UNIT – IV

Cyber Security: The Legal Perspectives: Cyber Crime

and the Legal Landscape around the World, Need of
Cyber laws: the Indian Context, The Indian IT Act,
Amendments to IT Act, Positive and week areas of IT
Act, Challenges to Indian Law and Cyber Crime
Scenario in India, Digital Signatures and the Indian IT
Act, Data Protection Act 2019.
Introduction
cybercrime is the largest illegal industry.
Cybercrime involves massive, coordinated attacks against the information infrastructure of
a country .

paradigm for Cyber Security

UNIT-III Cyber Law
Introduction
Cybercrime was broken into two categories and defined as:
1. Cybercrime in a restrictive sense (computer crime): It is referred to any illegal
behavior that is carried out by means of electronic methods targeting the security of
computer systems and the data processed by them. This can be considered as a narrow
definition of the term cybercrime.
2. Cybercrime in a general sense (computer-related crime): It is referred to any illegal
behavior that is committed by means of, or in relation to, a computer system or network,
including such crimes as illegal possession, and offering or distributing information by
means of a computer system or network. This can be considered as a broader definition of
the term cybercrime.
UNIT-III Cyber Law
Introduction
These definitions are complicated by the fact that an act may be illegal in one nation but not
in another.
There are more concrete examples, including
1. Unauthorized access to computer
2. Causing damage to computer data or programs;
3. An act of computer sabotage;
4. Doing unauthorized interception of communications;
5. Carrying out computer espionage.
UNIT-III Cyber Law
Introduction
In reference to the above-mentioned term unauthorized access, note that the law considers
computer trespass to be a crime. For example, according to Sections 18.2–152.4 of Virginia
State Criminal Law, computer trespass is deemed to have occurred when any person uses a
computer or computer network without authority and with the intent to:
1. Temporarily or permanently remove computer data, computer programs or computer
software from a computer or computer network;
2. cause a computer to malfunction regardless of how long the malfunction persists;
3. alter or erase any computer data, computer programs or computer software;
4. effect the creation or alteration of a financial instrument or of an electronic transfer of
funds;
5. cause physical injury to the property of another; or make or cause to be made an
unauthorized copy, in any form, including, but not limited to, any printed or electronic form
of computer data, computer programs or computer software residing in, communicated by
or produced by a computer or computer network shall be guilty of the crime of computer
trespass which shall be punishable as a Class 1 misdemeanor.
UNIT-III Cyber Law
Cybercrime and the Legal Landscape around the World
Crime or an offense is “a legal wrong that can be followed by criminal proceedings which
may result into punishment”
The hallmark of criminality is that it is breach of the criminal law.
A Broad View on Cybercrime Law Scenario in the Asia-Pacific Region
Online Safety and Cybercrime Laws: Detailed Perspective on the Current Asia-Pacific
Scenario
Anti-Spam Laws in Canada
Cybercrime and Federal Laws in the US
The EU Legal Framework for Information Privacy to Prevent Cybercrime
Cybercrime Legislation in the African Region
UNIT-III Cyber Law
Cybercrime and the Legal Landscape around the World
A Broad View on Cybercrime Law Scenario in the Asia-Pacific Region
Only a few countries of the Asia-Pacific region have appropriate legal and regulatory
frameworks to meet these challenges.
Even where awareness is growing and where legislation may be adequate, capacity to use
information security technologies and related procedures as well as to protect against,
detect and respond effectively to cybercrime, and to assist other countries, is low.
As a result, published cybercrime reports may represent only a small fraction of their
incidence and there is a need for more accurate estimates of the prevalence of cybercrime
UNIT-III Cyber Law
Cybercrime and the Legal Landscape around the World
Online Safety and Cybercrime Laws: Detailed Perspective on the Current Asia-Pacific
Scenario
In the privacy arena, there are numerous regional norms, such as the Asia-Pacific Economic
Co-operation (APEC) Privacy Framework and the EU’ s Data Protection Directive, but an
international consensus on the best approach to data protection regulation has not yet been
reached. However, Co E’ s Convention on Cybercrime serves as the benchmark legislation.
There are nine principles to the APEC Privacy Framework:
1. Preventing harm;
2. integrity of personal information;
3. notice;
4. security safeguards;
5. collection limitations;
6. access and correction;
7. uses of personal information;
8. accountability;
9. choice.
UNIT-III Cyber Law
Cybercrime and the Legal Landscape around the World
Anti-Spam Laws in Canada
In early 2009, the Canadian Government tabled anti-Spam legislation, Bill C- 27 , T e Electronic
Commerce Protection Act, to address Spam, counterfeit websites and Spyware.
The proposed legislation also brings amendment to Canada’s Personal Information Protection and
Electronic Documents Act (PIPEDA) which covers online privacy in detail and contains many
provisions relevant to E-Mail marketing.
Basically, PIPEDA is based on the FIPs (Fair Information Practices):
1. Principle 1 – Accountability
2. Principle 2 – Identifying purposes
3. Principle 3 – Consent
4. Principle 4 – Limiting collection
5. Principle 5 – Limiting use, disclosure and retention
6. Principle 6 – Accuracy
7. Principle 7 – Safeguards
8. Principle 8 – Openness
9. Principle 9 – Individual access
10. Principle 10 – Challenging compliance
UNIT-III Cyber Law
Cybercrime and the Legal Landscape around the World
Anti-Spam Laws in Canada
There are two laws currently being discussed in Canadian legislative assemblies:
1. Senate Bill S-220:
The bill was introduced by Senator Yoine Goldstein in early February 2009.
It is slated to become the Anti-Spam Act. It is a private member’s bill with private right of action and criminal
remedies.

2. Parliamentary Bill C-27:

The bill was tabled by the government in April 2009, with private right of action, coordination between various
enforcement agencies, civil remedies.
The Electronic Commerce Protection Act (ECPA) (aka: Bill C-27) is an Anti-Spam Act that covers E-Mail
communications, unauthorized installed applications and the alteration of data during transmission between
senders and recipients.
The bill forbids anyone from installing a program on a computer that could send an electronic message without
the consent of the owner or user
UNIT-III Cyber Law
Cybercrime and the Legal Landscape around the World
Cybercrime and Federal Laws in the US
On 15 September 2008, the US House of Representatives approved the bill H. R. 5938.
The amendment, as part of Senate Bill S . 2168, was meant to expand the ability of the
Federal Government to prosecute criminal of identity theft and to allow victims to seek
compensation for the victims’ efforts (time and money) spent on trying to restore their credit.
The legislation was signed by President George W. Bush. It had provisions for a fine as well
as imprisonment up to 5 years for Spyware.
Florida Computer Crimes Act (1988 version) and a summary of the penalties
The Act specifies the following type of crimes:

1. Offenses against intellectual property;

2. offenses against computer equipment or supplies;
3. offenses against computer users.
UNIT-III Cyber Law
Cybercrime and the Legal Landscape around the World
The EU Legal Framework for Information Privacy to Prevent Cybercrime
The E U is an economic and political union of 27 member states, located primarily in
Europe.
Readers can visit the link to understand the EU member countries.Also see Box 6.7 to know
the names of EU member countries.
Data protection E U legal framework addressed the principles for information management
(fairness, consent, transparency, purpose specification, data retention, security and access).
UNIT-III Cyber Law
Cybercrime and the Legal Landscape around the World
The EU Legal Framework for Information Privacy to Prevent Cybercrime
In the EU , cybercrime law is primarily based on the C oE’s Convention on C ybercrime
(November 2001).
Under the convention, member states are obliged to criminalize:
1. Illegal access to computer system ;
2. Illegal interception of data to a computer system;
3. Interfering with computer system without rights and intentional interference with
computer data without rights;
4. The use of inauthentic data with intent to put it across as authentic (data forgery);
5. Infringement of copyright-related rights online;
6. Interference with data or functioning of computer system;
7. Child pornography-related off enses possession/ distribu tion/ procuring/producing of
child pornographic.
UNIT-III Cyber Law
Cybercrime and the Legal Landscape around the World
Cybercrime Legislation in the African Region
There is a common agreement that the African regions are in dire need for legislation to fight
cybercrime.
Africa is witnessing explosive growth in ICTs.
With this growth, however, cybercrime has also become a reality in this part of the world
too.
African countries, mostly because of inadequate action and controls to protect computers
and networks, are targets of attack.
A great deal of criminal activity is said to take place from this part of the world.
UNIT-III Cyber Law
Cybercrime and the Legal Landscape around the World
Cybercrime Legislation in the African Region
UNIT-III Cyber Law
Why do we need Cyberlaws: the Indian context
Cyberlaw is a framework created to give legal recognition to all risks arising out of the usage
of computers and computer networks.
Under the purview of cyberlaw, there are several aspects, such as, intellectual property,
data protection and privacy, freedom of expression and crimes committed using
computers .
The Indian Parliament passed its first cyberlaw, the ITA 2000, aimed at providing the legal
infrastructure for E-Commerce in India.
ITA 2000 received the assent of the President of India and it has now become the law of the
land in India.
The Government of India felt the need to enact relevant cyberlaws to regulate Internet-based
computer related transactions in India.
It manages all aspects, issues, legal consequences and conflict in the world of cyberspace,
Internet or WWW.
In the Preamble to the Indian ITA 2000, it is mentioned that it is an act to provide legal
recognition for transactions carried out by means of electronic data interchange and other
means of electronic communication, commonly referred to as electronic commerce .
UNIT-III Cyber Law
Why do we need Cyberlaws: the Indian context
The reasons for enactment of cyberlaws in India are summarized below:
1. Although India possesses a very well-defined legal system, covering all possible situations
and cases that have occurred or might take place in future, the country lacks in many
aspects when it comes to newly developed Internet technology. It is essential to address this
gap through a suitable law given the increasing use of Internet and other computer
technologies in India.
2. There is a need to have some legal recognition to the Internet as it is one of the most
dominating sources of carrying out business in today’s world.
3. With the growth of the Internet, a new concept called cyberterrorism came into existence.
Cyberterrorism includes the use of disruptive activities with the intention to further social,
ideological, religious, political or similar objectives, or to intimidate any person in
furtherance of such objectives in the world of cyberspace. It actually is about committing an
old offense but in an innovative way.
Keeping all these factors into consideration, Indian Parliament passed the Information
Technology Bill on 17 May 2000, known as the ITA 2000.
This law is based on Model UNCITRAL law for E-Commerce
UNIT-III Cyber Law
The Indian ITact.
Cybercrimes and Other Related Crimes Punishable under Indian Laws
1. Under Section 65 of Indian Copyright Act any person who knowingly makes, or has in
his/her possession, any plate for the purpose of making infringing copies of any work in
which Copyright subsists is punishable with imprisonment which may extend to 2 years
with fine.
2. Sending pornographic or obscene E-Mails are punishable under Section 67 of the IT Act.
• An offense under this section is punishable on fi rst conviction with imprisonment for a term, which may
extend to 5 years and with fi ne, which may extend to 1 lakh rupees (Rs.1,00,000).
• In the event of a second or subsequent conviction, the recommended punishment is imprisonment for a term,
which may extend to 10 years and also with fi ne which may extend to 2 lakh rupees (Rs.2,00,000).

3. E-Mails that are defamatory in nature are punishable under Section 500 of the Indian
Penal Code (IPC) that recommends an imprisonment of upto 2 years or a fi ne or both.
4. Threatening E -Mails are punishable u nder the provisions of the IPC pertaining to
criminal intimidation, insult and annoyance (CHAPTER XXII) and extortion (CHAPTER XVII).
5. E-Mail spoofing is covered under provisions of the IPC with regard to fraud, cheating by
personation (CHAPTER XVII) and forgery (CHAPTER XVIII).
UNIT-III Cyber Law
The Indian ITact.
Weak Areas of the ITA 2000
As mentioned before, there are limitations too in the IT Act; those are mainly due to the
following gray areas:
1. The ITA 2000 is likely to cause a conflict of jurisdiction.
2. E-Commerce is based on the system of domain names. The ITA 2000 does not even touch
the issues relating to domain names. Domain names have not been defi ned and the rights
and liabilities of domain name owners do not find any mention in the law. The law does not
address the rights and liabilities of domain name holders.
3. The ITA 2000 does not deal with issues concerning the protection of Intellectual Property
Rights (IPR) in the context of the online environment. Contentious yet very important issues
concerning online copyrights, trademarks and patents have been left untouched by the law,
thereby leaving many loopholes. Thus, the law lacks “Proper Intellectual Property Protection
for Electronic Information and Data” – the law misses out the issue of IPR, and makes no
provisions whatsoever for copyrighting, trade marking or patenting of electronic information
and data. However, the corresponding provisions are available under the Indian Copyright
Act.
UNIT-III Cyber Law
The Indian ITact.
Weak Areas of the ITA 2000
4. As the cyberlaw is evolving, so are the new forms and manifestations of cybercrimes. The
offenses defined in the ITA 2000 are by no means exhaustive. However, the drafting of the
relevant provisions of the ITA 2000 makes it appear as if the offenses detailed therein are
the only cyberoffenses possible and existing. The ITA 2000 does not cover various kinds of
cybercrimes and Internet-related crimes.
These include:
• Theft of Internet hours;
• cybertheft;
• cyberstalking;
• cyberharassment;
• cyberdefamation;
• cyberfraud;
• misuse of credit card numbers;
• chat room abuse;
• cybersquatting (not addressed directly).
UNIT-III Cyber Law
The Indian ITact.
Weak Areas of the ITA 2000
5 . The ITA 2000 has not tackled vital issues pertaining to E-Commerce sphere like privacy
and content regulation to name a few.
6. The Information Technology Act is not explicit about regulation of Electronic Payments,
and avoids applicability of IT Act to Negotiable Instruments. The Information Technology Act
stays silent over the regulation of electronic payments gateway and rather segregates the
negotiable instruments from the applicability of the IT Act. This may have major eff ect on
the growth of E-Commerce in India.
This has led to tendencies of banking and financial sectors being irresolute in their stands.
7. IT Act does not touch upon antitrust issues.
8. The most serious concern about the Indian Cyberlaw relates to its implementation. The
ITA 2000 does not lay down parameters for its implementation. Also, when Internet
penetration in India is extremely low and government and police officials, in general, are not
very computer savvy, the new Indian cyberlaw raises more questions than it answers. It
seems that the Parliament would be required to amend the ITA 2000 to remove the gray
areas mentioned above.
Challenges to Indian Law

No procedural rules: There are no separate rules of procedure for investigating cybercrime or computer
crime.
Electronic evidence is very different from traditional criminal evidence, so it is essential to establish
standardized and consistent procedures for handling electronic evidence.

Shortage of technical staff: There are minimal efforts by states to recruit technical personnel to investigate
cybercrime.
A regular police officer with a background in humanities and business administration may not understand the
nuances of how computers and the Internet work.
Additionally, the Information Technology (IT) Act of 2000 maintains that offences registered under the Act
should be investigated by police officers, not below the rank of inspector. In practice, the number of police
inspectors in the district is limited and most field investigations are conducted by deputy inspectors.

Lack of Infrastructure – Cyber labs: State cyber forensics labs need to be upgraded as new technologies
emerge. Cryptocurrency-related crime continues to be underreported due to the limited ability to solve such
crimes. Most government cyber labs are well equipped to analyze hard drives and mobile phones, but many still
employ “electronic evidence examiners” so they can provide an expert opinion on electronic records. Not
specified.

Need for localization: Most cybercrime is transnational and extraterritorial. Collecting evidence from foreign
territories is not only a difficult but time-consuming process. Other than the immediate suspension of
objectionable websites and accounts of suspects in most social media crimes, other details are not readily
available from big tech companies.
Therefore, “data localization” should be included in the proposed Personal Data Protection Act to ensure law
enforcement agencies have timely access to suspected data of Indian citizens.
 Cybercrime Scenario in India
According to Joseph Aghatise, cybercrime is a crime committed on the Internet using a computer either as a
tool or as a targeted victim. It is very difficult to categorize crimes into different groups because many
crimes evolve daily. Even in the real world, crimes such as rape, murder, or theft do not necessarily need to
be separated. However, in all cybercrimes, both the computer and the person behind it are victims; it just
depends on which of the two is the main target. Therefore, the computer can be a target or a tool for
simplicity. Hacking, for example, involves attacking the computer's information and other resources. It is
important to note that in many cases, there is overlap, and it is impossible to have a perfect classification
system.

Verizon's[iv] 2016 annual report, titled "Data Breach Investigations Report," lists industry-related incidents
and security breaches. According to the report, "89 percent of data breaches had a financial or espionage-
related purpose."When individuals suffer harm, the impact is felt the most, especially when the hard road of
international enforcement is taken. The vastness of cyberspace makes enforcement even more difficult.

According to a report by the Ministry of Electronics and Information Technology (MeitY) submitted to a
parliamentary subcommittee, cybercrime and fraud cases increased more than fivefold between 2018 and
2021. According to data from India's Computer Emergency Response Team (Cert-In), the total number of
incidents increased from 208,456 in 2018 to 1,402,809 in 2021, so according to these figures, cybercrime in
India has increased by 572% in just 3 years.
Important steps were taken by the Government:

Information Act 2000: The Information Act, of 2000 is the primary law to combat cybercrime and digital
commerce in India.

National Cyber ​Security Policy, 2013: This policy provides a vision and strategic direction for protecting the
nation’s cyberspace.

CERT-In (Cyber ​Emergency Response Team – India): CERT-In has been operational since 2004. It is a national
focal point for immediate response to computer security incidents as they occur.

India’s Cyber ​Crime Coordination Center (I4C): A comprehensive and coordinated response to all types of
cybercrime. Cyber ​Swachhta Kendra: Launched in early 2017, Cyber ​Swachhta Kendra provides users with a
platform to analyze and clean their systems from various viruses, bots/malware, Trojans, etc.

Cyber S
​ uraksit Bharat: The Ministry of Electronics and Information Technology launched the Cyber ​Surakshit
Bharat initiative to raise awareness of cybercrime and build the security response capabilities of the Chief
Information Security Officer (CISO) of all government departments and his IT staff on the front lines.

Cyber ​Warrior Police: In 2018, the government announced plans to implement his CWPF. It is proposed to be
brought under the guidelines of the Central Armed Police Force (CAPF).

Cybercrime prevention programs for women and children: The program, run by the Ministry of Home Affairs,
aims to prevent and reduce cybercrime against women and children.
 Digital signatures and Indian IT Act
Unveiling the Digital Handshake:
A Secure E-Seal: A DS is an encrypted fingerprint attached to your electronic document, verifying your
identity and ensuring its integrity. It's like your unique digital handshake, sealing the deal with
security and authenticity.
Legal Recognition: The IT Act, 2000 grants legal equivalence to DSs issued by licensed Certifying
Authorities (CAs), like eMudhra. This means your online signature carries the same legal weight as its
ink-stained counterpart.
Admissibility in Court: Documents signed with valid DSs are admissible as evidence in Indian courts,
making them legally binding and enforceable. So, your e-agreement stands just as tall as any
traditional contract.

Exploring the IT Act, 2000:

Section 3: This section lays the foundation for digital signatures, outlining their authentication
methods and legal recognition. It's the bedrock on which the e-signing ecosystem rests.
Section 5: This section establishes the role of CAs, ensuring they follow stringent verification
procedures and issue secure, tamper-proof DSs. Choose your CA wisely!
Section 6: This section recognizes the legal validity of electronically signed documents, paving the way
for their use in contracts, government filings, and more. Your e-signature has the law's backing.
Understanding the Nuances:
Types of DSs: Different types of DSs cater to varying security needs. Class 2 suits
individual tax filing and simple agreements, while Class 3 offers enhanced security for
high-value transactions and government tenders. Choose the right tool for the job.
Validity Period: Every DS has a validity period, typically one or two or three years. Don't
sign documents with an expired DS; remember to renew it on time.
Compliance Matters: Different sectors have specific regulations governing the use of DSs.
Ensure you comply with relevant regulations to maintain legal validity.

Navigating the E-Legality Maze:

Always verify the signer's DS: Check if their certificate is valid and issued by a trusted
CA. Don't enter a blind e-handshake!
Maintain records: Keep copies of your DS application, renewal documents, and signed
documents for future reference. Be your own e-archivist.
Stay informed: The e-world is constantly evolving. Keep yourself updated about changes
in the IT Act, 2000 and regulations related to DSs. Knowledge is power in the digital
marketplace.
Consult legal professionals: For complex transactions or legal uncertainties, seek expert
advice on the legal implications of DSs. Don't sail the e-seas alone.
Choose a reliable provider: Trustworthy providers like eMudhra offer support and
guidance on using DSs effectively and complying with regulations. Choose your digital
wingman wisely.
Spread the word: Educate others about the legal validity and benefits of DSs. Let's
normalize the e-handshake in India!
 Data Protection and Privacy

o 137 out of 194 countries had put in place legislation to secure the
protection of data and privacy.

o Africa and Asia show different level of adoption with 61 and 57 per
cent of countries having adopted such legislations.

o The share in the least developed countries is only 48 per cent.

Guiding Principles
Key Considerations
 AFRICA

Existing Privacy Laws and Frameworks in Africa

SADC Model Law on Data Protection (2010) – Under Review

ECOWAS Supplementary Act A/SA.1/01/10 on personal data protection (2010)
EAC Framework for Cyberlaws (2008)
African Union Convention on Cyber Security and Personal Data Protection (Malabo
Convention)
Privacy & Personal Data Protection Guidelines for Africa
African Union Continental Data Policy Framework
The Digital Transformation Strategy for Africa (2020-2030)
African Continental Free Trade Area (AfCFTA) agreement

Source:
 European Union (EU)
The Evolving Landscape of European Data Privacy Laws
General Data Protection Regulation (GDPR)
Data Governance Act (DGA)
ePrivacy Directives
ePrivacy Regulation
Digital Markets Act
Digital Services Act
The Draft Data Act
European Health Data Space (EHDS)
Artificial Intelligence Regulation
 Council of Europe (CoE)

Ratification of Mauritius to the Convention for the

Protection of Individuals with regard to Automatic
Processing of Personal Data (Convention 108)
which came into force on 01 October 2016. Ratification of the Protocol amending Convention
for the Protection of individuals with regard to
automatic processing of personal data on 04
September 2020.
 United Nations
 United Nations International Covenant on Civil and Political Rights

Universal Declaration of Human Rights

UN Principles on Data Protection and Privacy

 UN Reports of the Special Rapporteur on the Right to Privacy

Guidance Note on Data Privacy, Ethics and Protection for the United Nations Development Group
(UNDG)

UNESCO’s Principles on Personal Data Protection and Privacy

United Nations High Commission on Human Rights’ resolution on The Right to Privacy in the
Digital Age
 US
American Data Privacy and Protection Bill,
UK
California Privacy Rights Act (2020), Consumer Data
Protection Act (Virginia), Utah Consumer Privacy Act
(UCPA), Connecticut Privacy Act, Colorado Privacy • Data Protection Act 2018
Act, (CPA), Children’s Online Privacy Protection Bill
• Online Safety Bill
China
India

• Personal Information Protection Law • Digital Personal Data Protection Bill

(PIPL) 2022
 Main Achievements of the Data Protection Office
Revenue Collected
DPO collected a total revenue of Rs 11,741,500 in 2021 and Rs 2,736,500 for registration of controllers and
processors in 2022.
European Union Adequacy
In conjunction with the adequacy requirements established by the European Union, the
office prepared and submitted a report to the European Commission (EC) Directorate for
its study and perusal with a view to a subsequent adequacy finding for Mauritius. The
report aims to provide an overview of the Mauritian system in order for the EC to conduct
an objective assessment.
Enforcing Data Protection Statistics 2021 – 2022