Awareness: There is no serious provision for creating awareness and putting such initiatives in place in the Act. The government or the investigating agencies like the Police department (whose job has been made comparatively easier and focused, thanks to the passing of the IT Act), have taken any serious step to create public awareness about the provisions in these legislations, which is absolutely essential considering the fact that this is a new area and technology has to be learnt by all the stake-holders like the judicial officers, legal professionals, litigant public and the public or users at large. Especially, provisions like scope for adjudication process is never known to many including those in the investigating agencies.
Jurisdiction: This is a major issue which is not satisfactorily addressed in the ITA or ITAA. Jurisdiction has been mentioned in Sections 46, 48, 57 and 61 in the context of adjudication process and the appellate procedure connected with and again in Section 80 and as part of the police officers’ powers to enter, search a public place for a cyber crime etc. In the context of electronic record, Section 13 (3) and (4) discuss the place of dispatch and receipt of electronic record which may be taken as jurisprudence issues.
However some fundamental issues like if the mail of someone is hacked and the accused is a resident of a city in some state coming to know of it in a different city, which police station does he go to? If he is an employee of a Multi National Company with branches throughout the world and in many metros in India and is often on tour in India and he suspects another individual say an employee of the same firm in his branch or headquarters office and informs the police that evidence could lie in the suspect’s computer system itself, where does he go to file he complaint. Often, the investigators do not accept such complaints on the grounds of jurisdiction and there are occasions that the judicial officers too have hesitated to deal with such cases. The knowledge that cyber crime is geography-agnostic, borderless, territory-free and sans all jurisdiction and frontiers and happens in ‘cloud’ or the ‘space’, has to be spread and proper training is to be given to all concerned players in the field.
Evidences: Evidences are a major concern in cyber crimes. Pat of evidences is the ‘crime scene’ issues. In cyber crime, there is no cyber crime. We cannot mark a place nor a computer nor a network, nor seize the hard-disk immediately and keep it under lock and key keep it as an exhibit taken from the crime scene.
Very often, nothing could be seen as a scene in cyber crime! The evidences, the data, the network and the related gadgets along with of course the log files and trail of events emanating or recorded in the system are actually the crime scene. While filing cases under IT Act, be it as a civil case in the adjudication process or a criminal complaint filed with the police, many often, evidences may lie in some system like the intermediaries’ computers or some times in the opponent’s computer system too. In all such cases, unless the police swing into action swiftly and seize the systems and capture the evidences, such vital evidences could be easily destroyed. In fact, if one knows that his computer is going to be seized, he would immediately go for destruction of evidences (formatting, removing the history, removing the cookies, changing the registry and user login set ups, reconfiguring the system files etc) since most of the computer history and log files are volatile in nature.
There is no major initiative in India on common repositories of electronic evidences by which in the event of any dispute (including civil) the affected computer may be handed over to a common trusted third party with proper software tools, who may keep a copy of the entire disk and return the original to the owner, so that he can keep using it at will and the copy will be produced as evidence whenever required. For this there are software tools like ‘EnCase’ wih a global recognition and our own C-DAC tools which are available with much retrieval facilities, search features without giving any room for further writing and preserving the original version with date stamp for production as evidence.
Non coverage of many crimes: While there are many legislations in not only many Western countries but also some smaller nations in the East, India has only one legislation – the ITA and ITAA. Hence it is quite natural that many issues on cyber crimes and many crimes per se are left uncovered. Many cyber crimes like cyber squatting with an evil attention to extort money. Spam mails, ISP’s liability in copyright infringement, data privacy issues have not been given adequate coverage.
Besides, most of the Indian corporate including some Public Sector undertakings use Operating Systems that are from the West especially the US and many software utilities and hardware items and sometimes firmware are from abroad. In such cases, the actual reach and import of IT Act Sections dealing with a utility software or a system software or an Operating System upgrade or update used for downloading the software utility, is to be specifically addressed, as otherwise a peculiar situation may come, when the user may not know whether the upgrade or the patch is getting downloaded or any spyware getting installed. The Act does not address the government’s policy on keeping the backup of corporates including the PSUs and PSBs in our county or abroad and if kept abroad, the subjective legal jurisprudence on such software backups.
We find, as has been said earlier in the chapter, that most of the cyber crimes in the nation are still brought under the relevant sections of IPC read with the comparative sections of ITA or the ITAA which gives a comfort factor to the investigating agencies that even if the ITA part of the case is lost, the accused cannot escape from the IPC part. To quote the noted cyber law expert in the nation and Supreme Court advocate Shri Pavan Duggal, “While the lawmakers have to be complemented for their admirable work removing various deficiencies in the Indian Cyberlaw and making it technologically neutral, yet it appears that there has been a major mismatch between the expectation of the nation and the resultant effect of the amended legislation. The most bizarre and startling aspect of the new amendments is that these amendments seek to make the Indian cyberlaw a cyber crime friendly legislation; - a legislation that goes extremely soft on cyber criminals, with a soft heart; a legislation that chooses to encourage cyber criminals by lessening the quantum of punishment accorded to them under the existing law; ….. a legislation which makes a majority of
cybercrimes stipulated under the IT Act as bailable offences; a legislation that is likely to pave way for India to become the potential cyber crime capital of the world……”
Let us not be pessimistic that the existing legislation is cyber criminal friendly or paves the way to increase crimes. Certainly, it does not. It is a commendable piece of legislation, a landmark first step and a remarkable mile-stone in the technological growth of the nation. But let us not be complacent that the existing law would suffice. Let us remember that the criminals always go faster than the investigators and always try to be one step ahead in technology. After all, steganography was used in the Parliament Attack case to convey a one-line hidden message from one criminal to another which was a lesson for the investigators to know more about the technology of steganography. Similarly Satellite phones were used in the Mumbai attack case in November 2008 after which the investigators became aware of the technological perils of such gadgets, since until then, they were relying on cell phones and the directional tracking by the cell phone towers and Call Details Register entries only. Hopefully, more and more awareness campaign will take place and the government will be conscious of the path ahead to bring more and more legislations in place. Actually, bringing more legislations may just not be sufficient, because the conviction rate in Cyber crime offences is among the lowest in the nation, much lower than the rate in IPC and other offences. The government should be aware that it is not the severity of punishment that is a deterrent for the criminals, but it is the certainty of punishment. It is not the number of legislations in a society that should prevent crimes but it is the certainty of punishment that the legislation will bring.
Let us now discuss some of the other relevant legislations in the nation that deal with cyber crimes in various sectors.
Prevention of Money Laundering Act:
Black money has always been a serious evil in any developing economy. Nation builders, lawmakers and particularly the country’s financial administrators have always taken persistent efforts to curb the evil of black money and all sorts of illegally earned income. A major initiative taken in this direction in India is the Anti Money Laundering Act 2002. A main objective of the Act was to provide for confiscation of property derived from, or involved in, money laundering.
Money laundering though not defined in the Act, can be construed to mean directly or indirectly attempting to indulge in any process or activity connected with the proceeds of crime and projecting it as untainted property. The Act stipulates that whoever commits the offence of money laundering shall be punishable with rigorous imprisonment for a term which shall not be less than three years but may extend to seven years and also be liable to a fine which may extend to five lakh rupees.
Money laundering involves a process of getting the money from illegal sources, layering it in any legal source, integrating it as part of any legal system like banking and actually using it. Since the banking as an industry has a major and significant role to play in the act of money laundering, it is now a serious responsibility on the part of banks to ensure that banking channel is not used in the criminal activity. Much more than a responsibility, it is now a compliance issue as well.
Obligations of banks include maintenance of records of all transactions of the nature and value specified in the rules, furnish information of the transactions within the prescribed time, whenever warranted and verify and maintain records of the identity of all customers. Hence, as a corollary, adherence to Know Your Customer norms and maintenance of all KYC records assumes a very major significance and becomes a compliance issue. Records of cash transactions and suspicious transactions are to be kept and reported as stipulated. Non compliance on any of these will render the concerned bank official liable for the offence of money laundering and guilty under the Act.
e-Records Maintenance Policy of Banks:
Computerisation started in most of the banks in India from end 80’s in a small way in the form of stand-alone systems called Advanced Ledger Posting Machines (Separate PC for every counter/activity) which then led to the era of Total Branch Automation or Computerisation in early or mid 90’s. TBA or TBC as it was popularly called, marked the beginning of a networked environment on a Local Area Network under a client-server architecture when records used to be maintained in electronic manner in hard-disks and external media like tapes etc for backup purposes.
Ever since passing of the ITA and according of recognition to electronic records, it has become mandatory on the part of banks to maintain proper computerized system for electronic records. Conventionally, all legacy systems in the banks always do have a record maintenance policy often with RBI’s and their individual Board approval stipulating the period of preservation for all sorts of records, ledgers, vouchers, register, letters, documents etc.
Thanks to computerisation and introduction of computerized data maintenance and often computer-generated vouchers also, most of the banks became responsive to the computerized environment and quite a few have started the process of formulating their own Electronic Records Maintenance Policy. Indian Banks’ Association took the initiative in bringing out a book on Banks’ e-Records Maintenance Policy to serve as a model for use and adoption in banks suiting the individual bank’s technological set-up. Hence banks should ensure that e-records maintenance policy with details of e-records, their nature, their upkeep, the technological requirements, off-site backup, retrieval systems, access control and access privileges initiatives should be in place, if not already done already.
On the legal compliance side especially after the Rules were passed in April 2011, on the “Reasonable Security Practices and Procedures” as part of ITAA 2008 Section 43A, banks should strive well to prove that they have all the security policies in place like compliance with ISO 27001 standards etc and e-records are maintained. Besides, the certificate to be given as an annexure to e-evidences as stipulated in the BBE Act also emphasizes this point of maintenance of e-records in a proper ensuring proper backup, ensuring against tamperability, always ensuring confidentiality, integrity, availability and Non Repudiation.
This policy should not be confused with the Information Technology Business Continuity and Disaster Recovery Plan or Policy nor the Data Warehousing initiatives. Focus on all these three policies (BC-DRP, DWH and E-records Maintenance Policy) are individually different, serving different purposes, using different technologies and maybe coming under different administrative controls too at the managerial level.
Legislations in other nations:
As against the lone legislation ITA and ITAA in India, in many other nations globally, there are many legislations governing e-commerce and cyber crimes going into all the facets of cyber crimes. Data Communication, storage, child pornography, electronic records and data privacy have all been addressed in separate Acts and Rules giving thrust in the particular area focused in the Act.
In the US, they have the Health Insurance Portability and Accountability Act popularly known as HIPAA which inter alia, regulates all health and insurance related records, their upkeep and maintenance and the issues of privacy and confidentiality involved in such records. Companies dealing with US firms ensure HIPAA compliance insofar as the data relating to such corporate are handled by them. The Sarbanes-Oxley Act (SOX) signed into law in 2002 and named after its authors Senator Paul Sarbanes and Representative Paul Oxley, mandated a number of reforms to enhance corporate responsibility, enhance financial disclosures, and combat corporate and accounting fraud. Besides, there are a number of laws in the US both at the federal level and at different states level like the Cable Communications Policy Act, Children’s Internet Protection Act, Children’s Online Privacy Protection Act etc.
In the UK, the Data Protection Act and the Privacy and Electronic Communications Regulations etc are all regulatory legislations already existing in the area of information security and cyber crime prevention, besides cyber crime law passed recently in August 2011. Similarly, we have cyber crime legislations and other rules and regulations in other nations.
Conclusion: To sum up, though a crime-free society is Utopian and exists only in dream-land, it should be constant endeavour of rules to keep the crimes lowest. Especially in a society that is dependent more and more on technology, crime based on electronic offences are bound to increase and the law makers have to go the extra mile compared to the fraudsters, to keep them at bay. Technology is always a double-edged sword and can be used for both the purposes – good or bad. Steganography, Trojan Horse, Scavenging (and even DoS or DDoS) are all technologies and per se not crimes, but falling into the wrong hands with a criminal intent who are out to capitalize them or misuse them, they come into the gamut of cyber crime and become punishable offences. Hence, it should be the persistent efforts of rulers and law makers to ensure that technology grows in a healthy manner and is used for legal and ethical business growth and not for committing crimes.
It should be the duty of the three stake holders viz