Cybercrime and Privacy

Posted by Prasad Krishna at Aug 31, 2010 11:55 AM
Elonnai Hickok examines privacy in the context of India’s legal provisions on cybercrime. She picks up the relevant provisions of the Information Technology Act as amended in 2008 dealing with cyber crimes and provides a fair analysis of the pros and cons of the amended Act.

What is Cybercrime?

Looking at the recent Facebook ‘break in’, where the information of 100,000 users was downloaded and made accessible through a simple search engine, and the new Microsoft virus that attacked 10,000 machines, it is clear that cybercrime is no longer an issue to be taken lightly. Cybercrime is defined as an unlawful act committed using a computer either as a tool or as a target (or both) for facilitating a crime. Although there is an overlap, some crimes are more likely to use the computer as a tool, and others use it as a target. Examples of the former include: fraud, forgery, DOS, consumption of limited resources, cyberterrorism, IPR violations, software piracy, copyright infringement, trademarks violations, patent violations, cyber squatting, credit card frauds, forgery, EFT frauds, pornography, banking/credit card related crimes, sale or purchase of illegal articles, cyberstalking, phishing, theft, breaches in privacy, and gambling. Crimes where the computer is made a target include: computer theft, physical destruction or alteration of network components, theft of computer source code, hacking, defacing websites, creation of viruses, destruction or alteration of configuration information and email spamming.

What is India's current legislation on cybercrime?

The Information Technology Act 2000 (amended in 2008)

The Information Technology Act was first drawn up in 2000, and was revised most recently in 2008. The Information Technology (Amendment) Bill, 2008 amended sections 43 (data protection), 66 (hacking), 67 (protection against unauthorised access to data), 69 (cyberterrorism), and 72 (privacy and confidentiality) of the Information Technology Act, 2000, which relate to computer/cybercrimes.

Section 43 [Penalty and Compensation for damage to computer, computer system, etc.] amended vide Information Technology Amendment Act 2008 reads as under:

If any person without permission of the owner or any other person who is in-charge of a computer, computer system or computer network:

  • accesses or secures access to such computer, computer system or computer network or computer resource (ITAA2008)
  • downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
  • introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
  • damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
  • disrupts or causes disruption of any computer, computer system or computer network;
  • denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means;
  • provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made there under;
  • charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network;
  • destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means (Inserted vide ITAA-2008); and
  • steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage (Inserted vide ITAA 2008),

he shall be liable to pay damages by way of compensation to the person so affected. (change vide ITAA 2008)

Critique: In comparison to the laws enacted in other countries, this provision still falls short of a strong data protection law. In most other countries data protection laws specify:

  • the definition and classification of data types;
  • the nature and protection of the categories of data;
  • that equal protection will be given to data stored offline and data stored manually;
  • that data controllers and data processors have distinct roles;
  • clear restrictions on the manner of data collection;
  • clear guidelines on the purposes for which the data can be put and to whom it can be sent;
  • standards and technical measures governing the collection, storage, access to, protection, retention, and destruction of data;
  • that providers of goods or services must have a clear opt-in or opt-out option; and
  • in addition, most countries provide strong safeguards and penalties against breaches of any of the above.

Section 66 [Computer Related Offences] amended vide Information Technology Amendment Act 2008 reads as under:

If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.

Explanation: For the purpose of this section,-

  • the word "dishonestly" shall have the meaning assigned to it in section 24 of the Indian Penal Code;
  • the word "fraudulently" shall have the meaning assigned to it in section 25 of the Indian Penal Code. 

[Section 66 A] [Punishment for sending offensive messages through communication service, etc.] (Introduced vide ITAA 2008):

Any person who sends, by means of a computer resource or a communication device,-

  • any information that is grossly offensive or has menacing character; or
  • any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by making use of such computer resource or a communication device;
  • any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages (Inserted vide ITAA 2008),

shall be punishable with imprisonment for a term which may extend to three years and with fine.

Explanation: For the purposes of this section, terms "Electronic mail" and "Electronic Mail Message" means a message or information created or transmitted or received on a computer, computer system, computer resource or communication device including attachments in text, image, audio, video and any other electronic record, which may be transmitted with the message.

[Section 66 B] [Punishment for dishonestly receiving stolen computer resource or communication device] (Inserted Vide ITA 2008):
Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.

[Section 66C] [Punishment for identity theft] (Inserted Vide ITA 2008):

Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

[Section 66D] [Punishment for cheating by personation by using computer resource] (Inserted Vide ITA 2008):
Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.

[Section 66E] [Punishment for violation of privacy] (Inserted Vide ITA 2008):
Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.

Explanation - For the purposes of this section--

  • “transmit” means to electronically send a visual image with the intent that it be viewed by a person or persons;
  • “capture”, with respect to an image, means to videotape, photograph, film or record by any means;
  • “private area” means the naked or undergarment clad genitals, pubic area, buttocks or female breast;
  • “publishes” means reproduction in the printed or electronic form and making it available for public;
  • “under circumstances violating privacy” means circumstances in which a person can have a reasonable expectation that:
  1. he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or
  2. any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.

[Section 66F] [Punishment for cyber terrorism]:
(1) Whoever,-

(A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by –
  • denying or cause the denial of access to any person authorized to access computer resource; or 
  • attempting to penetrate or access a computer resource without authorisation or exceeding authorized access; or
  • introducing or causing to introduce any Computer Contaminant and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70, or
(B) knowingly or intentionally penetrates or accesses a computer resource without authorization or exceeding authorized access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons of the security of the State or foreign relations; or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.
(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.

Critique: We find the terminology in multiple sections too vague to ensure consistent and fair enforcement. The concepts of ‘annoyance’ and ‘insult’ are subjective. Clause (d) makes it clear that phishing requests are not permitted, but it is not clear that one cannot ask for information on a class of individuals.

Section 67 [Publishing of information which is obscene in electronic form] amended vide Information Technology Amendment Act 2008 reads as under:
Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to three years and with fine which may extend to five lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.


[Section 67 A] [Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form] (Inserted vide ITAA 2008):
Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.

Exception: This section and section 67 does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

  • the publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting, representation or figure is in the interest of science, literature, art, or learning or other objects of general concern; or
  • which is kept or used bona fide for religious purposes.

[Section 67 B] Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form:
Whoever,-
(a) publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children engaged in sexually explicit act or conduct or
(b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner or
(c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource or
(d) facilitates abusing children online or
(e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with a fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees:
Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-
(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or
(ii) which is kept or used for bonafide heritage or religious purposes 
Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.
 

[Section 67 C] [Preservation and Retention of information by intermediaries]:

(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

Critique: This provision adequately protects both the corporate and the citizen in a positive way.

Section 69 [Powers to issue directions for interception or monitoring or decryption of any information through any computer resource] amended vide Information Technology Amendment Act 2008 reads as under:
(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.
(2) The Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.
(3) The subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub section (1), extend all facilities and technical assistance to –
(a) provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or
(b) intercept or monitor or decrypt the information, as the case may be; or 
(c) provide information stored in computer resource.
(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.

[Section 69B] Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security:
(1) The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.
(2) The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorized under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information.
(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.
(4) Any intermediary who intentionally or knowingly contravenes the provisions of subsection (2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.
Explanation: For the purposes of this section,
(i) "Computer Contaminant" shall have the meaning assigned to it in section 43
(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.
Critique: Though we recognize how important it is for a government to protect its citizens against cyberterrorism, we are concerned at the friction between these provisions and the guarantees of free dialog, debate, and free speech that are Fundamental Rights under the Constitution of India.
Specifically:
a) there is no clear provision of a link between an intermediary and the information or resource that is to be monitored.
c) the penalties laid out in the clause are believed to be too harsh, and when read in conjunction with provision 66, there is no distinction between minor offenses and serious offenses.
e) the ITA is too broad in its categorization of acts of cyberterrorism by including information that is likely to cause: injury to decency, injury to morality, injury in relation to contempt of court, and injury in relation to defamation.

Section 72 [Breach of confidentiality and privacy] amended vide Information Technology Amendment Act 2008 reads as under:
Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made there under, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
 
[Section 72 A] Punishment for Disclosure of information in breach of lawful contract (Inserted vide ITAA-2008):
Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.

General Notes and Critiques:

As general notes on the ITA and data protection we find that the Act is lacking in many ways, including:
  • there is no definition of “sensitive personal data or information” and that term is used indiscriminately without.
  • the provisions and protections cover only electronic data and not stored data or non-electronic systems of media
  • in the absence of a data controller, liability is often imposed on persons who are not necessarily in a position to control data
  • civil liability for data breach arises where negligence is involved
  • criminal liability only applies to cases of information obtained in the context of a service contract.