GROWING CYBER CRIME AND A NEED FOR GLOBAL LEGISLATION

INTRODUCTION

Humanity has come a long way from fighting wars with sticks and stones to fighting wars with modern technology. But this modern technology has brought with it modern crimes. One of them is cyber-crime. Cybercrime is defined as crime that involves computers and networks. In recent years it has risen rapidly and has become a menace.

The most infamous recent cyber-attack in the USA was the “Colonial Pipeline” attack. The company was attacked by a group of hackers known as DarkSide. It became aware of the attack when an employee saw a note demanding ransom in bitcoin; he immediately informed the CEO of the company, and by 6:10 am the entire pipeline had been shut down. According to the company, it had to shut down the pipeline because it did not know who was attacking it. The last time the pipeline was shut was 57 years ago. At first it was thought to be a phishing attack, but evidence of phishing could not be found for the employee whose credentials were used in the attack. The company also paid the hackers $4.4 million because it was not sure about the extent of the breach[1].

The hacking not only affected the company but also had a roller-coaster effect on fuel prices as well as on the pockets of consumers. The prices rose to 6 cents per gallon in a week and shares of energy firms were up by 1.5%. Hacking does not only harm corporations; it can also have a devastating effect on the economies of countries, especially developing nations.

Cyber-crime started when the first computer worm was created by Robert Morris, a student at Cornell University. It was made for an innocuous purpose, but the problem started when the worm encountered an error and transformed into a computer virus. He released the worm through MIT to disguise the fact that it was made at Cornell University. He soon discovered that his program was reinfecting computers at a very fast rate. After realizing how severe the problem was, he contacted his friend for a solution. Once they figured out the problem, they sent an anonymous message to Harvard on how to stop the virus, but the channel was clogged and the message did not arrive in time. Many computers were affected, including university computers, military computers and computers at medical research facilities. Teams of programmers worked relentlessly for hours to come up with at least a temporary fix for the virus. A method was published at University of Purdue, but this information could not spread quickly as many sites had disconnected themselves from the network. It took a long time for the situation to return to normal. After the incident everybody wanted to know the source of the virus. The New York Times later named Morris. It was not proved at first, but later he was convicted under the Computer Fraud and Abuse Act (Title 18) and was sentenced to three years of probation, 400 hours of community service and a fine of $10,050[2].

After this incident cyber-attacks became very common and dangerous.

CLASSIFYING VARIOUS KINDS OF CYBERCRIMES

Cybercrime can happen in different ways[3]:

  • Malware- malware is a term used to describe malicious software such as viruses, spyware and ransomware. This software attacks a person’s computer when they click on dangerous links or open unknown emails.

When malware enters a computer system, it installs itself or some other dangerous software, then disrupts the computer system and may even transmit important data and personal information. An example is the recent ransomware attack on JBS, the largest meat company in the world: its facilities in the US, Canada and Australia had to be shut down because of the ransomware[4]. The company incurred huge losses.

  • Hacking- hacking is a method of stealing data by breaking into a computer system. This involves planting viruses and spyware. Hacking can cause manipulation and disruption of emails and computer data. It is one of the ways to plant malware inside a computer system. Hacking is known to discourage businesses and has been used many times as a threat against them.

One of the most famous hacking attacks was when a 15-year-old hacked NASA computers.

  • Piracy- because information is easy to access, copying of software has become common. Hackers and pirates copy software and sell it in the market without authorization. Many users of such software do not know that they have a pirated version and not the original one. This has led to loss of income for many companies. Piracy violates the digital rights of the owner, also known as copyrights. The music and film industries are regularly targeted by cyber pirates who steal songs and movies.
  • Child pornography- with the increase in use of the internet, crimes have also increased. Child pornography is one of the crimes that has increased in recent years. Pedophiles prey on children and share illegal images of them in online chat rooms. To control this the US government enacted cyber molester’s enforcement act 200. Under section 3 of this act the government can intercept communication if it is investigating child pornography and online pedophilia.
  • Password sniffers- these are programs that monitor people as they log in to a network or a website. When a person types his/her username or password, the sniffer collects it and sends it to the installer. The installer can then manipulate the system and gets access to documents and personal information, which can then be misused.
  • Denial of service attack- in this type of attack the hackers prevent users from accessing a website by sending large amounts of traffic to it. This type of attack can bring down whole enterprise websites.
  • Computer fraud- this is different from sending spyware or malware into computer systems. In this type of cyber-attack users, particularly older people, are defrauded by scamsters. Fraudulent prize promoters disguise themselves as legitimate businessmen and scam people. Pyramid schemes, which compensate distributors exclusively for recruiting other distributors, are another example of fraud. Cyber piracy, where fake products are sold on the internet, is another example of computer fraud.

As these problems increased, the US Federal Trade Commission organized special days known as surf days. On surf days the commission closed websites which were making fraudulent claims. After it sent emails to websites making suspicious earnings claims, 23 percent of them took back their schemes.

After a warning from the FTC, 168 websites were removed.

  • Phishing- phishing is a very common type of cyberattack in which an attacker presents himself as a trusted person through advertisements or messages and then tricks people into revealing sensitive information. The hackers create a website similar to the original website of a bank or business. The difference is so minor that only an expert can detect it, e.g. the size or shape of the font may be only slightly different from the original and thus undetectable at first look.

LEGISLATION REGARDING CYBER CRIME

INDIA

The recent increase has led to a debate about whether we are prepared to tackle cybercrime. In India, 1.16 million cyber-attacks happened in 2020. According to the Home Ministry, the government is taking measures to combat this menace[5]. The word cybercrime has been defined by the Gujarat High Court in the case of Jaydeep Vrujlal Depani vs State of Gujarat[6] as offences that are committed against a single individual or a group of individuals with criminal intention to harm their reputation or cause them mental or physical harm or loss to them and their families, directly or indirectly, using modern telecommunication such as the internet (which includes chat rooms, emails, notice boards or groups) and mobile phone networks (Bluetooth/SMS/MMS).

India does not have a separate cyber security law. The Information Technology Act 2000 along with the rules and regulations framed under it, is used at present to deal with cybersecurity and the cybercrimes associated with it.

Because of the increase in cybercrimes, and to make punishment more stringent, the IT Act 2000 is often applied together with the IPC in cases of fraud or forgery.

Relationship scams are also punishable under section 66D of the IT Act 2000.

Section 66D punishes a person for cheating by impersonation by using a computer source. Whoever cheats by means of a communication device or computer source shall be imprisoned for up to three years and shall also pay a fine of up to one lakh rupees[7].

Here sections 419 (punishment for cheating by impersonation) and 420 (cheating and dishonestly inducing delivery of property) of the IPC would also punish the abovementioned offence.

To combat the problem of cybercrime, the Union Home Ministry has operationalized a national helpline number to check computer frauds. Under this initiative banks and police will work together to prevent or solve such crimes.

The number has been set up by the Indian Cyber Crime Coordination Centre with support from the Reserve Bank of India, payment banks and wallets. Many notable public sector banks such as State Bank of India, Punjab National Bank, Union Bank, IndusInd Bank, HDFC Bank, ICICI Bank, Axis Bank, Yes Bank and Kotak Mahindra Bank are on board with it. States such as Uttarakhand, Delhi, Madhya Pradesh, Chhattisgarh, Rajasthan, Telangana and Uttar Pradesh are active on it. Since its beginning in April 2021 the helpline has helped prevent cybercrime worth 1.85 crore, with Delhi and Rajasthan recovering the most money, 58 lakhs and 53 lakhs respectively. Due to a centralized approach, better results are seen. When a person reports an incident, the police operator notes down the fraudulent transaction details and basic personal details of the caller and submits them in the form of a “Ticket on the Citizen”.

Officials need to be alert along with users for the system to be effective this time. If there is a suspicious transaction, users need to call the helpline immediately to seek help so that banks can be alerted and the money can be transferred back. But if the fraudster withdraws the money before it can be transferred to the rightful owner, the matter will be taken to the police. According to the MHA, loss of defrauded money can be stopped by tracking the money trail before it is taken out of the digital ecosystem. A complaint on the helpline does not mean an FIR should not be filed; it is not a replacement for an FIR. It was found that people were only interested in getting their money back, not in filing a complaint. In 2017 the RBI issued a notification that if a person reports an incident within 72 hours, the bank has to credit the entire amount to the account holder within 10 working days. This helpline can help to expedite the process; in most cases account holders run in circles to get their money back. The helpline will even help banks identify fraudulent transactions[8].

UNITED KINGDOM

Increasing cybercrime in the UK in the 1980s was highlighted by the case of R vs Gold[9]. In this case the defendant gained unauthorized access to a computer network by entering a username and password, and he was charged under the Forgery and Counterfeiting Act 1981. But the House of Lords held that a password does not fall under the meaning of recorded and stored under section 8 of the act. The judgment was criticized by many, especially those working in the IT sector. It led to the passing of the Computer Misuse Act 1990 by the UK Parliament. The act provides for liability just on the basis of gaining unauthorized access to a computer.

Under section 2 of the act a person is guilty of the offence of unauthorized access to a computer if he intentionally performs any function which leads him to access a computer without authorization and has full knowledge of the act that is happening[10].

In the case of Re Allison[11] the act was interpreted as follows.

The defendant in Re Allison was charged and arrested at the request of the US government under the Extradition Act 1989, on charges of conspiracy with an American Express employee to

  1. access the American Express computer without authorization with intent to commit theft and forgery
  2. cause unauthorized modifications of the contents of the computer system.

The court indicted her on the third charge but not on the first two, on the basis that she had access to the computer system. This was later challenged in the divisional court, but the divisional court upheld the magistrate’s judgment.

The US government was given permission to appeal to the House of Lords. The House of Lords held that the American Express employee did not have access to the system and therefore the crime would fall under unauthorized access of a computer system. Therefore, any access by her would constitute unauthorized access under section 1 of the act.

U.S.A

Under United States law 18 U.S.C. § 1030[12], knowingly accessing a protected computer without authorization is a federal crime. In addition, the U.S. Congress passed the Electronic Communications Privacy Act of 1986, updating the Federal Wiretap Act to include the illegal interception of electronic communications and the intentional, unauthorized access of electronically stored data. In 1996, Congress passed the Anticounterfeiting Consumer Protection Act of 1996, increasing the punishment for theft of copyrighted or trademarked intellectual property and allowing the owner to recover up to $100,000. Congress also enacted the Economic Espionage Act of 1996, making it a crime to knowingly download or upload information that benefits a foreign government, foreign instrumentality, or foreign agent.

Lack of legislation also plays its role in protecting cyber criminals. In the Philippines, Onel de Guzman, a computer science student, presented his project to his university. It was a virus, known as the ILOVEYOU virus, which was designed to steal passwords and information. His project was rejected and therefore he did not graduate from the university. Later on, a virus which had the same pattern as his project started to attack corporations and caused billions of dollars in damage. The virus cloaked itself in an email which was sent to computer systems. After the email was opened it spread through each computer and started to replace files and steal passwords. He was charged under the Access Device Act, which punishes misuse of passwords in bank transactions and credit cards. As the act did not cover hacking, the department of justice had to drop the charges; the prosecution also could not present adequate evidence[13].

JURISDICTION PROBLEM

Even with these different provisions, cyber criminals still go free without any consequences. The reason for this is the jurisdiction of law. Municipal law has jurisdiction over a country’s own land only; beyond that, rarely does any law have jurisdiction. To combat this problem the European Union set up an organization known as the European Cybercrime Centre. This Centre is part of Europol and is responsible for combating cyber-crime across Europe. These types of police forces, which have intercountry jurisdiction, can certainly help in combating cybercrime[14].

To protect personal data the EU implemented a new law in 2018 known as GDPR, the General Data Protection Law. GDPR is one of the toughest data protection laws in the world. It imposes liabilities on companies and organizations not just in Europe but also around the world if they are collecting data from Europe. The law also imposes harsh fines on those who violate its provisions. Fines can be 20 million euro or 4% of global revenue, whichever is higher. The concept of privacy is part of the EU human rights convention: “Everyone has the right to respect for his private and family life, his home and his correspondence.” As technological advancements increased, the EU felt that it needed a data protection law. This law is applicable even if a person is an EU citizen living elsewhere or is an EU resident. Where a person gives consent to the collection of his data, that consent can later be withdrawn. The consent must be freely given and specific. A request for such consent must be made in specific and clear language. Children under 13 can only give consent with permission from their parent. Companies which regularly monitor people on a large scale are required to appoint data officers[15].

At the G8 Lyon summit, the council called for member countries to review their cyber laws and assess the jurisdiction problems. The OECD in 1980 adopted guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

It recognised that the policies and laws of countries may differ but that they have a common purpose: to protect privacy and individual liberties and to make sure there is a free flow of data. The flow of personal data across borders will create new relationships among countries, and therefore there is a need to develop compatible rules and practices. The flow of data across borders will contribute to economic and social development, but domestic legislation regarding privacy protection and transborder flows of personal data may hinder such flow[16].

The OECD also recommended:

The Economic Community of West African States (ECOWAS) in 2010 adopted an act known as the Supplementary Act on Personal Data Protection within ECOWAS. It was strongly influenced by EU Data law. It obligates member states to create a data protection authority[17].

These laws have paved the way for global legislation against cyber-crimes, as they had extraterritorial jurisdiction.

GLOBAL LEGISLATION

The need for global legislation has become crucial as cybercrimes are not limited by borders. The movement towards global legislation is hindered by cyber nationalism and patriotic hacking. In cyber nationalism, patriotic groups hack or attack computer systems of other countries which are in conflict with their homeland. Countries which protect patriotic hackers hinder the enforcement of international law regarding cybercrime. Patriotic hackers are not necessarily supported by the state. The President of Russia denied interference in the US election of November 2016 and said that hackers are not supported by the state even if they did act in the interest of the state[18]. In this kind of hacking, the state might not cooperate in punishing the hackers.

Nowadays, as more and more common people use the internet for purposes like online education, online banking, and making videos to promote their art, craft or businesses, they become vulnerable to cyber-attacks which try to steal their confidential information or even their very identity. A recent shocking case occurred in Gurugram, where a group of cyber crooks made hundreds of rubber clones of people’s fingerprints and emptied their bank accounts. They stole the information of more than 2000 people from the tehsil office. A total of 43 FIRs have been registered in this case[19].

This also makes banks and other financial institutions vulnerable to attacks, which can shake the economies of countries that are in conflict with others. Only time will tell whether such attacks take place. In such a scenario it is unclear whether such an act could be a recognized mode of warfare and whether the laws of war are applicable to it.

The first step towards global legislation was taken when The Council of Europe on Crime Problems (CDCP) adopted the treaty of the convention on cyber-crime. The reason it is known as a global law is that it is signed not only by European countries but also by the USA, Mexico etc. Europe first took a step towards combating cybercrime when the Council of Europe gave a recommendation in 1989. A second recommendation on the same subject was given in 1995[20].

It was observed, in the report on economic crime and transnational organized crime, at the European Assembly’s April 2001 session, that “European democracy, the rule of law, and the economic and political stability of Europe now hang in a balance”.

Cybercrime was now seen as a matter of priority. The European committee on crime problems therefore made a convention which led to harmonization of laws, defined the offences properly and developed international cooperation. The convention particularly deals with confidentiality and computer-related offences such as forgery and computer fraud; content-related offenses, such as production, dissemination and possession of child pornography; and offenses related to infringement of copyright and related crimes.

The international cooperation in the convention allows police to collect data for another state. Though they cannot investigate in another country, they can collect data for an investigation. Though the convention was made to combat cyber-crime and its aim was to promote rule of law in the country, it was criticised by many as a violation of the right to privacy and human rights. In enforcing laws for regulation of the internet, lawmakers have to balance the interest of law against the rights of the people.

In global legislation many questions may arise. The first is how we will characterise a cyber incident: if such an incident is termed an attack, does it equate with an armed attack? The second is whether the right to self-defence arises with such an attack.

Global legislation would need to balance the rule of law and the fundamental rights of individuals. If we need to protect the rights of individuals, we will need a global data protection law which would protect the privacy of individuals. In global legislation there will always be conflicts, and these conflicts would need to be resolved with a well-defined procedure.

Global legislation regarding cybercrime would also have to address the possibilities of extradition and self-defence in case of a cyber-attack.

A common global legislation must be signed by each country to combat this menace.

CONCLUSION

There is no reason to live in denial about the possibility of cyber-attacks. As technology advances these kinds of attacks will become very common in future. Therefore, people must be protected against them. For that, governments must conduct awareness campaigns among their populations and at the same time make stringent laws against cybercrime and protect the data and privacy of their citizens. Police officers should also be trained in handling cases of cyber-crime. This should become part of their basic training. There will be a time when global legislation becomes a necessity; therefore, we must act upon it immediately. World leaders must come together and help in controlling cybercrime. Cyber-attacks nowadays have become very dangerous. They can not only bring down corporations but even bring the economy of a country to a standstill. Whenever a particular crime increases in a country, the leaders always enact stringent laws against it. The same should be applied to cybercrime, and it should be done seriously with advice from highly qualified cyber professionals.

Many countries like India have become aware of cybercrime but still lack proper legislation and infrastructure to tackle it. As our country has many IT companies, data protection and cybersecurity law should be our top priority.

India must gear up to protect its data and material assets. We already have a young, dedicated and qualified IT workforce who can protect our country from cyber-attacks by hackers and other cyber crooks. Timely enactment of cyber laws can go a long way in protecting our national interests.


[1] Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom, available at: https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636 (last visited on June 16, 2021).

[2] The Robert Morris Internet Worm, available at: https://groups.csail.mit.edu/mac/classes/6.805/articles/morris-worm.html (last visited on June 16, 2021).

[3] Rita Esen, “Cyber Crime: A Growing Problem,” 66 Journal of Criminal Law 271 (2002).

[4] Significant Cyber Incidents, available at: https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents (last visited on June 11, 2021).

[5] Cyberattacks surged 3-fold to 1.16 mn last year in India, available at: https://www.livemint.com/news/india/as-tech-adoption-grew-india-faced-11-58-lakh-cyberattacks-in-2020-11616492755651.html (last visited on June 12, 2021).

[6] Jaydeep Vrujlal Depani vs State of Gujarat R/SCR.A/5708/2018.

[7] Information Technology Act, 2000 s.66D.

[8] Shivani Shinde, “Cyber fraud helpline brings banks and police together”, Weekend Business Standard, June 19, 2021.

[9] R vs Gold [1988] 2 WLR 984.

[10] Computer Misuse Act, 1990, s. 2.

[11] 1992 3 WLR 432.

[12] The Computer Fraud and Abuse Act (CFAA), 1986, 18 U.S.C. 1030.

[13] Shannon C. Sprinkel, “Global internet regulation: the residual effects of the “iloveyou” computer virus and the draft convention on cyber-crime,” 25 Suffolk Transnational Law Review 492-493 (2002).

[14] EUROPEAN CYBERCRIME CENTRE – EC3, available at: https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3 (last visited on June 17, 2021).

[15] What is GDPR, the EU’s new data protection law?, available at: https://gdpr.eu/what-is-gdpr/ (last visited on June 18, 2021).

[16] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available at: https://www.oecd.org/digital/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm (last visited on June 18, 2021).

[17] Economic Community of West African States, available at: https://ccdcoe.org/organisations/ecowas/ (last visited on June 17, 2021).

[18] Putin: ‘Patriotic’ Russian hackers may have targeted US election, available at: https://edition.cnn.com/2017/06/01/politics/russia-putin-hackers-election/index.html (last visited on June 17, 2021).

[19] Gurugram gang steals fingerprints from registry papers to drain bank accounts, available at: https://timesofindia.indiatimes.com/city/gurgaon/attack-of-the-clones-fingerprints-in-registry-papers-used-to-drain-accounts/articleshow/83324403.cms (last visited on June 18, 2021).

[20] Giuliana Caggiula, “Cyberspace Law: Rules for Cyber-Crime”, 10 ILSA Quarterly 9 (2001).

Author: UJJWAL UBEROI, IMS UNISON UNIVERSITY

Editor: Kanishka Vaish, Senior Editor, LexLife India.
