Overview Of Cyber Crimes..................................................................................................................

1
Definition of Cybercrime .................................................................................................................... 1
Tools and techniques used to commit cyber crimes .......................................................................... 2
Types of cyber crimes ......................................................................................................................... 3
Crimes targeting computer systems ................................................................................................... 4
Crimes in which computer systems are used as tools/instruments ................................................... 6
Some salient features of IT Amendment Act 2008:............................................................................ 8
Cyber Threat Classification ............................................................................................................... 12
The Information Technology Act, 2000 ............................................................................................ 13

Overview Of Cyber Crimes

Information Technology and the Internet have led to innovation and economic growth, but have also
created new avenues for malicious actors to perpetrate crimes. The perpetrators range from
sophisticated hackers to common criminals to foreign intelligence agencies and international
terrorists. Cyber threats are increasing for governments, commercial enterprises and industry and
above all ordinary citizens.s

The all pervasive role of internet and computers and the networks can be gauged from the glance of
a newspaper on any given day, on the lives of the citizens, corporations and governments world over.
Number of lottery scams, fake profiles on social networking websites and, identity theft for fake
banking transactions etc., have become news of daily routine and, are affecting increasing number of
ordinary citizens. Commercial enterprises are becoming targets of frauds by insiders, commercial
espionage and, intellectual property thefts causing enormous damages to reputations of the
companies and, potentially huge financial losses. Finally, the threats of cyber terrorism and, espionage
are closer to reality than were anytime in the past. The Wiki leaks episode of publishing of the
classified diplomatic communications in public domain is a pointer to the things to come in future.
Finally, Governments and regimes are being overthrown, through the sheer power of internet and
social networks, as a galvanizing force. While some of these acts may not be classified as Cyber Crimes
universally, as Law Enforcement Officers, it becomes necessary to understand and investigate the
incidents as and when reported.

Thus, Cybercrime is the latest that is affecting the cyberspace and through it causing physical crimes
in the real world, where either the computer is an object or subject of the conduct constituting crime.

Definition of Cybercrime

1. Any criminal activity that uses a computer either as an instrument, target, or a means for
perpetuating further crimes comes within the ambit of cybercrime, i.e., unlawful acts wherein the
computer is either a tool or a target or both.
2. Any violations of criminal law that involve knowledge of computer technology for their
perpetration, investigation, or prosecution. — U.S. Department of Justice

3. The communication addresses computer crime in its broadest sense as any crime involving the
use of information technology. The terms “computer crime,” “computer-related crime,” “high-
tech crime” and “cybercrime” share the same meaning in that they describe (a) the use of
information and communication networks that are free from geographical constraints and (b) the
circulation of intangible and volatile data.
— EU Council (Justice and Home Affairs)

Tools and Techniques used to commit Cybercrimes

Cyber Crimes make use of various tools and techniques for the commission of offences and are
installed on the victim’s systems through - exploitation of the vulnerabilities in the systems / networks
or by surreptitiously gaining access to the victim’s systems which may include physical access or by
making use of the intermediary systems or by deceiving the victim to allow access to his system or by
gathering the victim information.

Buffer overflow: The condition when a program or process tries to store more data in a buffer
(temporary data storage area) than it was intended to hold. Since buffers are created to contain a
finite amount of data, the extra information – which has to go somewhere - can overflow into adjacent
buffers, corrupting or overwriting the valid data held in them

Cracking: Cracking is breaking into someone else’s computer system, often on a network; bypassing
passwords or licenses in computer programs; or in other ways intentionally breaches computer
security. A cracker can be doing this either for profit, or maliciously, or for some altruistic purpose or
cause.

Data Diddling: Involves altering the raw data just before a computer processes it and then changing
it back after processing is completed.

Malware: A program that is inserted into a system, usually covertly, with the intent of compromising
the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or
of otherwise annoying or disrupting the victim.

Phishing: Using spoof E-mails or directing the people to fake web sites to deceive them into divulging
personal financial details so that criminals can access their accounts.

Rootkit: A set of tools that enables continued privileged access to a computer, while actively hiding
its presence from the administrator. Typically, a cracker installs a rootkit on a computer after first
obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once
the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to
the computer and, possibly, other machines on the network
Salami Attack: A programmed attack which is implemented in small (meant to be unnoticeable)
increments. This attack involves making alteration so insignificant that it is easily concealed and would
go completely unnoticed. Attacks are used for commission of financial crimes.

Sniffer: A program and/or device that monitors data traveling over a network. Sniffers can be used
both for legitimate network management functions and for stealing information off a network.
Unauthorized sniffers can be extremely dangerous to a network’s security because they are virtually
impossible to detect and can be inserted almost anywhere.

Social Engineering: A hacker term which involves non-technical intrusion for deceiving or
manipulating unwitting people into giving out information of a network or how to access it.

Spoofing: Refers to a situation in which the incoming information from an attacker is masqueraded as
one that appears to come from a trusted source to the recipient or to the recipient network. Often
the messages from the fraudster appearing to be from a genuine source (like bank), seeks personally
identifiable information to perpetrate fraud on the victim.

Spyware: It is a type of malware that is secretly or surreptitiously installed into an information system
to gather information on individuals or organisations without their knowledge; a type of malicious
code.

Steganography: The art and science of writing hidden messages in such a way that no one, apart from
the sender and intended recipient, suspects the existence of the message. An image file may contain
hidden messages between terror groups, which will be known only to the intended recipient and the
sender.

Trojan: A malicious program that masquerades as a benign application and can take complete control
of the victim’s computer system.

Virus: A self-replicating program that runs and spreads by modifying other programs or files.

Worm: A self-replicating, self-propagating, self-contained program that uses networking mechanisms

to spread itself.

Zombie: A program that is installed on a system to cause it to attack other systems.

Types of Cybercrimes

Cybercrimes cover a wide range of illegal activities, which are either done solely using computer
resources (as defined under Section 2 of ITAA, 2008) or, done in conjunction with traditional means
using the computer resources and communication devices as tools to commit conventional crimes.
The Information Technology (Amendment) Act, 2008 under Section 66, deals with cybercrimes, with
the penal provisions for committing any of the acts defined under Section 43 of the ITAA 2008, if the
acts were done with fraudulent or dishonest intentions. Apart from Section 66, the amendment to the
ITA 2000, has introduced the emerging cybercrimes under its ambit.

The crimes dealt under section 66, thus presuppose that, all these acts were done with dishonest and
fraudulent intentions. If the fraudulent or dishonest intentions are not forthcoming, they will be dealt
under Section 43 of the IT Act and, will be dealt with by the Adjudicating Officers notified under
Section 46 of the IT Act 2000.

Crimes targeting computer systems

a. Hacking

(Under Section 66 ITAA 2008)

Hacking is a broader term and can be defined as gaining entry into a computer system without the
permission, with an intention to cause loss, steal, or destroy the data contained in it. It is often done
by exploiting some of the vulnerabilities that are present in the computer system. This involves various
methods of acquiring sensitive information like usernames, passwords, Internet Protocol (IP)
addresses and using them to access the computer system, which can be used by the hacker to gain
entry into the system itself. These applications may be in the form of trojans, malware, worms, and
viruses, which will install in the targeted system and compromise its security. After hacking and gaining
entry into the computer system, the hacker can gain administrative rights and can do anything with
the data contained in it. The computer systems can also be used to infect and destroy other systems.

b. Denial of Service (DoS) attack or Distributed Denial-of-Service (DDoS) attack

(Under Section 66 of ITAA 2008)

In this kind of attack, an important service offered by a Web site or a server is denied or disrupted
thereby causing loss to the intended users of the service. Typically, the loss of service is the inability
of a particular network service, such as e-mail, to be available or the temporary loss of all network
connectivity and services.

In some cases, DoS attacks have forced the Web sites to temporarily cease operation. This often
involves sending large amount of traffic in the form of e-mails and other requests to the targeted
network or server so that it occupies the entire bandwidth of the system and ultimately results in a
crash. ICMP flooding, teardrop attacks, peer-to-peer attacks, application‑level flooding, etc. are few
examples of DDoS attacks. These attacks make use of multiple systems to flood the bandwidth of the
targeted system.

Remarks: The above description speaks about high‑level sophisticated attack, but in general, there are
cases where the attacker causes the denial of access to a computer/computer system/computer
network by changing/inserting a password.
c. Spreading viruses and malware
(Under Section 66 of ITAA 2008 or Sec.66F ITAA 2008 in case if it is done against country or to strike
terror in the people)

Spreading viruses and malware is the biggest crime that is happening today and most of the internet
users are affected by it. These can be generic or targeted to a specific computer system. Injecting and
spreading malicious code also can come in the form of viruses, worms, trojans, spyware, adware, and
rootkits. These get installed secretly in the victim’s computer
system and can be used to access and transmit sensitive information about the system, and in some
instances, the infected systems can be used as tools to commit other types of cybercrime.

d. Website defacement
(Under Section 66 of ITAA 2008 or Sec.66F ITAA 2008 in case if it is done against country or to strike
terror in the people)

It is an attack on a Web site, which will change the visual appearance, and the attacker may post some
other indecent, hostile and obscene images, messages, videos, etc., and sometimes make the Web
site dysfunctional. It is most commonly done by hackers of one country to the Web sites of other
enemy or rival neighbouring country to display their technological superiority and infecting with
malware.

e. Cyber terrorism
(Under Section 66F of ITAA 2008)

Whether traditional or cyber terrorism, terrorists these days are using state of the art technology like
satellite phones, communicating through encrypted messages, posting messages and recruiting
personnel, raising funds, and creating propaganda using Web sites and Internet technology. When it
comes to cyber terrorism, they resort to large‑scale disruption of computer networks, Web sites, and
attack other critical infrastructural facilities governed by computer systems. In all these instances,
digital evidence may be present in the computer systems and computer resources in the form of
e‑mail, web addresses, encrypted messages, photographs, videos, etc.

f. Spoofing
(Under Section 66A, 66D of ITAA 2008)

In spoofing, the attacker masquerades the data packets, IP addresses, MAC addresses, and e-mail
addresses so as to create an impression that they are originating from somebody else’s addresses.

g. Skimming
(Under Section 66C of ITAA 2008)

Skimming is a kind of credit/debit/ATM/chip/SIM card fraud in which a hand‑held device called

skimmer is used to capture the information contained in it. The data can be transferred on to a
computer system later. The information like name, credit card number, expiry date, etc., can be used
to create fake credit cards.
Remarks: If the information obtained by using the above technique is used to make any fraudulent
transactions, then section 66D of ITAA 2008 is also applicable.

h. Pharming
(Under Section 66C, 66D of ITAA 2008)

Pharming is a type of attack in which the user is deceived into entering sensitive data, such as PIN
numbers, credit card numbers, passwords etc., into a fake Web site, which impersonates as genuine
Web site. It is different from Phishing in such a way that the attacker need not rely on any of the URL
or link. Instead, it redirects the Web site traffic from a legitimate Web site to a fake one.

i. Spamming
(Under Section 66A of ITAA 2008)
Spamming is an act of sending unsolicited and junk e-mails or messages by anyone for the purpose of
causing annoyance or inconvenience.

Crimes in which computer systems are used as tools/instruments

a. Financial fraud
(Several sections under IPC, ITAA 2008 and other applicable laws)

Financial frauds include business frauds, investment frauds, mass marketing frauds, offering jobs
overseas, Nigerian Frauds, business opportunity frauds, etc., where unsuspecting people are lured in
trap by the promise of such opportunities and deceived of their money and other valuables.

b. Data modification
(Under Section 66 of ITAA 2008 and sections 403,406,408,409 of IPC as applicable)

In this crime, the criminal gains entry into the targeted system like financial systems and modifies or
changes the data contained in a computer system. This type of crime can be committed by the
authorized users (insiders) of the computers also.

c. Identity theft and its misuse

(Under Section 66C, 66D of ITAA 2008)

It is the theft of sensitive identity information such as date of birth, name, PAN numbers, passport
numbers, credit card numbers, e-mail accounts, etc., for fraudulent purposes. The user may obtain
the sensitive information by several means like phishing, sending some links to victim’s e-mail address
and asking them to furnish confidential information, or obtaining
the information through social engineering, using key-loggers, etc.

d. Cyber bullying/Stalking
(Under Section 66A of ITAA 2008 and sections 500,504,506,507,508,509 of IPC as applicable)
It is defined as the use of Information and Communication technologies to harass, threaten or
intimidate someone. Cyberbullying can include acts such as making threats, sending provocative
insults or racial or ethnic slurs, gay bashing, attempting to infect the victim’s computer with a virus,
and flooding an e-mail inbox with messages.

e. Data theft
(Under Section 66 of ITAA 2008 and section 379 IPC)

Data theft is copying the data without the permission of the owner of the computer/computer
system/computer network. It can be in the form of breaking into the system and copying classified
and sensitive information often in the workplace/ business. The type of data can be anything like
official/business communication, contact details of customers, clients, addresses, user names,
passwords, credit card numbers, and other related documents.

f. Pornography
(Under Section66E, 67, 67A and 67 B of ITAA 2008 and section 292 IPC)

Pornography is posting, publishing, and transmitting obscene messages, photographs, videos, and text
through e-mail, Web sites, chatting, and other forms over the Internet. Child pornography is one of
the biggest ventures on the Internet.

g. Theft of trade secrets and intellectual property

(Under Section 66 of ITAA 2008, IPR laws and other applicable laws)

It is the theft of knowledge based assets and capital, trade designs, logos, ideas and innovations,
material that is copyrighted by an individual or an organization. It also includes audio, video, movies,
etc. Highest number of cases under intellectual property theft happened with software and its source
code.

h. Espionage on protected systems

(Under Sections 66, 70 of ITAA 2008 and other applicable laws)

This kind of spying and espionage on the government systems is often done by the intelligence officials
of enemy or neighbouring countries. It involves accessing sensitive and classified documents.

Cybercrime and IT Act

Cybercrime is an intangible dimension that is very difficult to govern or enforce. There are various
constraints and it is extremely difficult for conventional laws to address the cybercrime related issues.
Information Technology Act 2000 is an omnibus act for promotion of e-commerce and e‑governance,
acceptance of electronic documents at par with paper documents, acceptance of digital signatures at
par with normal handwritten signatures, and for dealing with some forms of cybercrime to enhance
trust in cyberspace.
The ITA 2000 was amended in December 2008 as the IT (Amendment) Act, 2008 (ITAA 2008), and
notified for implementation from 27th October 2009. ITAA 2008 has created a strong data protection
regime by mandating reasonable security practices to protect sensitive personal information and
several provisions for handling cybercrimes like identity theft and cyber terrorism. The IPC and the
Indian Evidence Act were also amended to include cybercrimes and digital evidences covered by ITA
2000.

Some of the Indian laws and acts which addresses various aspects of cybercrimes are as follows:
1. Information Technology Amendment Act 2008
2. Indian Penal Code 1860
3. The Indian Evidence Act 1872
4. The Indian Telegraph Act 1885
5. Bankers’ Book of Evidence Act 1891.

Some salient features of IT Amendment Act 2008:

1. The act applies to any offence or contravention committed outside India by any person,
irrespective of his nationality, if the act or conduct constituting the offence or contravention
involves a computer, computer system or computer network located in India (Section 75)
2. Certain documents and transactions like negotiable instruments (excepting a cheque), power of
attorney, trust(s), will and contract for sale of immoveable property are excluded from the
purview of this act.
3. Statutory requirements have been prescribed for retention of electronic records in a format which
captures the information accurately and which facilitates tracking back. Intermediaries are liable
for penal provisions for non-compliance under 67C of the ITAA 2008.
4. Controller of Certifying Authorities is responsible for issuance of licenses to certifying authorities
who in turn are licensed to issue digital signatures (Section 18).
5. Dishonest and fraudulent contraventions of acts defined under section 43 of the ITAA2008 are
offences under section 66 of the ITAA2008. If the acts are simply contraventions, then they will
be dealt by the Adjudicating Officers designated by the government under sections 46 of the IT
Act. An adjudicating officer can adjudicate and award a compensation of up to Rs 5 crores.
6. Officers of the rank of Police Inspectors and above are empowered to investigate offences under
the ITAA 2008
7. As per Information Technology (Procedure and Safeguards for Interception, Monitoring and
Decryption of Information) Rules, 2009, Secretary in the Ministry of Home Affairs in Government
of India and, the Secretary of the Home Department in respective state / union territory
governments are authorized to order the interception, monitoring or decryption of information
from any computer resource(s).
8. As per Information Technology (Procedure and Safeguards for Blocking for Access of Information
by Public) Rules, 2009, Central Government can designate an officer of the Central Government
(not below the rank of a Joint Secretary) to issue directions for blocking public access of any
information in computer resources (Section 69 A of the ITAA 2008).
9. Computer offences as per the ITAA 2008 are-
 a. Computer related offences (include source code tampering, unauthorized access, disruption,
damage etc of computer resources) defined under Section 65, 66 and 66A to 66D.
b. Obscenity and related offences as defined in Sections 66E, 67, 67A and, 67B
c. threat to unity and integrity of India (cyber terrorism), Section 66F
d. Power to Issue directions by competent authorities to block access, monitor traffic etc., Sec
67C, 69, 69A, 70 and 70B.
e. CERT-In designated as the National Nodal Agency for Critical Information Infrastructure
Protection
f. All the offences with upto three years punishment have been made bailable and, as such only
sections 66F, 67A, 67B, 69, 69A and 70 of the ITA are non-bailable.

When is something a crime under IT Act

The ITAA 2008, contains explicit penal provisions for certain offences (66A to 66F). However, Section
66 stands on a different footing, in relation to other penal provisions.
Section 66 of the IT Act makes it amply clear that only when a person, dishonestly, or fraudulently,
does any act(s) referred to in Section 43 of the IT Act, he shall be punishable with imprisonment for a
term which may extend to 3 years or with fine which may extend to 5 lakh rupees, or with both.

Thus, for an act to be investigated under Section 66 of the ITAA 2008 as a cybercrime, it needs to
satisfy two conditions:

1. Firstly, it has to be an act as defined under Section 43 of the ITAA 2008 and,

2. Secondly, it should have been done by a person with dishonest or fraudulent intentions. The
explanation of the words, dishonestly and fraudulently shall have the same meaning as in Section
24 and 25 of the IPC.

Thus, to an IO, if the complaint reveals acts as defined under section 43 of ITAA 2008 only but does
not reveal commission of these acts with dishonest and fraudulent intentions, then it cannot be
investigated as a crime under IT Act. Under these circumstances, these reports of the acts under
section 43 need to be resolved before the adjudicating officers, who were notified under Section 46
of the ITAA 2008. Typically, the concerned Secretaries of the IT Departments in the State Governments
have been designated as the Adjudicating Officers.

Cyber Crimes Mapping with ITAA 2008, IPC and Special & Local Laws

Legal procedure to gather information from outside India

The legal procedure for gathering information from outside India — Mutual legal assistance treaty
(MLAT) and Letter Rogatory/letter of request, guidelines have been issued by the Ministry of Home
Affairs, Government of India.

Sec.166–A and 166–B of CrPC provides for the process for making a request to any foreign country to
help and assist in the investigation.
Provisions of Law:

Section 166-A: Letter of request to competent authority for investigation in a country or place outside
India-

1) Notwithstanding anything contained in this Code if, in the course of an investigation into an
offence, an application is made by the investigating officer or any officer superior in rank to the
investigating officer that evidence may be available in a country or place outside India, any
Criminal Court may issue a letter of request to a Court or an authority in that country or place
competent to deal with such request to examine orally any person supposed to be acquainted
with the facts and circumstances of the case and to record his statement made in the course of
such examination and also to require such person or any other person to produce any document
or thing which may be in his possession pertaining to the case and to forward all the evidence so
taken or collected or the authenticated copies thereof or the thing so collected to the Court issuing
such letter.
2) The letter of request shall be transmitted in such manner as the Central Government may specify
in this behalf.
3) Every statement recorded or document or thing received under sub-section (1) shall be deemed
to be the evidence collected during the course of investigation under this Chapter.

Definition of Letters Rogatory:

Letters rogatory is a formal communication in writing sent by the Court in which action is pending to
a foreign court or Judge requesting the testimony of a witness, residing within the jurisdiction of that
foreign court, may be formally taken thereon under its direction and transmitted to the issuing court
making such request for use in a pending legal contest or action. This request entirely depends upon
the committee of court towards each other and usages of the court of another nation.
In the Bofors case a letter of rogatory was issued with request to authorities in Switzerland, for
freezing certain bank accounts, and the accused did not claim, any amount connected with Bofors
case as being deposited in his Swiss Bank, held that it cannot be said that the accused was deprived
of his property and that he is not entitled to any prior notice and opportunity of being heard. [Union
of India v Chadha]

Section 166-B CrPC: Letter of request from a country or place outside India to a Court or an authority
for investigation in India

(1) Upon receipt of a letter of request from a Court or an authority in a country or place outside India
competent to issue such letter in that country or place for the examination of any person or
production of any document or thing in relation to an offence under investigation in that country or
place, the Central Government may, if it thinks fit,
i. Forward the same to the Chief Metropolitan Magistrate or Chief Judicial Magistrate or such
Metropolitan Magistrate or Judicial Magistrate as he may appoint in this behalf, who shall
thereupon summon the person before him and record his statement or cause the document
or thing to be produced ; or
 ii. Send the letter to any police officer for investigation, who shall thereupon investigate into the
offence in the same manner, as if the offence had been committed within India.
(2) All the evidence taken or collected under sub-section (1), or authenticated copies thereof or the
thing so collected shall be, forwarded by the Magistrate or police officer, as the case may be, to the
Central Government for transmission to the Court or the authority issuing the letter of request, in such
manner as the Central Government may deem fit.

When will both IT Act and IPC apply together?

Not always. If the offence is covered under IT act which is a special act, then IPC won’t be applicable.
However, if the offence is not covered, then both will be applicable.

1. Sharat Babu Digumarti v. Govt. (NCT of Delhi), (2017, Supreme Court)

2. Gagan Harsh Sharma and Another vs. State of Maharashtra (2019, Bombay HC)
Cyber Threat Classification

Contravention (Civil wrong) v/s Offences (Criminal wrong)

Contravention (Civil Wrong)

A cyber contravention refers to a civil wrong under IT Act, 2000. It is important to note that law of
torts provide remedies for civil wrong where affected person can compel the wrong doer to pay
damages by way of compensation.

Section 43A. Compensation for failure to protect data. –

Where a body corporate, possessing, dealing or handling any sensitive personal data or information
in a computer resource which it owns, controls or operates, is negligent in implementing and
maintaining reasonable security practices and procedures and thereby causes wrongful loss or
wrongful gain to any person, such body corporate shall be liable to pay damages by way of
compensation, to the person so affected.

Offences (Criminal Wrong)

1) Section 65. Tampering with computer source documents.

2) Section 66. Computer related offences.
3) Section 66B. Punishment for dishonestly receiving stolen computer resource or communication
device.
4) Section 66C. Punishment for identity theft.
5) Section 66D. Punishment for cheating by personation by using computer resource.
6) Section 66E. Punishment for violation of privacy.
7) Section 66F. Punishment for cyber terrorism.
8) Section 67. Punishment for publishing or transmitting obscene material in electronic form.
9) Section 67A. Punishment for publishing or transmitting of material containing sexually explicit
act, etc., in electronic form.
10) Section 67B. Punishment for publishing or transmitting of material depicting children in sexually
explicit act, etc., in electronic form.
11) Section 67C. Preservation and retention of information by intermediaries.
12) Section 77B. Offences with three years’ imprisonment to be bailable.
13) Section 78. Power to investigate offences.
The Information Technology Act, 2000

Section 2(1)

(i) “computer” means any electronic, magnetic, optical or other high-speed data processing device or
system which performs logical, arithmetic, and memory functions by manipulations of electronic,
magnetic or optical impulses, and includes all input, output, processing, storage, computer software
or communication facilities which are connected or related to the computer in a computer system or
computer network;

(j) “computer network” means the inter-connection of one or more computers or computer systems
or communication device through–
i. the use of satellite, microwave, terrestrial line, wire, wireless or other communication
media; and
ii. terminals or a complex consisting of two or more interconnected computers or
communication device whether or not the inter-connection is continuously maintained;]

(k) "computer resource" means computer, computer system, computer network, data, computer data
base or software;

(l) "computer system" means a device or collection of devices, including input and output support
devices and excluding calculators which are not programmable and capable of being used in
conjunction with external files, which contain computer programmes, electronic instructions, input
data and output data, that performs logic, arithmetic, data storage and retrieval, communication
control and other functions;

Section 43. Penalty and compensation for damage to computer, computer system, etc.
If any person without permission of the owner or any other person who is incharge of a computer,
computer system or computer network, —

(a) accesses or secures access to such computer, computer system or computer network or computer
resource;

(b) downloads, copies or extracts any data, computer data base or information from such computer,
computer system or computer network including information or data held or stored in any removable
storage medium;

(c) introduces or causes to be introduced any computer contaminant or computer virus into any
computer, computer system or computer network;

(d) damages or causes to be damaged any computer, computer system or computer network, data,
computer data base or any other programmes residing in such computer, computer system or
computer network;

(e) disrupts or causes disruption of any computer, computer system or computer network;

(f) denies or causes the denial of access to any person authorised to access any computer, computer
system or computer network by any means;
(g) provides any assistance to any person to facilitate access to a computer, computer system or
computer network in contravention of the provisions of this Act, rules or regulations made
thereunder;

(h) charges the services availed of by a person to the account of another person by tampering with
or manipulating any computer, computer system, or computer network;

(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value
or utility or affects it injuriously by any means;

(j) steal, conceal, destroys or alters or causes any person to steal, conceal, destroy or alter any
computer source code used for a computer resource with an intention to cause damage;

[he shall be liable to pay damages by way of compensation to the person so affected.] Explanation.–
For the purposes of this section,–

(i) “computer contaminant” means any set of computer instructions that are designed–
(a) to modify, destroy, record, transmit data or programme residing within a computer, computer
system or computer network; or

(b) by any means to usurp the normal operation of the computer, computer system, or computer
network;

(ii) “computer data-base” means a representation of information, knowledge, facts, concepts or

instructions in text, image, audio, video that are being prepared or have been prepared in a
formalised manner or have been produced by a computer, computer system or computer network
and are intended for use in a computer, computer system or computer network;

(iii) “computer virus” means any computer instruction, information, data or programme that
destroys, damages, degrades or adversely affects the performance of a computer resource or
attaches itself to another computer resource and operates when a programme, data or instruction is
executed or some other event takes place in that computer resource;

(iv) “damage” means to destroy, alter, delete, add, modify or rearrange any computer resource by
any means.

[(v) “computer source code” means the listing of programme, computer commands, design and
layout and programme analysis of computer resource in any form.]

Sec-43A- Compensation for failure to protect sensitive personal data [Omitted in 2023]

Where a body corporate, possessing, dealing or handling any sensitive personal data or information
in a computer resource which it owns, controls or operates, is negligent in implementing and
maintaining reasonable security practices and procedures and thereby causes wrongful loss or
wrongful gain to any person, such body corporate shall be liable to pay damages by way of
compensation to the person so affected.

Explanation.–For the purposes of this section,–

(i) “body corporate” means any company and includes a firm, sole proprietorship or other association
of individuals engaged in commercial or professional activities;

(ii) “reasonable security practices and procedures” means security practices and procedures designed
to protect such information from unauthorised access, damage, use, modification, disclosure or
impairment, as may be specified in an agreement between the parties or as may be specified in any
law for the time being in force and in the absence of such agreement or any law, such reasonable
security practices and procedures, as may be prescribed by the Central Government in consultation
with such professional bodies or associations as it may deem fit;

(iii) “sensitive personal data or information” means such personal information as may be prescribed
by the Central Government in consultation with such professional bodies or associations as it may
deem fit.]

Section 44. Penalty for failure to furnish information return, etc.

If any person who is required under this Act or any rules or regulations made thereunder to–

(a) furnish any document, return or report to the Controller or the Certifying Authority fails to furnish
the same, he shall be liable to a penalty not exceeding 15 lakh rupees for each such failure;

(b) file any return or furnish any information, books or other documents within the time specified
therefor in the regulations fails to file return or furnish the same within the time specified therefor in
the regulations, he shall be liable to a penalty not exceeding 50,000 rupees for every day during which
such failure continues;

(c) maintain books of account or records, fails to maintain the same, he shall be liable to a penalty not
exceeding 1 lakh rupees for every day during which the failure continues.

Section 45. Residuary penalty

Whoever contravenes any rules, regulations, directions or orders made under this Act, for the
contravention of which no penalty has been separately provided, shall be liable to pay a penalty not
exceeding 1 lakh rupees, in addition to compensation to the person affected by such contravention
not exceeding—

(a) 10 lakh rupees, by an intermediary, company or body corporate; or

(b) 1 lakh rupees, by any other person.

New South Communication Org v Universal Telephone Company (2000)

a. Even if no intention to harm but unauthorised access- that is violation of s 43(b)

b. In this case, he send financial information and other relevant data to himself while leaving the
company and so in contravention of S 43(6)
How and what all encompasses data theft, and when do we ascribe liability? This deals with a
provision similar to 43(b). Here, an ex-employee, at the time of leaving the company, sent some
documents (containing financial info, which amounted to trade secrets) to his personal mail. He was
held to be liable for data theft. Further, Sec. 2(1)(o) is relevant for data theft. It defines ‘data’. It has
been given a very broad understanding, and it extends to hard copies of info also. ‘Data’ can also be
understood from Explanation 2 to Sec. 43, dealing with ‘computer database’.

• Jan Vishwas Amendment Act, 2023- several provision of IT Act got amended

Cyber Offences:

Section 65:

So, a connection can be drawn with Sec. 43(j) and they’re to be read together. There’s no specific
language or meaning ascribed to a computer source code under the act. when such a source code is
put into an assembler or a compiler, it converts it into a form that the machine understands. Sec. 65
says that tampering with the source code or the object code would amount to a violation. Further, it
also says that it doesn’t even matter as to in which form your source code is.

The controversy under this section pertains to ‘kept or maintained’, it was understood as an OR
obligation and not an AND obligation. So, people assumed that keeping the source code was
enough, which wasn’t, it was to be kept AND maintained.

Syed Asabuddin v. State of AP

Here, 2 companies were involved, Reliance infocomm and Tata Indicom. Reliance had taken an
exclusive franchise for distribution of certain numbers. Tata indicom employee changed the 32 bit
number, and they contended that the same did not amount to a violation as sirf code ko rakhna
zaroori hai and not to maintain it. The court rejected this contention and held that Sec. 65 is
operational in 2 situations –

• Kept in its original form

• Maintenance as well – standard of maintenance wasn’t laid down.

When this is r/w Sec. 43(j), it is seen broadly seen as a computer offence. Certain distinctions are
there however, nature of crime, the effect on source code, the type of source code [43(j) – any
source code], types of devices, mens rea, on the basis of penalty.

Speaking of computer offence, Sec. 66 is relevant.

S 65 – tampering computer source document

a. IT Act does not differentiate between source code and object code
b. Source code can be electronic as well
c. Interpretation of s 65

SECTION 66
This deals with all your computer related offences. This section simply criminalises all the acts of Sec.
43 if done with an intention. This intention is ascribed basis the terms used – ‘dishonestly,
fraudulently’. Now, if we see Sec. 2(7), 2(36), 2(37) of BNSS, we can better understand these terms
and terms such as wrongful gain and wrongful loss.

Prior to the 2008 amendment, this section wasn’t worded like this and was primarily used to tackle
offences dealing with hacking. Hacking is one of the many kinds of unauthorized uses. It was done
away with when the legislature realized its narrow scope. Post the 2008, we can see that the degree
of intention that is needed has been enhanced. Pehle this section used to apply when there was
intention or knowledge, now it applies only to intention.)

Nirav Shah v State of Gujarat

clarified that electronic evidence is admissible in courts if obtained and certified properly under the
provisions of the Evidence Act, and that collecting digital evidence does not violate the right against
self-incrimination, establishing key principles for handling electronic data in legal proceedings.

Abhinav Gupta v state of Haryana

Reinforced the legal framework for the admissibility of electronic evidence under IT law, emphasizing
the need for proper certification and preservation of digital records. It also stressed procedural
safeguards during cybercrime investigations to ensure the reliability of electronic evidence and
protect the rights of the accused.

Shreya Singhal Case

a. In 2023, several FIR can be seen u/s 66 though it was stuck down by SC until it was finally omitted
by 2023 amendment Act
b. S 66 was capable of limiting all forms of online discussions – S.66A struck down as per court in
Shreya Singhal Case
c. S 32E of Jan Vishwas Amendment Act, 2023 and S 66A were finally deleted

Cyber Bullying – trolling is a subset of this

a. Meena Kandasanya Case – Dalit beef festival

b. Bal Barthi Public School case- Grafitti in school washroom stalls being put up on the web–
violation of S66A

S 66F- Cyber Terrorism- Engineering student stated he wants to kill 3000 Muslims. This was dealt
with under Sec. 66F as 66A wasn’t available.

Cyber Stalking

S.78 of BNS- it is not a gender-neutral crime (starts with ‘any men’)

a. Gopal v State of Karnataka

b. S Raju Iyer v Jawaharlal Nehru Industry (2013)
c. Kulwinder Singh v State of Punjab (2001)
d. State v Ashok Kumar (2013)
Section 66B cases-

1. Vodafone Mobile Services Limited v State (2015)

2. Kiran Kumar v State of Chhattisgarh (2016)
3. S Ravi Kumar v Commissioner of Commercial Taxes, Chepauk (2016)
4. Chandrashekar v State of Maharashtra (1860)
5. Shagun v state of Jharkhand (2016)

SECTIONS 66C, 66D

66C deals with identity theft, and 66D deals with cheating by personation. What’ the difference? These
sections are to be read with Sec. 43(h) and 66.

In identity theft, any individual’s credentials/identifiers are being used to dishonestly and deceptively
do something. Identity theft usually involves loss to the person whose identity has been stolen, which
may not always be the case with personation.

For cheating, Sections 318, 319 of the BNSS are also relevant.

Identity theft always involves a real person but in personation, it could be a real person or even an
imaginary one.

Impersonation cases

a. David Mathew Read- Pretended to be Demi Moore’s PA and said to her bank that her credit card
(a no limit card) has been lost so please send a new one to this address.
b. Lui Fulores- identity theft of Kim Kardasian social security number was linked to his address and
then to cr and dr card
c. Bloomberg Finance LP V State of Karnataka (criminal case)
d. Deepak Ratanlal Wabecha v state of Maharashtra
e. Deepak Omprakash Gupta v State of Maha
f. Girish Kumar Maleecha v State of Telegana

Section 66E

This section discusses the violation of privacy. When this section is there already, then why was there
a controversy about not having a privacy related law in India? This is because this section restricts
itself to bodily privacy. An important element of this section is about not giving consent. But what
happens when you consent to getting a photograph clicked but then it is published online? Ans. - this
section will still apply, given that the consent was only for personal use and not for it to be published.

This section doesn’t specify what ‘photograph’ means in the sense that self-destructing or view
photographs are covered or not. They’re covered, as per 66(a).

In this regard, an example of Google Glass is relevant. These were glasses that could capture videos
and photos by using motion-sensing technology. They’ve been discontinued for very obvious privacy
concerns.
Other examples of cameras in bathrooms, etc, third wave coffee recent case etc Paparazzi taking
photos from weird angles etc violative

Say if I send a snap but the recipient didn’t ever see it, deleted their account or whatever, it will still
fall under 66(a) because intent for it to be viewed was there.

This section also, in part refers to voyeurism under Section 77 of BNS.

Relevant Cases -

1) Beenu Tanta v. Delhi HC (2014) - she was an advocate and was recorded in the HC washroom.
2) Balwinder Singh v. State of PB (2016)
3) Jakibhai Shardabhai v. State of GJ (2015)
a. Violation of privacy
b. It limits only to bodily privacy
c. There is reasonable expectation for privacy for public washroom, hotel rooms
d. Important ingredient here is consent and intent
• consent to photograph but not publication
• consent is limited to clicking photos and not publication

Section 66 F- Punishment for cyber terrorism

a. Where utilise computer a wide spread offence called cyber- terrorism

b. 2015 case- invoked s 66 F where told 1st year student posted that he will kill 3000 Muslims
c. It is provoking acts- features like contempt of court – wide spread abuse of section

Cyber vandalism- website (home page) (cartoons)- comes under section 66(f) because it is not against
government

1. Internet of things- aggravating cyber terrorism- how?

a. Network of physical objects
b. Coupled with sensor or software and other technologies for the purpose of connecting and
exchanging data with other devices and systems over the internet -eg- self driving cares,
fitness tracking devices
c. Mere attempt also becomes cyber terrorism
d. S 66 F only section which gives life imprisonment
2. Stuxnet case- cyberwarfare weapon developed by USA-Isreal – used to attach Iran
a. Here question- one govt doing something against another govt- whether this comes under
cyber-terrorism
b. Eg- Kudrakulam power plant case- cyber-attack happened- govt recognised it as cyber-attack

Cyber Security

CIA triad is there. C - Confidentiality, I - integrity and A - availability. It is a common model for
developing security systems and is used to identify vulnerabilities and create solutions.
● Confidentiality - Protecting the privacy of individuals and proprietary information by limiting access
to data and preventing unauthorized sharing

● Integrity - Ensuring that data is accurate, authentic, and reliable, and that it's not modified or
destroyed improperly. Blockchain and data diddling example is there as to how integrity is to be
maintained.

● Availability - Making sure that authorized users can access information and systems in a timely and
reliable manner.

The National Cyber Security Policy, 2013. The preamble gives the essence of what constitutes
‘cybersecurity’. The same is protection of information data structure, along with the protection of CIA
triad. The core focus of a cybersecurity policy differs from country to country. They have used the
term ‘incident’ and not ‘attack’ because there’s no physical damage usually but its impact is still felt
without the physical harm so it’ll be better understood as an incident than to call it an attack. This way
it has a wider ambit.

Cybersecurity is defined under Sec. 2(1)(nb). In addition, Rules 2(1)(h) and 2(1)(f) of the IT (Indian
Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013
are relevant as they define ‘cybersecurity’ and ‘cybersecurity incident’, respectively. In addition, Rule
2(1)(d) of IT Rules, 2011 defines cyber incidents.

Cybersecurity is required on various levels, both individual and organisational levels. In terms of the
IT Act, 2000, 6 sections are to be read (Sec. 69, 70B, etc.).

Examples of cybersecurity breaches/attacks - APTs (Advanced Prolonged Threats - 2021 China

allegedly did this to Indian power sector. Some US company informed us of China), Advanced
Persistent Threats, CAT exams PII details leak, Sidecopy malware by Pakistan.

SECTION 69

This the provision that is used for surveillance.

Swift banking system attach in 2020- national incident for cyber security at national level. Personally
Identifiable Infor of 2,00,000 CAT students leaked in 2021.

Cyber espionage- Operation SideCopy flagged as Pakistani threat to Indian, Indian military and
diplomats targeted, malware in their devices to get info etc.

Advanced Persistent Threat (APT)- remains hidden in your network and slowly takes info etc, in 2021
China used this to attack India, company called RedEco flagged this to India.

1. Post 26/11, s 69A was added

2. S 69- power to issue direction for interception or monitoring or decryption of any information
through any computer resource
a. When possible
• If authorised by officials of CG/SG
• In defence of India
• Sovereignty or integrity of India
• Security of state
• Friendly commission of any cognizable offence
 • Preventing incitement to commission of any cognizable offence

Section 66F is relevant, which was put under focus after 26/11 attacks. This section gives government
very wide reaching powers and gives them a lot of control. Even before this, we had Sec. 5 of the
Telegraph Act, which is very old but gives similar powers to the central govt. (even state govt. In some
respects). The telegraph act also empowers the DoT to give licenses to ISPs when any intermediary
wants to operate in India. This is also how encryption is covered, to what extent will it be done,
whether decryption is possible and till what extent. If all this is already taken care of under law, then
why do at times these intermediaries (WhatsApp, Instagram) refuse to share data with agencies.

The ambit of the govt.’s powers is to be understood. Sec. 5 has now been replaced by Sec. 20 of the
Telecommunications act. There are slight differences though.

Read Sections 69A, 69B + IT (Procedure and Safeguards for Interception, Monitoring and Decryption
of Information) Rules, 2009.

If you look up interception cases, its core origin began in 2008, again 26/11 attacks.

Internet outages and the extent of the govt’s power.

Anuradha Bhasin case (JK internet case) + general example sof when internet is shut or slowed down.

Whether the banning of Chinese apps was constitutionally sound?

-Concept of fantum constitutionality

3. S 69 ITA is read in conjunction with S 5 of Telegram Act

4. DoT not only give licences to any entities, but also regulates how much of encryption is to be done

Examples:

1. Govt asked information from Blackberry- it denied for decrypting- stating it is violative of privacy
2. Twitter- India tussle
o Court said when a foreign entity operating in India- it needs to abide by Indian law while
operating premises within Indian territory

Section 69A- power of govt to issue direction for blocking public access of any information through
any computer resources + power to complete shutdown of internet – reason for issuing such direction
to be written in writing

a. Anuradha Basin Case

b. Frequent media blackouts
c. Internet shutdown during
• farmers protest in Delhi
• implementation of CAA
• in Jharkhand before conducting a govt exam
• at time of conviction of Asharam
 5. S 69B- power to authorise to monitor and collect traffic data or information through any computer
resource for cyber security
a. Here CG may authorise any govt agency to do so through a notification in official gazette
b. Collect traffic data that is- generated/ transmitted, received or stored in any computer
resource
6. Relevant rule to be read with S 67 and 68 - Information technology procedure and safeguards for
interception, monitoring and decryption of information Rules, 2009

Cases on Section 69 A

a. Tanul Thakur v UOI

b. Anuradha Basin v UOI
c. 2008 Blackberry case

[Link] case

An intermediary can claim that it is not liable by relying on safe harbour principle- but in case
intermediaries are asked by govt for some info- that mentioned principal can’t be relied upon

a. If still forced by govt to give data, those intermediaries can reach out to court
b. Until and unless intermediaries don’t lose out the safe harbour principal, they cannot be forced
to give data by govt

Digital Right Software management- in case of musical copyright infringement, these software comes
into action and restricts you from using certain music
What is digital evidence and what is the nature of digital evidence

Digital evidence or electronic evidence is “any probative information stored or transmitted in digital
form that a party to a court case may use at trial”. Section 79A of IT (Amendment) Act, 2008 defines
electronic form evidence as “any information of probative value that is either stored or transmitted
in electronic form and includes computer evidence, digital audio, digital video, cell phones, digital fax
machines”.

The main characteristics of digital evidence are, it is latent as fingerprints and DNA, can transcend
national borders with ease and speed, highly fragile and can be easily altered, damaged, or destroyed
and also time sensitive. For this reason, special precautions should be taken to document, collect,
preserve, and examine this type of evidence. When dealing with digital evidence, the principles that
should be applied are, actions taken to secure and collect digital evidence should not change that
evidence; persons conducting the examination of digital evidence should be trained for this purpose
and activity relating to the seizure, examination, storage, or transfer of digital evidence should be fully
documented, preserved, and available for review.

Cyber Forensics

Computer/ Cyber forensics is an emerging practice to discover evidence from digital devices, and
prosecute criminals in a Court of law. The term “Computer Forensics” was coined back in 1991 in the
first training session held by the International Association of Computer investigative Specialists (IACIS)
in Portland, Oregon, USA. Like traditional forensics, Computer forensics is a science, and uses
specialized skills, tools and programs.

In simple terms from an investigators’ perspective, it is the science of extraction of evidences from
digital devices without altering the authenticity of the original evidence object.

Process

Cyber forensics process encompasses five key elements:

1) The identification and acquiring of digital evidence: Knowing what evidence is present, where it
is stored and how it is stored is vital in determining which processes are to be employed to
facilitate its recovery. In addition, the Cyber forensic examiner must be able to identify the type
of information stored in a device and the format in which it is stored so that the appropriate
technology can be used to extract it. After the evidence is identified the cyber forensic examiner/
investigator should image/ clone the hard-disk or the storage media.
2) The preservation of digital evidence is a critical element in the forensic process. Any examination
of the electronically stored data can be carried out in the least intrusive manner. Alteration to
data that is of evidentiary value must be accounted for and justified.
3) The analysis of digital evidence —the extraction, processing and interpretation of digital data—
is generally regarded as the main element of cyber forensics. Extraction produces a binary junk,
which should be processed, to make it human readable.
4) Report the findings, means giving the findings, in a simple lucid manner, so that any person can
understand. The report should be in simple terms, giving the description of the items, process
adopted for analysis & chain of custody, the hard & soft copies of the findings, glossary of terms
etc.
5) The presentation of digital evidence involves deposing evidence in the court of law regarding the
findings and the credibility of the processes employed during analysis.

Reference Links:

[Link]