
CYBER CRIME: LIMITATIONS IN IT ACT AND NEED FOR COMPREHENSIVE LAW

DISSERTATION SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENT FOR THE AWARD OF P.G. DIPLOMA

POST GRADUATE DIPLOMA IN CYBER LAWS AND INTELLECTUAL PROPERTY RIGHTS

SUBMITTED BY
PITTA ISAAC NEWTON

(19CL00994 12)

UNDER GUIDANCE OF
DR.RAJEEV WANKAR

CENTRE FOR DISTANCE AND VIRTUAL LEARNING

UNIVERSITY OF HYDERABAD
NAMPALLY STATION ROAD, ABIDS, HYDERABAD 500 001.


CERTIFICATE
This is to certify that this project report entitled "CYBER CRIME: LIMITATIONS IN IT
ACT AND NEED FOR COMPREHENSIVE LAW" by PITTA ISAAC NEWTON (Enrolment
Number: 19CL00994 12) is submitted in partial fulfilment of the requirement for the
P.G. DIPLOMA IN CYBER LAWS AND INTELLECTUAL PROPERTY RIGHTS of the
University of Hyderabad, during academic year 2012-2013.
The result embodied in this report has not been submitted to any other University or
Institution for the award of any diploma.
Certified further to the best of our knowledge that the candidate has not submitted the
work along with the results presented in this project report at any other place for the award of
any other diploma.

PROJECT BY
(P. ISAAC NEWTON)

(EXTERNAL EXAMINER)

COURSE DIRECTOR

ACKNOWLEDGMENT
I express my deepest sense of gratitude to Dr. Rajeev Wankar, Course Director, for
valuable guidance and constant supervision over my work. He has helped me to observe
things clearly. I consider it a unique privilege on my behalf to study under his guidance. I
have taken this opportunity to express my sincere thanks and gratitude for valuable guidance
given to me from time to time. Last but not least, I would like to thank the Centre for
Distance and Virtual Learning staff members, in general, for extending a helping hand at
every juncture of need.

Student Name: PITTA ISAAC NEWTON (19CL00994 12)

ABSTRACT
In the year 2000, India enacted its first law on Information Technology, namely the
Information Technology Act, 2000. The IT Act, 2000 is based on the Model Law on
E-commerce adopted by UNCITRAL in 1996. The preamble to the IT Act, 2000 points out a
threefold objective: firstly, to provide legal recognition for transactions carried out through
electronic means; secondly, to facilitate the electronic filing of documents with government
agencies; and thirdly, to amend certain Acts, inter alia, the Indian Penal Code, 1860 and the
Indian Evidence Act, 1872. The IT Act, 2000 gave legal validity and recognition to electronic
documents and digital signatures and enabled the conclusion of legally valid and enforceable
e-contracts. It also provided a regulatory regime to supervise the Certifying Authorities issuing
digital signature certificates and created civil and criminal liabilities for contravention of the
provisions of the IT Act, 2000. It also conferred on the Central Government the power to
appoint an Adjudicating Authority to adjudge whether a person has committed a contravention
within the meaning of the Act and conferred on this Authority the powers vested in a civil
court. With the passage of time, as technology developed further and new methods of
committing crime using the Internet and computers surfaced, the need was felt to amend the IT
Act, 2000 to insert new kinds of cyber offences and plug other loopholes that posed
hurdles in the effective enforcement of the IT Act, 2000.
This led to the passage of the Information Technology (Amendment) Act, 2008 which was
made effective from 27 October 2009. The IT (Amendment) Act, 2008 has brought marked
changes in the IT Act, 2000 on several counts.

METHODOLOGY:
Since I have to carry out an analytical study of all the facts and figures of the surveyed data and
other information and observations, before giving some of the new concepts, abstract ideas
and my recommendations for the implementation of Cyber Law and Prevention of Cyber
Crime and for the prosperity of E-Commerce in India, it would be more appropriate to call it
a combination of the Descriptive, Analytical and Empirical types of research.
Here I consulted the Bare Act, books, websites, cases, articles and journals for conducting
the research, obtained from the College Library and from resources on the World Wide Web.

CHAPTER 1
INTRODUCTION

Crime is both a social and economic phenomenon. It is as old as human society. Many
ancient books, right from pre-historic days, and mythological stories have spoken about
crimes committed by individuals, be it against another individual, like ordinary theft and
burglary, or against the nation, like spying, treason etc. Kautilya's Arthashastra, written around
350 BC and considered to be an authentic administrative treatise in India, discusses the various
crimes, security initiatives to be taken by the rulers, possible crimes in a state etc. and also
advocates punishment for a list of stipulated offences. Different kinds of punishments
have been prescribed for listed offences and the concept of restoration of loss to the victims
has also been discussed in it.
Crime in any form adversely affects all the members of the society. In developing
economies, cyber crime has increased at rapid strides, due to the rapid diffusion of the
Internet and the digitisation of economic activities. Thanks to the huge penetration of
technology in almost all walks of society, right from corporate governance and state
administration down to the lowest level of petty shopkeepers computerizing their billing
systems, we find computers and other electronic devices pervading human life. The
penetration is so deep that man cannot spend a day without a computer or a mobile. Snatching
someone's mobile is tantamount to dumping one in solitary confinement!
Cyber crime is not defined in the Information Technology Act 2000 or in the I.T. Amendment
Act 2008 or in any other legislation in India. In fact, it cannot be. Offence or crime has
been dealt with elaborately, listing various acts and the punishments for each, under the Indian
Penal Code, 1860 and quite a few other legislations too. Hence, to define cyber crime, we can
say it is just a combination of crime and computer. To put it in simple terms, any offence or
crime in which a computer is used is a cyber crime. Interestingly, even a petty offence like
stealing or pick-pocketing can be brought within the broader purview of cyber crime if the basic
data or aid to such an offence is a computer or information stored in a computer used (or
misused) by the fraudster. The I.T. Act defines a computer, computer network, data,
information and all other necessary ingredients that form part of a cyber crime.
In a cyber crime, the computer or the data itself is the target or the object of the offence, or a
tool in committing some other offence, providing the necessary inputs for that offence. All such
acts of crime will come under the broader definition of cyber crime.

1.0 The Genesis of IT legislation in India: The mid-90s saw an impetus in globalization and
computerisation, with more and more nations computerizing their governance, and
e-commerce seeing an enormous growth. Until then, most of international trade and
transactions were done through documents being transmitted through post and by telex only.
Evidences and records, until then, were predominantly paper evidences and paper records or
other forms of hard copies only. With much of international trade being done through
electronic communication and with email gaining momentum, an urgent and imminent need
was felt for recognizing electronic records, i.e. the data that is stored in a computer or an
external storage attached thereto. The United Nations Commission on International Trade
Law (UNCITRAL) adopted the Model Law on e-commerce in 1996. The General Assembly
of the United Nations passed a resolution in January 1997, inter alia recommending all States in
the UN to give favourable consideration to the said Model Law, which provides for
recognition of electronic records and accords them the same treatment as a paper
communication and record.
1.1 Objectives of I.T. legislation in India: It is against this background that the Government of
India enacted its Information Technology Act 2000 with the following objectives, stated in
the preface to the Act itself:
to provide legal recognition for transactions carried out by means of electronic data
interchange and other means of electronic communication, commonly referred to as
"electronic commerce", which involve the use of alternatives to paper-based methods of
communication and storage of information, to facilitate electronic filing of documents with
the Government agencies and further to amend the Indian Penal Code, the Indian Evidence
Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934
and for matters connected therewith or incidental thereto.
The Information Technology Act, 2000, was thus passed as Act No. 21 of 2000, received the
President's assent on 9 June and was made effective from 17 October 2000.
The Act essentially deals with the following issues:
- Legal Recognition of Electronic Documents
- Legal Recognition of Digital Signatures
- Offenses and Contraventions
- Justice Dispensation Systems for cyber crimes.

1.2 Amendment Act 2008: Being the first legislation in the nation on technology, computers,
e-commerce and e-communication, the Act was the subject of extensive debates, elaborate
reviews and detailed criticisms, with one arm of the industry criticizing some sections of the
Act as draconian and another stating it is too diluted and lenient. There were some
conspicuous omissions too, resulting in the investigators relying more and more on the
time-tested (one-and-a-half-century-old) Indian Penal Code even in technology-based cases, with
the I.T. Act also being referred to in the process but the reliance being more on the IPC than
on the ITA.
Thus the need for an amendment, a detailed one, was felt for the I.T. Act almost from the
year 2003-04 itself. Major industry bodies were consulted and advisory groups were formed
to go into the perceived lacunae in the I.T. Act, compare it with similar legislations in
other nations and suggest recommendations. Such recommendations were analysed and
subsequently taken up as a comprehensive Amendment Act and, after considerable
administrative procedures, the consolidated amendment called the Information Technology
Amendment Act 2008 was placed in Parliament and passed without much debate, towards
the end of 2008 (by which time the Mumbai terrorist attack of 26 November 2008 had taken
place). This Amendment Act received the President's assent on 5 Feb 2009 and was made
effective from 27 October 2009.

Some of the notable features of the ITAA are as follows:
- Focussing on data privacy
- Focussing on Information Security
- Defining cyber café
- Making digital signature technology neutral
- Defining reasonable security practices to be followed by corporate
- Redefining the role of intermediaries
- Recognising the role of Indian Computer Emergency Response Team
- Inclusion of some additional cyber crimes like child pornography and cyber terrorism
- Authorizing an Inspector to investigate cyber offences (as against the DSP earlier)

1.3 How the Act is structured: The Act has 13 chapters and 90 sections in total (the last four
sections, namely sections 91 to 94 in the ITA 2000, dealt with the amendments to the four Acts,
namely the Indian Penal Code 1860, the Indian Evidence Act 1872, the Bankers' Books
Evidence Act 1891 and the Reserve Bank of India Act 1934). The Act begins with
preliminary and definitions, and from there on the chapters that follow deal with
authentication of electronic records, digital signatures, electronic signatures etc.
Elaborate procedures for certifying authorities (for digital certificates as per IT Act-2000 and
since replaced by electronic signatures in the ITAA-2008) have been spelt out. The civil
offence of data theft and the process of adjudication and appellate procedures have been
described. Then the Act goes on to define and describe some of the well-known cyber crimes
and lays down the punishments therefor. Then the concept of due diligence, role of
intermediaries and some miscellaneous provisions have been described.
Rules and procedures mentioned in the Act have also been laid down in a phased manner,
with the latest one on the definition of private and sensitive personal data and the role of
intermediaries, due diligence etc., being defined as recently as April 2011.
1.4 Applicability: The Act extends to the whole of India and, except as otherwise provided, it
also applies to any offence or contravention thereunder committed outside India by any
person. There are some specific exclusions to the Act (i.e. where it is not applicable) as detailed
in the First Schedule, stated below:
A) a negotiable instrument (other than a cheque) as defined in section 13 of the
Negotiable Instruments Act, 1881;
B) a power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;
C) a trust as defined in section 3 of the Indian Trusts Act, 1882;
D) a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925,
including any other testamentary disposition;
E) any contract for the sale or conveyance of immovable property or any interest in such
property;
F) any such class of documents or transactions as may be notified by the Central
Government.

1.5 Definitions: The ITA-2000 defines many important words used in common computer
parlance like "access", "computer resource", "computer system", "communication device",
"data", "information", "security procedure" etc. The definition of the word "computer" itself
assumes significance here.
"Computer" means any electronic, magnetic, optical or other high-speed data processing
device or system which performs logical, arithmetic, and memory functions by manipulations
of electronic, magnetic or optical impulses, and includes all input, output, processing, storage,
computer software, or communication facilities which are connected or related to the
computer in a computer system or computer network;

So is the term "computer system", which means a device or a collection of devices with input,
output and storage capabilities. Interestingly, the words "computer" and "computer system"
have been so widely defined as to mean any electronic device with data processing capability,
performing computer functions like logical, arithmetic and memory functions with input,
storage and output capabilities. A careful reading of the words will make one understand
that high-end programmable gadgets, like even a washing machine, or switches and routers
used in a network can all be brought under the definition.
Similarly, the term "communication device", inserted in the ITAA-2008, has been given an
inclusive definition, taking into its coverage cell phones, personal digital assistants or such
other devices used to transmit any text, video etc., like what was later marketed as the iPad
or other similar devices on Wi-Fi and cellular models. Definitions for some words like "cyber
café" were also later incorporated in the ITAA 2008, when the Indian Computer Emergency
Response Team was included.
1.6 Digital Signature: "Electronic signature" was defined in the ITAA-2008, whereas the
earlier ITA-2000 covered digital signature in detail, defining it, elaborating the
procedure to obtain the digital signature certificate and giving it legal validity. Digital
signature was defined in the ITA-2000 as "authentication of electronic record" as per the
procedure laid down in Section 3, and Section 3 discussed the use of asymmetric crypto
system, the use of Public Key Infrastructure, hash function etc. This was later
criticized as technology dependent, i.e. relying on the specific technology of asymmetric
crypto system and the hash function generating a pair of public and private key authentication
etc. Thus Section 3, which was originally "Digital Signature", was later renamed as "Digital
Signature and Electronic Signature" in ITAA-2008.
1.7 Electronic Signature: The ITAA-2008 thus introduced technological neutrality by
adoption of electronic signatures as a legally valid mode of executing signatures. This
includes digital signatures as one of the modes of signatures and is far broader in ambit,
covering biometrics and other new forms of creating electronic signatures and not confining the
recognition to the digital signature process alone. While M/s. TCS, M/s. Safescrypt and M/s.
MTNL are some of the digital signature certifying authorities in India, IDRBT (Institute for
Development of Research in Banking Technology, the research wing of RBI) is the
Certifying Authority (CA) for the Indian banking and financial sector, licensed by the
Controller of Certifying Authorities, Government of India.
It is relevant to understand the meaning of digital signature (or electronic signature) here. It
would be pertinent to note that electronic signature (or the earlier digital signature) as
stipulated in the Act is NOT a digitized signature or a scanned signature. In fact, in electronic
signature (or digital signature) there is no real signature by the person, in the conventional
sense of the term. Electronic signature is not the process of storing one's signature or
scanning one's signature and sending it in an electronic communication like email. It is a
process of authentication of a message using the procedure laid down in Section 3 of the Act.
The other forms of authentication that are simpler to use, such as biometric-based retina
scanning etc., can be quite useful in effective implementation of the Act. However, the Central
Government has to evolve detailed procedures and increase awareness on the use of such
systems among the public by putting in place the necessary tools and stipulating necessary
conditions. Besides, duties of electronic signature certificate issuing authorities for biometric-
based authentication mechanisms have to be evolved and the necessary parameters have to
be formulated to make it user-friendly without compromising security.
1.8 E-Governance: Chapter III discusses Electronic governance issues and procedures and
the legal recognition to electronic records is dealt with in detail in Section 4 followed by
description of procedures on electronic records, storage and maintenance and according
recognition to the validity of contracts formed through electronic means.
Procedures relating to electronic signatures and regulatory guidelines for certifying
authorities have been laid down in the sections that follow.


1.9 Chapter IX, dealing with Penalties, Compensation and Adjudication, is a major and significant
step in the direction of combating data theft, claiming compensation, introduction of security
practices etc., discussed in Section 43, which deserves detailed description.
Section 43 deals with penalties and compensation for damage to computer, computer system
etc. This section is the first major and significant legislative step in India to combat the issue of
data theft. The IT industry has for long been clamouring for legislation in India to address the
crime of data theft, just like physical theft or larceny of goods and commodities. This Section
addresses the civil offence of theft of data. If any person, without permission of the owner or
any other person who is in charge of a computer, accesses or downloads, copies or extracts
any data, or introduces any computer contaminant like a virus, or damages or disrupts any
computer, or denies access to a computer to an authorised user, or tampers etc., he shall be
liable to pay damages to the person so affected. Earlier, in the ITA-2000, the maximum
damages under this head was Rs. 1 crore, which (the ceiling) has since been removed in the ITAA
2008.
The essence of this Section is civil liability. Criminality in the offence of data theft is
dealt with separately later under Sections 65 and 66. Writing a virus program or spreading a
virus mail, a bot, a Trojan or any other malware in a computer network or causing a Denial of
Service attack on a server will all come under this Section and attract civil liability by way of
compensation. Under this Section, terms like "Computer Virus", "Computer Contaminant",
"Computer database" and "Source Code" are all described and defined.
Questions like the employee's liability in an organisation which is sued for data theft
or such offences, the amount of responsibility of the employer or the owner and the
concept of due diligence were all debated in the first few years of ITA-2000 in court
litigations like the bazee.com case and other cases. Subsequently, the need was felt for defining
the corporate liability for data protection, and information security at the corporate level was
given a serious look.
Thus the new Section 43-A, dealing with compensation for failure to protect data, was
introduced in the ITAA-2008. This is another watershed in the area of data protection,
especially at the corporate level. As per this Section, where a body corporate is negligent in
implementing reasonable security practices and thereby causes wrongful loss or gain to any
person, such body corporate shall be liable to pay damages by way of compensation to the
person so affected. The Section further explains the phrase "body corporate" and, quite
significantly, the phrases "reasonable security practices and procedures" and "sensitive
personal data or information".
Thus the corporate responsibility for data protection is greatly emphasized by inserting
Section 43A, whereby corporates are under an obligation to ensure adoption of reasonable
security practices. Further, what is sensitive personal data has since been clarified by the
central government vide its Notification dated 11 April 2011, giving the list of all such data,
which includes password, details of bank accounts or card details, medical records etc. After
this notification, the IT industry in the nation, including tech-savvy and widely
technology-based banking and other sectors, became suddenly aware of the responsibility of data
protection, and a general awareness increased on what is data privacy and what is the role of
top management and the Information Security Department in organisations in ensuring data
protection, especially while handling the customers' and other third party data.
Reasonable Security Practices:
- Site certification
- Security initiatives
- Awareness Training
- Conformance to Standards, certification
- Policies and adherence to policies
- Policies like password policy, Access Control, email Policy etc.
- Periodic monitoring and review.

The Information Technology (Reasonable security practices and procedures and sensitive
personal data or information) Rules have since been notified by the Government of India,
Dept of I.T., on 11 April 2011. Any body corporate or a person on its behalf shall be
considered to have complied with reasonable security practices and procedures, if they have
implemented such security practices and standards and have a comprehensive documented
information security programme and information security policies containing managerial,
technical, operational and physical security control measures commensurate with the
information assets being protected with the nature of business. In the event of an information
security breach, the body corporate or a person on its behalf shall be required to demonstrate,
as and when called upon to do so by the agency mandated under the law, that they have
implemented security control measures as per their documented information security
programme and information security policies. The international Standard IS/ISO/IEC 27001
on "Information Technology Security Techniques - Information Security Management
System - Requirements" is one such standard referred to in sub-rule (1).
In view of the foregoing, it has now become a major compliance issue on the part of not only
IT companies but also those in the Banking and Financial Sector, especially those banks with
huge computerised operations dealing with public data and depending heavily on
technology. In times of litigation or any security breach resulting in a claim of compensation
for financial loss or damages, it would be the huge responsibility of that
body corporate to prove that the said Reasonable Security Practices and Procedures were
actually in place and that all the steps mentioned in the Rules passed in April 2011, stated above,
had been taken.
In the near future, this is one of the sections that is going to create much noise and be the
subject of much debate in the event of litigations, like in re-defining the role of an employee,
the responsibility of an employer or the top management in data protection and issues like the
actual and vicarious responsibility, the actual and contributory negligence of all stakeholders
involved etc.
The issue has wider ramifications especially in the case of a cloud computing scenario (the
practice of using a network of remote servers hosted on the Internet to store, manage, and
process data, rather than a local server, with the services managed by the provider sold on
demand, for the amount of time used), where more and more organisations handle the data of
others and the information is stored elsewhere and not in the owner's system. Possibly, more
debates will emanate on the question of information owners vis-à-vis the information
container and the information custodians, and the Service Level Agreements of all parties
involved will assume a greater significance.
Adjudication: Having dealt with civil offences, the Act then goes on to describe the civil
remedy for such offences in the form of adjudication, without having to resort to the procedure
of filing a complaint with the police or other investigating agencies. Adjudication powers
and procedures have been elaborately laid down in Section 46 and thereafter. The Central
Government may appoint any officer not below the rank of a director to the Government of
India or a state Government as the adjudicator. The I.T. Secretary in any state is normally the
nominated Adjudicator for all civil offences arising out of data thefts and resultant losses in
the particular state. If at all one section can be criticized as absolutely lacking in
popularity in the IT Act, it is this provision. In the first ten years of existence of the ITA,
there have been only a very few applications made in the nation, that too in the major metros,
almost all of which are under different stages of judicial process, and adjudications have been
obtained in possibly less than five cases. The first adjudication obtained under this provision
was in Chennai, Tamil Nadu, in a case involving ICICI Bank, in which the bank was told to
compensate the applicant with the amount wrongfully debited in Internet Banking, along with
cost and damages, in April 2010.
This section should be given much popularity, and awareness should be spread among the
public, especially the victims of cyber crimes and data theft, that such a procedure does exist
without recourse to going to the police and filing a case. It is time the state spends some time
and thought in enhancing awareness on the provision of adjudication for civil offences in
cyber litigations like data theft etc., so that such useful provisions are effectively utilized by
the litigant public for the purpose for which they have been made.
There is an appellate procedure under this process and the composition of Cyber Appellate
Tribunal at the national level, has also been described in the Act. Every adjudicating officer
has the powers of a civil court and the Cyber Appellate Tribunal has the powers vested in a
civil court under the Code of Civil Procedure.
After discussing the procedures relating to appeals etc and the duties and powers of Cyber
Appellate Tribunal, the Act moves to the actual criminal acts coming under the broader
definition of cyber crimes. It would be pertinent to note that the Act only lists some of the
cyber crimes, (without defining a cyber crime) and stipulates the punishments for such
offences. The criminal provisions of the IT Act and those dealing with cognizable offences
and criminal acts follow from Chapter IX titled "Offences".
Section 65: Tampering with source documents is dealt with under this section. Concealing,
destroying or altering any computer source code when the same is required to be kept or
maintained by law is an offence punishable with three years' imprisonment or two lakh rupees
or with both. Fabrication of an electronic record or committing forgery by way of
interpolations in a CD produced as evidence in a court (Bhim Sen Garg vs State of Rajasthan
and others, 2006, Cri LJ, 3463, Raj 2411) attracts punishment under this Section. Computer
source code under this Section refers to the listing of programmes, computer commands,
design and layout etc. in any form.
Section 66: Computer related offences are dealt with under this Section. Data theft stated in
Section 43 is referred to in this Section. Whereas it was a plain and simple civil offence with
the remedy of compensation and damages only in that Section, here it is the same act but
with a criminal intention, thus making it a criminal offence. The act of data theft or the
offence stated in Section 43, if done dishonestly or fraudulently, becomes a punishable offence
under this Section and attracts imprisonment up to three years or a fine of five lakh rupees or
both. Earlier, hacking was defined in Sec 66 and it was an offence.
Now, after the amendment, data theft of Sec 43 is referred to in Sec 66, making this
section more purposeful, and the word "hacking" is not used. The word "hacking" was earlier
called a crime in this Section and, at the same time, courses on "ethical hacking" were also
taught academically. This led to an anomalous situation of people asking how an illegal
activity could be taught academically with the word "ethical" prefixed to it. Then can there be
training programmes, for instance, on "Ethical burglary", "Ethical Assault" etc., say for
courses on physical defence? This tricky situation was put an end to by the ITAA when it
re-phrased Section 66 by mapping it with the civil liability of Section 43 and removing
the word "Hacking". However, the act of hacking is still certainly an offence as per this
Section, though some experts interpret "hacking" as generally for good purposes (obviously to
facilitate naming of the courses as ethical hacking) and "cracking" for illegal purposes. It
would be relevant to note that the technology involved in both is the same and the act is the
same, whereas in "hacking" the owner's consent is obtained or assumed and the latter act,
"cracking", is perceived to be an offence.
Thanks to ITAA, Section 66 is now a widened one with a list of offences as follows:
66A Sending offensive messages through a communication service, causing annoyance etc. through
an electronic communication, or sending an email to mislead or deceive the recipient about
the origin of such messages (commonly known as IP or email spoofing) are all covered here.
Punishment for these acts is imprisonment up to three years or fine.
66B Dishonestly receiving a stolen computer resource or communication device, with
punishment up to three years or one lakh rupees as fine or both.
66C Electronic signature or other identity theft, like using others' password or electronic
signature etc. Punishment is three years' imprisonment or fine of one lakh rupees or both.
66D Cheating by personation using a computer resource or a communication device shall be
punished with imprisonment of either description for a term which may extend to three years and
shall also be liable to fine which may extend to one lakh rupees.
66E Privacy violation: publishing or transmitting the private area of any person without his or
her consent etc. Punishment is three years' imprisonment or two lakh rupees fine or both.
66F Cyber terrorism: intent to threaten the unity, integrity, security or sovereignty of the
nation and denying access to any person authorized to access the computer resource or
attempting to penetrate or access a computer resource without authorization. Acts of causing
a computer contaminant (like virus or Trojan horse or other spyware or malware) likely to
cause death or injuries to persons or damage to or destruction of property etc. come under this
Section. Punishment is life imprisonment.
It may be observed that all acts under S.66 are cognizable and non-bailable offences.
Intention or knowledge to cause wrongful loss to others (i.e. the existence of criminal
intention and the evil mind, the concept of mens rea) and destruction, deletion, alteration or
diminishing in value or utility of data are the major ingredients that bring any act under this
Section.
To summarise, what was civil liability with entitlement for compensations and damages in
Section 43, has been referred to here, if committed with criminal intent, making it a criminal
liability attracting imprisonment and fine or both.
Section 67 deals with publishing or transmitting obscene material in electronic form. The
earlier section in ITA was later widened as per ITAA 2008 in which child pornography and
retention of records by intermediaries were all included.
Publishing or transmitting obscene material in electronic form is dealt with here. Whoever
publishes or transmits any material which is lascivious or appeals to the prurient interest, or
whose effect is such as to tend to deprave and corrupt persons who are likely to read the matter
contained in it, shall be punished on first conviction with imprisonment for a term up to three
years and fine of five lakh rupees, and on second conviction for a term of five years and fine
of ten lakh rupees or both.
This Section is of historical importance since the landmark judgement in what is considered
to be the first ever conviction under the I.T. Act 2000 in India was obtained under this Section,
in the famous case State of Tamil Nadu vs Suhas Katti, on 5 November 2004. The strength of the
Section and the reliability of electronic evidence were proved by the prosecution, and
conviction was brought about in this case, which involved sending an obscene message in the name
of a married woman, amounting to cyber stalking, email spoofing and the criminal activity stated
in this Section.
Section 67-A deals with publishing or transmitting of material containing sexually explicit acts
in electronic form. Contents of Section 67, when combined with material containing
sexually explicit material, attract penalty under this Section.
Child Pornography has been exclusively dealt with under Section 67B. Depicting children
engaged in sexually explicit act, creating text or digital images or advertising or promoting
such material depicting children in obscene or indecent manner etc or facilitating abusing
children online or inducing children to online relationship with one or more children etc come
under this Section. Children mean persons who have not completed 18 years of age, for the
purpose of this Section. Punishment for the first conviction is imprisonment for a maximum
of five years and fine of ten lakh rupees and in the event of subsequent conviction with
imprisonment of seven years and fine of ten lakh rupees.
Bona fide heritage material being printed or distributed for the purpose of education or
literature etc. is specifically excluded from the coverage of this Section, to ensure that
printing and distribution of ancient epics or heritage material or pure academic books on
education and medicine are not unduly affected.

Screening videographs and photographs of illegal activities through the Internet, making
pornographic video or MMS clippings, and distributing such clippings through mobile or other
forms of communication through the Internet all fall under this category.
Section 67C fixes responsibility on intermediaries: they shall preserve and retain such
information as may be specified, for such duration and in such manner as the Central
Government may prescribe. Non-compliance is an offence with imprisonment up to three
years or fine.
Transmission of electronic message and communication:

Section 69: This is an interesting section in the sense that it empowers the Government or
agencies as stipulated in the Section, to intercept, monitor or decrypt any information
generated, transmitted, received or stored in any computer resource, subject to compliance of
procedure as laid down here. This power can be exercised if the Central Government or the
State Government, as the case may be, is satisfied that it is necessary or expedient in the
interest of sovereignty or integrity of India, defence of India, security of the State, friendly
relations with foreign States or public order or for preventing incitement to the commission of
any cognizable offence relating to above or for investigation of any offence. In any such case
too, the necessary procedure as may be prescribed, is to be followed and the reasons for
taking such action are to be recorded in writing, by order, directing any agency of the
appropriate Government. The subscriber or intermediary shall extend all facilities and
technical assistance when called upon to do so.
Section 69A, inserted in the ITAA, vests the Central Government or any of its officers
with the power to issue directions for blocking public access to any information through
any computer resource, under the same circumstances as mentioned above. Section 69B
discusses the power to authorise monitoring and collection of traffic data or information
through any computer resource.
Commentary on the powers to intercept, monitor and block websites: In short, under the
conditions laid down in the Section, the power to intercept, monitor or decrypt does exist. It
would be interesting to trace the history of telephone tapping in India and the legislative
provisions (or the lack of them?) in our nation and compare it with the powers mentioned here.
Until the passage of this Section in the ITAA, phone tapping was governed by Clause 5(2) of
the Indian Telegraph Act of 1885, which said that "On the occurrence of any public
emergency, or in the interest of the public safety, the Government may, if satisfied that it is
necessary or expedient so to do in the interests of the sovereignty and integrity of India, the
security of the State, friendly relations with foreign States or public order or for preventing
incitement to the commission of an offence, for reasons to be recorded in writing, by order,
direct that any message or class of messages to or from any person or class of persons, or
relating to any particular subject, brought for transmission by or transmitted or received by
any telegraph, shall not be transmitted, or shall be intercepted or detained, or shall be
disclosed to the Government making the order or an officer thereof mentioned in the order."
Other sections of the act mention that the government should formulate precautions to be
taken for preventing the improper interception or disclosure of messages. There have been
many attempts, rather many requests, to formulate rules to govern the operation of Clause
5(2). But ever since 1885, no government has formulated any such precautions, maybe for
obvious reasons to retain the spying powers for almost a century.
A writ petition was filed in the Supreme Court in 1991 by the People's Union for Civil
Liberties, challenging the constitutional validity of this Clause 5(2). The petition argued that
it infringed the constitutional right to freedom of speech and expression and to life and
personal liberty. In December 1996, the Supreme Court delivered its judgment, pointing out
that unless a public emergency has occurred or the interest of public safety demands, the
authorities have no jurisdiction to exercise the powers given them under 5(2). They went on
to define them thus: a "public emergency" was the "prevailing of a sudden condition or state of
affairs affecting the people at large calling for immediate action", and "public safety" means
"the state or condition of freedom from danger or risk for the people at large". Without those
two, however "necessary or expedient" it might be, the Government could not do so. Procedures
for keeping such records and the layer of authorities etc. were also stipulated.
Now, this Section 69 of the ITAA is far more intrusive and more powerful than the above-cited
provision of the Indian Telegraph Act 1885. Under this ITAA Section, the nominated
Government official will be able to listen in to all phone calls, read the SMSs and emails, and
monitor the websites that one visited, subject to adherence to the prescribed procedures and
without a warrant from a magistrate. In view of the foregoing, this Section was
criticized as draconian, vesting the government with much more power than required.

Having said this, we should not be oblivious to the fact that this power (of intercepting,
monitoring and blocking) is something which the Government, represented by the Indian
Computer Emergency Response Team (the National Nodal Agency, as nominated in
Section 70B of ITAA), has very rarely exercised. Perhaps believing in the freedom of
expression and having confidence in the self-regulative nature of the industry, the CERT-In
has stated that these powers are very sparingly (and almost never) used by it.
Critical Information Infrastructure and Protected System have been discussed in Section 70.
The Indian Computer Emergency Response Team (CERT-In) coming under the Ministry of
Information and Technology, Government of India, has been designated as the National
Nodal Agency for incident response. By virtue of this, CERT-In will perform activities like
collection, analysis and dissemination of information on cyber incidents, forecasts and alerts
of cyber security incidents, emergency measures for handling cyber security incidents etc.
The role of CERT-In in e-publishing security vulnerabilities and security alerts is remarkable.
The Minister of State for Communications and IT, Mr. Sachin Pilot, said in a written reply to
the Rajya Sabha (as reported in the Press) that CERT-In has handled over 13,000 such
incidents in 2011 compared to 8,266 incidents in 2009. "CERT-In has observed that there is
significant increase in the number of cyber security incidents in the country. A total of 8,266,
10,315 and 13,301 security incidents were reported to and handled by CERT-In during 2009,
2010 and 2011, respectively." These security incidents include website intrusions, phishing,
network probing, spread of malicious code like virus, worms and spam, he added. Hence the
role of CERT-In is very crucial, and much is expected of CERT-In, not just in
giving out alerts but in combating cyber crime, using the weapon of monitoring web traffic
and intercepting and blocking sites whenever so required and with due process of law.
Penalty for breach of confidentiality and privacy is discussed in Section 72, with the
punishment being imprisonment for a term up to two years or a fine of one lakh rupees or
both.
Considering the global nature of cyber crime and understanding the real time scenario of
a fraudster living in one part of the world and committing a data theft or DoS (Denial of
Service) kind of attack or other cyber crime in an entirely different part of the world,
Section 75 clearly states that the Act applies to offences or contravention committed outside
India, if the contravention or the offence involves a computer or a computer network located
in India.
This Act has over-riding provisions especially with regard to the regulations stipulated in the
Code of Criminal Procedure. As per Section 78, notwithstanding anything contained in the
Code of Criminal Procedure, a police officer not below the rank of an Inspector shall
investigate an offence under this Act. Such powers were conferred to officers not below the
rank of a Deputy Superintendent of Police earlier in the ITA which was later amended as
Inspector in the ITAA.
Due Diligence: Liability of intermediaries and the concept of Due Diligence have been
discussed in Section 79. As per this, intermediary shall not be liable for any third party
information hosted by him, if his function is limited to providing access to a communication
system over which information made available by third parties is transmitted or temporarily
stored or hosted or if he does not initiate the transmission, select the receiver of the
transmission and select or modify the information contained in the transmission and if he
observes due diligence and follows the guidelines prescribed by the Central Government.
This concept of due diligence is also much debated. Due diligence was first discussed
as an immediate fallout of the famous bazee.com case in New Delhi, when the NRI CEO of
the company was arrested after an MMS clipping with objectionable obscene material
depicting school children was made available for sale on the public domain website owned by
him (and later the CD was sold). The larger issue being discussed at that time was how
far the content provider is responsible, how far the Internet Service Provider is, and what
due diligence he, as the CEO of the company, should have exercised.
After passage of the ITAA and the introduction of "reasonable security practices and
procedures" and the responsibility of body corporate as seen earlier in Section 43A, and to set
at rest some confusion on the significance of due diligence and what constitutes due
diligence, the DIT came out with a set of rules titled Information Technology (Intermediaries
Guidelines) Rules on 11 April 2011. As per this, "the intermediary, on whose computer
system the information is stored or hosted or published, upon obtaining knowledge by itself
or been brought to actual knowledge by an affected person in writing or through email signed
with electronic signature about any such information as mentioned in sub-rule (2) above,
shall act within thirty six hours and where applicable, work with user or owner of such
information to disable such information that is in contravention of sub-rule (2). Further the
intermediary shall preserve such information and associated records for at least ninety days
for investigation purposes."
In essence, an intermediary shall be liable for any contravention of law committed by any
user unless the Intermediary can prove that he has exercised due diligence and has not
conspired or abetted in the act of criminality.
Power to enter, search etc. has been described in Section 80. "Notwithstanding anything
contained in the Code of Criminal Procedure, any police officer, not below the rank of an
Inspector or any other officer ... authorised ... may enter any public place and search and
arrest without warrant any person found therein who is reasonably suspected of having
committed or of committing or of being about to commit any offence under this Act." This is
another effective weapon that has been rarely, and almost never, utilised by the police officers.
The Act is applicable to electronic cheques and truncated cheques (i.e. the image of cheque
being presented and processed curtailing and truncating the physical movement of the cheque
from the collecting banker to the paying banker).
Overriding powers of the Act and the powers of Central Government to make rules and that
of State Governments to make rules wherever necessary have been discussed in the Sections
that follow.
Other Acts amended by the ITA:
The Indian Penal Code, 1860: Normally referred to as the IPC, this is a very powerful
legislation and probably the most widely used in criminal jurisprudence, serving as the main
criminal code of India. Enacted originally in 1860 and amended many times since, it covers
almost all substantive aspects of criminal law and is supplemented by other criminal
provisions. In independent India, many special laws have been enacted with criminal and
penal provisions which are often referred to and relied upon, as an additional legal provision
in cases which refer to the relevant provisions of IPC as well.

ITA 2000 has amended the sections dealing with records and documents in the IPC by
inserting the word "electronic", thereby treating electronic records and documents on a par
with physical records and documents. The Sections dealing with false entry in a record or
false document etc. (e.g. 192, 204, 463, 464, 464, 468 to 470, 471, 474, 476 etc.) have since
been amended to read "electronic record" and "electronic document", thereby bringing within the
ambit of the IPC all crimes relating to an electronic record and electronic documents, just like
physical acts of forgery or falsification of physical records.
In practice, however, the investigating agencies file the cases quoting the relevant sections
from IPC in addition to those corresponding in ITA like offences under IPC 463,464, 468 and
469 read with the ITA/ITAA Sections 43 and 66, to ensure the evidence or punishment stated
at least in either of the legislations can be brought about easily.
The Indian Evidence Act 1872: This is another legislation amended by the ITA. Prior to the
passing of the ITA, all evidence in a court was in the physical form only. With the ITA giving
recognition to all electronic records and documents, it was but natural that the evidentiary
legislation in the nation be amended in tune with it. In the definitions part of the Act itself,
the words "all documents including electronic records" were substituted. Words like "digital
signature", "electronic form", "secure electronic record" and "information", as used in the ITA,
were all inserted to make them part of the evidentiary mechanism in legislations.
Admissibility of electronic records as evidence, as enshrined in Section 65B of the Act,
assumes significance. This is an elaborate section and a landmark piece of legislation in the
area of evidence produced from a computer or electronic device. Any information contained
in an electronic record which is printed on a paper, stored, recorded or copied in optical or
magnetic media produced by a computer shall be treated like a document, without further
proof or production of the original, if conditions like these are satisfied: (a) the computer
output containing the information was produced by the computer during the period over
which the computer was used regularly ... by lawful persons ... (b) the information ... derived
was regularly fed into the computer in the ordinary course of the said activities; (c)
throughout the material part of the said period, the computer was operating properly ...
and ... a certificate signed by a person ... responsible ... etc.

To put it in simple terms, evidence (information) taken from computers or electronic storage
devices and produced as print-outs or in electronic media is valid if it is taken from a
system handled properly, with no scope for manipulation of data and ensuring integrity of data
produced directly with or without human intervention etc., and accompanied by a certificate
signed by a responsible person declaring the correctness of the records taken from a
computer system with all the precautions as laid down in the Section.
However, this Section is often misunderstood by one part of the industry to mean that
computer print-outs can be taken as evidence and are valid as proper records even if they
are not signed. We find many computer-generated letters emanating from big corporates with
proper space below for signature under the words "Yours faithfully" or "truly" and the
signature space left blank, with a Post Script remark at the bottom: "This is a computer
generated letter and hence does not require signature". The Act does not anywhere say that
computer print-outs need not be signed and can be taken as record.
The Bankers' Books Evidence (BBE) Act 1891: Amendment to this Act has been included
as the third schedule in ITA. Prior to the passing of ITA, any evidence from a bank to be
produced in a court necessitated production of the original ledger or other register for
verification at some stage, with the copy retained in the court records as exhibits. With the
passing of the ITA the definitions part of the BBE Act stood amended as: "bankers' books
include ledgers, day-books, cash-books, account-books and all other books used in
the ordinary business of a bank whether kept in the written form or as printouts of data stored
in a floppy, disc, tape or any other form of electro-magnetic data storage device". When the
books consist of printouts of data stored in a floppy, disc, tape etc., a printout of such entry
... certified in accordance with the provisions ... to the effect that it is a printout of such
entry or a copy of such printout by the principal accountant or branch manager; and (b) a
certificate by a person in-charge of computer system containing a brief description of the
computer system and the particulars of the safeguards adopted by the system to ensure that data
is entered or any other operation performed only by authorised persons; the safeguards adopted
to prevent and detect unauthorised change of data ... to retrieve data that is lost due to
systemic failure or ...

In short, just like in the Indian Evidence Act, the provisions in Bankers Books Evidence Act
make the printout from a computer system or a floppy or disc or a tape as a valid document
and evidence, provided, such print-out is accompanied by a certificate stating that it is a true
extract from the official records of the bank and that such entries or records are from a
computerised system with proper integrity of data, wherein data cannot be manipulated or
accessed in an unauthorised manner or is not lost or tamperable due to system failure or such
other reasons.
Here again, let us reiterate that the law does not state that any computerised print-out, even
if not signed, constitutes a valid record. But still many banks of repute (both public sector
and private sector) often send out printed letters to customers with the space for signature at
the bottom left blank after the line "Yours faithfully" etc. and with a remark as Post Script
reading: "This is a computer generated letter and hence does not require signature". Such
interpretation is grossly misleading and sends a message to the public that computer generated
reports or letters need not be signed, which is neither mentioned anywhere in, nor is the import
of, the ITA or the BBE.
The next Act that was amended by the ITA is the Reserve Bank of India Act, 1934. In
sub-section (2) of Section 58 of the Act, after clause (p), a clause relating to the regulation
of funds transfer through electronic means between banks (i.e. transactions like RTGS and NEFT
and other funds transfers) was inserted, to facilitate such electronic funds transfer and ensure
legal admissibility of documents and records therein.
Observations on ITA and ITAA:
Having discussed in detail all the provisions of ITA and ITAA, let us now look at some of the
broader areas of omissions and commissions in the Act and the general criticism the Acts
have faced over the years.
Awareness: There is no serious provision in the Act for creating awareness and putting such
initiatives in place. Neither the government nor the investigating agencies like the Police
department (whose job has been made comparatively easier and focused, thanks to the passing of
the IT Act) have taken any serious step to create public awareness about the provisions in these
legislations, which is absolutely essential considering the fact that this is a new area and
technology has to be learnt by all the stake holders like the judicial officers, legal
professionals, litigant public and the public or users at large. In particular, a provision like
the scope for the adjudication process is not known to many, including those in the
investigating agencies.
Jurisdiction: This is a major issue which is not satisfactorily addressed in the ITA or ITAA.
Jurisdiction has been mentioned in Sections 46, 48, 57 and 61 in the context of the adjudication
process and the appellate procedure connected with it, and again in Section 80 as part of the
police officers' powers to enter and search a public place for a cyber crime etc. In the context
of electronic records, Section 13 (3) and (4) discuss the place of dispatch and receipt of an
electronic record, which may be taken as jurisprudence issues.
However, some fundamental issues remain. If someone's mail is hacked and the accused is a
resident of a city in some state, while the victim comes to know of it in a different city,
which police station does he go to? If he is an employee of a multinational company with
branches throughout the world and in many metros in India, is often on tour in India, and
suspects another individual, say an employee of the same firm in his branch or headquarters
office, and informs the police that evidence could lie in the suspect's computer system itself,
where does he go to file the complaint? Often, the investigators do not accept such complaints
on the grounds of jurisdiction, and there are occasions when the judicial officers too have
hesitated to deal with such cases. The knowledge that cyber crime is geography-agnostic,
borderless, territory-free and sans all jurisdiction and frontiers, and happens in the "cloud"
or the "space", has to be spread and proper training is to be given to all concerned players in
the field.
Evidences: Evidence is a major concern in cyber crimes. Part of the evidence problem is the
"crime scene" issue. In cyber crime, there is no crime scene. We cannot mark a place, a
computer or a network, nor seize the hard-disk immediately and keep it under lock and key
as an exhibit taken from the crime scene.

Very often, nothing could be seen as a scene in cyber crime! The evidence, the data, the
network and the related gadgets, along with of course the log files and trail of events
emanating or recorded in the system, are actually the crime scene. While filing cases under
the IT Act, be it as a civil case in the adjudication process or a criminal complaint filed with
the police, very often evidence may lie in some system like the intermediaries' computers or
sometimes in the opponent's computer system too. In all such cases, unless the police swing
into action swiftly and seize the systems and capture the evidence, such vital evidence
could be easily destroyed. In fact, if one knows that his computer is going to be seized, he
would immediately go for destruction of evidence (formatting, removing the history,
removing the cookies, changing the registry and user login set ups, reconfiguring the system
files etc.) since most of the computer history and log files are volatile in nature.
There is no major initiative in India on common repositories of electronic evidence, by which
in the event of any dispute (including civil) the affected computer may be handed over to a
common trusted third party with proper software tools, who may keep a copy of the entire
disk and return the original to the owner, so that he can keep using it at will and the copy will
be produced as evidence whenever required. For this there are software tools like EnCase
with a global recognition and our own C-DAC tools, which are available with many retrieval
facilities and search features, without giving any room for further writing, and which preserve
the original version with date stamp for production as evidence.
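The preservation workflow described above (copy the entire disk, allow no further writing, date-stamp the copy) can be sketched as follows. This is an added Python illustration, not part of the dissertation and not how EnCase or the C-DAC tools work internally; the file names and the examiner field are hypothetical, and the "disk" is a constructed sample file.

```python
import hashlib
import json
import os
import stat
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large disk need not fit in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source, image, examiner):
    """Copy `source` to `image` bit for bit and return a custody record.

    The source is opened read-only. The hash is computed over the bytes as
    they are read, then the written image is re-read and must match it.
    """
    digest = hashlib.sha256()
    size = 0
    # Mode "xb" refuses to overwrite an existing image file.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    source_hash = digest.hexdigest()
    if sha256_file(image) != source_hash:
        raise IOError("image does not match source; acquisition is not usable")
    os.chmod(image, stat.S_IRUSR)  # the stored copy is read-only from here on
    return {
        "source": os.path.abspath(source),
        "image": os.path.abspath(image),
        "size_bytes": size,
        "sha256": source_hash,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,  # hypothetical field for the custody record
    }


def verify_image(record):
    """Return True only if the image still has the recorded size and hash."""
    image = record["image"]
    if os.path.getsize(image) != record["size_bytes"]:
        return False
    return sha256_file(image) == record["sha256"]


def demo():
    """Acquire a constructed sample 'disk', then show a one-byte change is detected."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "suspect_disk.raw")  # constructed sample, not real evidence
        image = os.path.join(work, "suspect_disk.img")
        with open(source, "wb") as fh:
            fh.write(b"MBR" + bytes(range(256)) * 4096)  # just over 1 MiB, so two reads
        record = acquire_image(source, image, examiner="Examiner A (hypothetical)")
        intact = verify_image(record)

        # Simulate tampering with the stored copy: flip one byte in place.
        os.chmod(image, stat.S_IRUSR | stat.S_IWUSR)
        with open(image, "r+b") as fh:
            fh.seek(100)
            original = fh.read(1)
            fh.seek(100)
            fh.write(bytes([original[0] ^ 0xFF]))
        tampered = verify_image(record)
        return record, intact, tampered


if __name__ == "__main__":
    record, intact, tampered = demo()
    print(json.dumps(record, indent=2))
    print("verified after acquisition:", intact)
    print("verified after tampering:  ", tampered)
```

The custody record, not the image alone, is what lets a later examiner show that the copy produced is the copy that was taken; in practice the record itself would be signed or lodged with the third party at acquisition time.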
Non coverage of many crimes: While there is much legislation in not only many Western
countries but also some smaller nations in the East, India has only one legislation: the ITA
and ITAA. Hence it is quite natural that many issues on cyber crimes and many crimes per se
are left uncovered. Many cyber crimes like cyber squatting with an evil intention to extort
money, spam mails, ISPs' liability in copyright infringement and data privacy issues have not
been given adequate coverage.
Besides, most of the Indian corporates, including some Public Sector undertakings, use
Operating Systems that are from the West, especially the US, and many software utilities and
hardware items and sometimes firmware are from abroad. In such cases, the actual reach and
import of IT Act Sections dealing with a utility software or a system software or an
Operating System upgrade or update used for downloading the software utility is to be
specifically addressed, as otherwise a peculiar situation may come when the user may not
know whether the upgrade or the patch is getting downloaded or any spyware is getting
installed. The Act does not address the government's policy on keeping the backup of
corporates including the PSUs and PSBs in our country or abroad and, if kept abroad, the
subjective legal jurisprudence on such software backups.
We find, as has been said earlier in the chapter, that most of the cyber crimes in the nation are
still brought under the relevant sections of IPC read with the comparative sections of ITA or
the ITAA which gives a comfort factor to the investigating agencies that even if the ITA part
of the case is lost, the accused cannot escape from the IPC part.
To quote the noted cyber law expert in the nation and Supreme Court advocate Shri Pavan
Duggal, "While the lawmakers have to be complimented for their admirable work removing
various deficiencies in the Indian Cyber law and making it technologically neutral, yet it
appears that there has been a major mismatch between the expectation of the nation and the
resultant effect of the amended legislation. The most bizarre and startling aspect of the new
amendments is that these amendments seek to make the Indian cyber law a cyber crime
friendly legislation; a legislation that goes extremely soft on cyber criminals, with a soft
heart; a legislation that chooses to encourage cyber criminals by lessening the quantum of
punishment accorded to them under the existing law; ... a legislation which makes a
majority of cybercrimes stipulated under the IT Act as bailable offences; a legislation that is
likely to pave way for India to become the potential cyber crime capital of the world."
Let us not be pessimistic that the existing legislation is cyber criminal friendly or paves the
way to increase crimes. Certainly, it does not. It is a commendable piece of legislation, a
landmark first step and a remarkable mile-stone in the technological growth of the nation. But
let us not be complacent that the existing law would suffice. Let us remember that the
criminals always go faster than the investigators and always try to be one step ahead in
technology. After all, steganography was used in the Parliament Attack case to convey a
one-line hidden message from one criminal to another which was a lesson for the
investigators to know more about the technology of steganography. Similarly Satellite phones
were used in the Mumbai attack case in November 2008 after which the investigators became
aware of the technological perils of such gadgets, since until then, they were relying on cell
phones and the directional tracking by the cell phone towers and Call Details Register entries
only. Hopefully, more and more awareness campaign will take place and the government will
be conscious of the path ahead to bring more and more legislations in place. Actually,
bringing more legislation may just not be sufficient, because the conviction rate in Cyber
crime offences is among the lowest in the nation, much lower than the rate in IPC and other
offences. The government should be aware that it is not the severity of punishment that is a
deterrent for the criminals, but it is the certainty of punishment. It is not the number of
legislations in a society that should prevent crimes but it is the certainty of punishment that
the legislation will bring.
Let us now discuss some of the other relevant legislations in the nation that deal with cyber
crimes in various sectors.
Prevention of Money Laundering Act:
Black money has always been a serious evil in any developing economy. Nation builders,
lawmakers and particularly the country's financial administrators have always taken
persistent efforts to curb the evil of black money and all sorts of illegally earned income. A
major initiative taken in this direction in India is the Anti Money Laundering Act 2002. A
main objective of the Act was to provide for confiscation of property derived from, or
involved in, money laundering.
Money laundering, though not defined in the Act, can be construed to mean directly or
indirectly attempting to indulge in any process or activity connected with the proceeds of
crime and projecting it as untainted property. The Act stipulates that whoever commits the
offence of money laundering shall be punishable with rigorous imprisonment for a term
which shall not be less than three years but may extend to seven years and also be liable to a
fine which may extend to five lakh rupees.
Money laundering involves a process of getting the money from illegal sources, layering it in
any legal source, integrating it as part of any legal system like banking and actually using it.
Since banking as an industry has a major and significant role to play in the act of money
laundering, it is now a serious responsibility on the part of banks to ensure that the banking
channel is not used in the criminal activity. Much more than a responsibility, it is now a
compliance issue as well.
Obligations of banks include maintaining records of all transactions of the nature and
value specified in the rules, furnishing information on the transactions within the prescribed
time whenever warranted, and verifying and maintaining records of the identity of all customers.
Hence, as a corollary, adherence to Know Your Customer norms and maintenance of all KYC
records assumes a very major significance and becomes a compliance issue. Records of cash
transactions and suspicious transactions are to be kept and reported as stipulated.
Non-compliance on any of these will render the concerned bank official liable for the offence of
money laundering and guilty under the Act.
E-Records Maintenance Policy of Banks:
Computerisation started in most of the banks in India from the end of the 80s in a small way, in
the form of standalone systems called Advanced Ledger Posting Machines (a separate PC for
every counter/activity), which then led to the era of Total Branch Automation or
Computerisation in the early or mid 90s. TBA or TBC, as it was popularly called, marked the
beginning of a networked environment on a Local Area Network under client-server
architecture, when records used to be maintained electronically on hard disks and on
external media like tapes for backup purposes.
Ever since the passing of the ITA and the according of recognition to electronic records, it has
become mandatory on the part of banks to maintain a proper computerized system for
electronic records. Conventionally, all legacy systems in the banks have a record
maintenance policy, often with the RBI's and their individual Board's approval, stipulating the
period of preservation for all sorts of records, ledgers, vouchers, registers, letters, documents
etc.
Thanks to computerisation and the introduction of computerized data maintenance and often
computer-generated vouchers also, most of the banks became responsive to the computerized
environment and quite a few have started the process of formulating their own Electronic
Records Maintenance Policy. The Indian Banks' Association took the initiative in bringing out a
book on Banks' e-Records Maintenance Policy to serve as a model for use and adoption in
banks, suiting the individual bank's technological setup. Hence banks should ensure that an
e-records maintenance policy with details of e-records, their nature, their upkeep, the
technological requirements, off-site backup, retrieval systems, access control and access
privileges initiatives is in place, if not done already.
On the legal compliance side, especially after the Rules on Reasonable Security Practices and
Procedures were passed in April 2011 as part of ITAA 2008 Section 43A, banks
should strive to prove that they have all the security policies in place, like compliance
with ISO 27001 standards etc., and that e-records are maintained. Besides, the certificate to be
given as an annexure to e-evidences as stipulated in the BBE Act also emphasizes this point
of maintenance of e-records in a proper manner: ensuring proper backup, ensuring against
tamperability, and always ensuring confidentiality, integrity, availability and non-repudiation.

This policy should not be confused with the Information Technology Business Continuity and
Disaster Recovery Plan or Policy, nor with the Data Warehousing initiatives. The focus of each
of these three policies (BCDRP, DWH and E-records Maintenance Policy) is individually different,
serving different purposes, using different technologies and maybe coming under different
administrative controls too at the managerial level.
Legislations in other nations:
As against the lone legislation ITA and ITAA in India, in many other nations globally, there
is much legislation governing e-commerce and cyber crimes going into all the facets of cyber
crimes. Data Communication, storage, child pornography, electronic records and data privacy
have all been addressed in separate Acts and Rules giving thrust in the particular area focused
in the Act.
In the US, they have the Health Insurance Portability and Accountability Act popularly
known as HIPAA which inter alia, regulates all health and insurance related records, their
upkeep and maintenance and the issues of privacy and confidentiality involved in such
records. Companies dealing with US firms ensure HIPAA compliance insofar as the data
relating to such corporate are handled by them. The Sarbanes-Oxley Act (SOX) signed into
law in 2002 and named after its authors Senator Paul Sarbanes and Representative Paul
Oxley, mandated a number of reforms to enhance corporate responsibility, enhance financial
disclosures, and combat corporate and accounting fraud. Besides, there are a number of laws
in the US, both at the federal level and at the level of different states, like the Cable
Communications Policy Act, Children's Internet Protection Act, and Children's Online Privacy
Protection Act etc.
In the UK, the Data Protection Act and the Privacy and Electronic Communications
Regulations etc are all regulatory legislations already existing in the area of information
security and cyber crime prevention, besides cyber crime law passed recently in August 2011.
Similarly, we have cyber crime legislations and other rules and regulations in other nations.

CHAPTER 02
CYBER CRIME PREVENTION & DETECTION

2.0 CYBER CRIME


2.1 Cyber Crime is an evil having its origin in the growing dependence on computers in
modern life.
A simple yet sturdy definition of cyber crime would be "unlawful acts wherein the computer
is either a tool or a target or both". Defining cyber crimes as "acts that are punishable by the
Information Technology Act" would be unsuitable, as the Indian Penal Code also covers many
cyber crimes, such as e-mail spoofing, cyber defamation etc.
2.2 TYPES OF CYBER CRIME
Cyber Crime refers to all activities done with criminal intent in cyberspace. These fall into
three slots.

Those against persons.

Against Business and Non-business organizations.

Crime targeting the government.

Let us examine the acts wherein the computer is a tool for an unlawful act. This kind of
activity usually involves a modification of a conventional crime by using computer. Some
examples are;
2.2.1 Financial Claims: This would include cheating, credit card frauds, money laundering
etc.
Cyber Pornography: This would include pornographic websites and pornographic magazines
produced using computers and the Internet (to download and transmit pornographic pictures,
photos, writings etc.)
Sale of illegal articles: This would include sale of narcotics, weapons and wildlife etc., by
posting information on websites, bulletin boards or simply by using e-mail communications.
Online gambling: There are millions of websites, all hosted on servers abroad, that offer
online gambling. In fact, it is believed that many of these websites are actually fronts for
money laundering.
Intellectual Property Crimes: These include software piracy, copyright infringement,
trademarks violations etc.

E-Mail spoofing: A spoofed email is one that appears to originate from one source but
actually has been sent from another source. This can also be termed as E-Mail forging.
Forgery: Counterfeit currency notes, postage and revenue stamps, mark sheets etc., can be
forged using sophisticated computers, printers and scanners.
Cyber Defamation: This occurs when defamation takes place with the help of computers
and/or the Internet, e.g. someone publishes defamatory matter about someone on a website or
sends e-mail containing defamatory information to all of that person's friends.
Cyber Stalking: Cyber stalking involves following a person's movements across the
Internet by posting messages on the bulletin boards frequented by the victim, entering the
chat-rooms frequented by the victim.
Let us examine some of the acts wherein the computer or computer Network is the target for
an unlawful act. It may be noted that in these activities the computer may also be a tool. This
kind of activity is usually out of the purview of conventional criminal law. Some examples
are:
2.2.2 Unauthorized access to computer system or network: This activity is commonly
referred to as hacking. The Indian Law has however given a different connotation to the term
hacking.
Theft of information contained in electronic form: This includes information stored in
computer hard disks, removable storage media etc.
E-Mail bombing: Email bombing refers to sending a large amount of e-mails to the victim
resulting in the victim's e-mail account or mail servers.
Data diddling: This kind of an attack involves altering the raw data just before it is
processed by a computer and then changing it back after the processing is completed.
Salami attacks: These attacks are used for the commission of financial crimes. The key
here is to make the alteration so insignificant that in a single case it would go completely
unnoticed, e.g. a bank employee inserts a program into the bank's servers that deducts a small
amount from the account of every customer.
Denial of Service: This involves flooding a computer resource with more requests than it
can handle. This causes the resource to crash, thereby denying authorized users the service
offered by the resource.
Virus/worm: Viruses are programs that attach themselves to a computer or a file and then
circulate themselves to other files and to other computers on a network. They usually affect
the data on a computer, either by altering or deleting it. Worms, unlike viruses, do not need
a host to attach themselves to.
Logic bombs: These are dependent programs. This implies that these programs are created
to do something only when a certain event occurs, e.g. some viruses may be termed logic
bombs because they lie dormant all through the year and become active only on a particular
date.
Trojan horse: A Trojan as this program is aptly called, is an unauthorized program which
functions from inside what seems to be an authorized program, thereby concealing what it is
actually doing.
Internet Time Theft: This connotes the usage by unauthorized persons of the Internet
hours paid for by another person.
Physically damaging a computer system: This crime is committed by physically damaging
a computer or its peripherals.
2.1 PREVENTION
2.2 PREVENTIVE STEPS FOR INDIVIDUALS
2.2.1. CHILDREN:
Children should not give out identifying information such as name, home address, school
name or telephone number in a chat room. They should not give photographs to anyone on
the Net without first checking with or informing parents or guardians. They should not respond
to messages which are suggestive, obscene, belligerent or threatening, and should not arrange a
face-to-face meeting without telling parents or guardians. They should remember that
people online might not be who they seem.
2.2.2 PARENTS:
Parents should use content filtering software on the PC to protect children from pornography,
gambling, hate speech, drugs and alcohol. There is also software to establish time controls for
use of limpets (for example, blocking usage after a particular time) and to allow parents to
see which sites their children have visited. Use this software to keep track of the type of
activities of children.
2.2.3. GENERAL INFORMATION:
Don't delete harmful communications (emails, chats etc). They will provide vital
information about the system and address of the person behind these.

Try not to panic.

If you feel any immediate physical danger, contact your local police.

Avoid getting into huge arguments online during chat and discussions with other
users.

Remember that all other Internet users are strangers; you do not know who you are
chatting with. So be careful.

Be extremely careful about how you share personal information about yourself online.

Choose your chatting nickname carefully so as others.

Do not share personal information in public space online; do not give it to strangers.

Be extremely cautious about meeting a person introduced online. If you choose to
meet, do so in a public place along with a friend.

If a situation online becomes hostile, log off and if a situation places you in fear,
contact local police.

Save all communications for evidence. Do not edit it in any way. Also, keep a record
of your contacts and inform Law Enforcement Officials.

2.3 PREVENTIVE STEPS FOR ORGANISATIONS AND GOVERNMENT


2.3.1 PHYSICAL SECURITY: Physical security is the most sensitive component of
prevention from cyber crime. The computer network should be protected from access by
unauthorized persons.
2.3.2 ACCESS CONTROL: Access Control system is generally implemented using
firewalls, which provide a centralized point from which to permit or allow access. Firewalls
allow only authorized communications between the internal and external network.
2.3.3 PASSWORD: Proof of identity is an essential component to identify an intruder. The
use of passwords is the most common security measure for network systems including servers,
routers and firewalls. Almost all systems are programmed to ask for a username and password
for access to the computer system. This provides verification of the user. Passwords should be
changed at regular intervals of time, should be alphanumeric and should be difficult to
guess.
2.3.4 FINDING THE HOLES IN NETWORK: System managers should track down the
holes before the intruders do. Many networking product manufacturers are not particularly
aware of the information about security holes in their products. So organizations should
work hard to discover security holes, bugs and weaknesses and report their findings as they
are confirmed.
2.3.5 USING NETWORK SCANNING PROGRAMS: There is a security
administration tool called UNIX, which is freely available on the Internet. This utility scans
and gathers information about any host on a network, regardless of which operating system or
services the hosts are running. It checks for known vulnerabilities, including bugs, security
weaknesses, inadequate password protection and so on. There is another product available
called COPS (Computer Oracle and Password System). It scans for poor passwords,
dangerous file permissions, and dates of key files compared to dates of CERT security
advisories.
2.3.6 USING INTRUSION ALERT PROGRAMS: As it is important to identify and
close existing security holes, you also need to put some watchdogs into service. There are
some intrusion programs, which identify suspicious activity and report so that necessary
action is taken. They need to be operating constantly so that all unusual behaviour on network
is caught immediately.
2.3.7 USING ENCRYPTION: Encryption is able to transform data into a form that
makes it almost impossible to read without the right key. This key is used to allow
controlled access to the information to selected people. The information can be passed on to
anyone, but only the people with the right key are able to see the information. Encryption
allows sending confidential documents by e-mail or saving confidential information on laptop
computers without having to fear that, if someone steals it, the data will become public. With
the right encryption/decryption software installed, it will hook up to the mail program and
encrypt/decrypt messages automatically without user interaction.
2.4 DETECTION: Cyber crime is the latest and perhaps the most specialized and dynamic
field in cyber laws. Some cyber crimes, like network intrusion, are difficult to detect
and investigate, even though most crimes against individuals, like cyber stalking, cyber
defamation and cyber pornography, can be detected and investigated through the following steps:
After receiving such a mail:

Give the command to the computer to show the full header of the mail.

In the full header, find the IP number and the time of delivery; this IP number is
always different for every mail. From this IP number we can know who was
the Internet service provider for the system from which the mail had come.

To find the Internet Service Provider from the IP number, take the service of a search
engine like nic.com, macffvisualroute.com, apnic.com or arin.com.

After opening the website of any of the above-mentioned search engines, feed in the IP
number, and after some time the name of the ISP can be obtained.

After getting the name of the ISP, we can get the information about the sender from the
ISP by giving them the IP number, date and time of the sender.

The ISP will provide the address and phone number of the system which was used to send
the mail with bad intention.

After knowing the address and phone number, the criminal can be apprehended by using
conventional police methods.
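The header-reading steps above can be scripted. The following is an added example, not part of the dissertation: it parses the `Received` lines of a constructed message and separates the address the recipient's own mail servers observed from the one merely claimed further down the chain. All host names, the documentation-range addresses and the trusted suffix `recipient.example` are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Ranges that never identify an Internet subscriber (private, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")

# Constructed sample: three hops, newest first, as mail servers prepend them.
SAMPLE_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [192.168.10.5])
\tby mailstore.recipient.example with ESMTP id A1;
\tMon, 2 Jan 2012 13:02:11 +0530
Received: from smtp.isp.example (smtp.isp.example [198.51.100.25])
\tby mx.recipient.example with ESMTP id B2;
\tMon, 2 Jan 2012 13:02:05 +0530
Received: from [10.1.1.23] (dsl-77.isp.example [203.0.113.77])
\tby smtp.isp.example with ESMTPSA id C3;
\tMon, 2 Jan 2012 07:31:58 +0000
From: sender@isp.example
To: desk@recipient.example
Subject: constructed sample

body
"""


def public_ips(text):
    """Return the routable IPv4 addresses written in [brackets] in a header."""
    found = []
    for candidate in BRACKETED_IP.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # malformed, e.g. [999.1.1.1]
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            found.append(str(addr))
    return found


def parse_hops(raw):
    """One dict per Received header, newest first (the order in the message)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        route, sep, stamp = value.rpartition(";")
        if not sep:  # header without a timestamp part
            route, stamp = value, ""
        by = BY_HOST.search(route)
        try:
            # Normalise to UTC: ISPs map dynamic addresses to subscribers by time.
            when = parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)
        except (TypeError, ValueError):
            when = None
        hops.append({"by": by.group(1).lower() if by else None,
                     "ips": public_ips(route), "when_utc": when})
    return hops


def trace(raw, trusted_suffix):
    """Split the route into what our servers observed and what was only claimed.

    Headers written by the recipient's own servers are reliable; anything below
    the first foreign server was supplied by the sending side and can be forged.
    """
    observed = claimed = None
    in_trusted_run = True
    for hop in parse_hops(raw):  # newest -> oldest
        host = hop["by"] or ""
        ours = host == trusted_suffix or host.endswith("." + trusted_suffix)
        in_trusted_run = in_trusted_run and ours
        if not hop["ips"]:
            continue
        # The last bracketed address is the peer the writing server connected to.
        entry = (hop["ips"][-1], hop["when_utc"])
        if in_trusted_run:
            observed = entry   # ends as the oldest hop our servers recorded
        else:
            claimed = entry    # ends as the oldest hop recorded by others
    return {"observed": observed, "claimed": claimed}


if __name__ == "__main__":
    print(trace(SAMPLE_MESSAGE, "recipient.example"))
```

The `observed` pair is what a registry lookup should start from; the `claimed` pair is only as good as the ISP's own log confirming it for that UTC time.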
2.5 CYBER LAW
India has enacted the first I.T. Act, 2000 based on the UNCITRAL model recommended by the
General Assembly of the United Nations. Chapter XI of this Act deals with offences/crimes,
along with certain other provisions scattered in this Act. The various offences which are
provided under this chapter are shown in the following table:

2.5.1

| Offence | Section under IT Act |
|---|---|
| Tampering with Computer source documents | Sec.65 |
| Hacking with Computer systems, Data alteration | Sec.66 |
| Publishing obscene information | Sec.67 |
| Un-authorised access to protected system | Sec.70 |
| Breach of Confidentiality and Privacy | Sec.72 |
| Publishing false digital signature certificates | Sec.73 |

NOTE: Sec.78 of I.T. Act empowers Deputy Supdt. of Police to investigate cases falling
under this Act.



2.5.2 Computer Related Crimes Covered under IPC and Special Laws
| Offence | Section |
|---|---|
| Sending threatening messages by email | Sec 503 IPC |
| Sending defamatory messages by email | Sec 499 IPC |
| Forgery of electronic records | Sec 463 IPC |
| Bogus websites, cyber frauds | Sec 420 IPC |
| Email spoofing | Sec 463 IPC |
| Web-Jacking | Sec. 383 IPC |
| E-Mail Abuse | Sec.500 IPC |
| Online sale of Drugs | NDPS Act |
| Online sale of Arms | Arms Act |

2.6 ELEMENTARY PROBLEMS ASSOCIATED WITH CYBER-CRIMES:


One of the greatest lacunae in the field of Cyber Crime is the absence of comprehensive law
anywhere in the World. The problem is further aggravated due to disproportional growth
ratio of Internet and cyber laws. Though a beginning has been made by the enactment of I.T.
Act and amendments made to Indian Penal Code, problems associated with cyber crimes
continue to persist.
1. Jurisdiction is the highly debatable issue as to the maintainability of any suits which
have been filed. Today, with the growing arms of cyber space, the territorial boundaries seem
to vanish. Thus the concept of territorial jurisdiction as envisaged under S.16 of Cr.P.C. and
S.2 of the I.P.C. will have to give way to alternative methods of dispute resolution.
2. Loss of evidence is a very common & expected problem as all the data are routinely
destroyed. Further, collection of data outside the territorial extent also paralyses the system of
crime investigation.
3. Cyber Army: There is also an imperative need to build a high technology crime &
investigation infrastructure, with highly technical staff at the other end.
4. A law regulating the cyber-space, which India has done?
5. Though S.75 provides for extra-territorial operations of this law, but they could be
meaningful only when backed with provision recognizing orders and warrants for
Information issued by competent authorities outside their jurisdiction and measure for
cooperation for exchange of material and evidence of computer crimes between law
enforcement agencies.
6. Cyber savvy judges are the need of the day. Judiciary plays a vital role in shaping the
enactment according to the order of the day. One such case, which needs appreciation, is the
P.I.L. (Public Interest Litigation), which the Kerala High Court has accepted through an
email. 'Perfect' is a relative term. Nothing in this world is perfect. The persons who legislate
the laws and by-laws also are not perfect. The laws therefore enacted by them cannot be
perfect. The cyber law has emerged from the womb of globalisation. It is at the threshold of
development. In due course of exposure through varied and complicated issues it will grow to
be a piece of its time legislation.

CHAPTER 03
INFORMATION TECHNOLOGY ACT, 2000

3.0 INFORMATION TECHNOLOGY ACT, 2000


3.1. OBJECTIVES OF IT LEGISLATION IN INDIA
The Government of India enacted its Information Technology Act 2000 with the objectives
officially stated as:
to provide legal recognition for transactions carried out by means of electronic data
interchange and other means of electronic communication, commonly referred to as
"electronic commerce", which involve the use of alternatives to paper-based methods of
communication and storage of information, to facilitate electronic filing of documents with
the Government agencies and further to amend the Indian Penal Code, the Indian Evidence
Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934
and for matters connected therewith or incidental thereto.
What does the IT Act 2000 legislation deal with?
The Act essentially deals with the following issues:

Legal Recognition of Electronic Documents

Legal Recognition of Digital Signatures

Offenses and Contraventions

Justice Dispensation Systems for cyber crimes.

Why did the need for IT Amendment Act 2008 (ITAA) arise?
The IT Act 2000, being the first legislation on technology, computers, e-commerce and
e-communication, was the subject of extensive debates and elaborate reviews, with one arm of
the industry criticizing some sections of the Act as draconian and another stating it is too
diluted and lenient. There were some obvious omissions too, resulting in the investigators
relying more and more on the time-tested (one and a half century-old) Indian Penal Code even
in technology-based cases, with the IT Act also being referred to in the process but with the
reliance more on the IPC than on the ITA.
Thus the need for an amendment, a detailed one, was felt for the I.T. Act. Major industry
bodies were consulted and advisory groups were formed to go into the perceived lacunae in
the I.T. Act, compare it with similar legislations in other nations and suggest
recommendations. Such recommendations were analysed and subsequently taken up as a
comprehensive Amendment Act and, after considerable administrative procedures, the
consolidated amendment called the Information Technology Amendment Act 2008 was
placed in the Parliament and passed at the end of 2008 (just after the Mumbai terrorist attack of
26 November 2008 had taken place). The IT Amendment Act 2008 got the President's assent
on 5 Feb 2009 and was made effective from 27 October 2009.
Notable features of the ITAA 2008 are:

Focussing on data privacy

Focussing on Information Security

Defining cyber café

Making digital signature technology neutral

Defining reasonable security practices to be followed by corporate

Redefining the role of intermediaries

Recognising the role of Indian Computer Emergency Response Team

Inclusion of some additional cyber crimes like child pornography and cyber terrorism

Authorizing an Inspector to investigate cyber offences (as against the DSP earlier)

3.2. STRUCTURE OF IT ACT


a. How is IT Act structured?
The Act has 13 chapters and 90 sections in total. Sections 91 to 94 deal with the amendments
to the four Acts, namely the Indian Penal Code 1860, the Indian Evidence Act 1872, the
Bankers' Books Evidence Act 1891 and the Reserve Bank of India Act 1934. The Act has
chapters that deal with authentication of electronic records, electronic signatures etc.
Elaborate procedures for certifying authorities and electronic signatures have been spelt out.
The civil offence of data theft and the process of adjudication and appellate procedures have
been described. Then the Act goes on to define and describe some of the well-known cyber
crimes and lays down the punishments therefor. Then the concept of due diligence, the role of
intermediaries and some miscellaneous provisions have been described.
b. What is the applicability of IT Act?
The Act extends to the whole of India and, except as otherwise provided, it also applies to any
offence or contravention thereunder committed outside India by any person.

Rules and procedures mentioned in the Act have also been laid down in a phased manner,
defined as recently as April 2011.
For the sake of simplicity, here we will only be discussing the various penalties and offences
defined as per the provisions of ITA 2000 and ITAA 2008. Please note that wherever the terms
IT Act 2000 or 2008 are used, they refer to the same Act, because the IT Act now includes the
amendments as per the IT 2008 Amendment Act.
Specific exclusion(s) to the Act where it is not applicable are:

Negotiable instrument (other than a cheque) as defined in section 13 of the Negotiable
Instruments Act, 1881;

A power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;

A trust as defined in section 3 of the Indian Trusts Act, 1882

A will as defined in clause (h) of section 2 of the Indian Succession Act, 1925
including any other testamentary disposition

3.3. WHAT IS A CYBER CRIME?


Cyber Crime is not defined officially in IT Act or in any other legislation. In fact, it cannot be
too. Offence or crime has been dealt with elaborately listing various acts and the punishments
for each, under the Indian Penal Code, 1860 and related legislations. Hence, the concept of
cyber crime is just a "combination of crime and computer".
Cybercrime in a narrow sense (computer crime): Any illegal behaviour directed by means
of electronic operations that targets the security of computer systems and the data processed
by them.
Cybercrime in a broader sense (computer-related crime): Any illegal behaviour
committed by means of, or in relation to, a computer system or network, including such
crimes as illegal possession and offering or distributing information by means of a computer
system or network.

Any contract for the sale or conveyance of immovable property or any interest in such
property;

Any such class of documents or transactions as may be notified by the Central
Government

3.4. CASE STUDIES AS PER SELECTED IT ACT SECTIONS


Here are the case studies for selected IT Act sections.
For the sake of simplicity and maintaining clarity, details on the IT Act sections have been
omitted. Kindly refer to the Appendix in the last section for the detailed account of all the
penalties and offences mentioned in the IT Act.
a. Section 43 - Penalty and Compensation for damage to computer, computer system,
etc
Related Case: Mphasis BPO Fraud: 2005
In December 2004, four call centre employees, working at an outsourcing facility operated by
Mphasis in India, obtained PIN codes from four customers of Mphasis's client, Citi Group.
These employees were not authorized to obtain the PINs. In association with others, the call
centre employees opened new accounts at Indian banks using false identities. Within two
months, they used the PINs and account information gleaned during their employment at
Mphasis to transfer money from the bank accounts of Citi Group customers to the new
accounts at Indian banks.
By April 2005, the Indian police had been tipped off to the scam by a U.S. bank, and quickly
identified the individuals involved in the scam. Arrests were made when those individuals
attempted to withdraw cash from the falsified accounts. $426,000 was stolen; the amount
recovered was $230,000.
Verdict: Court held that Section 43(a) was applicable here due to the nature of unauthorized
access involved to commit transactions.
B. Section 65 - Tampering with Computer Source Documents
Related Case: Syed Asifuddin and Ors. Vs. The State of Andhra Pradesh
In this case, Tata Indicom employees were arrested for manipulation of the electronic 32-bit
number (ESN) programmed into cell phones that were exclusively franchised to Reliance
Infocomm.
Verdict: Court held that tampering with source code invokes Section 65 of the Information
Technology Act.
C. Section 66 - Computer Related Offences


Related Case: Kumar v/s Whiteley
In this case the accused gained unauthorized access to the Joint Academic Network (JANET)
and deleted, added files and changed the passwords to deny access to the authorized users.
Investigations had revealed that Kumar was logging on to the BSNL broadband Internet
connection as if he was the authorized genuine user and made alteration in the computer
database pertaining to broadband Internet user accounts of the subscribers.
The CBI had registered a cyber crime case against Kumar and carried out investigations on
the basis of a complaint by the Press Information Bureau, Chennai, which detected the
unauthorised use of broadband Internet. The complaint also stated that the subscribers had
incurred a loss of Rs 38,248 due to Kumar's wrongful act. He used to hack sites from
Bangalore, Chennai and other cities too, they said.
Verdict: The Additional Chief Metropolitan Magistrate, Egmore, Chennai, sentenced N G
Arun Kumar, the techie from Bangalore, to undergo rigorous imprisonment for one year
with a fine of Rs 5,000 under section 420 IPC (cheating) and Section 66 of IT Act (Computer
related Offence).
D. Section 66A - Punishment for sending offensive messages through communication
service
Relevant Case #1: Fake profile of President posted by imposter
On September 9, 2010, the imposter made a fake profile in the name of the Hon'ble President
Pratibha Devi Patil. A complaint was made by the Additional Controller, President Household,
President Secretariat regarding the four fake profiles created in the name of the Hon'ble
President on the social networking website Facebook.
The said complaint stated that the President's house has nothing to do with Facebook and that
the fake profile is misleading the general public. The First Information Report under Sections
469 IPC and 66A Information Technology Act, 2000 was registered based on the said
complaint at the police station, Economic Offences Wing, the elite wing of Delhi Police
which specializes in investigating economic crimes including cyber offences.
Relevant Case #2: Bomb Hoax mail
In 2009, a 15-year-old Bangalore teenager was arrested by the cyber crime investigation cell
(CCIC) of the city crime branch for allegedly sending a hoax e-mail to a private news
channel. In the e-mail, he claimed to have planted five bombs in Mumbai, challenging the
police to find them before it was too late. At around 1 p.m. on May 25, the news channel
received an e-mail that read: "I have planted five bombs in Mumbai; you have two hours to
find it." The police, who were alerted immediately, traced the Internet Protocol (IP) address
to Vijay Nagar in Bangalore. The Internet service provider for the account was BSNL, said
officials.
E. Section 66C - Punishment for identity theft
Relevant Cases:

The social security number of Todd Davis, CEO of the identity theft protection company
LifeLock, was exposed by Matt Lauer on NBC's Today Show. Davis's identity
was used to obtain a $500 cash advance loan.

Li Ming, a graduate student at West Chester University of Pennsylvania, faked his
own death, complete with a forged obituary in his local paper. Nine months later, Li
attempted to obtain a new driver's license with the intention of applying for new
credit cards eventually.

F. Section 66D - Punishment for cheating by impersonation by using computer
resource
Relevant Case: Sandeep Varghese v/s State of Kerala
On a complaint filed by the representative of a Company, which was engaged in the business of
trading and distribution of petrochemicals in India and overseas, a crime was registered
against nine persons, alleging offences under Sections 65, 66, 66A, C and D of the
Information Technology Act along with Sections 419 and 420 of the Indian Penal Code.
The company has a web-site in the name and style `www.jaypolychem.com' but another
web site `www.jayplychem.org' was set up in the internet by first accused Sandeep Varghese
@ Sam (who was dismissed from the company) in conspiracy with other accused, including
Preeti and Charanjeet Singh, who are the sister and brother-in-law of `Sam'.
Defamatory and malicious matters about the company and its directors were made available
in that website. The accused sister and brother-in-law were based in Cochin and they had
been acting in collusion with known and unknown persons, who have collectively cheated the
company and committed acts of forgery, impersonation etc.
Two of the accused, Amardeep Singh and Rahul had visited Delhi and Cochin. The first
accused and others sent e-mails from fake e-mail accounts of many of the customers,
suppliers, Bank etc. to malign the name and image of the Company and its Directors. The
defamation campaign run by all the said persons named above has caused immense damage
to the name and reputation of the Company.
The Company suffered losses of several crores of Rupees from producers, suppliers and
customers and was unable to do business.
G. Section 66E - Punishment for violation of privacy
Relevant Cases:
1) Jawaharlal Nehru University MMS scandal
In a severe shock to the prestigious and renowned institute - Jawaharlal Nehru University, a
pornographic MMS clip was apparently made in the campus and transmitted outside the
university.
Some media reports claimed that the two accused students initially tried to extort money from
the girl in the video but when they failed the culprits put the video out on mobile phones, on
the internet and even sold it as a CD in the blue film market.
2) Nagpur Congress leader's son MMS scandal
On January 05, 2012 Nagpur Police arrested two engineering students, one of them a son of a
Congress leader, for harassing a 16-year-old girl by circulating an MMS clip of their sexual
acts. According to the Nagpur (rural) police, the girl was in a relationship with Mithilesh
Gajbhiye, 19, son of Yashodha Dhanraj Gajbhiye, a zila parishad member and an influential
Congress leader of Saoner region in Nagpur district.

H. Section 66F - Cyber Terrorism
Relevant Case:
The Mumbai police have registered a case of cyber terrorism, the first in the state since an
amendment to the Information Technology Act, where a threat email was sent to the BSE
and NSE on Monday. The MRA Marg police and the Cyber Crime Investigation Cell are
jointly probing the case. The suspect has been detained in this case.
The police said an email challenging the security agencies to prevent a terror attack was sent
by one Shahab Md with an ID sh.itaiyeb125@yahoo.in to BSE's administrative email ID
corp.relations@bseindia.com at around 10.44 am on Monday.
The IP address of the sender has been traced to Patna in Bihar. The ISP is Sify. The email ID
was created just four minutes before the email was sent. The sender had, while creating the
new ID, given two mobile numbers in the personal details column. Both the numbers belong
to a photo frame-maker in Patna, said an officer.
Status:
The MRA Marg police have registered forgery for purpose of cheating, criminal intimidation
cases under the IPC and a cyber-terrorism case under the IT Act.
I. Section 67 - Punishment for publishing or transmitting obscene material in
electronic form
Relevant Case:
This case is about the posting of obscene, defamatory and annoying messages about a divorcee
woman in the Yahoo message group. E-mails were forwarded to the victim for information
by the accused through a false e-mail account opened by him in the name of the victim.
These postings resulted in annoying phone calls to the lady. Based on the lady's complaint,
the police nabbed the accused.
Investigation revealed that he was a known family friend of the victim and was interested in
marrying her. She was married to another person, but that marriage ended in divorce and the
accused started contacting her once again. On her reluctance to marry him he started
harassing her through the internet.
Verdict:
The accused was found guilty of offences under section 469, 509 IPC and 67 of IT Act 2000.
He is convicted and sentenced for the offence as follows:

As per 469 of IPC he has to undergo rigorous imprisonment for 2 years and to pay
fine of Rs.500/-

As per 509 of IPC he is to undergo 1 year simple imprisonment and to
pay Rs 500/-

As per Section 67 of IT Act 2000, he has to undergo imprisonment for 2 years and to pay fine of
Rs.4000/-

All sentences were to run concurrently.


The accused paid fine amount and he was lodged at Central Prison, Chennai. This is
considered the first case convicted under section 67 of Information Technology Act 2000 in
India.
I. Section 67B - Punishment for publishing or transmitting of material depicting
children in sexually explicit act, etc. in electronic form


Relevant Case:
Janhit Manch & Ors. v. The Union of India 10.03.2010 Public Interest Litigation:
The petition sought a blanket ban on pornographic websites. The NGO had argued that
websites displaying sexually explicit content had an adverse influence, leading youth on a
delinquent path.
I. Section 69 - Powers to issue directions for interception or monitoring or decryption of
any information through any computer resource
Relevant Case:
In August 2007, Lakshmana Kailash K., a techie from Bangalore was arrested on the
suspicion of having posted insulting images of Chhatrapati Shivaji, a major historical figure
in the state of Maharashtra, on the social-networking site Orkut.


The police identified him based on IP address details obtained from Google and Airtel,
Lakshmana's ISP. He was brought to Pune and detained for 50 days before it was discovered
that the IP address provided by Airtel was erroneous. The mistake was evidently due to the
fact that while requesting information from Airtel, the police had not properly specified
whether the suspect had posted the content at 1:15 p.m.
Verdict:
Taking cognizance of his plight from newspaper accounts, the State Human Rights
Commission subsequently ordered the company to pay Rs 2 lakh to Lakshmana as damages.
The incident highlights how minor privacy violations by ISPs and intermediaries could have
impacts that gravely undermine other basic human rights.
3.5. COMMON CYBER-CRIME SCENARIOS AND APPLICABILITY OF LEGAL
SECTIONS
Let us look into some common cyber-crime scenarios which can attract prosecution as per the
penalties and offences prescribed in the IT Act 2000 (as amended in 2008).
A. Harassment via fake public profile on social networking site
A fake profile of a person is created on a social networking site with the correct address,
residential information or contact details but he/she is labelled as prostitute or a person of
loose character. This leads to harassment of the victim. Provisions Applicable:- Sections
66A, 67 of IT Act and Section 509 of the Indian Penal Code.
B. Online Hate Community
An online hate community is created inciting a religious group to act or pass objectionable
remarks against a country, national figures etc. Provisions Applicable: Section 66A of IT Act
and 153A & 153B of the Indian Penal Code.
C. Email Account Hacking
The victim's email account is hacked and obscene emails are sent to people in the victim's address
book. Provisions Applicable:- Sections 43, 66, 66A, 66C, 67, 67A and 67B of IT Act.
D. Credit Card Fraud


Unsuspecting victims would use infected computers to make online transactions. Provisions
Applicable:- Sections 43, 66, 66C, 66D of IT Act and section 420 of the IPC.

E. Web Defacement
The homepage of a website is replaced with a pornographic or defamatory page.
Government sites generally face the wrath of hackers on symbolic days. Provisions
Applicable: - Sections 43 and 66 of IT Act; Sections 66F, 67 and 70 of IT Act also apply
in some cases.
F. Introducing Viruses, Worms, Backdoors, Rootkits, Trojans, Bugs
All of the above are some sort of malicious programs which are used to destroy or gain
access to some electronic information. Provisions Applicable:- Sections 43, 66, 66A of IT
Act and Section 426 of Indian Penal Code.
G. Cyber Terrorism
Many terrorists are using virtual (GDrive, FTP sites) and physical storage media (USBs,
hard drives) for hiding information and records of their illicit business. Provisions
Applicable: Conventional terrorism laws may apply along with Section 69 of IT Act.
H. Online sale of illegal Articles
The sale of narcotics, drugs, weapons and wildlife is facilitated by the Internet. Provisions
Applicable:- Generally conventional laws apply in these cases.
I. Cyber Pornography
Among the largest businesses on Internet. Pornography may not be illegal in many countries,
but child pornography is.
Provisions Applicable: - Sections 67, 67A and 67B of the IT Act.
J. Phishing and Email Scams
Phishing involves fraudulently acquiring sensitive information (e.g. passwords, credit card
information) by making a site masquerade as a trusted entity.
Provisions Applicable: - Section 66, 66A and 66D of IT Act and Section 420 of IPC


K. Theft of Confidential Information


Many business organizations store their confidential information in computer systems. This
information is targeted by rivals, criminals and disgruntled employees.
Provisions Applicable: - Sections 43, 66, 66B of IT Act and Section 426 of Indian Penal
Code.
L. Source Code Theft
Source code is generally the most coveted and important "crown jewel" asset of a
company.
Provisions applicable: - Sections 43, 66, 66B of IT Act and Section 63 of Copyright Act.
M. Tax Evasion and Money Laundering
Money launderers and people doing illegal business activities hide their information in virtual
as well as physical activities.
Provisions Applicable: Income Tax Act and Prevention of Money Laundering Act. IT Act
may apply case-wise.
N. Online Share Trading Fraud
It has become mandatory for investors to have their demat accounts linked with their online
banking accounts, which are generally accessed without authorisation, thereby leading to share trading
frauds.
Provisions Applicable: Sections 43, 66, 66C, 66D of IT Act and Section 420 of IPC
3.6. APPENDIX
I. Penalties, Compensation and Adjudication sections
Section 43 - Penalty and Compensation for damage to computer, computer system
If any person without permission of the owner or any other person who is in-charge of a
computer, computer system or computer network
(a) Accesses or secures access to such computer, computer system or computer network or
computer resource
(b) downloads, copies or extracts any data, computer data, computer database or information
from such computer, computer system or computer network including information or data
held or stored in any removable storage medium;
(c) Introduces or causes to be introduced any computer contaminant or computer virus into
any computer, computer system or computer network
(d) damages or causes to be damaged any computer, computer system or computer network,
data, computer database, or any other programmes residing in such computer, computer
system or computer network
(e) Disrupts or causes disruption of any computer, computer system, or computer network;
(f) Denies or causes the denial of access to any person authorised to access any computer,
computer system or computer network by any means
(g) provides any assistance to any person to facilitate access to a computer, computer system
or computer network in contravention of the provisions of this Act, rules or regulations made
there under,
(h) Charges the services availed of by a person to the account of another person by tampering
with or manipulating any computer, computer system, or computer network,
(i) destroys, deletes or alters any information residing in a computer resource or diminishes
its value or utility or affects it injuriously by any means,
(j) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter
any computer source code used for a computer resource with an intention to cause damage,
He shall be liable to pay damages by way of compensation to the person so affected.
Section 43A - Compensation for failure to protect data

Where a body corporate, possessing, dealing or handling any sensitive personal data or
information in a computer resource which it owns, controls or operates, is negligent in
implementing and maintaining reasonable security practices and procedures and thereby
causes wrongful loss or wrongful gain to any person, such body corporate
Shall be liable to pay damages by way of compensation, not exceeding five crore rupees, to
the person so affected.
Section 44 - Penalty for failure to furnish information or return, etc.
If any person who is required under this Act or any rules or regulations made there under to
(a) furnish any document, return or report to the Controller or the Certifying Authority, fails
to furnish the same, he shall be liable to a penalty not exceeding one lakh and fifty thousand
rupees for each such failure;
(b) file any return or furnish any information, books or other documents within the time
specified therefor in the regulations, fails to file return or furnish the same within the time
specified therefor in the regulations, he shall be liable to a penalty not exceeding five
thousand rupees for every day during which such failure continues;
(c) Maintain books of account or records, fails to maintain the same, he shall be liable to a
penalty not exceeding ten thousand rupees for every day during which the failure continues.
Section 45 - Residuary Penalty
Whoever contravenes any rules or regulations made under this Act, for the contravention of
which no penalty has been separately provided,
Shall be liable to pay a compensation not exceeding twenty-five thousand rupees to the
person affected by such contravention or a penalty not exceeding twenty-five thousand
rupees.
Section 47 - Factors to be taken into account by the adjudicating officer
Section 47 lays down that while adjudging the quantum of compensation under this Act, an
adjudicating officer shall have due regard to the following factors, namely:

(a) The amount of gain of unfair advantage, wherever quantifiable, made as a result of the
default;
(b) The amount of loss caused to the person as a result of the default,
(c) The repetitive nature of the default.
II. Offences sections
Section 65 - Tampering with Computer Source Documents
If any person knowingly or intentionally conceals, destroys code or alters or causes another to
conceal, destroy code or alter any computer, computer programme, computer system, or
computer network,
He shall be punishable with imprisonment up to three years, or with fine up to two lakh
rupees, or with both.
Section 66 - Computer Related Offences
If any person, dishonestly, or fraudulently, does any act referred to in section 43,
He shall be punishable with imprisonment for a term which may extend to three years or
with fine which may extend to five lakh rupees or with both.
Section 66A - Punishment for sending offensive messages through communication
service
Any person who sends, by means of a computer resource or a communication device,
(a) Any information that is grossly offensive or has menacing character;
(b) any information which he knows to be false, but for the purpose of causing annoyance,
inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill
will, persistently by making use of such computer resource or a communication
device,
(c) Any electronic mail or electronic mail message for the purpose of causing annoyance or
inconvenience or to deceive or to mislead the addressee or recipient about the origin of such
messages
Shall be punishable with imprisonment for a term which may extend to three years and with
fine.


Section 66B - Punishment for dishonestly receiving stolen computer resource or
communication device.
Whoever dishonestly receives or retains any stolen computer resource or communication
device knowing or having reason to believe the same to be stolen computer resource or
communication device,
Shall be punished with imprisonment of either description for a term which may extend to
three years or with fine which may extend to rupees one lakh or with both.
Section 66C - Punishment for identity theft
Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any
other unique identification feature of any other person,
Shall be punished with imprisonment of either description for a term which may extend to
three years and shall also be liable to fine which may extend to rupees one lakh.
Section 66D - Punishment for cheating by personation by using computer resource
Whoever, by means of any communication device or computer resource cheats by
personating,
Shall be punished with imprisonment of either description for a term which may extend to
three years and shall also be liable to fine which may extend to one lakh rupees.
Section 66E - Punishment for violation of privacy
Whoever, intentionally or knowingly captures, publishes or transmits the image of a private
area of any person without his or her consent, under circumstances violating the privacy of
that person,
Explanation - For the purposes of this section:
(a) "Transmit" means to electronically send a visual image with the intent that it be viewed
by a person or persons;
(b) "Capture", with respect to an image, means to videotape, photograph, film or record by
any means;
(c) "Private area" means the naked or undergarment clad genitals, pubic area, buttocks or
female breast;
(d) "Publishes" means reproduction in the printed or electronic form and making it available
for public;
(e) "Under circumstances violating privacy" means circumstances in which a person can have
a reasonable expectation that-
(i) He or she could disrobe in privacy, without being concerned that an image of his private
area was being captured; or
(ii) Any part of his or her private area would not be visible to the public, regardless of
whether that person is in a public or private place.
Shall be punished with imprisonment which may extend to three years or with fine not
exceeding two lakh rupees, or with both.
Section 66F - Cyber Terrorism
(1) Whoever,
(A) With intent to threaten the unity, integrity, security or sovereignty of India or to strike
terror in the people or any section of the people by
(i) Denying or cause the denial of access to any person authorized to access computer
resource; or
(ii) Attempting to penetrate or access a computer resource without authorisation or
exceeding authorized access; or
(iii) introducing or causing to introduce any Computer Contaminant and by means of
such conduct causes or is likely to cause death or injuries to persons or damage to or
destruction of property or disrupts or knowing that it is likely to cause damage or
disruption of supplies or services essential to the life of the community or adversely
affect the critical information infrastructure specified under section 70, or
(B) knowingly or intentionally penetrates or accesses a computer resource without
authorization or exceeding authorized access, and by means of such conduct obtains access to
information, data or computer database that is restricted for reasons of the security of the
State or foreign relations; or any restricted information, data or computer database, with
reasons to believe that such information, data or computer database so obtained may be used
to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the
security of the State, friendly relations with foreign States, public order, decency or morality,
or in relation to contempt of court, defamation or incitement to an offence, or to the
advantage of any foreign nation, group of individuals or otherwise, commits the offence of
cyber terrorism.
(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with
imprisonment which may extend to imprisonment for life.
Section 67 - Punishment for publishing or transmitting obscene material in electronic
form
Whoever publishes or transmits or causes to be published in the electronic form, any material
which is lascivious or appeals to the prurient interest or if its effect is such as to tend to
deprave and corrupt persons who are likely, having regard to all relevant circumstances, to
read, see or hear the matter contained or embodied in it,
Shall be punished on first conviction with imprisonment of either description for a term
which may extend to three years and with fine which may extend to five lakh rupees and
In the event of a second or subsequent conviction with imprisonment of either description for
a term which may extend to five years and also with fine which may extend to ten lakh
rupees.
Section 67A - Punishment for publishing or transmitting of material containing sexually
explicit act, etc. in electronic form
Whoever publishes or transmits or causes to be published or transmitted in the electronic
form any material which contains sexually explicit act or conduct
Shall be punished on first conviction with imprisonment of either description for a term
which may extend to five years and with fine which may extend to ten lakh rupees and
In the event of second or subsequent conviction with imprisonment of either description for a
term which may extend to seven years and also with fine which may extend to ten lakh
rupees.

Section 67B - Punishment for publishing or transmitting of material depicting children
in sexually explicit act, etc. in electronic form
Whoever:
(a) Publishes or transmits or causes to be published or transmitted material in any
electronic form which depicts children engaged in sexually explicit act or conduct or
(b) creates text or digital images, collects, seeks, browses, downloads, advertises,
promotes, exchanges or distributes material in any electronic form depicting children
in obscene or indecent or sexually explicit manner or
(c) Cultivates, entices or induces children to online relationship with one or more
children for and on sexually explicit act or in a manner that may offend a reasonable
adult on the computer resource or
(d) Facilitates abusing children online or
(e) Records in any electronic form own abuse or that of others pertaining to sexually
explicit act with children,
Shall be punished on first conviction with imprisonment of either description for a term
which may extend to five years and with a fine which may extend to ten lakh rupees
And in the event of second or subsequent conviction with imprisonment of either description
for a term which may extend to seven years and also with fine which may extend to ten lakh
rupees:
Provided that the provisions of section 67, section 67A and this section does not extend to
any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic
form
Section 69 - Powers to issue directions for interception or monitoring or decryption of
any information through any computer resource.

(1) Where the Central Government or a State Government or any of its officer specially
authorized by the Central Government or the State Government, as the case may be, in this
behalf may, if satisfied that it is necessary or expedient to do in the interest of the
sovereignty or integrity of India, defense of India, security of the State, friendly relations with
foreign States or public order or for preventing incitement to the commission of any
cognizable offence relating to above or for investigation of any offence, it may, subject to the
provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any
agency of the appropriate Government to intercept, monitor or decrypt or cause to be
intercepted or monitored or decrypted any information transmitted received or stored through
any computer resource.
(2) The Procedure and safeguards subject to which such interception or monitoring or
decryption may be carried out, shall be such as may be prescribed.
(3) The subscriber or intermediary or any person in charge of the computer resource shall,
when called upon by any agency which has been directed under sub section (1), extend all
facilities and technical assistance to
(a) Provide access to or secure access to the computer resource generating, transmitting,
receiving or storing such information; or
(b) Intercept or monitor or decrypt the information, as the case may be; or
(c) Provide information stored in computer resource.
(4) The subscriber or intermediary or any person who fails to assist the agency referred to in
sub-section (3) shall be punished with an imprisonment for a term which may extend to seven
years and shall also be liable to fine.
Section 69A - Power to issue directions for blocking for public access of any information
through any computer resource
(1) Where the Central Government or any of its officer specially authorized by it in this
behalf is satisfied that it is necessary or expedient so to do in the interest of sovereignty and
integrity of India, defense of India, security of the State, friendly relations with foreign states
or public order or for preventing incitement to the commission of any cognizable offence
relating to above, it may subject to the provisions of sub-section (2) for reasons to be
recorded in writing, by order direct any agency of the Government or intermediary to block
access by the public or cause to be blocked for access by public any information generated,
transmitted, received, stored or hosted in any computer resource.
(2) The procedure and safeguards subject to which such blocking for access by the public
may be carried out shall be such as may be prescribed.
(3) The intermediary who fails to comply with the direction issued under sub-section (1) shall
be punished with an imprisonment for a term which may extend to seven years and also be
liable to fine.
Section 69B. Power to authorize to monitor and collect traffic data or information
through any computer resource for Cyber Security
(1) The Central Government may, to enhance Cyber Security and for identification, analysis
and prevention of any intrusion or spread of computer contaminant in the country, by
notification in the official Gazette, authorize any agency of the Government to monitor and
collect traffic data or information generated, transmitted, received or stored in any computer
resource.
(2) The Intermediary or any person in-charge of the Computer resource shall when called
upon by the agency which has been authorized under sub-section (1), provide technical
assistance and extend all facilities to such agency to enable online access or to secure and
provide online access to the computer resource generating, transmitting, receiving or storing
such traffic data or information.
(3) The procedure and safeguards for monitoring and collecting traffic data or information,
shall be such as may be prescribed.
(4) Any intermediary who intentionally or knowingly contravenes the provisions of
sub-section (2) shall be punished with an imprisonment for a term which may extend to three
years and shall also be liable to fine.
Section 71. Penalty for misrepresentation


Whoever makes any misrepresentation to, or suppresses any material fact from, the
Controller or the Certifying Authority for obtaining any license or Electronic Signature
Certificate, as the case may be,
Shall be punished with imprisonment for a term which may extend to two years, or with fine
which may extend to one lakh rupees, or with both.
Section 72 - Breach of confidentiality and privacy
Any person who, in pursuance of any of the powers conferred under this Act, rules or
regulations made there under, has secured access to any electronic record, book, register,
correspondence, information, document or other material without the consent of the person
concerned discloses such electronic record, book, register, correspondence, information,
document or other material to any other person
Shall be punished with imprisonment for a term which may extend to two years, or with fine
which may extend to one lakh rupees, or with both.
Section 72A - Punishment for Disclosure of information in breach of lawful contract
Any person including an intermediary who, while providing services under the terms of
lawful contract, has secured access to any material containing personal information about
another person, with the intent to cause or knowing that he is likely to cause wrongful loss or
wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful
contract, such material to any other person shall be punished with imprisonment for a term
which may extend to three years, or with a fine which may extend to five lakh rupees, or with
both.
Section 73 - Penalty for publishing Electronic Signature Certificate false in certain particulars
(1) No person shall publish an Electronic Signature Certificate or otherwise make it available
to any other person with the knowledge that
(a) The Certifying Authority listed in the certificate has not issued it; or
(b) The subscriber listed in the certificate has not accepted it; or
(c) The certificate has been revoked or suspended, unless such publication is for the
purpose of verifying a digital signature created prior to such suspension or revocation
(2) Any person who contravenes the provisions of sub-section (1)
Shall be punished with imprisonment for a term which may extend to two years, or with fine
which may extend to one lakh rupees, or with both.

Section 74 - Publication for fraudulent purpose:
Whoever knowingly creates, publishes or otherwise makes available an Electronic Signature
Certificate for any fraudulent or unlawful purpose
Shall be punished with imprisonment for a term which may extend to two years, or with fine
which may extend to one lakh rupees, or with both.
Section 75 - Act to apply for offence or contraventions committed outside India
(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to
any offence or contravention committed outside India by any person irrespective of his
nationality.
(2) For the purposes of sub-section (1), this Act shall apply to an offence or contravention
committed outside India by any person if the act or conduct constituting the offence or
contravention involves a computer, computer system or computer network located in India.
Section 77A - Compounding of Offences.
(1) A Court of competent jurisdiction may compound offences other than offences for which
the punishment for life or imprisonment for a term exceeding three years has been provided
under this Act.
Provided further that the Court shall not compound any offence where such offence affects
the socio-economic conditions of the country or has been committed against a child below the
age of 18 years or a woman.
(2) The person accused of an offence under this act may file an application for compounding
in the court in which offence is pending for trial and the provisions of section 265 B and
265C of Code of Criminal Procedures, 1973 shall apply.

Section 77B - Offences with three years imprisonment to be cognizable


Notwithstanding anything contained in Criminal Procedure Code 1973, the offence
punishable with imprisonment of three years and above shall be cognizable and the offence
punishable with imprisonment of three years shall be bailable.
Section 78 - Power to investigate offences
Notwithstanding anything contained in the Code of Criminal Procedure, 1973, a police
officer not below the rank of Inspector shall investigate any offence under this Act.


CHAPTER 04
INFORMATION TECHNOLOGY, IT 2008


4.1 BRIEF EVOLUTION OF THE INFORMATION TECHNOLOGY ACT, 2000


United Nations Commission on International Trade Law in 1996 framed Model Law on
Electronic Commerce. The United Nations General Assembly by resolution
A/RES/51/162, dated the 30 January 1997 adopted this Model law. This resolution
recommended that all States give favourable consideration to the said Model Law when they
enact or revise their laws, in view of the need for uniformity of the law applicable to
alternatives to paper-based methods of communication and storage of information.
The Ministry of Commerce, Government of India created the first draft of the legislation
following these guidelines, termed the "E Commerce Act 1998". Since a separate ministry
for Information Technology later came into being, the draft was taken over by the new ministry
which re-drafted the legislation as "Information Technology Bill 1999". This draft was
placed in the Parliament in December 1999 and passed in May 2000. After the assent of the
President on June 9, 2000, the act was finally notified with effect from October 17,
2000 vide notification number G.S.R 788(E). Clearly, most sections addressed the need of
issuance of digital certificates and management of these certificates.
The IT Act aims to provide legal recognition for transactions carried out by means of
electronic data interchange and other means of electronic communication, commonly
referred to as "electronic commerce", which involve the use of alternatives to paper-based
methods of communication and storage of information and to facilitate electronic
filing of documents with the government agencies. In addition, the Central Government
also notified two distinct kinds of Rules. These rules are The Information Technology
(Certifying Authorities) Rules, 2000 and the Cyber Regulations Appellate Tribunal
(Procedure) Rules, 2000. The Information Technology (Certifying Authorities) Rules,
2000 detail various aspects and issues concerning Certification Authorities for digital
signatures. These rules specify the manner in which information has to be authenticated by
means of digital signatures, the creation and verification of digital signatures, licensing
of certification authorities and the terms of the proposed licenses to issue digital
signatures. The said rules also stipulate security guidelines for certification authorities and
maintenance of mandatory databases by the said certification authorities and the generation,
issue, term and revocation of digital signature certificates.
The following are its main objectives and scope:
1. It is the objective of I.T. Act 2000 to give legal recognition to any transaction which is
done by electronic way or use of internet.
2. To give legal recognition to digital signature for accepting any agreement via
computer.
3. To provide facility of filing documents online relating to school admission or
registration in employment exchange.
4. According to I.T. Act 2000, any company can store their data in electronic storage.
5. To stop computer crime and protect privacy of internet users.
6. To give legal recognition for keeping books of accounts by bankers and other
companies in electronic form.
7. To give more power to IPO, RBI and Indian Evidence act for restricting
electronic crime.
Scope
All electronic information is under the scope of I.T. Act 2000, but the following electronic
transactions are not under I.T. Act 2000.
1. Information Technology Act 2000 is not applicable on the attestation for
creating trust via electronic way. Physical attestation is a must.
2. I.T. Act 2000 is not applicable on the attestation for making will of anybody.
Physical attestation by two witnesses is a must.
3. I.T. Act 2000 is not applicable to a contract of sale of any immovable
property.
4. Attestation for giving power of attorney of property is not possible via
electronic record.
India's first cyber law makes punishable cyber crimes like hacking, damage to computer
source code, publishing of information which is obscene in the electronic form, breach
of confidentiality and privacy, and publication of digital signature certificate false in
certain particulars, says noted Supreme Court advocate Pavan Duggal.

As time passed by, there was a need for amending the Information Technology Act, 2000. As
such, the Information Technology (Amendment) Act, 2008 was passed by the Parliament.

4.2 INFORMATION TECHNOLOGY (AMENDMENT) ACT, 2008


IT Act Amendment which came into force after Presidential assent in Feb 2009
The changes in the information technology by way of introduction of new hardware
and software systems happen rapidly and the legislative enactments as well as
amendments to the same are always slow to respond to such changes. The reason for this can
be attributed to the fact that the law making process as well as the amendments to the law is a
slow and tedious process which is made to respond to the old system in which
circumstances triggering change in law would not change so often.


The Parliament amended the Information Technology Act, 2000 (Act) by way of the
Information Technology (Amendment) Act, 2008 (Amendment Act).
New Provisions added through Amendments include:

New Section to address technology neutrality from its present technology specific form (i.e. Digital Signature to Electronic Signature) - Section 3A

New Section to address promotion of e-Governance & other IT application - Section 6A
a. Delivery of Service
b. Outsourcing Public Private Partnership

New Section to address electronic contract - Section 10A

New Section to address data protection and privacy - Section 43

Body corporate to implement best security practices - Sections 43A & 72A

Multimember Appellate Tribunal - Sections 49-52

New Sections to address new forms of computer misuse
a. Impersonation
b. Identity theft and E-commerce frauds
c. Video voyeurism
d. Offensive messages and Spam - Section 66A
e. Pornography - Section 67A

Preservation and Retention of Data/Information - Section 67C

Revision of existing Section 69 to empower Central Government to designate agencies and issue direction for interception and safeguards for monitoring and decryption - Section 69

Blocking of Information for public access - Section 69A

Monitoring of Traffic Data and Information for Cyber Security - Section 69B

New section for designating agency for protection of Critical Information Infrastructure - Section 70A

New Section for power to CERT-In to call and analyse information relating to breach
in cyber space and cyber security - Section 70B

Revision of existing Section 79 for prescribing liabilities of service providers in certain cases and to empower Central Government to prescribe guidelines to be observed by the service providers for providing services - Section 79. It also regulates cyber cafes.

New Section for Examiner of Digital Evidence - Section 79A

New Section for power to prescribe modes of Encryption - Section 84A

Punishments for most offences were reduced from three years to two years

Electronic Signature:

Section 2(ta) introduces the term electronic signature. Now digital signature has
been made a subset of electronic signature. In the definition of electronic signature
it has been given that it includes digital signature.

Section 3A has been introduced for electronic signature which says that a
subscriber may authenticate electronic records by electronic signature. The
authentication was earlier possible only by digital signature.

Section 2(tb) has been introduced to define the term electronic signature
certificate. Now digital signature certificate has been made a subset of electronic
signature certificate.

Cyber Appellate Tribunal

The name of Cyber Regulations Appellate Tribunal has been changed to
Cyber Appellate Tribunal.

Cyber Appellate Tribunal has been made a multi-member entity. This will provide for
more expertise for the Tribunal.

Intermediary

Definition of intermediary has been modified. As per the amendments in various
sections now intermediaries are made more responsible and liable towards their
acts. New Section 67C asks intermediaries to preserve and retain certain records
for a stated period. New Section 69B is also quite stringent to intermediaries.

For E-Governance

Section 6A introduced to provide for appointment of Service Providers by appropriate
government for e-governance services.

Section 7A makes audit of electronic documents mandatory wherever physical
documents, records required audit. This provision will put considerable work load
on the government.

Offences

New sections have been introduced to cover new offences.


Section 66A Sending offensive message
Section 66B Receiving a stolen computer resource
Section 66C Identity theft
Section 66D Cheating by personation
Section 66E Violation of privacy, video voyeurism
Section 66F Cyber Terrorism (Life Sentence)

New Sections introduced


Section 67A To cover material containing sexually explicit act
Section 67B To cover child pornography
Section 67C To make intermediaries preserve and retain certain records for a
stated period. (Imprisonment 3 years and fine.)

For National Security Purpose

Section 69A has been introduced to enable blocking of websites by the central
government.

Section 69B provides powers to central government to collect traffic data from
any computer resource. It could be either in transit or in storage. This move by the
government was necessary for national security purposes but it may lead to abuse of
power by government.

Other Important Amendments

Section 1(4) in the Information Technology Act, 2000 contained a list of
documents which were excluded from the applicability of the act. The list has now
been moved to Schedule 1 of the ITAA 2008. This move can be considered as
a procedural simplification made by the amendment. A notification will be
required to make additions or deletions to this list. Every notification issued in
this regard shall be laid before each House of Parliament.

Some more new definitions have been added including communication device,
cyber café, cyber security.

Compensation limit has been removed from Section 43.

Section 43A introduced to make body corporate liable to pay damages by way
of compensation for failure to protect sensitive personal data or information. No
limit has been set for compensation.

Changes in Section 46 have brought Civil Court below the High Court into the cyber
related disputes for the first time. The powers of the Adjudicator have been limited to
claims up to Rs 5 crores. For claims above Rs 5 crores the Civil Court's authority has been
introduced.

In Section 66 dishonesty and fraudulent intention has been made necessary.

Section 72A has been introduced for data protection purpose. It provides for
punishment for disclosure of information in breach of lawful contract.
Imprisonment of 3 years or fine up to Rs 5 lakhs or both for cases relating to data
breach has been provided.

Section 77A introduced to provide for compounding of offences with punishment
up to 3 years.

The powers under Section 80 were earlier available to Deputy Superintendent of
Police and are now available to Inspectors.

Section 81 has been amended to keep the primacy of Copyright and Patent Acts above
ITA 2000.

New Section 84C introduced to make an attempt to commit an offence
punishable. The punishment will be half of the punishment meant for the
offence.

State Governments will be exercising far more powers under the ITAA 2008
than what was envisaged under ITA 2000.

4.3 SALIENT FEATURES OF THE INFORMATION TECHNOLOGY (AMENDMENT) ACT, 2008


The Information Technology (Amendment) Act, 2008 was signed by the President of
India on February 5, 2009 and was implemented on October 27, 2009. A review of the
amendments indicates that there are several provisions relating to data protection and
privacy as well as provisions to curb terrorism using the electronic and digital medium
that have been introduced into the new Act. Some of the salient features of the Act are as
follows:

The term digital signature has been replaced with electronic signature to make the
Act more technology neutral.

A new section has been inserted to define communication device to mean cell
phones, personal digital assistance or combination of both or any other device used
to communicate, send or transmit any text video, audio or image.

A new section has been added to define cyber café as any facility from
where the access to the internet is offered by any person in the ordinary
course of business to the members of the public.

A new definition has been inserted for intermediary. Intermediary with respect to
any particular electronic records, means any person who on behalf of another
person receives, stores or transmits that record or provides any service with
respect to that record and includes telecom service providers, network service
providers, internet service providers, web-hosting service providers, search
engines, online payment sites, online-auction sites, online market places and cyber
cafes.

A new section 10A has been inserted to the effect that contracts concluded
electronically shall not be deemed to be unenforceable solely on the ground that
electronic form or means was used.

The damages of Rs. One Crore (approximately USD 200,000) prescribed under
section 43 of the earlier Act for damage to computer, computer system etc has
been deleted and the relevant parts of the section have been substituted by the
words, he shall be liable to pay damages by way of compensation to the person
so affected.

A new section 43A has been inserted to protect sensitive personal data or
information possessed, dealt or handled by a body corporate in a computer resource
which such body corporate owns, controls or operates. If such body corporate
is negligent in implementing and maintaining reasonable security practices and
procedures and thereby causes wrongful loss or wrongful gain to any person, it
shall be liable to pay damages by way of compensation to the person so affected.

A host of new sections have been added to section 66 as sections 66A to 66F
prescribing punishment for offenses such as obscene electronic message
transmissions, identity theft, cheating by impersonation using computer resource,
violation of privacy and cyber terrorism.

Section 67 of the old Act is amended to reduce the term of imprisonment for
publishing or transmitting obscene material in electronic form to three years
from five years and increase the fine thereof from Indian Rupees 100,000
(approximately USD 2000) to Indian Rupees 500,000 (approximately USD
10,000). A host of new sections have been inserted as Sections 67 A to 67C. While
Sections 67 A and B insert penal provisions in respect of offenses of publishing or
transmitting of material containing sexually explicit act and child pornography in
electronic form, section 67C deals with the obligation of an intermediary to
preserve and retain such information as may be specified for such duration and in
such manner and format as the central government may prescribe.

In view of the increasing threat of terrorism in the country, the new
amendments include an amended section 69 giving power to the state to issue
directions for interception or monitoring or decryption of any information
through any computer resource. Further, sections 69 A and B, two new sections, grant
power to the state to issue directions for blocking for public access of any
information through any computer resource and to authorize to monitor and collect
traffic data or information through any computer resource for cyber security.

Section 79 of the old Act which exempted intermediaries has been modified to the
effect that an intermediary shall not be liable for any third party information,
data or communication link made available or hosted by him if:
(a) The function of the intermediary is limited to providing access to a
communication system over which information made available by third parties
is transmitted or temporarily stored or hosted;
(b) The intermediary does not initiate the transmission or select the receiver of the
transmission and select or modify the information contained in the transmission;
(c) The intermediary observes due diligence while discharging his duties.

However, section 79 will not apply to an intermediary if the intermediary has
conspired or abetted or aided or induced whether by threats or promise or otherwise in
the commission of the unlawful act or upon receiving actual knowledge or on being
notified that any information, data or communication link residing in or
connected to a computer resource controlled by it is being used to commit an
unlawful act, the intermediary fails to expeditiously remove or disable access to
that material on that resource without vitiating the evidence in any manner.

A proviso has been added to Section 81 which states that the provisions of the Act
shall have overriding effect. The proviso states that nothing contained in the
Act shall restrict any person from exercising any right conferred under the
Copyright Act, 1957.

4.4 VARIOUS CRIMINAL LAW PROVISION IN INFORMATION TECHNOLOGY (AMENDMENT) ACT, 2008


At this juncture, it is relevant to examine the various criminal law provisions that
have been duly incorporated in the Information Technology Act, 2000 by means of The
Information Technology (Amendment) Act, 2008. All these find mention in Chapter XI
of the amended Information Technology Act, 2000. We now examine the
provisions contained in Chapter XI of the amended Information Technology Act,
2000.

Offences [Chapter XI]


Chapter XI deals with some computer crimes and provides for penalties for these
offences. It contains sections 65 to 78. Section 65 provides for punishment of imprisonment
up to three years, or a fine which may extend to Rs. 2 lakhs, or both, for whoever knowingly or
intentionally tampers with computer source documents.
Computer source code means the listing of programmes, computer commands, design and
layout and programme analysis of computer resource in any form.
Section 65 of the amended Information Technology Act provides as follows:
Section 65 - Tampering with Computer Source Documents
Whoever knowingly or intentionally conceals, destroys or alters or intentionally or
knowingly causes another to conceal, destroy or alter any computer source code used
for a computer, computer programme, computer system or computer network, when the
computer source code is required to be kept or maintained by law for the time being in force,
shall be punishable with imprisonment up to three years, or with fine which may extend up to
two lakh rupees, or with both.
Explanation
For the purposes of this section, "Computer Source Code" means the listing of programmes,
Computer Commands, Design and layout and programme analysis of computer resource in
any form.
Section 66 of the amended Information Technology Act, 2000 provides for various
computer related offences in the following manner:
Section 66 - Computer Related Offences
If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be
punishable with imprisonment for a term which may extend to three years or with fine
which may extend to five lakh rupees or with both.
Explanation: For the purpose of this section,
a) The word "dishonestly" shall have the meaning assigned to it in section 24 of the
Indian Penal Code;
b) The word "fraudulently" shall have the meaning assigned to it in section 25 of the
Indian Penal Code.

Section 43 of the amended Information Technology Act provides as follows:
Section 43 - Penalty and Compensation for damage to computer, computer system, etc
If any person without permission of the owner or any other person who is in charge of
a computer, computer system or computer network
(a) Accesses or secures access to such computer, computer system or computer network
or computer resource
(b) downloads, copies or extracts any data, computer data base or information from such
computer, computer system or computer network including information or data
held or stored in any removable storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer
virus into any computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or computer
network, data, computer data base or any other programmes residing in such
computer, computer system or computer network;
(e) disrupts or causes disruption of any computer, computer system or computer
network;
(f) denies or causes the denial of access to any person authorised to access any
computer, computer system or computer network by any means;
(g) provides any assistance to any person to facilitate access to a computer,
computer system or computer network in contravention of the provisions of this Act,
rules or regulations made there under,
(h) charges the services availed of by a person to the account of another person
by tampering with or manipulating any computer, computer system, or computer
network,
(i) destroys, deletes or alters any information residing in a computer resource or
diminishes its value or utility or affects it injuriously by any means
(j) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or
alter any computer source code used for a computer resource with an intention
to cause damage,
he shall be liable to pay damages by way of compensation to
the person so affected.

Explanation - for the purposes of this section
(i) "Computer Contaminant" means any set of computer instructions that are
designed
a) To modify, destroy, record, transmit data or programme residing within a
computer, computer system or computer network; or
b) by any means to usurp the normal operation of the computer, computer
system, or computer network;
(ii) "Computer Database" means a representation of information, knowledge, facts,
concepts or instructions in text, image, audio, video that are being prepared or
have been prepared in a formalised manner or have been produced by a
computer, computer system or computer network and are intended for use in a
computer, computer system or computer network;
(iii) "Computer Virus" means any computer instruction, information, data or
programme that destroys, damages, degrades or adversely affects the
performance of a computer resource or attaches itself to another computer
resource and operates when a programme, data or instruction is executed or some
other event takes place in that computer resource
(iv) "Damage" means to destroy, alter, delete, add, modify or re-arrange any computer
resource by any means.
(v) "Computer Source code" means the listing of programmes, computer
commands, design and layout and programme analysis of computer resource
in any form.

Other provisions of Chapter XI of the amended Information Technology Act, 2000
provide as follows:
Section 66 A - Punishment for sending offensive messages through communication
service, etc.
Any person who sends, by means of a computer resource or a communication device,
(a) Any information that is grossly offensive or has menacing character; or
(b) any information which he knows to be false, but for the purpose of causing
annoyance, inconvenience, danger, obstruction, insult, injury, criminal
intimidation, enmity, hatred, or ill will, persistently makes by making use of such
computer resource or a communication device,
(c) any electronic mail or electronic mail message for the purpose of causing annoyance
or inconvenience or to deceive or to mislead the addressee or recipient about
the origin of such messages shall be punishable with imprisonment for a term
which may extend to three years and with fine.
Explanation: For the purposes of this section, terms "Electronic mail" and "Electronic
Mail Message" means a message or information created or transmitted or received on a
computer, computer system, computer resource or communication device including
attachments in text, image, audio, video and any other electronic record, which may be
transmitted with the message.
Section 66B - Punishment for dishonestly receiving stolen computer resource or
communication device
Whoever dishonestly receives or retains any stolen computer resource or
communication device knowing or having reason to believe the same to be stolen
computer resource or communication device, shall be punished with imprisonment of
either description for a term which may extend to three years or with fine which may extend
to rupees one lakh or with both.
Section 66C - Punishment for identity theft
Whoever, fraudulently or dishonestly makes use of the electronic signature, password or
any other unique identification feature of any other person, shall be punished with
imprisonment of either description for a term which may extend to three years and
shall also be liable to fine which may extend to rupees one lakh.
Section 66D - Punishment for cheating by personation by using computer resource
Whoever, by means of any communication device or computer resource cheats by
personation, shall be punished with imprisonment of either description for a term which may
extend to three years and shall also be liable to fine which may extend to one lakh rupees.
Section 66E- Punishment for violation of privacy:
Whoever, intentionally or knowingly captures, publishes or transmits the image of a private
area of any person without his or her consent, under circumstances violating the privacy of
that person, shall be punished with imprisonment which may extend to three years or with
fine not exceeding two lakh rupees, or with both.
Explanation - For the purposes of this section
(a) "Transmit" means to electronically send a visual image with the intent that it be
viewed by a person or persons;
(b) "capture", with respect to an image, means to videotape, photograph, film or record
by any means;
(c) "private area" means the naked or undergarment clad genitals, pubic area,
buttocks or female breast;
(d) "publishes" means reproduction in the printed or electronic form and making it
available for public;
(e) "under circumstances violating privacy" means circumstances in which a person
can have a reasonable expectation that
(i) he or she could disrobe in privacy, without being concerned that an
image of his private area was being captured; or
(ii) any part of his or her private area would not be visible to the public,
regardless of whether that person is in a public or private place.

Section 66F - Punishment for cyber terrorism:
(1) Whoever,
(A) With intent to threaten the unity, integrity, security or sovereignty of India or to strike
terror in the people or any section of the people by
(i) Denying or cause the denial of access to any person authorized to access computer
resource; or
(ii) attempting to penetrate or access a computer resource without authorisation or
exceeding authorized access; or
(iii) introducing or causing to introduce any Computer Contaminant and by
means of such conduct causes or is likely to cause death or injuries to persons or
damage to or destruction of property or disrupts or knowing that it is likely to
cause damage or disruption of supplies or services essential to the life of the
community or adversely affect the critical information infrastructure specified
under section 70, or
(2) knowingly or intentionally penetrates or accesses a computer resource without
authorization or exceeding authorized access, and by means of such conduct obtains
access to information, data or computer database that is restricted for reasons of the security
of the State or foreign relations; or any restricted information, data or computer database,
with reasons to believe that such information, data or computer database so obtained may be
used to cause or likely to cause injury to the interests of the sovereignty and integrity of
India, the security of the State, friendly relations with foreign States, public order,
decency or morality, or in relation to contempt of court, defamation or incitement to an
offence, or to the advantage of any foreign nation, group of individuals or otherwise,
commits the offence of cyber terrorism.
(3) Whoever commits or conspires to commit cyber terrorism shall be punishable with
imprisonment which may extend to imprisonment for life.
Publishing of information which is obscene in electronic form
Section 67 provides for punishment to whoever transmits or
publishes or causes to be published or transmitted, any material which is obscene in
electronic form with imprisonment for a term which may extend to five years and with fine
which may extend to Rs.1 lakh on first conviction. In the event of second or subsequent
conviction the imprisonment would be for a term which may extend to ten years and
fine which may extend to Rs. 2 lakhs.
Section 67 - Punishment for publishing or transmitting obscene material in electronic
form
Whoever publishes or transmits or causes to be published in the electronic form, any
material which is lascivious or appeals to the prurient interest or if its effect is such as to
tend to deprave and corrupt persons who are likely, having regard to all relevant
circumstances, to read, see or hear the matter contained or embodied in it, shall be
punished on first conviction with imprisonment of either description for a term which
may extend to three years and with fine which may extend to five lakh rupees and in
the event of a second or subsequent conviction with imprisonment of either description for a
term which may extend to five years and also with fine which may extend to ten lakh rupees.
Section 67A - Punishment for publishing or transmitting of material containing
sexually explicit act, etc. in electronic form
Whoever publishes or transmits or causes to be published or transmitted in the electronic
form any material which contains sexually explicit act or conduct shall be punished
on first conviction with imprisonment of either description for a term which may
extend to five years and with fine which may extend to ten lakh rupees and in the
event of second or subsequent conviction with imprisonment of either description for a
term which may extend to seven years and also with fine which may extend to ten lakh
rupees.
Exception: This section and section 67 does not extend to any book, pamphlet, paper,
writing, drawing, painting, representation or figure in electronic form-
(i) the publication of which is proved to be justified as being for the public
good on the ground that such book, pamphlet, paper, writing, drawing,
painting, representation or figure is in the interest of science, literature, art,
or learning or other objects of general concern; or
(ii) Which is kept or used bona fide for religious purposes.

Section 67B - Punishment for publishing or transmitting of material depicting children
in sexually explicit act, etc. in electronic form:
Whoever, (a) publishes or transmits or causes to be published or transmitted material in any
electronic form which depicts children engaged in sexually explicit act or conduct or
(b) creates text or digital images, collects, seeks, browses, downloads, advertises,
promotes, exchanges or distributes material in any electronic form depicting
children in obscene or indecent or sexually explicit manner or
(c) cultivates, entices or induces children to online relationship with one or more
children for and on sexually explicit act or in a manner that may offend a
reasonable adult on the computer resource or
(d) facilitates abusing children online or
(e) records in any electronic form own abuse or that of others pertaining to
sexually explicit act with children, shall be punished on first conviction with
imprisonment of either description for a term which may extend to five years and with
a fine which may extend to ten lakh rupees and in the event of second or subsequent
conviction with imprisonment of either description for a term which may extend to
seven years and also with fine which may extend to ten lakh rupees: Provided that
the provisions of section 67, section 67A and this section does not extend to any
book, pamphlet, paper, writing, drawing, painting, representation or figure in
electronic form-
(i) the publication of which is proved to be justified as being for the public good
on the ground that such book, pamphlet, paper, writing, drawing, painting,
representation or figure is in the interest of science, literature, art or learning
or other objects of general concern; or
(ii) which is kept or used for bona fide heritage or religious purposes.
Explanation: For the purposes of this section, "children" means a person
who has not completed the age of 18 years.

Section 67C - Preservation and Retention of information by intermediaries:


(1) Intermediary shall preserve and retain such information as may be specified for
such duration and in such manner and format as the Central Government may
prescribe. (2) Any intermediary who intentionally or knowingly contravenes the
provisions of sub section (1) shall be punished with an imprisonment for a term
which may extend to three years and shall also be liable to fine.
Section 68 provides that the controller may give directions to a Certifying
Authority or any employee of such authority to take such measures or cease
carrying on such activities as specified in the order, so as to ensure compliance with this
law. If any person fails to comply, he shall be liable to imprisonment up to 3 years or fine
up to Rs.2 lakhs, or both.
Section 68 - Power of Controller to give directions
(1) The Controller may, by order, direct a Certifying Authority or any employee of
such Authority to take such measures or cease carrying on such activities as
specified in the order if those are necessary to ensure compliance with the
provisions of this Act, rules or any regulations made there under.
(2) Any person who intentionally or knowingly fails to comply with any order under
sub-section (1) shall be guilty of an offence and shall be liable on conviction to
imprisonment for a term not exceeding two years or to a fine not exceeding one lakh
rupees or to both.
Section 69 empowers the Government to issue directions for interception or
monitoring or decryption of any information through any computer resource in the following
manner:
Section 69 - Powers to issue directions for interception or monitoring or
decryption of any information through any computer resource
(1) Where the central Government or a State Government or any of its officer specially
authorized by the Central Government or the State Government, as the case may
be, in this behalf may, if satisfied that it is necessary or expedient so to do in the
interest of the sovereignty or integrity of India, defense of India, security of the
State, friendly relations with foreign States or public order or for preventing
incitement to the commission of any cognizable offence relating to above or
for investigation of any offence, it may, subject to the provisions of sub-section
(2), for reasons to be recorded in writing, by order, direct any agency of the
appropriate Government to intercept, monitor or decrypt or cause to be
intercepted or monitored or decrypted any information transmitted received or
stored through any computer resource.
(2) The Procedure and safeguards subject to which such interception or monitoring
or decryption may be carried out, shall be such as may be prescribed.
(3) The subscriber or intermediary or any person in charge of the computer
resource shall, when called upon by any agency which has been directed under
sub section (1), extend all facilities and technical assistance to - (a) provide access to
or secure access to the computer resource generating, transmitting, receiving or
storing such information; or (b) intercept or monitor or decrypt the information,
as the case may be; or (c) provide information stored in computer resource.
(4) The subscriber or intermediary or any person who fails to assist the agency referred to
in sub-section (3) shall be punished with an imprisonment for a term which may
extend to seven years and shall also be liable to fine.
Section 69A - Power to issue directions for blocking for public access of any
information through any computer resource
(1) Where the Central Government or any of its officer specially authorized by it in this
behalf is satisfied that it is necessary or expedient so to do in the interest of
sovereignty and integrity of India, defense of India, security of the State,
friendly relations with foreign states or public order or for preventing incitement
to the commission of any cognizable offence relating to above, it may subject to the
provisions of sub-sections (2) for reasons to be recorded in writing, by order
direct any agency of the Government or intermediary to block access by the
public or cause to be blocked for access by public any information generated,
transmitted, received, stored or hosted in any computer resource.
(2) The procedure and safeguards subject to which such blocking for access by the public
may be carried out shall be such as may be prescribed.
(3) The intermediary who fails to comply with the direction issued under sub-section (1)
shall be punished with an imprisonment for a term which may extend to seven years
and also be liable to fine.
Section 69B - Power to authorize to monitor and collect traffic data or
information through any computer resource for Cyber Security:
(1) The Central Government may, to enhance Cyber Security and for identification,
analysis and prevention of any intrusion or spread of computer contaminant in
the country, by notification in the official Gazette, authorize any agency of the
Government to monitor and collect traffic data or information generated, transmitted,
received or stored in any computer resource.
(2) The Intermediary or any person in-charge of the Computer resource shall when
called upon by the agency which has been authorized under sub-section (1),
provide technical assistance and extend all facilities to such agency to enable
online access or to secure and provide online access to the computer resource
generating, transmitting, receiving or storing such traffic data or information.
(3) The procedure and safeguards for monitoring and collecting traffic data or
information, shall be such as may be prescribed.
(4) Any intermediary who intentionally or knowingly contravenes the provisions of
sub-section (2) shall be punished with an imprisonment for a term which may
extend to three years and shall also be liable to fine.
Explanation: For the purposes of this section,
(i) "Computer Contaminant" shall have the meaning assigned to it in section 43
(ii) "traffic data" means any data identifying or purporting to
identify any person, computer system or computer network or location to or from
which the communication is or may be transmitted and includes communications
origin, destination, route, time, date, size, duration or type of underlying service
or any other information.
Section 70 empowers the appropriate Government to declare by notification any computer,
computer system or computer network to be a protected system. Any unauthorized access of
such systems will be punishable with imprisonment which may extend to ten years or with
fine.
Section 70 - Protected system
(1) The appropriate Government may, by notification in the Official Gazette,
declare any computer resource which directly or indirectly affects the facility of
Critical Information Infrastructure, to be a protected system.
Explanation: For the purposes of this section, "Critical Information Infrastructure" means the
computer resource, the incapacitation or destruction of which, shall have debilitating impact
on national security, economy, public health or safety.

(2) The appropriate Government may, by order in writing, authorize the persons
who are authorized to access protected systems notified under sub-section (1).
(3) Any person who secures access or attempts to secure access to a protected system in
contravention of the provisions of this section shall be punished with
imprisonment of either description for a term which may extend to ten years and shall
also be liable to fine.
(4) The Central Government shall prescribe the information security practices and
procedures for such protected system.
Section 70A - National nodal agency
(1) The Central Government may, by notification published in the official Gazette,
designate any organization of the Government as the national nodal agency in
respect of Critical Information Infrastructure Protection.
(2) The national nodal agency designated under sub-section (1) shall be responsible for
all measures including Research and Development relating to protection of Critical
Information Infrastructure.
(3) The manner of performing functions and duties of the agency referred to in
sub-section (1) shall be such as may be prescribed.
Section 70B - Indian Computer Emergency Response Team to serve as national
agency for incident response
(1) The Central Government shall, by notification in the Official Gazette, appoint
an agency of the government to be called the Indian Computer Emergency
Response Team.
(2) The Central Government shall provide the agency referred to in sub-section (1)
with a Director General and such other officers and employees as may be prescribed.
(3) The salary and allowances and terms and conditions of the Director General
and other officers and employees shall be such as may be prescribed.
(4) The Indian Computer Emergency Response Team shall serve as the national
agency for performing the following functions in the area of Cyber Security,
a) Collection, analysis and dissemination of information on cyber incidents
b) Forecast and alerts of cyber security incidents
c) Emergency measures for handling cyber security incidents
d) Coordination of cyber incidents response activities
e) Issue guidelines, advisories, vulnerability notes and white papers relating to
information security practices, procedures, prevention, response and
reporting of cyber incidents
f) such other functions relating to cyber security as may be prescribed
(5) The manner of performing functions and duties of the agency referred to in
sub-section (1) shall be such as may be prescribed.
(6) For carrying out the provisions of sub-section (4), the agency referred to in
sub-section (1) may call for information and give direction to the service providers,
intermediaries, data centers, body corporate and any other person
(7) Any service provider, intermediaries, data centers, body corporate or person
who fails to provide the information called for or comply with the direction
under sub-section (6), shall be punishable with imprisonment for a term which may
extend to one year or with fine which may extend to one lakh rupees or with both.
(8) No Court shall take cognizance of any offence under this section, except on a
complaint made by an officer authorized in this behalf by the agency referred
to in sub-section (1).
Section 71 provides that any person found misrepresenting
or suppressing any material fact from the Controller or the Certifying Authority shall
be punished with imprisonment for a term which may extend to two years or with fine
which may extend to Rs.1 lakh or with both.
Section 71 - Penalty for misrepresentation
Whoever makes any misrepresentation to, or suppresses any material fact from, the
Controller or the Certifying Authority for obtaining any license or Electronic Signature
Certificate, as the case may be, shall be punished with imprisonment for a term which
may extend to two years, or with fine which may extend to one lakh rupees, or with
both.
Section 72 provides a punishment for breach of confidentiality and privacy of
electronic records, books, information, etc. by a person who has access to them without the
consent of the person to whom they belong with imprisonment for a term which may extend
to two years or with fine which may extend to Rs.1 lakh or with both.
Section 72 - Breach of confidentiality and privacy
Save as otherwise provided in this Act or any other law for the time being in force,
any person who, in pursuance of any of the powers conferred under this Act, rules or
regulations made there under, has secured access to any electronic record, book,
register, correspondence, information, document or other material without the consent
of the person concerned discloses such electronic record, book, register,
correspondence, information, document or other material to any other person shall be
punished with imprisonment for a term which may extend to two years, or with fine which
may extend to one lakh rupees, or with both.
Section 72A - Punishment for Disclosure of information in breach of lawful contract
Save as otherwise provided in this Act or any other law for the time being in force,
any person including an intermediary who, while providing services under the terms of
lawful contract, has secured access to any material containing personal information about
another person, with the intent to cause or knowing that he is likely to cause wrongful loss or
wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful
contract, such material to any other person shall be punished with imprisonment for a
term which may extend to three years, or with a fine which may extend to five lakh rupees, or
with both.
Section 73 - Penalty for publishing electronic Signature Certificate false in certain
particulars:
(1) No person shall publish an Electronic Signature Certificate or otherwise make it
available to any other person with the knowledge that
a) the Certifying Authority listed in the certificate has not issued it; or
b) the subscriber listed in the certificate has not accepted it; or
c) the certificate has been revoked or suspended, unless such publication is for
the purpose of verifying a digital signature created prior to such suspension or
revocation
(2) Any person who contravenes the provisions of sub-section (1) shall be punished
with imprisonment for a term which may extend to two years, or with fine which may
extend to one lakh rupees, or with both.
Section 74 - Publication for fraudulent purpose
Whoever knowingly creates, publishes or otherwise makes available an Electronic
Signature Certificate for any fraudulent or unlawful purpose shall be punished with
imprisonment for a term which may extend to two years, or with fine which may extend
to one lakh rupees, or with both.
Section 75 - Act to apply for offence or contraventions committed outside India:


(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also
to any offence or contravention committed outside India by any person irrespective of
his nationality.
(2) For the purposes of sub-section (1), this Act shall apply to an offence or
contravention committed outside India by any person if the act or conduct constituting
the offence or contravention involves a computer, computer system or computer
network located in India.
Section 76 - Confiscation
Any computer, computer system, floppies, compact disks, tape drives or any other
accessories related thereto, in respect of which any provision of this Act, rules, orders or
regulations made there under has been or is being contravened, shall be liable to
confiscation. However, where it is established to the satisfaction of the court adjudicating
the confiscation that the person in whose possession, power or control of any such
computer, computer system, floppies, compact disks, tape drives or any other accessories
relating thereto is found is not responsible for the contravention of the provisions of
this Act, rules, orders or regulations made there under, the court may, instead of
making an order for confiscation of such computer, computer system, floppies, compact
disks, tape drives or any other accessories related thereto, make such other order authorized
by this Act against the person contravening of the provisions of this Act, rules, orders or
regulations made there under as it may think fit.
Section 77A - Compounding of Offences
(1) A Court of competent jurisdiction may compound offences other than offences
for which the punishment for life or imprisonment for a term exceeding three
years has been provided under this Act. Provided that the Court shall not compound
such offence where the accused is by reason of his previous conviction, liable to
either enhanced punishment or to a punishment of a different kind. Provided
further that the Court shall not compound any offence where such offence affects the
socio-economic conditions of the country or has been committed against a child
below the age of 18 years or a woman.

(2) The person accused of an offence under this act may file an application for
compounding in the court in which offence is pending for trial and the provisions of
section 265 B and 265 C of Code of Criminal Procedure, 1973 shall apply.

Section 77B - Offences with three years imprisonment to be cognizable:
Notwithstanding anything contained in Criminal Procedure Code 1973, the offence
punishable with imprisonment of three years and above shall be cognizable and the
offence punishable with imprisonment of three years shall be bailable.
Section 78 - Power to investigate offences
Notwithstanding anything contained in the Code of Criminal Procedure, 1973, a police
officer not below the rank of Inspector shall investigate any offence under this Act.

4.5 Amendment of the Indian Penal Code


The Information Technology (Amendment) Act, 2008 has further brought about
important amendments to the Indian Penal Code in the following manner:
In the Indian Penal Code
(a) In section 4,
(i) After clause (2), the following clause shall be inserted, namely:
"(3) any person in any place without and beyond India committing offence
targeting a computer resource located in India.";
(ii) For the Explanation, the following Explanation shall be substituted, namely:
Explanation. In this section
(a) the word "offence" includes every act committed outside India which, if
committed in India, would be punishable under this Code;
(b) the expression "computer resource" shall have the meaning assigned to it in clause
(k) of sub-section (1) of section 2 of the Information Technology Act, 2000.
(b) in section 40, in clause (2), after the figure "117", the figures and word "118, 119
and 120" shall be inserted;
(c) in section 118, for the words "voluntarily conceals, by any act or illegal
omission, the existence of a design", the words "voluntarily conceals by any
act or omission or by the use of encryption or any other information hiding
tool, the existence of a design" shall be substituted;
(d) in section 119, for the words "voluntarily conceals, by any act or illegal
omission, the existence of a design", the words "voluntarily conceals by any
act or omission or by the use of encryption or any other information hiding
tool, the existence of a design" shall be substituted;
(e) in section 464, for the words "digital signature" wherever they occur, the words
"electronic signature" shall be substituted;

Amendment of the Indian Evidence Act, 1872


The Information Technology (Amendment) Act, 2008 has further brought about important
amendments to the Indian Evidence Act, 1872 in the following manner:
In the Indian Evidence Act, 1872,
(a) in section 3 relating to interpretation clause, in the paragraph appearing at the end, for
the words "digital signature" and "Digital Signature Certificate", the words
"electronic signature" and "Electronic Signature Certificate" shall respectively be
substituted;
(b) after section 45, the following section shall be inserted, namely:
45A. When in a proceeding, the court has to form an opinion on any matter
relating to any information transmitted or stored in any computer resource or any
other electronic or digital form, the opinion of the Examiner of Electronic Evidence
referred to in section 79A of the Information Technology Act, 2000, is a relevant fact.
Explanation. For the purposes of this section, an Examiner of Electronic Evidence
shall be an expert.
(c) in section 47A,
(i) for the words "digital signature", the words "electronic signature" shall be
substituted;
(ii) for the words "Digital Signature Certificate", the words "Electronic
Signature Certificate" shall be substituted;
(d) in section 67A, for the words "digital signature" wherever they occur, the words
"electronic signature" shall be substituted;
(e) in section 85A, for the words "digital signature" at both the places where they occur,
the words "electronic signature" shall be substituted;
(f) in section 85B, for the words "digital signature" wherever they occur, the
words "electronic signature" shall be substituted;
(g) in section 85C, for the words "Digital Signature Certificate", the words
"Electronic Signature Certificate" shall be substituted;
(h) in section 90A, for the words "digital signature" at both the places where they occur,
the words "electronic signature" shall be substituted;
When one examines the Information Technology Act, 2000 as amended by the
Information Technology (Amendment) Act, 2008, one realizes that there are some
provisions which have an impact upon the concept of privacy. The IT Act, 2000, a
central legislation, does not expressly define "Privacy" as a concept either under the
definitional clause or elsewhere in the said Act. However, the IT Act, 2000 contains some
provisions which recognize privacy protection and at the same time contains some
provisions which encroach upon privacy rights. It would be interesting to note that the IT
Act uses the word "Privacy" in two sections, i.e. Section 30 and Section 72. These provisions
have to be read in the context of the Constitution of India. The fundamental rights,
enshrined in Chapter III of the Constitution of India are guaranteed to citizens. The
Constitution guarantees the right to life under Article 21 of the Constitution. This
fundamental right has been widely interpreted by the Supreme Court in its various
judgments and its ambit has been sufficiently expanded. The Supreme Court has held that
the right to life as enshrined by Article 21 means something more than survival or an
animal existence. It includes the right to live with human dignity and with privacy. It includes
all those aspects of life, which make the human life meaningful, complete, and worth
living.

4.6 AMENDMENTS TO THE INFORMATION TECHNOLOGY- LIMITATION OR DRAWBACKS

The next piece of amendment will be of much interest to certifying authorities and to the
subscribers who have obtained digital signature certificates from licensed certifying
authorities. The provision which provided for the Controller to act as a repository has been
omitted. Repositories are now to be maintained only by certifying authorities. The reasons
provided are that maintaining a repository is the primary responsibility of a certifying
authority, not the Controller and that it is an undue burden on the Controller.
The next series of amendments to the Act is significant as it deals with privacy. Protection of
privacy and personal data had never been addressed directly by any law in force in
India. Protection was finally given by the Supreme Court in the form of a ruling which
referred to privacy as a right flowing from the constitutionally guaranteed right to life.
The picture regarding privacy and data protection laws will now be somewhat clear because
of these amendments.
The first in the series of amendments involving privacy protection involves providing
compensation of up to ten million rupees by an organisation that owns or handles
sensitive personal data or information in a computer resource that it owns or operates. If
such an organisation has been negligent in implementing and maintaining reasonable
security practices and procedures to protect sensitive personal data, it shall be liable
to pay compensation to any person affected by such negligence.
The next amendment in the series of privacy related amendments deals with disclosure
of information by intermediaries and service providers. Section 72 of the Act penalised
those agencies which in pursuance of the powers conferred on them by the Act,
(e.g., certifying authorities) having access to personal information disclosed it without
authorisation. It had limited scope because it could only be applied to those cases
where an agency disclosed personal information to which it was privy because of
requirements under the Act.


The amendment to the section now does away with this limitation and penalises any
intermediary who discloses subscriber information to which it is privy by reason of that
subscriber availing of the services provided by the intermediary. A simple example
would be all the providers who provide free services on the Internet. Almost all of
them require the subscriber to fill in forms with personal information before he is
allowed to avail of the services offered. The amendment penalises disclosure of such
information without the consent of the concerned subscriber.
However, there is a catch. The provision states that if an intermediary discloses this
information, without the consent of such subscriber and with intent to cause injury to
him, the subscriber is entitled to a compensation of up to twenty five lakh rupees.
It is interesting to note that no intermediary would ever disclose such information with
the intent to cause injury to any subscriber. The earlier section defined hacking so widely
that almost every conceivable computer crime fell within its purview. This, by itself,
is perfectly acceptable till we consider the fact that you and I understand hacking as
unauthorised access. Thus the commonly accepted definition and the legal definition
were altogether different. Now, all this has been put to rest by simply not defining
hacking at all! The provision has been divided into two parts. One part lays down a
punishment of up to a year in jail or fine of up to rupees two lakh or both.
Unauthorised access, unauthorised downloading of data and causing denial of access, if
done for dishonest or fraudulent purposes fall under this category.
The other part penalizes introduction of a virus, disruption of an electronic resource,
credit card frauds and time thefts, aiding or assisting in illegal activity and damaging a
computer resource. The penalty for the said offences is three years imprisonment or rupees
five lakh fine or both.
The provision penalising publishing and transmission of pornography has undergone
substantial change. Intermediaries have been excluded from the scope. This will bring
much needed relief to services based companies like Google and eBay, which will
now not be liable for third party pornographic material being accessed through their sites.
More importantly, distinction has now been made between adult and child pornography
and penalty has been reduced to two years imprisonment for adult pornography and three
years imprisonment for child pornography. Only those people have been made liable who
are intentionally or knowingly involved in transmission or publishing of pornographic
material.
The inclusion of the phrase intentionally and knowingly means that innocently forwarded
e-mails with adult content will now be outside the scope of this provision. The offence is
punishable with three years imprisonment (in cases of adult pornography) which
automatically makes it non-cognizable and bailable. So, any person arrested by law
enforcement agencies on charges of transmission or publishing will have to be released on
bail.
There is more. Pictures, images and representations in electronic form which are proved
to be justified as being for the public good on the ground of promotion of science,
literature, art or learning are excluded from the purview of this provision.
Intermediaries will also be relieved by the fact that their liability extends only to those cases
in which their active collusion is proved. The earlier section, which made them liable for
not taking due diligence to prevent the transmission, has been removed. Considering the
fiasco in the Baazee.com case which led to the arrest of the CEO simply because a posting
relating to sale of a CD containing offensive material was found on Baazee.com, this is
certainly a laudable step by the legislators. Cyber café owners will also heave a sigh of relief,
as they are included within the definition of intermediaries.
The Act had been criticised by all and sundry for giving arbitrary powers to the police.
Under the Act, the police could enter any public place and search and arrest without a warrant if
they suspected commission of an offence under the Act. This made all offences under the
Act cognizable. A small but significant change has also been made to the provision which
specified offences relating to companies. Generally, when an offence is committed by a
company as a legal person, the person(s) managing the affairs of the company are made
liable. The amended Act now provides that such a person will not be liable merely because he
is in charge. Liability can only be pinned when it is proved that the person knowingly
connived to commit.
The Information Technology Act, 2000 is India's mother legislation regulating the use of
computers, computer systems and computer networks as also data and information in the
electronic format. The said legislation has provided for the legality of the electronic
format as well as electronic contracts. This legislation has touched varied aspects
pertaining to electronic authentication, digital signatures, cybercrimes and liability of network
service providers.

The most bizarre and startling aspect of the new amendments is that these
amendments seek to make the Indian cyber law a cyber crime friendly legislation: a
legislation that goes extremely soft on cyber criminals, with a soft heart; a legislation
that chooses to encourage cyber criminals by lessening the quantum of punishment
accorded to them under the existing law; a legislation that chooses to give far more
freedom to cyber criminals than the existing legislation envisages; a legislation which
actually paves the way for cyber criminals to wipe out the electronic trails and
electronic evidence by granting them bail as a matter of right; a legislation which makes a
majority of cybercrimes stipulated under the IT Act as bailable offences; a legislation that is
likely to pave way for India to become the potential cyber crime capital of the world.
Several Cyber Crimes, including stealing of bank passwords and subsequent fraudulent
withdrawal of money, have also happened through Cyber Cafes. Cyber Cafes have also
been used regularly for sending obscene mails to harass people. In view of these,
Cyber Cafes have been considered as one of the key intermediaries. In order to
regulate Cyber Cafes, several States had passed regulations, some under the Information
Technology (Guidelines for Cyber Cafe) Rules, 2011 and some under the State Police Act.
Now, the Information Technology Amendment Act 2008 has made many significant
changes in the prevailing laws of cyber space applicable in India, one of which is
regarding Cyber Cafes.
Section 79 imposed on them a responsibility for "Due Diligence", failing which they
would be liable for the offences committed in their network. The New Act has however
provided a specific definition for the term "Cyber Cafe" and also included them under the
term "Intermediaries". Several aspects of the Act therefore become applicable to Cyber
Cafes, and there is a need to take a fresh look at what Cyber Cafes are expected to do for
Cyber Law Compliance.
The new IT Rules, 2011 had specifically provided guidelines for cyber cafes
under the heading "Information Technology (Guidelines for Cyber Cafe) Rules, 2011".
Sections 69, 69A and 69B specifically vest the powers in an agency to be designated. The Act
has deliberately avoided the use of the term "Police". The legislative intent is
therefore indicative that Police need not be the agency to exercise the powers under
these sections.
At the same time, the Police at the State level would be looking for clarification on whether
they have the authority under Sections 69, 69A and 69B to regulate the Cyber Cafes. They
however continue to enjoy some powers under Section 80 with which they can still try to
regulate Cyber Cafes.
ASSOCHAM has expressed an opinion that the new version of the Act after the
amendments is still "Criminal Friendly", and has to be "Further hardened". In this context, let
us see what changes the amendments have now brought in.
The IT Act Amendments are also deficient in the sense that they do not create rebuttable
presumptions of confidentiality of trade secrets and information, in the context of
corporate India. A large number of Indian companies and individuals are saving their
confidential data, information and trade secrets in the electronic form on their
computers. Given the apparent increase in technology adoption, it is increasingly being
found that, despite all precautions being taken, employees are still going ahead
and taking away confidential data from companies. The inability of the law to create
enabling presumptions of confidentiality regarding corporate and individual data and
information in the electronic form is likely to complicate matters further for Indian
companies and netizens.
Given the move to take an extremely lenient view on most cybercrimes, corporates
need to forget about being able to get their errant employees, misusing their
confidential data and information, behind bars. Absence of an effective remedy for
corporates in the new amendments is likely to further erode the confidence of the
Industry in the new cyber legal regime. The maximum damages by way of
compensation stipulated by the new cyber law amendments are Rs 5 crore. When
calculated in US Dollar terms, this is a small figure and hardly provides any effective relief to
corporates whose confidential information worth crores is stolen or misused by their employees
or agents.


Another major failure of the proposed amendments is that they have not dealt with the entire
issue pertaining to Spam in a comprehensive manner. In fact, the word "Spam" is not even
mentioned anywhere in the IT Amendment Bill passed by both the houses of the
Parliament. India has missed yet another opportunity to deal with the contentious issue of
Spam.
It is pertinent to note that countries like the USA, Australia and New Zealand have
demonstrated their intention to fight against Spam by coming out with dedicated anti-spam
legislation.
The IT Act amendments do not address jurisdictional issues. At a time when the Internet
has made geography history, it was expected that the new amendments would throw far
more clarity on complicated issues pertaining to jurisdiction. This is because numerous
activities on the internet take place in different jurisdictions, and there is a need
for enabling the Indian authorities to assume enabling jurisdiction over data and
information impacting India, in a more comprehensive way than in the manner sketchily
provided under the current law.
The new amendments make it mandatory for corporates
possessing, dealing with or handling any sensitive personal data or information in a computer
resource to maintain reasonable security practices and procedures. However, what
these reasonable security practices and procedures would be is anybody's guess. It has to
be pointed out that one set of security practices will not fit the entire nation. What
would be reasonable security practices for one industry may not be directly applicable
to another industry. Not maintaining such reasonable security practices would expose
the said corporate to civil liability to pay damages by way of compensation to the
person so affected, to the tune of Rs 5 crore. The new amendments are likely to impact all
industries which use computers, computer systems and computer networks and data
and information in the electronic form. These reasonable security practices and their
mandatory adoption, while in the overall better interest, are likely to unveil a package of
unpleasant surprises for many.
A perusal of the said legislation shows that there is hardly any logical or rational
reason for adopting such an approach. Currently, the IT Act 2000 has provided for
punishment for various cyber offences ranging from three years to ten years. These are
non-bailable offences where the accused is not entitled to bail as a matter of right. However, what
amazes the lay reader is that the amendments to the IT Act have gone ahead and
reduced the quantum of punishment. Taking a classical case of the offence of online
obscenity, Section 67 has reduced the quantum of punishment on first conviction for
publishing, transmitting or causing to be published any information in the electronic form
which is lascivious, from the existing five years to three years. Similarly, the quantum
of punishment for the offence of failure to comply with the directions of the Controller of
Certifying Authorities is reduced from three years to two years.
Hacking, as defined under Section 66 of the existing Information Technology Act 2000,
has been completely deleted from the law book. In fact, the existing language of
Section 66 has now been substituted by new language. Deleting hacking as a specific
defined offence does not appeal to any logic. The cutting of certain elements of the
offence of hacking under the existing Section 66 and putting the same under Section 43
makes no legal or pragmatic sense. This is all the more so as no person would normally
diminish the value and utility of any information residing in a computer resource, or
affect the same injuriously by any means, with the permission of the owner or any such
person who is in charge of the computer, computer system or computer network.
The legislation has now stipulated that cyber crimes punishable with imprisonment of
three years shall be bailable offences. Since the majority of cyber crime offences
defined under the amended IT Act are punishable with three years, the net effect of
all amendments is that a majority of these cybercrimes shall be bailable. In common
language, this means that the moment a cybercriminal is arrested by the police, barring
a few offences, in almost all other cyber crimes he shall be released on bail as a
matter of right, by the police, there and then.
Another major change that the new amendments have made is that cyber crimes in India shall
now be investigated not by a Deputy Superintendent of Police, as under the existing law, but
by a low level police inspector. So, henceforth, the local police
inspector is going to be the next point of contact the moment a person or any company
is a victim of any cyber crime. The efficacy of such an approach is hardly likely to withstand
the test of time, given the current non-exposure and lack of training of Inspector level
police officers in cyber crimes, their detection, investigation and prosecution.


The entire issue relating to Encryption as a process has not been satisfactorily dealt with.
Having a single provision in the new amendments, reserving the right to specify processes
relating to encryption later, does not do justice to the expectations of corporate India,
regarding the usage of encryption. Encryption is a process that scrambles information, such
that it cannot easily be understood by people who do not have the right key to unscramble it.
The level of security this provides depends critically on the length of the keys used in the
encryption and decryption process. The maximum permissible length of this key has been a
matter of debate, discussion and dispute between the technology industry and the
government. The implications of this are highly significant for commerce, law, intellectual
property protection, and civil liberties.
India needs to harness the benefits and advantages of technology, rather than wanting
to ride its boat upstream, against the current of the technological river. All in all, given the
glaring loopholes as detailed above, the new IT Act Amendments are likely to
adversely impact corporate India and all users of computers, computer systems and
computer networks, as also data and information in the electronic form.


CHAPTER 05
IT Act 2000 vs 2008- Implementation, Challenges, and the
Role of Adjudicating Officers


5. IT ACT, 2000 vs IT (Amendment) Act, 2008


5.1 Electronic signatures introduced
With the passage of the IT (Amendment) Act, 2008 India has become technologically
neutral due to adoption of electronic signatures as a legally valid mode of executing
signatures. This includes digital signatures as one of the modes of signatures and is far
broader in ambit, covering biometrics and other new forms of creating electronic
signatures. This is a positive change as India has different segments of people and all may not
be technologically adept to understand and use the digital signatures. Therefore, allowing
forms of authentication that are simpler to use, such as retina scanning, can be quite useful in
effective implementation of the Act. However, the challenge it poses is accessibility
to authentication tools and imparting education to people to use the same. It is a challenging
task for the Central government to prescribe conditions for considering reliability of
electronic signatures or electronic authentication techniques under Section 3A(2), the
procedure for ascertaining electronic signature or authentication under Section
3A(3), and the manner in which information may be authenticated by electronic signatures in
Section 5. It also involves expenditure, as such authentication tools will require
purchase, installation & training, particularly in all government departments where it is
proposed to be used. Equally challenging will be the drafting of duties of the subscriber of an
electronic signature certificate under Section 40A of the Act, which will need to incorporate
security measures subscribers can adopt depending on the electronic signature being used for
signatures. Further, in a move to secure the flow of data and information on the internet,
and promote e-commerce & e-governance, the amended Act in Section 84A has
empowered the Central Government to prescribe modes or methods for encryption.
These parameters should be laid down in consultation with organizations such as
Nasscom and/or governmental agencies that can assist in formulation of necessary
standards and related rules.
5.2 Corporate responsibility introduced in S. 43A
The corporate responsibility for data protection is incorporated in S. 43A in the amended IT
Act, 2000 whereby corporate bodies handling sensitive personal information or data in a
computer resource are under an obligation to ensure adoption of reasonable security
practices to maintain its secrecy, failing which they may be liable to pay damages.
Also, there is no limit to the amount of compensation that may be awarded by virtue
of this section. This section must be read with Section 85 of the IT Act, 2000 whereby all
persons responsible to the company for conduct of its business shall be held guilty in case
an offence was committed by a company, unless lack of knowledge, or due diligence to
prevent the contravention, is proved.
Insertion of this provision is of particular significance to BPO companies that handle
such sensitive information in the regular course of their business. This provision is important
to secure sensitive data and is hence a step in the right direction. However, the challenge is to
first elucidate what we qualify as "reasonable security practices". The Act, in the explanation to
Section 43A, indicates these to be procedures designed to protect such information from
unauthorised access, damage, use, modification, disclosure, or impairment, as may be
specified in an agreement between parties or as may be specified by any law for the time
being in force and, in absence of both, as may be prescribed by Central Government
in consultation with professional bodies/associations. The law explaining the definition of
reasonable security practices is yet to be laid down and/or Central government is yet to frame
its rules thereon. Perhaps, we can take guidance from certain foreign laws on data
protection & standards laid down in the European Union or by organizations such as OECD in
protection of sensitive personal data. It is a challenge for the Central Government to
prescribe, in consultation with professional bodies, the information that will fall within the
meaning of "sensitive personal data or information".
5.3 Critique on amended section 43 of IT Act
The amended Act provides the distinction between "contravention" and "offence" by
introduction of the element of mens rea for an offence (s 43 for contraventions and s 66 of the
Act for offences). It is pertinent to note that no ceiling limit for compensation is prescribed
under s 43 of the Amendment Act, 2008; the limit was one crore rupees in the IT Act. The
removal of the ceiling limit can be misused or abused, particularly in instances
where a company files frivolous claims against its ex-employee who may have joined a
competitor firm without breaching its employment contract. In my opinion, one major
departure from the earlier IT Act is the insertion of
Section 43 (i) & (j) in the amended Act, which may require an element of mens rea with actus
reus. Particularly, Section 43(j) requires the presence of mens rea (please note the use of the words
"stealing" and "intention to cause damage" in the section), and the same acts
mentioned in section 43, when committed dishonestly or fraudulently, are punishable
under amended Section 66. The intent behind this change is not only to punish the
offender for the criminal act but also to compensate the victim with pecuniary damages for
loss incurred due to acts of the offender. In my view this is a positive change, since a
ceiling on compensation that may be awarded in s. 43 renders at risk those companies
that invest huge amounts of money in their research & development, where an employee simply
steals away that valuable information or resource by electronic means without due
remedy or award of compensable damages.
The relevant provision is as under:
"If any person without the permission of the owner or any other person who is in charge of a
computer, computer system or network, steals, conceals, destroys or alters or causes any
person to steal, conceal, destroy or alter any computer source code used for a
computer resource with an intention to cause damage......he shall be liable to pay damages by
way of compensation to the person so affected."
The intention of the amended Act is to introduce the element of intention in this clause of the
Section, and this mens rea element also finds its roots in Section 66, where a person will be
sentenced if he does the same act dishonestly or fraudulently within the meaning of IPC,
i.e. with intention to defraud or cause wrongful loss. "Intention to cause damage" in S. 43(j)
can be said to also include intention to cause wrongful loss. Per se, stealing cannot be done
without the mens rea in place, and therefore this act should fall under s. 66 and not s. 43
in case S. 43 is to cover only acts done inadvertently or by negligence. This certainly cannot
be the intention/objective of the amendment. Hence, a clarification on this point is necessary.
5.4 Important definitions added
Two very important definitions are added to the IT Act through the IT Amendment
Act, 2008: Section 2(ha), "Communication device", and Section 2(w), "intermediary".
Although cell phones and other devices used to communicate would fall under the
definition of computer in the IT Act, this amendment removes any ambiguity and brings
within the ambit of the Act all communication devices, cell phones, iPods or other devices
used to communicate, send or transmit any text, video, audio or image. The insertion of the
definition of "intermediary" similarly clarifies the categories of service providers that come
within its definition, which includes telecom service providers, network service providers,
internet service providers, webhosting service providers, search engines, online payment
sites, online auction sites, online market places and cyber cafes.
5.5 Legal validity of electronic documents re-emphasized
Two new sections, Section 7A and 10A in the amended Act, reinforce the equivalence of
paper based documents to electronic documents. Section 7A in the amended Act makes audit
of electronic documents also necessary wherever paper based documents are required
to be audited by law. Section 10A confers legal validity & enforceability on contracts
formed through electronic means. These provisions are inserted to clarify and
strengthen the legal principle in Section 4 of the IT Act, 2000 that electronic
documents are at par with paper based documents and e-contracts are legally recognized and
acceptable in law. This will facilitate growth of e-commerce activity on the internet
and build netizens' confidence.
5.6 Critique on Power of Controller under the amended Act
Section 28 of the Act provides that the Controller or any authorized officer shall
investigate "any contravention of the provisions of this Act, rules or regulations made
thereunder". These words should be replaced with the words "any contravention of the
provisions of this Chapter" in light of the fact that, by the amendment in Section 29, the
Controller's power to access computers and data has been curtailed by removal of the
words "any contravention of the provisions of this Act, rules or regulations made
thereunder" and insertion of the words "any contravention of the provisions of this Chapter".
Also, the Controller's power cannot be meant to overlap with that of Adjudicating officers, who
are authorized to adjudicate on cases of contravention that fall under Section 43, or the
subject matter jurisdiction of CAT or the Police. Therefore, the power of the Controller has
to be interpreted keeping in view the intent & objectives of the Act, which can be
clarified. The role of the Controller to act as repository of digital signatures has been
repealed by the IT Amendment Act, 2008. This role has now been assigned to the
Certifying Authority in Section 30 of the IT Act. This change poses a major
challenge to ensuring that the secrecy and privacy of electronic signatures is maintained.
The Certifying Authorities will bear greater responsibility and need to strengthen their
security infrastructure to ensure their role as repository is delivered with efficacy. They will
need to allocate more resources and manpower to regularly publish information
regarding their practices and electronic signature certificates, and publish the current status of
each certificate.
5.7 The Role of adjudicating officers under the amended Act
The Adjudicating officer's power under the amended Act in Section 46(1A) is limited to
deciding claims where the claim for injury or damage does not exceed 5 crores. Beyond 5 crore the
jurisdiction shall now vest with the competent court. This has introduced another forum for
adjudication of cyber contraventions. The words "competent court" also need to be clearly
defined. As per Section 46(2), the quantum of compensation that may be awarded is left to
the discretion of Adjudicating officers. This leaves wide room for subjectivity, and the quantum
should be decided as far as possible objectively, keeping in view the parameters of amount
of unfair advantage gained, amount of loss caused to a person (wherever quantifiable),
and repetitive nature of default. The Information Technology (qualification and experience
of adjudicating officers and manner of holding enquiry) Rules, 2003 lay down the
scope and manner of holding inquiry, including reliance on documentary and other
evidence gathered in investigations. The rules also provide for compounding of
contraventions and describe factors that determine quantum of compensation or penalty.
In the IT Act, 2000 the office of adjudicating officer had the powers of a civil court and all
proceedings before it are deemed to be judicial proceedings. A new change is incorporated in
Section 46(5) whereby the Adjudicating officers have been conferred with powers of
execution of orders passed by them, including order of attachment and sale of property, arrest
and detention of accused and appointment of receiver. This empowers the office of
adjudicating officer and extends greater enforceability and effectiveness to its orders.
5.8 Composition of CAT
The amended Act has changed the composition of the Cyber Appellate Tribunal. The
Presiding officer alone would earlier constitute the Cyber Regulations Appellate Tribunal,
which provision has now been amended. The tribunal would now consist of a Chairperson and
such number of members as the Central Government may appoint. The qualifications for their
appointment, term of office, salary, power of superintendence, resignation and
removal, and filling of vacancies have been incorporated. The decision making process allows
more objectivity with Section 52D, which provides that the decision shall be taken
by majority. It is pertinent to note that there has not been any amendment by the 2008
amendments in Section 55, which states that no order of CAT shall be challenged on the ground
that there existed a defect in the constitution of the appellate tribunal. However, in my view
this runs contrary to principles of natural justice. An analogy is drawn to Arbitrations, where a
defect in the constitution of a tribunal renders an award subject to challenge as per Indian laws.
5.9 New cybercrimes as offences under amended Act
The following stand included by the IT (Amendment) Act, 2008: sending of offensive or false
messages (s 66A), receiving stolen computer resource (s 66B), identity theft (s 66C), cheating by
personation (s 66D), and violation of privacy (s 66E). A new offence of Cyber terrorism is
added in Section 66F, which prescribes punishment that may extend to imprisonment for
life. Section 66F covers any act committed with intent to threaten the unity, integrity,
security or sovereignty of India or cause terror by causing DoS attacks, introduction
of computer contaminant, unauthorized access to a computer resource, stealing of
sensitive information, any information likely to cause injury to the interests of sovereignty
or integrity of India, the security, friendly relations with other states, public order,
decency, morality, or in relation to contempt of court, defamation or incitement to an offence,
or to the advantage of any foreign nation, group of individuals or otherwise. For other offences
mentioned in Section 66, the punishment prescribed is generally up to three years, a fine
of one/two lakhs has been prescribed, and these offences are cognisable and bailable. This
will not prove to be a deterrent factor for cyber criminals. Further, as per the new S. 84B,
abetment to commit an offence is made punishable with the punishment provided for
the offence under the Act, and the new S. 84C makes attempt to commit an offence also a
punishable offence, with imprisonment for a term which may extend to one-half of the
longest term of imprisonment provided for that offence.


In certain offences, such as hacking (s 66), punishment is enhanced from 3 years of
imprisonment and fine of 2 lakhs to fine of 5 lakhs. In S. 67, for publishing of
obscene information, the imprisonment term has been reduced from five years to three years (and
five years for a subsequent offence instead of the earlier ten years) and the fine has been increased
from one lakh to five lakhs (rupees ten lakhs on subsequent conviction). Section 67A adds an
offence of publishing material containing sexually explicit conduct, punishable with
imprisonment for a term that may extend to 5 years with fine up to ten lakhs. This
provision was essential to curb MMS attacks and video voyeurism. Section 67B punishes the
offence of child pornography, a child's sexually explicit act or conduct, with imprisonment on
first conviction for a term up to 5 years and fine up to 10 lakhs. This is a positive change as it
makes even browsing and collecting of child pornography a punishable offence. Punishment
for disclosure of information in breach of lawful contract under sec 72 is increased
from 2 yrs up to 5 yrs and from one lakh to 5 lakh, or both. This will deter the commission of
such crime. By virtue of Section 84B, a person who abets a cybercrime will be punished with the
punishment provided for that offence under the Act. This provision will play a deterrent role
and prevent commission of conspiracy linked cybercrimes. Also, punishment for attempt to
commit offences is given under Section 84C, which will be punishable with one half of
the term of imprisonment prescribed for that offence or such fine as provided, or both.
5.10 Section 67 C to play a significant role in cyber crime prosecution
Section 67C brings a very significant change in the IT Act, 2000. According to this
section, intermediaries shall be bound to preserve and retain such information as may be
prescribed by the Central government, and for such duration and format as it may
prescribe. Any intermediary that contravenes this provision intentionally or knowingly shall
be liable on conviction for imprisonment for a term not exceeding 2 yrs or fine not exceeding
one lac or both. Many cybercrime cases cannot be solved due to lack of evidence, and in
many cases this is due to the fact that the ISP failed to preserve the record pertaining to the
relevant time. This provision is very helpful in collection of evidence that can prove
indispensable in cybercrime cases.

5.11 Section 69 - Power of the controller to intercept amended
Section 69, which deals with the power of the Controller to intercept information being transmitted
through a computer resource when necessary in national interest, is amended by Section 69. In
fact, the power vests now with the Central Government or State Government, which is empowered
to appoint, for reasons in writing, any agency to intercept, monitor or decrypt any
information generated, transmitted, received or stored in any computer resource. This
power is to be exercised with great caution and only when it is satisfied that it is necessary
or expedient to do so in the interests of sovereignty or integrity of India, defence of India,
security of the State, friendly relations with foreign states or public order, or for preventing
incitement to the commission of any cognizable offence relating to the above, or for
investigation of any offence. The procedure and safeguards to exercise this power are laid
out by the Information Technology (procedure and safeguards for interception,
monitoring and decryption of Information) Rules, 2009. The subscriber or intermediary
that fails to extend cooperation in this respect is punishable with a term which
may extend to 7 yrs and imposition of fine. The element of fine did not exist in the erstwhile
Section 69. The said rules provide ample safeguards to ensure the power in this section is
diligently exercised, with due authorization procedures complied with, and not abused by any
agency/intermediary, including maintaining confidentiality and rules for maintaining or
destruction of such records.


5.12 Power to block unlawful websites should be exercised with caution
Section 69A has been inserted in the IT Act by the amendments in 2008 and gives power to the
Central government or any authorized officer to direct any agency or intermediary (for
reasons recorded in writing) to block websites in special circumstances as applicable
in Section 69. Under this Section the grounds on which such blocking is possible are
quite wide. In this respect, the Information Technology (Procedure and Safeguards for
Blocking for Access of Information by Public) Rules, 2009 were passed vide GSR 781(E)
dated 27 Oct 2009, whereby websites promoting hate content, slander, defamation,
promoting gambling, racism, violence and terrorism, pornography, violent sex can
reasonably be blocked. The rules also allow the blocking of websites by a court
order. It further provides for a review committee to review the decision to block
websites. The intermediary that fails to extend cooperation in this respect is punishable
with a term which may extend to 7 yrs and imposition of fine. We need to use this
power with caution as there is a thin line that distinguishes reasonable exercise of
power from Censorship.
5.13 Section 69B added to confer Power to collect, monitor traffic data
As a result of the amendments in 2008, Section 69B confers on the Central government
power to appoint any agency to monitor and collect traffic data or information generated,
transmitted, received, or stored in any computer resource in order to enhance its cyber
security and for identification, analysis, and prevention of intrusion or spread of
computer contaminant in the country. The Information Technology (procedure and
safeguard for monitoring and collecting traffic data or information) Rules, 2009 have
been laid down to monitor and collect the traffic data or information for cyber security
purposes under Section 69B. It places responsibility to maintain confidentiality on
intermediaries and provides for prohibition of monitoring or collection of data without
authorization. This prescribes stringent permissions required to exercise the powers under this
Section, which are fully justified as abuse of this power can infringe the right to
privacy of netizens. It also provides for review of its decisions and destruction of records.
The intermediary that fails to extend cooperation in this respect is punishable
with a term which may extend to 3 yrs and imposition of fine.
5.14 Significance of the term "Critical Information Infrastructure"
Section 70 has a very important definition added by the IT (Amendment) Act, 2008.
The explanation to Section 70 defines what is "critical information infrastructure". It
encompasses the computer resource the destruction of which not only has an adverse
impact on defence of India but also on economy, public health or safety. This is a very
significant step, as today our IT infrastructure may also be used to manage certain services
offered to the public at large, destruction of which may directly affect public health and
safety. Hence, their protection is as important as the maintaining of security and
sovereignty of India. By virtue of Section 70A and B, Indian CERT has been appointed as
the National nodal agency for critical information infrastructure protection. The CERT shall
play an indispensable role in maintaining cybersecurity within the country. A very important
step is coordination between CERT and service providers, data centres, body
corporates, and other persons (Section 70B(6)). That will lead to effective performance of
the role of CERT in. It has multiple roles: education, alert system, emergency
response, issuing guidelines, and reporting of cyber incidents, amongst other functions. In case
any person fails to comply with its directions, such person shall be punishable with
imprisonment of a term that may extend to one year and fine of one lakh or both. It also
excludes the court from taking cognizance of any offence under this section except on a
complaint made by an authorized officer of CERT, to prevent misuse of the Section.
5.15 Important clarifications on the Act's application & effect
By virtue of Section 77 in the amended Act, it has been clarified that awarding of
compensation, penalty imposed or confiscation made under this Act shall not prevent the
award of compensation, or imposition of any other penalty or punishment under any law for
the time being in force. This Section can be read with Section 81 proviso wherein it is
clarified that IT Act shall not restrict any person from exercising any right conferred
under Copyright Act, 1957 or Patents Act, 1970.
5.16 The combined effect of Section 77 and 77 B
By virtue of Section 77 Compounding of offences other than offences for which
imprisonment for life or punishment for a term exceeding has been provided has been made
possible. Section 77 B makes offences punishable with imprisonment of three years
and above as cognizable and offence punishable with 3 years of punishment as bailable.
Since the majority of cyber crime offences defined under the amended IT Act are
punishable with imprisonment for three years, the net effect of all amendments is that
a majority of these cybercrimes are bailable. This means that the moment a
cybercriminal is arrested by the police, barring a few offences, in almost all other cyber
crimes, he has to be released on bail as a matter of right, by the police. A cyber criminal,
once released on bail, will immediately attempt at destroying or deleting all electronic traces
and trails of his having committed any cyber crime. This makes the task of law enforcement
agencies extremely challenging.
5.17 Combined effect of Section 78 & 80
Section 78 of the Act is amended to confer power to investigate offences under the Act
from DSP level to Inspector level. This will be instrumental in quicker investigation in the
cybercrime cases provided adequate tools and training are provided. Section 80 has been
amended and power to enter and search in a public place is now vested in any police
officer not below the rank of inspector or any authorized officer of central government or
state government. Such officer is empowered to arrest without warrant a person
found therein who is reasonably suspected of having committed or of committing or
being about to commit any offence under this Act. However, this section may be misused
easily. Unless it is reasonably suspected that a person has committed, is committing or is
about to commit an offence, he should not be arrested without warrant. Otherwise cybercafés,
in particular, could be adversely affected.
5.18 Liability of Intermediary amended
The earlier section 79 made network service providers liable for third party content only
when they failed to prove that the offence was committed without their knowledge or that they had
exercised due diligence to prevent the commission of such offence or contravention. The
burden of proof was on the network service provider. The amended Section 79 states that the
intermediary shall not be liable for any third party information if it is only providing
access to a communication system over which information made available by third parties
is transmitted or temporarily stored or hosted or the intermediary does not initiate the
transmission, select the receiver and select or modify the information contained in
transmission. It provides that the Intermediary shall be liable if he has conspired or
abetted or induced, whether by threats or promise or otherwise in the commission of the
unlawful act (Section 79(3)(a)). However, it is pertinent to note that the onus to
prove conspiracy has now shifted to the complainant. This may be extremely difficult
for a complainant to prove. Section 3 (b) renders an intermediary liable in case upon
receiving actual knowledge or on receiving notice from a government agency, the
intermediary fails to expeditiously remove or disable access to the unlawful material without
vitiating the evidence in any manner.
5.19 Examiner of Electronic Evidence created
With amendments in 2008, Section 79 A is added that empowers the Central government to
appoint any department or agency of Central or State government as Examiner of
Electronic Evidence. This agency will play a crucial role in providing expert opinion
on electronic form of evidence. The explanation to the Section has an inclusive definition of
electronic form evidence that means any information of probative value that is either stored
or transmitted in electronic form and includes computer evidence, digital audio, digital
video, cellphones, digital fax machines. With the increasing number of cybercrime cases it
will become necessary to set up at least one Examiner of Electronic Evidence in each
State. The CFSIL laboratory in Hyderabad is playing similar role at present in cybercrime
cases where forensic study of hard discs and other computer accessories, digital
equipment is undertaken to provide expert opinion on the digital evidence analysed.

Conclusion
The IT (Amendment) Act, 2008 from an overall perspective has introduced
remarkable provisions and amendments that will facilitate the effective enforcement of
cyber law in India. India is now technologically neutral with electronic signatures
replacing the requirement of digital signatures. The importance of data protection in
today's information technology age cannot be undermined and it finds place in Section
43, 43A, 66, 72 of the IT Act, 2000. In this era of convergence the definition of
communication device and intermediary have been rightly inserted/revisited and validity
of e-contracts is reinforced by insertion of Section 10 A. Section 46(5) of the IT
Act is a welcome provision that empowers the Adjudicating officers by conferring powers
of execution on the office of Adjudicating officer at par with a civil court. A plethora of
new cybercrimes has been incorporated under chapter XI as offences under the amended Act
to combat growing kinds of cybercrimes, particularly serious crimes such as child
pornography and cyber terrorism. The Intermediaries have been placed under an obligation
to maintain and provide access to sensitive information to appropriate agencies to assist
in solving cybercrime cases under Section 67C, Section 69. However, liability of ISPs
has been revisited and onus shall lie on complainant to prove lack of due diligence or
presence of actual knowledge by intermediary as proving conspiracy would be difficult.
These are some of the challenges that cyber law enforcement teams will be faced with. The
power of interception of traffic data and communications over internet will need to be
exercised in strict compliance of rules framed under respective Sections in the Act
conferring such powers of monitoring, collection, decryption or interception.
Power for blocking websites should also be exercised carefully and should not transgress
into areas that amount to unreasonable censorship. Many of the offences added to the
Act are cognizable but bailable which increases the likelihood of tampering of
evidence by cybercriminal once he is released on bail. The police must therefore play a
vigilant role to collect and preserve evidence in a timely manner. For this, the police force
will need to be well equipped with forensic knowledge and trained in cyber law to effectively
investigate cybercrime cases. The introduction of Examiner of Electronic Evidence will
also aid in effective analysis of digital evidence & cybercrime prosecution.

Having discussed the new amendments and challenges before Indian cyber law regime,
employing the strategies recommended below can facilitate the enforcement of cyber law in
our country:
(1) Educating the common man and informing them about their rights and
obligations in Cyberspace. The practical reality is that most people are ignorant of the
laws of the cyberspace, different kinds of cybercrimes, and forums for redressal of
their grievances. There is an imperative need to impart the required legal and technical
training to our law enforcement officials, including the Judiciary and the Police officials
to combat the Cybercrimes and to effectively enforce cyber laws.
(2) The reporting and access points in police department require immediate attention. In
domestic territory, every local police station should have a cybercrime cell that can
effectively investigate cybercrime cases. Accessibility is one of the greatest impediments in
delivery of speedy justice.
(3) Also we have only one Government recognized forensic laboratory in India at
Hyderabad which prepares forensic reports in cybercrime cases. We need more such labs to
efficiently handle the increasing volume of cybercrime investigation cases. Trained
and well-equipped law enforcement personnel at local, state, and global levels can
ensure proper collection of evidence, proper investigation, mutual cooperation and
prosecution of cybercases.
(4) Further under Section 79 of the IT Act, 2000 no guidelines exist for ISPs to
mandatorily store and preserve logs for a reasonable period to assist in tracing IP
addresses in Cybercrime cases. This needs urgent attention and prompt action.
(5) The investigation of cybercrimes and prosecution of cybercriminals and execution of
court orders requires efficient international cooperation regime and procedures. Although,
under Section 1(2) read with Section 75 of the IT Act, 2000, India assumes prescriptive
jurisdiction to try accused for offences committed by any person of any nationality outside
India that involves a computer, computer system or network located in India, on the
enforcement front, without a duly signed extradition treaty or a multilateral cooperation
arrangement, trial of such offences and conviction is a difficult proposition.

IT (Amendment) Act, 2008 is a step in the right direction; however, there are still
certain lacunae in the Act (few of which were briefly pointed out in this paper) which will
surface while the amendments are tested on the anvil of time and advancing technologies!

Future scope of Cyber Crime


What's in the future for Internet Crime and Punishment? With every new avenue opening up
on the Internet come more possibilities for criminal intent. The difference now and in the
future is, technology and human services are now in place or coming into place, to make
these individuals or organizations accountable for their actions. Laws and punishments for
even the smallest Internet crimes are now on the books, or in the process of being created.
Make no mistake; once something is on the Internet, it is fact. It is traceable and punishable.
No matter how hard someone tries to cover it up, erase it or disassociate from their actions,
once the footprint is made, it can't be unmade. Somewhere there is a way to track that
footprint.
The Internet has not only drawn people together, it has drawn international crime fighting
agencies together in a common purpose. The Internet is not a free playground anymore. It is a
global arena. Internet crime will take the punch.
