another example of the Credit Card industry's deceptive advertising targeting children
cartoon of the month

Tuesday, June 07, 2005

Crime and Cyber Crimes India

This story of the Time of India is another example of how half baked legal idiots mislead the public. India's present IT - Information technology laws fully protect the data security, privacy, confidentiality etc. and information security of Indian computer users. Howver, the matter has so unnerved corporate India and their lapdog NASSCOM, that they are pushing to dilute the present IT ACT 2000 where everything is defined to be a computer - from MP3 players, mobile phones, bar code stickers, audio casettes, credit cards, your TV remote etc. - with severe penal consequences for CEOs of corporates and banks. Read SarbaJit Roy's Hacking Complaint for the full inside scoop.

Is theft a crime?

[ SUNDAY, JUNE 05, 2005 02:03:29 AM] Times News Network.

Is theft a crime?

The above question appears to beg the obvious. However a marked difference in approach happens to the same offence of theft between the real and the virtual world. The admitted position as on date is that there is no criminal provision or statute to protect “information” or “data” in the virtual world in India. This applies not merely to the above offense but to various serious misdemeanors in the virtual world, which gives increased opportunity and reach for commission of offences but the law is not sufficient to extend a cloak of protection.

Crime & Cyber Crime

The recent Mphasis case highlights the urgency for laws in the field of Information and Data security. In the absence of exhaustive criminal provisions existing laws ought to be applied to crimes loosely termed as “Cyber Crimes”. Having said that, the problems posed in applying existing laws to emerging trends in Cyber Crimes is patently apparent when we actually attempt to apply them.

Provisions under the IT Act

Before looking at the time tested criminal enactment here's a look at the provisions of the Information Technology Act, 2000 ("IT Act"), the only "cyber law" as on date in India. The IT Act does not list Information or data "theft" as a crime. However Section 43 of the IT Act provides for a civil penalty by way of compensation of up to Rs 1crore, for downloading, copying, extracting any data, computer data base or information from such computer, computer system or computer network including information or data stored in any removable storage medium (floppy, CD, etc.,), without permission of the Owner. This penalty is to be imposed by the Adjudicating Officer who is to be appointed as per the provisions of the IT Act. Listing of the above misdemeanor under Civil Penalties appears to indicate that the framers of this Act did not intend to include Information / Data appropriation as a criminal offense, under the IT Act.

Applicability of IPC

In the absence of the application of the IT Act to such wrongs, existing penal provisions are to be applied, and Section 81 of the IT Act would not preclude such application. The Supreme Court has emphasized the need for applying the principles of purposive interpretation for harmonious construction of Statutes in A. T. Corporation Ltd. vs. Shapoorji Data Processing Ltd. (AIR 2004 SC (“Supreme Court”) 355). Applying such purposive interpretation the provision for theft may be applied to verify if “Information Theft” is an offense under the Indian penal Code (“IPC”).

Section 378 IPC defines theft as taking dishonestly any movable property out of the possession (emphasis added) of any person without that person’s consent. The offence of “theft” under IPC relates to the “possession” of movable property and not “Ownership” thereof.

Section 22 IPC defines ‘movable property’ as words “intended to include corporeal property of every description, except land and things attached to the earth or permanently fastened to anything which is attached to the earth”.

Hence only corporeal property can be the subject matter of theft, which prima facie rules out incorporeal property such as information, data etc., as a subject matter for commission of an offense of “Theft”. “Electronic Record” is defined in Section 29 A IPC (included by the amendment of 2000 after the enactment of the IT Act), as data, record or data generated image or sound stored, received or sent in an electronic form, micro film or computer generated micro fiche.

Even if such “electronic record” is presumed to be corporeal property, transfer of information / data through such electronic record would still not amount to an offense of “theft” as defined in IPC as the most essential ingredient of the offense under IPC is that movable property which is the subject matter of theft should be moved out of the possession (emphasis added) of any person without his consent (State of Maharashtra Vs. Vishwanath AIR 1979 SC 1825,). The Supreme Court has further held in K. N. Mehra Vs. State of Rajasthan AIR 1957 SC 369 that even if it is only temporary there should be actual deprivation of the property i.e., the owner or person in possession of such property was deprived of its use at least for a temporary period of time

Information / Data pilfering however does not deprive the owner of the use of such information or data even whilst such stolen data is being utilised without authorization. Hence the essential ingredient of Section 378 IPC, of deprivation of possession, is absent in such “cyber wrongs” as a person only takes "into their possession" and do not take “out of the possession” of the owner. It could therefore be safely concluded that mere taking / pilfering / stealing of information per se does not amount to an offence under any Indian Law and there is an immediate necessity for filling this lacunae.

Hence mere taking of information and / or data may not be an offense under Indian Laws. However the usage that such information is put to could amount to the commission of an offense under IPC. For instance, in the recent Mphasis BPO case whilst being in possession of personal information like passwords, bank account numbers, access codes etc., may not have been an offence as such information was obtained through legal means, utilization of such information to commit a bank fraud, siphoning of money from bank accounts, creation of false bank accounts, creation of false mail IDs to divert Bank statements etc., are all offences punishable under the IPC namely under broad heads of forgery, falsification of accounts, etc.,

Immediate solutions

Information theft is merely one example where existing laws are insufficient to curb the “Cyber Crime” menace. There are several instances of Cyber Crime, which do not fall under any penal provision. Such actions admittedly cause severe damage & loss to society and individuals and yet the culprits cannot be booked for any crime.

Further clarity in what amounts to a crime is imperative as knowledge that an action is a crime may deter the offender in several instances particularly as the “Cyber offender” is an educated person. Also interpretations of criminal statutes always favour the Accused hence clear criminal provisions are required to ensure proper prosecution of offenders. The Legislature should therefore hasten in comprehensive amendments / enactments not merely for Data & Information Protection & Privacy but also for various kinds of Cyber Crimes which impact the economy and individual rights.


Post a Comment

<< Home