Download - cyber law
THE MATHEMATICS BETWEEN CYBER LAW &CYBER
CRIME IN ‘INDIAN ARENA’
GAURAV TIWARI
INTRODUCTION:
The founding fathers of Internet barely had any proclivity that Internet could transform itself into
an all pervading revolution which could be tainted for criminal activities and which required law.
These days, there are many troubling incidents in cyberspace. Due to the mysterious nature of
the Internet, it is probable to engage into a variety of criminal activities with impunity and people
with intelligence, have been hideously misusing this aspect of the Internet to perpetuate criminal
activities in cyberspace. . The advancement in this field has been multiplying exponentially but
cybercrimes are also thriving rapidly. Although generous progress in technology, uncertainty
still prevails and the efforts to trace, identify and bring the criminal to books have not borne
much fruit. If cybercrimes are not combated at the early stage, the posterity will suffer from the
human values, which will have very damaging effects on the society at large and innocent
individuals in particular.1 The very character of crime itself has undergone complete
transformation. There is a conjectural shift in terms of the costs of criminal behaviour and the
forms of criminality, which merits state attention. The globalization of the world’s economy and
the resultant exponential increase in the way business is carried out has given rise to a new wave
of crime, which requires more attention than traditional forms of violent crimes that currently
command the vast share of state law enforcement resources. Territorial boundaries are no longer
the barriers, as it may also exist in cyberspace, where corporations, which serve computer and
1 M. Ponnaian,, July- September 2000 “Cyber crimes, Modern crimes and Human rights”, P R P Journal of Human Rights, Vol. 4, at 13-14
telecommunications networks also control access. The capacity of criminals has been enhanced
to carry out serious offences manifolds due to progress in computer and communications
technologies and that too with a greatly diminished risk of apprehension. The defence
mechanisms of states appear fragile when it comes to advanced technology, telecommunications
and cyberspace. The concept of jurisdiction becomes meaningless when an individual has only
an address on a computer network as identity. This century will therefore, be known not only for
greater technological innovation, but also be remembered for unpreparedness of legal and law
enforcement communities for the cyberspace crime, which is increasing unabated. The ever-
expanding financial resources of criminals will render them increasingly important players in
global financial markets.2 With the advent of the internet, cyberlaw has become an emerging
field. Cyberlaw encompasses electronic commerce, freedom of expression, intellectual property
rights, jurisdiction and choice of law, and privacy rights.3 There have been various kinds of
computer and internet related crimes. In fact, the growth of crime on the internet is directly
proportional to the growth of the internet itself, and so is the variety of crimes being committed
or attempted.4
FUNDAMENTAL PRINCIPLES OF CRIME
The fundamental principles of crime are founded on rules of equity, justice and fair play, which
provide adequate guidelines for the formulation of a rational penal policy and at the same time
ensure even-handed dispensation of justice to litigants. It is general principle of criminal law
2 M.P. Shahi,(2000), “Crime and Corruption in the Digital Age”, at 27 3 J. Kaufman Winn and R. Warner, “Course: Law of the internet”, Southern Methodist University School of Law at <http://www.smu.edu/~jwinn/inetlaw.htm>4 “Computer and internet Crimes”, at <http://www.cyberspacelaws.com/crime.asp>
that a person may not be convicted of a crime unless the prosecution has proved beyond
reasonable doubt that:
He has caused a certain event, or responsibility is to be attributed to him for the existence
of a certain state of affairs, which is forbidden by criminal law; and
He had a defined state of mind in relation to the causing of the event or the existence of
the state of affairs.
Thus, a crime essentially consists of two elements, namely, actus reus and mens rea.
ACTUS REUS
The word actus connotes, a physical result of human conduct. The actus reus includes all the
elements in the definition of the crime except the mental element of the accused. It is not
merely an act but may consist of a state of affairs not including an act at all. Actus reus is
defined as “such result of human conduct as the law seeks to prevent”.5
The actus reus is made up generally, but not always, of conduct, and sometimes it’s
consequences and also the circumstances in which the conduct takes place, or which constitute
the state of affairs, in so far as they are relevant. Sometimes a particular state of mind on the part
of the victim is required by the definition of the crime. If so, that state of mind is a part of the
actus reus.6
Actus reus in internet crimes
The element of actus reus in internet crimes is relatively easy to identify, but is very difficult to
prove. The fact of the occurrence of the act that can be termed as a crime can be said to have
taken place when a person is:
5 J.C. Smith and B. Hogan,(1988) “Criminal Law”, at 31-36 6 Thus, in the prosecution of rape the absence of consent on the part of the prosecutrix is an essential constituent of the actus reus. If the prosecution fails to prove such absence of consent the actus reus is not proved and the prosecution must fail.
making use of computer function;7
accessing data stored on a computer or from a computer which has access to data stored
outside;8
attempt to gain access through internet or passes signals through various computers and
made computers to perform a function on the instruction which the person gave to the
first computer in the chain. Such function can be said to constitute actus reus.9
trying to login, even though attempts are useless. For example, hackers have an
automated system of trying passwords of different systems, the very running of which
can be considered to be a function being performed.10
MENS REA
Mens rea is the second essential element, which constitutes crime is called “a guilty mind”.
This construalhad undergone gradual changes until modern criminal law came to regard a guilty
mind of some kind or some other such mental element as always being necessary.11 Mens rea
consist of a number of different mental attitudes including intention, recklessness and
negligence.12 Intention refers to the state of mind of a man who not only foresees but also wills
the possible consequences of his conduct. There cannot be intention unless there is foresight,
since a man who intends a particular act must have reasonable foresight of the consequences of
7 This is done by using input devices like the keyboard, mouse, etc8 A hacker uses an authorized person’s password to login to any company’s main server, hoping to gain access to the company’s customer details. The computer to which he logs in to stores these details in a huge data storage unit, which is, locate elsewhere. The data itself is stored on a magnetic tape. The processing unit of the computer retrieves the information the storage unit. The computer would be thought to include the magnetic tape, and so the data would still be considered as being ‘held in a computer’. See, C. Gringras,(1997) “The Laws of the internet”, at 216 9 For example, a hacker uses his computer to access an unauthorized account at an Internet Service Provider (ISP). It is enough for the prosecution to prove that either of the computers belonging to the hacker or the ISP were made to function. However, the prosecution would choose to prove that the ISP’s computer was made to function only when it is not possible or extremely difficult for the prosecution to prove that the functioning of the ISP’s computer was a result of the instructions given by the hacker unless there is other evidence to prove the same.10 A hacker oversees a password being entered by someone logging in to a remote computer. The login prompt specifies that the user must be authorized to access the computer. Later, the hacker attempts to use the password himself, but fails owing to the remote computer allowing only one login each day. This would still be actus reus as the rejection itself constitutes a function and this function was caused by the hacker using the password without authorization at the wrong time. 11 Smith and Hogan,(1988)Supra note 7 at 55 12 J.W. Cecil Turner (ed.), Kenny’s, “Outlines of Criminal Law”, 18th ed., Cambridge University Press, Cambridge, at 31- 36
such act. Though intention cannot exist without foresight, the converse is not necessarily true,
i.e., there can be foresight without intention. A person who does not intend to cause a harmful
result may take an unjustifiable risk of causing it. If a man foresees the possible or even
probable consequences of his conduct and yet, without desiring them, still persists with such
conduct, he knowingly runs the risk of bringing about the unwished result. Such conduct may be
defined as recklessness.
Finally, a man may bring about an event without having any intention or foresight. He may
never have considered the possible consequences of his conduct and the end result may come as
a surprise even to him. Under Common Law, there is no criminal liability for harm caused by
one’s inadvertent or unintended and unforeseen conduct.13
Mens rea in internet crimes
An essential ingredient for determining mens rea in internet crime, on the part of the offender is
that he or she must have been aware at the time of causing the computer to perform the function
that the access intended to be secured was unauthorized. There must be, on the part of the
hacker, intention to secure access, though this intention can be directed at any computer and not
at a particular computer. Thus, the hackerneed not be aware of which computer exactly he or she
was attacking.14 Further, this intention to secure access also need not be directed at any
particular or particular kind of, programme or data. It is enough that the hacker intended to
secure access to programmes or data per se.15
13 Professor Kenny gives the example of manslaughter cases where it has been laid down time and again that harm caused inadvertently does not carry criminal liability. Thus, he concludes that there are only two states of mind, which constitute mens rea in criminal law, namely, intention and recklessness. Under Law of Torts harm caused by negligence is interpreted differently. The courts have evolved the concept of “the reasonable man” for determining liability in tort law. Thus, a person might be liable for harm caused by his negligence if the consequences of his conduct were foreseeable by a reasonable man in possession of all ordinary faculties and placed in the same circumstances. However, if the consequences were not foreseeable by such reasonable man, then the person would not be guilty for the unintended consequences of his negligent act.14 This suits the prosecution in matters relating to unauthorized access on the internet, because it is often complicated to prove that a person intended to login to a particular computer.15 Gringras,(1997)Supra note 10 at 221
Thus, there are two vital ingredients for mens rea for hackers or crackers who gain unauthorized
access to the system:
There must be unauthorized access intended to be secured;
The hacker should have been aware of the same at the time he or she tried to secure the
access.
The second ingredient is easier to prove if the accused hacker is a person from outside who has
no authority whatsoever to access the data stored in the computer or the computers; however, it
is difficult to prove the same in the case of a hacker with limited authority.16
On deeper analysis one finds that our obsolete and primitive civil and criminal statutes of the
Common Law vintage have somehow been made to subverse the ends of the present day Indian
society primarily through judicial innovation and ingenuity. Needless to add that such statutes
are overdue for a total review and replacement. The nature of cyber crimes and the skills
involved are such that existing legal framework cannot do much to control and contain the same.
In fact, the cyberspace technology has undermined to a major extent the traditional legal
concepts like property and has impacted the rules of evidence like burden of proof, locus standi
and concepts of ‘mens rea’.
Cybercrimes have set in a debate as to whether a new legislation is needed to deal with them or
existing legal regime is flexible enough to effectively deals with this new form of criminality.
Generally the countries that have shown concern to combat cybercrimes have adopted two
strategies, i.e., to approach computer crime both as traditional crime committed by/on high tech
computers and as crime unique in nature requiring new legal framework.17
16 A common example of this is where the accused hacker is an employee of a company and is accused of using the companies Intranet outside their authority. The problem arises in such a case of a person who is entitled to limited access but not access of the kind in question i.e. he is exceeding the limits of his authority. The question to be asked here is whether the person knew that he was unauthorized in that sense. The question of fact as to whether the hacker knew the limits of authority is often a finely balanced one. The difficulty with partial authority raises an issue of relevance for server operators also. 17 In America 31 States have passed new legislations to deal with computer related crimes whereas others have amended the definitions of Larceny to include electronic media. See Michael D. Rostorker et al. “Computer Jurisprudence, Legal Response to the Information Revolution”,
DEFINITION OF CYBERCRIMES
Cybercrime has recently become a catchy term for a group of security issues in cyberspace.
However, despite its frequent use there is no commonly accepted definition. Surely, cybercrime
is related to the realm of computers, however, there is no consensus on whether those computers
have to be interconnected or not. Some definitions exclude explicitly computer related crimes
that are not committed online, as they view cybercrime in the narrow sense, while others prefer
broader definitions including all kinds of computer related offenses. However, it is evident that
most computer crimes are committed online. The UN Manual on the prevention and control of
computer-related crime provides the following definition of cybercrime: Computer crime can
involve activities that are traditional in nature, such as theft, fraud, forgery and mischief, all of
which are generally subject everywhere to criminal sanctions. The computer has also created a
host of potentially new misuses or abuses that may, or should be criminal as well (UN 1994, par.
22).18
In July 1996, the UK National Criminal Intelligence Service launched a study of computer crime
called Project Trawler. In the study the terms computer crime, information technology crime and
cybercrime are interchangeable. Project Trawler defines computer crime as follows: An offence
in which a computer network is directly and significantly instrumental in the commission of the
crime. Computer interconnectivity is the essential characteristic (UKNCIS).19
According to UNO expert recommendations, the term of “cybercrimes” covers any crime
committed by using computer systems or networks, within their frameworks or against them.
Theoretically, it embraces any crime that can be committed in the electronic environment. In
(1986) at 344 In India also, the Indian Penal Code has been amended to cover computer related crimes and some such offences have been separately covered under the IT Act, 2000. See also, British Computer Misuse Act, 1990, Singapore Computer Misuse Act, 1993 (as amended 1998), Malaysian Computer Crimes Act, 1997.18<http://www.uncjin.org/Documents/irpc4344.pdf>19<http://www.ncis.co.uk/newpage1.htm>
other words, crimes committed by using e-computers against information processed and applied
in the internet can be referred to cybercrimes.
Cyber or Computer crimes are white-collar crimes and are committed by students, non-
professional computer programmers, business rivals, individuals having vested interest and
criminals. To define such a crime, one has to utter these three points:
When a computer is used in committing such a crime.
When computer technology is responsible for the wrongful loss and wrongful gain of two
individuals in a single transaction.
When any person commits an of the following acts, he is guilty of a computer crime:
- Knowingly or intentionally accesses and without permission alters, damages, deletes,
destroys, or otherwise uses any data, computer database, computer, computer system,
or computer network in order to-
(i) Devise or execute any unlawful scheme
(ii) Devise to defraud, deceive, or extort, or
(iii) Wrongfully control or obtain money, property, or data.
- Knowingly or intentionally accesses and without permission takes, copies, or makes
use of any data or computer database from a computer, computer system, or computer
network, or takes or copies any supporting documentation, whether existing or
residing internal or external to a computer, computer system, or computer network.
- Knowingly or intentionally accesses and without permission adds, alters, damages,
deletes, destroys any data, computer software, computer programs or computer
database which reside or exist internal or external to a computer, computer system, or
computer network.
- Knowingly or intentionally accesses and without permission disrupts or causes the
disruption of computer services or denies or causes the denial of computer services to
an authorized user of a computer, computer system, or computer network.
- Knowingly or intentionally accesses and without permission provides or assists in
providing a means of accessing a computer, computer system, or computer network.
- Knowingly or intentionally accesses and with the intent to defraud, obtains, or
attempts to obtain, or aids or abets another in obtaining, any commercial computer
service by false representation, false statement, unauthorized charging to the account
of another, by installing or tampering with any facilities or equipment or by any other
means.
- Knowingly or intentionally accesses and without permission accesses or causes to be
accessed any computer, computer system, or computer network.
- Knowingly or intentionally introduces or allows the introduction of any computer
contaminant or computer virus into any computer, computer system, or computer
network.20
CLASSIFICATIONS OF CYBERCRIMES: DIFFERENT BASIS
The internet with its speed and global access has made these crimes much easier, efficient, risk-
free, cheap and profitable to commit. New crimes created with the internet itself or for
commission of old crimes or incidental for commission of crime.21 Broadly stated, ‘cybercrime’
can be said to be an act of commission or omission, committed on or through or with the
help of or connected with, the internet, whether directly or indirectly, which is prohibited
by any law and for which punishment, monetary and/or corporal, is provided
20 Suresh T. Viswanathan,(2001), “The Indian Cyber laws”, at 81-83 21 Vivek Sood,(2001), “Cyber Law Simplified” at 39
A) Internet crime: The internet crimes include that group of crimes that make criminal use of
the internet infrastructure. These are:
Hacking
(a) Theft of information
(b) Theft of passwords
(c) Theft of credit cards numbers
(d) Launch of malicious programmes
Espionage
Spamming
B) Web based crime: Web based crimes have been categorized separately and have been further
classified separately and have been further classified into four subcategories.
(a) Web site related crime
Cheating and frauds
Insurance frauds
Gambling
Distribution of pornography
Sale of pirated software
(b) Crimes through e-mail
Threats
Extrotion
E-mail bombing
Defamation
Launching of malicious programmes
(c) Usenet related crime
Distribution/sale of pornography material
Distribution/sale of pirated software
Discussion on methods of jacking
Sale of stolen credit card numbers
Sale of stolen data
(d) Internet relay chat crime
Cyberstalking
Fraudsters use chat rooms for developing relations with unsuspecting victims
Criminals use it for meeting conspirators
Hackers use it for discussing their expertise of showing the techniques
Pedophiles use chat rooms to allure small children.22
Offences against the confidentiality, integrity and availability of computer data and
systems
(a) Illegal access
(b) Illegal interception
(c) Data interference
(d) System interference
(e) Illegal devices
Offences related to computer
(a) Computer-related forgery
(b) Computer-related fraud
(c) Computer sabotage22 Subhas P. Rathore and Bharat B. Das,(2001) “Cyber Crimes: The emerging trends and Challenges, Souvenir, National Conference on Cyberlaws and Legal Education”, NALSAR University of Law, at 56-57
(d) Cyberstalking
Offences related to contents
(a) Offences related to child pornography
(b) Offences related to infringements of copyright and related rights
Offences related to crime on web
(a) Computer network break-ins
(b) Industrial espionage
(c) Software piracy
(d) Cyber pornography
(e) Mail bombings
(f) Password sniffers
(g) Spoofing
(h) Credit card fraud
(i) Cybersquatting
CIVIL LIABILITY OR CRIMINAL LIABILITY IN CYBERCRIMES
The civil offences in Indian law impose only a liability for compensation to the person, who has
suffered, while the criminal offences may be punished with imprisonment and fine payable to the
State. There are crimes, which as come under both civil wrong and criminal offences so called
as hybrids. Various cyber crimes are there, which are mainly categorized into two broad ways:
Civil Liability: Civil liability provides remedy for compensation only which includes following
crimes, viz;
Defamation
Cybersquatting
Internet time theft
Copyright theft
Design theft
Patent theft
Software piracy
Spamming
Criminal wrong: Criminal liability provides remedy of punishment to offenders as well as
compensation to victims;
Cyberstalking
Cyber pornography/Child pornography
Sending threatening emails
Hacking
Cracking
Sending malicious programmes
Denial of service attack
Network sabotage
Sending virus and worms
Sending logic bombs, trojan horse, virus hoax
Cyber terrorism/Cyber warfare
Cyber frauds
Cyber gambling
Cyber cheating
Forgery
Cyber money laundering
Credit card frauds
Information theft
Data theft
OBJECTIVES OF INFORMATION TECHNOLOGY ACT, 2000
The objectives of The Information Technology Act, 2000 are defined as:
“To provide legal recognition for transactions carried out by means of electronic data
interchange and other means of electronic communication, commonly referred to as “electronic
commerce”, which involve the use of alternatives to paper-based methods of communication and
storage of information, to facilitate electronic filing of documents with the Government agencies
and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers’ Books
Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for matters connected
therewith or incidental thereto.”
In other words, the objectives are:-
To grant legal recognition for transactions carried out by means of electronic data
interchange and other means of electronic communication, commonly referred to as
“electronic commerce”, in place of paper-based methods of communication;
To give legal recognition to Digital Signature for authentication of any information or
matter which requires authentication under any law;
To facilitate electronic filing of documents with Government departments;
To facilitate electronic storage of data;
To facilitate and give legal sanction to electronic fund transfers between banks and
financial institutions;
To give legal recognition for keeping books of account by Bankers in electronic form.
The first 17 sections of the Act are largely based on Model Law on Electronic Commerce
adopted by United Nations Commission on International Trade Law. It contains 94 clauses
divided into XIII chapters. It has 4 schedules, Schedule I seeks to amend the Indian Penal Code;
Schedule II seeks to amend the Indian Evidence Act; Schedule III seeks to amend the Bankers’
Book Evidence Act; and Schedule IV seeks to amend the Reserve Bank of India Act.
Towards that end, the Act stipulates numerous provisions. It aims to provide for a legal
framework so that legal sanctity is accorded to all electronic records and other activities carried
out by electronic means.
SALIENT FEATURES OF THE INFORMATION TECHNOLOGY ACT, 2000
The Act has defined cybercrimes for the first time and provided for penalties, punishment and
compensation for hacking, unauthorised access to computer networks, altering database,
introducing computer viruses, disruption of services, copying of Intellectual Property Rights
(IPR) protected software, tampering with electronic documents and committing electronic
forgery. The IT Act has a provision of penalties up to Rs. 1 crore for damaging computer
systems and three-year jail term with a fine of Rs. 2 lakhs for hackers. But these penalties don’t
mean much if the existing police investigating officers, forensic scientists, and the judiciary are
not familiar with the intricacies of the internet. The Act covers a totally uncharted field with no
past experience even in other countries. Accordingly, future modifications, based on experience,
are not ruled out.
The salient features of the IT Act 2000 are as follows:
Provides legal recognition to e-commerce, which means that contracts can be enforced.
Records can be kept in an electronic form. Written records also mean electronic records
for the purposes of law.
Provides legal recognition for digital signatures. Digital signatures to be authenticated by
Certifying Authorities. Certifying Authorities to be overseen by a Controller of
Certifying Authorities.
Cyber crimes defined for the first time.
Adjudicating authorities to decide if cyber crimes have been committed. Also provide
cyber regulation advisory committee.23
The Information Technology Rules, 2000 provides The Information Technology
(Certifying Authorities) Rules, 2000 and The Cyber Regulations Appellate Tribunal
(Procedure) Rules, 2000.24
Cyber Law Appellate Tribunal25 to be set up to hear appeals against adjudicating
authorities.
Amendment of Indian Penal Code (1860), Indian Evidence Act (1872), Bankers’ Book
Evidence Act (1891) and the Reserve Bank of India Act (1934)26 to bring them in tune
with the information technology regime.
The Information Technology (Certifying Authorities) Rules, 200027 also stipulate the
Information Technology Security Guidelines in Schedule II.28
Also provide security guidelines29 for the management and operation of Certifying
Authorities (CAs) and is aimed at protecting the integrity, confidentiality and availability
of their services, data and systems.
23 See also Cyber Regulation Advisory Committee 24 See also The Information Technology Rules, 2000 25 See also Cyber Regulations Appellate Tribunal (Procedure) Rules, 200026 See also Schedules to the Information Technology Act, 2000 27 See also The Information Technology (Certifying Authorities) Rules, 200028 See also Information Technology (IT) Security Guidelines 29See also Security Guidelines for Certifying Authorities
The Act has paved the way for an exponential growth of e-commerce and other internet enabled
services like e-trading, e-shopping and e-banking. The provisions of the Act do not apply to a
negotiable instrument, a power of attorney, a trust, a will, and any contract for the sale or
conveyance of immovable property, or any interest in such property. It is significant that it
applies to any offence or contravention committed outside India by any person (irrespective of
his nationality), if it involves a computer, computer system, or computer network located in
India. It excludes network service providers from its ambit for any third party information (that
is, any information dealt with by them in their capacity as intermediaries) or data made available
by them, if they prove that the offence was committed without their knowledge, and they had
taken all precautions to prevent such commission. However, more explicitly, various computer
crimes that are not yet defined in the Act may be taken up to deal with the rapid technological
changes that would be taking place in future.
The Information Technology Act 2000 being India’s first cyber law is the central legislation,
which has been passed by the Parliament of India. Interestingly, it applies not only to the whole
of India including the State of Jammu & Kashmir but also applies to any contravention or
violation committed thereunder by any person anywhere in the world. State Governments have
also been given the powers to enact appropriate rules in the field of Information Technology. In
fact, Section 90 of the IT Act categorically states that the State Government may, by notification
in the official gazette, make rules to carry out the provisions of the Information Technology Act.
The rules to be made by the State Governments may include the electronic forms through which
common man communicates with the Government Departments or the format in which electronic
records shall be filed, created or issued and the manner of payment of any fee or charges for
filing, creation or issue of any electronic record. The State governments have appropriate
powers to legislate rules there under, apart from having powers to legislate on various steps
enumerated in the State List, which is detailed in the Constitution of India. Of course, it is
imperative to note that every rule made by the State Government under Section 90 of the IT Act
shall immediately be laid before each House of the State legislature for approval.30
In its resent form, the Act, therefore, not only recognizes the usefulness of e-commerce and
provide the necessary safeguards for the transactions by creating a necessary legal framework
but it also makes consequential amendments in the Indian Penal Code, Indian Evidence Act,
Reserve Bank of India Act and Bankers Book of Evidence Act, so that the offences relating to
documents and papers based transactions is made equal to the offences in respect of the
transactions carried out through the electronic media and further to facilitate electronic funds
transfer between the financial institutions and banks, and also to give legal sanctity to books of
accounts maintained in the electronic form by the banks.31
JURISDICTION- THE CONCEPT
The effectiveness of a judicial system rests on core of regulations, which define every aspect of a
system’s functioning; and principally, its jurisdiction. A court must have jurisdiction, venue and
appropriate service of process in order to hear a case and render an effective judgement.
Jurisdiction is the power of a court to hear and determine a case. Without jurisdiction, a court’s
judgement is ineffective and impotent. Such jurisdiction is essentially of two types, namely
subject matter jurisdiction and personal jurisdiction. Subject matter jurisdiction is defined as the
competence of the court to hear and determine a particular category of cases. It requires
determination whether a claim is actionable in the court where the case is filed and personal
jurisdiction is simply the competence of the court to determine a case against a particular
30 Pavan Duggal,(2002), “CyberLaw- The Indian Perspective”, at 1-5 31 U.K. Chaudhary,Jan 2001 , “Information Technology Act, 2000: A step in the right direction”, CS vol. 31 at 30-31
category whether the person is subject to the court in which the case is filed. These two
jurisdictions must be conjunctively satisfied for a judgement to take effect. It is the presence of
jurisdiction that ensures the power of enforcement to a court and in the absence of such power,
the verdict of a court, is of little or no use.32
INDIAN CONTEXT
The Information Technology Act, 2000 passed in India, is illustrative of the prevailing confusion
in the area of jurisdiction in the context of the internet. Section 1 of the Information Technology
Act, 2000, deals with the issue of applicability of this new law. Normally, the applicability of
laws within India can be broadly divided into the following major categories:
1. Laws applicable to all states of India barring Jammu & Kashmir.
2. Laws applicable only to Jammu & Kashmir.
3. Laws applicable to the entire country.
Jammu & Kashmir has been granted a special status under the Constitution of India and special
laws are applicable to that state. Keeping in mind the universal nature of the impact of computers
and Internet, the legislature has decided that the IT Act 2000 shall be applicable to the whole of
India including Jammu & Kashmir.
The Act begins by saying, in clause (2) to section 1, that it shall extend to the whole of India and,
save as otherwise provided in the Act, it applies also to any offence or contravention thereunder
committed outside India by any person. Clause (2) of section 75 of the Act simply states that,
“… this Act shall apply to an offence or contravention committed outside India by any person if
the act or conduct constituting the offence or contravention involves a computer, computer
32 Nandan Kamath,(2000) “Law Relating to Computers internet & E-Commerce : A guide to Cyber Laws & the IT Act,2000 with Rules & Regulations” at 20
system or computer network located in India”. Provisions of this nature are unlikely to be
effective for a number of reasons.
Firstly, it is unfair to suggest that the moment an Indian computer system is used, an action
defined by Indian laws as an “offence” would be subject to jurisdiction of Indian courts. To
illustrate, let us consider a web site located in a foreign country. The site may host content that
would be perfectly legal in its home country, but may be considered offensive or illegal in India.
If an Indian chooses to view this site on a computer situated in India, does that mean the site can
be prosecuted in an Indian courts? This would appear to violate principles of justice. As
explained earlier, the judicial trend of examining the amount of activity that a site undertakes in a
particular jurisdiction is a far more equitable method to determine jurisdiction. Further, even if
Indian Courts are to claim jurisdiction and pass judgements on the basis of the principle
expostulated by the IT Act, it is unlikely that foreign Courts will enforce these judgements since
they would not accept the principles utilized by the Act as adequate to grant Indian courts
jurisdiction. This would also render the Act ineffective.
The Indian jurisprudence with regard to jurisdiction over the internet is almost non-existent. In
the first place, as the result of the strongly unitary model of government prevalent in India,
interstate disputes never assume the level of private international law. Hence, there has been
precious little by way of development of private international law rules in India. Furthermore,
there have been few cases in the Indian courts where the need for the Indian courts to assume
jurisdiction over a foreign subject has arisen. Such jurisprudential development would however,
become essential in the future, as the internet sets out to shrink borders and merge geographical
and territorial restrictions on jurisdiction. It is worthwhile to consider the issue of jurisdiction at
two levels. In the first place, given the manner in which foreign courts assume jurisdiction over
the internet related issues (as evidenced by the cases discussed above), the consequences of a
decree passed by a foreign court against an Indian citizen must be examined. In other words,
under what circumstance can the decision of a foreign court be enforced against an Indian citizen
or a person resident in India? It is necessary to examine the circumstance under which the Indian
courts would assume jurisdiction over foreign citizens in order to better understand the rights of
an Indian citizen who is affected by the act of a foreign citizen.
CYBERJURISDICTION IN INFORMATION TECHNOLOGY ACT, 2000
However, the law has gone much further. It shall also apply to any violation or contravention of
the provisions of this Act done by any person anywhere in the world. By means of this provision,
the law is assuming jurisdiction over violators of The Information Technology Act, 2000 outside
the territorial boundaries of India. This provision is explained perhaps by the unique nature of
cyberspace, which knows no boundaries. The Information Technology Act, 2000 specifically
provides that unless otherwise provided in the Act, the Act also applies to any offence or
contravention thereunder committed outside India by any person irrespective of his nationality.33
It is however clarified that the Act shall apply to an offence or contravention committed outside
India by any person if the act or conduct constituting the offence or contravention, involves a
computer, computer system or computer network, located in India.34 The words “act or conduct
constituting the offence or contravention involves a computer, computer system or computer
network located in India” are very significant to determine jurisdiction ofthe IT Act over acts
committed outside India. For assuming jurisdiction over an act constituting an offence or
contravention under the IT Act, which is committed outside India, it has to be proved that the 33 Sec. 1(2) of IT Act, 200034 Sec. 75 of IT Act, 2000
said act involves a computer, computer system or computer network located in India. For
instance, where a website is created in the US which contains pornographic material, it shall not
give the IT Act jurisdiction to question the site unless the creation or maintenance or running
ofthe site involves a computer, computer system or computer network located in India. But
where the said website uses a server or any other computer network located in India, the IT Act
would assume jurisdiction to question the website under section 67 of the IT Act. Another
instance to explain the jurisdiction of the IT Act is where a person from the US hacks a computer
system or network in India, section 66 of the IT Act would come into play to punish the accused
for hacking because his act involves a computer in India. Similarly, where a person anywhere in
the world plants a virus into a computer system located in India, he would be liable under section
43(c) of the IT Act to pay damages by way of compensation net exceeding Rs 1 crore to the
victim.
Section 75 of the IT Act is restricted only to those offences or contraventions provided therein
and not to other offences under other laws such as the Indian Penal Code, 1860. Jurisdiction
over other cyber crimes, for instance under the Indian Penal Code, 1860, has to be determined by
the provisions of the Criminal Procedure Code, 1973. The fundamental principle on jurisdiction
is the same under the IT Act35 and the Criminal Procedure Code, 1973, though stated differently.
The basic legal principle of jurisdiction under the Code of Criminal Procedure, 1973 is that every
offence shall ordinarily be inquired into and tried by a court within whose local jurisdiction it
was committed.36 These principles in the Code of Criminal Procedure, 1973 apply for
determining jurisdiction in trial by courts as well as in investigation by the police. In a case
where an offence is committed in more places than one, or partly in one place and partly in
35 Sec. 1(2) r/w Sec 75 of IT Act, 200036 Sec. 177 of Cr.P.C., 1973
another, or where it is continuing and continues to be committed in more than one local area, or
where the offence consists of several acts done in different local areas, then it may be inquired
into or tried by a court having jurisdiction over either of such areas.37 In the event where it is
uncertain in which of several areas the offence was committed, again it may be inquired into or
tried by a court having jurisdiction over either of such areas of uncertainty.38
In a case where an act is an offence by reason of anything, which has been done and of a
consequence, which has ensued, the offence may be inquired into or tried by a court within
whose local jurisdiction such act has been done or such consequence has ensued.39 For instance,
in a case of defamation, either of the courts, i.e. of the place from where the defamatory letter
was e-mailed and the place at which it was published or received, if different, shall have
jurisdiction to inquire and try the same. To cite another instance; where in pursuance of misrep-
resentation by A through e-mail from place X, property was delivered at place Y, A can be tried
for the offence of cheating either at place X or Y. In a case where a person in Bombay does an
act of hacking of a computer system located in Delhi, he may be tried either in Bombay or Delhi.
In a case where an act is an offence by reason of its relation to any other act which is also an
offence or which would be an offence if the doer was capable of committing an offence, the first
mentioned offence may be inquired into or tried by a court within whose local jurisdiction either
of the acts was done. For instance, in a case of manufacture of sub-standard fertilizer in place X,
which is marketed through e-commerce at place Y, prosecution can be launched at either of the
said places because the marketing of the sub-standard fertilizer is an offence by reason of sub-
standard manufacture.
37 Sec. 178 of Cr.P.C., 197338 Sec. 178(a) of Cr.P.C., 197339 Sec. 179 of Cr.P.C., 1973
Certain specified offences have been required by law to be inquired into or tried in certain
places.40 For instance, an offence of criminal misappropriation or of criminal breach of trust,
may be inquired into or tried by a court within whose local jurisdiction the offence was
committed or any part of the property which is the subject of the offence was received or
retained or was required to be returned or accounted for, by the accused person.41 For example,
if an employee of a company based at Delhi, by operating through the internet bank account of
his employer company in a Bombay bank, transfers funds to his account at Calcutta, the case of
misappropriation can be tried either at Delhi or Bombay where the offence was partially
committed or at Calcutta where the money was received and retained.
The law also provides that in the case of any offence which includes cheating, if the deception is
practiced by means of letters or telecommunication messages, it may be inquired into or tried by
any court within whose jurisdiction such letters or messages were sent or where the same were
received.42 Moreover, any offence of cheating and dishonestly inducing delivery of property
may be inquired into or tried by a court having jurisdiction on the place where the property was
delivered by the person deceived or where it was received by the accused person.43
In a case where two or more courts take cognizance of the same offence and a question arises as
to which of the courts has jurisdiction to inquire into or try that offence, this question shall be
decided by the High Court, under whose jurisdiction both such courts function.44 However, if the
courts are not subordinate to the same High Court, the question of jurisdiction shall be decided
by the High Court within whose appellate criminal jurisdiction the proceedings were first
commenced.45 In such circumstances, all other proceedings with respect to that offence shall be
40 Sec. 180 of Cr.P.C., 197341 Sec. 181 of Cr.P.C., 197342 Sec. 182 of Cr.P.C., 197343 Sec. 182 of Cr.P.C., 197344 Sec. 186 (a) of Cr.P.C., 197345 Sec. 186 (b) of Cr.P.C., 1973
discontinued. Where two or more courts have jurisdiction over an offence, the choice of the
court for institution of the case lies with the complainant. He will obviously choose the forum,
which is most convenient for him and most inconvenient for the accused.
The law of jurisdiction stated in the Criminal Procedure Code, 1973 and section 75 of the IT Act,
2000, as discussed herein, is clear, specific and covers different situations which are likely to
generally arise in cyber crime cases. The internet by its nature and purpose operates when the
parties interacting or transacting are not physically face to face with one another. Due to the
global access of the internet, cyber crimes generally tend to transcend or disregard geographical
boundaries. These factors imply that in most cases of cyber crime, except where insiders are
involved, there would be two or more places, one from where the cyber criminal inflicts the
injury-for instance hacks, and the place where the injury is inflicted-for instance at the location
of the victim computer, which is hacked. This is in contrast to traditional crimes of rape, murder
and kidnapping where the criminal and the victim are at the same place. Moreover, every
criminal makes all possible attempts to conceal his identity and place of operation. Alibi is a
common defence in criminal matters. This basic tendency of a criminal coupled with the permis-
sible anonymity provided by the internet makes the cyber criminal almost invisible. Thus, in
terms of practical application of the law of jurisdiction over cyber crimes, in most cases, the
place of jurisdiction shall be where the victim is inflicted with the injury, whether personally, for
instance by fraud, or on his computer, computer system or computer network.
There is a valid point in the criticism that such a law assuming extra territorial jurisdiction passed
by the legislature is not enforceable in the real world. It is contrary to the principles of
international law to assume jurisdiction over citizens of another country, and so, it is likely to
lead to conflict of jurisdiction of different courts situated in different national jurisdictions. Also
it is important to note that there are differences between national legislations, laws, legal
processes and procedures.
Further compounding the problem is the issue that a particular act in one national jurisdiction is
legal and not barred by law but the same activity is illegal and barred by law, prevailing in
another national jurisdiction. Another ground of criticism has been that Section 1 does not lay
down the parameters of how such a provision would be enforceable in practical terms across
transnational boundaries and jurisdictions. Governments can take recourse to the extradition
process to bring to book the cyber criminals outside the territorial jurisdiction of their country,
provided there is a valid extradition treaty in place between the relevant countries. But the route,
as stipulated in Section 1 of the IT Act, 2000 is likely to throw up a complex arena of difficulties
in actual day-to-day implementation.
The existing international law pertaining to sovereignty of a nation also details that a sovereign
notion can make laws affecting people who reside within its territorial boundaries. However, the
birth of Internet has seen geography become history and transactions taking place over networks
are transnational in nature, thereby complicating the entire issue of jurisdiction. This becomes
all the more evident from the emerging principles from various judgments relating to Jurisdiction
over Internet. From the beginning of Internet, the issue of jurisdiction has continued to challenge
legal minds, societies and nations in the context of the peculiarly inherent character of the
Internet. Section 1(2) and Section 75 of the IT Act, 2000 provide for extra-territorial jurisdiction
of the Indian courts, which, however, seem implausible to be implemented. The courts in India
at present have not been uniform in following the US trend of asserting jurisdiction on the basis
of active accessibility of site. So far, in various Internet domain names related cases, the Delhi
High Court has assumed jurisdiction merely on the basis of accessibility of Internet.
In the famous Yahoo! France case entitled Yahoo! Inc. v. La Ligue Contre Le Racisme et L
‘Antisemitisme46, the judicial thinking on jurisdiction got further refined. This judgment has far
reaching significance and consequences on the entire subject of jurisdiction. Till now, the courts
anywhere in the world could assume and were assuming jurisdiction on Internet transactions and
websites that were located outside the country.
This decision underlines the principle that even if a foreign court passes a judgment or direction
against a legal entity of a particular country say country A, then that judgment or direction would
not be applicable automatically to country A’s legal entities or citizens. The decision or direction
of the foreign court will need to be scrutinized by country A’s courts keeping in mind the touch
stone and basic principles enshrined in the Constitution of the country as also enshrined in the
local laws of that country, before it can be enforceable in country A.
It is evident that the courts are looking into the totality of the circumstances when determining
whether to exercise jurisdiction over individuals involved in Internet related activities. However,
the coming of the Zippo case in the US changed the legal principles concerning assuming of
jurisdiction. In this case, the American Court decided that there must be “something more” than
mere Internet access in order to enable the court to assume jurisdiction. It is yet to be seen how
the Indian approach on jurisdiction emerges with the coming of the IT Act, specially Section 1
(2) and Section 75 (1) of its provisions, which specifically provides for its extraterritorial
jurisdiction. This extraterritorial jurisdiction all across the world can be exercised if the offence
or contravention of the IT Act concerns or impacts or affects a computer, computer system or
computer network which is located in India. In practical terms, such an extraterritorial
jurisdiction can hardly be enforced given the present growth and context of international Law,
Cyber law and cyber space.
46 2001 U.s. Dist. LEXIS 18378 (N.D. Cal. 2001) & 145 F. Supp. 2d 1168 (N.D.Cal. 2001)
As per sub-section (3) of Section 1, the Information Technology Act, 2000 shall came into force
on such date as the Central Government may by notification appoint. The Central Government
issued a notification on 17th October 2000 bringing into force The Information Technology Act,
2000.
POSITIVE ASPECTS OF THE INFORMATION TECHNOLOGY ACT, 2000
The Information Technology Act, 2000 is a laudable effort to create the necessary legal
infrastructure for promotion and growth of electronic commerce. Prior to the coming into effect
of the IT Act, 2000, the judiciary in India was reluctant to accept electronic records and
communications as evidence. Even email was not accepted under the prevailing statutes of India
as an accepted legal form of communication and as evidence in a court of law. The IT Act, 2000
changed this scenario by legal recognition of the electronic format. Indeed, the IT Act, 2000 is a
step forward.
From the perspective of the corporate sector, the IT Act 2000 and its provisions contain the
following positive aspects:
1. The implications of these provisions for the corporate sector are that email is now be a
valid and legal form of communication in our country, which can be duly produced and
proved in a court of law. The corporates today thrive on email, not only as the form of
communication with entities outside the company but also as an indispensable tool for
intra company communication. Corporates ought to understand that they shall need to be
more careful while writing emails, whether outside the company or within, as emails, in
whatever language, could be proved as a legal document in a court of law, sometimes to
the detriment of the company. Even intra company notes and memos, till now used only
for official purposes, shall come within the ambit of the IT Act, 2000 and will be
admissible as evidence in a court of law. A lot would of course depend upon how these
emails are proved in a court of law.
2. Companies shall be able to carry out electronic commerce using the legal infrastructure
provided by the IT Act, 2000. Till the coming into effect of the Indian cyberlaw, the
growth of electronic commerce was impeded in our country basically because there was
no legal infrastructure to regulate commercial transactions online.
3. Corporate will now be able to use digital signatures to carry out their transactions online
as legal validity and sanction given under the IT Act, 2000.
4. The IT Act, 2000 also throws open the doors for the entry of corporate in the business of
being Certifying Authorities for issuing Digital Signature Certificates. The law does not
make any distinction between any legal entity for being appointed as a Certifying
Authority so long as the norms stipulated by the IT Act, 2000, rules and regulations made
thereunder have been followed.
5. The Act also enables the companies to file any form, application or any other document
with any office, authority, body or agency owned or controlled by the appropriate
government in the electronic form as may be prescribed by the appropriate government,
thereby saving costs, time and wastage of precious manpower.
6. Corporate is mandated by different laws of the country, to keep and retain, valuable and
corporate information. The IT Act, 2000 enables companies legally to retain the
information in the electronic form, if
the information contained therein remains accessible so as to be usable for a
subsequent reference;
the electronic record is retained in the format in which it was originally generated,
sent or received or in a format, which can be demonstrated to represent accurately
the information originally generated, sent or received;
the details, which will facilitate the identification of the origin, destination, date
and time of despatch or receipt of such electronic record, are available in the
electronic record.
7. The IT Act, 2000 addresses important issues of security, which are so critical to the
success of electronic transactions. The Act has given legal definition to the concept of
secure digital signatures, which would be required to have been passed through a system
of a security procedure, as agreed to by the parties concerned. In times to come, secure
digital signatures shall playa major role in the New Economy, particularly from the
perspective of the corporate sector, as they will enable more secure transactions online.
GREY AREAS OF THE INFORMATION TECHNOLOGY ACT, 2000
1.The IT Act, 2000 purports to be applicable to not only the whole of India but also to any
offence or contravention thereunder committed outside India by any person. This provision in
Section 1 (2) is not clearly drafted. It is not clear as to how and in what particular manner, the
Act shall apply to any offence or contravention thereunder committed outside India by any
person.
2. There is no logic in excluding negotiable instruments from the applicability of the IT Act,
2000. The net effect of this exclusion is that any dispute regarding payments, received by means
of any negotiable instruments for an e-commerce transaction, are excluded from the protection of
the IT Act, 2000. It refers to promoting electronic commerce and begins by excluding
immovable property from the ambit of electronic commerce, a reasoning that defies logic.
3. The IT Act, 2000 has failed to legalize electronic fund transfer in the country. The IT Act,
2000 does not recognize the concept of electronic payments, digital cash, electronic cash,
electronic money or other existing systems of electronic payments.
4. Domain names have not been defined and the rights and liabilities of domain name owners do
not find any mention in the law .
5. The IT Act, 2000 does not deal with any issues concerning the protection of Intellectual
Property Rights.
6. The language of Section 40 of the IT Act, 2000. Section 40 provides for generating key pairs
in Chapter VIII dealing with the duties of subscribers. It states that where any Digital Signature
Certificate, the public key of which corresponds to the private key of the subscriber, which is to
be listed in the Digital Signature Certificate, has been accepted by a subscriber, then, the
subscriber shall generate the key pair by applying the security procedure. The entire wording of
Section 40 is faulty and has been shown in such a way as to denote that the acceptance of the
Digital Signature Certificate precedes the generation of key pair by the subscriber.
7. IT Act, 2000 covers only a limited number of cyber crimes such as damage to computer
source code, hacking, publishing obscene electronic information, breach of protected systems,
publishing Digital Signature Certificates false in certain particulars or for fraudulent purposes.
Barring these offences, no other cyber crimes are covered under the IT Act. The IT Act 2000
does not cover various cybercrimes including cyber stalking, cyber harassment, cyber
defamation, cyber terrorism, spamming, cyber fraud, cyber gambling, Theft of internet hours,
Cyber theft, Cyber Cheating, Cyberventing, Credit Card Fraud, Cyber Forgery, Identity Fraud,
E-mail Spoofing, Credit Card Fraud, Chat room abuse, Cyber Money Laundering, Password
Sniffing, Spamming, Electronic Evesdropping, Child Pornography, Mail Bombing, E-mail
Scams, etc.
8. The IT Act, 2000 is silent on covering all kinds of offences dealing with abuses of chat rooms.
9. The IT Act, 2000 is that it is silent on the issue of online credit card payments, misuse and
misappropriation of credit card numbers online.
10. The IT Act, 2000 is completely silent about the bailability or otherwise of the offences
prescribed in Chapter XI. There is no categorical mention at any point in Chapter XI from
Section 65 till Section 78 as to whether the offences prescribed under the sections are bailable or
not.
11. The Information Technology Act, 2000 has not tackled several vital issues pertaining to e-
commerce sphere like privacy and content regulation to name a few. Privacy issues have not
been touched at all. The right to privacy is recognized as a fundamental right under Article 21 of
the Constitution.
CHALLENGES OF CYBER CRIME IN INDIA
Cyber crime in India is no longer an illusion. The situation could go out of hand if computer
users, both in the government and the private sector, do not sit up and brace themselves to the
challenge. For the police, the temptation especially to view attacks on computer systems, as just
another form of crime is great. Three aspects of cyber crime deserve focused attention. These
are:
the legal safeguards that are available;
the adequacy of training of prosecutors and the judiciary; and
the nature of links forged by the Indian police with foreign law enforcement agencies so
that cooperation in matters of investigation and training is readily forthcoming.
Cyber crime does not recognise national borders. More than 30 countries have separate laws in
their statute book to check this menace. This Act is solely meant to quell cyber crime. It is a
piece of legislation intended mainly to lend legal recognition to e-commerce. It is also meant to
facilitate electronic filing of documents with the government agencies. The Indian Penal Code is
so well drafted that offences not listed in the IT Act right now can still be tackled through it, till
such time we are convinced that the IT Act needs to be recast in order to cope with the
expanding contours of cybercrime. We may also have to examine whether we need more than
one enactment. The volume and nature of cybercrime in our country would demand in course of
time a variety of laws. Apart from private digital enterprises, law enforcement agencies
including the Central Bureau of Investigation (CBI), the Enforcement Directorate, the
Directorate of Revenue Intelligence and the Income-Tax Investigation Wing, could provide
valuable inputs to the government. There is also the need to draw from the international
experience. No systematic effort has been made till now to impart training to prosecutors and
judges, although there is evidence of their keenness to become knowledgeable. Possibly, the
initiative may have to come from law enforcement agencies that have quality instructors and
training institutions. It is not difficult to draft special capsules for this purpose. Policing in
cyber space was a challenging job.
CONCLUSION
In sum, though cyber space is a global phenomenon that cannot be easily tackled but the
Information Technology Act, 2000 is a great step forward and it is the right initiative at the right
time. There is no doubt that such a law is absolutely necessary in the country today. The
medium that the Act seeks to regulate and facilitate has so profound an impact on human life that
it is beyond the comprehension of contemporary visionaries. It is perhaps only in hindsight,
several years later, that the extent and scale of the impact could be gauged. It could not therefore
have been allowed to run lawlessly without any system of checks and without clearly defined
rights and liabilities and forums in which to enforce them effectively. The law has not, therefore,
come a moment too soon and it is sincerely hoped that the Act would pave way for proper legal
control regime at national level.