Let's Build a Responsible Cyber Society


"Hacking" ..In India, It's Different..Let is Retain it

.

 

Section 66 of ITA-2000 which defines "Hacking" has been a subject of discussion particularly from the point of view of its distinctiveness to similar Computer Misuse" provisions in other Country legislations. This article revisits the section with particular reference to hacking (as per section 66) by Employees, Directors and Partners. It also discusses whether one partner of a firm can allege hacking of the partnership computer by the other partner.


Section 66 of Information Technology Act: Hacking with Computer System

Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.

Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.


Meaning of "Hacking"

The word "Hacking" is one of the most common words used in the field of Cyber Crimes. In fact it is more or less a generic term used to represent Cyber Crimes.

According to the global understanding, "Hacking" refers to "Unauthorized Access to a Computer Network" which may otherwise be called an "Unauthorized Intrusion".

A finer distinction is made when such "Intrusion" is with a criminal intention of causing harm. In such cases the "Unauthorized Intrusion" may be called "Cracking". On the other hand, access  undertaken to check the security vulnerability of a system though Unauthorized, is also called "Hacking" and is considered a part of the IT security testing. Such a Hacker has no intention of causing harm. Some times such hackers also act under the knowledge and permission (without access privileges being shared) of the Information Asset owners.

While it is acceptable for the common man to refer to any Cyber Crime as "Hacking", and International community to accept the Wikipedia/dictionary.com definition of "Hacking", it is important for Cyber Law followers to understand that "Hacking" is the name given by law in India to a specific type of offence as defined in Section 66 of ITA-2000. It is therefore in-correct for us to use the term "Hacking" except as the offence under "Section 66 of ITA-2000".

The definition provided in ITA-2000 for the Section 66 offence which is called "Hacking" is unique since it is distinct from definitions used in other International laws for defining an offence of some what similar nature.

The Computer Misuse Act 1990 of UK defines  offences under Section 1,2 and 3 as follows:

Unauthorised access to computer material

1.—(1) A person is guilty of an offence if—

     (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

     (b) the access he intends to secure is unauthorised; and

     (c) he knows at the time when he causes the computer to perform the function that that is the case.

    (2) The intent a person has to have to commit an offence under this section need not be directed at—

     (a) any particular program or data;

     (b) a program or data of any particular kind; or

     (c) a program or data held in any particular computer.

    (3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

Unauthorised access with intent to commit or facilitate commission of further offences.

2.—(1) A person is guilty of an offence under this section if he commits an offence under section 1 above ("the unauthorised access offence") with intent—

     (a) to commit an offence to which this section applies; or

     (b) to facilitate the commission of such an offence (whether by himself or by any other person);

and the offence he intends to commit or facilitate is referred to below in this section as the further offence.

    (2) This section applies to offences—

     (a) for which the sentence is fixed by law; or

     (b) for which a person of twenty-one years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years (or, in England and Wales, might be so sentenced but for the restrictions imposed by section 33 of the [1980 c. 43.] Magistrates' Courts Act 1980).

    (3) It is immaterial for the purposes of this section whether the further offence is to be committed on the same occasion as the unauthorised access offence or on any future occasion.

    (4) A person may be guilty of an offence under this section even though the facts are such that the commission of the further offence is impossible.

    (5) A person guilty of an offence under this section shall be liable—

     (a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; and

     (b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both.

Unauthorised modification of computer material.

    3.—(1) A person is guilty of an offence if—

       (a) he does any act which causes an unauthorised modification of the contents of any computer; and

       (b) at the time when he does the act he has the requisite intent and the requisite knowledge.

        (2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing—

       (a) to impair the operation of any computer;

       (b) to prevent or hinder access to any program or data held in any computer; or

       (c) to impair the operation of any such program or the reliability of any such data.

        (3) The intent need not be directed at—

       (a) any particular computer;

       (b) any particular program or data or a program or data of any particular kind; or

       (c) any particular modification or a modification of any particular kind.

        (4) For the purposes of subsection (1)(b) above the requisite knowledge is knowledge that any modification he intends to cause is unauthorised.

        (5) It is immaterial for the purposes of this section whether an unauthorised modification or any intended effect of it of a kind mentioned in subsection (2) above is, or is intended to be, permanent or merely temporary.

        (6) For the purposes of the [1971 c. 48.] Criminal Damage Act 1971 a modification of the contents of a computer shall not be regarded as damaging any computer or computer storage medium unless its effect on that computer or computer storage medium impairs its physical condition.

        (7) A person guilty of an offence under this section shall be liable—

       (a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; and

       (b) on conviction on indictment, to imprisonment for a term not not exceeding five years or to a fine or to both

Under Section 1 above, offence is recognized when a person knowingly manipulates a computer to gain accesses to a computer without authority. The requirement focuses on the intention to gain access to data even if the person does not have any knowledge of what kind of data he is likely to access. Section 2 covers instances where the gaining of access is to commit an act otherwise declared as an offence in any other statute. Section 3 covers instances where there is "unauthorised modification of data" with  intent and knowledge.

Similar provisions are provided in the Computer Misuse Act 1994 of Singapore.

It must be remembered that these definitions of Cyber Crime were already available for reference when the Indian ITA-2000 was drafted and were in fact extensively consulted before the draft of the act was finalised.

Hence the drafting of Section 66 with certain differences were deliberate and intentional though some who think everything foreign is always correct may still want the Indian law to be amended to copy the laws prevalent say in UK or Singapore.

While the undersigned has been suggesting the removal of the name of section 66 crime as "Hacking" to avoid this confusion, it is  considered that the rest of the section as it stands  is very purposeful and needs to be retained.

Indian Definition More Purposeful

What makes Sec 66 more purposeful than other attempts of defining "Computer Misuse" or "Hacking" is that the focus of Section 66 is "Information Residing Inside a Computer" and what happens to it.

It recognizes "Diminishing of Value" and "Injurious Effect" of the Information residing inside a computer. Ofcouse it also mentions the more obvious "Destruction", "Deletion" and "Alteration".

Any Means

It is immaterial as far as Section 66 is concerned, how the injurious effect on the information was brought about. It could have been by causing the computer to behave a particular fashion either by a "virus like" programme or by simply breaking the hard disk. It could even be by bringing a powerful magnetic force near the computer so that the hard disk gets corrupted or causing a wide fluctuation in the voltage to cause the hard disk to malfunction.

Knowledge Without Intention

We may also observe that as regards the "intention", the section states "..with the intent to cause or knowing that he is likely to cause..". From the choice of the words, it is clear that the section is attracted even when there is no "intention" but only "knowledge of likelyhood of a loss ". The reason why the "mens rea" has been ignored is that the "Technology" is a sophisticated tool and any person using the technology has to be responsible and ensure that the world around is not adversely affected by their negligent use. Hence it was proposed that a technologist with knowledge that a certain action is likely to create harm to information will be liable if the damage occurs even when he may contend that he had no such intention. The onus of proving innocence (It was not likely under the circumstances that the disputed action would result in harm) is therefore put on the technology user and not on the community or the Information asset owner.

What is Wrongful Loss?

The section 66 gets attracted whenever there is a "Wrongful loss" to "public or any person".

The word "Wrongful Loss" is not defined in ITA-2000. It is therefore to be interpreted in the given context with reference to the objective of this law.

IPC, (Section 23 ) attempts to define "Wrongful gain" and "Wrongful loss" as follows.

"Wrongful gain"

"Wrongful gain" is gain by unlawful means of property which the person gaining is not legally entitled.

"Wrongful loss"- "Wrongful loss" is the loss by unlawful means of property to which the person losing it is legally entitled.

Gaining wrongfully, losing wrongfully- A person is said to gain wrongfully when such person retains wrongfully, as well as when such person acquires wrongfully. A person is said to lose wrongfully when such person is wrongfully kept out of any property as well as when such person is wrongfully deprived of property.

While the general principle of "Wrongful loss" can be derived from here, it is necessary to remember that the vision of IPC was limited to "Physical Property" and hence the meaning of "Deprivation" here is to "physically being prevented from the enjoyment of the proprty". This goes with the other concepts of "Theft" of movable property or "Tresspass" on an immovable property. In the context of ITA-2000 we need to look at how this provision has to be applied to "Virtual Properties" which even when stolen (ie copied), does not deprive the original owner of the property and even when tresspassed, allows others to simultaneously view and enjoy the same electronic document (eg: a Website document space which is simultaneously occupied by many).

Hence the meaning of "Wrongful loss" for the purpose of Section 66 of ITA-2000 cannot be limited to the available definition under IPC just for the reason that the phrase is similar. Also Section 66 itself provides the direction in which we may think to find a definition for "Wrongful Loss". For example, "Diminution in value or utility" of an "Information Asset" is "Wrongful loss" in the Information world. The value of this definition can be seen from the fact that "When a Confidential Information is viewed by an unauthorized person, i.e, when the confidentiality is compromised, we can say that its value and utility has diminished.. Similarly, due to a "Trojan activity" or a "Denial of Service Attack", the functioning of certain information assets is slowed down, then the utility of the asset has been diminished. Similarly, the word "Affecting it injuriously" can also be interpreted in several dimensions.

The Victim under Section 66

One more subtle point of discussion about the section is about "Who should suffer the wrongful loss" to make the section operable. According to the section it could be "Public or any person". The use of the word "or" in conjunction with the word "person" indicates that it refers to somebody who cannot be treated as  "public" in the given context.

This fine distinction provided in the section is very important from the point of view of "Information Security". For example, in a E-Commerce world, information may be injured both in public domain or in private domain. Private domain here means the internal network of a company or a computer resource of an organization. It can also be a single laptop computer. Wrongul loss can occur to one employee of an organization, one Director of a Company or One Partner of a firm. These are the "persons" who come under the category of "Persons other than the public".

If therefore a wrongful loss occurs to a Director or Partner of a business entity due to destruction, deletion, alteration, diminution in value or injurious damage of information residing in a computer, then section 66 is invoked.

Offence by an Authorized person

The next question which we some times come across is that if an authorized employee of a company is involved in causing the damage, can it be excluded from the definition of the offence since it was not an "Unauthorized Activity".

In the UK type definitions, it is possible to envisage situations where the damage to the information has arisen from the actions of an authorized employee which may not amount to an offence. The thin line that needs to be drawn in this case is " A person may be authorized to make some modifications, but the one he is now accused of is a modification which is not authorized". For example, a person may be authorized to maintain a data base of people in which periodical changes in the address has to be noted. He is for the purpose of this operation "Authorized". However he makes the modification but enters a "Wrong Address" for some record. In this connection, he is authorised to make the change in address but not authorised if the change sought to be made is erroneous.

We note that the Indian definition of Sec 66 offence does not lend itself to such convoluted arguments. Here the point to be established is "Has the information been injured? diminished in value?".. Since the answer is in the affirmative when the address is changed erroneously, irrespective of whether there is authority or not the offence is recognized. This is one of the strong points of Sec 66 when it comes to "Data Protection" which is sought to be diluted in the proposed amendments. (Can we say by the lack of attention to details by the expert committee?).

What is discussed above in respect of an employee also holds good in the case of "Partners" of a partnership firm when one partner injures information residing inside the computer causing a wrongful loss to the other person. Just as in the case of a joint account in a Bank, one of the joint account holders can cheat the other joint account holder though both appear to be the owners of the money  or when one joint owner of a property can cheat the other joint owner, one partner of a firm can commit "hacking under section 66" against the other partner though both of them jointly own the information. This can typically happen when the partnership business is run jointly while the information system is under the control of one of the partners.

In case there is a situation where the act of "Hacking" by one partner damages the partnership firm also, a question may be raised whether it is not infeasible for  some body to "Hack on himself".

This needs to be answered with reference to two possibilities. First is "Can a person commit an offence on himself". If we take the example of "An attempt to commit suicide" as an offence, it is clear that law does recognize commission of crime on oneself. Secondly, if a person injures himself for the purpose of making some body else responsible for the consequences, the act can be considered as an offence and cannot be defended with the argument "How can a person commit an offence on himself?

It is therefore clear that it is possible that one owner of a system (or information) can commit hacking under Section 66 against another joint owner.

Thus, we can observe that Section 66 of ITA-2000  has a far wider dimension  than the definition of computer misuse as an offence in the British law. It is therefore prudent to retain it in the present form than to dilute it only to cases of "Unauthorised Actions". Any exceptional cases where a person is wrongly accused of hacking under section 66 can be handled under the provision of protection and exemptions given to people who practice "Due Diligence".

 

Naavi

April 12, 2006

Related Articles:

Naavi's Comments on Proposed Amendments to ITA-2000

Additional Comment:

"Morphing" is Hacking in India

The case of a school boy in Ahmedabad who has been arrested for having morphed the photo of a girl class mate on an Internet downloaded pornographic picture and circulating it amongst his friends has reopened the debate on the definition of "Hacking" in India. In this offence, apart from section 67 of the ITA-2000, the question arises if any "Information Residing inside a computer" was "Altered" with the "Intent to cause" "Wrongful harm" to "Any person". It appears that all these ingredients can be found in the Ahmedabad case and hence Section 66 of ITA-2000 can also be invoked in the above case. This also provides a clarification to one of the points that was raised in our previous article "Hacking" ..In India, It's Different..Let is Retain it , where we discussed the issue of "Hacking" into "Own Computer" in the context of joint ownership such as in a partnership firm. The Ahmedabad case rightly focusses on the fact that if  "Wrongful harm" can be inflicted on "Any Person", by "Altering" information in a computer owned by the accused, that action eminently qualifies to be called an offence and charged under Section 66 of ITA-2000. By the same argument, a graphic designer who designs a fake currency using software on his computer is also guilty of "Hacking" or a photographer who morphs pictures of celebrities with members of the public for a fee (which can be used to commit a fraud or defamation) is also guilty of "Hacking".

Naavi

April 14, 2006

(Comments Welcome)


For Structured Online Courses in Cyber laws, Visit Cyber Law College.com

 

Back To Naavi.org