Crimes related to Information Technology

(By Group no. 3 - Sr. No 11 to 15 & 21)

1
 Crimes related to Information Technology

A. Introduction
Any criminal activity that involves a computer, networked device, or any other related device
can be considered a cyber crime. There are some instances when cyber crimes are carried out
with the intention of generating profit for the cybercriminals, whereas other times a cyber
crime is carried out directly to damage or disable the computer or device. It is also possible
that others use computers or networks to spread malware, illegal information, images, or any
other kind of material. As a result of cyber crime, many types of profit-driven criminal
activities can be perpetrated, such as ransomware attacks, email and internet fraud, identity
theft, and frauds involving financial accounts, credit cards or any other payment card. The
theft and resale of personal and corporate data could be the goal of cybercriminals. In India,
cyber crimes are covered by the Information Technology Act, 2000 and the Indian Penal
Code, 1860. It is the Information Technology Act, 2000, which deals with issues related to
cyber crimes and electronic commerce.
Internet, though offers great benefit to the society, it also present opportunities for crime
using new and highly sophisticated technology tools. Cyber crime is emerging as a serious
threat. Worldwide governments, police departments and intelligence units have started to
react. Initiatives to curb cross border cyber threats are taking shape.In simple words,
cybercrime can be divided into two big categories: Computer as a target and computer as a
tool.
Computer as a target crimes require much higher expertise from the perpetrators and are
usually committed as a group of individuals rather than loners. Given the technical expertise
required to execute and the novelty of these types of crimes, these are the crimes that society
is more unprepared to face. Fortunately, this type of cybercrime is the least common, due to
the expertise and coordination that they require. These crimes usually depend on computer
viruses, malware, and denial of service attacks.

Computer as a tool cybercrime is much less technically unrefined, thus making it more
common; in these cases, the attacker relies on human weaknesses to exploit. These include
thefts, scams, and harassment, which have existed for centuries, way before computer science
started to develop.

The entire world is moving towards development and simultaneously towards technological
advancement and the rapid development of internet and computer technology globally has led
to the growth of new forms of transnational crime especially. The problems and crimes
brought by or in sector of information technology/ internet have virtually no boundaries. All
members of society are negatively impacted by crime, regardless of its form. Due to the
Internet's fast spread and the digitalisation of commercial activity, cyber crime has risen
sharply in developing nations.

Cyber law is actually a law enacted by the concerned Government of the concerned country
and state which allow for computer and cyber offence. Cyber Crime is the crime and other
offensive activity such as computer crime, mobile crime, and IT crime may fall under the
Cyber Crime.

2
Causes of Cyber Crime:

To earn a huge amount of money, Cyber-criminals always choose an easy way. Banks,
casinos, companies, and, financial firms are the prosperous organizations and their target
centers where an enormous amount of money runs daily and has diplomatic information.
It’s very difficult to catch those criminals. Hence, the number of cyber-crimes are
increasing day-by-day across the globe. We require so many laws to protect and safeguard
them against cyber-criminals since the devices we use everyday for businesses and
communication might have vulnerabilities that can be exploited. We have listed some of the
reasons :

1. Easy to access computers – Since technology is complex, it has become very

difficult to protect the computer from viruses and hackers. There are so many
possibilities of hacking when we safeguard a computer system from
unauthorized access. Hackers can steal access codes, retinal images, advanced
voice recorders, etc that can mislead the bio-metric systems easily and can be
utilized to get past many security systems by avoiding firewalls.
2. Size to store computer data in comparatively small space – The computer has
got a distinctive feature of storing data in a very small space. Due to this, the
people can steal data very easily from any other storage and are using this for
their purpose.
3. Complexity of Code – The computers can run on operating systems and these
operating systems are programmed with millions of codes. There might be
mistakes in the code. The human brain is defective so that they can commit
mistakes at any stage. The cyber-criminals take advantage of these loopholes.
4. Negligence of the user – Human beings always neglect things. So, if we make
any negligence in protecting our computer system which leads the cyber-
criminal to the access and control over the computer system.
5. Loss of evidence – Hackers always make sure to clear any evidence i.e log data
related to the attack. So, Loss of evidence has turned into an evident problem
that disables the law enforcement to go beyond the investigation of cyber-crime.

B. TYPES OF CYBER CRIME

Cybercrime may be committed:

1. Against an individual (For example, threatening emails, cyber stalking, defamation,

cheating, email spoofing, cyber fraud, etc.);
2. Against property (For example, internet thefts, software piracy, copyright
infringement, internet thefts, computer vandalism, etc.);
3. Against governments or organizations (For example, cyber terrorism, distributing
pirated software, unauthorized control over computer systems);
4. Crime against society (For example, child pornography, online gambling, web
jacking, forgery, trafficking, sale of banned products online, and financial crimes).

3
 The following are considered to be the major types of cyber-crimes:

1. Child pornography or child sexually abusive material (CSAM):

In its simplest sense, child sexual abuse materials (CSAMs) include any material
containing sexual images in any form, wherein both the child being exploited or
abused may be seen. There is a provision in Section 67(B) of the Information
Technology Act which states that the publication or transmission of material depicting
children in sexually explicit acts in an electronic form is punishable.

2. Cyberbullying:

A cyberbully is someone who harasses or bullies others using electronic devices like
computers, mobile phones, laptops, etc. Cyberbullying refers to bullying conducted
through the use of digital technology. The use of social media, messaging platforms,
gaming platforms, and mobile devices may be involved. Oftentimes, this involves
repeated behaviour that is intended to scare, anger, or shame those being targeted.

3. Cyberstalking:

Cyberstalking is the act of harassing or stalking another person online using the
internet and other technologies. Cyberstalking is done through texts, emails, social
media posts, and other forms and is often persistent, methodical, and deliberate.

4. Cyber grooming:

The phenomenon of cyber grooming involves a person building a relationship with a

teenager and having a strategy of luring, teasing, or even putting pressure on them to
perform a sexual act.

5. Online job fraud:

An online job fraud scheme involves misleading people who require a job by
promising them a better job with higher wages while giving them false hope. On
March 21, 2022, the Reserve Bank of India (RBI) alerted people not to fall prey to job
scams. By this, the RBI has explained the way in which online job fraud is
perpetrated, as well as precautions the common man should take when applying for
any job opportunity, whether in India or abroad.

6. Online sextortion:

The act of online sextortion occurs when the cybercriminal threatens any individual to
publish sensitive and private material on an electronic medium. These criminals
threaten in order to get a sexual image, sexual favour, or money from such
individuals.

4
7. Phishing:

Fraud involving phishing is when an email appears to be from a legitimate source but
contains a malicious attachment that is designed to steal personal information from
the user such as their ID, IPIN, Card number, expiration date, CVV, etc. and then
selling the information on the dark web.

8. Vishing:

In vishing, victims’ confidential information is stolen by using their phones.

Cybercriminals use sophisticated social engineering tactics to get victims to divulge
private information and access personal accounts. In the same way as phishing and
smishing, vishing convincingly fools victims into thinking that they are being polite
by responding to the call. Callers can often pretend that they are from the government,
tax department, police department, or victim’s bank.

9. Smishing:

As the name suggests, smishing is a fraud that uses text messages via mobile phones
to trick its victims into calling a fake phone number, visiting a fraudulent website or
downloading malicious software that resides on the victim’s computer.

10. Credit card fraud or debit card fraud:

In credit card (or debit card) fraud, unauthorized purchases or withdrawals from
another’s card are made to gain access to their funds. When unauthorized purchases or
withdrawals of cash are made from a customer’s account, they are considered
credit/debit card fraud. Fraudulent activity occurs when a criminal gains access to the
cardholder’s debit/credit number, or personal identification number (PIN). Your
information can be obtained by unscrupulous employees or hackers.

11. Impersonation and identity theft:

A person is impersonated or exposed to identity theft when they make fraudulent use
of an electronic signature, a password, or any other unique identifier on another
person’s behalf.

12. Online intellectual property infringements:

Intellectual property infringements include the sale of counterfeit or replica goods,

content piracy, patent infringement, and more.They are explained as follows:

5
 Counterfeit and replica goods: Products created to look identical to an existing
product made by a third party’s brand; while counterfeits are branded, replicas are
not.
 Piracy: Piracy is the unauthorized reproduction, copying, and spreading of
copyrighted materials.
 Patent infringement: These are products that exactly copy the functionality and
mechanism of products protected by utility patents.

13. Cyber Terrorism:

Cyber terrorism is also known as information wars and can be defined as an act of
Internet terrorism which contains cautious and large-scale strikes and disturbances
of computer networks using computer viruses or the physical attacks using malware
to strike individuals, governments and other organizations. The aim of terrorists is to
produce a sense of terror in the brains of the victims. Maintaining this idea in mind,
it enhances a simple way to modify the cyber-attacks for a financial or egotistical
and achieve from acts of cyber terrorism. Cyber terrorists drive with the aim of harm
and demolition at the forefront of their activities like a vanguard.

14. Computer Vandalism:

This is a type of malicious action that involves the destruction of computers and
data in different ways and certainly disrupting businesses. The computer vandalism
involves the installation of malicious programs which are designed to perform
damaging tasks such as deleting hard drive data or remove login credentials.
Computer vandalism differs from viruses which hold themselves to the existing
programs.

15. Malicious Software:

This software based on the Internet or programs that are used to disturb a network.
The software is used to acquire access to a system to loot diplomatic information or
data or causing destruction to the software which is present in the system.

16. Social engineering:

Social engineering attacks are conducted by exploiting human errors and behaviours
to perpetrate a cyber attack. Social engineering means manipulating someone to
reveal confidential or sensitive information, usually through digital communication
and using the same for fraudulent purposes. Since it takes advantage of human
vulnerabilities for unlawful ends, it is also called human hacking. For example, a
cybercriminal impersonating an IT professional contacts you under the guise of
updating your security software. Such cyber criminals build trust with their targets,
collect their personal information, commit the attack, and depart. Some of the
common social engineering attacks include baiting, too good to be true schemes,
phishing, email hacking, etc.

17. Email stalking:

Sending unsolicited emails persistently is one of the most common forms of cyber
stalking. The cyber criminal sends obscene or threatening emails to the victim and these
mails may also include viruses and links to fake or harmful websites. In order to

6
 constitute the offence of stalking, the element of persistent unwanted communication
which has the potential to intimidate the victim should be there.

18. Internet stalking:

This means stalking on the internet. The cyber criminal stalks your social media by
creating a fake profile and might send you messages persistently or create a fake ID in
your name on any social media platform along with your contact details. Cyber criminals
take advantage of the anonymity of the internet to slander their victims and threaten them.

19. Computer stalking:

Here, the cyber criminal exploits the working of the internet and operating system to
assume control over the computer of the targeted victim. As soon as the target computer
connects to the internet, the cybercriminal can communicate directly with his victim.

20. Cyber fraud:

Cyber fraud means any fraud committed by using a computer as a means or a target to
gain an unlawful financial advantage. Internet fraud is any fraud committed through or
with the aid of computer programming or internet-related communication such as
websites, emails, and chat rooms. In today’s digital world, all payments and other
financial transactions take place online. Thus, cyber fraud has become a lucrative
business for cybercriminals. These frauds include misuse of credit cards by obtaining
passwords through hacking, bogus investment, and misappropriation and transfer of
funds. The various legal provisions invoked in case of cyber fraud include Section
420 and Section 408 etc.

Forms of computer fraud

Input fraud: It involves the falsification of data before or at the moment of its entry into
the computer. For example, misuse of cash dispensing cards.
Output fraud: This involves the fraudulent manipulation of data at the point it is
outputted from the computer. For example, forging paychecks.
Programme fraud: It involves either the creation of a program with a view to fraud or the
alteration or amendment of a program to such ends. For example, Salami fraud.

21. Cyber defamation:

Cyber defamation can be broadly defined as any act, deed, word, gesture, or thing on the
internet or concerning cyberspace that is designed to harm a person’s reputation or
goodwill on the internet with a malafide intention so that others in the community,
whether online or offline would view the person with ridicule, hatred, contempt,
indifference or any other negative attribute. For example, posting vulgar pictures of a
person on social media without his consent, creating fake accounts in someone’s name,
sending obscene messages to his friends and relatives, etc. Thus, cyber defamation refers
to defaming a person online or in cyberspace. It is noteworthy that word travels like light
in cyberspace and the defamatory content reaches millions in a matter of seconds. Hence,
defamation in the context of cyberspace has become a serious concern.
Sections 499 and 500 of I.P.C. deals with defamation. Section 66A of the Information
Technology Act, 2000 provides punishment for sending offensive messages through
communication services, etc. However, the said Section was struck down as
unconstitutional by the Supreme Court in the case of Shreya Singhal v. Union of
India(2015) on the ground that it violates the right to free speech and expression.

7
22. Others:
Other cyber crimes usually include:
(a) Unauthorized access of the computers
(b) Data diddling
(c) Virus/worms attack
(d) Theft of computer system
(e) Hacking
(f) Denial of attacks
(g) Logic bombs
(h) Trojan attacks
(i) Internet time theft
(j) Web jacking
(k) Email bombing
(l) Salami attacks
(m) Physically damaging computer system.

C. Historical perspective

From the 1940s to the present, discover how cybercrime and cybersecurity have
developed to become what we know today.Many species evolve in parallel, each
seeking a competitive edge over the other. As cybersecurity and technology have
evolved, so have criminals and ‘bad actors’ who seek to exploit weaknesses in the
system for personal gain – or just to prove a point. This arms race has been going on
since the 1950s, and this article explains the evolution of cyberattacks and security
solutions.

 1940s: The time before crime

 1950s: The phone phreaks
 1960s: All quiet on the Western Front
 1970s: Computer security is born
 1980s: From ARPANET to internet
 1990s: The world goes online
 2000s: Threats diversify and multiply
 2010s: The next generation

1940s: The time before crime

For nearly two decades after the creation of the world’s first digital computer in 1943,
carrying out cyberattacks was tricky. Access to the giant electronic machines was
limited to small numbers of people and they weren’t networked – only a few people
knew how to work them so the threat was almost non-existent.Interestingly, the theory
underlying computer viruses was first made public in 1949 when computer
pioneer John von Neumann speculated that computer programs could reproduce.

8
1950s: The phone phreaks

The technological and subcultural roots of hacking are as much related to early
telephones as they are to computers.In the late 1950s, ‘phone phreaking’ emerged.
The term captures several methods that ‘phreaks’ – people with a particular interest in
the workings of phones – used to hijack the protocols that allowed telecoms engineers
to work on the network remotely to make free calls and avoid long-distance tolls.
Sadly for the phone companies, there was no way of stopping the phreaks, although
the practice eventually died out in the 1980s. The phreaks had become a community,
even issuing newsletters, and included technological trailblazers like Apple’s founders
Steve Wozniak and Steve Jobs. The mold was set for digital technology.

1960s: All quiet on the Western Front

The first-ever reference to malicious hacking was in the Massachusetts Institute of

Technology’s student newspaper.Even by the mid-1960s, most computers were huge
mainframes, locked away in secure temperature-controlled rooms. These machines
were very costly, so access – even to programmers – remained limited.

However, there were early forays into hacking by some of those with access, often
students. At this stage, the attacks had no commercial or geopolitical benefits.
Most hackers were curious mischief-makers or those who sought to improve existing
systems by making them work more quickly or efficiently.

In 1967, IBM invited school kids to try out their new computer. After exploring the
accessible parts of the system, the students worked to probe deeper, learning the
system’s language, and gaining access to other parts of the system.

This was a valuable lesson to the company and they acknowledged their gratitude to
“a number of high school students for their compulsion to bomb the system”, which
resulted in the development of defensive measures – and possibly the defensive
mindset that would prove essential to developers from then on. Ethical hacking is still
practiced today.

As computers started to reduce in size and cost, many large companies invested in
technologies to store and manage data and systems. Storing them under lock and key

9
became redundant as more people needed access to them and passwords began to be
used.

1970s: Computer security is born

Cybersecurity proper began in 1972 with a research project on ARPANET (The

Advanced Research Projects Agency Network), a precursor to the internet.

Researcher Bob Thomas created a computer program called Creeper that could move
across ARPANET’s network, leaving a breadcrumb trail wherever it went. It read:
‘I’m the creeper, catch me if you can’. Ray Tomlinson – the inventor of email – wrote
the program Reaper, which chased and deleted Creeper. Reaper was not only the very
first example of antivirus software, but it was also the first self-replicating program,
making it the first-ever computer worm.

Challenging the vulnerabilities in these emerging technologies became more

important as more organizations were starting to use the telephone to create remote
networks. Each piece of connected hardware presented a new ‘entry point’ and
needed to be protected.

As reliance on computers increased and networking grew, it became clear to

governments that security was essential, and unauthorized access to data and systems
could be catastrophic. 1972-1974 witnessed a marked increase in discussions around
computer security, mainly by academics in papers.

Creating early computer security was undertaken by ESD and ARPA with the U.S.
Air Force and other organizations that worked cooperatively to develop a design for a
security kernel for the Honeywell Multics (HIS level 68) computer system. UCLA
and the Stanford Research Institute worked on similar projects.

ARPA’s Protection Analysis project explored operating system security; identifying,

where possible, automatable techniques for detecting vulnerabilities in software.

By the mid-1970s, the concept of cybersecurity was maturing. In 1976 Operating

System Structures to Support Security and Reliable Software stated:

“Security has become an important and challenging goal in the design of computer
systems.”

10
 In 1979, 16-year-old Kevin Mitnick famously hacked into The Ark – the computer at
the Digital Equipment Corporation used for developing operating systems – and made
copies of the software. He was arrested and jailed for what would be the first of
several cyberattacks he conducted over the next few decades. Today he runs Mitnick
Security Consulting.

1980s: From ARPANET to internet

The 1980s brought an increase in high-profile attacks, including those at National

CSS, AT&T, and Los Alamos National Laboratory. The movie War Games, in which
a rogue computer program takes over nuclear missiles systems under the guise of a
game, was released in 1983. This was the same year that the terms Trojan Horse and
Computer Virus were first used. At the time of the Cold War, the threat of cyber
espionage evolved. In 1985, The US Department of Defense published the Trusted
Computer System Evaluation Criteria (aka The Orange Book) that provided guidance
on:
 Assessing the degree of trust that can be placed in software that processes classified or
other sensitive information

 What security measures manufacturers needed to build into their commercial

products.

Despite this, in 1986, German hacker Marcus Hess used an internet gateway in
Berkeley, CA, to piggyback onto the ARPANET. He hacked 400 military computers,
including mainframes at the Pentagon, intending to sell information to the KGB.

Security started to be taken more seriously. Savvy users quickly learned to monitor
the command.com file size, having noticed that an increase in size was the first sign
of potential infection. Cybersecurity measures incorporated this thinking, and a
sudden reduction in free operating memory remains a sign of attack to this day.

1987: The birth of cybersecurity

1987 was the birth year of commercial antivirus, although there are competing claims
for the innovator of the first antivirus product.

 Andreas Lüning and Kai Figge released their first antivirus product for the Atari ST –
which also saw the release of Ultimate Virus Killer (UVK)

 Three Czechoslovakians created the first version of NOD antivirus

11
  In the U.S., John McAfee founded McAfee (now part of Intel Security), and released
VirusScan.

Also in 1987:

 One of the earliest documented ‘in the wild’ virus removals was performed by
German Bernd Fix when he neutralized the infamous Vienna virus – an early example
of malware that spread and corrupted files.
 The encrypted Cascade virus, which infected .COM files, first appeared . A year later,
Cascade caused a serious incident in IBM’s Belgian office and served as the impetus
for IBM’s antivirus product development. Before this, any antivirus solutions
developed at IBM had been intended for internal use only.

By 1988, many antivirus companies had been established around the world – including
Avast, which was founded by Eduard Kučera and Pavel Baudiš in Prague, Czech
Republic. Today, Avast has a team of more than 1,700 worldwide and stops around 1.5
billion attacks every month.

Early antivirus software consisted of simple scanners that performed context searches to
detect unique virus code sequences. Many of these scanners also included ‘immunizers’
that modified programs to make viruses think the computer was already infected and
not attack them. As the number of viruses increased into the hundreds, immunizers
quickly became ineffective.

It was also becoming clear to antivirus companies that they could only react to existing
attacks, and a lack of a universal and ubiquitous network (the internet) made updates
hard to deploy.

As the world slowly started to take notice of computer viruses, 1988 also witnessed the
first electronic forum devoted to antivirus security – Virus-L – on the Usenet network.
The decade also saw the birth of the antivirus press: UK-based Sophos-sponsored Virus
Bulletin and Dr. Solomon’s Virus Fax International.

The decade closed with more additions to the cybersecurity market, including F-Prot,
ThunderBYTE, and Norman Virus Control. In 1989, IBM finally commercialized their
internal antivirus project and IBM Virscan for MS-DOS went on sale for $35.

12
 1990s: The world goes online

1990 was quite a year:

 The first polymorphic viruses were created (code that mutates while keeping the
original algorithm intact to avoid detection)

 British computer magazine PC Today released an edition with a free disc that
‘accidentally’ contained the DiskKiller virus, infecting tens of thousands of computers
 EICAR (European Institute for Computer Antivirus Research) was established

Early antivirus was purely signature-based, comparing binaries on a system with a

database of virus ‘signatures’. This meant that early antivirus produced many false
positives and used a lot of computational power – which frustrated users as productivity
slowed.

As more antivirus scanners hit the market, cybercriminals were responding and in 1992
the first anti-antivirus program appeared.

By 1996, many viruses used new techniques and innovative methods, including stealth
capability, polymorphism, and ‘macro viruses’, posing a new set of challenges for
antivirus vendors who had to develop new detection and removal capabilities.

New virus and malware numbers exploded in the 1990s, from tens of thousands early in
the decade growing to 5 million every year by 2007. By the mid-‘90s, it was clear that
cybersecurity had to be mass-produced to protect the public. One NASA researcher
developed the first firewall program, modeling it on the physical structures that prevent
the spread of actual fires in buildings.

The late 1990s were also marked by conflict and friction between antivirus developers:

 McAfee accused Dr. Solomon’s of cheating so that testing of uninfected discs showed
good speed results and the scan tests of virus collections showed good detection
results. Dr. Solomon’s filed suit in response

 Taiwanese developer Trend Micro accused McAfee and Symantec of violating its
patent on virus scan-checking technology via the internet and electronic mail.
Symantec then accused McAfee of using code from Symantec’s Norton AntiVirus.

Heuristic detection also emerged as a new method to tackle the huge number of virus
variants. Antivirus scanners started to use generic signatures – often containing non-

13
contiguous code and using wildcard characters – to detect viruses even if the threat had
been ‘hidden’ inside meaningless code.

Email: a blessing and a curse

Towards the end of the 1990s, email was proliferating and while it promised to
revolutionize communication, it also opened up a new entry point for viruses.

In 1999, the Melissa virus was unleashed. It entered the user’s computer via a Word
document and then emailed copies of itself to the first 50 email addresses in Microsoft
Outlook. It remains one of the fastest spreading viruses.

2000s: Threats diversify and multiply

With the internet available in more homes and offices across the globe, cybercriminals
had more devices and software vulnerabilities to exploit than ever before. And, as more
and more data was being kept digitally, there was more to plunder.

In 2001, a new infection technique appeared: users no longer needed to download files –
visiting an infected website was enough as bad actors replaced clean pages with infected
ones or ‘hid’ malware on legitimate webpages. Instant messaging services also began to
get attacked, and worms designed to propagate via IRC (Internet Chat Relay) channel also
arrived.

The development of zero-day attacks, which make use of ‘holes’ in security measures for
new software and applications, meant that antivirus was becoming less effective – you
can’t check code against existing attack signatures unless the virus already exists in the
database. Computer magazine found that detection rates for zero-day threats had dropped
from 40-50% in 2006 to only 20-30% in 2007.

As crime organizations started to heavily fund professional cyberattacks, the good guys
were hot on their trail:

 2000: the first open-source antivirus engine OpenAntivirus Project is made available
 2001: ClamAV is launched, the first-ever open-source antivirus engine to be
commercialized

 2001: Avast launches free antivirus software, offering a fully-featured security

solution to the masses. The initiative grew the Avast user base to more than 20 million
in five years.

14
A key challenge of antivirus is that it can often slow a computer’s performance. One
solution to this was to move the software off the computer and into the cloud. In 2007,
Panda Security combined cloud technology with threat intelligence in their antivirus
product – an industry-first. McAfee Labs followed suit in 2008, adding cloud-based anti-
malware functionality to VirusScan. The following year, the Anti-Malware Testing
Standards Organization (AMTSO) was created and started working shortly after on a
method of testing cloud products.

`Another innovation this decade was OS security – cybersecurity that’s built into the
operating system, providing an additional layer of protection. This often includes
performing regular OS patch updates, installation of updated antivirus engines and
software, firewalls, and secure accounts with user management.

With the proliferation of smartphones, antivirus was also developed for Android and
Windows mobile.

2010s: The next generation

The 2010s saw many high-profile breaches and attacks starting to impact the national
security of countries and cost businesses millions.

 2012: Saudi hacker 0XOMAR publishes the details of more than 400,000 credit cards
online

 2013: Former CIA employee for the US Government Edward Snowden copied and
leaked classified information from the National Security Agency (NSA)

 2013-2014: Malicious hackers broke into Yahoo, compromising the accounts and
personal information of its 3 billion users. Yahoo was subsequently fined $35 million
for failing to disclose the news

 2017: WannaCry ransomware infects 230,000 computers in one day

 2019: Multiple DDoS attacks forced New Zealand’s stock market to temporarily shut
down

The increasing connectedness and the ongoing digitization of many aspects of life
continued to offer cybercriminals new opportunities to exploit. Cybersecurity tailored
specifically to the needs of businesses became more prominent and in 2011, Avast
launched its first business product.

As cybersecurity developed to tackle the expanding range of attack types, criminals

responded with their own innovations: multi-vector attacks and social engineering.

15
Attackers were becoming smarter and antivirus was forced to shift away from signature-
based methods of detection to ‘next generation’ innovations.

Next-gen cybersecurity uses different approaches to increase detection of new and

unprecedented threats, while also reducing the number of false positives. It typically
involves:

 Multi-factor authentication (MFA)

 Network Behavioural Analysis (NBA) – identifying malicious files based on
behavioral deviations or anomalies

 Threat intelligence and update automation

 Real-time protection – also referred to as on-access scanning, background guard,

resident shield and auto-protect

 Sandboxing – creating an isolated test environment where you can execute a

suspicious file or URL
 Forensics – replaying attacks to help security teams better mitigate future breaches

 Back-up and mirroring

 Web application firewalls (WAF) – protecting against cross-site forgery, cross-site-

scripting (XSS), file inclusion, and SQL injection.

Cyber Security in the 2020’s

According to Forbes, we need to look at the threats posed by ransomware, which

continues to provide a payload to cybercriminals. More proactive malware detection is
the best way to protect cloud-based data, using advanced behavioural analysis and
machine learning. As well, we need to close the skills gap between cyber security
experts and cybercriminals who continue to remain out front in tech advancements.
Thus, the information Technology Act is an outcome of the resolution dated 30th
January 1997 of the General Assembly of the United Nations, which adopted the
Model Law on Electronic Commerce, adopted the Model Law on Electronic
Commerce on International Trade Law. This resolution recommended, inter alia, that
all states give favourable consideration to the said Model Law while revising enacting
new law, so that uniformity may be observed in the laws, of the various cyber-nations,
applicable to alternatives to paper based methods of communication and storage of
information.
The Department of Electronics (DoE) in July 1998 drafted the bill. However, it could
only be introduced in the House on December 16, 1999 (after a gap of almost one and a
half years) when the new IT Ministry was formed. It underwent substantial alteration,
with the Commerce Ministry making suggestions related to e-commerce and matters
pertaining to World Trade Organization (WTO) obligations.

The Ministry of Law and Company Affairs then vetted this joint draft.
After its introduction in the House, the bill was referred to the 42-member
Parliamentary Standing Committee following demands from the Members. The

16
 Standing Committee made several suggestions to be incorporated into the bill.
However, only those suggestions that were approved by the Ministry of Information
Technology were incorporated. One of the suggestions that was highly debated upon
was that a cyber café owner must maintain a register to record the names and addresses
of all people visiting his café and also a list of the websites that they surfed. This
suggestion was made as an attempt to curb cyber crime and to facilitate speedy locating
of a cyber criminal. However, at the same time it was ridiculed, as it would invade
upon a net surfer's privacy and would not be economically viable.

Finally, this suggestion was dropped by the IT Ministry in its final draft.
The Union Cabinet approved the bill on May 13, 2000 and on May 17, 2000, both the
houses of the Indian Parliament passed the Information Technology Bill. The Bill
received the assent of the President on 9th June 2000 and came to be known as the
Information Technology Act, 2000. The Act came into force on 17th October 2000.

With the passage of time, as technology developed further and new methods of
committing crime using Internet & computers surfaced, the need was felt to amend the
IT Act, 2000 to insert new kinds of cyber offences and plug in other loopholes that
posed hurdles in the effective enforcement of the IT Act, 2000.
his led to the passage of the Information Technology (Amendment) Act, 2008 which
was made effective from 27 October 2009. The IT (Amendment) Act, 2008 has
brought marked changes in the IT Act, 2000 on several counts.

D. Relevant laws and Case studies

The following Act, Rules and Regulations are covered under cyber laws:

1. Information Technology Act, 2000

In India, cyber laws are contained in the Information Technology Act, 2000 (IT
Act) which came into force on October 17, 2000. The main purpose of the Act is
to provide legal recognition to electronic commerce and to facilitate filing of
electronic records with the Government.

Offences Under The It Act 2000:

A. Section 43: Penalty and compensation for damage to computer ,

computer system, etc
This section of the IT Act applies to individuals who indulge in cyber crimes
such as damaging the computers of the victim, without taking the due
permission of the victim. In such a situation, if a computer is damaged without
the owner’s consent, the owner is fully entitled to a refund for the complete
damage.

In Poona Auto Ancillaries Pvt. Ltd., Pune v. Punjab National Bank, HO New
Delhi & Others (2018), Rajesh Aggarwal of Maharashtra’s IT department
(representative in the present case) ordered Punjab National Bank to pay Rs 45

17
 lakh to Manmohan Singh Matharu, MD of Pune-based firm Poona Auto
Ancillaries. In this case, a fraudster transferred Rs 80.10 lakh from Matharu’s
account at PNB, Pune after the latter answered a phishing email. Since the
complainant responded to the phishing mail, the complainant was asked to
share the liability. However, the bank was found negligent because there were
no security checks conducted against fraudulent accounts opened to defraud
the Complainant.

B. Section 65: Tampering with computer source documents:

Whoever knowingly or intentionally conceals, destroys or alters or intentionally or

knowingly causes another to conceal, destroy or alter any computer source code
used for a computer, computer Programme, computer system or computer
network, when the computer source code is required to be kept or maintained by
law for the being time in force, shall be punishable with imprisonment up to three
year, or with fine which may extend up to two lakh rupees, or with both.

This is cognizable and non- bailable offence.

Penalties: Imprisonment up to 3 years and / or
Fine: Two lakh rupees.

Case Laws:
1. Frios v/s State of Kerela

Facts: In this case it was declared that the FRIENDS application software as
protected system. The author of the application challenged the notification and the
constitutional validity of software under Section 70. The court upheld the validity
of both.

It included tampering with source code. Computer source code the electronic
form, it can be printed on paper.

Held: The court held that Tampering with Source code are punishable with three
years jail and or two lakh rupees fine of rupees two lakh rupees for altering,
concealing and destroying the source code.

2. Syed Asifuddin case:

Facts: In this case the Tata Indicom employees were arrested for manipulation of
the electronic 32- bit number (ESN) programmed into cell phones theft were
exclusively franchised to Reliance Infocom.

Held: The Court held that Tampering with source code invokes Section 65 of the
Information Technology Act.

18
3. Parliament Attack Case:

Facts: In this case several terrorist attacked on 13 December, 2001Parliament

House. In this the Digital evidence played an important role during their
prosecution. The accused argued that computers and evidence can easily be
tampered and hence should not be relied.

In Parliament case several smart device storage disks and devices, a Laptop were
recovered from the truck intercepted at Srinagar pursuant to information given by
two suspects. The laptop included the evidence of fake identity cards, video files
containing clips of the political leaders with the background of Parliament in the
background shot from T.V news channels. In this case design of Ministry of
Home Affairs car sticker, there was game “wolf pack” with user name of ‘Ashiq’.
There was the name in one of the fake identity cards used by the terrorist. No back
up was taken therefore it was challenged in the Court.

Held: Challenges to the accuracy of computer evidence should be established by

the challenger. Mere theoretical and generic doubts cannot be cast on the evidence.

C. Section 66: Hacking with computer system

Applies to any conduct described in Section 43 that is dishonest or fraudulent.

There can be up to three years of imprisonment in such instances, or a fine of up
to Rs. 5 lakh or with both.

In Kumar v. Whiteley (1991), during the course of the investigation, the accused
gained unauthorized access to the Joint Academic Network (JANET) and deleted,
added, and changed files. As a result of investigations, Kumar had been logging on
to a BSNL broadband Internet connection as if he was an authorized legitimate
user and modifying computer databases pertaining to broadband Internet user
accounts of subscribers. On the basis of an anonymous complaint, the CBI
registered a cyber crime case against Kumar and conducted investigations after
finding unauthorized use of broadband Internet on Kumar’s computer. Kumar’s
wrongful act also caused the subscribers to incur a loss of Rs 38,248. N G Arun
Kumar was sentenced by the Additional Chief Metropolitan Magistrate. The
magistrate ordered him to undergo a rigorous year of imprisonment with a fine of
Rs 5,000 under Sections 420 of IPC and 66 of the IT Act.

D. Section 66B: Punishment for dishonestly receiving stolen computer

resource or communication device
This section describes the penalties for fraudulently receiving stolen
communication devices or computers, and confirms a possible three-year
prison sentence. Depending on the severity, a fine of up to Rs. 1 lakh may also
be imposed.

19
 E. Section 66C: Punishment for Identity Theft, Misuse of Digital
Signature
The focus of this section is digital signatures, password hacking, and other
forms of identity theft. This section imposes imprisonment upto 3 years along
with one lakh rupees as a fine.

F. Section 66D: Punishment for cheating by personation by using

computer resource
This section involves cheating by personation using computer Resources.
Punishment if found guilty can be imprisonment of up to three years and/or
up-to Rs 1 lakh fine.

E. Section 66E: Punishment for violation of privacy

Taking pictures of private areas, publishing or transmitting them without a

person’s consent is punishable under this section. Penalties, if found guilty,
can be imprisonment of up to three years and/or up-to Rs 2 lakh fine.

G. Section 66F: Punishment for cyber terrorism

Acts of cyber terrorism. An individual convicted of a crime can face

imprisonment of up to life. An example: When a threat email was sent to the
Bombay Stock Exchange and the National Stock Exchange, which challenged
the security forces to prevent a terror attack planned on these institutions. The
criminal was apprehended and charged under Section 66F of the IT Act.

H. Section 67: Punishment for Publishing of obscene information in

electronic form:

Whoever, Publishes or transmits or causes to be published in the

electronic form, Any material which is lascivious or appeals to the prurient
interest or If its effect is such as to tend to deprave and corrupt persons who are
likely, having regard to all relevant circumstances, to read, see or hear the
matter contained or embodied in it, shall be punished on first conviction with
imprisonment of either description for a term which may extend to three years
and with fine which may extend to five lakh rupees and in the event of a second
or subsequent conviction with imprisonment of either description for a term
which may extend to five years and also with fine which may extend to Rs 10
lakh.

I. Section 67 A :Punishment for publishing or transmitting of material

containing sexually explicit acts.

Whoever, Publishes or transmits or causes to be published or transmitted in

the electronic form, any material which contains sexually explicit act or conduct, shall

20
be punished on first conviction with imprisonment of either description for a term
which may extend to five years and with fine which may extend to Rs 10 lakhs and in
the event of second or subsequent conviction with imprisonment of either description
for a term which may extend to seven years and also with fine which may extend to
Rs 10 lakhs.

J. Section 68: Power of controller to give directions:

(1) The Controller may, by order, direct a Certifying Authority or any

employee of such Authority to take such measures or cease carrying on such
activities as specified in the order if those are necessary to ensure compliance
with the provisions of this Act, rules or any regulations made thereunder.
(2) Any person who fails to comply with any order under sub-section (1) shall
be guilty of an offence and shall be liable on conviction to imprisonment for a
term not exceeding three years or to a fine not exceeding two lakh rupees or to
both.
K. Section 69 :Power to issue directions for interception or monitoring or
decryption of any information through any computer resource.–
(1) Where the Central Government or a State Government or any of its
officers specially authorised by the Central Government or the State
Government, as the case may be, in this behalf may, if satisfied that it is
necessary or expedient so to do, in the interest of the sovereignty or integrity
of India, defence of India, security of the State, friendly relations with foreign
States or public order or for preventing incitement to the commission of any
cognizable offence relating to above or for investigation of any offence, it may
subject to the provisions of sub-section (2), for reasons to be recorded in
writing, by order, direct any agency of the appropriate Government to
intercept, monitor or decrypt or cause to be intercepted or monitored or
decrypted any information generated, transmitted, received or stored in any
computer resource.
(2) The procedure and safeguards subject to which such interception or
monitoring or decryption may be carried out, shall be such as may be
prescribed.
(3) The subscriber or intermediary or any person in-charge of the computer
resource shall, when called upon by any agency referred to in sub-section (1),
extend all facilities and technical assistance to– (a) provide access to or secure
access to the computer resource generating, transmitting, receiving or storing
such information; or (b) intercept, monitor, or decrypt the information, as the
case may be; or (c) provide information stored in computer resource.
(4) The subscriber or intermediary or any person who fails to assist the agency
referred to in sub-section (3) shall be punished with imprisonment for a term
which may extend to seven years and shall also be liable to fine.

21
 L. Section 70 : Protected System:
(1) The appropriate Government may, by notification in the Official Gazette,
declare any computer resource which directly or indirectly affects the facility of
Critical Information Infrastructure, to be a protected system.
(2) The appropriate Government may, by order in writing, authorise the persons
who are authorised to access protected systems notified under sub-section (1).
(3) Any person who secures access or attempts to secure access to a protected
system in contravention of the provisions of this section shall be punished with
imprisonment of either description for a term which may extend to ten years and
shall also be liable to fine. [(4) The Central Government shall prescribe the
information security practices and procedures for such protected system.]

M. Section 71- Penalty for misrepresentation –

Whoever makes any misrepresentation to, or suppresses any material fact from the
Controller or the Certifying Authority for obtaining any licence or Certificate, as
the case may be, shall be punished with imprisonment for a term which may
extend to two years, or with fine which may extend to one lakh rupees, or with
both.

N. Section 72 -Penalty for breach of confidentiality and privacy :

Save as otherwise provide in this Act or any other law for the time being in force,
any person who, in pursuance of any of the powers conferred under this Act, rules
or regulation made there under, has secured assess to any electronic record, book,
register, correspondence, information, document or other material without the
consent of the person concerned discloses such material to any other person shall
be punished with imprisonment for a term which may extend to two years, or with
fine which may extend to one lakh rupees, or with both.

O. Section 73 : Penalty for publishing [electronic signature] Certificate false

in certain particulars.—
(1) No person shall publish a [electronic signature] Certificate or otherwise make it
available to any other person with the knowledge that--

(a) the Certifying Authority listed in the certificate has not issued it; or

(b) the subscriber listed in the certificate has not accepted it; or

(c) the certificate has been revoked or suspended,

22
unless such publication is for the purpose of verifying a [electronic signature] created
prior to such suspension or revocation.

(2) Any person who contravenes the provisions of sub-section (1) shall be punished
with imprisonment for a term which may extend to two years, or with fine which may
extend to one lakh rupees, or with both.

P. Section 74. Publication for fraudulent purpose:

Whoever knowingly creates, publishes or otherwise makes available a [electronic
signature] Certificate for any fraudulent or unlawful purpose shall be punished with
imprisonment for a term which may extend to two years, or with fine which may
extend to one lakh rupees, or with both.

Q. Section 75. Act to apply for offence or contravention committed outside India:
(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply
also to any offence or contravention committed outside India by any person
irrespective of his nationality.

(2) For the purposes of sub-section (1), this Act shall apply to an offence or
contravention committed outside India by any person if the act or conduct constituting
the offence or contravention involves a computer, computer system or computer
network located in India.

CASE LAW:

R v/s Governor of Brixton prison and another.

Facts: In this case the Citibank faced the wrath of a hacker on its cash management
system, resulting in illegal transfer of funds from customers account in to the accounts
of the hacker, later identified as Valdimer Levin and his accomplices. After Levin was
arrested he was extradite to the United States. One of the most important issues was
jurisdictional issue, the ‘place of origin’ of the cyber crime.

Held: The Court helds that the real- time nature of the communication link between
Levin and Citibank computer meant that Levin’s keystrokes were actually occurring
on the Citibank computer.

It is thus important that in order to resolve the disputes related to jurisdiction, the
issue of territoriality and nationality must be placed by a much broader criteria
embracing principles of reasonableness and fairness to accommodate overlapping or
conflicting interests of states, in spirit of universal jurisdiction.

R. Section 76. Confiscation:

23
Any computer, computer system, floppies, compact disks, tape drives or any other
accessories related thereto, in respect of which any provisions of this Act, rules,
orders or regulations made there under has been or is being contravened, shall be
liable to confiscation:

Provided that where it is established to the satisfaction of the court adjudicating the
confiscation that the person in whose possession, power or control of any such
computer, computer system, floppies, compact disks, tape drives or any other
accessories relating thereto is found is not responsible for the contravention of the
provisions of this Act, rules orders or regulations made there under, the court may,
instead of making an order for confiscation of such computer, computer system,
floppies, compact disks, tape drives or any other accessories related thereto, make
such other order authorized by this Act against the person contravening of the
provisions of this Act, rules, orders or regulations made there under as it may think fit.

S. Section 77. Compensation, Penalties or confiscation not to interfere with other

punishments:
No compensation awarded, penalty imposed or confiscation made under this Act shall
prevent the award of compensation or imposition of any other penalty or punishment
under any other law for the time being in force.

T. Section 78. Power to investigate offences:

Notwithstanding anything contained in the Code of Criminal Procedure, 1973 (2 of

1974), a police officer not below the rank of 1 [Inspector] shall investigate any offence
under this Act.

2. Information Technology Rules

There are several aspects of the collection, transmission, and processing of data that
are covered by the IT Rules, including the following:

 The Information Technology (Reasonable Security Practices and Procedures and

Sensitive Personal Data or Information) Rules, 2011: According to these rules,
entities holding individuals’ sensitive personal information must maintain certain
security standards that are specified.
 The Information Technology (Guidelines for Intermediaries and Digital Media
Ethics Code) Rules, 2021: To maintain the safety online of users’ data, these rules
govern the role of intermediaries, including social media intermediaries, to prevent
the transmission of harmful content on the internet.

24
 The Information Technology (Guidelines for Cyber Cafe) Rules, 2011: According
to these guidelines, cybercafés must register with an appropriate agency and
maintain a record of users’ identities and their internet usage.
 The Information Technology (Electronic Service Delivery) Rules, 2011:
Basically, these regulations give the government the authority to specify the
delivery of certain services, such as applications, certificates, and licenses, by
electronic means.
 Information Technology (The Indian Computer Emergency Response Team and
Manner of Performing Functions and Duties) Rules, 2013 (the CERT-In Rules):
There are several ways in which the CERT-In rules provide for the working of
CERT-In. In accordance with rule 12 of the CERT-In rules, a 24-hour Incident
response helpdesk must be operational at all times. Individuals, organisations and
companies can report cybersecurity incidents to Cert-In if they are experiencing a
cybersecurity Incident. The Rules provide an Annexure listing certain Incidents
that must be reported to Cert-In immediately.
Another requirement under Rule 12 is that service providers, intermediaries, data
centres, and corporate bodies inform CERT-In within a reasonable timeframe of
cybersecurity incidents. As a result of the Cert-In website, Cybersecurity Incidents
can be reported in various formats and methods, as well as information on
vulnerability reporting, and incident response procedures. In addition to reporting
cybersecurity incidents to CERT-In in accordance with its rules, Rule 3(1)(I) of the
Information Technology (Guidelines for Intermediaries and Digital Media Ethics
Code) Rules, 2021 also requires that all intermediaries shall disclose information
about cybersecurity incidents to CERT-In.

3. Indian Penal Code, 1860 (IPC):

If the IT Act is not sufficient to cover specific cyber crimes, law enforcement
agencies can apply the following IPC sections:

 Section 292:Sale, etc, of obscene books, etc. -The purpose of this section was to
address the sale of obscene materials, however, in this digital age, it has evolved to
deal with various cyber crimes as well. A manner in which obscene material or
sexually explicit acts or exploits of children are published or transmitted
electronically is also governed by this provision. The penalty for such acts is
imprisonment and fines up to 2 years and Rs. 2000, respectively. The punishment
for any of the above crimes may be up to five years of imprisonment and a fine of
up to Rs. 5000 for repeat (second-time) offenders.
 Section 354C: Voyeurism - In this provision, cyber crime is defined as taking or
publishing pictures of private parts or actions of a woman without her consent. In
this section, voyeurism is discussed exclusively since it includes watching a
woman’s sexual actions as a crime. In the absence of the essential elements of this
section, Section 292 of the IPC and Section 66E of the IT Act are broad enough to
include offences of an equivalent nature. Depending on the offence, first-time
offenders can face up to 3 years in prison, and second-time offenders can serve up
to 7 years in prison.

25
 Section 354D: Stalking: Stalking, including physical and cyberstalking, is
described and punished in this chapter. The tracking of a woman through
electronic means, the internet, or email or the attempt to contact her despite her
disinterest amounts to cyber-stalking. This offence is punished by imprisonment of
up to 3 years for the first offence and up to 5 years for the second offence, along
with a fine in both cases.

A victim in the case Kalandi Charan Lenka v. the State of Odisha(2017) has
received a series of obscene messages from an unknown number that has damaged
her reputation. The accused also sent emails to the victim and created a fake
account on Facebook containing morphed images of her. The High Court,
therefore, found the accused prima facie guilty of cyberstalking on various charges
under the IT Act and Section 354D of IPC.

 Section 379: Punishment for theft:The punishment involved under this section,
for theft, can be up to three years in addition to the fine. The IPC Section comes
into play in part because many cyber crimes involve hijacked electronic devices,
stolen data, or stolen computers.
 Section 420:Cheating and dishonestly inducing delivery of property - This
section talks about cheating and dishonestly inducing delivery of property. Seven-
year imprisonment in addition to a fine is imposed under this section on
cybercriminals doing crimes like creating fake websites and cyber frauds. In this
section of the IPC, crimes related to password theft for fraud or the creation of
fraudulent websites are involved.
 Section 463: Forgery- This section involves falsifying documents or records
electronically.
 Section 465:Punishment for forgery: This provision typically deals with the
punishment for forgery. Under this section, offences such as the spoofing of email
and the preparation of false documents in cyberspace are dealt with and punished
with imprisonment ranging up to two years, or both.

In Anil Kumar Srivastava v. Addl Director, MHFW (2005), the petitioner had
forged signed the signature of the AD and had then filed a case that made false
allegations against the same individual. Due to the fact that the petitioner also
attempted to pass it off as a genuine document, the Court held that the petitioner
was liable under Sections 465 and 471 of the IPC.

 Section 468: Forgery for purpose of cheating: Fraud committed with the
intention of cheating may result in a seven-year prison sentence and a fine. This
section also punishes email spoofing.

In Gagan Harsh Sharma v. The State of Maharashtra (2018), the Bombay High Court
addressed the issue of non-bailable and non-compoundable offences under sections
408 and 420 of the IPC in conflict with those under Sections 43, 65, and 66 of the IT
Act that is bailable and compoundable.

26
 4. Companies Act, 2013:

A majority of the corporate stakeholders consider the Companies Act of 2013 to be

the most pertinent legal obligation to properly manage daily operations. This Act
enshrines in law all the techno-legal requirements that need to be met, implementing
the law as a challenge to the companies that are not compliant. As part of the
Companies Act 2013, the SFIO (Serious Fraud Investigation Office) is entrusted with
powers to investigate and prosecute serious frauds committed by Indian companies
and their directors.

As a result of the Companies Inspection, Investment, and Inquiry Rules,

2014 notification, the SFIOs have become even more proactive and serious in regard
to this. By ensuring proper coverage of all the regulatory compliances, the legislature
ensured that every aspect of cyber forensics, e-discovery, and cybersecurity diligence
is adequately covered. Moreover, the Companies (Management and Administration)
Rules, 2014 prescribe a strict set of guidelines that confirm the cybersecurity
obligations and responsibilities of corporate directors and senior management.

5. Cyber Crimes under the Special Acts

1. Online sale of Drug under Narcotics Drugs and Psychotropic
Substance Act
2. 2. Online sale of arms- Arms Act.

27
6. Other Landmark Judgment

28
 1. Shreya Singhal v. UOI

Facts-Two women were arrested under Section 66A of the Information

Technology Act after posting offensive comments on Facebook regarding
Mumbai’s total closure following the death of a political leader. Section 66A of
the Information Technology Act presents consequences for the usage of laptop
sources or communications, consisting of data this is offensive, fake, worrying,
inconvenient, dangerous, offensive, repulsive, dangerous or malicious. The women
responded to the arrest in a petition challenging the constitutionality of Section
66A of the Information Technology Act because they violated freedom of speech
and expression.

Judgment–The Supreme Court made its decision based on three concepts:

deliberation, advocacy, and incitement. He pointed out that simply discussing or
defending a case, no matter how popular, is at the heart of freedom of speech and
expression. Section 66A may restrict any form of communication and does not
appear to distinguish between the mere advocacy or discussion of a particular issue
that is offensive to some people and the instigation of such words leading to a
causal relationship to public disorder, safety, etc. When asked if Section 66A was
intended to protect people from defamation, the court answered that Section 66A
condemned abusive language that may annoy people but does not affect their
reputation.

Analysis– The court also noted that Section 66A of the Information Technology
Act did not violate Section 14 of the Constitution of India because there is a clear
distinction between information transmitted over the Internet and information
transmitted through other forms of speech. Also, the Supreme Court did not even
consider the issue of procedural irrationality because it was inherently
unconstitutional

2. Syed Asifuddin and Ors. v. State of Andhra Pradesh and Anr.

Facts-Subscriber purchased Reliance phone and Reliance mobile service together

under the Dhirubhai Ambani Pioneer plan. Subscribers were attracted to other
operators’ top rates and wanted to switch to other operators. The applicant
(TataIndCom employee) has hacked the Electronic Serial Number (“ESN”). The
Reliance MIN (Mobile Phone Identification Number) has been permanently
integrated with the ESN and the ESN has been reprogrammed to verify the device
through the applicant’s service provider rather than Reliance Infocomm.

Issues

 Is a handset a “computer” under section 2(1)(i) of the IT Act?

 Is the ESN operation programmed in the mobile phone a source code change
according to Article 65 of the IT Act?

29
Judgment–In section 2(1)(i) of the Information Technology Act, “computer” means
an electronic, magnetic, optical or other high-speed data processing device or system
that electronically manipulates logic, arithmetic and memory functions. , magnetic or
optical impulses and any input, output, processing, storage, computer software or
communication connected to or connected to a computer in a computer system or
computer network.

Therefore, a telephone falls within the definition of “computer” as defined in section

2(1)(i) of the IT Act. If the ESN changes, other service providers like TATA Indicom
can use the phone exclusively.

Therefore, changing the ESN would be a violation of Section 65 of the Information

Technology Act. This is because each service provider must maintain a unique SID
and assign a specific number to the customer for each tool used to provide the
services they provide. Consequently, crimes registered against the applicant cannot be
excluded under section 65 of the Information Technology Act.

Analysis–

In 2003, Crime No. 20 was dismissed under Articles 409, 420 and 120B, and criminal
cases brought under Article 65 of the Information Technology Act and Article 63 of
the Copyright Act and CID were also dismissed. When complaints are received, it is
suggested that the investigation be completed and a final report be submitted to the
metropolitan court to hear the case within three months.

3.Avnish Bajaj v. State (NCT) of Delhi

Facts–Bazee.com CEO Avnish Bajaj had been arrested under section 67 of the
Information Technology Act for broadcasting cyber pornography. Someone else was
selling obscene CD copies through the bazee.com website.

Issues

 Is Article 67 of the Information Technology Act against which the case was
brought against the applicant?
 Are allegations of misconduct under Sections 292(2)(a) and 292(2)(d) IPC on
the website objectionable or not?
Judgment–

The court noted that Mr Bajaj did not participate in any pornography program
anywhere. No one is allowed to view pornography on the Bazee.com website.
However, Bazee.com receives sales commissions and makes money from
advertisements placed on its web pages. The court also points out that the evidence
gathered indicates that cyber-porn crimes can be attributed to someone other than
Bazee.com. The court granted Mr Bajai two rupees bail. 10,000 won each. However,
the defendant bears the burden of being only a service provider, not a content.

30
 Analysis

 The testimony could not prove that any publications were written directly or
indirectly by the accused.
 Analysis confirms that you cannot view real porn/clips on the Baaze.com
portal.
 The consideration for the sale had nothing to do with the defendant.
 At first glance, the website (Baaze.com) was trying to close the loop.
 The accused took an active part in the investigation.
 The nature of the suspected crime has already been determined and can be
protected from unauthorized access.
 Evidence gathered suggests that only pornographic content may be
unintentionally offered for sale on a website.
 It also indicates that criminal charges may be attributed to others.

E. Suggestions

The law deals an important part in the overall development of the country, and this can be
achieved with proper and effective implementation of it. Now the children are being
exploited. As can be seen, the crime rate against children is rising day by day. It is a
challenge to apprehend a wrongdoer in cybercrime but with proper and strict
implementation it can be curtailed. Some crucial points regarding ineffective protection of
children against cybercrime are-

 Educating the children and their parents against the threat of cybercrime.
 Proper functioning of legislation to meet up with the growing challenge to
tackle cybercrime.
 Enhancement in skilled Manpower and Equipment required.

Mentioned below is a comprehensive list of tips and measures that an individual can
take to protect themselves from cybercrime:

a. Use strong passwords-One of the simplest ways to prevent cyber crimes is to

use strong passwords. Don’t go for 123456…and other simple passwords that
are too easy to guess. Don’t use the names of your partners or dear ones or
your birth date as your password. Instead, use a unique password that is a
combination of alphabets, numerals, and special characters/symbols. Another
trick is to use different passwords for different sites and change your
passwords frequently.
b. Keeping your software updated-Keep checking for the updates for your
operating system and internet security software. Generally, cybercriminals
take advantage of the glitches and flaws in your software for gaining access to
your systems and devices. Thus, keeping your software updated to the latest
version takes you one step closer to preventing cyber crimes.
c. Manage your social media settings-The next easy thing that you can do is
keep your personal information private. Social media platforms usually have a
feature where that allows you to hide your phone numbers and other
contact/personal information. It might be a reasonable choice to hide such
information and keep it locked down from the public eye for if you disclose

31
 your pet’s name in your public profile, you are giving away the answer to one
of the most basic security questions.
d. Strengthening your network-Use strong encryption passwords to protect
your home network from hackers and unwanted interceptions. If you are
someone who uses public WI-FI, you must use a VPN(Virtual Private
Network). A VPN encrypts all traffic until it reaches your computer. Thus,
even if hackers can hack your communication line, they won’t intercept
anything but encrypted data.

e. Keep yourself up to date on major security breaches-We often read about

security breaches and theft of user information stored by various websites. If
you have an account on any of these websites which have been impacted by
the breach, you should check out what information the hackers have accessed
and change your passwords immediately.
f. Talk to children about the internet-Even before the pandemic happened,
children were already using the internet and mobile, and computer devices to a
great extent and the pandemic only intensified it. The internet and technology
have become a necessity in a student’s life. But do we teach our kids about the
pros and cons of the internet? Every parent must talk to their child about the
cautious use of the internet and the risks that come with it. Essentially, you
must make sure that your child comes to you if he or she is experiencing any
form of online harassment, abuse, or any other cyber-criminal activity.
g. Protect yourself from identity theft-

You can protect yourself from identity theft by taking the following
precautions:

 Beware of shoulder surfing.

 Do not reply to spam emails or open URLs or click on links in unsolicited mails.
 Use robust passwords and practise safe clicking.
 Always verify the identity of the person asking for your personal information.

h. Install anti-virus software- Installing reputed anti-virus software or internet

security solutions can go a long way in protecting you from cyber crimes.
These softwares such as avast provides you maximum protection and contains
features such as virus cleaner, VPN, app locks, monitoring leaked passwords,
etc. Anti-virus software allows you to scan, detect and remove threats before
they become a problem. Also, please make sure that your antivirus software is
kept updated.

i. Check your bank statements-It is advised that you should regularly check

your bank account statements and in case you notice some unfamiliar

32
 transactions, or unauthorised withdrawals, you can report the same to the

bank.

j. Protect yourself from phishing-

The first thing you can do to avoid a phishing attack is to learn to recognize it.
Here’s how-typically, phishing attacks call for an urgent action prompting you
to click some link or act immediately to claim this lucrative reward and so on.
Here are the other things that you can do to avoid becoming a victim of
phishing attacks:

 A mail from a first-time sender might be a sign of phishing. Therefore, be extra

cautious when you receive mail from an unknown person.
 If the mail you got has bad grammar and obvious spelling errors, there is a good
chance that it is a scam. This is because these emails are usually translated into
foreign languages. Also, reputed organisations do not generally send emails with
spelling errors.
 Beware of generic greetings. In the time we live in, organisations that you deal
with know your details and they usually address you with your name. Thus, if you
receive a letter with a generic greeting ‘Dear mam or sir’ from your bank, there is
a chance that it is not your bank after all.
 If you suspect that you have received spam mail, or that the email message is a
scam, avoid clicking any links that may be inside it.

k. Other tips

 Don’t share your location on social media publicly

 While making online purchases, ensure that the website is legitimate and uses a
secure e-payment facility or portal.
 Do not share your OTP, and CVV codes with anyone. Trusted banks and financial
institutions will never ask for this information.
 Always follow the industry best practices and government recommended practices
and measures on cyber security.
 Keep your company’s software, hardware, and digital assets up to date using
proper IT security asset management.
 Do not accept all the cookies from all websites that you visit. Read the terms and
conditions carefully before accessing a website.
 Make an effort to check the credibility of an app before downloading it.
 Do not permit apps and websites access to your location unless necessary.

33
  Understand the nature and importance of the data that you store on your devices.
Creating a backup of your data and files is a good option to mitigate the loss in
case of a malware attack etc.
 Enabling multi-factor authentication is another option that you can explore to level
up your security.
 Setting and modifying transaction limits on your accounts and cards.
 Be careful while you make payments on the internet. Enter your Card Verification
Value(CVV) only on secure payment websites.
 Don’t fall into the trap of fake lotteries scams or get-rich-quick schemes.

What to do if you become a victim : reporting a cybercrime

If you find yourself in the clutches of a cybercrime, you must report it to the
cybercrime cell. You can register a complaint with the cyber crime cell, both in
physical and online mode. In case you don’t have access to a cyber crime cell, then
you can lodge an FIR in the nearest police station.

National cyber crime reporting portal

You can file a cyber complaint through the National Cyber Crime Reporting Portal
i.e. https://cybercrime.gov.in. The portal also provides the facility of filing
anonymous complaints regarding cybercrime related to child pornography and
sexually explicit content. To file a complaint, you have to give details of the incident
such as the category of cybercrime, date and time, a platform where it occurred,
upload evidence and details of the suspect, etc.

F. Conclusion

The cyber legal system is subject to IT laws and regulations. The Indian Penal Code of
1860 may also be applicable where the Information Technology Act cannot provide for
certain types of crimes or does not contain comprehensive criminal provisions. However,
the cyber law framework is still insufficient to cover all types of cybercrime in India that
exist today. As countries move towards the Digital India movement, cybercrime is
constantly evolving and new types of cybercrime enter the cyber law regime every day.
India’s cyber legal system is weak compared to other countries.

Also, Various initiatives have been taken by the government such as issuing advisories
regarding cyber threats and setting up of Cyber Swacchta Kendra, etc. Cyberspace is very
vast and knows no bounds. The internet offers anonymity to offenders and often it is very
difficult to impossible to trace a skilled cyber offender. Thus, people have to be aware of
their digital surroundings just as they are in the real world.

G. Reference

34
1. Criminology and Penology Book by Prof. N.V. Paranjape.

35