
Saturday, May 21, 2005

CBI on Citigroup Mphasis credit card hacking

This one got away

R.K. Raghavan (source : The Hindu Business Line, 02 May 2005)

Yes, security was breached in the recent incident of fraud at an Indian BPO operation. Which means losing no time to arm ourselves effectively. This is how we can go about it.

A CALL centre in Pune looking after Citigroup customer relations was recently vandalised. Managed by MphasiS BFL, this centre was, by all accounts, an efficient outfit with more than a reasonable accent on security.

Suddenly, at least four Citigroup customers based in the US found that their accounts had been tampered with, and substantial sums of money (totalling about $350,000) transferred to accounts in and around Pune. On a complaint from Citigroup officials in India, the Pune Police sprung into action and did some smart field enquiries that established the involvement of a few former employees of the call centre. Investigation revealed that this gang had won the confidence of the customers victimised and secured their Personal Identification Numbers (PIN) with which they were able to access their accounts online and achieve their criminal objective.

Those who are familiar with security regulations in vogue in well-run call centres would know that employees are searched when they enter and exit the premises. They are not allowed to take even a scrap of paper, not to speak of any implement to copy or record any material. These restrictions are nothing new or special, and are taken for granted by the firm that outsources the job.

Also, telephonic conversations with customers from within centres are monitored at random. You may therefore rightly ask the question: How did the Pune group execute their diabolical plan? (If `diabolical' is a strong expression, I use it deliberately because the damage caused to our image as a secure IT vendor is inestimable.)

I am told that most, if not all the members of the gang, had memorised the crucial numbers, walked thereafter into cyber cafes where they accessed the page relating to each account in Citibank's Web site, opened new e-mail IDs replacing the ones originally given by the customers, and thereafter transferred funds. It is as simple as that.

What do you make of the Pune episode? Was it a case of poor physical security? I don't think so, unless investigation, as it progresses, reveals any collusion between the security guards posted at the centre and the former employees who have now been arrested.

Possibly, it was a case of system vulnerability. Some banks have switched over to double authentication. This may tighten up access and prevent intrusion. Some banks can think of an enhancement to transaction processing by which a customer is notified of unusual transfer of funds. This will be something akin to the practice of a few banks providing for an SMS notification to customers whenever an ATM transaction is made.

Whether these would have helped in Pune is a moot question, because once you win over a customer and persuade him to submit himself to you without reservation, there is precious little the best of brains in cyber security can do.
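The notification idea above, narrowed to the sequence reported in the Pune case (the e-mail ID on the account is replaced, then funds are transferred), as an added example that is not from the article or from any bank's system. The event format, field names, 72-hour window and amount threshold are assumptions, and the log lines are constructed.

```python
"""Flag transfers that follow a recent change of the account's contact e-mail.

Added illustration: the event layout, field names, window and threshold are
assumptions, not any bank's real schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events: timestamp|account|event|detail
SAMPLE_LOG = """\
2005-03-01T09:00:00|ACC-1001|login|ip=198.51.100.7
2005-03-01T09:05:00|ACC-1001|email_change|old=alice@example.com;new=a1@example.net
2005-03-01T09:20:00|ACC-1001|transfer|amount=9500;payee=new
2005-03-02T11:00:00|ACC-2002|transfer|amount=120;payee=known
2005-03-03T08:00:00|ACC-3003|email_change|old=bob@example.com;new=bob@example.org
2005-03-10T08:00:00|ACC-3003|transfer|amount=4000;payee=new
2005-03-04T10:00:00|ACC-4004|transfer|amount=7000;payee=new
"""


@dataclass
class Alert:
    account: str
    severity: str
    notify: str  # where the warning should be sent
    reason: str


def parse_line(line):
    """Split one constructed log line into (time, account, event, fields)."""
    ts, account, event, detail = line.split("|", 3)
    fields = dict(pair.split("=", 1) for pair in detail.split(";") if pair)
    return datetime.fromisoformat(ts), account, event, fields


def detect(log_text, window=timedelta(hours=72), large_amount=5000):
    """Return alerts for transfers that look like account takeover."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])  # logs may arrive out of order

    last_change = {}  # account -> (time of change, address before the change)
    alerts = []
    for ts, account, event, fields in events:
        if event == "email_change":
            prev = last_change.get(account)
            if prev and ts - prev[0] <= window:
                # Chained changes: keep the address that predates the first
                # one, since the intermediate address may not be the owner's.
                last_change[account] = (ts, prev[1])
            else:
                last_change[account] = (ts, fields["old"])
        elif event == "transfer":
            amount = float(fields["amount"])
            change = last_change.get(account)
            if change and ts - change[0] <= window:
                # Warn the PREVIOUS address: the new one is unverified.
                alerts.append(Alert(account, "high", change[1],
                                    f"transfer of {amount:.0f} within "
                                    f"{window} of e-mail change"))
            elif fields.get("payee") == "new" and amount >= large_amount:
                alerts.append(Alert(account, "medium", "address-on-file",
                                    f"large transfer of {amount:.0f} "
                                    "to a new payee"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The design point is where the warning goes: a notice sent to the newly registered address reaches whoever made the change, so the rule keeps the address that was on file before it.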

Was it a case of poor background check? I am not very sure whether any such check was done at all by the company that runs the centre. It is for them to tell the customers on their own as to what they had done in this regard. My preliminary information does not reveal that any of those now in custody had a criminal record. Only if they had any, a check would have yielded valuable information, provided the checking agency had the resources.

My own impression of most of the private agencies who claim to be experts in background checks and who fleece their customers (sometimes as much as Rs 5,000 for each candidate checked) is very poor. Many organisations wanting an employee's past data have unfortunately nothing else to fall back on. However, the Pune incident does reinforce the need for more rigorous checks by all IT companies, especially those in the BPO business.

Some police forces respond to requests for a record check from private companies. Many don't. It is for the Union Home Ministry (MHA) and the IT Ministry to appeal to State governments to be helpful in this regard. This need not be a free service. The police can levy a substantial fee. The National Crime Records Bureau (NCRB) under the MHA does this in a limited way in respect of stolen cars. There is a case for it to expand its database by talking to the State Police through the MHA.

Nasscom is said to be building a database of IT employees. Once this becomes ready, it should help raise the quality of background checks. Additionally, Nasscom has the clout to establish a partnership between IT companies, the IT Ministry in Delhi and State Police forces that would handle the nuances of background checks, at least for IT company recruitment. All the three have a huge stake in preserving our reputation as a security-conscious IT nation.

In the final analysis, what we are discussing here is a case of so-called `social engineering'. This would mean that there is something beyond the well-oiled systems that we have to take care of. Clients of outsourcing financial institutions would do well to step up customer education. It is not as if they are not already doing this. In this instance Citibank would like to study how they could not instil a stronger sense of security in customer minds. Their findings would be useful to others who would also want to plug loopholes in their drill to sensitise customers.

It is easy to dismiss Pune as one of those incidents that happen regularly in many countries in the developed West. The difference is that these countries can afford to be indifferent because of their own wealth and their stringent and swift criminal justice system that ensures quick punishment of the guilty. India cannot afford to be indifferent or complacent. We are the envy of the rest of the world. We should not allow our advantage to slip from our hands purely because of the dishonesty of a few individuals. Let us study Pune in its entirety and take immediate remedial action.

(The author is a former CBI Director and currently Security Adviser to TCS Ltd.)

Toothless Cyber Laws?

Outlook [ The Weekly Newsmagazine ] - November 17, 2003
World Wide Web

India's e-commerce is expected to rise to Rs 2,300 crore by 2006. But where are the laws to check abuse? - by HARSH KABRA

* Over 600 employees of an Indian company receive an e-mail from info@amazon.com offering a book discount. They swamp the link, only to realise that an employee has spoofed the address to glom money and card numbers.
* A man pays for jewellery worth lakhs with a card. But the jeweller never gets money because the code on the card's magnetic strip has been rigged to get another computer, instead of the bank server, to authenticate the transaction.


Plastic money can buy you problems, and technologies can be ready accomplices. The hazard of credit card abuse stalks you in the virtual as well as the real world today. Gartner reports that over seven million Americans were victims of stolen credit card information last year. According to the American Banking Association, its members suffer identity fraud losses of around $1 billion and credit card companies absorb losses of around $1.5 billion every year. Identity thefts in the UK, reveals the UK Fraud Advisory Panel, cost victims nearly £62.5 million and the UK economy £1.3 billion. Isn't India too at risk, with cardholders rising to 100 million in the next five years? A recent CII study pegs the share of e-commerce at 12 per cent of the total revenues generated on the Net. Nasscom pitches e-commerce activity in 2002 at $300 million (over Rs 1,383 crore), only half that of China now but expected to grow to Rs 2,300 crore by 2006. Pavan Duggal, Supreme Court advocate and cyber law consultant, says: "There's no law—not even for data protection—that actually deters people from misusing credit cards. The risk is far greater here."

And the conditions are only too conducive. Manual card swiping machines continue to be in vogue and the entire 16-digit card number is still printed on invoices, even as most countries have replaced all but the last four digits with asterisks. Banks hush card frauds fearing damage to their credibility, so less than 0.1 per cent cases are reported in India. No card-related complaints have yet come to Bangalore's Cyber Crime Police Station set up in 2001, DySP Chandramohan Singh reveals.

Meanwhile, hackers continue to outsmart their pursuers. Says Kuji, a former hacker: "Every time a form is filled on the Net, no matter what the website declares, there's a possibility of that information leaking to unauthorised viewers." Today, Kuji's tribe is armed with programmes that can identify the bank issuing a card, harvest the three-digit card verification number, finagle the owner's personal details, check the card's validity, and even engineer the available credit limit.

A recent report by the Honeynet Project, a group of online security experts, says that the Internet Relay Chat (a messaging system for large networks) now abets online credit card fraud. Hackers also use sophisticated spy softwares, often downloaded from the Net, that get installed on the computer and siphon off data on the sly.

Yerra Ravi Kiran Raju, certified "ethical" hacker, researcher at the Pune-based Centre for Information and Network Security and principal consultant with Network Security Solutions, demonstrates how searching for certain keywords and queries using an everyday search engine like Google can gain him access to card databases. He takes us through some he has downloaded on his computer. We also accompany him to the Internet chatrooms teeming with "carders"—those who crack into card databases and sell info or stuff like pin decryptor.

Ravi explains how fraudsters can reprint cards using numbers pillaged during manual swipes and how cards devoid of data on their magnetic strip hold good for most transactions in India. Even the data on the magnetic strip can be copied using a special recorder that can be fitted in the swiping machine itself. Worse, such recording devices can be conveniently ordered over the Net by almost anybody. Even the data contained in smart chips, used by many cards to guard against abuse, can be copied to other smart chips. Says Ravi: "The effects of card abuse aren't visible for the first few months. When they begin to appear, the culprit is untraceable."

Says Debashis Nayak, a consultant with the Asian School of Cyber Laws (ASCL) and a partner at TechJuris, a law firm specialising in technology: "Card numbers are relatively safe when they travel in a secure, encrypted format. The danger is in the source and the destination computers." Ravi agrees: "The risk may start from your own computer. You won't know if your details are being fished out and stored elsewhere."

Even the ubiquitous call centres are vulnerable. "I can make separate phone calls to such centres and extract the required details in parts," says Ravi. "Like, I cite a number, obtain the cardholder's name and hang up. Then I pretend I want to change the date of birth in the cardholder's profile, obtain the exact date and hang up. By then, I have obtained sufficient data for extracting the pin number the next time."

From the instances reported thus far, says Nayak, two patterns are apparent. "The first is where card numbers are noted down from physical locations, such as petrol pumps, restaurants and shops, and later used online. The second involves the creation of bogus online shopping websites to lure prospective buyers to part with their credit card numbers, which are then misused on the Internet."

According to Ravi, e-mails can be spoofed in such a way that they appear to be originating from someone close to the recipient. If the sender requests some critical data, it is quite likely that the unsuspecting recipient will part with it in his reply. Alternatively, the moment that recipient opens the e-mail, it could trigger off the installation of a spy software, which will subsequently draw off more such data. That's petrifying—how many of us actually bother to verify the authenticity of the sender and his e-mail address?

Is it possible to nab such culprits? Yes, but a bigger problem is toothless laws. Says Duggal: "Credit card payments are a matter of contractual law between the concerned parties. Even the provisions of the Information Technology Act, 2000, haven't been tested practically. Convincing the police to act under those provisions is a challenge in itself. Plus, card companies simply wash their hands of cases involving big amounts." And the user is the worst-hit. Over 35 per cent of card users in India may have faced card abuse, Duggal says. And prudence and precaution alone can save them.

Credit card fraud spiralling

Credit card fraud hits new high despite chip and PIN
By Helen Nugent, March 08, 2005

CREDIT and debit card fraud has soared to a record £500 million despite the introduction of new chip-and-PIN technology, it emerged today.

Banks, credit card companies and shop owners hoped that the new technology would reduce fraud because a four-digit personal identification number is harder to reproduce than a signature. But far from deterring fraudsters, the new measures have encouraged criminals to steal more cards.

Figures from Apacs (the Association for Payment Clearing Services) show that losses to thieves rose by 20 per cent last year, equivalent to £10 for every adult in Britain.

An average of 100,000 credit and debit cards were posted to consumers every day last year. Many were intercepted by criminals, resulting in a 62 per cent rise — to £73 million — in “mail non-receipt” fraud.

The sheer volume of cards sent out every day provided rich pickings for fraudsters who operate by getting their hands on plastic before it is received by the genuine customers.

The banking industry says that it is working with Royal Mail to monitor card losses, identify fraud hot spots and take preventive action such as asking cardholders to collect new cards from their branch. But customers seem reluctant to pick up new cards in person.

Card analysts claim that fraudsters doubled their efforts last year in the belief that chip and PIN would eventually act as an effective deterrent.

Malcolm Bushell, managing director of Ingenico, Northern Europe, the world’s biggest developer and supplier of chip-and-PIN technology, said: “The banks knew that 2004 would be a difficult year because fraudsters would want to fill their boots while they still could.”

But retailers and banks seem powerless to clamp down on credit card fraud. The theft of card details, which are then used to buy products over the phone, via mail order or over the internet — known as “card-not-present fraud” — continues to top the table of losses, soaring by 24 per cent to £150 million last year.

Consumers duped by counterfeiters who illegally clone or skim cards lost nearly £130 million last year, a rise of 17 per cent. Fraud at cash machines, a favourite resort of thieves, grew at an alarming rate, up by 81 per cent to nearly £75 million.

Chip and PIN claims to be a sophisticated anti-fraud measure, yet there is no deadline for its implementation. Cards without the new technology are still being issued and of 141 million credit and debit cards in circulation, one in three are still the old signature-only type.

Furthermore, 15 per cent of retailers have yet to install tills that accept PINs, even though retailers without chip and PIN in-store have been liable for fraudulent transactions since January 1 this year.

The British Retail Consortium said: “This time next year, we should be in more of a position to see the impact that chip and PIN has had on card fraud.” Many shops that have up-to-date tills still do not insist that customers use PINs to authorise transactions.

“Fraudsters can disable the chip, for instance by smacking it with a hammer, and pay for goods using a signature,” Mr Bushell said. “There is a case for saying that a signature should not be accepted.”

Apacs estimates that, without chip and PIN, losses would reach £800 million by the end of this year. But it accepts that the battle against fraudsters is still to be won. Sandra Quinn, its director of corporate communications, said: “The more of us use a PIN, the harder a criminal’s life becomes. But clearly they will keep targeting cards. Many people have made predictions on where the fraudsters will attack next, but we have long foreseen that we need to keep cards secure in all environments.”

Card identity fraud rose by 22 per cent during 2004, according to Apacs. Credit reference agencies say that this alternative type of fraud is likely to grow even more if chip and PIN does prove successful.

IRCTC Credit Card Fraud

Source: From the Times of India website, 27 April 2005

HYDERABAD: There have been as many as four cases of credit card frauds in the last couple of years where cheats have booked railway tickets online using a genuine person’s credit card number. But, sadly the Indian Railway Catering and Tourism Corporation (IRCTC) still does not have a system in place to prevent these frauds. As a result, fraudsters stealing credit card numbers are having a field day.

On Monday two youths were arrested by the city police for collecting the credit card numbers of people at a petrol pump in the city and fraudulently booking tickets online. Ironically, it was IRCTC who lost huge amounts and not the genuine card owners.

"Some more security measures are required and they will be put in place soon," IRCTC managing director M N Chopra told The Times of India from New Delhi on Tuesday.

In an earlier case of credit card fraud in Hyderabad, the Central Bureau of Investigation (CBI) arrested an ex-employee of Indian Air Force, M Raja Rao for using stolen credit card details and booking railway tickets. The Cyber Crime Investigation of CBI detected that Raja Rao cheated people of several lakhs of rupees by making use of their credit card details.

Rao’s case was detected in March last year but till date, the website (irctc.co.in) does not have enough security measures to prevent misuse of credit card details.

This despite the fact that similar cases were detected in Delhi, Lucknow, and Mumbai apart from Hyderabad. Total nine persons have been booked by the CBI so far.

"The names of two more persons indulging in this kind of fraud have also been given to the CBI officials for necessary action," the IRCTC managing director said.

As of now, when credit card details are entered in the website the payment gateway of the bank mechanically verifies only the card number, expiry date, and amount available.


IRCTC joint general manager of railway ticketing J Vinayan said in the wake of online frauds, the IRCTC had asked the two network service providers Visa and Master Card for additional security features to prevent the misuse. All credit cards of banks are networked on either Visa or Mastercard or both.

Following this, a security feature called ‘Verified by Visa’ was introduced from February 15 this%2

Call centers identity theft

All this security is just eyewash. How could Mphasis happen after this? Every day over 200 cyber security incidents take place in India and nobody is ever convicted.

Outsourcing: Fortress India?
Call centers and credit-card processors are tightening security to ease U.S. and European fears of identity theft

A line of neatly dressed workers files into the Golden Millennium, a shimmering glass-and-steel building in central Bangalore. One by one, they swipe ID cards through a reader, then empty their pockets and bags and stuff cell phones, PDAs, and even pens and notebooks into lockers as a dour security guard watches. Staffers ending their shifts, meanwhile, are busy shredding notes of conversations with customers. At the reception desk, visitors sign a daunting four-page form promising not to divulge anything they see inside -- and even then are only allowed to peer into the workspace through thick windows.

A top-secret military contractor? Hardly. This is one of four call centers run by ICICI OneSource, which employs 4,000 young Indians to process credit-card bills and make telemarketing calls for big U.S. and European banks, insurers, and retailers. And ICICI isn't the only outsourcing company worried about security. Call center operators such as Mphasis BFL, Wipro Spectramind, and 24/7 Customer, as well as back-office subsidiaries of companies such as General Electric, are quickly adding state-of-the-art systems to monitor phone conversations, guard data, and watch workers' every move.

Why the extreme caution? After rushing to shift telemarketing and back-office work to India in recent years to tap low wages, U.S. and European companies are under growing pressure from regulators and legislators to guarantee the privacy of their customers' financial and health-care data. India's $3.6 billion business-process services industry is eager to defuse the issue. When the backlash against offshore outsourcing erupted last year, opponents first focused on curbing government contracts and temporary U.S. work visas for foreign tech workers. Now security and privacy fears have become the hot excuses "for new barriers to trade in services and information technology," says Jerry Rao, chairman of the National Association of Service & Software Cos. (Nasscom), India's IT trade group.

PENDING LEGISLATION
Today 186 bills that aim to limit offshore outsourcing are pending in the U.S. Congress and 40 state legislatures. Dozens of those involve restrictions on transmission of data. For example, the SAFE ID Act, sponsored by Senator Hillary Clinton (D-N.Y.), and a similar House bill by Representative Edward J. Markey (D-Mass.), would require businesses to notify U.S. consumers before sending personal information overseas -- and would bar companies from denying service or charging a higher price if customers balk. Although no such bills have been enacted so far, "next year I think all of this legislation will be back and spike up again as a huge issue," especially if the U.S. recovery stalls, says R. Bruce Josten, a U.S. Chamber of Commerce executive vice-president who helped industry fight the legislation.

Identity theft and credit-card fraud are huge problems globally. There's little evidence, though, to suggest consumer data are at any greater risk in India than in the U.S. Sure, India's privacy laws aren't as stringent as in the West. But most highly sensitive data belonging to U.S. or European companies are stored on their own servers at home, with access from India tightly controlled. If an American is defrauded, the U.S. company that farmed out the work is legally responsible. Indian call centers, meanwhile, sign their contracts in the U.S. and can thus be sued there by their corporate customers. What's more, there is only one known case of fraud. Last year a programmer for India's Geometric Software Solutions Co. tried to sell a U.S. client's intellectual property. He was arrested and is awaiting trial in India.

Still, given the charged emotions over outsourcing, India's IT industry knows even a few incidents will generate devastating publicity. So call centers like Mphasis BFL Ltd., which employs 6,000 workers performing sensitive tasks such as processing personal tax returns and credit-card statements for U.S. clients, are leaving little to chance. If the U.S. company prefers, consumers' names, Social Security numbers, and credit-card numbers can be masked. Computer terminals at Mphasis lack hard drives, e-mail, CD-ROM drives, or other ways to store, copy, or forward data. Indian accountants only view data from U.S. servers for specific tasks. Video cameras watch over the sea of cubicles. Every phone conversation is recorded and can be monitored on a system installed by Melville (N.Y.)-based Verint Systems Inc. And since data theft is often committed by disgruntled former employees, Mphasis can lock a staffer out and cut access to PCs and phones three minutes after a resignation. A year ago that process took three days. "Fears about identity theft can be aggravated when people learn their data are in a foreign country," says Mphasis Vice-Chairman Jeroen Tas. "So we feel it is better to address these concerns up front."

Such precautions don't come cheap. It costs about $1,000 per worker to install the Verint system that records, stores, and analyzes voice conversations. Yet Verint has signed up 100 local and multinational centers in India. "There has been a big push in the past year or so as the competition focuses more on quality," says Mariann McDonagh, Verint's vice-president for global marketing. Indian centers also pay up to $300 per worker for background checks, a big expense given their explosive growth and high attrition rates. It's also cumbersome: Due to India's lack of online databases, verifying education and work experience can take weeks.

But while security practices in India now match or surpass those at most U.S. call centers, the legal system still needs work. Indian law on computer hacking inside companies is fuzzy, and privacy enforcement is weak. India's IT industry is addressing those vulnerabilities. Nasscom is working with the government to bring India's data-privacy laws more in line with the U.S. And it intends to have the security practices of all its 860 members audited by international accounting firms. Nasscom has helped Bombay's police department set up a cybercrime unit, training officers to investigate data theft. Similar units are planned in nine other cities. India's goal, says Nasscom Vice-President Sunil Mehta, is "to have the best data-security provisions and be a trusted sourcing destination."

Given the ingenuity of today's cyberscammers, some embarrassing incident seems inevitable. But India's IT-services industry is determined to show that the world's financial and health secrets are as safe in Bangalore as they are anywhere.

By Pete Engardio in New York, with Josey Puliyenthuruthel in Bangalore and Manjeet Kripalani in Bombay

Hacked credit card numbers on-line

Hacked credit card numbers

Hackers are finding ways to use search engines and chatrooms to turn up credit card numbers, owners' addresses and online transactions

By Ho Ka Wei, Straits Times 30 Jul 2003

SEARCH engines can give a Web user more information than he needs.

With certain keywords, queries could throw up volumes on online transactions, credit card numbers, orders and customer addresses.

To prove this point, Mr Ravi Kiran Raju Yerra, principal consultant of Network Security Solutions in India - who spoke about online credit card fraud at the Information Security World Asia conference here recently - showed data he retrieved from the Web.

He said search engines should be fine-tuned so that they do not seek out such strings, or search keywords.

Mr Ravi, a certified 'ethical hacker' - one who is tasked by an organisation to test its network's vulnerability by penetrating it - managed to access the valuable information from a client he was working for.

He made the point to drive home to online businesses that they need to be more aware of gaps in security that can be exploited by hackers.

But while drawing credit card information from some merchant websites can be done through a simple online search at times - and only by very sophisticated hackers - Mr Ravi said it is generally difficult to get information because credit card companies do have hardy systems.

For instance, he said the toughest system he has had to crack so far was a card company's system - it took him 180 days of continuous research to break into.

But the crooks are getting more sophisticated, he cautioned.

According to a report this month by the Honeynet Project, a grouping of online security experts, the Internet Relay Chat (IRC) now plays an instrumental role in online credit card fraud.

The Honeynet Project studies the behaviour of malicious hackers, by setting up easy-to-infiltrate systems in order to identify intrusion methods.

IRC channels have always been fertile ground for illicit activities, but 'carders' - people who crack into such databases - have grown sophisticated and are using programs from IRC channels to sniff out vital information, according to the report.

Mr Ravi explained that these programs are linked to the merchant sites that facilitate transactions between the online store and the bank.

In other words, they open a gateway to a repository of information.

'Stop such channels in IRC servers or keep a close watch on such channels,' said Mr Ravi, who also researches credit card fraud and prevention at the Centre for Information and Network Security at the University of Pune in India.

He called for more counter-measures against online fraud to identify the new technologies being used by hackers.

According to him, most online credit card fraud happens in South-east Asia, Eastern Europe and Russia.

'But attacks happen wherever hackers find a weak link in the system,' he added.

IT offence is State subject

Declare cyber crime a federal offence: Sodhi

By Our Staff Reporter (source: "The Hindu" newspaper website)

BANGALORE, JAN. 30 2005. Cyber crimes must be declared as "federal crimes" and "included in List 1 (Union List) of the Seventh Schedule of the Constitution," the Chief Justice of the Karnataka High Court, N.K. Sodhi, has said.

If this is done, cyber crime will then be brought under the purview of Article 246 (1) of the Constitution.

At the valedictory session of a three-day international seminar on `Information Technology Law and Governance' here on Sunday, Mr. Sodhi called the IT Act of 2000, "highly inadequate" as it was silent on cyber crime.

Articles 245 to 254 of the Constitution deal with the distribution of legislative powers between the Union and the States. Article 246 says Parliament has "exclusive powers to make laws" with respect to any matter detailed in List 1 of the Seventh Schedule of the Constitution.

Cyber terrorists, Mr. Sodhi said, need no weapons and can remain anonymous. They can hack into a hospital network to alter patients' prescriptions and kill them or gain access to an airport's computer system and, by simply changing a decimal point, vary the altitude of aircraft causing them to collide.

Information technology can speed up work in the judiciary, he said. The United States, Singapore, Australia, and the United Kingdom use IT extensively. In Andhra Pradesh, he said, undertrials are produced before magistrates using video links. "This brings in transparency and accountability," he said.

Reasons

At an earlier session on cyber crime, N. Balakrishnan from the Super Computer Education and Research Centre at the Indian Institute of Science, said cyber crime — tax evasion, cheating on the Net, identity theft, child pornography and so on — caused a loss of $ 50 billion annually.

His department has analysed the reasons for cyber crime.

"In India, it is politically motivated while globally, politics is the last motivation for such crimes," he said.

K.T.S. Tulsi, senior advocate, stressed that laws by themselves will not work if the district magistrates and police officers are not trained to deal with cyber crime.

Sometimes laws also blocked new technology such as Voice Over Internet Protocol (VOIP) which is hailed in the West. "Those who use it here are being prosecuted," he said.

Mr. Tulsi also described the arrest of the Bazee.com Chief Executive Officer, Avnish Bajaj, in connection with the Delhi Public School `MMS case' as illegal.

A.K. Ganguli, another senior advocate, wanted a regulatory body to monitor data on the Net.

Fali S. Nariman, president of the Bar Association of India, presided over the session.

Santosh N. Hegde, judge of the Supreme Court, Mohan Parasaran, Additional Solicitor-General, Paul Nemo, president of the conference organiser, Union Internationale des Avocats (UIA), and C. S. Vaidyanathan, national vice-president UIA, spoke.

PM's laptop is bugged says CIA.

A terrifying article. (Source: South Asia Tribune website)
Secret Indian Agencies Spying on Coalition Partners of Congress Government

By Arun Rajnath

NEW DELHI, May 18: Indian security agencies are not only spying on people suspected as threats to Indian internal and external security, they are also using an archaic law to spy on the political allies and partners in the ruling Congress coalition government, well informed sources of the Home Ministry have revealed.

The latest hi-tech method being used by these agencies is to hack into the computer systems and networks of political parties and install spyware programs which constantly monitor and relay critical data, a qualified source told the South Asia Tribune.

Their work has become easier as the government provides laptops to all the members of Parliament and the Secretariat of the Parliament provides computer training to all the MPs. But obviously most of them cannot understand the technology or the hidden secrets planted by hackers inside their computers.

Sources said recently one of the most dangerous spyware programs was detected in some of the systems provided to the politicians. When installed, this program sleeps undetected and can be activated by remote control whenever the computer is connected online. It can help the monitoring agency to even take control of the computer, if so desired.

Spying agents immediately get access to all files and folders from where they can copy all vital information, including documents, e-mail messages, e-mail addresses, Internet links, bank details, credit card details or anything stored in the computer.

Sources say only a few top authorized persons of the Government know about these condemnable activities as these agencies are not accountable to the Home Minister. They are directly under the control of the Prime Minister and report to his National Security Advisor.

While the United States put together its aggressive Patriot Act after 9/11, the Indians have had a highly intrusive piece of legislation for years to invade the privacy of its citizens and politicians.

The law which allows spying on innocent populace is the Indian Telegraph Act, which has not been amended to provide safeguards against misuse, but is being increasingly used even though the Government keeps harping on the theme of more rights for the people including obtaining information under the recently adopted Freedom of Information Act.

Home Ministry sources, talking to the South Asia Tribune about the use, and in many cases misuse, of the Telegraph Act, have been giving details of the many ways in which the agencies have been operating, including what was being done to infiltrate the journalists community or how the Sikh pilgrims to Pakistan were used for spying while visiting their holy sites in Pakistan.

These sources disclosed that under the Telegraph Act, one Indian sensitive agency was desperately searching for Indian journalists who could ‘legally infiltrate’ into Pakistan like these Sikh pilgrims. The agency also wants to employ journalists who could project the Indian point of view in the international media.

The Indian Telegraph Act empowers the sensitive agencies to monitor communications, record conversations, intercept postal mail usually from Pakistan to India and vice versa, of any ordinary citizen on the pretext of internal and national security.

According to a rough estimate, about 10,000 letters are intercepted daily by these sensitive agencies across the country. All the telephonic conversations at civilian residences near sensitive areas, viz. cantonments, official bungalows, etc., are routinely monitored.

This job is being carried out by a sensitive agency that has a responsibility of internal security. This agency is located at the Sardar Patel Road in the Capital City of Delhi, and is directly accountable to the National Security Advisor of the Indian Prime Minister. This agency has the additional responsibility to keep vigil on all political parties, including the allies and partners in the ruling coalition.

The sources of the Home Ministry confided to this correspondent that every time Sikh pilgrims went to Pakistan to visit Panja Sahib or other religious places, the sensitive agencies used to send their agents with the Jatthas (groups) masquerading as pilgrims.

In past years, Sikh activists struggling for an independent state of Khalistan, routinely spoke to members of these Jatthas at the holy site of Panja Sahib. This was when the militancy in Indian Punjab was at its peak. This practice started during the regime of Prime Minister Indira Gandhi. Agents also kept an eye on their fellow pilgrims to find out who was meeting whom during their visits to Pakistan.

The agency is now trying to hire local journalists who could project their viewpoint in international media and who could be sent to Pakistan and other targeted countries on personal visits or with the delegations.

This was revealed when a Delhi based journalist received a call from a so-called Media Cell of the Home Ministry. The caller appreciated his write-ups and expressed the wish to meet him. The journalist was taken aback as no one had given his numbers to the caller. The journalist scanned his computer system and found a spyware secretly installed.

He decided to meet the person who had called him from the so-called Media Cell. The agent urged him to publish anti-Pakistan news that would be supplied to him. If he agreed, the journalist was offered foreign tours along with the Prime Minister. The journalist, who also contributes to a newspaper published from a Gulf country, was also offered a monthly payment ranging from Rs3200 to Rs10,000.

An amateur's take on the Information Technology Act

It seems the author of this article has a passing knowledge of the IT ACT and IPC.


Sunil J Thacker reflects on the task before the judiciary to make up for the lacunas in the Indian IT Act (Source: Lawyers Collective website)

Accessing one's mail without his/her consent, understanding his personal data and later forwarding it to other(s) would amount to infringement of privacy under the Information Technology Act, 2000 (IT Act) or would attract a suit for defamation under Indian Penal Code, 1980 (IPC).

The Cyber Industry has long talked of self-regulations, but has failed to check the abuse and violation of individual privacy. And now it is in the hands of judiciary to take into account the importance, vitality and significance of privacy, not only for a citizen, but also for a netizen/netsurfer.

Section 43(a) of the IT Act reflects on the infringement of privacy, wherein a penalty of Rs. 1 Crore is attracted. However, where privacy has not merely been interrupted but has been leaked, it is tantamount to defamation and hence Section 499 of the IPC is attracted. No man has the right to disparage or destroy the reputation of another. Conversely, every person has a right to have his good name maintained.

The Indian IT Act is full of discrepancies and lacunas. It may be noted that, although the Act has been enacted, terms used daily by a netsurfer, such as password, e-mail, web page and the like, are not defined under the Act.

In an interesting case, a person had logged on to the net and chatted using a lady's name without her consent, after she had logged off, and forwarded her telephone numbers and allied details to people who were logged on to the net at that time. This made the lady's life miserable, as she had to attend to crank calls at any time. She lodged a complaint against that person. But the case was filed under the IPC and not under the IT Act, although the provisions of the IT Act were clearly violated.

Further, regarding dealing with passwords, it is interesting to note that one might also take the plea that it was not he who interrupted the privacy of another, but that the password was in fact in the memory of the computer. It may be noted that, many times, the password is retained by means of a check-box that is normally below the password field, and such technicalities are in real life hard to evaluate and assess.

[Illustration: login form with User Name and Password fields]

Again the question would arise: How would one prove that it was the accused, who has breached the privacy? In many instances, there is no proof that such an act infringed the privacy. But if such alleged act amounts to defamation, one can move the court in that regard under the purview of Section 499 of the IPC.

Further, though the IPC is amended with respect to the IT Act, the question would arise as to whether anything in the context of e-mail falls under the purview of Section 499 of the IPC. In my opinion, yes, as Section 499 clearly states "Whoever by words either spoken or intended to be read, by signs or by visible representations, makes or publishes any imputation concerning any person intending to harm, or knowing or having reason to believe that such imputation will harm, the reputation of such person, is said, except in the cases hereinafter excepted, to defame that person." Further, the facts of every case have to be examined very carefully as to whether or not one can claim protection or file a suit under the exceptions provided in the said section, which,

1. relates to imputation made/done for public good

2. reflects acts done in good faith

3. refers to conduct with respect to Public good

4. with respect to Justice of peace making inquiry in Court.

5. deals with cases decided, be it Civil or Criminal by Courts of Justice

6. with respect to judgment of public, character of authorities

7. It emits act of imputation committed on basis of authority contended by law or lawful contracts in good faith

However, as the IT Act is yet emerging, the party so defamed due to such violation of its privacy can either claim damages of 1 Crore under Section 43 of the IT Act, or can move the court for defamation. In cases of defamation, the Courts have to consider the following aspects to assess damages, namely the conduct of the Plaintiff, position and standing, the nature of libel, absence or refusal of any apology and the whole conduct of Plaintiff from date of publication to the date of decree.

In a recent case of Vivek Goenka and Others v YR Patil, 2000 7 SC 468, the court has held that it will be for the accused to prove that he was protected by the exceptions laid down in Section 499 of the IPC. A civil action in defamation should be based on `Justice, Equity and Good Conscience', and as the same is not a codified law, the terms are to be interpreted accordingly.

Similarly, an issue would arise for every legal professional as to whether opening a website/web page would amount to professional misconduct. This has been a recent moot issue. I would like to bring it to the attention of readers in the following passage.

Firstly, professionals do provide their information in the Yellow Pages, and instances have come to my notice where certain advertisements reflect areas of specialization (which is clearly violative of the Professional Conduct and Code of Etiquette), but such a mode of communication has been accepted today. Secondly, with reference to providing information on the net, unless and until one informs another about his/her website, it does not amount to professional misconduct. To put it in technical terms, unless there is a hyperlink one cannot access the site. To cite an example, Mr A, a practising legal professional, opens a web page and links his website to the website of Mr B, his friend, who deals in cosmetics. In this case, anyone who accesses the website of Mr B automatically gets linked to the website of Mr A. If such a hyperlink exists, it is gross misconduct.

It is also interesting to note that due to the introduction of the Internet and the IT Act, serious amendments have been made in the Code of Criminal Procedure, 1973, the Indian Penal Code, 1980, the Indian Evidence Act, 1872, and the Banking Regulation Act, 1949, but no Act for professionals like Chartered Accountants, Company Secretaries or Lawyers has been introduced.

Now a question would arise: what if an Indian legal professional develops his website in the United Kingdom (UK) and registers the same in Sri Lanka? Once the site is on the air, it can be accessed by anyone throughout the globe. In this case, even if such a hyperlink were provided, would it amount to professional misconduct? This issue would be dealt with by taking into account, firstly, whether the aforesaid two countries permit the opening of such a web page in country A and registering it in country B, and secondly, whether any person of either of the two aforesaid countries is associated with such Indian in opening the web site.

And, how would one deal with Pornography? Taking the above example if Mr A (Indian) with help of Mr B (European) opens a Porn site in UK (which is say, permitted there) and puts it on the net would he fall under the Indian IT Act?

These issues can be solved only in the courts and it is in the hands of panel of jury assessing such cases.

Conclusion:

There is an immediate and urgent need to curb crimes under the Information and Technology Act, which is possible not only by mere implementation but does need a sparkling change so that in the near future no person can take the lacuna of the aforesaid act in any manner whatsoever.

Sunil J Thacker is a Practicing Tax Consultant at Mumbai

Adjudication proceedings Information Technology Act

A Good Article from Asian School of Cyber laws website on Adjudicating proceedings under Chapter IX of the IT ACT 2000.

Cyber Crimes - adjudication issues (source Asian School of Cyber Laws website)

1. Offences under Chapter XI of the Information Technology Act

Offences under Chapter XI of the Information Technology Act will be tried as per the provisions of the Criminal Procedure Code. The table below enumerates the various offences under the Information Technology Act and the courts by which they are triable. (JMFC stands for Judicial Magistrate First Class.)

Section | Court triable | Offence
65 | JMFC |
66 | JMFC | Hacking with computer system
67 | JMFC | Publishing information which is obscene in electronic form
67 | Court of Session | Publishing information which is obscene in electronic form (subsequent offence)
68 | JMFC | Failure to comply with directions of Controller
69 | JMFC | Failure to assist in decryption of information
70 | Court of Session | Securing or attempting to secure access to protected system
71 | Any magistrate | Misrepresentation
72 | Any magistrate | Breach of confidentiality and privacy
73 | Any magistrate | Publishing false Digital Signature Certificate
74 | Any magistrate | Publishing Digital Signature Certificate for fraudulent purposes

2. Offences under the Indian Penal Code

Cyber crimes under the Indian Penal Code will be tried as per the provisions of the Criminal Procedure Code. The table below enumerates the various cyber crimes under the Information Technology Act and the courts by which they are triable. (JMFC stands for Judicial Magistrate First Class.)

Offence | Section of Indian Penal Code | By what Court triable
Public servant framing an incorrect electronic record with intent to cause injury | 167 | JMFC
Absconding to avoid service of summons to produce electronic record | 172 | Any magistrate
Preventing service of summons or preventing publication of summons | 173 | Any magistrate
Intentional omission to produce electronic record | 175 | Triable in the Court that issued the summons or order to produce the document. In other cases it is triable by any magistrate
Fabricating false electronic evidence | 192 (punishable under 193) | If committed for using evidence before a judicial proceeding then it is triable by a JMFC. Otherwise any magistrate can try it.
Destroying of electronic record to prevent its production as evidence | 204 | JMFC
Forgery of record of Court or of public register, etc. | 466 | JMFC
Forgery for the purpose of cheating | 468 | JMFC
Forgery for the purpose of defamation | 469 | JMFC
Using as genuine a forged document | 471 | JMFC
Knowingly possessing a forged document | 474 | JMFC
Counterfeiting authentication marks or devices | 476 | JMFC
Falsifying accounts | 477A | JMFC

3. Contraventions of Chapter IX of the IT Act

Adjudicating officer

The first authority that has jurisdiction to try a contravention of Chapter IX is the Adjudicating Officer. Section 46(1) reads as under:

For the purpose of adjudging under this Chapter whether any person has committed a contravention of any of the provisions of this Act or of any rule, regulation, direction or order made thereunder the Central Government shall, subject to the provisions of sub-section (3), appoint any officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government to be an adjudicating officer for holding an inquiry in the manner prescribed by the Central Government.

The Central Government has been empowered by this sub-section to appoint any officer not below the rank of a Director to the Government of India or an equivalent officer of the State Government to be an Adjudicating Officer.

Section 46(2) stipulates that the Adjudicating Officer is required to give reasonable opportunity to the contravener, which may be in the nature of a notice stating clearly the charges against the contravener, so that, he gets the opportunity to defend himself against the allegation levelled against him. Non-compliance with this rule would vitiate the order of the Adjudicating Officer. The Adjudicating Officer may after considering the reply of the contravener pass an order as to compensation.

Section 46(2) reads as under.

The adjudicating officer shall, after giving the person referred to in sub-section (1) a reasonable opportunity for making representation in the matter and if, on such inquiry, he is satisfied that the person has committed the contravention, he may impose such penalty or award such compensation as he thinks fit in accordance with the provisions of that section.

Reasonable opportunity is one of the basic principles of natural justice, which is embodied in the maxim "Audi Alteram Partem" (hear both sides).

The Adjudicating Officer has been empowered to award compensation in accordance with the provisions of the section and the contravention committed after holding due inquiry of the alleged contravention. The compensation will be awarded in the following manner - as he thinks fit, after giving the person a reasonable opportunity for making representation, being satisfied about the contravention.

The Legislators have been wise enough, and with the objective that any such "satisfaction", as provided in the preceding subsection will not cause any prejudice or unnecessary hardship to the offender, have made it mandatory that, the Adjudicating Officer should possess necessary experience in the field of Information Technology, only then will he be able to do justice to the nature of disputes arising before him. Now it becomes necessary for us to know the factors, which will determine the adjudication of penalty.

The expression "as he thinks fit", gives the impression that it has given the adjudicating officer discretionary power with relation to penalty adjudication. However, it is limited by the fact that it has to be exercised in accordance with the provisions of the concerned section. Moreover, it has been established by judicial precedents that discretionary power has to be just and equitable in accordance with the facts and circumstances of the case.

The Adjudicating Officer has to be satisfied that the contravention has been committed on the basis of the material placed before him. It is important to note here that such satisfaction has to be based on material facts. The Adjudicating Officer is required to apply his mind before making any order.

Section 46(3) stipulates that the adjudicating officer has to possess the prescribed experience in the field of Information Technology and Law. Section 46(3) reads as under.

No person shall be appointed as an adjudicating officer unless he possesses such experience in the field of Information Technology and legal or judicial experience as may be prescribed by the Central Government.

Section 46(4) provides that the Central Government shall specify the territorial and other jurisdictions of the adjudicating officers. The sub-section reads as under.

Where more than one adjudicating officers are appointed, the Central Government shall specify by order the matters and places with respect to which such officers shall exercise their jurisdiction.

The procedure to be followed by the adjudicating officers is laid down in section 46(5). The sub-section reads as under.

Every adjudicating officer shall have the powers of a civil court which are conferred on the Cyber Appellate Tribunal under sub-section (2) of section 58, and-

a) all proceedings before it shall be deemed to be judicial proceedings within the meaning of sections 193 and 228 of the Indian Penal Code;

b) shall be deemed to be a civil court for the purposes of sections 345 and 346 of the Code of Criminal Procedure, 1973.

The Adjudicating Officer has been deemed to be a Civil Court for the purposes of Section 345 and Section 346 of the Criminal Procedure Code, 1973 and all the proceedings before him are judicial proceedings under the provisions of Section 193 and Section 228 of the Indian Penal Code.

Thus, the adjudicating officer is an Administrative Authority and all the proceedings before him will be quasi-judicial in nature. However, it is required of him that he acts judicially in respect of the basic principles of law.

The Act specifically empowers the Adjudicating Officer to hold due inquiry under Section 46 to determine the contravention. In course of inquiry and in accordance with the provisions of the Act, he is empowered in respect of the following matters:

i. Summoning and enforcing attendance of person
ii. Compelling the production of documents or electronic records
iii. Receiving evidence
iv. Issuing commission
v. Giving ex parte decisions
vi. Dismissing the application

Section 47 enumerates the factors to be considered by the Adjudicating Officer, to estimate the amount of compensation.

The section reads as under.

47. Factors to be taken into account by the adjudicating officer.

While adjudging the quantum of compensation under this Chapter, the adjudicating officer shall have due regard to the following factors, namely: -

(a) The amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;

(b) The amount of loss caused to any person as a result of the default;

(c) The repetitive nature of the default

Let us try to understand this section in detail. The expression "have due regard" seems to mean that the factors contained in the section will not have binding efficacy on the Adjudicating Officer but will exist as guidelines or directives while making an assessment of the quantum of the damage.

The expression "unfair advantage" will include not only unfair advantage in terms of money but also any improvement and advantage the offender has made thereafter. This is based on the basic principle of law that whatever has been gained by wrongful conduct must be restored.

The expression "loss caused" necessarily mandates a relationship between the loss caused and the default, i.e. the loss-causing factor. The degree of relationship, however, has not been explained and it is left to the Adjudicating Officer to determine the required standard. However, loss as a natural and necessary consequence of the alleged act has to be considered. The term "loss" in this section signifies injury or damages in pecuniary terms, e.g. loss in trade; therefore the Adjudicating Officer will be required to put the person who has suffered loss in nearly the same position as if he had not been injured.

"Repetitive nature" is the last guiding factor which has to be taken into account by the Adjudicating Officer in quantifying the damage. Repetitive basically means an act which is done over and over again or is caused several times on its own due to certain features in it.

Cyber Regulations Appellate Tribunal

Section 57 relates to an appeal to the Tribunal.

57. Appeal to Cyber Appellate Tribunal.

(1) Save as provided in sub-section (2), any person aggrieved by an order made by Controller or an adjudicating officer under this Act may prefer an appeal to a Cyber Appellate Tribunal having jurisdiction in the matter.

(2) No appeal shall lie to the Cyber Appellate Tribunal from an order made by an adjudicating officer with the consent of the parties.

(3) Every appeal under sub-section (1) shall be filed within a period of forty-five days from the date on which a copy of the order made by the Controller or the adjudicating officer is received by the person aggrieved and it shall be in such form and be accompanied by such fee as may be prescribed:

Provided that the Cyber Appellate Tribunal may entertain an appeal after the expiry of the said period of forty-five days if it is satisfied that there was sufficient cause for not filing it within that period.

(4) On receipt of an appeal under sub-section (1), the Cyber Appellate Tribunal may, after giving the parties to the appeal, an opportunity of being heard, pass such orders thereon as it thinks fit, confirming, modifying or setting aside the order appealed against.

(5) The Cyber Appellate Tribunal shall send a copy of every order made by it to the parties to the appeal and to the concerned Controller or adjudicating officer.

(6) The appeal filed before the Cyber Appellate Tribunal under sub-section (1) shall be dealt with by it as expeditiously as possible and endeavour shall be made by it to dispose of the appeal finally within six months from the date of receipt of the appeal.

A person aggrieved by an order made by the Controller or an adjudicating officer under the IT Act may prefer an appeal to a Tribunal having jurisdiction in the matter. No appeal lies to the Tribunal from an order made by an adjudicating officer with the consent of the parties.

The appeal is required to be filed within a period of forty-five days from the date on which the aggrieved person receives a copy of the order. It is required to be in form 1 of the Appellate Tribunal (Procedure) Rules, 2000 and be accompanied by a fee of Rupees two thousand. The Tribunal may entertain an appeal after the expiry of forty-five days if it is satisfied that there was sufficient cause for not filing it within that period.

On receipt of an appeal, the Tribunal may, after giving the parties to the appeal, an opportunity of being heard, pass such orders thereon as it thinks fit, confirming, modifying or setting aside the order appealed against. The Tribunal is required to send a copy of every order made by it to the parties to the appeal and to the Controller or concerned adjudicating officer.

The appeal filed before the Tribunal is to be dealt with expeditiously and endeavour will be made to dispose of the appeal finally within six months from the date of receipt of the appeal.

Section 48 empowers the Central Government to establish one or more Cyber Regulations Appellate Tribunals (hereinafter referred to as Tribunal). The Central Government is required to specify the matters and places in relation to which the Tribunal may exercise jurisdiction. Section 49 provides that a Tribunal is to consist of only one person, the Presiding Officer. He is to be appointed, by notification, by the Central Government.

Section 50 provides that only a person who is, has been or is qualified to be, a Judge of a High Court, or who is a member of the Indian Legal Service and is holding or has held a post in Grade I of that Service for at least three years, may be appointed as the Presiding Officer of the Tribunal.

Section 55 lays down that no order of the Central Government appointing any person as the Presiding Officer of a Tribunal can be called in question in any manner. It also provides that no act or proceeding before a Tribunal can be called in question in any manner on the ground merely of any defect in the constitution of a Tribunal.

Section 58 lays down the procedure and powers of the Tribunal. The Tribunal is not bound by the procedure laid down by the Code of Civil Procedure, 1908 but is to be guided by the principles of natural justice. The Tribunal is empowered to regulate its own procedure including the place at which it will hold its sittings.

The Tribunal has, for the purposes of discharging its functions under the IT Act, the same powers as are vested in a civil court under the Code of Civil Procedure, 1908, while trying a suit, in respect of the following matters:

i. Summoning and enforcing the attendance of any person and examining him on oath,
ii. Requiring the discovery and production of documents or other electronic records,
iii. Receiving evidence on affidavits,
iv. Issuing commissions for the examination of witnesses or documents,
v. Reviewing its decisions,
vi. Dismissing an application for default or deciding it ex parte,
vii. Any other matter, which may be prescribed.

Every proceeding before the Tribunal is deemed to be a judicial proceeding within the meaning of sections 193 and 228 of the Indian Penal Code (IPC) and for the purposes of section 196 of the IPC. The Tribunal is also deemed to be a civil court for the purposes of section 195 and Chapter XXVI of the Code of Criminal Procedure, 1973.

Section 59 provides for the right to legal representation. The appellant may either appear in person or authorize one or more legal practitioners or any of its officers to present his or its case before the Cyber Appellate Tribunal.

Section 60 provides that the provisions of the Limitation Act, 1963, will, as far as may be, apply to an appeal made to the Cyber Appellate Tribunal.

High court

Section 62 provides for an appeal by a person aggrieved by any decision or order of the Cyber Appellate Tribunal. Such an aggrieved person may file an appeal to the High Court within sixty days from the date of communication of the decision or order of the Cyber Appellate Tribunal to him. Such an appeal may be made on any question of fact or law arising out of such order.

The section also empowers the High Court to extend the period for filing an appeal by a further sixty days. However, in such cases, the High Court must be satisfied that the appellant was prevented by sufficient cause from filing the appeal within the initial period of 60 days.

Civil Courts

Section 61 debars the jurisdiction of the civil courts. This section provides that:

i. No court will have jurisdiction to entertain any suit or proceeding in respect of any matter which an adjudicating officer or the Cyber Regulations Appellate Tribunal is empowered by the IT Act, and

ii. No court may issue any injunction in respect of any action taken (or to be taken) in pursuance of any power conferred by the IT Act.

Miscellaneous provisions

Section 63 contains provisions relating to compounding (settling without going in for litigation) of contraventions. It empowers the Controller and the adjudicating officer to compound any contravention either before or after the institution of adjudication proceedings. The compounding may be subject to conditions as specified by the Controller or the adjudicating officer.

The section however warrants that the sum must not exceed the maximum amount of the penalty imposable under the IT Act for the compounded contravention. Once a contravention has been compounded, no proceeding or further proceeding can be conducted against the accused person.

This provision relating to compounding is not applicable to a person who commits the same or similar contravention within a period of three years from the date on which the first contravention, committed by him, was compounded. However, any second or subsequent contravention committed after the expiry of a period of three years from the date on which the contravention was previously compounded will be deemed to be a first contravention.

E.g. Aditya commits a breach of section 43(b) of the IT Act in 1992 and the contravention is compounded. If he contravenes the provision again in 1994, then it cannot be compounded. However, if he contravenes the provision again in 1997, then such contravention can be compounded.

Section 64 provides that an unpaid penalty imposed under the IT Act can be recovered as an arrear of land revenue. It also provides for the suspension of the license or the Digital Signature Certificate, as the case may be, till the penalty is paid.

Provisions relating to recovery of arrears of land revenue are contained in local laws of Indian states. E.g. the Maharashtra Land Revenue Code, 1966 is the relevant law for the state of Maharashtra.

© 2004 Asian School of Cyber Laws. All Rights Reserved.