THE MATHEMATICS BETWEEN CYBER LAW &CYBER

CRIME IN ‘INDIAN ARENA’

GAURAV TIWARI

INTRODUCTION:

The founding fathers of Internet barely had any proclivity that Internet could transform itself into

an all pervading revolution which could be tainted for criminal activities and which required law.

These days, there are many troubling incidents in cyberspace. Due to the mysterious nature of

the Internet, it is probable to engage into a variety of criminal activities with impunity and people

with intelligence, have been hideously misusing this aspect of the Internet to perpetuate criminal

activities in cyberspace. . The advancement in this field has been multiplying exponentially but

cybercrimes are also thriving rapidly. Although generous progress in technology, uncertainty

still prevails and the efforts to trace, identify and bring the criminal to books have not borne

much fruit. If cybercrimes are not combated at the early stage, the posterity will suffer from the

human values, which will have very damaging effects on the society at large and innocent

individuals in particular.1 The very character of crime itself has undergone complete

transformation. There is a conjectural shift in terms of the costs of criminal behaviour and the

forms of criminality, which merits state attention. The globalization of the world’s economy and

the resultant exponential increase in the way business is carried out has given rise to a new wave

of crime, which requires more attention than traditional forms of violent crimes that currently

command the vast share of state law enforcement resources. Territorial boundaries are no longer

the barriers, as it may also exist in cyberspace, where corporations, which serve computer and

1 M. Ponnaian,, July- September 2000 “Cyber crimes, Modern crimes and Human rights”, P R P Journal of Human Rights, Vol. 4, at 13-14

telecommunications networks also control access. The capacity of criminals has been enhanced

to carry out serious offences manifolds due to progress in computer and communications

technologies and that too with a greatly diminished risk of apprehension. The defence

mechanisms of states appear fragile when it comes to advanced technology, telecommunications

and cyberspace. The concept of jurisdiction becomes meaningless when an individual has only

an address on a computer network as identity. This century will therefore, be known not only for

greater technological innovation, but also be remembered for unpreparedness of legal and law

enforcement communities for the cyberspace crime, which is increasing unabated. The ever-

expanding financial resources of criminals will render them increasingly important players in

global financial markets.2 With the advent of the internet, cyberlaw has become an emerging

field. Cyberlaw encompasses electronic commerce, freedom of expression, intellectual property

rights, jurisdiction and choice of law, and privacy rights.3 There have been various kinds of

computer and internet related crimes. In fact, the growth of crime on the internet is directly

proportional to the growth of the internet itself, and so is the variety of crimes being committed

or attempted.4

FUNDAMENTAL PRINCIPLES OF CRIME

The fundamental principles of crime are founded on rules of equity, justice and fair play, which

provide adequate guidelines for the formulation of a rational penal policy and at the same time

ensure even-handed dispensation of justice to litigants. It is general principle of criminal law

2 M.P. Shahi,(2000), “Crime and Corruption in the Digital Age”, at 27 3 J. Kaufman Winn and R. Warner, “Course: Law of the internet”, Southern Methodist University School of Law at <http://www.smu.edu/~jwinn/inetlaw.htm>4 “Computer and internet Crimes”, at <http://www.cyberspacelaws.com/crime.asp>

that a person may not be convicted of a crime unless the prosecution has proved beyond

reasonable doubt that:

He has caused a certain event, or responsibility is to be attributed to him for the existence

of a certain state of affairs, which is forbidden by criminal law; and

He had a defined state of mind in relation to the causing of the event or the existence of

the state of affairs.

Thus, a crime essentially consists of two elements, namely, actus reus and mens rea.

ACTUS REUS

The word actus connotes, a physical result of human conduct. The actus reus includes all the

elements in the definition of the crime except the mental element of the accused. It is not

merely an act but may consist of a state of affairs not including an act at all. Actus reus is

defined as “such result of human conduct as the law seeks to prevent”.5

The actus reus is made up generally, but not always, of conduct, and sometimes it’s

consequences and also the circumstances in which the conduct takes place, or which constitute

the state of affairs, in so far as they are relevant. Sometimes a particular state of mind on the part

of the victim is required by the definition of the crime. If so, that state of mind is a part of the

actus reus.6

Actus reus in internet crimes

The element of actus reus in internet crimes is relatively easy to identify, but is very difficult to

prove. The fact of the occurrence of the act that can be termed as a crime can be said to have

taken place when a person is:

5 J.C. Smith and B. Hogan,(1988) “Criminal Law”, at 31-36 6 Thus, in the prosecution of rape the absence of consent on the part of the prosecutrix is an essential constituent of the actus reus. If the prosecution fails to prove such absence of consent the actus reus is not proved and the prosecution must fail.

making use of computer function;7

accessing data stored on a computer or from a computer which has access to data stored

outside;8

attempt to gain access through internet or passes signals through various computers and

made computers to perform a function on the instruction which the person gave to the

first computer in the chain. Such function can be said to constitute actus reus.9

trying to login, even though attempts are useless. For example, hackers have an

automated system of trying passwords of different systems, the very running of which

can be considered to be a function being performed.10

MENS REA

Mens rea is the second essential element, which constitutes crime is called “a guilty mind”.

This construalhad undergone gradual changes until modern criminal law came to regard a guilty

mind of some kind or some other such mental element as always being necessary.11 Mens rea

consist of a number of different mental attitudes including intention, recklessness and

negligence.12 Intention refers to the state of mind of a man who not only foresees but also wills

the possible consequences of his conduct. There cannot be intention unless there is foresight,

since a man who intends a particular act must have reasonable foresight of the consequences of

7 This is done by using input devices like the keyboard, mouse, etc8 A hacker uses an authorized person’s password to login to any company’s main server, hoping to gain access to the company’s customer details. The computer to which he logs in to stores these details in a huge data storage unit, which is, locate elsewhere. The data itself is stored on a magnetic tape. The processing unit of the computer retrieves the information the storage unit. The computer would be thought to include the magnetic tape, and so the data would still be considered as being ‘held in a computer’. See, C. Gringras,(1997) “The Laws of the internet”, at 216 9 For example, a hacker uses his computer to access an unauthorized account at an Internet Service Provider (ISP). It is enough for the prosecution to prove that either of the computers belonging to the hacker or the ISP were made to function. However, the prosecution would choose to prove that the ISP’s computer was made to function only when it is not possible or extremely difficult for the prosecution to prove that the functioning of the ISP’s computer was a result of the instructions given by the hacker unless there is other evidence to prove the same.10 A hacker oversees a password being entered by someone logging in to a remote computer. The login prompt specifies that the user must be authorized to access the computer. Later, the hacker attempts to use the password himself, but fails owing to the remote computer allowing only one login each day. This would still be actus reus as the rejection itself constitutes a function and this function was caused by the hacker using the password without authorization at the wrong time. 11 Smith and Hogan,(1988)Supra note 7 at 55 12 J.W. Cecil Turner (ed.), Kenny’s, “Outlines of Criminal Law”, 18th ed., Cambridge University Press, Cambridge, at 31- 36

such act. Though intention cannot exist without foresight, the converse is not necessarily true,

i.e., there can be foresight without intention. A person who does not intend to cause a harmful

result may take an unjustifiable risk of causing it. If a man foresees the possible or even

probable consequences of his conduct and yet, without desiring them, still persists with such

conduct, he knowingly runs the risk of bringing about the unwished result. Such conduct may be

defined as recklessness.

Finally, a man may bring about an event without having any intention or foresight. He may

never have considered the possible consequences of his conduct and the end result may come as

a surprise even to him. Under Common Law, there is no criminal liability for harm caused by

one’s inadvertent or unintended and unforeseen conduct.13

Mens rea in internet crimes

An essential ingredient for determining mens rea in internet crime, on the part of the offender is

that he or she must have been aware at the time of causing the computer to perform the function

that the access intended to be secured was unauthorized. There must be, on the part of the

hacker, intention to secure access, though this intention can be directed at any computer and not

at a particular computer. Thus, the hackerneed not be aware of which computer exactly he or she

was attacking.14 Further, this intention to secure access also need not be directed at any

particular or particular kind of, programme or data. It is enough that the hacker intended to

secure access to programmes or data per se.15

13 Professor Kenny gives the example of manslaughter cases where it has been laid down time and again that harm caused inadvertently does not carry criminal liability. Thus, he concludes that there are only two states of mind, which constitute mens rea in criminal law, namely, intention and recklessness. Under Law of Torts harm caused by negligence is interpreted differently. The courts have evolved the concept of “the reasonable man” for determining liability in tort law. Thus, a person might be liable for harm caused by his negligence if the consequences of his conduct were foreseeable by a reasonable man in possession of all ordinary faculties and placed in the same circumstances. However, if the consequences were not foreseeable by such reasonable man, then the person would not be guilty for the unintended consequences of his negligent act.14 This suits the prosecution in matters relating to unauthorized access on the internet, because it is often complicated to prove that a person intended to login to a particular computer.15 Gringras,(1997)Supra note 10 at 221

Thus, there are two vital ingredients for mens rea for hackers or crackers who gain unauthorized

access to the system:

There must be unauthorized access intended to be secured;

The hacker should have been aware of the same at the time he or she tried to secure the

access.

The second ingredient is easier to prove if the accused hacker is a person from outside who has

no authority whatsoever to access the data stored in the computer or the computers; however, it

is difficult to prove the same in the case of a hacker with limited authority.16

On deeper analysis one finds that our obsolete and primitive civil and criminal statutes of the

Common Law vintage have somehow been made to subverse the ends of the present day Indian

society primarily through judicial innovation and ingenuity. Needless to add that such statutes

are overdue for a total review and replacement. The nature of cyber crimes and the skills

involved are such that existing legal framework cannot do much to control and contain the same.

In fact, the cyberspace technology has undermined to a major extent the traditional legal

concepts like property and has impacted the rules of evidence like burden of proof, locus standi

and concepts of ‘mens rea’.

Cybercrimes have set in a debate as to whether a new legislation is needed to deal with them or

existing legal regime is flexible enough to effectively deals with this new form of criminality.

Generally the countries that have shown concern to combat cybercrimes have adopted two

strategies, i.e., to approach computer crime both as traditional crime committed by/on high tech

computers and as crime unique in nature requiring new legal framework.17

16 A common example of this is where the accused hacker is an employee of a company and is accused of using the companies Intranet outside their authority. The problem arises in such a case of a person who is entitled to limited access but not access of the kind in question i.e. he is exceeding the limits of his authority. The question to be asked here is whether the person knew that he was unauthorized in that sense. The question of fact as to whether the hacker knew the limits of authority is often a finely balanced one. The difficulty with partial authority raises an issue of relevance for server operators also. 17 In America 31 States have passed new legislations to deal with computer related crimes whereas others have amended the definitions of Larceny to include electronic media. See Michael D. Rostorker et al. “Computer Jurisprudence, Legal Response to the Information Revolution”,

DEFINITION OF CYBERCRIMES

Cybercrime has recently become a catchy term for a group of security issues in cyberspace.

However, despite its frequent use there is no commonly accepted definition. Surely, cybercrime

is related to the realm of computers, however, there is no consensus on whether those computers

have to be interconnected or not. Some definitions exclude explicitly computer related crimes

that are not committed online, as they view cybercrime in the narrow sense, while others prefer

broader definitions including all kinds of computer related offenses. However, it is evident that

most computer crimes are committed online. The UN Manual on the prevention and control of

computer-related crime provides the following definition of cybercrime: Computer crime can

involve activities that are traditional in nature, such as theft, fraud, forgery and mischief, all of

which are generally subject everywhere to criminal sanctions. The computer has also created a

host of potentially new misuses or abuses that may, or should be criminal as well (UN 1994, par.

22).18

In July 1996, the UK National Criminal Intelligence Service launched a study of computer crime

called Project Trawler. In the study the terms computer crime, information technology crime and

cybercrime are interchangeable. Project Trawler defines computer crime as follows: An offence

in which a computer network is directly and significantly instrumental in the commission of the

crime. Computer interconnectivity is the essential characteristic (UKNCIS).19

According to UNO expert recommendations, the term of “cybercrimes” covers any crime

committed by using computer systems or networks, within their frameworks or against them.

Theoretically, it embraces any crime that can be committed in the electronic environment. In

(1986) at 344 In India also, the Indian Penal Code has been amended to cover computer related crimes and some such offences have been separately covered under the IT Act, 2000. See also, British Computer Misuse Act, 1990, Singapore Computer Misuse Act, 1993 (as amended 1998), Malaysian Computer Crimes Act, 1997.18<http://www.uncjin.org/Documents/irpc4344.pdf>19<http://www.ncis.co.uk/newpage1.htm>

other words, crimes committed by using e-computers against information processed and applied

in the internet can be referred to cybercrimes.

Cyber or Computer crimes are white-collar crimes and are committed by students, non-

professional computer programmers, business rivals, individuals having vested interest and

criminals. To define such a crime, one has to utter these three points:

When a computer is used in committing such a crime.

When computer technology is responsible for the wrongful loss and wrongful gain of two

individuals in a single transaction.

When any person commits an of the following acts, he is guilty of a computer crime:

- Knowingly or intentionally accesses and without permission alters, damages, deletes,

destroys, or otherwise uses any data, computer database, computer, computer system,

or computer network in order to-

(i) Devise or execute any unlawful scheme

(ii) Devise to defraud, deceive, or extort, or

(iii) Wrongfully control or obtain money, property, or data.

- Knowingly or intentionally accesses and without permission takes, copies, or makes

use of any data or computer database from a computer, computer system, or computer

network, or takes or copies any supporting documentation, whether existing or

residing internal or external to a computer, computer system, or computer network.

- Knowingly or intentionally accesses and without permission adds, alters, damages,

deletes, destroys any data, computer software, computer programs or computer

database which reside or exist internal or external to a computer, computer system, or

computer network.

- Knowingly or intentionally accesses and without permission disrupts or causes the

disruption of computer services or denies or causes the denial of computer services to

an authorized user of a computer, computer system, or computer network.

- Knowingly or intentionally accesses and without permission provides or assists in

providing a means of accessing a computer, computer system, or computer network.

- Knowingly or intentionally accesses and with the intent to defraud, obtains, or

attempts to obtain, or aids or abets another in obtaining, any commercial computer

service by false representation, false statement, unauthorized charging to the account

of another, by installing or tampering with any facilities or equipment or by any other

means.

- Knowingly or intentionally accesses and without permission accesses or causes to be

accessed any computer, computer system, or computer network.

- Knowingly or intentionally introduces or allows the introduction of any computer

contaminant or computer virus into any computer, computer system, or computer

network.20

CLASSIFICATIONS OF CYBERCRIMES: DIFFERENT BASIS

The internet with its speed and global access has made these crimes much easier, efficient, risk-

free, cheap and profitable to commit. New crimes created with the internet itself or for

commission of old crimes or incidental for commission of crime.21 Broadly stated, ‘cybercrime’

can be said to be an act of commission or omission, committed on or through or with the

help of or connected with, the internet, whether directly or indirectly, which is prohibited

by any law and for which punishment, monetary and/or corporal, is provided

20 Suresh T. Viswanathan,(2001), “The Indian Cyber laws”, at 81-83 21 Vivek Sood,(2001), “Cyber Law Simplified” at 39

A) Internet crime: The internet crimes include that group of crimes that make criminal use of

the internet infrastructure. These are:

Hacking

(a) Theft of information

(b) Theft of passwords

(c) Theft of credit cards numbers

(d) Launch of malicious programmes

Espionage

Spamming

B) Web based crime: Web based crimes have been categorized separately and have been further

classified separately and have been further classified into four subcategories.

(a) Web site related crime

Cheating and frauds

Insurance frauds

Gambling

Distribution of pornography

Sale of pirated software

(b) Crimes through e-mail

Threats

Extrotion

E-mail bombing

Defamation

Launching of malicious programmes

(c) Usenet related crime

Distribution/sale of pornography material

Distribution/sale of pirated software

Discussion on methods of jacking

Sale of stolen credit card numbers

Sale of stolen data

(d) Internet relay chat crime

Cyberstalking

Fraudsters use chat rooms for developing relations with unsuspecting victims

Criminals use it for meeting conspirators

Hackers use it for discussing their expertise of showing the techniques

Pedophiles use chat rooms to allure small children.22

Offences against the confidentiality, integrity and availability of computer data and

systems

(a) Illegal access

(b) Illegal interception

(c) Data interference

(d) System interference

(e) Illegal devices

Offences related to computer

(a) Computer-related forgery

(b) Computer-related fraud

(c) Computer sabotage22 Subhas P. Rathore and Bharat B. Das,(2001) “Cyber Crimes: The emerging trends and Challenges, Souvenir, National Conference on Cyberlaws and Legal Education”, NALSAR University of Law, at 56-57

(d) Cyberstalking

Offences related to contents

(a) Offences related to child pornography

(b) Offences related to infringements of copyright and related rights

Offences related to crime on web

(a) Computer network break-ins

(b) Industrial espionage

(c) Software piracy

(d) Cyber pornography

(e) Mail bombings

(f) Password sniffers

(g) Spoofing

(h) Credit card fraud

(i) Cybersquatting

CIVIL LIABILITY OR CRIMINAL LIABILITY IN CYBERCRIMES

The civil offences in Indian law impose only a liability for compensation to the person, who has

suffered, while the criminal offences may be punished with imprisonment and fine payable to the

State. There are crimes, which as come under both civil wrong and criminal offences so called

as hybrids. Various cyber crimes are there, which are mainly categorized into two broad ways:

Civil Liability: Civil liability provides remedy for compensation only which includes following

crimes, viz;

Defamation

Cybersquatting

Internet time theft

Copyright theft

Design theft

Patent theft

Software piracy

Spamming

Criminal wrong: Criminal liability provides remedy of punishment to offenders as well as

compensation to victims;

Cyberstalking

Cyber pornography/Child pornography

Sending threatening emails

Hacking

Cracking

Sending malicious programmes

Denial of service attack

Network sabotage

Sending virus and worms

Sending logic bombs, trojan horse, virus hoax

Cyber terrorism/Cyber warfare

Cyber frauds

Cyber gambling

Cyber cheating

Forgery

Cyber money laundering

Credit card frauds

Information theft

Data theft

OBJECTIVES OF INFORMATION TECHNOLOGY ACT, 2000

The objectives of The Information Technology Act, 2000 are defined as:

“To provide legal recognition for transactions carried out by means of electronic data

interchange and other means of electronic communication, commonly referred to as “electronic

commerce”, which involve the use of alternatives to paper-based methods of communication and

storage of information, to facilitate electronic filing of documents with the Government agencies

and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers’ Books

Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for matters connected

therewith or incidental thereto.”

In other words, the objectives are:-

To grant legal recognition for transactions carried out by means of electronic data

interchange and other means of electronic communication, commonly referred to as

“electronic commerce”, in place of paper-based methods of communication;

To give legal recognition to Digital Signature for authentication of any information or

matter which requires authentication under any law;

To facilitate electronic filing of documents with Government departments;

To facilitate electronic storage of data;

To facilitate and give legal sanction to electronic fund transfers between banks and

financial institutions;

To give legal recognition for keeping books of account by Bankers in electronic form.

The first 17 sections of the Act are largely based on Model Law on Electronic Commerce

adopted by United Nations Commission on International Trade Law. It contains 94 clauses

divided into XIII chapters. It has 4 schedules, Schedule I seeks to amend the Indian Penal Code;

Schedule II seeks to amend the Indian Evidence Act; Schedule III seeks to amend the Bankers’

Book Evidence Act; and Schedule IV seeks to amend the Reserve Bank of India Act.

Towards that end, the Act stipulates numerous provisions. It aims to provide for a legal

framework so that legal sanctity is accorded to all electronic records and other activities carried

out by electronic means.

SALIENT FEATURES OF THE INFORMATION TECHNOLOGY ACT, 2000

The Act has defined cybercrimes for the first time and provided for penalties, punishment and

compensation for hacking, unauthorised access to computer networks, altering database,

introducing computer viruses, disruption of services, copying of Intellectual Property Rights

(IPR) protected software, tampering with electronic documents and committing electronic

forgery. The IT Act has a provision of penalties up to Rs. 1 crore for damaging computer

systems and three-year jail term with a fine of Rs. 2 lakhs for hackers. But these penalties don’t

mean much if the existing police investigating officers, forensic scientists, and the judiciary are

not familiar with the intricacies of the internet. The Act covers a totally uncharted field with no

past experience even in other countries. Accordingly, future modifications, based on experience,

are not ruled out.

The salient features of the IT Act 2000 are as follows:

Provides legal recognition to e-commerce, which means that contracts can be enforced.

Records can be kept in an electronic form. Written records also mean electronic records

for the purposes of law.

Provides legal recognition for digital signatures. Digital signatures to be authenticated by

Certifying Authorities. Certifying Authorities to be overseen by a Controller of

Certifying Authorities.

Cyber crimes defined for the first time.

Adjudicating authorities to decide if cyber crimes have been committed. Also provide

cyber regulation advisory committee.23

The Information Technology Rules, 2000 provides The Information Technology

(Certifying Authorities) Rules, 2000 and The Cyber Regulations Appellate Tribunal

(Procedure) Rules, 2000.24

Cyber Law Appellate Tribunal25 to be set up to hear appeals against adjudicating

authorities.

Amendment of Indian Penal Code (1860), Indian Evidence Act (1872), Bankers’ Book

Evidence Act (1891) and the Reserve Bank of India Act (1934)26 to bring them in tune

with the information technology regime.

The Information Technology (Certifying Authorities) Rules, 200027 also stipulate the

Information Technology Security Guidelines in Schedule II.28

Also provide security guidelines29 for the management and operation of Certifying

Authorities (CAs) and is aimed at protecting the integrity, confidentiality and availability

of their services, data and systems.

23 See also Cyber Regulation Advisory Committee 24 See also The Information Technology Rules, 2000 25 See also Cyber Regulations Appellate Tribunal (Procedure) Rules, 200026 See also Schedules to the Information Technology Act, 2000 27 See also The Information Technology (Certifying Authorities) Rules, 200028 See also Information Technology (IT) Security Guidelines 29See also Security Guidelines for Certifying Authorities

The Act has paved the way for an exponential growth of e-commerce and other internet enabled

services like e-trading, e-shopping and e-banking. The provisions of the Act do not apply to a

negotiable instrument, a power of attorney, a trust, a will, and any contract for the sale or

conveyance of immovable property, or any interest in such property. It is significant that it

applies to any offence or contravention committed outside India by any person (irrespective of

his nationality), if it involves a computer, computer system, or computer network located in

India. It excludes network service providers from its ambit for any third party information (that

is, any information dealt with by them in their capacity as intermediaries) or data made available

by them, if they prove that the offence was committed without their knowledge, and they had

taken all precautions to prevent such commission. However, more explicitly, various computer

crimes that are not yet defined in the Act may be taken up to deal with the rapid technological

changes that would be taking place in future.

The Information Technology Act 2000 being India’s first cyber law is the central legislation,

which has been passed by the Parliament of India. Interestingly, it applies not only to the whole

of India including the State of Jammu & Kashmir but also applies to any contravention or

violation committed thereunder by any person anywhere in the world. State Governments have

also been given the powers to enact appropriate rules in the field of Information Technology. In

fact, Section 90 of the IT Act categorically states that the State Government may, by notification

in the official gazette, make rules to carry out the provisions of the Information Technology Act.

The rules to be made by the State Governments may include the electronic forms through which

common man communicates with the Government Departments or the format in which electronic

records shall be filed, created or issued and the manner of payment of any fee or charges for

filing, creation or issue of any electronic record. The State governments have appropriate

powers to legislate rules there under, apart from having powers to legislate on various steps

enumerated in the State List, which is detailed in the Constitution of India. Of course, it is

imperative to note that every rule made by the State Government under Section 90 of the IT Act

shall immediately be laid before each House of the State legislature for approval.30

In its resent form, the Act, therefore, not only recognizes the usefulness of e-commerce and

provide the necessary safeguards for the transactions by creating a necessary legal framework

but it also makes consequential amendments in the Indian Penal Code, Indian Evidence Act,

Reserve Bank of India Act and Bankers Book of Evidence Act, so that the offences relating to

documents and papers based transactions is made equal to the offences in respect of the

transactions carried out through the electronic media and further to facilitate electronic funds

transfer between the financial institutions and banks, and also to give legal sanctity to books of

accounts maintained in the electronic form by the banks.31

JURISDICTION- THE CONCEPT

The effectiveness of a judicial system rests on core of regulations, which define every aspect of a

system’s functioning; and principally, its jurisdiction. A court must have jurisdiction, venue and

appropriate service of process in order to hear a case and render an effective judgement.

Jurisdiction is the power of a court to hear and determine a case. Without jurisdiction, a court’s

judgement is ineffective and impotent. Such jurisdiction is essentially of two types, namely

subject matter jurisdiction and personal jurisdiction. Subject matter jurisdiction is defined as the

competence of the court to hear and determine a particular category of cases. It requires

determination whether a claim is actionable in the court where the case is filed and personal

jurisdiction is simply the competence of the court to determine a case against a particular

30 Pavan Duggal,(2002), “CyberLaw- The Indian Perspective”, at 1-5 31 U.K. Chaudhary,Jan 2001 , “Information Technology Act, 2000: A step in the right direction”, CS vol. 31 at 30-31

category whether the person is subject to the court in which the case is filed. These two

jurisdictions must be conjunctively satisfied for a judgement to take effect. It is the presence of

jurisdiction that ensures the power of enforcement to a court and in the absence of such power,

the verdict of a court, is of little or no use.32

INDIAN CONTEXT

The Information Technology Act, 2000 passed in India, is illustrative of the prevailing confusion

in the area of jurisdiction in the context of the internet. Section 1 of the Information Technology

Act, 2000, deals with the issue of applicability of this new law. Normally, the applicability of

laws within India can be broadly divided into the following major categories:

1. Laws applicable to all states of India barring Jammu & Kashmir.

2. Laws applicable only to Jammu & Kashmir.

3. Laws applicable to the entire country.

Jammu & Kashmir has been granted a special status under the Constitution of India and special

laws are applicable to that state. Keeping in mind the universal nature of the impact of computers

and Internet, the legislature has decided that the IT Act 2000 shall be applicable to the whole of

India including Jammu & Kashmir.

The Act begins by saying, in clause (2) to section 1, that it shall extend to the whole of India and,

save as otherwise provided in the Act, it applies also to any offence or contravention thereunder

committed outside India by any person. Clause (2) of section 75 of the Act simply states that,

“… this Act shall apply to an offence or contravention committed outside India by any person if

the act or conduct constituting the offence or contravention involves a computer, computer

32 Nandan Kamath,(2000) “Law Relating to Computers internet & E-Commerce : A guide to Cyber Laws & the IT Act,2000 with Rules & Regulations” at 20

system or computer network located in India”. Provisions of this nature are unlikely to be

effective for a number of reasons.

Firstly, it is unfair to suggest that the moment an Indian computer system is used, an action

defined by Indian laws as an “offence” would be subject to jurisdiction of Indian courts. To

illustrate, let us consider a web site located in a foreign country. The site may host content that

would be perfectly legal in its home country, but may be considered offensive or illegal in India.

If an Indian chooses to view this site on a computer situated in India, does that mean the site can

be prosecuted in an Indian courts? This would appear to violate principles of justice. As

explained earlier, the judicial trend of examining the amount of activity that a site undertakes in a

particular jurisdiction is a far more equitable method to determine jurisdiction. Further, even if

Indian Courts are to claim jurisdiction and pass judgements on the basis of the principle

expostulated by the IT Act, it is unlikely that foreign Courts will enforce these judgements since

they would not accept the principles utilized by the Act as adequate to grant Indian courts

jurisdiction. This would also render the Act ineffective.

The Indian jurisprudence with regard to jurisdiction over the internet is almost non-existent. In

the first place, as the result of the strongly unitary model of government prevalent in India,

interstate disputes never assume the level of private international law. Hence, there has been

precious little by way of development of private international law rules in India. Furthermore,

there have been few cases in the Indian courts where the need for the Indian courts to assume

jurisdiction over a foreign subject has arisen. Such jurisprudential development would however,

become essential in the future, as the internet sets out to shrink borders and merge geographical

and territorial restrictions on jurisdiction. It is worthwhile to consider the issue of jurisdiction at

two levels. In the first place, given the manner in which foreign courts assume jurisdiction over

the internet related issues (as evidenced by the cases discussed above), the consequences of a

decree passed by a foreign court against an Indian citizen must be examined. In other words,

under what circumstance can the decision of a foreign court be enforced against an Indian citizen

or a person resident in India? It is necessary to examine the circumstance under which the Indian

courts would assume jurisdiction over foreign citizens in order to better understand the rights of

an Indian citizen who is affected by the act of a foreign citizen.

CYBERJURISDICTION IN INFORMATION TECHNOLOGY ACT, 2000

However, the law has gone much further. It shall also apply to any violation or contravention of

the provisions of this Act done by any person anywhere in the world. By means of this provision,

the law is assuming jurisdiction over violators of The Information Technology Act, 2000 outside

the territorial boundaries of India. This provision is explained perhaps by the unique nature of

cyberspace, which knows no boundaries. The Information Technology Act, 2000 specifically

provides that unless otherwise provided in the Act, the Act also applies to any offence or

contravention thereunder committed outside India by any person irrespective of his nationality.33

It is however clarified that the Act shall apply to an offence or contravention committed outside

India by any person if the act or conduct constituting the offence or contravention, involves a

computer, computer system or computer network, located in India.34 The words “act or conduct

constituting the offence or contravention involves a computer, computer system or computer

network located in India” are very significant to determine jurisdiction ofthe IT Act over acts

committed outside India. For assuming jurisdiction over an act constituting an offence or

contravention under the IT Act, which is committed outside India, it has to be proved that the 33 Sec. 1(2) of IT Act, 200034 Sec. 75 of IT Act, 2000

said act involves a computer, computer system or computer network located in India. For

instance, where a website is created in the US which contains pornographic material, it shall not

give the IT Act jurisdiction to question the site unless the creation or maintenance or running

ofthe site involves a computer, computer system or computer network located in India. But

where the said website uses a server or any other computer network located in India, the IT Act

would assume jurisdiction to question the website under section 67 of the IT Act. Another

instance to explain the jurisdiction of the IT Act is where a person from the US hacks a computer

system or network in India, section 66 of the IT Act would come into play to punish the accused

for hacking because his act involves a computer in India. Similarly, where a person anywhere in

the world plants a virus into a computer system located in India, he would be liable under section

43(c) of the IT Act to pay damages by way of compensation net exceeding Rs 1 crore to the

victim.

Section 75 of the IT Act is restricted only to those offences or contraventions provided therein

and not to other offences under other laws such as the Indian Penal Code, 1860. Jurisdiction

over other cyber crimes, for instance under the Indian Penal Code, 1860, has to be determined by

the provisions of the Criminal Procedure Code, 1973. The fundamental principle on jurisdiction

is the same under the IT Act35 and the Criminal Procedure Code, 1973, though stated differently.

The basic legal principle of jurisdiction under the Code of Criminal Procedure, 1973 is that every

offence shall ordinarily be inquired into and tried by a court within whose local jurisdiction it

was committed.36 These principles in the Code of Criminal Procedure, 1973 apply for

determining jurisdiction in trial by courts as well as in investigation by the police. In a case

where an offence is committed in more places than one, or partly in one place and partly in

35 Sec. 1(2) r/w Sec 75 of IT Act, 200036 Sec. 177 of Cr.P.C., 1973

another, or where it is continuing and continues to be committed in more than one local area, or

where the offence consists of several acts done in different local areas, then it may be inquired

into or tried by a court having jurisdiction over either of such areas.37 In the event where it is

uncertain in which of several areas the offence was committed, again it may be inquired into or

tried by a court having jurisdiction over either of such areas of uncertainty.38

In a case where an act is an offence by reason of anything, which has been done and of a

consequence, which has ensued, the offence may be inquired into or tried by a court within

whose local jurisdiction such act has been done or such consequence has ensued.39 For instance,

in a case of defamation, either of the courts, i.e. of the place from where the defamatory letter

was e-mailed and the place at which it was published or received, if different, shall have

jurisdiction to inquire and try the same. To cite another instance; where in pursuance of misrep-

resentation by A through e-mail from place X, property was delivered at place Y, A can be tried

for the offence of cheating either at place X or Y. In a case where a person in Bombay does an

act of hacking of a computer system located in Delhi, he may be tried either in Bombay or Delhi.

In a case where an act is an offence by reason of its relation to any other act which is also an

offence or which would be an offence if the doer was capable of committing an offence, the first

mentioned offence may be inquired into or tried by a court within whose local jurisdiction either

of the acts was done. For instance, in a case of manufacture of sub-standard fertilizer in place X,

which is marketed through e-commerce at place Y, prosecution can be launched at either of the

said places because the marketing of the sub-standard fertilizer is an offence by reason of sub-

standard manufacture.

37 Sec. 178 of Cr.P.C., 197338 Sec. 178(a) of Cr.P.C., 197339 Sec. 179 of Cr.P.C., 1973

Certain specified offences have been required by law to be inquired into or tried in certain

places.40 For instance, an offence of criminal misappropriation or of criminal breach of trust,

may be inquired into or tried by a court within whose local jurisdiction the offence was

committed or any part of the property which is the subject of the offence was received or

retained or was required to be returned or accounted for, by the accused person.41 For example,

if an employee of a company based at Delhi, by operating through the internet bank account of

his employer company in a Bombay bank, transfers funds to his account at Calcutta, the case of

misappropriation can be tried either at Delhi or Bombay where the offence was partially

committed or at Calcutta where the money was received and retained.

The law also provides that in the case of any offence which includes cheating, if the deception is

practiced by means of letters or telecommunication messages, it may be inquired into or tried by

any court within whose jurisdiction such letters or messages were sent or where the same were

received.42 Moreover, any offence of cheating and dishonestly inducing delivery of property

may be inquired into or tried by a court having jurisdiction on the place where the property was

delivered by the person deceived or where it was received by the accused person.43

In a case where two or more courts take cognizance of the same offence and a question arises as

to which of the courts has jurisdiction to inquire into or try that offence, this question shall be

decided by the High Court, under whose jurisdiction both such courts function.44 However, if the

courts are not subordinate to the same High Court, the question of jurisdiction shall be decided

by the High Court within whose appellate criminal jurisdiction the proceedings were first

commenced.45 In such circumstances, all other proceedings with respect to that offence shall be

40 Sec. 180 of Cr.P.C., 197341 Sec. 181 of Cr.P.C., 197342 Sec. 182 of Cr.P.C., 197343 Sec. 182 of Cr.P.C., 197344 Sec. 186 (a) of Cr.P.C., 197345 Sec. 186 (b) of Cr.P.C., 1973

discontinued. Where two or more courts have jurisdiction over an offence, the choice of the

court for institution of the case lies with the complainant. He will obviously choose the forum,

which is most convenient for him and most inconvenient for the accused.

The law of jurisdiction stated in the Criminal Procedure Code, 1973 and section 75 of the IT Act,

2000, as discussed herein, is clear, specific and covers different situations which are likely to

generally arise in cyber crime cases. The internet by its nature and purpose operates when the

parties interacting or transacting are not physically face to face with one another. Due to the

global access of the internet, cyber crimes generally tend to transcend or disregard geographical

boundaries. These factors imply that in most cases of cyber crime, except where insiders are

involved, there would be two or more places, one from where the cyber criminal inflicts the

injury-for instance hacks, and the place where the injury is inflicted-for instance at the location

of the victim computer, which is hacked. This is in contrast to traditional crimes of rape, murder

and kidnapping where the criminal and the victim are at the same place. Moreover, every

criminal makes all possible attempts to conceal his identity and place of operation. Alibi is a

common defence in criminal matters. This basic tendency of a criminal coupled with the permis-

sible anonymity provided by the internet makes the cyber criminal almost invisible. Thus, in

terms of practical application of the law of jurisdiction over cyber crimes, in most cases, the

place of jurisdiction shall be where the victim is inflicted with the injury, whether personally, for

instance by fraud, or on his computer, computer system or computer network.

There is a valid point in the criticism that such a law assuming extra territorial jurisdiction passed

by the legislature is not enforceable in the real world. It is contrary to the principles of

international law to assume jurisdiction over citizens of another country, and so, it is likely to

lead to conflict of jurisdiction of different courts situated in different national jurisdictions. Also

it is important to note that there are differences between national legislations, laws, legal

processes and procedures.

Further compounding the problem is the issue that a particular act in one national jurisdiction is

legal and not barred by law but the same activity is illegal and barred by law, prevailing in

another national jurisdiction. Another ground of criticism has been that Section 1 does not lay

down the parameters of how such a provision would be enforceable in practical terms across

transnational boundaries and jurisdictions. Governments can take recourse to the extradition

process to bring to book the cyber criminals outside the territorial jurisdiction of their country,

provided there is a valid extradition treaty in place between the relevant countries. But the route,

as stipulated in Section 1 of the IT Act, 2000 is likely to throw up a complex arena of difficulties

in actual day-to-day implementation.

The existing international law pertaining to sovereignty of a nation also details that a sovereign

notion can make laws affecting people who reside within its territorial boundaries. However, the

birth of Internet has seen geography become history and transactions taking place over networks

are transnational in nature, thereby complicating the entire issue of jurisdiction. This becomes

all the more evident from the emerging principles from various judgments relating to Jurisdiction

over Internet. From the beginning of Internet, the issue of jurisdiction has continued to challenge

legal minds, societies and nations in the context of the peculiarly inherent character of the

Internet. Section 1(2) and Section 75 of the IT Act, 2000 provide for extra-territorial jurisdiction

of the Indian courts, which, however, seem implausible to be implemented. The courts in India

at present have not been uniform in following the US trend of asserting jurisdiction on the basis

of active accessibility of site. So far, in various Internet domain names related cases, the Delhi

High Court has assumed jurisdiction merely on the basis of accessibility of Internet.

In the famous Yahoo! France case entitled Yahoo! Inc. v. La Ligue Contre Le Racisme et L

‘Antisemitisme46, the judicial thinking on jurisdiction got further refined. This judgment has far

reaching significance and consequences on the entire subject of jurisdiction. Till now, the courts

anywhere in the world could assume and were assuming jurisdiction on Internet transactions and

websites that were located outside the country.

This decision underlines the principle that even if a foreign court passes a judgment or direction

against a legal entity of a particular country say country A, then that judgment or direction would

not be applicable automatically to country A’s legal entities or citizens. The decision or direction

of the foreign court will need to be scrutinized by country A’s courts keeping in mind the touch

stone and basic principles enshrined in the Constitution of the country as also enshrined in the

local laws of that country, before it can be enforceable in country A.

It is evident that the courts are looking into the totality of the circumstances when determining

whether to exercise jurisdiction over individuals involved in Internet related activities. However,

the coming of the Zippo case in the US changed the legal principles concerning assuming of

jurisdiction. In this case, the American Court decided that there must be “something more” than

mere Internet access in order to enable the court to assume jurisdiction. It is yet to be seen how

the Indian approach on jurisdiction emerges with the coming of the IT Act, specially Section 1

(2) and Section 75 (1) of its provisions, which specifically provides for its extraterritorial

jurisdiction. This extraterritorial jurisdiction all across the world can be exercised if the offence

or contravention of the IT Act concerns or impacts or affects a computer, computer system or

computer network which is located in India. In practical terms, such an extraterritorial

jurisdiction can hardly be enforced given the present growth and context of international Law,

Cyber law and cyber space.

46 2001 U.s. Dist. LEXIS 18378 (N.D. Cal. 2001) & 145 F. Supp. 2d 1168 (N.D.Cal. 2001)

As per sub-section (3) of Section 1, the Information Technology Act, 2000 shall came into force

on such date as the Central Government may by notification appoint. The Central Government

issued a notification on 17th October 2000 bringing into force The Information Technology Act,

2000.

POSITIVE ASPECTS OF THE INFORMATION TECHNOLOGY ACT, 2000

The Information Technology Act, 2000 is a laudable effort to create the necessary legal

infrastructure for promotion and growth of electronic commerce. Prior to the coming into effect

of the IT Act, 2000, the judiciary in India was reluctant to accept electronic records and

communications as evidence. Even email was not accepted under the prevailing statutes of India

as an accepted legal form of communication and as evidence in a court of law. The IT Act, 2000

changed this scenario by legal recognition of the electronic format. Indeed, the IT Act, 2000 is a

step forward.

From the perspective of the corporate sector, the IT Act 2000 and its provisions contain the

following positive aspects:

1. The implications of these provisions for the corporate sector are that email is now be a

valid and legal form of communication in our country, which can be duly produced and

proved in a court of law. The corporates today thrive on email, not only as the form of

communication with entities outside the company but also as an indispensable tool for

intra company communication. Corporates ought to understand that they shall need to be

more careful while writing emails, whether outside the company or within, as emails, in

whatever language, could be proved as a legal document in a court of law, sometimes to

the detriment of the company. Even intra company notes and memos, till now used only

for official purposes, shall come within the ambit of the IT Act, 2000 and will be

admissible as evidence in a court of law. A lot would of course depend upon how these

emails are proved in a court of law.

2. Companies shall be able to carry out electronic commerce using the legal infrastructure

provided by the IT Act, 2000. Till the coming into effect of the Indian cyberlaw, the

growth of electronic commerce was impeded in our country basically because there was

no legal infrastructure to regulate commercial transactions online.

3. Corporate will now be able to use digital signatures to carry out their transactions online

as legal validity and sanction given under the IT Act, 2000.

4. The IT Act, 2000 also throws open the doors for the entry of corporate in the business of

being Certifying Authorities for issuing Digital Signature Certificates. The law does not

make any distinction between any legal entity for being appointed as a Certifying

Authority so long as the norms stipulated by the IT Act, 2000, rules and regulations made

thereunder have been followed.

5. The Act also enables the companies to file any form, application or any other document

with any office, authority, body or agency owned or controlled by the appropriate

government in the electronic form as may be prescribed by the appropriate government,

thereby saving costs, time and wastage of precious manpower.

6. Corporate is mandated by different laws of the country, to keep and retain, valuable and

corporate information. The IT Act, 2000 enables companies legally to retain the

information in the electronic form, if

the information contained therein remains accessible so as to be usable for a

subsequent reference;

the electronic record is retained in the format in which it was originally generated,

sent or received or in a format, which can be demonstrated to represent accurately

the information originally generated, sent or received;

the details, which will facilitate the identification of the origin, destination, date

and time of despatch or receipt of such electronic record, are available in the

electronic record.

7. The IT Act, 2000 addresses important issues of security, which are so critical to the

success of electronic transactions. The Act has given legal definition to the concept of

secure digital signatures, which would be required to have been passed through a system

of a security procedure, as agreed to by the parties concerned. In times to come, secure

digital signatures shall playa major role in the New Economy, particularly from the

perspective of the corporate sector, as they will enable more secure transactions online.

GREY AREAS OF THE INFORMATION TECHNOLOGY ACT, 2000

1.The IT Act, 2000 purports to be applicable to not only the whole of India but also to any

offence or contravention thereunder committed outside India by any person. This provision in

Section 1 (2) is not clearly drafted. It is not clear as to how and in what particular manner, the

Act shall apply to any offence or contravention thereunder committed outside India by any

person.

2. There is no logic in excluding negotiable instruments from the applicability of the IT Act,

2000. The net effect of this exclusion is that any dispute regarding payments, received by means

of any negotiable instruments for an e-commerce transaction, are excluded from the protection of

the IT Act, 2000. It refers to promoting electronic commerce and begins by excluding

immovable property from the ambit of electronic commerce, a reasoning that defies logic.

3. The IT Act, 2000 has failed to legalize electronic fund transfer in the country. The IT Act,

2000 does not recognize the concept of electronic payments, digital cash, electronic cash,

electronic money or other existing systems of electronic payments.

4. Domain names have not been defined and the rights and liabilities of domain name owners do

not find any mention in the law .

5. The IT Act, 2000 does not deal with any issues concerning the protection of Intellectual

Property Rights.

6. The language of Section 40 of the IT Act, 2000. Section 40 provides for generating key pairs

in Chapter VIII dealing with the duties of subscribers. It states that where any Digital Signature

Certificate, the public key of which corresponds to the private key of the subscriber, which is to

be listed in the Digital Signature Certificate, has been accepted by a subscriber, then, the

subscriber shall generate the key pair by applying the security procedure. The entire wording of

Section 40 is faulty and has been shown in such a way as to denote that the acceptance of the

Digital Signature Certificate precedes the generation of key pair by the subscriber.

7. IT Act, 2000 covers only a limited number of cyber crimes such as damage to computer

source code, hacking, publishing obscene electronic information, breach of protected systems,

publishing Digital Signature Certificates false in certain particulars or for fraudulent purposes.

Barring these offences, no other cyber crimes are covered under the IT Act. The IT Act 2000

does not cover various cybercrimes including cyber stalking, cyber harassment, cyber

defamation, cyber terrorism, spamming, cyber fraud, cyber gambling, Theft of internet hours,

Cyber theft, Cyber Cheating, Cyberventing, Credit Card Fraud, Cyber Forgery, Identity Fraud,

E-mail Spoofing, Credit Card Fraud, Chat room abuse, Cyber Money Laundering, Password

Sniffing, Spamming, Electronic Evesdropping, Child Pornography, Mail Bombing, E-mail

Scams, etc.

8. The IT Act, 2000 is silent on covering all kinds of offences dealing with abuses of chat rooms.

9. The IT Act, 2000 is that it is silent on the issue of online credit card payments, misuse and

misappropriation of credit card numbers online.

10. The IT Act, 2000 is completely silent about the bailability or otherwise of the offences

prescribed in Chapter XI. There is no categorical mention at any point in Chapter XI from

Section 65 till Section 78 as to whether the offences prescribed under the sections are bailable or

not.

11. The Information Technology Act, 2000 has not tackled several vital issues pertaining to e-

commerce sphere like privacy and content regulation to name a few. Privacy issues have not

been touched at all. The right to privacy is recognized as a fundamental right under Article 21 of

the Constitution.

CHALLENGES OF CYBER CRIME IN INDIA

Cyber crime in India is no longer an illusion. The situation could go out of hand if computer

users, both in the government and the private sector, do not sit up and brace themselves to the

challenge. For the police, the temptation especially to view attacks on computer systems, as just

another form of crime is great. Three aspects of cyber crime deserve focused attention. These

are:

the legal safeguards that are available;

the adequacy of training of prosecutors and the judiciary; and

the nature of links forged by the Indian police with foreign law enforcement agencies so

that cooperation in matters of investigation and training is readily forthcoming.

Cyber crime does not recognise national borders. More than 30 countries have separate laws in

their statute book to check this menace. This Act is solely meant to quell cyber crime. It is a

piece of legislation intended mainly to lend legal recognition to e-commerce. It is also meant to

facilitate electronic filing of documents with the government agencies. The Indian Penal Code is

so well drafted that offences not listed in the IT Act right now can still be tackled through it, till

such time we are convinced that the IT Act needs to be recast in order to cope with the

expanding contours of cybercrime. We may also have to examine whether we need more than

one enactment. The volume and nature of cybercrime in our country would demand in course of

time a variety of laws. Apart from private digital enterprises, law enforcement agencies

including the Central Bureau of Investigation (CBI), the Enforcement Directorate, the

Directorate of Revenue Intelligence and the Income-Tax Investigation Wing, could provide

valuable inputs to the government. There is also the need to draw from the international

experience. No systematic effort has been made till now to impart training to prosecutors and

judges, although there is evidence of their keenness to become knowledgeable. Possibly, the

initiative may have to come from law enforcement agencies that have quality instructors and

training institutions. It is not difficult to draft special capsules for this purpose. Policing in

cyber space was a challenging job.

CONCLUSION

In sum, though cyber space is a global phenomenon that cannot be easily tackled but the

Information Technology Act, 2000 is a great step forward and it is the right initiative at the right

time. There is no doubt that such a law is absolutely necessary in the country today. The

medium that the Act seeks to regulate and facilitate has so profound an impact on human life that

it is beyond the comprehension of contemporary visionaries. It is perhaps only in hindsight,

several years later, that the extent and scale of the impact could be gauged. It could not therefore

have been allowed to run lawlessly without any system of checks and without clearly defined

rights and liabilities and forums in which to enforce them effectively. The law has not, therefore,

come a moment too soon and it is sincerely hoped that the Act would pave way for proper legal

control regime at national level.