Cybercrimes Relating To Unauthorised Access: A Critical Study
Cybercrime is not specifically defined anywhere; in general, it does not differ from crime in the conventional sense except in the method adopted for its commission. A single definition of cybercrime is not possible because there are many different forms of misuse of information technology. In the age of information technology, cyber law is the need of the hour. Cyber law means the law relating to cybercrime. Cybercrimes are the biggest bane of the internet. Our everyday life is heavily dependent on the internet: from shopping to online studying to social networking, everything can be done with one tap while sitting in one place. With the development of the internet and its related benefits, the concept of cybercrime also developed. The term cyber law generally covers all aspects of electronic communication and the regulatory aspects of the internet. Cyber law is the branch of law that regulates the legal aspects of using the internet. This means that anything concerned with, related to, or involving any legal activity of the internet user in cyberspace is covered by cyber law. Cyber crimes are committed in different forms. The National Crime Records Bureau report of 2017 claimed that there was an increase of 77% from 2016. Countrywide, 1.7 cyber crimes were committed per one lakh population in 2017.
Cyber crime is crime committed using technology by hackers or cyber criminals. These types of crimes usually aim at damaging computers for personal or political reasons. Cyber crime is a broad term used to define criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity, and it includes everything from electronic cracking to denial of service attacks. It also covers traditional crimes in which computers or networks are used to enable the illicit activity. A generalized definition of cyber crime may be “unlawful acts wherein the computer is either a tool or a target or both”. The computer may be used as a tool in financial crime or the sale of illegal articles. The computer may be the target when someone tries to gain unauthorized access to the computer or any personal data; this kind of misuse of the computer or computer networks is called cyber crime.
Types of cyber crime include email or internet fraud, identity fraud, cyber extortion, ransomware attacks or malware attacks, cryptographic, cyber espionage, denial of service attack, phishing, Distributed DoS attacks, web hijacking, cyber stalking, salami attacks, sale of illegal articles, online gambling, email spoofing, cyber defamation, forgery, data diddling, cyber terrorism etc.
Unauthorized access means any kind of access without the permission of either the rightful owner or the person in charge of the computer, computer system or computer network. Hacking means an illegal intrusion into a computer system and/or network. Every act committed towards breaking into a computer and/or network is hacking. Hackers write or use ready-made computer programs to attack the target computer. They possess the desire to destroy and they get a kick out of such destruction. Some hackers hack for personal monetary gain, such as stealing credit card information or transferring money from various bank accounts to their own account, followed by withdrawal of the money. Government websites are the sites most targeted by hackers. The data breach regulations define ‘cyber security incident’ to mean any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy, resulting in unauthorized access, denial of service or disruption, unauthorized use of a computer resource for processing or storage of information, or changes to data and information without authorization. There is a further definition through a description of various incidents that constitute a cyber-security incident:
targeted scanning or probing of critical networks and systems;
compromise of critical systems and information;
unauthorised access to IT systems and data;
defacement of website or intrusion onto a website and unauthorised changes (eg, inserting malicious code or links to external websites);
malicious code attacks (eg, spreading viruses, worms, Trojan horses, botnets and spyware);
attacks on servers (eg, database, mail and DNS) and network devices (eg, routers);
identity theft, spoofing and phishing attacks;
denial of service and distributed denial of service attacks;
attacks on critical infrastructure, SCADA systems and wireless networks; and
attacks on applications such as e-governance and e-commerce.
Some of the famous cybercrime attacks include the WannaCry ransomware attack of May 2017, which affected 2,30,000 computers globally. Another is the phishing scam of 2018, the World Cup phishing scam, in which emails were sent to football fans enticing them with fake trips to Moscow; people who opened the emails and clicked on the links had their personal data stolen.
Cyber crimes are a new class of crimes which are increasing day by day due to the extensive use of the internet. To combat crimes related to the internet, the Information Technology Act, 2000 was enacted with the prime objective of creating an enabling environment for the commercial use of I.T. The IT Act specifies the acts which have been made punishable. The Indian Penal Code, 1860 has also been amended to take cyber crimes into its purview.
Cyber crimes under the IT Act include tampering with computer source documents (Section 65), hacking with computer systems, data alteration (Section 66), publishing obscene information (Section 67), unauthorised access to protected system (Section 70), breach of confidentiality and privacy (Section 72), publishing false digital signature certificates (Section 73).
Cyber crimes under the Indian Penal Code include sending threatening messages by email (Section 503 IPC), sending defamatory messages by email (Section 499 IPC), forgery of electronic records (Section 463 IPC), bogus websites, cyber frauds (Section 420 IPC), email spoofing (Section 463 IPC), web-jacking (Section 383 IPC), e-mail abuse (Section 500 IPC).
Section 43A of the IT Act provides for compensation in the event that a company fails to use reasonable security practices and procedures in order to protect sensitive personal data and such negligence results in a wrongful gain or loss. However, the statute provides for compensation only when a wrongful gain or loss results from the failure to observe reasonable security practices and procedures. It can be argued that this is nothing more than a codification of the law of negligence. This means that no negative consequence arises from the failure to observe reasonable security practices and procedures. Further, the IT Act defines ‘reasonable security practices and procedures’ as procedures stated by a law in force or as agreed by the parties and, in the absence of both, the rules framed by the government. To date, no statute prescribes reasonable security practices and procedures. This means that if the parties (eg, a data subject and a data receiver) agree on the reasonable security practices and procedures to be adopted, the government-prescribed rules will not apply.
In an attempt to establish what constitutes reasonable security practices and procedures, the government issued rather basic and poorly written privacy rules. As stated above, these rules apply only if the parties have not agreed on their own reasonable security practices and procedures. The rules contain basic principles of privacy, such as:
when sensitive personal data can be collected;
requirements of notice and consent; and
when sensitive personal data can be transferred.
· Section 72 of the IT Act provides for a criminal penalty where a government official discloses records and information accessed in the course of his or her duties without the consent of the concerned person, unless permitted by other laws. The penalty prescribed is imprisonment of up to two years, a fine of up to Rs100,000 or both.
· Section 72A of the IT Act provides for a criminal penalty where in the course of performing a contract, a service provider discloses personal information without the data subject’s consent or in breach of a lawful contract and with the knowledge that he or she will cause or is likely to cause wrongful loss or gain. The punishment prescribed is imprisonment of up to three years, a fine of up to Rs500,000 or both.
Apart from the Information Technology Act and the Indian Penal Code, there are certain laws and regulations which deal with cyber crime. Even certain civil laws are relevant to certain kinds of misuse in cyberspace. They are as follows:
1. Common Law (governed by general principles of law)
2. The Bankers’ Book Evidence Act, 1891
3. The Reserve Bank of India Act, 1934
4. The Information Technology (Amendment) Act, 2008 and 2009
5. The Information Technology (Removal of difficulties) Order, 2002
6. The Information Technology (Certifying Authorities) Rules, 2000
7. The Information Technology (Certifying Authorities) Regulations, 2001
8. The Information Technology (Securities Procedure) Rules, 2004
9. Various laws relating to IPRs.
Thus, the Indian legal system has various laws concerning cyber crimes. But the nature of cyber crime is technical, and it therefore requires a technical process to execute the criminal law in the proper sense. That technical process is lacking in the Indian legal system; therefore, although the substantive criminal law is sufficient, the gaps in the procedural aspect leave it unable to be executed in India. The basic problem with cyber crime is that there is no specific manner in which the internet can be misused; criminals always misuse it in different ways, so it is not possible for the legal system to keep up with the need. Apart from this, the nature of cyber crime is transnational, and it therefore requires international co-operation.
Author Details: Niharika Tanwar (Symbiosis Law School, Pune)