The Information Technology Act
When the Internet was developed, there was hardly any indication that it could transform itself into an all-pervading revolution which could be misused for criminal activities and which would require regulation.
Today, there are many disturbing things happening in cyberspace. Due to the anonymous nature of the Internet, it is possible to engage in a variety of criminal activities in cyberspace. All existing laws had to be amended to suit the latest developments.
Since other laws cannot handle cyber legislation completely, the need was felt to introduce cyber law as a separate discipline. Reasonable Security Measures must be adopted while handling, storing and processing Sensitive Personal Information and Data. This paper examines the various aspects of the Cyber Legal System.
Keywords- Cyber Crimes, Cyber Crime Investigation, Cyber Forensics, Cyber Space, Cyber Law, Data Protection, Digital Signatures, E-Contracts, Intellectual property rights, IT Act
INTRODUCTION
The growth of Information Technology has given rise to a new society named Cyber Society. Computers and allied technology are used as basic tools in Communication, Storage, and Control. Cyber Society includes Cyber Space, which is no different from physical space in real society. Information and Communications Technology, popularly known as ICT, is considered an integration of computers, software, storage, visual systems and telecommunications that enables a user to access, store, transmit and handle information.
To maintain harmony and co-existence in Cyber Space, a need was felt for a legal regime which we call “Cyber Law”. In simple words, Cyber Law is the law governing and regulating cyber space. Cyber Laws impact every aspect of Cyber Society, be it Education, Entertainment, Business etc., and are considered the basic laws of Cyber Space.
INFORMATION TECHNOLOGY ACT
Indian Cyber Law consists mainly of the Information Technology Act. The Information Technology Act was enacted in the year 2000 and has been in force since then. IT Act 2000 is not a penal statute. The Act is intended to promote e-governance, of which an essential part is e-commerce. Not all cyber crimes come under the ambit of the IT Act; many crimes are covered under the IPC.
The objective of IT Act 2000 is to provide legal recognition to electronic records and transactions carried out by way of electronic data interchange.
CYBER CRIMES
Cyber Crimes require no special introduction. In this information technology era, computers and technology are used in every phase be it Business, Education, Governance, Communication, Booking of Rail, Air, Cinema Tickets to name a few. Crimes committed in the Cyber World are Cyber Crimes.
In general, cyber crimes can be explained as crimes committed by using a computer either as a tool or a target or sometimes both. There are a variety of Cyber Crimes including Unauthorized Access, Tampering Computer Source Code, Electronic Documents, Forgery, Virus, Trojans, Online Defamation, Cyber Trespass, Stalking, Email Harassments, and Lottery Scams etc. New types of crimes are evolving day by day.
Information Technology Act 2000 discusses certain types of Cyber Offences and provides Civil and Criminal Remedies thereon. The punishment is also provided under Information Technology Act 2000, Indian Penal Code, Criminal Law, and Banking Law etc.
Therefore, any crime committed on the Cyber Space or by use of Cyber tools is punishable under Indian Law. These Laws are also applicable for persons residing outside India provided any computer, computer network, computer resource in India is used to commit a crime.
E-CONTRACTS & DIGITAL SIGNATURES
A contract is considered a key element in business. Only agreements enforceable in a court of law are called contracts. ICT has given a new medium to transact business, which is the electronic medium. A new form of business called e-business has become popular today, which led to a revolution in commerce by way of e-commerce.
With the rise in e-commerce and e-business, the business essentials also turned electronic. This has brought in a revived approach to paper based contracts by introducing e-contracts or online contracts. The Information Technology Act has provided legal recognition to all e-contracts. The Act has advanced a unique form of authentication by way of e-authentication, which includes digital and electronic signatures.
An Electronic document, to be legally valid, has to be affixed with a digital/electronic signature. The digital signature needs to use a PKI (public key infrastructure) authentication mechanism. The Digital Signature forms an important component of E-contracts, and a standard one way hash algorithm is adopted for checking the data integrity.
In simple words, there is a public key which is in the public domain and there is a private key which is known only to the private user; only if both the keys correspond is the document validated. The Government has licensing authorities called CAs (Certifying Authorities) who would be responsible for issuing standard key generation systems to the public. A digital certificate would be issued based on application and certain approved procedures. At present there are four agencies established for this purpose, including NIC, IDRBT and two private agencies like TCS, Safe Scrypt.
IT Act 2000 has also provided a clarification as to determining the time and place of an electronic document when it is transmitted from one place to other. Any electronic document including a webpage, e-mail or any computer generated document can be held against the originator for legal purpose under the ambit of this law.
Any automatic system which is either a hardware or software like programs, servers, routers can be considered as an Agent of the owner and any action taken by such a system may be legally held to be an action taken by the owner himself.
DIGITAL RIGHTS
Freedom of Speech and Right to Privacy are considered as certain rights which all the Citizens enjoy in the nation. Correspondingly, these rights also exist in the digital world. Just as freedom of speech is guaranteed by the Constitution of India, the same also extends to Online Speech or Cyber Speech that might include expression on a website, rights of regulators to restrict the freedom in the interest of sovereignty and integrity of the country, maintaining friendly relations with its neighbors as well as to retain harmony and peace in the society.
The Information Technology Act provides that the Controller of Certifying Authorities can order decryption of any information and failing to co-operate with the concerned authority could lead to imprisonment. In addition, under POTA (Prevention of Terrorism Act), the appropriate authorities can intercept communication including emails under approved procedures without the knowledge of the user of the email.
Likewise, an investigating Police officer has certain rights not only to intercept and monitor communication but also to requisition the support of the Network administrator for the purpose under Criminal Law read along with the Information Technology Act.
Right to privacy is a personal right that is guaranteed by the Constitution of India. In the world, whenever a person visits a website or sends out an e-mail his digital identities are being recorded by several systems. Additionally, users share their personal information for varied reasons to different websites. This information is covered under the privacy rights of a user.
INTELLECTUAL PROPERTY
Digital property exists in the cyber world just as real property exists in the real world. The digital property is also known as Intellectual Property. It is an intangible asset and a vital element in e-business. It comprises Copyright, Patent, Trade Mark, Trade Secret, Domain Name, Semi Conductors and Industrial Layouts, Designs.
Domain Name is a crucial digital property which a website owner possesses. There is a contractual arrangement between the Domain Name Registrant and Domain Name Registrar. Domain Name registrars are those who are authorized for the purpose by ICANN (Internet Corporation for Assigned Names and Numbers) and the law regarding domain names is governed indirectly by the policies of the ICANN.
The law relating to domain names is closely linked to Trade Mark Law. Generally, the person holding a trademark right can claim priority to possess a corresponding domain name.
Content is another cyber property that needs to be considered. Content either within a file or on a website confers a copyright to the original author. The holder of copyright can assign or license the copyright for a price or allow it to be freely used by the public. Infringement, Punishments, Remedies are provided under the Copyright Law.
Copyright in the cyber world has some grey areas, mainly because a strict definition of Copyright law as applicable to the Meta Society would make “Caching”, “Proxy Server Setting”, “Meta Tags setting”, “Caching by a search engine”, “Hyper linking”, “Framing”, “File Sharing” etc. possible copyright infringements.
Another area where digital property can be recognized is patents on Software and Web Utilities. These are encompassed under the Patent laws. A patent holder can enforce payment of licensing fee or damages if a Patent system is used by another person without specific authorization.
Patents in the cyber world are facing a dilemma especially in regard to aspects of technology that are needed to keep the Internet going like Framing, Hyper Linking etc since they are claimed as patented products by the patent holders.
DIGITAL EVIDENCE
Evidence is the element which probablises a case in a court of law. The evidence in digital form is called Digital Evidence. This digital evidence may be found in computer hard disks, cell phones, iPods, pen drives, digital cameras, CDs, DVDs, floppies, computer networks, the Internet etc.
In Civil Law, evidence is analyzed on the principle of PREPONDERANCE OF PROBABILITY. In Criminal Law, evidence is analyzed on the principle of BEYOND REASONABLE DOUBT.
Digital Evidence is relatively difficult to destroy. Even if it is “deleted,” digital evidence can be recovered. When criminals attempt to destroy digital evidence, copies can remain in places they were not aware of.
The Present Legal Scenario mandates two sets of quantum of evidence
• STRINGENT
• RELAXED
FACTORS OF DIGITAL EVIDENCE
• IDENTIFICATION
• PROCUREMENT
• PRESERVATION
• ANALYSIS
• PRESENTATION IN A COURT OF LAW
If it can be proved that the chain is not compromised and that a standard protocol was followed from the time the sample is taken, the defence tries to demonstrate that there was a possibility of compromise in the chain and proves that he is entitled to the benefit of doubt (NDPS Act, Food Adulteration).
The basic philosophy of understanding or accepting evidence is to know its authenticity. It should be demonstrated or proved that a document is the same document that it purports to be. Forensic skills and technology may be used to prove or demonstrate this before a court of law. Section 65 B of the Indian Evidence Act 1872: a certificate similar to Section 3, 4 of Banker’s Book Evidence Act.
LOGIC BEHIND THE LAW
In a secure environment, if persons are to transact there should be a trusted authority. The authority would supervise things to check integrity and attribution and to ensure non-repudiation. If all these characteristics are given to any environment, the legal system of any country would accept it as legally admissible evidence.
TRUSTED AUTHORITY
There is a general tendency to believe a certificate issued by a trusted authority to be true. There are many cases of manipulation of these certificates, but still such systems are not scrapped.
E.g.: Voter ID, Passport
There cannot be a 100% foolproof system. If it can be demonstrated before a court of law that the new technology is reasonably reliable, that is, that any manipulation can be found out, then it is accepted by the court.
The trusted authority is the certifying authority. It certifies the digital signature. There is an attribution or a presumption and a corresponding amendment in the Evidence Act; all these together make a presumption. All presumptions are rebuttable.
The presumption shifts the onus or burden to the other party to prove the compromise. It applies to civil and criminal law. The certifying authority is the passport office of the digital world.
CYBER CRIME INVESTIGATION
It is the collection, analysis and investigation of digital evidence and cyber trails. The various techniques of cyber crime investigation include forensic analysis of digital information using forensic tools, use of sound forensic procedure to identify and detect evidence, examination of evidence, observation of proper custody of evidence, control procedures, documentation of procedures and findings to ensure admissibility in a court of law, and preparation of comprehensive written notes and reports.
INCIDENT RESPONSE
It is considered a precursor to the techniques of cyber crime investigation and forensic tools. Incident Response may be referred to as a precise set of actions to handle any security incident in a responsible, meaningful and timely manner.
The goals of incident response include confirming whether an event has occurred, educating senior management, helping in detection or prevention of such incidents, minimizing disruption, and facilitating criminal action against perpetrators.
The various steps of incident response are detection of incidents, initial response, investigation of event, reporting, resolution, pre-incident preparation.
CYBER FORENSICS
It is considered the use of investigative and analytical techniques to identify, collect, examine, preserve and present evidence or information which is magnetically stored or encoded. Cyber Forensics can also be defined as the scientific method of examining and analyzing data from computer storage media so that the data can be used as evidence in court.
The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.
Computer evidence is just like any other evidence in the sense that it must be authentic, accurate, complete, convincing to Juries, in conformity with common law and legislative rules.
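The documented chain of evidence described above, together with the one way hash used for checking data integrity mentioned under E-Contracts & Digital Signatures, can be illustrated with a short added example that is not part of the original paper. The record fields, handler names and sample bytes are constructed assumptions; each custody record stores the SHA-256 digest of the evidence and the hash of the previous record, so an altered record or an altered exhibit is detectable.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" value used by the first custody record


def sha256_hex(data: bytes) -> str:
    """One-way hash used both for the evidence and for the log records."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(body: dict) -> str:
    # Canonical JSON so the same fields always produce the same digest.
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def add_entry(log: list, when: str, handler: str, action: str, evidence: bytes) -> dict:
    """Append a custody record that commits to the evidence and the prior record."""
    body = {
        "when": when,
        "handler": handler,
        "action": action,
        "evidence_sha256": sha256_hex(evidence),
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry = dict(body, entry_hash=_entry_hash(body))
    log.append(entry)
    return entry


def verify(log: list, evidence: bytes) -> list:
    """Return a list of problems; an empty list means the chain is intact."""
    if not log:
        return ["log is empty"]
    problems = []
    prev = GENESIS
    baseline = log[0]["evidence_sha256"]  # digest recorded at acquisition
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if _entry_hash(body) != entry["entry_hash"]:
            problems.append(f"entry {i}: record altered after it was written")
        if entry["evidence_sha256"] != baseline:
            problems.append(f"entry {i}: evidence digest differs from acquisition")
        prev = entry["entry_hash"]
    if sha256_hex(evidence) != baseline:
        problems.append("evidence presented does not match acquisition digest")
    return problems


def demo():
    image = b"constructed sample: bytes of a seized disk image"
    log = []
    add_entry(log, "2011-04-11T10:00:00Z", "examiner-A", "acquired", image)
    add_entry(log, "2011-04-11T15:30:00Z", "examiner-B", "received for analysis", image)

    intact = verify(log, image)

    edited_log = [dict(e) for e in log]          # copy, then rewrite who acquired it
    edited_log[0]["handler"] = "someone-else"
    edited_record = verify(edited_log, image)

    altered_exhibit = verify(log, image + b"!")  # one extra byte in the exhibit
    return intact, edited_record, altered_exhibit


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The last record's hash is the value an examiner would sign or record separately, since a log rewritten from start to end would otherwise verify against itself.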
EXAMINER OF ELECTRONIC RECORDS
Section 79 A of IT Amended Act 2008 empowers the Central government to appoint any department or agency of Central or State government as Examiner of Electronic Evidence.
This agency will play a crucial role in providing expert opinion on the electronic form of evidence.
The explanation to the Section has an inclusive definition of “electronic form evidence” that means any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell phones, digital fax machines.
With the increasing number of cybercrime cases it will become necessary to set up at least one Examiner of Electronic Evidence in each State.
The CDAC cyber forensics lab in Trivandrum and the CFSIL laboratory in Hyderabad are playing a similar role at present in cybercrime.
COMPUTER- LEGAL DEFINITION
COMPUTER is defined under Section 2(1)(i) of the IT Act as:
“Computer” means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network; [1]
ANALYSIS OF DEFINITION
The term computer has been defined in a very wide sense. Considering the definition, devices like microwave ovens, washing machines, scanners, printers, desktops, personal computers, mobile phones etc are considered as a computer under Information Technology Act.
COMMUNICATION DEVICE
Similarly the word ‘communication devices’ inserted in the Information Technology Amended Act 2008 has been given an inclusive definition, taking into its coverage cell phones, personal digital assistance or such other devices used to transmit any text, video etc like what was later being marketed as iPad or other similar devices on Wi-Fi and cellular models.
CYBER SECURITY
There is a need to create a secure environment in cyber space and also to prevent unauthorized access to and misuse of computer systems. In simple words, the security of the cyber space can be called cyber security. Cyber security is critical due to the dangers that threats in the cyber world pose. It requires global co-operation and effort from all stakeholders.
DEFINITION
The term “Cyber Security” is for the first time given a legal definition under Indian Cyber Law. “Cyber Security” has been newly added in the IT Amended Act 2008, under Section 2 (nb), which reads as under:
“Cyber Security” means protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction. [2]
ANALYSIS OF DEFINITION
The said definition provides security in terms of both physical security to the devices and security to the information stored in such devices.
The above definition also provides protection against unauthorized access, use, disclosure, disruption, modification and destruction to both the physical device and the information stored therein.
All communication devices like phones, smart phones and other devices used to communicate audio, video, image, text are covered under the ambit of the definition.
DATA PROTECTION LEGAL REGIME
Processing of data raises considerable issues on privacy, e-security, misuse of individual information and data. Personal data like credit cards, debit cards etc are normally routed via many countries.
The Government of India recently notified the “Reasonable security practices and procedures and sensitive personal data or Information Rules, 2011” (“Rules”) under Section 43A of the Information Technology Act, 2000 (“ITA”). These Rules have been made effective from April 11, 2011.
Section 43A of the ITA inter alia deals with protection of data in electronic medium by providing that when a body corporate is negligent in implementing and maintaining ‘reasonable security practices and procedures’ in relation to any ‘sensitive personal data or information’ which it possesses, deals or handles in a computer resource which it owns, controls or operates and such negligence causes wrongful loss or wrongful gain to any person, such entity shall be liable to pay damages by way of compensation to the person so affected.
Section 43A applies to data or information “in a computer resource”.
The Rules define “Personal Information” and “Sensitive personal data or information” to mean as follows:
“Personal Information” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
“Sensitive personal data or information” means such personal information which consists of information relating to:
(i) Password;
(ii) Financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) Physical, physiological and mental health condition;
(iv) Sexual orientation;
(v) Medical records and history;
(vi) Biometric information;
(vii) Any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.[3]
EXCEPTION TO SENSITIVE PERSONAL DATA OR INFORMATION
Any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force is not to be regarded as sensitive personal data or information.
ANALYSIS
The definition of ‘personal information’ is wider than that of ‘sensitive personal data or information’ (SPDI). The definition of SPDI is in the nature of an exhaustive list of items. Hence, no other information apart from that listed above would be considered as SPDI. It is interesting to note that Section 43A only included SPDI within its ambit, but some provisions of the Rules have been made applicable to ‘Personal Information’.
It is appropriate to note that these Rules apply to personal information irrespective of the nationality of the provider of the information; thus information provided not only by Indian nationals but also by nationals in different jurisdictions, whose information is stored, dealt or handled by a corporate entity in a computer resource in India would attract the provisions of the ITA. The applicability is driven by the location of computer resource in India, as can be seen from the wording of Section 43A of the ITA read with the Rules.
The Rules will also be applicable in cases where the information is collected in India and is transferred to any computer resource outside India, and also in cases where the information is neither collected nor stored in India but is dealt with or handled in India, e.g. even accessed from India.
Thus, typical outsourcing businesses where personal information of foreign nationals is transferred to Indian entity (ies) who deal or handle such information would henceforth attract the provisions of the IT Act.
DATA PRIVACY RULES & SECURITY MEASURES
The Data Privacy Rules require that the body corporate and the Data Processor implement reasonable security practices and standards; have a comprehensively documented information security program, and security policies.
These must contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected and with the nature of business.
The International Standard IS/ISO/IEC 27001 on ‘Information Technology – Security Techniques – Information Security Management System – Requirements’ is recognized as an approved security practices standard that the body corporate or the Data Processor could implement to comply with security measures under the Data Privacy Rules.
Any other security standard approved by the Central Government may also be adopted by the body corporate or the Data Processor in compliance with the security measures under the Data Privacy Rules.
The security standards adopted by the body corporate and the Data Processor should be audited by an auditor approved by the Central Government. The audit must be carried out at least once every year, or at such times as the body corporate or the Data Processor undertakes a significant upgrade of its process or computer resource.
If there is an information security breach, the body corporate or the Data Processor will be required, upon request from a governmental agency, to demonstrate that it has implemented the security control measures as per its documented information security program and information security policies.
A corporation is required to designate a Grievance Officer to address the grievances of the Provider. The name and contact details of the Grievance Officer must be published on the website of the body corporate. The Grievance Officer must address the grievances within 1 month from the date of receipt of grievance.
JURISDICTION
Since the cyber world is a boundaryless world, there are lots of issues regarding jurisdiction and which laws would apply. Material may be lawful at one place but unlawful somewhere else, for instance the places from where it is accessed. The Yahoo Case is a classic example.
ILLUSTRATION
Consider a scenario, where a person “A” is employed as a computer programmer by a bank in Country X.
The programmer managed to instruct a computer to transfer money to his account in Country Y.
A case was registered against the programmer in Country X. On Appeal, the Court in Country X had no jurisdiction over matters from Country Y.
Though S.75 of the IT Act provides for extra-territorial operation of this law, it has to be enforced with orders and warrants of external authorities and demands the highest level of inter-agency cooperation.
ADJUDICATING AUTHORITY
ADJUDICATING OFFICER – Up to Rs.5 Crores – IT SECRETARY OF THE STATE.
CYBER APPELLATE TRIBUNAL – appellate jurisdiction.
SUB COURT or CITY CIVIL COURT.
CYBER CRIME PROSECUTION
Section 67 C plays a significant role in cyber crime prosecution. Section 67 C brings a very significant change in the IT Act, 2000.
According to this section, intermediaries shall be bound to preserve and retain such information as may be prescribed by the Central government and for such duration and format as it may prescribe.
Any intermediary that contravenes this provision intentionally or knowingly shall be liable on conviction for imprisonment for a term not exceeding 2 years or fine not exceeding one lakh or both.
Many cybercrime cases cannot be solved due to lack of evidence, and in many cases this is due to the fact that the ISP failed to preserve the record pertaining to the relevant time.
This provision is very helpful in the collection of evidence that can prove indispensable in cybercrime cases.
POSSIBLE RELIEFS TO A CYBERCRIME VICTIM- STRATEGY ADOPTION
A victim of cybercrime needs to immediately report the matter to his local police station and to the nearest cybercrime cell.
Depending on the nature of crime there may be civil and criminal remedies.
In civil remedies, injunction and restraint orders may be sought, together with damages, delivery up of infringing matter and/or account for profits.
In criminal remedies, a cybercrime case will be registered by the police if the offence is cognizable; if it is non-cognizable, a complaint should be filed with the metropolitan magistrate.
For certain offences, both civil and criminal remedies may be available to the victim.
CONCLUSION
The word cyber crime is not mentioned in the IT Act, so as not to scare away potential users and keeping in mind the basic philosophy of reducing the digital divide (computer literate or not).
Reasonable measures should be adopted. The IT Act is an articulation of all existing laws with “e” added to most of the provisions. The dark or grey areas should not alone be highlighted.
We can therefore conclude that cyber law knowledge is the need of the hour for the persons working with computers, computer systems, computer networks, computer resources and information communication technology since these laws cover the legal aspects of the information technology and ignorance of law is no excuse in the eyes of law.