Interview: How good are our cyber-laws?
What can you do if your computer is hacked? What are the options before you if you find your e-mail account, or even your bank account, compromised? Did you know that your bank is liable if your account is hijacked and misused online?
As we grow increasingly dependent on computers both at work and at home, we become more susceptible to attacks by cyber criminals. These range from identity theft to phishing, where your bank account and other details are stolen and misused.
Are our laws good enough to deal with such crimes?
Vijay Shankar, director of Naavi Cyber Law College and author of Cyber Laws for Every Netizen in India and the e-book Cyber Laws… ITA-2000 and Beyond, is probably one of the best-known cyber-crime experts in the country. He has not only helped the local police convict several cyber criminals; his college also organizes workshops on cyber-laws and cyber-crimes for corporates, BPOs and banks.
In an interview with Anjali Menon, Shankar elaborates on the vulnerabilities that plague Indian cyberspace, and what we can do to promote a "Responsible Cyber Society".
What is cyber crime?
Cyber crime is any contravention of law in which a computer or an electronic document is either the target or the tool.
The offence could be as defined in ITA 2008, in the IPC or in any other law. There are many names for cyber crimes that are strictly not relevant. However, "hacking", which is basically 'unauthorised access' to a computer system causing wrongful harm to somebody, is one popular name. Similarly, 'denial of access' is preventing authorized users from accessing a computer system; 'phishing' is stealing of passwords through deception; 'cyber stalking' is harassment through communication, etc. Additionally there is 'cyber terrorism', video voyeurism, transmission and publication of obscene information, child pornography, etc.
What are the current trends of cyber crime in India (and has the Government been able to check the growth of cyber crime)?
Cyber crime is a product of technological development. As more and more people use computers and computer-like devices for carrying on their day-to-day activities such as social interaction, e-commerce or e-governance, the incidence of misuse of the system will naturally increase. As in any other instance, the Government needs to make continuous efforts to prevent the occurrence of crimes, and also to detect crimes after they occur and punish the offenders. This is a process that will continue as long as we use technology. In this race, we may now be in a phase where law enforcement is lagging behind the growth of crimes, but if proper effort is put in, the problem can be contained, though it cannot be eliminated.
What are the drawbacks in the Indian IT Act, 2000? Do you think the amendments in the Information Technology Amendment Act, 2008 are enough to deal with the present situation?
The race against cyber crime is a continuing battle and will never be fully won. What we must however appreciate is that ITA 2008 is a significant improvement over ITA 2000. Yes, it could have been even better. But let's be happy with at least what has happened. The best part of ITA 2008 is not that it increased the number of crime definitions from 10 sections to 24 sections. It is the display of an intention to encourage the practice of "Information Security" by intermediaries and companies, which could help in the reduction of cyber crimes.
What motivated you to become a cyber crime expert?
My motivation stemmed from the belief that "Prevention of Cyber Crime is essential for the benefit of the society". Initially, when cyber laws were being drafted in India around 1998, I thought that it would contribute to the development of the society and hence set about my work with a view to contributing towards creating a "Responsible Cyber Society". This was adopted as the motto of naavi.org.
Since one of the causes of cyber crime was lack of awareness, I went about developing education through Cyber Law College and also started assisting the Police in understanding and resolving cyber crimes. I also train individuals on cyber ethics and warn them about "Cyber Offendo Mania".
I am simultaneously working with corporates for "Proactive Prevention of Cyber Crimes", with ITA 2008 compliance as a part of corporate strategy.
Collectively, I can say it is not any specific incident that motivated me into this field, except that I wanted to contribute towards a healthy development of the cyber society in India, which is economically good for the country and can be achieved if we reduce cyber crime risks.
Tell us of an instance of cyber crime which you have dealt with personally.
I have dealt with many cases of Cyber Crimes mostly assisting the Police.
I was involved in assisting the TN Police in the first case which went for successful conviction under ITA 2000 in India (State of Tamil Nadu Vs Suhas Katti). In this case the accused was convicted under Section 67 of ITA 2000, along with other sections of the IPC, for having posted obscene messages in a Yahoo e-group causing issues to a lady.
I am also pursuing what could be the first case of a phishing crime in which a bank is accused; the proceedings are pending with the adjudicator of Tamil Nadu. This is a case under Section 43 for recovery of Rs 6.46 lakhs from a bank for an offence under Section 66 combined with Section 85.
I have provided certified evidence from the Cyber Evidence Archival Center (www.ceac.in) that is used in many civil and criminal cases. I also assist advocates in pursuing cyber crime litigation.
Most companies use the Internet. So, has the government prescribed any basic norms on prevention of crime and the follow-up action afterwards?
Yes, under several sections of ITA 2008 it is prescribed that companies need to practice "due diligence". In certain cases, detailed prescriptions have been given, and will be given, in the form of rules notified or to be notified. In many other cases, it is left to the judgment of the companies to determine what is appropriate due diligence for their type and criticality of activity. They would, however, be better placed to take the assistance of experts in understanding what "ITA 2008 Compliance" is and act accordingly.
If a cyber crime takes place in a corporate office, what should be the management’s stand?
The fact that a crime has occurred is a prima facie indication that the company has failed to follow due diligence. Hence, they can be charged as a company for the same offence under Section 85 of ITA 2008. Even the officials in charge of the business and the management, including the CEO and Directors, may also be hoisted with vicarious liabilities.
The company therefore has to defend itself on the basis of the due diligence efforts it initiated earlier. Whether it had undertaken an ITA 2008 risk analysis and initiated steps to mitigate the risk becomes very important in this respect.
Companies should realize that merely stating that theirs is an ISO/CMMI/Six Sigma company, or that they have completed an ISO 27001 audit, etc., may not suffice to avoid the liabilities.
The management should immediately review the information security process and determine which part of the systems failed, allowing a cyber crime to occur. Then it has to take steps to preserve whatever evidence may be available towards resolving all aspects of the crime. Then they need to make the necessary changes to the system so that in future the possibility of occurrence of similar crimes is reduced.
Can a person sue the company for personal loss through cyber crime in the office?
Yes. Section 85 is meant for that. The company's defence is that it is not part of the offence, that it was unaware, and also that it had practiced "due diligence". If any of these defences fail, it is liable to compensate.
How stringent are our cyber laws? For instance, unlike in the real world, we don't have proof of the crime (as when an e-mail account is hacked); how feasible is filing a case then?
Civil liabilities can be proved with evidence that is not as stringent as in the case of criminal liabilities. Whether the evidence is sufficient to prove an offence beyond reasonable doubt or otherwise is an issue which the judge of a particular case has to determine. Civil liabilities are determined in a process of adjudication, where the adjudicator can act if he is reasonably satisfied that the occurrence of an offence is proved and the "due diligence" is considered unsatisfactory.
A case can be filed if the victim can prove that he has suffered a loss and the cause of the loss can be traced to an electronic document. Finding the proof is the responsibility of the investigator.
What are the proofs a person has to produce while filing a complaint?
It may differ from case to case. It could be e-mails, SMS messages, web pages or server log records, etc. Initially, the complainant may produce the raw information in his hands. However, as early as possible, and particularly when civil compensation is claimed, it would be necessary to get the evidence certified under Section 65B of the Indian Evidence Act (refer to www.ceac.in for more information).
What are the punishments for cyber crime?
Punishment can be threefold: payment of financial compensation to the victim, payment of a fine to the government, and imprisonment. The maximum punishment in ITA 2008 is "life imprisonment" for offences under Section 66F, which is called "Cyber Terrorism". Most common offences carry 3-year imprisonment. Fines range from Rs 1 lakh to Rs 10 lakh. There is no upper limit on the compensation payable to the victim. It could be in crores.
What are the issues that the cyber protectors are facing while dealing with cyber-criminals?
The intermediaries support the criminalization of the Internet by not providing adequate support to law enforcement. Privacy is often misused to protect the criminals and frustrate law enforcement. If a proper consortium of law enforcement and private sector companies is forged, the situation could be better. I therefore advocate a "Netizens Rights Commission" to act as an intermediary with law enforcement, which may misuse its powers if too much power is available to it, and at the same time does need such power occasionally.
Tell us something about impersonation and cheating through that on social networking sites. How strict is the law on that? Can we approach the police if someone impersonates an old friend of ours and stalks us online?
Impersonation and cheating can be punishable both under ITA 2008 and also under the IPC. Cyber stalking leading to harassment is also punishable under Section 66A of ITA 2008.
In a bank fraud, will the bank be liable to compensate the loss to an account holder if he is defrauded through the hacking of his online banking system?
Yes, since most banks anyway are not complying with either ITA 2008 or the Internet banking guidelines, and are led by the IT companies who have supplied them software which is deficient in security and who maintain that it is the best available software in the world. All core banking software used in India suffers from such limitations. It is time that software companies ensure that they upgrade their software to be "ITA 2008 compliant" and not push their customers into liabilities, which can kill some banks in future.
How can we protect ourselves from phishing?
Protection from phishing is required to be ensured both from the user's end as well as from the banker's end. While users must be educated enough to distinguish between genuine communication from the bank and false communication, there is a responsibility on the part of the bank to harden the security at its end by allowing transactions only against the legally mandated authentication system of digital signatures.