
1. What do you mean by Cyber Crime? Discuss the nature and types of Cyber Crime. What are the challenges before it?

CYBER CRIME

Cybercrime is any criminal activity that involves a computer, networked device or a network.
While most cybercrimes are carried out in order to generate profit for the cybercriminals, some
cybercrimes are carried out against computers or devices directly to damage or disable them,
while others use computers or networks to spread malware, illegal information, images or other
materials. Some cybercrimes do both -- i.e., target computers to infect them with a computer
virus, which is then spread to other machines and, sometimes, entire networks.

A primary effect of cybercrime is financial; cybercrime can include many different types of
profit-driven criminal activity, including ransomware attacks, email and internet fraud, and
identity fraud, as well as attempts to steal financial account, credit card or other payment card
information. Cybercriminals may also target an individual's private information, as well as
corporate data for theft and resale.

Definition of Cyber Crime

The U.S. Department of Justice (DOJ) divides cybercrime into three categories:

1. Crimes in which the computing device is the target -- for example, to gain network access;

2. Crimes in which the computer is used as a weapon -- for example, to launch a denial-of-
service (DoS) attack; and

3. Crimes in which the computer is used as an accessory to a crime -- for example, using a
computer to store illegally obtained data.

The Council of Europe Convention on Cybercrime, to which the United States is a signatory,
defines cybercrime as a wide range of malicious activities, including the illegal interception of
data, system interferences that compromise network integrity and availability, and copyright
infringements.

The ubiquity of internet connectivity has enabled an increase in the volume and pace of
cybercrime activities because the criminal no longer needs to be physically present when
committing a crime. The internet's speed, convenience, anonymity and lack of borders make
computer-based variations of financial crimes -- such as ransomware, fraud and money
laundering, as well as crimes such as stalking and bullying -- easier to carry out.

Cybercriminal activity may be carried out by individuals or small groups with relatively little
technical skill or by highly organized global criminal groups that may include skilled developers
and others with relevant expertise. To further reduce the chances of detection and prosecution,
cybercriminals often choose to operate in countries with weak or nonexistent cybercrime laws.

NATURE OF CYBER CRIME

The term ‘cyber’ is derived from the word ‘cybernetics’ which means science of communication
and control over machine and man.

• Cyberspace is the new horizon which is controlled by machine for information and
communication between human beings across the world. Therefore, crimes committed in
cyberspace are to be treated as cyber crimes.

• In wider sense, cyber crime is a crime on the Internet which includes hacking, terrorism, fraud,
gambling, cyber stalking, cyber theft, cyber pornography, flowing of viruses etc.

• Cyber crime is a threat to national and international socio-economic, political and security
system.

• As a result of the development of technology, a new variety of crime called cyber crime has
emerged which is radically different from traditional crimes. There is no fort that cannot be
breached, and there is no computer that cannot be hacked: every system, every computer can be
hacked.

• There is nothing private in the cyber space: it is the end of privacy.

• Professor H.L.A. Hart in his classic work entitled ‘The Concept of Law’ has stated that human
beings are vulnerable to unlawful acts which are crimes and therefore, rules of law are required
to protect them against such acts. Applying the same analogy to cyberspace, the computer
systems despite being hi-tech devices, are extremely vulnerable.

The reasons for vulnerability of computers to cyber criminality may briefly be stated as follows:

• Huge data storage capacity

• Wider access to information

• Complexity of computer systems

• Negligence of network users

• Non-availability or loss of evidence

• Jurisdictional uncertainty

TYPES OF CYBER CRIME

There are many different types of cybercrime; most cybercrimes are carried out with the
expectation of financial gain by the attackers, though the ways cybercriminals aim to get paid
can vary. Some specific types of cybercrimes include the following:

Cyber Extortion: A crime involving an attack or threat of an attack coupled with a demand for
money to stop the attack. One form of cyber extortion is the ransomware attack, in which the
attacker gains access to an organization's systems and encrypts its documents and files --
anything of potential value -- making the data inaccessible until a ransom is paid, usually in
some form of cryptocurrency, such as bitcoin.

Crypto-jacking: An attack that uses scripts to mine cryptocurrencies within browsers without
the user's consent. Crypto-jacking attacks may involve loading cryptocurrency mining software
to the victim's system. However, many attacks depend on JavaScript code that does in-browser
mining if the user's browser has a tab or window open on the malicious site; no malware needs to
be installed as loading the affected page executes the in-browser mining code.

Identity theft: An attack that occurs when an individual accesses a computer to glean a user's
personal information, which they then use to steal that person's identity or access their valuable
accounts, such as banking and credit cards. Cybercriminals buy and sell identity information on
darknet markets, offering financial accounts, as well as other types of accounts, like video
streaming services, webmail, video and audio streaming, online auctions and more. Personal
health information is another frequent target for identity thieves.

Credit card fraud: An attack that occurs when hackers infiltrate retailers' systems to get the
credit card and/or banking information of their customers. Stolen payment cards can be bought
and sold in bulk on darknet markets, where hacking groups that have stolen mass quantities of
credit cards profit by selling to lower-level cybercriminals who profit through credit card fraud
against individual accounts.

Cyber Espionage: A crime involving a cybercriminal who hacks into systems or networks to
gain access to confidential information held by a government or other organization. Attacks may
be motivated by profit or by ideology. Cyber espionage activities can include every type of cyber
attack to gather, modify or destroy data, as well as using network-connected devices, like
webcams or closed-circuit TV (CCTV) cameras, to spy on a targeted individual or groups and
monitoring communications, including emails, text messages and instant messages.

Software Piracy: An attack that involves the unlawful copying, distribution and use of software
programs with the intention of commercial or personal use. Trademark violations, copyright
infringements and patent violations are often associated with this type of cybercrime.

Exit Scam: The dark web, not surprisingly, has given rise to the digital version of an old crime
known as the exit scam. In today's form, dark web administrators divert virtual currency held in
marketplace escrow accounts to their own accounts -- essentially, criminals stealing from other
criminals.

Cyber Stalking: This is a kind of online harassment wherein the victim is subjected to a barrage
of online messages and emails. In this case, these stalkers know their victims and instead of
offline stalking, they use the Internet to stalk. However, if they notice that cyber stalking is not
having the desired effect, they begin offline stalking along with cyber stalking to make the
victims’ lives more miserable.

Cyber Terrorism: Cyber terrorism is the use of the computer and internet to perform violent
acts that result in loss of life. This may include different types of activities, either by software or
hardware, for threatening the life of citizens. In general, cyber terrorism can be defined as an act of
terrorism committed through the use of cyberspace or computer resources.

Cyber Warfare: Cyber warfare is the use or targeting in a battle space or warfare context of
computers, online control systems and networks. It involves both offensive and defensive
operations concerning the threat of cyber attacks, espionage and sabotage.

CHALLENGES FACED BY CYBER CRIME:

There are many challenges in front of us in the fight against cyber crime. The major ones include:

• Lack of awareness and of a culture of cyber security, at the individual as well as the
organizational level.
• Lack of trained and qualified manpower to implement the countermeasures.
• No e-mail account policy, especially for the defense forces, police and security agency
personnel.
• Cyber attacks have come not only from terrorists but also from neighboring countries,
contrary to our national interests.
• The minimum eligibility to join the police does not include any knowledge of
computers, so that personnel are almost illiterate in cyber crime.
• The speed of change in cyber technology always beats the progress of the government sector, so that
it is not able to identify the origin of these cyber crimes.
• Promotion of research and development in ICTs is not up to the mark.
• Security forces and law enforcement personnel are not equipped to address high-tech
crimes.
• Present protocols, which identify the investigative responsibility for crimes that stretch
internationally, are not self-sufficient.
• Government budgets for security purposes, especially for the training of law
enforcement, security personnel and investigators in ICT, are lower than for other
crimes.

2. What do you understand by Digital Signature? Discuss the use of Digital Signature in E-Governance.

DIGITAL SIGNATURE

A digital signature is a mathematical scheme to verify the authenticity of digital documents or
messages. Also, a valid digital signature allows the recipient to trust the fact that a known sender
sent the message and it was not altered in transit. In this article, we will look at the sections of
the Information Technology Act, 2000 which deal with digital certificates.

Like written signatures, digital signatures provide authentication of the associated input or
messages. Further, digital signatures authenticate the source of messages like an electronic mail
or a contract in electronic form.

The three important features of digital signatures are:

• Authentication – They authenticate the source of messages. Since the ownership of a
digital certificate is bound to a specific user, the signature shows that the user sent it.
• Integrity – Sometimes, the sender and receiver of a message need an assurance that the
message was not altered during transmission. A digital certificate provides this feature.
• Non-Repudiation – A sender cannot deny sending a message which has a digital

According to the Information Technology Act, 2000, digital signatures mean
authentication of any electronic record by a subscriber by means of an electronic method
or procedure in accordance with the provisions of section 3. Further, the IT Act, 2000
deals with digital signatures under Sections 2, 3, and 15.

Section 2(1) (p)

According to Section 2(1) (p), digital signature means ‘authentication of any electronic record
using an electronic method or procedure in accordance with the provisions of Section 3‘.

Further, authentication is a process for confirming the identity of a person or proving the
integrity of information. Authenticating messages involves determining the source of the
message and verifying that it has not been altered or modified in transit.

Authentication Using Digital Signature

The authentication of the electronic record is done by creating a digital signature which is a
mathematical function of the message content. Such signatures are created and verified by
Cryptography, which is a branch of applied mathematics. It is used to secure the confidentiality
and authentication of the data by replacing it with a transformed version that can be reconverted
to reveal the original data only to someone who has the proper key.

A key is a sequence of symbols that controls the operation of a cryptographic transformation.

It involves two processes which are as follows.

• Encryption: The process of transforming the plain message into a cipher text.
• Decryption: The reversal of cipher text into the original message.

Asymmetric Encryption

Can only be decrypted using a publicly available key known as the ‘Public Key’ provided by the
sender. The procedure is provided under Section 2(1)(f) of the Information Technology Act, 2000.
Under this system, there is a pair of keys, a private key known only to the sender and a public
key known only to the receivers.

The message is encrypted by the private key of the sender; decryption, on the other hand, can be
done by anyone who has the public key. It depicts the authenticity of the sender. It is also
known as the ‘principle of irreversibility’ i.e. the public key of the sender is known to many
users, but they do not have access to the private key of the sender which bars them from forging
the digital signature.

Symmetric Encryption

There is only a single key known to both the sender and the receiver. Under this system, the
secret key or the private key is known to the sender and the legitimate user. This secret key is
used for both encryption and decryption of the message. The only drawback of this symmetric
encryption is that as the number of pairs of users increases, it becomes difficult to keep track of
the secret keys used.

Benefits of Digital Signature

• Authenticity.
• Non-deniability.
• The message cannot be altered during transmission.

The process followed for the creation of digital signature

• Firstly, a person needs to get a Digital Signature Certificate from the Certifying
Authorities. After that, the following process is followed:
• The original message of the sender is demarcated in order to get the message digest, with
the help of the hash function.
• Then the private key is used to encrypt the message digest.
• The encrypted message digest becomes the digital signature by using the signature
function.
• The digital signature is then attached to the original data.
• Two things are transmitted to the recipient:
  o The original message
  o The digital signature

Rule 4 of the Information Technology (Certifying Authorities) Rules, 2000, explains the
procedure of digital signature as:

• To sign an electronic record or any other item of information, the signer first applies the
hash function in the signer’s software. A hash function is a function which is used to map
data of arbitrary size onto data of a fixed size. The values returned by a hash function are
called hash values, hash codes, digests, or simply hashes.
• The hash function computes a hash result of standard length, which is unique to the
electronic record.
• The signer’s software transforms the hash result into a Digital Signature using the
signer’s private key.
• The resulting Digital Signature is unique to both the electronic record and the private key which
is used to create it.
• The Digital Signature is attached to its electronic record and stored or transmitted with its
electronic record.

Verification of Digital Signature

• The recipient receives the original message and the digital signature. After this, there are
two steps which need to be followed:
• A new message digest is recovered from the original message by applying the hash function.
• The signer’s public key is applied to the digital signature received by the recipient and
another message digest is recovered as the outcome of it.
• If both the message digests are identical, it means that the message is not altered.

Rule 5 of the Information Technology (Certifying Authorities) Rules, 2000, explains the method
of verification of digital signature as:
The verification of a Digital Signature shall be accomplished by computing a new hash result of
the original electronic record by means of a hash function which is used to create a Digital
Signature and by using the public key and the new hash result.
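
The creation steps of Rule 4 and the verification steps of Rule 5, carried through in code. This is an added example, not part of the original notes or of any Certifying Authority's software. It assumes SHA-256 as the hash function and RSA with PKCS #1 v1.5 encoding as the signature function (the notes name neither), and it uses a constructed demonstration key built from publicly known primes.

```python
import hashlib
import hmac

# Constructed demonstration key pair. P and Q are publicly known Mersenne
# primes, so anyone can factor N: this key illustrates the steps only.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # modulus, part of the public key
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held by the signer
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# ASN.1 DigestInfo header that labels the digest as SHA-256 (RFC 8017, 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode_digest(record: bytes) -> bytes:
    """Hash the record and pad the digest to the modulus length."""
    digest = hashlib.sha256(record).digest()       # fixed-length hash result
    t = SHA256_PREFIX + digest
    padding = b"\xff" * (K - len(t) - 3)
    return b"\x00\x01" + padding + b"\x00" + t


def sign(record: bytes) -> bytes:
    """Signer: transform the hash result with the private key."""
    em = int.from_bytes(encode_digest(record), "big")
    return pow(em, D, N).to_bytes(K, "big")


def verify(record: bytes, signature: bytes) -> bool:
    """Recipient: recompute the hash result and compare it with the value
    recovered from the signature using the signer's public key."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    expected = encode_digest(record)
    # Compare the whole encoded block in constant time, not just the digest,
    # so malformed padding is rejected as well.
    return hmac.compare_digest(recovered, expected)


def demo():
    """Returns (genuine record, altered record, altered signature) results."""
    record = b"Tender bid no. 17: amount Rs. 4,50,000"   # constructed sample
    signature = sign(record)
    altered_record = record.replace(b"4,50,000", b"9,50,000")
    altered_signature = signature[:-1] + bytes([signature[-1] ^ 0x01])
    return (
        verify(record, signature),
        verify(altered_record, signature),
        verify(record, altered_signature),
    )


if __name__ == "__main__":
    print(demo())
```

Only the holder of the private exponent can produce a signature that passes `verify`, while anyone holding the public values `N` and `E` can check it; changing a single character of the record or a single bit of the signature makes verification fail.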

Problems with Digital Signature

• It functions online. Therefore, it has to be either purchased or downloaded.
• It lacks trust and authenticity.

Digital Signature Certificate (DSC)

DSC is a method to prove the authenticity of an electronic document. It can be presented
electronically to prove the identity, to access information or sign certain documents digitally.

The Central Government has appointed a Controller of Certifying Authorities who grants a
license to the Certifying Authorities to issue digital signature certificates to the subscriber.

Who needs a DSC?

• A vendor and a bidder
• A Chartered Accountant
• Banks
• Director of a company
• A Company Secretary
• Other Authorized Signatories

Elements of Digital Certificate

• Owner’s public key.
• Owner’s name.
• The expiration date of the public key.
• Name of the issuer.
• Serial number of the certificate.
• A digital signature of the user.

Types of Certificate

• Only Sign – It can only be used for signing a document. It is widely used in signing
PDF files for the purpose of filing tax returns, or for usage as an attachment for the Ministry
of Corporate Affairs or other government websites.
• Encrypt – It is used to encrypt a particular document. It is popularly used in tender portals
to help a company encrypt a document before uploading it.
• Sign along with Encryption – It is used for both signing and encrypting a particular
document.

Validity

• The DSC is valid up to a maximum period of three years.

DSC under the Information Technology Act, 2000

• Section 35: Any person who wishes to get a Digital Signature Certificate may file an
application to the certifying authority for issuance of the Electronic Certificate along with
the submission of the required amount of fees not exceeding Rs. 25,000, including a
statement of certification practice or stating such particulars as prescribed.
• Section 36: Representations upon issuance of the DSC.
• Section 37: Suspension in public interest, not more than 15 days, unless given the
opportunity to present the case.
• Section 38: Revocation on death or request of a subscriber, dissolution of a company or a
firm.

Legal Approach and Digital Signature

The provisions of Information Technology Act, 2000 are based on the UNCITRAL’s Model Law
on E-Commerce. The Model Law is based on the minimalist neutral approach, i.e. with the
changes in technology the law will remain neutral, as technology is dynamic in nature and comes
in the public domain with a lot of advancement with the passage of time, and it will not be
feasible for the legislators to keep on changing the laws dealing with the technology.

According to Article 7 of the UNCITRAL model, there ought to be a signature of a person while
contracting using the electronic means, for which any technology can be used. It has to be
ensured that the sender can be identified and he has given his consent to the message. The same
‘technology neutrality’ approach has also been ratified by the Amendment Act, 2008 of the
Information Technology Act, 2000, with the insertion of Section 3A.

USE OF DIGITAL SIGNATURE IN E-GOVERNANCE:

According to the World Bank, E-Governance is when government agencies use information and
communication technologies to transform relations with citizens, businesses, and other
government agencies. One of the prime objectives of the IT Act, 2000 is the promotion of
electronic governance. In this article, we will talk about electronic records and e-governance.

Provisions for e-governance under the IT Act, 2000

These are the provisions under the IT Act, 2000 in the context of e-governance:

1. Legal Recognition of Electronic Records (Section 4)

Certain laws require the matter to be written, typewritten, or printed. In the case of such a law,
the requirement is satisfied if the information is rendered or made available in an electronic form
and is also accessible for subsequent reference.

2. Legal recognition of digital signatures (Section 5)

The law requires a person’s signature to authenticate some information or a document.
Notwithstanding anything contained in such law, if the person authenticates it with a digital
signature in a manner that the Central Government prescribes, then he satisfies the requirement
of the law.

For the purpose of understanding this, signature means a person affixing his handwritten
signature or a similar mark on the document.

3. Use of electronic records and digital signatures in Government and its agencies (Section 6)

(1) If any law provides for –

A. the filing of a form, application, or any document with any Government-owned or controlled
office, agency, body, or authority

B. the grant or issue of any license, sanction, permit or approval in a particular manner

C. also, the receipt or payment of money in a certain way

Then, notwithstanding anything contained in any other law in force, the requirement for such filing, grant, issue,
payment, or receipt is satisfied even if the person does it in an electronic form. The person needs
to ensure that he follows the Government-approved format.

(2) With respect to the sub-section (1), may prescribe:

A. The format and manner of filing, creating or issuing such electronic records

B. also, the manner and method of payment of any fees or charges for filing, creating or issuing
any such records

4. Retention of electronic records (Section 7)

(1) The law requires the retention of certain records, documents or information for a specific
period. In such cases, the requirement is also satisfied if the retention is in an electronic form,
provided:

A. the information contained therein is accessible and also usable for a subsequent reference.

B. the format of the electronic record is the same as the one originally created, received or sent.
Even if the format is changed, then it must accurately represent the original information.

C. the electronic record contains details to facilitate the identification of the origin, destination,
and also the date and time of the dispatch or receipt of the record.

This is provided that the clause does not apply to any information which is automatically
generated primarily for the purpose of enabling an electronic record for dispatch or receipt.

(2) Nothing in this section applies to any law which expressly provides for the retention of
records, documents or information electronically.

5. Publication of rules, regulations, etc., in Electronic Gazette (Section 8)

The law requires the publishing of official regulation, rule, by-law, notification or any other
matter in the Official Gazette. In such cases, the requirement is also satisfied if such rule,
regulation, order, bye-law, notification or any other matter is published in the Official Gazette or
Electronic Gazette.

However, the date of publication of the rule, regulation, by-law, notification or any other matter
is the date of the Gazette first published in any form – Official or Electronic.

6. Sections 6, 7 and 8 do not confer a right to insist that a document should be accepted in Electronic form (Section 9)

It is important to note that nothing contained in Sections 6, 7, and 8 confers a right upon any
person to insist on either the acceptance, issuance, creation or also retention of any document or a
monetary transaction in the electronic form from:

• Ministry or Department of the Central/State Government
• Also, any authority or body established under any law by the State/Central Government

7. Power to make rules by Central Government in respect of digital signature (Section 10)

The IT Act, 2000 empowers the Central Government to prescribe:

• Type of digital signature
• Also, the manner and format of affixing the digital signature
• Procedures which facilitate the identification of the person affixing the digital signature
• Control processes and procedures to ensure the integrity, security, and confidentiality of
electronic payments or records
• Further, any other matter which is legally important for digital signatures

Data Protection

Section 43A of the Information Technology Act, 2000:

This section applies where a body corporate which possesses, deals or handles any sensitive personal data or information in
a computer resource which it owns, controls or operates is negligent in implementing
and maintaining reasonable security practices and procedures, leading to a wrongful loss or gain
to a person.

In such cases, the body corporate is liable to pay damages by way of compensation. Further,
these damages cannot exceed five crore rupees.

Further, the Government of India notified the Information Technology (Reasonable security
practices and procedures and sensitive personal data or information) Rules, 2011, under section
43A of the IT Act, 2000. These rules specifically pertain to sensitive personal information or
data and are applicable to all body corporate within India.

3. Discuss the Powers and Functions of various authorities under the Information Technology Act, 2000.

The various authorities under Information Technology Act, 2000 are:

1) Controller of Certifying Authorities (CCA)

CCA is appointed by the Central Government under section 17 of the IT Act.

Some of the functions of CCA are –

• To exercise supervision over the activities of Certifying Authorities;

• To supervise public keys of the Certifying Authorities;

• To lay down the standards to be maintained by the Certifying Authorities;

• To specify the qualifications and experience which employees of the Certifying Authorities
should possess;

• To specify the conditions subject to which the Certifying Authorities shall conduct their
business;

1. Section 17 – Appointment of the Controller and other officers

• The Central Government may appoint a Controller of Certifying Authorities after notifying the
Official Gazette. They may also appoint Deputy Controllers and Assistant Controllers as it
deems fit.

• The Controller discharges his responsibilities subject to the general control and also directions
of the Central Government

• The Deputy Controllers and Assistant Controllers shall perform the functions assigned to them
by the Controller under the general superintendence and also control of the Controller.

• The qualifications, experience and terms and conditions of service of Controller, Deputy
Controllers, and Assistant Controllers shall be such as may be prescribed by the Central
Government.

• The Head Office and Branch Office of the office of the Controller shall be at such places as the
Central Government may specify, and these may be established at such places as the Central
Government may think fit.

• There shall be a seal of the Office of the Controller.

2. Functions of Controller (Section 18)

A Controller performs some or all of the following functions:

• Supervise the activities of the Certifying Authorities and also certify their public keys

• Lay down the standards that the Certifying Authorities follow

• Specify the following:

a. qualifications and also experience requirements of the employees of all Certifying Authorities

b. conditions that the Certifying Authorities must follow for conducting business

c. the content of the printed, written, and also visual materials and advertisements in respect of
the digital signature and the public key

d. the form and content of a digital signature certificate and the key

e. the form and manner in which the Certifying Authorities maintain accounts

f. terms and conditions for the appointment of auditors and their remuneration

• Facilitate the Certifying Authority to establish an electronic system, either solely or jointly with
other Certifying Authorities and its regulation

• Specify the manner in which the Certifying Authorities deal with the subscribers

• Resolve any conflict of interests between the Certifying Authorities and the subscribers

• Lay down the duties of the Certifying Authorities


• Maintain a database containing the disclosure record of every Certifying Authority with all the
details as per regulations. Further, this database is accessible to the public.

3. Recognition of Foreign Certifying Authority (Section 19)

• A Controller has the right to recognize any foreign certifying authority as a certifying authority
for the purpose of the IT Act, 2000. While this is subject to the conditions and restrictions which
the regulations specify, the Controller can recognize it with the previous approval of the Central
Government and notify in the Official Gazette.

• If a controller recognizes a Certifying Authority under sub-section (i), then its digital signature
certificate is also valid for the purpose of the Act.

• If the controller feels that any certifying authority has contravened any conditions or
restrictions of recognition under sub-section (i), then he can revoke the recognition. However, he
needs to record the reason in writing and notify in the Official Gazette.

4. Controller to act as a repository (Section 20)

• The Controller will act as a repository of all digital signature certificates under this Act.

• The Controller will –

a. Make use of secure hardware, software, and also procedures.

b. Observe the standards that the Central Government prescribes to ensure the secrecy and also
the security of the digital signatures.

• The Controller will maintain a computerized database of all public keys. Further, he must
ensure that the public keys and the database are available to any member of the public.

5. License to issue Digital Signature Certificates (Section 21)

(1) Subject to the provisions of sub-section (2), any person can apply to the Controller for a
license to issue digital signature certificates.

(2) A Controller can issue a license under sub-section (1) only if the applicant fulfills all the
requirements. The Central Government specifies requirements with respect to qualification,
expertise, manpower, financial resources, and also infrastructure facilities for the issuance of
digital signature certificates.

(3) A license granted under this section is –

(a) Valid for the period that the Central Government specifies

(b) Not transferable or inheritable


(c) Subject to the terms and conditions that the regulations specify

6. Power to investigate contraventions (Section 28)

1. The Controller or any other Officer that he authorizes will investigate any contravention of the
provisions, rules or regulations of the Act.

2. The Controller or any other Officer that he authorizes will also exercise the powers conferred
on Income-tax authorities under Chapter XIII of the Income Tax Act, 1961. Also, the exercise of
powers will be limited according to the Act.

(2) Certifying Authority

Certifying Authorities (CA) are those that have been granted a license to issue digital signature certificates
under section 24 of the IT Act.

(3) Adjudicating officer (AO)

AO is appointed under section 46 of the IT Act to adjudicate offences under Chapter IX. As per
Rule 3 of the Information Technology (Qualification and Experience of Adjudicating Officers
and Manner of Holding Enquiry) Rules, 2003, it has been declared that the Secretary of
Department of Information Technology of every State and Union Territory shall serve as
Adjudicating officer.

Important sections regarding AO under the IT Act –

• Section 46 – Power to adjudicate
• Section 47 – Factors to be taken into account by the adjudicating officer

The Information Technology Act provides for "Penalties and Adjudication" under Chapter IX
and for "Offences" under Chapter XI of the Act. The Act also contemplates the appointment of
an Adjudicating Officer for inquiring into and adjudicating contraventions under the Act. There
have been differences of opinion as to what exactly are the powers and jurisdiction of the
Adjudicating Officer appointed under the provisions of the Information Technology Act, 2000.
There is a general opinion that the Adjudicating officer would be competent to entertain and
adjudicate all disputes, contraventions and offences relating to the Information Technology Act.
However, a careful reading of the relevant provisions of the Act makes it clear that the powers
and jurisdiction of the Adjudicating Officer are in fact very limited.

Chapter IX of the Information Technology Act provides for penalties and adjudication. This
chapter consists only of five sections, i.e. Sections 43 to 47 of the Act. Section 43 is titled
"Penalty for damage to computer, computer system etc.". This Section goes on to elaborate that
if any person, without authorization, accesses, downloads, copies, introduces viruses etc. into any
computer or computer network, he shall be liable to pay damages by way of compensation not
exceeding Rs. One Crore to the person so affected.

It can be argued that the maximum liability that can be imposed is qua the person so affected. In
other words, if ten persons are aggrieved, each of them could be entitled to Rs. One Crore for
damages. Therefore, a person contravening Section 43 can be made liable to pay an amount
greater than Rs. One Crore, in case more than one person is affected by his actions. However,
what is more significant is that although the heading of Section 43 provides for "Penalty for
damage to computer, computer system etc.", nowhere in the text of the Section is the word
"penalty" found. A contravention of Section 43 can result only in "damages by way of
compensation payable to the person so affected". This is significant because, by contravening
Section 43, a person is made liable only to the aggrieved person and not to the State. Moreover, a
mere contravention of Section 43 would not result in damages being imposed. A person
claiming damages would first have to establish the following:

• That there was a contravention of Section 43;

• That the contravention resulted in an unfair gain or advantage to the person contravening
Section 43; and

• That the contravention resulted in loss to the claimant.

The claimant would then have to quantify the loss in monetary terms to establish his claim before
the Adjudicating Officer. It is only on the basis of the claim so established, that the Adjudicating
Officer can pass an order directing the person, who has contravened Section 43, to pay damages.

Section 44 provides for penalty for failure to furnish information as required under the Act, rules
or regulations and Section 45 provides for "residuary penalty". Unlike Section 43, a
contravention of Sections 44 and 45 would result in a person being made liable to pay "penalty"
which would accrue to the State.

Section 46(1) of the Act provides for the appointment of an Adjudicating Officer for the purpose
of adjudicating under Chapter IX whether any person has contravened any provisions of the Act.
Although Section 46(1) is slightly confusing, a careful scrutiny of it would reveal that the
Adjudicating Officer is empowered only to determine contraventions under Sections 43, 44 and
45 of the Act and nothing else. Chapter XI of the Act deals with "offences" and provides for
punishment of fine and/or imprisonment for committing offences like tampering with computer
source documents, hacking and other offences prescribed therein. The trial of these offences
would not fall within the Adjudicating Officer's jurisdiction. This is all the more clear when one
considers the fact that the Adjudicating Officer has been conferred with the powers of a Civil
Court under Section 46(5) of the Act. The trial of offences committed under Chapter XI of the
Information Technology Act would therefore still be before the Jurisdictional Magistrate under
the provisions of the Code of Criminal Procedure.

To sum up, the jurisdiction of an Adjudicating Officer appointed under the provisions of the
Information Technology Act would extend only to:

• Determining the extent of damages payable by a person contravening Section 43, to the
person so affected;
• Determining the amount of penalty payable by a person for his failure to furnish
information, returns, etc. as required under the Act or its Rules; and
• Determining the amount of penalty/damages payable by a person for contravening the
provisions of the Act, Rules or Regulations for which no separate penalty is provided.

(4) Cyber Appellate Tribunal (CAT)

The Cyber Appellate Tribunal has been established under Section 48(1) of the IT Act, under the
aegis of the Controller of Certifying Authorities. Any person aggrieved by an order made by the
Controller or an adjudicating officer under this Act may prefer an appeal to a Cyber Appellate
Tribunal.

• Chapter X – Sections 48 to 64 of the IT Act has provisions regarding CAT.

• Website of the office of CAT – http://www.catindia.gov.in

Establishment of the Cyber Appellate Tribunal

Section 48 of the IT Act 2000 talks about the establishment of the Cyber Appellate Tribunal, where
the Central Government shall by notification establish one or more appellate tribunals. The
powers of the Tribunal are no doubt limited. Its area of jurisdiction is well defined. However, if
at any time the Chairperson of the Tribunal is satisfied that circumstances exist which render it
necessary to have sittings of the Tribunal at any place other than New Delhi, the Chairperson may
direct that the sittings be held at any such appropriate place.

Composition of the Cyber Appellate Tribunal


Section 49 of the IT Act 2000 deals with the composition of the Cyber Appellate Tribunal. It shall
consist of a Chairperson and such number of other members as the Central Government may
notify.

• Qualifications
To be qualified for appointment as a Chairperson of the Cyber Appellate Tribunal, a
person has been, or is qualified to be, a judge of a High Court. Judicial members of the Cyber
Appellate Tribunal are appointed from amongst persons who are or have been members of
the Indian Legal Service and have held the post of Additional Secretary for a period of not
less than one year or a Grade I post of that service for a period of not less than five years.
Members other than judicial members should have special knowledge and professional
experience in information technology, telecommunication, industry, management or
consumer affairs.

• Term
Section 51 (1) provides a five year term for the Chairperson or Member of the Cyber
Appellate Tribunal. The term starts from the date on which he enters upon his office. It
will last for five years or until he attains the age of 65 years, whichever is earlier.

• Powers
As per section 52A, the Chairperson, being the Head of the Cyber Appellate Tribunal, has
both executive and administrative powers of general superintendence and direction in
the conduct of the affairs of that Tribunal, which may include presiding over the meetings
of the Tribunal, and exercises and discharges such powers and functions of the Tribunal as
may be prescribed. The Chairperson has the power to transfer cases: either following the
laid down procedure or suo motu, the Chairperson may transfer any case pending before one
Bench, for disposal, to any other Bench.

• Resignation and Removal
Section 54 deals with resignation and removal of the Chairperson and members of a
Cyber Appellate Tribunal. In order to resign, the Chairperson or the member of the Cyber
Appellate Tribunal has to give notice in writing under his hand to the Central
Government. It is for the Central Government to relieve him on the receipt of such notice
or permit him to continue to hold office until the expiry of three months from the date of
receipt of such notice or until a person duly appointed as his successor enters upon his
office or until the expiry of his term of office, whichever is the earliest. The Chairperson
or a Member of the Cyber Appellate Tribunal can be removed on the ground of
misbehaviour or incapacity after instituting an inquiry under a Judge of the Supreme
Court. Under section 87 (2) (s) of the Act, the Central Government has the power to make
rules regarding the procedure for investigation of misbehaviour or incapacity of the
Chairperson or a Member.

Procedure and Powers of Cyber Appellate Tribunal


The Code of Civil Procedure 1908 is an Act to consolidate and amend the laws relating to the
procedure of the Courts of Civil Judicature. The objective of section 58 is that the Tribunal is
not bound by the procedure laid down by the Code of Civil Procedure 1908 and instead it shall
be guided by the principles of natural justice. The principles of natural justice revolve around the
premise that the authority should hear the person concerned before passing any decision,
direction or order against him.

In Union of India v. T. R. Verma, AIR 1957 SC 882, it was said that it is established law that
tribunals should follow the law of natural justice, which requires that a party should have the
opportunity of adducing all relevant evidence on which he relies. Evidence should be taken in the
presence of the parties and the opportunity for cross-examination should be given.

Further, the Cyber Appellate Tribunal shall have powers to regulate its own procedure, including
the place at which it shall have its sittings. It is an established law that in the absence of any
procedure laid down, the provisions of the Code of Civil Procedure should be followed.

The Cyber Appellate Tribunal shall have the powers of:

1. Summoning and enforcing the attendance of any person and examining him on oath;
2. Requiring the discovery and production of documents or other electronic records;
3. Receiving evidence on affidavits;
4. Issuing commissions for the examination of witnesses or documents;
5. Reviewing its decisions;
6. Dismissing an application for default or deciding it ex parte;
7. Any other matter, which may be prescribed.

Appeal

• Appeal from the Controller or an adjudicating officer to the Cyber Appellate Tribunal
Under section 57 of the IT Act 2000, a right of appeal to the Cyber Appellate Tribunal lies
if any person is aggrieved by an order made by the Controller or an adjudicating officer. The
right to appeal is a creature of a statute and it is for the legislature to decide whether the
right of appeal should be given unconditionally to an aggrieved party or it should be
conditionally given.

• Appeal from the Cyber Appellate Tribunal to the High Court
Within the scheme of the IT Act under section 62, the Cyber Appellate Tribunal is the
final fact finding authority. The Act provides a second forum of appeal in the form of the
High Court to any person aggrieved by any decision or order of the Cyber Appellate
Tribunal. An appeal is to be filed within 60 days from the date of communication of the
decision.

Compounding Contraventions

The proviso to sub-section (1) of section 63 provides that the maximum amount of the
penalty which may be imposed under this Act for the contravention so compounded shall not
exceed the maximum amount prescribed for such contravention. A penalty imposed or
compensation awarded under this Act, if it is not paid, shall be recovered as an arrear of land
revenue, and the license or the Electronic Signature Certificate, as the case may be, shall
remain suspended till the penalty.

(5) Indian Computer Emergency Response Team (ICERT)

ICERT is the National Incident Response Centre for major computer security incidents in its
constituency, i.e. the Indian Cyber Community. Under section 70B of the IT Act, ICERT has been
empowered to serve as the national agency for incident response.

Website of the office of CERT-In – http://www.cert-in.org.in/

The Central Government issued the Information Technology (the Indian Computer Emergency
Response Team and Manner of Performing Functions and Duties) Rules, 2013 under the
provisions of Section 70B of the Information Technology Act, 2000 (“IT Act”) on January 16,
2014.

These rules create the ‘Indian Computer Emergency Response Team’ (“CERT-in”) and provide
for its functions. It shall function under the administrative control of the Department of
Electronics and Information Technology.

‘Computer Emergency Response’ means co-ordinating action during cyber security emergencies,
providing support to the users, publishing alerts and offering information for the improvement of
cyber security.

The IT Act under Section 70B stipulates the following as the functions of CERT-in:-

1. Collection, analysis and dissemination of information on cyber incidents,

2. Forecast and alert of cyber security incidents,

3. Emergency measures for handling cyber security incidents,

4. Co-ordination for cyber incidents response activities,

5. Issue guidelines, advisories and vulnerability notes etc. relating to information security
practices, procedures, prevention, response and reporting, and

6. Other functions, as may be prescribed, related to cyber security.

Cyber security incidents are to be reported to CERT-in by individuals, organizations or
corporate entities within a reasonable time of occurrence or noticing the incident.

CERT-in shall respond to cyber security incidents that occur in the country; however, the level of
support by CERT-in shall vary depending on the type and severity of the incidents. The
resources shall be allocated in the prescribed order of priority.

The CERT-in Rules empower the CERT-in to collect and analyze information on cyber security
incidents from individuals, organizations and computer resources, in compliance with the
applicable laws, rules and orders of the courts. The CERT-in may share or disclose the general
trends of cyber security incidents and breaches freely to assist the general public in preventing
the same. The CERT-in may also seek information from service providers, intermediaries, data
centers etc. and take recourse to the IT Act for monitoring and collection of traffic data.

The CERT-in Rules provide for the establishment of a ‘Review Committee’ to review:

1. Non-compliance with communications seeking information, issued to the service providers,
intermediaries, data centers, body corporate etc.;

2. Non-compliance with the directions issued to the service providers, intermediaries, data centers,
body corporate etc., with a view to cyber security of the information infrastructure; and

3. Terming such non-compliance with directions as an offence under the IT Act.

On the basis of the non-compliance report and the direction of the Review Committee, CERT-in
through an authorized officer shall file a complaint before the court in accordance with the
procedure laid down by the IT Act.

CERT-in is obligated to exchange information pertaining to attacks, vulnerabilities and solutions
in respect of the critical sector with the National Critical Information Infrastructure Protection
Centre.

(6) National Technical Research Organization (NTRO)

NTRO is designated as the national nodal agency in respect of Critical Information Infrastructure
Protection under Sec. 70A of the IT Act.

National Technical Research Organization (NTRO) is the technical intelligence gathering agency
of India.

• The agency head of NTRO, along with Chiefs of Intelligence Bureau and Research & Analysis
Wing (RAW), report to the National Security Advisor (NSA) and PMO.

• Function: The agency develops technology capabilities in aviation and remote sensing, data
gathering and processing, cyber security, cryptology systems, strategic monitoring.

NTRO has the same “norms of conduct” as the Intelligence Bureau (IB) and the Research and
Analysis Wing (R&AW) as listed in the Intelligence Organizations (Restriction of Rights) Act,
1985.

The Intelligence Organizations (Restriction of Rights) Act, 1985 prevents employees of a
notified agency from forming unions/associations, puts restrictions on the employee’s freedom of
speech, and bars any communication with the press, or publishing a book or other document,
without the permission of the head of the intelligence organization.

• NTRO also hires many people from the private sector and they have the same safety net and
restrictions available to other spy agencies.

• The Official Secrets Act is also applicable to NTRO employees, placing certain restrictions on
them, such as on being involved in political activities in the country.

(7) Cyber Crime Cell

Cyber Crime Cell is a wing of law enforcement agencies like Police, CID, CBI, etc. established
to expedite the investigation of Cyber Crimes. Cyber Crime Cell is not a Police station where
one can go and register a complaint. In India, Bangalore is the only city which has a Cyber
Crime Police Station where one can register a complaint and can get a copy of the First
Investigation Report (FIR).

Some of the duties of Cyber Crime Cell are –

• To assist law enforcement in investigating cyber crimes
• To spread awareness about cyber crimes and preventive measures in its territory
• To act as an expert in giving opinions on cyber crime related issues

Power to investigate offences under the IT Act lies with a police officer not below the rank of
Inspector as per Sec. 78 of the IT Act.

4. Critically examine the various penal provisions under the Information Technology Act, 2000.

Cyber offenses are unlawful acts which are carried out in a very sophisticated manner in which
either the computer is the tool or target or both. Cybercrime usually includes:

(a) Unauthorized access of the computers (b) Data diddling (c) Virus/worms attack (d) Theft of
computer system (e) Hacking (f) Denial of service attacks (g) Logic bombs (h) Trojan attacks
(i) Internet time theft (j) Web jacking (k) Email bombing (l) Salami attacks (m) Physically damaging
computer system.

The offenses included in the IT Act 2000 are as follows:

• Tampering with the computer source documents
• Hacking with computer system
• Publishing of information which is obscene in electronic form
• Power of Controller to give directions
• Directions of Controller to a subscriber to extend facilities to decrypt information
• Protected system
• Penalty for misrepresentation
• Penalty for breach of confidentiality and privacy
• Penalty for publishing Digital Signature Certificate false in certain particulars
• Publication for fraudulent purpose
• Act to apply for offense or contravention committed outside India
• Confiscation
• Penalties or confiscation not to interfere with other punishments
• Power to investigate offenses

Offenses under the IT Act, 2000

1. Tampering with computer source documents:

• Section 65 of this Act provides that whoever knowingly or intentionally conceals,
destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter
any computer source code used for a computer, computer program, computer system or
computer network, when the computer source code is required to be kept or maintained
by law for the time being in force, shall be punishable with imprisonment up to three
years, or with fine which may extend up to two lakh rupees, or with both.
• Explanation: For the purpose of this section “computer source code” means the listing of
programmes, computer commands, design and layout and programme analysis of
computer resource in any form.
• Object: The object of the section is to protect the “intellectual property” invested in the
computer. It is an attempt to protect the computer source documents (codes) beyond what
is available under the Copyright Law.
• This section extends towards the Copyright Act and helps companies to protect the
source code of their programmes.
• An offense under Section 65 is triable by any magistrate. It is a cognizable and non-bailable
offense.
• Imprisonment up to 3 years and/or fine up to two lakh rupees.

CASE LAWS

Firos v. State of Kerala:

Facts: In this case, the FRIENDS application software was declared a protected system.
The author of the application challenged the notification and the constitutional validity of
software under Section 70. The court upheld the validity of both.

It included tampering with source code. Computer source code is in electronic form; it can be
printed on paper.

Held: The court held that tampering with source code is punishable with three years' jail and/or
a fine of two lakh rupees for altering, concealing and destroying the source code.

Syed Asifuddin case:

Facts: In this case, the Tata Indicom employees were arrested for manipulation of the electronic
32-bit number (ESN) programmed into cell phones that were exclusively franchised to Reliance
Infocom.

Held: Court held that Tampering with source code invokes Section 65 of the Information
Technology Act.

Parliament Attack Case:

Facts: In this case, several terrorists attacked Parliament House on 13 December 2001. In this
case, digital evidence played an important role during their prosecution. The accused argued
that computers and evidence can easily be tampered with and hence should not be relied upon.

In the Parliament case, several smart device storage disks and devices and a laptop were recovered
from the truck intercepted at Srinagar pursuant to information given by two suspects. The laptop
contained evidence of fake identity cards and video files containing clips of political leaders
with Parliament in the background, shot from T.V. news channels. It also contained the design of a
Ministry of Home Affairs car sticker and the game “wolf pack” with the user name ‘Ashiq’, which
was the name on one of the fake identity cards used by the terrorist. No backup
was taken. Therefore, it was challenged in the Court.

Held: Challenges to the accuracy of computer evidence should be established by the challenger.
Mere theoretical and generic doubts cannot be cast on the evidence.

2. Hacking with the computer system:

• Section 66 provides that – (1) Whoever with the intent to cause or knowing that he is
likely to cause wrongful loss or damage to the public or any person destroys or deletes or
alters any information residing in a computer resource or diminishes its value or utility or
affects it injuriously by any means, commits hacking.
(2) Whoever commits hacking shall be punished with imprisonment up to three years, or
with fine which may extend up to two lakh rupees, or with both.
• Explanation: The section tells about the hacking activity.
• Punishment: Imprisonment up to three years, or fine which may extend up to two lakh
rupees, or both.

CASE LAWS

R v. Gold & Schifreen:

In this case, it was observed that the accused gaining access to files on the British Telecom
Prestel Gold computer network amounted to a dishonest trick and not a criminal offense.

R v. Whiteley:

In this case, the accused gained unauthorized access to the Joint Academic Network (JANET)
and deleted and added files and changed the passwords to deny access to the authorized users. The
perspective of the section is not merely to protect the information but to protect the integrity and
security of computer resources from attacks by unauthorized persons seeking to enter such
resources, whatever may be the intention or motive.

Cases Reported In India:

Official website of Maharashtra government hacked. The official website of the government of
Maharashtra was hacked by Hackers Cool Al-Jazeera, who claimed they were from Saudi
Arabia.

3. Publishing of obscene information in electronic form:

Section 67 of this Act provides that whoever publishes or transmits or causes to be published in
the electronic form, any material which is lascivious or appeals to the prurient interest or if its
effect is such as to tend to deprave and corrupt persons who are likely, having regard to all
relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be
punished on first conviction with imprisonment of either description for a term which may
extend to five years and with fine which may extend to one lakh rupees and in the event of a
second or subsequent conviction with imprisonment of either description for a term which may
extend to ten years and also with fine which may extend to two lakh rupees.

CASE LAWS:

The State of Tamil Nadu v. Suhas Katti.

Facts: This case is about the posting of obscene, defamatory and annoying messages about a divorcee
woman in the Yahoo message group. E-mails were forwarded to the victim for information by
the accused through a false e-mail account opened by him in the name of the victim. These
postings resulted in annoying phone calls to the lady. Based on the complaint, police nabbed the
accused. He was a known family friend of the victim and was interested in marrying her. She
married another person, but that marriage ended in divorce and the accused started contacting
her once again. On her reluctance to marry him, he started harassing her through the internet.

Held: The accused is found guilty of offenses under section 469, 509 IPC and 67 of the IT Act
2000 and the accused is convicted and is sentenced for the offense to undergo RI for 2 years
under 469 IPC and to pay fine of Rs.500/- and for the offense u/s 509 IPC sentenced to undergo 1
year Simple imprisonment and to pay fine of Rs.500/- and for the offense u/s 67 of IT Act 2000
to undergo RI for 2 years and to pay fine of Rs.4000/-. All sentences to run concurrently.

The accused paid the fine amount and he was lodged at Central Prison, Chennai. This is considered
the first case convicted under section 67 of the Information Technology Act 2000 in India.

In a recent case, a groom’s family received numerous emails containing defamatory information
about the prospective bride. Fortunately, they did not believe the emails and chose to take the
matter to the police. The sender of the emails turned out to be the girl’s step-father, who did not
want the girl to get married, as he would have lost control over her property, of which he was the
legal guardian.

Avnish Bajaj (CEO of bazzee.com – now a part of the eBay group of companies) case.

Facts: There were three accused: the Delhi schoolboy, IIT Kharagpur's Ravi Raj, and the
service provider Avnish Bajaj.

The law on the subject is very clear. The sections slapped on the three accused were Section 292
(sale, distribution, public exhibition, etc., of an obscene object) and Section 294 (obscene acts,
songs, etc., in a public place) of the Indian Penal Code (IPC), and Section 67 (publishing
information which is obscene in electronic form) of the Information Technology Act 2000. In
addition, the schoolboy faces a charge under Section 201 of the IPC (destruction of evidence),
for there is apprehension that he had destroyed the mobile phone that he used in the episode.
These offenses invite a stiff penalty, namely, imprisonment ranging from two to five years, in the
case of a first-time conviction, and/or fines.

Held: In this case, the service provider Avnish Bajaj was later acquitted and the Delhi schoolboy
was granted bail by the Juvenile Justice Board and was taken into police charge and detained in an
Observation Home for two days.

4. Power of Controller to give directions:

• Section 68 of this Act provides that (1) The Controller may, by order, direct a Certifying
Authority or any employee of such Authority to take such measures or cease carrying on
such activities as specified in the order if those are necessary to ensure compliance with
the provisions of this Act, rules or any regulations made thereunder.
(2) Any person who fails to comply with any order under sub-section (1) shall be guilty
of an offense and shall be liable on conviction to imprisonment for a term not exceeding
three years or to a fine not exceeding two lakh rupees or to both.
• Explanation: Any person who fails to comply with any order under subsection (1) of the
above section, shall be guilty of an offense and shall be convicted for a term not less than
three years or to a fine exceeding two lakh rupees or to both.
• The offense under this section is non-bailable & cognizable.
• Punishment: Imprisonment up to a term not exceeding three years or fine not exceeding
two lakh rupees.

5. Directions of Controller to a subscriber to extend facilities to decrypt information:

• Section 69 provides that – (1) If the Controller is satisfied that it is necessary or expedient
so to do in the interest of the sovereignty or integrity of India, the security of the State,
friendly relations with foreign States or public order or for preventing incitement to the
commission of any cognizable offense; for reasons to be recorded in writing, by order,
direct any agency of the Government to intercept any information transmitted through
any computer resource.
(2) The subscriber or any person in charge of the computer resource shall, when called
upon by any agency which has been directed under sub-section (1), extend all facilities
and technical assistance to decrypt the information.
(3) The subscriber or any person who fails to assist the agency referred to in subsection
shall be punished with imprisonment for a term which may extend to seven years.
• Punishment: Imprisonment for a term which may extend to seven years. The offense is
cognizable and non-bailable.

6. Protected System:

• Section 70 of this Act provides that –
(1) The appropriate Government may, by notification in the Official Gazette, declare
that any computer, computer system or computer network to be a protected
system.
(2) The appropriate Government may, by order in writing, authorize the persons who
are authorized to access protected systems notified under sub-section (1).
(3) Any person who secures access or attempts to secure access to a protected system
in contravention of the provision of this section shall be punished with
imprisonment of either description for a term which may extend to ten years and
shall also be liable to fine.
• Explanation: This section grants the power to the appropriate government to declare any
computer, computer system or computer network to be a protected system. Only
authorized persons have the right to access a protected system.
• Punishment: Imprisonment which may extend to ten years and fine.

7. Penalty for misrepresentation:

• Section 71 provides that – (1) Whoever makes any misrepresentation to, or suppresses any
material fact from, the Controller or the Certifying Authority for obtaining any license or
Digital Signature Certificate, as the case may be, shall be punished with imprisonment for
a term which may extend to two years, or with fine which may extend to one lakh
rupees, or with both.
• Punishment: Imprisonment which may extend to two years or fine which may extend to one
lakh rupees or with both.

8. Penalty for breach of confidentiality and privacy:

• Section 72 provides that – Save as otherwise provided in this Act or any other law for the
time being in force, any person who, in pursuance of any of the powers conferred under
this Act, rules or regulation made thereunder, has secured access to any electronic record,
book, register, correspondence, information, document or other material without the
consent of the person concerned discloses such material to any other person shall be
punished with imprisonment for a term which may extend to two years, or with fine
which may extend to one lakh rupees, or with both.
• Explanation: This section relates to any person who, in pursuance of any of the powers
conferred by the Act or its allied rules and regulations, has secured access to any
electronic record, book, register, correspondence, information, document, or other
material.
• If such a person discloses such information, he will be punished. It would not apply to
disclosure of personal information of a person by a website, by his email service
provider.
• Punishment: Term which may extend to two years or fine up to one lakh rupees or with
both.

9. Penalty for publishing Digital Signature Certificate false in certain particulars:

 Section 73 provides that – (1) No person shall publish a Digital Signature Certificate or
otherwise make it available to any other person with the knowledge that-
(a) The Certifying Authority listed in the certificate has not issued it; or
(b) The subscriber listed in the certificate has not accepted it; or
(c) The certificate has been revoked or suspended unless such publication is
for the purpose of verifying a digital signature created prior to such
suspension or revocation.
(2) Any person who contravenes the provisions of sub-section (1) shall be punished
with imprisonment for a term which may extend to two years, or with fine which
may extend to one lakh rupees, or with both.
 Explanation: The Certifying Authority listed in the certificate has not issued it or, The
subscriber listed in the certificate has not accepted it or the certificate has been revoked
or suspended.
 The Certifying Authority may also suspend the Digital Signature Certificate if it is of the
opinion that the Digital Signature Certificate should be suspended in the public interest.
 A digital signature may not be revoked unless the subscriber has been given an opportunity
of being heard in the matter. On revocation, the Certifying Authority needs to
communicate the same to the subscriber. Such publication is not an offense if it is for the
purpose of verifying a digital signature created prior to such suspension or revocation.
 Punishment: Imprisonment for a term which may extend to two years, or fine which may
extend to 1 lakh rupees, or both.

CASE LAWS:

Bennett Coleman & Co. v. Union of India

In this case, it was stated that ‘publication means dissemination and circulation’. In the
context of the digital medium, the term publication includes transmission of information or
data in electronic form.

10. Publication for fraudulent purpose:

Section 74 provides that- Whoever knowingly creates, publishes or otherwise makes available a
Digital Signature Certificate for any fraudulent or unlawful purpose shall be punished with
imprisonment for a term which may extend to two years, or with fine which may extend to one
lakh rupees, or with both.

Explanation: This section prescribes punishment for the following acts:

 Knowingly creating a digital signature certificate for any
   fraudulent purpose or
   unlawful purpose.
 Knowingly publishing a digital signature certificate for any
   fraudulent purpose or
   unlawful purpose.
 Knowingly making available a digital signature certificate for any
   fraudulent purpose or
   unlawful purpose.

Punishment: Imprisonment for a term up to two years or fine up to one lakh or both.

11. Act to apply for offense or contravention committed outside India:

 Section 75 provides that- (1) Subject to the provisions of sub-section (2), the provisions
of this Act shall apply also to any offense or contravention committed outside India by
any person irrespective of his nationality.
 (2) For the purposes of sub-section (1), this Act shall apply to an offense or
contravention committed outside India by any person if the act or conduct constituting
the offense or contravention involves a computer, computer system or computer network
located in India.
 Explanation: This section has a broader perspective, covering cyber crime committed by
cyber criminals of any nationality and in any territory.

CASE LAW:

R v. Governor of Brixton prison and another

Facts: In this case, Citibank faced the wrath of a hacker on its cash management system,
resulting in the illegal transfer of funds from customers' accounts into the accounts of the
hacker, later identified as Vladimir Levin, and his accomplices. After Levin was arrested he was
extradited to the United States. One of the most important issues was the jurisdictional issue,
the ‘place of origin’ of the cyber crime.

Held: The Court held that the real-time nature of the communication link between Levin and
the Citibank computer meant that Levin’s keystrokes were actually occurring on the Citibank
computer. It is thus important that, in order to resolve disputes related to jurisdiction, the
issues of territoriality and nationality be replaced by much broader criteria embracing
principles of reasonableness and fairness to accommodate overlapping or conflicting interests
of states, in the spirit of universal jurisdiction.

12. Confiscation:

 Section 76 provides that- Any computer, computer system, floppies, compact disks, tape
drives or any other accessories related thereto, in respect of which any provisions of this
Act, rules, orders or regulations made thereunder has been or is being contravened, shall
be liable to confiscation:
 Provided that where it is established to the satisfaction of the court adjudicating the
confiscation that the person in whose possession, power or control of any such computer,
computer system, floppies, compact disks, tape drives or any other accessories relating
thereto is found is not responsible for the contravention of the provisions of this Act,
rules, orders or regulations made thereunder, the court may, instead of making an order
for confiscation of such computer, computer system, floppies, compact disks, tape drives
or any other accessories related thereto, make such other order authorized by this Act
against the person contravening of the provisions of this Act, rules, orders or regulations
made thereunder as it may think fit.
 Explanation: The aforesaid section highlights that all devices, whether computer,
computer system, floppies, compact disks, tape drives or any other storage,
communication, input or output device, which helped in the contravention of any
provision of this Act, rules, orders, or regulations made thereunder are liable to be
confiscated.

13. Penalties or confiscation not to interfere with other punishments:

 Section 77 provides that – No penalty imposed or confiscation made under this Act shall
prevent the imposition of any other punishment to which the person affected thereby is
liable under any other law for the time being in force.
 Explanation: The aforesaid section lays down a mandatory condition: penalties or
confiscation under this Act do not interfere with other punishments to which the person
affected thereby is liable under any other law for the time being in force.

Power to investigate offenses:

 Section 78 provides that – Notwithstanding anything contained in the Code of Criminal
Procedure, 1973, a police officer not below the rank of Deputy Superintendent of Police
shall investigate any offense under this Act.

5. Write Short notes on:

 Trojan Horse
 Computer Virus

A. TROJAN HORSE
A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software.
Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems.
Users are typically tricked by some form of social engineering into loading and executing
Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal
your sensitive data, and gain backdoor access to your system. These actions can include:

 Deleting data
 Blocking data
 Modifying data
 Copying data
 Disrupting the performance of computers or computer networks

Unlike computer viruses and worms, Trojans are not able to self-replicate.

Impact of Trojan Virus


Trojans are classified according to the type of actions that they can perform on your computer:

 Backdoor
A backdoor Trojan gives malicious users remote control over the infected computer.
They enable the author to do anything they wish on the infected computer – including
sending, receiving, launching and deleting files, displaying data and rebooting the
computer. Backdoor Trojans are often used to unite a group of victim computers to form
a botnet or zombie network that can be used for criminal purposes.
 Exploit
Exploits are programs that contain data or code that takes advantage of a vulnerability
within application software that’s running on your computer.
 Rootkit
Rootkits are designed to conceal certain objects or activities in your system. Often their
main purpose is to prevent malicious programs being detected – in order to extend the
period in which programs can run on an infected computer.
 Trojan-Banker
Trojan-Banker programs are designed to steal your account data for online banking
systems, e-payment systems and credit or debit cards.
 Trojan-DDoS
These programs conduct DoS (Denial of Service) attacks against a targeted web address.
By sending multiple requests – from your computer and several other infected computers
– the attack can overwhelm the target address… leading to a denial of service.
 Trojan-Downloader
Trojan-Downloaders can download and install new versions of malicious programs onto
your computer – including Trojans and adware.
 Trojan-Dropper
These programs are used by hackers in order to install Trojans and / or viruses – or to
prevent the detection of malicious programs. Not all antivirus programs are capable of
scanning all of the components inside this type of Trojan.
 Trojan-FakeAV
Trojan-FakeAV programs simulate the activity of antivirus software. They are designed
to extort money from you – in return for the detection and removal of threats… even
though the threats that they report are actually non-existent.
 Trojan-GameThief
This type of program steals user account information from online gamers.
 Trojan-IM
Trojan-IM programs steal your logins and passwords for instant messaging programs –
such as ICQ, MSN Messenger, AOL Instant Messenger, Yahoo Pager, Skype and many
more.
 Trojan-Ransom
This type of Trojan can modify data on your computer – so that your computer doesn’t
run correctly or you can no longer use specific data. The criminal will only restore your
computer’s performance or unblock your data, after you have paid them the ransom
money that they demand.
 Trojan-SMS
These programs can cost you money – by sending text messages from your mobile device
to premium rate phone numbers.
 Trojan-Spy
Trojan-Spy programs can spy on how you’re using your computer – for example, by
tracking the data you enter via your keyboard, taking screen shots or getting a list of
running applications.
 Trojan-Mailfinder
These programs can harvest email addresses from your computer.

Other types of Trojans include:

 Trojan-ArcBomb
 Trojan-Clicker
 Trojan-Notifier
 Trojan-Proxy
 Trojan-PSW

Protect against Trojan

By installing effective anti-malware software, you can defend your devices – including PCs,
laptops, Macs, tablets and smart phones – against Trojans. A rigorous anti-malware solution –
such as Kaspersky Anti-Virus – will detect and prevent Trojan attacks on your PC, while
Kaspersky Mobile Security can deliver world-class virus protection for Android smart phones.
Kaspersky Lab has anti-malware products that defend the following devices against Trojans:

 Windows PC
 Linux computers
 Apple Macs
 Smartphones
 Tablets

B. COMPUTER VIRUS
A computer virus, much like a flu virus, is designed to spread from host to host and has the
ability to replicate itself. Similarly, in the same way that flu viruses cannot reproduce without a
host cell, computer viruses cannot reproduce and spread without programming such as a file or
document.

In more technical terms, a computer virus is a type of malicious code or program written to alter
the way a computer operates and is designed to spread from one computer to another. A virus
operates by inserting or attaching itself to a legitimate program or document that supports macros
in order to execute its code. In the process, a virus has the potential to cause unexpected or
damaging effects, such as harming the system software by corrupting or destroying data.

What are the different types of computer viruses?

1. Boot sector virus: This type of virus can take control when you start — or boot — your
computer. One way it can spread is by plugging an infected USB drive into your computer.

2. Web scripting virus: This type of virus exploits the code of web browsers and web pages. If
you access such a web page, the virus can infect your computer.

3. Browser hijacker: This type of virus “hijacks” certain web browser functions, and you may
be automatically directed to an unintended website.

4. Resident virus: This is a general term for any virus that inserts itself in a computer system’s
memory. A resident virus can execute anytime when an operating system loads.

5. Direct action virus: This type of virus comes into action when you execute a file containing a
virus. Otherwise, it remains dormant.

6. Polymorphic virus: A polymorphic virus changes its code each time an infected file is
executed. It does this to evade antivirus programs.

7. File infector virus: This common virus inserts malicious code into executable files — files
used to perform certain functions or operations on a system.

8. Multipartite virus: This kind of virus infects and spreads in multiple ways. It can infect both
program files and system sectors.

9. Macro virus: Macro viruses are written in the same macro language used for software
applications. Such viruses spread when you open an infected document, often through email
attachments.

How does a computer virus attack?


Once a virus has successfully attached to a program, file, or document, the virus will lie dormant
until circumstances cause the computer or device to execute its code. In order for a virus to infect
your computer, you have to run the infected program, which in turn causes the virus code to be
executed.

This means that a virus can remain dormant on your computer, without showing major signs or
symptoms. However, once the virus infects your computer, the virus can infect other computers
on the same network. Stealing passwords or data, logging keystrokes, corrupting files, spamming
your email contacts, and even taking over your machine are just some of the devastating and
irritating things a virus can do.

While some viruses can be playful in intent and effect, others can have profound and damaging
effects. This includes erasing data or causing permanent damage to your hard disk. Worse yet,
some viruses are designed with financial gains in mind.

How do computer viruses spread?

In a constantly connected world, you can contract a computer virus in many ways, some more
obvious than others. Viruses can be spread through email and text message attachments, Internet
file downloads, and social media scam links. Your mobile devices and smartphones can become
infected with mobile viruses through shady app downloads. Viruses can hide disguised as
attachments of socially shareable content such as funny images, greeting cards, or audio and
video files.

To avoid contact with a virus, it’s important to exercise caution when surfing the web,
downloading files, and opening links or attachments. To help stay safe, never download text or
email attachments that you’re not expecting, or files from websites you don’t trust.

What are the signs of a computer virus?

A computer virus attack can produce a variety of symptoms. Here are some of them:

 Frequent pop-up windows. Pop-ups might encourage you to visit unusual sites. Or they
might prod you to download antivirus or other software programs.
 Changes to your homepage. Your usual homepage may change to another website, for
instance. Plus, you may be unable to reset it.
 Mass emails being sent from your email account. A criminal may take control of your
account or send emails in your name from another infected computer.
 Frequent crashes. A virus can inflict major damage on your hard drive. This may cause
your device to freeze or crash. It may also prevent your device from coming back on.
 Unusually slow computer performance. A sudden change of processing speed could
signal that your computer has a virus.
 Unknown programs that start up when you turn on your computer. You may become
aware of the unfamiliar program when you start your computer. Or you might notice it by
checking your computer’s list of active applications.
 Unusual activities like password changes. This could prevent you from logging into your
computer.

How to help protect against computer viruses?

 Use a trusted antivirus product, such as Norton AntiVirus Basic, and keep it updated with
the latest virus definitions. Norton Security Premium offers additional protection for even
more devices, plus backup.
 Avoid clicking on any pop-up advertisements.
 Always scan your email attachments before opening them.
 Always scan the files that you download using file sharing programs.
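
The advice above to scan email attachments, together with the earlier note that macro viruses spread through infected documents and that Trojans are disguised as legitimate files, can be illustrated with a small triage script. This is an added example, not part of the original notes; the function names, the extension lists and the sample message are constructed for illustration, and a real deployment would hand flagged files to an antivirus engine.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative extension lists (assumptions, not exhaustive).
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
EXEC_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".lnk"}

def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip) document carries a VBA macro project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def triage_attachments(raw_email: bytes) -> dict:
    """Map each risky attachment filename to the reasons it was flagged."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "unnamed").strip()
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        reasons = []
        if ext in EXEC_EXTS:
            reasons.append("executable extension")
            if name.count(".") >= 2:  # e.g. photo.jpg.exe posing as an image
                reasons.append("double extension")
        if ext in MACRO_EXTS:
            reasons.append("macro-enabled extension")
        if has_vba_project(data):  # also catches a macro file renamed to .docx
            reasons.append("contains VBA project")
        if reasons:
            findings[name] = reasons
    return findings

def build_sample_email() -> bytes:  # constructed sample: marker bytes, no malware
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"placeholder")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.docx")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="photo.jpg.exe")
    msg.add_attachment("hello", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage_attachments(build_sample_email()))
```

The file named invoice.docx is flagged by its content rather than its extension, which is why checking inside the document matters more than trusting the filename.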
