CYBER CRIMES AND

CYBER SECURITY: THE

LEGAL PERSPECTIVES

Dr K Suresh Babu, JNTUH

 Introduction
•Cyber crime is the
largest illegal industry
•Cybercrime involves
massive, coordinated
attacks against the
information structure of a
country.
Introduction
Introduction
Introduction
Cyber Crime and Legal Landscape
around the world
Cyber Crime and Legal Landscape
around the world
Cyber Crime and Legal Landscape
around the world
Cyber Crime and Legal
Landscape around the world
Cyber Crime and Legal
Landscape around the world
Cyber Crime and Legal Landscape
around the world
Cyber Crime and Legal Landscape
around the world
Cyber Crime and Legal
Landscape around the world
Cyber Crime and Legal
Landscape around the world
Cyber Crime and Legal Landscape
around the world
Why Do We Need Cyber laws:
The Indian Context
Why Do We Need Cyber laws:
The Indian Context
The Indian IT Act
 Chapter No. Chapter Title Names of the Section

CHAPTER I PRELIMINARY 1. Short title, extent, commencement and application.

2. Definitions
CHAPTER II DIGITAL SIGNATURE AND 3. Authentication of electronic records.
ELECTRONIC SIGNATURE 3A. Electronic signature.
CHAPTER III ELECTRONIC GOVERNANCE 4. Legal recognition of electronic records.
5. Legal recognition of electronic signatures.
6. Use of electronic records and electronic signatures in
Government and its agencies.
6A. Delivery of services by service provider.
7. Retention of electronic records.
7A. Audit of documents, etc., maintained in electronic form.
8. Publication of rule, regulation, etc., in Electronic Gazette.
9. Sections 6, 7 and 8 not to confer right to insist document should
be accepted in electronic form.
10. Power to make rules by Central Government in respect of
electronic signature.
10A. Validity of contracts formed through electronic means.

CHAPTER IV ATTRIBUTION, 11. Attribution of electronic records.

ACKNOWLEDGEMENT AND 12. Acknowledgment of receipt.
DESPATCH OF ELECTRONIC 13. Time and place of despatch and receipt of electronic record
RECORDS
CHAPTER V SECURE ELECTRONIC 14. Secure electronic record.
RECORDS AND SECURE 15. Secure electronic signature.
ELECTRONIC SIGNATURE 16. Security procedures and practices
 Chapter No. Chapter Title Names of the Section
CHAPTER VI REGULATION OF 17. Appointment of Controller and other officers.
CERTIFYING AUTHORITIES 18. Functions of Controller.
19. Recognition of foreign Certifying Authorities.
20. [Omitted.].
21. Licence to issue electronic signature Certificates.
22. Application for licence.
23. Renewal of licence.
24. Procedure for grant or rejection of licence.
25. Suspension of licence.
26. Notice of suspension or revocation of licence
27. Power to delegate.
28. Power to investigate contraventions.
29. Access to computers and data.
30. Certifying Authority to follow certain procedures.
31. Certifying Authority to ensure compliance of the Act, etc.
32. Display of licence.
33. Surrender of licence.
34. Disclosure.

CHAPTER VII ELECTRONIC SIGNATURE 35. Certifying authority to issue electronic signature Certificate.
CERTIFICATES 36. Representations upon issuance of Digital signature Certificate.
37. Suspension of Digital Signature Certificate.
38. Revocation of Digital Signature Certificate.
39. Notice of suspension or revocation.
CHAPTER VIII DUTIES OF SUBSCRIBERS 40. Generating key pair.
40A. Duties of subscriber of Electronic Signature Certificate.
41. Acceptance of Digital Signature Certificate.
42. Control of private key.
CHAPTER IX PENALTIES, COMPENSATION 43. Penalty and compensation for damage to computer, computer system, etc.
AND ADJUDICATION 43A. Compensation for failure to protect data.
44. Penalty for failure to furnish information, return, etc.
45. Residuary penalty.
46. Power to adjudicate.
47. Factors to be taken into account by the adjudicating officer.
 Chapter No. Chapter Title Names of the Section

CHAPTER X THE APPELLATE 48. Appellate Tribunal.

TRIBUNAL 49. [Omitted.].
50. [Omitted.].
51. [Omitted.].
52. [Omitted.].
52A. [Omitted.].
52B. [Omitted.].
52C. [Omitted.].
52D. Decision by majority.
53. [Omitted.].
54. [Omitted.].
55. Orders constituting Appellate Tribunal to be final and not to invalidate its
proceedings.
56. [Omitted.].
57. Appeal to Appellate Tribunal.
58. Procedure and powers of the Appellate Tribunal.
59. Right to legal representation.
60. Limitation.
61. Civil court not to have jurisdiction.
62. Appeal to High Court.
63. Compounding of contraventions.
64. Recovery of penalty or compensation.
CHAPTER XII INTERMEDIARIES 79. Exemption from liability of intermediary in certain cases.
NOT TO BE LIABLE
IN CERTAIN CASES

CHAPTER XIIA EXAMINER OF 79A. Central Government to notify Examiner of Electronic Evidence.
ELECTRONIC
EVIDENCE
 Chapter No. Chapter Title Names of the Section

CHAPTER XI OFFENCES 65. Tampering with computer source documents.

66. Computer related offences.
66A. Punishment for sending offensive messages through communication service, etc.
66B. Punishment for dishonestly receiving stolen computer resource or communication device.
66C. Punishment for identity theft.
66D. Punishment for cheating by personation by using computer resource.
66E. Punishment for violation of privacy.
66F. Punishment for cyber terrorism.
67. Punishment for publishing or transmitting obscene material in electronic form.
67A. Punishment for publishing or transmitting of material containing sexually explicit act, etc., in
electronic form.
67B. Punishment for publishing or transmitting of material depicting children in sexually explicit act,
etc., in electronic form.
67C. Preservation and retention of information by intermediaries.
68. Power of Controller to give directions.
69. Power to issue directions for interception or monitoring or decryption of any information through
any computer resource. 69A. Power to issue directions for blocking for public access of any
information through any computer resource.
69B. Power to authorise to monitor and collect traffic data or information through any computer
resource for cyber security.
70. Protected system.
70A. National nodal agency.
70B. Indian Computer Emergency Response Team to serve as national agency for incident response.
71. Penalty for misrepresentation.
72. Penalty for Breach of confidentiality and privacy.
72A. Punishment for disclosure of information in breach of lawful contract.
73. Penalty for publishing electronic signature Certificate false in certain particulars.
74. Publication for fraudulent purpose.
75. Act to apply for offence or contravention committed outside India.
76. Confiscation.
77. Compensation, penalties or confiscation not to interfere with other punishment.
77A. Compounding of offences.
77B. Offences with three years imprisonment to be bailable.
78. Power to investigate offences.
 Chapter No. Chapter Title Names of the Section
CHAPTER XIII MISCELLANEOUS 80. Power of police officer and other officers to
enter, search, etc.
81. Act to have overriding effect.
81A. Application of the Act to electronic cheque
and truncated cheque.
82. Controller, Deputy Controller and Assistant
Controller to be public servants.
83. Power to give directions.
84. Protection of action taken in good faith.
84A. Modes or methods for encryption.
84B. Punishment for abetment of offences.
84C. Punishment for attempt to commit
offences.
85. Offences by companies.
86. Removal of difficulties.
87. Power of Central Government to make rules.
88. Constitution of Advisory Committee.
89. Power of Controller to make regulations.
90. Power of State Government to make rules.
91. [Omitted.].
92. [Omitted.].
93. [Omitted.].
94. [Omitted.]
 Sections
• Sections 65,66,67,71,72,73 and 74 are relevant to the discussions of
cybercrime in legal context.
• 65. Tampering with computer source documents.–Whoever
knowingly or intentionally conceals, destroys or alters or
intentionally or knowingly causes another to conceal, destroy, or
alter any computer source code used for a computer, computer
programme, computer system or computer network, when the
computer source code is required to be kept or maintained by law for
the time being in force, shall be punishable with imprisonment up to
three years, or with fine which may extend up to two lakh rupees, or
with both.
• 66. Computer related offences.–If any person, dishonestly or
fraudulently, does any act referred to in section 43, he shall be
punishable with imprisonment for a term which may extend to three
years or with fine which may extend to five lakh rupees or with both.
 Section 66
• 66A. Punishment for sending offensive messages through communication service, etc.–Any person who sends, by means
of a computer resource or a communication device

• 66B. Punishment for dishonestly receiving stolen computer resource or communication device.–Whoever dishonestly
receive or retains any stolen computer resource or communication device knowing or having reason to believe the same
to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a
term which may extend to three years or with fine which may extend to rupees one lakh or with both.

• 66C. Punishment for identity theft.–Whoever, fraudulently or dishonestly make use of the electronic signature, password
or any other unique identification feature of any other person, shall be punished with imprisonment of either description
for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

• 66D. Punishment for cheating by personation by using computer resource.–Whoever, by means of any communication
device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term
which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.

• 66E. Punishment for violation of privacy.–Whoever, intentionally or knowingly captures, publishes or transmits the image
of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall
be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with
both.

• 66F. Punishment for cyber terrorism.–(1) Whoever,– (A) with intent to threaten the unity, integrity, security or sovereignty
of India or to strike terror in the people or any section of the people by
 Sections
67. Punishment for publishing or transmitting obscene material in electronic form.–Whoever publishes or
transmits or causes to be published or transmitted in the electronic form, any material which is lascivious or
appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely,
having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall
be punished on first conviction with imprisonment of either description for a term which may extend to three
years and with fine which may extend to five lakh rupees and in the event of second or subsequent conviction
with imprisonment of either description for a term which may extend to five years and also with fine which
may extend to ten lakh rupees.

71. Penalty for misrepresentation.–Whoever makes any misrepresentation to, or suppresses any material fact
from the Controller or the Certifying Authority for obtaining any licence or 1 [electronic signature]
Certificate, as the case may be, shall be punished with imprisonment for a term which may extend to two
years, or with fine which may extend to one lakh rupees, or with both.

72. Penalty for Breach of confidentiality and privacy.–Save as otherwise provided in this Act or any other law
for the time being in force, if any person who, in pursuance of any of the powers conferred under this Act,
rules or regulations made thereunder, has secured access to any electronic record, book, register,
correspondence, information, document or other material without the consent of the person concerned
discloses such electronic record, book, register, correspondence, information, document or other material to
any other person shall be punished with imprisonment for a term which may extend to two years, or with fine
which may extend to one lakh rupees, or with both.
 Sections
• 73. Penalty for publishing 1 [electronic signature] Certificate false in
certain particulars No person shall publish a Certificate or otherwise
make it available to any other person with the knowledge that–
• (a) the Certifying Authority listed in the certificate has not issued it; or
• (b) the subscriber listed in the certificate has not accepted it; or
• (c) the certificate has been revoked or suspended, unless such
publication is for the purpose of verifying a created prior to such
suspension or revocation.
• Any person who contravenes the provisions of sub-section (1) shall be
punished with imprisonment for a term which may extend to two
years, or with fine which may extend to one lakh rupees, or with both.
• 74. Publication for fraudulent purpose.–Whoever knowingly creates,
publishes or otherwise makes available a 1 [electronic signature]
Certificate for any fraudulent or unlawful purpose shall be punished with
imprisonment for a term which may extend to two years, or with fine
which may extend to one lakh rupees, or with both.
Positive Aspects of the ITA 2000
The Indian IT Act
The Indian IT Act
The Indian IT Act
The Indian IT Act
 Challenges To Indian Law And
Cybercrime Scenario In India
Major Challenges in Cyber Security:
•No procedural rules: There are no separate rules of procedure for investigating cybercrime or computer
crime. Electronic evidence is very different from traditional criminal evidence, so it is essential to establish
standardized and consistent procedures for handling electronic evidence.
•Shortage of technical staff: There are minimal efforts by states to recruit technical personnel to
investigate cybercrime.
A regular police officer with a background in humanities and business administration may not understand
the nuances of how computers and the Internet work.
Additionally, the Information Technology (IT) Act of 2000 maintains that offences registered under the Act
should be investigated by police officers, not below the rank of inspector. In practice, the number of
police inspectors in the district is limited and most field investigations are conducted by deputy inspectors.
•Lack of Infrastructure – Cyber labs: State cyber forensics labs need to be upgraded as new technologies
emerge. Cryptocurrency-related crime continues to be underreported due to the limited ability to solve
such crimes. Most government cyber labs are well equipped to analyze hard drives and mobile phones, but
many still employ “electronic evidence examiners” so they can provide an expert opinion on electronic
records. Not specified.
•Need for localization: Most cybercrime is transnational and extraterritorial. Collecting evidence from
foreign territories is not only a difficult but time-consuming process. Other than the immediate suspension
of objectionable websites and accounts of suspects in most social media crimes, other details are not
readily available from big tech companies.
Therefore, “data localization” should be included in the proposed Personal Data Protection Act to ensure
law enforcement agencies have timely access to suspected data of Indian citizens.
 Challenges To Indian Law And
Cybercrime Scenario In India
Important steps were taken by the Government:
•Information Act 2000: The Information Act, of 2000 is the primary law to combat cybercrime and digital
commerce in India.
•National Cyber ​Security Policy, 2013: This policy provides a vision and strategic direction for protecting the
nation’s cyberspace.
•CERT-In (Cyber ​Emergency Response Team – India): CERT-In has been operational since 2004. It is a national
focal point for immediate response to computer security incidents as they occur.
•India’s Cyber ​Crime Coordination Center (I4C): A comprehensive and coordinated response to all types of
cybercrime. Cyber ​Swachhta Kendra: Launched in early 2017, Cyber ​Swachhta Kendra provides users with a
platform to analyze and clean their systems from various viruses, bots/malware, Trojans, etc.
•Cyber ​Suraksit Bharat: The Ministry of Electronics and Information Technology launched the Cyber ​Surakshit
Bharat initiative to raise awareness of cybercrime and build the security response capabilities of the Chief
Information Security Officer (CISO) of all government departments and his IT staff on the front lines.
•Cyber ​Warrior Police: In 2018, the government announced plans to implement his CWPF. It is proposed to be
brought under the guidelines of the Central Armed Police Force (CAPF).
•Cybercrime prevention programs for women and children: The program, run by the Ministry of Home Affairs,
aims to prevent and reduce cybercrime against women and children.
 Challenges To Indian Law And
Cybercrime Scenario In India
Way ahead:
•Build skills: There is an urgent need to build skills and capabilities for application, device, and
infrastructure testing.
•Maintain staff: There is an urgent need to pay attention to human resource development to increase the
number of professionals who can effectively manage cybersecurity in the country.
•Research and Development: We need to invest in research and development to create more innovative
technologies to combat the growing cybersecurity threat.
•Politics and Governance: It is important to formulate sound policies and implement them effectively.
Additionally, roles and responsibilities should be clearly defined to ensure smooth functioning and better
coordination between departments and stakeholders.
•Awareness: Regular awareness campaigns by governments and large private sector organizations should
be conducted to make people aware of Cybersecurity threats.
•Strengthening private partnerships: Strengthening public-private partnerships in cybersecurity is
critical.
 Consequences of not addressing
the weakness in IT Act
1.**Challenges in Fighting Cybercrime
- The Indian scenario presents numerous challenges in combating cybercrime.
- The existing cyber laws in India are not sufficient and lack adequate security measures to
effectively address cyber threats.
2. **Impact on E-Commerce Industry
- The inadequacy of cyber laws in India affects the E-commerce industry, which relies heavily on
secure online transactions.
- India's lag in developing robust cyber laws may hinder the growth and potential of its E-
commerce sector.
3. **Risk to Outsourcing Sector
-The outsourcing sector in India faces risks due to concerns about data breaches and leakages.
- Overseas customers may become wary of outsourcing to India if data security concerns persist.
4. **Threat to India's Leadership in IT Business
- India's reputation as a leader in the international outsourcing market could be at risk if
weaknesses in the ITA are not addressed promptly.
- Failure to strengthen cyber laws may result in a loss of trust and confidence from global clients.
5. **Need for Prompt Action:
- With outsourcing on the rise, it's imperative for India to take swift and strategic steps to address
weaknesses in the Information Technology Act.
- Failure to do so may jeopardize India's position as a dominant player in the global outsourcing
market
 Digital Signatures and the Indian IT Act

1. Digital Signatures and Electronic Signatures

Digital signatures and electronic signatures are methods used to authenticate electronic documents and transactions.
- A digital signature is a cryptographic technique that verifies the authenticity of a digital message or document.

- An electronic signature, on the other hand, is a broader term that encompasses various methods of electronically
indicating consent or approval.

2. Public-Key Certificate and PKI

-A public-key certificate is a digital document issued by a trusted third party, known as a certificate authority (CA),
that associates a public key with an individual or entity.

- Public-Key Infrastructure (PKI) is a set of policies, procedures, and technologies used to manage digital certificates
and ensure the security of electronic communication

3. Impact of Oversight in ITA 2000

- The Indian IT Act addresses the use of digital signatures but may have oversights or gaps in it provisions regarding
their use and regulation.

- Publishing false digital signature certificates is considered an offense under the IT Act, with penalties specified for
such actions
 PUBLIC-KEY CERTIFICATE
A public-key certificate is a digital document issued by one entity (usually a Certificate Authority or CA) confirming
that the public key and other information of another entity have specific validity and authenticity.
A digital signature is an electronic mark used to ensure the integrity of data. When tied to the identity of the signer
using a security token like X.509 certificates, a digital signature can provide
non-repudiation, meaning the signer cannot deny signing the document.
An X.509 Certificate contains details about the certificate subject and the certificate issuer (the CA). It is encoded
using Abstract Syntax Notation One (ASN.1), a standard syntax for describing network messages. The primary
purpose of a certificate is to link an identity with a public key value, thus enabling secure communication and
authentication in digital environments.
A certificate includes:
1.X.509 version information;
2.a serial number that uniquely identifies the certificate;
3. a common name that identifies the subject;
4. the public key associated with the common name;
5.the name of the user who created the certificate, known as the subject name;
6. information about the certificate issuer;
7. signature of the issuer;
8. information about the algorithm used to sign the certificate;
9. some optional X.509 version 3 extensions. For example, an extension exists that distinguishes between CA
certificates and end-entity certificates
 Representation of Digital Signatures in the ITA 2000

1. Acceptable Forms of Authentication

- The ITA 2000 recognized digital signatures based on asymmetric cryptosystems and hash systems as
the only acceptable forms of authentication for electronic documents.
- Digital signatures are deemed equivalent to traditional paper signatures in terms of legal validity.
2. Mandatory Enclosure of Certification Practice Statement
- Section 35, subsection (3) of the ITA 2000 initially mandated applicants for a digital signature
certificate to enclose a Certification Practice Statement (CPS) with their application.
- A Certification Practice Statement outlines the practices and procedures adopted by a Certification
Authority (CA) in issuing digital certificates
3. Deficiencies in the Bill
- One major deficiency in the ITA 2000 was related to the provisions regarding the role and function of
CAs and the process of issuing digital certificates.
- The bill lacked clarity and specificity in defining the responsibilities and processes of CAs, which
could hinder its effective implementation.
In summary, the ITA 2000 recognized digital signatures as a valid form of authentication for electronic
documents but faced challenges due to deficiencies in its provisions regarding Certification Authorities
and the issuance of digital certificates. Clarity and refinement in these areas were necessary for the
smooth implementation of the law
 Cyber Crime and Punishment

1. **Rising Concerns and Challenges

- Cybercrime is on the rise globally, attracting attention due to its widespread impact.
- Existing laws are often inadequate to address the complexities of cybercrimes, making
enforcement challenging.

2. **Reliance on Technical Measures

- In the absence of strong legal protections, businesses and governments rely heavily on technical
measures to safeguard their data and systems.
- However, technical measures alone cannot ensure a safe cyberspace; the rule of law must also
be enforced
 Cyber Crime and Punishment
3. **Cross-Border Nature of Cybercrime
- Cybercrime knows no boundaries and can originate from anywhere in the world, posing
challenges for law enforcement agencies.
- Transnational nature of cybercrime complicates investigations and prosecutions due to
jurisdictional issues and complex legal procedures.

4. **Lack of Clear Legal Frameworks

- Many countries lack clear legal frameworks to address cybercrimes effectively, leading to
discrepancies in how crimes are treated across jurisdictions.
- Outdated laws and weak enforcement mechanisms hinder efforts to protect networked
information and promote E-Commerce
 Cyber Crime and Punishment

5. **Need for Stronger Legal Measures

- Strengthening legal measures and enforcement mechanisms is crucial to combat cybercrimes
and promote a secure digital environment.
- Close cooperation among national governments and adoption of best practices from other
countries are essential to develop enforceable legal protections against cybercrimes.

6. **Challenges in Punishing Cybercriminals

- Punishing cybercriminals is challenging due to the transnational nature of cyberspace and the
difficulty in enforcing laws across borders.
- Few countries have been able to demonstrate effective legal measures to hold perpetrators of
ybercrimes accountable for their actions.
 Cyber Crime and Punishment

We conclude about punishment to cybercriminals by summarizing the following key points:

1. Reliance on Terrestrial Laws

- Many countries still rely on traditional laws that may not effectively address cybercrimes.
- These laws are often outdated and have not been tested in court for cyber-related offenses.

2. Weak Penalties
- Weak penalties in updated criminal statutes offer limited deterrence against cybercrimes, which
can have significant economic and social impacts.
- The lack of strong penalties may embolden cybercriminals to continue their activities.

3. Self-Protection as the First Line of Defense

- Given the weaknesses in legal frameworks, private sector efforts to develop robust technical solutions
and management practices for information security are crucial.
- Self-protection measures become essential for businesses and individuals to safeguard against cyber
threats
 Cyber Crime and Punishment

4. Global Patchwork of Laws*

- Lack of consensus among countries regarding which cybercrimes need legislation complicates international
efforts to combat cybercrime.
- Harmonizing laws across jurisdictions is essential to facilitate coordinated efforts by law enforcement
agencies.

5. Need for a Model Approach:

- Many countries, especially in the developing world, lack the legal and technical resources to address
cybercrimes effectively
A coordinated public-private partnership is needed to develop a model approach that can serve as a guide for
countries to strengthen their legal frameworks and combat cybercrime.
- This approach can help prevent the inadvertent creation of havens for cybercriminals and promote a secure
environment for E-Commerce globally
 Cyberlaw, Technology and
Students in India Scenario
1. Educational Disparity
- Technology students often lack exposure to laws related to information technology, cybercrimes, hacking, viruses,
and secure coding.
- Law students typically have limited exposure to information technology and its implications on legal aspects like
trademarks, copyrights, and electronic documents.

2. Need for Techno-Legal Experts

- India's advancement in IT, ITES, and BPO sectors necessitates the presence of experts who understand both
technology and law
- Techno-legal experts are crucial for demystifying cyberlaw and making it accessible to a broader section of society.

3. Integration into Education

-There's a call for integrating cyberlaw into the curriculum of engineering, commerce, and management colleges
- Law colleges should expand their coverage of criminal laws and intellectual property rights (IPR) laws to include
the cyberworld.
 Cyberlaw, Technology and
Students in India Scenario
4. IPR Issues
- Intellectual property rights are important considerations in the digital age, and students should be educated
about them.

5. Future Perspectives
- The emergence of techno-legal specialists is expected to reshape the legal perspective in India.
- The development of cyber jurisprudence as a distinct field of study is anticipated with the contribution of
these specialists

In summary, there's a recognized need for bridging the gap between technology and law education in India to
produce well-rounded professionals capable of navigating the complexities of cyberlaw in the digital age.