WEBSITE HACKING IN INDIA – LEGAL ACTION
Understanding the cyber crime of website hacking in India and the legal actions that can be taken under Indian laws
Understanding Hacking
Hacking today is a persistent threat to corporates, legal firms, start-ups and website-based businesses. It has become a serious crime in contemporary times, and it can be said that in the online world every individual is a potential victim. Today, hackers can take control of websites, CCTV cameras, personal computers etc. All this amounts to a serious invasion of privacy and personal space; on top of this, there are many other methods a hacker can employ while committing the hacking.
However, as they say, every coin has two sides, and there is another side to hacking called ‘ethical hacking’. Ethical hacking takes place where the hacker has legal permission to manipulate or break the security lines of a website or online network. Ethical hacking thus derives its legality from the explicit consent/authorization of an institution or person. We are therefore able to deduce that hacking which is involuntary or devoid of consent makes out the offence of criminal hacking.[1]
TYPES OF HACKING
Hackers are usually of three types:
- A White hat hacker: A White hat hacker is a person who has been employed by an organization to look for loopholes in its security systems and patch the vulnerabilities of the system before a security breach happens. White hat hackers are often behind the scenes, thwarting attacks in real time, or proactively exposing weaknesses to try to help keep services running and data protected.[2]
- A Black hat hacker: A Black hat hacker is an individual who tries to break into the website or security networks of an organization without authorization and with malicious intentions. Their primary motivation is usually personal or financial gain, but they can also be involved in cyber espionage or protest, or perhaps are just addicted to the thrill of cybercrime.[3]
- A Grey hat hacker: Grey hat hackers are a blend of both black hat and white hat activities.[4] Grey hats exploit networks and computer systems in the way that black hats do, but do so without any malicious intent, disclosing all loopholes and vulnerabilities to law enforcement agencies or intelligence agencies.[5] Grey hats may also extort the hacked, offering to correct the defect for a nominal fee.
Law in India
‘Unethical hacking’ is regarded as a serious offence in India and is also a threat to national security. It is a punishable offence in India under:
- Indian Penal Code, 1860 [6]
- Section 408 – Criminal breach of trust by clerk or servant: “whoever, being a clerk or servant or employed as a clerk or servant, and being in any manner entrusted in such capacity with property, or with any dominion over property, commits criminal breach of trust in respect of that property, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine”. This section deals with breach of trust by any clerk or servant, committed in respect of the property which is entrusted to him. For example, if employees working in the IT department of a law firm or MNC leak any personal or secret information of the company, they are likely to commit criminal breach of trust and will be liable under this section. The maximum punishment under section 408 is imprisonment of up to seven years and a fine.
- Section 424 – Dishonest or fraudulent removal or concealment of property: “whoever dishonestly or fraudulently conceals or removes any property of himself or any other person, or dishonestly or fraudulently assists in the concealment or removal thereof, or dishonestly releases any demand or claim to which he is entitled, shall be punished with imprisonment of either description, for a term which may extend to two years, or with fine, or with both.” This section will also apply to data theft. When an important or secret piece of information is dishonestly or fraudulently concealed, collected or removed by a hacker from a website after hacking it, the hacker will be liable under this section. The maximum punishment under section 424 is imprisonment of up to two years or a fine or both.
- Section 378 – Theft of movable property will apply to the theft of any data, online or otherwise, since section 22 of the IPC states that the words “movable property” are intended to include corporeal property of every description, except land and things attached to the earth or permanently fastened to anything which is attached to the earth. Therefore if a hacker steals or collects any information from a website by gaining wrongful access he/she is likely to commit theft. The maximum punishment for theft under section 378 of the IPC is imprisonment of up to three years or a fine or both.
- Section 425 – Mischief: “whoever with intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or to any person, causes the destruction of any property, or any such change in any property or in the situation thereof as destroys or diminishes its value or utility, or affects it injuriously, commits mischief”. Here the main motive of the hacker is to cause wrongful loss or destruction of the information available on websites, by wrongfully editing it so as to destroy or diminish its value through misrepresentation. Damaging computer systems and even denying access to a computer system will fall within the aforesaid section 425 of the IPC. The maximum punishment for mischief as per section 426 of the IPC is imprisonment of up to three months or a fine or both.
- Information Technology Act, 2000 (IT Act):[7]
- Section 43 – Penalty and compensation for damage to computer, computer system, etc. and Section 43A – Compensation for failure to protect data: “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.” This deals with the civil liability which arises out of failure to protect sensitive or personal information as specified under the Central Government’s notification dated 11th April, 2011, which classifies the details that corporates are under a legal duty to protect, such as bank account details, passwords etc. This provision was added by the amendment act of 2008; it emphasises corporate responsibility in data protection and mandates that corporates enforce reasonable and responsible measures to protect the data of the general public.
- Section 66B – Punishment for dishonestly receiving stolen computer resource or communication device: “whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.” The abovementioned section prescribes the penalty for receiving stolen information and provides for imprisonment of up to three years or a fine of Rs 1 lakh or both. Mens rea is a crucial requisite to engage liability under this section; further, destruction, deletion, alteration or diminishing the value or utility of the data are also factors for attracting liability.
- Section 66F – Punishment for cyber terrorism provides:
(1) Whoever,–
(A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by–
(i) denying or cause the denial of access to any person authorised to access computer resource; or
(ii) attempting to penetrate or access a computer resource without authorisation or exceeding authorised access; or
(iii) introducing or causing to introduce any computer contaminant,
and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70; or
(B) knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer data base that is restricted for reasons of the security of the State or foreign relations; or any restricted information, data or computer data base, with reasons to believe that such information, data or computer data base so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise,
commits the offence of cyber terrorism.
(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.
Cyber terrorism is one of the greatest threats to society. Cyber terrorism basically means doing illegal things via the internet or cyber space. It is usually done for political purposes, such as provoking a group of people against the government or against the sovereignty, unity, or integrity of a country. Hackers who gain access to restricted information or a computer database through network damage, data theft, unauthorized access or privacy breach attract liability under this section.
What happens when similar offences are brought under IPC and IT Act?
In Sharat Babu Digumarti v Government of NCT of Delhi[8], the contention relating to the IPC and the IT Act came to the surface. In this case, on November 27, 2004, an illicit video was uploaded for sale on Baazee.com, and the listing was made under “Books and Magazine” to avoid detection by the Baazee team. The video was successfully sold a few times from the platform. When Delhi Police began the investigation, they prepared a charge sheet against Mr. Avinash Bajaj (MD at Baazee) and Sharat Digumarti (Manager); however, the company was not arraigned as an accused and therefore the charges (Section 292 of IPC and 67 of IT Act) against Avinash Bajaj were dropped. Later on, charges under Section 294 IPC and Section 67 of IT Act were dropped against Sharat. The Supreme Court held that in any case which involves an electronic record, the provisions of the IT Act alone will be applied, as that is the legislative intention, and that under section 81 of the IT Act, the provisions of the IT Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force. It is a settled principle of interpretation that special laws prevail over general laws and later laws prevail over prior legislation.
In Gagan Harsh Sharma v The State of Maharashtra[9], the petitioners were charged under sections 408 and 420 of the IPC, 1860, supplemented by charges under sections 43, 65 and 66 of the IT Act, 2000. The offences under sections 408 and 420 are non-bailable, while the offences with which the individuals were charged under the IT Act are bailable. The petitioners stated before the Hon’ble Bombay High Court that the charges against them under the IPC should be dropped and the court should only pursue the charges framed under the IT Act. The Hon’ble court, relying on the Supreme Court’s judgement in the Sharat Babu Digumarti case, dropped the charges framed under the IPC.
CONCLUSION
The most cost-effective way to prevent account hacking is to let people know how to create a strong password. Business entities should invest in technology and the IT sphere, in collaboration with the government, to deal with the common enemy. Data encryption could be looked at as an alternative; however, it has its own drawbacks and therefore should be effectively regulated.
The best option is a collaborative effort in website and software development to prevent hacking attacks. Websites are prone to hacking, and it is therefore important to create a security network which is well equipped to deal with cyber-attacks. Additionally, legislation needs to be more specialised in terms of strictness and privacy in order to deal with today’s ever-changing technology.
[2] https://www.safebreach.com/blog/what-is-a-white-hat-hacker/
[3] https://us.norton.com/blog/emerging-threats/black-white-and-gray-hat-hackers
[4] https://us.norton.com/blog/emerging-threats/black-white-and-gray-hat-hackers
[5] https://blog.eccouncil.org/types-of-hackers-and-what-they-do-white-black-and-grey/
[6] The Indian Penal Code, 1860; https://www.iitk.ac.in/wc/data/IPC_186045.pdf
[7] The Information Technology Act, 2000; https://www.indiacode.nic.in/bitstream/123456789/1999/3/A2000-21.pdf
[8] 2 SCC 18 SC (2017).
[9] SCC Bom. High Court, 13046 (2018).
For further information on Cyber Laws in India, please write to us at info@ssrana.com.