INTRODUCTION
Under the Information Technology Act, computer crimes such as hacking into a computer system, cyber terrorism, and fraudulent use of electronic signatures are punishable offences. Banks and financial institutions which issue credit cards typically obtain insurance against financial frauds, which enables them to reimburse the customer in the event a credit card is misused. Indian law imposes certain obligations on entities which collect certain kinds of personal information of individuals which is considered to be sensitive. This obligation applies to ecommerce websites. The obligations for data protection are set out in the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). Body corporates, including companies, firms or any association of individuals engaged in commercial activities that involve collection of personal data, have to comply with these rules.[1] This provision is also applicable to cloud computing services. Reasonable security practices and procedures are defined to mean security practices designed to protect information from unauthorized access, damage, use, modification, disclosure or impairment as specified in an agreement between parties or under any law (Information Technology Act, 2000).
Cybercrimes can be categorized into two broad categories:
- Content-related cybercrimes: these include posting exploit content on the internet, sending offensive or hurtful emails, hacking and destroying the content of a website etc.
- Financial fraud: misuse of credit card or other financial information which directly causes a loss to an individual or business.[2]
Alternatives available to minimize the harm caused by internet crimes
Due to the problems in prosecuting offenders, corrective or preventive actions are frequently taken at a managerial level to prevent harm caused by cybercrimes. For example, a content-based business could maintain extensive backups (which can enable the business to restore its state much more easily in the event of hacking), and a business which processes personal or financial information of customers can establish multiple layers of security or use good encryption techniques.[3]
The alternatives typically used to minimize harm caused by offences pertaining to financial fraud are different from those deployed for content-related offences and are as follows:
Financial frauds: Most banks provide a “card-holder form” to report instances of credit card misuse to the bank. This process is usually not transparent and extremely secretive. Banks run the risk of being sued by customers in consumer courts for not protecting sensitive data or providing deficient services.[4]
Harmful content on the internet: Issuing takedown notices to intermediaries which host or enable access to content that is prohibited under Indian law can be very effective in minimizing harm. Since legal proceedings can take significant time to conclude, immediate relief can be obtained from hosts or other intermediaries that provide access to the offensive content, which can lead to removal of offensive content from the internet.[5]
Shreya Singhal’s case[6] and Section 66A of the Information Technology Act, 2000.
Section 66A[7] states punishment for sending offensive messages through communication service, etc.
The court struck down the entire provision for the following reasons:
- Section 66A limits freedom of speech and expression, but the grounds on which it does so do not correspond to Article 19(2) of the Constitution of India, which specifies the limited grounds on which the freedom can be restricted.
- It cannot be said that the legislature was not aware of Article 19(2) of the Constitution of India. In the IT Act itself, the grounds for blocking in Section 69A closely correspond to Article 19(2).[8]
- The terms mentioned in section 66A such as annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, are too vague and not defined in the act such as section 66,66B to 67B[9] pertaining to criminal offences define the offence they punish for cannot be made to the Indian penal code, as there is no provision specifically allowing that under the IT act.[10]
How can one identify the intermediaries involved when you take a particular action on the internet?
Let us take an example of content posted by a user by way of blog, or a video upload on YouTube.
The content is hosted on YouTube’s servers, or a cloud hosting service. These servers could be located anywhere in the world. Accessing the services of a website may involve accessing content stored over multiple locations. A visitor to YouTube accesses this information through their internet service provider.[11]
- Risks of operating as an intermediary
Under law, if a person’s legal rights are violated by another person, any persons who have incited, abetted or aided the wrongdoer in committing the violation may also be held responsible.
- Formal definition of intermediary
The IT Act has a relatively formal definition of intermediaries which is provided here.
Under the IT Act, an intermediary is defined to include “any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet providers, web hosting service providers, search engines, cyber cafes etc.”[12]
- Intermediary liability under IT Act
In order to protect intermediaries from the risk of liability from illegal or unlawful activities on the internet where the intermediaries have not been actively involved, the IT Act was amended in 2008. As per the IT Act in its current form, an intermediary must not knowingly publish, host or initiate transmission of unlawful information.[13] The intermediary will be liable if:
- It has knowingly aided the commission of an unlawful act, or;
- If after receiving actual knowledge or being notified by a government or its agency that information hosted on a computer resource regulated by the intermediary is being used to commit an unlawful act, it does not remove information expeditiously.[14]
When the intermediary has not knowingly participated in the commission of unlawful activity, it is granted protection from liability. As per the IT Act, an intermediary will not be liable in respect of third party information or data hosted by it under the following circumstances:
- The function of the intermediary is restricted to providing access to a system where the third party information is transmitted, stored or hosted,
- When the intermediary does not a) initiate the transmission of the information, b) select the receiver of the information, i.e. when the intermediary is merely a ‘blind’ carrier of information sent by a person to another person.[15]
- Due diligence as per the Intermediary Rules:
Appointment of grievance officers:
As per the Intermediary Rules, websites must appoint grievance officers whose appointment must be made known to users.[16]
Publication of policies:
Intermediaries must also publish: a) a set of rules and regulations, b) a privacy policy and c) a user agreement for access or usage of their resources. These policies must notify users not to host, display, upload, modify, publish, transmit, update or share certain prohibited categories of information.[17]
- Consequences of breach of the provisions of the IT Act by intermediaries:
- Wrongful disclosure of confidential information: Disclosure of confidential information by intermediaries without the consent of the concerned persons, and with the knowledge that it may cause wrongful loss, is punishable with imprisonment of three years and fine up to INR 50,000.[18]
- Non-compliance with an order to intercept information: Failure to comply with orders to share information with government agencies issued pursuant to the IT Act is punishable with imprisonment up to 7 years and fine.[19]
Case Study of WhatsApp privacy policy modification after Facebook acquisition[20]
After its acquisition by Facebook, WhatsApp intended to share user details with Facebook and modified its privacy policy accordingly. It gave its users until 25th September, 2016 to opt in to the new privacy policy if they wished to continue with the service, or else they would have to opt out. This was challenged in Karmanya Singh Sareen vs. Union of India[21] before the Delhi High Court, where the Court ordered the following:
- If the users opt for completely deleting “whatsapp” account before 25.09.16, the information/details of such users should be deleted completely from “Whatsapp” servers and the same shall not be shared with the “Facebook” or any of its group companies.
- So far as the users who opt to remain in “Whatsapp” are concerned, the existing information/data/details of such users up to 25/09/16 shall not be shared with “Facebook” or any group of companies.
- The court also asked TRAI and Department of Telecommunication to take a call on whether they would like to bring these under statutory regulatory framework.[22]
How to recover lost money under Information Technology Act, 2000?
Cyberspace is increasingly used by organized criminal groups to target credit cards, bank accounts and other financial instruments for fraudulent transactions. Online fraud is considered to be the third amongst economic crimes prevalent in India according to the Global Economic Crime Survey, 2011, conducted by PricewaterhouseCoopers, which includes online auctions, internet access service, work at home plans, payment methods, credit cards, debit cards etc.[23]
Nabbing a cyber-fraudster who might have committed the offence sitting at a distant location possibly on a foreign shore will be difficult for a common person.[24]
Banking Fraud methods:
Most online banking frauds are conducted either through phishing, stealing of banking information or through cloning of credit cards/debit cards. In phishing, a fraudster sends the victim an email pretending to be from the bank, asking for personal details including banking information like PIN code or banking user name and password on some pretext or the other. Once the person reveals such crucial information, the fraudster may withdraw or transfer the money from the account of the victim. In most cases, due to lack of awareness, people fall into the traps of such people and lose huge amounts of money.[25]
A selected study of banking frauds revealed that the fraudster mostly applies the following tactics to defraud innocent people:
- Stealing of the original credit/debit cards and using the cards at shopping merchants
- Cloning/duplication of credit/debit cards
- Phishing scams where the information has been revealed by the customer himself
- Leakage of PIN/credit/debit card details
- Usage of stolen mobile SIM cards to receive One Time Password[26]
How to recover this lost money through fraudulent bank transfers under Information Technology Act, 2000?
One can file an application before the Adjudicating Officer appointed under Section 46 of the Information Technology Act, 2000 claiming breach of reasonable security procedures by the bank.[27] An analysis of selected cases ordered by the Adjudicating Officer in the state of Maharashtra revealed that the banks and telecom operators in most cases have failed to maintain reasonable security procedures, including non-compliance with KYC norms, anti-money laundering guidelines and automatic suspicious transaction monitoring facilities. As per Section 43A of the Information Technology Act, 2000, the banks and other intermediaries who have failed to maintain reasonable security procedures must pay adequate damages as compensation to such person so as to cover the loss. The Adjudicating Officer has the power to adjudicate in matters where the claim does not exceed INR 5 crores. The banks must prove that they have maintained reasonable security procedures to prevent such fraudulent acts. In case the bank fails to prove that it has maintained reasonable security procedures, the Adjudicating Officer, who has the powers of a Civil Court, may order the bank to pay damages as compensation to the victim.[28]
[1] 4 Cyber Security Threats for 2017, University of San Diego (2018), https://onlinedegrees.sandiego.edu/4-cyber-security-threats-2017/ (last visited Jan 9, 2018).
[2] Forbes Welcome, Forbes.com (2018), https://www.forbes.com/sites/forbestechcouncil/2017/01/17/why-cybersecurity-should-be-the-biggest-concern-of-2017/#4fef33ce5218 (last visited Jan 10, 2018).
[3] Michelle Drolet, 5 cyber security trends to watch for 2017 CSO Online (2018), https://www.csoonline.com/article/3150255/security/5-cybersecurity-trends-to-watch-for-2017.html (last visited Jan 7, 2018).
[4] Vivek Tripathi, Cyber Laws India Cyberlawsindia.net (2018), http://cyberlawsindia.net/ (last visited Jan 14, 2018).
[5] What is Data Security? – Definition from Techopedia, Techopedia.com (2018), https://www.techopedia.com/definition/26464/data-security (last visited Jan 8, 2018).
[6] WRIT PETITION (CRIMINAL) NO.167 OF 2012
[7] Information Technology Act, 2000
[8] The Constitution of India, 1950
[9] Information Technology Act, 2000
[10] (2018), https://blog.ipleaders.in/need-know-cyber-laws-india/ (last visited Jan 11, 2018).
[11] Supra at note 5
[12] CYBER CRIMES AND THE CYBER LAWS IN INDIA, Legal News / Law News & Articles – Free Legal Helpline – Legal Tips : Legal India (2018), https://www.legalindia.com/cyber-crimes-and-the-law/ (last visited Jan 19, 2018).
[13] Ibid
[14] Ibid
[15] Supra at note 9
[16] Need and Importance of Cyber Law | Cyberspace | Cybercrime, Scribd (2018), https://www.scribd.com/doc/12655949/Need-and-Importance-of-Cyber-Law (last visited Jan 18, 2018).
[17] Cite a Website – Cite This For Me, Cis-india.org (2018), https://cis-india.org/internet-governance/blog/shreya-singhal-judgment.pdf (last visited Jan 14, 2018).
[18] Social share privacy, SFLC.in (2018), https://sflc.in/shreya-singhal-v-union-of-india-w-p-crl-no-167-of-2012 (last visited Jan 17, 2018).
[19] CYBER CRIMES AND THE CYBER LAWS IN INDIA, Legal News / Law News & Articles – Free Legal Helpline – Legal Tips : Legal India (2018), https://www.legalindia.com/cyber-crimes-and-the-law/ (last visited Jan 19, 2018).
[20] http://ec.europa.eu/competition/mergers/cases/decisions/m7217_20141003_20310_3962132_EN.pdf (last visited Jan 12, 2018).
[21] SLP (C) 804/2017
[22] Supreme Court to Facebook, WhatsApp: Have you shared user details?, The Indian Express (2018), http://indianexpress.com/article/india/supreme-court-to-facebook-whatsapp-have-you-shared-user-details-4832144/ (last visited Jan 17, 2018).
[23] Ibid
[24] Supra at note 11
[25] Nupur Anand, The three big problems in India’s banking sector, according to the RBI Quartz (2018), https://qz.com/1020168/the-rbi-is-worried-about-three-big-problems-in-indias-banking-sector/ (last visited Jan 13, 2018).
[26] Cyber Laws in India – IT Act – Cyber lawyers, Legalserviceindia.com (2018), http://www.legalserviceindia.com/cyber/cyber.htm (last visited Jan 16, 2018).
[27] (2018), http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.431.7770&rep=rep1&type=pdf (last visited Jan 15, 2018).
[28] Indianresearchjournals.com (2018), http://indianresearchjournals.com/pdf/IJMFSMR/2013/March/16.pdf (last visited Jan 16, 2018).