Esisa
v?A$r Cyber Law Consulting
TEXT BOOK OF CYBER CRIME AND PENALTIES
[AS PER ITA A 2008 AND IPC] (Draft Version)
By Prashant Mali
www.cyberlawconsulting.com
CYBER CRIMES AND PENALTIES
prashan t.mali@cyberla wconsulting. com
INDEX
INTRODUCTION TO CYBER CRIME
Ch. 1.0 ANCIENT CYBER CRIME 05
Ch. 2.0 CRIMES INVOLVING MONEY 06
Ch. 3.0 CYBER PORNOGRAPHY & CHILD PORNOGRAPHY 08
Ch.4.0 CYBER BULLYING 15
Ch.5.0 IDENTITY THEFT 16
Ch.6.0 SALE OF ILLEGAL ARTICLES ON INTERNET 19
Ch.7.0 ONLINE GAMBLING 21
Ch.8.0 INTELLECTUAL PROPERTY CRIMES 24
Ch.9.0 EMAIL SPOOFING 27
Ch.10.0 FORGERY 30
Ch.11.0 CYBER DEFAMATION 33
Ch.12.0 CYBER STALKING 35
Ch.13.0 WEB DEFACEMENT 38
Ch.14.0 EMAIL BOMBING 41
Ch.15.0 DATA DIDDLING 43
Ch.16.0 SALAMI ATTACKS 45
Ch.17.0 DENIAL OF SERVICE ATTACK (DoS & DDoS) 46
Ch.18.0 VIRUS / WORM ATTACKS SPREADING OF CONTAMINATIO 49
Ch.19.0 TROJANS AND KEY LOGGERS 52
Ch.20.0 INTERNET TIME THEFT 56
Ch.21.0 WEB JACKING 59
Ch.22.0 EMAIL FRAUDS 62
Ch.23.0 CYBER TERRORISM 65
TABLE OF SECTIONS 70
GLOSSARY 71
CYBER CRIMES AND PENALTIES 2 prashant.mali@cyberlawconsulting.com
INTRODUCTION TO CYBER CRIME
What is a cyber crime?
Cyber crime is a generic term that refers to all criminal activities done using the
medium of computers, the internet, cyber space and the worldwide web.
There isn't really a fixed definition for cyber crime. The Indian Law has not given
any definition to the term 'cyber crime'. In fact, the Indian Penal Code does not
use the term 'cyber crime' at any point even after its amendment by the
Information Technology Act 2008 the Indian Cyber law. but "Cyber Security"
means protecting information, equipment, devices, computer, computer resource,
communication device and information stored therein from unauthorized access,
use, disclosure, disruption, modification or destruction.
What is Cyber law?
Cyber law (also referred to as Cyber law) is a term used to describe the legal
issues related to use of communications technology, particularly "cyberspace", i.e.
the Internet. It is less a distinct field of law in the way that property or contract are,
as it is an intersection of many legal fields, including intellectual property, privacy,
freedom of expression, and jurisdiction. In essence, cyber law is an attempt to
apply laws designed for the physical world to human activity on the Internet. In
India Information Technology Act [Amend.] 2008 is known as the Cyber law. It has
a separate chapter XI entitled "Offences" in which various cyber crimes have been
declared as penal offences punishable with imprisonment and fine.
Jurisdiction and sovereignty
Issues of jurisdiction and sovereignty have quickly come to the fore in the era of
the Internet. The Internet does not tend to make geographical and jurisdictional
boundaries clear, but Internet users remain in physical jurisdictions and are
subject to laws independent of their presence on the Internet. As such, a single
transaction may involve the laws of at least three jurisdictions:
1) the laws of the state/nation in which the user resides,
2) the laws of the state/nation that apply where the server hosting the transaction
is located, and
3) the laws of the state/nation which apply to the person or business with whom
the transaction takes place. So a user in one of the states in USA conducting a
transaction with another user in Australia through a server in Chennai could
theoretically be subject to the laws of all three countries as they relate to the
transaction at hand.
CYBER CRIMES AND PENALTIES 3 prashant.mall@cyberlawconsultlng.com
Jurisdiction is an aspect of state sovereignty and it refers to judicial, legislative
and administrative competence. Although jurisdiction is an aspect of sovereignty,
it is not coextensive with it. The laws of a nation may have extra-territorial impact
extending the jurisdiction beyond the sovereign and territorial limits of that nation.
This is particularly problematic as the medium of the Internet does not explicitly
recognize sovereignty and territorial limitations. There is no uniform, international
jurisdictional law of universal application
Cyber attacks and effects
Cyberspace is constantly under assault. Cyber spies, thieves, saboteurs, and thrill
seekers break into computer systems, steal personal data and trade secrets,
vandalize Web sites, disrupt service, sabotage data and systems, launch
computer viruses and worms, conduct fraudulent transactions, and harass
individuals and companies.
CYBER CRIMES AND PENALTIES 4 prashant.mali@cyberlawconsultlng.com
Ancient Cyber Crime
Ch. 1.0 ANCIENT CYBER CRIME
The first recorded cyber crime took place in the year 1820.
That is not surprising considering the fact that the abacus, which is thought to be
the earliest form of a computer, has been around since 3500 B.C. in India, Japan
and China. The era of modern computers, however, began with the analytical
engine of Charles Babbage.
In 1820, Joseph-Marie Jacquard, a textile manufacturer in France, produced the
loom. This device allowed the repetition of a series of steps in the weaving of
special fabrics. This resulted in a fear amongst Jacquard's employees that their
traditional employment and livelihood were being threatened. They committed
acts of sabotage to discourage Jacquard from further use of the new technology.
This is the first recorded cyber crime!
Today, computers have come a long way with neural networks and nano -
computing promising to turn every atom in a glass of water into a computer
capable of performing a billion operations per second.
In a day and age when everything from microwave ovens and refrigerators to
nuclear power plants are being run on computers, cyber crime has assumed
rather sinister implications.
Cyber crime can involve criminal activities that are traditional in nature, such as
theft, fraud, forgery, defamation and mischief. The abuse of computers has also
given birth to a gamut of new age crimes such as hacking, web defacement, cyber
stalking, web jacking etc.
A simple yet sturdy definition of cyber crime would be "unlawful acts wherein the
computer is either a tool or a target or both".
The term computer used in this definition does not only mean the conventional
desktop or laptop computer. It includes Personal Digital Assistants (PDA), cell
phones, sophisticated watches, cars and a host of gadgets.
Recent global cyber crime incidents like the targeted denial of service attacks on
Estonia have heightened fears. Intelligence agencies are preparing against
coordinated cyber attacks that could disrupt rail and air traffic controls, electricity
distribution networks, stock markets, banking and insurance systems etc.
Unfortunately, it is not possible to calculate the true social and financial impact of
cyber crime. This is because most crimes go unreported.
CYBER CRIMES AND PENALTIES 5 prashant.mall@cyberlawconsultlng.com
Crimes Involving Money
Ch. 2.0 CRIMES INVOLVING MONEY
Money is the most common motive behind all crime. The same is also true for
cyber crime. Globally it is being observed that more and more cyber crimes are
being committed for financial motives rather than for "revenge" or for "fun".
With the tremendous increase in the use of
internet and mobile banking, online share trading,
dematerialization of shares and securities, this
trend is likely to increase unabated.
Financial crimes include cyber cheating, credit
card frauds, money laundering, hacking,
accounting scams etc., into bank servers,
computer manipulation.
Section 66D Punishments for cheating by personation by using computer
resource (Inserted Vide ITA 2008)
Whoever, by means of any communication device or computer resource cheats
by personation, shall be punished with imprisonment of either description for a
term which may extend to three years and shall also be liable to fine which may
extend to one lakh rupees.
Section 415 of IPC for any kind of Cheating.
Whoever, by deceiving any person, fraudulently or dishonestly induces the person
so deceived to deliver any property to any person, or to consent that any person
shall retain any property, or intentionally induces the person so deceived to do or
omit to do anything which he would not do or omit if he were not so deceived, and
which act or omission causes or is likely to cause damage or harm to that person
in body, mind, reputation or property, is said to "cheat".
Explanation- A dishonest concealment of facts is a deception within the meaning
of this section.
Illustrations
(a) A, by falsely pretending to be in the Civil Service, intentionally deceives Z, and
thus dishonestly induces Z to let him have on credit goods for which he does not
mean to pay. A cheats.
CYBER CRIMES AND PENALTIES
prashan t. mali@cyberla wconsulting. com
Crimes Involving Money
Illustration 1
Rs. 2,50,000 were misappropriated from Bank of Baroda in India through
falsification of computerized bank accounts.
Illustration 2
The Hyderabad police in India arrested an unemployed computer operator and his
friend, a steward in a prominent five-star hotel, for stealing and misusing credit
card numbers belonging to hotel customers.
The steward noted down the various details of the credit cards, which were
handed by clients of the hotel for paying their bills. Then, he passed all the details
to his computer operator friend who used the details to make online purchases on
various websites.
Illustration 3
In 2004, the US Secret Service investigated and shut down an online organization
that trafficked in around 1 .7 million stolen credit cards and stolen identity
information and documents.
This high-profile case, known as "Operation Firewall," focused on a criminal
organization of some 4,000 members whose Web site functioned as a hub for
identity theft activity.
Illustration 4
In 2003, a hacker was convicted in the USA for causing losses of almost $25
million. The defendant pleaded guilty to numerous charges of conspiracy,
computer intrusion, computer fraud, credit card fraud, wire fraud, and extortion.
The hacker and his accomplices from Russia had stolen usernames, passwords,
credit card information, and other financial data by hacking into computers of US
citizens. They would then extort money from those victims with the threat of
deleting their data and destroying their computer systems.
Case of Extortion of Money through Internet
The complainant has received a threatening email and demanded protection from
unknown person claiming to be the member of Halala Gang, Dubai. Police
registered a case u/s. 384/506/51 1 IPC.
The sender of the email used the email ID xyz@yahoo.com & abc@yahoo.com
and signed as Chengez Babar.
The Cyber cafes from which the emails has been made were monitored and the
accused person was nabbed red handed.
CYBER CRIMES AND PENALTIES 7 prashant.mali@cyberlawconsulting.com
Cyber Pornography & Child Pornography
Ch.3.0 CYBER PORNOGRAPHY & CHILD PORNOGRAPHY
Cyber pornography is believed to be one of the largest businesses on the Internet
today. The millions of pornographic websites that flourish on the Internet are
testimony to this. While pornography per se is not illegal in many countries, child
pornography is strictly illegal in most nations
today.
Cyber pornography covers pornographic
websites, pornographic magazines produced
using computers (to publish and print the
material) and the Internet (to download and
transmit pornographic pictures, photos,
writings etc).
Section 67: Punishment for publishing or
transmitting obscene material in
electronic form (Amended vide ITAA 2008)
Whoever publishes or transmits or causes to be published in the electronic form,
any material which is lascivious or appeals to the prurient interest or if its effect is
such as to tend to deprave and corrupt persons who are likely, having regard to all
relevant circumstances, to read, see or hear the matter contained or embodied in
it, shall be punished on first conviction with imprisonment of either description
for a term which may extend to two three years and with fine which may extend
to five lakh rupees and in the event of a second or subsequent conviction with
imprisonment of either description for a term which may extend to five years and
also with fine which may extend to ten lakh rupees.
The Indian Penal Code, 1860 section 293 also specifies, in clear terms, the
law against Sale etc. of obscene objects to minors. As per the IPC Act,
As per IPC, 1860, Section 292 - For the purposes of sub-section (2), a book,
pamphlet, paper, writing, drawing, painting representation, figure or any other
object, shall be deemed to be obscene if it is lascivious or appeals to the prurient
interest or if its effect, or (where it comprises two or more distinct items) the effect
of any one of its items, is, if taken as a whole, such as to tend to deprave and
corrupt persons who are likely, having regard to all relevant circumstances, to
read, see or hear the matter contained or embodied in it.]
CYBER CRIMES AND PENALTIES
prashan t. mali@cyberla wconsulting. com
Cyber Pornography & Child pornography
Illustration 1
In the first case of this kind, the Delhi Police Cyber Crime Cell registered a case
under section 67 of the IT act, 2000. A student of the Air Force Balbharati School,
New Delhi, was teased by all his classmates for having a pockmarked face, used
a free hosting provider to create www.amazing-gents.8m.net.
He regularly uploaded "morphed" photographs of teachers and girls from his
school onto the website. He was arrested when the father of one of the victims
reported the case to the police.
Illustration 2
The CEO of online auction website bazee.com (a part of the ebay group) was
arrested by the Delhi police for violating India's strict laws on cyber pornography.
An engineering student was using the bazee website to sell a video depicting two
school students having sexual intercourse. Bazee.com was held liable for
distributing porn and hence the CEO was arrested.
Illustration 3
The CEO of a software company in Pune (India) was arrested for sending highly
obscene emails to a former employee.
Child pornography: The newly inserted section 67 B of ITAA, 2008deals with
child pornography. The wordings of the section are very hard worded and makes
even the recording in electronic form of any sexually explicit act with children shall
be punishable under this section. Even if one is found to be engaged in online
relationship with sexual overtone that may offend a reasonable adult on the
computer resource would be punishable under this section. The expression "May
offend a reasonable adult" is subject to judicial scrutiny and interpretation and
leaves scope for misuse and controversy.
67 B Punishments for publishing or transmitting of material depicting children
in sexually explicit act, etc. in electronic form. Whoever,-
(a) Publishes or transmits or causes to be published or transmitted material in
any electronic form which depicts children engaged in sexually explicit act or
conduct or
(b) creates text or digital images, collects, seeks, browses, downloads, advertises,
promotes, exchanges or distributes material in any electronic form depicting
children in obscene or indecent or sexually explicit manner or
(c) cultivates, entices or induces children to online relationship with one or more
children for and on sexually explicit act or in a manner that may offend a
reasonable adult on the computer resource or
CYBER CRIMES AND PENALTIES 9 prashant.mali@cyberlawconsultlng.com
Cyber Pornography & Child pornography
(d) facilitates abusing children online or
(e) records in any electronic form own abuse or that of others pertaining to
sexually explicit act with children,
shall be punished on first conviction with imprisonment of either description for a
term which may extend to five years and with a fine which may extend to ten lakh
rupees and in the event of second or subsequent conviction with imprisonment of
either description for a term which may extend to seven years and also with fine
which may extend to ten lakh rupees:
Provided that the provisions of section 67, section 67A and this section does not
extend to any book, pamphlet, paper, writing, drawing, painting, representation or
figure in electronic form-
(i) The publication of which is proved to be justified as being for the public good on
the ground that such book, pamphlet, paper writing, drawing, painting,
representation or figure is in the interest of science, literature, art or learning or
other objects of general concern; or
(ii) which is kept or used for bonafide heritage or religious purposes
Explanation: For the purposes of this section, "children" means a person who has
not completed the age of 18 years.
Section 293 - " Sale, etc. of obscene objects to young persons - Whoever
sells, lets to hire, distributes, exhibits or circulates to any person under the age of
twenty years any such obscene object, as is referred to in IPC Section 292
(definition given below), or offers of attempts so to do, shall be punished (on first
conviction with imprisonment or either decription for a term which may extend to
three years, and which fine which may extend to two thousand rupees, and, in the
event of a second or subsequent conviction, with imprisonment of either
description for a term which may extend to
seven years, and also with fine which may
extend to five thousand rupees)"
CASE OF CHENNAI: The cyber crime police
arrested Will Heum (56), a Dutch national
living in Chennai, for uploading child
pornographic materials on the internet. Police
recovered his personal computer and
pornographic materials from his house.
Heum is already facing a case in
Chengalpattu court for sexually abusing
CYBER CRIMES AND PENALTIES
10
prashan t. mall@cyberla wconsulting. com
Cyber Pornography & Child pornography
children of Little Home, an orphanage he
had opened near Mamallapuram. He was arrested in May 2002. Out on bail and
living in a rented house in Choolaimedu, he was uploading pictures of children
being sexually abused, police said.
This is the first case of child pornography to be registered in the country under
the IT Act, which came into force on October 27. Heum was booked under
Section 67-B of the IT Act, 2008, which deals with digital child pornography, and
remanded in judicial custody after being produced before the XI metropolitan
magistrate court in Saidapet. The IT Act spells out a maximum punishment of
seven years' imprisonment and a fine of Rs 10 lakh.
It was a tip-off from the Child Exploitation Online Protection Centre in Germany
through Interpol that led to the arrest of Heum, who has done bit roles in Tamil
movies.
Initial inquiries revealed that he had uploaded video clips of foreign children. "We
are interrogating him about the source of these clips. We have to verify the seized
computer accessories to check if he had uploaded clips of Indian children too," a
police officer said.
"It was an example of good co-ordination between the city police and the
international agencies. Cyber crime has no geographical barriers,"
Sec. 292,293,294 IPC, Indecent Representation of Women Act
Section 292. Sale, etc., or obscene books, etc.
(1) For the purposes of sub-section (2), a book, pamphlet, paper, writing,
drawing, painting, representation, figure or any other object, shall be deemed to
be obscene if it is lascivious or appeals to the prurient interest or if its effect, or
(where it comprises two or more distinct items) the effect of any one of its items,
is, if taken as a whole, such as to tend to deprave and corrupt persons who are
likely, having regard to all relevant circumstances, to read, see or hear the matter
contained or embodied in it.]
3(2) Whoever-
(a) Sells, lets to hire, distributes, publicly exhibits or in any manner puts into
circulation, or for purposes of sale, hire, distribution, public exhibition or
circulation, makes, produces or has in his possession any obscene book,
pamphlet, paper, drawing, painting, representation or figure or any other obscene
object whatsoever, or
CYBER CRIMES AND PENALTIES \ \ prashant.mali@cyberlawconsultlng.com
Cyber Pornography & Child pornography
(b) Imports, exports or conveys any obscene object for any of the purposes
aforesaid, or knowing or having reason to believe that such object will be sold, let
to hire, distributed or publicly exhibited or in any manner put into circulation, or
(c) Takes part in or receives profits from any business in the course of which he
knows or has reason to believe that any such obscene objects are, for any of the
purposes aforesaid, made, produced, purchased, kept, imported, exported,
conveyed, publicly exhibited or in any manner put into circulation, or
(d) Advertises or makes known by any means whatsoever that any person is
engaged or is ready to engage in any act which is an offence under this section,
or that any such obscene object can be procured from or through any person, or
(e) Offers or attempts to do any act which is an offence under this section,
Shall be punished 4[on first conviction with imprisonment of either description for
a term which may extend to two years, and with fine which may extend to two
thousand rupees, and, in the event of a second or subsequent conviction, with
imprisonment of either description for a term which may extend to five years, and
also with fine which may extend to five thousand rupees].
5 Exception-This section does not extend to-
(a) Any book, pamphlet, paper, writing, drawing, painting, representation orfigure-
(i) The publication of which is proved to be justified as being for the public good on
the ground that such book, pamphlet, paper, writing, drawing, painting,
representation or figure is in the interest of science, literature, art of learning or
other objects of general concern, or
(ii) Which is kept or used bona fide for religious purposes;
(b) Any representation sculptured, engraved, painted or otherwise represented on
or in-
(i) Any ancient monument within the meaning or the Ancient Monuments and
Archaeological Sites and Remains Act, 1958 (24 of 1958), or
(ii) Any temple, or on any car used for the conveyance of idols, or kept or used for
any religious purpose.
Section 292A. Printing etc. of grossly indecent or scurrilous matter or
matter intended for blackmail
Whoever, -
CYBER CRIMES AND PENALTIES 12 prashant.mali@cyberlawconsultlng.com
Cyber Pornography & Child pornography
(a) Prints or causes to be printed in any newspaper, periodical or circular, or
exhibits or causes to be exhibited, to public view or distributes or causes to be
distributed or in any manner puts into circulation any picture or any printed or
written document which is grossly indecent, or in scurrilous or intended for
blackmail, or
(b) Sells or lets for hire, or for purposes of sale or hire makes, produces or has in
his possession, any picture or any printed or written document which is grossly
indecent or is scurrilous or intended for blackmail; or
(c) Conveys any picture or any printed or written document which is grossly
indecent or is scurrilous or intended for blackmail knowing or having reason to
believe that such picture or document will be printed, sold, let for hire distributed
or publicly exhibited or in any manner put into circulation; or
(d) Takes part in, or receives profits from, any business in the course of which he
knows or has reason to believe that any such newspaper, periodical, circular,
picture or other printed or written document is printed, exhibited, distributed,
circulated, sold, let for hire, made, produced, kept, conveyed or purchased; or
(e) Advertises or makes known by any means whatsoever that any person is
engaged or is ready to engage in any Act which is an offence under this section,
or that any such newspaper, periodical, circular, picture or other printed or written
document which is grossly indecent or is scurrilous or intended for blackmail, can
be procured from or through any person; or
(f) Offers or attempts to do any act which is an offence under this section *[shall
be punished with imprisonment of either description for a term which may extend
to two years, or with fine, or with both.
Provided that for a second or any subsequent offence under this section, he shall
be punished with imprisonment of either description for a term which shall not be
less than six months and not more than two years.
Explanation I - For the purposes of this section, the word scurrilous shall be
deemed to include any matter which is likely to be injurious to morality or is
calculated to injure any person:
Provided that it is not scurrilous to express in good faith anything whatever
respecting the conduct of-
(i) A public servant in the discharge of his public functions or respecting his
character, so far as his character appears in that conduct and no further; or
(ii) Any person touching any public question, and respecting his character, so far
as his character appears in that conduct and no further.
CYBER CRIMES AND PENALTIES 1 3 prashant.mali@cyberlawconsultlng.com
Cyber Pornography & Child pornography
Explanation II - In deciding whether any person has committed an offence under
this section, the Court shall have regard inter alia, to the following considerations-
(a) The general character of the person charged, and where relevant the nature of
his business;
(b) The general character and dominant effect of the matter alleged to be grossly
indecent or scurrilous or intended for blackmail;
(c) Any evidence offered or called by or on behalf of the accused person as to his
intention in committing any of the acts specified in this section.
Section 293. Sale, etc., of obscene objects to young person
Whoever sells, lets to hire, distributes, exhibits or circulates to any person under
the age of twenty years any such obscene object as is referred to in the last
preceding section, or offers or attempts so to do, shall be punished 2[on first
conviction with imprisonment of either description for a term which may extend to
three years, and with fine which may extend to two thousand rupees, and, in the
event of a second or subsequent conviction, with imprisonment of either
description for a term which may extend to seven years, and also with fine which
may extend to five thousand rupees.
Section 294. Obscene acts and songs
Whoever, to the annoyance of others-
(a) Does any obscene act in any public place, or
(b) Sings, recites or utters any obscene song, balled or words, in or near any
public place,
Shall be punished with imprisonment of either description for a term which may
extend to three months, or with fine, or with both.
CYBER CRIMES AND PENALTIES 14 prashant.mali@cyberlawconsultlng.com
Cyber Bullying
Ch.4.0 CYBER BULLYING
With today's technology bullying has become easier then even the children and
youth of this generation do not even need to have personal confrontation. Cyber
bullying can be defined as any communication posted or sent by a minor online,
by instant messenger, e-mail, Social Networking Site, website, diary site, online
profile, interactive game, handheld device, cell phone or other interactive device
that is intended to frighten, embarrass, harass or otherwise target another minor.
Cyber bullying is disturbingly common
among Indian teens. Cyber-Bullying:
Our Kids' New Reality is a survey that
was conducted from December 2006 -
January 2007 by the members of Kids
Help Phone that had over 2500
respondents. More than 70 per cent of
respondents to the survey reported
that they have been bullied online,
while 44 per cent said they have
bullied someone online. At least 38
percent reported having experienced
cyber-bullying within the last three
months. Of the methods used, 77
percent reported being bullied by instant messaging, 37 per cent by e-mail and 31
per cent on social networking sites, such as MySpace and Facebook. When
bullied online, 43 per cent said they did nothing, 32 per cent confronted the
person who bullied them, and 27 per cent told a friend. Although most cyber
bullying cases go unreported, police departments take action in trying to prevent
it. Because many people are afraid to come to the police about an online problem,
the police go to great lengths to find the problems themselves online.
A large number of youth and their parents think that cyber bullying is not a big
enough deal to cause problems. However, it has been proven that a victim of this
type of bullying can be lead to serious disorders for the future including suicide.
When one becomes a victim of cyber bullying, they are a victim for life. Though
the bullying itself may go away, the fear, the hurt, and the memories scar the
victim forever.
Cyber Bullying is one type of "Unauthorized use" or "Unauthorized access to the
facilities". This is "hacking" under Section 66 of ITA 2008 and also liable for
compensation under Section 43 of ITA 2008.
CYBER CRIMES AND PENALTIES
15
prashan t. mali@cyberla wconsulting. com
Identity Theft
Ch. 5-0 IDENTITY THEFT
Identity theft is a term used to refer to fraud that involves stealing money or
getting other benefits by pretending to be someone else. The term is relatively
new and is actually a misnomer, since it is not inherently possible to steal an
identity, only to use it. The person whose identity is used can suffer various
consequences when they are held
responsible for the perpetrator's actions. At
one time the only way for someone to steal tv II
somebody else's identity was by killing that
person and taking his place. It was typically
a violent crime. However, since then, the
crime has evolved and today's white
collared criminals are a lot less brutal. But
the ramifications of an identity theft are still
scary.
As per the non-profit Identity Theft
Resource Center, identity thefts can be
sub-divided into four categories. These are
financial identity theft, criminal identity theft,
identity cloning, and business/commercial
identity theft.
In many cases the victim is not even aware of what is being done till it is already
too late. Identity theft may be used to facilitate crimes, including illegal
immigration, terrorism, and espionage. It may also be used as a means of
blackmail. There have also been cases of identity cloning to attack payment
systems, including online credit card processing and medical insurance.
Sometimes people may impersonate others for non-financial reasons too. This is
often done to receive praise or attention for the victim's achievements. This is
sometimes referred to as identity theft in the media, and is a common trend seen
by look-a-likes.
One does not have to think too far back before re-collecting a probable victim of
identity theft in India.
Illustration 1 : An American national named Ken Haywood, whose most likely
fault is, that his Wi-Fi internet connection was hacked, was only recently under the
scanner for involvement in the Ahmadabad terrorist attacks. The sad part
remains, while speculators and the cyber crime unit suspect foul play and
hacking, not once has the term identity theft or identity protection been suggested.
And, this just goes to show our current level of awareness towards a threat so
obvious.
CYBER CRIMES AND PENALTIES
16
prashan t. mali@cyberla wconsulting. com
Illustration 2
Identity Theft
The biggest case of identity theft ever seen, took place in August of 2009. Eleven
people, including a US secret service informant, had been charged in connection
with the hacking of nine major retailers and the theft and sale of more than 41
million credit and debit card numbers! This data breach is believed to be the
largest hacking and identity theft case ever prosecuted by the US Department of
Justice, which announced that the suspects were charged with conspiracy,
computer intrusion, fraud and identity theft. Three of those charged are US
citizens, while the others are from places such as Estonia, Ukraine, Belarus and
China.
The areas of data protection and securitsation are still very weak. How else could
1 1 people whose nations barely get along, pull of a heist involving a whooping 41
million credit card and debit card numbers. Yes, one can argue that this happened
half-way across the globe and India is so much safer. But is it really? Forget the
Ken Haywood incident, one might pass it off as an extreme case still in the grey
area. But, last year when there was a duplicate Axis bank web page created,
which was "phising" for unsuspecting baits on the internet, the victims and crime
was a lot closer home.
Illustration 3
Kingfisher Airlines was duped of Rs 17 crore caused by an online ticket booking
fraud, caused by credit card bookings. These credit card details were obtained by
the thieves from various places like shopping mall, restaurant and petrol-pump
employees who swipe these cards, felt the officers working on this case.
"Data loss is a burning issue that should be on the mind of every C-level executive
and board member — if it isn't already. Every day we read about companies
suffering millions of dollars in losses due to security breaches. Those losses
directly hurt the innocent stakeholders of those companies, including hardworking
employees and shareholders. Opportunity for data loss is everywhere, and
intentional or otherwise, data that ends up in the wrong place can do tremendous
harm. It might be at the hands of a single disgruntled employee with a flash drive,
or a forgetful member of your finance department leaving a CD-ROM on the
subway. But however it happens, data loss can be devastating, and it's only a
matter of time before a high-profile company, perhaps a squeaky clean one
bursting with integrity and good will, is brought to its knees by a breach" feels
Dave DeWalt, McAfee, president and CEO, in MacAfee's and Data monitor's
latest research report.
66C Punishment for identity theft. (Inserted Vide ITA 2008)
Whoever, fraudulently or dishonestly make use of the electronic signature, password or
any other unique identification feature of any other person, shall be punished with
CYBER CRIMES AND PENALTIES 17 prashant.mall@cyberlawconsultlng.com
imprisonment of either description for a term which may extend to three years and shall
also be liable to fine which may extend to rupees one lakh.
Identity Theft
66D Punishment for cheating by personation by using computer resource
Whoever, by means of any communication device or computer resource cheats by
personation, shall be punished with imprisonment of either description for a term which
may extend to three years and shall also be liable to fine which may extend to one lakh
rupees.
IPC
Section 41 7A, that prescribes punishment of up to 3 years imprisonment and a fine for
cheating, by using any unique identification feature of any other person.
Section 41 9A, which prescribes punishment of up to 5 years imprisonment and a
fine for cheating by impersonation, using a network or computer resource.
CYBER CRIMES AND PENALTIES 1 8 prashant.mall@cyberlawconsultlng.com
Sale of Illegal Articles on Internet
Ch.6,0 SALE OF ILLEGAL ARTICLES ON INTERNET
It is becoming increasingly common to find cases where sale of illegal articles
such as narcotics drugs, weapons, wildlife etc. is being facilitated by the Internet.
Information about the availability of the products for sale is being posted on
auction websites, bulletin boards etc.
It is practically impossible to control or prevent a criminal from setting up a
website to transact in illegal articles. Additionally, there are several online
payment gateways that can transfer money around the world at the click of a
button.
The Internet has also created a marketplace for the sale of unapproved drugs,
prescription drugs dispensed without a valid prescription, or products marketed
with fraudulent health claims.
Many sites focus on selling prescription drugs and are referred to by some as
"Internet pharmacies." These sites offer for sale either approved prescription drug
products, or in some cases, unapproved, illegal versions of prescription drugs.
This poses a serious potential threat to the health and safety of patients. The
broad reach, relative anonymity, and ease of creating new or removing old
websites, poses great challenges for law enforcement officials.
As pointed out earlier, the online lottery is the most popular form of internet
gambling in India. Most companies marketing and distributing or conducting state
government-sponsored lotteries through the internet are not allowed to sell their
services in the states that banned lotteries. In most cases, these marketers and
distributors limit their online services to consumers who are residents of the states
where a lottery is permissible. Notwithstanding the fact there has been no
reported case of breach by any company promoting online lotteries, most of these
companies (as a safeguard) seek an undertaking from their consumers relating to
their residence.
There have been instances where one state has banned the lottery of other
states, including online lotteries. In a recent case, the Karnatka High Court upheld
the decision of the Karnataka government to make itself a 'lottery free zone' by
imposing a ban on lotteries of all other states, including online lotteries under the
Lotteries (Regulation) Act 1998. The state government, in this case, directed the
closure of the terminals and kiosks selling the online lotteries.
Enforcement over foreign jurisdictions
If the websites are hosted and operated from outside India, it was difficult for the
Indian authorities to issue any directive to close them down or prohibit their
CYBER CRIMES AND PENALTIES 1 9 prashant.mall@cyberlawconsultlng.com
access without using its blocking powers under the ITA but under ITA 2008. The
authorities have little to worry about, as Indian foreign exchange laws do not
permit remittances outside India for gambling related sastiirii&ai smks <a&nt&h&
purchase of lottery tickets, football pools and sweepstakes. As a result, a
gambling website hosted outside India aiming at receiving money from within
India cannot do so through legal channels.
Illustration
Many of the auction sites even in India are believed to be selling cocaine in the
name of 'honey'. The clip of the DPS students was kept for selling on the site
called Bazee.com by a student from NT Kharagpur.
case filed under - NDPS Act
Illustration
In March 2007, the Pune rural police cracked down on an illegal rave party and
arrested hundreds of illegal drug users. The social networking site Orkut.com is
believed to be one of the modes of communication for gathering people for the
illegal "drug" party.
case is filed under -NDPS Act
Online sale of Arms -Arms Act will be applicable
CYBER CRIMES AND PENALTIES 20 prashant.mali@cyberlawconsultlng.com
Online Gambling
Ch.7.0 ONLINE GAMBLING
qed ens |^| o s e
There are thousands of Websites that offer online Gambling. The special issue
with online gambling is that it is legalised in several countries. So legally the
owners of these websites are safe in their home countries, virtual casinos, Cases
of money laundering etc are onlne cases.
The legal issues arise when a person
residing in a foreign country like India (where
such website are illegal) gambles on such a
website.
The law related to gambling is also
applicable to online gambling. All gambling
contracts are considered to be wagering
contracts and it is not possible to enforce
such contracts under the ICA, detailed
above.
Illustration
The website ladbrokes.com permits users to gamble on a variety of sports such
as cricket, football, tennis, golf, motor racing, ice hockey, basketball, baseball,
darts, snooker, boxing, athletics', rugby, volleyball, motorcycling etc.
Additionally it also features an online casino. The website has no technical
measures in place to prohibit residents of certain countries (where online
gambling is illegal) from betting at their website
Cyber lotto case: In Andhra
Pradesh one Kola Mohan created a website and an email address on the Internet
with the address 'eurolottery@usa.net. ' which shows his own name as beneficiary
of 12.5 million pound in Euro lottery. After getting confirmation with the email
address a telgu newspaper published this as news.
He gathered huge sums from the public as well as from some banks. The fraud
came to light only when a cheque amounting Rs 1.73 million discounted by him
with Andhra bank got dishonored
The law relating to online gambling in India needs to be understood within the
country's socio-cultural context. At the outset, gambling, although not absolutely
CYBER CRIMES AND PENALTIES
21
prashan t. mali@cyberla wconsulting. com
prohibited in India, does not receive express encouragement by policy makers.
The Indian organized gambling industry is estimated to be worth around US$8
Online Gambling
billion. While stringent laws have checked the proliferation of casinos and high
street gaming
centres as in many other countries, barring the state of Goa, the lottery business
remains the most post popular form of gambling.
Though gambling is not illegal, it is a highly controlled and regulated activity.
Modern India is a quasi-federal Constitutional democracy and the powers to
legislate are distributed at the federal as well as the state levels. Gambling
features in List II of the Constitution of India, this implies that the state
governments have the authority to enact laws in order to regulate gambling in the
respective states. Thus, there is no single law governing gambling in the entire
country. Different states have different laws governing gambling in addition to the
laws that have an application across the country. While some states have banned
lotteries, other states allow state government lotteries marketed and distributed in
other lottery playing and promoting states through private entities.
Regulation of gambling
The courts have defined gambling as 'the payment of a price for a chance to win a
prize'. The dominant element of skill or chance shall determine the nature of the
game. A game may be deemed to be gambling if the element of chance or luck
predominates in deciding its outcome. As a result, Indian courts have held that
betting on horse racing and a few card games are not gambling. The right to
undertake the business of gambling and lotteries is not considered as a
fundamental right protected by the Constitution of India. It may however be
pointed out that the state government run lotteries make significant contributions
to the state exchequer of several state governments and the Union government,
and hence there is a resistance to complete prohibition.
The following legislation is pertinent to gambling:
The Public Gaming Act, 1867
This Act provides punishment for public gambling and for keeping of a 'common
gaming house'. This Act also authorises the state governments to enact laws to
regulate public gambling in their respective jurisdictions. The penal legislations in
respective states have been amended in accordance with their policy on
gambling. However, this legislation does not have any direct impact on online
gambling unless a wide interpretation is given to the definition of common gaming
house so as to include virtual forums as well.
The Indian Contract Act, 1872 (ICA)
CYBER CRIMES AND PENALTIES 22 prashant.mali@cyberlawconsulting.com
The ICA is a codified umbrella legislation that governs all commercial contracts in
India. Under the ICA, a wagering contract is the one which cannot be enforced.
The Act lays down; 'Agreements by way of wager are void, and no suit shall be
brought for recovering anything alleged to be won on any wager or entrusted to
Online Gambling
any person to abide by the result of any game or other uncertain event on which
any wager is made'. Gambling, lottery and prize games have held to be wagering
contracts and thus void and unenforceable. While a wagering contract is not
illegal, it cannot be enforced in a court of law. Thus, the courts will not entertain
any cause of action that arises out of a wagering contract.
Lotteries (Regulation) Act, 1998
This Act provides a framework for organizing lotteries in the country. Under this
Act, the state governments have been authorized to promote as well as prohibit
lotteries within their territorial jurisdiction. This Act also provides for the manner in
which the lotteries are to be conducted and prescribes punishment in case of
breach of its provision. Lotteries not authorized by the state have been made an
offence under the Indian Penal Code. Several non-lottery playing states, like
Gujarat and Uttar Pradesh, have prohibited the sale of other state-government
lotteries under this Act.
Indian Penal Code, 1860
Section 294A deals with keeping lottery office. It says that whoever keeps any
office or place for the purpose of drawing any lottery not being a State lottery or a
lottery authorised by the State Government, shall be punished with imprisonment
of either description for a term which may extend to six months, or with fine, or
with both.
And whoever publishes any proposal to pay any sum, or to deliver any goods, or
to do or forbear doing anything for the benefit of any person, on any event or
contingency relative or applicable to the drawing of any ticket, lot, number or
figure in any such lottery, shall be punished with fine which may extend to one
thousand rupees.
CYBER CRIMES AND PENALTIES 23 prashant.mali@cyberlawconsulting.com
Intellectual Property Crimes
Ch.8,0 INTELLECTUAL PROPERTY CRIMES
These include software piracy, copyright infringement, trademarks violations, theft
of computer source code etc.
Illustration 1
Bharti Cellular Ltd. filed a case in the Delhi High Court that some cyber squatters
had registered domain names such as barticellular.com and bhartimobile.com
with Network solutions under different fictitious names. The court directed
Network Solutions not to transfer the domain names in question to any third party
and the matter is sub-judice.
Illustration 2
Yahoo had sued one Akash Arora for use of the domain name 'Yahooindia.Com'
deceptively similar to its 'Yahoo.com'. As this case was governed by the Trade
Marks Act, 1958, the additional defence taken against Yahoo's legal action for the
interim order was that the Trade Marks Act was applicable only to goods.
Illustration 3
A software professional from Bangalore (India) was booked for stealing the source
code of a product being developed by his employers. He started his own company
and allegedly used the stolen source code to launch a new software product.
Illustration 4
In 2003, a computer user in China obtained
the source code of a popular game -
Lineagell from an unprotected website.
This proprietary code was then sold to
several people in 2004. One of those
people set up a website,
www.l2extreme.com, to offer the "Lineage"
game at a discount.
Despite legal warnings from the South
Korean company that owned the Lineage
source code, the suspect did not shut down
the site. He rented powerful servers enough
CYBER CRIMES AND PENALTIES
24
prashan t. mali@cyberla wconsulting. com
to accommodate 4,000 simultaneous gamers - and solicited donations from users
to help defray the costs.
Intellectual Property Crimes
The loss in potential revenues for the South Korean company was estimated at
$750,000 a month. The US FBI arrested the suspect and the website was shut
down.
For Piracy - Sec. 51, 63, 63 B Copyright Act will be applicable.
CHAPTER XI : INFRINGEMENT OF COPYRIGHT
51. When copyright infringed
Copyright in a work shall be deemed to be infringed-
(a) when any person, without a licence granted by the owner of the copyright or
the Registrar of Copyrights under this Act or in contravention of the conditions of a
licence so granted or of any condition imposed by a competent authority under
this Act-
(i) does anything, the exclusive right to do which is by this Act conferred upon the
owner of the copyright; or
(ii) permits for profit any place to be used for the communication of the work to the
public where such communication constitutes an infringement of the copyright in
the work, unless he was not aware and had no reasonable ground for believing
that such communication to the public would be an infringement of copyright; or
(b) when any person-
(i) makes for sale or hire, or sells or lets for hire, or by way of trade displays or
offers for sale or hire, or
(ii) distributes either for the purpose of trade or to such an extent as to affect
prejudicially the owner of the copyright, or
(iii) by way of trade exhibits in public, or
(iv) imports 22[* * *] into India,
any infringing copies of the work:
PROVIDED that nothing in sub-clause (iv) shall apply to the import of one copy of
any work for the private and domestic use of the importer.
CYBER CRIMES AND PENALTIES 25 prashant.mali@cyberlawconsulting.com
Explanation: For the purposes of this section, the reproduction of a literary,
dramatic, musical or artistic work in the form of a cinematograph film shall be
deemed to be an "infringing copy".
Intellectual Property Crimes
63. Offence of infringement of copyright or other rights conferred by this Act
Any person who knowingly infringes or abets the infringement of-
(a) the copyright in a work, or
(b) any other right conferred by this Act, except the right conferred by section 53A,
shall be punishable with imprisonment for a term which shall not be less than six
months but which may extend to three years and with fine which shall not be less
than fifty thousand rupees but which may extend to two lakh rupees:
PROVIDED that where the infringement has not been made for gain in the course
of trade or business the court may, for adequate and special reasons to be
mentioned in the judgment, impose a sentence of imprisonment for a term of less
than six months or a fine of less than fifty thousand rupees.
Explanation: Construction of a building or other structure which infringes or which,
if completed, would infringe the copyright in some other work shall not be an
offence under this section.
63A. Enhanced penalty on second and subsequent convictions
Whoever having already been convicted of an offence under section 63 is again
convicted of any such offence shall be punishable for the second and for every
subsequent offence, with imprisonment for a term which shall not be less than one
year but which may extend to three years and with fine which shall not be less
than one lakh rupees but which may extend to two lakh rupees:
PROVIDED that where the infringement has not been made for gain in the course
of trade or business the court may, for adequate and special reasons to be
mentioned in the judgement, impose a sentence of imprisonment for a term of
less than one year or a fine of less than one lakh rupees:
PROVIDED FURTHER that for the purposes of this section, no cognisance shall
be taken of any conviction made before the commencement of the Copyright
(Amendment) Act, 1984 (65 of 1984).
CYBER CRIMES AND PENALTIES 26 prashant.mali@cyberlawconsultlng.com
Email Spoofing
Ch.9.0 EMAIL SPOOFING
A spoofed email is one that appears to originate from one source but actually has
been sent from another source e.g steve has an e-mail address
steve@cyberlawconsulting.com
Her ex-girlfriend, Sandra spoofs her e-mail and sends obscene messages to all
his acquaintances. Since the e-mails appear to have originated from Steve, his
friends may take offence and relationships may be spoiled for life.
Forgery of electronic records, Email spoofing Under ITA 2008 Section 66A,
66C.
66A Punishment for sending offensive messages through communication
service, etc.( Introduced vide ITAA 2008)
Any person who sends, by means
of a computer resource or a
communication device, -
a) any information that is grossly
offensive or has menacing
character; or
b) any information which he
knows to be false, but for the
purpose of causing annoyance,
inconvenience, danger,
obstruction, insult, injury, criminal
intimidation, enmity, hatred, or ill will, persistently makes by making use of such
computer resource or a communication device,
c) any electronic mail or electronic mail message for the purpose of causing
annoyance or inconvenience or to deceive or to mislead the addressee or
recipient about the origin of such messages (Inserted vide ITAA 2008)
shall be punishable with imprisonment for a term which may extend to two three
years and with fine.
Explanation: For the purposes of this section, terms "Electronic mail" and
"Electronic Mail Message" means a message or information created or
transmitted or received on a computer, computer system, computer resource or
communication device including attachments in text, image, audio, video and any
other electronic record, which may be transmitted with the message.
66C Punishment for identity theft. (Inserted Vide ITA 2008)
CYBER CRIMES AND PENALTIES
27
prashan t. mali@cyberla wconsulting. com
Email Spoofing
Whoever, fraudulently or dishonestly make use of the electronic signature,
password or any other unique identification feature of any other person, shall be
punished with imprisonment of either description for a term which may extend to
three years and shall also be liable to fine which may extend to rupees one lakh.
Sec 463, 464, 468, 469 IPC
Illustration 1
In an American case, a teenager made millions of dollars by spreading false
information about certain companies whose shares he had short sold.
This misinformation was spread by sending spoofed emails, purportedly from
news agencies like Reuters, to share brokers and investors who were informed
that the companies were doing very badly.
Even after the truth came out the values of the shares did not go back to the
earlier levels and thousands of investors lost a lot of money.
Illustration 2
A branch of the erstwhile Global Trust Bank in India experienced a run on the
bank. Numerous customers decided to withdraw all their money and close their
accounts.
An investigation revealed that someone had sent out spoofed emails to many of
the bank's customers stating that the bank was in very bad shape financially and
could close operations at any time. The spoofed email appeared to have
originated from the bank itself. Unfortunately this information proved to be true in
the next few days.
Case of Cyber Extortion and email spoofing
He does not know much about computer hacking, yet 51 -year-old cyber criminal
Pranab Mitra has stunned even the cyber crime investigation cell of Mumbai
police with his bizarre fraud on the Net. Mitra, a former executive of Gujarat
Ambuja Cement, was arrested in June 09 for posing as a woman and seducing
online an Abu Dhabi-based man,
thereby managing to extort Rs 96 lakh from him. Investigating officer he was
remanded to police custody and has been booked for cheating, impersonation,
blackmail and extortion under sections 384, 420, 465, 467, 471, 474 of the IPC,
read with the newly formed Information Technology Act 2008 66D
66DPunishment for cheating by personation by using computer resource
(Inserted Vide ITA 2008)
Whoever, by means of any communication device or
CYBER CRIMES AND PENALTIES 28 prashant.mali@cyberlawconsulting.com
Email Spoofing
computer resource cheats by personation, shall be punished with imprisonment of
either description for a term which may extend to three years and shall also be
liable to fine which may extend to one lakh rupees.
Case Story:
Mitra posed as a woman, Rita Basu, and created a fake e-mail ID through which
he contacted one V.R. Ninawe. According to the FIR, Mitra trapped Ninawe in a
"cyber-relationship" sending emotional messages and indulging in online sex
since June 2002. Later, Mitra sent an e-mail that "she would commit suicide" if
Ninawe ended the relationship. He also gave him "another friend Ruchira
Sengupta's" e-mail ID which was in fact his second bogus address. When Ninawe
mailed at the other ID he was shocked to learn that Mitra had died. Then Mitra
began the emotional blackmail by calling up Abu Dhabi to say that police here
were searching for Ninawe. Ninawe panicked on hearing the news and asked
Mitra to arrange for a good advocate for his defence. Ninawe even deposited a
few lakh in the bank as advocate fees. Mitra even sent e-mails as high court and
police officials to extort more money. Ninawe finally came down to Mumbai to
lodge a police case.
CYBER CRIMES AND PENALTIES 29 prashant.mali@cyberlawconsulting.com
Forgery
Ch.10.0 FORGERY
Counterfeit currency notes, postage and revenue stamps, mark sheets, academic
certificates etc are made by criminals using sophisticated computers, printers and
scanners.
IPC Section 463. Forgery.
Whoever makes any false documents or
electronic record part of a document or
electronic record with, intent to cause
damage or injury], to the public or to any
person, or to support any claim or title,
or to cause any person to part with
property, or to enter into any express or
implied contract, or with intent to commit
fraud or that fraud may be committed,
commits forgery.
IPC Section 464.
document
Making a false
A person is said to make a false document or false electronic record-
First - Who dishonestly or fraudulently-
(a) Makes, signs, seals or executes a document or part of a document;
(b) Makes or transmits any electronic record or part of any electronic record;
(c) Affixes any digital signature on any electronic record;
(d) Makes any mark denoting the execution of a document or the authenticity of
the digital signature,
With the intention of causing it to be believed that such document or part of
document, electronic record or digital signature was made, signed, sealed,
executed, transmitted or affixed by or by the authority of a person by whom or by
whose authority he knows that it was not made, signed, sealed, executed or
affixed; or
Secondly - Who, without lawful authority, dishonestly or fraudulently, by
cancellation or otherwise, alters a document or an electronic record in any
material part thereof, after it has been made, executed or affixed with digital
CYBER CRIMES AND PENALTIES
30
prashan t. mall@cyberla wconsulting. com
Forgery
signature either by himself or by any other person, whether such person be living
or dead at the time of such alteration; or
Thirdly- Who dishonestly or fraudulently causes any person to sign, seal, execute
or alter a document or an electronic record or to affix his digital signature on any
electronic record knowing that such person by reason of unsoundness of mind or
intoxication cannot, or that by reason of deception practiced upon him, he does
not know the contents of the document or electronic record or the nature of the
alterations.
Section 468. Forgery for purpose of cheating
Whoever commits forgery, intending that the 1 [document or Electronic Record
forged] shall be used for the purpose of cheating, shall be punished with
imprisonment of either description for a term which may extend to seven years,
and shall also be liable to fine.
Section 469. Forgery for purpose of harming reputation
Whoever commits forgery, 1 [intending that the document or Electronic Record
forged] shall harm the reputation of any party, or knowing that it is likely to used
for that purpose, shall be punished with imprisonment of either description for a
term which may extend to three years, and shall also be liable to fine.
ITA 2008 Section 65. Tampering with Computer Source Documents
Whoever knowingly or intentionally conceals, destroys or alters or intentionally or
knowingly causes another to conceal, destroy or alter any computer source code
used for a computer, computer programme, computer system or computer
network, when the computer source code is required to be kept or maintained by
law for the time being in force, shall be punishable with imprisonment up to three
years, or with fine which may extend up to two lakh rupees, or with both.
Explanation -
For the purposes of this section, "Computer Source Code" means the listing of
programmes
Illustration 1
In October 1995, Economic Offences Wing of Crime Branch, Mumbai (India),
seized over 22,000 counterfeit share certificates of eight reputed companies worth
Rs. 34.47 crores. These were allegedly prepared using Desk Top Publishing
Systems.
CYBER CRIMES AND PENALTIES 3 1 prashant.mali@cyberlawconsultlng.com
Forgery
Illustration 2
Abdul Kareem Telgi, along with several others, was convicted in India on several
counts of counterfeiting stamp papers and postage stamps totalling several billion
rupees.
CYBER CRIMES AND PENALTIES 32 prashant.mali@cyberlawconsultmg.com
Cyber Defamation
Ch.11.0 CYBER DEFAMATION
This occurs when defamation takes place with the help of computers and / or the
Internet, e.g. Sameer publishes defamatory matter about Pooja on a website or
sends e-mails containing defamatory information to Pooja's friends.
66 APunishment for sending offensive messages through communication
service, etc. (Introduced vide ITAA 2008)
Any person who sends, by means of a
computer resource or a communication
device,-
a) any information that is grossly
offensive or has menacing character; or
b) any information which he knows to
be false, but for the purpose of causing
annoyance, inconvenience, danger,
obstruction, insult, injury, criminal
intimidation, enmity, hatred, or ill will,
persistently makes by making use of
such computer resource or a
communication device,
c) any electronic mail or electronic mail message for the purpose of causing
annoyance or inconvenience or to deceive or to mislead the addressee or
recipient about the origin of such messages (Inserted vide ITAA 2008)
shall be punishable with imprisonment for a term which may extend to two - three
years and with fine.
Explanation: For the purposes of this section, terms "Electronic mail" and
"Electronic Mail Message" means a message or information created or
transmitted or received on a computer, computer system, computer resource or
communication device including attachments in text, image, audio, video and any
other electronic record, which may be transmitted with the message.
IPC ,Section 500. Punishment for defamation
Whoever defames another shall be punished with simple imprisonment for a term
which may extend to two years, or with fine, or with both.
IPC ,Section 509. Word, gesture or act intended to insult the modesty of a
woman
Whoever, intending to insult the modesty of any woman, utters any word, makes
any sound or gesture, or exhibits any object, intending that such word or sound
shall be heard, of that such gesture or object shall be seen, by such woman, or
CYBER CRIMES AND PENALTIES 33 prashant.mall@cyberlawconsultlng.com
Cyber Defamation
intrudes upon the privacy of such woman, shall be punished with simple
imprisonment for a term which may extend to one year, or with fine, or with both.
Illustration 1
Abhishek, a teenaged student was arrested by the Thane police in India following
a girl's complaint about tarnishing her image in the social networking site Orkut.
Abhishek had allegedly created a fake account in the name of the girl with her
mobile number posted on the profile.
The profile had been sketched in such a way that it drew lewd comments from
many who visited her profile. The Thane Cyber Cell tracked down Abhishek from
the false e-mail id that he had created to open up the account.
Illustration 2
The Aurangabad bench of the Bombay high court issued a notice to Google.com
following a public interest litigation initiated by a young lawyer.
The lawyer took exception to a community called 'We hate India', owned by
someone who identified himself as Miroslav Stankovic. The community featured a
picture of the Indian flag being burnt.
Illustration 3
Unidentified persons posted obscene photographs and contact details of a Delhi
school girl. Suggestive names like 'sex teacher' were posted on the profile. The
matter came to light after the girl's family started receiving vulgar calls referring to
Orkut.
CYBER CRIMES AND PENALTIES 34 prashant.mali@cyberlawconsulting.com
Ch.12.0 CYBER STALKING
Cyber Stalking
Cyber stalking refers to the use of the Internet, e-mail, or other electronic
communications devices to stalk another person.
Stalking generally involves
harassing or threatening
behavior that an individual
engages in repeatedly, such as
following a person, appearing
at a person's home or place of
business, making harassing
phone calls, leaving written
messages or objects, or
vandalizing a person's
property.
Most stalking laws require that
the perpetrator make a credible
threat of violence against the
victim; others include threats
against the victim's immediate family.
Sec. 503 IPC Criminal intimidation
Whoever threatens another with any injury to his person, reputation or property, or
to the person or reputation of any one in whom that person is interested, with
intent to cause alarm to that person, or to cause that person to do any act which
he is not legally bound to do, or to omit to do any act which that person is legally
entitled to do, as the means of avoiding the execution of such threat, commits
criminal intimidation.
Explanation-A threat to inure the reputation of any deceased person in whom the
person threatened is interested, is within this section.
2. Sending defamatory messages by email
Sec. 499 IPC Defamation
Whoever, by words either spoken or intended to be read, or by signs or by visible
representations, makes or publishes any imputation concerning any person
intending to harm, or knowing or having reason to believe that such imputation will
harm, the reputation of such person, is said, except in the cases hereinafter
expected, of defame that person.
CYBER CRIMES AND PENALTIES
35
prashan t. mali@cyberla wconsulting. com
Cyber Stalking
Explanation 1 - It may amount to defamation to impute anything to a deceased
person, if the imputation would harm the reputation of that person if living, and is
intended to be hurtful to the feelings of his family or other near relatives.
Explanation 2 - It may amount to defamation to make an imputation concerning a
company or an association or collection of persons as such.
Explanation 3 - An imputation in the form of an alternative or expressed
ironically, may amount to defamation.
Explanation 4 - No imputation is said to harm a person's reputation, unless that
imputation directly or indirectly, in the estimation of others, lowers the moral or
intellectual character of that person, or lowers the character of that person in
respect of his caste or of his calling, or lowers the credit of that person, or causes
it to be believed that the body of that person is in a loathsome state, or in a state
generally considered as disgraceful
Illustration 1
Ritu Kohli has the dubious distinction
being the first lady to register the cyber
stalking case. A friend of her husband
gave her telephonic number in the
general chat room. The general
chatting facility is provided by some
websites like MIRC and ICQ. Where
person can easily chat without
disclosing his true identity. The friend
husband also encouraged this chatters
speak in slang language to Ms. Kohli.
Section 509 of IPC.
Waltr 'til my b\ogger buddies hear
how baked I got \m&t ni^ht,
Of
of
to
S. 509 of IPC. Word, gesture or act intended to insult the modesty of a
woman - Whoever, intending to insult the modesty of any woman, utters any
word, makes any sound or gesture, or exhibits any object, intending that such
word or sound shall be heard, or that such gesture or object shall be seen, by
such woman, or intrudes upon the privacy of such woman, shall be punished with
simple imprisonment for a term which may extend to one year, or with fine, or with
both. Sending threatening messages by email. 66A of ITA 2008
Section 66A Punishment for sending offensive messages through
communication service, etc.( Introduced vide ITAA 2008)
Any person who sends, by means of a computer resource or a communication
device,-
CYBER CRIMES AND PENALTIES
36
prashan t. mali@cyberla wconsulting. com
Cyber Stalking
a) Any information that is grossly offensive or has menacing character; or
b) any information which he knows to be false, but for the purpose of causing
annoyance, inconvenience, danger, obstruction, insult, injury, criminal
intimidation, enmity, hatred, or ill will, persistently makes by making use of such
computer resource or a communication device,
c) any electronic mail or electronic mail message for the purpose of causing
annoyance or inconvenience or to deceive or to mislead the addressee or
recipient about the origin of such messages (Inserted vide ITAA 2008)shall be
punishable with imprisonment for a term which may extend to two three years and
with fine.
Explanation: For the purposes of this section, terms "Electronic mail" and
"Electronic Mail Message" means a message or information created or
transmitted or received on a computer, computer system, computer resource or
communication device including attachments in text, image, audio, video and any
other electronic record, which may be transmitted with the message.
Illustration 2
In the first successful prosecution under the California (USA) cyber stalking law,
prosecutors obtained a guilty plea from a 50-year-old former security guard who
used the Internet to solicit the rape of a woman who rejected his romantic
advances. He terrorized the 28-year-old victim by impersonating her in various
Internet chat rooms and online bulletin boards, where he posted, along with her
telephone number and address, messages that she fantasized about being raped.
On at least six occasions, sometimes in the middle of the night, men knocked on
the woman's door saying they wanted to rape her.
Illustration 3
An honors graduate from the University of San Diego in USA terrorized five
female university students over the Internet for more than a year. The victims
received hundreds of violent and threatening e-mails, sometimes receiving four or
five messages a day. The student, who pleaded guilty, told the police that he had
committed the crimes because he thought the women were laughing at him and
causing others to ridicule him. In reality, the victims had never met him.
Illustration 4
In 2005, a minor from Massachusetts (USA) was convicted in connection with
approximately $1 million in victim damages. Over a 15-month period, he had
hacked into Internet and telephone service providers, stolen an individual's
personal information and posted it on the Internet, and made bomb threats to
many high schools.
CYBER CRIMES AND PENALTIES 37 prashant.mali@cyberlawconsulting.com
Web Defacement
Ch.13,0 WEB DEFACEMENT
Website defacement is usually the substitution of the original home page of a
website with another page (usually pornographic or defamatory in nature) by a
hacker.
Religious and government sites are animal _ -^h£^—B!^to
regularly targeted by hackers in
order to display political or religious
beliefs. Disturbing images and
offensive phrases might be displayed
in the process, as well as a signature
of sorts, to show who was
responsible for the defacement.
Websites are not only defaced for
political reasons, many defacers do it
just for the thrill. For example, there
are online contests in which hackers
are awarded points for defacing the
largest number of web sites in a specified amount of time. Corporations are also
targeted more often than other sites on the Internet and they often seek to take
measures to protect themselves from defacement or hacking in general.
Web sites represent the image of a company or organisation and these are
therefore especially vulnerable to defacement. Visitors may lose faith in sites that
cannot promise security and will become wary of performing online transactions.
After defacement, sites have to be shut down for repairs, sometimes for an
extended period of time, causing expenses and loss of profit.
Section 463 IPC. Forgery.
1 [Whoever makes any false documents or electronic record part of a document or
electronic record with, intent to cause damage or injury], to the public or to any
person, or to support any claim or title, or to cause any person to part with
property, or to enter into any express or implied contract, or with intent to commit
fraud or that fraud may be committed, commits forgery.
Section 464 IPC. Making a false document
A person is said to make a false document or false electronic record-
First-Who dishonestly or fraudulently-
(a) Makes, signs, seals or executes a document or part of a document;
(b) Makes or transmits any electronic record or part of any electronic record;
CYBER CRIMES AND PENALTIES
38
prashan t. mall@cyberla wconsulting. com
Web Defacement
(c) Affixes any digital signature on any electronic record;
(d) Makes any mark denoting the execution of a document or the authenticity of
the digital signature,
With the intention of causing it to be believed that such document or part of
document, electronic record or digital signature was made, signed, sealed,
executed, transmitted or affixed by or by the authority of a person by whom or by
whose authority he knows that it was not made, signed, sealed, executed or
affixed; or
Secondly- Who, without lawful authority, dishonestly or fraudulently, by
cancellation or otherwise, alters a document or an electronic record in any
material part thereof, after it has been made, executed or affixed with digital
signature either by himself or by any other person, whether such person be living
or dead at the time of such alteration; or
Thirdly- Who dishonestly or fraudulently causes any person to sign, seal, execute
or alter a document or an electronic record or to affix his digital signature on any
electronic record knowing that such person by reason of unsoundness of mind or
intoxication cannot, or that by reason of deception practised upon him, he does
not know the contents of the document or electronic record or the nature of the
alterations.]
Section 468 IPC. Forgery for purpose of cheating
Whoever commits forgery, intending that the 1 [document or Electronic Record
forged] shall be used for the purpose of cheating, shall be punished with
imprisonment of either description for a term which may extend to seven years,
and shall also be liable to fine.
Section 469 IPC. Forgery for purpose of harming reputation
Whoever commits forgery, 1 [intending that the document or Electronic Record
forged] shall harm the reputation of any party, or knowing that it is likely to used
for that purpose, shall be punished with imprisonment of either description for a
term which may extend to three years, and shall also be liable to fine.
Under ITA 2008 Section 65.
Section 65 Tampering with Computer Source Documents
Whoever knowingly or intentionally conceals, destroys or alters or intentionally or
knowingly causes another to conceal, destroy or alter any computer source code
used for a computer, computer programme, computer system or computer
network, when the computer source code is required to be kept or maintained by
law for the time being in force, shall be punishable with imprisonment up to three
years, or with fine which may extend up to two lakh rupees, or with both.
CYBER CRIMES AND PENALTIES 39 prashant.mali@cyberlawconsultlng.com
Web Defacement
Explanation -
For the purposes of this section, "Computer Source Code" means the listing of
programmes, Computer Commands, Design and layout and programme analysis
of computer resource in any form.
Illustration 1
Mahesh Mhatre and Anand Khare (alias Dr Neukar) were arrested in 2002 for
allegedly defacing the website of the Mumbai Cyber Crime Cell.
They had allegedly used password cracking software to crack the FTP password
for the police website. They then replaced the homepage of the website with
pornographic content. The duo was also charged with credit card fraud for using
225 credit card numbers, mostly belonging to American citizens.
Illustration 2
In 2001 , over 200 Indian websites were hacked into and defaced. The hackers put
in words like bugz, death symbol, Paki-king and allahhuakbar.
In the case of 123medicinindia.com, a message was left behind which said -
"Catch me if uu can my deraz lazy adminzzz" - challenging the system
administrators to trace the miscreants. The offenders were allegedly a group of
hackers who go by the name of 'Pakistani Cyber Warriors'.
Illustration 3
In 2006, a Turkish hacker using the handle iSKORPiTX was able to breach the
security of a group of web servers, containing more than 38,500 web sites in less
than a day!
CYBER CRIMES AND PENALTIES 40 prashant.mali@cyberlawconsultlng.com
EMAIL BOMBING
Ch.14.0 EMAIL BOMBING
Email bombing refers to sending a large number of emails to the victim resulting in
the victim's email account (in case of an individual) or mail servers (in case of a
company or an email service provider) crashing.
Email bombing is a type of denial-of-service attack. A denial-of-service attack is
one in which a flood of information requests is sent to a server, bringing the
system to its knees and making the server difficult to access.
1EI f ^
Section 66A Punishment for sending offensive messages through
communication service, etc.( Introduced vide ITAA 2008)
Any person who sends, by means of a computer resource or a communication
device,-
a) Any information that is grossly offensive or has menacing character; or
b) any information which he knows to be false, but for the purpose of causing
annoyance, inconvenience, danger, obstruction, insult, injury, criminal
intimidation, enmity, hatred, or ill will, persistently makes by making use of such
computer resource or a communication device,
c) any electronic mail or electronic mail message for the purpose of causing
annoyance or inconvenience or to deceive or to mislead the addressee or
recipient about the origin of such messages (Inserted vide ITAA 2008)
shall be punishable with imprisonment for a term which may extend to two three
years and with fine.
Explanation: For the purposes of this section, terms "Electronic mail" and
"Electronic Mail Message" means a message or information created or
CYBER CRIMES AND PENALTIES
41
prashan t. mali@cyberla wconsulting. com
EMAIL BOMBING
transmitted or received on a computer, computer system, computer resource or
communication device including attachments in text, image, audio, video and any
other electronic record, which may be transmitted with the message.
Illustration 1
A British teenager was cleared of launching a denial-of-
service attack against his former employer, in a ruling under
the UK Computer Misuse Act.
The teenager was accused of sending 5 million e-mail
messages to his ex-employer that caused the company's e-
mail server to crash. The judge held that the UK Computer
offence.
Illustration 2
In one case, a foreigner who had been residing in Simla, India for almost 30 years
wanted to avail of a scheme introduced by the Simla Housing Board to buy land at
lower rates. When he made an application it was rejected on the grounds that the
scheme was available only for citizens of India.
He decided to take his revenge. Consequently, he sent thousands of mails to the
Simla Housing Board and repeatedly kept sending e-mails till their servers
crashed.
CYBER CRIMES AND PENALTIES 42 prashant.mali@cyberlawconsulting.com
Data Diddling
Ch.15.0 DATA DIDDLING
One of the most common forms of computer crime is data diddling -illegal or
unauthorized data alteration. These changes can occur before and during data
input or before output. Data diddling cases have affected
banks, payrolls, inventory records, credit records, school
transcripts and virtually all other forms of data
processing known.
Section 66 and 43(d) of the IT. Act covers the offence
of data diddling.
Section 66 Computer Related Offences (Substituted
vide ITAA 2008)
If any person, dishonestly, or fraudulently, does any act referred to in section 43,
he shall be punishable with imprisonment for a term which may extend to two
three years or with fine which may extend to five lakh rupees or with both.
Explanation: For the purpose of this section, -
a) the word "dishonestly" shall have the meaning assigned to it in section 24 of
the Indian Penal Code;
b) the word "fraudulently" shall have the meaning assigned to it in section 25 of
the Indian Penal Code.
Section 43 (d) damages or causes to be damaged any computer, computer
system or computer network, data, computer data base or any other programs
residing in such computer, computer system or computer network;
Case in point:
NDMC Electricity Billing Fraud Case: A private contractor who was to deal with
receipt and accounting of electricity bills by the NDMC, Delhi. Collection of money,
computerized accounting, record maintenance and remittance in his bank who
misappropriated huge amount of funds by manipulating data files to show less
receipt and bank remittance
Illustration 1
The NDMC Electricity Billing Fraud Case that took place in 1996 is a typical
example. The computer network was used for receipt and accounting of electricity
bills by the New Delhi Municipal Council.
Collection of money, computerized accounting, record maintenance and
remittance in the bank were exclusively left to a private contractor who was a
computer professional.
CYBER CRIMES AND PENALTIES 43 prashant.mali@cyberlawconsulting.com
Data Diddling
He misappropriated huge amount of funds by manipulating data files to show less
receipt and bank remittance.
Illustration 2
A keyboard operator processing orders at an Oakland USA department store
changed some delivery addresses and diverted several thousand dollars worth of
store goods into the hands of accomplices.
Illustration 3
A ticket clerk at the Arizona Veterans' Memorial Coliseum in USA issued full-price
basketball tickets, sold them and then, tapping out codes on her computer
keyboard, recorded the transactions as half-price sales.
CYBER CRIMES AND PENALTIES 44 prashant.mali@cyberlawconsulting.com
Salami Attacks
Ch.16.0 SALAMI ATTACKS
These attacks are used for committing financial crimes. The key here is to make
the alteration so insignificant that in a single case it would go completely
unnoticed.
For instance, a bank employee inserts a program, into the bank's servers, that
deducts a small amount of money (say Rs. 2 a month) from the account of every
customer. No account holder will probably notice this unauthorized debit, but the
bank employee will make a sizeable amount of money every month.
The attack is called "salami attack" as it is analogous to slicing the data thinly, like
a salami.
Illustration 1
Four executives of a rental-car franchise in Florida USA defrauded at least 47,000
customers using a salami technique.
They modified a computer billing program to add five extra gallons to the actual
gas tank capacity of their vehicles. From 1988 through 1991, every customer who
returned a car without topping it off ended up paying inflated rates for an inflated
total of gasoline.
The thefts ranged from $2 to $1 5 per customer -difficult for the victims to detect.
Illustration 2
In January 1997, Willis Robinson of Maryland USA, was sentenced to 10 years in
prison for "having reprogrammed his Taco Bell drive-up-window cash register -
causing it to ring up each $2.99 item internally as a 1-cent item, so that he could
pocket $2.98 each time".
The management assumed the error was hardware or software and only caught
the perpetrator when he bragged about his crime to coworkers.
Illustration 3
In Los Angeles USA four men were charged with fraud for allegedly installing
computer chips in gasoline pumps that cheated consumers by overstating the
amounts pumped.
The problem came to light when an increasing number of consumers claimed that
they had been sold more gasoline than the capacity of their gas tanks!
However, the fraud was difficult to prove initially because the perpetrators
programmed the chips to deliver exactly the right amount of gasoline when asked
for five- and 10-gallon amounts (precisely the amounts typically used by
inspectors).
CYBER CRIMES AND PENALTIES 45 prashant.mali@cyberlawconsulting.com
Denial of Service Attack
Ch.17.0 DENIAL OF SERVICE ATTACK
Denial of Service attacks (DOS attacks) involves flooding a computer with more
requests than it can handle. This causes the computer (e.g. a web server) to
crash and results in authorized users being unable to access the service offered
by the computer.
Another variation to a typical denial of
service attack is known as a
Distributed Denial of Service (DDoS)
attack wherein the perpetrators are
many and are geographically
widespread.
Denial-of-service attacks have had an
impressive history having, in the past,
blocked out websites like Amazon,
CNN, Yahoo and eBay. The attack is
initiated by sending excessive
demands to the victim's computer(s),
exceeding the limit that the victim's servers can support and making the servers
crash. Sometimes, many computers are entrenched in this process by installing a
Trojan on them; taking control of them and then making them send numerous
demands to the targeted computer.
Section 43 of ITA 2008 case will be filled.
43 Penalty and Compensation for damage to computer, computer system,
etc (Amended vide ITAA-2008)
If any person without permission of the owner or any other person who is incharge
of a computer, computer system or computer network -
(a) accesses or secures access to such computer, computer system or computer
network or computer resource (ITAA2008)
(b) downloads, copies or extracts any data, computer data base or information
from such computer, computer system or computer network including information
or data held or stored in any removable storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer
virus into any computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or
computer network, data, computer data base or any other programmes residing
in such computer, computer system or computer network;
(e) disrupts or causes disruption of any computer, computer system or computer
network;
CYBER CRIMES AND PENALTIES
46
prashan t. mall@cyberla wconsulting. com
Denial of Service Attack
(f) denies or causes the denial of access to any person authorised to access any
computer, computer system or computer network by any means;
(g) provides any assistance to any person to facilitate access to a computer,
computer system or computer network in contravention of the provisions of this
Act, rules or regulations made thereunder,
(h) charges the services availed of by a person to the account of another person
by tampering with or manipulating any computer, computer system, or computer
network,
(i) destroys, deletes or alters any information residing in a computer resource or
diminishes its value or utility or affects it injuriously by any means (Inserted vide
ITAA-2008)
(i) Steals, conceals, destroys or alters or causes any person to steal, conceal,
destroy or alter any computer source code used for a computer resource with an
intention to cause damage, (Inserted vide ITAA 2008)
he shall be liable to pay damages by way of compensation not exceeding one
crore rupees to the person so affected, (change vide ITAA 2008)
Explanation - for the purposes of this section -
(i) "Computer Contaminant" means any set of computer instructions that are
designed -
(a) to modify, destroy, record, transmit data or programme residing within a
computer, computer system or computer network; or
(b) by any means to usurp the normal operation of the computer, computer
system, or computer network;
(ii) "Computer Database" means a representation of information, knowledge,
facts, concepts or instructions in text, image, audio, video that are being prepared
or have been prepared in a formalised manner or have been produced by a
computer, computer system or computer network and are intended for use in a
computer, computer system or computer network;
(iii) "Computer Virus" means any computer instruction, information, data or
programme that destroys, damages, degrades or adversely affects the
performance of a computer resource or attaches itself to another computer
resource and operates when a programme, data or instruction is executed or
some other event takes place in that computer resource;
(iv) "Damage" means to destroy, alter, delete, add, modify or re-arrange any
computer resource by any means.
CYBER CRIMES AND PENALTIES 47 prashant.mali@cyberlawconsultlng.com
Denial of Service Attack
(v) "Computer Source code" means the listing of programmes, computer
commands, design and layout and programme analysis of computer resource in
any form (Inserted vide ITAA 2008)
Illustration 1
A series of distributed denial of service attacks in February 2000 crippled many
popular websites including yahoo.com, amazon.com and cnn.com
Illustration 2
A series of more than 125 separate but coordinated denial of service attacks hit
the cyber infrastructure of Estonia in early 2007. The attacks were apparently
connected with protests against the Estonian government's decision to remove a
Soviet-era war memorial from the capital city. It is suspected that the attacks were
carried out by Russian hackers. The attack lasted several days.
CYBER CRIMES AND PENALTIES 48 prashant.mali@cyberlawconsultlng.com
Spreading Virus / Worm Attacks
Ch.18,0 SPREADING VIRUS / WORM ATTACKS
Computer viruses are small software programs that are designed to spread
from one computer to another and to interfere with computer operation. A virus
might corrupt or delete data on the victim's computer, use the victim's e-mail
program to spread itself to other computers, or even erase everything on the
victim's hard disk.
Viruses are most easily spread by
attachments in e-mail messages or instant
messaging messages. Viruses can be
disguised as attachments of funny images,
greeting cards, or audio and video files.
Viruses can also spread through
downloads on the Internet. They can be
hidden in illicit software or other files or
programs.
Worms, unlike viruses do not need the
host to attach themselves to. They merely
make functional copies of themselves and
do this repeatedly till they eat up all the
available space on a computer's memory.
Brain (in its first incarnation written in January 1986) is considered to be the first
computer virus for the PC. The virus is also known as Lahore, Pakistani, Pakistani
Brain, Brain-A and UIUC. The virus was written by two brothers, Basit and Amjad
Farooq AM, who lived in Lahore, Pakistan. The brothers told TIME magazine they
had written it to protect their medical software from piracy and was supposed to
target copyright infringers only.
The virus came complete with the brothers' address and three phone numbers,
and a message that told the user that their machine was infected and for
inoculation the user should call them.
When the brothers began to receive a large number of phone calls from people in
USA, Britain, and elsewhere, demanding them to disinfect their machines, the
brothers were stunned and tried to explain to the outraged callers that their
motivation had not been malicious.
They ended up having to get their phone lines cut off and regretted that they had
revealed their contact details in the first place. The brothers are still in business in
Pakistan as internet service providers in their company called Brain Limited.
Introduces or causes to be introduced any viruses or contaminant in that case,
suit filled under Chapter IX of IT Act i.e. Section 43 as a Civil Wrongs under IT
Act
CYBER CRIMES AND PENALTIES
49
prashan t. mali@cyberla wconsulting. com
Spreading Virus / Worm Attacks
Illustration 1
The VBS_LOVELETTER virus (better known as the Love Bug or the ILOVEYOU
virus) was reportedly written by a Filipino undergraduate. In May 2000, this deadly
virus became the world's most prevalent virus. Losses incurred during this virus
attack were pegged at US $ 10 billion.
VBS_LOVELETTER utilized the addresses in Microsoft Outlook and e-mailed
itself to those addresses. The e-mail, which was sent out, had "ILOVEYOU" in its
subject line. The attachment file was named "LOVE-LETTER-FOR-
YOU.TXT.vbs".
People wary of opening e-mail attachments were conquered by the subject line
and those who had some knowledge of viruses, did not notice the tiny .vbs
extension and believed the file to be a text file. The message in the e-mail was
"kindly check the attached LOVELETTER coming from me".
Illustration 2
Probably the world's most famous worm was the Internet worm let loose on the
Internet by Robert Morris sometime in 1988. The Internet was, then, still in its
developing years and this worm, which affected thousands of computers, almost
brought its development to a complete halt. It took a team of experts almost three
days to get rid of the worm and in the meantime many of the computers had to be
disconnected from the network.
Illustration 3
In 2002, the creator of the Melissa computer virus was convicted. The virus had
spread in 1999 and caused more than $80 million in damage by disrupting
personal computers, business and government computer networks.
Illustration 4
In 2006, a US citizen was convicted for conspiracy to intentionally cause damage
to protected computers and commit computer fraud.
Between 2004 and 2005, he created and operated a malicious software to
constantly scan for and infect new computers.
It damaged hundreds of US Department of Defence computers in USA, Germany
and Italy. The software compromised computer systems at a Seattle hospital,
including patient systems, and damaged more than 1,000 computers in a
California school district.
CYBER CRIMES AND PENALTIES 50 prashant.mali@cyberlawconsulting.com
Spreading Virus / Worm Attacks
Illustration 5
Logic bombs are event dependent programs. This implies that these programs are
created to do something only when a certain event (known as a trigger event)
occurs, e.g. even some viruses may be termed logic bombs because they lie
dormant all through the year and become active only on a particular date (like the
Chernobyl virus).
CYBER CRIMES AND PENALTIES 5 1 prashant.mali@cyberlawconsulting.com
Trojans And Keyloggers
Ch.19,0 TROJANS AND KEYLOGGERS
A Trojan, as this program is aptly called, is an unauthorized program which
functions from inside what seems to be an authorized program, thereby
concealing what it is actually doing.
Types of Trojans
The following are the most common types of Trojan:
1. Remote Administration Trojans (RATs) - Modern RATs are very simple to
use. They come packaged with two files - the server file and the client file. The
hacker tricks someone into running the server file, gets his IP address and gets
full control over his/her computer. Some Trojans are limited by their functions, but
more functions also mean larger server files. Some Trojans are merely meant for
the attacker to use them to upload another Trojan to his target's computer and run
it; hence they take very little disk space.
Hackers also bind Trojans into other
programs, which appear to be legitimate
e.g. a RAT could be bound with an
egreeting card. There are many
programs that detect common Trojans.
Firewalls and anti-virus software can be
useful in tracing RATs.
2. Password Trojans - Password
Trojans search the victim's computer for
passwords and then send them to the
attacker or the author of the Trojan.
Whether it's an Internet password or an
email password there is a Trojan for
every password. These Trojans usually
send the information back to the attacker
via Email.
3. Privileges-Elevating Trojans - These Trojans are usually used to fool system
administrators. They can either be bound into a common system utility or pretend
to be something harmless and even quite useful and appealing. Once the
administrator runs it, the Trojan will give the attacker more privileges on the
system. These Trojans can also be sent to less-privileges users and give the
attacker access to their account.
4. Destructive Trojans - These Trojans can destroy the victim's entire hard drive,
encrypt or just scramble important files. Some might seem like joke programs,
while they are actually ripping every file they encounter to pieces.
CYBER CRIMES AND PENALTIES
52
prashan t. mall@cyberla wconsulting. com
Trojans And Keyloggers
Some common Trojans
5. Back Orifice (BO) - This Trojan was developed by a community of hackers
known as "Cult of the dead cow" (www.cultdeadcow.com). This Trojan can be
downloaded from www.B02K.com and numerous other websites. (Note: the
websites keep changing and it is best to use a powerful search engine like
www.Google.com to search for the program.)
Back Orifice consists of two parts, a client application and a server application
(approximately 122 KB). The client application, running on the hacker's computer,
can be used to monitor and control the victim's computer (which runs the server
application). The hacker can do the following activities on the victim's computer:
. Run any program or see any file
i. Keep a record of all the keys punched on the keyboard
ii. Shutdown or restart the victim's computer
v. Transfer files to or from the victim computer
The hacker could be in Australia and the victim in China, but still the hacker can
do all the above activities on the victim's computer! The following are the main
characteristics of BO:
i. BO can only be used on victim computers that are running the Windows 95 or
Windows 98 operating systems.
ii. The server part of the program has to be installed on the victim computer. The
victim is usually fooled into installing the server part by sending him the Trojan
fused with another program (e.g. an electronic Diwali card fused with the Trojan
program).
iii. The hacker needs to know the IP address of the victim computer.
iv. If the victim computer is behind a firewall, then BO will not work
6. NetBus - NetBus was developed by a Swedish citizen named Carl-Fredrik
Neikter who claimed that he developed it "purely for fun". Netbus can be
downloaded from hundreds of websites. It is best to use Google.com to search for
the program. Netbus allows the hacker to do numerous activities on the victim's
computer. Some of these are:
i. Open/close the CD-ROM once or in intervals (specified in seconds)
ii. Swap mouse buttons - the right mouse button works like the left mouse
button and vice versa.
iii. Start any program.
iv. Play any sound-file (it supports only WAV files).
v. Point the mouse to some other place. The hacker can navigate the victim's
mouse with his own.
vi. Show a message dialogue on the screen. The answer is sent back to the
Trojans And Keyloggers
CYBER CRIMES AND PENALTIES 53 prashant.mali@cyberlawconsultlng.com
hacker. The hacker can ask for the password and the victim would enter it!
vii. Shutdown or log off the victim.
viii. Open any website
ix. Type anything in the program that the victim is using.
x. Obtain a list of all the keys on the keyboard that the victim is punching.
xi. Get an image of the screen (called a screen dump)
xii. Get information about the victim computer.
xiii. Upload any file to the victim computer. Using this feature the hacker can
upload any virus or Trojan or update the Netbus Trojan itself.
xiv. Increase and decrease the sound-volume.
xv. Record sounds that the microphone can catch. The sound is sent to the
hacker.
xvi. Make click sounds every time a key is pressed.
xvii. Download and delete any file on the victim computer.
xviii. Disable keys on the victim keyboard.
The following are the main characteristics of Netbus:
i. Once it is installed on the victim computer, it runs every time the computer is
started 184.
ii. Netbus can be used on victim computers that are running the Windows 95 or
Windows 98 or Windows NT operating systems
Keyloggers a re regularly used were to log all the strokes a victim makes on the
keyboard. This assumes sinister
proportions, if a key logger is installed on
a computer which is regularly used for
online banking and other financial
transactions. Key-loggers are most
commonly found in public computers such
as those in cyber cafes, hotels etc.
Unsuspecting victims also end up
downloading spyware when they click on
"friendly" offers for free software.
Illustration 1
A young lady reporter was working on an article about online relationships. The
article focused on how people can easily find friendship and even love on the
Internet. During the course of her research she made a lot of online friends. One
of these 'friends' managed to infect her computer with a Trojan.
This young lady stayed in a small one bedroom apartment and her computer was
located in one corner of her bedroom. Unknown to her, the Trojan would activate
her web camera and microphone even when the Internet was switched off. A
Trojans And Keyloggers
CYBER CRIMES AND PENALTIES 54 prashant.mali@cyberlawconsulting.com
year later she realized that hundreds of her pictures were posted on pornographic
sites around the world!
Illustration 2
The network administrator in a global bank received a beautifully packed CD ROM
containing "security updates" from the company that developed the operating
system that ran his bank's servers.
He installed the "updates" which in reality was Trojanized software. 3 years later,
the effects were still being felt in the bank's system!
Internet Time Theft
CYBER CRIMES AND PENALTIES
55
prashan t. mali@cyberla wconsulting. com
Ch.20,0 INTERNET TIME THEFT
This connotes the usage by an unauthorized person of the Internet hours paid for
by another person.
Illustration
In May 2000, the Delhi police arrested an engineer who had misused the login
name and password of a customer whose Internet connection he had set up.
The case was filed under the Indian Penal Code and the Indian Telegraph Act.
Theft of Computer Hardware
Sec. 43 of IT Act 2008 and also under Sec. 378, 379 IPC
Section 43 Penalty and Compensation for damage to computer, computer
system, etc (Amended vide ITAA-2008)
If any person without permission of the owner or any other person who is incharge
of a computer, computer system or computer network -
(a) accesses or secures access to such computer, computer system or computer
network or computer resource (ITAA2008)
(b) downloads, copies or extracts any data, computer data base or information
from such computer, computer system or computer network including information
or data held or stored in any removable storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer
virus into any computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or
computer network, data, computer data base or any other programmes residing
in such computer, computer system or computer network;
(e) disrupts or causes disruption of any computer, computer system or computer
network;
(f) denies or causes the denial of access to any person authorised to access any
computer, computer system or computer network by any means;
(g) provides any assistance to any person to facilitate access to a computer,
computer system or computer network in contravention of the provisions of this
Act, rules or regulations made there under,
(h) charges the services availed of by a person to the account of another person
by tampering with or manipulating any computer, computer system, or computer
network,
Internet Time Theft
CYBER CRIMES AND PENALTIES 56 prashant.mall@cyberlawconsultlng.com
(i) destroys, deletes or alters any information residing in a computer resource or
diminishes its value or utility or affects it injuriously by any means (Inserted vide
ITAA-2008)
(i) Steals, conceals, destroys or alters or causes any person to steal, conceal,
destroy or alter any computer source code used for a computer resource with an
intention to cause damage, (Inserted vide ITAA 2008)
he shall be liable to pay damages by way of compensation not exceeding one
crore rupees to the person so affected, (change vide ITAA 2008)
Explanation - for the purposes of this section -
(i) "Computer Contaminant" means any set of computer instructions that are
designed -
(a) to modify, destroy, record, transmit data or program residing within a
computer, computer system or computer network; or
(b) by any means to usurp the normal operation of the computer, computer
system, or computer network;
(ii) "Computer Database" means a representation of information, knowledge,
facts, concepts or instructions in text, image, audio, video that are being prepared
or have been prepared in a formalised manner or have been produced by a
computer, computer system or computer network and are intended for use in a
computer, computer system or computer network;
(iii) "Computer Virus" means any computer instruction, information, data or
program that destroys, damages, degrades or adversely affects the performance
of a computer resource or attaches itself to another computer resource and
operates when a program, data or instruction is executed or some other event
takes place in that computer resource;
(iv) "Damage" means to destroy, alter, delete, add, modify or re-arrange any
computer resource by any means.
(v) "Computer Source code" means the listing of programs, computer commands,
design and layout and program analysis of computer resource in any form
(Inserted vide ITAA 2008)
Section 378. Theft
Whoever intending to take dishonestly any moveable property out of the
possession of any person without that person's consent, moves that property in
order to such taking, is said to commit theft.
Internet Time Theft
CYBER CRIMES AND PENALTIES 57 prashant.mall@cyberlawconsultlng.com
Explanation - !. -A thing so long as it is attached to the earth, not being movable
property, is not the subject of theft; but it becomes capable of being the subject of
theft as soon as it is severed from the earth.
Explanation 2.
may be a theft.
-A moving effected by the same act which affects the severance
Explanation 3. -A person is said to cause a thing to move by removing an
obstacle which prevented it from moving or by separating it from any other thing,
as well as by actually moving it.
Explanation 4. -A person, who by any means causes an animal to move, is said
to move that animal, and to move everything which, in consequence of the motion
so caused, is moved by that animal.
Explanation 5. -The consent mentioned in the definition may be express or
implied, and may be given either by the person in possession, or by any person
having for the purpose authority either express or implied.
Section 379. Punishment for theft
Whoever commits theft shall be punished with imprisonment of either description
for a term which may extend to three years, or with fine, or with both.
Web Jacking
CYBER CRIMES AND PENALTIES
58
prashan t. mali@cyberla wconsulting. com
Ch.21.0 WEB JACKING
Just as conventional hijacking of an airplane is done by using force, similarly web
jacking means forcefully taking over control of a website. The motive is usually the
same as hijacking - ransom. The perpetrators have either a monetary or political
purpose which they try to satiate by holding the owners of the website to ransom.
This occurs when someone forcefully
takes control of a website (by cracking
the password and later changing it). The
actual owner of the website does not
have any more control over what
appears on that website.
How does web jacking take place?
The administrator of any website has a
password and a username that only he
(or someone authorized by him) may
use to upload files from his computer on
the web server (simply put, a server is a
powerful computer) where his website is
hosted.
Ideally, this password remains secret with the administrator. If a hacker gets hold
of this username and password, then he can pretend to be the administrator.
Computers don't recognize people - only usernames and passwords. The web
server will grant control of the website to whoever enters the correct password
and username combination.
There are many ways in which a hacker may get to know a password, the most
common being password cracking wherein a "cracking software" is used to guess
a password. Password cracking attacks are most commonly of two types.
The first one is known as the dictionary attack. In this type of attack the software
will attempt all the words contained in a predefined dictionary of words.
For example, it may try Rahim, Rahul, Rakesh, Ram, Reema, Reena ... in a
predefined dictionary of Indian names. These types of dictionaries are readily
available on the Internet.
The other form of password cracking is by using 'brute force'. In this kind of attack
the software tries to guess the password by trying out all possible combinations of
numbers, symbols, letters till the correct password is found. For example, it may
try out password combinations like abc123, acbd5679, sdj#% A , weuf*(-)*.
Web Jacking
CYBER CRIMES AND PENALTIES
59
prashan t. mall@cyberla wconsulting. com
Some software, available for password cracking using the brute force technique,
can check a huge number of password combinations per second.
When compared with a dictionary attack, a brute force attack takes more time, but
it is definitely more successful.
Section 65 Of ITA 2008
Section 65 Tampering with Computer Source Documents
Whoever knowingly or intentionally conceals, destroys or alters or intentionally or
knowingly causes another to conceal, destroy or alter any computer source code
used for a computer, computer programme, computer system or computer
network, when the computer source code is required to be kept or maintained by
law for the time being in force, shall be punishable with imprisonment up to three
years, or with fine which may extend up to two lakh rupees, or with both.
Explanation -
For the purposes of this section, "Computer Source Code" means the listing of
programs, Computer Commands, Design and layout and program analysis of
computer resource in any form.
IPC, Section 383. Extortion
Whoever intentionally puts any person in fear of any injury to that person, or to
any other, and thereby dishonestly induces the person so put in fear to deliver to
any property or valuable security, or anything signed or sealed which may be
converted into a valuable security, commits "extortion".
Illustration
In an incident reported in the USA, the owner of a hobby website for children
received an e-mail informing her that a group of hackers had gained control over
her website. They demanded a ransom of 1 million dollars from her.
The owner, a schoolteacher, did not take the threat seriously. She felt that it was
just a scare tactic and ignored the e-mail.
It was three days later that she came to know, following many telephone calls
from all over the country, that the hackers had web jacked her website.
Subsequently, they had altered a portion of the website which was entitled 'How
to have fun with goldfish'.
In all the places where it had been mentioned, they had replaced the word
'goldfish' with the word 'piranhas'.
Web Jacking
CYBER CRIMES AND PENALTIES
60
prashan t. mali@cyberla wconsulting. com
Piranhas are tiny but extremely dangerous flesh-eating fish. Many children had
visited the popular website and had believed what the contents of the website
suggested.
These unfortunate children followed the instructions, tried to play with piranhas,
which they bought from pet shops, and were very seriously injured.
Email Frauds
CYBER CRIMES AND PENALTIES
61
prashan t. mali@cyberla wconsulting. com
Ch.22.0 EMAIL FRAUDS
Dear Mr. Justin Williams, I'm Vikas Manjit Singh from Punjab (India). I belong to a
city named Ludhiana.
Mr. Williams, I am having a brother in
Canada who is also named Justin
Williams. He was adopted from my
parents by some Mr. William Ram of
Welland. Me and my mumy came over
to Canada to leave Justin to his new
family (William Ram's Family). It
happened in June 1985.
So Mr. Justin Williams, if you are the
same person I'm talking about. Then
please give me some time so that I can
let you know the realities.
•i-i*i*
YOUARETHEONE SELECTED WINNERS-..
PmSOti OF KAHOO INTERNET LOTTERY
KAHOO...!
MAIL LOTTERY
CON6WULATI0NS!!!
YOUW0A/A$1.0O0,0OO,O0D0LlDR5!
YOU HAVE BEEN ANN0UNC5P AS ON£ OP THE
TOP 25 LUCKY WMNERS [III
Imagine the thoughts going through Mr.
Justin William's head after reading this email. Is he really adopted? Where are his
birth parents? Is this email from his birth brother?
In reality, this is a scam email originating from a college in Sangroor (India)!
Canadian citizens are targeted with these emails. If the targets start believing the
sender to be their brother, they are asked to send money so that their "brother"
can travel to Canada with the proof of the victim's adoption!
This is just one of the hundreds of email scams being perpetrated on the Internet.
These scams are commonly referred to as Nigerian 419 scams. These scam
emails are believed to originate from Nigeria and section 419 of the Nigerian
Penal Code relates to cheating (like the famous section 420 of the Indian Penal
Code).
In 2007, conducted a 3 month intensive investigation of hundreds of scam emails.
The results were very surprising to say the least. Less than 10% of these emails
had actually originated from Nigeria!
A majority of these emails (more than 60%) have originated from Israel, followed
by the Netherlands, UK and other European countries. The "birth brother" email
was the only one originating from India.
Most of these scam emails promise the receiver millions (or sometimes billions) of
dollars. Most commonly the email says that some rich African bureaucrat or
businessman or politician has died and left behind a lot of money.
Email Frauds
CYBER CRIMES AND PENALTIES
62
prashan t. mali@cyberla wconsulting. com
The scamster states that the Government is going to confiscate the money. The
only way out is to transfer the money to the bank account of the email recipient.
All that the email recipient has to do is send his bank account details. For this a
generous fee of a few million dollars will be paid!
If someone actually falls for this scam and provides the bank details, he is sent
some official looking documents relating to the bank transfer of a huge sum of
money. Once the victim is convinced of the "genuineness" of the transaction,
something appears to go wrong.
The victim is informed that a small amount of money (ranging from US$ 100 to
2500) is needed for bank charges or other paper work. This money is the motive
behind the elaborate scam. Once the victim pays this money, the scamster
disappears from the scene.
The lottery scam emails inform the recipient that he has won a million dollar lottery
run by Microsoft, Yahoo or some other well known global company. The winner is
asked to provide his bank details and pay a small sum for bank charges and other
processing fees.
Another scam email begins with "This is to inform you that we are in possession of
a consignment, deposited by British National Lottery which is to be couriered to
you". The email asks for 470 pounds to be sent to the courier company so that the
cheque for the lottery prize can be sent.
Another scam email comes with the subject line "Blessed is the hand that giveth".
The sender claims to be a widow on her deathbed. She wants to donate her
wealth to someone who will pray for her.
Another scam email comes from an "employee of the Euro Lottery". The
"employee" claims to be in a position to carry out a lottery fraud and is willing to
share the money with the email recipient.
What is common in all these scams is that scanned versions of official documents
are emailed to potential victims. Once the victim is convinced of the genuineness
of the transaction, a small fee is requested for meeting bank charges / legal fees /
courier charges etc. It is this small fee that is the motive behind the scam.
It is believed that thousands of people are defrauded of billions of dollars every
year through these scams.
Section 420. Cheating and dishonestly inducing delivery of property
Whoever cheats and thereby dishonestly induces the person deceived any
property to any person, or to make, alter or destroy the whole or any part of a
valuable security, or anything which is signed or sealed, and which is capable of
being converted into a valuable security, shall be punished with imprisonment of
CYBER CRIMES AND PENALTIES 63 prashant.mali@cyberlawconsultlng.com
Email Frauds
either description for a term which may extend to seven years, and shall also be
liable to fine.
Criminal breach of trust/Fraud- Sec. 405,406,408,409 IPC
Illustration 1
In 2005, an Indian businessman received an email from the Vice President of a
major African bank offering him a lucrative contract in return for a kickback of Rs 1
million.
The businessman had many telephonic conversations with the sender of the
email. He also verified the email address of the 'Vice President' from the website
of the bank and subsequently transferred the money to the bank account
mentioned in the email. It later turned out that the email was a spoofed one and
was actually sent by an Indian based in Nigeria.
Illustration 2
A new type of scam e-mail threatens to kill recipients if they do not pay thousands
of dollars to the sender, who purports to be a hired assassin.
Replying to the e-mails just sends a signal to senders that they've reached a live
account. It also escalates the intimidation.
In one case, a recipient threatened to call authorities. The scammer, who was
demanding $20,000, reiterated the threat and sent some personal details about
the recipient — address, daughter's full name etc. He gave an ultimatum:
"TELL ME NOW ARE YOU READY TO DO WHAT I SAID OR DO YOU WANT
ME TO PROCEED WITH MY JOB? ANSWER YES/NO AND DON'T ASK ANY
QUESTIONS!!!"
Some emails claim to be from the FBI in London and inform recipients that an
arrest was made in the case.
The e-mail says the recipient's information was found with the suspect and that
they should reply to assist in the investigation. These emails are part of the scam!
CYBER CRIMES AND PENALTIES 64 prashant.mali@cyberlawconsulting.com
Cyber Terrorism
Ch.23,0 CYBER TERRORISM
Computer crime has hit mankind with unbelievable severity. Computer viruses,
worms, Trojans, denial of service attacks, spoofing attacks and e-frauds have
taken the real and virtual worlds by storm.
However, all these pale in the face of the
most dreaded threat - that of cyber terrorism,
has defined cyber terrorism as:
Cyber terrorism is the premeditated use of
disruptive activities, or the threat thereof, in
cyber space, with the intention to further
social, ideological, religious, political or
similar objectives, or to intimidate any person
in furtherance of such objectives.
66F of IT Act 2008
Punishment for cyber terrorism
(1) Whoever,-
(A) with intent to threaten the unity, integrity, security or sovereignty of India or to
strike terror in the people or any section of the people by -
(i) denying or cause the denial of access to any person authorized to access
computer resource; or
(ii) attempting to penetrate or access a computer resource without authorization or
exceeding authorized access; or
(iii) introducing or causing to introduce any Computer Contaminant.
and by means of such conduct causes or is likely to cause death or injuries to
persons or damage to or destruction of property or disrupts or knowing that it is
likely to cause damage or disruption of supplies or services essential to the life of
the community or adversely affect the critical information infrastructure specified
under section 70, or
(B) knowingly or intentionally penetrates or accesses a computer resource without
authorisation or exceeding authorized access, and by means of such conduct
obtains access to information, data or computer database that is restricted for
reasons of the security of the State or foreign relations; or any restricted
information, data or computer database, with reasons to believe that
CYBER CRIMES AND PENALTIES
65
prashan t. mall@cyberla wconsulting. com
Cyber Terrorism
such information, data or computer database so obtained may be used to cause
or likely to cause injury to the interests of the sovereignty and integrity of India, the
security of the State, friendly relations with foreign States, public order, decency
or morality, or in relation to contempt of court, defamation or incitement to an
offence, or to the advantage of any foreign nation, group of individuals or
otherwise, commits the offence of cyber terrorism.
(2) Whoever commits or conspires to commit cyber terrorism shall be punishable
with imprisonment which may extend to imprisonment for life'.
Illustration 1
In 1996, a computer hacker allegedly associated with the White Supremacist
movement temporarily disabled a US based Internet Service Provider (ISP) and
damaged part of its record keeping system.
The ISP had attempted to stop the hacker from sending out worldwide racist
messages under the ISP's name. The hacker signed off with the threat, "you have
yet to see true electronic terrorism. This is a promise."
Illustration 2
In 1998, Spanish protestors bombarded the Institute for Global Communications
(IGC) with thousands of bogus e-mail messages. E-mail was tied up and
undeliverable to the ISP's users, and support lines were tied up with people who
couldn't get their mail. The protestors also spammed IGC staff and member
accounts, clogged their Web page with bogus credit card orders, and threatened
to employ the same tactics against organizations using IGC services.
They demanded that IGC stop hosting the website for the Euskal Herria Journal, a
New York-based publication supporting Basque independence.
Protestors said IGC supported terrorism because a section on the Web pages
contained materials on the terrorist group ETA, which claimed responsibility for
assassinations of Spanish political and security officials, and attacks on military
installations. IGC finally relented and pulled the site because of the "mail
bombings."
Illustration 3
In 1998, a 12-year-old boy successfully hacked into the controls for the huge
Roosevelt Dam on the Salt River in Arizona, USA.
He might have released floodwaters that would have inundated Mesa and Tempe,
endangering at least 1 million people.
Illustration 4
CYBER CRIMES AND PENALTIES 66 prashant.mali@cyberlawconsulting.com
Cyber Terrorism
In 2005, US security consultants reported that hackers were targeting the U.S.
electric power grid and had gained access to U.S. utilities' electronic control
systems.
Illustration 5
In 1998, ethnic Tamil guerrillas swamped Sri Lankan embassies with 800 e-mails
a day over a two-week period. The messages read "We are the Internet Black
Tigers and we're doing this to disrupt your communications." Intelligence
authorities characterized it as the first known attack by terrorists against a
country's computer systems.
Illustration 6
During the Kosovo conflict in 1999, NATO computers were blasted with e-mail
bombs and hit with denial-of-service attacks by hacktivists protesting the NATO
bombings.
In addition, businesses, public organizations, and academic institutes received
highly politicized virus-laden e-mails from a range of Eastern European countries,
according to reports. Web defacements were also common.
Illustration 7
Since December 1997, the Electronic Disturbance Theater (EDT) has been
conducting Web sit-ins against various sites in support of the Mexican Zapatistas.
At a designated time, thousands of protestors point their browsers to a target site
using software that floods the target with rapid and repeated download requests.
EDT's software has also been used by animal rights groups against organizations
said to abuse animals.
Electrohippies, another group of hacktivists, conducted Web sit-ins against the
WTO when they met in Seattle in late 1999.
Illustration 8
In 1994, a 16-year-old English boy took down some 100 U.S. defense systems.
Illustration 9
In 1997, 35 computer specialists used hacking tools freely available on 1 ,900 web
sites to shut down large segments of the US power grid. They also silenced the
command and control system of the Pacific Command in Honolulu.
Illustration 10
CYBER CRIMES AND PENALTIES 67 prashant.mali@cyberlawconsulting.com
Cyber Terrorism
In 2000, was regularly attacked by Distributed Denial of Service attacks by
"hactivists" propagating the "right to pornography", has spearheaded an
international campaign against pornography on the Internet.
Illustration 11
In 2001, in the backdrop of the downturn in US-China relationships, the Chinese
hackers released the Code Red virus into the wild. This virus infected millions of
computers around the world and then used these computers to launch denial of
service attacks on US web sites, prominently the web site of the White House.
Illustration 12
In 2001, hackers broke into the U.S. Justice Department's web site and replaced
the department's seal with a swastika, dubbed the agency the "United States
Department of Injustice" and filled the page with obscene pictures.
CYBER CRIMES AND PENALTIES 68 prashant.mali@cyberlawconsulting.com
Eight New Cyber offences added:
The IT AA, 2008 adds new eight cyber offences viz;
1 . sending offensive messages through a computer or mobile phone (Section
66 A),
2. receiving stolen computer resource or communication device (Section 66B)
3. Punishment for identity theft (Section 66C)
4. Punishment for cheating by personation using computer resource (Section
66D)
5. Punishment for violating privacy or video voyeurism (Section 66E)
6. Cyber Terrorism (Section 66F)
7. Publishing or transmitting material in electronic form containing sexually
explicit act (Section 67A),
8. Child pornography (Section 67B)
Thus, cyber crime police stations have to deal with more cyber crimes. Earlier
they were dealing with only two sections, 66 & 67.
TAKE A BITE OUT OF
■ssnui
CYBER CRIMES AND PENALTIES
69
prashan t. mall@cyberla wconsulting. com
Summary of Sections Applicable for Cyber Crimes
Cyber Crime
ITAA2008 Act
Section's
IPC Section's
Email spoofing
66D
416,417,463,465,419
Hacking
66,43
378,379,405,406
Web-jacking
65
383
Online sale of narcotics
-
NDPSAct
Virus attacks
43,66
-
Logic bombs
43,66
-
Salami attacks
66
-
Denial of Service attacks
43
-
Email bombing
66
-
Pornography & Child
Pornography
67 , 67B
292,293,294
Online sale of weapons
-
Arms Act
Bogus websites, cyber
frauds
-
420
Forgery of electronic
records
-
463, 465, 470, 471
Sending defamatory
messages by email
66A
499, 500
Sending threatening
messages by email
66A
503, 506
Financial Crime
-
415,384,506,511
Cyber Terrorism
66F
153A, UAPA 15-22
Identity Theft
66C
417A, 419A
Website Defacement
65
463,464,468,469
Data Diddling
65,43
-
CYBER CRIMES AND PENALTIES
70
prashan t. mali@cyberla wconsulting. com
Glossary
GLOSSARY :
AES
The Advanced Encryption Standard that will replace DES (the Data
Encryption Standard) around the turn of the century.
ANALOG
The traditional method of modulating radio signals so that they can carry
information. Amplitude modulation (AM) and frequency modulation (FM)
are the two most common methods of analog modulation. Today, most
U.S. cellular systems carry phone conversations using analog; the
transition to digital transmissions is happening slowly.
APPLET
Applet is a diminutive form of app (application), and it refers to simple,
single-function programs that often ship with a larger product. Programs
such as Windows' Calculator, File Manager, and Notepad are examples of
applets. It can also refer to little Java programs that run on web pages.
ASCII
American Standard Code for Information Interchange. Bland, unformatted
text files are best saved in ASCII (pronounced "askee") format. But ASCII
is more than a text file format-it's a standard developed by the American
National Standards Institute (ANSI) to define how computers write and read
characters. The ASCII set of 128 characters includes letters, numbers,
punctuation, and control codes (such as a character that marks the end of
a line). Each letter or other character is represented by a number: an
uppercase A, for example, is the number 65, and a lowercase z is the
number 122. Most operating systems use the ASCII standard, except for
Windows NT, which uses the suitably larger and newer Unicode standard.
B
BANDWIDTH
In a general sense, this term describes information-carrying capacity. It can
apply to telephone or network wiring as well as system buses, radio
frequency signals, and monitors. Bandwidth is most accurately measured
in cycles per second, or hertz (Hz), which is the difference between the
lowest and highest frequencies transmitted. But it's also common to use
bits or bytes per second instead.
CYBER CRIMES AND PENALTIES 7 1 prashant.mali@cyberlawconsultlng.com
CACHE
Caches come in many types, but they all work the same way: they store
information where you can get to it fast. A Web browser cache stores the
pages, graphics, sounds, and URLs of online places you visit on your hard
drive; that way, when you go back to the page, everything doesn't have to
be downloaded all over again. Since disk access is much faster than
Internet access, this speeds things up.
CODEC
As the name implies, codecs are used to encode and decode (or compress
and decompress) various types of data-particularly those that would
otherwise use up inordinate amounts of disk space, such as sound and
video files. See, for example, MP3.
COOKIE
Cookies are small data files written to your hard drive by some Web sites
when you view them in your browser. These data files contain information
the site can use to track such things as passwords, lists of pages you've
visited, and the date when you last looked at a certain page.
CRYPTOGRAPHY
The dividing lines between what is and what is not cryptography have
become blurred. But to most people, and for purposes of this class,
cryptography is concerned with keeping communications private, i.e.
guarding the electronic transfer of your Visa number from peeping Toms on
the Internet.
CYBERSQUATTING
Cybersquatting describes the potentially lucrative process of registering
popular trademark names or names sufficiently similar to a trademark as
Internet domain names, then selling them for outrageous fees to
companies who hold the trademarks.
DATA MINING
Data mining is the process of discovering new correlations, patterns and
trends by sifting through large amounts of data stored in repositories or
databases and using pattern recognition technologies as well as statistical
and mathematical techniques. Data mining can be a goldmine for any
business that wants to improve its bottom line by tracking consumer
behavior in new and efficient ways. It is also essential to fields that depend
on substantive research, such as healthcare. Along with data mining,
however, come privacy concerns: how are miners acquiring their data, i.e.
CYBER CRIMES AND PENALTIES 72 prashant.mali@cyberlawconsultlng.com
DES
Glossary
through cookies, how is it being used, and when does their use of your
data put you at risk?
Data Encryption Standard, an encryption method developed by IBM and
the U.S. government in the 1970's as an official standard.
DIGITAL CERTIFICATE
In an attempt to assuage fears of online transactions, software vendors,
security specialists, and online vendors have developed the concept of
digital certificates. A digital certificate is a password-protected file that
includes a variety of information: the name and email address of the
certificate holder, an encryption key that can be used to verify the digital
signature of the holder, the name of the company issuing the certificate,
and the period during which the certificate is valid. Certificate authorities
(CAs) gather information about a person or company and then issue
certificates. These certificates can be used as online identification, much in
the same way a driver's license can verify your identity in the physical
world.
DIGITAL SIGNATURE
Digital signatures are a means of proving that a file or email message
belongs to a specific person, much as a driver's license proves identity in
real life. Digital signatures have the added benefit of verifying that your
message has not been tampered with. When you sign a message, a hash
function-a computation that leaves a specific code, or "digital fingerprint"—
is applied to it. If the fingerprint on the recipient's message doesn't match
the original fingerprint, the message has been altered.
DOMAIN NAMES
You'll find them to the right of the @ sign in an email address, or about ten
characters into a URL. HLS's domain name is law.harvard.edu. See TLDs,
Cybersquatting .
ENCRYPTION
Encryption is the process of changing data into a form that can be read
only by the intended receiver. To decipher the message, the receiver of the
encrypted data must have the proper decryption key. In traditional
encryption schemes, the sender and the receiver use the same key to
encrypt and decrypt data. Public-key encryption schemes use two keys: a
public key, which anyone may use, and a corresponding private ke^Wftfch
is possessed only by the person who created it.
ETHERNET
CYBER CRIMES AND PENALTIES 73 prashant.mali@cyberlawconsultlng.com
Ethernet is a standard for connecting computers into a local area network
(LAN). The most common form of Ethernet is called 10BaseT, which
denotes a peak transmission speed of 10 mbps using copper twisted-pair
cable.
FILTER
Also known as rules, filters can be used to censor Internet content or to
manage incoming and stored mail. Software that supports filters lets you
create rules that perform actions, such as preventing a particular Internet
user from accessing a prohibited site or automatically routing messages to
various folders based on the sender's address. See, for example, PICS.
FIREWALL
If you want to protect any networked server from damage (intentional or
otherwise) by those who log in to it, you put up a firewall. This could be a
dedicated computer equipped with security measures such as a dial-back
feature, or it could be software-based protection called defensive coding.
H
HASH
A hash function takes a variable sized input and has a fixed size output.
What this means in plain English is that the hash is used to authenticate an
email or document by leaving a specific piece of code on it, such that the
document has a "digital fingerprint" that would signal tampering.
HTML
Hypertext Markup Language. As its name suggests, HTML is a collection of
formatting commands that create hypertext documents-Web pages, to be
exact. When you point your Web browser to a URL, the browser interprets
the HTML commands embedded in the page and uses them to format the
page's text and graphic elements. HTML commands cover many types of
text formatting (bold and italic text, lists, headline fonts in various sizes, and
so on), and also have the ability to include graphics and other nontext
elements.
I
IP ADDRESS
This address is a unique string of numbers that identifies a computer on the
Internet. These numbers are usually shown in groups separated by
periods, like this: 123.123.23.2. All resources on the Internet must have an
IP address-or else they're not on the Internet at all.
ISDN
CYBER CRIMES AND PENALTIES 74 prashant.mali@cyberlawconsultlng.com
ISP
Integrated Services Digital Network. The plain old telephone system
doesn't handle large quantities of data, and the phone companies realized
this a long time ago. So the ISDN spec was hammered out in 1984 to allow
for wide-bandwidth digital transmission using the public switched telephone
network. Under ISDN, a phone call can transfer 64 kilobits of digital data
per second. But it's not always easy to adopt.
Internet Service Provider. Once upon a time, you could only connect to the
Internet if you belonged to a major university or had a note from the
Pentagon. Not anymore: ISPs have arrived to act as your (ideally) user-
friendly front end to all that the Internet offers. Most ISPs have a network of
servers (mail, news, Web, and the like), routers, and modems attached to a
permanent, high-speed Internet "backbone" connection. Subscribers can
then dial into the local network to gain Internet access-without having to
maintain servers, file for domain names, or learn Unix.
JAVA
Sun Microsystems' Java is a programming language for adding animation
and other action to Web sites. The small applications (called applets) that
Java creates can play back on any graphical system that's Web-ready, but
your Web browser has to be Java-capable for you to see it.
K
KEY
Used widely in cryptography, keys are like pieces of code that allow you to
encrypt and decrypt data. Incidentally, a key can be used to perform other
mathematical operations as well.
LAN
Local area network. A local area network is a short-distance network used
to link a group of computers together within a building. 10BaseT Ethernet is
the most commonly used form of LAN. A piece of hardware calle^SFfrub
serves as the common wiring point, enabling data to be sent from one
machine to another over the network. LANs are typically limited to
distances of less than 500 meters and provide low-cost, high-bandwidth
networking capabilities within a small geographical area.
CYBER CRIMES AND PENALTIES 75 prashant.mali@cyberlawconsultlng.com
M
MET A TAG
These pieces of HTML are embedded into the heading sections of an
HTML web page and are invisible to surfers. They are designed to help
classify a web page for search engines, etc. but are now used to stuff lots
of terms into a web page that may make it more visible to a web surfer. For
example, we could stuff our IS99 web page with invisible and irrelevant
meta tags such as "Bill Clinton" so that whenever a person does a search
on Bill Clinton, our page will come up in the search results.
MP3
MREG-1, Layer 3. MP3 is a codec that compresses standard audio tracks
into much smaller sizes without significantly compromising sound quality.
The rise of MP3 has generated a highly publicized debate concerning the
distribution and protection of music over the Internet.
MPEG
Moving Pictures Experts Group. MPEG is a standard for compressing
sound and movie files into an attractive format for downloading-or even
streaming-across the Internet. The MPEG-1 standard streams video and
sound data at 150 kilobytes per second-the same rate as a single-speed
CD-ROM drive-which it manages by taking key frames of video and filling
only the areas that change between the frames. Unfortunately, MPEG-1
produces only adequate quality video, far below that of standard TV.
MPEG-2 compression improves things dramatically. With MPEG-2, a
properly compressed video can be shown at near-laserdisc clarity with a
CD-quality stereo soundtrack. For that reason, modern video delivery
mediums, such as digital satellite services and DVD, use MPEG-2.
N
NETIZEN
Citizens of the Internet. If you were not a netizen by this fall, you will
certainly become one during this course.
P3P
Platform for Privacy Preference Project. The P3P project, activity, products,
and specifications seek to enable Web sites to express their privacy
practices and enable users to exercise preferences over those practices.
P3P products will act as an initial privacy-screening device and attempt to
address the current privacy concerns that plague both Internet surfers and
webmasters. Users will be informed of site practices, will be able to
CYBER CRIMES AND PENALTIES 76 prashant.mali@cyberlawconsultlng.com
delegate decisions to their computer when appropriate, and will be able to
tailor their relationship to specific sites vis a vis privacy preferences.
PICS
Platform for Internet Content Selection. PICS is a filtering scheme that
allows content providers and independent organizations to publish their
own content-based label for any URL. Both content providers and third
party users may choose which rating system to use.
PROTOCOL
Computers can't just throw data at each other any old way. Because so
many different types of computers and operating systems connect via
modems or other connections, they have to follow communications rules
called protocols. The Internet is a very heterogenous collection of
networked computers and is full of protocols.
PROXY SERVER
A proxy server is a system that caches items from other servers to speed
up access. On the Web, a proxy first attempts to find data locally, and if it's
not there, fetches it from the remote server where the data resides
permanently.
PUBLIC KEY CRYPTOGRAPHY
In public key cryptography, each person gets a pair of keys, one called the
public key and the other called the private key. The public key is published,
while the private key is kept secret. There is no need for the sender and
receiver to share secret information; all communications involve only public
keys, and no private key is ever transmitted or shared. See Secret Key
Cryptography. Therefore, you don't have to worry about whether the
communications channels transmitting your encrypted message are
sufficiently secure. The only requirement is that public keys be associated
with their users in a trusted (authenticated) manner. Anyone can send a
confidential message by just using public information, but the message can
only be decrypted with a private key, which is in the sole possession of the
intended recipient.
SDMI
Secure Digital Music Initiative. An attempt to create an alternative to MP3
that would allow companies to track copyrights and be secure in the
knowledge that a user could not remove that copyright information. See
sdmi.org.
SECRET KEY CRYPTOGRAPHY
CYBER CRIMES AND PENALTIES 77 prashant.mali@cyberlawconsultlng.com
Secret key is the traditional method of encryption and decryption. In secret
key, or "symmetric key", the sender and receiver of a message know and
use the same secret key: the sender uses the secret key to encrypt the
message, and the receiver uses the same secret key to decrypt the
message. The main challenge, however, is getting the sender and receiver
to agree on the secret key without anyone else finding out. Because all
keys in a secret key system must remain secret, secret-key cryptography
often has difficulty providing secure key management, especially in open
systems with a large number of users. See public key cryptography.
SERVER
The business end of a client/server setup, a server is usually a computer
that provides the information, files, Web pages, and other services to the
client that logs on to it. (The word server is also used to describe the
software and operating system designed to run server hardware.) The
client/server setup is analogous to a restaurant with waiters and customers.
Some Internet servers take this analogy to extremes and become
inattentive, or even refuse to serve you.
SPAM
Spiced Ham. Hormel's famous can o' additives has given its name to
something almost as disgusting: junk email. Spam can be a mass mailing
to bulletin boards, newsgroups, or lists of people. But spam is never
welcome: if you spam or get spammed, flame wars can ensue.
SPIDER
Also known as a Web spider, this class of robot software explores the
World Wide Web by retrieving a document and following all the hyperlinks
in it. Web sites tend to be so well linked that a spider can cover vast
amounts of the Internet by starting from just a few sites. After following the
links, spiders generate catalogs that can be accessed by search engines.
Popular search sites like Alta Vista, Excite, and Lycos use this method.
STREAMING
Data is streaming when it's moving quickly from one chunk of hardware to
another and doesn't have to be all in one place for the destination device to
do something with it. When your hard disk's data is being written to a tape
backup device, it's streaming. When you're watching a QuickTime movie
on the Internet, it's not streaming, because the movie must be fully
downloaded before you can play it.
CYBER CRIMES AND PENALTIES
78
prashan t. mali@cyberla wconsulting. com
Glossary
TLDs
Top Level Domains. TLDs refer to the last extension on a domain name ,
like, "edu" or "com" or "mil". In a hierarchical classification system, TLD's fill
the highest, or most generalized, level of classification; currently, there are
about 260 of them (most of them country extensions like .uk or .fr). Their
future -- particularly who owns the right to assign and create new TLDs -- is
the subject of much contention and, not surprisingly, our first two classes.
U
UNIX
Unix took off in the early 1970s as a general-purpose operating system.
Since much of the Internet is hosted on Unix machines, the operating
system took on a new surge of popularity in the early 1990s. Unix comes in
many flavors-including Xenix, Ultrix, GNU, and Linux-and runs on a
variety of platforms, which makes its development a subject of widespread
discussion.
USENET
Usenet is a worldwide network of thousands of unix systems with a
decentralized administration. The Usenet systems exist to transmit
postings to special-interest newsgroups covering just about any topic you
can imagine (and many you wouldn't even want to imagine).
W
WARES
Wares is short for software or hardware.
WIPO
The World Intellectual Property Organization, located in Geneva,
Switzerland.
CYBER CRIMES AND PENALTIES 79 prashant.mali@cyberlawconsultlng.com