28 Nov 2020 5:13 AM GMT
The technological revolution has ushered in new platforms and methods for a variety of crimes in and through cyberspace. Cybercrimes can be perpetrated against the government or individual agents, on physical or intangible properties. The borderless nature of cybercrime poses an immediate, grave threat globally, taking on forms ranging from electronic versions of traditional robbery, scamming, fraud, and identity theft to entirely new crimes such as phishing, hacking, cyber-bullying, etc. (Jahankhani, Al-Nemrat and Hosseinian-Far, 2014; Kaspersky, 2020; Wang, 2016). Cybercrimes vary in characteristics that help determine the motivating factor behind attempting the crime, the strategies that the criminal used and the damage it caused (Jahankhani, Al-Nemrat and Hosseinian-Far, 2014; Kaspersky, 2020; Wang, 2016).
Cybercrime can be categorized under two main categories (Interpol Cybercrime Directorate, 2020; Jahankhani, Al-Nemrat and Hosseinian-Far, 2014; Kaspersky, 2020):
Phishing is a type of social engineering attack used to steal user data, login credentials, credit card numbers, internal data and insurance details. The attacker poses as a trusted individual or organisation and dupes the target into opening an email or message, luring them to click on links or download an attachment (Jahankhani, Al-Nemrat and Hosseinian-Far, 2014; Lazar, 2018). According to Verizon's 2020 Data Breach Investigations Report (DBIR), one-third of all cyber-attacks involve phishing (Rosenthal, 2020; Verizon, 2020). The majority of these use email as their weapon. Phishing is one of the best-known methods of distributing malware hidden inside a seemingly harmless attachment.
Business email compromise (BEC) scams target companies that conduct wire transfers abroad. Keyloggers are used to compromise the email accounts of finance-related employees, or the email accounts are spoofed through phishing attacks, to defraud the corporate network (FBI, 2017). This results in losses of thousands of dollars (BEC attacks caused an average loss of US $140,000 for companies worldwide in 2016) (Barracuda Networks, 2019).
DDoS attacks bring down websites and online services by overloading servers and networks with traffic. Bots, i.e. zombie computers, are mobilized for a DDoS attack. A network of bots, known as a botnet, is formed to flood targeted websites, networks, or servers with connection requests or incoming messages. Botnets can range from thousands to millions of computers and are also used for several other attacks, including malware and spam (Weisman, 2020).
Identity theft occurs when an offender uses another individual's personal identifying information without their permission to commit fraud or other crimes. Personal identifiers include mobile numbers, birth dates, addresses, e-mail addresses, Aadhaar cards, banking details etc. (Fianyi, 2015).
Hacking involves identifying and exploiting vulnerabilities within networks to obtain unauthorized access to a computer system (or a network of systems) by cracking codes, stealing passwords, and/or modifying or destroying data.
Online harassment refers to the use of the internet to harass, threaten or maliciously embarrass the victim (India code, 2011). It can take the form of verbal, sexual or social abuse with the intent of tormenting or terrorizing an individual, a group or an organisation. Examples of online harassment can also include:
Cyber defamation: sending, posting or sharing derogatory content over the internet, including obscene messages or graphical content, with the help of hacking or identity theft by creating fake profiles. Most of the victims of cyber defamation and harassment are women; the intent is to cause mental agony and trauma to the victim. 8 out of 10 women in India have been victims of online harassment, of which 41% were sexual (Matta, 2020).
Cyberstalking: Harassment occurring over social media, online forums, blogs or emails. Harassment of this kind is frequently planned, can often persist for a long period of time, and may involve unwanted, annoying, frightening, intrusive or negative comments. Offenders monitor the victim's online accounts and use the information gathered for other types of cybercrimes like phishing or identity theft. Some criminals create multiple fake profiles and distribute enemy propaganda to seek revenge, anger or sexual favors.
Cyberextortion: The offender demands money, sexual indulgence, theft of a company's information or property, or other materials from the victim by threatening to inflict physical harm upon the victim or damage the victim's property or reputation (FBI, 2017).
INTERPOL defines child pornography as "any means of depicting or promoting sexual abuse of a child, including print and/or audio, centered on sex acts of the genital organs of children" (Taylor and Quayle, 2004). "Children" are classified as persons below the age of 18 years.
Child abusers may use online chat rooms to win children's confidence and start personal interactions (Mislan et al., 2017). Pedophiles may lure children to distribute obscene content, meet them for sex, or take their nude photographs in sexual positions.
Prior to the ITA-2000, the only laws applicable to cyber-related offences were those of the Indian Penal Code (IPC), 1860. The evolution of computer technology created an indispensable need to introduce concomitant changes to the IPC and the Indian Evidence Act, 1872. The provisions of the ITA in 2000, followed by its amendment in 2008, were based on the following objectives (India code, 2011; Raj et al., 2018):
1. To provide legal recognition to transactions through electronic commerce.
2. To facilitate electronic documentation with government agencies.
3. To add new types of crimes related to technology, computers and the internet.
The ITA-2000 is the primary law dealing with cybercrime and e-commerce in India. The ITA-2000 provides a structural framework for electronic governance by defining cybercrimes and the penalties for such crimes. To make the ITA-2000 compliant with newer technologies, several sections of the IPC-1860, Indian Evidence Act, 1872, the Reserve Bank of India Act, 1934 and the Banker's Book Evidence Act, 1892 were amended (Sujata Pawar, 2015).
Section 43 of the ITA-2000 provides a framework defining penalty and compensation for damage to computer, computer system, etc. (India code, 2011). If any person accesses, downloads, copies or extracts data, introduces contamination or a virus, causes damage to the computer, disrupts the network or the system, or steals, conceals or alters any information without the consent of the owner or person in charge of the system, he shall be liable to pay damages as compensation not exceeding Rs.100,00,000 to the person affected. Section 43A details compensation for failure to protect data in a computer resource. Chapter IX of ITA-2000 deals with offences under ITA-2000 (Table 1) (Information Technology Act, 2008; Raj et al., 2018; Vinod Joseph, 2020).
Table 1: A summary of chapter IX from the Information Technology Act, 2000 (with amendments from 2008) (India code, 2011; Information Technology Act, 2008; Raj et al., 2018; Sujata Pawar, 2015).
Tampering with computer source documents knowingly or intentionally: conceals, destroys or alters
Computer related offences: dishonestly or fraudulently does any act referring to section 43 and hacking.
Sending offensive messages through communication device, service or computer resource including attachments in text, graphics or other electronic record.
Dishonestly receiving or knowingly retaining stolen computer resource or communication device
Identity theft of electronic signature, password or any other unique identification feature of a person
Cheating by personation by using computer resource
Violation of privacy by intentionally or knowingly capturing, publishing or transmitting the image of a private area of any person without his or her consent
Cyber terrorism with an intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people that causes death or injuries to people or property and cause disruption to supplies of life
Publishing or transmitting obscene information in electronic form
-For first conviction:
-For subsequent convictions:
Publishing or transmitting of material containing sexually explicit act, etc., in electronic form
Publishing or transmitting of material depicting children in sexually explicit act, etc., in electronic form
Intermediaries who intentionally or knowingly contravene preservation and retention of information as specified for the duration, manner and format
Intentionally or knowingly failing to comply with any order stated by the Controller to give directions or cease carrying on activities under the provisions of this Act
Power to issue directions for interception or monitoring or decryption of any information through any computer resource
Power to issue directions for blocking for public access of any information through any computer resource
Intermediaries who intentionally or knowingly contravene the provisions to authorize to monitor and collect traffic data or information through any computer resource for cyber security
Misrepresenting or suppressing any material fact from the Controller or the Certifying Authority for obtaining any licence or Certificate
Breach of confidentiality and privacy by having secured access to any electronic record, book, register or information without consent of the person concerned
Disclosure of information in breach of lawful contract by securing access to any material containing personal information about another person with an intent to cause wrongful loss without their consent
Publishing electronic signature Certificate false in certain particulars or making it available to any other person
Creating, publishing or making available a Certificate with electronic signature for any fraudulent or unlawful purpose
Most cybercrimes covered under the ITA-2000 are punishable by imprisonment of three years or less. Crimes carrying heavier sentences include sections 67, 67A, 67B (child pornography) and 66F (cyber terrorism). The law is uncompromising with cases related to publishing or transmitting child porn, such that retaining or downloading is considered an offence carrying maximum imprisonment and fine.
A major amendment to the ITA was made in 2008, substituting or inserting provisos into the legislation, including Section 69, which added provisions to collect and monitor traffic data. Penalties were revised for certain crimes. Sections 67A and B were detailed to curb pornography-related offences.
The Information Technology Act, 2000 and the Indian Penal Code, 1860 (IPC) each have provisions to penalize cybercrimes and often overlap or run parallel to each other (Indian Penal Code, 1860; Raj et al., 2018; Vinod Joseph, 2020). Some examples include:
Section 292 of the IPC deals with obscenity, making it an offence to distribute, import, export, exhibit or advertise lascivious content through print media. Sections 67, 67A and 67B of the ITA similarly criminalize publishing or transmitting obscene content through electronic media. Section 294 of the IPC makes any obscene acts that cause annoyance to others in public places an offence. In addition to the amendments to the ITA in 2008, victims of child pornography can invoke provisions of the Protection of Children from Sexual Offences Act, 2012 (POCSO) (Desai, 2017; Ministry of Women and Child Development, 2012).
Section 378 of the IPC deals with theft related to movable property, coinciding with sections 43 and 66 of the ITA, which penalize activities such as hacking, theft of data, contamination of computer systems and disrupting the network by an unauthorised person or entity. The maximum punishment for these offences is imprisonment of up to three years or a fine or both. Section 425 of the IPC deals with offences by persons who act with an intent to cause wrongful damage to the public or any person or physical property, akin to section 43 of the ITA (Vinod Joseph, 2020).
All cybercrimes under the IPC are bailable except for the offences under sections 420, 468, 378 and 409. Similarly, most offences under the IPC are cognizable, except sections 425, 426, 463, 465.
Section 65 of the ITA provides a framework for punishment related to tampering with computer source documents by unauthorised persons who knowingly or intentionally conceal, destroy or alter them, or cause another person to do so. Section 409 of the IPC partially mirrors this offence, deviating in that Section 65 does not require the offender to be entrusted, whereas under section 409 the breach should be committed by someone to whom the property was consigned (Vinod Joseph, 2020).
Section 66F of the ITA prescribes penalties for cyber-terrorism; there is no specific provision that replicates it. Section 121 of the IPC addresses waging, attempting or abetting to wage a war against the Government of India. The punishment for cyber terrorism is imprisonment up to a lifetime, whereas the punishment under section 121 is the death penalty.
Cybercrime has been one of the greatest threats to mankind, with the incidence of cybercrimes increasing enormously during the Covid-19 pandemic. The government of India has legislated the IT Act, 2000 followed by revisions to the IPC, 1860, the Indian Evidence Act, 1872, the Reserve Bank of India Act, 1934 and the Banker's Books Evidence Act 1891. Features of the internet like borderless transactions, anonymity, ease of access, speed, 'work from anywhere' facility and lack of knowledge about cyber laws are some of the reasons for an unprecedented growth in crimes related to the computer. It is essential that citizens are educated and reminded of the preventive measures. Citizens who fall prey to such cybercrimes are advised to immediately file a report at the National Cyber Crime Reporting Portal (https://cybercrime.gov.in), and contact local police or cyber
Dr. Vinod Surana is the Managing Partner & CEO of Surana & Surana International Attorneys. Views are Personal.
Barracuda Networks (2019) Business Email Compromise (BEC). Available at: https://www.barracuda.com/glossary/business-email-compromise (Accessed: 16 October 2020).
Benoji, L.M. (2004) Cyber Terrorism. Legal Services India. Available at: http://www.legalservicesindia.com/article/1263/Cyber-Terrorism---Quick-glance.html (Accessed: 16 October 2020).
CID, O.P. (2000) Offences and Relevant Penal Sections in Cyber Crime. Odisha Police. Available at: http://odishapolicecidcb.gov.in/sites/default/files/Relevant Penal sections Cyber Crime.pdf (Accessed: 16 October 2020).
Desai, N. (2017) Technology Law Analysis. Available at: http://www.nishithdesai.com/information/news-storage/news-details/newsid/3793/html/1.html (Accessed: 16 October 2020).
FBI (2017) 'Annual Internet Crime Report 2017', Federal Bureau of Investigation - Internet Crime Complaint Center, USA, p. 29. Available at: https://pdf.ic3.gov/2017_IC3Report.pdf (Accessed: 3 November 2020).
Fianyi, I.D. (2015) 'Curbing cyber-crime and enhancing e-commerce security with digital forensics', International Journal of Computer Science Issues (IJCSI), 12(6), pp. 78–85. Available at: http://www.ijcsi.org/ (Accessed: 7 October 2020).
India code (2011) The Information Technology Act, 2000. India Code. Foundation Books, Delhi, India. Available at: 10.1017/UPO9788175968660.018 (Accessed: 16 October 2020).
Indian Penal Code, 1860 (1860) The Indian Penal Code. India Code, India. Available at: https://www.indiacode.nic.in/bitstream/123456789/4219/1/THE-INDIAN-PENAL-CODE-1860.pdf (Accessed: 16 October 2020).
Information Technology Act (2008) 'IT security of IIBF', in Ch 19. TaxMann Publish, pp. 1–20.
Interpol Cybercrime Directorate (2020) Covid-19 Cyber Threats. Interpol. Available at: https://www.interpol.int/en/Crimes/Cybercrime/COVID-19-cyberthreats (Accessed: 8 November 2020).
Jahankhani, H., Al-Nemrat, A. and Hosseinian-Far, A. (2014) 'Cybercrime classification and characteristics', Cyber Crime and Cyber Terrorism Investigator's Handbook, (September 2017), pp. 149–164. Available at: 10.1016/B978-0-12-800743-3.00012-8 (Accessed: 15 October 2020).
Kaspersky (2020) What is cybercrime? Types and how to protect yourself | Kaspersky. Available at: https://www.kaspersky.co.in/resource-center/threats/what-is-cybercrime (Accessed: 16 October 2020).
Lazar, L. (2018) Our Analysis of 1,019 Phishing Kits. Imperva. Available at: https://www.imperva.com/blog/our-analysis-of-1019-phishing-kits/ (Accessed: 9 November 2020).
Matta, A. (2020) Know Your Rights: Protection Against Online Harassment | The Swaddle. The Swaddle. Available at: https://theswaddle.com/know-your-rights-protection-against-online-harassment/ (Accessed: 16 October 2020).
Ministry of Women and Child Development (2012) MINISTRY OF WOMEN AND CHILD DEVELOPMENT Model Guidelines under Section 39 of The Protection of Children from Sexual Offences Guidelines for the Use of Professionals and Experts under the POCSO Act, 2012. Available at: https://wcd.nic.in/sites/default/files/POCSO-ModelGuidelines.pdf (Accessed: 16 October 2020).
Mislan, R., Goldman, J., Debrota, S., Rogers, M. and Wedge, T. (2017) 'Computer Forensics Field Triage Process Model', The Journal of Digital Forensics, Security and Law, 1(2)
Raj, S.P., Rajan, A., Sciences, T. and Sciences, T. (2018) 'Comparison between Information Technology Act, 2000 & 2008', International Journal of Pure and Applied Mathematics, 119(17) Chennai, India, pp. 1741–1756. Available at: https://acadpubl.eu/hub/2018-119-17/2/141.pdf (Accessed: 16 October 2020).
Rosenthal, M. (2020) Must-Know Phishing Statistics: Updated 2020 | Tessian. Tessian. Available at: https://www.tessian.com/blog/phishing-statistics-2020/#covid-scams-phishing (Accessed: 16 October 2020).
Sujata Pawar, Y.K. (2015) Essentials of Information Technology Law. Satara, India. Available at: https://notionpress.com/read/essentials-of-information-technology-law (Accessed: 16 October 2020).
Taylor, M. and Quayle, E. (2004) 'Child pornography: An internet crime', Child Pornography: An Internet Crime, (June) London, United Kingdom, pp. 1–238. Available at: 10.4324/9780203695548 (Accessed: 15 October 2020).
Verizon (2020) Data Breach Investigations Report. Available at: https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf (Accessed: 10 November 2020).
Vinod Joseph, D.R. (2020) Cyber Crimes Under The IPC And IT Act - An Uneasy Co-Existence - Media, Telecoms, IT, Entertainment - India. Mondaq. Available at: https://www.mondaq.com/india/it-and-internet/891738/cyber-crimes-under-the-ipc-and-it-act--an-uneasy-co-existence (Accessed: 16 October 2020).
Wang, Q. (2016) 'A Comparative Study of Cybercrime in Criminal Law : Een vergelijkende studie naar de strafbaarstelling van cybercriminaliteit : Qianyun Wang', (december), p. 381.
Weisman, S. (2020) What Is a DDoS Attack? Distributed Denial-of-Service Attack Explained | Norton. NortonLifeLock. Available at: https://us.norton.com/internetsecurity-emerging-threats-what-is-a-ddos-attack-30sectech-by-norton.html (Accessed: 16 October 2020).