressive history having, in the past, blocked out websites like Amazon,CNN, Yahoo and eBay. The attack is initiated by sending excessive demands to the victims computers, exceedingthe limit that the victims servers can support and making the server’s crash. Sometimes, many computers areentrenched in this process by installing a Trojan on them; taking control of them and then making them sendnumerous demands to the targeted computer. On the other side, the victim of such an attack may see many suchdemands (sometimes even numbering tens of thousands) coming from computers from around the world.Unfortunately, to be able to gain control over a malicious denial-of-service attack would require tracing all thecomputers involved in the attack and then informing the owners of those systems about the attack. The compromisedsystem would need to be shut down or then cleaned. This process, which sounds fairly simple, may prove verydifficult to achieve across national and later organizational borders.Even when the source(s) of the attack are traced there are many problems, which the victim may be faced with. Hewill need to inform all the involved organizations in control of the attacking computers and ask them to either cleanthe systems or shut them down. Across international boundaries this may prove to be a titanic task. The staff of theorganization may not understand the language. They may not be present if the attack were to be launched during thenight or during weekends.The computers that may have to be shut down may be vital for their processes and the staff may not have theauthority to shut them down. The staff may not understand the attack, system administration, network topology, orany number of things that may delay or halt shutting down the attacking computers. Or, more simply, theorganization may not have the desire to help.If there are hundreds or even thousands of computers on the attack, with problems like the ones mentioned above,the victim may not be able to stop the attack for days by which time the damage would have been done. His serverswould be completely incapacitated to administer to so many demands and consequently would crash. It is verysimple for anyone to launch an attack because denial-of-service tools can easily be procured from the Net. Themajor versions of distributed denial of service attack tools are Trinoo (or trin00), TFN, TFN2Kand Stacheldraht.Denial-of-Service tools allow the attackers to automate and preset the times and frequencies of such attacks so that 24
  25. 25. the attack is launched and then stopped to be launched once again later. This makes it very difficult, in fact almostimpossible, to trace the source of the attack.These tools also provide another service by which the attacking computer can change its source address randomlythereby making it seem as if the attack is originating from many thousands of computers while in reality there maybe only a few. Distributed denial-of-service attacks are a very perturbing problem for law enforcement agenciesmainly because they are very difficult to trace. In addition, usually these attacks are directed towards very sensitivesystems or networks sometimes even those that are vital to national security. Sometimes, even when the perpetratorscan be traced, international extradition laws may prove to be a hitch in bringing them under the authority of the law.As seen above that how the cyber crime have been escalating in the India and the damage it can do to a company,hence to protect the importance of privacy of a company the government of India realized the significance to createa governance to regulate and keep a tab on the activity of cyber crime. The main aim to create the InformationTechnology Act 2000 was to safeguard a business organization from cyber crime 25
  26. 26. Facts and FiguresIn 2006, this number more than doubled to 200 incidents. Not onlywere attacks being launched in India but 2006 saw the maximum phishingattacks being launched from India on other countries as well. Security expert, Surinder Singh says, As perWeb-sense Security Lab, we find that at any given point in time in 2006, there were 2 to 300 websitesbeing hosted. There was a spurt in October where we identified 790 websiteswhich were hosted in India and being used to carry out attacks.”The United States remains at the top with 28.78% of all phishing siteslocated out of the United States and 11.96% out of China. Korea, Germany,Australia, Canada, Japan, United Kingdom, Italy and India are the othercountries where phishing attacks are prevalent. As of now, 2.11% of thephishing sites are located in India.Singh says, India on the threshold of having more and more people getting into online banking or taking onlinepersonal loans. So, it wont be a surprise if someday someone tells me that out of the total size of fraudshappening - India would be at 1% or 2% - but even that would be Rs 200 crore.”420 cases were registered under IT Act during the year 2009 as compared to 288 cases during the previous year(2008) thereby reporting an increase of 45.8% in 2009 over 2008. 23.1% cases (97 out of 420 cases) werereported from Karnataka followed by Kerala (64), Maharashtra (53), Andhra Pradesh (30) and Punjab (28).33.1% (139 cases) of the total 420 cases registered under IT Act 2000 were related to obscenepublication/transmission in electronic form, normally known as cyber pornography. 141 persons were 26
  27. 27. arrested for committing such offences during 2009. There were 233 cases of Hacking withComputer Systems during the year wherein 107 persons were arrested. Out of the total (233) Hacking cases, the cases relating to Loss / Damage of computer resource/utility underSec 66(1) of the IT Act were 49.4% (115 cases) whereas the cases related to Hacking under Section 66(2) of ITAct were 50.6% (118 cases). Maharashtra (25),Andhra Pradesh (21) and Kerala (15) registered maximum casesunder Sec 66(1) of the IT Act out of total 115 such cases at the National level. Out of the total 118 casesrelating to Hacking under Sec. 66(2), most of the cases (91 cases) were reported from Karnataka followed byTamil Nadu (8) and Madhya Pradesh (6). 27.1% of the 288 persons arrested in cases relating to IT Act,2000were from Maharashtra (78) followed by Kerala (47). The age-wise profile of persons arrested in Cyber Crimecases under IT Act, 2000 showed that 64.6% of the offenders were in the age group 18 – 30 years (186 out of288) and 28.8% of the offenders were in the age group 30 - 45 years (83 out of 288). Maharashtra (6) andKerala (4) reported offenders whose age was below 18 years.Crime head-wise and age- group wise profile of the offenders arrested under IT Act, 2000 reveals that 49.0%(141 out of 288) of the offenders arrested were under ‘Obscene publication/ transmission in electronic form’ ofwhich 68.1% (96 out of 141) were in the age-group 18 –30 years. 57.9% (62 out of 107) of the total personsarrested for Hacking with Computer Systems were in the age-group of 18 - 30 years.Cyber Crimes – Cases of Various Categories under IPC SectionA total of 276 cases were registeredunder IPC Sections during the year 2009 as compared to 176 suchcases during 2008 thereby reporting an increase of 56.8%.Maharashtrareported maximum number of such cases(108 out of 276 cases or 39.1%) followed by Chhattisgarh 16.7% (46 cases) and Punjab 10.1% (28 cases).Majority of the crimes out of total 276 cases registered under IPC fall under 2 categories viz. Forgery (158) andCriminal Breach of Trust or Fraud (90). Although such offences fall under the traditional IPC crimes, these caseshad the cyber overtones wherein computer, Internet or its enabled services were present in the crime and hencethey were categorised as Cyber Crimes under IPC. The Cyber Forgery (158 cases) accounted for 0.21% out ofthe 72,718 cases reported under Cheating. The Cyber Frauds (90) accounted for 0.55% of the total CriminalBreach of Trust cases under IPC (16,326). The Crime head and State / UT-wise analysis of Cyber Crimes under IPC are presented in Table 18.7. TheCyber Forgery cases were the highest in Maharashtra (67) followed by Chhattisgarh (32) and Gujarat (13). Thecases of Cyber Fraud were highest in Maharashtra (30) followed by Punjab (19) and Gujarat & Tamil Nadu (11each). A total of 263 persons were arrested in the country for Cyber Crimes under IPC during 2009. 61.2%offenders (161) of these were taken into custody for offences under Cyber Forgery’, 30.0% (79) for Criminal 27
  28. 28. Breach of Trust/Fraud and 8.7% (23) for Counterfeiting.The States such as Maharashtra (89), Punjab (48), and Chhattisgarh (44) have reported higher arrests for CyberCrimes registered under IPC. The age group-wise profile of the arrested persons under this category showedthat 45.2% (119 out of 263) were in the age-group of 30 - 45 years and41.8% (110 out of 263) of the offenderswere in the age-group of 18-30 years. No offenders were below 18 years of age.Crime head-wise and age wise profile of the offenders arrested under Cyber Crimes (IPC) (Table18.5) for theyear 2009 reveals that offenders involved in Forgery cases were more in the age-group of 18 -30 (47.2%) (76out of 161). 49.4% of the persons arrested under Criminal Breach of Trust / Cyber Fraud offences were in theage group 30-45 years (39 out of 79).Incidence of Cyber Crimes in Cities14 out of 35 mega cities did not report any case of Cyber Crime i.e., neither under the IT Act nor under IPCSections during the year 2009.20 mega cities have reported178 cases under IT Act and 14 megacities reported168 cases under various section of IPC. There was anIncrease of 23.6% (from 144 cases in2008 to 168 cases in 2009) in cases under IT Act as compared to previousyear (2008), and an increase of300.0% (from 42 cases in 2008 to 168 cases in 2009) of cases registered undervarious sections of IPC .Bengaluru (97), Ahmadabad(10), Bhopal, Coimbatore and Kochi(6 each) and DelhiCity, Indore, Ludhiana and Pune (5 each) have reported high incidence of cases (145 out of 178 cases)registered under IT Act, accounting for more than half of the cases (81.5%) reported under the IT Act. Nasikhas reported the highest incidence (68 out of 168 cases) of cases reported under IPC sections accounting for40.5% followed by Mumbai (35 or 20.8%). 28
  29. 29. 29
  30. 30. Indian Case Studies1. Pune Citibank Mphasis Call Center FraudUS $ 3, 50,000 from accounts of four US customers were dishonestly transferred to bogus accounts. This willgive a lot of ammunition to those lobbying against outsourcing in US. Such cases happen all over the world butwhen it happens in India it are a serious matter and we cannot ignore it. It is a case of sourcing engineering.Some employees gained the confidence of the customer and obtained their PIN numbers to commit fraud. Theygot these under the guise of helping the customers out of difficult situations. Highest security prevails in the callcentres in India as they know that they will lose their business. There was not as much of breach of security butof sourcing engineering. 30
  31. 31. The call canter employees are checked when they go in and out so they cannot copy down numbers andtherefore they could not have noted these down. They must have remembered these numbers, gone outimmediately to a cyber café and accessed the Citibank accounts of the customers.All accounts were opened in Pune and the customers complained that the money from their accounts wastransferred to Pune accounts and that’s how the criminals were traced. Police has been able to prove the honestyof the call centre and has frozen the accounts where the money was transferred.There is need for a strict background check of the call center executives. However, best of background checkscan not eliminate the bad elements from coming in and breaching security. We must still ensure such checkswhen a person is hired. There is need for a national ID and a national data base where a name can be referredto. In this case preliminary investigations do not reveal that the criminals had any crime history. Customereducation is very important so customers do not get taken for a ride. Most banks are guilt of not doing this.2. Bazee.com caseCEO of Bazee.com was arrested in December 2004 because a CD with objectionable material was being soldon the website. The CD was also being sold in the markets in Delhi. The Mumbai city police and the DelhiPolice got into action. The CEO was later released on bail. This opened up the question as to what kind ofdistinction do we draw between Internet Service Provider and Content Provider. The burden rests on theaccused that he was the Service Provider and not the Content Provider. It also raises a lot of issues regardinghow the police should handle the cyber crime cases and a lot of education is required.3. State of Tamil Nadu Vs Suhas KattiThe Case of Suhas Katti is notable for the fact that the conviction was achieved successfully within a relativelyquick time of 7 months from the filing of the FIR. Considering that similar cases have been pending in otherstates for a much longer time, the efficient handling of the case which happened to be the first case of theChennai Cyber Crime Cell going to trial deserves a special mention.The case related to posting of obscene, defamatory and annoying message about a divorcee woman in theyahoo message group. E-Mails were also forwarded to the victim for information by the accused through a falsee-mail account opened by him in the name of the victim. The posting of the message resulted in annoyingphone calls to the lady in the belief that she was soliciting.Based on a complaint made by the victim in February 2004, the Police traced the accused to Mumbai andarrested him within the next few days. The accused was a known family friend of the victim and was reportedlyinterested in marrying her. She however married another person. This marriage later ended in divorce and the 31
  32. 32. accused started contacting her once again. On her reluctance to marry him, the accused took up the harassmentthrough the Internet.On 24-3-2004 Charge Sheet was filed u/s 67 of IT Act 2000, 469 and 509 IPC before The Hon’ble Addl. CMMEgmore by citing 18 witnesses and 34 documents and material objects. The same was taken on file inC.C.NO.4680/2004. On the prosecution side 12 witnesses were examined and entire documents were marked asExhibits.The Defence argued that the offending mails would have been given either by ex-husband of the complainant orthe complainant herself to implicate the accused as accused alleged to have turned down the request of thecomplainant to marry her.Further the Defence counsel argued that some of the documentary evidence was not sustainable under Section65 B of the Indian Evidence Act. However, the court relied upon the expert witnesses and other evidenceproduced before it, including the witnesses of the Cyber Cafe owners and came to the conclusion that the crimewas conclusively proved.Ld. Additional Chief Metropolitan Magistrate, Egmore, delivered the judgement on 5-11-04 as follows:“ The accused is found guilty of offences under section 469, 509 IPC and 67 of IT Act 2000 and the accused isconvicted and is sentenced for the offence to undergo RI for 2 years under 469 IPC and to pay fine of Rs.500/-and for the offence u/s 509 IPC sentenced to undergo 1 year Simple imprisonment and to pay fine of Rs.500/-and for the offence u/s 67 of IT Act 2000 to undergo RI for 2 years and to pay fine of Rs.4000/- All sentencesto run concurrently.”The accused paid fine amount and he was lodged at Central Prison, Chennai. This is considered as the first caseconvicted under section 67 of Information Technology Act 2000 in India.4. The Bank NSP CaseThe Bank NSP case is the one where a management trainee of the bank was engaged to be married. The coupleexchanged many emails using the company computers. After some time the two broke up and the girl createdfraudulent email ids such as “Indian bar associations” and sent emails to the boy’s foreign clients. She used thebanks computer to do this. The boy’s company lost a large number of clients and took the bank to court. Thebank was held liable for the emails sent using the bank’s system.5. SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra 32
  33. 33. In Indias first case of cyber defamation, a Court of Delhi assumed jurisdiction over a matter where acorporate’s reputation was being defamed through emails and passed an important ex-parte injunction.In this case, the defendant Jogesh Kwatra being an employ of the plaintiff company started sending derogatory,defamatory, obscene, vulgar, filthy and abusive emails to his employers as also to different subsidiaries of thesaid company all over the world with the aim to defame the company and its Managing Director Mr. R KMalhotra. The plaintiff filed a suit for permanent injunction restraining the defendant from doing his illegal actsof sending derogatory emails to the plaintiff.On behalf of the plaintiffs it was contended that the emails sent by the defendant were distinctly obscene,vulgar, abusive, intimidating, humiliating and defamatory in nature. Counsel further argued that the aim ofsending the said emails was to malign the high reputation of the plaintiffs all over India and the world. Hefurther contended that the acts of the defendant in sending the emails had resulted in invasion of legal rights ofthe plaintiffs. Further the defendant is under a duty not to send the aforesaid emails. It is pertinent to notethat after the plaintiff company discovered the said employ could be indulging in the matterof sending abusive emails, the plaintiff terminated the services of the defendant.After hearing detailed arguments of Counsel for Plaintiff, Honble Judge of the Delhi High Court passed an ex-parte ad interim injunction observing that a prima facie case had been made out by the plaintiff. Consequently,the Delhi High Court restrained the defendant from sending derogatory, defamatory, obscene, vulgar,humiliating and abusive emails either to the plaintiffs or to its sister subsidiaries all over the world includingtheir Managing Directors and their Sales and Marketing departments. Further, Honble Judge also restrainedthe defendant from publishing, transmitting or causing to be published any information in the actual world asalso in cyberspace which is derogatory or defamatory or abusive of the plaintiffs.This order of Delhi High Court assumes tremendous significance as this is for the first time that an Indian Courtassumes jurisdiction in a matter concerning cyber defamation and grants an ex-parte injunction restraining thedefendant from defaming the plaintiffs by sending derogatory, defamatory, abusive and obscene emails either tothe plaintiffs or their subsidiaries.6. PARLIAMENT ATTACK CASEBureau of Police Research and Development at Hyderabad had handled some of the top cyber cases, includinganalysing and retrieving information from the laptop recovered from terrorist, who attacked Parliament. Thelaptop which was seized from the two terrorists, who were gunned down when Parliament was under siege onDecember 13 2001, was sent to Computer Forensics Division of BPRD after computer experts at Delhi failed totrace much out of its contents. 33
  34. 34. The laptop contained several evidences that confirmed of the two terrorists’ motives, namely the sticker of theMinistry of Home that they had made on the laptop and pasted on their ambassador car to gain entry intoParliament House and the fake ID card that one of the two terrorists was carrying with a Government of Indiaemblem and seal.The emblems (of the three lions) were carefully scanned and the seal was also craftly made along withresidential address of Jammu and Kashmir. But careful detection proved that it was all forged and made on thelaptop.7. Andhra Pradesh Tax CaseDubious tactics of a prominent businessman from Andhra Pradesh was exposed after officials of the departmentgot hold of computers used by the accused person.The owner of a plastics firm was arrested and Rs 22 crore cash was recovered from his house by sleuths of theVigilance Department. They sought an explanation from him regarding the unaccounted cash within 10 days.The accused person submitted 6,000 vouchers to prove the legitimacy of trade and thought his offence wouldgo undetected but after careful scrutiny of vouchers and contents of his computers it revealed that all of themwere made after the raids were conducted.It later revealed that the accused was running five businesses under the guise of one company and used fake andcomputerised vouchers to show sales records and save tax.8. SONY.SAMBANDH.COM CASEIndia saw its first cybercrime conviction recently. It all began after a complaint was filed by Sony India PrivateLtd, which runs a website called www.sony-sambandh.com, targeting Non Resident Indians. The websiteenables NRIs to send Sony products to their friends and relatives in India after they pay for it online.The company undertakes to deliver the products to the concerned recipients. In May 2002, someone loggedonto the website under the identity of Barbara Campa and ordered a Sony Colour Television set and a cordlesshead phone. 34
  35. 35. She gave her credit card number for payment and requested that the products be delivered to Arif Azim inNoida. The payment was duly cleared by the credit card agency and the transaction processed. After followingthe relevant procedures of due diligence and checking, the company delivered the items to Arif Azim.At the time of delivery, the company took digital photographs showing the delivery being accepted by ArifAzim.The transaction closed at that, but after one and a half months the credit card agency informed the company thatthis was an unauthorized transaction as the real owner had denied having made the purchase.The company lodged a complaint for online cheating at the Central Bureau of Investigation which registered acase under Section 418, 419 and 420 of the Indian Penal Code.The matter was investigated into and Arif Azim was arrested. Investigations revealed that Arif Azim, whileworking at a call centre in Noida gained access to the credit card number of an American national which hemisused on the company’s site.The CBI recovered the colour television and the cordless head phone.In this matter, the CBI had evidence to prove their case and so the accused admitted his guilt. The courtconvicted Arif Azim under Section 418, 419 and 420 of the Indian Penal Code — this being the first time that acybercrime has been convicted.The court, however, felt that as the accused was a young boy of 24 years and a first-time convict, a lenient viewneeded to be taken. The court therefore released the accused on probation for one year.The judgment is of immense significance for the entire nation. Besides being the first conviction in acybercrime matter, it has shown that the the Indian Penal Code can be effectively applied to certain categoriesof cyber crimes which are not covered under the Information Technology Act 2000. Secondly, a judgment ofthis sort sends out a clear message to all that the law cannot be taken for a ride.9. Nasscom vs. Ajay Sood & OthersIn a landmark judgment in the case of National Association of Software and Service Companies vs Ajay Sood& Others, delivered in March, ‘05, the Delhi High Court declared `phishing’ on the internet to be an illegal act,entailing an injunction and recovery of damages. 35
  36. 36. Elaborating on the concept of ‘phishing’, in order to lay down a precedent in India, the court stated that it is aform of internet fraud where a person pretends to be a legitimate association, such as a bank or an insurancecompany in order to extract personal data from a customer such as access codes, passwords, etc. Personal dataso collected by misrepresenting the identity of the legitimate party is commonly used for the collecting party’sadvantage. court also stated, by way of an example, that typical phishing scams involve persons who pretend torepresent online banks and siphon cash from e-banking accounts after conning consumers into handing overconfidential banking details.The Delhi HC stated that even though there is no specific legislation in India to penalise phishing, it heldphishing to be an illegal act by defining it under Indian law as “a misrepresentation made in the course of tradeleading to confusion as to the source and origin of the e-mail causing immense harm not only to the consumerbut even to the person whose name, identity or password is misused.” The court held the act of phishing aspassing off and tarnishing the plaintiff’s image.The plaintiff in this case was the National Association of Software and Service Companies (Nasscom), India’spremier software association.The defendants were operating a placement agency involved in head-hunting and recruitment. In order to obtainpersonal data, which they could use for purposes of headhunting, the defendants composed and sent e-mails tothird parties in the name of Nasscom. The high court recognised the trademark rights of the plaintiff and passedan ex-parte adinterim injunction restraining the defendants from using the trade name or any other namedeceptively similar to Nasscom. The court further restrained the defendants from holding themselves out asbeing associates or a part of Nasscom.The court appointed a commission to conduct a search at the defendants’ premises. Two hard disks of thecomputers from which the fraudulent e-mails were sent by the defendants to various parties were taken intocustody by the local commissioner appointed by the court. The offending e-mails were then downloaded fromthe hard disks and presented as evidence in court.During the progress of the case, it became clear that the defendants in whose names the offending e-mails weresent were fictitious identities created by an employee on defendants’ instructions, to avoid recognition and legalaction. On discovery of this fraudulent act, the fictitious names were deleted from the array of parties asdefendants in the case. Subsequently, the defendants admitted their illegal acts and the parties settled the matterthrough the recording of a compromise in the suit proceedings. According to the terms of compromise, thedefendants agreed to pay a sum of Rs1.6 million to the plaintiff as damages for violation of the plaintiff’s 36
  37. 37. trademark rights. The court also ordered the hard disks seized from the defendants’ premises to be handed overto the plaintiff who would be the owner of the hard disks.This case achieves clear milestones: It brings the act of “phishing” into the ambit of Indian laws even in theabsence of specific legislation; It clears the misconception that there is no “damages culture” in India forviolation of IP rights; This case reaffirms IP owners’ faith in the Indian judicial system’s ability and willingnessto protect intangible property rights and send a strong message to IP owners that they can do business in Indiawithout sacrificing their IP rights.10. Infinity e-Search BPO CaseThe Gurgaon BPO fraud has created an embarrassing situation for Infinity e-Search, the company in which MrKaran Bahree was employed.A British newspaper had reported that one of its undercover reporters had purchased personal information of1,000 British customers from an Indian call-center employee. However, the employee of Infinity eSearch, aNew Delhi-based web designing company, who was reportedly involved in the case has denied anywrongdoing. The company has also said that it had nothing to do with the incident.In the instant case the journalist used an intermediary, offered a job, requested for a presentation on a CD andlater claimed that the CD contained some confidential data. The fact that the CD contained such data is itselfnot substantiated by the journalist.In this sort of a situation we can only say that the journalist has used "Bribery" to induce a "Out of normalbehavior" of an employee. This is not observation of a fact but creating a factual incident by intervention.Investigation is still on in this matter. ConclusionAs we can see that there where so many cyber crimes happening in Indiabefore the amendment of information technology act the rate of crime havenot stopped nor it have come down but it is reaching its high. 37
  38. 38. We have try to find out various reasons that despite of such a tight act andhigh penalties and punishments what are the lope holes in the act which isblocking the proper implementation of such a force full act.Cyber Law in India is in its infancy stage. A lot of efforts and initiatives arerequired to make it a mature legal instrument. Law has been instrumental ingiving Cyber Law in India a shape that it deserves. To make the circlecomplete we are proudly introducing another effort in this direction.Following are some of the lope holes which we have tried to figure out: 1. Reporting of important matters pertaining to Cyber Law in India: 2. Analysis of Cyber Law scenario in India, 3. Providing a comprehensive database for cases and incidents related to Cyber Law in India, 4. A ready reference for problems associated with Cyber Law in India, etc.Besides these grey areas India is also facing problems of lack of CyberSecurity in India as well as ICT Security in India. A techno-legal base is the need of the hour. Unfortunately,we do not have a sound and secure ICTSecurity Base in India and Cyber security in India is still an ignored World.If opening of Cyber Cells and Cyber Units is Cyber Security than perhaps Indiais best in the World at managing Cyber Security issues. Unfortunately ICTSecurity in India is equated with face saving exercises of false claims andredundant exercises. The truth remains that ICT Security in India is a mythand not reality. The Cyber Law in India requires a dedicated and pro activeapproach towards ICT and Cyber Security in India. In the absence of adedicated and sincere approach, the Cyber Law in India is going to collapse.Now as we know what are themajor lope holes in the act let us try to fine the possible suggestion to overcome these and try to learn fromwhat us/uk are following in order to have a virus free cyber.Suggestion:Recruitment 38
  39. 39. There is a high need to increase the strength of staff for proper functioning of the ACT.Red coding SystemSet - up a red coding system, with the help of which the government can keep a tap on mails, chat, etc. thissystem will help the government to detect the possibility of further cyber crime.Training and DevelopmentOne of the most important requirements for the proper function of theACT is that, there should be good quality training programs on a regularbase.DomainIt is necessary; Domain should be treated as a separate entity rather than treating it as IP ACT.Cyber theft, cyber stalking, cyber harassment and cyber defamation are presently not covered under theact. These crimes need to have specific provisions in the act to enable the police to take quick action.Vague DefinitionsDefinitions, prescriptions of punishment and certain provisions (such as that dealing with hacking) needspecific amendment.Parameters for its implementationLaw enforcement officials need to be trained for effective enforcement. 39
  40. 40. Bibliography IT ACT 2000 Published by The Gazette of India www.google.com www.google.com: Asian School of Cyber Law Notes on Information Technology Act by Shri.Talwant Singh Addl. Distt. & Sessions Judge, Delhi NASSCOM ANNUAL REPORT 2010-2011 Crime In India 2009 by Statistic National Crime Records Bureau (http://ncrb.gov.in) 40
  41. 41. 41
  42. 42. DisclaimerThis presentation is prepared for knowledge sharing and awareness. We can use the information provided herewith proper credits. We have tried not to hide original credits as far as possible, nor we are using thispresentation for any personal financial gain. Information available in this presentation is not enforceable bylaw; however these are our view about the topic which we feel should be shared. Any errors, omissions,misstatements, and misunderstandings set forth in the presentation are sincerely apologized. Relying on thecontents will be sole responsibility of the users. 42

×