VIDYALANKAR SCHOOL OF INFORMATION TECHNOLOGY

BUSINESS LAW
INFORMATION TECHNOLGY ACT-2000 & CYBER CRIME
1
Index
Sr No Particular Page No
1 Introduction 3-4
2 Information Technology ACT 2000 5-13
3 Cyber Crime 14-18
4 Types of Crime 19-22
5 Cyber Criminal 23-25
6 Facts & Figures 26-29
7 Case Study 30-36
8 Conclusion 37-38
9 Bibliography 39-40
Introduction
2
Success in any field of human activity leads to crime that needs mechanisms to control it. Legal provisions
should provide assurance to users, empowerment to law enforcement agencies and deterrence to criminals. The
law is as stringent as its enforcement. Crime is no longer limited to space, time or a group of people. Cyber
space creates moral, civil and criminal wrongs. It has now given a new way to express criminal tendencies.
Bac in !""#, less than !##,### people were able to log on to the Internet worldwide. $ow around %## million
people are hooed up to surf the net around the globe.
&ith increased use of computers in homes and offices, there has been a proliferation of computer'related
crimes.
These crimes include(
)i* Crimes committed by using computers as a means, including conventional crimes.
)ii* Crimes in which computers are targets.
The Internet in India is growing rapidly. It has given rise to new opportunities in every field we can thin of +
be it entertainment, business, sports or education. There are two sides to a coin. Internet also has its own
disadvantages. ,ne of the ma-or disadvantages is Cybercrime + illegal activity committed on the Internet. The
Internet, along with its advantages, has also exposed us to security riss that come with connecting to a large
networ. Computers today are being misused for illegal activities lie e'mail espionage, credit card fraud,
spams, and software piracy and so on, which invade our privacy and offend our senses. Criminal activities in
the cyberspace are on the rise.
"The modern thief can steal more with a computer than with a gun. Tomorrow's terrorist may be able to
do more damage with a key board than with a bomb".
.ntil recently, many information technology )IT* professionals laced awareness of an interest in the cyber
crime phenomenon. In many cases, law enforcement officers have laced the tools needed to tacle the
problem/ old laws didn0t 1uite fit the crimes being committed, new laws hadn0t 1uite caught up to the reality of
what was happening, and there were few court precedents to loo to for guidance2 3urthermore, debates over
privacy issues hampered the ability of enforcement agents to gather the evidence needed to prosecute these new
cases. 3inally, there was a certain amount of antipathy4or at the least, distrust4 between the two most
important players in any effective fight against cyber crime( law enforcement agencies and computer
professionals. 5et close cooperation between the two is crucial if we are to control the cyber crime problem and
mae the Internet a safe 6place7 for its users.
In the world of cyber crime, evil bytes are fast replacing whi88ing bullets. The Indian authorities are aware of
the fight ahead. But the future does not loo optimistic, shares experts. Life is about a mix of good and evil. So
is the Internet. 3or all the good it does us, cyberspace has its dar sides too. .nlie conventional communities
3
though, there are no policemen patrolling the information super highway, leaving it open to everything from
Tro-an horses and viruses to cyber staling, trademar counterfeiting and cyber terrorism.
9iven the unrestricted number of free &eb sites, the Internet is undeniably open to exploitation. :nown as
cyber crimes, these activities involve the use of computers, the Internet, cyberspace and the &orld &ide &eb.
;<ny criminal activity that uses a computer either as an instrumentality, target or a means for perpetuating
further crimes comes within the ambit of cyber crime,; says Supreme Court advocate and cyber law expert
=avan >uggal.
&hile the worldwide scenario on cyber crime loos blea, the situation in India isn?t any better. There are no
concrete statistics but, according to >uggal, Indian corporate and government sites have been attaced order
faced more than @A# times between 3ebruary B#!# and >ecember B#!#.
.ntil recently, many information technology )IT* professionals laced awareness of an interest in the cyber
crime phenomenon. In many cases, law enforcement officers have laced the tools needed to tacle the
problem/ old laws didn0t 1uite fit the crimes being committed, new laws hadn0t 1uite caught up to the reality of
what was happening, and there were few court precedents to loo to for guidance. 3urthermore, debates over
privacy issues hampered the ability of enforcement agents to gather the evidence needed to prosecute these new
cases. 3inally, there was a certain amount of antipathy4or at the least, distrust4 between the two most
important players in any effective fight against cyber crime( law enforcement agencies and computer
professionals. 5et close cooperation between the two is crucial if we are to control the cyber crime problem and
mae the Internet a safe 6place 6for its users.
Law enforcement personnel understand the criminal mindset and now the basics of gathering evidence and
bringing offenders to -ustice. IT personnel understand computers and networs, how they wor, and how to
trac down information on them. Cach has half of the ey to defeating the cyber criminal.
IT professionals need good definitions of cybercrime in order to now when )and what* to report to police, but
law enforcement agencies must have statutory definitions of specific crimes in order to charge a criminal with
an offense. The first step in specifically defining individual cybercrimes is to sort all the acts that can be
considered cybercrimes into organi8ed categories.
Information Technology Act 2000
Connectivity via the Internet has greatly abridged geographical distances and made communication even more
rapid. &hile activities in this limitless new universe are increasing incessantly, laws must be formulated to
4
monitor these activities. Some countries have been rather vigilant and formed some laws governing the net. In
order to eep pace with the changing generation, the Indian =arliament passed the much'awaited Information
Technology <ct, B### .<s they say,
"It`s better late than never".
Dowever, even after it has been passed, a debate over certain controversial issues continues. < large portion of
the industrial community seems to be dissatisfied with certain aspects of the <ct. But on the whole, it is a step
in the right direction for India.
The Information Technology Act 2000, regulates the transactions relating to the computer and the Internet
.
The ob-ectives of the <ct as reflected in the =reamble to the <ct are(
!. The =reamble to the <ct states that it aims at providing legal recognition for transactions carried out by
means of electronic data interchange and other means of electronic communication, commonly referred to as
;electronic commerce;, which involve the use of alternatives to paper'based methods of communication and
storage of information and aims at facilitating electronic filing of documents with the 9overnment agencies.
B. To facilitate electronic filing of the document with the government of India. The 9eneral <ssembly of the
.nited $ations had adopted the Eodel Law on Clectronic Commerce adopted by the .nited $ations
Commission on International Trade Law ).$CITF<L* in its 9eneral <ssembly resolution <GFCSGH!G!%B
dated Ianuary J#, !""@. The Indian <ct is in eeping with this resolution that recommended that member
nations of the .$ enact and modify their laws according to the Eodel Law.
Thus with the enactment of this <ct, Internet transactions will now be recogni8ed, on'line contracts will be
enforceable and e'mails will be legally acnowledged. It will tremendously augment domestic as well as
international trade and commerce.
The Information Technology <ct extends to the whole of India and, saves as otherwise provided in this Act,
it applies also to any offence or contravention there under committed outside India by any person.
Dowever The <ct does not apply to(
!. a negotiable instrument as defined in section !J of the $egotiable Instruments <ct,!AA!/
B. a power'of'attorney as defined in section !< of the =owers'of' <ttorney <ct, !AAB/
J. a trust as defined in section J of the Indian Trusts <ct, !AAB/
K. < will as defined in clause )h* of section B of the Indian Succession <ct, !"BHincluding any other
testamentary disposition by whatever name called/
H. <ny contract for the sale or conveyance of immovable property or any interest in such property/
%. <ny such class of documents or transactions as may be notified by the Central 9overnment in the ,fficial
9a8ette.
5
Some of the Important Definition:
!.;Adjudicating officer; means an ad-udicating officer appointed under subsection of section K%/
B.;Affixing digital signature; with its grammatical variations and cognate expressions means adoption of any
methodology or procedure by a person for the purpose of authenticating an electronic record by means of
digital signature/
J.;Appropriate Government; means as respects any matter,4
)i* Cnumerated in List II of the Seventh Schedule to the Constitution/
)ii* Felating to any State law enacted under List III of the Seventh Schedule to the Constitution, the State
9overnment and in any other case, the Central 9overnment/
K.;Asymmetric crypto system; means a system of a secure ey pair consisting of a private ey for creating a
digital signature and a public ey to verify the digital signature/
H.;Certifying Authority; means a person who has been granted a licence to issue a >igital Signature
Certificate under section BK/
%.;Certification practice statement; means a statement issued by a Certifying <uthority to specify the
practices that the Certifying <uthority employs in issuing >igital Signature Certificates/
@.;Cyber Appellate Tribunal; means the Cyber Fegulations <ppellate Tribunal established under sub'section
)!* of section KA/
A.;Digital signature; means authentication of any electronic record by a subscriber by means of an electronic
method or procedure in accordance with the provisions of section J/
".;Digital Signature Certificate; means a >igital Signature Certificate issued under subsection of section JH/
!#.;Electronic form; with reference to information means any information generated, sent, received or stored
in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device/
!!.;Electronic Gazette; means the ,fficial 9a8ette published in the electronic form/
!B.;Secure system; means computer hardware, software, and procedure that4
)a* are reasonably secure from unauthorised access and misuse/
)b* provide a reasonable level of reliability and correct operation/
)c* are reasonably suited to performing the intended functions/ and
)d* adhere to generally accepted security procedures/
Legitimacy and Use of Digital Signatures
The <ct has adopted the =ublic :ey Infrastructure for securing electronic transactions. <s per Section J of the
<ct, a digital signature means an authentication of any electronic record by a subscriber by means of an
electronic method or procedure in accordance with the other provisions of the <ct. Thus a subscriber can
authenticate an electronic record by affixing his digital signature. < private ey is used to create a digital
6
signature whereas a public ey is used to verify the digital signature and electronic record. They both are
uni1ue for each subscriber and together form a functioning ey pair.
Section H provides that when any information or other matter needs to be authenticated by the signature of a
person, the same can be authenticated by means of the digital signature affixed in a manner prescribed by the
Central 9overnment.
.nder Section !#, the Central 9overnment has powers to mae rules prescribing the type of digital signature,
the manner in which it shall be affixed, the procedure to identify the person affixing the signature, the
maintenance of integrity, security and confidentiality of electronic records or payments and rules regarding any
other appropriate matters.
3urthermore, these digital signatures are to be authenticated by Certifying <uthorities )C<0s* appointed under
the <ct. These authorities would inter alias/ have the license to issue >igital Signature Certificates )>SC0s*.
The applicant must have a private ey that can create a digital signature. This private ey and the public ey
listed on the >SC must form the functioning ey pair
,nce the subscriber has accepted the >SC, he shall generate the ey pair by applying the security procedure.
Cvery subscriber is under an obligation to exercise reasonable care and caution to retain control of the private
ey corresponding to the public ey listed in his >SC. The subscriber must tae all precautions not to disclose
the private ey to any third party. If however, the private ey is compromised, he must communicate the same
to the Certifying <uthority )C<* without any delay.
Writing requirements
Section K of the <ct states that when under any particular law, if any information is to be provided in writing or
typewritten or printed form, then not withstanding that law, the same information can be provided in electronic
form, which can also be accessed for any future reference. This non'obstinate provision will mae it possible to
enter into legally binding contracts on'lineL
Attribution, Acknowledgement and Dispatch of Electronic Records
Cxplicates the manner in which electronic records are to be attributed, acnowledged and dispatched. These
provisions play a vital role while entering into agreements electronically.
Section !! states that an electronic record shall be attributed to the originator as if it was sent by him or by a
person authori8ed on his behalf or by an information system programmed to operate on behalf of the originator.
<s per Section !B, the addressee may acnowledge the receipt of the electronic record either in a particular
manner or form as desired by the originator and in the absence of such re1uirement, by communication of the
7
acnowledgement to the addresses or by any conduct that would sufficiently constitute acnowledgement.
$ormally if the originator has stated that the electronic record will be binding only on receipt of the
acnowledgement, then unless such acnowledgement is received, the record is not binding. Dowever, if the
acnowledgement is not received within the stipulated time period or in the absence of the time period, within a
reasonable time, the originator may notify the addressee to send the acnowledgement, failing which the
electronic record will be treated as never been sent.
Section !J specifies that an electronic record is said to have been dispatched the moment it leaves the computer
resource of the originator and said to be received the moment it enters the computer resource of the addressee.
Utility of electronic records and digital signatures in Government Audits Agencies
<ccording to the provisions of the <ct, any forms or applications that have to be filed with the appropriated
9overnment office or authorities can be filed or any license, permit or sanction can be issued by the
9overnment in an electronic form. Similarly, the receipt or payment of money can also tae place
electronically.
Eoreover, any documents or records that need to be retained for a specific period may be retained in an
electronic form provided the document or record is easily accessible in the same format as it was generated,
sent or received or in another format that accurately represents the same information that was originally
generated, sent or received. The details of the origin, destination, date and time of the dispatch or receipt of the
record must also be available in the electronic record.
3urthermore, when any law, rule, regulation or byelaw has to be published in the ,fficial 9a8ette of the
9overnment, the same can be published in electronic form. If the same are published in printed and electronic
form, the date of such publication will be the date on which it is first published.
Dowever, the above'mentioned provisions do not give a right to anybody to compel any Einistry or
>epartment of the 9overnment to use electronic means to accept issue, create, retain and preserve any
document or execute any monetary transaction. $evertheless, if these electronic methods are utili8ed, the
9overnment will definitely save a lot of money on paperL
Regulation of Certifying Authorities (CAs)
< C< is a person who has been granted a license to issue digital signature certificates. These C<s are to be
supervised by the Controller of C<s appointed by the Central 9overnment. >eputy or <ssistant Controllers
may also assist the Controller. The Controller will normally regulate and monitor the activities of the C<s and
lay down the procedure of their conduct.
8
The Controller has the power to grant and renew licenses to applicants to issue >SCs and at the same time has
the power to even suspend such a license if the terms of the license or the provisions of the <ct are breached.
The C<s has to follow certain prescribed rules and procedures and must comply with the provisions of the <ct.
Issuance, Suspension and Revocation of Digital Signature Certificates (DSCs)
<s per Section JH, any interested person shall mae an application to the C< for a >SC. The application shall
be accompanied by filing fees not exceeding Fs. BH,### and a certification practice statement or in the absence
of such statement/ any other statement containing such particulars as maybe prescribed by the regulations. <fter
scrutinising the application, the C< may either grant the >SC or re-ect the application furnishing reasons in
writing for the same.
&hile issuing the >SC, the C< must inter alias, ensure that the applicant holds a private ey which is capable
of creating a digital signature and corresponds to the public ey to be listed on the >SC. Both of them together
should form a functioning ey pair.
The C< also has the power to suspend the >SC in public interest on the re1uest of the subscriber listed in the
>SC or any person authorised on behalf of the subscriber. Dowever, the subscriber must be given an
opportunity to be heard if the >SC is to be suspended for a period exceeding fifteen days. The C< shall
communicate the suspension to the subscriber.
There are two cases in which the >SC can be revoed. 3irstly, as per Section JA )!*, it may be revoed either
on the re1uest or death of the subscriber or when the subscriber is a firm or company, on the dissolution of the
firm or winding up of the company. Secondly, according to Section JA)B*, the C< may sue moto revoe it if
some material fact in the >SC is false or has been concealed by the subscriber or the re1uirements for issue of
the >SC are not fulfilled or the subscriber has been declared insolvent or dead et al. < notice of suspension or
revocation of the >SC must be published by the C< in a repository specified in the >SC.
Penalties for Computer Crimes
<s per the <ct, civil liability and stringent criminal penalties may be imposed on any person who causes
damage to a computer or computer system. The offender would be liable to pay compensation not exceeding
Fs.! Crore )!# million* for gaining unauthori8ed access to a computer or computer system, damaging it,
introducing a virus in the system, denying access to an authori8ed person or assisting any person in any of the
above activities.
3urthermore, the <ct also defines specific penalties for violation of its provisions or of any rules or regulations
made there under. Dowever, if any person contravenes any rules or regulations framed under the <ct for which
no specific penalty is prescribed, he will be liable to pay compensation not exceeding Fs. BH,###.
9
Eoreover, any person who intentionally or nowingly tampers with computer source documents would be
penali8ed with imprisonment up to three years or a fine of up to Fs. B lah or both. In simpler terminology,
hacing is made punishable.
The <ct also disallows the publishing and dissemination of obscene information and material. The introduction
of this provision should curtail pornography over the net. <ny person who disobeys this provision will be
punishable with imprisonment of two years and a fine of Fs. BH,### for the first conviction. In the event of a
subse1uent conviction, the imprisonment is five years and the fine double to Fs. H#,###.
The Controller has the power to issue directions for complying with the provisions of the <ct. 3ailure to
comply with his directions is punishable. Eoreover, the interference with protected systems or the reluctance to
assist a 9overnment <gency to intercept information in order to protect state sovereignty and security is also
made punishable.
The ad-udicating court also has the powers to confiscate any computer, computer system, floppies, compact
diss, tape drives or any accessories in relation to which any provisions of the <ct are being violated. $o
penalty or confiscation made under this <ct will affect the imposition of any other punishment under any other
law in force.
If penalties that are imposed under the <ct are not paid, they will be recovered, as arrears of land revenue and
the licence or >SC shall be suspended till the penalty is paid.
Adjudicating Officers
The Central 9overnment shall appoint an officer not below the ran of >irector to the 9overnment of India or
e1uivalent officer of the State 9overnment as an ad-udicating officer to ad-udicate upon any in1uiry in
connection with the contravention of the <ct. Such officer must have the legal and -udicial experience as may
be prescribed by the Central 9overnment in that behalf.
The <d-udicating ,fficer must give the accused person an opportunity to be heard and after being satisfied that
he has violated the law, penalise him according to the provisions of the <ct. &hile ad-udicating, he shall have
certain powers of a Civil Court.
Cyber Regulations Appellate Tribunal (CRAT)
< Cyber Fegulations <ppellate Tribunal )CF<T* is to be set up for appeals from the order of any ad-udicating
officer. Cvery appeal must be filed within a period of forty'five days from the date on which the person
10
aggrieved receives a copy of the order made by the ad-udicating officer. The appeal must be the appropriate
form and accompanied by the prescribed fee. <n appeal may be allowed after the expiry of forty'five days if
sufficient cause is shown.
The appeal filed before the Cyber <ppellate Tribunal shall be dealt with by it as expeditiously as possible and
endeavour shall be made by it to dispose of the appeal finally within six months from the date of receipt of the
appeal. The CF<T shall also have certain powers of a civil court.
<s per Section %!, no court shall have the -urisdiction to entertain any matter that can be decided by the
ad-udicating officer or the CF<T. Dowever, a provision has been made to appeal from the decision of the
CF<T to the Digh Court within sixty days of the date of communication of the order or decision of the CF<T.
The stipulated period may be extended if sufficient cause is shown. The appeal may be made on either any
1uestion of law or 1uestion of fact arising from the order.
Police Powers
< police officer not below the ran of deputy superintendent of police has the power to enter any public place
and arrest any person without warrant if he believes that a cyber crime has been or is about to be committed.
This provision may not turn to be very effective for the simple reason that most of the cyber crimes are
committed from private places such as one0s own home or office. Cyber'cafMs and public places are rarely used
for cyber crimes. Dowever, if the <ct did give the police department powers to enter people0s houses without
search warrants, it would amount to an invasion of the right to privacy and create pandemonium. :eeping this
in mind, the Legislature has tried to balance this provision so as to serve the ends of -ustice and at the same
time, avoid any chaos.
,n being arrested, the accused person must, without any unnecessary delay, be taen or sent to the magistrate
having -urisdiction or to the officer'in'charge of a police station. The provisions of the Code of Criminal
=rocedure, !"@J shall apply in relation to any entry, search or arrest made by the police officer.
Network Service Providers not liable in certain cases
To 1uote Section @A, it states(
;3or the removal of doubts, it is hereby declared that no person providing any service as a networ service
provider shall be liable under this <ct, rules or regulations made there under for any third party information or
data made available by him if he proves that the offence or contravention was committed without his
nowledge or that he had exercised all due diligence to prevent the commission of such offence or
contravention.;
;Cxplanation. 3or the purposes of this section,
)a* $etwor service provider means an intermediary/
11
)b* Third party information means any information dealt with by a networ service provider in his capacity as an
intermediary.;
Thus a plain reading of the section indicates that if the networ service provider is unable to prove its innocence
or ignorance, it will be held liable for the crime.
Possible Uses of E-Governance-
The future of e'governance is very bright. &ith the help of information technology, the daily matters can be
effectively taen care of irrespective of the field covered by it. 3or instance, the >elhi =olice Dead1uarter has
launched a website, which can be used for lodging a 3irst Information Feport Similarly/ the =atna Digh Court
has taen a bold step of granting bail on the basis of an online bail application. The educational institutions,
including universities, are issuing admission forms electronically, which can be downloaded from their
respective websites. The results of examinations of various educational institutions, both school level and
university level, are available online, which can be obtained without any trouble. These are but some of the
instances of the use of technology for a better e'governance. The beneficial concept of e'governance can be
utili8ed for the following purposes(
N To have access to public documents.
N 3or maing online payments of various bills and dues.
N To file statutory documents online.
N To file the complaints, grievances and suggestions of citi8ens online.
N The online facility can be used to enter into a partnership the appropriate government in cases of government
contracts.
N The citi8ens can use the online facility to file their income tax returns.
N The citi8ens will en-oy the facility of online services.
Digital Signature
>igital Signature means authentication of any electronic record by a subscriber by means of an electronic
method or procedure.
Fapid developments in e'business pose a growing need for online security and authentication. Eany emerging
technologies are being developed to provide online authentication. The ma-or concern in e'business transactions
is the need for the replacement of the hand'written signature with an online0 signature. The traditional e'mail
system, which has problems of message integrity and non'repudiation, does not fulfil the basic re1uirements for
an online signature. 3urther, since the Internet communication system is prone to various types of security
breaches, the discussion of robust and authenticated e'business transactions is incomplete without consideration
of Osecurity0 as a prominent aspect of Oonline signatures0.
12
,ne may consider an e'signature as a type of electronic authentication. Such authentication can be achieved by
means of different types of technologies. < >igital Signature )>S* can be considered as a type of e'signature,
which uses a particular ind of technology that is >S technology.>S technology involves encrypting messages
in such a way that only legitimate parties are able to decrypt the message. Two separate but interrelated Oeys0
carry out this process of encryption and decryption.
,ne party in the transactions holds the secret ey, or the private ey, and the other party holds the public ey or
the ey with wide access. The selection and use of an encryption techni1ue plays a crucial role in the design
and development of eys. In short, a >S satisfies all the functions, such as authenticity, non'repudiation, and
security, of a hand'written signature. Such a Osignature0 can be viewed as a means of authentication and can be
owned by an individual. &hile using this technology, there must be third party involvement orders to handle
the liability issues that may be raised by bilateral transactions. &ith this existing legal infrastructure and the
rapid emergence of software security products, it is important to understand the role of emerging technologies
lie >S in e'business. ,ne of the ma-or indicators of technological improvements is the maret development
and commerciali8ation of that technology.
Introduction to Cyber Crime
The first recorded cyber crime too place in the year !AB#L That is not surprising considering the fact that the
abacus, which is thought to be the earliest form of a computer, has been around since JH## B.C. in India, Iapan
and China. The era of modern computers, however, began with the analytical engine of Charles Babbage. Cyber
13
crime is an evil having its origin in the growing dependence on computers in modern life. In a day and age
when everything from microwave ovens and refrigerators to nuclear power plants is being run on computers,
cyber crime has assumed rather sinister implications. Ea-or Cyber crimes in the recent past include the
Citiban rip off. .S P !# million were fraudulently transferred out of the ban and into a ban account in
Swit8erland. < Fussian hacer group led by Qladimir :evin, a renowned hacer, perpetrated the attac. The
group compromised the ban?s security systems. Qladimir was allegedly using his office computer at <,
Saturn, a computer firm in St. =etersburg, Fussia, to brea into Citi ban computers. De was finally arrested on
Deathrow airport on his way to Swit8erland.
.nited $ations0 >efinition of Cybercrime
Cybercrime spans not only state but national boundaries as well. =erhaps we should loo to international
organi8ations to provide a standard definition of the crime. <t the Tenth .nited $ations Congress on the
=revention of Crime and Treatment of ,ffenders, in a worshop devoted to the issues of crimes related to
computer networs, cybercrime was broen into two categories and defined thus(
a. Cybercrime in a narrow sense )computer crime*( <ny illegal behaviour directed by means of electronic
operations that targets the security of computer systems and the data processed by them.
b. Cybercrime in a broader sense )computer'related crime*( <ny illegal behaviour committed by means of, or in
relation to, a computer system or networ, including such crimes as illegal possession RandS offering or
distributing information by means of a computer system or networ.
,f course, these definitions are complicated by the fact that an act may be illegal in one nation but not in
another.
There are more concrete examples, including
i. .nauthori8ed access
ii >amage to computer data or programs
iii Computer sabotage
iv .nauthori8ed interception of communications
v Computer espionage
These definitions, although not completely definitive, do give us a good starting point4one that has some
international recognition and agreement4for determining -ust what we mean by the term cybercrime.
In Indian law, cyber crime has to be voluntary and wilful, an act or omission that adversely affects a person or
property. The IT <ct provides the bacbone for e'commerce and India0s approach has been to loo at e'
governance and e'commerce primarily from the promotional aspects looing at the vast opportunities and the
14
need to sensiti8e the population to the possibilities of the information age. There is the need to tae in to
consideration the security aspects.
In the present global situation where cyber control mechanisms are important we need to push cyber laws.
Cyber Crimes are a new class of crimes to India rapidly expanding due to extensive use of internet. 9etting the
right lead and maing the right interpretation are very important in solving a cyber crime. The @ stage
continuum of a criminal case starts from perpetration to registration to reporting, investigation, prosecution,
ad-udication and execution. The system cannot be stronger than the weaest lin in the chain. In India, there
are J# million policemen to train apart from !B,### strong Iudiciary. =olice in India are trying to become cyber
crime savvy and hiring people who are trained in the area. Cach police station in >elhi will have a computer
soon which will be connected to the Dead Tuarter.. The pace of the investigations however can be faster/
-udicial sensitivity and nowledge need to improve. 3ocus needs to be on educating the police and district
-udiciary. IT Institutions can also play a role in this area.
Technology nuances are important in a spam infested environment where privacy can be compromised and
individuals can be sub-ected to become a victim unsuspectingly. &e need to sensiti8e our investigators and
-udges to the nuances of the system. Eost cyber criminals have a counter part in the real world. If loss of
property or persons is caused the criminal is punishable under the I=C also. Since the law enforcement agencies
find it is easier to handle it under the I=C, IT <ct cases are not getting reported and when reported are not
necessarily dealt with under the IT <ct. < lengthy and intensive process of learning is re1uired.
< whole series of initiatives of cyber forensics were undertaen and cyber law procedures resulted out of it.
This is an area where learning taes place every day as we are all beginners in this area. &e are looing for
solutions faster than the problems can get invented. &e need to move faster than the criminals. The real issue is
how to prevent cyber crime. 3or this, there is need to raise the probability of apprehension and conviction. India
has a law on evidence that considers admissibility, authenticity, accuracy, and completeness to convince the
-udiciary. The challenge in cyber crime cases includes getting evidence that will stand scrutiny in a foreign
court.
3or this India needs total international cooperation with specialised agencies of different countries. =olice has to
ensure that they have sei8ed exactly what was there at the scene of crime, is the same that has been analysed
and the report presented in court is based on this evidence. It has to maintain the chain of custody. The threat is
not from the intelligence of criminals but from our ignorance and the will to fight it. The law is stricter now on
producing evidence especially where electronic documents are concerned.
The computer is the target and the tool for the perpetration of crime. It is used for the communication of the
criminal activity such as the in-ection of a virusGworm which can crash entire networs.
15
The Information Technology )IT* <ct, B###, specifies the acts which have been made punishable. Since the
primary ob-ective of this <ct is to create an enabling environment for commercial use of I.T., certain omissions
and commissions of criminals while using computers have not been included. &ith the legal recognition of
Clectronic Fecords and the amendments made in the several sections of the I=C vide the IT <ct, B###, several
offences having bearing on cyber'arena are also registered under the appropriate sections of the I=C.
Cybercrime is not on the decline. The latest statistics show that cybercrime is actually on the rise. Dowever, it is
true that in India, cybercrime is not reported too much about. Conse1uently there is a false sense of
complacency that cybercrime does not exist and that society is safe from cybercrime. This is not the correct
picture. The fact is that people in our country do not report cybercrimes for many reasons. Eany do not want to
face harassment by the police. There is also the fear of bad publicity in the media, which could hurt their
Feputation and standing in society. <lso, it becomes extremely difficult to convince the police to register any
cybercrime, because of lac of orientation and awareness about cybercrimes and their registration and handling
by the police.
< recent survey indicates that for every A## cybercrime incidents that tae place, only H# are reported to the
police and out of that only one is actually registered. These figures indicate how difficult it is to convince the
police to register a cybercrime. The establishment of cybercrime cells in different parts of the country was
expected to boost cybercrime reporting and prosecution. Dowever, these cells haven0t 1uite ept up with
expectations. $eti8ens should not be under the impression that cybercrime is vanishing and they must reali8e
that with each passing day, cyberspace becomes a more dangerous place to be in, where criminals roam freely
to execute their criminals intentions encouraged by the so called anonymity that internet provides.
The absolutely poor rate of cyber crime conviction in the country has also not helped the cause of regulating
cybercrime. There have only been few cybercrime convictions in the whole country, which can be counted on
fingers. &e need to ensure that we have speciali8ed procedures for prosecution of cybercrime cases so as to
tacle them on a priority basis. This is necessary so as to win the faith of the people in the ability of the system
to tacle cybercrime. &e must ensure that our system provides for stringent punishment of cybercrimes and
cyber criminals so that the same acts as a deterrent for others.
What is a Computer Crime?
a. Criminals Can Operate Anonymously Over the Computer Networks.
!. Be careful about taling to ;strangers; on a computer networ. &ho are these people anyway2 Femember
that people online may not be who they seem at first. $ever respond to messages or bulletin board items that
are( Suggestive of something improper or indecent/ ,bscene, filthy, or offensive to accepted standards of
16
decency/ Belligerent, hostile, combative, very aggressive/ and Threaten to do harm or danger towards you or
another
B. Tell a grown'up right away if you come across any information that maes you feel uncomfortable.
J. >o not give out any sensitive or personal information about you or your family in an Internet ;chat room.;
Be sure that you are dealing with someone you and your parents now and trust before giving out any personal
information about yourself via e'mail.
K. $ever arrange a face'to'face meeting without telling your parents or guardians. If your parent or guardian
agrees to the meeting, you should meet in a public place and have a parent or guardian go with you.
b. Hackers Invade Privacy
!. >efine a hacer +
< hacer is someone who breas into computers sometimes to read private e'mails and other files.
B. &hat is your privacy worth2 &hat information about you or your parents do you thin should be considered
private2
3or example, medical information, a diary, your grades, how much money your parents owe, how much money
your family has in as savings account or in a home safe, and your letters to a friend. &ould this ind of invasion
of your privacy be any different than someone breaing into your school locer or your house to get this
information about you and your family2
c. Hackers Destroy "Property" in the Form of Computer Files or Records
!. Dacers delete or alter files
B. &hen you write something, lie a term paper or report, how important is it to be able to find it again2
&ould this be different if someone broe into your locer and stole your term paper2
J. Dow important is it that data in computers lie your term paper, a letter, your ban records, and medical
records, not be altered2 Dow important is it for a drug company or a pharmacy to not have its computer
files altered or deleted by hacers2 &hat would happen if a hacer altered the chemical formulas for
prescription drugs, or theflight patterns and other data in air traffic control computers2 &hat does the term
;tamper; mean2 To interfere in a harmful way or to alter improperly. Is tampering with computer files
different from tampering that occurs on paper files or records2
d. Hackers Injure Other Computer Users by Destroying Information Systems
!. Dacers cause victims to spend time and money checing and re'securing systems after brea'in. They
also cause them to interrupt service. They thin its fine to brea'in and snoop in other people?s files as long
as they don?t alter anything. They thin that no harm has been done.
17
B. Dacers steal telephone and computer time and share unauthori8ed access codes and passwords. Euch
of the stealing is very low'tech.;Social engineering; is a term used among cracers for cracing techni1ues
that rely on weanesses in human beings rather than on software. ;>umpster diving; is the practice of
sifting refuse from an office or technical installation to extract confidential data, especially security
compromising information. &ho do you thin pays for this2 Dow much stealing of computer time do you
thins there is2 3or example, there is PB billion annually in telephone toll fraud alone. &ould you want
someone going through your garbage2 Dave you ever thrown away private papers or personal notes.
J. Dacers crash systems that cause them to malfunction and not wor.
Dow do we use computer information systems in our daily lives2 &hat could happen if computers suddenly
stopped woring2 3or example, would public health and safety be disrupted and lives are endangered if
computers went down2
e. Computer "Pirates" Steal Intellectual Property
!. Intellectual property is the physical expression of ideas contained in boos, music, plays, movies, and
computer software. Computer pirates steal valuable property when they copy software, usic,
graphicsGpictures, movies, boos )all available on the Internet*.
B. Dow is the person who produced or developed these forms of entertainment harmed2 Is this different
from stealing a product )computer hardware* which someone has invented and manufactured2 &ho pays
for this theft2
J. It may seem simple and safe to copy recordings, movies and computer programs by installing a peer'to'
peer )=B=* file sharing software program. Dowever, most material that you may want to copy is protected
by copyright which means that you are restricted from maing copies unless you have permission to do so.
Eaing copies of intellectual property including music, movies and software''without the right to do so is
illegal. =B= software and the files traded on the =B=networs may also harm your computer by installing
viruses or spyware, or allow others to access the files contained on your hard drive beyond those you
intend to share.
K. Copyright violations have civil and criminal remedies.
a. Civil remedy: copyright holder can sue infringer for money to cover loss of sales or other loss caused by
infringement.
b.Criminal remedy: -ail or fine paid to the government )not copyright holder* where person infringes a
copyright for commercial advantage or private gain. 3or example, a person who maes multiple copies of a
video, and sell the copies.
18
Defining Cyber Crime
>efining cyber crimes, as ;acts that are punishable by the Information Technology <ct; would be unsuitable as the
Indian =enal Code also covers many cyber crimes, such as email spoofing and cyber defamation, sending
threatening emails etc. < simple yet sturdy definition of cyber crime would be ;unlawful acts wherein the computer
is either a tool or a target or both;.
Financial crimes
This would include cheating, credit card frauds, money laundering etc.To cite a recent case, a website offered to sell
<lphonso mangoes at a throwaway price. >istrusting such a transaction, very few people responded to or supplied
the website with their credit card numbers. These people were actually sent the <lphonso mangoes. The word about
this website now spread lie wildfire. Thousands of people from all over the country responded and ordered
mangoes by providing their credit card numbers. The owner0s of what was later proven to be a bogus website then
fled taing the numerous credit card numbers and proceeded to spend huge amounts of money much to the chagrin
of the card owners.
Cyber pornography
This would include pornographic websites/ pornographic maga8ines produced using computers )to publish and print
the material* and the Internet )to download and transmit pornographic pictures, photos, writings etc*. Fecent Indian
incidents revolving around cyber pornography include the <ir 3orce Balbharati School case. < student of the <ir
3orce Balbharati School, >elhi, was teased by all his classmates for having a pocmared face. Tired of the cruel
-oes, he decided to get bac at his tormentors. De scanned photographs of his classmates and teachers, morphed
them with nude photographs and put them up on a website that he uploaded on to a free web hosting service. It was
only after the father of one of the class girls featured on the website ob-ected and lodged a complaint with the police
that any action was taen.
In another incident, in Eumbai a Swiss couple would gather slum children and then would force them to appear for
obscene photographs. They would then upload these photographs to websites specially designed for paedophiles.
The Eumbai police arrested the couple for pornography.
Sale of illegal articles
This would include sale of narcotics, weapons and wildlife etc., by posting information on websites, auction
websites, and bulletin boards or !%@simply by using email communication. C.g. many of the auction sites even in
India are believed to be selling cocaine in the name of ?honey?.
Phishing
In computing, phishing )also nown as carding and spoofing* is a form of social engineering, characteri8ed by
attempts to fraudulently ac1uire sensitive information, such as passwords and credit card details, by mas1uerading as
19
a trustworthy person or business in an apparently official electronic communication, such as an email or an instant
message. The term phishing arises from the use of increasingly sophisticated lures to ;fish; for users? financial
information and passwords.
Online gambling
There are millions of websites/ all hosted on servers abroad, that offer online gambling. In fact, it is believed that
many of these websites are actually fronts for money laundering.
Intellectual Property crimes
These include software piracy, copyright infringement, trademars violations, theft of computer source code etc.
Email spoofing
< spoofed email is one that appears to originate from one source but actually has been sent from another source. C.g.
=oo-a has an e'mail addresspoo-aUasianlaws.org. Der enemy, Sameer spoofs her e'mail and sends obscene
messages to all her ac1uaintances. Since the e'mails appear to have originated from =oo-a, her friends could tae
offence and relationships could be spoiled for life. Cmail spoofing can also cause monetary damage. Inan <merican
case, a teenager made millions of dollars by spreading false information about certain companies whose shares he
had short sold. This misinformation was spread by sending spoofed emails, purportedly from news agencies lie
Feuters, to share broers and investors who were informed that the companies were doing very badly. Cven after the
truth came out the values of the shares did not go bac to the earlier levels and thousands of investors lost a lot of
money.
Forgery
Counterfeit currency notes, postage and revenue stamps, mar sheet set can be forged using sophisticated computers,
printers and scanners. ,utside many colleges across India, one finds touts soliciting the sale of fae mar sheets or
even certificates. These are made using computers, and high 1uality scanners and printers. In fact, this has becoming
a booming business involving thousands of Fupees being given to student gangs in exchange for these bogus but
authentic looing certificates.
Cyber Defamation
This occurs when defamation taes place with the help of computers and or the Internet. C.g. someone publishes
defamatory matter about someone on a website or sends e'mails containing defamatory information to all of that
person?s friends.
Cyber stalking
The ,xford dictionary defines staling as ;pursuing stealthily;. Cyber taling involves following a person?s
movements across the Internet by posting messages )sometimes threatening* on the bulletin boards fre1uented by the
20
victim, entering the chat'rooms fre1uented by the victim, constantly bombarding the victim with emails etc.
3re1uently .sed Cyber Crimes .nauthori8ed access to computer systems or networs
This activity is commonly referred to as hacing. The Indian law hash owever given a different connotation to the
term hacing, so we will not usethe term ;unauthori8ed access; interchangeably with the term ;hacing7. Theft of
information contained in electronic form this includes information stored in computer hard diss, removable storage
media etc
Email bombing
Cmail bombing refers to sending a large number of emails to the victim resulting in the victim?s email account )in
case of an individual* or mail servers )in case of a company or an email service provider* crashing.
Some of the ma-or email related crimes are(
!. Cmail spoofing
B. Sending malicious codes through email
J. Cmail bombing
K. Sending threatening emails
H. >efamatory emails
%. Cmail frauds
Data diddling
This ind of an attac involves altering raw data -ust before it is processed by a computer and then changing it bac
after the processing is completed. Clectricity Boards in India have been victims to data diddling programs inserted
when private parties were computeri8ing their systems.
Salami attacks
These attacs are used for the commission of financial crimes. The ey here is to mae the alteration so insignificant
that in a single case it would go completely unnoticed.
Denial of Service attack
This involves flooding a computer resource with more re1uests than it can handle. This causes the resource )e.g. a
web server* to crash thereby denying authori8ed users the service offered by the resource. <nother variation to a
typical denial of service attac is nown as a >istributed >enial of Service )>>oS* attac wherein the perpetrators
are many and are geographically widespread. It is very difficult to control such attacs. The attac is initiated by
sending excessive demands to the victim?s computer)s*, exceeding the limit that the victim?s servers can support and
maing the server0s crash.
Virus / worm attacks
21
Qiruses are programs that attach themselves to a computer or a file and then circulate themselves to other files and to
other computers on a net wor. They usually affect the data on a computer, either by altering or deleting it. &orms,
unlie viruses do not need the host to attach themselves to. They merely mae functional copies of themselves and
do this repeatedly till they eat up all the available space on a computer?s memory
Logic bombs
These are event dependent programs. This implies that these programs are created to do something only when a
certain event )nown as a trigger event* occurs. C.g. even some viruses may be termed logic bombs because they lie
dormant all through the year and become active only on a particular date
Trojan attacks
< Tro-an as this program is aptly called is an unauthori8ed program which functions from inside what seems to be
an authori8ed program, thereby concealing what it is actually doing.
Internet time thefts
This connotes the usage by an unauthori8ed person of the Internet hours paid for by another person. In a case
reported before the enactment of the Information Technology <ct, B### Colonel Ba-wa, a resident of $ew >elhi,
ased a nearby net cafe owner to come and set up his Internet connection. 3or this purpose, the net cafe owner
needed to now his username and password. <fter having set up the connection he went away with nowing the
present username and password. De then sold this information to another net cafe. ,ne wee later Colonel Ba-wa
found that his Internet hours were almost over. ,ut of the !## hours that he had bought, "K hours had been used up
within the span of that wee. Surprised, he reported the incident to the >elhi police. The police could not believe
that time could be stolen. They were not aware of the concept of time'theft at all. Colonel Ba-wa?s report was
re-ected. De decided to approach The Times of India, $ew >elhi. They, in turn carried are port about the inade1uacy
of the $ew >elhi =olice in handling cybercrimes. The Commissioner of =olice, >elhi then too the case into his
own hands and the police under his directions raided and arrested the net cafe owner under the charge of theft as
defined by the Indian =enal Code. The net cafe owner spent several wees loced up in Tihar -ail before being
granted bail
Web jacking
This occurs when someone forcefully taes control of a website )by cracing the password and later changing it*.
The actual owner of the website does not have any more control over what appears on that website in a recent
incident reported in the .S< the owner of a hobby website for children received an e'mail informing her that a
group of hacers had gained control over her website.
Theft of computer system This type of offence involves the theft of a computer, some parts of a computer or a
peripheral attached to the computer. =hysically damaging a computer system. This crime is committed by physically
damaging a Computer or its peripherals.
Cyber Criminals
22
Kids (age group 9-16 etc.)
It seems really difficult to believe but it is true. Eost amateur hacers and cyber criminals are teenagers. To them,
who have -ust begun to understand what appears to be a lot about computers, it is a matter of pride to have haced
into a computer system or a website. There is also that little issue of appearing really smart among friends. These
young rebels may also commit cyber crimes without really nowing that they are doing anything wrong.
Organized hacktivists
Dactivists are hacers with a particular )mostly political* motive. In other cases this reason can be social activism,
religious activism, etc. The attacs on approximately B## prominent Indian websites by a group of hacers nown as
=aistani Cyber &arriors are a good example of political hactivists at wor.
Disgruntled employees
,ne can hardly believe how spiteful displeased employees can become. Till now they had the option of going on
strie against their bosses. $ow, with the increase independence on computers and the automation of processes, it is
easier for disgruntled employees to do more harm to their employers by committing computer related crimes, which
can bring entire systems down.
Professional hackers (corporate espionage)
Cxtensive computeri8ation has resulted in business organi8ations storing all their information in electronic form.
Fival organi8ations employ hacers to steal industrial secrets and other information that could be beneficial to them.
The temptation to use professional hacers for industrial espionage also stems from the fact that physical presence
re1uired to gain access to important documents is rendered needless if hacing can retrieve those.
Denial of Service Tools
>enial'of'service )or >oS* attacs are usually launched to mae a particular service unavailable to someone who is
authori8ed to use it. These attacs may be launched using one single computer or many computers across the world.
In the latter scenario, the attac is nown as a distributed denial of service attac. .sually these attacs do not
necessitate the need to get access into anyone?s system.
These attacs have been getting decidedly more popular as more and more people reali8e the amount and magnitude
of loss, which can be caused through them.
&hat are the reasons that a hacer may want to resort to a >oS attac2 De may have installed a Tro-an in the
victim?s computer but needed to have the computer restarted to activate the Tro-an. The other good reason also may
be that a business may want to harm a competitor by crashing his systems.
>enial'of'service attacs have had an impressive history having, in the past, bloced out websites lie <ma8on,
C$$, 5ahoo and eBay. The attac is initiated by sending excessive demands to the victim?s computer?s, exceeding
23
the limit that the victim?s servers can support and maing the server0s crash. Sometimes, many computers are
entrenched in this process by installing a Tro-an on them/ taing control of them and then maing them send
numerous demands to the targeted computer. ,n the other side, the victim of such an attac may see many such
demands )sometimes even numbering tens of thousands* coming from computers from around the world.
.nfortunately, to be able to gain control over a malicious denial'of'service attac would re1uire tracing all the
computers involved in the attac and then informing the owners of those systems about the attac. The compromised
system would need to be shut down or then cleaned. This process, which sounds fairly simple, may prove very
difficult to achieve across national and later organi8ational borders.
Cven when the source)s* of the attac are traced there are many problems, which the victim may be faced with. De
will need to inform all the involved organi8ations in control of the attacing computers and as them to either clean
the systems or shut them down. <cross international boundaries this may prove to be a titanic tas. The staff of the
organi8ation may not understand the language. They may not be present if the attac were to be launched during the
night or during weeends.
The computers that may have to be shut down may be vital for their processes and the staff may not have the
authority to shut them down. The staff may not understand the attac, system administration, networ topology, or
any number of things that may delay or halt shutting down the attacing computers. ,r, more simply, the
organi8ation may not have the desire to help.
If there are hundreds or even thousands of computers on the attac, with problems lie the ones mentioned above,
the victim may not be able to stop the attac for days by which time the damage would have been done. Dis servers
would be completely incapacitated to administer to so many demands and conse1uently would crash. It is very
simple for anyone to launch an attac because denial'of'service tools can easily be procured from the $et. The
ma-or versions of distributed denial of service attac tools are Trinoo )or trin##*, T3$, T3$B:and Stacheldraht.
>enial'of'Service tools allow the attacers to automate and preset the times and fre1uencies of such attacs so that
the attac is launched and then stopped to be launched once again later. This maes it very difficult, in fact almost
impossible, to trace the source of the attac.
These tools also provide another service by which the attacing computer can change its source address randomly
thereby maing it seem as if the attac is originating from many thousands of computers while in reality there may
be only a few. >istributed denial'of'service attacs are a very perturbing problem for law enforcement agencies
mainly because they are very difficult to trace. In addition, usually these attacs are directed towards very sensitive
systems or networs sometimes even those that are vital to national security. Sometimes, even when the perpetrators
can be traced, international extradition laws may prove to be a hitch in bringing them under the authority of the law.
<s seen above that how the cyber crime have been escalating in the India and the damage it can do to a company,
hence to protect the importance of privacy of a company the government of India reali8ed the significance to create
24
a governance to regulate and eep a tab on the activity of cyber crime. The main aim to create the Information
Technology Act 2000 was to safeguard a business organi8ation from cyber crime
Facts and Figures
25
In B##%, this number more than doubled to B## incidents. $ot only
were attacs being launched in India but B##% saw the maximum phishing
attacs being launched from India on other countries as well. Security expert, Surinder Singh says, ?<s per
&eb'sense Security Lab, we find that at any given point in time in B##%, there were B to J## websites
being hosted. There was a spurt in ,ctober where we identified @"# websites
which were hosted in India and being used to carry out attacs.
7The .nited States remains at the top with BA.@AV of all phishing sites
located out of the .nited States and !!."%V out of China. :orea, 9ermany,
<ustralia, Canada, Iapan, .nited :ingdom, Italy and India are the other
countries where phishing attacs are prevalent. <s of now, B.!!V of the
phishing sites are located in India.
Singh says, ?India on the threshold of having more and more people getting into online baning or taing online
personal loans. So, it won?t be a surprise if someday someone tells me that out of the total si8e of frauds
happening ' India would be at !V or BV ' but even that would be Fs B## crore.7
KB# cases were registered under IT <ct during the year B##" as compared to BAA cases during the previous year
)B##A* thereby reporting an increase of KH.AV in B##" over B##A. BJ.!V cases )"@ out of KB# cases* were
reported from :arnataa followed by :erala )%K*, Eaharashtra )HJ*, <ndhra =radesh )J#* and =un-ab )BA*.
JJ.!V )!J" cases* of the total KB# cases registered under IT <ct B### were related to obscene
publicationGtransmission in electronic form, normally nown as cyber pornography. !K! persons were
arrested for committing such offences during B##". There were BJJ cases of Dacing with
Computer Systems during the year wherein !#@ persons were arrested.
,ut of the total )BJJ* Dacing cases, the cases relating to Loss G >amage of computer resourceGutility under
Sec %%)!* of the IT <ct were K".KV )!!H cases* whereas the cases related to Dacing under Section %%)B* of IT
<ct were H#.%V )!!A cases*. Eaharashtra )BH*,<ndhra =radesh )B!* and :erala )!H* registered maximum cases
under Sec %%)!* of the IT <ct out of total !!H such cases at the $ational level. ,ut of the total !!A cases
relating to Dacing under Sec. %%)B*, most of the cases )"! cases* were reported from :arnataa followed by
Tamil $adu )A* and Eadhya =radesh )%*. B@.!V of the BAA persons arrested in cases relating to IT <ct,B###
were from Eaharashtra )@A* followed by :erala )K@*. The age'wise profile of persons arrested in Cyber Crime
cases under IT <ct, B### showed that %K.%V of the offenders were in the age group !A + J# years )!A% out of
26
BAA* and BA.AV of the offenders were in the age group J# ' KH years )AJ out of BAA*. Eaharashtra )%* and
:erala )K* reported offenders whose age was below !A years.
Crime head'wise and age' group wise profile of the offenders arrested under IT <ct, B### reveals that K".#V
)!K! out of BAA* of the offenders arrested were under O,bscene publicationG transmission in electronic form0 of
which %A.!V )"% out of !K!* were in the age'group !A +J# years. H@."V )%B out of !#@* of the total persons
arrested for ?Dacing with Computer Systems? were in the age'group of !A ' J# years.
Cyber Crimes - Cases of Various Categories under IPC Section
< total of B@% cases were registered under I=C Sections during the year B##" as compared to !@% such
cases during B##A thereby reporting an increase of H%.AV.Eaharashtrareported maximum number of such cases
)!#A out of B@% cases or J".!V* followed by Chhattisgarh !%.@V )K% cases* and =un-ab !#.!V )BA cases*.
Ea-ority of the crimes out of total B@% cases registered under I=C fall under B categories vi8. 3orgery )!HA* and
Criminal Breach of Trust or 3raud )"#*. <lthough such offences fall under the traditional I=C crimes, these cases
had the cyber overtones wherein computer, Internet or its enabled services were present in the crime and hence
they were categorised as Cyber Crimes under I=C. The Cyber 3orgery )!HA cases* accounted for #.B!V out of
the @B,@!A cases reported under Cheating. The Cyber 3rauds )"#* accounted for #.HHV of the total Criminal
Breach of Trust cases under I=C )!%,JB%*.
The Crime head and State G .T'wise analysis of Cyber Crimes under I=C are presented in Table !A.@. The
Cyber 3orgery cases were the highest in Eaharashtra )%@* followed by Chhattisgarh )JB* and 9u-arat )!J*. The
cases of Cyber 3raud were highest in Eaharashtra )J#* followed by =un-ab )!"* and 9u-arat W Tamil $adu )!!
each*. < total of B%J persons were arrested in the country for Cyber Crimes under I=C during B##". %!.BV
offenders )!%!* of these were taen into custody for offences under ?Cyber 3orgery0, J#.#V )@"* for ?Criminal
Breach of TrustG3raud? and A.@V )BJ* for ?Counterfeiting?.
The States such as Eaharashtra )A"*, =un-ab )KA*, and Chhattisgarh )KK* have reported higher arrests for Cyber
Crimes registered under I=C. The age group'wise profile of the arrested persons under this category showed
that KH.BV )!!" out of B%J* were in the age'group of J# ' KH years andK!.AV )!!# out of B%J* of the offenders
were in the age'group of !A'J# years. $o offenders were below !A years of age.
Crime head'wise and age wise profile of the offenders arrested under Cyber Crimes )I=C* )Table!A.H* for the
year B##" reveals that offenders involved in 3orgery cases were more in the age'group of !A 'J# )K@.BV* )@%
out of !%!*. K".KV of the persons arrested under Criminal Breach of Trust G Cyber 3raud offences were in the
age group J#'KH years )J" out of @"*.
Incidence of Cyber Crimes in Cities
27
!K out of JH mega cities did not report any case of Cyber Crime i.e., neither under the IT <ct nor under I=C
Sections during the year B##".B# mega cities have reported!@A cases under IT <ct and !K megacities reported
!%A cases under various section of I=C. There was an
Increase of BJ.%V )from !KK cases inB##A to !%A cases in B##"* in cases under IT <ct as compared to previous
year )B##A*, and an increase ofJ##.#V )from KB cases in B##A to !%A cases in B##"* of cases registered under
various sections of I=C .Bengaluru )"@*, <hmadabad)!#*, Bhopal, Coimbatore and :ochi)% each* and >elhi
City, Indore, Ludhiana and =une )H each* have reported high incidence of cases )!KH out of !@A cases*
registered under IT <ct, accounting for more than half of the cases )A!.HV* reported under the IT <ct. $asi
has reported the highest incidence )%A out of !%A cases* of cases reported under I=C sections accounting for
K#.HV followed by Eumbai )JH or B#.AV*.
28
29
Indian Case Studies
1. Pune Citibank Mphasis Call Center Fraud
.S P J, H#,### from accounts of four .S customers were dishonestly transferred to bogus accounts. This will
give a lot of ammunition to those lobbying against outsourcing in .S. Such cases happen all over the world but
when it happens in India it are a serious matter and we cannot ignore it. It is a case of sourcing engineering.
Some employees gained the confidence of the customer and obtained their =I$ numbers to commit fraud. They
got these under the guise of helping the customers out of difficult situations. Dighest security prevails in the call
centres in India as they now that they will lose their business. There was not as much of breach of security but
of sourcing engineering.
The call canter employees are checed when they go in and out so they cannot copy down numbers and
therefore they could not have noted these down. They must have remembered these numbers, gone out
immediately to a cyber cafM and accessed the Citiban accounts of the customers.
<ll accounts were opened in =une and the customers complained that the money from their accounts was
transferred to =une accounts and that0s how the criminals were traced. =olice has been able to prove the honesty
of the call centre and has fro8en the accounts where the money was transferred.
There is need for a strict bacground chec of the call center executives. Dowever, best of bacground checs
can not eliminate the bad elements from coming in and breaching security. &e must still ensure such checs
when a person is hired. There is need for a national I> and a national data base where a name can be referred
to. In this case preliminary investigations do not reveal that the criminals had any crime history. Customer
education is very important so customers do not get taen for a ride. Eost bans are guilt of not doing this.
30
2. Bazee.com case
CC, of Ba8ee.com was arrested in >ecember B##K because a C> with ob-ectionable material was being sold
on the website. The C> was also being sold in the marets in >elhi. The Eumbai city police and the >elhi
=olice got into action. The CC, was later released on bail. This opened up the 1uestion as to what ind of
distinction do we draw between Internet Service =rovider and Content =rovider. The burden rests on the
accused that he was the Service =rovider and not the Content =rovider. It also raises a lot of issues regarding
how the police should handle the cyber crime cases and a lot of education is re1uired.
3. State of Tamil Nadu Vs Suhas Katti
The Case of Suhas :atti is notable for the fact that the conviction was achieved successfully within a relatively
1uic time of @ months from the filing of the 3IF. Considering that similar cases have been pending in other
states for a much longer time, the efficient handling of the case which happened to be the first case of the
Chennai Cyber Crime Cell going to trial deserves a special mention.
The case related to posting of obscene, defamatory and annoying message about a divorcee woman in the
yahoo message group. C'Eails were also forwarded to the victim for information by the accused through a false
e'mail account opened by him in the name of the victim. The posting of the message resulted in annoying
phone calls to the lady in the belief that she was soliciting.
Based on a complaint made by the victim in 3ebruary B##K, the =olice traced the accused to Eumbai and
arrested him within the next few days. The accused was a nown family friend of the victim and was reportedly
interested in marrying her. She however married another person. This marriage later ended in divorce and the
accused started contacting her once again. ,n her reluctance to marry him, the accused too up the harassment
through the Internet.
,n BK'J'B##K Charge Sheet was filed uGs %@ of IT <ct B###, K%" and H#" I=C before The Don0ble <ddl. CEE
Cgmore by citing !A witnesses and JK documents and material ob-ects. The same was taen on file in
C.C.$,.K%A#GB##K. ,n the prosecution side !B witnesses were examined and entire documents were mared as
Cxhibits.
The >efence argued that the offending mails would have been given either by ex'husband of the complainant or
the complainant herself to implicate the accused as accused alleged to have turned down the re1uest of the
complainant to marry her.
3urther the >efence counsel argued that some of the documentary evidence was not sustainable under Section
%H B of the Indian Cvidence <ct. Dowever, the court relied upon the expert witnesses and other evidence
31
produced before it, including the witnesses of the Cyber Cafe owners and came to the conclusion that the crime
was conclusively proved.
Ld. <dditional Chief Eetropolitan Eagistrate, Cgmore, delivered the -udgement on H'!!'#K as follows(
6 The accused is found guilty of offences under section K%", H#" I=C and %@ of IT <ct B### and the accused is
convicted and is sentenced for the offence to undergo FI for B years under K%" I=C and to pay fine of Fs.H##G'
and for the offence uGs H#" I=C sentenced to undergo ! year Simple imprisonment and to pay fine of Fs.H##G'
and for the offence uGs %@ of IT <ct B### to undergo FI for B years and to pay fine of Fs.K###G' <ll sentences
to run concurrently.7
The accused paid fine amount and he was lodged at Central =rison, Chennai. This is considered as the first case
convicted under section %@ of Information Technology <ct B### in India.
4. The Bank NSP Case
The Ban $S= case is the one where a management trainee of the ban was engaged to be married. The couple
exchanged many emails using the company computers. <fter some time the two broe up and the girl created
fraudulent email ids such as 6Indian bar associations7 and sent emails to the boy0s foreign clients. She used the
bans computer to do this. The boy0s company lost a large number of clients and too the ban to court. The
ban was held liable for the emails sent using the ban0s system.
5. SMC Pneumatics (India) Pvt. Ltd. v. 1ogesh Kwatra
In India?s first case of cyber defamation, a Court of >elhi assumed -urisdiction over a matter where a
corporate0s reputation was being defamed through emails and passed an important ex'parte in-unction.
In this case, the defendant Iogesh :watra being an employ of the plaintiff company started sending derogatory,
defamatory, obscene, vulgar, filthy and abusive emails to his employers as also to different subsidiaries of the
said company all over the world with the aim to defame the company and its Eanaging >irector Er. F :
Ealhotra. The plaintiff filed a suit for permanent in-unction restraining the defendant from doing his illegal acts
of sending derogatory emails to the plaintiff.
,n behalf of the plaintiffs it was contended that the emails sent by the defendant were distinctly obscene,
vulgar, abusive, intimidating, humiliating and defamatory in nature. Counsel further argued that the aim of
sending the said emails was to malign the high reputation of the plaintiffs all over India and the world. De
further contended that the acts of the defendant in sending the emails had resulted in invasion of legal rights of
the plaintiffs. 3urther the defendant is under a duty not to send the aforesaid emails. It is pertinent to note
that after the plaintiff company discovered the said employ could be indulging in the matter
32
of sending abusive emails, the plaintiff terminated the services of the defendant.
<fter hearing detailed arguments of Counsel for =laintiff, Don?ble Iudge of the >elhi Digh Court passed an ex'
parte ad interim in-unction observing that a prima facie case had been made out by the plaintiff. Conse1uently,
the >elhi Digh Court restrained the defendant from sending derogatory, defamatory, obscene, vulgar,
humiliating and abusive emails either to the plaintiffs or to its sister subsidiaries all over the world including
their Eanaging >irectors and their Sales and Eareting departments. 3urther, Don?ble Iudge also restrained
the defendant from publishing, transmitting or causing to be published any information in the actual world as
also in cyberspace which is derogatory or defamatory or abusive of the plaintiffs.
This order of >elhi Digh Court assumes tremendous significance as this is for the first time that an Indian Court
assumes -urisdiction in a matter concerning cyber defamation and grants an ex'parte in-unction restraining the
defendant from defaming the plaintiffs by sending derogatory, defamatory, abusive and obscene emails either to
the plaintiffs or their subsidiaries.
6. PARLIAMENT ATTACK CASE
Bureau of =olice Fesearch and >evelopment at Dyderabad had handled some of the top cyber cases, including
analysing and retrieving information from the laptop recovered from terrorist, who attaced =arliament. The
laptop which was sei8ed from the two terrorists, who were gunned down when =arliament was under siege on
>ecember !J B##!, was sent to Computer 3orensics >ivision of B=F> after computer experts at >elhi failed to
trace much out of its contents.
The laptop contained several evidences that confirmed of the two terrorists0 motives, namely the sticer of the
Einistry of Dome that they had made on the laptop and pasted on their ambassador car to gain entry into
=arliament Douse and the fae I> card that one of the two terrorists was carrying with a 9overnment of India
emblem and seal.
The emblems )of the three lions* were carefully scanned and the seal was also craftly made along with
residential address of Iammu and :ashmir. But careful detection proved that it was all forged and made on the
laptop.
7. Andhra Pradesh Tax Case
>ubious tactics of a prominent businessman from <ndhra =radesh was exposed after officials of the department
got hold of computers used by the accused person.
The owner of a plastics firm was arrested and Fs BB crore cash was recovered from his house by sleuths of the
Qigilance >epartment. They sought an explanation from him regarding the unaccounted cash within !# days.
33
The accused person submitted %,### vouchers to prove the legitimacy of trade and thought his offence would
go undetected but after careful scrutiny of vouchers and contents of his computers it revealed that all of them
were made after the raids were conducted.
It later revealed that the accused was running five businesses under the guise of one company and used fae and
computerised vouchers to show sales records and save tax.
8. SONY.SAMBANDH.COM CASE
India saw its first cybercrime conviction recently. It all began after a complaint was filed by Sony India =rivate
Ltd, which runs a website called www.sony'sambandh.com, targeting $on Fesident Indians. The website
enables $FIs to send Sony products to their friends and relatives in India after they pay for it online.
The company undertaes to deliver the products to the concerned recipients. In Eay B##B, someone logged
onto the website under the identity of Barbara Campa and ordered a Sony Colour Television set and a cordless
head phone.
She gave her credit card number for payment and re1uested that the products be delivered to <rif <8im in
$oida. The payment was duly cleared by the credit card agency and the transaction processed. <fter following
the relevant procedures of due diligence and checing, the company delivered the items to <rif <8im.
<t the time of delivery, the company too digital photographs showing the delivery being accepted by <rif
<8im.
The transaction closed at that, but after one and a half months the credit card agency informed the company that
this was an unauthori8ed transaction as the real owner had denied having made the purchase.
The company lodged a complaint for online cheating at the Central Bureau of Investigation which registered a
case under Section K!A, K!" and KB# of the Indian =enal Code.
The matter was investigated into and <rif <8im was arrested. Investigations revealed that <rif <8im, while
woring at a call centre in $oida gained access to the credit card number of an <merican national which he
misused on the company0s site.
The CBI recovered the colour television and the cordless head phone.
34
In this matter, the CBI had evidence to prove their case and so the accused admitted his guilt. The court
convicted <rif <8im under Section K!A, K!" and KB# of the Indian =enal Code 4 this being the first time that a
cybercrime has been convicted.
The court, however, felt that as the accused was a young boy of BK years and a first'time convict, a lenient view
needed to be taen. The court therefore released the accused on probation for one year.
The -udgment is of immense significance for the entire nation. Besides being the first conviction in a
cybercrime matter, it has shown that the the Indian =enal Code can be effectively applied to certain categories
of cyber crimes which are not covered under the Information Technology <ct B###. Secondly, a -udgment of
this sort sends out a clear message to all that the law cannot be taen for a ride.
9. Nasscom vs. Ajay Sood & Others
In a landmar -udgment in the case of $ational <ssociation of Software and Service Companies vs <-ay Sood
W ,thers, delivered in Earch, O#H, the >elhi Digh Court declared Xphishing0 on the internet to be an illegal act,
entailing an in-unction and recovery of damages.
Claborating on the concept of Ophishing0, in order to lay down a precedent in India, the court stated that it is a
form of internet fraud where a person pretends to be a legitimate association, such as a ban or an insurance
company in order to extract personal data from a customer such as access codes, passwords, etc. =ersonal data
so collected by misrepresenting the identity of the legitimate party is commonly used for the collecting party0s
advantage. court also stated, by way of an example, that typical phishing scams involve persons who pretend to
represent online bans and siphon cash from e'baning accounts after conning consumers into handing over
confidential baning details.
The >elhi DC stated that even though there is no specific legislation in India to penalise phishing, it held
phishing to be an illegal act by defining it under Indian law as 6a misrepresentation made in the course of trade
leading to confusion as to the source and origin of the e'mail causing immense harm not only to the consumer
but even to the person whose name, identity or password is misused.7 The court held the act of phishing as
passing off and tarnishing the plaintiff0s image.
The plaintiff in this case was the $ational <ssociation of Software and Service Companies )$asscom*, India0s
premier software association.
The defendants were operating a placement agency involved in head'hunting and recruitment. In order to obtain
personal data, which they could use for purposes of headhunting, the defendants composed and sent e'mails to
third parties in the name of $asscom. The high court recognised the trademar rights of the plaintiff and passed
35
an ex'parte adinterim in-unction restraining the defendants from using the trade name or any other name
deceptively similar to $asscom. The court further restrained the defendants from holding themselves out as
being associates or a part of $asscom.
The court appointed a commission to conduct a search at the defendants0 premises. Two hard diss of the
computers from which the fraudulent e'mails were sent by the defendants to various parties were taen into
custody by the local commissioner appointed by the court. The offending e'mails were then downloaded from
the hard diss and presented as evidence in court.
>uring the progress of the case, it became clear that the defendants in whose names the offending e'mails were
sent were fictitious identities created by an employee on defendants0 instructions, to avoid recognition and legal
action. ,n discovery of this fraudulent act, the fictitious names were deleted from the array of parties as
defendants in the case. Subse1uently, the defendants admitted their illegal acts and the parties settled the matter
through the recording of a compromise in the suit proceedings. <ccording to the terms of compromise, the
defendants agreed to pay a sum of Fs!.% million to the plaintiff as damages for violation of the plaintiff0s
trademar rights. The court also ordered the hard diss sei8ed from the defendants0 premises to be handed over
to the plaintiff who would be the owner of the hard diss.
This case achieves clear milestones( It brings the act of 6phishing7 into the ambit of Indian laws even in the
absence of specific legislation/ It clears the misconception that there is no 6damages culture7 in India for
violation of I= rights/ This case reaffirms I= owners0 faith in the Indian -udicial system0s ability and willingness
to protect intangible property rights and send a strong message to I= owners that they can do business in India
without sacrificing their I= rights.
10. Infinity e-Search BPO Case
The 9urgaon B=, fraud has created an embarrassing situation for Infinity e'Search, the company in which Er
:aran Bahree was employed.
< British newspaper had reported that one of its undercover reporters had purchased personal information of
!,### British customers from an Indian call'center employee. Dowever, the employee of Infinity eSearch, a
$ew >elhi'based web designing company, who was reportedly involved in the case has denied any
wrongdoing. The company has also said that it had nothing to do with the incident.
In the instant case the -ournalist used an intermediary, offered a -ob, re1uested for a presentation on a C> and
later claimed that the C> contained some confidential data. The fact that the C> contained such data is itself
not substantiated by the -ournalist.
36
In this sort of a situation we can only say that the -ournalist has used ;Bribery; to induce a ;,ut of normal
behavior; of an employee. This is not observation of a fact but creating a factual incident by intervention.
Investigation is still on in this matter.
Conclusion
<s we can see that there where so many cyber crimes happening in India
before the amendment of information technology act the rate of crime have
not stopped nor it have come down but it is reaching its high.
&e have try to find out various reasons that despite of such a tight act and
high penalties and punishments what are the lope holes in the act which is
blocing the proper implementation of such a force full act.
Cyber Law in India is in its infancy stage. < lot of efforts and initiatives are
re1uired to mae it a mature legal instrument. Law has been instrumental in
giving Cyber Law in India a shape that it deserves. To mae the circle
complete we are proudly introducing another effort in this direction.
Following are some of the lope holes which we have tried to figure out:
!. Feporting of important matters pertaining to Cyber Law in India(
B. <nalysis of Cyber Law scenario in India,
J. =roviding a comprehensive database for cases and incidents related to Cyber Law in India,
K. < ready reference for problems associated with Cyber Law in India, etc.
Besides these grey areas India is also facing problems of lac of Cyber
Security in India as well as ICT Security in India. < techno'legal base is the need of the hour. .nfortunately,
we do not have a sound and secure ICT
Security Base in India and Cyber security in India is still an ignored &orld.
37
If opening of Cyber Cells and Cyber .nits is Cyber Security than perhaps India
is best in the &orld at managing Cyber Security issues. .nfortunately ICT
Security in India is e1uated with face saving exercises of false claims and
redundant exercises. The truth remains that ICT Security in India is a myth
and not reality. The Cyber Law in India re1uires a dedicated and pro active
approach towards ICT and Cyber Security in India. In the absence of a
dedicated and sincere approach, the Cyber Law in India is going to collapse.$ow as we now what are the
ma-or lope holes in the act let us try to fine the possible suggestion to overcome these and try to learn from
what usGu are following in order to have a virus free cyber.
Suggestion:
Recruitment
There is a high need to increase the strength of staff for proper functioning of the <CT.
Red coding System
Set ' up a red coding system, with the help of which the government can eep a tap on mails, chat, etc. this
system will help the government to detect the possibility of further cyber crime.
Training and Development
,ne of the most important re1uirements for the proper function of the
<CT is that, there should be good 1uality training programs on a regular
base.
Domain
It is necessary/ >omain should be treated as a separate entity rather than treating it as I= <CT.
Cyber theft, cyber stalking, cyber harassment and cyber defamation are presently not covered under the
act. These crimes need to have specific provisions in the act to enable the police to tae 1uic action.
Vague Definitions
>efinitions, prescriptions of punishment and certain provisions )such as that dealing with hacing* need
specific amendment.
Parameters for its implementation
Law enforcement officials need to be trained for effective enforcement.
38
Bibliography
IT <CT B### =ublished by The 9a8ette of India
www.google.com
www.google.com ( <sian School of Cyber Law
Notes on Information Technology Act by Shri.Talwant Singh Addl. Distt. & Sessions Judge, Delhi
$<SSC,E <$$.<L FC=,FT B#!#'B#!!
Crime In India B##" by Statistic $ational Crime Fecords Bureau (http://ncrb.gov.in)
39
40
Disclaimer
This presentation is prepared for nowledge sharing and awareness. &e can use the information provided here
with proper credits. &e have tried not to hide original credits as far as possible, nor we are using this
presentation for any personal financial gain. Information available in this presentation is not enforceable by
law/ however these are our view about the topic which we feel should be shared. <ny errors, omissions,
misstatements, and misunderstandings set forth in the presentation are sincerely apologi8ed. Felying on the
contents will be sole responsibility of the users.
41