Download Cybersecurity: Legal Perspectives - Understanding Cybercrime & Indian IT Act and more Study notes Cybercrime, Cybersecurity and Data Privacy in PDF only on Docsity!
UNIT- 5
CYBER SECURITY: Legal Perspectives
I) Cybercrime and the legal landscape around the world :
Cybercrime is crime in cyberspace, where cyberspaces are a social space whose infrastructure is formed by digital internetworked computers. Cybercrime is crime that happens in cyberspace. The amount of crime involving digital systems is steadily increasing. This involves both more traditional crime in which digital systems are merely used as tools (e.g., different types of fraud, blackmailing, hidden communication) as well as new forms of crime in which digital systems are an enabling technology (e.g., computer abuses, malicious software, malicious remote control networks like botnets). Much of cybercrime can be characterized by an economic motivation where cybercriminals “hack for profit”, thereby forming an underground economy of considerable size. Cyberspace is here understood as the “digital world” in which many people spend a non-negligible part of their daily life. For simplicity, we visualize cyberspace as an unstructured but clearly distinguishable realm in the landscape of cybercrime see Fig- 1. Landscape of cybercrime with its three main groups of actors (attackers, users and investigators) and their main activities and deficits:
- Attack and evasion for attackers,
- Awareness and education for users,
- Evidence extraction and analysis for investigators. In this context, we identify three groups of actors in cyberspace: 1) Attackers : Humans that act in an offensive manner, i.e., practice attack and evasion techniques. Such humans can be cybercriminals or security researchers who impersonate the role of adversaries in order to test certain computer systems for weaknesses (penetration testing).
2) Users : Humans who are acted upon and suffer from the actions of the first group. People belonging to this group are often called victims. 3) Investigators: Humans who try to understand and investigate the activities of the two previous groups. These people can be thought of as security researchers from academia or investigators of law enforcement agencies. In this context we develop tools and techniques in evidence collection and evidence analysis, for example: We examine traces of volatile information in main memory. These approaches complement persistent data oriented techniques and may be have indispensable help when dealing with encrypted disks or sophisticated types of malicious applications that solely reside in RAM. We develop a tool called ADEL for the analysis of smartphones with a major focus on Google’s Android platform. ADEL is able to dump and analyze SQLite databases from a connected smartphone. We are also developing a technique called selective imaging, which is the creation of partial forensic images by selectively acquiring only relevant data from digital devices.
II) Indian IT ACT 2000 --Cybercrime and Punishments:
The Information Technology Act, 2000 also Known as an IT Act is an act proposed by the Indian Parliament reported on 17th October 2000. This Information Technology Act is based on the United Nations Model law on Electronic Commerce 1996 (UNCITRAL Model) which was suggested by the General Assembly of United Nations by a resolution dated on 30th January, 1997. It is the most important law in India dealing with Cybercrime and E-Commerce. The main objective of this act is to carry lawful and trustworthy electronic, digital and online transactions and alleviate or reduce cybercrimes. The IT Act has 13 chapters and 90 sections. The last four sections that starts from ‘section 91 – section 94’, deals with the revisions to the Indian Penal Code 1860. The IT Act, 2000 has two schedules: First Schedule – Deals with documents to which the Act shall not apply. Second Schedule – Deals with electronic signature or electronic authentication method The offences and the punishments in IT Act 2000 : The offences and the punishments that falls under the IT Act, 2000 are as follows:-
- Tampering with the computer source documents.
- Directions of Controller to a subscriber to extend facilities to decrypt information.
- Publishing of information which is obscene in electronic form.
- Penalty for breach of confidentiality and privacy.
Section 72A Punishment for Disclosure of information in breach of lawful contract Section 7 9 Exemption from liability of intermediary in certain cases
III) Weak areas of IT ACT 2000:
The flaws of IT Act 2000 are: 1) Lack of Transparency: Section 69A grants to the government the power to issue directions to intermediaries for blocking access to any information that it considers prejudicial to, among other things, the sovereignty and integrity of India, national security, or public order. In 2009, the government also issued “Blocking Rules”, which set up the procedure for blocking (including regular review by government committees), and also stated that all requests and complaints would remain strictly confidential. 2) privacy Issues : The IT Act also doesn’t address privacy issues – privacy is now a fundamental right and the law needs to specifically address privacy concerns, but that’s not the case. 3) Poor protection of cybersecurity: T he Indian IT Act is not a cybersecurity law and therefore does not deal with the nuances of cybersecurity. Indian citizens have been victims to numerous instances of data breach and privacy violations – take for instance the Cambridge Analytical incident, or the Aadhaar account breach of 1.1 billion citizens, or for that matter the 2018 personal data leak incident of 5 lakh Google+ users. 4) Lack of expertise: Regular police personnel, specifically any officer holding the rank of inspector, are responsible for investigating nefarious online activities. The difficulty that arises here is that cybercrimes are a nuanced form of criminal activity that require years of specialised training and a deep understanding of technology to probe adequately.
IV) Challenges to Indian law and cybercrime scenario in India:
Some of the Cybersecurity challenges in India are as follows:
1. Lack of uniformity in devices used for internet access – With varying income groups in India, not everyone can afford expensive phones. In the US, Apple has over 44% market share. However, in India the iPhones with their higher security norms are used by less than 1% of mobile users. The widening gap between the security offered by the high-end iPhone and lower cost mobiles make it almost impossible for legal and technical standards to be set for data protection by the regulators. 2. Lack of national level architecture for Cybersecurity – Critical infrastructure is owned by private sector, and the armed forces have their own fire fighting agencies. However there is no national security architecture that unifies the efforts of all these agencies to be able to assess the nature of any threat and tackle them effectively. The Prime Minister’s Office has created a position towards this cause but there is a long way to go before India has the necessary structure in place. 3. Lack of separation – Unlike countries or states, in cyberspace there are no boundaries, thus making the armed forces, digital assets of ONGC, banking functions, etc. vulnerable to cyber attacks from anywhere. This could result in security breaches at a national level, causing loss of money, property or lives. To respond to possible threats on the country’s most precious resources, there is a need for a technically equipped multi-agency organization that can base its decisions on policy inputs and a sound strategy.
- Lack of awareness – As there is no National regulatory policy in place for cybersecurity there is a lack of awareness at both company level as well as individual level. Domestic netizens can protect and be protected from the cyber attacks only if there is a guided and supervised legal framework.
V) Amendments of the Indian IT Act:
The Information Technology Amendment Act was passed by the Indian Parliament in October 2008 and came into force a year later. The act is administered by the Indian Computer Emergency Response Team (CERT-In) and corresponds to the Indian Penal Code. The IT Act, 2000 was amended in 2008. This amendment introduced the controversial Section 66A into the Act. Section 66A: Section 66A gave authorities the power to arrest anyone accused of posting content on social media that could be deemed ‘offensive’. This amendment was passed in the Parliament without any debate. As per the said section, a person could be convicted if proved on the charges of sending any ‘information that is grossly offensive or has menacing character’.
Section 73: After section 73, the following section shall be inserted, namely:- "73A. Proof as to verification of digital signature.-In order to ascertain whether a digital signature is that of the person by whom it purports to have been affixed, the Court may direct- (a) That person or the Controller or the Certifying Authority to produce the Digital Signature Certificate; (b) Any other person to apply the public key listed in the Digital Signature Certificate and verify the digital signature purported to have been affixed by that person."
