MID TERM EXAMINATION: FEB/MARCH – 2023 **MAXIMUM MARKS:** 20

1. X, a girl aged 18 years and Y a boy aged 21 years have been close friends since their School days. X,
deeply in love with Y wanted to take their friendship to level of a committed relationship. X explicitly
expressed her love to Y. As a way of expressing her love and commitment to Y, she also sends him some
of her seminude pictures. A year later relationship between X and Y became sour as X discovered that
Y was dating another friend of theirs Z. While Y and Z were in relationship, Z found seminude pictures
of X on Y's phone. Having been jealous of X since School days, Z posted pictures of X on social media. Is
X a Victim or a perpetrator? Decide. Substantiate your answer by citing relevant statutory provisions,
case law and in the light of classroom discussion.

ANSWER - In the scenario described, X can be considered a victim of cyber harassment and non-
consensual distribution of private images, which are criminal acts under Indian law.

1. **Violation of Privacy and Cyber Harassment**:

Under the Indian Penal Code (IPC) and the Information Technology Act, 2000 (IT Act), Z's actions
constitute clear violations. According to Section 66E of the IT Act, the violation of privacy by sharing
personal images without consent is punishable. Additionally, Section 67 of the IT Act, which prohibits the
publication or transmission of sexually explicit material, also applies here.

2. **Cyber Stalking**:

Z could also be accused of cyber stalking under Section 354D of the IPC, which covers the act of
monitoring the use of the internet, email, or any other form of electronic communication to foster
personal interaction repeatedly despite a clear indication of disinterest by the other individual

3. **Criminal Intimidation and Defamation**:

Depending on the circumstances, such actions might also be considered under Sections 499/500 of the
IPC for defamation, as distributing such images could be seen as intending to harm X’s reputation.
Section 506 of the IPC covers criminal intimidation which could apply if X felt threatened by Z's actions

4. **Potential Liability of Y**:

Although Y might not have shared the images himself, there might be questions about his role in
securing and safeguarding access to sensitive content which ended up being misused by Z.

In summary, X is a victim under various provisions of Indian cyber and criminal laws, primarily due to the
unauthorized distribution of her images which is a clear infringement of her privacy and a form of cyber
harassment. Z, who posted the images, and potentially Y, for inadequate security of private data, could
face legal consequences. For comprehensive legal recourse, it would be advisable for X to consult a legal
professional to explore all possible legal avenues including the filing of a police complaint under the
relevant sections of the IT Act and IPC.
2. Technosoft is a software company based in Delhi involved in developing a communication code called
‘Eveready’ for the Police of the State of X under a confidentiality agreement. Q, hacked into the security
system of Technosoft using login credentials of R and stole the codes of ‘Eveready’. Later on, Q sold the
codes of ‘Eveready’ to e-Solutions. Technosoft made a complaint regarding this incident to the Police.
By the time the police could investigate the matter, e-Solutions announced the launch of its own
communication software *Mango-People’ and also proposed to sell the same to the Police of the State
of Y which was very similar to the communication code being developed by Technosoft. Reviewing
above facts, discuss the legal liabilities of Q, R and e-Solutions, if any. Substantiate your answer by citing
relevant statutory provisions, case law, and in the light of classroom discussion.

ANSWER- In the scenario provided, the legal liabilities of Q, R, and e-Solutions in connection with the
unauthorized access, theft, and subsequent sale and potential use of the ‘Eveready’ communication code
can be explored under the Information Technology Act, 2000 (IT Act), as well as provisions from the Indian
Penal Code, 1860 (IPC).

### Legal Liabilities of Q:

1. **Under the IT Act**:

- **Section 43**: Q’s unauthorized access to Technosoft’s security system using R’s credentials
constitutes damage to the computer system, which is a contravention under this section and subjects Q
to liability for damages by way of compensation.

- **Section 66**: This section provides punishment for computer-related offences which would cover
Q’s actions of hacking and data theft.

- **Section 66B**: Q’s receipt or retention of stolen computer resource (in this case, the stolen code) is
punishable under this section.

2. **Under the IPC**:

- **Section 379** (Theft): The unauthorized access and copying of the code can be construed as "theft"
in cyberspace.

- **Section 411** (Dishonestly receiving stolen property): If it is established that Q knew the code was
proprietary and confidential, receiving and retaining the stolen code falls under this provision.

- **Section 420** (Cheating and Dishonestly Inducing Delivery of Property): If Q deceived e-Solutions
about the legitimacy of the code, this could also apply.

### Legal Liabilities of R:

If R negligently handled his login credentials which allowed Q to access the system, depending on the
company’s security policies and the terms of employment, R might face disciplinary action internally.
However, unless it can be shown that R had some complicity in the unauthorized access, criminal liability
under the IT Act or IPC might be difficult to establish.
### Legal Liabilities of e-Solutions:

1. **Under the IT Act**:

- **Section 65**: This section punishes anyone who knowingly or intentionally conceals, destroys or
alters any computer source code required to be kept or maintained by law. If ‘Mango-People’ is
substantially similar to ‘Eveready’, and e-Solutions altered the code to avoid detection, this might apply.

- **Section 66B**: Possession of stolen computer resources, if it can be proven that e-Solutions knew
the code was stolen.

2. **Under the IPC**:

- **Section 411**: If e-Solutions knew that the codes were proprietary and had been criminally acquired,
then purchasing and using them would fall under receiving stolen property.

3. **Civil Liability**: Technosoft could also pursue a civil lawsuit for breach of contract (if any exists
between the parties), breach of confidentiality, and for an injunction to prevent the use or dissemination
of their proprietary code.

### Relevant Case Law:

While specific Indian case law directly analogous to this situation might not be readily available, similar
principles were discussed in the case of **BMC Software, Inc. v. Sangram Keshari Rout & Ors.** (2009),
where unauthorized use of software and breach of license agreements were adjudicated.

### Classroom Discussion Points:

- The significance of safeguarding login information.

- The implications of negligence in cybersecurity.

- The need for stringent internal security protocols to prevent such breaches.

In conclusion, Q faces significant legal liabilities under both the IT Act and the IPC for his actions. e-
Solutions also could be liable if they knew or should have known that the code was proprietary and
obtained through improper means. R’s liability appears more limited unless further evidence of his
complicity emerges.

3. Explaining the meaning of ‘cybercrime’ discuss the typology of cybercrime. Identify and explain the
role of ‘intention’ and ‘motive’ in determining criminal liability of a wrongdoer.

ANSWER- ### Explaining the Meaning of 'Cybercrime'

**Cybercrime** refers to any criminal activity that involves a computer, network device, or a network.
While the computer may be the target of the crime, it can also be used as a tool to commit a crime or as
a storage device to store illegal material. The Information Technology Act, 2000 (IT Act) of India, along
with the Indian Penal Code, 1860 (IPC), provides a legal framework to address various forms of
cybercrimes.
### Typology of Cybercrime

Cybercrimes can be broadly categorized into three types:

1. **Crimes Against Individuals**: This includes various forms of cyber harassment, cyberstalking,
distribution of pornographic material, defamation, hacking personal online accounts, identity theft, and
financial frauds such as phishing, credit card frauds, and ATM fraud.

2. **Crimes Against Property**: This includes cyber vandalism, hacking into systems to cause disruption,
transmission of harmful programs like viruses or malware, unauthorized access and control over
computer systems, intellectual property crimes including software piracy, and theft of information
contained in electronic form.

3. **Crimes Against Government and Society**: This includes cyber terrorism aimed at the government
or societal groups, spreading hate and inciting terrorism, and activities that breach national security
protocols.

### Role of ‘Intention’ and ‘Motive’ in Cybercrimes

**Intention** and **motive** play critical roles in determining the criminal liability in cybercrimes,
much like in traditional crimes.

- **Intention (Mens Rea)**: This refers to the mental state of the perpetrator at the time of committing
the crime. It involves the conscious decision to engage in an activity that is known to be criminal. In
cybercrimes, proving intention can be challenging, especially in cases involving malware dissemination
where the perpetrator might argue the lack of intent to cause specific harm.

For example, under Section 66 of the IT Act, which deals with computer-related offenses, the
culpability is often established by proving that the offender intentionally or knowingly caused damage or
harm. Similarly, Section 43 of the IT Act penalizes anyone who causes damage "intentionally" to the
computer, computer system, etc.

- **Motive**: While motive is not necessary for proving criminal liability, it helps in understanding the
reasons behind committing the crime and can influence the severity of penalties. Motive involves the
underlying cause that drives an individual to commit a crime, which can range from financial gains to
emotional or ideological reasons. For example, a hacker might infiltrate a secure system to steal
sensitive information for financial gain (motive), and the act of breaching the security (intention)
constitutes the cybercrime.

### Conclusion

In legal terms, while motive provides the "why" behind a crime, it is the intention that is paramount in
establishing "mens rea" for cybercrimes under the law. The differentiation is crucial because, in legal
proceedings, establishing the intention can directly affect the outcome in terms of conviction or
acquittal, whereas motive might influence the penalty phases or strategic aspects of law enforcement
investigations. The evolution of cybercrime laws continually adapts to new challenges posed by
technological advancements, making the understanding of these elements all the more critical for
effective legal enforcement.
 **END TERM EXAMINATION, MAY 2023**

1. Koogle Technologies an intermediary (Koogle) provides services to its customers, including the
transmission of e-mail to and from other members and across the Internet. To become a member, an
user must agree not to use Koogle's communication services to send unsolicited commercial e-mails.
Koogle uses filtering software to block unsolicited commercial e-mails but commercial e-mailers
sometimes use other software to thwart the filters. Tahoo (P) Ltd. (Tahoo) is a company which sells
computer chips and Application Services (App Services). To generate leads for Tahoo’s products, sales
representative, who included Koogle’s members sent more than 500 million pieces of unsolicited
commercial e-mails through Koogle’s communication services, each item cost Koogle an estimated Rs.
2.00 in equipment expenses. Some of the e-mail messages used the false headers and other methods
to hide the source of the e-mail message. After receiving more than 50,000 complaints, Koogle asked
Tahoo to stop this practice. When the unsolicited commercial e-mail continued, Koogle initiated legal
action against Tahoo. Reviewing aforementioned facts: a) Identify the techno-legal issues involved in
the matter. b) Present arguments from the side of both the parties in the light of classroom discussion
citing relevant legal provisions and judicial decisions.

ANSWER- ### Techno-legal Issues Involved in the Matter

1. **Violation of Terms of Service**: Tahoo's use of Koogle's communication services to send unsolicited
commercial e-mails (spam) breaches the service agreement that prohibits such activity.

2. **Use of False Headers**: The utilization of deceptive headers in emails by Tahoo to obscure the
origin of the emails compounds the legal issue, suggesting a deliberate attempt to bypass spam filters
and deceive recipients, which might violate laws related to fraudulent practices and electronic
communication.

3. **Costs Incurred by Koogle**: The unsolicited emails have resulted in significant costs for Koogle in
terms of equipment expenses, highlighting issues related to unauthorized use of network resources and
the financial impact of spam on internet service providers.

4. **Ineffective Filtering and Technological Evasion**: The case involves technological measures and
countermeasures, where Koogle's efforts to implement spam filters are being actively circumvented by
Tahoo using sophisticated software.

### Arguments from the Side of Koogle

- **Breach of Contract**: Koogle can argue that Tahoo violated the terms of service agreed upon by
using Koogle’s network to send spam. This breach justifies legal action to enforce the agreement and
seek reparations for damages incurred.

- **Costs and Damages**: Koogle is justified in seeking compensation for the additional costs incurred
due to the increased load on its infrastructure, which can be quantified based on the volume of spam
sent and the cost per email.

- **Legal Compliance and Reputation**: Koogle can assert that it has a legal and ethical obligation to
protect its network and its users from spam, and that Tahoo's actions endanger its compliance with
cybersecurity and data protection laws, as well as harm its reputation.
- **Fraudulent Misrepresentation**: The use of false headers by Tahoo can be presented as an act of
fraud, misleading both Koogle and its users, potentially leading to liability under laws that punish
deceptive practices in electronic communications.

### Arguments from the Side of Tahoo

- **Lack of Intent**: Tahoo might argue that there was no intentional breach of Koogle's terms of
service, positing that the sales representatives acted without full knowledge or outside of corporate
policy guidelines.

- **Technical Countermeasures**: Tahoo could claim that their actions were a legitimate use of
technology to conduct business, and that the responsibility to filter and block unwanted content lies
with Koogle as the service provider.

- **Economic Justification**: Tahoo may argue the economic necessity of their marketing strategy,
emphasizing the competitive nature of their industry and the role of direct email marketing in their
business model.

### Relevant Legal Provisions and Judicial Decisions

- **Information Technology Act, 2000 (IT Act)**, specifically Section 66C (punishment for identity theft)
and Section 43 (damage to computer system), could be cited, relating to the use of false headers and
unauthorized use of computer resources.

- **Case Law**: Reference can be made to cases such as _Microsoft Corp. v. John Does 1-18_, where
courts have ruled against defendants who used false information to promote services or products,
recognizing these actions as violations of both contractual terms and applicable spam laws.

- **Consumer Protection and Fraud**: Laws against misleading advertisements and consumer fraud
could also be relevant, as the false headers mislead recipients about the origin of the emails.

### Conclusion

In presenting their cases, both parties would benefit from focusing on the clarity of contractual terms,
the intent behind the actions, and the technical measures involved in the dispute. Koogle has a strong
case based on clear terms of service violations and incurred costs, while Tahoo would need to robustly
defend the intent and legality of their marketing strategies.
2. X a political leader and a member of Parliament from a regional party comes to know from a friend
that certain pictures of hers in company of a political leader from a rival, Opposition party are going
viral on Yearbook, a social media platform. She is shown in these pictures in company of a political leader
in a farm house, where both are seen to be sitting together and evidently enjoying each other’s
company. She initiated proceedings against Yearbook for obtaining an order to take down these
pictures. Her contention is that these pictures are defamatory, as she is a married woman with grown
up children and being shown in company of another man hurts her reputation. Identify techno-legal
issues involved in the matter and decide in the light of legal provisions and judicial decisions.

ANSWER –

### Techno-Legal Issues Involved in the Matter

1. **Defamation**: The primary legal issue here is whether the pictures shared on Yearbook are
defamatory. Defamation involves harming another person's reputation through the publication of false
information. X contends that the pictures damage her reputation by suggesting inappropriate behavior.

2. **Privacy**: The right to privacy can be implicated if the pictures were taken without X's consent,
particularly if the setting was private (such as a private farmhouse). This concerns the unauthorized use
of X's image, which can infringe upon her privacy rights.

3. **Responsibility of Social Media Platforms**: This issue revolves around the liability of Yearbook for
the content posted by its users. The question is whether Yearbook has an obligation to remove content
that is potentially defamatory and what its responsibilities are under the law for hosting such content.

4. **Content Moderation and Freedom of Expression**: The platform must balance the need to protect
users' rights against defamation with the protection of free expression. The platform's role in moderating
and removing content can sometimes conflict with freedom of speech principles.

### Legal Provisions and Judicial Decisions

1. **Information Technology Act, 2000 (IT Act)**:

- **Section 79**: This provides immunity to intermediaries (like Yearbook) given they do not initiate
the transmission, select the receiver of the transmission, and select or modify the information contained
in the transmission. However, this immunity is conditional upon the platform acting upon notices of
unlawful acts promptly.

- **Section 67**: It punishes the publication of obscene content in electronic form, which is not
directly applicable here unless the content of the photos can be argued as obscene.

2. **Indian Penal Code, 1860 (IPC)**:

- **Sections 499 and 500**: These sections deal with defamation. X would need to prove that the
pictures, in the context they were presented, were intended to harm her reputation, were false, and
were seen by someone other than herself.

3. **Judicial Decisions**:

- **Shreya Singhal vs. Union of India (2015)**: The Supreme Court clarified the liability of internet
platforms, holding that a platform is required to take down content only upon receiving an actual court
order or a government notification, thus protecting platforms against private takedown notices based on
alleged defamation.

- **Google India Pvt Ltd vs. Visaka Industries Limited (2011)**: It was held that platforms are not liable
for any posting on their website by third parties unless they have conspired or abetted or aided or
induced the same.

### Conclusion and Decision

- **Yearbook's Responsibility**: Under the IT Act, Yearbook is not liable for the user-generated content
unless they have been shown to have conspired or aided in the creation of the content. They are
required to remove the content only under a court order or a government notice.

- **On Defamation**: If the photos were taken and shared without manipulation and accurately show X
in a social setting with another political leader, proving defamation could be challenging. The context in
which the images were shared and the captions (if any) accompanying them would be crucial. If the
portrayal was neutral and merely descriptive of a fact (X sitting with someone), it might not meet the
threshold of defamation.

X would need to secure a court order mandating the takedown of the images from Yearbook, proving
that the images were either doctored, shared with malicious intent, or false, causing reputational harm
that outweighs the public interest and freedom of expression.

3. Tulip Technologies (Pvt.) Ltd. (Tulip)** is owned and operated by X, a resident of Country Mountain
Hills. He operates a host of website on diverse subjects like, news entertainment, gambling and
pornography. His business is conducted in a manner that it does not violate any law of the country
Mountain Hills where websites are registered. However, X relies on subscription-based accounts and
over 50% subscribers for his websites were from India. Lucy, a resident of India was surfing the
Internet and visited websites hosted by X which contained pornographic content. Lucy wants to
initiate legal action against X and Tulip in India.

Reviewing abovementioned facts, advise Lucy. Support your answer with reason, relevant legal
provisions and judicial decisions.

ANSWER -

### Advice for Lucy Regarding Legal Action in India

#### Legal Framework and Challenges:

1. **Jurisdictional Issues**: The primary challenge in Lucy’s case is the jurisdictional issue. X operates
Tulip Technologies from Country Mountain Hills, where the content he hosts is legal. Although the
services reach Indian subscribers, initiating legal action in India against a foreign entity where the alleged
offence originates in a jurisdiction where it is not an offence poses significant legal hurdles.

2. **Indian Penal Code (IPC) and Information Technology Act, 2000 (IT Act)**:
 - **Section 67 of the IT Act**: This provision penalizes the publication or transmission of obscene
material in electronic form. However, its applicability to X depends on whether Indian courts can assert
jurisdiction over him.

- **Section 294 of the IPC**: This section deals with obscenity in public places but is less likely to be
applicable in cyberspace cases involving a foreign defendant operating legally in their own country.

3. **Extra-Territorial Jurisdiction**:

- Indian law does assert extra-territorial jurisdiction under Section 4 of the IPC and Section 75 of the IT
Act for offences involving Indian citizens or affecting them outside India. However, enforcement against
individuals or companies solely based overseas, without assets or presence in India, is complicated and
often impractical.

#### Judicial Decisions:

- **Avinash Bajaj vs. State (2005)**: In the Bazee.com case, the CEO was held liable for an obscene video
clip sold on the website, highlighting the responsibility of intermediaries. However, the key difference
here is the jurisdiction - Bazee.com operated within India, making enforcement straightforward.

- **Kapil Sibal vs. Facebook Inc & Ors.**: In cases involving social media giants like Facebook and Google,
Indian courts have shown a willingness to exercise jurisdiction over foreign entities, but typically only
where these companies have a significant business presence in India.

#### Practical Advice for Lucy:

- **Legal Feasibility**: Given the jurisdictional challenges and the legality of X’s operation in Mountain
Hills, pursuing legal action in India may be fraught with difficulties. The cost, time, and uncertain
outcome should be carefully considered.

- **Filing a Complaint with Indian Authorities**: If Lucy believes the content violates Indian law, she
could lodge a complaint with the Cyber Cell of her local police, or the Ministry of Electronics &
Information Technology (MeitY), which can intercede through diplomatic channels or direct contact with
foreign service providers.

- **Public Policy Route**: Advocating for stronger regulations and international cooperation in
combating cybercrimes, especially those involving pornography, might be a more effective way to
address such issues. Engaging with NGOs, or lawmakers could help in pushing for changes that tighten
controls over objectionable online content accessible in India.

#### Conclusion:

Lucy should be informed about the significant challenges in prosecuting a foreign entity like Tulip
Technologies from a jurisdictional standpoint. While legal action is possible, the complexities and
potential for an unsuccessful outcome suggest considering alternative approaches, such as advocacy for
better regulatory frameworks.
4. X an auditor at Mizo Technologies, ** a Multinational Company (Mizo), has recently discovered
suspicious financial activities within their organization. X discovers suspicious activities within the
Mizo’s accounts, indicating a potential financial fraud scheme. Upon further investigation, he uncovers
evidence that suggests some senior executives are embezzling funds from client accounts for personal
gain. The management of Mizo is concerned about the potential financial losses and reputational
damage that may result from these fraudulent activities.

Taking into consideration above factual matrix, advise XYZ Corporation, propose a step-by-step plan to
investigate and address the suspected financial frauds within the organization.

ANSWER -

### Step-by-Step Plan to Investigate and Address Suspected Financial Frauds at Mizo Technologies

**1. Immediate Action and Internal Controls**

- **Secure Evidence**: Ensure that all potential evidence related to the case is preserved. This involves
securing digital logs, access records, financial statements, and all relevant correspondence.

- **Restrict Access**: Temporarily restrict access to sensitive financial systems for individuals
suspected of involvement to prevent further unauthorized transactions or tampering with evidence.

**2. Assemble an Investigation Team**

- **Internal Audit Team**: Strengthen the internal audit team by including members with forensic
accounting expertise.

- **External Experts**: Hire external auditors or forensic investigators experienced in dealing with
financial frauds. This helps maintain objectivity and brings specialized skills.

- **Legal Counsel**: Engage corporate legal counsel to understand the legal implications and ensure
compliance with all relevant laws and regulations during the investigation.

**3. Detailed Investigation**

- **Review Financial Transactions**: Conduct a thorough review of all suspicious transactions, tracing
the flow of funds, and identifying discrepancies.

- **Interviews and Interrogations**: Conduct structured interviews with the involved or suspected
employees, maintaining confidentiality and adherence to legal standards to protect employee rights.

- **Technology Aids**: Utilize financial auditing software and other technological tools to analyze large
datasets and uncover patterns indicative of embezzlement or fraud.

**4. Report Findings**

- **Documentation**: Prepare a detailed report documenting the investigative process, findings,

implicated individuals, and the extent of financial loss.

- **Management Review**: Present the findings to senior management and key stakeholders for
review.
 - **Regulatory Reporting**: Depending on the jurisdiction and the scale of fraud, report the findings to
relevant regulatory bodies as required by law.

**5. Legal and Disciplinary Actions**

- **Legal Proceedings**: Based on the advice of legal counsel, initiate legal actions against those found
culpable to recover embezzled funds and press criminal charges as applicable.

- **Internal Disciplinary Actions**: Implement disciplinary measures according to company policy,

which may include termination of employment, demotion, or other penalties.

**6. Mitigate Damage and Manage Public Relations**

- **Stakeholder Communication**: Communicate with shareholders, clients, and other relevant

stakeholders to explain what happened and what is being done to address the issue.

- **Public Relations Strategy**: Manage media and public queries with a carefully crafted message that
demonstrates transparency and the firm's commitment to ethical business practices.

**7. Implement Reforms**

- **Review Policies and Procedures**: Post-investigation, review and strengthen internal controls,
auditing procedures, and employee screening processes to prevent future frauds.

- **Training Programs**: Develop training programs to educate employees about ethical practices,
how to report suspected frauds, and the consequences of unethical behavior.

- **Regular Audits**: Schedule regular and surprise audits to maintain financial discipline and integrity
within the organization.

**8. Follow-up and Review**

- **Monitoring**: Set up a regular monitoring schedule to ensure the effectiveness of implemented

changes.

- **Feedback System**: Establish an anonymous reporting system or whistleblower policy to

encourage employees to report unethical practices without fear of retaliation.

### Conclusion

By following this comprehensive plan, Mizo Technologies can effectively address the current financial
fraud issues and take proactive steps to prevent future incidents, thus safeguarding its financial interests
and reputation in the industry.
5. Stating the material facts of Avnish Bajaj v. State,** 150(2008) DLT 769 explain the principles of law
laid down in it. Also discuss the concept of due diligence enshrined under the Information Technology
Act, 2000. How relevant should the concept be in determining liability of an intermediary?
Substantiate your answer in the light of relevant legal provisions.

ANSWER -

### Avnish Bajaj v. State – Case Summary

**Material Facts**:

Avnish Bajaj is the CEO of Baazee.com, an online marketplace. A CD containing an obscene video was
listed and sold on the platform. The seller was a user who had registered with Baazee.com and listed the
item, which was described in a manner that didn’t directly indicate its obscene nature. The video
involved two students from a reputed school in Delhi, and its listing led to widespread controversy and
legal action. Bajaj was charged under various sections of the Indian Penal Code (IPC) and the Information
Technology Act, 2000 (IT Act) for selling obscene material online.

### Principles of Law Laid Down

1. **Intermediary Liability**: The court deliberated on the liability of intermediaries (like Baazee.com) in
the context of user-generated content. It recognized the challenges that intermediaries face in policing
all content on their platforms.

2. **Due Diligence Requirement**: The court noted that as long as the intermediary exercises due
diligence and was not aware of the nature of the content, it should not be held liable. This stems from
Section 79 of the IT Act, which provides conditions under which an intermediary can be granted
immunity from liabilities

3. **Actual Knowledge and Notice**: The court highlighted the need for the intermediary to have actual
knowledge of unlawful acts or to be notified about such content to attract liability. This actual knowledge
must be through a court order or a notification by the appropriate government or its agency as per the
guidelines described in the Information Technology (Intermediaries Guidelines) Rules, 2011.

### Concept of Due Diligence Under the IT Act, 2000

**Due Diligence** is a concept encapsulated under Section 79 of the IT Act. This section and its
corresponding rules outline the framework that intermediaries must follow to claim immunity from
liabilities:

- **Publishing Rules and Regulations**: Intermediaries must publish rules and regulations, privacy
policy, and user agreement for access or usage of the intermediary's computer resource by any person.

- **Notification of Unlawful Acts**: They must inform users of computer resources not to engage in
activities that are unlawful or involve information that is misleading, harmful, or offensive.

- **Prompt Redressal**: On obtaining knowledge by itself or been brought to actual knowledge by an

affected person about any such information as mentioned above, the intermediary must act within 36
hours to remove or disable access to that material.
### Relevance of Due Diligence in Determining Liability of an Intermediary

The concept of due diligence is crucial for determining the liability of an intermediary because:

1. **Protection from Liability**: It allows intermediaries to function without the fear of being held liable
for every piece of content on their platform, provided they fulfill the criteria of due diligence.

2. **Encourages Proactive Management**: Due diligence criteria push intermediaries to be vigilant and
proactive in managing content, thus balancing freedom of expression with responsibilities toward
societal norms.

3. **Legal Compliance**: It ensures that intermediaries adhere to legal standards and maintain a safe
environment for users to interact and transact.

4. **Standard of Care**: Due diligence sets a standard of care expected from intermediaries, beyond
which they may face legal consequences

5. **Judicial Interpretation**: As seen in Avnish Bajaj's case, courts evaluate the efforts made by the
intermediary to prevent the misuse of their platform. This influences judicial decisions regarding the
liability or innocence of the intermediary.

### Conclusion

The concept of due diligence is foundational in determining the extent of liability that can be attributed
to an intermediary in cases of unlawful content dissemination. The Avnish Bajaj case is a seminal
judgment that clarifies the extent of responsibility and operational conduct expected from
intermediaries in the digital and internet-driven age. This case and the IT Act’s provisions collectively
ensure that while innovation and freedom of commerce on the internet are upheld, they do not come at
the cost of legal and ethical compromise.

6. Critically analyse the existing legal framework** in relation to offences committed by Artificial
Intelligence System in India. How far do you think that Information Technology Act, 2000 is sufficient
to take care of offences which have bearing upon modern technologies? Suggest few amendments
keeping in mind the purpose of the Act to make it a complete code in relation to cyber offences.

ANSWER -

### Critical Analysis of the Existing Legal Framework Related to AI Offenses in India

The Information Technology Act, 2000 (IT Act) forms the cornerstone of cyber law in India, regulating
cyber activities and addressing cybercrimes, but its provisions are predominantly oriented towards
human actions rather than autonomous operations of Artificial Intelligence (AI) systems. Here's an
analysis of how the IT Act and related laws fare in relation to offenses committed by AI:

#### Limitations of the IT Act, 2000:

1. **Human-centric Provisions**: The IT Act primarily addresses offenses committed directly by humans,
not AI. For instance, sections dealing with data theft, privacy breaches, or cyber fraud require an
element of human intent which cannot be directly translated to AI behavior.
2. **Accountability for AI Actions**: The current legal framework lacks clear provisions on who should
be held responsible when an AI system commits an offense – whether it's the developer, the user, the
owner, or the AI entity itself.

3. **Technological Neutrality**: Although the IT Act is technology-neutral, which is a strength, this

approach can overlook specific challenges posed by AI, such as autonomous decision-making, learning
algorithms, and the potential for self-modification beyond initial programming intentions

4. **Ambiguity in Liability**: There is ambiguity in existing laws about the liability for actions taken by AI
systems, especially when these actions were not explicitly programmed or anticipated by human
operators.

### Sufficiency of the IT Act for Modern Technologies:

The rapid advancement of technologies like AI, machine learning, and autonomous systems poses new
challenges that the IT Act, conceived in 2000, may not fully address:

1. **Absence of Specific AI Regulations**: The Act does not specifically address the nuanced
implications of AI technology, particularly in areas like autonomous harm, decision-making impacts, and
ethical considerations.

2. **Updating Required to Match Technological Advances**: The pace of technological development

means that continuous updates and revisions to the legal framework are necessary to keep up with new
challenges and scenarios presented by modern technologies

### Suggested Amendments to the IT Act:

1. **Explicit AI Governance Framework**: Introduce specific sections that deal with AI and its
implications, including standards and guidelines for development, deployment, and management of AI
systems.

2. **Liability Provisions for AI**: Establish clear liability provisions that define who is responsible for the
actions of AI systems under different circumstances, such as the developers, deployers, or operators
based on the control and foreseeability of actions.

3. **AI Ethical Standards**: Include provisions for ethical standards in AI programming and operations,
especially concerning privacy, data protection, and decision-making processes to prevent bias and
discrimination.

4. **AI Safety and Certification**: Mandate safety certifications and regular audits for AI systems,
particularly those involved in critical areas like healthcare, transportation, and public safety to ensure
they adhere to safety and security standards.

5. **Digital Personhood**: Explore the concept of digital personhood for advanced AI to handle issues of
AI rights, responsibilities, and legal standing in a controlled manner.

6. **Integration with Global Regulations**: Harmonize new AI regulations with international standards
and frameworks to ensure global interoperability and adherence to best practices.
### Conclusion:

While the IT Act has provided a foundational framework for handling cybercrimes in India, the advent of
AI and related technologies necessitates significant updates to address these new challenges effectively.
Amendments focusing on AI-specific issues will not only strengthen legal responses to technology-
induced offenses but also foster a safer and more responsible development and deployment of AI
technologies. These changes should be crafted to anticipate future technological advancements,
ensuring the Act remains relevant and robust in the face of rapid technological change.

7. Write short note on any two of the following-**

A. Standard Operating Procedure (SOPs) and Best Practices for Investigation of Cybercrime

B. Role of CERT-In

C. Cyber Warfare

D. Identity Theft and Financial Frauds

ANSWER -

### A. Standard Operating Procedures (SOPs) and Best Practices for Investigation of Cybercrime

Standard Operating Procedures (SOPs) and best practices for investigating cybercrimes are crucial for law
enforcement agencies to effectively handle cases involving illegal activities over the internet and other
computer networks. These SOPs are designed to ensure that evidence is collected, preserved, and
analyzed in a manner that maintains its integrity and admissibility in court.

**Key Components of SOPs for Cybercrime Investigation:**

1. **Initial Response**: Quick and secure isolation of the affected systems to prevent further damage or
data loss. It’s crucial to document everything accurately from the very beginning.

2. **Evidence Collection**: Detailed guidelines on how to lawfully seize, copy, and secure electronic
evidence from different devices and storage media while maintaining a documented chain of custody.

3. **Forensic Analysis**: Procedures for the forensic examination of digital evidence using authorized
and validated tools. This includes recovering deleted files, decrypting encrypted files, and tracing hacks
back to their sources.

4. **Maintaining Integrity**: Ensuring the digital evidence is not altered, either intentionally or
accidentally. Use of write-blockers and maintaining hash values for digital copies are standard practices.

5. **Documentation**: Keeping detailed logs of all investigative actions taken, observations, and
handling of evidence. This documentation must be thorough enough to be presented in legal
proceedings.

6. **Collaboration**: Guidelines for cooperating with ISPs, other law enforcement agencies, and
international bodies, as cybercrimes often span multiple jurisdictions.
**Best Practices:**

- Training law enforcement personnel regularly on the latest cybercrime trends and digital forensic
techniques.

- Utilizing legal tools such as search warrants and subpoenas effectively and ethically.

- Engaging in public-private partnerships to enhance technical expertise and resources.

### B. Role of CERT-In — Process of

The Indian Computer Emergency Response Team (CERT-In) is the national agency for responding to
computer security incidents as they occur. It is a key component of the Ministry of Electronics and
Information Technology, Government of India, with the primary role of ensuring security, enhancing
cyber resilience, and handling severe cybersecurity incidents in India.

**Functions of CERT-In:**

1. **Incident Response**: CERT-In provides a 24x7 service for responding to cybersecurity incidents. It
coordinates with various government and non-government entities for quick resolution.

2. **Vulnerability Management**: It scans public and private networks for vulnerabilities and
disseminates information about security flaws and threats.

3. **Security Guidelines**: CERT-In issues guidelines, advisories, and best practices for the improvement
of cybersecurity in the nation.

4. **Capacity Building**: It conducts training programs and workshops for system administrators and
cybersecurity professionals across various sectors.

**Process:**

- **Reporting**: Organizations or individuals report cybersecurity incidents to CERT-In via email, phone,
or a dedicated online platform.

- **Assessment**: CERT-In assesses the severity and potential impact of the incident.

- **Coordination**: It coordinates with relevant stakeholders, including ISPs, other CERTs, and law
enforcement agencies, to mitigate the impact.

- **Resolution**: Offers technical advice to the affected entity on containing and recovering from the
incident.

- **Feedback and Improvement**: Post-incident analysis is conducted, and feedback is provided to

improve future cybersecurity measures.

CERT-In plays a pivotal role in enhancing the cybersecurity posture of the nation by proactive measures
and reacting promptly to cyber incidents, making it an essential pillar in India’s cybersecurity
infrastructure.
### C. Cyber Warfare

**Cyber Warfare** refers to the use of digital attacks by one nation to disrupt the computer systems of
another, with the aim of creating significant damage and disruption. Such activities are often considered
an extension of the state's power to influence, degrade, or incapacitate the digital infrastructure,
including critical national information systems of other nations or significant enemies.

**Key Aspects of Cyber Warfare:**

- **Targets**: Common targets include military networks, infrastructure systems (like power grids, water
supply, and transportation), financial systems, and communication networks.

- **Methods**: Cyber warfare tactics can involve hacking, the use of viruses and malware, denial-of-
service attacks, espionage to steal sensitive data, and even the dissemination of propaganda across
social media platforms.

- **Objectives**: The primary objectives range from espionage and data theft to creating disruptions
that weaken a nation's security or economic standing or to spread misinformation.

**Implications**:

- Cyber warfare can lead to severe consequences without physical violence. For example, disabling a
national power grid can cause widespread panic, affect economies, and disrupt daily life, all without a
single physical attack.

- The ambiguous nature of cyber warfare often makes it difficult to attribute attacks to specific actors or
states, complicating the international response and policy-making.

**Regulations and Defense**:

- Many countries have developed dedicated cyber military units to protect national interests in
cyberspace.

- International cooperation, such as agreements on cyber operations norms and collaborative defense, is
also growing, although the field lacks comprehensive global regulations akin to traditional warfare laws.

### D. Identity Theft and Financial Frauds

**Identity Theft** is the deliberate use of someone else's identity, typically as a method to gain a
financial advantage or obtain credit and other benefits in the other person's name, and perhaps to the
other person's disadvantage or loss. **Financial Frauds** involve using deceitful tactics to unlawfully
make financial gains from a person or institution.

**Key Forms of Identity Theft and Financial Frauds:**

- **Credit Card Fraud**: Using someone else’s credit card information to make unauthorized purchases
or withdraw cash.

- **Bank Fraud**: Involves stealing money directly from accounts or taking out loans in another person’s
name without their consent.
- **Online Impersonation**: Creating fake accounts on social media or dating websites to extract
personal or financial information from unsuspecting users.

- **Phishing**: Sending emails pretending to be from reputable companies to induce individuals to

reveal personal information, such as passwords and credit card numbers

**Prevention and Response:**

- **Security Measures**: Use of strong, unique passwords, two-factor authentication, and regular
monitoring of financial statements can help prevent theft.

- **Legal Action**: Victims of identity theft and financial fraud can often take legal action to recover lost
funds and hold the perpetrators accountable.

- **Reporting**: It is crucial to report such activities to relevant financial institutions and law
enforcement agencies immediately to prevent further damage.

**Technological Aids**: Advances in technology, such as encryption, secure payment gateways, and
fraud detection algorithms, play a crucial role in combating these crimes. Moreover, public awareness
campaigns are essential to educate people about safe practices online.

Both cyber warfare and identity theft highlight the darker side of our digital world, where security and
privacy are continuously at risk. Addressing these challenges requires a combination of robust legal
frameworks, international cooperation, advanced technological defenses, and widespread public
awareness.
 REPEAT EXAMINATION, JULY 2023

**Q.1 X Technologies Pvt. Ltd (XTL),** an Indian Software Company, is developing innovative software
for Bhopal Municipal Corporation. The product is under development and has been tentatively named
as BMC Office Suite (BMCO). On 1 January 2012, XTL terminated the services of Y, one of its software
developers, on grounds of negligence and indiscipline. On 10 January 2012, Y secured employment
with Pioneer Technologies Pvt. Ltd. (PTL), a business rival of XTL. On 15 February 2012, PTL launched
PTL Office Suite (PTLO), a suite of office management software tools. PTL Office Suite is very similar to
BMCO in function and design. XTL officials suspect that Y has stolen the source code of BMCO and sold
it to Pioneer Technologies Pvt. Ltd. (PTL).

Advise XTL of the legal action that they can take against Y. Can any action be taken against Pioneer
Technologies Pvt. Ltd? Support your answers with reasons.

ANSWER -

### Legal Action Against Y

**1. Breach of Confidentiality and Misuse of Trade Secrets:**

- **Legal Basis**: If Y signed a non-disclosure agreement (NDA) or if there were confidentiality clauses
in his employment contract with XTL, he could be held liable for breach of confidentiality. Furthermore,
under the common law duty of confidentiality that persists even after termination of employment, Y is
prohibited from disclosing any trade secrets or proprietary information obtained during his employment.

- **Actionable Claim**: XTL can file a lawsuit against Y for breach of contract if it can be proven that he
disclosed confidential information (source code of BMCO) to PTL.

**2. Intellectual Property Infringement:**

- **Legal Basis**: Under the Copyright Act, if the source code is copyrighted by XTL, Y’s actions could
constitute copyright infringement. This includes any unauthorized use, reproduction, or distribution of
the copyrighted material.

- **Actionable Claim**: XTL can pursue a claim for infringement, seeking damages and an injunction to
prevent further misuse of their intellectual property.

**3. Criminal Charges:**

- **Legal Basis**: Under the Information Technology Act, 2000, particularly Section 43 (damage to
computer, computer system, etc.) and Section 66 (computer-related offences), Y could potentially face
criminal charges for stealing digital information from XTL.

- **Actionable Claim**: Filing a criminal complaint against Y for theft of digital assets might be an
option if there is sufficient evidence to show that he acted unlawfully to extract and utilize the source
code.
### Legal Action Against Pioneer Technologies Pvt. Ltd. (PTL)

**1. Vicarious Liability and Receiving Stolen Property:**

- **Legal Basis**: If it can be established that PTL was aware or should have been aware that the
information was stolen, they could potentially be liable for receiving stolen property (the source code).
Additionally, if they directed or encouraged Y to commit the theft, they could be directly liable.

- **Actionable Claim**: XTL could pursue legal action against PTL for knowingly using stolen
intellectual property to create PTLO.

**2. Unfair Competition:**

- **Legal Basis**: This arises if PTL engaged in deceptive practices that might confuse the market or
give PTL an unfair advantage by using XTL’s proprietary technology.

- **Actionable Claim**: XTL can file a civil lawsuit for unfair competition, seeking damages and
injunctive relief to stop PTL from selling PTLO.

**3. Contributory and Induced Infringement:**

- **Legal Basis**: If PTL induced Y to breach his contract or infringe upon XTL’s copyrights, they could
be liable for contributory or induced infringement.

- **Actionable Claim**: XTL can argue that PTL’s actions facilitated the infringement of their
intellectual property rights.

### Steps for XTL

1. **Investigation**: Conduct a thorough forensic investigation to ascertain the similarity between

BMCO and PTLO and to uncover any evidence of Y’s misconduct and PTL’s involvement.

2. **Cease and Desist Letter**: Before initiating formal legal proceedings, XTL might consider sending a
cease and desist letter to PTL, demanding that they stop using the stolen source code.

3. **Legal Proceedings**: Based on the evidence collected, XTL should file a lawsuit against Y and
possibly against PTL, claiming the relevant breaches and seeking appropriate remedies such as damages,
injunctions, and potentially, criminal sanctions against Y.

4. **Protect Intellectual Property**: Moving forward, XTL should reinforce their intellectual property
rights and confidentiality agreements with employees, to deter such incidents in the future.

In conclusion, XTL has several legal avenues to explore against both Y and PTL, provided they can
substantiate their claims with solid evidence. Engaging competent legal counsel to navigate these
complex issues will be crucial in effectively addressing the alleged misconduct and protecting XTL’s
business interests.
**Q.2 Stating the material facts of Avnish Bajaj v. State, ** 150 (2008) DLT 769, explain the principles
of law laid down in it. Also discuss the concept of due diligence enshrined under the Information
Technology Act, 2000. How relevant should the concept be in determining the liability of an
intermediary? Substantiate your answer in light of relevant legal provisions.

ANSWER -

### Material Facts of Avnish Bajaj v. State, 150 (2008) DLT 769

**Avnish Bajaj v. State** is a landmark case involving Avnish Bajaj, the CEO of Baazee.com, an online
marketplace that later became part of eBay India. The case arose when a video depicting two minors in
an obscene act was listed for sale on Baazee.com. The seller was a user who listed the video as an MMS
clip, which caught public attention and led to a criminal complaint. Avnish Bajaj was charged under
Section 67 of the Information Technology Act, 2000 (IT Act) for publishing obscene content online.

### Principles of Law Laid Down in the Case

1. **Liability of Intermediaries**: The key legal question was whether Avnish Bajaj, as the CEO of an
intermediary (Baazee.com), could be held liable for the actions of its users. The court focused on the
nature of the intermediary’s role and responsibilities under the IT Act.

2. **Due Diligence and Actual Knowledge**: The court emphasized the need for intermediaries to
practice due diligence and the importance of actual knowledge of unlawful acts to establish liability. It
was highlighted that an intermediary must have had actual knowledge of the unlawful act or must have
been notified about it to attract liability.

3. **Safe Harbor Provisions**: The judgment clarified the application of the safe harbor provisions under
the IT Act, which protect intermediaries from liability for user-generated content, provided they fulfill
certain conditions.

### Concept of Due Diligence Under the Information Technology Act, 2000

The concept of due diligence under the IT Act is encapsulated in Section 79, which provides immunity to
intermediaries (like online platforms) from liabilities arising from user-generated content, provided they
meet certain conditions:

- They must not initiate the transmission, select the receiver of the transmission, or select or modify the
information contained in the transmission.

- They must observe due diligence while discharging their duties under the Act and also observe such
other guidelines as prescribed by the Central Government.

### Relevance of Due Diligence in Determining Liability of an Intermediary

Due diligence is critically relevant in determining the liability of an intermediary for several reasons:

- **Determines Scope of Liability**: Due diligence helps define the boundary between passive and
active participation in the content handling process. An intermediary that actively participates or
contributes to the content can no longer avail itself of the safe harbor protections.
- **Mandates Proactive Measures**: The IT Act implicitly requires intermediaries to take proactive steps
to prevent misuse of their platforms, which includes implementing effective user agreements, privacy
policies, and take-down procedures.

- **Legal Compliance**: Adhering to the standards of due diligence ensures that intermediaries remain
compliant with legal requirements, thus avoiding potential legal liabilities.

- **Role of Actual Knowledge**: Due diligence also involves mechanisms to gain actual knowledge of any
unlawful activity, which must trigger take-down actions. This aspect was highlighted in the case of Shreya
Singhal v. Union of India (2015), where the Supreme Court stipulated that intermediaries are required to
take down content only upon receiving actual knowledge through a court order or a government
notification.

### Conclusion

In light of the Avnish Bajaj case and subsequent legal developments, due diligence remains a
cornerstone of legal strategy for intermediaries. It not only protects them from potential liabilities but
also ensures that they maintain the integrity of their platforms and comply with regulatory
requirements. Effective implementation of due diligence protocols is essential for intermediaries to
balance user freedoms with legal obligations.

**Q.3 Explain the meaning of cyber pornography. ** Discuss the law relating to cyber pornography in
India.

ANSWER -

### Meaning of Cyber Pornography

**Cyber pornography** refers to the use of the internet to create, display, distribute, import, or access
sexually explicit content through electronic means. This content can range from images, videos, and
writings to live streams and virtual reality experiences that are intended for adult audiences. The
proliferation of the internet has made pornography more accessible than ever, leading to various legal
and social concerns, especially regarding non-consensual content and access by minors.

### Law Relating to Cyber Pornography in India

The legal framework in India addressing cyber pornography is primarily embedded in the **Information
Technology Act, 2000 (IT Act)** along with relevant sections of the **Indian Penal Code, 1860 (IPC)**.
Here’s how these laws regulate cyber pornography:

1. **Information Technology Act, 2000**:

- **Section 67**: This section penalizes the publication or transmission of obscene content in
electronic form. The act defines obscene content as any material which is lascivious or appeals to the
prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having
regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it. For the
first conviction, the punishment can be imprisonment up to three years and a fine up to five lakh rupees.
Subsequent convictions can attract imprisonment up to five years and a fine up to ten lakh rupees.
 - **Section 67A**: This section deals specifically with the publication or transmission of material
containing sexually explicit act or conduct in electronic form. The penalties are more severe compared to
Section 67, with imprisonment up to five years and fine up to ten lakh rupees on first conviction and up
to seven years and fine up to ten lakh rupees on subsequent conviction.

- **Section 67B**: It addresses the publication or transmission of material depicting children in

sexually explicit acts, in electronic form. It includes browsing, downloading, creation, or publication of
such materials. The punishment is imprisonment up to five years and a fine up to ten lakh rupees on first
conviction, and up to seven years and a fine up to ten lakh rupees on subsequent conviction.

2. **Indian Penal Code, 1860**:

- **Sections 292 to 294**: These IPC sections deal with the sale, distribution, public exhibition, and
circulation of obscene materials. Although not specific to the cyber context, these provisions are often
invoked alongside IT Act provisions to address the physical mediums involved in the dissemination of
cyber pornography.

### Enforcement and Challenges

While these laws provide a framework to combat cyber pornography, enforcement faces several
challenges:

- **Jurisdiction Issues**: Many servers hosting pornographic content are located outside India,
complicating the legal process of content regulation or removal.

- **Anonymity of Users**: The anonymous nature of the internet makes it difficult to trace individuals
who upload or share pornographic content illegally.

- **Technological Evasion**: Advanced technologies enable the circumvention of bans and filters,
making it challenging for authorities to effectively monitor and control the dissemination of illegal
content.

### Conclusion

The laws in India are structured to address the challenges posed by cyber pornography, emphasizing the
protection of minors and the prohibition of obscene content. However, the effectiveness of these laws is
contingent on robust enforcement mechanisms, international cooperation, and ongoing updates to legal
provisions to keep pace with technological advancements. Awareness and education also play crucial
roles in preventing the spread and consumption of illegal cyber pornography.

**Q.4** What do you understand by the cyber defamation? Discuss the regulatory framework for
cyber defamation in India.

ANSWER -

### Understanding Cyber Defamation

**Cyber defamation** refers to the act of defaming, slandering, or libeling an individual or entity
through digital mediums, particularly over the internet. This includes publishing false, harmful, or
malicious statements or representations about someone on websites, social media platforms, blogs,
online forums, or via emails that are intended to damage the reputation of the subject of such
statements. Unlike traditional defamation, cyber defamation can spread much more rapidly and widely
due to the inherent connectivity and reach of the internet.

### Regulatory Framework for Cyber Defamation in India

Cyber defamation in India is addressed under both the **Information Technology Act, 2000 (IT Act)**
and the **Indian Penal Code, 1860 (IPC)**. Each provides mechanisms to deal with defamatory content
circulated online.

#### 1. Information Technology Act, 2000

- **Section 66A**: Although originally this section dealt with sending offensive messages through
communication service, etc., it was struck down by the Supreme Court in 2015 in the landmark
judgment of *Shreya Singhal v. Union of India* for being vague and unconstitutional under Article
19(1)(a) of the Indian Constitution which guarantees the freedom of speech and expression.

- **Section 67**: It provides for the punishment for publishing or transmitting obscene material in
electronic form. Although not directly addressing defamation, it can intersect with cyber defamation
when the content is both defamatory and obscene.

#### 2. Indian Penal Code, 1860

- **Section 499 and Section 500**: These sections are the primary laws used to combat cyber
defamation in India. Section 499 defines defamation and provides exceptions under which the act of
defamation is not punishable. Section 500 provides for the punishment for defamation, which can be
simple imprisonment for up to two years, or a fine, or both. Although these sections were formulated
long before the advent of the internet, Indian courts have applied them to cases of cyber defamation as
well.

- **Section 469**: This section pertains to forgery for purpose of harming reputation. It includes
electronic records and punishes the act of creating false electronic records or false digital signatures with
the intent to harm someone's reputation. The punishment is imprisonment which may extend to three
years and also a fine.

#### Application of Laws and Jurisdiction

One of the major challenges with cyber defamation is the jurisdictional issues, given that the internet
does not adhere to geographical boundaries. The Indian courts have generally maintained that if the
content is accessible in India and affects a person or business within India, Indian courts can claim
jurisdiction.

Moreover, the international nature of the internet often requires cooperation with service providers and
legal systems in other countries to address and remedy instances of defamation effectively.

### Challenges and Need for Reforms

The current legal framework for addressing cyber defamation in India faces several challenges:

- **Rapid Technological Changes**: The laws have not kept pace with the rapid advancements in
technology and the new methods of communication.
- **Jurisdictional Issues**: Enforcement of defamation laws across international borders remains
complicated.

- **Free Speech vs. Defamation**: Balancing the right to freedom of speech while protecting individuals
from defamation is a complex legal challenge.

Given these challenges, there's a pressing need for specific laws that directly address cyber defamation,
possibly updating the IT Act to better handle the nuances of digital communication and reputational
harm online.

### Conclusion

While the existing legal provisions under the IPC are used to address cyber defamation, the repeal of
Section 66A of the IT Act has left a gap that needs to be addressed with clearer and more specific
legislation. The legal framework needs continual reassessment to keep it relevant and effective against
the backdrop of evolving digital landscapes.

**Q.5** Explaining the meaning of ‘cyber corporate frauds’ and ‘tempest attack’, differentiate
between ‘identity theft and impersonation’ in the light of statutory provisions and suitable examples.

ANSWER -

### Explaining Cyber Corporate Frauds

**Cyber corporate frauds** refer to illegal activities conducted via the internet that target companies to
defraud them or steal sensitive company information. These activities often involve manipulating or
bypassing digital systems to gain unauthorized access to financial accounts, confidential corporate data,
or to carry out unauthorized transactions. Common examples include phishing attacks aimed at
employees, unauthorized access to financial systems, and manipulation of digital accounting records.

### Explaining Tempest Attack

A **Tempest attack** (also known as Van Eck phreaking) involves eavesdropping on the electromagnetic
emissions from electronic devices that can be used to reconstruct what the device is processing. These
emissions can be from monitors, printers, or even keyboards, and the attack can potentially be used to
spy on data inputs and outputs without needing direct access to the targeted device. This method of
attack highlights the need for shielding and other security measures in environments where sensitive
information is displayed or transmitted.

### Identity Theft vs. Impersonation

**Identity Theft** involves stealing another person's personal or financial information to access
resources, credit, or other benefits in that person's name, typically resulting in financial harm to the
victim. Identity theft can be facilitated by cyber means such as malware, phishing, or through the
unauthorized access of personal data from corporate databases. For instance, stealing someone’s social
security number, credit card information, or login credentials to make purchases or open new accounts
constitutes identity theft.
**Impersonation** in the context of cyber fraud refers to pretending to be another individual by using
stolen identity information to deceive others. This often involves communication under a false identity to
manipulate or deceive the recipient for financial gain or to gain unauthorized access to systems. An
example of impersonation might involve an attacker using a stolen email account to request money
transfers or sensitive information from contacts who believe they are communicating with the email
account's legitimate owner.

### Legal Framework and Examples

**Legal Framework in India**:

1. **Information Technology Act, 2000 (IT Act)**:

- **Section 66C**: Punishes identity theft with imprisonment up to three years and/or a fine up to one
lakh rupees. This section specifically addresses the fraudulent use of another’s electronic signature,
password, or any other unique identification feature.

- **Section 66D**: Punishes cheating by impersonation using a computer resource or a communication

device, with imprisonment of up to three years and/or a fine up to one lakh rupees.

**Examples**:

- **Identity Theft**: An individual’s email account is hacked (without their knowledge), and the hacker
uses stored credit card details to purchase items online.

- **Impersonation**: A fraudster accesses the email account of a company CEO and sends instructions
to the finance department to transfer funds to an external account, pretending to be the CEO.

### Conclusion

While both identity theft and impersonation involve the unauthorized use of someone else's identity, the
primary difference lies in the use case. Identity theft involves stealing personal or financial information to
directly benefit from the victim's resources, whereas impersonation involves actively pretending to be
another individual, often to deceive third parties. Both activities are addressed under the IT Act in India,
reflecting the serious nature of these offenses and the significant impact they can have on victims.
Understanding these distinctions is crucial for legal professionals and corporations to appropriately
address and mitigate such risks within their operational and legal strategies.

**Q.6** What do you understand by the cyber stalking? Discuss the regulatory framework for cyber
stalking in India.

ANSWER -

### Understanding Cyber Stalking

**Cyber stalking** refers to the use of the internet, email, or other electronic communications devices
to stalk, harass, or intimidate someone. This form of stalking includes the repeated use of online media
to follow, harass, or make unwelcome contact with another person. It is often characterized by the
assailant sending threatening emails, posting threatening or personal information about the victim on
public forums, or using technology to track the victim’s location.
Cyber stalking behaviors can include:

- Sending repeated, unwanted messages to the victim.

- Posting derogatory or false information about someone online to harm their reputation.

- Using electronic means to monitor or track someone’s activities and location.

- Manipulating and controlling a victim's online presence or digital devices.

- Impersonating the victim online to damage their relationships or reputation.

### Regulatory Framework for Cyber Stalking in India

India’s approach to combating cyber stalking involves several sections of the Information Technology Act,
2000 (IT Act) and the Indian Penal Code, 1860 (IPC). Here are the primary statutes:

#### 1. Information Technology Act, 2000

- **Section 66A** (struck down by the Supreme Court in 2015 for being vague and unconstitutional
under free speech provisions): Originally covered sending information of annoying, inconvenient, or
offensive nature via electronic communication, which was often applied to cases of cyber stalking.

- **Section 66E**: Pertains to the violation of privacy and deals with capturing, publishing or
transmitting the image of a private area of any person without his/her consent, under circumstances
violating the privacy of that person.

#### 2. Indian Penal Code, 1860

- **Section 354D**: Specifically deals with stalking, including cyber stalking, even after the striking down
of Section 66A of the IT Act. This section makes it clear that a man who follows a woman and contacts,
or attempts to contact such woman to foster personal interaction repeatedly despite a clear indication of
disinterest by such woman, or monitors the use of the internet, email or any other form of electronic
communication commits the offense of stalking. It can apply to cyber stalking if the means of stalking are
electronic.

- **Section 509**: Word, gesture or act intended to insult the modesty of a woman. This can include
actions taken during cyber stalking that are intended to insult or intimidate a woman online.

#### 3. Other Provisions

- **Section 507 of IPC**: Criminal intimidation by an anonymous communication is punishable by two

years of imprisonment. Cyber stalkers often use anonymous identities, and this provision can be invoked
in such cases.

- **Section 503 of IPC**: Criminal intimidation can be charged if the stalker threatens to harm the victim
or her reputation or her property through cyber means.

### Conclusion

The legal framework in India for addressing cyber stalking is primarily based on provisions of the IPC,
with support from specific sections of the IT Act related to privacy violations. While these laws
collectively address the broader spectrum of harassment and intimidation online, the dynamics of cyber
stalking require constant updates and refinements to the law to address new technologies and methods
employed by stalkers. Continuous efforts are needed from all stakeholders, including law enforcement
agencies, legal bodies, and policymakers, to ensure a robust defense against this invasive and often
dangerous behavior.

**Q.7** Write a short note on the following:

A. Denial of Service and Distributed Denial of Service Attack (DoS/DDoS).

B. Packet Sniffing

C. Trapdoors, Backdoors and Trojan Horse

D. Virtual Money Laundering

ANSWER -

### A. Denial of Service and Distributed Denial of Service Attack (DoS/DDoS)

**Denial of Service (DoS)** and **Distributed Denial of Service (DDoS)** attacks are types of cyber
threats where the perpetrator seeks to make a machine or network resource unavailable to its intended
users by temporarily or indefinitely disrupting services of a host connected to the Internet. DoS is
typically carried out by one machine and its internet connection to flood a target with fake requests,
often using malformed or oversized packets to crash the targeted server.

**Distributed Denial of Service (DDoS)** involves multiple compromised systems, often infected with a
Trojan, being used to target a single system. The influx of incoming messages to the target system
essentially forces it to shut down, thereby denying the service of the system to legitimate users. Since
the incoming traffic flooding the victim originates from many different sources, it is impossible to stop
the attack simply by blocking a single source.

### B. Packet Sniffing

**Packet sniffing** is the process used by network professionals to diagnose network issues, and by
cybercriminals to capture data as it travels over a network. The process involves using software tools to
capture data packets as they travel across the network. Packet sniffers can be legitimate tools used by
administrators to monitor network traffic or detect issues; however, in the hands of unauthorized users,
they can be used to steal data, such as passwords and confidential information. The effectiveness of
packet sniffing can be mitigated by the use of encryption which renders the payload data unreadable.

### C. Trapdoors, Backdoors, and Trojan Horse

- **Trapdoors** are secret entry points into a program that allow someone that is aware of the trapdoor
to gain access without going through the usual security access procedures. They are often left by the
original programmers and can pose significant security risks if discovered by malicious entities.
- **Backdoors** are similar to trapdoors but are typically installed after the original programming. They
allow for remote access to a computer system or network and, like trapdoors, can be exploited by
attackers to gain unauthorized access to resources, deploy malware, or steal data.

- **Trojan Horse** is a type of malicious software that misleads users of its true intent. The term is
derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy.
Trojans appear to be legitimate software but will secretly perform unauthorized actions such as
damaging the system, creating backdoors, or spying on the user.

### D. Virtual Money Laundering

**Virtual Money Laundering** refers to the use of digital currencies to conduct transactions that involve
the proceeds of criminal activities. The aim is to mask the origins of illegally obtained money.
Cryptocurrencies, such as Bitcoin, offer a high degree of anonymity and can be used across international
borders, making them attractive for laundering activities. Money launderers might use online gaming,
digital wallets, and other virtual platforms to move and withdraw money in ways that are hard to trace
by authorities. This form of money laundering poses significant challenges for regulatory bodies due to
the decentralized nature of cryptocurrencies and the lack of uniform international regulations
concerning their use.
 REPEAT EXAMINATION, NOVEMBER 2022

Q.1 X (P) an Internet Service Provider (XISP) provides services to its customers, including the
transmission of e-mail to and from other members and across the Internet. To become a member, a
person must agree not to use XISP’s communication services to send unsolicited commercial e-mails.
XISP uses filtering software to block unsolicited commercial e-mails but commercial e-mailers
sometimes use other software to thwart the filters. Y (P) Ltd. (YPL) sells computer chips and application
services (App Services). To generate leads for YPL’s products, sales representative, who included XISP
members sent more than 500 million pieces of unsolicited commercial e-mails through XISP’s
communication services each item cost XISP an estimated Rs.1.00 in equipment expenses. Some of the
e-mail messages used the false headers and other methods to hide the source. After receiving more
than 50,000 complaints, XISP asked YPL to stop this practice. When the unsolicited commercial e-mail
continued, XISP initiated legal action against YPL, alleging in part trespass to chattels-an unlawful
interference with another’s rights to possess personal property.

Did the spamming constitute trespass to chattels? Explain in the light of relevant legal provisions and
judicial pronouncements.

ANSWER –

### Understanding Trespass to Chattels in the Context of Cyber Law

**Trespass to chattels** is a tort wherein the right of an individual to possess their personal property is
unlawfully interfered with. Historically, this tort related to physical interference with physical objects.
However, in the realm of cyber law, courts have extended the concept to include electronic or digital
interference with computer systems. This form of trespass occurs when someone intentionally and
without authorization interferes with the rightful owner's use of their personal property (in this case,
computer systems, network resources, or digital chattels).

### Application to the Case of XISP and YPL

In the scenario with XISP and YPL, XISP has accused YPL of using its internet services to send over 500
million unsolicited commercial emails (spam), which not only violated the terms of service agreed upon
by users but also resulted in additional costs and operational burdens to XISP due to the volume of traffic
generated by these emails. The key points to consider include:

1. **Unauthorized Use of Resources**: The spamming activity by YPL utilized XISP's network resources
without proper authorization, especially when considering that these actions were explicitly prohibited
as per the user agreement.

2. **Interference and Damage**: The massive volume of spam emails interfered with XISP's ability to
serve other legitimate users and increased its operational costs, potentially degrading the quality of
service for others. Trespass to chattels in cyberspace has been recognized in cases where the defendant's
actions have resulted in measurable harm to the plaintiff's computer systems or network.

### Relevant Legal Provisions and Judicial Pronouncements

- **United States Case Law**: In cases like *CompuServe Inc. v. Cyber Promotions, Inc.* (1997), the
court held that sending massive amounts of unsolicited email constituted a trespass to chattels. The
court noted that the defendant’s actions impaired the condition, quality, or value of the plaintiff’s
computer systems.

- **Indian Context**: While India does not have a direct precedent or specific legislation that parallels
the concept of trespass to chattels in the context of spam emails, provisions under the **Information
Technology Act, 2000** could be applicable. For instance, Section 43(a) penalizes anyone who causes or
is likely to cause unauthorized damage to a computer resource or diminishes its value or utility through
any means. Additionally, Section 66C provides for punishment for identity theft (which can include using
false headers in emails), and Section 66A (though struck down) highlighted the issues related to
annoying, inconvenient, or misleading electronic communications.

### Conclusion

In the scenario with XISP and YPL, the actions of YPL can be seen as constituting trespass to chattels,
given that they unlawfully utilized XISP’s digital property (email servers and network infrastructure)
against the agreed terms of use, leading to measurable harm. XISP’s legal action against YPL is grounded
in recognizable claims under both traditional tort theories (extended into digital contexts in various
jurisdictions) and under statutes aimed at regulating cyber activities.

XISP could potentially argue its case under the broad principles of unauthorized use of digital assets and
interference with its services, leading to additional operational costs and degradation of service quality,
which are central tenets of trespass to chattels. Moreover, YPL’s continued actions despite complaints
and requests to cease further solidify the case for intentional and wrongful interference.

Q.2 ‘ABC’ is a leading Indian banking institute headquartered in Mumbai. ‘ABC? Offers various internet
and mobile banking services to its customers. “Y” resident of Netherlands developed a bot system to
generated thousands of internet service requests. On 11 November 2020, “Y” targeted “ABC” bank to
cause a distributed denial of service attack and as a result “ABC” faced major interruption in the
internet banking services. Advise “ABC” of the legal action that they can take against ‘Y’. Support your
answer with relevant statutory provisions and judicial decisions.

ANSWER –

### Legal Actions Against "Y" for DDoS Attack on ABC Bank

**1. Jurisdictional Challenges:**

The first challenge that ABC Bank faces is the jurisdictional issue, as "Y" is a resident of the Netherlands.
For ABC Bank headquartered in Mumbai, India, initiating legal proceedings against a foreign national
involves considerations of international law and cooperation.

**2. Applicable Indian Laws:**

ABC Bank can consider the following Indian legal provisions to address the cyberattack:

- **Information Technology Act, 2000 (IT Act)**:

- **Section 43**: It penalizes unauthorized access and damage to computer systems. If "Y"’s actions
caused damage or denial of access to ABC’s internet banking services, this section could be invoked.
 - **Section 66**: This section deals with computer-related offenses that involve dishonesty or fraud by
means of a computer resource. Given that a DDoS attack disrupts services, this could potentially be
applied.

- **Section 66F**: It pertains to cyber terrorism and could be relevant if the interruption caused severe
economic damage, which is likely in the case of a bank experiencing a major service outage.

**3. Legal Steps ABC Bank Should Take:**

- **Filing a Complaint in India**: ABC Bank should file a formal complaint with the Indian Cyber Crime
Coordination Centre or the appropriate cyber cell of the police. This is essential for documenting the
crime and initiating any possible legal action under Indian jurisdiction.

- **MLAT (Mutual Legal Assistance Treaty)**: India and the Netherlands are part of mutual legal
assistance treaties that allow for cooperation on legal matters across borders. ABC Bank, through Indian
authorities, can seek help under MLAT to handle investigations and legal proceedings involving "Y".

- **Interpol Coordination**: For cybercrimes involving international actors, coordination through

Interpol can be beneficial. ABC can push for Red Corner Notices and other Interpol mechanisms to
apprehend and extradite "Y" if he is charged and found guilty in absentia.

**4. Civil Lawsuit for Damages:**

ABC Bank can explore filing a civil lawsuit against "Y" for damages incurred due to the DDoS attack. This
would involve quantifying the financial losses resulting from service interruptions and possibly seeking
compensation for reputational damage.

**5. Injunctions and Cease and Desist:**

While these are more challenging to enforce internationally, seeking an injunction against "Y" to prevent
further attacks, or a cease and desist order, could be part of the legal strategy if "Y" has assets or
connections in jurisdictions where these orders are enforceable.

**6. Coordination with Dutch Authorities:**

Engaging directly with law enforcement and legal bodies in the Netherlands through formal channels can
aid in addressing the cyberattack. Collaboration with Dutch ISPs or tech companies to identify and
mitigate the source of the attack can also be sought.

### Conclusion

While the legal actions available to ABC Bank are somewhat complicated by international borders and
jurisdictional issues, the IT Act provides a robust framework for prosecuting cybercrimes in India.
Utilizing international treaties, Interpol mechanisms, and cooperation with Dutch authorities represents
the practical approach to dealing with "Y"’s illegal activities. Meanwhile, safeguarding measures and
enhanced cybersecurity protocols are recommended to mitigate the impact of potential future attacks.
Q.3 Explain the meaning of cyber pornography. Discuss the law relating to cyber pornography in India.

ANSWER –

### Meaning of Cyber Pornography

**Cyber pornography** refers to the use of electronic or digital media to create, distribute, or access
sexually explicit content over the internet. This can include images, videos, websites, or even streaming
platforms that host adult content. The advent of the internet has facilitated widespread access to
pornographic material, raising significant legal and ethical concerns, particularly regarding the consent of
participants and the protection of minors from exposure to such content.

### Law Relating to Cyber Pornography in India

The legal framework in India addressing cyber pornography is primarily contained within the
**Information Technology Act, 2000 (IT Act)**, supplemented by relevant sections of the **Indian Penal
Code, 1860 (IPC)**. Here are the key legal provisions:

#### Information Technology Act, 2000

- **Section 67**: Penalizes the publication or transmission of obscene material in electronic form. The
act defines "obscene material" as any material which is lascivious or appeals to the prurient interest or if
its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant
circumstances, to read, see or hear the matter contained or embodied in it. The punishment can be up
to three years of imprisonment and a fine for the first conviction, and up to five years and a larger fine
for subsequent convictions.

- **Section 67A**: Deals specifically with the publication or transmission of material containing sexually
explicit acts or conduct in electronic form. The penalties are more severe compared to Section 67, with
imprisonment up to five years and fine for the first conviction, and up to seven years and a fine for
subsequent convictions.

- **Section 67B**: Addresses the publication or transmission of material depicting children in sexually
explicit acts, in electronic form. It includes stringent punishments for crimes involving child pornography,
which include imprisonment up to five years and a fine for the first conviction, and up to seven years and
a fine for subsequent convictions.

#### Indian Penal Code, 1860

- **Section 292**: This section deals with the sale and distribution of obscene books, pamphlets,
papers, films, and other materials. While it primarily targets physical media, it has been invoked
alongside IT Act provisions in cases involving digital dissemination of obscene content.

### Enforcement Challenges

Enforcing laws against cyber pornography in India faces several challenges:

- **Jurisdictional Issues**: Much of the internet's pornographic content is hosted outside India,
complicating the enforcement of local laws.
- **Technological Evasion**: The use of VPNs and proxy servers allows users to bypass geographical
restrictions and access banned content.

- **Anonymity**: The internet provides a high degree of anonymity, making it difficult to track down
offenders and apply legal measures effectively.

### Conclusion

The legal provisions under the IT Act and the IPC provide a framework for addressing the distribution and
access of cyber pornography in India. However, the effectiveness of these laws depends significantly on
technological advances in monitoring and enforcement, as well as international cooperation, given the
global nature of the internet. Efforts to address cyber pornography must balance legal enforcement with
respect for privacy and freedom of expression, within the bounds of the law.

Q.4 What do you understand by the cyber defamation? Discuss the regulatory framework for cyber
defamation in India.

ANSWER –

### Understanding Cyber Defamation

**Cyber defamation** refers to the act of harming someone's reputation by publishing defamatory
material on digital platforms, including social media, websites, blogs, and forums. Unlike traditional
defamation, which involves newspapers, television, or other non-digital media, cyber defamation can
spread more rapidly and have a wider reach due to the nature of the internet. The content that could be
considered defamatory includes false statements or accusations that could harm a person’s reputation,
lead to public ridicule, hatred, or diminish the esteem in which the person is held.

### Regulatory Framework for Cyber Defamation in India

The laws governing cyber defamation in India are not contained in a single statute but are spread across
various laws:

#### 1. Information Technology Act, 2000 (IT Act)

- **Section 66A (Struck Down)**: Originally, this section penalized sending offensive messages through
communication service, etc. However, it was struck down by the Supreme Court in 2015 in the case of
*Shreya Singhal vs. Union of India* due to its vague definitions and potential to infringe on freedom of
speech.

- **Section 67**: It penalizes the publication or transmission of obscene content in electronic form, but
doesn't directly address defamation. However, if the defamatory content also overlaps with obscene
content, this section might be invoked.

#### 2. Indian Penal Code, 1860 (IPC)

- **Section 499**: Defines defamation and applies to both spoken and written forms, including
electronic and digital media. It includes making or publishing any imputation concerning any person
intending to harm, or knowing or having reason to believe that such imputation will harm, the
reputation of such person.
- **Section 500**: Provides the punishment for defamation, which is simple imprisonment for up to two
years, a fine, or both.

#### 3. Indian Evidence Act, 1872

- **Section 65B**: Deals with the admissibility of electronic records and is crucial for cases of cyber
defamation, as it outlines the requirements for electronic evidence to be accepted in court.

### Judicial Decisions Impacting Cyber Defamation in India

Several court cases have shaped the understanding and enforcement of cyber defamation laws:

- **Shreya Singhal vs. Union of India (2015)**: The Supreme Court's decision to strike down Section 66A
of the IT Act was pivotal, mainly because the section was being used broadly to curb freedom of speech
under the guise of preventing offensive messages. The court emphasized the need for laws to be specific
and not overly broad.

- **Visaka Industries vs. Venu (2009)**: This case established that Indian companies could use IPC
Section 499 and 500 to address defamation occurring over the internet, thereby applying traditional
defamation laws to the digital realm.

### Conclusion

The regulatory framework for cyber defamation in India currently relies heavily on the provisions of the
IPC, as specific provisions in the IT Act that could have addressed such cases have been struck down or
are not directly applicable. This situation underscores the need for clear and specific legislation that
addresses the nuances of digital communications and protects individuals against defamation while
respecting freedom of expression. The laws must evolve to catch up with the rapid advancement of
digital media to ensure they effectively address the complexities of cyber defamation.

Q.5 Discuss the jurisdiction in cyberspace. Also discuss the principles of jurisdiction in cyberspace.

ANSWER –

### Understanding Jurisdiction in Cyberspace

Jurisdiction in cyberspace refers to the ability and power of legal authorities to apply and enforce legal
norms to activities, individuals, and entities on the Internet. This is a complex area due to the global
nature of the internet, which transcends traditional physical and territorial boundaries. Determining
jurisdiction in cyberspace involves deciding which country's laws apply to a particular internet-related
activity, person, or organization, and whether a court in that country has the authority to adjudicate a
case.

### Principles of Jurisdiction in Cyberspace

Jurisdiction over internet disputes can generally be categorized under several legal principles:

#### 1. **Territorial Principle**

This principle suggests that jurisdiction is based on the geographical location where the internet activity
occurs or where its effects are felt. However, due to the internet’s global reach, this can often be
challenging to determine. In practice, if a server hosting illegal content is located within a country, that
country typically has the jurisdiction to enforce its laws against the parties involved.

#### 2. **Nationality Principle**

Jurisdiction can be claimed based on the nationality of the perpetrator, regardless of where the internet
activity took place. Many countries use this principle to regulate the online behavior of their citizens
even when they are abroad.

#### 3. **Effects Principle**

This principle allows a state to exercise jurisdiction over actions that occur outside their borders but have
substantial harmful effects within their territory. This is particularly relevant in cases of cybercrimes like
hacking or dissemination of malicious software that affect users or systems in a different country from
where the action originated.

#### 4. **Objective Territoriality Principle**

Under this principle, a state may claim jurisdiction over an act committed outside its territory but
intended to produce and producing detrimental effects within its territory. This is often applied in cases
of cross-border cybercrimes and internet fraud.

#### 5. **Universality Principle**

This principle holds that states have a right or obligation to exercise jurisdiction over a particular offense
committed by anyone, anywhere in the world because the crime is so universally condemned (e.g., child
pornography).

### Challenges in Applying Jurisdiction in Cyberspace

- **Multiple Jurisdictions**: A single act on the internet can involve multiple jurisdictions, as the data
might travel through various countries from the source to the destination.

- **Conflict of Laws**: Different countries have varying laws regarding freedom of expression, privacy,
and cybercrime, leading to potential conflicts when trying to enforce laws across borders.

- **Enforcement**: Even if a country establishes jurisdiction over a cybercrime, the practical

enforcement of laws and court decisions across borders can be challenging and relies heavily on
international cooperation and treaties.

### Key Examples and Judicial Approaches

- **Yahoo! Inc. vs. La Ligue Contre Le Racisme Et L'Antisemitisme (2001)**: A French court ordered
Yahoo! to prevent French users from accessing Nazi memorabilia on its site. The case highlighted the
conflict between U.S. principles of free speech and French anti-hate speech laws.

- **Google Spain SL, Google Inc. vs. Agencia Española de Protección de Datos, Mario Costeja González
(2014)**: The European Court of Justice ruled that EU citizens have a "right to be forgotten," meaning
that they could demand search engines to remove information about them. This applied to all EU
members and established a jurisdictional basis for data protection within the EU.
### Conclusion

Jurisdiction in cyberspace remains one of the most challenging aspects of internet law, requiring a
careful balance between respecting national sovereignty and the need for international cooperation. As
digital technologies and global connectivity continue to evolve, so too must the legal frameworks and
international agreements that govern jurisdiction in cyberspace.

Q.6 What do you understand by the cyber corporate frauds? Discuss ‘Cyber Smearing’ and Financial
frauds with relevant examples.

ANSWER –

### Understanding Cyber Corporate Frauds

**Cyber corporate frauds** refer to deceitful and illegal activities conducted using the internet,
targeting companies to gain financial advantages, steal sensitive corporate data, or disrupt business
operations. These activities often exploit digital communication technologies to manipulate, deceive, or
damage corporate entities. The perpetrators might be insiders (such as disgruntled employees) or
external entities (like hackers or competitive businesses).

### Cyber Smearing

**Cyber Smearing** involves using the internet to spread false information, rumors, or exaggerated
claims about a company or individual, often to damage their reputation or for competitive advantage.
This can be done through social media, blogs, emails, forums, or other digital platforms.

**Examples:**

- **Competitor Smear Campaign**: A competitor might post false reviews claiming that a company's
new product causes harm to users, with the intent to deter customers and harm the company's sales.

- **Disgruntled Employee**: An unhappy former employee might use online forums or social media to
make baseless accusations about unethical practices at their former workplace.

### Financial Frauds

**Financial frauds** in the cyber context involve the use of digital tools and online platforms to conduct
fraudulent financial transactions, steal money, or obtain unauthorized access to financial information.

**Examples:**

- **Phishing Attacks**: Cybercriminals send emails posing as a legitimate bank or financial institution,
asking users to provide sensitive account information. Once obtained, these credentials are used to steal
money from the victims’ accounts.

- **CEO Fraud**: In a CEO fraud, attackers pose as the company's CEO or another high-ranking executive
and send emails to employees in finance, requesting urgent wire transfers to fraudulent accounts. This is
often supported by social engineering tactics that make the emails appear convincingly real.
- **Investment Scams**: Fraudsters create fake investment schemes that promise high returns and use
digital platforms to advertise these scams to potential investors. Once the money is transferred, the
scheme collapses, and the perpetrators disappear.

### Regulatory and Legal Framework

The legal framework to combat cyber corporate frauds includes several legislations and regulations, both
on national and international levels:

- **Information Technology Act, 2000 (IT Act)**: Under the IT Act, provisions like Section 66 (Computer
Related Offences) and Section 43 (Penalty and Compensation for Damage to Computer, Computer
System, etc.) are instrumental in addressing cyber frauds.

- **Indian Penal Code, 1860 (IPC)**: Various sections of the IPC, including Section 420 (Cheating and
Dishonestly Inducing Delivery of Property), are used to prosecute financial frauds.

- **Prevention of Money Laundering Act, 2002**: This act includes measures to prevent, control, and
penalize money laundering activities, which can be linked to cyber financial frauds.

### Conclusion

Cyber corporate frauds pose significant threats to the stability and integrity of business operations.
Cyber smearing and financial frauds represent just two methods by which malicious actors can exploit
digital technologies to commit corporate fraud. Continuous advancements in cybersecurity measures,
coupled with strict legal penalties and international cooperation, are essential to combat these cyber
threats effectively. As technology evolves, so too must the strategies to protect against and mitigate the
damages caused by such fraudulent activities.

Q.7 Write a short note on the following:

A. Data Diddling and Salami Attack
B. Malwares (Virus, Worm and Trojan Horse)
C. Cyber Warfare
D. Artificial Intelligence and Cybercrime

ANSWER – ### A. Data Diddling and Salami Attack

**Data Diddling** refers to unauthorized altering of data before or during its entry into a computer
system, and then changing it back after the processing is completed. This type of manipulation is often
hard to detect as the tampering is subtle and designed to go unnoticed. It can affect any information
being entered into a system, from financial data to personal records.

**Example**: A programmer might alter the code of an application to change the numbers being
entered for financial transactions, misdirecting small amounts of money.

**Salami Attack** is similar to data diddling in that it involves small data manipulations, but these are
typically accumulative in nature. The alterations are so minor that they go unnoticed, but over time, they
accumulate into a significant amount.
**Example**: Skimming a few cents from thousands of transactions in a large company’s payroll system,
depositing the skimmed money into a different account.

### B. Malwares (Virus, Worm, and Trojan Horse)

**Malware** is short for malicious software, designed to harm, exploit, or otherwise illegally access a
computer system without the owner’s informed consent.

- **Virus**: A type of malware that attaches itself to clean files and infects other clean files. Viruses can
spread uncontrollably, damaging a system’s core functionality and deleting or corrupting files. They
usually require the execution of a program to cause damage.

- **Worm**: Worms infect entire networks of devices, either local or across the internet, by using
network interfaces. They use each consecutive infected machine to infect more. Unlike viruses, worms
do not need to attach themselves to an existing program.

- **Trojan Horse**: Trojans disguise themselves as legitimate software, or are hidden in legitimate
software that has been tampered with. They tend to act discreetly and create backdoors in your security
to let other malware in.

### C. Cyber Warfare **Cyber Warfare** involves the use of digital attacks by one nation to disrupt the
digital systems of another, with the intention to cause damage and disruption. These attacks can target
critical infrastructure like power grids, water systems, and healthcare records, as well as military and
national security systems. **Examples**: Disabling national infrastructure, interfering with the
operations of military units, spreading propaganda, or disrupting financial systems.

Cyber warfare activities can range from espionage to the outright sabotage, often forming part of a
broader strategy of a state or organization against its targets.

### D. Artificial Intelligence and Cybercrime

**Artificial Intelligence (AI) and Cybercrime** refers to how AI technologies can be used both to
perpetrate and prevent cybercrimes. AI systems can learn from vast amounts of cybersecurity threat
data and help to identify and respond to threats based on patterns that human analysts might not catch.

**Criminal Uses**: AI can be used for creating sophisticated phishing content that is tailored to
individual users, automating attacks on networks, or even manipulating AI systems used in other
applications like autonomous vehicles or drones.

**Preventive Uses**: AI is used in behavioral analytics which allows security systems to learn the typical
patterns of users and to identify anomalies that may indicate a security breach. It also enhances the
capabilities of systems in terms of detecting malware and analyzing the behavior of applications.

### Conclusion

Each of these topics - Data Diddling and Salami Attack, Malware, Cyber Warfare, and AI in Cybercrime -
illustrates the evolving landscape of cybersecurity threats and the complexity of the defenses required to
protect against them. The interplay between rapidly advancing technology and security measures
underpins the ongoing arms race in cyberspace.
 Trimester-II End Term Examination- (December, 2018)
Q.1 X is an employee of Bhopal Plastic Works (Pvt.) Ltd. Company (BPWL). On account of poor
business and financial crunch company had to go for restructuring. X’s position is eliminated by way of
restructuring and he is given three months’ notice by the Company. On July 31,2016 X’s last day of
work, he e-mails some of BPWL’s confidential files to one of BPWL’s competitors. On the same day, X
creates a computer virus, which he calls “Balloon” and releases it into BPWL’s computer system.
“Balloon” wipes out the data on BPWL’s drives and makes it impossible for the computers to boot up
for fifteen hours. X programmed “Balloon” to reactivate on the fifth day of each month. Does BPWL
have any legal recourse against X? Discuss in the light of statutory provisions and judicial
pronouncements.

ANSWER –

### Legal Recourse Against X for BPWL

BPWL has multiple legal avenues to pursue against X, given his actions involved both theft of confidential
data and intentional damage to company property (cyber infrastructure). Here are the relevant statutory
provisions and potential legal actions:

#### 1. **Information Technology Act, 2000 (IT Act)**:

- **Section 43**: This section deals with penalties and compensation for damage to computer,
computer systems, etc. According to this section, if any person without permission of the owner or any
other person who is in charge of a computer, computer system or computer network, accesses or
secures access to such computer, computer system or computer network or computer resource,
downloads, copies or extracts any data, introduces or causes to be introduced any computer
contaminant or virus, damages or causes to be damaged any computer, computer system or computer
network, disrupts or causes disruption of any computer, computer system or computer network, denies
or causes the denial of access to any person authorized to access any computer, computer system or
computer network by any means, such actions are covered under this provision. X can be held liable
under this section for his actions involving the dissemination of a destructive computer virus (“Balloon”).

- **Section 66**: This section covers computer-related offenses and states that if any person,
dishonestly, or fraudulently, does any act referred to in Section 43, they shall be punishable with
imprisonment for a term which may extend to three years or with a fine which may extend to five lakh
rupees or with both.

#### 2. **Indian Penal Code, 1860 (IPC)**:

- **Sections 425-439**: These sections pertain to malicious mischief, which includes any act done with
intent to cause damage to the property of any person. Given that X’s actions were intentional and meant
to harm BPWL’s business operations, these could potentially be invoked.

- **Section 408**: Criminal breach of trust by clerk or servant. X, being an employee, who was
entrusted with company property (data, access to the computer system), has committed criminal breach
of trust by stealing confidential information and deliberately releasing a harmful virus.
#### 3. **Theft of Confidential Information**:

- **Misappropriation of Trade Secrets**: If the data emailed to competitors includes trade secrets, X
could potentially be sued under civil laws pertaining to the misappropriation of trade secrets. The
company can seek injunctive relief and damages for the loss caused by such actions.

### Steps BPWL Should Take:

- **Immediate Investigation**: Conduct a thorough forensic investigation to assess the extent of damage
and gather evidence for legal proceedings.

- **Secure Systems**: Immediately secure and restore all systems affected by the virus. Implement
enhanced cybersecurity measures to prevent future incidents.

- **Legal Action**: File a criminal complaint under relevant sections of the IT Act and IPC against X for
his actions. Consider also pursuing civil litigation for damages and injunctions to prevent further misuse
of stolen data.

- **Notification and Remediation**: Notify all affected parties, including clients and partners, about the
breach and take steps to mitigate any damage caused by the theft of confidential information.

### Conclusion:

BPWL has robust grounds to take legal action against X for his malicious actions that caused significant
harm to the company's operations and financial position. Actions under both the IT Act and IPC,
combined with civil remedies for the theft of confidential information, would provide a comprehensive
legal response to address the offenses committed by X.

Q.2 Stating the material facts of Avnish Bajaj v. State, [150(2008) DLT 769] explain the principles of law
laid down in it. Also discuss the concept of due diligence enshrined under the Information Technology
Act, 2000. How relevant should the concept be in determining liability of an intermediary?
Substantiate your answer in the light of relevant legal provisions.

ANSWER –

### Material Facts of Avnish Bajaj v. State, [150(2008) DLT 769]

**Avnish Bajaj v. State** is a landmark case involving Avnish Bajaj, the CEO of Baazee.com, an online
marketplace that later became a part of eBay India. The case arose when a video depicting two minors in
an obscene act was listed and sold on Baazee.com. The seller was a user who had listed the video as an
MMS clip, which caught public attention and led to a criminal complaint. Avnish Bajaj was charged under
Section 67 of the Information Technology Act, 2000 (IT Act) for publishing obscene content online.

### Principles of Law Laid Down

1. **Liability of Intermediaries**: The key legal question was whether Avnish Bajaj, as the CEO of an
intermediary (Baazee.com), could be held liable for the actions of its users. The court focused on the
nature of the intermediary’s role and responsibilities under the IT Act.
2. **Due Diligence and Actual Knowledge**: The court emphasized the need for intermediaries to
practice due diligence and the importance of actual knowledge of unlawful acts to establish liability. It
was highlighted that an intermediary must have had actual knowledge of the unlawful act or must have
been notified about it to attract liability.

3. **Safe Harbor Provisions**: The judgment clarified the application of the safe harbor provisions under
the IT Act, which protect intermediaries from liability for user-generated content, provided they fulfill
certain conditions.

### Concept of Due Diligence Under the Information Technology Act, 2000

The concept of due diligence under the IT Act is encapsulated in Section 79, which provides immunity to
intermediaries (like online platforms) from liabilities arising from user-generated content, provided they
meet certain conditions:

- They must not initiate the transmission, select the receiver of the transmission, or select or modify the
information contained in the transmission.

- They must observe due diligence while discharging their duties under the Act and also observe such
other guidelines as prescribed by the Central Government.

### Relevance of Due Diligence in Determining Liability of an Intermediary

Due diligence is critically relevant in determining the liability of an intermediary for several reasons:

- **Determines Scope of Liability**: Due diligence helps define the boundary between passive and
active participation in the content handling process. An intermediary that actively participates or
contributes to the content can no longer avail itself of the safe harbor protections.

- **Mandates Proactive Measures**: The IT Act implicitly requires intermediaries to take proactive steps
to prevent misuse of their platforms, which includes implementing effective user agreements, privacy
policies, and take-down procedures.

- **Legal Compliance**: Adhering to the standards of due diligence ensures that intermediaries remain
compliant with legal requirements, thus avoiding potential legal liabilities.

- **Role of Actual Knowledge**: Due diligence also involves mechanisms to gain actual knowledge of any
unlawful activity, which must trigger take-down actions. This aspect was highlighted in the case of Shreya
Singhal v. Union of India (2015), where the Supreme Court stipulated that intermediaries are required to
take down content only upon receiving actual knowledge through a court order or a government
notification.

### Conclusion

In light of the Avnish Bajaj case and subsequent legal developments, due diligence remains a
cornerstone of legal strategy for intermediaries. It not only protects them from potential liabilities but
also ensures that they maintain the integrity of their platforms and comply with regulatory
requirements. Effective implementation of due diligence protocols is essential for intermediaries to
balance user freedoms with legal obligations.
Q.3 Stating the meaning of “cyber terrorism” discuss when “denial of service attack” and “introduction
of computer contaminant” would result in “cyber terrorism”? Also identify the legal issues involved in
the case of Firos v. State of Kerala (AIR2006Ker279).

ANSWER –

### Meaning of "Cyber Terrorism"

**Cyber terrorism** is defined as the use of computer resources to intimidate or coerce a government,
the civilian population, or any segment thereof, in furtherance of political or social objectives. This term
encompasses a broad range of activities, including but not limited to, attacks on computer systems,
networks, or digital information with the intent to cause grave harm that results in violence against
persons, significant economic loss, or damage to a nation’s security infrastructure.

### Denial of Service Attack and Introduction of Computer Contaminant as Cyber Terrorism

A **Denial of Service (DoS) attack** or **Distributed Denial of Service (DDoS) attack** happens when
multiple systems flood the bandwidth or resources of a targeted system, usually one or more web
servers. Such attacks can qualify as cyber terrorism when they:

- Intentionally disrupt access to critical infrastructure or systems, with the intent to cause significant
harm or panic.

- Affect systems crucial to national security, emergency services, major economic assets, or key
government functions.

The **introduction of a computer contaminant**, such as a virus, worm, or any other malicious code,
becomes an act of cyber terrorism when:

- It deliberately disrupts or damages critical national infrastructure, leading to potential harm or death of
individuals.

- It targets computer systems integral to national defense, security services, or other critical societal
functions with the intent to steal, alter, or destroy classified data.

### Legal Framework

In India, cyber terrorism is addressed under **Section 66F** of the **Information Technology Act,
2000**. This section specifically deals with cyber terrorism, providing for punishment of imprisonment
which may extend to life if the act of cyber terrorism causes or is likely to cause death or injuries to
persons or loss of life or damage to property.

### Firos v. State of Kerala (AIR2006Ker279)

**Legal Issues Involved:**

In this landmark case, the petitioner was accused of various offences under the Information Technology
Act, 2000. The critical legal issues addressed included:

1. **Unauthorized Access and Hacking (Section 66 of the IT Act):** The case delved into whether the
acts committed by the petitioner constituted unauthorized access and hacking under the IT Act.
2. **Transmission of Obscene Content (Section 67 of the IT Act):** This was another focal point,
assessing whether the petitioner’s actions involved the transmission of obscene materials via electronic
means.

**Discussion:**

The court in this case highlighted the need for a stringent interpretation of what constitutes a crime
under the IT Act, particularly discussing the nature of unauthorized access and the transmission of
materials deemed obscene. It also examined the evidentiary requirements to prove such offences under
cyber law, stressing the importance of digital evidence and its authenticity.

### Conclusion

Cyber terrorism, including acts like DoS/DDoS attacks and the introduction of computer contaminants,
represents a serious threat to national and individual security. Legal interpretations, as seen in Firos v.
State of Kerala, underline the evolving nature of cyber law enforcement, where judicial precedents
continue to shape the application and understanding of statutory provisions. The critical takeaway is that
legal provisions must be dynamically interpreted to keep pace with technological advancements and
emerging new threats in cyberspace.

Q.4 ‘People who complain about cyberstalking should spend less time on their computers and more
time in the real world, and besides, you cannot actually get hurt on the Internet because it’s not real,
so there is no real problem any way. Is this a realistic perception of the perils of the internet
Substantiate your view in the light of relevant legal provisions and decided case law.

ANSWER –

The perception that cyberstalking is not a real problem and that potential victims should simply spend
less time online is both outdated and misinformed. It underestimates the significant impact that
cyberstalking can have on individuals' lives and overlooks the legal protections put in place to combat
this issue.

### Understanding Cyberstalking

**Cyberstalking** involves using the Internet or other electronic means to stalk or harass an individual,
a group, or an organization. It may include false accusations, defamation, slander, and libel. More severe
forms can threaten security, involve monitoring, identity theft, and threats, or gather information that
may be used to threaten, embarrass, or harass. Cyberstalking can cause profound psychological distress
and has been linked to various negative mental health outcomes, including depression, anxiety, and even
post-traumatic stress disorder (PTSD).

### Legal Provisions Against Cyberstalking

Several legal provisions specifically address cyberstalking:

#### Indian Context

1. **Information Technology Act, 2000**:

- **Section 66E**: Penalties for violation of privacy.

 - **Section 67**: Punishes the publishing or transmitting of obscene material in electronic form.

- **Section 72**: Punishes the breach of confidentiality and privacy.

2. **Indian Penal Code (IPC)**:

- **Section 354D**: Stalking, including online stalking, is recognized and punished in this section.

- **Sections 503 to 507**: Deal with criminal intimidation, anonymous communication, and threats.

#### International Perspective

- In the **United States**, cyberstalking is recognized under both state and federal laws. For instance,
the Violence Against Women Act includes provisions that categorize cyberstalking as a criminal offense
under federal law.

- The **European Union** has directives that address harassment and stalking, including cyberstalking,
urging member states to ensure that such behaviors are penalized.

### Case Law

**Krittika Biswas v. City of New York et al.**:

- In this U.S. case, an Indian diplomat's daughter was wrongly accused of sending harassing emails to her
teachers. Although the case centered around wrongful accusation and subsequent detention, it
highlighted the serious implications of cyberstalking and the importance of accurate identification and
response by authorities.

### Real-World Implications of Cyberstalking

The idea that one cannot get hurt on the Internet ignores the reality that emotional, psychological, and
financial harm can and does occur. Cyberstalking can lead to real-world stalking, where the perpetrator
escalates their behavior from the digital to the physical world. The stress and fear resulting from being
constantly harassed online can disrupt daily life, affecting one's ability to work, socialize, and feel safe
even in their own home.

### Conclusion

Dismissing the dangers of cyberstalking by suggesting people should simply disconnect from technology
is an unrealistic solution in a world increasingly reliant on digital communication for personal and
professional use. The law recognizes cyberstalking as a serious crime that can deeply affect individuals'
lives. As such, acknowledging its severity and understanding the legal protections against it are crucial
steps in addressing and mitigating its impact.
Q.5 Write short note on of the following:
a) Cybersmearing and legal issues
b) Child pornography and role of filtering softwares
c) Buffer overflow
d) Differentiate between ‘identity theft’ and ‘cheating by personation’

ANSWER –

### a) Cybersmearing and Legal Issues

**Cybersmearing** refers to the act of using the internet to spread false or misleading information
about individuals, businesses, or organizations, typically to harm their reputation. This can involve
posting negative comments, false accusations, or defamatory content on forums, blogs, social media
platforms, or review sites.

**Legal Issues:**

- **Defamation:** Most legal actions against cybersmearing fall under defamation laws, which cover
libel (written statements) and slander (spoken statements). Plaintiffs must typically prove that the
information was false, publicly shared, and caused harm to reputation or finances.

- **Intellectual Property Rights:** In some cases, cybersmearing may involve the unauthorized use of
trademarked names or logos to mislead or harm the brand.

- **Cyber Harassment:** If cybersmearing includes threatening communications, it may also be

prosecuted under cyber harassment or cyberstalking laws.

### b) Child Pornography and Role of Filtering Software

**Child Pornography:** Involves images, videos, or other depictions of minors engaged in sexual
activities or in sexually explicit poses. It is illegal and considered a severe criminal offense in most
jurisdictions around the world due to the exploitation and abuse of children involved.

**Role of Filtering Software:**

- **Prevention of Access:** Filtering software helps prevent access to websites that host child
pornography. They can be installed on individual devices or used at the network level by ISPs.

- **Detection and Reporting:** Some advanced software solutions are capable of detecting suspect
material that might be stored or shared via a network, alerting administrators or law enforcement.

- **Limitations:** While beneficial, filtering software is not foolproof. It can sometimes block non-
offensive content (overblocking) or fail to block all inappropriate material (underblocking).

### c) Buffer Overflow

**Buffer Overflow** is a programming error that occurs when more data is written to a buffer (a
temporary data storage area) than it can hold. This excess data can overwrite adjacent memory
locations, corrupting or altering the data stored in these locations.
**Exploitation:**

- **Security Vulnerability:** Buffer overflows can be exploited by attackers to alter the execution path of
a program, inserting malicious code into memory spaces that are executed by the computer’s processor.

- **Common Targets:** Applications written in languages that do not automatically manage memory
allocation, such as C and C++, are particularly vulnerable to buffer overflow attacks.

### d) Differentiate between ‘Identity Theft’ and ‘Cheating by Personation’

**Identity Theft:**

- **Definition:** Involves the unauthorized use of someone else’s personal information (such as Social
Security numbers, credit card numbers, or other financial account information) to commit fraud or other
crimes.

- **Purpose:** Often used to gain financial benefits in the victim's name, potentially damaging the
victim’s credit status and personal finances.

**Cheating by Personation:**

- **Legal Definition (Under IPC Section 416):** Occurs when someone impersonates another person,
falsely or deceitfully, to cause harm or to gain an unfair advantage.

- **Purpose:** Involves deceiving others by pretending to be someone else, leading to benefits for the
impersonator and potential legal or financial harm for the impersonated individual or a third party.

**Key Differences:**

- **Scope:** Identity theft usually involves the use of the victim’s identity in multiple fraudulent
activities, often financially oriented, while cheating by personation might involve a one-time or specific
act of deception.

- **Method:** Identity theft can occur without direct interaction with the victim (e.g., by stealing data
from a database), whereas cheating by personation typically involves interacting with others under a
false identity.
 EX-STUDENT EXAMINATION, AUGUST 2022

1. How is Cyber Contravention different from Cyber Offences? Discuss the most prominent
cybercrimes during the COVID-19 pandemic.

ANSWER –

### Cyber Contravention vs. Cyber Offences

**Cyber Contravention** and **Cyber Offences** are two distinct categories under the legal framework
dealing with cyber activities, specifically differentiated under the Information Technology Act, 2000 (IT
Act) in India. Here’s how they differ:

1. **Cyber Contraventions**: These are civil wrongs where the penalty primarily involves paying
damages. Cyber contraventions deal with actions that may not necessarily be malicious but violate the
provisions of the IT Act due to negligence, oversight, or non-compliance. For instance, failure to protect
data as required under reasonable security practices and procedures, or non-compliance with the
guidelines issued by the government or regulatory authorities.

2. **Cyber Offences**: These are more serious and are treated as criminal acts. Cyber offences include
actions that are intentionally malicious and harmful, targeting individuals, organizations, or systems.
These offences are punishable by fines, imprisonment, or both. Examples include hacking, identity theft,
phishing, and spreading viruses.

### Prominent Cybercrimes During the COVID-19 Pandemic

The COVID-19 pandemic saw a significant rise in cybercrime as more people and businesses increased
their reliance on digital platforms for work, shopping, and communication. Some of the most prominent
cybercrimes included:

1. **Phishing Attacks**: There was a significant increase in phishing emails and messages.
Cybercriminals often used COVID-19 themed messages, such as offering information about the virus,
vaccines, and financial relief measures to trick victims into revealing sensitive information or
downloading malware.

2. **Ransomware Attacks**: These attacks also saw a rise during the pandemic. Hospitals, research
facilities, and other healthcare-related organizations were particularly targeted, likely due to the critical
nature of their work and the urgency of the situation, which increased the likelihood of ransom
payments.

3. **Misinformation and Scams**: Numerous scams surfaced offering fake COVID-19 cures, vaccines,
and personal protective equipment. Misinformation was also spread through social media and other
digital platforms, often leading to public health risks and exploitation.

4. **Work-from-Home and Video Conferencing Vulnerabilities**: With a surge in remote work,

cybercriminals targeted vulnerabilities in remote work infrastructures. Attacks on video conferencing
software and breaches of company networks became more common, exploiting weak security practices
of employees working from home.
5. **Data Breaches and Data Leaks**: With the increased load on online services, there were numerous
instances of data breaches, where personal and health information was compromised. This was often
due to inadequate cybersecurity measures being in place.

### Conclusion

The distinction between cyber contraventions and cyber offences is critical for legal and regulatory
purposes, helping define the severity and intent behind cyber activities. During the COVID-19 pandemic,
the rise in cybercrimes highlighted the vulnerabilities in our increasing reliance on digital technologies. It
underscored the need for stronger cybersecurity measures, better awareness among the public about
cyber risks, and robust legal frameworks to deter cybercriminals and protect individuals and
organizations.

2. What is hacking under the Information Technology Act, 2000? How is identity theft different from
impersonation?

ANSWER -

### Hacking Under the Information Technology Act, 2000

Under the Information Technology Act, 2000 (IT Act) of India, "hacking" is primarily addressed under
**Section 43** and elaborated upon in **Section 66**.

**Section 43** of the IT Act lays out penalties for unauthorized access and damage to computer
systems. It states that if anyone without permission of the owner or any person who is in charge of a
computer, computer system or computer network,

- accesses or secures access to such system,

- downloads, copies or extracts any data,

- introduces or causes to be introduced any computer contaminant or virus,

- disrupts or causes disruption of the system,

- denies access to system information which is entitled to a user,

- provides assistance to any person to facilitate access to a computer,

- charges the services availed by a person to the account of another by tampering or manipulating any
computer,

- destroys, deletes or alters any information residing in a computer, or

- steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer
source code,

is liable for damages by way of compensation to the person affected.

**Section 66** further elaborates on the above acts and makes them punishable offenses if they are
done dishonestly or fraudulently. The penalties can include imprisonment, fines, or both.
### Identity Theft vs. Impersonation

**Identity Theft** and **Impersonation** are often used interchangeably but refer to distinct concepts
in legal terms:

#### Identity Theft

Identity theft involves illegally obtaining and using someone else’s personal data in some way that
involves fraud or deception, typically for economic gain. This could include acquiring someone's credit
card numbers, social security numbers, or other personal identification to make transactions or
fraudulently open new accounts.

**Legal Framework**: Under the IT Act, **Section 66C** provides punishment for identity theft, stating
that whoever, fraudulently or dishonestly, uses the electronic signature, password, or any other unique
identification feature of any other person, shall be punished with imprisonment of either description for
a term which may extend to three years and shall also be liable to fine which may extend to one lakh
rupees.

#### Impersonation

Impersonation in a cyber context (often termed as "Cheating by Personation" in legal terms) involves
pretending to be another person or entity to deceive others, which can lead to obtaining property or any
benefit by using the identity of another person. It involves an act of portraying oneself as another
person.

**Legal Framework**: Under the IPC, **Section 416** deals with cheating by personation, and the
punishment is outlined in **Section 419**, which prescribes imprisonment of up to three years, or a
fine, or both.

### Key Differences

- **Objective**: Identity theft is primarily aimed at the theft of personal data for use in various forms of
fraud, generally without direct interaction with the victim. In contrast, impersonation involves directly
interacting with others under a false identity, often in real-time, to deceive the victim into giving up
property, money, or sensitive information.

- **Method**: Identity theft can be carried out without the victim’s immediate knowledge and often
involves silently harvesting personal data. Impersonation, however, involves active deception and
interaction using a false persona.

### Conclusion

Understanding the distinctions between hacking, identity theft, and impersonation under the IT Act and
IPC is crucial for navigating the legal implications of these actions and ensuring appropriate measures are
taken both for prevention and recourse.
3. What is phishing attack under the Information Technology Act, 2000? Discuss cyberstalking with
relevant statutory provisions and judicial decisions.

ANSWER -

### Phishing Attack Under the Information Technology Act, 2000

**Phishing** refers to the fraudulent practice of sending emails purporting to be from reputable
companies in order to induce individuals to reveal personal information, such as passwords and credit
card numbers. Although the term "phishing" itself is not specifically mentioned in the Information
Technology Act, 2000 (IT Act), the actions constituting a phishing attack can be prosecuted under several
provisions:

1. **Section 66C**: Deals with identity theft and provides for punishment for anyone who fraudulently
or dishonestly makes use of the electronic signature, password, or any other unique identification
feature of any other person.

2. **Section 66D**: Pertains to cheating by personation using computer resources or communication

devices. This section is particularly applicable to phishing as it often involves personation to deceive
others into providing sensitive personal information.

### Cyberstalking Under the Information Technology Act, 2000

**Cyberstalking** involves the use of the internet or other electronic means to stalk or harass an
individual or group. Cyberstalkers use various online platforms, including social media, to harass their
victims. This may include false accusations, defamation, slander, and libel. Cyberstalking can be
prosecuted under several provisions in the IT Act and the Indian Penal Code (IPC):

1. **Section 354D of the IPC**: Deals with the offense of stalking, which can include cyberstalking. It
states that any man who follows a woman and contacts, or attempts to contact her to foster personal
interaction repeatedly despite a clear indication of disinterest by such woman, or monitors the use of the
internet, email, or any other form of electronic communication commits the offense of stalking.

2. **Section 66E of the IT Act**: Provides for the punishment for violation of privacy, which can apply in
cases where a cyberstalker is involved in the monitoring or capturing of a person's private acts without
their consent.

### Relevant Judicial Decisions

- **Krittika Biswas vs. City of New York et al.**: While not directly under the IT Act or IPC as it is a U.S.
case, it highlights issues related to cyberstalking and cyber harassment. The plaintiff was wrongfully
accused based on emails sent by someone else, which impacted her significantly, showcasing the
broader implications of cyber harassment.

- **Shreya Singhal vs. Union of India (2015)**: This landmark decision by the Supreme Court of India is
critical for understanding the boundaries of lawful online expression. Although primarily focused on the
constitutionality of Section 66A (struck down for being vague and unconstitutional), the ruling indirectly
impacts how cyberstalking cases are treated, especially concerning online speech.
### Conclusion

Both phishing attacks and cyberstalking represent significant challenges under cyber law due to the
anonymous nature of the internet and the ease with which perpetrators can hide their identities and
cross international borders. The Information Technology Act, 2000, along with relevant sections of the
IPC, provides a framework for addressing these crimes, but continuous updates and international
cooperation are necessary to effectively manage and mitigate these issues.

4. Discuss the cyber offences against an organization with relevant statutory provisions and judicial
decisions.

ANSWER - ### Cyber Offenses Against an Organization

Cyber offenses against organizations can range from unauthorized access and data breaches to malware
deployment and financial fraud. These offenses pose significant threats to the security, reputation, and
financial stability of businesses. Below, we discuss various cyber offenses against organizations under the
Information Technology Act, 2000 (IT Act) of India, along with relevant statutory provisions and judicial
decisions.

### Key Cyber Offenses and Statutory Provisions

1. **Unauthorized Access (Hacking)**

- **Section 43** of the IT Act: This section covers unauthorized access and damage to computer
systems. It provides a civil remedy where compensation can be claimed by the affected party.

- **Section 66** of the IT Act: This turns unauthorized access from a civil wrong into a criminal offense,
punishable by up to three years in prison or a fine.

2. **Data Theft**

- **Section 43** and **Section 66** are also applicable here, especially if data theft results from
unauthorized access.

- **Section 72** of the IT Act: Deals with the breach of confidentiality and privacy, providing for
penalties if someone breaches lawful contract or without the consent of the concerned party discloses
any electronic record, book, or document.

3. **Spread of Malicious Software (Viruses, Worms, Trojan Horses)**

- **Section 43** and **Section 66**: These sections address the introduction of contaminants into a
computer resource, causing damage to data or systems.

4. **Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks**

- **Section 66F**: Deals with cyber terrorism and can be invoked if the DoS or DDoS attack threatens
the unity, integrity, security, or sovereignty of India or causes terror in the minds of the people. The
penalty can be life imprisonment.

5. **Identity Theft and Phishing**

- **Section 66C**: Provides for punishment for identity theft.

 - **Section 66D**: Punishes cheating by personation using a computer resource.

### Relevant Judicial Decisions

- **Avnish Bajaj v. State (2005)**: This case involved the CEO of Baazee.com (now eBay India) where
obscene material was sold on the website. It highlighted the responsibilities of intermediaries and
brought attention to the due diligence required under Section 79 of the IT Act.

- **Tata Consultancy Services v. State of Andhra Pradesh (2005)**: The Supreme Court recognized
software as "goods" for the purpose of tax, which indirectly affects how theft of software or data
breaches might be treated under tax and civil laws.

### Key Points for Organizations

- **Preventive Measures**: Organizations must implement robust cybersecurity measures, including

firewalls, intrusion detection systems, and regular audits.

- **Legal Compliance**: Ensuring compliance with the IT Act and other relevant legislations is crucial.
This includes maintaining data privacy as per specified standards and reporting breaches as necessary.

- **Employee Training**: Regular training on cybersecurity best practices and legal obligations is
essential to prevent insider threats and enhance awareness about potential cyber risks.

### Conclusion

Organizations must proactively manage their cybersecurity posture to mitigate risks associated with
cyber offenses. Legal frameworks like the IT Act provide a foundation for prosecuting cyber offenses, but
continuous updates to the law and international cooperation are necessary to address the evolving
nature of cyber threats effectively. Additionally, organizations should be aware of the judicial precedents
which continually shape the interpretation and application of these laws.

5. Discuss the principles of jurisdiction in cyberspace under the Information Technology Act, 2000,
with relevant statutory provisions and judicial decisions.

ANSWER -

### Principles of Jurisdiction in Cyberspace under the Information Technology Act, 2000

Jurisdiction in cyberspace refers to the authority under which legal bodies govern and adjudicate laws
applicable to activities conducted over the Internet. This becomes complex due to the borderless nature
of the Internet, which allows digital activities to transcend geographic and sovereign boundaries. The
Information Technology Act, 2000 (IT Act) of India provides the legal framework for addressing the
jurisdictional challenges posed by the Internet and related technologies.

### Statutory Provisions in the IT Act

1. **Section 1(2) and Section 75**: These sections of the IT Act are pivotal for understanding the
territorial scope and jurisdiction of the Act. Section 1(2) states that the IT Act extends to the whole of
India, and if necessary, it can also apply to conduct outside India as per Section 75. Section 75 further
specifies that the Act applies to any offense or contravention committed outside India by any person if
the act involves a computer, computer system, or computer network located in India. This provision is
crucial for dealing with cybercrimes committed from abroad that affect victims within India.

2. **Section 46**: This section covers the adjudication of cases where the claim does not exceed five
crore rupees. It empowers the Central Government to appoint any officer not below the rank of Director
to the Government of India or an equivalent officer of a state government as an adjudicating officer for
holding inquiries under this Act. The jurisdictional aspect here depends on the nature of the cyber
incident and its impact within the territorial limits of India.

### Judicial Decisions

- **SMC Pneumatics (India) Pvt. Ltd. vs. Jogesh Kwatra (2001)**: This case is considered India’s first case
of cyber defamation, where the court issued an ex-parte injunction against the defendant, restraining
him from defaming the plaintiff by sending derogatory emails. This case highlighted how Indian courts
handle jurisdiction issues in cyber defamation cases, applying traditional legal principles to cyberspace.

- **Kapil Sibal vs. Facebook Inc. & Ors**: In this case, a PIL was filed seeking measures to ensure the
removal of content from social networks that could incite violence or harm public order. The case
discussed the jurisdiction of Indian courts over foreign entities operating on the internet but having
significant user interaction in India.

### Principles of Jurisdiction Applied

1. **Effects Principle**: This principle is often applied where actions conducted outside India have
substantial effects within the country. It underpins the application of Section 75 of the IT Act, allowing
Indian authorities to extend their jurisdiction to foreign entities affecting Indian cyberspace.

2. **Active Personality Principle**: India applies this principle under Section 75 by asserting jurisdiction
over Indian nationals or persons in Indian territories who commit offenses outside India affecting a
computer resource located in India.

3. **Passive Personality Principle**: While less frequently invoked, this principle could apply in
situations where non-Indian perpetrators target Indian victims, with the IT Act providing the framework
for such jurisdiction based on the effects and targets of the conduct.

### Conclusion

The IT Act's approach to jurisdiction in cyberspace reflects an understanding of the global nature of
digital interactions and the necessity for laws that can effectively address offenses that cross
international borders. By incorporating provisions that extend jurisdiction based on the location of the
affected computer systems and the impact of the actions, the Act allows Indian authorities to combat
cybercrimes more effectively, even if these originate from outside national boundaries. These provisions,
supported by judicial decisions, continue to shape the evolving landscape of cyber law jurisdiction in
India.
6. Elaborate on the process of cybercrime investigation in India with relevant statutory provisions.

ANSWER -

### Cybercrime Investigation Process in India

Cybercrime investigation in India involves a series of steps designed to efficiently address and mitigate
crimes committed using or against computer systems and networks. The investigation process is guided
by various statutory provisions mainly under the Information Technology Act, 2000 (IT Act),
supplemented by the Indian Penal Code, 1860 (IPC) and specific procedures outlined in the Code of
Criminal Procedure, 1973 (CrPC).

### Steps in the Cybercrime Investigation Process:

#### 1. **Reporting the Crime**

- **Cyber Cells:** Victims of cybercrime can lodge a complaint directly at the local police station or at
dedicated cyber cells established by state police departments. Major cities like Delhi, Mumbai,
Bangalore, and Hyderabad have well-established cyber cells.

- **Online Reporting:** The Ministry of Home Affairs also operates the National Cyber Crime Reporting
Portal, where victims can report complaints about cybercrimes.

#### 2. **Filing an FIR**

- **First Information Report (FIR):** Upon receiving a complaint about a cybercrime, the police register
an FIR under the relevant sections of the IT Act or IPC, depending on the nature of the crime.

- **Sections Involved:** Commonly invoked sections include Section 66 (hacking), 66C (identity theft),
66D (cheating by impersonation online), and 67 (publishing or transmitting obscene material).

#### 3. **Preliminary Assessment**

- Police assess the nature and severity of the crime, determining the immediate steps needed to
prevent further damage. This might involve alerting financial institutions, freezing accounts, or notifying
other potential victims.

#### 4. **Collection of Evidence**

- **Digital Evidence:** The collection of digital evidence is critical and must be done ensuring the
integrity and admissibility of the evidence. Techniques include imaging hard drives, securing transaction
logs, capturing metadata, etc.

- **Preservation:** Digital evidence is preserved under strict chain-of-custody protocols to ensure it is

not tampered with or altered.

#### 5. **Analysis**

- **Forensic Analysis:** Specialists perform digital forensic analysis to recover data, analyze
communication records, and trace the origins of the attack or crime.
 - **Use of Software Tools:** Forensic tools like EnCase, FTK, and others are used to analyze the data
and establish the specifics of the crime.

#### 6. **Identification of Suspects**

- Using the data collected, investigators work to identify and locate the perpetrator(s). This might
involve cooperation with ISPs, other law enforcement agencies, and international bodies.

#### 7. **Arrest and Interrogation**

- Upon establishing probable cause, law enforcement can make arrests. Interrogations and further
investigations help in uncovering broader aspects of the crime or network.

#### 8. **Prosecution**

- **Court Proceedings:** Cases are presented before the court with collected evidence. The IT Act and
IPC provide the legal framework under which the cases are prosecuted.

- **Adjudication:** Under Section 46 of the IT Act, adjudicating officers (appointed under the Act)
have the power to hold inquiries into the contraventions and impose penalties.

#### 9. **Judicial Decisions**

- Based on the evidence and the applicable laws, the judiciary decides the case and pronounces the
judgment.

### Key Statutory Provisions

- **IT Act, 2000:** Provides the primary legal framework for addressing cybercrimes.

- **IPC, 1860:** Offers provisions for traditional crimes that can be applied to cyber contexts, such as
fraud, forgery, and cheating.

- **CrPC, 1973:** Governs the procedural aspects of criminal investigations and the trial process.

### Conclusion

The process of cybercrime investigation in India is comprehensive and involves multiple stages from
reporting to prosecution. Given the complexity and technical nature of cybercrimes, continuous updating
of technology, skills, and legal knowledge is essential for law enforcement agencies. Effective
collaboration between national and international agencies is also crucial due to the borderless nature of
cybercrimes.
7. Write short notes on the following:
a. Critical Information Infrastructure
b. Ransomware Attack
c. Cyber Warfare
d. Virtual Money Laundering

ANSWER -

### a. Critical Information Infrastructure

**Critical Information Infrastructure (CII)** refers to the computer systems, networks, and data that are
essential to the operation of critical sectors of the economy and government. These infrastructures
include systems related to banking and finance, transportation, energy, communications, and essential
government services. The disruption or destruction of CII can have significant impacts on national
security, economic stability, public health, or safety.

**Protection of CII**: Various countries have established specific agencies or units responsible for
protecting CII against cyber threats. In India, for instance, the protection of CII is overseen by the
National Critical Information Infrastructure Protection Centre (NCIIPC), which operates under the
National Technical Research Organisation (NTRO). The IT Act includes provisions to safeguard against
unauthorized access, damage, and disruptions to CII.

### b. Ransomware Attack

**Ransomware Attack** involves a type of malware that encrypts a victim's files, making them
inaccessible, and demands a ransom payment to restore access. These attacks can target individuals,
businesses, and even government agencies.

**How it Works**: Typically, ransomware is spread through phishing emails or visiting infected websites.
Once infected, the ransomware encrypts valuable data and displays a message demanding payment,
often in cryptocurrencies, for decryption keys.

**Prevention and Response**: Effective countermeasures include maintaining regular backups, using
antivirus programs, educating users about phishing, and implementing strong network security
measures. Law enforcement agencies advise against paying the ransom, as it does not guarantee file
recovery and encourages further crimes.

### c. Cyber Warfare

**Cyber Warfare** involves the use of digital attacks by one state to disrupt the digital systems of
another, aiming to damage national interests. This can include disabling national infrastructure, stealing
sensitive data, or disrupting military operations.

**Characteristics**:

- **Offensive Operations**: Might involve strategies like deploying viruses to sabotage industrial
operations (as seen with Stuxnet), or DDoS attacks to disable government websites.

- **Defensive Measures**: Countries invest in cybersecurity defenses, threat intelligence, and

countermeasures to protect against and respond to cyber attacks.
- **Information Warfare**: Part of cyber warfare can also involve the manipulation of information to
influence public opinion or disrupt societal cohesion.

### d. Virtual Money Laundering

**Virtual Money Laundering** involves the use of digital currencies and online transactions to conceal
the origins of illegally obtained money. Cryptocurrencies, such as Bitcoin, provide degrees of anonymity
and can be traded internationally, making them attractive for laundering activities.

**Process**:

- **Placement**: Illicit funds are first converted into virtual currencies.

- **Layering**: The virtual currency is moved and traded to complicate the audit trail and obscure the
origins of the funds.

- **Integration**: Finally, the laundered money is converted back into legal currency or spent in the
virtual economy, appearing as legitimate income.

**Challenges and Regulations**: Regulating virtual money laundering is challenging due to the
pseudonymous nature of transactions and the global jurisdiction of cryptocurrencies. Efforts include the
implementation of know-your-customer (KYC) and anti-money laundering (AML) regulations at
cryptocurrency exchanges and cooperation between international law enforcement agencies.

These short notes outline the complexities and broad scope of contemporary cyber issues,
demonstrating the intertwined nature of technology and security in the modern world.