Is India Equipped to Deal with Cyber Crime?
Recently, we at CSR embarked on a journey to find out how Indian police deals with cases of cyber crimes. Specifically, we wanted to contact the cyber crime units of the country. Sonia, our diligent team member, was put in charge of obtaining the contact details of cyber crime units across India. It turned out to be a greater task than we had envisioned, as many of the details available on the internet turned out to be either false numbers, or numbers of some other department. With great difficulty, Sonia managed to create a list of authentic contact details of cyber crime cells pan India, which you can access here.
In her search for details of cyber crime units, Sonia told us that it is a false notion that there are specific departments dedicated to cases of cyber crimes. Rather, it is usually one person in a police station who is assigned the task of dealing with cyber crimes coming in that jurisdiction.
The statistics on the increase in cyber crime in India are alarming. According to the January 2015 report of the Associated Chambers of Commerce and Industry of India, the number of cyber crimes in India would have touched a figure of 3,00,000 last year. Hacking, data theft, cyber bullying and even cyber extortion have been on a constant rise.
The Indian Parliament enacted the Act called the Information Technology Act, 2000. This Act is based on the Resolution A/RES/51/162 adopted by the General Assembly of the United Nations on 30th January, 1997 regarding the Model Law on Electronic Commerce earlier adopted by the United Nations Commission on International Trade Law (UNCITRAL) in its twenty-ninth session. India was one of the States, which supported this adoption of Law by the General Assembly. Some relevant points of this Act are:
- It embraces the idea of electronic signatures as opposed to digital signatures.
- The section on child pornography (s.67B) has been drafted with some degree of care. It talks only of sexualized representations of actual children, and does not include fantasy play-acting by adults, etc. From a plain reading of the section, it is unclear whether drawings depicting children will also be deemed an offence under the section.
- The word “transmit” has only been defined for section 66E. The phrase “causes to be transmitted” is used in section 67, 67A, and 67B. That phrase, on the face of it, would include the recipient who initiates a transmission along with the person from whose server the data is sent. While in India, traditionally the person charged with obscenity is the person who produces and distributes the obscene material, and not the consumer of such material. This new amendment might prove to be a change in that position.
- Section 66A which punishes persons for sending offensive messages is overly broad.
- The latter part of s.66A(c), which talks of deception, is sufficient to combat spam and phishing, and hence the first half, talking of annoyance or inconvenience is not required. Additionally, it would be beneficial if an explanation could be added to s.66A(c) to make clear what “origin” means in that section.
- The amendment to the provision on intermediary liability (s.79) seeks to make only the actual violators of the law liable for the offences committed.
- Section 66F(1)(B), defining “cyber terrorism” is much too wide, and includes unauthorised access to information on a computer with a belief that that information may be used to cause injury to decency or morality or defamation, even. While there is no one globally accepted definition of cyber terrorism, it is tough to conceive of slander as a terrorist activity.
- Another overly broad provision is s.43, which talks of “diminish[ing] its value or utility” while referring information residing on a computer, is overly broad and is not guided by the statute. Diminishing of the value of information residing on a computer could be done by a number of different acts, even copying of unpublished data by a conscientious whistleblower might, for instance, fall under this clause. While the statutory interpretation principle of noscitur a socii (that the word must be understood by the company it keeps) might be sought to be applied, in this case that doesn’t give much direction either.
- While all offences carrying penalties above three years imprisonment have been made cognizable, they have also been made bailable and lesser offences have been made compoundable. This is a desirable amendment, especially given the very realistic possibility of incorrect imprisonments (Airtel case, for instance), and frivolous cases that are being registered (Orkut obscenity cases).
- Cheating by personation is not defined, and it is not clear whether it refers to cheating as referred to under the Indian Penal Code as conducted by communication devices, or whether it is creating a new category of offence. In the latter case, it is not at all clear whether a restricted meaning will be given to those words by the court such that only cases of phishing are penalised, or whether other forms of anonymous communications or other kinds of disputes in virtual worlds (like Second Life) will be brought under the meaning of “personation” and “cheating”.As per Rule 5, person or body corporate collecting information shall state the purpose and necessity of collecting the information. Moreover, while collecting information directly from the individual concerned, the body corporate or any person shall take such steps as are, in the circumstances, reasonable to ensure that the individual concerned is aware of :-
- the fact that the information is being collected,
- the purpose for which the information is being collected,
- the intended recipients of the information, and
– the name and address of:
- the agency that is collecting the information, and
- the agency that will hold the information.
- Rule 6 provides for the manner in which Information should be disclosed to the third party. It also provides that the Government agencies can collect the Sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, and punishment of offences. Provided Government shall also state that the information thus obtained will not be published or shared with any other person.12. Rule 7 provides technical requirements for the protection of Sensitive personal information i.e. what constitutes “Reasonable Security Practices and Procedures”. It provides that, The International Standard IS/ISO/IEC 27001 on “Information Technology Security Techniques – Information Security Management System – Requirements” has been adopted by the country. Any person or body corporate implements the said security standards is said to have implemented reasonable security practices and standards. If any industry association or cluster are following other than IS/ISO/IEC 27001 codes of best practices for data protection shall get their codes approved and notified by the Government.
- In the course of our research we got immense help from Sumitro Chatterjee, who interned at CSR back in his college days, and is now a Senior Manager at Litigation Solutions, Pangea3. He had this to say: “I enjoyed helping CSR in analyzing cyber laws. In my opinion there needs to be sensitization among the legal fraternity as to the implications of this law in today’s world. We have increasingly become technology dependent and a common man in his day to day life is connected to the world wide web on a regular basis. This means that we do our daily transactions on the web, which also opens us to crime and misuse. The need of the hour is to understand the threat we face on the cyber space and the best way to deal with it. The only way forward is, if the guardians of the law (the Judges, the Lawyers and the Police) is aware and proactive in interpreting and implementing the cyber laws”.
While it is heartening that there are all these provisions to deal with the ever increasing cases of cyber crime, it is also important to understand that Indian legal system and police system still has a long way to go in its approach in curbing and punishing this menace. It is important that police is well trained in the ways of the cyber space, and up to date with new technology coming about every day. The systems and processes need to be perfectly in place, and efficient, if this evil of cyber crime is to be dealt with in a proper manner.
Discuss this article on Facebook