VARIOUS ACTS DEALING WITH CYBER CRIMES IN INDIA
1.1 ABOUT THE TOPIC
Information Technology solutions have paved a way to a new world of internet,
business networking and e-banking, budding as a solution to reduce costs, change the
sophisticated economic affairs to more easier, speedy, efficient, and time saving
method of transactions. Internet has emerged as a blessing for the present pace of life
but at the same time also resulted in various threats to the consumers and other
institutions for which it‘s proved to be most beneficial. Various criminals like
hackers, crackers have been able to pave their way to interfere with the internet
accounts through various techniques like hacking the Domain Name Server (DNS),
Internet Provider‘s (IP) address, spoofing, phishing, internet phishing etc. and have
been successful in gaining ―unauthorised access‖ to the user‘s computer system and
stolen useful data to gain huge profits from customer‘s accounts.
Intentional use of information technology by cyber terrorists for producing destructive
and harmful effects to tangible and intangible property of others is called ―cyber
crime‖. Cyber crime is clearly an international problem with no national boundaries.
Hacking attacks can be launched from any corner of the world without any fear of
being traced or prosecuted easily. Cyber terrorist can collapse the economic structure
of a country from a place where that country might not have any arrangements like
―extradition treaty‖ to deal with that criminal. The only safeguard would be better
technology to combat such technology already evolved and known to the Hackers.
But that still has threat of being taken over by the intellect computer criminals.
This seminar contributes an understanding of the effects of negative use of
Information technology, and how far the present law in India is successful in dealing
with the issue, and what way is the legal structure lagging to curb the crime. Possible
changes needed in the system and the ways to combat cyber terrorism having safe and
Though there are many techniques evolved to curb the criminal activities by cyber
terrorists but still the problem persists in legal structure and has failed to produce a
deterring effect on the criminals. If the suggestions are undertaken in light of
conclusion there can be a better co-ordination among various national and
international agencies to make the system more efficient, and Information Technology
Act 2000 more secured and trustworthy. It can still be held good for the objects it had
existed to provide the benefits to the society. This seminar is contributive of the fact
that the till the crime rate is not curbed technology cannot produce adequate benefits
for which it‘s been created.
1.2 WHAT IS CYBER CRIME
Cyber terrorists usually use the computer as a tool, target, or both for their unlawful
act either to gain information which can result in heavy loss/damage to the owner of
that intangible sensitive information. Internet is one of the means by which the
offenders can gain such price sensitive information of companies, firms, individuals,
banks, intellectual property crimes (such as stealing new product plans, its
description, market programme plans, list of customers etc.), selling illegal articles,
pornography etc. this is done through many methods such as phishing, spoofing,
pharming, wire transfer etc. and use it to their own advantage without the consent of
Many banks, financial institutions, investment houses, brokering firms etc. are being
victimised and threatened by the cyber terrorists to pay extortion money to keep their
sensitive information intact to avoid huge damages. And it‘s been reported that many
institutions in US, Britain and Europe have secretly paid them to prevent huge
meltdown or collapse of confidence among their consumers.
1.3 EMERGENCE OF INFORMATION TECHNOLOGY ACT,
In India, the Information Technology Act 2000 was enacted after the United Nation
General Assembly Resolution A/RES/51/162, dated the 30th January, 1997 by
adopting the Model Law on Electronic Commerce adopted by the United Nations
Commission on International Trade Law. This was the first step towards the Law
relating to e-commerce at international level to regulate an alternative form of
commerce and to give legal status in the area of e-commerce. It was enacted taking
into consideration UNICITRAL model of Law on e- commerce 1996.
1.3.1. SOME NOTEWORTHY PROVISIONS UNDER THE INFORMATION
TECHNOLOGY ACT, 2000
SECTION CRIME SENTENCE
Sec.43 Damage to Computer system etc. Compensation for Rupees
Sec.66 Hacking (with intent or
Fine of 2 lakh rupees, and
imprisonment for 3 years.
Sec.67 Publication of obscene material in
Fine of 1 lakh rupees, and
imprisonment of 5years,
and double conviction on
Sec.68 Not complying with directions of
Fine upto 2 lakh and
imprisonment of 3 years.
Sec.70 Attempting or securing access to
Imprisonment upto 10
Sec.72 For breaking confidentiality of
the information of computer
Fine upto 1 lakh and
imprisonment upto 2 years
Sec.73 Publishing false digital
signatures, false in certain
Fine of 1 lakh, or
imprisonment of 2 years or
Table 1.1 – Sections under IT Act 2000
1.4 TYPES OF ATTACKS BY HACKER
Hacker is computer expert who uses his knowledge to gain unauthorized access to the
computer network. He‘s not any person who intends to break through the system but
also includes one who has no intent to damage the system but intends to learn more by
using one‘s computer. Crackers on other hand use the information cause disruption to
the network for personal and political motives. Hacking by an insider or an employee
is quite prominent in present date. Section 66 (b) of the Information Technology Act
2000, provides punishment of imprisonment for the term of 3 years and fine which
may extent to two lakhs rupees, or with both
Banks and other financial institutions are threatened by the terrorist groups to use
their sensitive information resulting in heavy loss and in turn ask for ransom amount
from them. There are various methods used by hackers to gain unauthorised access to
the computers apart from use of viruses like Trojans and worms etc.
Therefore if anyone secures access to any computer without the permission of the
owner shall be liable to pay damages of one crore rupees under Information
Technology Act, 2000. Computer system here means a device including input and
output support devices and systems which are capable of performing logical,
arithmetical, data storage and retrieval, communication control and other functions
but excludes calculators. Unauthorised access under Section 43 of the Information
Technology Act 2000 is punishable regardless of the intention or purpose for which
unauthorised access to the computer system was made. Owner needn‘t prove the facto
of loss, but the fact of it been used without his authorisation. Case of United States v.
Rice would be important in this regard where defendant on the request of his friend
Sec.74 Publication of Digital Signatures
for fraudulent purpose.
Imprisonment for the term
of 2 years and fine for 1
(who was been under investigation by IRS officer) tried to find the status of his
friend‘s case by using officer‘s computer without his consent. Though it didn‘t cause
any damage/loss to the plaintiff (officer) but was convicted by the Jury for accessing
the computer system of a Government without his authority and his conviction was
later on confirmed. Even if one provides any assistance to the other to gain any
unauthorised access to the computer he shall be liable to pay damages by way of
compensation of Rupees 1 crore.
Does turning on the computer leads to unauthorized access? The Section 1 of the
Computer misuse Act, 1990 comprises of two elements there must be an intent to
secure an access to any programme or data held in any computer, and the person must
know that he intends to secure an unauthorized access. e.g. When defendants went to
his former employee to purchase certain equipments and the sales person was not
looking he was alleged to have keyed in certain commands to the computerized till
granting himself substantial discount. Though section 1 (1) (a) requires ―that second
computer must be involved‖ but the judiciary in the case of R v. Sean Cropp, believed
that the Parliament would have intended to restrict the offence even if single computer
system was involved.
A) Computer Viruses: Viruses are used by Hackers to infect the user‘s computer and
damage data saved on the computer by use of ―payload‖ in viruses which carries
damaging code. Person would be liable under I.T Act only when the consent of the
owner is not taken before inserting virus in his system. The contradiction here is that
though certain viruses causes temporary interruption by showing messages on the
screen of the user but still it‘s not punishable under Information Technology Act 2000
as it doesn‘t cause tangible damage. But, it must be made punishable as it would fall
under the ambit of ‗unauthorised access‘ though doesn‘t cause any damage. Harmless
viruses would also fall under the expression used in the provision ―to unsurp the
normal operation of the computer, system or network‖. This ambiguity needs
B) Phishing: By using e-mail messages which completely resembles the original mail
messages of customers, hackers can ask for verification of certain information, like
account numbers or passwords etc. here customer might not have knowledge that the
e-mail messages are deceiving and would fail to identify the originality of the
messages, this results in huge financial loss when the hackers use that information for
fraudulent acts like withdrawing money from customers account without him having
knowledge of it
C) Spoofing: This is carried on by use of deceiving Websites or e-mails. These
sources mimic the original websites so well by use of logos, names, graphics and even
the code of real bank‘s site.
D) Phone Phishing: Is done by use of in-voice messages by the hackers where the
customers are asked to reveal their account identification, and passwords to file a
complaint for any problems regarding their accounts with banks etc.
E) Internet Pharming: Hacker here aims at redirecting the website used by the
customer to another bogus website by hijacking the victim‘s DNS server (they are
computers responsible for resolving internet names into real addresses - ―signposts of
internet), and changing his I.P address to fake website by manipulating DNS server.
This redirects user‘s original website to a false misleading website to gain
F) Risk Posed On Banks And Other Institutions: Wire transfer is the way of
transferring money from one account another or transferring cash at cash office. This
is most convenient way of transfer of cash by customers and money laundering by
cyber terrorists. There are many guidelines issued by Reserve Bank of India (RBI) in
this regard, one of which is KYC (Know Your Customer) norms of 2002. Main
objective of which is to:
1) Ensure appropriate customer identification, and
2) Monitor the transaction of suspicious nature and report it to appropriate authority
every day bases.
G) Publishing Pornographic Material In Electronic Form: Section 67 of the
Information Technology Act, 2000 in parallel to Section 292 of Indian Penal Code,
1860 makes publication and transmission of any material in electronic that‘s
lascivious or appeals to the prurient interest a crime, and punishable with
imprisonment which may extend to 5 years and fine of 1 lakh rupees and subsequent
offence with an imprisonment extending to 10 years and fine of 2 lakhs.
Various tests were laid down gradually in course of time to determine the actual crime
in case of obscene material published in electronic form on net. Hicklin test was
adopted in America in the case of Regina v. Hicklin wherein it was held that ―if the
material has tendency is to deprive and corrupt those whose minds are open to such
immoral influences, and into whose hands a publication of this sort may fall‖. In
Indian scenario the case of Ranjeet D. Udeshi v. State of Maharashtra the Supreme
Court admitted that Indian Penal Code doesn‘t define obscenity though it provides
punishment for publication of obscene matter. There‘s very thin line existing between
a material which could be called obscene and the one which is artistic. Court even
stressed on need to maintain balance between fundamental right of freedom of speech
and expression and public decency and morality. If matter is likely to deprave and
corrupt those minds which are open to influence to whim the material is likely to fall.
Where both obscenity and artistic matter is so mixed up that obscenity falls into
shadow as its insignificant then obscenity may be overlooked.
In the case of Miller v. California it was held that local community standard must be
applied at the time of determination of the offence. As it can traverse in many
jurisdictions and can be accessed in any part of the globe. So wherever the material
can be accessed the community standards of that country would be applicable to
determine the offence of publication of obscene material posted in electronic form.
Though knowledge of obscenity under Information Technology Act 2000 and Indian
Penal Code may be taken as mitigating factor but doesn‘t take the case out of the
Section 72 of Information Technology Act, 2000 provides punishment for an
unauthorised access or, disclosure of that information to third person punishable with
an imprisonment upto 2 years or fine which may extend to 1 lakh rupees or with both.
English courts have also dealt with an issue as to what activities would constitute
crime under existing legislation, in the case of R. v. Fellows and Arnold it was held
that the legislation before the 1994 amendment would also enable computer data to be
considered a ‗copy of an indecent photograph‘ and making images available for
downloading from the website would constitute material being ‗distributed or shown‘.
Statute is wide enough to deal with the use of computer technology.
(H) Investment Newsletter: We usually get newsletter providing us free information
recommending that investment in which field would be profitable. These may
sometimes be a fraud and may cause us huge loss if relied upon. False information
can be spread by this method about any company and can cause huge inconvenience
or loss through junk mails online.
(I) Credit Card Fraud: Huge loss may cause to the victim due to this kind of fraud.
This is done by publishing false digital signatures. Most of the people lose credit
cards on the way of delivery to the recipient or its damaged or defective,
1.5 MEASURES TO CURB THE CRIME
Though by passage of time and improvement in technology to provide easier and user
friendly methods to the consumer for make up their daily activities, it has lead to
harsh world of security threats at the same time by agencies like hackers, crackers etc.
various Information technology methods have been introduced to curb such
destructive activities to achieve the main objects of the technology to provide some
sense of security to the users. Few basic prominent measures used to curb cyber
crimes are as follows:
A) Encryption: This is considered as an important tool for protecting data in transit.
Plain text (readable) can be converted to cipher text (coded language) by this method
and the recipient of the data can decrypt it by converting it into plain text again by
using private key. This way except for the recipient whose possessor of private key to
decrypt the data, no one can gain access to the sensitive information.
Not only the information in transit but also the information stored on computer can be
protected by using Conventional cryptography method. Usual problem lies during the
distribution of keys as anyone if overhears it or intercept it can make the whole object
of encryption to standstill. Public key encryptograpy was one solution to this where
the public key could be known to the whole world but the private key was only known
to receiver, its very difficult to derive private key from public key.
B) Syncronised Passwords: These passwords are schemes used to change the
password at user‘s and host token. The password on synchronised card changes every
30-60 seconds which only makes it valid for one time log-on session. Other useful
methods introduced are signature, voice, fingerprint identification or retinal and
biometric recognition etc. to impute passwords and pass phrases
C) Firewalls: It creates wall between the system and possible intruders to protect the
classified documents from being leaked or accessed. It would only let the data to flow
in computer which is recognised and verified by one‘s system. It only permits access
to the system to ones already registered with the computer.
D) Digital Signature: Are created by using means of cryptography by applying
algorithms. This has its prominent use in the business of banking where customer‘s
signature is identified by using this method before banks enter into huge transactions.
1.6 INVESTIGATION AND SEARCH PROCEDURES
Section 75 of Information Technology Act, 2000 takes care of jurisdictional aspect of
cyber crimes, and one would be punished irrespective of his nationality and place of
commission of offence. Power of investigation is been given to police officer not
below the rank of Deputy Superintendent of police or any officer of the Central
Government or a State Government authorised by Central Government. He may enter
any public place, conduct a search and arrest without warrant person who is
reasonably expected to have committed an offence or about to commit computer
related crime. Accused has to be produced before magistrate within 24 hours of arrest.
Provisions of Criminal Procedure Code, 1973 regulate the procedure of entry, search
and arrest of the accused.
1.6.1 PROBLEMS UNDERLYING TRACKING OF EVENTS
Most of the times the offenders commit crime and their identity is hard to be
identified. Tracking cyber criminals requires a proper law enforcing agency through
cyber border co-operation of governments, businesses and institutions of other
countries. Most of the countries lack skilled law enforcement personnel to deal with
computer and even broader Information technology related crimes. Usually law
enforcement agencies also don‘t take crimes serious, they have no importance of
enforcement of cyber crimes, and even if they undertake to investigate they are posed
with limitation of extra-territorial nature of crimes.
1.7 HOW EFFICIENT IS IT ACT 2000?
It can‘t be disputed that Information Technology Act, 2000 though provides certain
kinds of protections but doesn‘t cover all the spheres of the I.T where the protection
must be provided. Copyright and trade mark violations do occur on the net but Copy
Right Act 1976, or Trade Mark Act 1994 are silent on that which specifically deals
with the issue. Therefore have no enforcement machinery to ensure the protection of
domain names on net. Transmission of e-cash and transactions online are not given
protection under Negotiable Instrument Act, 1881. Online privacy is not protected
only Section 43 (penalty for damage to computer or computer system) and 72 (Breach
of confidentiality or privacy) talks about it in some extent but doesn‘t hinder the
violations caused in the cyberspace.
Even the Internet Service Providers (ISP) who transmits some third party information
without human intervention is not made liable under the Information Technology Act,
2000. One can easily take shelter under the exemption clause, if he proves that it was
committed without his knowledge or he exercised due diligence to prevent the
offence. It‘s hard to prove the commission of offence as the terms ―due diligence‖ and
―lack of knowledge‖ have not been defined anywhere in the Act. And unfortunately
the Act doesn‘t mention how the extra territoriality would be enforced. This aspect is
completely ignored by the Act, where it had come into existence to look into cyber
crime which is on the face of it an international problem with no territorial
1.8 DATA PROTECTION
Information stored on the owner of the computer would be his property and must be
protected there are many ways such information can be misused by ways like
‗unauthorized access, computer viruses, data typing, modification erasures etc.
Legislators had been constantly confronted with problem in balancing the right of the
individuals on the computer information and other people‘s claim to be allowed
access to information under Human Rights. The first enactment in this regard was
Data Protection Act by Germany in the year 1970. This was widely accepted by the
world and also contributed to the Information Technology Act.
The origin of laws on date protection dates back to 1972 when United Kingdom
formed a committee on privacy which came up with ten principles, on the bases of
which data protection committee was set up. Data Protection Act, 1984 (DPA) was
United Kingdom‘s response to the Council of Europe Convention 1981, this Act
lacked proper enforcement mechanism and has done little to enforce individual‘s
rights and freedoms. European Union directive in 1995, European Convention of
Human Rights (ECHR), Human Rights Acts, and further introduction of Data
Protection Act, 1998 have done much in the field of Data protection in today‘s date.
Data Protection Act has following aims and objectives:
Personal information shall only be obtained for lawful purpose, it shall only be used
for that purpose, mustn‘t be disclosed or used to effectuate any unlawful activity, and
must be disposed off when the purpose is fulfilled.
Though Data Protection Act aims at protecting privacy issues related to the
information but still we find no mention of the word ―privacy‖ in the Act, nor is it
defined, further the protection comes with various exemptions, including compulsory
notification from the Commissioner in certain cases of the personal data. Due to the
change in the regime of information technology for the date European Convention
came, on which the Act is based amendments in the Act is advised for matching the
present situation and curbing the crime in efficient way.
There is no Data Protection Act in India, the only provisions which talks about data
protection are Section 72 and Section 43 of Information Technology Act, 2000. There
must be a new Law to deal with the situation for a person to know that the Controller
is processing his data concerning him and also that he must know the purpose for
which it has been processed. It is a fundamental right of the Individual to retain
private information concerning him provided under Article 21 of the Indian
Constitution, which says: ―No person shall be deprived of his life or personal liberty
except according to procedure established by law‖. And due to the increasing trend of
the Crime rate in the field separate legislation is required in this context for better
protection of individuals.
WHAT CONSTITUTES A CYBER CRIME IN THE COUNTRY
2.1 INTRODUCTION TO CYBER CRIME
In simple words, Cyber crime is defined as crime committed over the Internet.
A generalized definition of cyber crime may be ― unlawful acts wherein the computer
is either a tool or target or both”. The computer may be used as a tool in the
following kinds of activity- financial crimes, sale of illegal articles, pornography,
online gambling, intellectual property crime, e-mail spoofing, forgery, cyber
defamation, cyber stalking.
The computer may however be target for unlawful acts in the following cases-
unauthorized access to computer/ computer system/ computer networks, theft of
information contained in the electronic form, e-mail bombing, data didling, salami
attacks, logic bombs, Trojan attacks, internet time thefts, web jacking, theft of
computer system, physically damaging the computer system.
Cyber crime is the latest and perhaps the most complicated problem in the cyber
world. ―Any criminal activity that uses a computer either as an instrumentality, target
or a means for perpetuating further crimes comes within the ambit of cyber crime‖.
The internet in India is growing rapidly. It has given rise to new opportunities in
every field we can think of – be it entertainment, business, sports or education.The
internet, along with its advantages, has also exposed us to security risks that come
with connecting to a large network. Computers today are being misused for illegal
activities like e-mail espionage, credit card fraud, spams, software piracy and so on,
which invade our privacy and offend our senses. Criminal activities in the cyberspace
are on the rise.
"The modern thief can steal more with a computer than with a gun. Tomorrow's
terrorist may be able to do more damage with a keyboard than with a bomb".
1.2 CLASSIFICATION OF CYBER CRIME
Cyber crimes can be basically divided into 3 major categories:
1. Cybercrimes against persons.
2. Cybercrimes against property.
3. Cybercrimes against government.
Cybercrimes committed against persons include various crimes like transmission of
child-pornography, harassment of any one with the use of a computer such as e-mail.
The potential harm of such a crime to humanity can hardly be amplified. This is one
Cybercrime which threatens to undermine the growth of the younger generation as
also leave irreparable scars and injury on the younger generation, if not controlled.
Another example wherein the damage was not done to a person but to the masses is
the case of the Melissa virus. The Melissa virus first appeared on the internet in
March of 1999. It spread rapidly throughout computer systems in the United States
and Europe. It is estimated that the virus caused 80 million dollars in damages to
In the United States alone, the virus made its way through 1.2 million computers in
one-fifth of the country's largest businesses.There are numerous examples of such
computer viruses few of them being "Melissa" and "love bug".
Cyberharassment is a distinct Cybercrime. Various kinds of harassment can and do
occur in cyberspace, or through the use of cyberspace. Harassment can be sexual,
racial, religious, or other. Persons perpetuating such harassment are also guilty of
Cyberharassment as a crime also brings us to another related area of violation of
privacy of citizens. Violation of privacy of online citizens is a Cybercrime of a grave
nature. No one likes any other person invading the invaluable and extremely touchy
area of his or her own privacy which the medium of internet grants to the citizen.
The second category of Cyber-crimes is that of Cybercrimes against property.
These crimes include computer vandalism (destruction of others' property),
transmission of harmful programmes.
A Mumbai-based upstart engineering company lost a say and much money in the
business when the rival company, an industry major, stole the technical database from
their computers with the help of a corporate cyberspy.
The third category of Cyber-crimes relate to Cybercrimes against Government.
Cyberterrorism is one distinct kind of crime in this category. The growth of internet
has shown that the medium of Cyberspace is being used by individuals and groups to
threaten the international governments as also to terrorise the citizens of a country.
This crime manifests itself into terrorism when an individual "cracks" into a
government or military maintained website.
In a report of expressindia. com, it was said that internet was becoming a boon for the
terrorist organisations. According to Mr. A.K. Gupta, Deputy Director (Co-
ordination), CBI, terrorist outfits are increasingly using internet to communicate and
move funds.. During the investigation of the Red Fort shootout in Dec. 2000, the
accused Ashfaq Ahmed of this terrorist group revealed that the militants are making
extensive use of the internet to communicate with the operatives and the sympathisers
and also using the medium for intra-bank transfer of funds".
Cracking is amongst the gravest Cyber-crimes known till date. It is a dreadful feeling
to know that a stranger has broken into your computer systems without your
knowledge and consent and has tampered with precious confidential data and
Coupled with this the actuality is that no computer system in the world is cracking
proof. It is unanimously agreed that any and every system in the world can be
cracked. The recent denial of service attacks seen over the popular commercial sites
like E-bay, Yahoo, Amazon and others are a new category of Cyber-crimes which are
slowly emerging as being extremely dangerous.
1.3 TYPES OF CYBER CRIME
1. CYBER STALKING
Cyber Stalking can be defined as the repeated acts harassment or threatening behavior
of the cyber criminal towards the victim by using Internet services.
Stalking in General terms can be referred to as the repeated acts of harassment
targeting the victim such as
Following the victim
Making harassing phone calls
Killing the victims pet
Vandalizing victims property
Leaving written messages or objects
Stalking may be followed by serious violent acts such as physical harm to the victim
and the same has to be treated and viewed seriously. It all depends on the course of
conduct of the stalker.
Cyber-stalking refers to the use of the Internet, e-mail, or other electronic
communications device to stalk another person. It is a relatively new form of
harassment, unfortunately, rising to alarming levels especially in big cities like
2. DENIAL OF SERVICE
This is an act by a criminal, who floods the bandwidth of the victim‘s network or fills
his e-mail box with spam mail depriving him of the services he is entitled to access or
This act is committed by a technique called spoofing and buffer overflow. The
criminal spoofs the IP address and flood the network of the victim with repeated
requests. Since the IP address is fake, the victim machine keeps waiting for response
from the criminal‘s machine for each request. This consumes the bandwidth of the
network which then fails to serve the legitimate requests and ultimately breaks down.
The diagram below will give you an idea of how the attack happens
Fig. 2.1 How attack happens
Hacking in simple terms means illegal intrusion into a computer system without the
permission of the computer owner/user.
Purposes of hacking
Desire to access forbidden information
Every act committed towards breaking into a computer and/or network is
Hackers write or use ready-made computer programs to attack the target computer.
They possess the desire to destruct and they get the kick out of such destruction. Some
hackers hack for personal monetary gains, such as to stealing the credit card
information, transferring money from various bank accounts to their own account
followed by withdrawal of money. They extort money from some corporate giant
threatening him to publish the stolen information, which is critical in nature.
Government websites are the hot targets of the hackers due to the press coverage they
About Hackers, Crackers and Phreaks
The original meaning of the word "hack" was born at MIT, and originally meant an
elegant, witty or inspired way of doing almost anything. Now the meaning has
changed to become something associated with the breaking into or harming of any
kind of computer or telecommunications system. Purists claim that those who break
into computer systems should be properly called "crackers" and those targeting
phones should be known as "phreaks".
This term is derived from the term hi jacking. In these kinds of offences the hacker
gains access and control over the web site of another. He may even mutilate or change
the information on the site. This may be done for fulfilling political objectives or for
money. E.g. recently the site of MIT (Ministry of Information Technology) was
hacked by the Pakistani hackers and some obscene matter was placed therein. Further
the site of Bombay crime branch was also web jacked. Another case of web jacking is
that of the ‗gold fish’ case. In this case the site was hacked and the information
pertaining to gold fish was changed. Further a ransom of US $ 1 million was
demanded as ransom. Thus web jacking is a process where by control over the site of
another is made backed by some consideration for it.
4. ONLINE FRAUD
The net is a boon for people to conduct business effectively, very quickly. It saves businesses
a lot of time, money and resources. Unfortunately, the net is also an open invitation to
scamsters and fraudsters and online frauds are becoming increasingly rampant.
Spoof websites and email security alerts
Fraudsters create authentic looking websites that are actually nothing but a spoof. The
purpose of these websites is to make the user enter personal information. This information is
then used to access business and bank accounts. Fraudsters are increasingly turning to email
to generate traffic to these websites.
A lot of customers of financial institutions recently received such emails. Such emails
usually contain a link to a spoof website and mislead users to enter User ids and
passwords on the pretence that security details can be updated, or passwords changed.
If you ever get an email containing an embedded link, and a request for you to enter
secret details, treat it as suspicious. Do not input any sensitive information that might
help provide access to your accounts, even if the page appears legitimate. No
reputable company ever sends emails of this type.
Virus hoax emails
It is a sad fact of life that there are those who enjoy exploiting the concerns of others.
Many emailed warnings about viruses are hoaxes, designed purely to cause concern
and disrupt businesses.
These warnings may be genuine, so don't take them lightly, but always check the
story out by visiting an anti-virus site such as McAfee, Sophos or Symantec before
taking any action, including forwarding them to friends and colleagues.
These are letters or emails, which inform the recipient that he/ she has won a prize in
a lottery. To get the money, the recipient has to reply. After which another mail is
received asking for bank details so that the money can be directly transferred. The
email also asks for a processing fee/ handling fee. Of course, the money is never
transferred in this case, the processing fee is swindled and the banking details are used
for other frauds and scams.
Child pornography is a very unfortunate reality of the Internet. The Internet is being
highly used by its abusers to reach and abuse children sexually, worldwide.
The Internet is very fast becoming a household commodity in India. Its explosion has
made the children a viable victim to the cyber crime. As more homes have access to
Internet, more children would be using the Internet and more are the chances of
falling victim to the aggression of pedophiles.
What is Child Pornography?
―Child pornography‖ means any visual depiction, including
1. any photograph
2. film, video, picture, or
3. computer or computer-generated image or picture, of sexually explicit conduct, where
the production of such visual depiction involves the use of a minor engaging in
sexually explicit conduct
6. SOFTWARE PIRACY
Theft of software through the illegal copying of genuine programs or the
counterfeiting and distribution of products intended to pass for the original is termed
as termed as software piracy.
Examples of software piracy
1. End user copying - Friends loaning disks to each other, or organizations
underreporting the number of software installations they have made.
2. Hard disk loading – Hard disk vendors loads pirated software
3. Counterfeiting - large-scale duplication and distribution of illegally copied software.
4. Illegal downloads from the Internet - By intrusion, cracking serial numbers etc.
A consumer of pirated software has a lot to lose…
He gets untested software that may have been copied thousands of times over,
potentially containing hard-drive-infecting viruses
No technical support in case of software failure
No warranty protection
No legal right to use the product
Illegal intrusion, posing as a genuine user
Spoofing means a hacker logs-in to a computer illegally using a different identity than
He is able to do this by having previously obtained actual password.
He creates a new identity by fooling the computer into thinking he is the genuine
Hacker then takes control of the system.
E mail spoofing
A spoofed e-mail may be said to be one, which misrepresents its origin. It shows it's origin to
be different from which actually it originates. Recently spoofed mails were sent on the name
of Mr.Na.Vijayashankar (naavi.org), which contained virus.
Rajesh Manyar, a graduate student at Purdue University in Indiana, was arrested for
threatening to detonate a nuclear device in the college campus. The alleged e- mail was sent
from the account of another student to the vice president for student services. However the
mail was traced to be sent from the account of Rajesh Manyar.
8. USENET NEWSGROUP
(Usenet is a popular means of sharing and distributing information on the web with
respect to specific topic or subjects)
Possible Criminal Uses of Usenet
Distribution/Sale of pornographic material.
Distribution/Sale of pirated softwares
Distribution of Hacking Software
Sale of Stolen credit card numbers
Sale of Stolen Data/Stolen property.
9. VIRUS DESSEMINATION
A computer virus is a program that can ‗infect‘ other legitimate programs by
modifying them to include a possibly ‗evolved‘ copy of itself. Viruses can spread
themselves, without the knowledge or permission of the users, to potentially large
numbers of programs on many machines. A computer virus passes from computer to
computer like a biological virus passes from person to person.
Viruses can also contain instructions that cause damage or annoyance; the
combination of possibly damaging code with the ability to spread is what makes
viruses a considerable concern.
How do viruses spread?
Viruses can often spread without any readily visible symptoms. A virus can start on
event-driven effects (for example, triggered after a specific number of executions),
time-driven effects (triggered on a specific date, such as Friday the 13th) or can occur
Typical action of a virus
1. Display a message to prompt an action which may set of the virus
2. Erase files
3. Scramble data on a hard disk
4. Cause erratic screen behavior
5. Halt the PC
6. Just replicate itself!
Fig 2.2 How can a virus be distributed
World’s Worst Virus Attacks
1. Love Letter
Love Letter is the virus everyone learned to hate in 2000. The infection affected
millions of computers and caused more damage than any other computer virus to date.
Users were infected via e-mail, through Internet chat systems, and through other file
sharing systems. The worm sent copies of itself via Microsoft Outlook's address book
entries. The mail included an executable file attachment with the e-mail subject line,
"ILOVEYOU." The worm had the ability to overwrite several types of files, including
.gif and .jpg files. It modified the Internet Explorer start page and changed Registry
The Klez worm was first detected in October 2001. Klez distributes itself like a virus,
but sometimes acts like a worm, other times like a Trojan horse. Klez isn't as
destructive as other worms, but it is widespread, hard to exterminate--and still active.
It spreads via open networks and e-mail-regardless of the e-mail program you use. It
may corrupt files and disable anti-virus products. It steals data from a victim's e-mail
address book, mixing and matching new senders and recipients for a new round of
The Melissa virus swamped corporate networks with a tidal wave of e-mail messages
in March 1999. Through Microsoft Outlook, when a user opened an e-mail message
containing an infected Word attachment, the virus was sent to the first 50 names in the
user's address book.
So much e-mail traffic was generated so quickly that companies like Intel and
Microsoft had to turn off their e-mail servers. The Melissa virus was the first virus
capable of hopping from one machine to another on its own. And it's another good
example of a virus with multiple variants.
10. INTERNET TIME THEFTS
Normally in these kinds of thefts the Internet surfing hours of the victim are used up by
another person. This is done by gaining access to the login ID and the password. E.g. Colonel
Bajwa’s case- the Internet hours were used up by any other person. This was perhaps one of
the first reported cases related to cyber crime in India. However this case made the police
infamous as to their lack of understanding of the nature of cyber crime.
DEFINITIONS OF ELECTRONIC DOCUMENTS AND
The Information Technology Act, 2000 is India‘s mother legislation regulating the use
of computers, computer systems and computer networks as also data and information
in the electronic format. The said legislation has provided for the legality of the
electronic format as well as electronic contracts. This legislation has touched varied
aspects pertaining to electronic authentication, digital signatures, cybercrimes and
liability of network service providers.
The Act provides for:
1. Legal Recognition of Electronic Documents
2. Legal recognition of Electronic commerce Transactions
3. Admissibility of Electronic data/evidence in a Court of Law
4. Legal Acceptance of digital signatures
5. Punishment for Cyber obscenity and crimes
6. Establishment of Cyber regulations advisory Committee and the Cyber
Regulations Appellate Tribunal.
7. Facilitation of electronic filing maintenance of electronic records.
Person‘s signature on the document is necessary to prove that the document is
belonging to him. Signature is the evidence to prove that the document belong to the
3.2 DIGITAL SIGNATURE
A digital signature (not to be confused with a digital certificate) is an electronic
signature that can be used to authenticate the identity of the sender of a message or the
signer of a document,
A digital signature is basically a way to ensure that an electronic document (e-mail,
spreadsheet, text file, etc.) is authentic. Authentic means that you know who created
the document and you know that it has not been altered in any way since that person
3.2.2 USES OF DIGITAL SIGNATURE
1. Issuing forms and licenses
2. Filing tax returns online
3. Online Government orders/treasury orders
5. Online file movement system
6. Public information records
8. Railway reservations & ticketing
10. Online money orders
11. Secured emailing
3.2.3 HOW TO GET A DIGITAL SIGNATURE CERTIFICATE
The Office of Controller of Certifying Authorities (CCA), issues Certificate only to
Certifying Authorities.CA issue Digital Signature Certificate to end-user. You can
approach any one of the eight CAs for getting Digital Signature Certificate.
Class 0 Certificate: This certificate shall be issued only for demonstration/ test
Class 1 Certificate: Class 1 certificates shall be issued to individuals/private
subscribers. These certificates will confirm that user‘s name (or alias) and E-mail
address form an unambiguous subject within the Certifying Authorities database.
Class 2 Certificate: These certificates will be issued for both business personnel and
private individuals use. These certificates will confirm that the information in the
application provided by the subscriber does not conflict with the information in well-
recognized consumer databases.
Class 3 Certificate: This certificate will be issued to individuals as well as
organizations. As these are high assurance certificates, primarily intended for e-
commerce applications, they shall be issued to individuals only on their personal
(physical) appearance before the Certifying Authorities.
3.2.4 LEGAL RECOGNITION OF DIGITAL SIGNATURE
According to this section, signature of the person need no to be in writing, it can be in
the form of the following.
a. With rubber stamp
b. With pen
c. With pencil
d. With thumb impression
With digital signature which is issued by the certifying authority (government body)
and stored in the computer in the file format.
Digital signature is not like hand writing signature. It is not normally readable. Not
like general hand writing signature. Digital signatures have equal legal recognition
compared with non-digital signatures. Digital signature will be different for each e
document. Digital signature is issued by the certifying authority.
- According to this section digital signature is secure.
- Digital signature will be used as identification of the subscriber.
Any person can apply for the digital signature certification having certain
qualification prescribed by government under the act.
- Any person can apply for digital signature with filling of application.
- Any other documents attached if needed, should be genuine
- Fee of rupees 2500/-
License can be renewed before the 45 days of expiry date of 5 years. Renewal fees is
5000/-. After the expiry of the date, late fee will be collected in addition to the
According to this section license will be cancelled if the applicant provides any false
3.3 AUTHENTICATION OF ELECTRONIC RECORDS [SEC 3]
According to this section any person can use and affix his digital signature to the
electronic record (message or data on computer) to prove/ confirm (authenticate) such
electronic is created by him only and belong to him only. Affixing digital signature to
the electronic record will be a proof that belongs to a specific person.
―Electronic record‖ means data, record or data generated, image or sound stored,
received or sent in an electronic form or micro film or computer generated micro
fiche; [Sec 2(t)]
This section deals with the computer online process of sending data or message
securely and safely from sender to the receiver. And also deals with the assuring of
message or data to receiver and sender.
Section 2 (f) ―asymmetric crypto system‖ means a system of a secure key pair
consisting of a private key for creating a digital signature and a public key to verify
the digital signature;
3.4 CRYPTOGRAPHIC SYSTEM
Cryptographic mechanism process done by the computer system.
The message or data send out will be encrypt by a cryptographic mechanism.
(the procedures and methods of making and using secret languages, as codes)
Cryptographic mechanism includes private key and public key which are
cryptographic methods provided certifying authorities. (Private Key
encryption is essentially the same as a secret code that the two computers must
each know in order to decode the information. The code would provide the
key to decoding the message)
To decode an encrypted message, a computer must use the public key
provided by the originating computer and its own private key.
Public key and private key or both mathematically related to each other.
Therefore private key is being used to encode the data/message and a public
key is being used to decode the data/ message.
Private key will be with sender only
Private Key with public will be with sender.
Public will be with receiver of data or message.
Hash function=checksum/message digest
Hash function process is done by the computer system
Hash function which mean algorithm is a mathematical function/formula that
converts a large, possibly variable-sized amount of data into a small datum.
This is called as hash result and message digest.
To sign a document, sender by software will crunch down the data or message
into just a few lines by a process called ―hashing algorithm/ hash function‖.
These few lines are called a message digest/ hash result.
Any modification in message or data changes the hash result.With the hash
result we cannot construct the original message or data.
3.5 DIGITAL SIGNATURE VERIFICATION
Sender by software then encrypts the message digest with his private key. The
result is the digital signature.
Finally, sender software attaches / affixes the digital signature to data or
message. All of the data that was hashed has been signed.
Receiver by software will decrypts the signature (using sender public key)
changing it back into a message digest that sender has only signed the
document, because only sender has his relating private key.
Receiver by software then hashes the data or message into a message digest/
hash result. If the message digest/ hash result is the same as the message digest
created when the signature was decrypted, then receiver knows that the signed
data has not been changed.
[A digital signature is another means to ensure integrity, authenticity, and non-
repudiation. A digital signature is derived by applying a mathematical function to
compute the message digest of an electronic message or document, and then encrypt
the result of the computation with the signer's private key. Recipients can verify the
digital signature with the use of the sender's public key.]
3.5.1 HOW IT WORKS
Assume you were going to send the draft of a contract to your lawyer in another town.
You want to give your lawyer the assurance that it was unchanged from what you sent
and that it is really from you.
1. You copy-and-paste the contract (it‘s a short one!) into an e-mail note.
2. Using special software, you obtain a message hash (mathematical summary) of the
3. You then use a private key that you have previously obtained from a public-private
key authority to encrypt the hash.
4. The encrypted hash becomes your digital signature of the message. (Note that it
will be different each time you send a message.)
At the other end, your lawyer receives the message.
1. To make sure it‘s intact and from you, your lawyer makes a hash of the received
2. Your lawyer then uses your public key to decrypt the message hash or summary.
3. If the hashes match, the received message is valid.
Subscriber will generate the key pair (public key and private key) by certain security
process by through the controller of certifying authorities Public key with hash
algorithm is listed in the digital signature certificate for verification process. Private
Key is kept secret.
3.6 CERTIFYING AUTHORITY TO ISSUE DIGITAL
(1) Any person may make an application to the Certifying Authority for the issue of a
Digital Signature Certificate in such form as may be prescribed by the Central
(2) Every such application shall be accompanied by such fee not exceeding twenty
five thousand rupees as may be prescribed by the Central Government, to be paid to
the Certifying Authority:
Provided that while prescribing fees under sub-section (2) different fees may be
prescribed for different classes of applicants‘.
(3) Every such application shall be accompanied by a certification practice statement
or where there is no such statement, a statement containing such particulars, as may
be specified by regulations.
(4) On receipt of an application under sub-section (1), the Certifying Authority may,
after consideration of the certification practice statement or the other statement under
subsection (3) and after making such enquiries as it may deem fit, grant the Digital
Signature Certificate or for reasons to be recorded in writing, reject the application:
Provided that no Digital Signature Certificate shall be granted unless the Certifying
Authority is satisfied that—
(b) The applicant holds the private key corresponding to the public key to be listed in
the Digital Signature Certificate;
(c) The applicant holds a private key, which is capable of creating a digital signature;
(d) The public key to be listed in the certificate can be used to verify a digital
signature affixed by the private key held by the applicant: Provided further that no
application shall be rejected unless the applicant has been given a reasonable
opportunity of showing cause against the proposed rejection.
3.7 ELECTRONIC GOVERNANCE
(E-Governance or e-gov is broadly defined as an ―application of Information
technology to the functioning of the Government‖. E-gov relies heavily on the
effective use of Internet and other emerging technologies to receive and deliver
information and services easily, quickly, efficiently and inexpensively.)
Government can file, create, use of electronic records in certain format for issue
license, permits, any approval, receipt and payment of money.
Electronic records should be stored in the format which they were created and also
information in electronic records should not be altered. They should be stored for the
specific period for the future reference whenever needed.
According to this section central government has power to make rule in respect of
- Type of digital signature
- Format of digital signature
- Procedure which facilitate identification of the person affixing the digital
- Control on the security and confidentiality of the electronic records.
3.7.1 ACKNOWLEDGEMENT OF RECEIPT
Addressee should indicate sender on the receipt of the electronic record. If
acknowledgement is not received by the sender, it is deemed that electronic record is
not send E.g.: email
If Addressee has designated the specific computer source for the receipt of the
electronic record eg: email address. In such case electronic record is deemed to be
receipt by addressee. If the addressee has not designated the any specific computer to
the sender eg: email. It is deemed to receipt when the addressee retrieve the
information. Retrieve of information can be done from home or at the business place.
Central government appoints the controller of certifying authorities for the purpose of
this act, they discharge their function according to this act.
3.7.2 FUNCTION OF CONTROLLER
(a) Exercising supervision over the activities of the Certifying Authorities;
(b) Certifying public keys of the Certifying Authorities;
(c) Laying down the standards to be maintained by the Certifying Authorities;
(d) Specifying the qualifications and experience which employees of the Certifying
Authorities should possess;
(e) Specifying the conditions subject to which the Certifying Authorities shall
conduct their business;
(f) Specifying the contents of written, printed or visual materials and advertisements
that may be distributed or used in respect of a Digital Signature Certificate and the
(g) Specifying the form and content of a Digital Signature Certificate and the key,
(h) Specifying the form and manner in which accounts shall be maintained by the
(i) Specifying the terms and conditions subject to which auditors may be appointed
and the remuneration to be paid to them;
(j) Facilitating the establishment of any electronic system by a Certifying Authority
either solely or jointly with other Certifying Authorities and regulation of such
(k) Specifying the manner in which the Certifying Authorities shall conduct their
dealings with the subscribers;
(l) Resolving any conflict of interests between the Certifying Authorities and the
(m) Laying down the duties of the Certifying Authorities;
(n) Maintaining a data base containing the disclosure record of every Certifying
Authority containing such particulars as may be specified by regulations, which shall
be accessible to public.
According to this section Digital signatures by foreign certifying authorities is not
valid in the our country
Controller will be the custodian of all the digital signatures certificates issued under
this act. He has to store and retrieve certificates and other Information in need.
Controller has power to investigate in any person and things go opposite to the act. He
can inspect records of company and seize.
If the controller is under the doubt and have suspect, he can check the computer
system, computer networks, data, apparatus and other material connected to the
3.7.3 DUTIES OF SUBSCRIBER
Subscriber should generate key pair, private key and public key.
Subscriber should hold the private key
Subscriber should take care about the private key which he holds
Private Key hold with him should have relationship with the public key affix in the
digital signature certificate.
Subscriber only should affix the digital signature
Any person without the permission of the owner should not do the following activities
(a) Should access the computer system or computer network.
(b) Should not download the data or make copies of it.
(c) Should not introduce virus in to the computer system
(d) Should damage the computer system or network or nay computer program.
(e) Should not cause disruption to computer system or its network.
(g) Should not help/ assist any person to affect the computer system or computer
(h) Should not manipulate the computer system or computer network.
Sec 44 penalties
Any person who ever fails to provide required document by the certifying authorities,
such person is liable for penalty up to 150000/-.
Any person who ever fails to provide required information by the certifying
authorities, such person is liable for penalty up to 5000/-.
Any person who ever fails to maintain records and account books, such person is
liable for penalty up to 10000/-.
Any person who disobey or be oppose to this law or act shall be liable for penalty of
3.8.1 ADJUDICATION OFFICER
Deals with appointment of adjudication officer by central government, who have
experience in field of information technology, for the purpose of holding enquiry on
the matters like violation of rules of the act, etc. he can impose penalty or award
3.9 DIGITAL EVIDENCES
Digital evidence or electronic evidence is any probative information stored or
transmitted in digital form that a party to a court case may use at trial. Before
accepting digital evidence a court will determine if the evidence is relevant, whether it
is authentic, if it is hearsay and whether a copy is acceptable or the original is
The use of digital evidence has increased in the past few decades as courts have
allowed the use of e-mails, digital photographs, ATM transaction logs, word
processing documents, instant message histories, files saved from accounting
programs, spreadsheets, internet browser histories, databases, the contents of
computer memory, computer backups, computer printouts, Global Positioning System
tracks, logs from a hotel‘s electronic door locks, and digital video or audio files.
4.1 INVESTIGATION OF CYBER CRIME
In simple words, Cyber crime is defined as crime committed over the Internet.
A generalized definition of cyber crime may be ― unlawful acts wherein the computer
is either a tool or target or both”. The computer may be used as a tool in the
following kinds of activity- financial crimes, sale of illegal articles, pornography,
online gambling, intellectual property crime, e-mail spoofing, forgery, cyber
defamation, cyber stalking.
4.2.1 GENERAL GUIDELINES ON CYBER SAFETY
Do not give out identifying information such as your name, home address, or
telephone number in a chat room. Even vital details like age, gender should
never be divulged to anyone.
Do not send your photograph to any one on the net unless you know the
person well enough.
Do not respond to messages or bulletin board items that are obscene,
belligerent or threatening.
Never arrange a face-to-face meeting with someone who you have just ‗met‘
on the Internet. In case you have to meet this person, make sure you have
someone with you for the meeting. And inform someone of the person and
place you will be going to. Remember, people online are not always who they
seem to be.
4.2.2 EMAIL SAFETY
If you ever get an email containing an embedded link, and a request for you to enter
secret details, treat it as suspicious. Do not input any sensitive information that might
help provide access to your bank accounts, even if the page appears legitimate. No
reputable company ever sends emails of this type.
4.2.3 VIRUS WARNINGS
Virus warnings are a very common occurrence in the mail box. While you shouldn‘t
take these warnings lightly, a lot of times, such warnings are hoaxes and will do moe
harm than good. Always check the story out by visiting an anti-virus site such as
McAfee, Sophos or Symantec before taking any action, including forwarding them to
friends and colleagues.
4.2.4 FOR HOME PC USERS-
Here are some extremely important guidelines for home computer owners.
1. Use the latest version of a good anti-virus software package that allows
updating from the Internet.
2. Use the latest version of the operating system, web browsers and e-mail
3. Don't open e-mail attachments unless you know the source. Attachments,
especially executables (those having .exe extension) can be dangerous.
4. Confirm the site you are doing business with. Secure yourself against "Web-
Spoofing". Do not go to websites from email links.
5. Create passwords containing at least 8 digits. They should not be dictionary
words. They should combine upper and lower case characters.
6. Use different passwords for different websites.
7. Send credit card information only to secure sites.
8. Use a security program that gives you control over "Cookies" that send
information back to websites. Letting all cookies in without monitoring them
could be risky.
Turn off your computer or disconnect from the network when not in use
Turn off your computer or disconnect its Ethernet interface when you are not using it.
An intruder cannot attack your computer if it is powered off or otherwise completely
disconnected from the network.
Be aware of the risks involved in the use of "mobile code" such as ActiveX, Java, and
site, such as a URL, an element in a form, or a database inquiry. Later, when the web
site responds to you, the malicious script is transferred to your browser.
The most significant impact of this vulnerability can be avoided by disabling all
scripting languages. Turning off these options will keep you from being vulnerable to
malicious scripts. However, it will limit the interaction you can have with some web
Many legitimate sites use scripts running within the browser to add useful features.
Disabling scripting may degrade the functionality of these sites.
Make regular backups of critical data
Keep a copy of important files on removable media such as ZIP disks or recordable
CD-ROM disks (CD-R or CD-RW disks). Use software backup tools if available, and
store the backup disks somewhere away from the computer.
Make a boot disk in case your computer is damaged or compromised
To aid in recovering from a security breach or hard disk failure, create a boot disk on
a floppy disk, which will help when recovering a computer after such an event has
occurred. Remember, however, you must create this disk before you have a security
Use a firewall
We strongly recommend the use of some type of firewall product, such as a network
appliance or a personal firewall software package. Intruders are constantly scanning
home user systems for known vulnerabilities. Network firewalls (whether software or
hardware-based) can provide some degree of protection against these attacks.
However, no firewall can detect or stop all attacks, so it‘s not sufficient to install a
firewall and then ignore all other security measures.
Don't open unknown email attachments
Before opening any email attachments, be sure you know the source of the
attachment. It is not enough that the mail originated from an address you recognize.
The Melissa virus spread precisely because it originated from a familiar address.
Malicious code might be distributed in amusing or enticing programs.
If you must open an attachment before you can verify the source, we suggest the
Be sure your virus definitions are up-to-date
Save the file to your hard disk
Scan the file using your antivirus software
Open the file
For additional protection, you can disconnect your computer's network connection
before opening the file. Following these steps will reduce, but not wholly eliminate,
the chance that any malicious code contained in the attachment might spread from
your computer to others.
4.2.5 FOR PARENTS
By taking responsibility for your children‘s online computer use, parents can greatly
minimize any potential risks of being online.
Make it a family rule to never give out personal information - home address and
telephone number - while chatting or bulletin boards (newsgroup), and be sure you‘re
dealing with someone that both you and your child know and trust before giving out
this information via E-mail.
Be careful before revealing any personal information such as age, marital
status, or financial information while chatting.
Never post photographs of your children on web sites or newsgroups that are
available to the public.
Consider using a fake name, avoid listing your child‘s name and E-mail
address in any public directories and profiles, and find out about your Internet
Service Provider‘s privacy policies and exercise your options for how your
personal information may be used.
Get to know the Internet and any services your child uses. If you don‘t know
how to log on, get your child to show you. Ask your child show you what he
or she does online, and familiarize yourself with all the things that you can do
Never allow a child to arrange a face-to-face meeting with another computer
user without your permission. If a meeting is arranged, make the first one in a
public place, and be sure to accompany your child.
Do not respond to messages or bulletin board items that are suggestive,
obscene, belligerent, threatening, or make you feel uncomfortable. Ask your
children to tell you if they respond to such messages advice them not to do
that. If you or your child receives a message that is harassing, of a sexual
nature, or threatening, forward a copy of the message to your ISP, and ask for
Instruct your child not to click on any links that are contained in E-mail from
persons they don‘t know. Such links could lead to sexually explicit or
otherwise inappropriate web sites.
4.3 CYBER LAW
India has enacted the first I.T.Act, 2000 based on the UNCIRAL model recommended
by the general assembly of the United Nations. Chapter XI of this Act deals with
offences/crimes along with certain other provisions scattered in this Acts .The various
offences which are provided under this chapter are shown in the following table: -
Offence Section under IT Act
Tampering with Computer source documents Sec.65
Hacking with Computer systems, Data alteration Sec.66
Publishing obscene information Sec.67
Un-authorised access to protected system Sec.70
Breach of Confidentiality and Privacy Sec.72
Publishing false digital signature certificates Sec.73
NOTE: Sec.78 of I.T.Act empowers Deputy Supdt. Of Police to investigate cases
falling under this Act.
Computer Related Crimes Covered under IPC and Special Laws Offence
Sending threatening messages by email Sec 503 IPC
Sending defamatory messages by email Sec 499 IPC
Forgery of electronic records Sec 463 IPC
Bogus websites, cyber frauds Sec 420 IPC
Email spoofing Sec 463 IPC
Web-Jacking Sec. 383 IPC
E-Mail Abuse Sec.500 IPC
Online sale of Drugs NDPS Act
Online sale of Arms Arms Act
4.4 HOW FBI INVESTIGATES CYBER CRIME
Federal law enforcement can only gather proprietary information concerning an
incident in the following ways:
request for voluntary disclosure of information
federal grand jury subpoena
To ensure that your organization can react to an incident efficiently, make sure that
staff knows who is responsible for cyber security and how to reach them. The
following steps will help you document an incident and assist federal, state, and local
law enforcement agencies in their investigation (be sure to act in accordance with
your organization's polices and procedures):
1. Preserve the state of the computer at the time of the incident by making a
backup copy of logs, damaged or altered files, and files left by the intruder.
2. If the incident is in progress, activate auditing software and consider
implementing a keystroke monitoring program if the system log on the
warning banner permits.
3. Document the losses suffered by your organization as a result of the incident.
These could include the
o estimated number of hours spent in response and recovery. (Multiply
the number of participating staff by their hourly rates.)
o cost of temporary help
o cost of damaged equipment
o value of data lost
o amount of credit given to customers because of the inconvenience
o loss of revenue
o value of any trade secrets
4. Contact law enforcement and
o provide incident documentation
o share information about the intruder
o share any ideas about possible motives
4.5 MUMBAI POLICE INVESTIGATION CELL
The Cyber Crime Investigation Cell of Mumbai Police was inaugurated on 18th
December 2000. It deals with the offence related to the computer, computer network,
computer resource, computer systems, computer devices and Internet.
Here are some things you need to know in order to protect yourself from being
1.) There is NO such thing as "free money." If anyone offers you free money, you
should automatically consider him/her a scammer.
2.) No one works for me. I work alone. If anyone says they work for me and have
selected you as a winner of some prize, they are lying.
3.) Never, ever give out your email address to anyone on internet , unless you know
4.) A scammer usually starts by telling you that he/she is looking for a soulmate, they
try to sweet talk to you and make you feel special. Sometimes they even claim to be
part of a church group or whatever. Don‘t fall for their nonsense!
5.) Again, there is NO SUCH THING AS FREE MONEY! A scammer usually asks
for your home address, then they send you a fake check which looks real but it‘s not.
They want you to deposit the check at your bank (usually around $3,000) and want
you to send him/her 90% cash and you keep 10% cash for "helping out."
4.6 WHY TO REPRT CYBER CRIME
Crime in a society is expected to remain at a tolerable level due to the deterrence
factor; early detection of the crime, identification of the criminal who has committed
the crime and awarding of an exemplary punishment to him/her will dissuade other
individuals who would have indulged in such instances in future. An unreported crime
emboldens the criminal to commit further such acts, apart from taking away the
deterrence for others.
Proper reporting also helps policy makers to know of the trends and allocate resources
to adequately tackle newer crimes. Critical infrastructure protection, which has an
impact on a large number of people also benefits by having proper reporting practices.
You may be worried about the loss of reputation or negative publicity; however, most
law enforcement organizations are aware of this and take steps to keep crime details
confidential. They also are sensitive to the fact that the reporting company's business
may depend on the availability of the computer resources involved and can take
appropriate measures to use forensic tools to ensure that business disruption is
4.7 HOW TO REPORT A CYBER CRIME
Filing a complaint/ Writing an application letter.
What details will I be asked to include in my complaint?
You may need to provide the following possible information, along with an
application letter addressing the head of cyber crime investigation cell when filing a
Your mailing address,
Your telephone number,
Specific details on how the offence was committed, along with the names and
addresses of suspects and any other relevant information necessary.
What contents should be there in the application letter?
Contents vary with respect to the type of fraud or crime faced by you.
It is the most common kind of cyber crime happening in India and the victim‘s report
could contain the following information:
Email/IM communications received
Phone numbers of the obscene callers, if any
Website address which contains the profile
Screenshot or the webpage (to be saved and submitted in hard copy)
Other important necessary information could be provided after consulting law
Victims of Cyber Stalking often request webmaster to delete their Profile. Deleting
the profile means the evidence is lost.
When did you access your email account last?
From where and which computer did you browse it?
All information about email account e.g. date of birth entered, pin code
entered and security question and the last password?
What type of documents should be included in my application which can be
considered as proof or evidence in regard to my complaint?
Every possible information which can be provided by you with proper documents can
be included in the application letter and be considered as proof or evidence.
Proof or Evidence may include the following:
Chat-room or newsgroup text or screenshots if taken by you,
Email printouts should contain full email header information,
Transaction acknowledgements or receipts,
Credit card records, transaction details and receipts,
Envelopes or letters received via post courier,
Pamphlets or brochures (if you have received),
Printed or preferably electronic copies of web pages
Keep the necessary information in a safe location; you will be required to
provide them for investigation as and when required.
Note: Proof or documents which will be part of the application are not restricted to
the above list, additional information may be required depending on the nature of
What should I do if I believe my complaint is time sensitive?
You should contact your local police station directly if you believe your matter is time
You can get the crime related information on other below mentioned web sites
Mumbai Police: www.mumbaipolice.org
Pune Police: www.punepolice.com
Thane Police: www.thanepolice.org
Indian Computer Emergency Response
Table 4.1 – Cyber Police Websites
If you think you or anyone you know are in immediate danger, please contact your
local police station or main control room (Phone no. 100) immediately! Online
reporting should NEVER be used in the event of an emergency requiring immediate
(Disclaimer: Contents of this page have been provided for general information and
should not be construed to be legal advice. This web site is not a complete or
authoritative source of legal information. Information on this site therefore should not
be considered legal advice or otherwise relied upon. If you have any specific
questions please contact a lawyer or otherwise seek independent professional advice
before acting on anything contained herein. We do not take any responsibility for
reliance on errors or omissions in the content contained on our web site.)
WHAT TO DO IN CASE OF CYBER CRIME-
we suggest you first contact your local law enforcement authorities (police station)
and let them know what happened, depending on the scope of the crime, it will be
investigated by special cyber crime investigation cell.
INTELLECTUAL PROPERT RIGHTS AND THE LEGAL
FRAMEWORK DEALING WITH IT
Intellectual property (IP) is a term referring to a number of distinct types of
creations of the mind for which a set of exclusive rights are recognized under the
corresponding fields of law. Under intellectual property law, owners are granted
certain exclusive rights to a variety of intangible assets, such as musical, literary, and
artistic works; discoveries and inventions; and words, phrases, symbols, and designs.
Common types of intellectual property rights include copyrights, trademarks, patents,
industrial design rights and trade secrets in some jurisdictions.
Currently, particularly in the United States, the objective of intellectual property
legislators and those who support its implementation is "absolute protection". "If
some intellectual property is desirable because it encourages innovation, they reason,
more is better. The thinking is that creators will not have sufficient incentive to invent
unless they are legally entitled to capture the full social value of their inventions."
This absolute protection or full value view treats intellectual property as another type
of 'real' property, typically adopting its law and rhetoric.
These exclusive rights allow owners of intellectual property to benefit from the
property they have created, providing a financial incentive for the creation of an
investment in intellectual property, and, in case of patents, pay associated research
and development costs.
A Patent is a legal monopoly, which is granted for a limited time by a country to the
owner of an invention. Merely to have a patent does not give the owner the rights to
use or exploit the patented invention. That right may still be affected by other laws
such as health and safety regulation, or the food and drugs regulation or even by other
patents. The patent, in the eyes of the law, is a property right and it can be given
away, inherited, sold, licensed and can even be abandoned. As it is conferred by the
government, the government, in certain cases even after grant or even if it has been, in
the meantime, sold or licensed, can revoke it.
A Patent gives an inventor the right for a limited period to stop others from
making, using, selling or importing an invention without the permission of the
inventor. That is why patent is called a "negative right"
Patents are generally concerned with functional and technical aspects of
products and processes and must fulfill specific conditions to be granted.
Most patents are for incremental improvements in known technology -
evolution rather than revolution. The technology does not have to be complex.
Patent rights are territorial; an Indian patent does not give rights outside of
Patent rights last for up to 20 years in India and in most countries outside
Depending on where you wish your patent to be in effect, you must apply to
the appropriate body. In India, this is The Indian Patent Office. There are
various Patent Offices around the world. Alternatively, a Patent Agent can
apply on your behalf.
5.2.1 LEGAL BASIS
The Patents Act 1970, as amended by The Patents (Amendment) Act 2005.
The Patents Rules, 2003, as amended by The (Amendment) Rules 2006.
5.2.2 FILLING APPLICATION
Any person, even if he or she is a minor, may apply for a patent either alone or jointly
with any other person. Such persons include the inventor, or his assignee or legal
representative in the case of an ordinary application or, in the case of a priority
application, the applicant in the convention country or his assignee or his legal
representative. A corporate body cannot be named as an inventor. Foreigners and
nationals not living in India need an address for service in India for this purpose. They
may appoint a registered agent or representative whose address for service can be the
address for service in India.
5.2.3 PATENT EXAMINATION
Both formal and substantive examinations are made by the Indian Patent Office.
Examination is by request.
5.2.4 PATENT PUBLICATION
Publication takes place 18 months from the date of the application. Urgent publication
is possible on request on payment of fees. On and from the date of publication of
application for patent and until the date of grant of a patent in respect of such
application, the applicant will have the like privileges and rights as if a patent for the
invention had been granted on the date of publication of the application.
5.3 SERVICE MARK
The Trade Mark Act, 1999 has come into force from the 15th of September 2003. An
important feature of the Act is the introduction of the registration of Service Marks in
India. Previously, Service Mark registration in India was not allowed. Protection of
service marks was available only under the common Law. From September 2003, it
has now become possible to separately register and therefore statutorily protect
What are Service Marks? Service Marks are marks used in any form of service
business where actual goods under that mark are not traded. For instance, a Hotel or a
restaurant is a service: under the marks Taj, Oberoi, Sheraton, Meridian, Sher-e-
Punjab, Khyber, Chinese Room, no goods are traded, but services are offered and
purchased, these marks will now be statutorily protected under the Act. Similarly,
marks for software services or business process outsourcing services, or health,
insurance, repair services or airlines services or educational services can be protected
Goods and Services are classified under various classes. Under the old trademark law,
Only 34 classes for goods were available. Under the Act of 99, 11 more classes have
been created for protection of service marks, i.e. classes 35 to 45. The services under
these classes are classified as follows:
Advertising; business management; business administration; office functions
Insurance; financial affairs; monetary affairs; real estate affairs.
Building construction; repair; installation services
Transport; packaging & storage of goods; travel arrangement
Treatment of materials
Education; providing of training; entertainment; sporting & cultural activities
Scientific & technological services, research & design; industrial analysis & research
services; design & development of computer hardware & software; legal services.
Services for providing food & drink; temporary accommodation. Medical services;
veterinary services; hygienic and beauty care for human beings or animals;
agriculture, horticulture and forestry services. Personal and social services rendered
by others to meet the needs of individuals; security services for the protection of
property and individuals.
These are general classes. Each class has hundreds of entries for services falling under
a class. Thus, for instance, Compilation of information into computer databases is a
service falling in class 35 but a service for providing financial information is a service
falling in class 36. Again, a service providing Installation, maintenance and repair of
Computer hardware falls in class 37 but Installation and Maintenance of Computer
software falls in class 42. Class 43 covers hotel and restaurant services. Medical
clinics and Beauty parlors fall in class 44 and horoscope casting in class 45.
5.4 TRADE MARK
A Trademark is any sign which can distinguish the goods and services of one trader
from those of another. A sign includes words, logos, colours, slogans, three-
dimensional shapes and sometimes sounds and gestures.
A trademark is therefore a "badge" of trade origin. It is used as a marketing tool so
that customers can recognise the product of a particular trader. To be registrable in
India it must also be capable of being represented graphically, that is, in words and/or
5.4.1 CHANGES IN THE INDIAN TRADEMARK LAW
A new Trademark regime has been introduced in India since September 15, 2003.
The new Trade Marks Act, 1999 has many innovative features:
 Service Marks:
A mechanism is now available to protect marks used in the service industry. Thus
businesses providing services like computer hardware and software assembly and
maintenance, restaurant and hotel services, courier and transport, beauty and health
care, advertising, publishing, educational and the like are now in a position to protect
their names and marks.
 Collective Marks:
Marks being used by a group of companies can now be protected by the group
 Well-known marks:
Marks, which are deemed to be well known, are defined. Such marks will enjoy
greater protection. Persons will not be able to register or use marks, which are
imitations of well-known trademarks.
 Enlarged scope of registration:
Persons who get their marks registered for particular goods in a particular class and
commence using their marks can sue and prevent other persons from
(i) Using the same or similar marks even for different goods falling in other classes;
(ii) Using the same or similar marks even only as part of their firm name or company
(iii) Using the same or similar mark only in advertising or on business papers;
(iv) Importing or exporting goods under the said trade mark;
(v) Unauthorized oral use of the said trademark.
 Stringent punishment:
Punishment for violating a trademark right has been enhanced. The offence has now
been made cognizable and wide powers have been given to the police to seize
infringing goods. At the same time the power of the Courts to grant ex parte
injunctions have been amplified.
 Appellate Board:
An appellate board (IPAB) has been constituted based in Chennai for speedy disposal
of Appeals and rectification applications.
 Expedited procedure:
Mechanisms have been set in place for expediting search and registration by paying
five times the normal fee.
 Enhanced renewal period:
Registered trademarks need to be renewed every ten years.
 License agreements do not need to be compulsorily registered.
 Marks may include the shape of goods.
 Marks may include a combination of colors.
5.4.2 LEGAL BASIS
The Trade Marks Act, 1999
The Trade Marks Rules, 1959. The law is based mainly on the United
Kingdom Trade Marks law and provides for the registration of trademarks
which are being used, or which will be used, for certain goods to indicate a
connection between them and some person who has the right to use the marks
with or without any indication as to the identity of the person.
Copyright Registration in India gives the creators of a wide range of material, such
as literature, art, music, sound recordings, films and broadcasts, economic rights
enabling them to control use of their material in a number of ways, such as by making
copies, issuing copies to the public, performing in public, broadcasting and use on-
line. It also gives moral rights to be identified as the creator of certain kinds of
material and to object to its distortion or its mutilation. (Material protected by
copyright is termed a "work".)
However, copyright does not protect ideas, names or titles. The purpose of copyright
law in India is to allow copyright registrants to gain economic rewards for their efforts
and so encourage future creativity and the development of new material which
benefits us all. Copyright material is usually the result of creative skill and/or
significant labour and/or investment and without protection, it would often be very
easy for others to exploit material without paying the creator. Most uses of copyright
material therefore require permission from the copyright owner. However there are
exceptions to copyright, so that some minor uses may not result in copyright
Copyright protection is automatic as soon as there is a record in any form of the
material that has been created. Under the Indian Copyright Act there is a provision to
register copyright although this is voluntary.
5.5.1 OWNER OF COPYRIGHT
In the case of a literary, dramatic, musical or artistic work, the general rule is
that the author, i.e. the person who created the work, is the first owner of the
economic rights under copyright. However, where such a work is made in the
course of employment, the employer is the first owner of these rights, unless
an agreement to the contrary has been made with the author.
In the case of a film, the principal director and the film producer are joint
authors and first owners of the economic rights and similar provisions as
referred to above apply where the director is employed.
In the case of a sound recording the record producer is the author and first
owner of copyright; in the case of a broadcast, the broadcaster; and in case of a
published edition, the publisher.
Copyright is, however, a form of property which, like physical property, can be
bought or sold, inherited or otherwise transferred, wholly or in part. So, some or all of
the economic rights may subsequently belong to someone other than the first owner.
In contrast, the moral rights accorded to authors of literary, dramatic, musical and
artistic works and film directors remain with the author or director or pass to his or
her heirs on death. Copyright in material produced by a Government department
belongs to the Government of India.
Copyright owners generally have the right to authorise or prohibit any of the
following things in relation to their works:
Copying of the work in any way eg. photocopying / reproducing a printed
page by handwriting, typing or scanning into a computer / taping live or
Issuing copies of the work to the public.
Public delivery of lectures or speeches etc.
Broadcasting of the work, audio / video or including it in a cable programme.
Making an adaptation of the work such as by translating a literary or dramatic
work, transcribing a musical work and converting a computer program into a
different computer language or code.
Copyright is infringed when any of the above acts are done without authorisation,
whether directly or indirectly and whether the whole or a substantial part of a work,
unless what is done falls within the scope of exceptions to copyright permitting
certain minor uses of material.
There are a number of exceptions to copyright that allow limited use of copyright
works without the permission of the copyright owner. For example, limited use of
works may be possible for research and private study, criticism or review, reporting
current events, judicial proceedings, teaching in schools and other educational
establishments and not for profit playing of sound recordings.
But if you are copying large amounts of material and/or making multiple copies then
you may still need permission. Also where a copyright exception covers publication
of excerpts from a copyright work, it is generally necessary to include an
acknowledgement. Sometimes more than one exception may apply to the use you are
Exceptions to copyright do not generally give you rights to use copyright material;
they just state that certain activities do not infringe copyright. So it is possible that an
exception could be overridden by a contract you have signed limiting your ability to
do things that would otherwise fall within the scope of an exception.
It is important to remember that just buying or owning the original or a copy of a
copyright work does not give you permission to use it the way you wish. For example,
buying a copy of a book, CD, video, computer program etc does not necessarily give
you the right to make copies (even for private use), play or show them in public.
Other everyday uses of copyright material, such as photocopying, scanning,
downloading from a CD-ROM or on-line database, all involve copying the work. So,
permission is generally needed. Also, use going beyond an agreed licence will require
Design means only the features of shape, configuration, pattern or ornament or
composition of lines or color or combination thereof applied to any article whether
two dimensional or three dimensional or in both forms, by any industrial process or
means, whether manual, mechanical or chemical, separate or combined, which in the
finished article appeal to and are judged solely by the eye but does not include any
mode or principle of construction or any thing which is in substance a mere
mechanical device and does not include any trade mark, as defined in clause (v) of
sub-section of Section 2 of the Trade and Merchandise Marks Act, 1958, property
mark or artistic works as defined under Section 2(c) of the Copyright Act, 1957.
In India, designs are protected by two legal rights:
Registered designs and
Design registration in India gives the owner, a monopoly on his or her product, i.e. the
right for a limited period to stop others from making, using or selling the product
without their permission and is additional to any design right or copyright protection
that may exist automatically in the design.
5.6.1 LEGAL BASIS
Designs Act, 2000
Designs Rules, 2001
5.6.2 ARTICLE UNDER THE DESIGNS ACT, 2000
Under the Designs Act, 2000 the "article" means any article of manufacture and any
substance, artificial, or partly artificial and partly natural and includes any part of an
article capable of being made and sold separately.
5.6.3 SET OF ARTICLES UNDER DESIGN ACT, 2000
If a group of articles meets the following requirements then that group of articles may
be regarded as a set of articles under the Designs Act, 2000:
Ordinarily on sale or intended to be used together.
All having common design even though articles are different (same class).
Same general character. Generally, an article having the same design and sold
in different sizes is not considered as a set of articles. Practical example: "Tea
set", "Pen set", "Knife set" etc.
5.6.4 ESSENTIAL REQUIREMENTS FOR REGISTRATION OF DESIGN
The design should be new or original, not previously published or used in any
country before the date of application for registration. The novelty may reside
in the application of a known shape or pattern to new Subject matter. Practical
example: The known shape of "Qutub Minar" when applied to a cigarette
holder the same is registrable. However, if the design for which application is
made does not involve any real mental activity for conception, then
registration may not be considered.
The design should relate to features of shape, configuration, pattern or
ornamentation applied or applicable to an article. Thus, designs of industrial
plans, layouts and installations are not registerable under the Act.
The design should be applied or applicable to any article by any industrial
process. Normally, designs of artistic nature like painting, sculptures and the
like which are not produced in bulk by any industrial process are excluded
from registration under the Act.
The features of the design in the finished article should, appeal to and are
judged, solely by the eye. This implies that the design must appear and should
be visible on the finished article, for which it is meant; Thus, any design in the
inside arrangement of a box, money purse or almirah may not be considered
for showing such articles in the open state, as those articles are generally put
in the market in the closed state.
Any mode or principle of construction or operation or any thing which is in
substance a mere mechanical device, would not be registerable design. For
instance, a key having its novelty only in the shape of its corrugation or bend
at the portion intended to engage with levers inside the lock associated with,
cannot be registered as a design under the Act. However, when any design
suggests any mode or: principle of construction or mechanical or other action
of a mechanism, a suitable disclaimer in respect thereof is required to be
inserted on its representation, provided there are other registerable features in
The design should not include any Trade Mark or property mark or artistic works as
defined under the Copyright Act, 1957.
Copyright is a legal concept, enacted by most governments, giving the creator of an
original work exclusive rights to it, usually for a limited time. Generally, it is "the
right to copy", but also gives the copyright holder the right to be credited for the
work, to determine who may adapt the work to other forms, who may perform the
work, who may financially benefit from it, and other related rights. It is an intellectual
property form (like the patent, the trademark, and the trade secret) applicable to any
expressible form of an idea or information that is substantive and discrete.
Copyright initially was conceived as a way for government to restrict printing; the
contemporary intent of copyright is to promote the creation of new works by giving
authors control of and profit from them. Copyrights are said to be territorial, which
means that they do not extend beyond the territory of a specific state unless that state
is a party to an international agreement. Today, however, this is less relevant since
most countries are parties to at least one such agreement. While many aspects of
national copyright laws have been standardized through international copyright
agreements, copyright laws of most countries have some unique features. Typically,
the duration of copyright is the whole life of the creator plus fifty to a hundred years
from the creator's death, or a finite period for anonymous or corporate creations.
Some jurisdictions have required formalities to establishing copyright, but most
recognize copyright in any completed work, without formal registration. Generally,
copyright is enforced as a civil matter, though some jurisdictions do apply criminal
Most jurisdictions recognize copyright limitations, allowing "fair" exceptions to the
creator's exclusivity of copyright, and giving users certain rights. The development of
digital media and computer network technologies have prompted reinterpretation of
these exceptions, introduced new difficulties in enforcing copyright, and inspired
additional challenges to copyright law's philosophic basis. Simultaneously, businesses
with great economic dependence upon copyright have advocated the extension and