SITA LAB REPORT (XYBER CRIME)

Published in: Business, Technology

CHAPTER 1
VARIOUS ACTS DEALING WITH CYBER CRIMES IN INDIA

1.1 ABOUT THE TOPIC

Information technology solutions have paved the way to a new world of internet, business networking and e-banking, emerging as a way to reduce costs and to make complex economic affairs easier, faster, more efficient and less time-consuming. The internet has emerged as a blessing for the present pace of life, but it has also brought various threats to the consumers and institutions for which it has proved most beneficial. Criminals such as hackers and crackers have found ways to interfere with internet accounts through techniques such as hacking the Domain Name Server (DNS), Internet Provider's (IP) address, spoofing, phishing, internet phishing etc., and have succeeded in gaining "unauthorised access" to users' computer systems and in stealing useful data to make huge profits from customers' accounts.

The intentional use of information technology by cyber terrorists to produce destructive and harmful effects on the tangible and intangible property of others is called "cyber crime". Cyber crime is clearly an international problem with no national boundaries. Hacking attacks can be launched from any corner of the world without any fear of being traced or prosecuted easily. A cyber terrorist can collapse the economic structure of a country from a place with which that country might not have any arrangement, such as an "extradition treaty", to deal with that criminal. The only safeguard would be better technology to combat the technology already evolved and known to the hackers. But that, too, remains at risk of being overtaken by intelligent computer criminals.

This seminar contributes an understanding of the effects of the negative use of information technology, how far the present law in India is successful in dealing with the issue, and in what way the legal structure is lagging in curbing the crime. It also considers possible changes needed in the system and ways to combat cyber terrorism so as to have safe and trustworthy transactions.
Though many techniques have evolved to curb the criminal activities of cyber terrorists, the problem persists in the legal structure, which has failed to produce a deterrent effect on the criminals. If the suggestions are undertaken in light of the conclusion, there can be better co-ordination among various national and international agencies to make the system more efficient and the Information Technology Act 2000 more secure and trustworthy. It can still hold good for the objects for which it was enacted, namely to provide benefits to society. This seminar supports the view that until the crime rate is curbed, technology cannot produce the benefits for which it was created.

1.2 WHAT IS CYBER CRIME

Cyber terrorists usually use the computer as a tool, a target, or both for their unlawful acts, either to gain information or to cause heavy loss or damage to the owner of that intangible sensitive information. The internet is one of the means by which offenders can gain such price-sensitive information about companies, firms, individuals and banks, and commit intellectual property crimes (such as stealing new product plans, their descriptions, marketing programme plans, lists of customers etc.), sell illegal articles, distribute pornography etc. This is done through many methods such as phishing, spoofing, pharming, wire transfer etc., and the information is used to the offenders' own advantage without the consent of the individual. Many banks, financial institutions, investment houses, brokering firms etc. are being victimised and threatened by cyber terrorists to pay extortion money to keep their sensitive information intact and avoid huge damages. It has been reported that many institutions in the US, Britain and Europe have secretly paid them to prevent a huge meltdown or collapse of confidence among their consumers.
1.3 EMERGENCE OF INFORMATION TECHNOLOGY ACT, 2000

In India, the Information Technology Act 2000 was enacted after the United Nations General Assembly Resolution A/RES/51/162, dated the 30th January, 1997, by adopting the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This was the first step towards a law relating to e-commerce at the international level, to regulate an alternative form of commerce and to give legal status in the area of e-commerce. It was enacted taking into consideration the UNCITRAL Model Law on e-commerce 1996.

1.3.1 SOME NOTEWORTHY PROVISIONS UNDER THE INFORMATION TECHNOLOGY ACT, 2000

| SECTION | CRIME | SENTENCE |
|---|---|---|
| Sec.43 | Damage to computer system etc. | Compensation of Rupees 1 crore. |
| Sec.66 | Hacking (with intent or knowledge) | Fine of 2 lakh rupees, and imprisonment for 3 years. |
| Sec.67 | Publication of obscene material in e-form | Fine of 1 lakh rupees, and imprisonment of 5 years, and double conviction on second offence. |
| Sec.68 | Not complying with directions of controller | Fine up to 2 lakh and imprisonment of 3 years. |
| Sec.70 | Attempting or securing access to computer | Imprisonment up to 10 years. |
| Sec.72 | For breaking confidentiality of the information of computer | Fine up to 1 lakh and imprisonment up to 2 years. |
| Sec.73 | Publishing false digital signatures, false in certain particulars | Fine of 1 lakh, or imprisonment of 2 years, or both. |
| Sec.74 | Publication of Digital Signatures for fraudulent purpose | Imprisonment for the term of 2 years and fine of 1 lakh rupees. |

Table 1.1 – Sections under IT Act 2000

1.4 TYPES OF ATTACKS BY HACKER

A hacker is a computer expert who uses his knowledge to gain unauthorized access to a computer network. The term covers not only a person who intends to break into the system but also one who has no intent to damage the system and only intends to learn more by using someone else's computer. Crackers, on the other hand, use the information to cause disruption to the network for personal and political motives. Hacking by an insider or an employee is quite prominent at the present date. Section 66 (b) of the Information Technology Act 2000 provides punishment of imprisonment for a term of 3 years, a fine which may extend to two lakh rupees, or both.

Banks and other financial institutions are threatened by terrorist groups with the use of their sensitive information, which would result in heavy loss, and are in turn asked for a ransom. There are various methods used by hackers to gain unauthorised access to computers apart from the use of viruses like Trojans and worms etc.

Anyone who secures access to any computer without the permission of the owner shall be liable to pay damages of one crore rupees under the Information Technology Act, 2000. Computer system here means a device, including input and output support devices and systems, which is capable of performing logical, arithmetical, data storage and retrieval, communication control and other functions, but excludes calculators. Unauthorised access under Section 43 of the Information Technology Act 2000 is punishable regardless of the intention or purpose for which the unauthorised access to the computer system was made. The owner need not prove the fact of loss, only the fact of the system having been used without his authorisation. The case of United States v. Rice is important in this regard: the defendant, at the request of his friend (who was under investigation by an IRS officer), tried to find the status of his friend's case by using the officer's computer without his consent. Though it did not cause any damage or loss to the plaintiff (officer), he was convicted by the jury for accessing the computer system of a Government without authority, and his conviction was later confirmed. Even a person who provides any assistance to another to gain unauthorised access to a computer shall be liable to pay damages by way of compensation of Rupees 1 crore.

Does turning on the computer lead to unauthorized access? Section 1 of the Computer Misuse Act, 1990 comprises two elements: there must be an intent to secure access to any programme or data held in any computer, and the person must know that he intends to secure unauthorized access. E.g. when the defendant went to his former employee to purchase certain equipment and the salesperson was not looking, he was alleged to have keyed certain commands into the computerized till, granting himself a substantial discount. Though section 1 (1) (a) requires "that second computer must be involved", the judiciary in the case of R v. Sean Cropp believed that Parliament would have intended to restrict the offence even if a single computer system was involved.

A) Computer Viruses: Viruses are used by hackers to infect the user's computer and damage data saved on the computer by use of a "payload" which carries damaging code. A person would be liable under the I.T. Act only when the consent of the owner is not taken before inserting the virus in his system. The contradiction here is that certain viruses cause only temporary interruption by showing messages on the user's screen, and this is not punishable under the Information Technology Act 2000 as it does not cause tangible damage. But it must be made punishable, as it would fall under the ambit of 'unauthorised access' even though it does not cause any damage.
Harmless viruses would also fall under the expression used in the provision "to usurp the normal operation of the computer, system or network". This ambiguity needs reconsideration.

B) Phishing: By using e-mail messages which closely resemble the original mail messages sent to customers, hackers can ask for verification of certain information, like account numbers or passwords etc. The customer might not know that the e-mail messages are deceptive and would fail to judge the authenticity of the messages. This results in huge financial loss when the hackers use that information for fraudulent acts like withdrawing money from the customer's account without his knowledge.

C) Spoofing: This is carried out by use of deceptive websites or e-mails. These sources mimic the original websites very well by use of logos, names, graphics and even the code of the real bank's site.

D) Phone Phishing: This is done by use of voice messages by the hackers, in which customers are asked to reveal their account identification and passwords in order to file a complaint about any problems regarding their accounts with banks etc.

E) Internet Pharming: The hacker here aims at redirecting the website used by the customer to another bogus website by hijacking the victim's DNS server (the computers responsible for resolving internet names into real addresses, the "signposts of the internet") and changing its I.P. address to that of the fake website by manipulating the DNS server. This redirects the user from the original website to a false, misleading website to gain unauthorised information.

F) Risk Posed On Banks And Other Institutions: Wire transfer is the way of transferring money from one account to another or transferring cash at a cash office. This is the most convenient way of transferring cash for customers and of money laundering for cyber terrorists. There are many guidelines issued by the Reserve Bank of India (RBI) in this regard, one of which is the KYC (Know Your Customer) norms of 2002, the main objectives of which are to:
1) Ensure appropriate customer identification, and
2) Monitor transactions of a suspicious nature and report them to the appropriate authority on an everyday basis.
G) Publishing Pornographic Material In Electronic Form: Section 67 of the Information Technology Act, 2000, in parallel to Section 292 of the Indian Penal Code, 1860, makes publication and transmission in electronic form of any material that is lascivious or appeals to the prurient interest a crime, punishable with imprisonment which may extend to 5 years and a fine of 1 lakh rupees, and for a subsequent offence with imprisonment extending to 10 years and a fine of 2 lakhs.
Various tests were laid down gradually in the course of time to determine the actual crime in the case of obscene material published in electronic form on the net. The Hicklin test was adopted in America in the case of Regina v. Hicklin, wherein the test was held to be whether "the material has tendency is to deprave and corrupt those whose minds are open to such immoral influences, and into whose hands a publication of this sort may fall".

In the Indian scenario, in the case of Ranjit D. Udeshi v. State of Maharashtra, the Supreme Court admitted that the Indian Penal Code does not define obscenity though it provides punishment for publication of obscene matter. There is a very thin line between material which could be called obscene and material which is artistic. The Court even stressed the need to maintain a balance between the fundamental right of freedom of speech and expression and public decency and morality. The question is whether the matter is likely to deprave and corrupt those minds which are open to such influence and into whose hands the material is likely to fall. Where obscenity and artistic matter are so mixed up that the obscenity falls into shadow as insignificant, the obscenity may be overlooked.

In the case of Miller v. California it was held that the local community standard must be applied at the time of determination of the offence. Electronic material can traverse many jurisdictions and can be accessed in any part of the globe, so wherever the material can be accessed, the community standards of that country would be applicable to determine the offence of publication of obscene material posted in electronic form. Knowledge of obscenity under the Information Technology Act 2000 and the Indian Penal Code may be taken as a mitigating factor but does not take the case out of the provision.

Section 72 of the Information Technology Act, 2000 provides punishment for unauthorised access to information, or disclosure of that information to a third person, with imprisonment up to 2 years or a fine which may extend to 1 lakh rupees, or both.
English courts have also dealt with the issue of what activities would constitute a crime under existing legislation. In the case of R. v. Fellows and Arnold it was held that the legislation before the 1994 amendment would also enable computer data to be considered a 'copy of an indecent photograph', and that making images available for downloading from a website would constitute material being 'distributed or shown'. The statute is wide enough to deal with the use of computer technology.
(H) Investment Newsletter: We usually get newsletters providing free information recommending which field of investment would be profitable. These may sometimes be fraudulent and may cause huge loss if relied upon. False information about any company can be spread by this method and can cause huge inconvenience or loss through junk mail online.

(I) Credit Card Fraud: Huge loss may be caused to the victim by this kind of fraud. This is done by publishing false digital signatures. Most people lose credit cards on the way of delivery to the recipient, or the card is damaged, defective, misrepresented etc.

1.5 MEASURES TO CURB THE CRIME

With the passage of time, technology has improved to provide easier and more user-friendly methods for consumers to carry out their daily activities, but it has at the same time led to a harsh world of security threats from agents like hackers, crackers etc. Various information technology methods have been introduced to curb such destructive activities and to achieve the main object of the technology, which is to provide some sense of security to users. A few basic, prominent measures used to curb cyber crimes are as follows:

A) Encryption: This is considered an important tool for protecting data in transit. Plain text (readable) can be converted to cipher text (coded language) by this method, and the recipient of the data can decrypt it, converting it into plain text again, by using the private key. This way, except for the recipient who is the possessor of the private key needed to decrypt the data, no one can gain access to the sensitive information. Not only information in transit but also information stored on a computer can be protected by using the conventional cryptography method. The usual problem lies in the distribution of keys, as anyone who overhears or intercepts a key can bring the whole object of encryption to a standstill.
Public key cryptography was one solution to this: the public key can be known to the whole world but the private key is known only to the receiver, and it is very difficult to derive the private key from the public key.
B) Synchronised Passwords: These are schemes used to change the password at the user's token and at the host. The password on a synchronised card changes every 30-60 seconds, which makes it valid for only a one-time log-on session. Other useful methods introduced are signature, voice, fingerprint identification or retinal and biometric recognition etc. to input passwords and pass phrases.

C) Firewalls: A firewall creates a wall between the system and possible intruders to protect classified documents from being leaked or accessed. It lets into the computer only data which is recognised and verified by one's system. It permits access to the system only to those already registered with the computer.

D) Digital Signature: Digital signatures are created by means of cryptography, by applying algorithms. They have a prominent use in the business of banking, where a customer's signature is identified by this method before banks enter into huge transactions.

1.6 INVESTIGATION AND SEARCH PROCEDURES

Section 75 of the Information Technology Act, 2000 takes care of the jurisdictional aspect of cyber crimes: one would be punished irrespective of his nationality and the place of commission of the offence. The power of investigation has been given to a police officer not below the rank of Deputy Superintendent of Police, or any officer of the Central Government or a State Government authorised by the Central Government. He may enter any public place, conduct a search and arrest without warrant a person who is reasonably suspected of having committed, or of being about to commit, a computer-related crime. The accused has to be produced before a magistrate within 24 hours of arrest. The provisions of the Criminal Procedure Code, 1973 regulate the procedure of entry, search and arrest of the accused.

1.6.1 PROBLEMS UNDERLYING TRACKING OF EVENTS

Most of the time offenders commit the crime and their identity is hard to establish.
Tracking cyber criminals requires a proper law-enforcing agency working through cross-border co-operation of the governments, businesses and institutions of other countries. Most countries lack skilled law enforcement personnel to deal with computer and even broader information technology related crimes. Law enforcement agencies usually also do not take these crimes seriously and attach no importance to enforcement against cyber crimes, and even if they undertake to investigate, they face the limitation of the extra-territorial nature of the crimes.

1.7 HOW EFFICIENT IS IT ACT 2000?

It cannot be disputed that the Information Technology Act, 2000, though it provides certain kinds of protection, does not cover all the spheres of I.T. where protection must be provided. Copyright and trade mark violations do occur on the net, but the Copyright Act 1976 and the Trade Mark Act 1994, which specifically deal with these matters, are silent on them. There is therefore no enforcement machinery to ensure the protection of domain names on the net. Transmission of e-cash and online transactions are not given protection under the Negotiable Instruments Act, 1881. Online privacy is not protected: only Section 43 (penalty for damage to computer or computer system) and Section 72 (breach of confidentiality or privacy) talk about it to some extent, but they do not hinder the violations caused in cyberspace.

Even the Internet Service Provider (ISP) who transmits third-party information without human intervention is not made liable under the Information Technology Act, 2000. One can easily take shelter under the exemption clause if he proves that the offence was committed without his knowledge or that he exercised due diligence to prevent the offence. It is hard to prove the commission of an offence, as the terms "due diligence" and "lack of knowledge" have not been defined anywhere in the Act. Unfortunately the Act also does not mention how extra-territoriality would be enforced. This aspect is completely ignored by the Act, even though it came into existence to look into cyber crime, which is on the face of it an international problem with no territorial boundaries.
1.8 DATA PROTECTION

Information stored on a computer would be the property of the computer's owner and must be protected. There are many ways such information can be misused, like 'unauthorized access, computer viruses, data typing, modification, erasures etc.' Legislators have been constantly confronted with the problem of balancing the right of individuals over computer information against other people's claim to be allowed access to information under Human Rights.

The first enactment in this regard was the Data Protection Act by Germany in the year 1970. This was widely accepted by the world and also contributed to the Information Technology Act. The origin of laws on data protection dates back to 1972, when the United Kingdom formed a committee on privacy which came up with ten principles, on the basis of which a data protection committee was set up. The Data Protection Act, 1984 (DPA) was the United Kingdom's response to the Council of Europe Convention 1981; this Act lacked a proper enforcement mechanism and did little to enforce individuals' rights and freedoms. The European Union directive of 1995, the European Convention on Human Rights (ECHR), the Human Rights Acts, and the further introduction of the Data Protection Act, 1998 have done much in the field of data protection at the present date.

The Data Protection Act has the following aims and objectives: personal information shall only be obtained for a lawful purpose, shall only be used for that purpose, must not be disclosed or used to effectuate any unlawful activity, and must be disposed of when the purpose is fulfilled.

Though the Data Protection Act aims at protecting privacy in relation to information, we find no mention of the word "privacy" in the Act, nor is it defined. Further, the protection comes with various exemptions, including compulsory notification from the Commissioner in certain cases of personal data. Because the regime of information technology has changed since the date of the European Convention on which the Act is based, amendments to the Act are advised to match the present situation and curb the crime in an efficient way.
There is no Data Protection Act in India; the only provisions which talk about data protection are Section 72 and Section 43 of the Information Technology Act, 2000. There must be a new law to deal with the situation, so that a person knows that the Controller is processing data concerning him and also knows the purpose for which it is being processed. It is a fundamental right of the individual to retain private information concerning him, provided under Article 21 of the Indian Constitution, which says: "No person shall be deprived of his life or personal liberty except according to procedure established by law". Owing to the increasing trend of the crime rate in the field, separate legislation is required in this context for better protection of individuals.
CHAPTER 2
WHAT CONSTITUTES A CYBER CRIME IN THE COUNTRY

2.1 INTRODUCTION TO CYBER CRIME

In simple words, cyber crime is defined as crime committed over the Internet. A generalized definition of cyber crime may be "unlawful acts wherein the computer is either a tool or target or both". The computer may be used as a tool in the following kinds of activity: financial crimes, sale of illegal articles, pornography, online gambling, intellectual property crime, e-mail spoofing, forgery, cyber defamation, cyber stalking. The computer may however be the target of unlawful acts in the following cases: unauthorized access to computer/computer system/computer networks, theft of information contained in electronic form, e-mail bombing, data diddling, salami attacks, logic bombs, Trojan attacks, internet time thefts, web jacking, theft of computer system, physically damaging the computer system.

Cyber crime is the latest and perhaps the most complicated problem in the cyber world. "Any criminal activity that uses a computer either as an instrumentality, target or a means for perpetuating further crimes comes within the ambit of cyber crime".

The internet in India is growing rapidly. It has given rise to new opportunities in every field we can think of – be it entertainment, business, sports or education. The internet, along with its advantages, has also exposed us to the security risks that come with connecting to a large network. Computers today are being misused for illegal activities like e-mail espionage, credit card fraud, spam, software piracy and so on, which invade our privacy and offend our senses. Criminal activities in cyberspace are on the rise.
"The modern thief can steal more with a computer than with a gun. Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb".

1.2 CLASSIFICATION OF CYBER CRIME

Cyber crimes can be basically divided into 3 major categories:
1. Cybercrimes against persons.
2. Cybercrimes against property.
3. Cybercrimes against government.

Cybercrimes committed against persons include various crimes like transmission of child pornography and harassment of anyone with the use of a computer, such as by e-mail. The potential harm of such a crime to humanity can hardly be amplified. This is one cybercrime which threatens to undermine the growth of the younger generation and also to leave irreparable scars and injury on the younger generation, if not controlled.

Another example, wherein the damage was done not to a person but to the masses, is the case of the Melissa virus. The Melissa virus first appeared on the internet in March of 1999. It spread rapidly throughout computer systems in the United States and Europe. It is estimated that the virus caused 80 million dollars in damages to computers worldwide. In the United States alone, the virus made its way through 1.2 million computers in one-fifth of the country's largest businesses. There are numerous examples of such computer viruses, a few of them being "Melissa" and "love bug".

Cyberharassment is a distinct cybercrime. Various kinds of harassment can and do occur in cyberspace, or through the use of cyberspace. Harassment can be sexual, racial, religious, or other. Persons perpetuating such harassment are also guilty of cybercrimes. Cyberharassment as a crime also brings us to another related area, the violation of the privacy of citizens. Violation of the privacy of online citizens is a cybercrime of a grave nature. No one likes any other person invading the invaluable and extremely touchy area of his or her own privacy which the medium of the internet grants to the citizen.

The second category of cyber crimes is that of cybercrimes against property. These crimes include computer vandalism (destruction of others' property) and transmission of harmful programmes. A Mumbai-based upstart engineering company lost a say and much money in the business when the rival company, an industry major, stole the technical database from their computers with the help of a corporate cyberspy.

The third category of cyber crimes relates to cybercrimes against Government. Cyberterrorism is one distinct kind of crime in this category. The growth of the internet has shown that the medium of cyberspace is being used by individuals and groups to threaten international governments and also to terrorise the citizens of a country. This crime manifests itself as terrorism when an individual "cracks" into a government or military maintained website. In a report of expressindia.com, it was said that the internet was becoming a boon for terrorist organisations. According to Mr. A.K. Gupta, Deputy Director (Co-ordination), CBI, terrorist outfits are increasingly using the internet to communicate and move funds. During the investigation of the Red Fort shootout in Dec. 2000, the accused Ashfaq Ahmed of this terrorist group revealed that the militants are making extensive use of the internet to communicate with the operatives and the sympathisers and are also using the medium for intra-bank transfer of funds.

Cracking is amongst the gravest cyber crimes known to date. It is a dreadful feeling to know that a stranger has broken into your computer systems without your knowledge and consent and has tampered with precious confidential data and information. Coupled with this, the actuality is that no computer system in the world is cracking proof.
It is unanimously agreed that any and every system in the world can be cracked. The recent denial of service attacks seen on popular commercial sites like E-bay, Yahoo, Amazon and others are a new category of cyber crimes which are slowly emerging as being extremely dangerous.

1.3 TYPES OF CYBER CRIME

1. CYBER STALKING

Cyber stalking can be defined as repeated acts of harassment or threatening behavior by the cyber criminal towards the victim using Internet services. Stalking in general terms can be referred to as repeated acts of harassment targeting the victim, such as:
  • Following the victim
  • Making harassing phone calls
  • Killing the victim's pet
  • Vandalizing the victim's property
  • Leaving written messages or objects

Stalking may be followed by serious violent acts such as physical harm to the victim, and it has to be treated and viewed seriously. It all depends on the course of conduct of the stalker.

Cyber-stalking refers to the use of the Internet, e-mail, or other electronic communications devices to stalk another person. It is a relatively new form of harassment, unfortunately rising to alarming levels, especially in big cities like Mumbai.

2. DENIAL OF SERVICE

This is an act by a criminal who floods the bandwidth of the victim's network or fills his e-mail box with spam mail, depriving him of the services he is entitled to access or provide. This act is committed by techniques called spoofing and buffer overflow. The criminal spoofs the IP address and floods the network of the victim with repeated requests. Since the IP address is fake, the victim machine keeps waiting for a response from the criminal's machine for each request. This consumes the bandwidth of the network, which then fails to serve legitimate requests and ultimately breaks down.

Fig. 2.1 How attack happens

3. HACKING

Hacking in simple terms means illegal intrusion into a computer system without the permission of the computer owner/user.
Purposes of hacking
  • Greed
  • Power
  • Publicity
  • Revenge
  • Adventure
  • Desire to access forbidden information
  • Destructive mindset

Every act committed towards breaking into a computer and/or network is hacking. Hackers write or use ready-made computer programs to attack the target computer. They possess the desire to destroy and they get a kick out of such destruction. Some hackers hack for personal monetary gain, such as stealing credit card information or transferring money from various bank accounts to their own account, followed by withdrawal of the money. They extort money from some corporate giant by threatening to publish stolen information which is critical in nature. Government websites are hot targets for hackers due to the press coverage they receive.

About Hackers, Crackers and Phreaks

The original meaning of the word "hack" was born at MIT, and originally meant an elegant, witty or inspired way of doing almost anything. Now the meaning has changed to become something associated with breaking into or harming any kind of computer or telecommunications system. Purists claim that those who break into computer systems should properly be called "crackers" and those targeting phones should be known as "phreaks".

Web Jacking

This term is derived from the term hijacking. In these kinds of offences the hacker gains access to and control over the web site of another. He may even mutilate or change the information on the site. This may be done for fulfilling political objectives or for money. E.g. recently the site of MIT (Ministry of Information Technology) was hacked by Pakistani hackers and some obscene matter was placed therein. Further, the site of the Bombay crime branch was also web jacked. Another case of web jacking is that of the 'gold fish' case. In this case the site was hacked and the information pertaining to gold fish was changed. Further, a ransom of US $ 1 million was demanded. Thus web jacking is a process whereby control over the site of another is taken, backed by some consideration for it.

4. ONLINE FRAUD

The net is a boon for people to conduct business effectively and very quickly. It saves businesses a lot of time, money and resources. Unfortunately, the net is also an open invitation to scamsters and fraudsters, and online frauds are becoming increasingly rampant.

Spoof websites and email security alerts

Fraudsters create authentic-looking websites that are actually nothing but a spoof. The purpose of these websites is to make the user enter personal information. This information is then used to access business and bank accounts. Fraudsters are increasingly turning to email to generate traffic to these websites. A lot of customers of financial institutions recently received such emails. Such emails usually contain a link to a spoof website and mislead users into entering user IDs and passwords on the pretence that security details can be updated or passwords changed.

If you ever get an email containing an embedded link and a request for you to enter secret details, treat it as suspicious. Do not input any sensitive information that might help provide access to your accounts, even if the page appears legitimate. No reputable company ever sends emails of this type.

Virus hoax emails

It is a sad fact of life that there are those who enjoy exploiting the concerns of others. Many emailed warnings about viruses are hoaxes, designed purely to cause concern and disrupt businesses.
  20. 20. 21 These warnings may be genuine, so don't take them lightly, but always check the story out by visiting an anti-virus site such as McAfee, Sophos or Symantec before taking any action, including forwarding them to friends and colleagues. Lottery Frauds These are letters or emails, which inform the recipient that he/ she has won a prize in a lottery. To get the money, the recipient has to reply. After which another mail is received asking for bank details so that the money can be directly transferred. The email also asks for a processing fee/ handling fee. Of course, the money is never transferred in this case, the processing fee is swindled and the banking details are used for other frauds and scams. 5. PORNOGRAPHY Child pornography is a very unfortunate reality of the Internet. The Internet is being highly used by its abusers to reach and abuse children sexually, worldwide. The Internet is very fast becoming a household commodity in India. Its explosion has made the children a viable victim to the cyber crime. As more homes have access to Internet, more children would be using the Internet and more are the chances of falling victim to the aggression of pedophiles. What is Child Pornography? ―Child pornography‖ means any visual depiction, including 1. any photograph 2. film, video, picture, or 3. computer or computer-generated image or picture, of sexually explicit conduct, where the production of such visual depiction involves the use of a minor engaging in sexually explicit conduct 6. SOFTWARE PIRACY
  21. 21. 22 Theft of software through the illegal copying of genuine programs or the counterfeiting and distribution of products intended to pass for the original is termed software piracy.

Examples of software piracy
1. End user copying - Friends loaning disks to each other, or organizations underreporting the number of software installations they have made.
2. Hard disk loading - Hard disk vendors load pirated software.
3. Counterfeiting - Large-scale duplication and distribution of illegally copied software.
4. Illegal downloads from the Internet - By intrusion, cracking serial numbers etc.

A consumer of pirated software has a lot to lose:
- He gets untested software that may have been copied thousands of times over, potentially containing hard-drive-infecting viruses
- No technical support in case of software failure
- No warranty protection
- No legal right to use the product

7. SPOOFING

Illegal intrusion, posing as a genuine user

Spoofing means a hacker logs in to a computer illegally using a different identity than his own. He is able to do this by having previously obtained the actual password. He creates a new identity by fooling the computer into thinking he is the genuine system operator. The hacker then takes control of the system.

E-mail spoofing

A spoofed e-mail is one which misrepresents its origin: it shows its origin to be different from where it actually originates. Recently, spoofed mails containing a virus were sent in the name of Mr. Na. Vijayashankar (naavi.org). Rajesh Manyar, a graduate student at Purdue University in Indiana, was arrested for threatening to detonate a nuclear device in the college campus. The alleged e-mail was sent
  22. 22. 23 from the account of another student to the vice president for student services. However, the mail was traced as having been sent from the account of Rajesh Manyar.

8. USENET NEWSGROUP

(Usenet is a popular means of sharing and distributing information on the web with respect to specific topics or subjects.)

Possible Criminal Uses of Usenet
- Distribution/sale of pornographic material
- Distribution/sale of pirated software
- Distribution of hacking software
- Sale of stolen credit card numbers
- Sale of stolen data/stolen property

9. VIRUS DISSEMINATION

A computer virus is a program that can 'infect' other legitimate programs by modifying them to include a possibly 'evolved' copy of itself. Viruses can spread themselves, without the knowledge or permission of the users, to potentially large numbers of programs on many machines. A computer virus passes from computer to computer like a biological virus passes from person to person. Viruses can also contain instructions that cause damage or annoyance; the combination of possibly damaging code with the ability to spread is what makes viruses a considerable concern.

How do viruses spread?

Viruses can often spread without any readily visible symptoms. A virus can start on event-driven effects (for example, triggered after a specific number of executions), time-driven effects (triggered on a specific date, such as Friday the 13th) or can occur at random.
  23. 23. 24 Typical actions of a virus
1. Display a message to prompt an action which may set off the virus
2. Erase files
3. Scramble data on a hard disk
4. Cause erratic screen behavior
5. Halt the PC
6. Just replicate itself!
  24. 24. 25 Fig 2.2 How can a virus be distributed World’s Worst Virus Attacks 1. Love Letter Love Letter is the virus everyone learned to hate in 2000. The infection affected millions of computers and caused more damage than any other computer virus to date. Users were infected via e-mail, through Internet chat systems, and through other file sharing systems. The worm sent copies of itself via Microsoft Outlook's address book entries. The mail included an executable file attachment with the e-mail subject line, "ILOVEYOU." The worm had the ability to overwrite several types of files, including .gif and .jpg files. It modified the Internet Explorer start page and changed Registry keys. 2. Klez The Klez worm was first detected in October 2001. Klez distributes itself like a virus, but sometimes acts like a worm, other times like a Trojan horse. Klez isn't as destructive as other worms, but it is widespread, hard to exterminate--and still active. It spreads via open networks and e-mail-regardless of the e-mail program you use. It may corrupt files and disable anti-virus products. It steals data from a victim's e-mail address book, mixing and matching new senders and recipients for a new round of infection. 3. Melissa The Melissa virus swamped corporate networks with a tidal wave of e-mail messages in March 1999. Through Microsoft Outlook, when a user opened an e-mail message
  25. 25. 26 containing an infected Word attachment, the virus was sent to the first 50 names in the user's address book. So much e-mail traffic was generated so quickly that companies like Intel and Microsoft had to turn off their e-mail servers. The Melissa virus was the first virus capable of hopping from one machine to another on its own. And it's another good example of a virus with multiple variants. 10. INTERNET TIME THEFTS Normally in these kinds of thefts the Internet surfing hours of the victim are used up by another person. This is done by gaining access to the login ID and the password. E.g. Colonel Bajwa’s case- the Internet hours were used up by any other person. This was perhaps one of the first reported cases related to cyber crime in India. However this case made the police infamous as to their lack of understanding of the nature of cyber crime.
  26. 26. 27 CHAPTER 3 DEFINITIONS OF ELECTRONIC DOCUMENTS AND EVIDENCES 3.1 INTRODUCTION The Information Technology Act, 2000 is India‘s mother legislation regulating the use of computers, computer systems and computer networks as also data and information in the electronic format. The said legislation has provided for the legality of the electronic format as well as electronic contracts. This legislation has touched varied aspects pertaining to electronic authentication, digital signatures, cybercrimes and liability of network service providers. The Act provides for: 1. Legal Recognition of Electronic Documents 2. Legal recognition of Electronic commerce Transactions 3. Admissibility of Electronic data/evidence in a Court of Law 4. Legal Acceptance of digital signatures 5. Punishment for Cyber obscenity and crimes 6. Establishment of Cyber regulations advisory Committee and the Cyber Regulations Appellate Tribunal. 7. Facilitation of electronic filing maintenance of electronic records. Person‘s signature on the document is necessary to prove that the document is belonging to him. Signature is the evidence to prove that the document belong to the particular person.
  27. 27. 28 3.2 DIGITAL SIGNATURE 3.2.1 DEFINITION Definition 1 A digital signature (not to be confused with a digital certificate) is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, Definition 2 A digital signature is basically a way to ensure that an electronic document (e-mail, spreadsheet, text file, etc.) is authentic. Authentic means that you know who created the document and you know that it has not been altered in any way since that person created it. 3.2.2 USES OF DIGITAL SIGNATURE 1. Issuing forms and licenses 2. Filing tax returns online 3. Online Government orders/treasury orders 4. Registration 5. Online file movement system 6. Public information records 7. E-voting 8. Railway reservations & ticketing
  28. 28. 29 9. E-education 10. Online money orders 11. Secured emailing 3.2.3 HOW TO GET A DIGITAL SIGNATURE CERTIFICATE The Office of Controller of Certifying Authorities (CCA), issues Certificate only to Certifying Authorities.CA issue Digital Signature Certificate to end-user. You can approach any one of the eight CAs for getting Digital Signature Certificate. Class 0 Certificate: This certificate shall be issued only for demonstration/ test purposes. Class 1 Certificate: Class 1 certificates shall be issued to individuals/private subscribers. These certificates will confirm that user‘s name (or alias) and E-mail address form an unambiguous subject within the Certifying Authorities database. Class 2 Certificate: These certificates will be issued for both business personnel and private individuals use. These certificates will confirm that the information in the application provided by the subscriber does not conflict with the information in well- recognized consumer databases. Class 3 Certificate: This certificate will be issued to individuals as well as organizations. As these are high assurance certificates, primarily intended for e- commerce applications, they shall be issued to individuals only on their personal (physical) appearance before the Certifying Authorities. 3.2.4 LEGAL RECOGNITION OF DIGITAL SIGNATURE According to this section, signature of the person need no to be in writing, it can be in the form of the following. a. With rubber stamp b. With pen c. With pencil
  29. 29. 30 d. With thumb impression With digital signature which is issued by the certifying authority (government body) and stored in the computer in the file format. Digital signature is not like hand writing signature. It is not normally readable. Not like general hand writing signature. Digital signatures have equal legal recognition compared with non-digital signatures. Digital signature will be different for each e document. Digital signature is issued by the certifying authority. Sec 15 - According to this section digital signature is secure. - Digital signature will be used as identification of the subscriber. Sec21 Any person can apply for the digital signature certification having certain qualification prescribed by government under the act. Sec22 - Any person can apply for digital signature with filling of application. - Any other documents attached if needed, should be genuine - Fee of rupees 2500/- Sec23 License can be renewed before the 45 days of expiry date of 5 years. Renewal fees is 5000/-. After the expiry of the date, late fee will be collected in addition to the renewal fee. Sec25 According to this section license will be cancelled if the applicant provides any false information 3.3 AUTHENTICATION OF ELECTRONIC RECORDS [SEC 3]
  30. 30. 31 According to this section any person can use and affix his digital signature to an electronic record (a message or data on a computer) to prove/confirm (authenticate) that such electronic record was created by him only and belongs to him only. Affixing a digital signature to the electronic record is proof that it belongs to a specific person.

"Electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche; [Sec 2(t)]

[Sec 3(2)] This section deals with the online process of sending data or a message securely and safely from the sender to the receiver. It also deals with assuring the receiver and the sender of the message or data.

Section 2(f) "asymmetric crypto system" means a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature;

3.4 CRYPTOGRAPHIC SYSTEM

The cryptographic mechanism is a process carried out by the computer system.
- The message or data sent out is encrypted by a cryptographic mechanism (the procedures and methods of making and using secret languages, such as codes).
- The cryptographic mechanism includes a private key and a public key, which are cryptographic methods provided by certifying authorities. (Private key encryption is essentially the same as a secret code that the two computers must each know in order to decode the information. The code would provide the key to decoding the message.)
- To decode an encrypted message, a computer must use the public key provided by the originating computer and its own private key.
- The public key and the private key are both mathematically related to each other.
- Therefore the private key is used to encode the data/message and the public key is used to decode the data/message.
- The private key will be with the sender only.
  31. 31. 32
- The private key, along with the public key, will be with the sender.
- The public key will be with the receiver of the data or message.

Hash function = checksum/message digest
- The hash function process is carried out by the computer system.
- A hash function (hashing algorithm) is a mathematical function/formula that converts a large, possibly variable-sized amount of data into a small datum. This is called the hash result or message digest.
- To sign a document, the sender's software crunches down the data or message into just a few lines by a process called a "hashing algorithm/hash function". These few lines are called a message digest/hash result.
- Any modification to the message or data changes the hash result. The original message or data cannot be reconstructed from the hash result.

3.5 DIGITAL SIGNATURE VERIFICATION
- The sender's software then encrypts the message digest with his private key. The result is the digital signature.
- Finally, the sender's software attaches/affixes the digital signature to the data or message. All of the data that was hashed has been signed.
- The receiver's software decrypts the signature (using the sender's public key), changing it back into a message digest. This confirms that only the sender has signed the document, because only the sender has the related private key.
- The receiver's software then hashes the data or message into a message digest/hash result. If this message digest/hash result is the same as the message digest obtained when the signature was decrypted, then the receiver knows that the signed data has not been changed.

[A digital signature is another means to ensure integrity, authenticity, and non-repudiation. A digital signature is derived by applying a mathematical function to compute the message digest of an electronic message or document, and then encrypting the result of the computation with the signer's private key. Recipients can verify the digital signature with the use of the sender's public key.]
  32. 32. 33 3.5.1 HOW IT WORKS

Assume you were going to send the draft of a contract to your lawyer in another town. You want to give your lawyer the assurance that it was unchanged from what you sent and that it is really from you.
1. You copy-and-paste the contract (it's a short one!) into an e-mail note.
2. Using special software, you obtain a message hash (mathematical summary) of the contract.
3. You then use a private key that you have previously obtained from a public-private key authority to encrypt the hash.
4. The encrypted hash becomes your digital signature of the message. (Note that it will be different each time you send a message.)

At the other end, your lawyer receives the message.
1. To make sure it's intact and from you, your lawyer makes a hash of the received message.
2. Your lawyer then uses your public key to decrypt the message hash or summary.
3. If the hashes match, the received message is valid.

[Sec 40] The subscriber will generate the key pair (public key and private key) by a certain security process through the Controller of Certifying Authorities. The public key, with the hash algorithm, is listed in the digital signature certificate for the verification process. The private key is kept secret.
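The sign-and-verify steps of sections 3.5 and 3.5.1, as an added Python example that is not part of the original report. It assumes SHA-256 as the hash function, textbook RSA without padding, key pairs constructed from publicly known Mersenne primes, and made-up contract text; none of these come from the report, and a production system would use a vetted library with a padding scheme such as RSASSA-PSS.

```python
"""Hash-then-sign walk-through (added example, not code from the report).

Textbook RSA over constructed keys built from publicly known Mersenne
primes. It shows the mechanics only: the factors are public and no padding
scheme is applied, so these keys must never protect real data.
"""
import hashlib


def make_key_pair(p: int, q: int, e: int = 65537):
    """Return (public, private) as (n, e) and (n, d) for primes p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)


# Constructed demonstration keys (assumption): Mersenne primes as factors.
SENDER_PUBLIC, SENDER_PRIVATE = make_key_pair(2**521 - 1, 2**607 - 1)
IMPOSTOR_PUBLIC, IMPOSTOR_PRIVATE = make_key_pair(2**127 - 1, 2**1279 - 1)


def message_digest(message: bytes) -> int:
    """Hash function: any amount of data in, fixed-size digest out."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Sender side: transform the digest with the private key."""
    n, d = private_key
    digest = message_digest(message)
    if digest >= n:
        raise ValueError("modulus too small for the digest")
    return pow(digest, d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver side: recover the signed digest with the public key and
    compare it with a fresh digest of the message that actually arrived."""
    n, e = public_key
    if not 0 <= signature < n:
        return False  # not a valid value for this key at all
    return pow(signature, e, n) == message_digest(message)


def demo() -> dict:
    # Constructed sample documents.
    contract = b"Draft contract: payment of Rs. 10,000 due within 30 days."
    tampered = contract.replace(b"10,000", b"90,000")
    other = b"Draft contract: payment of Rs. 10,000 due within 60 days."

    signature = sign(contract, SENDER_PRIVATE)
    impostor_signature = sign(contract, IMPOSTOR_PRIVATE)
    return {
        # Unchanged message, genuine signature, sender's public key.
        "genuine": verify(contract, signature, SENDER_PUBLIC),
        # One changed figure changes the digest, so the check fails.
        "tampered": verify(tampered, signature, SENDER_PUBLIC),
        # A signature lifted from one document does not fit another.
        "transplanted": verify(other, signature, SENDER_PUBLIC),
        # Each document gets its own signature value.
        "distinct": signature != sign(other, SENDER_PRIVATE),
        # Signed with a different private key, checked against the sender's.
        "impostor": verify(contract, impostor_signature, SENDER_PUBLIC),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:13s} {result}")
```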
  33. 33. 34 3.6 CERTIFYING AUTHORITY TO ISSUE DIGITAL SIGNATURE CERTIFICATE (1) Any person may make an application to the Certifying Authority for the issue of a Digital Signature Certificate in such form as may be prescribed by the Central Government (2) Every such application shall be accompanied by such fee not exceeding twenty five thousand rupees as may be prescribed by the Central Government, to be paid to the Certifying Authority: Provided that while prescribing fees under sub-section (2) different fees may be prescribed for different classes of applicants‘. (3) Every such application shall be accompanied by a certification practice statement or where there is no such statement, a statement containing such particulars, as may be specified by regulations. (4) On receipt of an application under sub-section (1), the Certifying Authority may, after consideration of the certification practice statement or the other statement under subsection (3) and after making such enquiries as it may deem fit, grant the Digital Signature Certificate or for reasons to be recorded in writing, reject the application: Provided that no Digital Signature Certificate shall be granted unless the Certifying Authority is satisfied that— (b) The applicant holds the private key corresponding to the public key to be listed in the Digital Signature Certificate; (c) The applicant holds a private key, which is capable of creating a digital signature; (d) The public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the applicant: Provided further that no application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection.
  34. 34. 35 3.7 ELECTRONIC GOVERNANCE (E-Governance or e-gov is broadly defined as an ―application of Information technology to the functioning of the Government‖. E-gov relies heavily on the effective use of Internet and other emerging technologies to receive and deliver information and services easily, quickly, efficiently and inexpensively.) Sec 6 Government can file, create, use of electronic records in certain format for issue license, permits, any approval, receipt and payment of money. Sec 7 Electronic records should be stored in the format which they were created and also information in electronic records should not be altered. They should be stored for the specific period for the future reference whenever needed. Sec 10 According to this section central government has power to make rule in respect of digital signatures - Type of digital signature - Format of digital signature - Procedure which facilitate identification of the person affixing the digital signature - Control on the security and confidentiality of the electronic records. 3.7.1 ACKNOWLEDGEMENT OF RECEIPT Sec12
  35. 35. 36 Addressee should indicate sender on the receipt of the electronic record. If acknowledgement is not received by the sender, it is deemed that electronic record is not send E.g.: email Sec13 If Addressee has designated the specific computer source for the receipt of the electronic record eg: email address. In such case electronic record is deemed to be receipt by addressee. If the addressee has not designated the any specific computer to the sender eg: email. It is deemed to receipt when the addressee retrieve the information. Retrieve of information can be done from home or at the business place. Sec 17 Central government appoints the controller of certifying authorities for the purpose of this act, they discharge their function according to this act. 3.7.2 FUNCTION OF CONTROLLER Sec 18 (a) Exercising supervision over the activities of the Certifying Authorities; (b) Certifying public keys of the Certifying Authorities; (c) Laying down the standards to be maintained by the Certifying Authorities; (d) Specifying the qualifications and experience which employees of the Certifying Authorities should possess; (e) Specifying the conditions subject to which the Certifying Authorities shall conduct their business; (f) Specifying the contents of written, printed or visual materials and advertisements that may be distributed or used in respect of a Digital Signature Certificate and the public key;
  36. 36. 37 (g) Specifying the form and content of a Digital Signature Certificate and the key, (h) Specifying the form and manner in which accounts shall be maintained by the Certifying Authorities; (i) Specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them; (j) Facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems; (k) Specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers; (l) Resolving any conflict of interests between the Certifying Authorities and the subscribers; (m) Laying down the duties of the Certifying Authorities; (n) Maintaining a data base containing the disclosure record of every Certifying Authority containing such particulars as may be specified by regulations, which shall be accessible to public. Sec 19 According to this section Digital signatures by foreign certifying authorities is not valid in the our country Sec 20 Controller will be the custodian of all the digital signatures certificates issued under this act. He has to store and retrieve certificates and other Information in need. Sec 28 Controller has power to investigate in any person and things go opposite to the act. He can inspect records of company and seize.
  37. 37. 38 Sec 28 If the controller is under the doubt and have suspect, he can check the computer system, computer networks, data, apparatus and other material connected to the computer system. 3.7.3 DUTIES OF SUBSCRIBER Sec 40 Subscriber should generate key pair, private key and public key. Subscriber should hold the private key Subscriber should take care about the private key which he holds Private Key hold with him should have relationship with the public key affix in the digital signature certificate. Subscriber only should affix the digital signature Sec 43 Any person without the permission of the owner should not do the following activities (a) Should access the computer system or computer network. (b) Should not download the data or make copies of it. (c) Should not introduce virus in to the computer system (d) Should damage the computer system or network or nay computer program. (e) Should not cause disruption to computer system or its network. (f) Hacking (g) Should not help/ assist any person to affect the computer system or computer networks.
  38. 38. 39 (h) Should not manipulate the computer system or computer network. 3.8 PENALTIES Sec 44 penalties Any person who ever fails to provide required document by the certifying authorities, such person is liable for penalty up to 150000/-. Any person who ever fails to provide required information by the certifying authorities, such person is liable for penalty up to 5000/-. Any person who ever fails to maintain records and account books, such person is liable for penalty up to 10000/-. Sec45 Any person who disobey or be oppose to this law or act shall be liable for penalty of 25000/-. 3.8.1 ADJUDICATION OFFICER Sec 46 Deals with appointment of adjudication officer by central government, who have experience in field of information technology, for the purpose of holding enquiry on the matters like violation of rules of the act, etc. he can impose penalty or award compensation. 3.9 DIGITAL EVIDENCES Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Before accepting digital evidence a court will determine if the evidence is relevant, whether it is authentic, if it is hearsay and whether a copy is acceptable or the original is required.
  39. 39. 40 The use of digital evidence has increased in the past few decades as courts have allowed the use of e-mails, digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel‘s electronic door locks, and digital video or audio files.
  40. 40. 41 CHAPTER 4 INVESTIGATION METHODS

4.1 INVESTIGATION OF CYBER CRIME

In simple words, cyber crime is defined as crime committed over the Internet. A generalized definition of cyber crime may be "unlawful acts wherein the computer is either a tool or target or both". The computer may be used as a tool in the following kinds of activity: financial crimes, sale of illegal articles, pornography, online gambling, intellectual property crime, e-mail spoofing, forgery, cyber defamation, cyber stalking.

4.2 PREVENTION

4.2.1 GENERAL GUIDELINES ON CYBER SAFETY
- Do not give out identifying information such as your name, home address, or telephone number in a chat room. Even vital details like age and gender should never be divulged to anyone.
- Do not send your photograph to anyone on the net unless you know the person well enough.
- Do not respond to messages or bulletin board items that are obscene, belligerent or threatening.
- Never arrange a face-to-face meeting with someone whom you have just 'met' on the Internet. In case you have to meet this person, make sure you have someone with you for the meeting, and inform someone of the person you are meeting and the place you will be going to. Remember, people online are not always who they seem to be.

4.2.2 EMAIL SAFETY

If you ever get an email containing an embedded link, and a request for you to enter secret details, treat it as suspicious. Do not input any sensitive information that might
  41. 41. 42 help provide access to your bank accounts, even if the page appears legitimate. No reputable company ever sends emails of this type.

4.2.3 VIRUS WARNINGS

Virus warnings are a very common occurrence in the mail box. While you shouldn't take these warnings lightly, a lot of times such warnings are hoaxes and will do more harm than good. Always check the story out by visiting an anti-virus site such as McAfee, Sophos or Symantec before taking any action, including forwarding them to friends and colleagues.

4.2.4 FOR HOME PC USERS

Here are some extremely important guidelines for home computer owners.
1. Use the latest version of a good anti-virus software package that allows updating from the Internet.
2. Use the latest version of the operating system, web browsers and e-mail programs.
3. Don't open e-mail attachments unless you know the source. Attachments, especially executables (those having the .exe extension), can be dangerous.
4. Confirm the site you are doing business with. Secure yourself against "Web-Spoofing". Do not go to websites from email links.
5. Create passwords containing at least 8 digits. They should not be dictionary words. They should combine upper and lower case characters.
6. Use different passwords for different websites.
7. Send credit card information only to secure sites.
8. Use a security program that gives you control over "Cookies" that send information back to websites. Letting all cookies in without monitoring them could be risky.

Turn off your computer or disconnect from the network when not in use

Turn off your computer or disconnect its Ethernet interface when you are not using it. An intruder cannot attack your computer if it is powered off or otherwise completely disconnected from the network.
  42. 42. 43 Disable Java, JavaScript, and ActiveX if possible Be aware of the risks involved in the use of "mobile code" such as ActiveX, Java, and JavaScript. A malicious web developer may attach a script to something sent to a web site, such as a URL, an element in a form, or a database inquiry. Later, when the web site responds to you, the malicious script is transferred to your browser. The most significant impact of this vulnerability can be avoided by disabling all scripting languages. Turning off these options will keep you from being vulnerable to malicious scripts. However, it will limit the interaction you can have with some web sites. Many legitimate sites use scripts running within the browser to add useful features. Disabling scripting may degrade the functionality of these sites. Make regular backups of critical data Keep a copy of important files on removable media such as ZIP disks or recordable CD-ROM disks (CD-R or CD-RW disks). Use software backup tools if available, and store the backup disks somewhere away from the computer. Make a boot disk in case your computer is damaged or compromised To aid in recovering from a security breach or hard disk failure, create a boot disk on a floppy disk, which will help when recovering a computer after such an event has occurred. Remember, however, you must create this disk before you have a security event. Use a firewall We strongly recommend the use of some type of firewall product, such as a network appliance or a personal firewall software package. Intruders are constantly scanning home user systems for known vulnerabilities. Network firewalls (whether software or hardware-based) can provide some degree of protection against these attacks. However, no firewall can detect or stop all attacks, so it‘s not sufficient to install a firewall and then ignore all other security measures.
  43. 43. 44 Don't open unknown email attachments

Before opening any email attachments, be sure you know the source of the attachment. It is not enough that the mail originated from an address you recognize. The Melissa virus spread precisely because it originated from a familiar address. Malicious code might be distributed in amusing or enticing programs. If you must open an attachment before you can verify the source, we suggest the following procedure:

1. Be sure your virus definitions are up-to-date
2. Save the file to your hard disk
3. Scan the file using your antivirus software
4. Open the file

For additional protection, you can disconnect your computer's network connection before opening the file. Following these steps will reduce, but not wholly eliminate, the chance that any malicious code contained in the attachment might spread from your computer to others.

4.2.5 FOR PARENTS

By taking responsibility for their children's online computer use, parents can greatly minimize any potential risks of being online. Make it a family rule to never give out personal information (home address and telephone number) while chatting or on bulletin boards (newsgroups), and be sure you're dealing with someone that both you and your child know and trust before giving out this information via e-mail. Be careful before revealing any personal information such as age, marital status, or financial information while chatting. Never post photographs of your children on web sites or newsgroups that are available to the public. Consider using a fake name, avoid listing your child's name and e-mail address in any public directories and profiles, and find out about your Internet
  44. 44. 45 Service Provider's privacy policies and exercise your options for how your personal information may be used. Get to know the Internet and any services your child uses. If you don't know how to log on, get your child to show you. Ask your child to show you what he or she does online, and familiarize yourself with all the things that you can do online.

Never allow a child to arrange a face-to-face meeting with another computer user without your permission. If a meeting is arranged, make the first one in a public place, and be sure to accompany your child.

Do not respond to messages or bulletin board items that are suggestive, obscene, belligerent, threatening, or make you feel uncomfortable. Ask your children to tell you if they respond to such messages, and advise them not to do that. If you or your child receives a message that is harassing, of a sexual nature, or threatening, forward a copy of the message to your ISP, and ask for their assistance.

Instruct your child not to click on any links that are contained in e-mail from persons they don't know. Such links could lead to sexually explicit or otherwise inappropriate web sites.

4.3 CYBER LAW

India has enacted the first I.T. Act, 2000 based on the UNCITRAL model recommended by the General Assembly of the United Nations. Chapter XI of this Act deals with offences/crimes, along with certain other provisions scattered in this Act. The various offences which are provided under this chapter are shown in the following table:

Offence | Section under IT Act
Tampering with Computer source documents | Sec. 65
Hacking with Computer systems, Data alteration | Sec. 66
Publishing obscene information | Sec. 67
Un-authorised access to protected system | Sec. 70
Breach of Confidentiality and Privacy | Sec. 72
  45. 45. 46 Publishing false digital signature certificates | Sec. 73

NOTE: Sec. 78 of the I.T. Act empowers the Deputy Supdt. of Police to investigate cases falling under this Act.

Computer Related Crimes Covered under IPC and Special Laws

Offence | Section
Sending threatening messages by email | Sec. 503 IPC
Sending defamatory messages by email | Sec. 499 IPC
Forgery of electronic records | Sec. 463 IPC
Bogus websites, cyber frauds | Sec. 420 IPC
Email spoofing | Sec. 463 IPC
Web-Jacking | Sec. 383 IPC
E-Mail Abuse | Sec. 500 IPC
Online sale of Drugs | NDPS Act
Online sale of Arms | Arms Act

4.4 HOW FBI INVESTIGATES CYBER CRIME

Federal law enforcement can only gather proprietary information concerning an incident in the following ways:

- request for voluntary disclosure of information
- court order
- federal grand jury subpoena
- search warrant
  46. 46. 47 Gathering information

To ensure that your organization can react to an incident efficiently, make sure that staff know who is responsible for cyber security and how to reach them. The following steps will help you document an incident and assist federal, state, and local law enforcement agencies in their investigation (be sure to act in accordance with your organization's policies and procedures):

1. Preserve the state of the computer at the time of the incident by making a backup copy of logs, damaged or altered files, and files left by the intruder.
2. If the incident is in progress, activate auditing software and consider implementing a keystroke monitoring program if the system log-on warning banner permits.
3. Document the losses suffered by your organization as a result of the incident. These could include the:
   - estimated number of hours spent in response and recovery (multiply the number of participating staff by their hourly rates)
   - cost of temporary help
   - cost of damaged equipment
   - value of data lost
   - amount of credit given to customers because of the inconvenience
   - loss of revenue
   - value of any trade secrets
4. Contact law enforcement and:
   - provide incident documentation
   - share information about the intruder
   - share any ideas about possible motives

4.5 MUMBAI POLICE INVESTIGATION CELL

The Cyber Crime Investigation Cell of Mumbai Police was inaugurated on 18th December 2000. It deals with offences related to the computer, computer network, computer resource, computer systems, computer devices and Internet.
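Step 1 under "Gathering information" in section 4.4 (backup copies of logs, altered files and files left by the intruder) is easier to rely on later if each copy is hashed when it is taken, so any subsequent change can be shown. The following Python code is an added example, not part of the original report; the `evidence` directory, the `manifest.json` layout, the function names and the sample files are all assumptions constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large logs do not need to fit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve(sources, evidence_dir):
    """Copy each source file into evidence_dir and write manifest.json.

    The originals are only read, never modified. Returns the manifest
    (a list of dicts, one per copied file).
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for index, src in enumerate(map(Path, sources)):
        before = sha256_of(src)
        # Index prefix keeps files with the same name from colliding.
        dest = evidence_dir / f"{index:04d}_{src.name}"
        shutil.copy2(src, dest)  # copy2 also preserves modification time
        after = sha256_of(dest)
        if before != after:
            # Happens if the source changed mid-copy (e.g. a live log).
            raise IOError(f"copy of {src} does not match the original")
        stat = src.stat()
        manifest.append({
            "original_path": str(src.resolve()),
            "copy_name": dest.name,
            "sha256": after,
            "size_bytes": stat.st_size,
            "modified_utc": datetime.fromtimestamp(
                stat.st_mtime, timezone.utc).isoformat(),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir):
    """Re-hash every copy; return names that are missing or have changed."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    changed = []
    for entry in manifest:
        copy = evidence_dir / entry["copy_name"]
        if not copy.is_file() or sha256_of(copy) != entry["sha256"]:
            changed.append(entry["copy_name"])
    return changed


def demo():
    """Run the workflow on constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        log = tmp / "auth.log"      # constructed sample log line
        log.write_text("Jan 01 00:00:01 host sshd[1]: Failed password for root\n")
        dropped = tmp / "note.txt"  # constructed stand-in for an intruder's file
        dropped.write_text("constructed sample\n")
        evidence = tmp / "evidence"
        manifest = preserve([log, dropped], evidence)
        clean = verify(evidence)
        # Simulate a later change to one of the copies.
        (evidence / manifest[0]["copy_name"]).write_text("edited\n")
        tampered = verify(evidence)
        return len(manifest), clean, tampered


if __name__ == "__main__":
    print(demo())
```

Store the evidence directory and a separate copy of `manifest.json` on media kept away from the affected machine, in line with the backup advice earlier in the report.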
  47. 47. 48 Here are some things you need to know in order to protect yourself from being scammed.

1.) There is NO such thing as "free money." If anyone offers you free money, you should automatically consider him/her a scammer.
2.) No one works for me. I work alone. If anyone says they work for me and have selected you as a winner of some prize, they are lying.
3.) Never, ever give out your email address to anyone on the internet, unless you know them personally.
4.) A scammer usually starts by telling you that he/she is looking for a soulmate; they try to sweet talk you and make you feel special. Sometimes they even claim to be part of a church group or whatever. Don't fall for their nonsense!
5.) Again, there is NO SUCH THING AS FREE MONEY! A scammer usually asks for your home address, then they send you a fake check which looks real but it's not. They want you to deposit the check at your bank (usually around $3,000) and want you to send him/her 90% cash and you keep 10% cash for "helping out."

4.6 WHY TO REPORT CYBER CRIME

Crime in a society is expected to remain at a tolerable level due to the deterrence factor; early detection of the crime, identification of the criminal who has committed the crime and awarding of an exemplary punishment to him/her will dissuade other individuals who would have indulged in such instances in future. An unreported crime emboldens the criminal to commit further such acts, apart from taking away the deterrence for others. Proper reporting also helps policy makers to know of the trends and allocate resources to adequately tackle newer crimes. Critical infrastructure protection, which has an impact on a large number of people, also benefits by having proper reporting practices.
  48. 48. 49 You may be worried about the loss of reputation or negative publicity; however, most law enforcement organizations are aware of this and take steps to keep crime details confidential. They also are sensitive to the fact that the reporting company's business may depend on the availability of the computer resources involved and can take appropriate measures to use forensic tools to ensure that business disruption is minimized.

4.7 HOW TO REPORT A CYBER CRIME

Filing a complaint / Writing an application letter.

What details will I be asked to include in my complaint?

You may need to provide the following possible information, along with an application letter addressing the head of cyber crime investigation cell when filing a complaint:

- Your name,
- Your mailing address,
- Your telephone number,
- Specific details on how the offence was committed, along with the names and addresses of suspects and any other relevant information necessary.

What contents should be there in the application letter?

Contents vary with respect to the type of fraud or crime faced by you.

Cyber Stalking: It is the most common kind of cyber crime happening in India and the victim's report could contain the following information:

- Email/IM communications received
- Phone numbers of the obscene callers, if any
- Website address which contains the profile
  49. 49. 50 Screenshot of the webpage (to be saved and submitted in hard copy)
- Other important necessary information could be provided after consulting a law enforcement agency.

Note: Victims of Cyber Stalking often request the webmaster to delete their profile. Deleting the profile means the evidence is lost.

Password Hacking:

- When did you access your email account last?
- From where and which computer did you browse it?
- All information about the email account, e.g. date of birth entered, pin code entered, security question and the last password.

What type of documents should be included in my application which can be considered as proof or evidence in regard to my complaint?

Every possible piece of information which you can provide with proper documents can be included in the application letter and be considered as proof or evidence. Proof or evidence may include the following:

- E-mail printouts,
- Chat-room or newsgroup text or screenshots if taken by you,
- Email printouts should contain full email header information,
- Transaction acknowledgements or receipts,
- Credit card records, transaction details and receipts,
- Envelopes or letters received via post or courier,
- FAX copies,
- Pamphlets or brochures (if you have received them),
- Phone bills,
- Printed or preferably electronic copies of web pages

Keep the necessary information in a safe location; you will be required to provide it for investigation as and when required.
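The evidence list above asks for full email header information because the Received lines record each server that handled the message, which a printout of only From, To and Subject does not show. This added Python example (not part of the original report) checks a saved message for those headers and lists the relay hops oldest first; the sample messages, their addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: example domains and documentation-range IP addresses.
FULL_MESSAGE = """\
Return-Path: <billing@example.net>
Received: from mx.example.org (mx.example.org [198.51.100.7])
\tby inbox.example.com with ESMTP id A1; Mon, 05 Jan 2009 10:15:32 +0530
Received: from unknown (HELO pc) ([192.0.2.44])
\tby mx.example.org with SMTP id B2; Mon, 05 Jan 2009 10:15:30 +0530
Message-ID: <constructed-0001@example.net>
Date: Mon, 05 Jan 2009 10:15:29 +0530
From: "Your Bank" <support@bank.example>
To: victim@example.com
Subject: Verify your account

Body text.
"""

# Constructed sample of a message saved with only the visible fields.
PRINTOUT_ONLY = """\
Date: Mon, 05 Jan 2009 10:15:29 +0530
From: "Your Bank" <support@bank.example>
To: victim@example.com
Subject: Verify your account

Body text.
"""

# Headers an investigator needs in order to trace the message's path.
NEEDED = ("Received", "Message-ID", "Date")


def missing_headers(raw):
    """Return the names of needed headers that the saved message lacks."""
    msg = message_from_string(raw)
    return [name for name in NEEDED if msg.get(name) is None]


def received_hops(raw):
    """Return relay hops oldest first, each as a dict of from/ip/by/time."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(str(value).split())  # undo header line folding
        info, sep, stamp = line.rpartition(";")
        if not sep:  # no timestamp part present
            info, stamp = line, ""
        sender = re.search(r"\bfrom\s+(\S+)", info)
        ip = re.search(r"\[([0-9A-Fa-f:.]+)\]", info)
        by = re.search(r"\bby\s+(\S+)", info)
        try:
            when = parsedate_to_datetime(stamp.strip()).isoformat()
        except (TypeError, ValueError):
            when = None
        hops.append({
            "from": sender.group(1) if sender else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "time": when,
        })
    # Each server adds its Received line at the top, so reverse the list
    # to read the path in the order the message actually travelled.
    hops.reverse()
    return hops


if __name__ == "__main__":
    print("missing in printout:", missing_headers(PRINTOUT_ONLY))
    for hop in received_hops(FULL_MESSAGE):
        print(hop)
```

Received lines below the first server you trust are supplied by the sending side, so treat them as leads for the investigating agency rather than as proof of origin.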
  50. 50. 51 Note: Proof or documents which will be part of the application are not restricted to the above list; additional information may be required depending on the nature of crime.

What should I do if I believe my complaint is time sensitive?

You should contact your local police station directly if you believe your matter is time sensitive. You can get crime-related information from the website links mentioned below:

Mumbai Police | www.mumbaipolice.org
Pune Police | www.punepolice.com
Thane Police | www.thanepolice.org
Indian Computer Emergency Response Team | www.cert-in.org.in

Table 4.1 – Cyber Police Websites

If you think you or anyone you know are in immediate danger, please contact your local police station or main control room (Phone no. 100) immediately! Online reporting should NEVER be used in the event of an emergency requiring immediate attention.

(Disclaimer: Contents of this page have been provided for general information and should not be construed to be legal advice. This web site is not a complete or authoritative source of legal information. Information on this site therefore should not be considered legal advice or otherwise relied upon. If you have any specific questions please contact a lawyer or otherwise seek independent professional advice before acting on anything contained herein. We do not take any responsibility for reliance on errors or omissions in the content contained on our web site.)
  51. 51. 52 WHAT TO DO IN CASE OF CYBER CRIME

We suggest you first contact your local law enforcement authorities (police station) and let them know what happened. Depending on the scope of the crime, it will be investigated by a special cyber crime investigation cell.
  52. 52. 53 CHAPTER 5 INTELLECTUAL PROPERTY RIGHTS AND THE LEGAL FRAMEWORK DEALING WITH IT

5.1 INTRODUCTION

Intellectual property (IP) is a term referring to a number of distinct types of creations of the mind for which a set of exclusive rights are recognized under the corresponding fields of law. Under intellectual property law, owners are granted certain exclusive rights to a variety of intangible assets, such as musical, literary, and artistic works; discoveries and inventions; and words, phrases, symbols, and designs. Common types of intellectual property rights include copyrights, trademarks, patents, industrial design rights and trade secrets in some jurisdictions.

Currently, particularly in the United States, the objective of intellectual property legislators and those who support its implementation is "absolute protection". "If some intellectual property is desirable because it encourages innovation, they reason, more is better. The thinking is that creators will not have sufficient incentive to invent unless they are legally entitled to capture the full social value of their inventions." This absolute protection or full value view treats intellectual property as another type of 'real' property, typically adopting its law and rhetoric.

These exclusive rights allow owners of intellectual property to benefit from the property they have created, providing a financial incentive for the creation of an investment in intellectual property, and, in case of patents, pay associated research and development costs.

5.2 PATENTS

A Patent is a legal monopoly, which is granted for a limited time by a country to the owner of an invention. Merely to have a patent does not give the owner the rights to
  53. 53. 54 use or exploit the patented invention. That right may still be affected by other laws such as health and safety regulation, or the food and drugs regulation or even by other patents. The patent, in the eyes of the law, is a property right and it can be given away, inherited, sold, licensed and can even be abandoned. As it is conferred by the government, the government, in certain cases even after grant or even if it has been, in the meantime, sold or licensed, can revoke it.

A Patent gives an inventor the right for a limited period to stop others from making, using, selling or importing an invention without the permission of the inventor. That is why a patent is called a "negative right".

Patents are generally concerned with functional and technical aspects of products and processes and must fulfill specific conditions to be granted. Most patents are for incremental improvements in known technology: evolution rather than revolution. The technology does not have to be complex.

Patent rights are territorial; an Indian patent does not give rights outside of India. Patent rights last for up to 20 years in India and in most countries outside India. Depending on where you wish your patent to be in effect, you must apply to the appropriate body. In India, this is The Indian Patent Office. There are various Patent Offices around the world. Alternatively, a Patent Agent can apply on your behalf.

5.2.1 LEGAL BASIS

The Patents Act 1970, as amended by The Patents (Amendment) Act 2005.
The Patents Rules, 2003, as amended by The (Amendment) Rules 2006.

5.2.2 FILING APPLICATION

Any person, even if he or she is a minor, may apply for a patent either alone or jointly with any other person. Such persons include the inventor, or his assignee or legal representative in the case of an ordinary application or, in the case of a priority application, the applicant in the convention country or his assignee or his legal representative.
A corporate body cannot be named as an inventor. Foreigners and
  54. 54. 55 nationals not living in India need an address for service in India for this purpose. They may appoint a registered agent or representative whose address for service can be the address for service in India. 5.2.3 PATENT EXAMINATION Both formal and substantive examinations are made by the Indian Patent Office. Examination is by request. 5.2.4 PATENT PUBLICATION Publication takes place 18 months from the date of the application. Urgent publication is possible on request on payment of fees. On and from the date of publication of application for patent and until the date of grant of a patent in respect of such application, the applicant will have the like privileges and rights as if a patent for the invention had been granted on the date of publication of the application. 5.3 SERVICE MARK The Trade Mark Act, 1999 has come into force from the 15th of September 2003. An important feature of the Act is the introduction of the registration of Service Marks in India. Previously, Service Mark registration in India was not allowed. Protection of service marks was available only under the common Law. From September 2003, it has now become possible to separately register and therefore statutorily protect Service Marks. What are Service Marks? Service Marks are marks used in any form of service business where actual goods under that mark are not traded. For instance, a Hotel or a restaurant is a service: under the marks Taj, Oberoi, Sheraton, Meridian, Sher-e- Punjab, Khyber, Chinese Room, no goods are traded, but services are offered and purchased, these marks will now be statutorily protected under the Act. Similarly, marks for software services or business process outsourcing services, or health, insurance, repair services or airlines services or educational services can be protected by registration.
  55. 55. 56 Goods and Services are classified under various classes. Under the old trademark law, only 34 classes for goods were available. Under the Act of 99, 11 more classes have been created for protection of service marks, i.e. classes 35 to 45. The services under these classes are classified as follows:

Class 35: Advertising; business management; business administration; office functions.
Class 36: Insurance; financial affairs; monetary affairs; real estate affairs.
Class 37: Building construction; repair; installation services.
Class 38: Telecommunications.
Class 39: Transport; packaging & storage of goods; travel arrangement.
Class 40: Treatment of materials.
Class 41: Education; providing of training; entertainment; sporting & cultural activities.
Class 42: Scientific & technological services, research & design; industrial analysis & research services; design & development of computer hardware & software; legal services.
Class 43: Services for providing food & drink; temporary accommodation.
Class 44: Medical services; veterinary services; hygienic and beauty care for human beings or animals;
  56. 56. 57 agriculture, horticulture and forestry services.
Class 45: Personal and social services rendered by others to meet the needs of individuals; security services for the protection of property and individuals.

These are general classes. Each class has hundreds of entries for services falling under a class. Thus, for instance, compilation of information into computer databases is a service falling in class 35, but a service for providing financial information is a service falling in class 36. Again, a service providing installation, maintenance and repair of computer hardware falls in class 37, but installation and maintenance of computer software falls in class 42. Class 43 covers hotel and restaurant services. Medical clinics and beauty parlors fall in class 44 and horoscope casting in class 45.

5.4 TRADE MARK

A Trademark is any sign which can distinguish the goods and services of one trader from those of another. A sign includes words, logos, colours, slogans, three-dimensional shapes and sometimes sounds and gestures. A trademark is therefore a "badge" of trade origin. It is used as a marketing tool so that customers can recognise the product of a particular trader. To be registrable in India it must also be capable of being represented graphically, that is, in words and/or pictures.

5.4.1 CHANGES IN THE INDIAN TRADEMARK LAW

A new Trademark regime has been introduced in India since September 15, 2003. The new Trade Marks Act, 1999 has many innovative features:

[1] Service Marks: A mechanism is now available to protect marks used in the service industry. Thus businesses providing services like computer hardware and software assembly and maintenance, restaurant and hotel services, courier and transport, beauty and health
  57. 57. 58 care, advertising, publishing, educational and the like are now in a position to protect their names and marks.

[2] Collective Marks: Marks being used by a group of companies can now be protected by the group collectively.

[3] Well-known marks: Marks which are deemed to be well known are defined. Such marks will enjoy greater protection. Persons will not be able to register or use marks which are imitations of well-known trademarks.

[4] Enlarged scope of registration: Persons who get their marks registered for particular goods in a particular class and commence using their marks can sue and prevent other persons from:
(i) Using the same or similar marks even for different goods falling in other classes;
(ii) Using the same or similar marks even only as part of their firm name or company name;
(iii) Using the same or similar mark only in advertising or on business papers;
(iv) Importing or exporting goods under the said trade mark;
(v) Unauthorized oral use of the said trademark.

[5] Stringent punishment: Punishment for violating a trademark right has been enhanced. The offence has now been made cognizable and wide powers have been given to the police to seize infringing goods. At the same time the power of the Courts to grant ex parte injunctions has been amplified.

[6] Appellate Board:
  58. 58. 59 An appellate board (IPAB) has been constituted based in Chennai for speedy disposal of Appeals and rectification applications.

[7] Expedited procedure: Mechanisms have been set in place for expediting search and registration by paying five times the normal fee.

[8] Enhanced renewal period: Registered trademarks need to be renewed every ten years.

[9] License agreements do not need to be compulsorily registered.

[10] Marks may include the shape of goods.

[11] Marks may include a combination of colors.

5.4.2 LEGAL BASIS

The Trade Marks Act, 1999
The Trade Marks Rules, 1959.

The law is based mainly on the United Kingdom Trade Marks law and provides for the registration of trademarks which are being used, or which will be used, for certain goods to indicate a connection between them and some person who has the right to use the marks with or without any indication as to the identity of the person.

5.5 COPYRIGHT

Copyright Registration in India gives the creators of a wide range of material, such as literature, art, music, sound recordings, films and broadcasts, economic rights enabling them to control use of their material in a number of ways, such as by making
  59. 59. 60 copies, issuing copies to the public, performing in public, broadcasting and use on- line. It also gives moral rights to be identified as the creator of certain kinds of material and to object to its distortion or its mutilation. (Material protected by copyright is termed a "work".) However, copyright does not protect ideas, names or titles. The purpose of copyright law in India is to allow copyright registrants to gain economic rewards for their efforts and so encourage future creativity and the development of new material which benefits us all. Copyright material is usually the result of creative skill and/or significant labour and/or investment and without protection, it would often be very easy for others to exploit material without paying the creator. Most uses of copyright material therefore require permission from the copyright owner. However there are exceptions to copyright, so that some minor uses may not result in copyright infringements. Copyright protection is automatic as soon as there is a record in any form of the material that has been created. Under the Indian Copyright Act there is a provision to register copyright although this is voluntary. 5.5.1 OWNER OF COPYRIGHT In the case of a literary, dramatic, musical or artistic work, the general rule is that the author, i.e. the person who created the work, is the first owner of the economic rights under copyright. However, where such a work is made in the course of employment, the employer is the first owner of these rights, unless an agreement to the contrary has been made with the author. In the case of a film, the principal director and the film producer are joint authors and first owners of the economic rights and similar provisions as referred to above apply where the director is employed. In the case of a sound recording the record producer is the author and first owner of copyright; in the case of a broadcast, the broadcaster; and in case of a published edition, the publisher.
  60. 60. 61 Copyright is, however, a form of property which, like physical property, can be bought or sold, inherited or otherwise transferred, wholly or in part. So, some or all of the economic rights may subsequently belong to someone other than the first owner. In contrast, the moral rights accorded to authors of literary, dramatic, musical and artistic works and film directors remain with the author or director or pass to his or her heirs on death. Copyright in material produced by a Government department belongs to the Government of India. Copyright owners generally have the right to authorise or prohibit any of the following things in relation to their works: Copying of the work in any way eg. photocopying / reproducing a printed page by handwriting, typing or scanning into a computer / taping live or recorded music. Issuing copies of the work to the public. Public delivery of lectures or speeches etc. Broadcasting of the work, audio / video or including it in a cable programme. Making an adaptation of the work such as by translating a literary or dramatic work, transcribing a musical work and converting a computer program into a different computer language or code. Copyright is infringed when any of the above acts are done without authorisation, whether directly or indirectly and whether the whole or a substantial part of a work, unless what is done falls within the scope of exceptions to copyright permitting certain minor uses of material. There are a number of exceptions to copyright that allow limited use of copyright works without the permission of the copyright owner. For example, limited use of works may be possible for research and private study, criticism or review, reporting current events, judicial proceedings, teaching in schools and other educational establishments and not for profit playing of sound recordings. But if you are copying large amounts of material and/or making multiple copies then you may still need permission. 
Also where a copyright exception covers publication of excerpts from a copyright work, it is generally necessary to include an
  61. 61. 62 acknowledgement. Sometimes more than one exception may apply to the use you are thinking of. Exceptions to copyright do not generally give you rights to use copyright material; they just state that certain activities do not infringe copyright. So it is possible that an exception could be overridden by a contract you have signed limiting your ability to do things that would otherwise fall within the scope of an exception. It is important to remember that just buying or owning the original or a copy of a copyright work does not give you permission to use it the way you wish. For example, buying a copy of a book, CD, video, computer program etc does not necessarily give you the right to make copies (even for private use), play or show them in public. Other everyday uses of copyright material, such as photocopying, scanning, downloading from a CD-ROM or on-line database, all involve copying the work. So, permission is generally needed. Also, use going beyond an agreed licence will require further permission. 5.6 DESIGN Design means only the features of shape, configuration, pattern or ornament or composition of lines or color or combination thereof applied to any article whether two dimensional or three dimensional or in both forms, by any industrial process or means, whether manual, mechanical or chemical, separate or combined, which in the finished article appeal to and are judged solely by the eye but does not include any mode or principle of construction or any thing which is in substance a mere mechanical device and does not include any trade mark, as defined in clause (v) of sub-section of Section 2 of the Trade and Merchandise Marks Act, 1958, property mark or artistic works as defined under Section 2(c) of the Copyright Act, 1957. In India, designs are protected by two legal rights: Registered designs and Artistic copyright
  62. 62. 63 Design registration in India gives the owner a monopoly on his or her product, i.e. the right for a limited period to stop others from making, using or selling the product without their permission, and is additional to any design right or copyright protection that may exist automatically in the design.

5.6.1 LEGAL BASIS

Designs Act, 2000
Designs Rules, 2001

5.6.2 ARTICLE UNDER THE DESIGNS ACT, 2000

Under the Designs Act, 2000 the "article" means any article of manufacture and any substance, artificial, or partly artificial and partly natural, and includes any part of an article capable of being made and sold separately.

5.6.3 SET OF ARTICLES UNDER DESIGN ACT, 2000

If a group of articles meets the following requirements then that group of articles may be regarded as a set of articles under the Designs Act, 2000:

- Ordinarily on sale or intended to be used together.
- All having common design even though articles are different (same class).
- Same general character.

Generally, an article having the same design and sold in different sizes is not considered as a set of articles. Practical example: "Tea set", "Pen set", "Knife set" etc.

5.6.4 ESSENTIAL REQUIREMENTS FOR REGISTRATION OF DESIGN

The design should be new or original, not previously published or used in any country before the date of application for registration. The novelty may reside in the application of a known shape or pattern to new subject matter. Practical example: when the known shape of "Qutub Minar" is applied to a cigarette holder, the same is registrable. However, if the design for which application is made does not involve any real mental activity for conception, then registration may not be considered.
  63. 63. 64 The design should relate to features of shape, configuration, pattern or ornamentation applied or applicable to an article. Thus, designs of industrial plans, layouts and installations are not registrable under the Act.

The design should be applied or applicable to any article by any industrial process. Normally, designs of artistic nature like paintings, sculptures and the like which are not produced in bulk by any industrial process are excluded from registration under the Act.

The features of the design in the finished article should appeal to and be judged solely by the eye. This implies that the design must appear and should be visible on the finished article for which it is meant. Thus, any design in the inside arrangement of a box, money purse or almirah may not be considered for showing such articles in the open state, as those articles are generally put in the market in the closed state.

Any mode or principle of construction or operation or anything which is in substance a mere mechanical device would not be a registrable design. For instance, a key having its novelty only in the shape of its corrugation or bend at the portion intended to engage with levers inside the lock associated with it cannot be registered as a design under the Act. However, when any design suggests any mode or principle of construction or mechanical or other action of a mechanism, a suitable disclaimer in respect thereof is required to be inserted on its representation, provided there are other registrable features in the design.

The design should not include any Trade Mark or property mark or artistic works as defined under the Copyright Act, 1957.
  64. 64. 65 CHAPTER 6 COPYRIGHT ACTS

6.1 COPYRIGHT?
Copyright is a legal concept, enacted by most governments, giving the creator of an original work exclusive rights to it, usually for a limited time. Generally, it is "the right to copy", but it also gives the copyright holder the right to be credited for the work, to determine who may adapt the work to other forms, who may perform the work, who may financially benefit from it, and other related rights. It is an intellectual property form (like the patent, the trademark, and the trade secret) applicable to any expressible form of an idea or information that is substantive and discrete.

Copyright initially was conceived as a way for government to restrict printing; the contemporary intent of copyright is to promote the creation of new works by giving authors control of and profit from them. Copyrights are said to be territorial, which means that they do not extend beyond the territory of a specific state unless that state is a party to an international agreement. Today, however, this is less relevant since most countries are parties to at least one such agreement. While many aspects of national copyright laws have been standardized through international copyright agreements, copyright laws of most countries have some unique features.

Typically, the duration of copyright is the whole life of the creator plus fifty to a hundred years from the creator's death, or a finite period for anonymous or corporate creations. Some jurisdictions have required formalities for establishing copyright, but most recognize copyright in any completed work, without formal registration. Generally, copyright is enforced as a civil matter, though some jurisdictions do apply criminal sanctions. Most jurisdictions recognize copyright limitations, allowing "fair" exceptions to the creator's exclusivity of copyright, and giving users certain rights.
The development of digital media and computer network technologies has prompted reinterpretation of these exceptions, introduced new difficulties in enforcing copyright, and inspired additional challenges to copyright law's philosophic basis. Simultaneously, businesses with great economic dependence upon copyright have advocated the extension and
