Cyber Law of India


Cyber Law of India : Introduction

Put simply, cyber crime is any unlawful act in which the computer is either a tool or a target or both.

Cyber crimes can involve criminal activities that are traditional in nature, such as theft, fraud, forgery, defamation and
mischief, all of which are subject to the Indian Penal Code. The abuse of computers has also given birth to a gamut of new
age crimes that are addressed by the Information Technology Act, 2000.

Cyber crimes can be categorized in two ways:

The computer as a target: using a computer to attack other computers.

e.g. Hacking, Virus/Worm attacks, DoS attacks etc.

The computer as a weapon: using a computer to commit real-world crimes.

e.g. Cyber Terrorism, IPR violations, Credit card frauds, EFT frauds, Pornography etc.

Cyber crime is regulated by Cyber Laws or Internet Laws.

Technical Aspects
Technological advancements have created new possibilities for criminal activity, in particular the criminal misuse of information
technologies such as:

a. Unauthorized access & Hacking:-

Access means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a
computer, computer system or computer network.

Unauthorized access would therefore mean any kind of access without the permission of either the rightful owner or the person
in charge of a computer, computer system or computer network.

Every act committed towards breaking into a computer and/or network is hacking. Hackers write or use ready-made computer
programs to attack the target computer. They possess the desire to destroy and they get a kick out of such destruction. Some
hackers hack for personal monetary gain, such as stealing credit card information or transferring money from various bank
accounts to their own account followed by withdrawal of money.

Taking control of another person's website by hacking the web server is called web hijacking.

b. Trojan Attack:-

Programs that act like something useful but do things that are quite damaging are called Trojans.

The name Trojan Horse is popular.

Trojans come in two parts, a Client part and a Server part. When the victim (unknowingly) runs the server on their machine, the
attacker then uses the Client to connect to the Server and start using the trojan.

TCP/IP is the usual protocol used for communications, but some functions of trojans use the UDP protocol as
well.

c. Virus and Worm attack:-


A program that has the capability to infect other programs, make copies of itself and spread into other programs is called a virus.

Programs that multiply like viruses but spread from computer to computer are called worms.

d. E-mail & IRC related crimes:-

1. Email spoofing

Email spoofing refers to email that appears to have originated from one source when it was actually sent from another
source.

2. Email Spamming

Email "spamming" refers to sending email to thousands and thousands of users - similar to a chain letter.

3. Sending malicious codes through email

E-mails are used to send viruses, Trojans etc. as an attachment or by sending a link to a website which, on visiting,
downloads malicious code.

4. Email bombing

E-mail "bombing" is characterized by abusers repeatedly sending an identical email message to a particular address.

5. Sending threatening emails

6. Defamatory emails

7. Email frauds

8. IRC related

Three main ways to attack IRC are: "verbal" attacks, clone attacks, and flood attacks.
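A defensive illustration of the spoofing and bombing definitions above, as an added example that is not part of the original document: it parses constructed messages, flags a visible From domain that differs from the Return-Path envelope sender, and counts identical bodies delivered to one address. The function names, the threshold of 3 and every sample address are assumptions; a From/Return-Path mismatch is only an indicator, since mailing lists and bulk-mail services also produce it.

```python
"""Header and repetition checks for the e-mail abuse types listed above.
All messages below are constructed samples, not real mail."""
import hashlib
from collections import Counter
from email import message_from_string
from email.utils import parseaddr


def _domain(header_value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def spoofing_indicator(msg):
    """True when the visible From: domain differs from the envelope sender
    that the receiving server recorded in Return-Path:. Heuristic only."""
    visible = _domain(msg.get("From"))
    envelope = _domain(msg.get("Return-Path"))
    return bool(visible and envelope and visible != envelope)


def body_digest(msg):
    """SHA-256 of the body with case and whitespace normalised, so trivially
    altered copies of one message still hash the same."""
    normalised = " ".join(str(msg.get_payload()).split()).lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def find_bombing(messages, threshold=3):
    """Sorted (recipient, count) pairs where one recipient received the same
    body at least `threshold` times (the threshold is an assumed value)."""
    counts = Counter()
    for msg in messages:
        recipient = parseaddr(msg.get("To", ""))[1].lower()
        counts[(recipient, body_digest(msg))] += 1
    return sorted((rcpt, n) for (rcpt, _), n in counts.items() if n >= threshold)


def _sample(sender, envelope, recipient, body):
    """Build one constructed RFC 5322 message as text."""
    return (f"Return-Path: <{envelope}>\nFrom: {sender}\nTo: {recipient}\n"
            f"Subject: constructed sample\n\n{body}\n")


# Constructed inbox: one ordinary mail, one with mismatched sender domains,
# four near-identical copies to a single address, and one unrelated mail.
SAMPLES = [message_from_string(raw) for raw in [
    _sample("alice@example.org", "alice@example.org",
            "bob@example.com", "Lunch at noon?"),
    _sample('"Example Bank" <support@bank.example>', "bounce@mailer.example.net",
            "bob@example.com", "Please verify your account."),
    _sample("x@example.net", "x@example.net",
            "carol@example.com", "Same message again"),
    _sample("x@example.net", "x@example.net",
            "carol@example.com", "same  message again"),
    _sample("x@example.net", "x@example.net",
            "carol@example.com", "Same message AGAIN"),
    _sample("x@example.net", "x@example.net",
            "carol@example.com", "Same message again"),
    _sample("dave@example.org", "dave@example.org",
            "carol@example.com", "Minutes of the meeting attached."),
]]


if __name__ == "__main__":
    for m in SAMPLES:
        if spoofing_indicator(m):
            print("possible spoofing:", m["From"], "via", m["Return-Path"])
    for recipient, n in find_bombing(SAMPLES):
        print(f"possible bombing: {recipient} received {n} identical messages")
```
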

e. Denial of Service attacks:-

A denial of service attack floods a computer resource with more requests than it can handle. This causes the resource to crash,
thereby denying access to the service to authorized users.


Examples include

attempts to "flood" a network, thereby preventing legitimate network traffic

attempts to disrupt connections between two machines, thereby preventing access to a service

attempts to prevent a particular individual from accessing a service

attempts to disrupt service to a specific system or person.

Distributed DOS

A distributed denial of service (DDoS) attack is accomplished by using the Internet to break into computers and using them to
attack a network.

Hundreds or thousands of computer systems across the Internet can be turned into zombies and used to attack another system
or website.

Types of DOS

There are three basic types of attack:

a. Consumption of scarce, limited, or non-renewable resources such as network bandwidth, RAM and CPU time. Even power, cool air, or
water can be affected.

b. Destruction or Alteration of Configuration Information

c. Physical Destruction or Alteration of Network Components

g. Forgery:-

Counterfeit currency notes, postage and revenue stamps, mark sheets etc can be forged using sophisticated computers, printers
and scanners.

Impersonating another person is also considered forgery.

h. IPR Violations:-

These include software piracy, copyright infringement, trademark violations, theft of computer source code, patent violations
etc.

Cyber Squatting: Domain names are also trademarks and are protected by ICANN's domain dispute resolution policy and also under
trademark laws.

Cyber squatters register domain names identical to popular service providers' domains so as to attract their users and benefit
from it.

i. Cyber Terrorism:-

Military installations, power plants, air traffic control, banks, rail traffic control and telecommunication
networks are the most likely targets of such attacks. Others include police, medical, fire and rescue systems etc.

Cyberterrorism is an attractive option for modern terrorists for several reasons.

1. It is cheaper than traditional terrorist methods.

2. Cyberterrorism is more anonymous than traditional terrorist methods.

3. The variety and number of targets are enormous.

4. Cyberterrorism can be conducted remotely, a feature that is especially appealing to terrorists.

5. Cyberterrorism has the potential to affect directly a larger number of people.

j. Banking/Credit card Related crimes:-

In the corporate world, Internet hackers are continually looking for opportunities to compromise a company's security in order to
gain access to confidential banking and financial information.

Use of stolen card information or fake credit/debit cards is common.

A bank employee can grab money by using programs that deduct a small amount of money from all customer accounts and add it to
their own account; this is also called salami.

k. E-commerce/ Investment Frauds:-

Sales and Investment frauds. An offering that uses false or fraudulent claims to solicit investments or loans, or that provides for
the purchase, use, or trade of forged or counterfeit securities.

Merchandise or services that were purchased or contracted by individuals online are never delivered.

The fraud attributable to the misrepresentation of a product advertised for sale through an Internet auction site or the non-
delivery of products purchased through an Internet auction site.

Investors are enticed to invest in this fraudulent scheme by the promises of abnormally high profits.

l. Sale of illegal articles:-

This would include trade of narcotics, weapons and wildlife etc., by posting information on websites, auction websites, and
bulletin boards or simply by using email communication.

Research shows that a number of people are employed in this criminal area. Every day people receive many emails with offers of
banned or illegal products for sale.

m. Online gambling:-

There are millions of websites hosted on servers abroad, that offer online gambling. In fact, it is believed that many of these
websites are actually fronts for money laundering.

n. Defamation: -

Defamation can be understood as the intentional infringement of another person's right to his good name.

Cyber Defamation occurs when defamation takes place with the help of computers and / or the Internet. E.g. someone publishes
defamatory matter about someone on a website or sends e-mails containing defamatory information to all of that person's
friends. Information posted to a bulletin board can be accessed by anyone. This means that anyone can place

Cyber defamation is also called cyber smearing.

o. Cyber Stalking:-

Cyber stalking involves following a person's movements across the Internet by posting messages (sometimes threatening) on the
bulletin boards frequented by the victim, entering the chat-rooms frequented by the victim, constantly bombarding the victim
with emails etc.

In general, the harasser intends to cause emotional distress and has no legitimate purpose to his communications.

p. Pedophiles:-

There are also persons who intentionally prey upon children. Especially with a teen, they will let the teen know that they fully
understand the teen's feelings towards adults and in particular the teen's parents.

They earn the teen's trust and gradually seduce them into sexual or indecent acts.

Pedophiles lure children by distributing pornographic material, then they try to meet them for sex or to take their nude
photographs including their engagement in sexual positions.

q. Identity Theft :-

Identity theft is the fastest growing crime in countries like America.

Identity theft occurs when someone appropriates another's personal information without their knowledge to commit theft or
fraud.

Identity theft is a vehicle for perpetrating other types of fraud schemes.

r. Data diddling:-

Data diddling involves changing data prior to or during input into a computer.

In other words, information is changed from the way it should be entered by a person typing in the data, a virus that changes
data, the programmer of the database or application, or anyone else involved in the process of having information stored in a
computer file.

It also includes automatically changing financial information for some time before processing and then restoring the original
information.

s. Theft of Internet Hours:-

Unauthorized use of Internet hours paid for by another person.

By gaining access to an organisation's telephone switchboard (PBX) individuals or criminal organizations can obtain access to dial-
in/dial-out circuits and then make their own calls or sell call time to third parties.

Additional forms of service theft include capturing 'calling card' details and on-selling calls charged to the calling card account,
and counterfeiting or illicit reprogramming of stored value telephone cards.

t. Theft of computer system (Hardware):-

This type of offence involves the theft of a computer, some part(s) of a computer or a peripheral attached to the computer.

u. Physically damaging a computer system:-

Physically damaging a computer or its peripherals, either by shock, fire or excess electric supply etc.

v. Breach of Privacy and Confidentiality

Privacy

Privacy refers to the right of an individual/s to determine when, how and to what extent his or her personal data will be shared
with others.

Breach of privacy means unauthorized use or distribution or disclosure of personal information like medical records, sexual
preferences, financial status etc.

Confidentiality

It means non-disclosure of information to unauthorized or unwanted persons.

In addition to personal information, some other types of information are useful for business, and leakage of such information to
other persons may cause damage to the business or person; such information should be protected.

Generally, to protect the secrecy of such information, parties sharing information form an agreement about the procedure
for handling the information and agree not to disclose such information to third parties or use it in such a way that it will be disclosed
to third parties.

Many times a party or its employees leak such valuable information for monetary gain, causing a breach of the contract of
confidentiality.

Special techniques such as Social Engineering are commonly used to obtain confidential information.

Cyber Law in INDIA


Why Cyberlaw in India ?

When the Internet was developed, its founding fathers hardly had any inkling that the Internet could transform itself into
an all-pervading revolution which could be misused for criminal activities and which required regulation. Today, there are many
disturbing things happening in cyberspace. Due to the anonymous nature of the Internet, it is possible to engage in a variety of
criminal activities with impunity, and people with intelligence have been grossly misusing this aspect of the Internet to
perpetrate criminal activities in cyberspace. Hence the need for Cyberlaws in India.

What is the importance of Cyberlaw ?


Cyberlaw is important because it touches almost all aspects of transactions and activities on and concerning the Internet, the
World Wide Web and Cyberspace. Initially it may seem that Cyberlaw is a very technical field and that it does not have any
bearing on most activities in Cyberspace. But the actual truth is that nothing could be further from the truth. Whether we realize
it or not, every action and every reaction in Cyberspace has some legal and Cyber legal perspectives.

Does Cyberlaw concern me ?


Yes, Cyberlaw does concern you. As the nature of Internet is changing and this new medium is being seen as the ultimate
medium ever evolved in human history, every activity of yours in Cyberspace can and will have a Cyberlegal perspective. From
the time you register your Domain Name, to the time you set up your web site, to the time you promote your website, to the
time when you send and receive emails, to the time you conduct electronic commerce transactions on the said site, at every
point of time, there are various Cyberlaw issues involved. You may not be bothered about these issues today because you may
feel that they are very distant from you and that they do not have an impact on your Cyber activities. But sooner or later, you
will have to tighten your belts and take note of Cyberlaw for your own benefit.

Cyberlaw Awareness program


Are your electronic transactions legally binding and authentic? Are you verifying your customers' identities to prevent identity
theft? Do your online terms and conditions have binding effect? Are you providing appropriate information and clear steps for
forming and concluding your online transactions? How are you ensuring data protection and information security on your web
site? Are you recognising the rights of your data subjects?

Transacting on the Internet has wide legal implications as it alters the conventional methods of doing business. To build enduring
relationships with your online customers the legal issues of e-transactions need to be addressed from the onset.

This Awareness program will cover:

* The basics of Internet Security
* Basic information on Indian Cyber Law
* Impact of technology-aided crime
* Indian IT Act, covering the legal aspects of all Online Activities
* Types of Internet policies required for an Organization
* Minimum hardware and software, security measures required in an organization to protect data

Advantages of Cyber Laws

The IT Act 2000 attempts to change outdated laws and provides ways to deal with cyber crimes. We need such laws so that
people can perform purchase transactions over the Net through credit cards without fear of misuse. The Act offers the much-needed
legal framework so that information is not denied legal effect, validity or enforceability, solely on the ground that it is in
the form of electronic records.

In view of the growth in transactions and communications carried out through electronic records, the Act seeks to empower
government departments to accept filing, creating and retention of official documents in the digital format. The Act has also
proposed a legal framework for the authentication and origin of electronic records / communications through digital signature.

* From the perspective of e-commerce in India, the IT Act 2000 and its provisions contain many positive aspects. Firstly, the
implications of these provisions for the e-businesses would be that email would now be a valid and legal form of communication
in our country that can be duly produced and approved in a court of law.
* Companies shall now be able to carry out electronic commerce using the legal infrastructure provided by the Act.
* Digital signatures have been given legal validity and sanction in the Act.
* The Act throws open the doors for the entry of corporate companies in the business of being Certifying Authorities for issuing
Digital Signatures Certificates.
* The Act now allows Government to issue notification on the web thus heralding e-governance.
* The Act enables the companies to file any form, application or any other document with any office, authority, body or agency
owned or controlled by the appropriate Government in electronic form by means of such electronic form as may be prescribed by
the appropriate Government.
* The IT Act also addresses the important issues of security, which are so critical to the success of electronic transactions. The
Act has given a legal definition to the concept of secure digital signatures that would be required to have been passed through a
system of a security procedure, as stipulated by the Government at a later date.
* Under the IT Act, 2000, it shall now be possible for corporates to have a statutory remedy in case anyone breaks into their
computer systems or network and causes losses or damages or copies data. The remedy provided by the Act is in the form of
monetary damages, not exceeding Rs. 1 crore.

2 Sides of INDIAN Cyber Law or IT Act of INDIA

Cyber laws are meant to set a definite pattern, with rules and guidelines that define certain business activities carried out
through the internet as legal and certain others as illegal and hence punishable. The IT Act 2000, the cyber law of India, gives the legal
framework so that information is not denied legal effect, validity or enforceability, solely on the ground that it is in the form of
electronic records.

One cannot regard the government as a complete failure in shielding the numerous e-commerce activities on the firm basis of which this
industry has reached its heights, but then the law cannot be regarded as free from ambiguities.

The MMS porn case in which the CEO of bazee.com (an Ebay Company) was arrested for allegedly selling the MMS clips involving school
children on its website is the most apt example in this reference. Other cases where the law becomes hazy in its stand include
the case where the newspaper Mid-Daily published the pictures of the Indian actor kissing her boyfriend at the Bombay nightspot
and the arrest of Krishan Kumar for illegally using the internet account of Col. (Retd.) J.S. Bajwa.

The IT Act 2000 attempts to change outdated laws and provides ways to deal with cyber crimes. Let's have an overview of
where the law takes a firm stand and has succeeded in the purpose for which it was framed.

1. The e-commerce industry carries out its business via transactions and communications done through electronic records. It
thus becomes essential that such transactions be made legal. Keeping this point in consideration, the IT Act 2000 empowers
the government departments to accept filing, creating and retention of official documents in the digital format. The Act also
puts forward the proposal for setting up the legal framework essential for the authentication and origin of electronic records /
communications through digital signature.

2. The Act legalizes e-mail and gives it the status of being a valid form of carrying out communication in India. This implies
that e-mails can be duly produced and approved in a court of law, and thus can be regarded as substantial documents to carry out
legal proceedings.

3. The Act also talks about digital signatures and digital records. These have also been awarded the status of being legal and
valid means that can form a strong basis for launching litigation in a court of law. It invites corporate companies into the
business of being Certifying Authorities for issuing secure Digital Signatures Certificates.

4. The Act now allows Government to issue notification on the web thus heralding e-governance.

5. It eases the task of companies in filing any form, application or document by laying down the guidelines for submission
at any appropriate office, authority, body or agency owned or controlled by the government. This will help in saving costs, time
and manpower for the corporates.

6. The Act also provides a statutory remedy to corporates in case the crime against the accused for breaking into their
computer systems or network and damaging and copying the data is proven. The remedy provided by the Act is in the form of
monetary damages, not exceeding Rs. 1 crore ($200,000).

7. Also the law sets up the Territorial Jurisdiction of the Adjudicating Officers for cyber crimes and the Cyber Regulations
Appellate Tribunal.

8. The law has also laid guidelines for providing Internet Services on a license on a non-exclusive basis.

The IT Law 2000, though it appears to be self-sufficient, takes a mixed stand when it comes to many practical situations. It loses
its certainty at many places, such as:

1. The law misses out completely the issue of Intellectual Property Rights, and makes no provisions whatsoever for copyrighting,
trade marking or patenting of electronic information and data. The law does not even talk of the rights and liabilities of domain
name holders, the first step of entering into e-commerce.
2. The law also stays silent over the regulation of electronic payment gateways and segregates negotiable instruments from
the applicability of the IT Act, which may have a major effect on the growth of e-commerce in India. It leaves the banking
and financial sectors irresolute in their stands.
3. The Act empowers the Deputy Superintendent of Police to look into the investigations and filing of the charge sheet when any
case related to cyber law is called. This approach is likely to result in misuse in the context of Corporate India as companies have
public offices which would come within the ambit of "public place" under the Act. As a result, companies will not be able to
escape potential harassment at the hands of the DSP.
4. The Internet is a borderless medium; it spreads to every corner of the world where life is possible, and hence so does the cyber criminal.
Then how is it possible to feel relaxed and secure once this law is enforced in the nation?

The Act initially was supposed to apply to crimes committed all over the world, but nobody knows how this can be achieved in
practice, or how to enforce it all over the world at the same time.

* The IT Act is silent on filming anyone's personal actions in public and then distributing it electronically. It holds ISPs (Internet
Service Providers) responsible for third party data and information, unless contravention is committed without their knowledge
or unless the ISP has undertaken due diligence to prevent the contravention.
* For example, many Delhi-based newspapers advertise massage parlors, and in a few cases even show the therapeutic
masseurs hidden behind a mask, who actually are prostitutes. Delhi Police has been successful in busting a few such
rackets but then it is not sure of the action it can take: should it arrest the owners and editors of newspapers or wait for some
new clauses to be added to the Act? Even the much-hyped case of the arrest of Bajaj, the CEO of Bazee.com, was a
consequence of this particular ambiguity of the law. One cannot expect an ISP to monitor what information their subscribers are
sending out, all 24 hours a day.

Cyber law is a generic term, which denotes all aspects, issues and the legal consequences on the Internet, the World Wide Web
and cyber space. India is the 12th nation in the world that has cyber legislation apart from countries like the US, Singapore,
France, Malaysia and Japan.

But can the cyber laws of the country be regarded as sufficient and secure enough to provide a strong platform to the country's
e-commerce industry for which they were meant? India has failed to keep pace with the world in this respect, and the
consequence is not far from our sight; most of the big customers of India's outsourcing companies have started to re-think
carrying out their business in India. Bajaj's case has given the strongest blow in this respect and has broken India's share in
the outsourcing market as a leader.

If India doesn't want to lose its position and wishes to stay as the world's leader forever in the outsourcing market, it needs to take
fast but intelligent steps to cover the glaring loopholes of the Act, or else the day is not far when the scenario of India ruling the
world's outsourcing market will stay alive in dreams only, as it will be overtaken by its competitors.

About Cyber Law


Cyber law, in any country of the world, cannot be effective unless the concerned legal system has the following three
prerequisites:
(1) A sound Cyber Law regime,
(2) A sound enforcement machinery, and
(3) A sound judicial system.

Let us analyse the Indian Cyber law on the above parameters.

(1) Sound Cyber Law regime: The Cyber law in India can be found in the form of the IT Act, 2000.[1] Now the IT Act, as originally
enacted, was suffering from various loopholes and lacunas. These grey areas were excusable since India introduced the law
recently and every law needs some time to mature and grow. It was understood that over a period of time it will grow and
further amendments will be introduced to make it compatible with the International standards. It is important to realise that we
need qualitative law and not quantitative laws. In other words, one single Act can fulfil the need of the hour provided we
give it a dedicated and futuristic treatment. The dedicated law essentially requires a consideration of public interest as
against the interest of a few influential segments. Further, the futuristic aspect requires an additional exercise and pain of deciding
the trend that may be faced in future. This exercise is not needed while legislating for traditional laws but the nature of cyber
space is such that we have to take additional precautions. Since the Internet is boundary less, any person sitting in an alien
territory can wreak havoc with the computer systems of India. For instance, Information Technology is much more advanced in
other countries. If India does not shed its traditional core then it will be vulnerable to numerous cyber threats in the future. The
need of the hour is not only to consider the contemporary standards of the countries having developed Information Technology
standards but to anticipate future threats as well in advance. Thus, a futuristic aspect of the current law has to be
considered. Now the big question is whether India is following this approach. Unfortunately, the answer is in the NEGATIVE. Firstly,
the IT Act was deficient in certain aspects, though that was bound to happen. However, instead of bringing the suitable
amendments, the Proposed IT Act, 2000 amendments have further diluted the criminal provisions of the Act. The national
interest was ignored for the sake of commercial expediencies. The proposed amendments have made the IT Act a tiger
without teeth and a remedy worse than the malady.

(2) A sound enforcement machinery: A law might have been properly enacted and may be theoretically effective too but it is
useless unless enforced in its true letter and spirit. The law enforcement machinery in India is not well equipped to deal with
cyber law offences and contraventions. They must be trained appropriately and should be provided with suitable technological
support.

(3) A sound judicial system: A sound judicial system is the backbone for preserving the law and order in a society. It is
commonly misunderstood that it is the sole responsibility of the Bench alone to maintain law and order. That is a misleading
notion and the Bar is equally responsible for maintaining it. This essentially means a rigorous training of the members of both
the Bar and the Bench. The fact is that cyber law is in its infancy in India, hence not many Judges and Lawyers are
aware of it. Thus, sound cyber law training of the Judges and Lawyers is the need of the hour. In short, the dream of an Ideal
Cyber Law in India requires a considerable amount of time, money and resources. In the present state of things, it may take
five more years to appreciate its application. The good news is that Government has sanctioned a considerable amount as a grant
to bring e-governance within the judicial functioning. The need of the hour is to appreciate the difference between mere
computerisation and cyber law literacy.[2] The judges and lawyers must be trained in the contemporary legal issues like
cyber law so that their enforcement in India is effective. With all the challenges that India is facing in education and training, e-
learning has a lot of answers and needs to be addressed seriously by the country's planners and private industry alike. E-learning
can provide education to a large population not having access to it.[3]

II. Critical evaluation of the proposed IT Act, 2000 amendments

The proposed IT Act, 2000 amendments are neither desirable nor conducive for the growth of ICT in India. They are suffering
from numerous drawbacks and grey areas and they must not be transformed into the law of the land.[4] These amendments must
be seen in the light of contemporary standards and requirements.[5] Some of the more pressing and genuine requirements in this
regard are:

(a) There are no security concerns for e-governance in India[6]
(b) The concept of due diligence for companies and its officers is not clear to the concerned segments[7]
(c) The use of ICT for justice administration must be enhanced and improved[8]
(d) The offence of cyber extortions must be added to the IT Act, 2000 along with Cyber Terrorism and other contemporary
cyber crimes[9]
(e) The increasing nuisance of e-mail hijacking and hacking must also be addressed[10]
(f) The use of ICT for day to day procedural matters must be considered[11]
(g) The legal risks of e-commerce in India must be kept in mind[12]
(h) The concepts of private defence and aggressive defence are missing from the IT Act, 2000[13]
(i) Internet banking and its legal challenges in India must be considered[14]
(j) Adequate and reasonable provisions must be made in the IT Act, 2000 regarding Internet censorship[15]
(k) The use of private defence for cyber terrorism must be introduced in the IT Act, 2000[16]
(l) The legality of sting operations (like Channel 4) must be adjudged[17]
(m) The deficiencies of Indian ICT strategies must be removed as soon as possible[18]
(n) A sound BPO platform must be established in India, etc.[19]

The concerns are too many to be discussed in this short article. The Government must take the genuine concerns seriously and
should avoid cosmetic changes that may shake the base of the already weak cyber law in India.

Conclusion:
The Government has mistakenly relied too much upon self governance by private sectors and in that zeal kept aside the
welfare State role. The concept of self governance may be appropriate for matters having civil consequences but a
catastrophic blunder for matter pertaining to crimes, offences, contraventions and cyber crimes. Further, the Government must
also draw a line between privatisation and abdication of duties as imposed by the Supreme Constitution of India. The
concepts of Public-Private Partnerships must be reformulated keeping in mind the welfare State role of India.[20] The
collective expertise must be used rather than choosing a segment that is not representing the silent majority.[21] It would
be appropriate if the Government put the draft approved by the Cabinet before the public for their inputs before finally placing
it before the Parliament.

COMPUTER CRIME

Computer crime, cyber crime, e-crime, hi-tech crime or electronic crime generally refers to criminal activity where a computer
or network is the source, tool, target, or place of a crime. These categories are not exclusive and many activities can be
characterized as falling in one or more category. Additionally, although the terms computer crime or cybercrime are more
properly restricted to describing criminal activity in which the computer or network is a necessary part of the crime, these terms
are also sometimes used to include traditional crimes, such as fraud, theft, blackmail, forgery, and embezzlement, in which
computers or networks are used to facilitate the illicit activity.

Computer crime or cyber crime can broadly be defined as criminal activity involving an information technology infrastructure,
including illegal access (unauthorized access), illegal interception (by technical means of non-public transmissions of computer
data to, from or within a computer system), data interference (unauthorized damaging, deletion, deterioration, alteration or
suppression of computer data), systems interference (interfering with the functioning of a computer system by inputting,
transmitting, damaging, deleting, deteriorating, altering or suppressing computer data), misuse of devices, forgery (ID theft),
and electronic fraud.

Discussion

A common example would be when a person intends to steal information from, or cause damage to, a computer or computer
network. This can be entirely virtual in that the information only exists in digital form, and the damage, while real, has no
physical consequence other than the machine ceases to function. In some legal systems, intangible property cannot be stolen and
the damage must be visible, e.g. as resulting from a blow from a hammer. Yet denial of service attacks for the purposes of
extortion may result in significant damage both to the system and the profitability of the site targeted. A further problem is that
many definitions have not kept pace with the technology. For example, where the offense requires proof of a trick or deception
as the operative cause of the theft, this may require the mind of a human being to change and so do or refrain from doing
something that causes the loss. Increasingly, computer systems control access to goods and services. If a criminal manipulates
the system into releasing the goods or authorizing the services, has there been a "trick", has there been a "deception", does the
machine act because it "believes" payment to have been made, does the machine have "knowledge", does the machine "do" or
"refrain from doing" something it has been programmed to do (or not)? Where human-centric terminology is used for crimes
relying on natural language skills and innate gullibility, definitions have to be modified to ensure that fraudulent behavior
remains criminal no matter how it is committed (consider the definition of wire fraud).

Issues surrounding hacking, copyright infringement through warez, child pornography, and paedophilia (see child grooming), have
become high-profile. But this emphasis fails to consider the equally real but less spectacular issues of obscene graffiti appearing
on websites and "cyberstalking" or harassment that can affect everyday life. There are also problems of privacy when
confidential information is lost, say, when an e-mail is intercepted whether through illegal hacking, legitimate monitoring
(increasingly common in the workplace) or when it is simply read by an unauthorized or unintended person.

E-mail and Short Message Service (SMS) messages are seen as casual communication including many things that would never be
put in a letter. But unlike spoken communication, there is no intonation and accenting, so the message can be more easily
distorted or interpreted as offensive. In England and Wales, s43 Telecommunications Act 1984 makes it an offense to use a public
telecommunications network to send 'grossly offensive, threatening or obscene' material, and a 'public telecommunications
network' is widely enough defined to cover Internet traffic which goes through telephone lines or other cables.

Secondly, a computer can be the tool, used, for example, to plan or commit an offense such as larceny or the distribution of
child pornography. The growth of international data communications and in particular the Internet has made these crimes both
more common and more difficult to police. And using encryption techniques, criminals may conspire or exchange data with fewer
opportunities for the police to monitor and intercept. This requires modification to the standard warrants for search, telephone
tapping, etc.

Thirdly, a computer can be a source of evidence. Even though the computer is not directly used for criminal purposes, it is an
excellent device for record keeping, particularly given the power to encrypt the data. If this evidence can be obtained and
decrypted, it can be of great value to criminal investigators. Thus, specialized government agencies and units have been set up
to develop the necessary expertise. See below for a link to the U.S. Department of Justice's website about e-crime and its
computer forensics services.

Computer Fraud

Computer fraud is any dishonest misrepresentation of fact intended to induce another to do or refrain from doing something
which causes loss. In this context, the fraud will result in obtaining a benefit by:

* altering computer input in an unauthorized way. This requires little technical expertise and is not an uncommon form of theft
by employees altering the data before entry or entering false data, or by entering unauthorized instructions or using
unauthorized processes;
* altering, destroying, suppressing, or stealing output, usually to conceal unauthorized transactions: this is difficult to detect;
* altering or deleting stored data; or
* altering or misusing existing system tools or software packages, or altering or writing code for fraudulent purposes. This
requires real programming skills and is not common.

Manipulating banking systems to make unauthorized identity theft with reference to ATM fraud.

Offensive Content
The content of websites and other electronic communications may be harmful, distasteful or offensive for a variety of reasons.
Most countries have enacted laws that place some limits on the freedom of speech and ban racist, blasphemous, politically
subversive, seditious or inflammatory material that tends to incite hate crimes. This is a sensitive area in which the courts can
become involved in arbitrating between groups with entrenched beliefs, each convinced that their point of view has been
unreasonably attacked. In England, s28 Crime and Disorder Act 1998 defines a racial group, following Mandla v Dowell-Lee (1983)
2 AC 548 (in which a requirement to wear a cap as part of a school uniform had the effect of excluding Sikh boys whose religion
required them to wear a turban), as a group of persons defined by reference to race, color, nationality (including citizenship) or
ethnic or national origin; and a religious group as a group of persons defined by reference to religious belief or lack of religious
belief. Therefore, it is equally an offense to show hostility to a person who practices a particular faith as to a person who has no
religious belief or faith.

Harassment

Whereas content may be offensive in a non-specific way, harassment directs obscenities and derogatory comments at specific
individuals focusing for example on gender, race, religion, nationality, sexual orientation. This often occurs in chat rooms,
through newsgroups, and by sending hate e-mail to interested parties (see cyber bullying, harassment by computer, stalking, and
cyberstalking). In England, in a broader form than s43 Telecommunications Act 1984, s1 Malicious Communications Act 1988
makes it an offense to send an indecent, offensive or threatening letter, electronic communication or other article to another
person. Now, s2 Protection from Harassment Act 1997 criminalizes a course of conduct amounting to harassment which the
defendant knows, or ought to know, amounts to harassment of another. If a reasonable person in possession of the same
information would think the course of conduct amounted to harassment of the other, the knowledge will be imputed to the
defendant. Although harassment is not defined, s7 states that it includes causing alarm or distress, and conduct is defined as
including speech in all its forms. In DPP v Collins (2006) 1 WLR 308 the defendant repeatedly telephoned the offices of his MP on
a wide range of political matters. In conversations with employees at the office and on messages left on the telephone answering
machine, he used racist terms to show the frustration he felt at the way in which his affairs were being handled. No-one was
personally offended, but the staff became depressed. Charged under s127(1) Communications Act 2003, the magistrates found
that the terms were offensive but that a reasonable person would not find them grossly offensive. Whether any
message content is merely offensive or grossly offensive depended on its particular circumstances and context, i.e. in the
wider society, which is an open and just multi-racial society; the test of offensiveness was objective.

More problematic are deliberate attacks which amount to defamation although, in March 2006, Michael Keith-Smith became the
first person to win damages from an individual internet user after she accused him of being a 'sex offender' and 'racist blogger' on
a Yahoo! discussion site. She also claimed that his wife was a prostitute. The High Court judge decided that Tracy Williams, of
Oldham, was "particularly abusive" and "her statements demonstrated that ... she had no intention of stopping her libellous and
defamatory behavior". She was ordered to pay £10,000 in damages, plus £7,200 costs. In general, libel is not treated as a criminal
matter except when it may provoke the person defamed into retaliatory violence. All forms of unsolicited e-mail and
advertisements can also be considered to be forms of Internet harassment where the content is offensive or of an explicit sexual
nature. Now termed spam, it has been criminalized in various countries.

Drug Trafficking

Drug traffickers are increasingly taking advantage of the Internet to sell their illegal substances through encrypted e-mail and
other Internet Technology. Some drug traffickers arrange deals at internet cafes, use courier Web sites to track illegal packages
of pills, and swap recipes for amphetamines in restricted-access chat rooms.

The Internet's easy-to-learn, fast-paced character, global impact, and fairly reliable privacy features facilitate the marketing of
illicit drugs. Detecting money laundering of cash earned by drug traffickers is very difficult, because dealers are now able to use
electronic commerce and Internet banking facilities. Also, traffickers have been using online package tracking services offered by
courier companies to keep tabs on the progress of their shipments. If there happened to be some sort of undue delay, this could
signal authority interception of the drugs, which would still allow the dealers time to cover their tracks. Law enforcement is also
more deficient because illicit drug deals are arranged instantaneously, over short distances, making interception by authorities
much more difficult.

The rise in Internet drug trades could also be attributed to the lack of face-to-face communication. These virtual exchanges
allow more intimidated individuals to more comfortably purchase illegal drugs. The sketchy effects that are often associated
with drug trades are severely minimized and the filtering process that comes with physical interaction fades away. Furthermore,
traditional drug recipes were carefully kept secrets. But with modern computer technology, this information is now being made
available to anyone with computer access.

COMPUTER INSECURITY

Security and systems design

Most current real-world computer security efforts focus on external threats, and generally treat the computer system itself as a
trusted system. Some knowledgeable observers consider this to be a disastrous mistake, and point out that this distinction is the
cause of much of the insecurity of current computer systems - once an attacker has subverted one part of a system without
fine-grained security, he or she usually has access to most or all of the features of that system. Because computer
systems can be very complex, and cannot be guaranteed to be free of defects, this security stance tends to produce insecure
systems.

The 'trusted systems' approach has been predominant in the design of many Microsoft software products, due to the long-standing
Microsoft policy of emphasizing functionality and 'ease of use' over security. Since Microsoft products currently dominate the
desktop and home computing markets, this has led to unfortunate effects. However, the problems described here derive from
the security stance taken by software and hardware vendors generally, rather than the failing of a single vendor. Microsoft is not
out of line in this respect, just far more prominent with respect to its consumer marketshare.

It should be noted that the Windows NT line of operating systems from Microsoft contained mechanisms to limit this, such as
services that ran under dedicated user accounts, and Role-Based Access Control (RBAC) with user/group rights, but the Windows
95 line of products lacked most of these functions. Before the release of Windows 2003, Microsoft changed its official
stance, taking a more locked down approach. On 15 January 2002, Bill Gates sent out a memo on Trustworthy Computing,
marking the official change in company stance. Regardless, Microsoft's operating system Windows XP is still plagued by
complaints about lack of local security and inability to use the fine-grained user access controls together with certain software
(esp. certain popular computer games).

Financial cost

Serious financial damage has been caused by computer security breaches, but reliably estimating costs is quite difficult. Figures
in the billions of dollars have been quoted in relation to the damage caused by malware such as computer worms like the Code
Red worm, but such estimates may be exaggerated. However, other losses, such as those caused by the compromise of credit
card information, can be more easily determined, and they have been substantial, as measured by millions of individual victims
of identity theft each year in each of several nations, and the severe hardship imposed on each victim, that can wipe out all of
their finances, prevent them from getting a job, plus be treated as if they were the criminal. Volumes of victims of phishing and
other scams may not be known.

Individuals who have been infected with spyware or malware likely go through a costly and time-consuming process of having
their computer cleaned. Spyware and malware are considered to be a problem specific to the various Microsoft Windows operating
systems; however, this can be explained somewhat by the fact that Microsoft controls a major share of the PC market and thus
represents the most prominent target.

Reasons

There are many similarities (yet many fundamental differences) between computer and physical security. Just like real-world
security, the motivations for breaches of computer security vary between attackers, sometimes called hackers or crackers. Some
are teenage thrill-seekers or vandals (the kind often responsible for defacing web sites); similarly, some web site defacements
are done to make political statements. However, some attackers are highly skilled and motivated with the goal of compromising
computers for financial gain or espionage. An example of the latter is Markus Hess who spied for the KGB and was ultimately
caught because of the efforts of Clifford Stoll, who wrote an amusing and accurate book, The Cuckoo's Egg, about his
experiences. For those seeking to prevent security breaches, the first step is usually to attempt to identify what might motivate
an attack on the system, how much the continued operation and information security of the system are worth, and who might be
motivated to breach it. The precautions required for a home PC are very different from those of a bank's Internet banking system,
and different again for a classified military network. Other computer security writers suggest that, since an attacker using a
network need know nothing about you or what you have on your computer, attacker motivation is inherently impossible to
determine beyond guessing. If true, blocking all possible attacks is the only plausible action to take.

Vulnerabilities

To understand the techniques for securing a computer system, it is important to first understand the various types of "attacks"
that can be made against it. These threats can typically be classified into one of these seven categories:

Exploits

Software flaws, especially buffer overflows, are often exploited to gain control of a computer, or to cause it to operate in an
unexpected manner. Many development methodologies rely on testing to ensure the quality of any code released; this process
often fails to discover extremely unusual potential exploits. The term "exploit" generally refers to small programs designed to
take advantage of a software flaw that has been discovered, either remote or local. The code from the exploit program is
frequently reused in trojan horses and computer viruses. In some cases, a vulnerability can lie in certain programs' processing of
a specific file type, such as a non-executable media file.

Eavesdropping

Any data that is transmitted over a network is at some risk of being eavesdropped, or even modified by a malicious person. Even
machines that operate as a closed system (i.e., with no contact to the outside world) can be eavesdropped upon via monitoring
the faint electro-magnetic transmissions generated by the hardware such as TEMPEST. The FBI's proposed Carnivore program was
intended to act as a system of eavesdropping protocols built into the systems of internet service providers.

Social engineering and human error

A computer system is no more secure than the human systems responsible for its operation. Malicious individuals have regularly
penetrated well-designed, secure computer systems by taking advantage of the carelessness of trusted individuals, or by
deliberately deceiving them, for example sending messages that they are the system administrator and asking for passwords. This
deception is known as social engineering.

Denial of service attacks

Denial of service (DoS) attacks differ slightly from those listed above, in that they are not primarily a means to gain unauthorized
access or control of a system. They are instead designed to render it unusable. Attackers can deny service to individual victims,
such as by deliberately guessing a wrong password 3 consecutive times and thus causing the victim account to be locked, or they
may overload the capabilities of a machine or network and block all users at once. These types of attack are, in practice, very
hard to prevent, because the behavior of whole networks needs to be analyzed, not only the behaviour of small pieces of code.
Distributed denial of service (DDoS) attacks are common, where a large number of compromised hosts (commonly referred to as
"zombie computers") are used to flood a target system with network requests, thus attempting to render it unusable through
resource exhaustion. Another technique to exhaust victim resources is through the use of an attack amplifier - where the
attacker takes advantage of poorly designed protocols on 3rd party machines, such as FTP or DNS, in order to instruct these hosts
to launch the flood. There are also commonly vulnerabilities in applications that cannot be used to take control over a computer,
but merely make the target application malfunction or crash. This is known as a denial-of-service exploit.
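The lockout case described above (three wrong guesses lock the victim's account) is shown here as an added example that is not part of the original text: a global lockout policy beside a per-source throttle. The class names, the constructed password table and the documentation-range addresses are all hypothetical.

```python
import hmac
from collections import defaultdict

MAX_FAILURES = 3  # the "3 consecutive times" threshold mentioned in the text

# Constructed credentials for the demonstration only.
PASSWORDS = {"alice": "correct horse"}


def _check(passwords, user, password):
    """Constant-time comparison against the stored (toy, plaintext) password."""
    stored = passwords.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


class AccountLockout:
    """Weak setting: failures are counted per account, whoever caused them,
    and the lock never expires. Anyone who knows the user name can lock it."""

    def __init__(self, passwords):
        self.passwords = passwords
        self.failures = defaultdict(int)

    def login(self, user, password, source, now):
        if self.failures[user] >= MAX_FAILURES:
            return "locked"
        if _check(self.passwords, user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "denied"


class SourceThrottle:
    """Corrected setting: failures are counted per (account, source) and only
    within a sliding window, so the penalty hits the guesser and expires."""

    def __init__(self, passwords, window=300):
        self.passwords = passwords
        self.window = window                 # seconds a failure is remembered
        self.failures = defaultdict(list)    # (user, source) -> timestamps

    def login(self, user, password, source, now):
        key = (user, source)
        recent = [t for t in self.failures[key] if now - t < self.window]
        self.failures[key] = recent
        if len(recent) >= MAX_FAILURES:
            return "throttled"
        if _check(self.passwords, user, password):
            self.failures.pop(key, None)
            return "ok"
        recent.append(now)
        return "denied"


def simulate(policy_cls):
    """Constructed scenario: a stranger guesses wrong three times, then the
    account owner logs in with the right password from another address."""
    policy = policy_cls(dict(PASSWORDS))
    for second in range(MAX_FAILURES):
        policy.login("alice", "wrong-guess", "203.0.113.9", now=second)
    owner = policy.login("alice", "correct horse", "198.51.100.7", now=10)
    stranger = policy.login("alice", "wrong-guess", "203.0.113.9", now=11)
    stranger_later = policy.login("alice", "wrong-guess", "203.0.113.9", now=400)
    return owner, stranger, stranger_later


if __name__ == "__main__":
    print("account lockout :", simulate(AccountLockout))
    print("source throttle :", simulate(SourceThrottle))
```

Per-source counting removes the lockout denial of service but does less against guessing spread over many sources, so it is normally combined with a global rate limit or a second authentication factor.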

Indirect attacks

Attacks in which one or more of the attack types above are launched from a third party computer which has been taken over
remotely. By using someone else's computer to launch an attack, it becomes far more difficult to track down the actual attacker.
There have also been cases where attackers took advantage of public anonymizing systems, such as the Tor onion router system.

Backdoors

Methods of bypassing normal authentication or giving remote access to a computer to somebody who knows about the backdoor,
while intended to remain hidden to casual inspection. The backdoor may take the form of an installed program (e.g., Back
Orifice) or could be in the form of an existing "legitimate" program, or executable file. A specific form of backdoor is the rootkit,
which replaces system binaries and/or hooks into the function calls of the operating system to hide the presence of other
programs, users, services and open ports. It may also fake information about disk and memory usage.

Direct access attacks

Common consumer devices that can be used to transfer data surreptitiously.



Someone gaining physical access to a computer can install all manner of devices to compromise security, including operating
system modifications, software worms, key loggers, and covert listening devices. The attacker can also easily download large
quantities of data onto backup media, for instance CD-R/DVD-R, tape; or portable devices such as keydrives, digital cameras or
digital audio players. Another common technique is to boot an operating system contained on a CD-ROM or other bootable media
and read the data from the hard drive(s) this way. The only way to defeat this is to encrypt the storage media and store the key
separate from the system.

Reducing vulnerabilities

Computer code is regarded by some as just a form of mathematics. It is theoretically possible to prove the correctness of
computer programs though the likelihood of actually achieving this in large-scale practical systems is regarded as unlikely in the
extreme by some with practical experience in the industry -- see Bruce Schneier et al.

It's also possible to protect messages in transit (i.e., communications) by means of cryptography. One method of encryption, the
one-time pad, has been proven to be unbreakable when correctly used. This method was used by the Soviet Union during the
Cold War, though flaws in their implementation allowed some cryptanalysis (See Venona Project). The method uses a matching
pair of key-codes, securely distributed, which are used once-and-only-once to encode and decode a single message. For
transmitted computer encryption this method is difficult to use properly (securely), and highly inconvenient as well. Other
methods of encryption, while breakable in theory, are often virtually impossible to directly break by any means publicly known
today. Breaking them requires some non-cryptographic input, such as a stolen key, stolen plaintext (at either end of the
transmission), or some other extra cryptanalytic information.
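Why the pad must be used "once-and-only-once" can be seen in a few lines. The following is an added example, not part of the original text; the messages are constructed and the names `PadBook`, `send_two` and `recover_other` are hypothetical.

```python
import secrets

# Constructed sample messages of equal length (14 bytes each).
P1 = b"SEND FUNDS MON"
P2 = b"HOLD FUNDS TUE"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """One-time pad: encryption and decryption are the same XOR operation."""
    return xor_bytes(data, pad)


class PadBook:
    """Securely distributed key material that is consumed as it is used,
    so no pad byte can ever protect a second message."""

    def __init__(self, material: bytes):
        self._material = material
        self._offset = 0

    def take(self, n: int) -> bytes:
        if self._offset + n > len(self._material):
            raise RuntimeError("pad exhausted: distribute fresh key material")
        chunk = self._material[self._offset:self._offset + n]
        self._offset += n
        return chunk


def send_two(p1: bytes, p2: bytes, reuse_pad: bool):
    """Encrypt two messages, either correctly (fresh pad each) or with the
    implementation flaw of using the same pad twice."""
    book = PadBook(secrets.token_bytes(len(p1) + len(p2)))
    k1 = book.take(len(p1))
    k2 = k1 if reuse_pad else book.take(len(p2))
    return otp_xor(p1, k1), otp_xor(p2, k2)


def recover_other(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With a reused pad the key cancels: c1 XOR c2 == p1 XOR p2, so one
    known or stolen plaintext reveals the other without touching the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


if __name__ == "__main__":
    c1, c2 = send_two(P1, P2, reuse_pad=True)
    print("reused pad  ->", recover_other(c1, c2, P1))
    c1, c2 = send_two(P1, P2, reuse_pad=False)
    print("fresh pads  ->", recover_other(c1, c2, P1))
```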

Social engineering and direct computer access (physical) attacks can only be prevented by non-computer means, which can be
difficult to enforce, relative to the sensitivity of the information. Even in a highly disciplined environment, such as in military
organizations, social engineering attacks can still be difficult to foresee and prevent.

In practice, only a small fraction of computer program code is mathematically proven, or even goes through comprehensive
information technology audits or inexpensive but extremely valuable computer security audits, so it's usually possible for a
determined cracker to read, copy, alter or destroy data in well secured computers, albeit at the cost of great time and
resources. Extremely few, if any, attackers would audit applications for vulnerabilities just to attack a single specific system.
You can reduce a cracker's chances by keeping your systems up to date, using a security scanner and/or hiring competent people
responsible for security. The effects of data loss/damage can be reduced by careful backing up and insurance.

Security measures

A state of computer "security" is the conceptual ideal, attained by the use of the three processes:

1. Prevention,
2. Detection, and
3. Response.

* User account access controls and cryptography can protect systems files and data, respectively.
* Firewalls are by far the most common prevention systems from a network security perspective as they can (if properly
configured) shield access to internal network services, and block certain kinds of attacks through packet filtering.
* Intrusion Detection Systems (IDS's) are designed to detect network attacks in progress and assist in post-attack forensics, while
audit trails and logs serve a similar function for individual systems.
* "Response" is necessarily defined by the assessed security requirements of an individual system and may cover the range from
simple upgrade of protections to notification of legal authorities, counter-attacks, and the like. In some special cases, a
complete destruction of the compromised system is favored.

Today, computer security comprises mainly "preventive" measures, like firewalls or an Exit Procedure. A firewall can be defined
as a way of filtering network data between a host or a network and another network, such as the Internet, and is normally
implemented as software running on the machine, hooking into the network stack (or, in the case of most UNIX-based operating
systems such as Linux, built into the operating system kernel) to provide realtime filtering and blocking. Another implementation
is a so called physical firewall which consists of a separate machine filtering network traffic. Firewalls are common amongst
machines that are permanently connected to the Internet (though not universal, as demonstrated by the large numbers of
machines "cracked" by worms like the Code Red worm which would have been protected by a properly-configured firewall).
However, relatively few organizations maintain computer systems with effective detection systems, and fewer still have
organised response mechanisms in place.

Difficulty with response

Responding forcefully to attempted security breaches (in the manner that one would for attempted physical security breaches) is
often very difficult for a variety of reasons:

* Identifying attackers is difficult, as they are often in a different jurisdiction to the systems they attempt to breach, and
operate through proxies, temporary anonymous dial-up accounts, wireless connections, and other anonymising procedures which
make backtracing difficult and are often located in yet another jurisdiction. If they successfully breach security, they are often
able to delete logs to cover their tracks.

* The sheer number of attempted attacks is so large that organisations cannot spend time pursuing each attacker (a typical home
user with a permanent (e.g., cable modem) connection will be attacked at least several times per day, so more attractive targets
could be presumed to see many more). Note, however, that most of the sheer bulk of these attacks are made by automated
vulnerability scanners and computer worms.

* Law enforcement officers are often unfamiliar with information technology, and so lack the skills and interest in pursuing
attackers. There are also budgetary constraints. It has been argued that the high cost of technology, such as DNA testing, and
improved forensics mean less money for other kinds of law enforcement, so the overall rate of criminals not getting dealt with
goes up as the cost of the technology increases.
