
or
Some of the provisions of the Information Technology Act, 2000 demonstrate that all laws are not legitimate and all crimes are not illegitimate. Many laws are illegitimate and many crimes legitimate. Many laws are crimes and many crimes are lawful acts labeled as crimes by law. Read on to know more if it sounds twisted and suspicious
Section 66 of the Information Technology Act 2000 was amended by the I.T. (Amendment) Act, 2008 where in many contraventions stipulated in Section 43 of the I. T. Act 2000 that impose monetary penalty upon the violator have been made criminal offences. In other words, contraventions inviting penalty / compensation are now also criminal offences. The amended Section 66 reads as follows:
“66. Computer related offences: If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both”
Section 43(c) of the I. T. Act 2000 lays down the contravention of planting a virus or contaminant into another’s computer system, which, after the amendment to Section 66, is also a criminal offence inviting the punishment of imprisonment up to 3 years with fine. The distinction between the contravention (Section 43) of planting virus and the crime (Section 66) of planting virus is the requirement of mensrea, in other words, dishonest intention.
Is dishonest planting of a computer virus a legitimate crime, or, the punishing of dishonest planting of a computer virus an illegitimate law? Computer virus is as common as common cold. In most cases, it would be next to impossible to determine the real and ultimate source of a computer virus. Our law makers should ask themselves certain fundamental questions before criminalizing the planting of computer virus and contaminants:
Our law enforcement agencies have no expertise to determine the precise source of a computer virus. A person may be booked for the offence of planting computer virus and contaminant, in spite of having antivirus software on his computer system, as new types of virus come into existence from time to time and many of them are not detectable by antivirus software. Even if a person installs the antivirus software, virus can creep into the computer and unknowingly get transmitted to somebody else’s computer system. Since intention / mensrea is inferred from the incident and its consequences, apart from the allegations by the complainant, it would be only at the end of the ordeal of facing prosecution that the accused would get an opportunity to prove his innocence during defence evidence which is taken at the fag end of the trial.
A nominal fine would have sufficed and the law should have evolved with the growth of awareness, consciousness and maturity amongst computer users at large. Transmission of virus or contaminant, as acivil violation under section 43 of the I.T. Act 2000 with a nominal fine is still justifiable.
VIEWS ON CRIMINAL LIABILITY UNDER IT ACT 2000
In December 2008 as a knee–jerk reaction to the November 2008 terror attacks in Mumbai, India, the Information Technology (Amendments) Act, 2008 was hastily tabled before the Parliament and was passed hastily and without any debate whatsoever. Unlike the IT Act of 2000, the focus of the new IT Act 2008 is clearly on cyber terrorism and to a significant extent, cyber crime.
One of the important outcomes of the IT Act, 2008 amendments is the clarity on whether Data theft is considered a criminal offence. Commission of acts provided in S.43 to 66 dishonestly or fraudulently, clearly implies “Data Theft” as an offence in such instances. However these acts would amount to a punishable offence only if such data is “downloaded, copied or extracted” from a computer resource. Therefore it may be argued that the provisions of S.43 (b) are not inclusive, as they do not provide for removal of data through uploading. Criminal provisions give rise to liability only in cases of unambiguity. If a provision has to be applied through interpretation, then such interpretation, which favors the Accused, would have to be applied. With the addition of S.43A by the IT Act 2008, the onus of implementing “Reasonable Security Practices” is on the business entity.
The law must be logical and practical, keeping in view the social realities and the people to whom the law is sought to be applied. The criminal offence of planting computer virus into another’s computer system, would be legitimate in a hi-tech society, but not in India where the majority of the people are just beginning to use computers and internet.
The offence of planting virus and contaminant in a computer system, should have been restricted to the author of a virus and contaminant, and persons who infect multiple computer systems. For instance, authors of virus such as ‘Melissa’ that infected about 1 million computers inthe year 1999, and ‘Love Bug’/ ‘I Love You’ virus in the year 2000 should be penalized with corporal punishment. In other words, the law should have restricted itself to penalizing/ criminalizing the creation and/or planting of computer virus and contaminants, as an organized crime, by infecting a large number of computer systems.
However, dealing with the law as it is, a heavy responsibility lies on our judiciary to protect citizens from the harassment of being implicated for transmitting computer virus and contaminants. Section 66 read with section 43(c) of the I.T. Act, 2000 is a tragic comedy that makes every computer user in the country a complainant/victim of computer contaminants and virus, and also a criminal accused of introducing computer virus and/or contaminants into another’s computer.
‘Hacking’ is another ‘crime’ that has been illegitimately structured in the I.T. Act 2000. After the amendments to the I.T. Act in 2009, the offence of hacking is provided u/s 43(i) read with Sec. 66. The offence is defined as follows:-
“If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network,– (i)“destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means.”
The other offences in the nature of ‘hacking’, as provided in the I.T. Act, 2000 (as amended in 2009) include access to a computer, downloading, copying orextraction of data from a computer, introducing computer virus and contaminants, causing damage to a computer, causing disruption of a computer, causing denial of access to a computer, affecting critical information infrastructure, and cyber terrorism
Hacking a computer system has been projected as a menace requiring harsh laws to act as deterrents. Such a general projection is somewhat misconceived. Hacking a computer simply implies getting into another’s computer without permission. Hacking perse, in simple terms, is criminal trespass into a computer that is a private property. Criminal trespass under the Indian Penal Code, 1860 is simply defined as entering into property in the possession of another with intent to commit an offence or to intimidate, insult or annoy any person in possession of such property, or having lawfully entered into or upon such property, by unlawfully remaining there with intent thereby to intimidate, insult or annoy any such person or with intent to commit an offence. Criminal trespass entails a punishment of imprisonment up to three months or fine up to rupees five hundred, or with both.
Similarly, the legal approach towards hacking should be the same as that of criminal trespass, mischief and the innumerable other offences in the I.P.C. All forms of hacking cannot be treated alike. It needs to be understood that hacking too has numerous dimensions and species like other offences.
A person who enjoys exploring computer systems is also a hacker. Many teenagers obsessed with the internet and computers hack for fun and excitement. They are popularly called ‘teenage web vandals’, and they creatively name themselves as Artech, Nemesystm, Team Holocaust and DoodooKrew, etc.
Another form of hacking is by internet security companies, to test the computer systemsof their clients and potential clients, to impress them and get business assignments of setting up security systems for the clients.
Before the 2008 amendment, all forms of hacking had been treated alike under the Act. However, the legislature seems to have realized that a teenager who enjoys exploring computer systems and showing off his talent, or a disgruntled lover sending obscene emails from his girlfriends email account is at a completely different footing from a terrorist organization hacking into a protected system such as defence. Hacking in its most basic sense is trespassing into another’s computer without permission. One aspect u/s 65 that strikes one as a necessary ingredient of all these provisions is the aspect of mensrea. Besides, if a naïve employee in an organization through his acts, even if they are grossly negligent, manages to introduce a deadly virus in his company’s software, he may not be liable under the Act, though he may be inviting immediate termination! Keeping this subtle but extremely pertinent distinction in mind, Section 66-F provides punishment for cyber terrorism as extending to punishment for life, whereas punishment for sending offensive messages, or receiving stolen computer resources or for violation of privacy on the net, extends to a maximum imprisonment of three years.
Even before the amendments came into force the courts essentially based their judicial discretion largely on which provisions of IPC were attracted along with the corresponding sections under the Act. This perspective has now been given statutory validity by legislating Section 66 A-F vide the 2008 amendment. The distinction between innocent or non-serious offenders and cyber criminals seems to have dawned on the judiciary, who have time and again exercised judicial discretion and awarded punishments accordingly. In one such case, a sixteen-year-old student from Ahmedabad sent an e-mail to a private news channel on March 18, 2008, warning officials of a bomb on an Andheri-bound train. In the e-mail, he claimed to be a member of the Dawood Ibrahim gang. Three days later, the crime investigation cell (CCIC) of the city police arrested the boy under section 506 (ii) for criminal intimidation. Considering the fact that he was a young boy, not fully appreciating the seriousness of his actions, Patel was given a warning by a juvenile court.
On the other hand was a case in 2005 when a financial institute complained that they were receiving misleading emails ostensibly emanating from ICICI Bank’s email ID. An investigation was carried out with the emails received by the customers of that financial institute and the accused were arrested. The arrested accused had used open source code email application software for sending spam e-mails. After spamming emails to the institute customers he got the response from around 120 customers, who had been duped. This crime was registered under section 66 of the IT Act, Sections 419, 420, 465, 468 and 471 of the Indian Penal Code and sections 51, 63 and 65 of the Indian Copyright Act, 1957 and attracted the punishment of three years imprisonment and fine uptoRs 2 lakhs, which the accused may never have thought of! Ergo, even before the amendments came into force the courts essentially based their judicial discretion largely on which provisions of IPC were attracted along with the corresponding sections under the Act.
Hacking is also committed to damage the business of competitors and enemies. It is done by spying into others’ computer systems and stealing information/data residing therein. Hacking is also used as a weapon to commit other crimes such as cheating and misappropriation of funds electronically from the bank account of another.
Hacking is done at the country level too. Frequently, Pakistani hackers are accused of hacking Indian web-sites. For instance, the web-site of SEBI (Stock Exchange Board of India) was hacked whereby a link to a pornographic web-site was inserted.
There are therefore numerous species of hacking, though in essence, it is theoffence of criminal trespass. All forms of hacking cannot thus be treated alike. It is the intent, purpose and consequences of hacking that determine its gravity. A twelve year old, who, for excitement and playing a prank enters restricted web-sites should not be treated as a national enemy. A terrorist organization hacking into a protected system such as the defence computer systems to steal nuclear secrets, or a criminal syndicate hacking to misappropriate huge amounts, cannot be treated on par with a teenager prying into the computer system of his best friend’s girlfriend or even the CBI (Central Bureau of Investigation) for fun and excitement. The nature of the hacking determines the gravity and all forms of hacking should not be projected or legally treated in the same manner.
The seriousness of hacking depends upon the nature, purpose, intent and the extent of loss and injury that are caused to the victim. For instance, in a reported incident in the U.S. the owner of a hobby web-site for children received an e-mail informing her that a group of hackers had gained control over her web-site. They demanded a ransom of one million dollars. The threat was overlooked as a mere scare tactic. A few days late, she discovered that the hackers had “web-jacked” her web-site. “Webjacking” has been equated with hijacking an aeroplane, as forcibly assuming control of a web-site, for diverse motives. The hackers had altered a part of the web-site which said “How to have fun with goldfish”. The word “goldfish” was replaced with “piranhas”. Piranhas are tiny but extremely dangerous flesh eating fish. Many children visiting the web-site, purchased ‘piranhas’ from pet shops and tried playing with them, thereby hurting themselves badly.
The law should have been structured so as to exclude the innocent forms of hacking and include only the malicious forms. The law makers should have taken cue from the offences of ‘criminal trespass’ and ‘mischief’ that are classified in numerous species, in the IPC, 1860.
Section 66F of the I.T. Act, 2000 (as amended in 2009) defines the offence of “cyber terrorism”. The core criminal acts with the stipulated intent and consequences, sought to be labeled as “cyber terrorism” in clause (A) of section 66F are:
The core criminal acts with the stipulated knowledge, intent and injury, sought to punished as “cyber terrorism” in clause (B) of section 66F are:
In sum, the above core criminal acts sought to be punished as “cyber terrorism” are of restraint, criminal trespass and mischief that are amongst the minor offences under the I.P.C., 1860. Only the stipulated intent/mensrea, knowledge and consequences make the said simple/minor offences, acts of “cyber terrorism” punishable up to life imprisonment. Intent is a matter of inference drawn from the acts and consequences. Cyber crime investigation is still alien to law enforcement agencies in India and would take them a long time to attain high levels of expertise. Moreover, the true impact of the aforesaid acts labeled as “cyber terrorism”, techniques of collection of evidence and conducting a proper investigation, are yet to be assimilated by our criminal justice system. Myriad innocent acts such as intrusion into critical information infrastructure, say, by an 18 year old hacker for fun, excitement and asserting his knowledge of computers can be misconstrued as “cyber terrorism”.
Hactivism means hacking as a form of protest for political ends and social causes. Hactivism is the cyber/electronic equivalent of holding a ‘dharna’ at Jantar Mantar, Delhi to protest against a government decision. However, the otherside believes that hacktivism is an attempt to precipitate a crisis situation online. Therefore, intrusions by ‘hacktivists’ to protest against a government policy could be misconstrued as “cyber terrorism”. Hactivists have often taken to defacing web-sites for political reasons, such as attacking and defacing government websites and web-sites of those who oppose their ideology.
The earliest known instance of hacktism dates back to October, 1989 when the ‘WANK’ (Worms Against Nuclear Killers) worm penetrated the computer systems of NASA. The “Strano Network sit-in” in 1995 was a hactivist strike directed against the French government. The hacking group ‘Milworm’ hacked into Bhabha Atomic Research Centre (BARC) in 1998, replacing the centre’s web-site with an anti-nuclear message.
Most of the incidents of hacktivism could prima-facie fall within the ambit of “cyber terrorism” defined and punishable under section 66F of the I.T. Act, 2000, that has been inserted by the I.T. (Amendment) Act, 2008. The real nature of the above acts are protests against a government decision or policy, which are protected by the constitutional guarantee of the freedom of speech and expression under Article 19(1)(a), but are sought to be stifled in the name of “cyber terrorism”.
The author is an Advocate, Delhi High Court.
Lex Witness Bureau
Lex Witness Bureau
For over 10 years, since its inception in 2009 as a monthly, Lex Witness has become India’s most credible platform for the legal luminaries to opine, comment and share their views. more...
Connect Us:
The Grand Masters - A Corporate Counsel Legal Best Practices Summit Series
www.grandmasters.in | 8 Years & Counting
The Real Estate & Construction Legal Summit
www.rcls.in | 8 Years & Counting
The Information Technology Legal Summit
www.itlegalsummit.com | 8 Years & Counting
The Banking & Finance Legal Summit
www.bfls.in | 8 Years & Counting
The Media, Advertising and Entertainment Legal Summit
www.maels.in | 8 Years & Counting
The Pharma Legal & Compliance Summit
www.plcs.co.in | 8 Years & Counting
We at Lex Witness strategically assist firms in reaching out to the relevant audience sets through various knowledge sharing initiatives. Here are some more info decks for you to know us better.
Copyright © 2020 Lex Witness - India's 1st Magazine on Legal & Corporate Affairs Rights of Admission Reserved