
Deccan Education Society’s

Brihan Maharashtra College of Commerce


(AUTONOMOUS)
845, Shivajinagar, Pune-411004

Subject code - 4601 Semester - VI Credit - 2

Subject title – Cyber Security (Revised 2017)


Objectives:

1. To understand various types of Cybercrime


2. To understand fundamentals of Cyber security

Unit No.   Topics

1   Introduction to Cyber Crime and Cyber Security
     Introduction
     Cybercrime and Information Security
     Data Privacy and Data Protection
        - Difference between Data privacy and Data protection
        - Governing laws of Data privacy and Data protection in India and their model laws
     Challenges posed by Cyber Crime.

2   Cyber Law and Information Technology Act, 2000
     Introduction
     Cybercrime and the Legal Landscape around the World
     Why Do We Need Cyberlaws: The Indian Context
     Information Technology Act, 2000
     Amendments and important definitions (Information Technology Act, 2000)
     Indian Scheme of offences & punishment
     Types of Cybercrimes and contraventions:
        E-mail Spoofing, Spamming, Salami attack, Internet Time Theft, Web Jacking,
        Identity theft, Cyberstalking, Hacking, Software Piracy, Computer Network
        Intrusions, Usenet Newsgroup as the Source of Cybercrimes, Password Sniffing,
        Credit Card Frauds, Email bombing
        Contraventions: Sections 43 to 45
 Tools and Methods Used in Cybercrime
Phishing
Password Cracking
Keyloggers and Spywares
Virus and Worms
Trojan Horses and Backdoors
DoS and DDoS Attacks
SQL Injection
 CIA triad
 Digital Signature and Electronic Signature
 E- commerce under Information Technology Act, 2000
and other important laws
3   Cyber Law: International Perspective
     EDI: Concept and legal Issues.
     UNCITRAL Model Law.
     Cryptography
     Cryptocurrency and security issues
     Metaverse, Internet of Things and other recent developments in cyberspace and cybersecurity
     EU Convention on Cyber Crime

4   Intellectual Property in Cyberspace
     Meaning and types of IPRs
     Copyright issues in cyberspace
     Trademark issues in cyberspace
     Other IPR related issues in cyberspace
     Protection of IPR
     International Law governing IPR

Suggested Reference Material –

1. Information Systems Security Management by Nina S. Godbole (Wiley India Pvt. Ltd.)
2. Computer Security: Principles and Practice by William Stallings and Lawrie Brown, 3rd edition, Pearson, 2015.
3. Cyber Security Essentials by James Graham, Richard Howard and Ryan Olson
4. Cyber Security by Nina Godbole and Sunit Belapure, Wiley
Cyber security's main objective is to protect data. The security community describes
three related principles for protecting data from cyber-attacks, known as the CIA
triad: confidentiality, integrity and availability. The model is designed to guide
policies for an organization's information security programme. Whenever a security
breach is found, at least one of these three principles has been violated.

The objective of cybersecurity is to protect information from being stolen,
compromised or attacked. Cybersecurity can be measured against at least one of three
goals:

• Protect the confidentiality of data.
• Preserve the integrity of data.
• Promote the availability of data for authorized users.

Confidentiality is a set of rules that limits access to information, integrity is the
assurance that the information is trustworthy and accurate, and availability is a
guarantee of reliable access to the information by authorized people.

• Confidentiality involves measures designed to prevent unauthorized access to
sensitive information, that is, to avoid its unauthorized disclosure. It means
protecting data so that those who are allowed to see it can, while everyone else
learns nothing about its content.

• Integrity involves maintaining the consistency, accuracy and trustworthiness of
data over its entire lifecycle. Data must not be changed in transit or at rest, and
steps must be taken so that it cannot be altered by unauthorized people (for
example, by an attacker who has already breached confidentiality and gained access
to it) and so that any alteration is detected.

• Availability means information should be consistently and readily accessible to
authorized parties. It is the guarantee of reliable and constant access to
information by authorized people. This involves properly maintaining the hardware,
technical infrastructure and systems that hold and display the information.

Why CIA triad is important

Confidentiality, integrity and availability together are considered the three most
important concepts within information security.

Considering these three principles together within the framework of the "triad" can
help guide the development of security policies for organizations. When evaluating
needs and use cases for potential new products and technologies, the triad helps
organizations ask focused questions about how value is being provided in those
three key areas.

Confidentiality

Training can help familiarize authorized people with risk factors and how to guard
against them. Training may also cover strong passwords and password-related best
practices, and social engineering methods, so that users are not talked into bending
data-handling rules with good intentions and potentially disastrous results.

Data encryption is another common method of ensuring confidentiality. User IDs and
passwords are the standard access-control procedure, and two-factor authentication
(2FA) is becoming the norm; other options include biometric verification and
hardware or software security tokens. In addition, users can minimize the number of
places where the information is stored and the number of times it is transmitted to
complete a transaction.

Integrity

Measures that protect integrity include file permissions and user access controls,
together with checksums or cryptographic hashes that detect changes. Organizations
must also have some means to detect changes in data caused by non-human events such
as an electromagnetic pulse (EMP) or a server crash, and backups or redundant copies
must be available to restore the affected data to its correct state.
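The integrity check described above, as an added example (not from the course text): a stored checksum alone does not stop a deliberate tamperer, who can change the data and recompute the hash, whereas a keyed MAC (HMAC-SHA256) needs a secret the attacker does not have. The transfer record and the key are constructed samples.

```python
"""Integrity check with a keyed MAC: detect any unauthorized change to data.

Added example, not from the course text. A stored hash alone does not stop a
deliberate tamperer, who can change the data and recompute the hash. HMAC-SHA256
needs the secret key, so an attacker without it cannot produce a valid tag for
altered data. The record and key below are constructed samples.
"""
import hashlib
import hmac
import secrets

# Constructed sample: a funds-transfer record that must arrive unchanged.
RECORD = b'{"from":"ACC-1001","to":"ACC-2002","amount":"2500.00","currency":"INR"}'
# Constructed shared secret. In practice it comes from a key store, never from source code.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def tag(data: bytes, key: bytes) -> str:
    """Return the hex HMAC-SHA256 tag of data under key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, expected_tag: str, key: bytes) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(tag(data, key), expected_tag)


def plain_hash_check(data: bytes, stored_hash: str) -> bool:
    """The weaker, unkeyed check that many systems still rely on."""
    return hashlib.sha256(data).hexdigest() == stored_hash


def tamper_demo() -> dict:
    """Alter one field of the record and report which checks notice."""
    t = tag(RECORD, KEY)
    stored_hash = hashlib.sha256(RECORD).hexdigest()

    altered = RECORD.replace(b'"amount":"2500.00"', b'"amount":"9500.00"')

    # An attacker who can rewrite the data can also rewrite an unkeyed hash...
    attacker_hash = hashlib.sha256(altered).hexdigest()
    # ...but cannot forge an HMAC tag without KEY (here: a random wrong key).
    attacker_tag = tag(altered, secrets.token_bytes(16))

    return {
        "original_verifies": verify(RECORD, t, KEY),                   # True
        "altered_verifies": verify(altered, t, KEY),                   # False: change detected
        "forged_tag_verifies": verify(altered, attacker_tag, KEY),     # False
        "plain_hash_fooled": plain_hash_check(altered, attacker_hash),  # True: no protection
        "plain_hash_old_store": plain_hash_check(altered, stored_hash),  # False only if attacker could not touch the hash
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name}: {result}")
```

The practical lesson is where the verification secret lives: a hash stored next to the data protects only against accidents (the EMP or crash case above), while a MAC whose key the writer of the data does not hold also protects against deliberate tampering.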

Availability

This is best ensured by rigorously maintaining all hardware, performing hardware
repairs immediately when needed and maintaining a properly functioning operating
system (OS) environment that is free of software conflicts. Providing adequate
communication bandwidth and preventing bottlenecks are equally important.
Safeguards against data loss or interruption of connections must account for
unpredictable events such as natural disasters and fire; to prevent data loss from
such occurrences, a backup copy may be stored in a geographically isolated
location. Extra security equipment or software such as firewalls and proxy servers
can guard against downtime and unreachable data caused by malicious denial-of-
service (DoS) attacks and network intrusions.
What is Cryptocurrency?

Bitcoin and other cryptocurrencies have exploded onto the market in recent years, and judging by
virtual currency's popularity, it seems to be here to stay. Cryptocurrencies are digital or virtual
currencies secured by cryptography, many of them using decentralized networks based on blockchain
technology: an open, distributed ledger that records transactions. Crypto is stored in a digital
"wallet", which can be on a website, on a computer or on an external drive. Put simply,
cryptocurrencies are systems that allow secure payments online, denominated in virtual "tokens".

Bitcoin, the first cryptocurrency that launched a little over a decade ago, was created by Satoshi
Nakamoto, who described it as "an electronic payment system based on cryptographic proof instead
of trust." Other common types of cryptocurrencies include Litecoin, Namecoin, Dogecoin, Ethereum,
Cardano and others. In March 2021, there were reportedly over 18.6 million bitcoins in circulation,
with a total market cap of around $927 billion.

Unlike the U.S. dollar, there is no physical coin or bill involved in cryptocurrency. It is a type of
digital currency that only exists electronically, with no backing from a government and no central
authority managing the value. One advantage of cryptocurrency is that it can be easily exchanged
online, using a computer or phone, usually for quick payments to avoid transaction fees charged by
traditional banks. However, due to the semi-anonymous nature of the transaction, users could be
opening themselves up for a host of different types of scams or even illegal activities like money
laundering.

Types of Cryptocurrency Scams that affect Cybersecurity

In early May 2021, a ransomware attack struck Colonial Pipeline. The intrusion, attributed to the
DarkSide group, led the company to shut down over 5,000 miles of pipeline in the south-eastern United
States, and it paid a ransom reported at about $5 million in bitcoin. U.S. law enforcement later
recovered about $2.3 million of the ransom after identifying the virtual-currency wallet the attackers
used to collect the payment. In total, DarkSide has reportedly been paid about $90 million in bitcoin
ransoms by 47 victims, an average of about $1.9 million each.

The Federal Trade Commission (FTC) states that one of the biggest signs of a scam is a request to
pay by cryptocurrency. Whenever there is a request to pay by gift card, wire transfer or
cryptocurrency, it is a major red flag that you are about to fall victim to a scam: once the scammer
is paid in one of those ways, it becomes nearly impossible to recover the money. Cryptocurrency can
be mysterious, complicated and confusing to many people, and as it continues to grow in popularity,
so does the opportunity for crypto scams. The FTC reports that between October 2020 and May 2021,
Americans lost over $80 million to cryptocurrency scams.

Investment Scams

Investment scams, for example, lure individuals to websites with seemingly legitimate testimonials
and credible-looking charts and wording that make it appear an investment is growing. However, the
victim is asked to send more crypto when they attempt to withdraw their profits and soon find out
they get nothing in return.

Giveaway Scams

Giveaway scams are also popular cyberattacks on cryptocurrency. The hackers pose as well-known
investors or even celebrity figures who offer to help small investors. However, when the victim sends
their crypto, instead of growing their own investment, the money goes right into the scammer's
hands.

Initial Coin Offering (ICO) Fraud

Scammers also have found ways to hack into crypto wallets or use bitcoin-stealing malware to
commit their attacks. What's known as ICO (initial coin offering) fraud is also a common type of
crypto scam, as victims get lured into investing in the launch of a new cryptocurrency that turns out
to be fake.

Scammers generally promise that you will make a profit, offering big payouts with guaranteed
returns or even promise free money. They may make big claims without any explanations or details.
It's important for business owners to understand where their investment is going and how it works,
so always research both the company name and the type of cryptocurrency offered.

Cryptocurrency and Business’s Cybersecurity

More and more public companies and major financial institutions have begun to recognize digital
currencies, amplifying the need for crypto-related insurance policies. The Colonial Pipeline attack
was one of the most disruptive cyberattacks in history, resulting in substantial expenses, including
days of lost revenue and the $5 million ransom payment. Unlike other cybersecurity scams that target
personal data, this attack had a major impact on the entire country's infrastructure and became a
wake-up call to consumers everywhere.

There are pros and cons when it comes to businesses and cryptocurrency.

Cyber liability insurance is vital to protect a company from a wide range of cyberattacks. While
policies specifically designed for crypto-related risks remain limited, cyber liability insurance helps
cover ransomware payments, the costs associated with an investigation, data breach notifications and
legal defence should there be third-party lawsuits related to the attack.
What are the measures businesses can take to protect themselves from cryptocurrency scams?

Businesses can take a few measures to protect themselves from cryptocurrency scams.
1. Educate yourself and your employees about cryptocurrency and how it works. It will help
you spot red flags that indicate a scam.
2. Only deal with reputable exchanges and businesses. Do your research to make sure you’re
dealing with a legitimate company.
3. Keep your computer security up-to-date to protect yourself from mining malware and
other attacks.
4. Be careful when accepting cryptocurrency as payment. Make sure you understand the
risks involved before you agree to receive it.
5. If you use cryptocurrency to buy or sell goods and services, only deal with reputable
companies. Be aware of the risks involved in doing this.
Cyber Crime and Cyber Security
What is cybercrime

Cybercrime refers to any criminal activity accomplished through using a network, technological
devices, and the internet. Common motives behind committing cybercrimes include monetary gains,
personal gains, and creating chaos within an organization or an individual’s life.
What are the common types of cyber-attacks?
Cyber theft
Cyber theft is a type of cybercrime that involves an individual stealing money, personal information,
financial data, or intellectual property through infiltrating another person or company’s system.
Fraudulent crimes such as identity theft and embezzlement can also fall under the cyber theft crimes
umbrella.
Cyberbullying
Cyberbullying refers to instances of bullying an individual online. Acts of cyberbullying include any
threat to a person’s safety, coercing a person to say or perform an action, and displays of hate or bias
towards someone or a group of people.
While children tend to fall victim to cyberbullying more often, adults are not necessarily
immune. According to a study, 40% of teenagers surveyed stated they had faced online harassment,
and 24% of adults between ages 26–35 reported having experienced cyberbullying.
Malware
Malware is a word used to refer to any program or software designed to infiltrate or damage a device.
Viruses are an example of programs that fall under the malware umbrella. Viruses perform a variety
of harmful actions once they land in a device. They may destroy files, log your keystrokes, reformat
your hard drive, or manipulate your files.
Phishing
Phishing occurs when cybercriminals pose as an organization to trick victims into sharing their
sensitive information. Oftentimes, cybercriminals successfully achieve their phishing goals by using
scare tactics such as informing the victim that their bank account or personal device is under attack.
Cyber extortion
Cyber extortion is a form of online blackmailing. In these cases, cybercriminals attack or threaten to
attack the victim and demand some form of compensation or response to stop their threats.
Ransomware
Ransomware is a type of cyber extortion which uses malware to reach its end goal. This malware
threatens to publish the victim’s data or prevent the victim from accessing her data until the
cybercriminal receives a specified amount of money.
Crypto jacking
Crypto jacking refers to when hackers use other people’s computing power to mine cryptocurrencies
without consent. Crypto jacking differs from cybercrimes that use malware to infect a device since
cryptojackers do not wish to pursue a victim’s data. Instead, cryptojackers use the processing power
of their victim’s device.
Despite seeming less harmless than other cybercrimes, individuals should not take cryptojacking
lightly because falling victim to it can significantly slow one’s device and make it vulnerable to other
cyber attacks.
Cyber spying
When hackers attack the network of a public or private entity to access classified data, sensitive
information, or intellectual properties, they commit cyber spying. Cybercriminals may use the
classified data they find for other ends, such as blackmail, extortion, public humiliation of an
individual or organization, and monetary gains.
Spyware
Spyware refers to software that cybercriminals use to monitor their victim’s activities and record their
personal information. Often, a victim accidentally downloads spyware onto their device, which is
how they unknowingly provide access to their data to a cybercriminal. Depending on the type of
spyware used, cybercriminals can access a victim’s credit card numbers, passwords, web cam, and
microphone.
Adware
Adware is the software you may accidentally install onto your computer while downloading another
application. Developers of adware programs gain monetary benefits from their activities on people’s
computers every time someone views or clicks on an advertisement window.
While some adware programs are legal and harmless, others are intrusive because of the type and
frequency of the advertisements they show. Some adware programs are illegal in many countries
because they carry spyware, viruses, and other malicious software.
Botnets
Botnets are networks of malware-infected computers. Cybercriminals infect and take control of these
computers to perform tasks online without the user’s permission to carry out fraudulent acts without
being tracked. Their actions may include sending spam emails and carrying out targeted breaches
into a company’s assets, financial data, research data, and other valuable information.
Romance scams
Some cybercriminals use dating sites, chat rooms, and dating applications to masquerade as potential
partners and seduce people to gain access to their data.
Hacking
Hacking commonly refers to any unauthorized access to a computer system. When a hacker breaks
into the computers and networks of a company or individual without permission, they can gain
access to sensitive business information or personal and private data.
Nonetheless, not all hackers are criminals. Some, often called "white hat" hackers, are hired
by companies to find flaws and holes in their security. With permission, they break into the
client's network to find existing weaknesses and offer solutions for them.
Sometimes cybercriminals, or "black hat" hackers, decide to go straight and turn away from crime.
Working as a security consultant for the kind of companies they used to attack is one option,
since such people often have more knowledge of network intrusion than many computer security
professionals.
Cyber security solutions
What does cyber security mean?

Cyber security, sometimes referred to as IT security or computer security, is the body of technologies
and processes designed to protect computer systems, networks, and devices from the dangers of
cybercrimes. Moreover, cyber security solutions prevent damage to hardware, software, electronic
data, or any disruption or misdirection of the services they provide.
The importance of cyber security solutions stems from their ability to provide comprehensive
protection to users. If you wish to keep your networks and devices safe from unauthorized access or
malicious attacks, then consider the different types of cyber security to determine the best one for
your needs.
1. Antivirus
The first step in securing your device(s) is installing proper antivirus software on them.
Antivirus programs scan data and incoming files to detect unsafe software and remove any threats
before they cause an issue. These programs identify and eliminate known viruses, worms, and
malware based on what is available in their extensive database.
2. Internet security
Internet security programs establish measures against attacks over the internet to ensure the security
of devices and networks. These programs prevent attacks targeted at browsers, networks, operating
systems, and other applications.
Internet security software protects data in transit and at rest using methods that include
encryption and security designed in from the ground up. The most common and significant controls
are firewalls, access controls, data loss prevention (DLP), distributed denial-of-service (DDoS)
mitigation and email security.
3. Firewall
Firewalls act as filters that allow or deny access to a network, thus protecting the devices connected to
it. Firewalls keep harmful files away and prevent malicious codes from being embedded into
networks. Apart from that, they also screen and block dangerous traffic.
Moreover, firewalls create checkpoints between an internal private network and the public internet.
They limit network exposure by hiding your private network system and information from the public
internet.
4. Endpoint security
Endpoint security refers to a software approach for ensuring that all the endpoint devices, such as
computers, tablets, scanners, and others, connected to a network remain safe. Such devices serve as
access points to an enterprise network since they offer attack paths and points of entry that malicious
files can exploit. Therefore, endpoint security aims to secure every endpoint to avoid potential
threats.
Moreover, network administrators can use endpoint security solutions to restrict the use of sensitive
data and access to certain websites to maintain compliance with the policies and standards of the
organization.
These features make endpoint security solutions particularly well-suited for small and large
organizations.
Cyber security
Cyber Crime
It refers to all criminal activities carried out using communication devices such as
computers, mobile phones and tablets, the internet, cyberspace and the World Wide Web.
Cybercrimes are a new class of crimes that is expanding rapidly with the extensive use
of the internet.
E.g. phishing, cyberstalking, identity theft, etc.

Cyber Law
The law that governs cyberspace. The term describes the legal issues related to the
use of communication technology, particularly cyberspace, i.e. the internet. It is an
attempt to apply laws designed for the physical world to human activity on the
internet.

Cyber security
It means protecting equipment, devices, computers, computer resources,
communication devices and the information stored in them from unauthorized
access, use, disclosure, disruption, modification or destruction. The term
covers both the physical security of devices and the security of the information
stored on them.

Cyber crimes

1. Email spoofing
A spoofed email is the one that appears to originate from
one source but actually has been sent from another source.
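One way to recognise a spoofed message from its headers, as an added example (not from the course text): compare the domain the user sees in From: with the envelope sender in Return-Path: and with the SPF/DKIM results the receiving mail server recorded. Both messages, the domains and the Authentication-Results values are constructed samples.

```python
"""Flag indicators of a spoofed e-mail from its headers.

Added example, not from the course text. Each check is a well-known spoofing
indicator, not proof on its own:
  1. the domain in From: differs from the envelope sender in Return-Path:;
  2. Reply-To: points at a different domain than From: (replies go to the attacker);
  3. the receiving server's Authentication-Results: header shows SPF or DKIM
     failing or absent for the claimed sender.
Both messages below are constructed samples using reserved example domains.
"""
import email
from email.utils import parseaddr

SPOOFED = b"""\
Return-Path: <bounce@mailer-xyz.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-xyz.example.net; dkim=none
From: "Accounts Team" <accounts@bank.example>
Reply-To: <helpdesk@bank-example-support.example.org>
To: <customer@example.com>
Subject: Your account is locked

Click the link to unlock your account.
"""

LEGIT = b"""\
Return-Path: <noreply@bank.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example
From: "Bank" <noreply@bank.example>
To: <customer@example.com>
Subject: Monthly statement

Your statement is attached.
"""


def _domain(header_value) -> str:
    """Lower-case domain part of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def spoofing_indicators(raw: bytes) -> list:
    """Return human-readable red flags; an empty list means none were found."""
    msg = email.message_from_bytes(raw)
    flags = []

    from_dom = _domain(msg["From"])
    rp_dom = _domain(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        flags.append(f"From domain {from_dom!r} != Return-Path domain {rp_dom!r}")

    reply_dom = _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom!r} differs from From")

    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim"):
        if f"{mech}=fail" in auth or f"{mech}=none" in auth:
            flags.append(f"{mech.upper()} did not pass for the claimed sender")

    return flags


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "->", spoofing_indicators(raw) or "no red flags")
```

Only trust an Authentication-Results: header that your own receiving server wrote; a mail gateway must strip any such header arriving from outside, or an attacker simply adds a forged "spf=pass" of their own.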
2. Spamming
Spam is the abuse of electronic messaging system to send
unsolicited bulk messages indiscriminately.
3. Internet time theft
Such theft occurs when an unauthorized person uses internet hours paid for by
someone else. It falls under hacking because the person who obtains someone else's
ISP user ID and password, by hacking or other illegal means, uses it to access the
internet without the owner's knowledge.
One can suspect time theft if the internet account has to be recharged often even
though one's own use of the internet is infrequent.
Internet time theft is related to crimes committed through identity theft.
4. Salami attack
These attacks are used for committing financial crimes.
The idea is to make each alteration so insignificant that in a single case it
would go completely unnoticed.
e.g. A bank employee inserts a program into the bank's servers that deducts a small
amount of money, say Rs.2, from the account of every customer. No account holder
is likely to notice this unauthorized debit, but the employee collects a sizeable
amount every month.
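The bank-side control that catches the Rs.2 skim above, as an added example (not from the course text): no single customer notices, but an audit query that groups all small debits by date, amount, narration and initiating user sees one user debiting the same small amount from many accounts. The ledger rows, account numbers and employee ID are constructed sample data.

```python
"""Reconciliation check for a salami attack: many accounts, same small debit.

Added example, not from the course text. A single Rs.2 debit is invisible to the
account holder; grouping all small debits by (date, amount, narration, initiator)
makes the pattern visible to the bank's audit. The ledger below is constructed
sample data.
"""
from collections import defaultdict
from decimal import Decimal

# (date, account, amount debited, narration, initiated by)
LEDGER = [
    ("2024-03-01", "ACC-1001", Decimal("1500.00"), "ATM WDL", "ATM-22"),
    ("2024-03-01", "ACC-1003", Decimal("250.00"), "POS PUR", "POS-9"),
]
# Legitimate scheduled SMS-alert charge, applied to 12 accounts by the batch job.
LEDGER += [("2024-03-01", f"ACC-{n}", Decimal("5.00"), "SMS CHG", "BATCH")
           for n in range(1001, 1013)]
# The skim: an insider's program debits Rs.2 from each of the same 12 accounts.
LEDGER += [("2024-03-01", f"ACC-{n}", Decimal("2.00"), "SVC CHG", "EMP-0419")
           for n in range(1001, 1013)]

# Fees the bank has actually approved: (narration, amount, initiator).
APPROVED_FEES = {("SMS CHG", Decimal("5.00"), "BATCH")}

SMALL_AMOUNT = Decimal("10.00")   # debits at or below this are "too small to notice"
MIN_ACCOUNTS = 5                  # the same small debit on this many accounts is suspicious


def find_salami_patterns(ledger, small=SMALL_AMOUNT, min_accounts=MIN_ACCOUNTS,
                         approved=APPROVED_FEES):
    """Return unapproved small debits that hit many distinct accounts, largest total first."""
    accounts = defaultdict(set)
    totals = defaultdict(Decimal)
    for date, account, amount, narration, by in ledger:
        if amount > small or (narration, amount, by) in approved:
            continue
        key = (date, amount, narration, by)
        accounts[key].add(account)
        totals[key] += amount

    findings = []
    for key, accs in accounts.items():
        if len(accs) >= min_accounts:
            date, amount, narration, by = key
            findings.append({
                "date": date, "amount": amount, "narration": narration,
                "initiated_by": by, "accounts": len(accs), "total": totals[key],
            })
    findings.sort(key=lambda f: f["total"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_salami_patterns(LEDGER):
        print(f'{f["date"]} {f["initiated_by"]} debited Rs.{f["amount"]} "{f["narration"]}" '
              f'from {f["accounts"]} accounts, total Rs.{f["total"]}')
```

Without the approved-fee list the same query also flags the genuine SMS charge, which is the point: the detector finds the shape of a salami attack, and the fee schedule is what separates an authorized bulk debit from an unauthorized one.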

5. Web Jacking
Web jacking occurs when someone forcefully takes control of a website, typically by
obtaining the administrator's password (by sniffing, cracking or phishing it) and then
changing it. Thus the first stage of this crime is stealing the credentials; afterwards
the actual owner no longer has any control over what appears on the website.

6. Hacking
It may be done for the following reasons:
a. greed
b. power
c. publicity
d. revenge
e. adventure

Every act of breaking into a computer or network without authorization is hacking,
and it is an offence. Many attackers use readymade programs and tools rather than
writing their own. Some hack for the thrill of destruction; others hack for monetary
gain, for example stealing credit card information, transferring money from other
people's bank accounts to their own and then withdrawing it, or extorting money from
a large corporation by threatening to publish stolen information that is critical in
nature.

7. Software Piracy
The Cyber Crime Investigation Cell of India defined software piracy as theft of
software through the illegal copying of genuine programs, or the counterfeiting and
distribution of products intended to pass as the original.
e.g. a. End-user copying: friends loaning disks to each other.
b. Hard-disk loading: hardware vendors loading pirated software on the machines they sell.
c. Counterfeiting: large-scale duplication and distribution of illegally copied software.
d. Illegal downloads from the internet, by intrusion, by cracking serial numbers, etc.
The following problems may be faced on buying pirated software:
a. The software is untested and may have been copied thousands of times over.
b. Pirated software may carry viruses or other malware bundled into the copy.
c. There is no technical support in case of software failure, unlike the product
support available to properly licensed users.
d. There is no warranty protection.
e. There is no legal right to use the product.

8. Email bombing/Mail bomb

Email bombing refers to sending a large number of emails to the victim in order to
crash the victim's email account (in the case of an individual) or the victim's mail
server (in the case of a company or an email service provider). A program can be
written to instruct a computer to repeatedly send email to a specified address. The
cyber criminal can thereby overwhelm the recipient's personal account and potentially
shut down the entire mail system.

9. Usenet newsgroup as a source of cyber crime

Usenet is a popular means of sharing and distributing information on a specific
topic or subject. It is a mechanism that allows information to be shared in a
many-to-many manner. It is possible to put Usenet to the following criminal uses:
A. Distribution or sale of pirated software packages
B. Distribution of hacking software
C. Sale of stolen credit card numbers
D. Sale of stolen data or stolen property.

10. Computer network intrusions:

Computer networks pose a security problem because people can reach them from
anywhere. Hackers can break into computer systems from anywhere in the world and
steal data, plant viruses, create back doors, insert Trojan horses or change user
names and passwords. Network intrusions are illegal, but detection and enforcement
are difficult. A cracker can bypass existing password protection by writing a program
that captures login IDs and passwords, so strong, unique passwords (and multi-factor
authentication where available) are important.

11. Password sniffing

Password sniffers are programs that monitor network traffic and record the user
names and passwords of users as they log in, jeopardizing security at a site.
Whoever installs the sniffer can then impersonate an authorized user and log in to
access restricted documents. Sniffing only yields passwords that cross the network
in the clear (for example over telnet, FTP or unencrypted HTTP), so encrypting
sessions with TLS or SSH is the primary technical defence; laws against unauthorized
access to information may help in apprehending crackers who use sniffer programs.
12. Credit card frauds

a. Traditional techniques
This is paper-based fraud in which a criminal uses stolen or fake documents such
as utility bills and bank statements to build up enough personally identifiable
information to open an account in someone else's name. Illegal use of lost and
stolen cards is another traditional technique; cards are stolen by pickpockets or
intercepted in the post before they reach the cardholder.

b. Modern techniques
Sophisticated techniques enable criminals to produce fake and doctored cards.
Skimming is also used to commit fraud: the information held on the magnetic stripe
on the back of the card is copied onto another card (data on the smart chip is far
harder to copy, which is why skimmers target the stripe). Site cloning and false
merchant sites on the internet are becoming a popular method of fraud. Such bogus
sites are designed so that victims hand over their card details without realizing
that they have been directed to a fake link or website.

How to prevent credit card frauds?

Do's
1) Put your signature on the card immediately upon its receipt.
2) Change the default personal identification number (PIN) received from the bank
before doing any transaction.
3) Always carry the contact numbers of your bank in case your card is lost. Report
the loss of the card to your bank immediately, and to the police if necessary.
4) Ensure the legitimacy of a website before providing any of your card details.
5) Preserve all receipts to compare against the credit card statement.

Don'ts
1) Don't store your card numbers and PINs on your mobile phone.
2) Don't lend your card to anyone.
3) Don't give out your account number over the phone without first verifying who is asking.
4) Don't leave cards and transaction receipts lying around.

13. Denial of service attack (DoS attack)

In this type of attack the attacker floods the bandwidth of the victim's network, or
fills the victim's mailbox with spam, depriving the victim of services they are
entitled to access or provide. Attackers typically target sites or services hosted
on high-profile web servers such as banks, credit card payment gateways and mobile
phone networks. The goal of DoS is not to gain unauthorized access to systems or
data but to prevent legitimate users of a service from using it.
A DoS attack may do the following:
A. Flood a network with traffic, thereby preventing legitimate network traffic.
B. Disrupt connections between two systems, thereby preventing access to a service.
C. Prevent a particular individual from accessing a service.
D. Disrupt service to a specific system or person.

14. Distributed denial of service attacks (DDoS)

In a DDoS attack, an attacker may use your computer to attack another computer by
taking advantage of security vulnerabilities or weaknesses to take control of it.
The attacker can then force your computer to send huge amounts of data to a website
or to send spam to a particular email address. The attack is "distributed" because
the attacker uses many computers, including yours, to launch the DoS attack: a large
number of compromised "zombie" systems are synchronized to attack a particular
target, so no single source has to send enough traffic to stand out on its own.
How to protect from DoS and DDoS?

a) Implement router filters (for example ingress filtering that drops packets with
spoofed source addresses), which can reduce exposure to certain DoS attacks.
b) Disable any unused or inessential network service. This limits the ability of an
attacker to take advantage of such services to execute a DoS attack.
c) Invest in redundant and fault-tolerant network configurations.
d) Establish and maintain a regular backup schedule and policies, particularly for
important configuration information.
e) Establish and maintain appropriate password policies, especially for access to
highly privileged accounts such as the Windows Administrator account.
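Detection logic for the two flood patterns described in items 13 and 14, as an added example (not from the course text): a per-source request count per 10-second window catches a single-source DoS, but a DDoS where each zombie sends only a few requests stays under any per-source limit, so the total per window must also be compared with a quiet-period baseline. The access-log lines, IP addresses and timestamps are constructed.

```python
"""Spot flooding in web-server access logs: single-source DoS vs. DDoS.

Added example, not from the course text. Two checks over constructed
Common Log Format lines, bucketed into 10-second windows:
  * per-source: one IP sending far more requests per window than any
    legitimate client would (classic single-source DoS);
  * aggregate: total requests per window against a quiet-period baseline,
    which is what exposes a DDoS where every zombie stays under the per-IP
    limit. Addresses and timestamps below are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW_SECONDS = 10


def _line(ip: str, t: datetime) -> str:
    return f'{ip} - - [{t.strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200 512'


def constructed_logs() -> list:
    """30 s of normal browsing, then a single-source flood, then a distributed one."""
    base = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Baseline: five users (198.51.100.1-5) making one request every 3 s between them.
    for i in range(10):
        lines.append(_line(f"198.51.100.{i % 5 + 1}", base + timedelta(seconds=3 * i)))
    # DoS: 203.0.113.7 sends 300 requests inside the window starting at +30 s.
    for i in range(300):
        lines.append(_line("203.0.113.7", base + timedelta(seconds=30, milliseconds=33 * i)))
    # DDoS: 200 zombies, only 4 requests each, all inside the window starting at +60 s.
    for z in range(200):
        ip = f"10.0.{z}.9"
        for k in range(4):
            lines.append(_line(ip, base + timedelta(seconds=60 + 2 * k, milliseconds=5 * z)))
    return lines


def parse(line: str):
    """Return (ip, timestamp) or None for a line that does not match CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts = m.groups()
    return ip, datetime.strptime(ts, TS_FMT)


def analyze(lines, per_ip_limit=50, baseline_windows=3, surge_factor=20) -> dict:
    """Bucket requests per (ip, window) and per window, then apply both checks.

    The baseline is taken from the first `baseline_windows` windows, which the
    caller must know to be normal traffic (e.g. the same hour on a quiet day).
    """
    per_ip_window = Counter()
    per_window = Counter()
    ips_in_window = defaultdict(set)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, t = parsed
        w = int(t.timestamp()) // WINDOW_SECONDS
        per_ip_window[(ip, w)] += 1
        per_window[w] += 1
        ips_in_window[w].add(ip)

    windows = sorted(per_window)
    baseline = max(per_window[w] for w in windows[:baseline_windows])

    flooding_ips = sorted({ip for (ip, w), n in per_ip_window.items() if n > per_ip_limit})
    surges = []
    for w in windows:
        if per_window[w] > surge_factor * baseline:
            start = datetime.fromtimestamp(w * WINDOW_SECONDS, tz=timezone.utc)
            surges.append({
                "window_start": start.isoformat(),
                "requests": per_window[w],
                "distinct_ips": len(ips_in_window[w]),
                # A surge with no single heavy source is the distributed case.
                "distributed": not any(per_ip_window[(ip, w)] > per_ip_limit
                                       for ip in ips_in_window[w]),
            })
    return {"baseline_per_window": baseline, "flooding_ips": flooding_ips, "surges": surges}


if __name__ == "__main__":
    result = analyze(constructed_logs())
    print("baseline requests / 10 s:", result["baseline_per_window"])
    print("single-source floods:", result["flooding_ips"])
    for s in result["surges"]:
        kind = "DDoS (many low-rate sources)" if s["distributed"] else "DoS (one heavy source)"
        print(f'{s["window_start"]}: {s["requests"]} requests from {s["distinct_ips"]} IPs -> {kind}')
```

The per-source list is what a router filter or rate limiter (item a above) can act on directly; the distributed surge has no single address to block, which is why DDoS defence relies on capacity, upstream scrubbing and the redundancy of item c rather than on address filtering alone.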

15. Password cracking
It is the process of recovering passwords from data that have been
stored in or transmitted by a computer system. It is categorized into:

a) Online attack
An attacker can create a script file that is executed to try each
password in a list; when one matches, the attacker can gain access
to the system. The most common online attack is the man-in-the-
middle attack. It is a form of active eavesdropping in which the
attacker places a connection between a victim and the server to
which the victim is connected. When a victim client connects to the
fraudulent server, the man-in-the-middle server intercepts the call,
hashes the password and passes the connection on to the victim's
server. This type of attack is used to obtain passwords for email
accounts on public websites such as Gmail and Yahoo, and also to obtain
passwords for financial websites in order to gain access to banking
accounts.

b) Offline attacks
Offline attacks are mostly performed from a location other than the
target (i.e. either a computer system or a network) where these
passwords reside or are used. Offline attacks usually require
physical access to the computer and copying the password file from
the system onto removable media.

Types of offline password attacks

a. Dictionary attack
Attempts to match all the words from the dictionary to get the
password

b. Brute-force attack
Attempts all possible permutations and combinations of letters,
numbers and special characters.

Guidelines about password policies

1. Passwords and user login identities should be unique.
2. Passwords should be kept private, i.e. they should not be shared
with friends, colleagues, etc.
3. Passwords should be changed every 30-45 days or less. Most
operating systems can enforce a password with an automatic
expiration and prevent repeated or reused passwords.
4. User accounts should be frozen after five or fewer failed logon
attempts. All erroneous password entries should be recorded
in an audit log for later inspection and action as necessary.
5. Sessions should be suspended after 15 minutes or another specified
period of inactivity and require the password to be re-entered.
6. Login IDs and passwords should be suspended after a specific
period of non-use.
7. Passwords used previously should not be reused when renewing
the password.
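As an added example that is not from the course notes, the Python classes below implement guidelines 3, 4, 5 and 7 above: password expiry after 45 days, freezing the account after five failed logon attempts with every failure written to an audit log, suspending an idle session after 15 minutes, and refusing a renewed password that is still in the user's history. The class and field names, the PBKDF2 parameters and the sample user are assumptions made for the example.

```python
"""Added example (not from the course notes): an account guard enforcing
password expiry, lockout after five failures with an audit log, a 15-minute
idle timeout and a ban on reusing recent passwords. Class names, thresholds
and PBKDF2 parameters are assumptions made for the example."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_FAILED = 5                            # guideline 4: freeze after five failures
EXPIRY = timedelta(days=45)               # guideline 3: change every 30-45 days
HISTORY_SIZE = 5                          # guideline 7: remember recent passwords
SESSION_TIMEOUT = timedelta(minutes=15)   # guideline 5: idle suspension


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Never store the clear text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class Account:
    def __init__(self, username, password, now):
        self.username = username
        self.history = []   # (salt, digest) pairs of recent passwords
        self.failed = 0
        self.locked = False
        self.audit = []     # (time, user, event) entries for later inspection
        self._set(password, now)

    def _set(self, password, now):
        self.salt, self.digest = hash_password(password)
        self.changed_at = now
        self.history.append((self.salt, self.digest))
        self.history = self.history[-HISTORY_SIZE:]

    @staticmethod
    def _matches(password, salt, digest):
        # constant-time comparison so timing does not leak how close a guess was
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def login(self, password, now):
        """True only for a correct, unexpired password on an unlocked account."""
        if self.locked:
            self.audit.append((now, self.username, "login refused: account frozen"))
            return False
        if not self._matches(password, self.salt, self.digest):
            self.failed += 1
            self.audit.append((now, self.username, f"bad password (failure {self.failed})"))
            if self.failed >= MAX_FAILED:
                self.locked = True
                self.audit.append((now, self.username, "account frozen"))
            return False
        if now - self.changed_at > EXPIRY:
            self.audit.append((now, self.username, "password expired"))
            return False
        self.failed = 0
        return True

    def change_password(self, new_password, now):
        """Refuse any password still present in the history (guideline 7)."""
        if any(self._matches(new_password, s, d) for s, d in self.history):
            self.audit.append((now, self.username, "password reuse rejected"))
            return False
        self._set(new_password, now)
        return True


class Session:
    def __init__(self, account, now):
        self.account = account
        self.last_activity = now

    def active(self, now):
        """False once the session has been idle longer than SESSION_TIMEOUT."""
        if now - self.last_activity > SESSION_TIMEOUT:
            return False
        self.last_activity = now
        return True


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("alice", "correct horse battery", t0)   # constructed sample user
    for _ in range(MAX_FAILED):
        acct.login("wrong guess", t0)
    print("locked:", acct.locked)
    for entry in acct.audit:
        print(entry)
```

The audit entries are what guideline 4 asks to keep for later inspection; a real deployment would write them to a log the user cannot modify and would unfreeze accounts through an administrator, not automatically.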

16. Software Keyloggers

Keystroke logging, often called keylogging, is the practice of noting
(or logging) the keys struck on a keyboard. Keystroke loggers, or
keyloggers, are a quicker and easier way of capturing passwords.
Software keyloggers are software programs installed on computer
systems which usually sit between the OS and the keyboard
hardware, so that every keystroke is recorded. Software keyloggers are
installed on a computer system by trojans or viruses without the
knowledge of the users. Cyber criminals always install such tools on the
insecure computer systems available in public places (i.e. cybercafes)
and can obtain the required information about the victim very easily.

Hardware keyloggers

To install these keyloggers, physical access to the computer system is
required. Hardware keyloggers are small hardware devices connected
to the PC and/or to the keyboard and save every keystroke into a file
or in the memory of the hardware device. Cyber criminals install such
devices on ATM machines to capture ATM card PINs. Each keypress
on the keyboard of the ATM gets registered by these keyloggers.
These keyloggers look like an integrated part of such systems, hence
bank customers are unaware of their presence.
 An anti-keylogger is a tool that can detect a keylogger installed on the
computer system and also remove it.

17. Spyware
Spyware is a type of malware that is installed on computers and
collects information about users without their knowledge. The
presence of spyware is typically hidden from the user. It is secretly
installed on the user's personal computer. Spyware programs collect
personal information about the victim such as internet surfing habits
and the websites visited. Spyware may also have the ability to change
computer settings, which may result in a slower internet
connection and slower response times, leading the user to
complain about the connection speed to the internet service
provider.
The future of technology is truly mind blowing. Artificial intelligence, robotics, quantum computing, augmented/virtual
reality, and IoT represent only a fraction of the major technological advancements that are set to reshape our world in the
coming years.
One of the most exciting and anticipated advancements, it appears, is the metaverse: a virtual space where individuals can
socialise and engage in various activities, such as concerts, video games, workspaces and so much more. The metaverse has
the potential to create new markets and industries that haven't even been thought of until now. However, as with any new
innovation, the metaverse comes with its own set of risks and challenges.

Cyber Risks of Metaverse

New space, new dangers

The metaverse was founded with the idea of bringing people together, and while this naturally offers certain advantages, it
can also present a number of challenges. Within the metaverse, users will encounter individuals whose opinions differ from
theirs, with research suggesting that people often exhibit different behaviours in virtual settings compared to the physical
world. In particular, this is seen in the field of massively multiplayer online role-playing games (MMORPGs), where regular
gamers often criticise new players, even verbally abusing female players, for simply being female.

System outages and disruptions

Due to the sheer amount of data that they contain, metaverse platforms are susceptible to a number of system disruptions,
which may result in major inconveniences for users, and in some cases, financial losses if transactions are disrupted.
Additionally, such outages may be caused by malicious actors with the intent to destabilise and disrupt the platform,
highlighting the importance of users remaining vigilant when online.

Mental health and real-world impacts

We are all probably guilty of spending a little too long looking at our screens. However, prolonged screen exposure and
extensive social media engagement, especially relating to that of the metaverse, may begin to have an effect on the
psychological well-being of the user. Extended time spent in virtual worlds could also begin to significantly disrupt sleep
patterns and quality, which would result in the users’ behaviour changing in the real world, potentially affecting work,
relationships, and simple daily routines.

Threats from bots


The widespread presence of automated bots poses a significant threat to metaverse users. These bots can be harnessed by
malicious actors to flood servers with spam, initiate DDoS attacks, or potentially seize control of user accounts. The absence
of strict regulation on metaverse platforms makes it challenging to identify and respond to these malicious bots effectively.

A lack of regulatory frameworks


As it stands, metaverse systems operate outside the regulatory framework and are not subject to the same regulations as
software platforms or traditional financial institutions. According to an article published by McKinsey, 'one of the main
challenges posed by the intersection of law, compliance, and the metaverse is the lack of clear legal frameworks'.

There are a number of aspects in the metaverse, including virtual currencies, digital property, and user-generated content,
which have legal implications that remain unclear or are not understood at this time.

Virtual currencies and fraudulent activity


Virtual currencies enable users of metaverse platforms to buy virtual goods and unlock access to premium content. But as
with any online purchases, there are risks associated with using virtual money and assets. One such threat is the risk of
financial loss if users fail to exercise caution due to the fluctuation of asset value. Additionally, the use of virtual currencies
may make consumers more vulnerable to fraudulent activities and scams, primarily due to the lack of regulations compared
to traditional currencies.

Ransomware attacks

Ransomware refers to malicious software that has been designed to encrypt users’ data, preventing both the user and others
from accessing it. Following this encryption, a message will typically be displayed on the screen with the hacker demanding
a specific sum of money in order for the user to restore access to their data. A user’s metaverse profile contains a wealth of
information, often including sensitive data, far beyond that of a typical social media page, which renders it highly vulnerable
to these types of attacks.

Collection of unauthorised data

Data collection is an integral component of the metaverse experience. As users engage in these virtual environments, the
platform gathers information about their actions and preferences, even their physical attributes through avatars, which can
possibly lead to an increased risk of discrimination. Once accumulated, this data can then be used for unwanted targeted
advertising or sold to third parties for financial gain, heightening the risk of unauthorised use of personal data. As well as
this, businesses may no longer require an individual's consent or independent verification to access and maintain their data,
due to the metaverse’s decentralised nature.

Harassment, cyberbullying, and safety of children


Mental health and well-being within the metaverse have been gaining some significant traction in the news. In this digital
age, young adults and children in particular are extremely susceptible to cyberbullying and harassment online and are being
exposed to a range of explicit content. According to experts, the metaverse's human experience is as authentic as our
experiences in the physical world, therefore safeguarding users of any age in the metaverse is of utmost importance.
In order to begin combating these types of challenges, Meta launched Personal Boundary for the online game, Horizon
Worlds, which will give users greater control of their VR experience. Personal Boundary is an invisible four-foot barrier
feature that surrounds a user’s avatar in order to keep non-friends from getting too close.

Identity Theft

The decentralised structure of the metaverse makes it considerably easier for cybercriminals to stealthily access users' data,
resulting in private information being more susceptible to fraud or unauthorised access to their accounts or services. Identity
theft in the metaverse is a cause for concern, as there are no current measures to prevent a user from creating a digital avatar
that replicates another person's identity and appearance.

To address these issues effectively, user authentication needs to be implemented, combining biometric verification with
multi-factor authentication and integrating blockchain technology. Through the use of biometric data like fingerprints, facial
recognition, and voice recognition, we will begin to see a reduction in identity theft and fraud risks, since biometric data is
considerably more challenging to replicate compared to conventional identification methods.
Data Privacy and Data Protection

1. Data Privacy:
Data Privacy refers to the proper handling of data, i.e. how an organization or user
determines whether, and which, data is to be shared with third parties. Data privacy is
important as it keeps some data secret from others/third parties. Data privacy is all about
authorized access. It is also called Information privacy.

Example –
In a bank, many customers hold accounts for monetary transactions. So the bank
needs to keep customers' data private, so that customers' identities stay as safe and protected
as possible by minimizing any external risks; this also helps in maintaining the
reputation of the bank.

2. Data Protection:

Data Protection refers to the process of keeping important information safe. In simple
terms, it refers to protecting data against unauthorized access, so that there is no corruption,
compromise, loss or security issue with the data. Data protection applies to all forms
of data, whether personal data or organizational data.
Example –
A bank has many customers, so the bank needs to protect all types of data, including the
bank's own records as well as customer information, from unauthorized access to keep
everything safe and to ensure everything is under the control of the bank's administration.
The terms Data Privacy and Data Protection are used interchangeably and seem to be the same.
But actually they are not the same. In reality they can have different meanings depending
upon the actual process and use. But it is certain that they are very closely interconnected and one
complements the other during the entire process. So, now let's see how Data Privacy is
different from Data Protection in the table below.

Difference between Data Privacy and Data Protection :

S.No.  Data Privacy  /  Data Protection

01.  Data Privacy: refers to maintaining secrecy or keeping control over data access.
     Data Protection: is the process of protecting data from external risks such as corruption, loss, etc.

02.  Data Privacy: is all about authorized access, i.e. it defines who has authorized access to the data.
     Data Protection: is all about unauthorized access, i.e. if someone is not allowed to access the data, it keeps the data safe from that unauthorized access.

03.  Data Privacy: is a legal process/situation which helps in establishing standards and norms about accessibility.
     Data Protection: is a technical control system which keeps data protected from technical issues.

04.  Data Privacy: is the regulations or policies.
     Data Protection: is the procedures and mechanisms.

05.  Data Privacy: can be seen as security against sales, i.e. keeping the data from being shared and sold.
     Data Protection: can be seen as security against hacks, i.e. keeping the information away from hackers.

06.  Data Privacy: controls mainly exist at the end-user level. The user knows which data is shared with whom and which data they can access.
     Data Protection: is mainly controlled at the organization or company end. They take all the required measures to protect their data from being exposed to illegal activities.

07.  Data Privacy: teams are made up of experts in law making and policies, along with some engineering experts.
     Data Protection: teams are made up of experts from technical and security backgrounds, etc.

Data Privacy on social media :

The main revenue source for social media applications is selling advertisements, but
this is not the only way. Take the example of Facebook. Facebook does
user profiling on the basis of demographics, the brands you like, the movies you
see, etc. and shows you relevant advertisements, links to apps of your interest and so
on.
Facebook even keeps track of activities that you do in the offline world, which are not
even shared on the platform.
Please read the Terms and Conditions carefully.
Go through the privacy settings in your account. Don't rely on default settings.

Stop clicking on posts like “Check your death day”, “Find which celebrity you look
like” and so on.
Install good antivirus software on your laptop and phone.

Turn off your location. Some sites even keep track of your activities in the offline world,
but turning off location will at least keep the loss to a minimum.

Don't forget to set up Security Answers.

Never leave your account logged in. You are in a way inviting cyber criminals to hack
your account or act as an impostor.

Always check and analyse your post before posting. Try not to put too many revealing
photos online.
Always try to create a strong password for a site and try to change it at regular intervals.
Never set the same password for multiple sites.
Below is a list of a few security threats that we might face in social media accounts:
1. Most social networking sites hold information like your birthday or email address.
A hacker can hack your email account by using this social information and gain
access to all the information he/she wants. You don't need to hide all
information. You just need to take the following precautions:
 Always set strong passwords. Don't go for easy passwords built
using your birthday or child's name etc., i.e. from information
that is easily accessible from the social media account.
 Don't reveal too much information in a post. Be careful with what
you post online. For example, if I write “Happy Mother's Day Mumma
Richa Sahani”, one can guess the answer to one of my
security questions, “What is your Mother's Maiden Name?”. This is how
thieves get information by just analyzing your
posts. They get so much information that they can even compromise
your account.
 Don't reveal your location. Try to keep the location section either
blank or set it to a false location.
 Do not use social media accounts from untrusted devices and
networks in hotels, cafés, hospitals etc.
 Do not elect to remember passwords/passphrases for social media
accounts when offered by web browsers.
2. With the advent of social media like Twitter, URL shorteners have come into the
picture. Twitter allows a post to be a maximum of 280 characters, thus limiting
the size and amount of information that can be shared. Shortened URLs can
trick users into visiting harmful sites since the full URL is not visible. It is best to
keep the following points in mind before clicking on a shortened URL to avoid being
hacked.
 Before clicking a link, place the cursor on the shortened URL. This
will show the complete URL and will give you an idea about where
the full URL actually points.
 Check the shortened URL using the services that are available online
like Sucuri to check whether the link is secure or not.
 Use services like URL Void or MyWOT to check the safety status of
the link.
3. Avoid posting too many details online. Would you ever stand in the middle of a
crowd and shout that you are going on a vacation to such and such a place? So why
post all the details of your trip on social media, with every second detail
like “Travelling to London, United Kingdom from Air India Business Lounge New
Delhi”? You are clearly handing your house keys to burglars. Try to take the following
precautions while posting any information online:
 Avoid posting specific travel plans and itinerary. Never mention
exact date and time.
 Never post photos during the trip. Try to post photos after your
return home from the vacation.
 Try to stay offline during vacation.
 Use the highest privacy controls to let only selective groups like
family, selected friends to view your status updates and photos.
4. Have you ever wondered how, after we see a product on Flipkart and then open
another site, it shows advertisements related to the product that we
earlier searched for on Flipkart? Every time we visit a website, it puts an invisible
marker, called a cookie in technical terms, on our computer. The job of these
cookies is to track user activity as we navigate from one site to another. This
is the reason we see advertisements of our interest on the new
page that we open. Cookies are the major loophole in the entire security scenario.
Most sites provide an option to opt out of the tracking feature, but if you don't
get that option, please be careful to clear the cache and the cookies on your
browser regularly.
I hope that after such a detailed discussion on Privacy and Security in Social Media,
you will surely try to implement these steps and try to achieve a private and secure social
media account.

Ways to protect Online Data Privacy

There is a cool new gaming app available online. Now, what do you do if you want to
download it? Well, you quickly run through the terms and conditions without looking and
then move right on to the game. And what if a site wants to store your credit card
information? You may allow it to do this so that you don’t have to enter the data again
and again.

But have you ever wondered what happens to the data that you so casually share online?

This data may end up in the hands of third-party companies that use it to analyze your
online habits and create a profile that can be used in various ways like customized ads etc.
And that’s the relatively harmless option. In the worst-case scenario, your online data can
also be used maliciously to cause great personal or financial harm. So what are the steps
you can take to protect your online data privacy and prevent these things from occurring?
This article provides you some basic tips that will make your online presence much more
private and secure.

1. Always Browse in Anonymous Mode


Browsing in Anonymous Mode is only the first line of defense! Incognito Mode on Google
Chrome or Private Windows on Firefox and Safari only provides an extra layer of
protection and not complete online privacy. That's maybe not even possible!!!

But what anonymous mode can do for you is block cookies so that most online tracking of
you is defeated. Normally you see ads on websites that are tailored according to your
browser history and the sites you have visited. This is achieved using cookies that store
information about your online interactions. And browsing in Anonymous Mode is the first
step in blocking these cookies and achieving more privacy online.

2. Change Your Default Search Engine with a Privacy-Focused Search Engine

Do you ever wonder how the search engine you are using is making money? How are they
paying for the service they are offering you? Well, there are only 2 ways for the search
engine to do that and that’s either using donations from people or using profits from ads.

And if the search engine is free for you, then most likely it’s making money using you!!!
Search engines record all your data from your searching habits such as your likes and
dislikes, your personal information, etc. Then they sell this data about customer profiles to
various advertisers and make money off that.

In case you wish to avoid that, use a search engine that is funded by donations and is
privacy oriented. Some examples of these alternate search engines that you can use
are DuckDuckGo, Qwant, Startpage, etc.

3. Use End-to-End Encrypted Messaging Apps

Most messaging apps employ encryption, but it’s only encryption in transit which means
that your encrypted messages are decrypted on the provider’s side and then stored in
servers. But that’s hardly safe! So it’s best to use end-to-end encrypted messaging apps to
provide you some privacy. The most popular end-to-end encrypted messaging app that
you can use is WhatsApp. Other options are Viber, LINE, Telegram, etc.

4. Use a VPN to Protect Yourself from Service Providers

Do you think that if you are browsing the internet from your home connection your data is
safe? In fact, there is a high chance that your internet service provider may actually be
collecting and selling your browsing data to third parties. And it's not even illegal to do so
since the data protection laws are quite unclear.
You can use a VPN (Virtual Private Network) that creates a private network across a
public network. So your data will be encrypted in this manner and no other third party
will be able to view it. Some of the good VPN services for usage
are ExpressVPN, NordVPN, Hotspot Shield, IPVanish etc.

5. Enforce Browser Security with these Extensions

You can always improve your online privacy and increase your security by using
some extensions and online security tools. For example: Make HTTPS Everywhere
extension your best friend as it will encrypt your communication with most websites
leading to a secure connection with fewer chances of anyone snooping in.
The Ghostery Browser Extension is another great option as that will make your online
browsing much safer by detecting and blocking all the third-party data-tracking items.

Also, another great online security tool is AdBlock. This handy little tool will filter out all
the annoying ads you don’t want and also protect you from malicious ads that can be used
to infect your machine.
Another free cybersecurity tool is CheckShortURL that checks where shortened URLs are
taking you because double-checking is always good!

6. Don’t Use Public Storages for Private Information

You should definitely not use public storages that are meant for sharing data for storing
private information as that is hardly safe! For example, it's not a good idea to store
your passwords or other confidential information in Google Docs as it is relatively easy
to access them from there.
Similarly, don’t store important scans or other documents in your Dropbox unless they are
in an encrypted archive.

Always assume that all information stored on public storages may actually become public
at some point (accidentally or on purpose) and so store that information accordingly.

7. Stay Private on Wi-Fi Networks

There is no encryption on public Wi-Fi networks and so anyone can snoop onto your
connections and access your data.
So if you are just using public Wi-Fi networks, you are risking the loss of your personal
information, the leakage of your digital identity and even loss of money in the worst cases.
So always avoid transmitting any sensitive data like logins, credit card data,
passwords, etc. over public Wi-Fi if you are using it. Also, use a VPN as that creates a
private network across the public Wi-Fi network. So your data will be encrypted in this
manner and no other third party will be able to view it.

8. Use Secure Passwords

Using weak or basic passwords to secure your important information is like keeping the
key next to the lock! So make sure to keep secure and complex passwords for your data if
you want them to be useful. Passwords should be sufficiently long and complex, with at
least 12 characters including upper- and lower-case letters, numbers and special
characters. Also, never use personal information like your name, birthday, pet's name, etc.
for your password as that is easy information to guess.
Another basic thing to remember is that you should not use the same password for
multiple applications. Now it may be difficult to remember multiple unique passwords,
but it is worth it if you want to protect your data.
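As an added example, not taken from the article, the Python checker below enforces the rule just stated (at least 12 characters with upper- and lower-case letters, numbers and special characters) and goes one step further by rejecting passwords that contain the user's own personal details or common dictionary words, which are the first guesses a dictionary attack tries. The word list and the sample personal details are constructed for the example, and common letter-for-symbol substitutions are undone before comparing so that "P@ssw0rd" is still recognised as "password".

```python
"""Added example (not from the article): password checker for the
"12+ characters, mixed case, digits and specials" rule that also rejects
personal details and dictionary words. The word list is a constructed
stand-in for a real cracking dictionary."""
import string

# Constructed mini dictionary; real attack word lists hold millions of entries.
COMMON_WORDS = ("password", "welcome", "qwerty", "letmein", "admin", "summer")

# Common substitutions attackers also try, so they add no real strength.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "@": "a", "$": "s", "!": "i"})


def _normalise(text):
    """Lower-case and undo leet substitutions, e.g. 'P@ssw0rd' -> 'password'."""
    return text.lower().translate(_LEET)


def _contains(password, token):
    """True if token appears in the password literally or after normalising both."""
    return token.lower() in password.lower() or _normalise(token) in _normalise(password)


def check_password(password, personal=(), min_length=12, words=COMMON_WORDS):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    required = {
        "upper-case letter": any(c.isupper() for c in password),
        "lower-case letter": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special character": any(c in string.punctuation for c in password),
    }
    problems.extend(f"no {name}" for name, present in required.items() if not present)
    # Personal details (name, birthday, pet's name) are easy to read off a social
    # media profile; reject any fragment of three or more characters.
    for item in personal:
        token = str(item)
        if len(token) >= 3 and _contains(password, token):
            problems.append(f"contains personal detail '{item}'")
    for word in sorted(words):
        if _contains(password, word):
            problems.append(f"contains dictionary word '{word}'")
    return problems


def is_strong(password, personal=()):
    """Convenience wrapper: True when check_password reports nothing."""
    return not check_password(password, personal)


if __name__ == "__main__":
    # Constructed sample user details, the kind a profile reveals.
    details = ("Richa", "1990", "Bruno")
    for candidate in ("P@ssw0rd2024!!", "Richa1990!xyzAB", "correct-Horse7battery%"):
        print(candidate, "->", check_password(candidate, details) or "OK")
```

The checker complements, rather than replaces, the advice on unique passwords: a strong password reused across sites still falls with the first site that leaks it.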

9. Evade Tracking on Websites

Websites use cookies to gather information relating to your browsing history. These
websites can also sell this analysis based on customer profiles to various third parties and
make money off that. In case you wish to avoid that, make sure you have at least some
control over where your data ends up. Therefore, it is best to control your cookies settings
so that websites cannot access your data without your permission. You can do this
on Chrome by clicking Cookies under Privacy and Security and then clicking off the
cookies.

10. Change Your Social Media Privacy Settings

The biggest mistake you can make is just to keep on using the default settings as social
media companies also make money as search engines do. By selling all your online data to
the highest bidder!
Adjust your social media privacy settings to provide the maximum possible privacy. For
example, you can change the privacy settings on Facebook to regulate which of your posts,
locations, faces, etc. are freely available.
Data Protection Laws in India

Data Protection refers to the set of privacy laws, policies and procedures that aim to minimise intrusion into one's privacy
caused by the collection, storage and dissemination of personal data.

Personal data generally refers to the information or data which relate to a person who can be identified from that information
or data whether collected by any Government or any private organization or an agency.

India presently does not have any express legislation governing data protection or privacy. However, the relevant laws in
India dealing with data protection are the Information Technology Act, 2000 and the (Indian) Contract Act, 1872. A codified
law on the subject of data protection is likely to be introduced in India in the near future.

The (Indian) Information Technology Act, 2000 deals with the issues relating to payment of compensation (Civil) and
punishment (Criminal) in case of wrongful disclosure and misuse of personal data and violation of contractual terms in
respect of personal data.

The primary objectives of the IT Act, 2000 are:

 Granting legal recognition to all transactions done through electronic data exchange, other means of electronic
communication or e-commerce in place of the earlier paper-based communication.

 Providing legal recognition to digital signatures for the authentication of any information or matters requiring
authentication.

 Facilitating the electronic filing of documents with different Government departments and also agencies.

 Facilitating the electronic storage of data

 Providing legal sanction and also facilitating the electronic transfer of funds between banks and financial
institutions.

 Granting legal recognition to bankers for keeping the books of accounts in an electronic form. Further, this is
granted under the Evidence Act, 1891 and the Reserve Bank of India Act, 1934.
Features of the Information Technology Act, 2000

a. All electronic contracts made through secure electronic channels are legally valid.

b. Legal recognition for digital signatures.

c. Security measures for electronic records and also digital signatures are in place

d. A procedure for the appointment of adjudicating officers for holding inquiries under the Act is finalized

e. Provision for establishing a Cyber Regulations Appellate Tribunal under the Act. Further, this tribunal will
handle all appeals made against the order of the Controller or Adjudicating Officer.

f. An appeal against the order of the Cyber Appellate Tribunal is possible only in the High Court

g. Digital Signatures will use an asymmetric cryptosystem and also a hash function

h. Provision for the appointment of the Controller of Certifying Authorities (CCA) to license and regulate the
working of Certifying Authorities. The Controller to act as a repository of all digital signatures.

i. The Act applies to offences or contraventions committed outside India

j. Senior police officers and other officers can enter any public place and search and arrest without warrant

k. Provisions for the constitution of a Cyber Regulations Advisory Committee to advise the Central Government
and Controller.
The Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules, 2011. The Rules deal only with protection of "Sensitive personal data or information
of a person", which includes personal information relating to:-

 Passwords;
 Financial information such as bank account or credit card or debit card or other payment instrument details;
 Physical, physiological and mental health condition;
 Sexual orientation;
 Medical records and history;
 Biometric information.

The Rules provide the reasonable security practices and procedures which a body corporate, or any person who on behalf of
a body corporate collects, receives, possesses, stores, deals with or handles information, is required to follow while dealing with
"Sensitive personal data or information". In case of any breach by the body corporate or any other person acting on its behalf,
the body corporate may be held liable to pay damages to the person so affected.

Under section 72A of the (Indian) Information Technology Act, 2000, disclosure of information, knowingly and
intentionally, without the consent of the person concerned and in breach of a lawful contract, has also been made
punishable with imprisonment for a term extending to three years and a fine extending to Rs 5,00,000.

It is to be noted that section 69 of the Act, which is an exception to the general rule of maintaining the privacy and secrecy
of information, provides that where the Government is satisfied that it is necessary or expedient in the interest of:

 the sovereignty or integrity of India,
 defence of India,
 security of the State,
 friendly relations with foreign States,
 public order,
 preventing incitement to the commission of any cognizable offence relating to the above, or
 the investigation of any offence,

it may by order direct any agency of the appropriate Government to intercept, monitor or decrypt, or cause to be
intercepted, monitored or decrypted, any information generated, transmitted, received or stored in any computer
resource. This section empowers the Government to intercept, monitor or decrypt any information, including information of
a personal nature, in any computer resource. The procedure and safeguards for exercising this power are laid down in the
Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

Where the information is such that it ought to be divulged in public interest, the Government may require disclosure of such
information. Information relating to anti-national activities which are against national security, breaches of the law or
statutory duty or fraud may come under this category.

Information Technology Act, 2000

The Information Technology Act, 2000 (hereinafter referred to as the "IT Act") is an Act to provide legal recognition
for transactions carried out by means of electronic data interchange and other means of electronic communication,
commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of
communication and storage of information, and to facilitate electronic filing of documents with Government agencies.

The Government has also notified the Information Technology (Procedure and Safeguards for Blocking for Access of
Information by Public) Rules, 2009 under section 69A of the IT Act, which govern the blocking of websites. The Government
has used this power to block access to a number of websites.

Penalty for Damage to Computer, Computer Systems, etc. under the IT Act

Section 43 of the IT Act makes any person who, without the permission of the owner or any other person in charge of a
computer, computer system or computer network, does any of the following acts liable to pay damages by way of
compensation to the person so affected; since the 2008 amendment the section prescribes no upper limit on the amount:

1. accesses or secures access to such computer, computer system or computer network;

2. downloads, copies or extracts any data, computer data base or information from such computer, computer system or
computer network, including information or data held or stored in any removable storage medium;

3. introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or
computer network;

4. damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any
other programmes residing in such computer, computer system or computer network;

5. disrupts or causes disruption of any computer, computer system or computer network;

6. denies or causes the denial of access to any person authorised to access any computer, computer system or computer
network by any means;

7. provides any assistance to any person to facilitate access to a computer, computer system or computer network in
contravention of the provisions of this Act, rules or regulations made thereunder;

8. charges the services availed of by a person to the account of another person by tampering with or manipulating any
computer, computer system or computer network;

9. destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it
injuriously by any means;

10. steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code
used for a computer resource with an intention to cause damage.

Tampering with Computer Source Documents as provided for under the IT Act, 2000

Section 65 of the IT Act lays down that whoever knowingly or intentionally conceals, destroys, or alters any computer
source code used for a computer, computer programme, computer system or computer network, when the computer source
code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to
three years, or with fine which may extend up to Rs 2,00,000, or with both.

Computer related offences

Section 66 provides that if any person, dishonestly or fraudulently does any act referred to in section 43, he shall be
punishable with imprisonment for a term which may extend to three years or with fine which may extend to Rs 5,00,000 or
with both.

Penalty for Breach of Confidentiality and Privacy

Section 72 of the IT Act provides a penalty for breach of confidentiality and privacy. It provides that any person
who, in pursuance of any of the powers conferred under the IT Act or the rules or regulations made thereunder, has secured
access to any electronic record, book, register, correspondence, information, document or other material and, without the
consent of the person concerned, discloses such material to any other person, shall be punishable with imprisonment for a
term which may extend to two years, or with a fine which may extend to Rs 1,00,000, or with both.

Amendments as introduced by the IT Amendment Act, 2008

Section 10A was inserted in the IT Act to settle the validity of contracts formed through electronic means: such contracts
"shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose".

The following important sections have been substituted and inserted by the IT Amendment Act, 2008:

1. Section 43A – Compensation for failure to protect data.

2. Section 66 – Computer Related Offences

3. Section 66A – Punishment for sending offensive messages through communication service, etc. (This provision had been
struck down by the Hon'ble Supreme Court as unconstitutional on 24th March 2015 in Shreya Singhal vs. Union of India)

4. Section 66B – Punishment for dishonestly receiving stolen computer resource or communication device.
5. Section 66C – Punishment for identity theft.

6. Section 66D – Punishment for cheating by personation by using computer resource.

7. Section 66E – Punishment for violation of privacy.

8. Section 66F – Punishment for cyber terrorism.

9. Section 67 – Punishment for publishing or transmitting obscene material in electronic form.

10. Section 67A – Punishment for publishing or transmitting of material containing sexually explicit act, etc, in electronic
form.

11. Section 67B – Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc, in
electronic form.

12. Section 67C – Preservation and Retention of information by intermediaries.

13. Section 69 – Powers to issue directions for interception or monitoring or decryption of any information through any
computer resource.

14. Section 69A – Power to issue directions for blocking for public access of any information through any computer
resource.

15. Section 69B – Power to authorize to monitor and collect traffic data or information through any computer resource for
cyber security.

16. Section 72A – Punishment for disclosure of information in breach of lawful contract.

17. Section 79 – Exemption from liability of intermediary in certain cases.

18. Section 84A – Modes or methods for encryption.

19. Section 84B – Punishment for abetment of offences.

20. Section 84C – Punishment for attempt to commit offences.


Email Spoofing

Email spoofing is a technique used in spam and phishing attacks to trick users into
thinking a message came from a person or entity they either know or can trust. In
spoofing attacks, the sender forges email headers so that client software displays
the fraudulent sender address, which most users take at face value. Unless they
inspect the headers more closely, users see only the forged sender in a message. If it's a
name they recognize, they're more likely to trust it, and so to click malicious links,
open malware attachments or send sensitive data.

Email spoofing is possible because of the way email is designed. The visible From:
address is written into the message by the sending client, and nothing in the message
format ties it to the account that submitted the message or to the envelope sender that
the mail servers see. The receiving side can only check it indirectly, by verifying the
sending domain through SPF, DKIM and DMARC; even those checks only establish whether the
domain authorised the sending server, not whether the named person wrote the message.
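To make that concrete, here is an added example (not code from the original notes): it shows that a mail client can put any address it likes in From:, and what a receiving side can still check once its own mail server has recorded the envelope sender (Return-Path) and its SPF/DKIM/DMARC results in an Authentication-Results header (RFC 8601). The two raw messages, the domains and the host names are constructed for illustration.

```python
import email
import re
from email.message import EmailMessage
from email.utils import parseaddr


def forge_from_header(claimed_from: str, to: str) -> EmailMessage:
    """A mail client decides what goes in From:; the message format does not
    require it to match the submitting account or the envelope sender."""
    msg = EmailMessage()
    msg["From"] = claimed_from          # this is what the recipient's client displays
    msg["To"] = to
    msg["Subject"] = "Your account will be suspended"
    msg.set_content("Click the link below to verify your account.")
    return msg


# Constructed sample: the same kind of message after a receiving MTA has added
# Return-Path (the envelope sender) and its authentication results.
SPOOFED_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10])
 by mx.example.org with ESMTP id 4f2a1c
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "PayPal Support" <service@paypal.com>
To: victim@example.org
Subject: Your account will be suspended

Click the link below to verify your account.
"""

# Constructed sample of a message that passes every check.
LEGIT_RAW = """\
Return-Path: <service@paypal.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your monthly statement

Your statement is ready.
"""


def header_domain(header_value) -> str:
    """Domain part of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spoof_indicators(raw: str) -> list:
    """Reasons a receiving side should distrust the From: header.

    Empty list means: the envelope sender is in the same domain as From: and
    SPF, DKIM and DMARC all passed. Anything else is a reason to look closer.
    """
    msg = email.message_from_string(raw)
    findings = []
    from_dom = header_domain(msg["From"])
    envelope_dom = header_domain(msg["Return-Path"])
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"From domain {from_dom!r} differs from Return-Path domain {envelope_dom!r}")
    results = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", results)
        if m is None:
            findings.append(f"no {mech} result")
        elif m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1)}")
    return findings


if __name__ == "__main__":
    forged = forge_from_header('"PayPal Support" <service@paypal.com>', "victim@example.org")
    print(forged["From"])                        # chosen freely by the client
    print(spoof_indicators(forged.as_string()))  # no MTA headers yet, so nothing to verify
    print(spoof_indicators(SPOOFED_RAW))
    print(spoof_indicators(LEGIT_RAW))
```

The freshly forged message carries no evidence of its own: every check the receiver can make depends on headers its own mail server adds on arrival, which is why a client should never trust a From: line that has not been through those checks.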

How Email spoofing works and Example

The goal of email spoofing is to trick users into believing the email is from someone
they know or can trust—in most cases, a colleague, vendor or brand. Exploiting that
trust, the attacker asks the recipient to divulge information or take some other action.

As an example of email spoofing, an attacker might create an email that looks like it
comes from PayPal. The message tells the user that their account will be suspended
if they don’t click a link, authenticate into the site and change the account’s
password. If the user is successfully tricked and types in credentials, the attacker
now has credentials to authenticate into the targeted user’s PayPal account,
potentially stealing money from the user.

More complex attacks target financial employees and use social engineering to trick
a targeted user into sending millions to an attacker’s bank account.

To the user, a spoofed email message looks legitimate, and many attackers will take
elements from the official website to make the message more believable.

Spamming

Spamming is the bulk sending of unsolicited messages. Sometimes the only aim is to annoy the
recipient and fill their mailbox; often the intent is to do harm or to obtain valuable data.
Spam messages are unsolicited emails sent in bulk, whose content is of no interest to the
recipient and which carry unwanted information, links or attachments. Some of them are harmful
to the recipient or to their system.

Types of spam

Spammers use many forms of communication to bulk-send their unwanted
messages. Some of these are marketing messages peddling unsolicited goods.
Other types of spam messages can spread malware, trick you into divulging
personal information, or scare you into thinking you need to pay to get out of trouble.

Email spam filters catch many of these types of messages, and phone carriers often
warn you of a “spam risk” from unknown callers. Whether via email, text, phone, or
social media, some spam messages do get through, and you want to be able to
recognize them and avoid these threats.

Phishing emails

Phishing emails are a type of spam cybercriminals send to many people, hoping to
“hook” a few people. Phishing emails trick victims into giving up sensitive information
like website logins or credit card information.

Email spoofing

Spoofed emails mimic, or spoof, an email from a legitimate sender, and ask you to
take some sort of action. Well-executed spoofs will contain familiar branding and
content, often from a large well-known company such as PayPal or Apple. Common
email spoofing spam messages include:

A request for payment of an outstanding invoice

A request to reset your password or verify your account

Verification of purchases you didn’t make

Request for updated billing information

Tech support scams

In a tech support scam, the spam message indicates that you have a technical
problem and you should contact tech support by calling the phone number or clicking
a link in the message. Like email spoofing, these types of spam often say they are
from a large technology company like Microsoft or a cybersecurity company like
Malwarebytes.

If you think you have a technical issue or malware on your computer, tablet, or
smartphone, you should always go to the official website of the company you want to
call for tech support to find the legitimate contact information.

Advance fee scams

This type of spam promises a financial reward if you first provide a cash advance.
The sender typically indicates that this cash advance is some sort of processing fee
or earnest money to unlock the larger sum, but once you pay, they disappear.
While it may not be possible to avoid spam altogether, there are steps you can take
to help protect yourself against falling for a scam or getting phished from a spam
message.

All of us can fall victim to phishing attacks. We may be in a rush and click a malicious
link without realizing. If a new type of phishing attack comes out, we may not readily
recognize it. To protect yourself, learn to check for some key signs that a spam
message isn't just annoying but is a phishing attempt:

Sender's email address: If an email from a company is legitimate, the sender's email
address should match the domain of the company it claims to represent.
Sometimes the difference is obvious, but other times it is less noticeable, like
example@paypa1.com (with the digit 1) instead of example@paypal.com. Bear in mind that the
displayed sender can itself be forged, so a matching domain is necessary but not sufficient.

Missing personal information: If you are a customer, the company should have your
information and will likely address you by your first name. A missing personal
greeting alone isn’t enough to spot a phishing email, but it’s one thing to look for,
especially in messages that say they are from a company with whom you do
business. Receiving an email that says your account has been locked or you owe
money is cause to worry, and sometimes we rush to click a link in order to fix the
problem. If it’s phishing, that’s exactly what the sender wants, so be careful and
check if the email is generic or addressed specifically to you.

Links: Beware of all links, including buttons in an email. If you get a message from a
company with whom you have an account, it’s wise to log in to your account to see if
there is a message there rather than just clicking the link in the message without
verifying first. You can contact the company to ask if a suspicious message is
legitimate or not. If you have any doubts about a message, don’t click any links.

Grammatical errors: We all make them, but a company sending out legitimate
messages probably won’t have a lot of punctuation errors, poor grammar, and
spelling mistakes. These can be another red flag to indicate that the email could be
suspect.

Too-good-to-be-true offers: Many phishing messages pretend to be from large, well-known
companies, hoping to ensnare readers who happen to do business with the
company. Other phishing attempts offer something for free like cash or a desirable
prize. The saying is often true that if something sounds too good to be true it
probably is, and this can be a warning that a spam message is trying to get
something from you, rather than give you something.

Attachments: Unless you are expecting an email with attachments, always be wary
before opening or downloading them. Using anti-malware software can help by
scanning files that you download for malware.
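The "sender's email address" and "links" checks above can be automated. The following is an added example, not code from the original notes: it collapses look-alike characters so that paypa1.com compares equal to paypal.com, flags a trusted brand name buried inside some other domain, and compares the visible text of each link in an HTML message with where its href really points. The allow-list, the confusable-character table and the sample message are constructed for illustration; a production version would use the public suffix list and a full Unicode confusables table rather than the handful of substitutions shown here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of brands the organisation's users actually deal with.
TRUSTED_DOMAINS = {"paypal.com", "apple.com", "microsoft.com"}

# Substitutions that read alike in common fonts: paypa1 -> paypal, rnicrosoft -> microsoft.
_CONFUSABLE_CHARS = str.maketrans({"1": "l", "0": "o", "5": "s", "|": "l", "!": "i"})


def skeleton(host: str) -> str:
    """Collapse look-alike characters so visually similar names compare equal."""
    s = host.lower().strip(".").translate(_CONFUSABLE_CHARS)
    return s.replace("rn", "m").replace("vv", "w")


def registrable(host: str) -> str:
    """Last two labels of a host. Rough: real code would consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(host: str) -> str:
    """'trusted' on an exact match; 'lookalike' if a trusted brand is imitated anywhere
    in the name (paypa1.com, paypal.com.evil.example); otherwise 'unknown'."""
    if registrable(host) in TRUSTED_DOMAINS:
        return "trusted"
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    if any(brand in skeleton(host) for brand in brands):
        return "lookalike"
    return "unknown"


# Does the visible link text itself look like a URL or domain?
_URLISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str) -> list:
    """For each link: where it really goes, how that host classifies, and whether the
    visible text shows a different site from the href (the classic bait)."""
    parser = _LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown_host = ""
        if _URLISH.fullmatch(text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
        mismatch = bool(shown_host) and registrable(shown_host) != registrable(real_host)
        report.append({"href": href, "text": text, "host": real_host,
                       "verdict": classify_domain(real_host), "mismatch": mismatch})
    return report


# Constructed phishing body: the first link shows one site and goes to another, the
# second is genuine, the third hides the brand in a subdomain of an unrelated domain.
SAMPLE_HTML = """
<p>Dear customer, your account will be suspended.</p>
<p><a href="http://paypa1.com/login">https://www.paypal.com/login</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
<p><a href="http://paypal.com.verify-account.example/">Verify now</a></p>
"""

if __name__ == "__main__":
    for row in audit_links(SAMPLE_HTML):
        print(row)
```

The brand-substring rule errs on the side of flagging (pineapple.example would be reported as imitating apple.com), which is the right bias for a mail filter that only adds a warning banner; tune the allow-list before using it to block.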

Report spam

Email providers have gotten pretty good at filtering out spam, but when messages
make it through to your inbox, you can report them. This is true for spam calls and
text messages, as many carriers give you the ability to report spam as well. You can
also choose to block the sender, often in the same step as reporting the message.

Reporting spam can help your email provider or phone service carrier get better at
detecting spam. If legitimate emails get sent to your spam filter, you can report that
they should not be marked as spam, and that also provides useful information on
what should not be filtered. Another helpful step is to add senders you want to hear
from to your contacts list proactively.
Identity Theft

Identity theft is a fraud involving the use of another person's identity for an illicit purpose. It occurs
when a criminal uses someone else's identity for his or her own illegal ends.

Examples: fraudulently obtaining credit, stealing money from the victim's bank account,
using the victim's credit card number.

How to prevent being victim of identity theft

Security measures, with a brief description of each:

1. Monitor your credit closely: The credit report contains information about your credit accounts and
bill-paying history, so it can tip you off when someone is impersonating you. Watch for suspicious
signs such as accounts you did not open. You can also consider identity protection services, which
range from credit monitoring to database scanning, for extra security.

2. Keep records of your financial data and transactions: Review your statements regularly for any
activity or charges you did not make.

3. Install security software: Install security software (firewall, antivirus and anti-spyware) and keep
it up to date as a safeguard against online intrusions.

4. Use an updated web browser: Use an up-to-date web browser to make sure you are taking advantage of
its current safety features.

5. Be wary of e-mail attachments and links in messages: Use caution even when the message appears to
come from a safe sender, as the sender identity in both e-mail and instant messages can easily be spoofed.

6. Store sensitive data securely: Just as you keep sensitive paper documents under lock and key,
secure sensitive online information. This can be done with file encryption software.

7. Shred documents: Shred documents that contain personal or financial information (both paper and
electronic) before discarding them. This prevents dumpster diving and, in the online world, stops
attackers from recovering information that was deleted but not securely erased from your system.

8. Protect your PII: Be cautious about giving out your personally identifiable information (PII) to
anyone. Find out why the information is needed and whether it is absolutely necessary to give it out.
Be careful about the details you provide about yourself online, such as on social networking sites.

9. Stay alert to the latest scams: Awareness and caution are effective methods to counter fraud. Create
awareness among your friends and family members by sharing the security tips you learn with them.

Spyware

Spyware is a type of malware that is installed on a computer and collects information about
its users without their knowledge. The presence of spyware is typically hidden from the user;
it is secretly installed on the user's personal computer. Sometimes, however, spyware such
as a keylogger is installed on purpose by the owner of a shared, corporate or public computer
to secretly monitor other users.

As the term suggests, spyware secretly monitors the user, but the features and functions of
such software go beyond simple monitoring. Spyware programs collect personal information about
the victim, such as Internet surfing habits/patterns and websites visited. Spyware can also
redirect Internet surfing activities by installing another stealth utility on the user's
computer system. Spyware may also have the ability to change computer settings, which can slow
the Internet connection and the system's response time, leading the user to complain about the
connection speed to the Internet Service Provider (ISP).

To counter spyware, which has proved troublesome for ordinary users, anti-spyware software is
available in the market. Installing anti-spyware software has become a standard element of
computer security practice.
Malware

Malware, short for malicious software, is software designed to infiltrate a computer system
without the owner's informed consent. The expression is a general term used by computer
professionals to mean a variety of forms of hostile, intrusive or annoying software or program
code. Malware can be classified as follows:

1. Viruses and worms: These are known as infectious malware. They spread from one
computer system to another, each with its own characteristic behaviour.
2. Trojan Horses: A Trojan Horse, Trojan for short, is a term used to describe malware
that appears to the user to perform a desirable function but in fact facilitates
unauthorized access to the user's computer system.
3. Rootkits: A rootkit is a software system consisting of one or more programs
designed to obscure the fact that a system has been compromised.
4. Backdoors: A backdoor in a computer system (or cryptosystem or algorithm) is a
method of bypassing normal authentication, securing remote access to a computer,
obtaining access to plain text and so on, while attempting to remain undetected.

Virus and Worms

A computer virus is a program that can infect legitimate programs by modifying them to include
a possibly evolved copy of itself. Viruses spread themselves, without the permission or
knowledge of the user, to a potentially large number of programs on many machines. A computer
virus passes from computer to computer in a similar manner as a biological virus passes
from person to person. Viruses may also contain malicious instructions that cause
damage or annoyance. The combination of malicious code with the ability to spread is what
makes viruses a considerable concern. Viruses can often spread without any readily visible
symptoms. A virus's payload may be event-driven (e.g. triggered after a specific number
of executions), time-driven (e.g. triggered on a specific date, such as Friday the 13th)
or random.

Typical actions a virus may take:

1. Display a message to prompt an action which may set off the virus.
2. Delete files on the system the virus has entered.
3. Scramble data on a hard disk.
4. Cause erratic screen behaviour.
5. Halt the PC.
6. Simply replicate itself to propagate further harm.

A computer worm is a self-replicating software program that spreads through a
network. It can send copies of itself across the network with or without user intervention;
unlike a virus, it does not need to attach itself to a host program.

Backdoor

A backdoor is a means of access to a computer program that bypasses security
mechanisms. A programmer may sometimes install a backdoor so that the program can be
accessed for troubleshooting or other purposes. However, attackers often use backdoors
that they discover or install themselves as part of an exploit. In some cases, a worm is
designed to take advantage of a backdoor created by an earlier attack.

A backdoor works in the background and hides from the user. Like a virus, it is
quite difficult to detect and completely disable. Most backdoors are malicious
programs that must somehow be installed on a computer. Some do not
require installation, because they are already built into particular software running on
a remote host: programmers sometimes leave such backdoors in their software for
diagnostics and troubleshooting purposes, and attackers then discover these undocumented
features and use them to intrude into the system.

Trojan Horses

A Trojan Horse is a program in which malicious or harmful code is contained inside apparently
harmless programming or data in such a way that it can take control and cause harm, for example
by ruining the file allocation table on the hard disk.

Like spyware and adware, Trojans can get into the system in a number of ways,
including from a web browser, via e-mail, or bundled with other software downloaded from
the Internet. It is also possible to inadvertently transfer malware through a USB flash drive or
other portable media, and one may be forced to reformat the USB flash drive or
other portable device to eliminate the infection and avoid transferring it to other machines.
(Users may not realise that such devices can infect their network when they bring some music
along with them to copy onto a machine.)

Unlike viruses or worms, Trojans do not replicate themselves, but they can be equally
destructive. On the surface, Trojans appear benign and harmless, but once the infected
code is executed, Trojans kick in and perform malicious functions to harm the computer
system without the user's knowledge.

For example, waterfalls.scr is a waterfall screen saver, as originally claimed by its
author; however, it can be bundled with malware and become a Trojan that unloads hidden
programs and allows unauthorized access to the user's PC.

How to Protect from Trojan Horses and Backdoors

Follow the following steps to protect your systems from Trojan Horses and backdoors:

1. Stay away from suspect websites/weblinks: Avoid downloading free/pirated
software, which is often infected with Trojans, worms, viruses and other threats.

2. Surf the Web cautiously: Avoid connecting to and/or downloading anything
from peer-to-peer (P2P) networks, which are among the most dangerous channels for
spreading Trojan Horses and other threats. Files packed with malicious software are
placed on P2P networks under names chosen to match common search terms.

It is often the case that, after downloading such a file, it never works, and here is the
threat: although the file has not worked, something has happened to the
system. The malicious software has deployed its payload and the system is at serious
risk. Turning the spam filter on is good practice but is not 100% foolproof,
as spammers are constantly developing new ways to get through such filters.

3. Install antivirus / Trojan remover software: Nowadays antivirus software has
built-in features for protecting the system not only from viruses and worms but also
from malware such as Trojan Horses. Free Trojan remover programs are also
available on the Web and some of them are really good.

Phishing

The word Phishing comes from the analogy that Internet scammers are using E-mail lures
to fish for passwords and financial data from the sea of Internet users.

The e-mail will usually ask the user to provide valuable information about himself/herself or
to "verify" information that the user may have provided in the past while registering for an online
account. To maximize the chances that a recipient will respond, the phisher might employ
any or all of the following tactics:

1. Names of legitimate organizations: Instead of creating a phony company from
scratch, the phisher might use a legitimate company's name and incorporate the look
and feel of its website (i.e., including the color scheme and graphics) into the spam
e-mail.
2. "From" a real employee: The real name of an official who actually works for the
organization will appear in the "From" line or the text of the message (or both). This
way, if a user contacts the organisation to confirm whether "Rajeev Arora" truly is
"Vice President of Marketing", the user gets a positive response and feels
assured.
3. URLs that "look right": The e-mail might contain a URL (i.e. a weblink) which seems
to lead to the legitimate website where the user can enter the information the phisher would like
to steal. In reality the website will be a quickly cobbled-together copycat, a
"spoofed" website that looks like the real thing. In some
cases, the link might lead to selected pages of the legitimate website, such as the real
company's actual privacy policy or legal disclaimer, to build confidence.
4. Urgent messages: Creating fear to trigger a response is very common in phishing
attacks. The e-mails warn that failure to respond will result in losing access
to the account, or claim that the organization has detected suspicious
activity in the user's account, or that the organization is implementing new privacy
software for ID theft protection.

Examples of phrases used to entice the user to take the action.

1. “Verify your account”: The organization will never ask the user to send passwords,
login names, permanent account numbers (PANs) or SSNs and other personal
information through E-mail. For example, if you receive an E-mail message from
Microsoft asking you to update your credit card information, do not respond without
any confirmation with Microsoft authorities – this is a perfect example of Phishing
attack.
2. "You have won the lottery": The lottery scam is a common phishing scam known
as advance fee fraud. One of the most common forms of advance fee fraud is a
message that claims that you have won a large sum of money, or that a person will
pay you a large sum of money for little or no work on your part. The lottery scam often
includes references to big companies, for example Microsoft. There is no Microsoft
lottery. Many such e-mails display the names of agencies/companies supposedly
situated in Great Britain, and hence it is extremely important for
netizens to confirm/verify the authenticity of such e-mails before sending any
response.

3. “If you don’t respond within 48 hours, your account will be closed”: These
messages convey a sense of urgency so that you will respond immediately without
thinking. A Phishing E-mail message might even claim that your response is required
because your account might have been compromised.

Phishing vis-a-vis Spoofing

1. Phishing is used to get the victim to reveal valuable (or at times invaluable)
information about himself or herself. Phishers use spoofing to create a fake e-mail.
2. Spoofing by itself does not steal information; it makes the victim trust the message
so that he or she will do something for the phisher.
3. Phishing may, at times, require spoofing to entice the victim into revealing the
information, but spoofing does not necessarily result in someone's account being phished.

The Combined Attack – Phishing and Spoofing

Phisher sends an E-mail, during Income Tax return filing period, from an official looking
IT (Income Tax) account which is spoofed. The E-mail would contain URL to download
a new tax form that was recently issued. Once the victim clicks the URL, a “virus cum
Trojan Horse” is downloaded to the victim’s system. The IT Form may seem official, but
like a Trojan Horse, the payload has already been delivered. The virus lies in wait,
logging the actions of the victim. Once the victim inputs certain keywords, like bank
names, credit card names, social networking websites and so forth, it logs the site and
the passwords used. Those results are flagged and sent to the phisher. The virus could
then gather the user’s E-mail contacts and send a fake E-mail to them as well, containing
the virus. The phisher now has gained the required personal information as well as virus
was sent, downloaded, and spread to entice other netizens.

How to avoid being a victim of a Phishing attack

Security measures (Sr. No., Security Measure, Brief Description):

1. Keep antivirus up to date: An important aspect is to keep antivirus software up to date, because most antivirus vendors have signatures that protect against some common technology exploits. This can prevent things such as a Trojan disguising the web address bar or mimicking the secure link (i.e., HTTPS).

2. Do not click on hyperlinks in E-mails: In case an E-mail has been received from an unknown source, clicking on any hyperlink displayed in the E-mail should be avoided. The link may take the victim to a website created by the phisher or trigger a Malicious Code installation on the system. Instead, to check out the link, manually retyping it into a web browser is highly recommended.

3. Take advantage of antispam software: Anti-Spam software can help keep Phishing attacks to a minimum. A lot of attacks come in the form of Spam, and by using anti-spam software many types of phishing attacks are reduced because the messages never end up in the mailboxes of end-users.

4. Verify https (SSL): Ensure the address bar displays “https://” rather than “http://”, along with a secure lock icon displayed at the bottom right-hand corner of the web browser, while passing any sensitive information such as credit card or bank information. One may check by double-clicking the lock to verify the third-party SSL certificate that provides the https service. Always ensure that the webpage is truly encrypted.

5. Use anti-Spyware software: Keep Spyware to a minimum by installing an active Spyware solution such as Microsoft anti-Spyware and also scanning with a passive solution such as Spybot. If for some reason your browser is hijacked, anti-Spyware software can often detect the problem and provide a fix.

6. Get educated: Always update your knowledge of the new tools and techniques used by phishers to entice netizens, and understand how to prevent these types of attacks. Report any suspicious activity observed to the nearest cyber security cell.

7. Use the Microsoft Baseline Security Analyzer (MBSA): Netizens on the Microsoft platform should use MBSA to ensure the system is up to date by applying all the security patches. MBSA is a free tool available on Microsoft’s website. This protects IT systems against known exploits in Internet Explorer and Outlook that can be used in Phishing attacks.

8. Firewall: A firewall can prevent Malicious Code from entering the system and hijacking the browser. Hence, a desktop (software) firewall such as Microsoft’s built-in software firewall in Windows XP and/or a network (hardware) firewall should be used. It should be kept up to date in case any cyber security patches have been released by the vendor.

9. Use backup system images: Always keep a backup copy or image of all systems to enable reverting to the original system state in case of any foul play.

10. Do not enter sensitive or financial information into pop-up windows: A common Phishing technique is to launch a bogus pop-up window when someone clicks on a link in a Phishing E-mail message. This window may even be positioned directly over a legitimate window that a netizen trusts. Even if the pop-up window looks official or claims to be secure, entering sensitive information should be avoided because there is no way to check the security certificate.

11. Secure the hosts file: The attacker can compromise the hosts file on a desktop system and send a netizen to a fraudulent site. Configuring the hosts file as read-only may alleviate the problem, but complete protection will depend on having a good desktop firewall such as Zone Alarm that protects against tampering by outside attackers and keeps browsing safe.

12. Protect against DNS Pharming attacks: This is a new type of Phishing attack that does not Spam you with E-mails but poisons your local DNS server to redirect your web requests to a different website that looks similar to a company website (e.g. eBay or PayPal).

Cyber Crime
It refers to all criminal activities carried out using communication devices such as
computers, mobile phones, tablets, etc., the internet, cyber space and the world wide
web. Cybercrimes are a new class of crimes that is rapidly expanding due to the
extensive use of the internet.
E.g. phishing, cyberstalking, identity theft, etc.

Cyber Law
The law that governs cyber space. It is the term used to describe legal issues
related to the use of communication technology, particularly cyber space, i.e. the
internet. It is an attempt to apply laws designed for the physical world to human
activity on the internet.

Cybercrimes are often committed beyond national borders. It is very difficult to
identify the perpetrator of a wrong because the internet facilitates anonymity. Thus,
cybercrimes pose challenges that are unique in character, unlike traditional
crimes.
Challenges posed by Cyber Crime.
1) Legal challenges, which depend on the statutory provisions that can be used as a
tool to investigate and control cyber crimes.
2) Operational challenges, which require a well trained and well-equipped force of
investigators operating and coordinating at national and international level.
3) Technical challenges, which hamper law enforcement agencies’ ability to catch
and prosecute online offenders.
Cyberstalking

Cyberstalking has been defined as the use of information and communication technology,
particularly the Internet, by an individual or group of individuals to harass another individual,
group of individuals or organisation.
The behaviour includes false accusations, monitoring, transmission of threats, ID theft,
damage to data or equipment and gathering information for harassment purposes.

Cyberstalking refers to the use of the Internet and/or other electronic communication
devices to stalk another person. It involves harassing or threatening behaviour that an
individual conducts repeatedly, for example, following a person, visiting a person’s home
and/or business place, making phone calls, leaving written messages, or vandalizing
the person’s property. As the Internet has become an integral part of our personal
and professional lives, cyberstalkers take advantage of the ease of communication and the
increased access to personal information available with a few mouse clicks or keystrokes.

How Stalking Works?

It is seen that stalking works in the following ways:

1. Personal information gathering about the victim: name, family background; contact
details such as cell phone and telephone numbers (of residence as well as office);
address of residence as well as of the office; E-Mail address; date of birth, etc.
2. Establishing contact with the victim through telephone/cell phone. Once contact is
established, the stalker may make calls to the victim to threaten/harass.
3. Stalkers will almost always establish contact with the victims through E-Mail.
4. Some stalkers keep on sending repeated E-Mails asking for various kinds of favours
or threatening the victim.

If you are a victim of stalking, consider suspending your social networking accounts until the
stalking has been resolved. If you decide to continue to use social networking sites, here are
a few tips to help keep you safe:
• Take advantage of privacy settings. With some social networking sites, you may be
able to make your profile completely private simply by checking a box. With others,
such as Facebook, privacy settings can be complex to navigate.
• Take advantage of added security settings. One of the best examples is two-factor
authentication. When you enable this, your account will require you to provide
something you know (like a password) together with something you have (like a specific
device). Therefore, if someone gets your password, he or she will not be able to log in
to the account without the specific code that the service sends to your device.
• Limit how much personal information you post to your account. For example, you may
not want to include contact information, your birth date, the city you were born in or
names of family members.
• Do not accept "friend requests" (or "follow requests") from strangers. If you recognize
the individual sending the request, contact him or her off-line to verify he or she sent
the request.
• Warn your friends and acquaintances not to post personal information about you,
especially your contact information and location.
• Avoid online polls or quizzes, particularly those that ask for personal information.
• Don't post photographs of your home that might indicate its location. For example,
don't post photographs showing a house number or an identifying landmark in the
background.
• Use caution when joining online organizations, groups or "fan pages." Never publicly
RSVP to events shown online.
• Use caution when connecting your cell phone to your social networking account. If
you do decide to connect your cell phone to your online account, use extreme caution
in providing live updates on your location or activities.
• Avoid posting information about your current or future locations, or providing
information a stalker may later use to home in on your location, such as a review of a
restaurant near your house.
• Always use a strong, unique password for every social networking site.

SQL Injection

SQL injection is a code injection technique that exploits a security vulnerability
occurring in the database layer of an application. The vulnerability is present when user
input is either filtered incorrectly for string literal escape characters embedded in an SQL
statement, or user input is not strongly typed and is thereby unexpectedly executed. It is an
instance of a more general class of vulnerabilities that can occur whenever one programming
or scripting language is embedded inside another.

Attackers target SQL servers, the common database servers used by many
organizations to store confidential data. The prime objective behind an SQL injection attack
is to obtain information by accessing a database table that may contain personal
information such as credit card numbers, social security numbers or passwords. During an
SQL injection attack, Malicious Code is inserted into a web form field or the website’s code to
make the system execute a command shell or other arbitrary commands. Just as a legitimate
user enters queries and additions to the SQL database via a web form, the attacker can
insert commands to the SQL server through the same web form field. For example, an
arbitrary command from an attacker might open a command prompt or display a table from
the database. This makes an SQL server a high-value target, and therefore such a system
seems very attractive to attackers.

The attacker determines whether a database and the tables residing in it are
vulnerable before launching an attack. Many webpages take parameters from the web user
and make an SQL query to the database. For example, when a user logs in with a username
and password, an SQL query is sent to the database to check whether the user has a valid
name and password. With SQL injection, it is possible for an attacker to send a crafted
username and/or password field that will change the SQL query.

Steps for SQL Injection Attack

Following are some steps for SQL injection attack:

1. The attacker looks for webpages that allow submitting data, that is, login pages,
search pages, feedback forms, etc. The attacker also looks for webpages that submit data
with the HTTP methods POST or GET by checking the site’s source code.
2. To check the source code of any website, right-click on the webpage and click on “view
source” (if you are using IE – Internet Explorer); the source code is displayed in
Notepad. The attacker checks the HTML source code and looks for the “FORM” tag.
Everything between <FORM> and </FORM> has potential parameters that might be useful
for finding vulnerabilities.
<FORM action=Search/search.asp method=post>
<input type=hidden name=A value=C>
</FORM>
3. The attacker inputs a single quote in the text box provided on the webpage to
accept the username and password. This checks whether the user-input variable is
sanitized or interpreted literally by the server. If the response is an error message such
as use “a” = “a” (or something similar), then the website is found to be susceptible to an
SQL injection attack.
4. The attacker uses SQL commands such as the SELECT statement to retrieve
data from the database or the INSERT statement to add information to the database.

How to Prevent SQL Injection Attacks

SQL injection attacks occur due to poor website administration and coding. The following
steps can be taken to prevent SQL injection.
1. Input validation
• Replace all single quotes (escape quotes) with two single quotes.
• Sanitize the input: User input needs to be checked and cleaned of any characters or
strings that could possibly be used maliciously. For example, character sequences such
as ; , --, select, insert and xp_ can be used to perform an SQL injection attack.
• Numeric values should be checked while accepting a query string value. The function
IsNumeric( ) in Active Server Pages (ASP) should be used to check these numeric
values.
• Keep all text boxes and form fields as short as possible to limit the length of user
input.
2. Modify error reports: SQL errors should not be displayed to outside users; to avoid
this, the developer should handle or configure the error reports very carefully. These
errors sometimes display the full query pointing to the syntax error involved, and
attackers can use it for further attacks.
3. Other preventions
• The default system accounts for SQL Server 2000 should never be used.
• Isolate the database server and the web server. Both should reside on different machines.
• Most often attackers make use of extended stored procedures such as
xp_cmdshell and xp_grantlogin in SQL injection attacks. In case such extended
stored procedures are not used, or there are unused triggers, stored procedures, user-
defined functions, etc., then these should be moved to an isolated server.
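As an added example (not code from the notes), the login query described above is written three ways: spliced together by string concatenation, with single quotes doubled as the first prevention bullet suggests, and with a parameterised query. The single-quote probe from step 3 of the attack description is turned into a self-test a developer can run against each version, and the error-report and numeric-check preventions are shown alongside. The users table and the account in it are constructed sample data; SQLite stands in for the SQL server.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The weak pattern: form input spliced straight into the SQL text.
    A quote in the input becomes part of the statement, so a crafted
    field changes the query instead of being compared as data."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_escaped(conn, username, password):
    """Input validation, first bullet: replace each single quote with two.
    Better than nothing, but it only protects quoted string contexts."""
    u = username.replace("'", "''")
    p = password.replace("'", "''")
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{u}' "
             f"AND password = '{p}'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterised(conn, username, password):
    """Preferred fix: placeholders. The driver passes the values as data,
    so no character in them can alter the statement."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def single_quote_probe(conn, login_fn):
    """Step 3 of the attack description used as a defender's self-test:
    submit a lone single quote. 'error' means the database saw a malformed
    statement (the input reached the SQL parser); 'ok' means the input was
    treated as plain data."""
    try:
        login_fn(conn, "'", "x")
        return "ok"
    except sqlite3.OperationalError:
        return "error"


def parse_numeric_id(value):
    """Numeric query-string values are checked before use (the notes'
    IsNumeric( ) in ASP). Returns an int, or None if not purely digits."""
    return int(value) if value.isdigit() else None


def handle_login(conn, login_fn, username, password, server_log):
    """Modified error reports: the outside user never sees the SQL error
    text, which can include the full failing query. Detail goes only to
    the server-side log (a plain list standing in for a log file here)."""
    try:
        ok = login_fn(conn, username, password)
    except sqlite3.OperationalError as exc:
        server_log.append(f"login query failed: {exc}")
        return "Login failed"
    return "Welcome" if ok else "Invalid username or password"


if __name__ == "__main__":
    db = make_db()
    for name, fn in [("concatenated", login_vulnerable),
                     ("quote-escaped", login_escaped),
                     ("parameterised", login_parameterised)]:
        print(f"{name:14s} login(alice, s3cret) = {fn(db, 'alice', 's3cret')}, "
              f"single-quote probe = {single_quote_probe(db, fn)}")
    log = []
    print(handle_login(db, login_vulnerable, "'", "x", log))
    print("server log:", log)
```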
Why is cyber security important?

Today we live in a digital era where all aspects of our lives depend on networks,
computers and other electronic devices, and software applications.

All important infrastructure, such as the banking system, healthcare, financial
institutions, governments, and manufacturing industries, uses devices connected to
the Internet as a core part of its operations.

Some of their information, such as intellectual property, financial data, and personal
data, is sensitive; unauthorized access to it or exposure of it could have harmful
effects.

This information gives intruders and threat actors a reason to infiltrate them for financial
gain, extortion, political or social motives, or just vandalism.

Cyber-attacks are now an international concern; system hacks and other security
attacks could endanger the global economy. Therefore, it is essential to have an
excellent cybersecurity strategy to protect sensitive information from high-profile
security breaches.

As the volume of cyber-attacks grows, companies and organizations, especially those
that deal with information related to national security, health, or financial records, need
to use strong cybersecurity measures and processes to protect their sensitive business
and personal information.

------------------------------------------------------------------------------------------------------

Indian Scheme of Offences and Punishments.


The Indian parliament has adopted a two-fold strategy to control cyber crimes. It has
amended the Indian Penal Code to cover cyber crimes and has provided provisions in the
IT Act to deal with computer crimes.

Section / Offence / Punishment

Section 43: Damage to computer, computer system. Punishment: Compensation to the affected person.

Section 65: Tampering with computer source document. Punishment: Imprisonment under 3 years or fine which may extend up to 2 lakh rupees, or both.

Section 66A: Sending any offensive message through communication service. Punishment: Imprisonment of 3 years with fine.

Section 66B: Dishonestly receiving stolen computer or communication device. Punishment: Imprisonment of 3 years or fine which may extend to 1 lakh rupees, or both.

Section 66C: Identity theft. Punishment: Imprisonment of 3 years or fine which may extend to 1 lakh rupees.
Some Important Facts
There are the following kinds of cyber players who harm cybersecurity:

• Cyber Criminals
• Cyber Terrorists
• Cyber Espionage
• Cyber Hacktivists

Legal Landscape in India for Cybersecurity

Laws related to Cyber Security in India, with important facts about each:

Information Technology Act, 2000
• Came into force in October 2000
• Also called the Indian Cyber Act
• Provides legal recognition to all e-transactions
• Aims to protect online privacy and curb online crimes

Information Technology Amendment Act 2008 (ITAA)
The amendments in the IT Act mentioned:
• ‘Data Privacy’
• Information Security
• Definition of Cyber Cafe
• Digital Signature
• Recognizing the role of CERT-In
• Authorizing the inspector to investigate cyber offences, in place of the DSP who was given the charge earlier

National Cyber Security Strategy 2020
The Indian Government has come up with the National Cyber Security Strategy 2020, entailing provisions to secure cyberspace in India.

Cyber Surakshit Bharat Initiative
MeitY, in collaboration with the National e-Governance Division (NeGD), came up with this initiative in 2018 to build a cyber-resilient IT set-up.
The Indian Computer Emergency Response Team (CERT-In) serves as the national agency
for performing various functions in the area of cyber security in the country as per the
provisions of section 70B of the Information Technology Act, 2000.

CERT-In (The Indian Computer Emergency Response Team)

CERT-In has been operational since January 2004.

• CERT-In comes under the Ministry of Electronics and Information Technology (MeitY).
• It regularly issues advisories to organisations and users to enable them to protect
their data/information and ICT (Information and Communications Technology)
infrastructure.
• In order to coordinate response activities as well as emergency measures with
respect to cyber security incidents, CERT-In calls for information from service
providers, intermediaries, data centres and body corporates.
• It acts as a central point for reporting incidents and provides 24 x 7 security service.
• It continuously analyses cyber threats and handles cyber incidents tracked and
reported to it. It increases the Indian Internet domain’s security defences.
• CERT-In is leading the implementation of CCMP across Central Government
Ministries/Departments/states and critical organisations operating in Indian
cyberspace.
  o The Cyber Crisis Management Plan (CCMP) for Countering Cyber Attacks
and Cyber Terrorism is a framework document for dealing with cyber-related
incidents.

CERT-In Functions
In the IT Amendment Act 2008, CERT-In has been designated to perform the following
functions in the area of cyber security –

• Collection, analysis and dissemination of information on cyber incidents.
• Forecasts and alerts of cyber security incidents.
• Emergency measures for handling cyber security incidents.
• Coordination of cyber incident response activities.
• Issue of guidelines, advisories, vulnerability notes and whitepapers relating to
information security practices, procedures, prevention, response and reporting of
cyber incidents.
• Such other functions relating to cyber security as may be prescribed.
CERT-In Issued Directions in April 2022
In April 2022, CERT-In issued directions relating to information security practices,
procedures, prevention, response and reporting of cyber incidents for a safe and trusted
internet.

• In order to facilitate incident response measures, CERT-In issued these directions
under the provisions of sub-section (6) of section 70B of the Information Technology
Act, 2000.
• The directions cover aspects relating to –
  o synchronisation of ICT system clocks
  o mandatory reporting of cyber incidents to CERT-In (within six hours)
  o maintenance of logs of ICT systems (for 180 days)
  o subscriber/customer registration details by Data centres, Virtual Private
Server (VPS) providers, VPN Service providers, Cloud service providers
  o KYC norms and practices by virtual asset service providers, virtual asset
exchange providers and custodian wallet providers.
These directions shall enhance the overall cyber security posture and ensure a safe and
trusted Internet in the country.
The National Cyber Security Policy

The National Cyber Security Policy was first drafted in the wake of reports that the
US government was spying on India and that there were no technical or legal safeguards
against it.

The National Cyber Security Policy is a policy framework by the Department of Electronics and
Information Technology (DeitY). It aims at protecting the public and private infrastructure
from cyber attacks. The policy also intends to safeguard “information, such as personal
information (of web users), financial and banking information and sovereign
data”. The Ministry of Communications and Information Technology (India) defines Cyberspace
as a complex environment consisting of interactions between people, software and services,
supported by the worldwide distribution of information and communication technology.

Need for a cybersecurity policy

• Before 2013, India did not have a cybersecurity policy. The need for it was felt during
the NSA spying issue that surfaced in 2013.
• Information empowers people, and there is a need to create a distinction between
information that can run freely between systems and information that needs to be secured.
This could be personal information, banking and financial details, or security
information which, when passed into the wrong hands, can put the country’s safety
in jeopardy.
• This Policy has been drafted in consultation with all the stakeholders.
• In order to digitise the economy and promote more digital transactions, the
government must be able to generate trust in people in the Information and
Communications Technology systems that govern financial transactions.
• A strong, integrated and coherent policy on cybersecurity is also needed to curb the
menace of cyber terrorism.

National Cyber Security Policy Vision


To build secure and resilient cyberspace for citizens, businesses and Government.

National Cyber Security Policy Mission

• To protect information and information infrastructure in cyberspace.
• To build capabilities to prevent and respond to cyber threats.
• To reduce vulnerabilities and minimize damage from cyber incidents through a
combination of institutional structures, people, processes, technology and
cooperation.

National Cyber Security Policy Objectives

• Encouraging the adoption of IT in all sectors of the economy by creating adequate
trust in IT systems through the creation of a secure cyber ecosystem.
• Creating an assurance framework for the design of security policies and for the
promotion and enabling of actions for compliance with global security standards and
best practices through conformity assessment.
• Bolstering the regulatory framework for ensuring a secure cyberspace ecosystem.
• Enhancing and developing national and sectoral level 24 x 7 mechanisms for
obtaining strategic information concerning threats to ICT infrastructure, creating
scenarios for response, resolution and crisis management through effective
predictive, preventive, protective, response and recovery actions.
• Operating a 24×7 National Critical Information Infrastructure Protection Centre
(NCIIPC) to improve the protection and resilience of the country’s critical
infrastructure information.
• Developing suitable indigenous security technologies to address requirements in this
field.
• Improving the visibility of the integrity of ICT (Information and Communication Technology)
products/services by having testing and validation infrastructure.
• Creating a workforce of 500,000 professionals skilled in cybersecurity in the next 5
years.
• Providing businesses with fiscal benefits for adopting standard security practices
and processes.
• Safeguarding the privacy of citizens’ data and reducing economic losses due to
cybercrime or data theft.
• Enabling effective prevention, investigation and prosecution of cybercrime and
enhancement of law enforcement capabilities through legislative intervention.
• Developing a culture of cybersecurity and privacy.
• Developing effective public-private partnerships and collaborative engagements by
means of technical and operational cooperation.
• Promoting global cooperation by encouraging shared understanding and leveraging
relationships for furthering the cause of security of cyberspace.
Examples of Cyber Attacks

Cyber Attacks in India, with a description of each:

Coronavirus Pandemic Based Cyber Attack: Microsoft has reported that cyber crooks are using the Covid-19 situation in 2020 to defraud people through phishing and ransomware in India and the world.

Phishing: Union Bank of India heist in July 2016.

Wannacry Ransomware: In May 2017, various computer networks in India were locked down by ransom-seeking hackers.

Data Theft: In May 2017, the food tech company Zomato faced the theft of information of 17 million users.

Petya Ransomware: Container handling functions at a terminal operated by the Danish firm AP Moller-Maersk at Mumbai’s Jawaharlal Nehru Port Trust got affected.

Mirai Botnet: In September 2016, Mirai malware launched a DDoS attack on the website of a well-known security expert.
Data Privacy and Data Protection

Data Privacy:
Data Privacy refers to the proper handling of data, meaning how an organization or user
determines whether or what data is to be shared with third parties. Data privacy is
important as it keeps some data secret from others/third parties. Data privacy is all about
authorized access. It is also called Information privacy.

Example –
In a bank, a lot of customers have accounts for monetary transactions. So the bank
needs to keep customer data private, so that customers’ identities stay as safe and protected
as possible by minimizing any external risks; it also helps in maintaining the
reputation of the bank.

Data Protection:

Data Protection refers to the process of keeping important information safe. In simple
terms, it refers to protecting data against unauthorized access, which leads to no corruption,
no compromise, no loss and no security issues for the data. Data protection applies to all
forms of data, whether personal data or organizational data.
Example –
A bank has a lot of customers, so the bank needs to protect all types of data, including the
bank’s own records as well as customer information, from unauthorized access to keep
everything safe and to ensure everything is under the control of the bank administration.
The terms Data Privacy and Data Security are used interchangeably and seem to be the same.
But actually they are not the same. In reality they can have different meanings depending
upon the actual process and use. But it is certain that they are very closely interconnected and one
complements the other during the entire process. So, let us now see how Data Privacy is
different from Data Protection in the table below.

Difference between Data Privacy and Data Protection:

S.No. / Data Privacy / Data Protection

01. Data Privacy refers to maintaining secrecy or keeping control over data access.
    Data Protection is the process of protecting data from external risks such as corruption, loss etc.

02. Data Privacy is all about authorized access, meaning it defines who has authorized access to data.
    Data Protection is all about unauthorized access, meaning if anyone does not have access to data then it keeps the data safe from that unauthorized access.

03. Data Privacy is a legal process/situation which helps in establishing standards and norms about accessibility.
    Data Protection is a technical control system which keeps data protected from technical issues.

04. Data Privacy is the regulations or policies.
    Data Protection is the procedures and mechanisms.

05. Data Privacy can be described as security from sales, meaning holding the data back from being shared and sold.
    Data Protection can be described as security from hacks, meaning keeping the information away from hackers.

06. Data Privacy controls mainly exist at the end-user level. The users know which data is shared with whom and which data they can access.
    Data Protection is mainly controlled at the organization or company end. They take all the required measures to protect their data from being exposed to illegal activities.

07. Data privacy teams are made up of experts in law making and policies, and some engineering experts.
    Data protection teams are made up of experts from technical backgrounds, security backgrounds etc.

Data Privacy on social media:

The main revenue source for social media applications is selling advertisements, but
this is not the only way. Take Facebook as an example. Facebook does user profiling on the
basis of demographics, the brands you like, the movies you see etc. and shows you relevant
advertisements, links for apps of your interest and so on.
Facebook even keeps track of all the activities that you do in the offline world that are not
even shared on the platform.

• Please read the Terms and Conditions carefully.
• Go through the privacy settings in your account. Don’t rely on default settings.
• Stop clicking on posts like “Check your death day”, “Find which celebrity you look
like” and so on.
• Install good antivirus software on your laptop and phone.
• Turn off your location. Some sites even keep track of your activities in the offline world,
but turning off location will at least keep the possible loss to a minimum.
• Don’t forget to set up Security Answers.
• Never leave your account logged in. You are in a way inviting cyber criminals to hack
your account or act as an impostor.
• Always check and analyse your post before posting. Try not to put too many revealing
photos online.
• Always try to create a strong password for each site and change it at regular intervals.
Never set the same password for multiple sites.

Below is a list of a few security threats that we might face in social media accounts:

1. Most social networking sites hold information like your birthday or E-mail address.
A hacker can break into your E-mail account by using this social information and then
gain access to all the information he/she wants. You don’t need to hide all
information; you just need to take the following precautions:
• Always set strong passwords. Don’t go for easy passwords built from
your birthday or your child’s name etc., i.e., from information
that is easily accessible from the social media account.
• Don’t reveal too much information in a post. Be careful with what
you post online. For example, if I write “Happy Mother’s Day Mumma
Richa Sahani”, you can see that one can guess the answer to one of my
security questions, “What is your Mother’s Maiden Name?”. This is how
thieves get information just by analyzing your posts. They get so much
information that they can even compromise your account.
• Don’t reveal your location. Try to keep the location section either
blank or set to a false location.
• Do not use social media accounts from untrusted devices and
networks in hotels, cafés, hospitals etc.
• Do not elect to remember passwords/passphrases for social media
accounts when offered by web browsers.
2. With the advent of social media like Twitter, URL shorteners came into the
picture. Twitter allows a post to be a maximum of 280 characters, thus limiting
the size and amount of information that can be shared. Shortened URLs can
trick users into visiting harmful sites since the full URLs are not visible. It is best to
keep the following points in mind before clicking on a shortened URL to avoid being
hacked.
• Before clicking a link, place the cursor on the shortened URL. This
will show the complete URL and give you an idea of where
the full URL actually points.
• Check the shortened URL using services that are available online,
like Sucuri, to check whether the link is secure or not.
• Use services like URL Void or MyWOT to check the safety status of
the link.
3. Avoid posting too many details online. Would you ever stand in the middle of a
crowd and shout that you are going on a vacation to such and such a place? So why
post all the details of your trip on social media, with every second detail
like “Travelling to London, United Kingdom from Air India Business Lounge New
Delhi”? You are clearly handing your house keys to burglars. Try to take the following
precautions while posting any information online:
• Avoid posting specific travel plans and itineraries. Never mention the
exact date and time.
• Never post photos during the trip. Try to post photos after you
return home from the vacation.
• Try to stay offline during the vacation.
• Use the highest privacy controls to let only selected groups, like
family and selected friends, view your status updates and photos.
4. Have you ever wondered how, when we see a product on Flipkart and then open
another site, it shows an advertisement related to the product that we
earlier searched for on Flipkart? Every time we visit a website, it puts an invisible
marker, which we call a Cookie in technical terms, on our computer. The job of these
cookies is to track user activity as we navigate from one site to another. This
is the reason we are able to see advertisements of our interest on the new
page that we open. Cookies are the major loophole in the entire security scenario.
Most sites provide an option to opt out of the tracking feature, but if you don’t
get that option, please be careful to clear the cache and the cookies on your
browser regularly.
I hope that after such a detailed discussion on Privacy and Security in Social Media,
you will surely try to implement these steps and try to achieve a private and secure social
media account.

Ways to protect Online Data Privacy

There is a cool new gaming app available online. What do you do if you want to
download it? You quickly scroll through the terms and conditions without reading
them and move right on to the game. And what if a site wants to store your credit
card information? You may allow it, so that you do not have to enter the data again
and again.

But have you ever wondered what happens to the data that you so casually share online?

This data may end up in the hands of third-party companies that use it to analyse your
online habits and build a profile that is used for customised ads and similar purposes.
That is the relatively harmless option. In the worst case, your online data can be used
maliciously to cause serious personal or financial harm. So what steps can you take to
protect your online data privacy and prevent this from happening? This article gives
some basic tips that will make your online presence much more private and secure.
1. Always Browse in Anonymous Mode

Browsing in anonymous mode is only a first line of defence. Incognito mode in Google
Chrome, or Private Windows in Firefox and Safari, adds one layer of protection, not
complete online privacy; that may not even be possible.

What a private window actually does is start with an empty cookie store and discard
cookies, history and cached pages when the window is closed. Cookies are the main
mechanism behind the tailored ads you see on websites, which are chosen from the
sites you visited before, so starting each session without them reduces that tracking.
A private window does not block cookies while it is open, does not hide your IP
address from the sites you visit or from your internet service provider, and does not
stop tracking that relies on browser fingerprinting or on you logging in to an account.

2. Change Your Default Search Engine to a Privacy-Focused Search Engine

Have you ever wondered how the search engine you use makes money? How does it pay
for the service it offers you? The usual answer is advertising, and if the service is free,
the product being sold is most likely you. A conventional search engine records your
searching habits, your likes and dislikes and whatever personal information it can
infer, and uses that profile to sell targeted advertising.

If you wish to avoid that, use a privacy-oriented search engine that does not build a
profile of you. Some of these run on donations; others show ads based only on the
current search term rather than on your history. Examples are DuckDuckGo, Qwant
and Startpage.

3. Use End-to-End Encrypted Messaging Apps

Most messaging apps employ encryption, but often only encryption in transit, which
means your messages are decrypted on the provider's side and stored on its servers,
where the provider (or anyone who compromises it) can read them. It is best to use
end-to-end encrypted messaging apps, where only the sender's and recipient's devices
hold the keys. The most popular end-to-end encrypted messaging app is WhatsApp,
which encrypts all chats end to end by default. Viber and LINE offer it as well. Note
that in Telegram only "Secret Chats" are end-to-end encrypted; ordinary cloud chats
are not, so choose the right chat type if you use it.

4. Use a VPN to Protect Yourself from Service Providers

Do you think that your data is safe because you are browsing from your home
connection? In fact, there is a fair chance that your internet service provider is
collecting your browsing data and, depending on the jurisdiction, may sell it to third
parties, since data protection law on this point is unclear in many countries.

You can use a VPN (Virtual Private Network), which creates an encrypted tunnel across
the public network. Your traffic is encrypted between your device and the VPN server,
so your ISP sees only that you are talking to the VPN. Bear in mind that this moves
trust from the ISP to the VPN provider, which can now see the same traffic, so choose
one with a credible no-logging policy. Examples of VPN services are ExpressVPN,
NordVPN, Hotspot Shield and IPVanish.

5. Strengthen Browser Security with Extensions

You can improve your online privacy and security with a few extensions and online
tools. The HTTPS Everywhere extension used to rewrite requests to HTTPS so that your
communication with most websites was encrypted, leaving fewer chances for anyone to
snoop; it has since been retired because modern browsers offer the same protection
through a built-in HTTPS-only mode, which you should turn on.

The Ghostery browser extension makes browsing safer by detecting and blocking
third-party tracking scripts and beacons.

An ad blocker such as AdBlock filters out unwanted ads and also protects you from
malicious ads (malvertising) that can be used to infect your machine.

Another free tool is CheckShortURL, which shows where a shortened URL actually
leads, because double-checking is always worthwhile.
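The hover-and-check advice for shortened links, done programmatically. This is an added example for this course material, not code from the original page or from any of the services named above. It walks a link's redirect chain one hop at a time with redirects disabled, so every intermediate host is visible, stops on loops or excessive hops, and prints the red flags a user should see before clicking. The `fetch` argument is injectable: `http_fetch` does a real HEAD request, while the demo uses a constructed chain (made-up hosts under the reserved `.example` domain and the 203.0.113.0/24 documentation range) so it runs offline.

```python
"""Walk a shortened URL's redirect chain one hop at a time, so the real
destination (and every hop in between) is visible before anyone clicks.

Added example, not code from the original material. `http_fetch` is the real
network-backed fetch; `demo_fetch` serves a constructed chain for offline use.
"""
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Tell urllib not to follow redirects; the 3xx then surfaces as HTTPError."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """Real network fetch: HEAD the URL, return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def expand_short_url(url, fetch=http_fetch, max_hops=MAX_HOPS):
    """Return every URL in the chain, from `url` to the final destination.

    Raises ValueError on a redirect loop or when more than `max_hops` hops
    are needed; an endless chain is itself a reason not to click.
    """
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop at " + nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects, giving up" % max_hops)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def red_flags(chain):
    """Heuristic warnings a user should see before clicking (not a verdict)."""
    flags = []
    first, last = urlsplit(chain[0]), urlsplit(chain[-1])
    if first.scheme == "https" and last.scheme == "http":
        flags.append("destination downgrades to plain http")
    if _is_ip_literal(last.hostname or ""):
        flags.append("destination host is a bare IP address")
    if last.username is not None:
        flags.append("destination embeds credentials before the host")
    if len(chain) > 3:
        flags.append("%d hops through intermediate hosts" % (len(chain) - 1))
    return flags


# Constructed redirect chain for the offline demo (made-up hosts, not real sites).
DEMO_CHAIN = {
    "https://short.example/abc": (301, "https://track.example/r?u=1"),
    "https://track.example/r?u=1": (302, "/go/2"),
    "https://track.example/go/2": (307, "http://203.0.113.7/login"),
    "http://203.0.113.7/login": (200, None),
}


def demo_fetch(url):
    return DEMO_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    hops = expand_short_url("https://short.example/abc", fetch=demo_fetch)
    print(" -> ".join(hops))
    for flag in red_flags(hops):
        print("WARNING:", flag)
```

Against a live link, call `expand_short_url("https://<short link>")` with the default `http_fetch`. The flags are heuristics, not a safety verdict; a clean-looking destination can still be a phishing page, which is why the reputation services above remain useful.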

6. Don't Use Public Storage for Private Information

Do not use storage that is designed for sharing to keep private information, as that is
hardly safe. For example, it is not a good idea to store passwords or other confidential
information in Google Docs: a document is only as protected as the account and its
sharing settings, and a single mis-set share link or a compromised account exposes
everything in it. Use a password manager for passwords instead.

Similarly, do not store important scans or other documents in Dropbox unless they are
in an encrypted archive whose key is kept elsewhere.

Always assume that anything kept in shared storage may become public at some point,
accidentally or on purpose, and store it accordingly.
7. Stay Private on Wi-Fi Networks

Many public Wi-Fi networks are open, with no encryption at all, and even those with a
shared password let other users on the same network capture and read your traffic,
while the operator of the access point can see everything that is not protected by
HTTPS or a VPN.

So if you use public Wi-Fi, you risk losing personal information, leaking your digital
identity and, in the worst case, losing money.

Avoid transmitting sensitive data such as logins, credit card details and passwords over
public Wi-Fi, and make sure any site you do use shows HTTPS. Also use a VPN, which
creates an encrypted tunnel across the public Wi-Fi network so that other users and
the operator cannot read your traffic.

8. Use Secure Passwords

Using weak or basic passwords to secure important information is like leaving the key
next to the lock. Passwords should be sufficiently long and complex: at least 12
characters, including upper- and lower-case letters, numbers and special characters.
Length matters more than any single character class, so a long passphrase of several
unrelated words is a good choice. Never use personal information such as your name,
birthday or pet's name in a password, as that is easy to guess from your public profile.

Another basic rule is not to use the same password for multiple applications: when
one site is breached, the leaked password is tried against every other site. Remembering
many unique passwords is hard, which is exactly what a password manager is for.
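The rules above as a checker, plus a passphrase generator for the "hard to remember" problem. This is an added example for this course material, not code from the original page. `personal_info` is an assumed input (whatever the caller knows about the user: name, pet, birthday); the reuse check compares keyed hashes of the other passwords, so the checker never handles them in clear. The word list is a short constructed one for illustration; a real deployment would use a large diceware list.

```python
"""Check a candidate password against the rules stated above: at least 12
characters, all four character classes, nothing taken from the user's
personal details, and no reuse across accounts.

Added example, not from the original material. `personal_info` and the
fingerprints of other passwords are assumed to be supplied by the caller.
"""
import hashlib
import hmac
import re
import secrets
import string
from datetime import date

MIN_LENGTH = 12
CLASSES = (
    ("lowercase letter", str.islower),
    ("uppercase letter", str.isupper),
    ("digit", str.isdigit),
    ("special character", lambda c: c in string.punctuation),
)


def personal_tokens(personal_info):
    """Lower-case fragments of the user's details that must not appear in a password.

    Dates are expanded into the forms people actually type: 1995, 0507, 05071995, ...
    """
    tokens = set()
    for item in personal_info:
        if isinstance(item, date):
            for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%Y%m%d", "%d%m%y"):
                tokens.add(item.strftime(fmt))
        else:
            for part in re.split(r"\W+", str(item)):
                if len(part) >= 3:  # ignore initials and short noise
                    tokens.add(part.lower())
    return tokens


def fingerprint(password, key):
    """Keyed hash used to compare passwords without keeping them in clear."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def check_password(password, personal_info=(), known_fingerprints=(), key=b"per-user-key"):
    """Return a list of problems; an empty list means the password passes every rule."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    missing = [name for name, test in CLASSES if not any(test(c) for c in password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    lowered = password.lower()
    hits = sorted(t for t in personal_tokens(personal_info) if t in lowered)
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))
    if fingerprint(password, key) in set(known_fingerprints):
        problems.append("already used for another account")
    return problems


# Constructed word list for illustration only; use a large diceware list in practice.
WORDS = ("lantern", "tram", "orbit", "velvet", "canyon", "pepper", "glacier",
         "mosaic", "harbor", "quartz", "ember", "saddle")


def suggest_passphrase(n_words=4, rng=secrets.choice):
    """Build a long, memorable passphrase from random words plus a digit and symbol."""
    words = [rng(WORDS).capitalize() for _ in range(n_words)]
    return "-".join(words) + "#" + str(rng(range(10)))


if __name__ == "__main__":
    profile = ("Priya Sharma", "Bruno", date(1995, 7, 5))  # constructed user details
    print(check_password("bruno123", profile))
    print(check_password("Rainy-Tram#Lantern9", profile))
    print(suggest_passphrase())
```

The date expansion is what catches "bruno0507" style passwords that pass a naive name check; the keyed fingerprint lets a password manager flag reuse without the checker ever seeing the other accounts' passwords.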

9. Evade Tracking on Websites

Websites use cookies to gather information about your browsing history, and
advertising networks can sell the profiles built from that history to third parties. If you
wish to avoid that, take some control over where your data ends up by adjusting your
cookie settings so that sites cannot track you across the web without your permission.
In Chrome this is done under Settings > Privacy and security > Third-party cookies,
where you can block third-party cookies; the sites you visit keep working, but the
trackers embedded in them no longer receive a cookie.
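How a third-party cookie links visits to unrelated sites, and why blocking third-party cookies breaks the link (the mechanism behind the Flipkart example earlier and the cookie settings just described). This is an added example for this course material, not code from the original page. The sites, the tracker host and the browser model are made up and simplified: real browsers decide "same site" with the Public Suffix List and SameSite rules, whereas this model compares the last two labels of the host name.

```python
"""Simulate an advertising network linking visits to unrelated sites through a
third-party cookie, and a browser that blocks third-party cookies.

Added example, not from the original material; hosts and pages are constructed.
"""
from urllib.parse import urlsplit


def registrable(host):
    """Crude 'same site' rule: last two labels (news.example, tracker.example)."""
    return ".".join(host.split(".")[-2:])


class CookieJar:
    """Minimal browser cookie store with an optional third-party cookie block."""

    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.store = {}  # (cookie host, name) -> value

    def is_third_party(self, host, top_level_host):
        return registrable(host) != registrable(top_level_host)

    def set_cookie(self, host, name, value, top_level_host):
        if self.block_third_party and self.is_third_party(host, top_level_host):
            return False  # browser refuses the tracker's cookie
        self.store[(host, name)] = value
        return True

    def cookies_for(self, host, top_level_host):
        if self.block_third_party and self.is_third_party(host, top_level_host):
            return {}
        return {name: v for (h, name), v in self.store.items() if h == host}


class AdNetwork:
    """The tracker: hands out a uid cookie and logs which page it was seen on."""

    host = "ads.tracker.example"

    def __init__(self):
        self.next_id = 1
        self.log = []  # (uid, page host): what the tracker learns

    def serve_ad(self, jar, page_host):
        cookies = jar.cookies_for(self.host, page_host)
        uid = cookies.get("uid")
        if uid is None:
            uid = "u%03d" % self.next_id
            self.next_id += 1
            jar.set_cookie(self.host, "uid", uid, page_host)
        self.log.append((uid, page_host))
        return uid


def browse(pages, block_third_party=False):
    """Visit each page; every page embeds the ad network's script."""
    jar, tracker = CookieJar(block_third_party), AdNetwork()
    for url in pages:
        host = urlsplit(url).hostname
        jar.set_cookie(host, "session", "s-" + host, host)  # first-party, always kept
        tracker.serve_ad(jar, host)
    return tracker.log


def profiles(log):
    """What the tracker can reconstruct: uid -> list of sites visited."""
    out = {}
    for uid, host in log:
        out.setdefault(uid, []).append(host)
    return out


# Constructed browsing session across two unrelated sites.
VISITS = [
    "https://shop.example/phones",
    "https://news.example/article",
    "https://shop.example/cart",
]

if __name__ == "__main__":
    print("third-party cookies allowed:", profiles(browse(VISITS)))
    print("third-party cookies blocked:", profiles(browse(VISITS, block_third_party=True)))
```

With third-party cookies allowed, the tracker sees one identity across all three visits; with them blocked, each visit gets a fresh identifier and the profile falls apart, while the sites' own session cookies are unaffected.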

10. Change Your Social Media Privacy Settings

The biggest mistake you can make is to keep the default settings. Social media
companies make money the way search engines do, by monetising your data through
targeted advertising, and the defaults are set for the company's benefit, not yours.

Adjust your social media privacy settings to provide the maximum possible privacy. For
example, on Facebook you can restrict who sees your posts, your location and the
photos in which you are tagged, all of which are otherwise freely available.

India's Digital Personal Data Protection Act, 2023: Key provisions

India's first cross-sectoral personal data protection bill was introduced in Parliament in 2019; the legislation
reached its present form as the Digital Personal Data Protection (DPDP) Act, 2023, after several drafts and 81
amendments to the bill, amounting to a comprehensive overhaul. The Act is an important legislative measure for
safeguarding individuals' privacy. Its primary focus is regulating the collection, storage, processing and transfer
of personal data in digital form.

By prioritising privacy and security, the DPDP Act strives to create a robust framework that addresses the
challenges posed by data handling in the digital age. Key provisions of the DPDP Act, 2023 are as follows:

• Definitions: Although many concepts in the DPDP Act closely resemble those in the EU's General Data
Protection Regulation (GDPR) framework, there are differences in how the terminology is used.
a) Data fiduciary: the entity that, alone or together with others, determines the purpose and means of
processing personal data (similar to a data controller under the GDPR). The government can notify any
data fiduciary, or class of data fiduciaries, as a 'significant data fiduciary' (SDF). The criteria for this
classification range from the nature of the processing (the volume and sensitivity of the personal data
involved and the risk to data principals' rights) to broader societal and national concerns (the potential
effect on India's sovereignty and integrity, electoral democracy, state security and public order). SDF
status carries heightened compliance obligations, explained below.
b) Data processor: an entity that processes digital personal data on behalf of a data fiduciary.
c) Data principal: the individual whose personal data is collected and processed (equivalent to a data
subject under the GDPR).
d) Consent manager: a person registered with the Data Protection Board who acts as a single point of
contact enabling a data principal to give, manage, review and withdraw consent through an accessible,
transparent and interoperable platform.
• Applicability: The DPDP Act applies to digital personal data processed within India, whether collected in
digital form or collected offline and digitised later. It also applies to processing of digital personal data
outside India where that processing is connected with offering goods or services to individuals in India.

Age verification mechanisms will be needed by all companies in India (telcos, banks, e-commerce and so on)
under the new law, according to reporting in The Economic Times; the requirement is not limited to social
media platforms. Legal experts note that it is essential for recording verifiable consent, in particular the
verifiable parental consent the Act requires before a child's data is processed.

• Personal data breach: any unauthorised processing of personal data, or accidental disclosure, acquisition,
sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality,
integrity or availability of personal data.
• Individual consent to use data and data principal rights: Under the new legislation, personal data may be
collected and processed only with the individual's consent, or for one of the 'legitimate uses' the Act
enumerates, which include specified state functions and purposes of national security and public order.
Data principals also have the right to information about the processing, the right to correction and erasure,
the right to grievance redressal, and the right to nominate another person to exercise these rights in the
event of their death or incapacity. At the time of writing there is no notified timeline for implementing
grievance redressal and data principal rights.
• Additional obligations of SDFs: Depending on the quantity and sensitivity of the data they handle, data
fiduciaries notified as SDFs are subject to additional obligations under the DPDP Act. Every significant data
fiduciary must appoint a Data Protection Officer (DPO) responsible for addressing the queries and concerns
of data principals. Regarding international data transfers, the DPDP Act permits data fiduciaries to transfer
personal data for processing to any country or territory outside India, but the central government may, by
notification, restrict transfers to particular countries or territories. Such restrictions will be determined after
assessing relevant factors and setting the terms and conditions needed to maintain data protection
standards during processing abroad.
• Establishment of a Data Protection Board: The Data Protection Board will function as an impartial
adjudicatory body responsible for resolving privacy-related grievances and disputes between the parties.
As an independent regulator it will have the authority to determine instances of non-compliance with the
Act and impose penalties accordingly. The chairperson and members of the Data Protection Board will be
appointed by the central government. To give parties a way to challenge decisions of the Board, the Act
designates the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) as the appellate tribunal that
hears appeals against the Board's decisions.
• Voluntary undertaking: The Data Protection Board may accept, at any stage of complaint proceedings, a
voluntary undertaking from a data fiduciary regarding compliance with the Act. The undertaking may
specify actions to be taken or refrained from, and its terms may be modified by the Board if necessary.
Acceptance of a voluntary undertaking bars proceedings on the subject matter of the undertaking, unless the
data fiduciary fails to adhere to its terms; such non-compliance is treated as a breach of the DPDP Act and
the Board may impose penalties for it. The Board may also require the undertaking to be made public.
• Alternate dispute resolution: Where the Board considers that a complaint may be resolved by mediation, it
may direct the parties to attempt resolution through a mediator they mutually agree upon.
• Offences and penalties: Data fiduciaries face penalties of up to INR 2.5 billion (INR 250 crore) for
non-compliance. The Schedule to the Act provides: up to INR 10,000 for a data principal's breach of the
duties the Act places on data principals; up to INR 2.5 billion for failing to take reasonable security
safeguards to prevent a personal data breach; up to INR 2 billion for failing to notify the Data Protection
Board and affected data principals of a personal data breach; up to INR 2 billion for violating the additional
obligations relating to children's data; up to INR 1.5 billion for failing to comply with the additional
obligations of a significant data fiduciary; and up to INR 500 million for breach of any other provision of
the Act or the rules made under it.
• Conflict with existing laws: The provisions of the DPDP Act are in addition to, and do not supersede, any
other law in force. However, in case of conflict between a provision of this Act and a provision of another
law in force, the provision of this Act prevails to the extent of the conflict.

Exemptions under the DPDP Act

The exemptions provided in the DPDP Act are as follows:

• For notified agencies, in the interest of security, sovereignty, public order, etc.
• For research, archiving or statistical purposes.
• For start-ups or other notified categories of data fiduciaries.
• To enforce legal rights and claims.
• To perform judicial or regulatory functions.
• To prevent, detect, investigate or prosecute offences.
• To process in India the personal data of non-residents under a foreign contract.
• For approved mergers, demergers, etc.
• To locate defaulters and their financial assets, etc.

How can companies prepare for compliance under the Digital Personal Data Protection Act

By following the steps below, companies can prepare for compliance with India's DPDP Act and protect
personal data in line with regulatory guidelines.

Assess and build data privacy:
– Evaluate current compliance status.
– Create a phased action plan covering governance, technology, people and processes.
– Establish a privacy organisation with defined roles, including the DPO, especially if your entity is an SDF.

Inventory personal data systems:
– Identify critical data storage and processing systems.

Identify data processors:
– List third parties handling personal data.
– Update agreements and communicate responsibilities.

Draft DPDP Act-compliant documents:
– Create approved data privacy policies and processes.
– Update necessary documents.
– Develop privacy notices, consent forms and standard contract clauses.

Design consent mechanisms:
– Define consent types.
– Develop user-friendly consent processes.
– Implement efficient consent management tools.

Establish data principal rights handling:
– Set up processes for addressing data principal rights.
– Develop procedures for request handling.
– Use tools for efficient rights management.

Implement data breach response:
– Create breach management processes.
– Integrate them with incident management, so that a personal data breach triggers notification of the
Board and the affected data principals in the prescribed form and manner.

Define data retention periods:
– Categorise data and align retention periods with requirements; personal data must be erased once its
purpose is served unless retention is required by law.

Intellectual property (IP) refers to creations of the mind, such as inventions, literary and artistic
works, designs, symbols, names and images used in commerce. It is a category of property that
covers intangible creations and the legal rights associated with them. Intellectual property is
protected by law through patents, copyrights, trademarks and trade secrets, enabling creators or
owners to control the use of their creations or inventions.

Intellectual property is a broad categorical description for the set of intangible assets owned by a
company or individual and legally protected from outside use or implementation without consent.
An intangible asset is a non-physical asset that a company or person owns.

The concept of intellectual property rests on the idea that certain products of human intellect should
be afforded the same protective rights that apply to physical property, called tangible assets. Most
developed economies have legal measures in place to protect both forms of property.

KEY TAKEAWAYS

• Intellectual property is an umbrella term for a set of intangible assets, that is, assets that are not
physical in nature.
• Intellectual property is owned by a person or company and legally protected from outside use or
implementation without consent.
• Intellectual property can consist of many types of assets, including trademarks, patents and
copyrights.
• Intellectual property infringement occurs when a third party makes unauthorised use of the asset.
• Legal protection for most intellectual property expires after some time; for some types, such as
trademarks, it can be maintained indefinitely as long as the mark remains in use and is renewed.

Intellectual Property

Companies are diligent about identifying and protecting intellectual property because it holds such
high value in today's increasingly knowledge-based economy. Producing valuable intellectual property
requires heavy investment of brainpower and skilled labour, investment that organisations and
individuals do not want others to exploit without holding any rights to it.

Extracting value from intellectual property and preventing others from deriving value from it is an
important responsibility for any company. Intellectual property can take many forms. Although it is
an intangible asset, intellectual property can be far more valuable than a company's physical assets.
It can represent a competitive advantage and, as a result, is fiercely guarded and protected by the
companies that own it.

Types of Intellectual Property

Intellectual property can consist of many types of intangibles; some of the most common are listed
below.

Patents

A patent is a property right granted to an inventor, typically by a government agency such as the
U.S. Patent and Trademark Office. A patent gives the inventor exclusive rights to the invention,
which could be a design, a process, an improvement or a physical invention such as a machine.
Technology and software companies often hold patents for their designs. For example, the patent for
the personal computer was filed in 1980 by Steve Jobs and three colleagues at Apple Inc.

Copyrights

Copyrights provide authors and creators of original material the exclusive right to use, copy, or
duplicate their material. Authors of books have their works copyrighted as do musical artists. A
copyright also states that the original creators can grant anyone authorization through a licensing
agreement to use the work.

Trademarks

A trademark is a symbol, phrase, or insignia that is recognizable and represents a product that legally
separates it from other products. A trademark is exclusively assigned to a company, meaning the
company owns the trademark so that no others may use or copy it. A trademark is often associated
with a company's brand. For example, the logo and brand name of "Coca-Cola," is owned by the Coca-
Cola Company.

Franchises

A franchise is a license that a company, individual or party, called the franchisee, purchases, allowing
them to use a company's (the franchisor's) name, trademark, proprietary knowledge and processes.

The franchisee is typically a small business owner or entrepreneur who operates the store or
franchise. The license allows the franchisee to sell a product or provide a service under the company's
name. In return, the franchisor is paid a start-up fee and ongoing licensing fees by the franchisee.
Examples of companies that use the franchise business model include United Parcel Service (UPS)
and McDonald's Corporation (MCD).

Trade Secrets

A trade secret is a company's process or practice that is not public information, which provides an
economic benefit or advantage to the company or holder of the trade secret. Trade secrets must be
actively protected by the company and are typically the result of a company's research and
development (which is why some employers require the signing of non-disclosure agreements, or
NDAs).

Examples of trade secrets could be a design, pattern, recipe, formula, or proprietary process. Trade
secrets are used to create a business model that differentiates the company's offerings to its customers
by providing a competitive advantage.

Digital Assets

Digital assets are also increasingly recognized as IP. These would include proprietary software code
or algorithms, and online digital content.

Type of IP    What it protects                                         Duration (in the U.S.)
Patents       Inventions, industrial designs, computer code            20 years from filing
Trademarks    Unique identifiers for a business or its products or     As long as the mark remains in use
              services (e.g., logos, brand names)                      and the registration is renewed
Copyrights    Works of authorship, including books, poems, films,      Life of the author plus 70 years
              music, photographs, online content

Intellectual Property Infringement

Attached to intellectual property are certain rights, known as intellectual property rights (IPR), that
may not be exercised by anyone without authorisation.

IPRs give owners the ability to bar others from recreating, mimicking and exploiting their work.

Patent infringement occurs when a legally protected patent is used by another person or company
without permission. In the U.S., patents filed before June 8, 1995 are valid for 17 years from grant,
whereas patents filed after that date are valid for 20 years from filing. Once a patent expires, anyone
may use the invention.

Copyright violations occur when an unauthorised party reproduces all or part of an original work,
such as a work of art, music or a novel. The copied content need not be an exact replica of the
original to qualify as infringement.

Similarly, trademark infringement occurs when an unauthorised party uses a registered trademark or a
mark resembling it. For example, a competitor might use a mark similar to its rival's to disrupt
business and attract its customer base. Businesses in unrelated industries may also use identical or
similar marks to capitalise on another company's strong brand image.

Trade secrets are often protected by non-disclosure agreements (NDAs). When a party to the
agreement discloses all or part of a trade secret to someone outside it, they have violated the
agreement and misappropriated the trade secret. Trade secret misappropriation is also possible where
no NDA exists, for example when the secret is obtained by theft or industrial espionage.

INTRODUCTION

In early August 2023, the Indian Parliament passed the Digital Personal Data Protection (DPDP) Act,
2023.1 The new law is the first cross-sectoral law on personal data protection in India and has been enacted after
more than half a decade of deliberations.2 The key question this paper discusses is whether this seemingly
interminable period of deliberations resulted in a "good" law: whether the law protects personal data
adequately, and in addition, whether it properly balances, as the preamble to the law states, "the right of
individuals to protect their personal data" on one hand and "the need to process such personal data for lawful
purposes" on the other.

The first part of this paper details the key features of the law and compares it to earlier versions, especially the
previous official bill introduced by the government in Parliament in 2019.3 The second part of the paper then
examines the DPDP Act from two perspectives. First, it highlights certain potentially problematic features of this
law to understand its consequences for consumers and businesses as well as the Indian state. Second, it places the
act in the context of the developments and deliberations that have taken place over the last five years or so. The
third part speculates on the key factors that will influence the development of data protection regulation in
India in the next few years.

The 2023 act is the second version of the bill introduced in Parliament, and fourth overall. An initial version was
prepared by a committee of experts and circulated for public feedback in 2018.4 This was followed by the
government's version of the bill that was introduced in Parliament in 2019, the Personal Data Protection Bill,
2019. This version was studied by a parliamentary committee that published its report in December 2021.5 The
government, however, withdrew this bill, and in November 2022, published a fresh draft for public
consultations, the draft Digital Personal Data Protection Bill, 2022.6 This draft was quite different from the
previous versions. The 2023 law is based, in significant part, on this draft. However, it has some new
provisions that are consequential for the questions this paper seeks to answer.

These four drafts were preceded by a landmark 2017 judgment by India's Supreme Court in Justice K.S.
Puttaswamy and Anr. v. Union of India and Ors.7 The judgment declared that the right to privacy is part of the
fundamental right to life in India and that the right to informational privacy is part of this right. The judgment,
however, did not describe the specific contours of the right to informational privacy, and it also did not lay down
specific mechanisms through which this right was to be protected.

Following this, the first government version of the law, the Personal Data Protection Bill, 2019, was introduced
in Parliament in December 2019. This version was expansive in scope and proposed cross-sectoral, economy-wide
data protection regulation to be overseen by an all-powerful data protection regulator, the Data Protection
Authority (DPA). The 2019 bill provided for a preventive framework.8 It imposed a number of obligations on
entities collecting personal data: to provide notice and take consent from individuals, to store accurate data in a
secure manner, and to use it only for purposes listed in the notice. Businesses were also required to delete data
once the purpose was satisfied and to provide consumers rights to access, erase, and port their data. Businesses
were required to maintain security safeguards and transparency requirements, implement "privacy by design"
requirements, and create grievance redress systems. Finally, this bill introduced an entity known as "consent
managers," who were intermediaries for collecting and providing consent to businesses on behalf of
individuals.9

The bill grouped personal data into different categories and required elevated levels of protection for "sensitive"
and "critical" personal data. Certain businesses were also to be categorized as "significant data fiduciaries," and
additional obligations were proposed for them: registration in India, data audits, and data impact assessments.
In addition, the bill imposed localization restrictions on the cross-border flows of certain categories of data. The
DPA was empowered to impose penalties on businesses for violating these requirements. The bill also proposed
to criminalize activities related to the deanonymization of individuals from anonymized datasets.

The 2019 bill exempted certain entities and businesses from notice and consent requirements under certain
circumstances: for lawful state functions, medical and health services during emergencies or epidemics,
breakdown of public order, employment-related data processing, the prevention and detection of unlawful
activity, whistleblowing, and credit recovery, among others.

The 2019 bill also had a provision to empower the government to regulate nonpersonal data. It allowed the
government to require private entities to hand over specific nonpersonal data that the government asked for as
per conditions it prescribed. In short, the 2019 bill proposed a comprehensive, cross-sectoral framework based
on preventive requirements for businesses (defined as "data fiduciaries") and rights for individuals or consumers
("data principals").

This regulatory structure was based mostly on the 2018 draft bill proposed by the Srikrishna Committee; the
committee, chaired by Justice B.N. Srikrishna, a retired Supreme Court judge, was set up by the Ministry of
Electronics & Information Technology in July 2017 to help frame data protection norms. The recommendations
of this committee, in turn, were based on major regulatory developments that were popular while the work of
the committee was proceeding. Primary among these was the European Union's (EU's) General Data Protection
Regulation (GDPR).10 While the general preventive framework of the 2019 bill was welcome, its expansive
scope was problematic. It created a number of significant compliance requirements that would have affected
both big and small firms in the economy. It also proposed the creation of a DPA that had significant
regulation-making and supervisory powers. These regulations would have further detailed the already significant
compliance requirements in the bill. The novelty of the law and the lack of prior experience in implementing a
data protection law of this nature would have created serious risks of overregulation or under-regulation.11

The DPDP Act is based on the draft proposed by the government in November 2022, which adopted a radically
different approach to data protection regulation.12 The next section details the key provisions of the act.

KEY FEATURES OF THE DPDP ACT, 2023

Compared to the 2019 version of the bill, the DPDP Act, 2023 is more modest: it imposes fewer obligations on businesses and provides fewer protections to consumers. On the one hand, the regulatory structure is simpler; on the other, it vests the central government with unguided discretionary powers in some cases.

Applicability to Non-residents

The DPDP Act applies to Indian residents and to businesses collecting the data of Indian residents. Interestingly, it also applies to non-citizens living in India whose data is processed outside India “in connection with any activity related to offering of goods or services” within India.13 This has implications for, say, a U.S. citizen residing in India who is provided digital goods or services within India by a provider based outside India.

Purposes of Data Collection and Processing

The 2023 act allows personal data to be processed for any lawful purpose.14 The entity processing data may do so either with the consent of the individual concerned or for “legitimate uses,” a term that the law itself defines.

Consent must be “free, specific, informed, unconditional and unambiguous with a clear affirmative action” and given for a specific purpose. The data collected must be limited to what is necessary for that specified purpose. A clear notice containing these details, including the rights of the individual concerned and the grievance redress mechanism, has to be provided to consumers. Individuals have the right to withdraw consent where consent is the ground on which their data is being processed.


Legitimate uses are defined as:

(a) a situation where an individual has voluntarily provided personal data for a specified purpose;
(b) the provisioning of any subsidy, benefit, service, license, certificate, or permit by any agency or department of the Indian state, if the individual has previously consented to receiving any other such service from the state (this is a potential issue, since it enables different government agencies providing these services to access personal data stored with other agencies of the government);15
(c) sovereignty or security;
(d) fulfilling a legal obligation to disclose information to the state;
(e) compliance with judgments, decrees, or orders;
(f) a medical emergency, a threat to life, an epidemic, or a threat to public health; and
(g) a disaster or breakdown of public order.16

Rights of Users/Consumers of Data-Related Products and Services

The DPDP Act also creates rights and obligations for individuals.17 The rights include the right to obtain a summary of all the collected data and to know the identities of all other data fiduciaries and data processors with whom the personal data has been shared, along with a description of the data shared. Individuals also have the right to correction, completion, updating, and erasure of their data. Besides, they have a right to obtain redress for their grievances and a right to nominate persons who will exercise these rights on their behalf in the event of their death or incapacity.

Obligations on Data Fiduciaries

Entities responsible for collecting, storing, and processing digital personal data are defined as data fiduciaries and have defined obligations. These include:

(a) maintaining reasonable security safeguards to prevent a personal data breach;
(b) ensuring the completeness, accuracy, and consistency of personal data;
(c) intimating any personal data breach, in the prescribed manner, to the Data Protection Board of India (DPB) and to each affected individual;
(d) erasing personal data on withdrawal of consent or once the specified purpose has been served;
(e) appointing a data protection officer or other contact person and setting up a grievance redress mechanism; and
(f) obtaining the verifiable consent of the parent or lawful guardian before processing the personal data of children (those under eighteen years of age).

The DPDP Act also states that any processing likely to have a detrimental effect on the well-being of a child is not permitted, and it prohibits tracking, behavioral monitoring, and targeted advertising directed at children.18 The government can prescribe exemptions from these child-data requirements for specified purposes. This is potentially a problem, since the power to exempt is broad and not accompanied by any guidelines.

While the 2023 act retains the broad categories of obligations for the most part, the key difference from the 2019 bill is the absence of any scope for a regulator, the DPA, to make detailed regulations on these obligations. In addition, the substantive requirements under each of these categories have been reduced.

There is an additional category of data fiduciaries known as significant data fiduciaries (SDFs). The government will designate data fiduciaries as SDFs based on certain criteria: the volume and sensitivity of the data processed and the risks to data protection rights, sovereignty and integrity, electoral democracy, security, and public order.19

SDFs will have additional obligations that include: (a) appointing a data protection officer based in India, who will be answerable to the board of directors or the governing body of the SDF and will also serve as the point of contact for grievance redressal; and (b) conducting data protection impact assessments and audits and taking other measures as prescribed by the government. The 2019 bill required that SDFs register in India; this requirement has been removed from the 2023 act.

Moderation of Data Localization Requirements

The 2023 law reverses course on the issue of data localization. While the 2019 bill restricted certain data flows, the 2023 law only states that the government may, by notification, restrict transfers of personal data to certain countries. Although this is not made explicit, the power to restrict data flows appears intended to give the government the legal footing it needs for national security purposes. The law also states that this will not affect measures taken by sector-specific regulators that have imposed, or may impose, localization requirements. For example, the Reserve Bank of India’s localization requirements for payment system data will continue to be legally valid.

Exemptions From Obligations Under the Law

The law provides exemptions from consent and notice requirements, as well as from most obligations of data fiduciaries and related requirements, in certain cases: (a) where processing is necessary for enforcing any legal right or claim; (b) where personal data has to be processed by courts or tribunals, or for the prevention, detection, investigation, or prosecution of any offense; (c) where the personal data of non-Indian residents is being processed within India; and so on.20

In addition, the law exempts certain purposes and entities completely from its purview.21 These include:

1. Processing in the interests of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order, or preventing incitement to any cognizable offense. This will allow investigative and security agencies to remain outside the purview of this law.

2. Data processing necessary for research, archiving, or statistical purposes, if the personal data is not to be used to take any decision specific to a data principal.

3. The government can exempt certain classes of data fiduciaries, including startups, from some provisions: notice, completeness, accuracy, consistency, and erasure.

4. One problematic provision allows the government to, “before expiry of five years from the date of commencement of this Act,” declare that any provision of this law shall not apply to such data fiduciary or classes of data fiduciaries for such period as may be specified in the notification. This is a significant and wide discretionary power, and it is not circumscribed by any guidance on the basis for such exemption, the categories that may be exempted, or the time period for which such exemptions can operate.


New Regulatory Structure for Regulating Data Privacy

The 2023 law completely changes the proposed regulatory institutional design. The 2019 bill proposed an independent regulatory agency. The DPA was proposed on the lines of similar agencies in many EU countries that function independently of government and implement the GDPR. The proposed Indian DPA was arguably more powerful, since it was to have much more extensive regulation-making powers than DPAs under the GDPR. In addition to framing regulations, the DPA would have been responsible for framing codes of conduct for businesses, investigating cases of noncompliance, collecting supervisory information, and imposing penalties on businesses.

In contrast, the 2023 law establishes the DPB.22 The board is not a regulatory entity and is very different from the DPA. Compared to the latter, the board has a limited mandate: to oversee the prevention of data breaches and direct remedial action, and to conduct inquiries and impose penalties for noncompliance with the law.23 The board has no power to frame regulations or codes of conduct, or to call for information in order to supervise the workings of businesses; it can call for information only in the course of conducting an inquiry.

The members of the board will be appointed by the government, and the terms and conditions of their service will be prescribed in rules made by the government.24 The law states that these terms and conditions cannot be varied to a member’s disadvantage during their tenure.

The law allows the board to impose monetary penalties of up to 250 crore rupees (approximately $30.5 million).25 Appeals from the board’s orders will go to an existing tribunal, the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). In addition to monetary penalties, the act allows data fiduciaries to give voluntary undertakings to the board as a form of settlement of any complaints against them.26 The board is therefore a very different institution in design from the DPA.

Finally, the 2023 law contains a novel provision not included or discussed in any previous version. This is Section 37, which allows the government, based on a reference from the board, to block the public’s access to any information that enables a data fiduciary to provide goods or services in India. This has to be based on two criteria: (a) the board has imposed penalties against the data fiduciary on two or more prior occasions, and (b) the board has recommended a blockage. The government has to give the data fiduciary an opportunity to be heard before taking such action.


ANALYZING THE DPDP ACT, 2023

This section analyzes the 2023 act from two perspectives. First, it explains the broad structure of the law and highlights its key features and issues. Second, it contextualizes the law against the different drafts proposed before it and elaborates upon the deliberations that have led to it.

How Well Does the DPDP Act, 2023, Protect Privacy?

The 2023 act creates, for the first time, a data privacy law in India. It requires consent to be taken before personal data is processed and provides a limited number of exceptions that are clearly enumerated in the law. It gives consumers the right to access, correct, update, and erase their data, in addition to a right of nomination. It creates additional safeguards for the processing of children’s data. For businesses, it creates purpose limitations and obligations to give notice of data collection and processing, and it mandates security safeguards. The law requires businesses to create grievance redress mechanisms. The DPB will also handle complaints and grievances and is empowered to impose penalties for noncompliance with the law.

For the first time, therefore, India has a statutory framework for data protection. The presence of the law will gradually lead to the development of minimal standards of behavior and compliance among businesses that collect data. In this regard, the approach of the government toward implementing and enforcing the law will be the critical variable; for example, whether implementation will be focused on data-heavy businesses or across the economy is an important factor.

However, apart from open questions related to implementation, there are some concerns with different provisions of the law and their potential for undermining the protections seemingly accorded in it.

First, the exceptions carved out from consent empower the state significantly and place state imperatives on a different pedestal from those of private entities. While this may be genuinely legitimate in some circumstances, such as disasters or emergencies, the law enlarges the scope of such circumstances. For example, Section 7(b) of the law enables the government to sidestep consent requirements where a beneficiary of a government service has previously consented to receiving any other benefit from the state. While this may allow easier access to the personal data of beneficiaries for the delivery of government services, it also creates the potential for the government to aggregate databases, because making full use of this provision would require government agencies to be exempted from the purpose limitations that require personal data to be deleted once the purpose for which it was collected has been served.

Another example of this is the set of exemptions granted to the state for investigative, prosecutorial, and national security purposes. In Section 17(1)(c), the law exempts processing for the “prevention, detection, investigation or prosecution of any offence or contravention of any law” from the requirements of notice and consent, among others.27 While this is understandable, Section 17(2)(a) subsequently provides a blanket exemption from the whole law to any government agency that the government may notify, in the interests of sovereignty, security, integrity, public order, and preventing incitement. Given that Section 17(1)(c) already exists, Section 17(2)(a) only indicates the desire of Parliament to ensure a complete non-application of the data protection law to certain state agencies.

Provisions like these create a separate category of activity that is beyond the purview of data privacy requirements. It is problematic that the Indian state is not subject to many of the constraints that private entities are, especially in cases where there is no pressing requirement for such an exception.

Second, the discretionary rule-making powers that the government has under the law could, in some cases, undermine the protections provided in the law. For example, under Section 17(5), the government has the power to declare, within five years of the commencement of the law, that any provision of the law will not apply to any business or class of businesses. There is no time frame for the operation of this exemption, nor any guidance on how the provision is to be used. An optimistic interpretation would suggest that it could be used to allow sunrise industries or startups some time to comply with the law. However, provision for this has already been made in Section 17(3), which provides limited exemptions to startups and other industries the government may notify. Therefore, Section 17(5) could potentially be used in a manner that defeats the purpose of the law. It is worth reiterating that the law only limits the government’s power to grant these exemptions to an initial period of five years; it does not limit how long the exemptions themselves can last.

Similarly, the government has some unguided rule-making powers for exempting businesses from certain requirements regarding the processing of children’s data. Sections 9(1) to 9(3) specify those requirements: they require parental consent and prohibit tracking, behavioral monitoring, and targeted advertising, among others. Section 9(4) allows the government to exempt any business or class of businesses from Sections 9(1) to 9(3) “subject to such conditions, as may be prescribed.” This provision, again, fails to indicate on what grounds the exemption will be given, how the conditions are to be determined, and so on. Since there is a lack of sufficient guidance, this provision is also open to misuse.

While there are other provisions where the government has powers to prescribe conditions and make substantive rules, the examples highlighted above provide almost no guidance. This is also problematic when judged against the tenets of Indian administrative law, which require that laws should not confer unguided and excessive discretion on the implementing authority.28 If improperly used, such legal provisions are potentially in violation of the Indian Constitution.


Third, the design of the DPB is problematic. The board is an independent agency with a limited mandate, and the government will create the mechanisms for the selection and appointment of its members. While the law sets out qualifications for members, it does not state how many members the board shall have, and it requires only one of them to be a legal expert. This last point is a problem, since one of the board’s main functions is to issue penalties and directions for noncompliance.

In addition, the chairperson of the DPB is empowered to authorize any board member to perform “any of the functions of the board and conduct any of its proceedings.” It is possible that the chairperson may not authorize the legal member of the board to conduct the proceedings leading up to the imposition of a penalty. This design also fails to maintain an internal separation of functions between the members conducting inquiries and the chairperson. Since the chairperson appoints the members who conduct inquiries, those members may not discharge this function impartially in all cases.

Therefore, while the DPDP Act creates data privacy protections in law for the first time, certain provisions in the law can effectively undermine its benefits if the government does not act under them in the most scrupulous manner possible.

UNCITRAL Model Law

The United Nations Commission on International Trade Law (UNCITRAL) is a subsidiary body of the United Nations General Assembly. It was established by the General Assembly in 1966 (Resolution 2205 (XXI) of 17 December 1966) with the general mandate to further the progressive harmonization and unification of the law of international trade. UNCITRAL facilitates international commerce through the modernization of trade rules and the harmonization of commercial laws, primarily through the drafting of treaties, model laws, and explanatory texts. These documents are prepared by ad hoc committees of subject specialists known as working groups.

Since its inception, UNCITRAL’s Working Group on Electronic Commerce has produced one treaty, three model laws, and two explanatory texts:

Treaty

• Convention on the Use of Electronic Communications in International Contracts (2005)

Model Laws

• Model Law on Electronic Commerce (1996)
• Model Law on Electronic Signatures (2001)
• Model Law on Electronic Transferable Records (2017)

Explanatory Texts

• Notes on the Main Issues of Cloud Computing Contracts (2019)
• Promoting Confidence in Electronic Commerce: Legal Issues on International Use of Electronic Authentication and Signature Methods (2007)

UNCITRAL publishes the full text of each of these instruments, together with an explanatory note for the convention and a guide to enactment for each model law, and maintains a status list showing which states have ratified the convention or enacted legislation based on each model law.

UNCITRAL Working Group on Online Dispute Resolution

UNCITRAL’s Working Group on Online Dispute Resolution met from 2010 to 2016. Although it did not produce any treaties or model laws, the Working Group did publish its Technical Notes on Online Dispute Resolution.
UNCITRAL has prepared a suite of legislative texts to enable and facilitate the use of electronic means to engage in
commercial activities, which have been adopted in over 100 States.

The most widely enacted text is the UNCITRAL Model Law on Electronic Commerce (1996), which establishes rules for
the equal treatment of electronic and paper-based information, as well as the legal recognition of electronic transactions
and processes, based on the fundamental principles of non-discrimination against the use of electronic means, functional
equivalence and technology neutrality. The UNCITRAL Model Law on Electronic Signatures (2001) provides additional
rules on the use of electronic signatures.

The United Nations Convention on the Use of Electronic Communications in International Contracts (New York, 2005)
builds on pre-existing UNCITRAL texts to offer the first treaty that provides legal certainty for electronic contracting in
international trade.

Most recently, the UNCITRAL Model Law on Electronic Transferable Records (2017) applies the same principles to
enable and facilitate the use in electronic form of transferable documents and instruments, such as bills of lading, bills of
exchange, cheques, promissory notes and warehouse receipts.

In 2019, UNCITRAL approved the publication of Notes on the Main Issues of Cloud Computing Contracts, while
continuing work towards a new instrument on the use and cross border recognition of electronic identity management
services (IdM services) and authentication services (trust services).

Significant work in cooperation with other organizations has also been conducted in the field of legal aspects of single
windows and paperless trade facilitation. The results of joint work with United Nations ESCAP in that field include the
online Readiness Assessment Guide for Cross-Border Paperless Trade.

Recent advances in information and communications technology and the emergence of new technologies in digital trade
pose new legal questions. Accordingly, UNCITRAL continues its efforts to legally enable emerging technologies such as
artificial intelligence, data transactions, digital platforms and digital assets, including in connection with other areas of
work such as dispute resolution, security interests, insolvency and the international transport of goods, as well as, more
generally, digital trade.
Phishing

Company Overview: XYZ Corporation is a global technology company specializing in software development
and IT services.
Incident Overview: In [Month, Year], XYZ Corporation fell victim to a sophisticated phishing attack that
compromised sensitive information and raised concerns about cybersecurity.
Background:
Attack Vector: The attackers utilized email as the primary vector, sending seemingly legitimate messages to
employees.
Social Engineering Tactics: The phishing emails employed tactics such as urgency, fear, and authority to
manipulate employees into divulging confidential information or performing unauthorized actions.
Timeline of Events:
Initial Phishing Emails: Employees began receiving emails appearing to be from internal departments or trusted
external entities, requesting urgent actions or information.
Clicking on Malicious Links: Some employees unknowingly clicked on links within the emails, leading them to
deceptive websites designed to mimic legitimate login portals.
Credentials Compromised: Employees who entered their credentials on these fake portals unwittingly provided
the attackers with access to their accounts.
Detection and Response:
Internal Alerts: The IT security team detected unusual activities, including multiple login attempts from
unfamiliar locations and multiple failed login attempts.
Incident Response: XYZ Corporation promptly initiated an incident response plan, isolating compromised
accounts, resetting passwords, and investigating the extent of the breach.
Impact:
Data Breach: The attackers gained access to sensitive company data, including client information, intellectual
property, and employee credentials.
Financial Loss: XYZ Corporation suffered financial losses due to the costs associated with incident response,
legal actions, and potential damage to the company's reputation.
Mitigation and Remediation:
Employee Training: XYZ Corporation implemented extensive cybersecurity awareness training for all
employees, emphasizing the identification of phishing attempts and the importance of verifying emails.
Enhanced Email Filtering: The company upgraded its email filtering systems to better detect and block phishing
emails before reaching employee inboxes.
Multi-Factor Authentication (MFA): MFA was enforced across all employee accounts to add an extra layer of
security.
Lessons Learned:
Continuous Education: Regular training and awareness programs are essential to keep employees informed
about evolving phishing tactics.
Technology Enhancements: Regularly updating and improving cybersecurity infrastructure is crucial to stay
ahead of sophisticated phishing attacks.
Incident Response Preparedness: Having a robust incident response plan in place can minimize the impact of a
phishing attack and expedite recovery.
Conclusion:
XYZ Corporation's experience with the phishing attack underscored the importance of proactive cybersecurity
measures and continuous employee education. By implementing stronger security protocols and fostering a
culture of vigilance, the company aims to mitigate the risk of future phishing incidents.
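The "Detection and Response" step above says the IT security team noticed multiple failed login attempts and logins from unfamiliar locations. The following is an added example, not part of the original case study or any XYZ Corporation system, of what that detection logic looks like when run over an authentication log. The log lines, the per-user list of known countries, and the thresholds (five failures within five minutes) are all constructed for the example.

```python
"""Added example: flag the login anomalies described in the phishing case
study (bursts of failed logins, and successful logins from locations a
user has never used before) in a constructed authentication log."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not real data. One event per line:
# <ISO timestamp> <user> <source IP> <country of source IP> <result>
SAMPLE_LOG = """\
2024-03-04T08:01:10Z alice 203.0.113.7 IN SUCCESS
2024-03-04T08:05:42Z bob 203.0.113.9 IN SUCCESS
2024-03-04T21:14:03Z alice 198.51.100.23 RO FAILURE
2024-03-04T21:14:09Z alice 198.51.100.23 RO FAILURE
2024-03-04T21:14:15Z alice 198.51.100.23 RO FAILURE
2024-03-04T21:14:21Z alice 198.51.100.23 RO FAILURE
2024-03-04T21:14:27Z alice 198.51.100.23 RO FAILURE
2024-03-04T21:14:40Z alice 198.51.100.23 RO SUCCESS
2024-03-05T09:00:00Z bob 203.0.113.9 IN SUCCESS
"""

# Countries each user has logged in from historically (in practice built
# from weeks of prior logs). Constructed for the example.
KNOWN_COUNTRIES = {"alice": {"IN"}, "bob": {"IN"}}

FAIL_THRESHOLD = 5                  # failures per user that count as a burst
FAIL_WINDOW = timedelta(minutes=5)  # assumed window; tune to the environment


def parse_line(line):
    ts, user, ip, country, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, country, result


def detect(log_text, known_countries, fail_threshold=FAIL_THRESHOLD,
           fail_window=FAIL_WINDOW):
    """Return (alert_type, user, detail) tuples in log order."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failures

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, ip, country, result = parse_line(raw)
        window = failures[user]
        while window and ts - window[0] > fail_window:
            window.popleft()        # forget failures older than the window

        if result == "FAILURE":
            window.append(ts)
            if len(window) == fail_threshold:   # fire once per burst
                alerts.append(("failure_burst", user,
                               f"{fail_threshold} failures from {ip} within {fail_window}"))
        elif result == "SUCCESS":
            if country not in known_countries.get(user, set()):
                alerts.append(("unfamiliar_location", user,
                               f"login from {ip} ({country}) never seen for this user"))
            if len(window) >= fail_threshold:
                # A success right after a burst of failures from the same
                # source means the attacker found a working credential:
                # treat the account as compromised, not merely targeted.
                alerts.append(("success_after_burst", user,
                               f"login from {ip} after {len(window)} failed attempts"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, KNOWN_COUNTRIES):
        print(*alert)
```

On the sample log this produces three alerts, all for alice: the failure burst at 21:14, the successful login from a country she has never used, and the success immediately following the burst. The third signal is the one worth paging on, since it marks the point at which credentials (phished or guessed) actually worked; the response described in the case study, isolating the account and resetting the password, follows from it.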

Malware

Organization Overview: ABC Bank is a leading financial institution providing a wide range of banking and
financial services.
Incident Overview: In [Month, Year], ABC Bank experienced a significant cybersecurity incident involving the
infiltration of malware, which posed a threat to the security of sensitive customer data and the overall stability of
the bank's systems.
Background:
Attack Vector: The malware entered the bank's network through a malicious attachment in an email that the bank's email filtering system failed to block.
Type of Malware: The malware was identified as a sophisticated banking Trojan designed to steal financial information and gain unauthorized access to banking systems.
Timeline of Events:
Email Attachment: Employees received seemingly legitimate emails with attachments that purported to be
important documents related to banking regulations.

Malicious Payload Execution: Upon opening the attachment, the malware executed, evading initial detection by exploiting known but unpatched vulnerabilities in the bank's outdated software.

Data Exfiltration: The malware successfully infiltrated the bank's systems, exfiltrating sensitive customer
information, including login credentials and financial transaction data.

Detection and Response:


Anomaly Detection: Unusual network activities and a sudden increase in data exfiltration triggered alarms in the
bank's security monitoring systems.
Incident Response: ABC Bank's cybersecurity team promptly initiated an incident response plan, isolating
affected systems, disconnecting compromised devices, and assessing the extent of the malware's impact.

Impact:
Financial Loss: The bank suffered financial losses due to unauthorized transactions initiated by the malware,
impacting both individual customers and the bank's overall assets.
Reputation Damage: The incident led to a loss of trust among customers and stakeholders, impacting the bank's
reputation in the market.
Mitigation and Remediation:
System Patching: ABC Bank immediately implemented software updates and patches to address the
vulnerabilities exploited by the malware.
Enhanced Email Security: The bank upgraded its email filtering system to better detect and block malicious
attachments, reducing the risk of similar incidents in the future.
Customer Communication: ABC Bank proactively communicated with affected customers, providing guidance
on securing their accounts and offering credit monitoring services.

Lessons Learned:
Regular Vulnerability Assessments: Conducting regular vulnerability assessments and promptly applying
patches can significantly reduce the risk of malware infiltration.
Employee Training: Continuous training on recognizing phishing emails and avoiding the opening of suspicious
attachments is crucial to prevent malware infections.
Incident Response Improvement: Regular testing and refinement of incident response plans are necessary to
ensure a swift and effective response to cybersecurity incidents.

Conclusion:
The malware incident at ABC Bank highlighted the persistent and evolving threats faced by financial
institutions. By implementing robust cybersecurity measures, staying vigilant against emerging threats, and
maintaining open communication with customers, the bank aims to fortify its defenses and rebuild trust in the
aftermath of the incident.
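The detection step in the malware case study says that "a sudden increase in data exfiltration" tripped the bank's monitoring. The following is an added example, not part of the original case study or any ABC Bank tooling, of a baseline-deviation check that produces exactly that alert from daily per-host outbound flow summaries. The flow records, the baseline length (five days) and the thresholds (three standard deviations and a five-times-the-mean ratio guard) are assumptions made for the example.

```python
"""Added example: flag a host whose outbound traffic jumps far above its
own baseline, or goes to a destination it has never contacted, the
signals that tripped the bank's monitoring in the malware case study."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily flow summaries, not real telemetry:
# (host, day, external destination IP, bytes sent)
FLOWS = [
    ("ws-101", 1, "203.0.113.50", 1_200_000),
    ("ws-101", 2, "203.0.113.50", 1_350_000),
    ("ws-101", 3, "203.0.113.50", 1_100_000),
    ("ws-101", 4, "203.0.113.50", 1_300_000),
    ("ws-101", 5, "203.0.113.50", 1_250_000),
    ("ws-101", 6, "203.0.113.50", 1_200_000),
    ("ws-101", 6, "198.51.100.77", 48_000_000),   # new destination, ~40x normal volume
    ("ws-102", 1, "203.0.113.50", 900_000),
    ("ws-102", 2, "203.0.113.50", 950_000),
    ("ws-102", 3, "203.0.113.50", 870_000),
    ("ws-102", 4, "203.0.113.50", 1_000_000),
    ("ws-102", 5, "203.0.113.50", 920_000),
    ("ws-102", 6, "203.0.113.50", 1_030_000),     # busy day, still within normal spread
]


def detect_exfiltration(flows, baseline_days, sigma=3.0, min_ratio=5.0):
    """Return (host, day, alert_type, detail) tuples for days after the
    baseline period.

    A host's day is flagged when its outbound total exceeds BOTH
    mean + sigma*stdev of its baseline days AND min_ratio times the mean
    (the ratio guard stops a near-constant baseline from flagging noise),
    or when it sends to a destination absent from its baseline days.
    """
    daily = defaultdict(lambda: defaultdict(int))          # host -> day -> bytes
    destinations = defaultdict(lambda: defaultdict(set))   # host -> day -> dst IPs
    for host, day, dst, nbytes in flows:
        daily[host][day] += nbytes
        destinations[host][day].add(dst)

    alerts = []
    for host in sorted(daily):
        base_days = [d for d in daily[host] if d <= baseline_days]
        if len(base_days) < 2:
            continue                                       # not enough history to judge
        base = [daily[host][d] for d in base_days]
        mu, sd = mean(base), pstdev(base)
        known_dsts = set().union(*(destinations[host][d] for d in base_days))

        for day in sorted(d for d in daily[host] if d > baseline_days):
            total = daily[host][day]
            if total > mu + sigma * sd and total > min_ratio * mu:
                alerts.append((host, day, "volume_spike",
                               f"{total} bytes vs baseline mean {mu:.0f}"))
            new = destinations[host][day] - known_dsts
            if new:
                alerts.append((host, day, "new_destination", ", ".join(sorted(new))))
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(FLOWS, baseline_days=5):
        print(*alert)
```

With the constructed data, ws-101 is flagged twice on day 6 (a volume spike and a never-before-seen destination) while ws-102's busier-than-usual day stays under its threshold. The per-host baseline is the point: a fixed byte limit across the fleet would either miss a quiet workstation leaking a few hundred megabytes or drown in alerts from file servers that legitimately move that much every day.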

Ransomware
Introduction:
Organization Overview: XYZ Healthcare System is a large medical institution that provides a broad range of
healthcare services, including patient care, research, and education.
Incident Overview: In [Month, Year], XYZ Healthcare System fell victim to a devastating ransomware attack,
compromising critical patient data, disrupting operations, and posing a significant threat to the organization's
ability to deliver healthcare services.
Background:
Attack Vector: The ransomware was introduced through a targeted phishing email, tricking an employee into
clicking on a malicious link that initiated the download of the ransomware payload.
Type of Ransomware: The attackers employed a sophisticated strain of ransomware that encrypted files across
the healthcare system's network, rendering them inaccessible.
Timeline of Events:
Phishing Email: An employee in the finance department received an email that appeared to be from a trusted
vendor, containing a seemingly innocuous invoice attachment.
Ransomware Execution: Upon opening the attachment, the ransomware was activated, quickly spreading
through the network and encrypting critical patient records, administrative files, and research data.
Ransom Demand: The attackers left a ransom note demanding a substantial sum of cryptocurrency in exchange
for the decryption key required to restore access to the encrypted data.
Detection and Response:
File Encryption Alerts: Unusual patterns of file access and encryption triggered alerts in the healthcare system's
security monitoring systems.
Incident Response: The IT and security teams swiftly isolated affected systems, shut down network connections
to prevent further spread, and engaged law enforcement agencies.
Impact:
Operational Disruption: The ransomware attack disrupted normal hospital operations, leading to delayed patient
care, canceled appointments, and a halt in non-emergency medical procedures.
Data Loss and Privacy Concerns: The encrypted data included sensitive patient information, raising concerns
about potential data loss and privacy breaches.
Mitigation and Remediation:
Data Restoration: The healthcare system opted not to pay the ransom and instead focused on restoring systems from backups, which had been taken regularly and stored securely offline, out of the attackers' reach.
Enhanced Security Measures: XYZ Healthcare System implemented advanced cybersecurity measures,
including endpoint protection, network segmentation, and regular security audits.
Employee Training: The organization conducted extensive training programs to educate employees on
recognizing and avoiding phishing attempts.

Lessons Learned:
Regular Backup Practices: Regularly backing up critical data and ensuring the availability of offline backups is
essential for swift recovery without succumbing to ransom demands.
Employee Vigilance: Continuous training and awareness programs for employees can help in identifying and
mitigating the risks associated with phishing attacks.
Collaboration with Law Enforcement: Prompt collaboration with law enforcement agencies can aid in tracking
and apprehending the perpetrators.

Conclusion:
The ransomware attack on XYZ Healthcare System underscored the critical need for robust cybersecurity
measures in the healthcare sector. By leveraging the lessons learned from this incident, the organization is
committed to strengthening its defenses, safeguarding patient data, and ensuring the uninterrupted delivery of
healthcare services.

Cyber Extortion

Introduction:
Company Overview: A leading global manufacturing company, referred to as ABC Manufacturing, specializing
in the production of automotive components and industrial machinery.
Incident Overview: In [Month, Year], ABC Manufacturing experienced a cyber extortion attack that involved the
compromise of sensitive intellectual property, disruption of production processes, and a demand for a substantial
ransom.
Background:
Attack Vector: The cybercriminals gained access to ABC Manufacturing's network through a combination of
targeted phishing emails and exploiting vulnerabilities in outdated software.
Type of Cyber Extortion: The attackers utilized ransomware to encrypt critical manufacturing process data,
threatening to release proprietary information if the ransom was not paid.
Timeline of Events:
Phishing and Initial Access: Employees across various departments received phishing emails containing
malicious attachments. Once opened, these attachments delivered malware, granting the attackers initial access
to the company's network.
Lateral Movement and Data Encryption: The cybercriminals moved laterally within the network, identifying and
encrypting crucial manufacturing process data, rendering it inaccessible to the company.
Ransom Note and Threats: Following the successful encryption, ABC Manufacturing received a ransom note
demanding a significant sum in cryptocurrency. The note threatened to expose sensitive company information if
the ransom was not paid within a specified timeframe.
Detection and Response:
Abnormal Network Activity: Unusual patterns of data access and encryption triggered alerts in ABC
Manufacturing's security systems.
Incident Response: The company's cybersecurity team, in collaboration with external cybersecurity experts,
isolated affected systems, shut down network connections, and initiated an investigation into the extent of the
breach.
Impact:
Operational Disruption: The ransomware attack resulted in significant disruption to ABC Manufacturing's
production processes, leading to delays in fulfilling client orders and potential financial losses.
Intellectual Property Exposure: The threat of releasing proprietary manufacturing data could have severe
consequences for the company's competitive edge in the market.
Mitigation and Remediation:
Non-Payment Decision: ABC Manufacturing opted not to pay the ransom, prioritizing the restoration of systems
from secure backups.
Enhanced Security Measures: The company implemented advanced endpoint protection, network segmentation,
and regular penetration testing to identify and address vulnerabilities.
Employee Training: ABC Manufacturing conducted comprehensive training sessions for employees,
emphasizing the importance of cybersecurity awareness and the identification of phishing attempts.
Lessons Learned:
Comprehensive Security Audits: Regularly conducting thorough security audits can help identify and patch
vulnerabilities before they are exploited.
Backup and Recovery Planning: Maintaining secure and regularly updated backups ensures a quick recovery
from cyber extortion incidents without succumbing to ransom demands.
Crisis Communication Planning: Preparing for effective communication with stakeholders, including customers
and regulatory bodies, is crucial in managing the fallout from a cyber extortion attack.
Conclusion:
The cyber extortion incident at ABC Manufacturing highlighted the ever-present threat of ransomware and the
importance of proactive cybersecurity measures. By learning from this experience, the company is committed to
fortifying its defenses, safeguarding its intellectual property, and ensuring the resilience of its manufacturing
processes against future cyber threats.
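
Both case studies above (XYZ Healthcare System and ABC Manufacturing) say the incident was first noticed because "unusual patterns of file access and encryption triggered alerts". The following script is an added example of what such an alert rule can look like; it is not code from the case studies or from any real organisation. It reads constructed file-audit log lines (timestamp, host, user, action, path) and raises one alert per host/user pair that, inside a 60-second sliding window, renames at least five files to a ransomware-style extension or writes more than fifty files. The extension list, the thresholds and the log format are all assumptions chosen for the example.

```python
"""Sliding-window detector for mass file-encryption activity (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Assumed list of extensions that file crypters append; tune for your environment.
RANSOM_EXTENSIONS = {".locked", ".enc", ".crypt", ".encrypted"}

# Constructed audit lines in the form "<iso-timestamp> <host> <user> <ACTION> <path>".
# bjones does ordinary work on ws-04; asmith's session on ws-17 renames many
# patient files to .locked within a few seconds. None of this is real data.
SAMPLE_LOG = """\
2024-03-01T08:55:10 ws-04 bjones WRITE /srv/records/admin/schedule.xlsx
2024-03-01T08:58:42 ws-04 bjones RENAME /srv/records/admin/report_v2.docx
2024-03-01T09:00:01 ws-17 asmith RENAME /srv/records/patients/1001.docx.locked
2024-03-01T09:00:02 ws-17 asmith RENAME /srv/records/patients/1002.docx.locked
2024-03-01T09:00:02 ws-17 asmith RENAME /srv/records/patients/1003.docx.locked
2024-03-01T09:00:03 ws-17 asmith RENAME /srv/records/patients/1004.docx.locked
2024-03-01T09:00:04 ws-17 asmith RENAME /srv/records/patients/1005.docx.locked
2024-03-01T09:00:05 ws-17 asmith RENAME /srv/records/patients/1006.docx.locked
2024-03-01T09:00:05 ws-17 asmith RENAME /srv/records/patients/1007.docx.locked
2024-03-01T09:00:06 ws-17 asmith RENAME /srv/records/patients/1008.docx.locked
2024-03-01T09:02:15 ws-04 bjones WRITE /srv/records/admin/minutes.docx
"""


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    action: str
    path: str


def parse_line(line: str) -> Event:
    """Split one audit line into its fields; the path may contain spaces."""
    ts, host, user, action, path = line.split(maxsplit=4)
    return Event(datetime.fromisoformat(ts), host, user, action, path)


def is_extension_swap(path: str) -> bool:
    """True when the (new) file name ends in a known ransomware extension."""
    return PurePosixPath(path).suffix.lower() in RANSOM_EXTENSIONS


def detect(lines, window=timedelta(seconds=60), rename_threshold=5, write_threshold=50):
    """Return one alert dict per (host, user) whose activity crosses a threshold.

    Two independent sliding windows are kept per actor: extension-changing
    renames (crypters that append an extension) and raw write volume
    (crypters that encrypt in place). An actor is reported only once.
    """
    renames = defaultdict(deque)
    writes = defaultdict(deque)
    alerts, alerted = [], set()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_line(line)
        key = (ev.host, ev.user)
        if ev.action == "RENAME" and is_extension_swap(ev.path):
            queue = renames[key]
        elif ev.action == "WRITE":
            queue = writes[key]
        else:
            continue  # reads, deletes, ordinary renames are not counted
        queue.append(ev.ts)
        while queue and ev.ts - queue[0] > window:
            queue.popleft()  # drop events that fell out of the window
        if key in alerted:
            continue
        if len(renames[key]) >= rename_threshold:
            reason, count, first = "extension-swap renames", len(renames[key]), renames[key][0]
        elif len(writes[key]) >= write_threshold:
            reason, count, first = "high write volume", len(writes[key]), writes[key][0]
        else:
            continue
        alerts.append({"host": ev.host, "user": ev.user, "reason": reason,
                       "count": count, "first_seen": first.isoformat()})
        alerted.add(key)
    return alerts


def run_sample():
    """Run the detector over the constructed log above."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The alert fires on the fifth rename, not after the whole burst, which is the property an isolation playbook needs: the response in both case studies (disconnect the host, cut network connections) is only useful while most files are still intact. A real deployment would feed the same logic from the file server's audit log or an EDR agent and would allowlist known bulk writers such as backup services before trusting the write-volume rule.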

Corporate Espionage Through Spyware

Introduction:
Company Overview: XYZ Corporation is a multinational technology company specializing in software
development, cloud services, and data analytics.
Incident Overview: In [Month, Year], XYZ Corporation fell victim to a sophisticated corporate espionage
campaign involving the deployment of spyware. The attack aimed to gain unauthorized access to proprietary
software codes, research data, and confidential business strategies.
Background:
Attack Vector: The spyware was introduced into XYZ Corporation's network through targeted phishing emails
that exploited the trust and curiosity of employees.
Type of Spyware: The attackers utilized a custom-designed spyware variant capable of keylogging, screen
capturing, and exfiltrating sensitive data without raising suspicion.
Timeline of Events:
Phishing Emails: Employees in the research and development department received convincing phishing emails
containing seemingly relevant attachments, such as industry reports and software updates.
Spyware Activation: Once opened, the attachments deployed the spyware across targeted devices, allowing the
attackers to gain persistent access to XYZ Corporation's internal network.
Data Exfiltration: The spyware silently collected information over an extended period, exfiltrating proprietary
software codes, research findings, and business strategies to remote servers controlled by the attackers.
Detection and Response:
Anomalous Network Activity: XYZ Corporation's security systems detected unusual patterns of data access and
exfiltration.
Incident Response: The company's cybersecurity team swiftly initiated an incident response plan, isolating
affected devices, disconnecting compromised systems from the network, and launching an investigation into the
extent of the breach.
Impact:
Intellectual Property Compromise: The theft of proprietary software codes and research data jeopardized XYZ
Corporation's competitive advantage, potentially undermining its market position.

Reputation Damage: The incident led to concerns among clients and stakeholders about the security and
confidentiality of their data stored with XYZ Corporation.

Mitigation and Remediation:


Spyware Removal: XYZ Corporation deployed advanced anti-malware tools to identify and remove the spyware
from affected devices.
Enhanced Endpoint Security: The company upgraded its endpoint protection measures to prevent future spyware
infections, implementing behavior-based detection and response mechanisms.
Employee Training: XYZ Corporation conducted regular cybersecurity training sessions for employees,
emphasizing the importance of vigilance against phishing attempts and suspicious emails.
Lessons Learned:
Continuous Monitoring: Regularly monitoring network activities and user behavior is crucial for early detection
and mitigation of spyware threats.
Advanced Threat Intelligence: Leveraging threat intelligence services can provide organizations with insights
into emerging spyware threats and proactive defense mechanisms.
Supply Chain Security: Strengthening security measures across the entire supply chain, including third-party
vendors and partners, is essential to prevent infiltration through indirect routes.
Conclusion:
The spyware incident at XYZ Corporation highlighted the evolving nature of corporate espionage threats in the
technology sector. By implementing robust security measures, fostering a culture of cybersecurity awareness,
and continuously adapting to emerging threats, the company aims to fortify its defenses against future attempts
at intellectual property theft and corporate espionage.
Some Important Facts
The following kinds of cyber players harm cybersecurity:

• Cyber Criminals
• Cyber Terrorists
• Cyber Espionage
• Cyber Hacktivist

Legal Landscape in India for Cybersecurity

Laws related to Cyber Security in India, with important facts about each:

Information Technology Act, 2000
• Came into force in October 2000
• Also called the Indian Cyber Act
• Provides legal recognition to all e-transactions
• Protects online privacy and curbs online crimes

Information Technology Amendment Act 2008 (ITAA)
The amendments in the IT Act mentioned:
• ‘Data Privacy’
• Information Security
• Definition of Cyber Cafe
• Digital Signature
• Recognizing the role of CERT-In
• Authorizing an Inspector to investigate cyber offences (a DSP had been given the charge earlier)

National Cyber Security Strategy 2020
The Indian Government has come up with the National Cyber Security Strategy 2020, entailing the provisions to secure cyberspace in India.

Cyber Surakshit Bharat Initiative
MeitY, in collaboration with the National e-Governance Division (NeGD), came up with this initiative in 2018 to build a cyber-resilient IT set-up.
The Indian Computer Emergency Response Team (CERT-In) serves as the national agency
for performing various functions in the area of cyber security in the country as per the
provisions of section 70B of the Information Technology Act, 2000.

CERT-In (The Indian Computer Emergency Response Team)

CERT-In has been operational since January 2004.

• CERT-In comes under the Ministry of Electronics and Information Technology (MeitY).
• It regularly issues advisories to organisations and users to enable them to protect
their data/information and ICT (Information and Communications Technology)
infrastructure.
• In order to coordinate response activities as well as emergency measures with
respect to cyber security incidents, CERT-In calls for information from service
providers, intermediaries, data centres and body corporates.
• It acts as a central point for reporting incidents and provides 24 ✕ 7 security service.
• It continuously analyses cyber threats and handles cyber incidents tracked and
reported to it. It increases the Indian Internet domain’s security defences.
• CERT-In is leading the implementation of CCMP across Central Government
Ministries/Departments/states and critical organisations operating in Indian
cyberspace.
o The Cyber Crisis Management Plan (CCMP) for Countering Cyber Attacks
and Cyber Terrorism is a framework document for dealing with cyber-related
incidents.

CERT-In Functions
In the IT Amendment Act 2008, CERT-In has been designated to perform the following
functions in the area of cyber security –

• Collection, analysis and dissemination of information on cyber incidents.
• Forecast and alerts of cyber security incidents.
• Emergency measures for handling cyber security incidents.
• Coordination of cyber incident response activities.
• Issue guidelines, advisories, vulnerability notes and whitepapers relating to
information security practices, procedures, prevention, response and reporting of
cyber incidents.
• Such other functions relating to cyber security as may be prescribed.
CERT-In Issued Directions in April 2022

In April 2022, CERT-In issued directions relating to information security practices, procedures,
prevention, response and reporting of cyber incidents for a safe and trusted internet.

• In order to facilitate incident response measures, CERT-In issued these directions under the
provisions of sub-section (6) of section 70B of the Information Technology Act, 2000.
• The directions cover aspects relating to –
o synchronisation of ICT system clocks
o mandatory reporting of cyber incidents to CERT-In (within six hours)
o maintenance of logs of ICT systems (for 180 days)
o subscriber/customer registrations details by Data centres, Virtual Private
Server (VPS) providers, VPN Service providers, Cloud service providers
o KYC norms and practices by virtual asset service providers, virtual asset
exchange providers and custodian wallet providers.
These directions shall enhance the overall cyber security posture and ensure safe & trusted
Internet in the country.
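Three of the aspects listed above are measurable on an organisation's own systems: clock synchronisation, 180 days of retained logs, and reporting of an incident to CERT-In within six hours. The script below is an added example, not part of the directions or of any CERT-In tooling, of a self-check an IT team could run before an audit. The 180-day and six-hour figures come from the directions as summarised on this page; the one-second clock tolerance, the log sources, the NTP offsets and the incident times are all constructed for the example.

```python
"""Self-check against three measurable points of the CERT-In April 2022 directions (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOG_RETENTION = timedelta(days=180)      # stated in the directions
REPORTING_WINDOW = timedelta(hours=6)    # stated in the directions
MAX_CLOCK_OFFSET = timedelta(seconds=1)  # assumed operational tolerance, not a figure from the directions


@dataclass
class LogSource:
    """Coverage of one retained log store: name, oldest and newest record held."""
    name: str
    oldest: datetime
    newest: datetime


def check_retention(sources, now):
    """Flag every log source holding fewer than LOG_RETENTION days of history."""
    findings = []
    for src in sources:
        covered = now - src.oldest
        if covered < LOG_RETENTION:
            findings.append(f"retention: {src.name} holds only {covered.days} days of logs, "
                            f"{LOG_RETENTION.days} required")
    return findings


def check_clocks(offsets_seconds):
    """Flag hosts whose measured NTP offset exceeds the assumed tolerance."""
    return [f"clock: {host} is {abs(off):.1f}s off the reference time source"
            for host, off in offsets_seconds.items()
            if timedelta(seconds=abs(off)) > MAX_CLOCK_OFFSET]


def reporting_deadline(detected_at: datetime) -> datetime:
    """Latest time by which an incident detected at detected_at must be reported."""
    return detected_at + REPORTING_WINDOW


def reporting_deadline_iso(detected_iso: str) -> str:
    return reporting_deadline(datetime.fromisoformat(detected_iso)).isoformat()


def check_reporting(detected_at, reported_at):
    """Flag an incident that was reported late or not at all."""
    deadline = reporting_deadline(detected_at)
    if reported_at is None:
        return [f"reporting: incident not yet reported, deadline {deadline.isoformat()}"]
    if reported_at > deadline:
        late = reported_at - deadline
        return [f"reporting: incident reported {late} after the six-hour deadline"]
    return []


def assess(sources, offsets_seconds, detected_at, reported_at, now):
    """Combine all three checks into one list of findings (empty list means all clear)."""
    return (check_retention(sources, now)
            + check_clocks(offsets_seconds)
            + check_reporting(detected_at, reported_at))


def run_sample():
    """Evaluate a constructed snapshot: one short log store, one drifting host, one late report."""
    utc = timezone.utc
    now = datetime(2024, 3, 1, 12, 0, tzinfo=utc)
    sources = [
        LogSource("firewall", datetime(2023, 8, 1, tzinfo=utc), now),   # 213 days held
        LogSource("vpn-gateway", datetime(2024, 1, 15, tzinfo=utc), now),  # 46 days held
    ]
    offsets = {"fw01": 0.2, "vpn01": 4.8}                      # seconds, constructed
    detected = datetime(2024, 3, 1, 2, 15, tzinfo=utc)
    reported = datetime(2024, 3, 1, 9, 30, tzinfo=utc)         # 1h15m past the 08:15 deadline
    return assess(sources, offsets, detected, reported, now)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Keeping the retention and reporting checks separate from the data collection (here passed in as arguments) lets the same logic run against a SIEM's index list, an `ntpq`-style offset survey, or a ticketing export without changing the rules themselves.
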
The National Cyber Security Policy

The National Cyber Security Policy was first drafted in the wake of reports that the US government
was spying on India and that there were no technical or legal safeguards against it.

The National Cyber Security Policy is a policy framework by the Department of Electronics and
Information Technology (DeitY). It aims at protecting the public and private infrastructure from
cyber attacks. The policy also intends to safeguard “information, such as personal information (of
web users), financial and banking information and sovereign data”. The Ministry of Communications
and Information Technology (India) defines Cyberspace as a complex environment consisting of
interactions between people, software and services, supported by the worldwide distribution of
information and communication technology.

Need for a cybersecurity policy

• Before 2013, India did not have a cybersecurity policy. The need for it was felt during
the NSA spying issue that surfaced in 2013.
• Information empowers people and there is a need to create a distinction between
information that can run freely between systems and those that need to be secured.
This could be personal information, banking and financial details, security
information which when passed onto the wrong hands can put the country’s safety
in jeopardy.
• This Policy has been drafted in consultation with all the stakeholders.
• In order to digitise the economy and promote more digital transactions, the
government must be able to generate trust in people in the Information and
Communications Technology systems that govern financial transactions.
• A strong integrated and coherent policy on cybersecurity is also needed to curb the
menace of cyber terrorism.

National Cyber Security Policy Vision

To build secure and resilient cyberspace for citizens, businesses and Government.

National Cyber Security Policy Mission

• To protect information and information infrastructure in cyberspace.
• To build capabilities to prevent and respond to cyber threats.
• To reduce vulnerabilities and minimize damage from cyber incidents through a
combination of institutional structures, people, processes, technology and
cooperation.

National Cyber Security Policy Objectives

• Encouraging the adoption of IT in all sectors of the economy by creating adequate
trust in IT systems by the creation of a secure cyber ecosystem.
• Creating an assurance framework for the design of security policies and for the
promotion and enabling actions for compliance with global security standards and
best practices through conformity assessment.
• Bolstering the regulatory framework for ensuring a secure cyberspace ecosystem.
• Enhancing and developing national and sectoral level 24 x 7 mechanisms for
obtaining strategic information concerning threats to ICT infrastructure, creating
scenarios for response, resolution and crisis management through effective
predictive, preventive, protective, response and recovery actions.
• Operating a 24×7 National Critical Information Infrastructure Protection Centre
(NCIIPC) to improve the protection and resilience of the country’s critical
infrastructure information.
• Developing suitable indigenous security technologies to address requirements in this
field.
• Improving the visibility of the ICT (Information and Communication Technology)
products/services’ integrity by having testing and validation infrastructure.
• Creating a workforce of 500,000 professionals skilled in cybersecurity in the next 5
years.
• Providing businesses with fiscal benefits for adopting standard security practices
and processes.
• Safeguarding of the privacy of citizen’s data and reducing economic losses due to
cybercrime or data theft.
• Enabling effective prevention, investigation and prosecution of cybercrime and
enhancement of law enforcement capabilities through legislative intervention.
• Developing a culture of cybersecurity and privacy.
• Developing effective public-private partnerships and collaborative engagements by
means of technical and operational cooperation.
• Promoting global cooperation by encouraging shared understanding and leveraging
relationships for furthering the cause of security of cyberspace.
Examples of Cyber Attacks

Cyber attacks in India, with a description of each:

Coronavirus Pandemic Based Cyber Attack: Microsoft has reported that cyber crooks are using the
Covid-19 situation in 2020 to defraud people through phishing and ransomware in India and the world.

Phishing: Union Bank of India heist in July 2016.

Wannacry Ransomware: In May 2017, various computer networks in India were locked down by the
ransom-seeking hackers.

Data Theft: In May 2017, the food tech company Zomato faced the theft of information of 17 million
users.

Petya Ransomware: Container handling functions at a terminal operated by the Danish firm
AP Moller-Maersk at Mumbai’s Jawaharlal Nehru Port Trust got affected.

Mirai Botnet: In September 2016, Mirai malware launched a DDoS attack on the website of a
well-known security expert.
Africa

 South Africa
o Cybercrimes Act 2021 – South Africa (South Africa signed the
Budapest Convention in 2001)
o National Cybersecurity Policy Framework (‘NCPF’)
 Tanzania – Cybercrimes Act, 2015

The Americas

 The United States of America
o Cybersecurity Information Sharing Act (CISA)
o United States Code
o Framework for Improving Critical Infrastructure Cybersecurity Version 1.1
 Brazil’s Internet Act stipulates that connection and application providers
must comply with certain security standards when storing personal data and
private communications.

Canada

 The Personal Information Protection and Electronic Documents Act, SC 2000
(‘PIPEDA‘) is a privacy statute, but establishes two central cybersecurity
obligations for private sector organisations in Canada. The PIPEDA requires
organisations to
o notify the regulator and affected individuals of certain cybersecurity
incidents, and
o adopt appropriate security safeguards.
 Criminal Code of Canada

Asia-Pacific

 Australia
o Privacy Principles (‘APPs‘) under the Privacy Act 1988 contain
information security obligations.
o Criminal Code Act 1995 Australia
o Cybercrime Act 2001 Australia
 Brunei Darussalam has the Computer Misuse Act, 2007
 China has two main laws governing cybercrimes:
o the Cybersecurity Law 2016, and
o the Data Security Law of the People’s Republic of China, which came
into effect in September 2021
 India has two laws that recognise the importance of cybersecurity:
o The Information Technology Act, 2000, and
o specific rules, like the Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal Data or
Information) Rules, 2011.
 Japan’s Basic Act on Cybersecurity is the central law governing
cybersecurity.
 Malaysia has the Computer Crimes Act
 Philippines has the Cybercrime Prevention Act of 2012
 Thailand has the Act on Computer Crimes
 New Zealand’s main information cybersecurity obligations are contained in
Information Privacy Principle 5 under the Privacy Act 2020. The Crimes
Act, 1961 also contains provisions relating to cybercrimes.

Europe

 Network and Information Security Directive
 France – Criminal Code
 UK – Computer Misuse Act, 2013

The Middle East

 Israel has several laws and regulations covering various aspects of
cybersecurity, such as:
o the Protection of Privacy Law
o The Protection of Privacy Regulations (Data Security) (translated
version)
 Jordan’s laws are available in Arabic only:
o The Cybersecurity Law No. 16 of 2019
o The Cybercrime Law No. 27 of 2015
 Saudi Arabia has the Law on the Use of Information Communications
Technology in Government Agencies (in Arabic only)

Cybercrime is a growing concern to countries at all levels of development and affects both
buyers and sellers.
While 156 countries (80 per cent) have enacted cybercrime legislation, the pattern varies by
region: Europe has the highest adoption rate (91 per cent) and Africa the lowest (72 per cent).
The evolving cybercrime landscape and resulting skills gaps are a significant challenge for
law enforcement agencies and prosecutors, especially for cross-border enforcement.

Figure (chart): share of countries by status of cybercrime legislation – 5% at draft legislation,
13% with no legislation.


Cyberspace is the connected Internet ecosystem; it refers to the virtual computer world and,
more specifically, to the notional environment in which communication over computer networks
occurs. When this cyberspace is compromised, it leads to cybercrime and even cyberterrorism,
which is intended to undermine electronic systems to cause panic, fear and even monetary loss.
The techniques of protecting computers, networks, programs and data from unauthorized access or
attacks aimed at exploitation are called cybersecurity. As a body of the UN, the International
Telecommunication Union releases the Global Cybersecurity Index (GCI), which, by assessing certain
parameters, measures the commitment of countries to cybersecurity at a global level; it has
ranked Denmark, Australia and the Republic of Korea in the top ten.

India slipped drastically from 23rd rank in 2017 to 47th rank in the latest GCI, 2018, which is a
matter of grave concern and seeks immediate attention. Cyber law is the part of the overall legal
system that deals with the Internet, cyberspace, and their respective legal issues.

In most nations globally, there are many legislations governing e-commerce and cyber-crimes,
going into different facets of cybercrime. In the Indian context, the IT Act, 2000, which was
amended in 2008, is known as the Cyber Law. Though we have seen many new laws, initiatives and
policies from the government of India, grave threats remain despite progress. Here, we want to
give a brief overview of the cyberattacks, cyberspace encroachment and security concerns around
the world and in India, with a major thrust on Jharkhand, which came into the limelight when one
of its cities, Jamtara, earned the title of Cyber Crime Capital of India. We have tried to explore
the existing legislative dimensions with regard to their effectiveness in handling cybercrime, and
possible future perspectives for a more digitised and inclusive social order and economy for
global growth.

INTRODUCTION
A global domain within the information environment consisting of the interdependent network of
information technology infrastructures, including the Internet, telecommunications networks,
computer systems, and embedded processors and controllers, has been termed cyberspace.
Cyberterrorism is intended to undermine electronic systems to cause panic or fear. Cybercrime
includes single actors or groups targeting systems for financial gain or to cause disruption. To
control computers or networks, cyber attackers use viruses, worms, spyware, Trojans, and
ransomware. Viruses and worms are usually self-replicating and damage files or systems, while
spyware and Trojans are often used for surreptitious data collection. Ransomware waits for an
opportunity to encrypt all the user’s information and demands payment in return for restoring the
user’s access. Malicious code often spreads via an unsolicited email attachment or a
legitimate-looking download that actually carries malware or spyware.

To counter these malicious practices, certain techniques are used which safeguard electronic
devices.

The techniques of protecting computers, networks, programs and data from unauthorized access or
attacks aimed at exploitation are called cybersecurity. In the Global Cybersecurity Index (GCI),
India slipped from 23rd rank in 2017 to 47th rank in the latest GCI, 2018, which calls for
upgrading and improvement in the security domain. Here, we have tried to assess cybersecurity and
affiliated laws in India, focusing on Jharkhand, and have tried to give a critical picture for
consideration in the near future.

NEED FOR CYBERSECURITY

After the world wars, the world realised that wars are no solution and that mutual cooperation is
the essence of progressing together. Thus, with peace and global cooperation in mind, the United
Nations (UN) was born in 1945; it comprises almost all the countries in the world. The United
Nations serves as a common platform where countries design a framework and a time window to achieve
the decided goals. It completed its Millennium Development Goals (MDGs) in 2015 and is now striving
for the Sustainable Development Goals (SDGs) 2030, adopted in September 2015, which aspire to end
poverty in all its forms everywhere, end hunger, achieve food security and improved nutrition, and
promote sustainable agriculture, across its 17 defined goals.

UNESCO conducted a study emphasizing the correlations between the SDGs and ICT (Information and
Communication Technologies), which concludes that ICT is directly related to 6 of the 17 SDGs.
Studies from Arizona State University highlight the role of cybersecurity in the achievement of the
SDGs. This is not a single study pinpointing the fact; a myriad of research papers strike a similar
tone, highlighting the importance of cybersecurity as a foundation for attaining the SDGs by 2030,
thus establishing that privacy, data rights and cybersecurity are the key drivers of economic and
social progress around the globe.

CYBERSECURITY IN RELEVANCE TO INDIA

India, being a UN member, is also striving to attain the SDGs by 2030.

The Sustainable Development Goals (SDGs) were adopted in September 2015 as a part of the
resolution ‘Transforming our world: the 2030 Agenda for Sustainable Development’.

India is devoted to achieve the 17 SDGs and the 169 associated targets,
which comprehensively cover social, economic and environmental
dimensions of development and focus on ending poverty in all its
forms and dimensions.

At the Central Government level, NITI Aayog has been assigned the
role of overseeing the implementation of SDGs in the country. To
spread awareness about the Goals, bring together stakeholders and
build capacities for the realization of SDGs, NITI Aayog has
organized several national and regional level consultations.

CYBERSECURITY ASSESSMENT AROUND THE GLOBE

The Convention on Cybercrime or the Budapest Convention, 2001

The Convention on Cybercrime, or the Budapest Convention, is the first international treaty that
seeks to address the issue of cybercrime. It was drafted by the Council of Europe with the active
participation of Canada, Japan, South Africa and the United States of America. It is the only
legally binding international instrument on this issue. It was opened for signature in Budapest on
23 November 2001 and entered into force on 1 July 2004. The convention was formed with the aim of
harmonizing national laws, improving investigative techniques, and increasing cooperation among
nations. It acts as a guideline for any state developing national legislation against cybercrime.
India has not adopted the convention and declined to ratify it, as it was not a participant in its
drafting. India is also concerned with the sovereignty issues that may arise from data sharing with
foreign law enforcement agencies.

Internet Corporation for Assigned Names and Numbers (ICANN)

It is a non-profit organization responsible for coordinating the maintenance and procedures of
several databases related to the namespaces and numerical spaces of the Internet, ensuring the
network’s stable and secure operation. It has its headquarters in Los Angeles, U.S.A.

International Telecommunication Union (ITU)

To ensure connectivity in communication networks around the globe, the UN established a body to
facilitate international connectivity in communications networks, develop the technical standards
that ensure networks and technologies seamlessly interconnect, and strive to improve access to ICTs
for underserved communities worldwide; thus the International Telecommunication Union (ITU) came
into the picture.

The International Telecommunication Union (ITU) is a specialized agency of the UN ensuring
connectivity of networks around the world. To monitor and keep track of global connectivity and its
security, it releases an annual index called the GCI.

To assess countries worldwide in the matter of cyber safety, it takes 5 parameters into
consideration, namely (i) legal, (ii) technical, (iii) organizational, (iv) capacity building, and
(v) cooperation. For each of these pillars, country commitment was assessed through a
question-based online survey, which further allowed for the collection of supporting evidence.
Through consultation with a group of experts, these questions were weighted in order to arrive at
an overall GCI score.

India’s ranking

India is well known as an information technology hub, proving it very well in the GCI 2017 by
landing at rank 23, but in the latest GCI 2018, released two months ago, it slipped to 47th rank.
This is a cause for worry, as we are moving towards a digital, cashless and inclusive economy of
greater calibre.

ASSOCHAM’s (Associated Chambers of Commerce and Industry of India) study shows that there has been
a 350% increase in cyber attacks in the last five years; further, the theft of 3.2 million debit
card records in 2016 hit India hard, and this can be seen in the GCI ranking.

Cybersecurity Investment around the world

The U.S. government spends $19 billion per year on cyber-security but warns that cyber-attacks
continue to evolve at a rapid pace. According to Gartner, the rising tide of cyber crime has pushed
information security spending to more than $86.4 billion in 2017.

But in India, two out of three companies spend less than 5% of their IT budget on beefing up their
cyber security.

CYBERCRIME DIMMING THE LIGHT OF INDIA

A survey by India Today highlights that Indian consumers lose $18.5 bn in a year due to
cybercrime. Also, we have seen a 77% increase in cybercrime in the last few years. If we consider
the Indian population in this regard, the primary motives include financial gain, malicious damage
to others’ business due to rivalry or competition, spying on others, etc.
Source: Survey published in Business Today

Business espionage is one of the major players in the increase in cybercrime. While employers
would like to believe that their workers can be trusted, the real situation is that some staff
members are ready to sell company data for personal profit. Though data shows that in four out of
five cases of cybercrime there is an external perpetrator, experts feel insiders play a big role
in selling secrets.

Cybercrime and Indian Economy

A survey from Business Today shows the segments of industry affected by cybercrime in the Indian
economy.
Source: Survey published in Business Today

From this we can state that the economy is also hugely affected, with monetary losses accounting
for up to 20 billion dollars per year.

CYBER LAWS

After the Internet was made public in the early 1990s, it was soon realised that there was a need
to protect internet-based systems, following the major attack on the US-based bank Citibank,
leading to a loss of billions and billions of dollars to a hacker who never moved from his chair.
With this, every state started making norms to ensure cybersecurity in this domain. India has laws
designed to tackle the problem of cybercrime, starting in 2000, in the wake of such cyberattacks.

Cyber Laws in India:

Mid 90’s saw a global impetus towards digitization and


computerization and India saw the move towards Liberalization,
Privatization and Globalization. With the opening up of indian
market and linking of indian economy with the global economy, the
scope of Information and communication Technology (ICT) also grew
and with that grew the crime related to ICT.

With global trade shifting towards electronic form, a need was felt to give legal recognition to electronic records. Responding to this global need, the United Nations Commission on International Trade Law (UNCITRAL) adopted the Model Law on e-commerce in 1996. The General Assembly of the United Nations passed a resolution in January 1997 recommending that all member States give consideration to the said Model Law, which provides for recognition of electronic records and accords them the same treatment as paper communications and records.

Information Technology Act 2000

It was against this background that the government of India passed the Information Technology Act 2000, which was made effective from 17 October 2000, and hence India became the 12th country to have a cyber law.

The Information Technology Act, 2000 gives legal recognition to transactions done by electronic means. This Act also amended, to a certain extent, the Indian Penal Code 1860, the Indian Evidence Act 1872, the Bankers' Books Evidence Act 1891, and the Reserve Bank of India Act 1934.

The main intent in passing the 2000 Act was to provide legal recognition to transactions carried out by means of electronic data interchange and other means of electronic communication, commonly known as electronic commerce, which involve the use of alternatives to paper-based methods of communication and storage of information, and to facilitate the electronic filing of documents with government agencies.

The main objectives of this Act are:

1. To give legal recognition to transactions done by electronic means of communication, generally used for e-commerce.
2. To give legal recognition to digital signatures.
3. To facilitate the electronic filing of documents with Government agencies and departments.
4. To facilitate the electronic storage of data.

Applicability of the Act: The Act is applicable to all of India.

Legal Applicability:

As per Section 1(4) of the Information Technology Act, 2000, the Act is
not applicable to the following documents:

1. Execution of a Negotiable Instrument under the Negotiable Instruments Act, 1881, except cheques.
2. Execution of a Power of Attorney under the Powers of Attorney Act, 1882.
3. Creation of a Trust under the Indian Trusts Act, 1882.
4. Execution of a Will under the Indian Succession Act, 1925, including any other testamentary disposition by whatever name called.
5. Entering into a contract for the sale or conveyance of immovable property or any interest in such property.
6. Any such class of documents or transactions as may be notified by the Central Government in the Gazette.

This Act was amended in 2008.

Need for amendment :

Cyber crime was addressed by this Act, but there was still a need to address the specific cyber crimes that were emerging along with technological advancement.

With the boom in software companies and e-commerce there grew a greater dependence on ICT, and therefore a need for a strict law to protect customers and corporates from cyber crimes.

Information Technology Amendment Act’ 2008

Thus, with growing cybercrime, there was a greater need for a more holistic approach to the changing nature of cybercrimes, and therefore the Information Technology Amendment Act 2008 was passed on 23rd December 2008.

The Salient Features of the Information Technology Amendment Act, 2008:

1. The Act has been made technology neutral.
2. A new section has been added to define a Cyber Cafe, i.e. any facility from which access to the internet is offered by any person, in the ordinary course of business, to members of the public. Intermediaries have also been defined in this Act.
3. A new section 10A has been added, giving legal validity to contracts concluded electronically.
4. A new section has been added to protect sensitive data or information possessed, dealt with or handled by a body in a computer resource which that body owns, controls or operates. If such a body is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or gain, it is liable to pay compensation to the affected person.
5. New sections 66A to 66F have been added after section 66, prescribing punishment for offences such as cheating, cyber terrorism, etc.
6. Section 67 of the IT Act has been amended to reduce the term of imprisonment for publishing or transmitting obscene material in electronic form from five years to three years, while the fine has been increased from one lakh to five lakh rupees.
7. Section 69 has been amended to give the State the power to issue directions for the interception, monitoring or decryption of any information through any electronic medium.
8. Section 79 of the Act, which exempted intermediaries, has been modified.
9. A provision has been added in section 81 of the Act stating that the provisions of the Act shall have an overriding effect.
10. The Act authorizes an Inspector to investigate cyber offences (as against a DSP earlier).

Further, with the ever-changing dynamics of the cyber ecosystem, there is a need for further amendments to the Information Technology Amendment Act 2008, and with this in mind the Government of India has invited citizen participation and suggestions for the upcoming amendment to the IT Act.

National Cybersecurity Policy, 2013

Since the 2013 NSA spying issue, the need for cyber security has been keenly felt in India, and in response the National Cybersecurity Policy was formulated in 2013. Information can be classified into two groups: information that can flow freely and information that needs to be guarded. The cyber security policy of 2013 was formulated keeping both these aspects of information in mind.

National Cyber Security Policy Vision, 2013

The Vision of this policy is to build a secure and resilient cyberspace for citizens, businesses and Government.

Some other Initiatives by the Government:

National Cyber Security Coordination Centre (NCCC), 2017:

Operationalised in 2017, it is mandated to perform real-time threat assessment and create situational awareness of potential cyber threats to the country.

National Critical Information Infrastructure Protection Centre (NCIIPC):

The organisation was created under section 70A of the IT Act. It is designated as the national nodal agency in respect of critical information infrastructure protection, and it aims to protect and safeguard critical information infrastructure (CII) against cyberterrorism, cyberwarfare and other threats. Critical infrastructure includes power and energy; banking, financial services and insurance; telecom; transport; government; and strategic and public enterprises.

Cyber Forensic Laboratory:

In cases of cyber crime, the Cyber Forensic Laboratory and Digital Imaging Centre assists law enforcement agencies in the collection and forensic analysis of electronic evidence.

Cyber Swachhta Kendra (2017)

It was launched in early 2017. It provides a platform where users can analyse and clean their systems of various viruses, Trojans, malware, etc.

Cyber Surakshit Bharat (2018)

The Cyber Surakshit Bharat initiative was launched by the Ministry of Electronics and Information Technology (MeitY), in association with the National e-Governance Division (NeGD), in 2018.

It was launched with the objective of creating awareness about cybercrime and building capacity in safety measures for Chief Information Security Officers (CISOs) and frontline IT staff across all government departments.

The Cyber Warrior Police Force (2018)

The government came up with the initiative in 2018 to create a cyber warrior police force. It is proposed to be formed on the lines of the Central Armed Police Force.

Indian Cyber Crime Coordination Centre(I4C), 2020

The centre was inaugurated in 2020 by the Union Home Minister, along with the National Cyber Crime Reporting Portal.

I4C has seven major components:

1. National Cybercrime Threat Analytics Unit (TAU)
2. National Cybercrime Reporting
3. Platform for Joint Cybercrime Investigation Team
4. National Cybercrime Forensic Laboratory (NCFL) Ecosystem
5. National Cybercrime Training Centre (NCTC)
6. Cybercrime Ecosystem Management Unit
7. National Cyber Research and Innovation Centre

The National Cyber Crime Reporting Portal is a citizen-centric initiative that enables citizens to report cyber crimes online.

National Cyber Security Policy Mission 2020

The Mission of this policy is to protect information and information infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, and reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation.

With the change in the ICT ecosystem, a need was felt to amend the existing Cyber Security Policy, and therefore the government is in the process of coming up with a new cyber security policy in 2020.

Cyber Security issue in Jharkhand

Cyber crimes are mostly bailable offences. Scamsters also often go scot-free for lack of evidence. There is also a shortage of investigating officers, as only inspectors and above are allowed to investigate cyber crimes.

Jamtara in Jharkhand has been identified as the new cyber crime capital of India. More than fifty percent of cyber crimes in India are traced back to this town in Jharkhand. The revelation was made by Union Home Secretary Rajiv Gauba, who is himself a 1982 batch IAS officer from Jharkhand.

This brings us to the next question: why Jamtara? The answer may be a lack of education, as the average literacy rate in Jamtara is around 64%, and a lack of employment opportunities, due to which youth are forced into the cyber crime domain, which gives them short-term benefits. As Ramesh Kumar Dubey, deputy commissioner, Jamtara, says:

“It is not uncommon to find people here operating laptops on the roadside. They could be just making fraudulent money transfers. We have arrested hundreds of people, mostly between 20 and 30 years of age, who have taken this up as a profession. As per our estimates, close to 150 gangs are involved in developing cyber fraud as an industry.”

SUGGESTION

Considering the benefits and risks associated with the use of Information and Communication Technology, we authors have tried to throw light on a critical assessment and possible recommendations in light of the need for improvisation in this so-called 5th domain, “Cybersecurity”.

Cyber Warfare : India needs to define its stance

Cyber warfare is the use of information and communication technology to attack a nation, causing damage comparable to actual warfare. It has emerged as the fifth domain of warfare. In a cyber-attack the identity of the attacker can easily be concealed by the use of layering. The problem with a cyber-attack is that the aggressor cannot be traced back easily, and therefore it becomes difficult to pinpoint the involvement of any country behind it; even if the origin of the attack is traced back, the country can easily blame it on non-state actors.

The other difficulty is how to respond to a cyber-attack when a country lacks a credible offensive cyber capability that it could use as a deterrent. The question is whether it should turn to conventional weapons in such a scenario; the problem with conventional weapons is that their use can become too escalatory and carries the danger of escalation to all-out war. A policy of showing restraint cannot go on very long either, since restraint practised for too long can encourage the enemy to continue with more attacks. India therefore needs a Cyber Warfare Policy, which can take inspiration from India's Nuclear Policy, to act as a deterrent to aggressive countries such as China.

Moving along lines similar to the defence policy, India can form a Multilateral Coalition for Cybersecurity consisting of like-minded countries. Inspiration can be taken from NATO's approach to cyber defence, where NATO supports its members by sharing real-time intelligence on threats and best practices for handling such threats.

More robust Cyber security Infrastructure

The Indian Computer Emergency Response Team (CERT-In), formed in 2004 under the Ministry of Information and Technology, Government of India, has been designated as the National Nodal Agency for incident response. CERT-In itself, however, lacks the experts and infrastructure to effectively combat the growing cyber crimes in India; thus there is a need for technological upgradation and capacity building in CERT-In.

Digital India – The vision of the government is to create ICT infrastructure connecting gram panchayats, providing government services on demand, digital literacy, etc. One of its components is about promoting electronics manufacturing in the country, with the target of NET ZERO imports by 2020, which can be seen in the context of the government's fear of Chinese smartphones being involved in data stealing.

More involvement of Public- Private partnership

India is one of the few countries to have a cyber security law, and it ranks 47 in the GCI 2018 index, which shows that India is doing remarkably on this front. But NCRB 2017 data shows that cyber crimes in India jumped by 77% in 2017, and many new crime heads such as cyber blackmailing, cyber stalking and dissemination of fake news were introduced. Cybercriminals are ahead of the police in technological advancement. The investigating officer is generally found lacking in many cases, but projects like the Cyberdome project in Kerala are showing the way by involving public-private partnership in investigating cyber cases.

Need for Laws to makes banks more responsible

Most cyber crime cases involve frauds related to debit/credit cards: card details are extracted and money is siphoned off from the account by obtaining the OTP and other account-related information. In all these cases the banks are a major party, as the debit/credit cards are ultimately the bank's property and the account is held in the bank. Presently, however, there is no law which makes banks liable in case of cyber crimes, and thus there is no obligation on the banks to adapt their facilities to tackle emerging cyber crime threats.

Awareness about Cyber Hygiene : Need of the hour

As people buy mobile phones and other gadgets, the vulnerability associated with the cyberworld increases, since it is an open ecosystem and less resource intensive. Anyone with a good computer, an internet connection and computer knowledge can get involved in this domain. India is the 2nd largest consumer of mobile phones in the world; thus, it is high time to understand the alertness required to build a safety wall between personal data and the cyberattack-prone realm. Experts feel most victims get conned because of sheer carelessness about securing their devices. Moreover, most websites, even government websites, fail to maintain cyber hygiene, which results in leaks of user data. Awareness needs to be created about the need for cyber hygiene.

Cyber hygiene can be easily maintained by using legitimate operating systems on your devices and keeping them updated, keeping your browsers updated to the latest version, installing good anti-virus and anti-malware protection on the devices you use for banking transactions, and, when using public Wi-Fi networks, being on your guard by turning on a Virtual Private Network. This will shield your browsing activity and connect you securely.

Recruitment of “Ethical Hackers” : Solving youth Unemployment to an extent

With technological evolution, to prevent crime the need is to stay ahead of criminals. We can do this by involving experts who are willing to counter the hackers; they can be from NGOs, from private companies, or even volunteers.

Looking at the cyber crimes taking place in India, it is generally observed that most cyber criminals are between 20 and 30 years of age and are unemployed youth who, due to a lack of employment opportunities and the need for money, are attracted into this domain in search of easy money. There is therefore an urgent need to create awareness about cyber crime in affected areas such as Jamtara, and employment opportunities need to be created to utilise their talent in a constructive way.

As we move towards a more digital and inclusive economy (Jan Dhan accounts, National Optical Fibre, etc.), it is very important to consider this aspect seriously.

India’s Digital Personal Data Protection Act, 2023: Key provisions

Initially introduced in 2019, the Digital Personal Data Protection Act holds considerable importance as a legislative measure
aimed at safeguarding individuals’ privacy rights. Its primary focus lies in regulating the collection, storage, processing, and
transfer of personal data in the digital landscape. The DPDP Bill underwent 81 amendments after its initial introduction,
resulting in a comprehensive overhaul to its present form.

By prioritizing privacy and security, the DPDP Act strives to create a robust framework that addresses the challenges posed
by data handling in the digital age. Key provisions of the DPDP Act, 2023 are as follows:

 Definitions: Although many concepts in the DPDP Act closely resemble those found in the EU’s General Data
Protection Regulation (GDPR) framework, there are differences in how terminology is used.
a) Data fiduciary: This refers to the entity that, either independently or in collaboration with others, determines
both the purpose and the means of processing personal data (similar to a data controller). The government can
classify any data fiduciary or a specific group of data fiduciaries as ‘significant data fiduciaries’ (SDFs). The
criteria for classification as an SDF range from the nature of processing activities (such as the volume and
sensitivity of personal data involved and the potential impact on data principals’ rights) to broader societal and
national concerns (such as the potential effects on India’s sovereignty and integrity, electoral democracy, state
security, and public order). The designation of SDF comes with heightened compliance obligations, as explained
below.
b) Data processor: This is an entity responsible for processing digital personal data on behalf of a data fiduciary.
c) Data principal: These are individuals whose personal data is gathered and processed (equivalent to a data
subject).
d) Consent manager: A person registered with the Data Protection Board, who acts as a single point of contact to
enable a Data Principal to give, manage, review and withdraw their consent through an accessible, transparent, and
interoperable platform.
 Applicability: The DPDP Act applies to all data, whether originally online or offline and later digitized, in India.
Additionally, the Act applies to the processing of digital personal data beyond India’s borders, particularly when it
encompasses the provision of goods or services to individuals within the Indian territory.

Age verification mechanisms will be necessary for all companies in India (telcos, banks, e-commerce, etc.) under the new
DPDP law, per reporting from The Economic Times. The compliance requirement is not just limited to social media
platforms. This is essential to record the verifiable consent of users per legal experts.

 Personal data breach: This means any unauthorized processing of personal data or accidental disclosure,
acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the
confidentiality, integrity, or availability of personal data.
 Individual consent to use data and data principal rights: Under the new legislation, personal data will be
included and processed only with explicit consent from the individual, unless specific circumstances pertaining to
national security, law, and order require otherwise.
Under data principal rights, individuals also have the right to information, right to correction and erasure, right to
grievance redressal, and right to nominate any other person to exercise these rights in the event of the individual’s
death or incapacity. Currently, there is no specified timeline for the implementation of grievance redressal and data
principal rights.
 Additional obligations of SDFs: Depending on the quantity and sensitivity of the data they manage, data
fiduciaries deemed SDFs are subject to additional obligations under the DPDP Act. Every significant data
fiduciary is required to appoint a Data Protection Officer (DPO) responsible for addressing the inquiries and
concerns of data principals, that is, the individuals whose data is collected and processed. Regarding international data
transfers, the DPDP Act permits data fiduciaries to transfer personal data for processing to any country or territory
outside India. However, the central government can impose restrictions through notifications. These restrictions
will be determined after assessing relevant factors and establishing necessary terms and conditions to ensure the
maintenance of data protection standards during international processing.
 Establishment of a Data Protection Board: The Data Protection Board will function as an impartial adjudicatory
body responsible for resolving privacy-related grievances and disputes between relevant parties. As an independent
regulator, it will possess the authority to ascertain instances of non-compliance with the Act’s provisions and
impose penalties accordingly. The appointment of the chief executive and board members of the Data Protection
Board will be carried out by the central government, ensuring a fair and transparent selection process. To provide
an avenue for customers to challenge decisions made by the Data Protection Board, the government will establish
an appellate body. This appellate body may be assigned to the Telecom Disputes Settlement and Appellate
Tribunal (TDSAT), which will be responsible for adjudicating disputes related to data protection and hearing
appeals against the decisions made by the Data Protection Board.
 Voluntary undertaking: Under this provision, the Data Protection Board has the authority to accept a voluntary
commitment related to compliance with the DPDP Act’s provisions from any data fiduciary at any stage of
complaint proceedings. This voluntary undertaking may entail specific actions to be taken or refrained from by the
concerned party. Furthermore, the terms of the voluntary undertaking can be modified by the Board if necessary.
The voluntary undertaking serves as a legal barrier to proceedings concerning the subject matter of the
commitment, unless the data fiduciary fails to adhere to its terms. In the event of non-compliance, such a breach is
considered a violation of the DPDP Act, and the Board is authorized to impose penalties for this infringement.
Additionally, the Board has the discretion to require the undertaking to be made public.
 Alternate dispute resolution mechanism: This mechanism will allow two parties to settle their complaints with the help
of a mediator.
 Offence and penalties: Data fiduciaries can face penalties of up to INR 2.5 billion for failing to comply with the
provisions. These include: penalties of up to INR 10,000 for breach of the duty towards data principals; penalty up
to INR 2.5 billion for failing to take reasonable security safeguards to prevent breach of personal data; fines up to
INR 2 billion for failure to notify the Data Protection Board and affected data principals in case of a personal data
breach; penalties of up to INR 2 billion for violation of additional obligations related to children’s data; penalty of
INR 1.5 billion for failure to comply with additional obligations of significant data fiduciary; penalty of INR 500
million for breach of any other provision of the DPDP Act, 2023 and rules made thereunder.
 Conflict with existing laws: The provisions of the DPDP Act will be in addition to and not supersede any other
law currently in effect. However, in case of any conflict between a provision of this Act and a provision of any
other law currently in effect, the provision of this Act shall take precedence to the extent of such conflict.

Exemptions under the DPDP Act


The exemptions provided in the DPDP Act are as follows:

 For notified agencies, in the interest of security, sovereignty, public order, etc.
 For research, archiving, or statistical purposes.
 For start-ups or other notified categories of data fiduciaries.
 To enforce legal rights and claims.
 To perform judicial or regulatory functions.
 To prevent, detect, investigate, or prosecute offences.
 To process in India personal data of non-residents under foreign contract.
 For approved merger, demerger, etc.
 To locate defaulters and their financial assets etc.

How can companies prepare for compliance under the Digital Personal Data Protection Act

By following the below steps, companies can prepare for compliance with India’s DPDP Act and protect personal data in
line with regulatory guidelines.

Assess and build data privacy:

– Evaluate current compliance status.
– Create a phased action plan covering governance, technology, people, and processes.
– Establish a privacy organization with defined roles, including the DPO, especially if your entity’s status is an SDF.

Inventory personal data systems:

– Identify critical data storage and processing systems.

Identify data processors:

– List third parties handling personal data.
– Update agreements and communicate responsibilities.

Draft DPDP Act-compliant documents:

– Create approved data privacy policies and processes.
– Update necessary documents.
– Develop privacy notices, consent forms, and standard contract clauses.

Design consent mechanisms:

– Define consent types.
– Develop user-friendly consent processes.
– Implement efficient consent management tools.

Establish data principal rights handling:

– Set up processes for addressing data principal rights.
– Develop procedures for request handling.
– Use tools for efficient rights management.

Implement data breach response:

– Create breach management processes.
– Integrate with incident management.

Define data retention periods:

– Categorize data and align retention periods with requirements.

Convention on Cybercrime (Budapest Convention)

The Convention on Cybercrime, also known as the Budapest Convention on Cybercrime or
the Budapest Convention, is the first international treaty seeking to
address Internet and computer crime (cybercrime) by harmonizing national laws, improving
investigative techniques, and increasing cooperation among nations. It was drawn up by
the Council of Europe in Strasbourg, France, with the active participation of the Council of
Europe's observer states Canada, Japan, the Philippines, South Africa and the United States.

The Convention and its Explanatory Report were adopted by the Committee of Ministers of the
Council of Europe at its 109th Session on 8 November 2001. It was opened for signature
in Budapest on 23 November 2001 and entered into force on 1 July 2004.
As of October 2022, 67 states have ratified the convention, while a further two states
(Ireland and South Africa) have signed the convention but not ratified it.
Since it entered into force, important countries like Brazil and India have declined to adopt the
Convention on the grounds that they did not participate in its drafting. Russia opposes the
Convention, stating that adoption would violate Russian sovereignty, and has usually refused to
cooperate in law enforcement investigations relating to cybercrime. It is the first multilateral
legally binding instrument to regulate cybercrime.[5] Since 2018, India has been reconsidering its
stand on the Convention after a surge in cybercrime, though concerns about sharing data with
foreign agencies remain.[6]
The United Nations is developing an alternative treaty on cybercrime.[8]

Objectives
The Convention is the first international treaty on crimes committed via the Internet and other
computer networks, dealing particularly with infringements of copyright, computer-related
fraud, child pornography, hate crimes, and violations of network security.[9] It also contains a
series of powers and procedures such as the search of computer networks and lawful
interception.
Its main objective, set out in the preamble, is to pursue a common criminal policy aimed at the
protection of society against cybercrime, especially by adopting appropriate legislation and
fostering.
The Convention aims principally at:

 Harmonizing the domestic criminal substantive law elements of offenses and
connected provisions in the area of cyber-crime
 Providing for domestic criminal procedural law powers necessary for the
investigation and prosecution of such offenses as well as other offenses committed
by means of a computer system or evidence in relation to which is in electronic form
 Setting up a fast and effective regime of international cooperation
The following offenses are defined by the Convention:
illegal access, illegal interception, data interference, system interference, misuse of devices,
computer-related forgery, computer-related fraud, offenses related to child pornography, and
offenses related to copyright and neighbouring rights.
It also sets out such procedural law issues as expedited preservation of stored data, expedited
preservation and partial disclosure of traffic data, production order, search and seizure of
computer data, real-time collection of traffic data, and interception of content data. In addition,
the Convention contains a provision on a specific type of trans-border access to stored computer
data which does not require mutual assistance (with consent or where publicly available) and
provides for the setting up of a 24/7 network for ensuring speedy assistance among the
Signatory Parties. Further, as conditions and safeguards, the Convention requires the provision
for adequate protection of human rights and liberties, including rights arising pursuant to
obligations under European Convention on Human Rights, International Covenant on Civil and
Political Rights, and other applicable international human rights instruments, and shall
incorporate the principle of proportionality.[10]
The Convention is the product of four years of work by European and international experts. It
has been supplemented by an Additional Protocol making any publication of racist and
xenophobic propaganda via computer networks a criminal offense, similar to Criminal Libel
laws. Currently, cyber terrorism is also studied in the framework of the Convention.

Agreement by the United States

Its ratification by the United States Senate by unanimous consent in August 2006 was both
praised and condemned.[11] The United States became the 16th nation to ratify the convention.[12][13]
The Convention entered into force in the United States on 1 January 2007.
Senate Majority Leader Bill Frist said: "While balancing civil liberty and privacy concerns, this
treaty encourages the sharing of critical electronic evidence among foreign countries so that law
enforcement can more effectively investigate and combat these crimes".[14]
The Electronic Privacy Information Center said:
The Convention includes a list of crimes that each signatory state must transpose into their own
law. It requires the criminalization of such activities as hacking (including the production, sale,
or distribution of hacking tools) and offenses relating to child pornography, and
expands criminal liability for intellectual property violations. It also requires each signatory state
to implement certain procedural mechanisms within their laws. For example, law enforcement
authorities must be granted the power to compel an Internet service provider to monitor a
person's activities online in real time. Finally, the Convention requires signatory states to provide
international cooperation to the widest extent possible for investigations and proceedings
concerning criminal offenses related to computer systems and data, or for the collection of
evidence in electronic form of a criminal offense. Law enforcement agencies will have to assist police from other participating countries to cooperate with their mutual assistance requests.[15]
Although a common legal framework would eliminate jurisdictional hurdles to facilitate the law
enforcement of borderless cybercrimes, a complete realization of a common legal framework
may not be possible. Transposing Convention provisions into domestic law is difficult especially
if it requires the incorporation of substantive expansions that run counter to constitutional
principles. For instance, the United States may not be able to criminalize all the offenses relating
to child pornography that are stated in the Convention, specifically the ban on virtual child
pornography, because of its First Amendment's free speech principles. Under Article 9(2)(c) of
the Convention, a ban on child pornography includes any "realistic images representing a minor
engaged in sexually explicit conduct". According to the Convention, the United States would have to adopt this ban on virtual child pornography as well; however, the U.S. Supreme Court, in Ashcroft v. Free Speech Coalition, struck down as unconstitutional a provision of the CPPA that
prohibited "any visual depiction" that "is, or appears to be, of a minor engaging in sexually
explicit conduct". In response to the rejection, the U.S. Congress enacted the PROTECT Act to
amend the provision, limiting the ban to any visual depiction "that is, or is indistinguishable
from, that of a minor engaging in sexually explicit conduct" (18 U.S.C. § 2252(B)(b)).

Accession by other non–Council of Europe states

The Convention was signed by Canada, Japan, the United States, and South Africa on 23 November 2001, in Budapest. As of October 2022, the non–Council of Europe states that have ratified the treaty are Argentina, Australia, Cabo Verde, Canada, Chile, Colombia, Costa Rica, Dominican Republic, Ghana, Israel, Japan, Mauritius, Morocco, Nigeria, Panama, Paraguay, Peru, the Philippines, Senegal, Sri Lanka, Tonga and the United States.
Although Egypt has not signed the Convention, Egyptian President el-Sisi's government legislated two major computer-crime-related laws in 2018. Targeting social networking services such as Facebook and Twitter, the legislation criminalizes fake news and terrorism and flags accounts that carry more than 5,000 subscribers or followers. The early legislation was criticized by Amnesty International; as a result, websites can appeal to the courts within 7 days of blacklisting.

India, too, was reconsidering its position on becoming a member of the Budapest Convention because of the surge in cybercrime, especially after the push for Digital India.

Intellectual property (IP) refers to creations of the mind, such as inventions, literary and artistic
works, designs, symbols, names, and images used in commerce. It is a category of property that
includes intangible creations and the legal rights associated with them. Intellectual property is
protected by law through patents, copyrights, trademarks, and trade secrets, enabling creators or
owners to control the use of their creations or inventions.

Intellectual property is a broad categorical description for the set of intangible assets owned and
legally protected by a company or individual from outside use or implementation without consent.
An intangible asset is a non-physical asset that a company or person owns.

The concept of intellectual property relates to the fact that certain products of human intellect should
be afforded the same protective rights that apply to physical property, which are called tangible
assets. Most developed economies have legal measures in place to protect both forms of property.

KEY TAKEAWAYS

• Intellectual property is an umbrella term for a set of intangible assets, that is, assets that are not physical in nature.
• Intellectual property is owned and legally protected by a person or company from outside use or implementation without consent.
• Intellectual property can consist of many types of assets, including trademarks, patents, and copyrights.
• Intellectual property infringement occurs when a third party engages in the unauthorized use of the asset.
• Legal protections for most intellectual property expire after some time; however, for some (e.g., trademarks), they last forever.

Intellectual Property

Companies are diligent when it comes to identifying and protecting intellectual property because it holds such high value in today's increasingly knowledge-based economy. Producing valuable intellectual property also requires heavy investment of brainpower and skilled labor time. This translates into heavy investments by organizations and individuals that should not be accessed by others without rights to it.

Extracting value from intellectual property and preventing others from deriving value from it is an
important responsibility for any company. Intellectual property can take many forms. Although it's
an intangible asset, intellectual property can be far more valuable than a company's physical assets.
Intellectual property can represent a competitive advantage and as a result, is fiercely guarded and
protected by the companies that own the property.

Types of Intellectual Property

Intellectual property can consist of many types of intangibles, and some of the most common are listed below.

Patents

A patent is a property right for an inventor that's typically granted by a government agency, such as the U.S. Patent and Trademark Office. The patent allows the inventor exclusive rights to the invention, which could be a design, process, an improvement, or physical invention such as a machine. Technology and software companies often have patents for their designs. For example, the patent for the personal computer was filed in 1980 by Steve Jobs and three other colleagues at Apple Inc.[2]

Copyrights

Copyrights provide authors and creators of original material the exclusive right to use, copy, or
duplicate their material. Authors of books have their works copyrighted as do musical artists. A
copyright also states that the original creators can grant anyone authorization through a licensing
agreement to use the work.

Trademarks

A trademark is a symbol, phrase, or insignia that is recognizable and represents a product, legally separating it from other products. A trademark is exclusively assigned to a company, meaning the company owns the trademark so that no others may use or copy it. A trademark is often associated with a company's brand. For example, the logo and brand name "Coca-Cola" are owned by the Coca-Cola Company.

Franchises

A franchise is a license that a company, individual, or party (called the franchisee) purchases, allowing them to use a company's (the franchisor's) name, trademark, proprietary knowledge, and processes.

The franchisee is typically a small business owner or entrepreneur who operates the store or
franchise. The license allows the franchisee to sell a product or provide a service under the company's
name. In return, the franchisor is paid a start-up fee and ongoing licensing fees by the franchisee.
Examples of companies that use the franchise business model include United Parcel Service (UPS)
and McDonald's Corporation (MCD).

Trade Secrets

A trade secret is a company's process or practice that is not public information, which provides an
economic benefit or advantage to the company or holder of the trade secret. Trade secrets must be
actively protected by the company and are typically the result of a company's research and
development (which is why some employers require the signing of non-disclosure agreements, or
NDAs).

Examples of trade secrets could be a design, pattern, recipe, formula, or proprietary process. Trade
secrets are used to create a business model that differentiates the company's offerings to its customers
by providing a competitive advantage.

Digital Assets

Digital assets are also increasingly recognized as IP. These would include proprietary software code
or algorithms, and online digital content.

Type of IP   | IP Protection                                                                             | Duration (in the U.S.)
-------------|-------------------------------------------------------------------------------------------|---------------------------------------------------
Patents      | Inventions, industrial designs, computer code                                             | 20 years
Trademarks   | Unique identifiers for a business or its products or services (e.g., logos, brand names)  | As long as the trademarked material remains active
Copyrights   | Works of authorship, including books, poems, films, music, photographs, online content    | 70 years after the author dies[5]

Intellectual Property Infringement

Attached to intellectual property are certain rights, known as Intellectual Property Rights (IPR), that
cannot be infringed upon by those without authorization to use them.

IPRs give owners the ability to bar others from recreating, mimicking, and exploiting their work.

Patent infringement occurs when a legally protected patent is used by another person or company without permission. Patents filed before June 8, 1995, are valid for 17 years, whereas patents filed after this date are valid for 20 years.[7] After the expiration date, the details of the patent are made public.

Copyright violations occur when an unauthorized party recreates all or a portion of an original work,
such as a work of art, music, or a novel. The duplicated content need not be an exact replica of the
original to qualify as an infringement.

Similarly, trademark infringement occurs when an unauthorized party uses a licensed trademark or a
mark resembling the licensed trademark. For example, a competitor might use a mark similar to its
rival's to disrupt business and attract their customer base. Also, businesses in unrelated industries
may use identical or similar marks in an effort to capitalize on other companies' strong brand images.

Trade secrets are often protected by non-disclosure agreements (NDA). When a party to the
agreement discloses all or parts of a trade secret to uninterested parties, they have violated the
agreement and infringed upon the trade secret. It is possible to be guilty of trade secret infringement
when an NDA is not present.

INTRODUCTION

In early August 2023, the Indian Parliament passed the Digital Personal Data Protection (DPDP) Act, 2023.[1] The new law is the first cross-sectoral law on personal data protection in India and has been enacted after more than half a decade of deliberations.[2] The key question this paper discusses is whether this seemingly interminable period of deliberations resulted in a “good” law—whether the law protects personal data adequately, and in addition, whether it properly balances, as the preamble to the law states, “the right of individuals to protect their personal data” on one hand and “the need to process such personal data for lawful purposes” on the other.

The first part of the paper details the key features of the law and compares it to earlier versions, especially the previous official bill introduced by the government in Parliament in 2019.[3] The second part of the paper then examines the DPDP Act from two perspectives. First, it highlights certain potentially problematic features of this law to understand its consequences for consumers and businesses as well as the Indian state. Second, it places the act in the context of the developments and deliberations that have taken place over the last five years or so. The third part speculates on the key factors that will influence the development of data protection regulation in India in the next few years.

The 2023 act is the second version of the bill introduced in Parliament, and the fourth overall. An initial version was prepared by a committee of experts and circulated for public feedback in 2018.[4] This was followed by the government’s version of the bill that was introduced in Parliament in 2019—the Personal Data Protection Bill, 2019. This version was studied by a parliamentary committee that published its report in December 2021.[5] The government, however, withdrew this bill, and in November 2022, published a fresh draft for public consultations—the draft Digital Personal Data Protection Bill, 2022.[6] This draft was quite different compared to the previous versions. The 2023 law is based, in significant part, on this draft. However, it has some new provisions that are consequential for the questions this paper seeks to answer.

These four drafts were preceded by a landmark 2017 judgment by India’s Supreme Court in Justice K.S. Puttaswamy and Anr. v. Union of India and Ors.[7] The judgment declared that the right to privacy is part of the fundamental right to life in India and that the right to informational privacy is part of this right. The judgment, however, did not describe the specific contours of the right to informational privacy, and it also did not lay down specific mechanisms through which this right was to be protected.

Following this, the first government version of the law, the Personal Data Protection Bill, 2019, was introduced in Parliament in December 2019. This version was expansive in scope and proposed cross-sectoral, economy-wide data protection regulation to be overseen by an all-powerful data protection regulator—the Data Protection Authority (DPA). The 2019 bill provided for a preventive framework.[8] It imposed a number of obligations on entities collecting personal data—to provide notice and take consent from individuals, to store accurate data in a secure manner, and to use it only for purposes listed in the notice. Businesses were also required to delete data once the purpose was satisfied and to provide consumers rights to access, erase, and port their data. Businesses were required to maintain security safeguards and transparency requirements, implement “privacy by design” requirements, and create grievance redress systems. Finally, this bill introduced an entity known as “consent managers,” who were intermediaries for collecting and providing consent to businesses on behalf of individuals.[9]

The bill grouped personal data into different categories and required elevated levels of protection for “sensitive” and “critical” personal data. Certain businesses were also to be categorized as “significant data fiduciaries,” and additional obligations were proposed for them—registration in India, data audits, and data impact assessments. In addition, the bill imposed localization restrictions on the cross-border flows of certain categories of data. The DPA was empowered to impose penalties on businesses for violating these requirements. The bill also proposed to criminalize activities related to the deanonymization of individuals from anonymized datasets.

The 2019 bill exempted certain entities and businesses from notice and consent requirements under certain circumstances—for lawful state functions, medical and health services during emergencies or epidemics, breakdown of public order, employment-related data processing, the prevention and detection of unlawful activity, whistleblowing, and credit recovery, among others.

The 2019 bill also had a provision to empower the government to regulate nonpersonal data. It allowed the government to require private entities to hand over specific nonpersonal data that the government asked for as per conditions it prescribed. In short, the 2019 bill proposed a comprehensive, cross-sectoral framework based on preventive requirements for businesses (defined as “data fiduciaries”) and rights for individuals or consumers (“data principals”).

This regulatory structure was based mostly on the 2018 draft bill proposed by the Srikrishna Committee—the committee, chaired by Justice B.N. Srikrishna, a retired Supreme Court judge, was set up by the Ministry of Electronics & Information Technology in July 2017 to help frame data protection norms. The recommendations of this committee, in turn, were based on major regulatory developments that were popular while the work of the committee was proceeding. Primary among these was the European Union’s (EU’s) General Data Protection Regulation (GDPR).[10] While the general preventive framework of the 2019 bill was welcome, its expansive scope was problematic. It created a number of significant compliance requirements that would have affected both big and small firms in the economy. It also proposed the creation of a DPA that had significant regulation-making and supervisory powers. These regulations would have further detailed the already significant compliance requirements in the bill. The novelty of the law and the lack of prior experience in implementing a data protection law of this nature would have created serious risks of overregulation or under-regulation.[11]

The DPDP Act is based on the draft proposed by the government in November 2022, which adopted a radically different approach to data protection regulation.[12] The next section details the key provisions of the act.

KEY FEATURES OF THE DPDP ACT, 2023

Compared to the 2019 version of the bill, the DPDP Act, 2023 is more modest—it has reduced obligations for businesses and protections for consumers. On the one hand, the regulatory structure is simpler, but on the other, it vests the central government with unguided discretionary powers in some cases.

Applicability to Non-residents

The DPDP Act applies to Indian residents and businesses collecting the data of Indian residents. Interestingly, it also applies to non-citizens living in India whose data processing “in connection with any activity related to offering of goods or services” happens outside India.[13] This has implications for, say, a U.S. citizen residing in India being provided digital goods or services within India by a provider based outside India.

Purposes of Data Collection and Processing

The 2023 act allows personal data to be processed for any lawful purpose.[14] The entity processing data can do so either by taking the concerned individual’s consent or for “legitimate uses,” a term that has been explained in the law.

Consent must be “free, specific, informed, unconditional and unambiguous with a clear affirmative action” and for a specific purpose. The data collected has to be limited to that necessary for the specified purpose. A clear notice containing these details has to be provided to consumers, including the rights of the concerned individual and the grievance redress mechanism. Individuals have the right to withdraw consent if consent is the ground on which data is being processed.

Legitimate uses are defined as: (a) a situation where an individual has voluntarily provided personal data for a specified purpose; (b) the provisioning of any subsidy, benefit, service, license, certificate, or permit by any agency or department of the Indian state, if the individual has previously consented to receiving any other such service from the state (this is a potential issue since it enables different government agencies providing these services to access personal data stored with other agencies of the government);[15] (c) sovereignty or security; (d) fulfilling a legal obligation to disclose information to the state; (e) compliance with judgments, decrees, or orders; (f) medical emergency or threat to life or epidemics or threat to public health; and (g) disaster or breakdown of public order.[16]

Rights of Users/Consumers of Data-Related Products and Services

The DPDP Act also creates rights and obligations for individuals.[17] These include the right to get a summary of all the collected data and to know the identities of all other data fiduciaries and data processors with whom the personal data has been shared, along with a description of the data shared. Individuals also have the right to correction, completion, updating, and erasure of their data. They also have a right to obtain redress for their grievances and a right to nominate persons who will receive their data.

Obligations on Data Fiduciaries

Entities responsible for collecting, storing, and processing digital personal data are defined as data fiduciaries and have defined obligations. These include: (a) maintaining security safeguards; (b) ensuring completeness, accuracy, and consistency of personal data; (c) intimation of data breach in a prescribed manner to the Data Protection Board of India (DPB); (d) data erasure on consent withdrawal or on the expiry of the specified purpose; (e) the data fiduciary having to appoint a data protection officer and set up grievance redress mechanisms; and (f) the consent of the parent/guardian being mandatory in the case of children/minors (those under eighteen years of age). The DPDP Act also states that any processing that is likely to have a detrimental effect on a child is not permitted. The law prohibits tracking, behavioral monitoring, and targeted advertising directed at children.[18] The government can prescribe exemptions from these requirements for specified purposes. This is potentially a problem since the powers to exempt are broad and without any guidelines.

While the 2023 act retains the broad categories of obligations for the most part, the key difference from the 2019 bill is the absence of the scope for the regulator, the DPA, to make detailed regulations on these obligations. In addition, the substantive requirements under each of these categories have been reduced.

There is an additional category of data fiduciaries known as significant data fiduciaries (SDFs). The government will designate data fiduciaries as SDFs based on certain criteria—volume and sensitivity of data and risks to data protection rights, sovereignty and integrity, electoral democracy, security, and public order.[19]

SDFs will have additional obligations that include: (a) appointing a data protection officer based in India who will be answerable to the board of directors or the governing body of the SDF and will also serve as the point of contact for grievance redressal; and (b) conducting data protection impact assessments and audits and taking other measures as prescribed by the government. The 2019 bill required that SDFs register in India. This requirement has been removed from the 2023 act.

Moderation of Data Localization Requirements

The 2023 law reverses course on the issue of data localization. While the 2019 bill restricted certain data flows, the 2023 law only states that the government may restrict flows to certain countries by notification. While this is not explicit, the power to restrict data flows seems to be to provide the government necessary legal powers for national security purposes. The law also states that this will not impact measures taken by sector-specific agencies that have or may impose localization requirements. For example, the Reserve Bank of India’s localization requirements will continue to be legally valid.

Exemptions From Obligations Under the Law

The law provides exemptions from consent and notice requirements as well as most obligations of data fiduciaries and related requirements in certain cases: (a) where processing is necessary for enforcing any legal right or claim; (b) personal data has to be processed by courts or tribunals, or for the prevention, detection, investigation, or prosecution of any offenses; (c) where the personal data of non-Indian residents is being processed within India; and so on.[20]

In addition, the law exempts certain purposes and entities completely from its purview.[21] These include:

1. Processing in the interests of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order, or preventing incitement to any cognizable offense. This will allow investigative and security agencies to remain outside the purview of this law.

2. Data processing necessary for research, archiving, or statistical purposes if the personal data is not to be used to take any decision specific to a data principal.

3. The government can exempt certain classes of data fiduciaries, including startups, from some provisions—notice, completeness, accuracy, consistency, and erasure.

4. One problematic provision allows the government to, “before expiry of five years from the date of commencement of this Act,” declare that any provision of this law shall not apply to such data fiduciary or classes of data fiduciaries for such period as may be specified in the notification. This is a significant and wide discretionary power and is not circumscribed by any guidance on the basis for such exemption, the categories that may be exempted, and the time period for which such exemptions can operate.

New Regulatory Structure for Regulating Data Privacy

The 2023 law completely changes the proposed regulatory institutional design. The 2019 bill proposed an independent regulatory agency. The DPA was proposed on the lines of similar government agencies in many EU countries that function independently of government and implement the GDPR. The proposed Indian DPA was arguably more powerful since it was proposed to have much more extensive regulation-making powers than DPAs under the GDPR. In addition to framing regulations, the DPA would have been responsible for framing codes of conduct for businesses, investigating cases of noncompliance, collecting supervisory information, and imposing penalties on businesses.

In contrast, the 2023 law establishes the DPB.[22] The board is not a regulatory entity and is very different from the DPA. Compared to the latter, the board has a limited mandate to oversee the prevention of data breaches and direct remedial action and to conduct inquiries and issue penalties for noncompliance with the law.[23] The board does not have any powers to frame regulations or codes of conduct or to call for information to supervise the workings of businesses. It can only do so during the process of conducting inquiries.

The members of the board will be appointed by the government, and the terms and conditions of their service will be prescribed in rules made by the government.[24] The law states that these terms and conditions cannot be varied to a member’s disadvantage during their tenure.

The law allows the board to impose monetary penalties of up to 250 crore rupees (approximately $30.5 million).[25] Appeals from the board’s orders will go to an existing tribunal—the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). In addition to monetary penalties, the act allows data fiduciaries to provide voluntary undertakings to the board as a form of settlement of any complaints against them.[26] Therefore, the board is a very different institution in design compared to the DPA.

Finally, the 2023 law contains a novel provision not included or discussed in any previous version. This is Section 37, which allows the government, based on a reference from the board, to block the public’s access to any information that enables a data fiduciary to provide goods or services in India. This has to be based on two criteria: (a) the board has imposed penalties against such data fiduciaries on two or more prior occasions, and (b) the board has recommended a blockage. The government has to provide the data fiduciary an opportunity to be heard before taking such action.

ANALYZING THE DPDP ACT, 2023

This section analyzes the 2023 act from two perspectives. First, it explains the broad structure of the law and highlights its key features and issues. Second, it contextualizes the law in the background of the different drafts proposed before this and elaborates upon the deliberations that have led to it.

How Well Does the DPDP Act, 2023, Protect Privacy?

The 2023 act creates, for the first time, a data privacy law in India. It requires consent to be taken before personal data is processed and provides a limited number of exceptions that are clearly enumerated in the law. It provides consumers the right to access, correct, update, and erase their data, in addition to a right to nomination. It creates additional safeguards for the processing of children’s data. For businesses, it creates purpose limitations and obligations to provide notice of data collection and processing and mandates security safeguards. The law requires the creation of grievance redress mechanisms by businesses. The DPB will also handle complaints and grievances and is empowered to issue penalties for noncompliance with the law.

For the first time, therefore, India has a statutory framework for data protection. The presence of the law will gradually lead to the development of minimal standards of behavior and compliance among businesses that collect data. In this regard, the approach of the government toward implementing and enforcing the law will be the critical variable—for example, whether implementation will be focused on data-heavy businesses or across the economy would be an important factor.

However, other than open questions related to implementation, there are some concerns with different provisions of the law and their potential for undermining the protections seemingly accorded in it.

First, the exceptions carved out for consent empower the state significantly and place state imperatives on a different pedestal compared to private entities. While this may be truly legitimate in some circumstances, like disasters or emergencies, the law enlarges the scope of such circumstances. For example, Section 7(b) of the law enables the government to sidestep consent requirements where a government service beneficiary has previously consented to receiving any other benefit from the state. While this may allow easier access to personal data of beneficiaries for receiving government services, it also creates a potential for the government to aggregate databases. This is because making true use of the potential of this provision would mean that government agencies would have to be exempted from purpose limitations that require personal data to be deleted after the purpose of the data has been satisfied.

Another example of this is the set of exemptions to the state for investigative, prosecutorial, and national security purposes. In Section 17(1)(c), the law exempts the requirements of notice and consent, among others, for the purposes of processing for “prevention, detection, investigation or prosecution of any offence or contravention of any law.”[27] While this is understandable, Section 17(2)(a) subsequently provides a blanket exemption from the whole law to any government agency that the government may notify, in the interests of sovereignty, security, integrity, public order, and preventing incitement. Given the fact that Section 17(1)(c) already exists, Section 17(2)(a) only indicates the desire of Parliament to ensure a complete non-application of the data protection law to certain state agencies.

Provisions like these create a separate category of activity that is beyond the purview of data privacy requirements. It is problematic that the Indian state is not subject to many of the constraints that private entities are, especially in cases where there is no pressing requirement for such an exception.

Second, the discretionary rule-making powers that the government has under the law could, in some cases, undermine the protections provided in the law. For example, under Section 17(5), the government has the power to declare that any provisions of this law will not apply to any business or class of businesses within five years of the commencement of the law. There is no time frame for the operation of this exemption or any guidance on how this provision is to be used. An optimistic interpretation of this provision would suggest that this could be used to allow sunrise industries or startups some time to comply with the law. However, provision for this has already been made in Section 17(3), which provides limited exemptions to startups and other industries the government may notify. Therefore, Section 17(5) could potentially be used in a manner that defeats the purpose of the law. It is worth reiterating that the law only limits the government’s power to give these exemptions for an initial period of five years. It does not provide any limit on how long these exemptions can last for.

Similarly, the government has some unguided rule-making powers for exempting businesses from certain requirements regarding the processing of children’s data. Sections 9(1) to 9(3) specify certain requirements for the same: they require parental consent and prohibit profiling, among others. Section 9(4) allows the government to exempt any business or class of businesses from Sections 9(1) to 9(3) “subject to such conditions, as may be prescribed.” This provision, again, fails to indicate on what grounds this exemption will be given, how the conditions are to be determined, and so on. Since there is a lack of sufficient guidance, this provision is also subject to misuse.

While there are other provisions where the government has powers to prescribe conditions and make substantive rules, the examples highlighted above provide almost no guidance. This is also problematic when judged against the tenets of Indian administrative law, which requires that laws should not confer unguided and excessive discretion on the implementing authority.28 If improperly used, such legal provisions are potentially in violation of the Indian Constitution.


Third, the design of the DPB is problematic. The board is an independent agency with a limited mandate, and the government will create mechanisms for the selection and appointment of its members. While the law sets out qualifications for members, it does not state how many members shall be on the board and requires only one of them to be a legal expert. This last provision is a problem since one of the board’s main functions is to issue penalties and directions for noncompliance.

In addition, the chairperson of the DPB is empowered to authorize any board member to perform “any of the functions of the board and conduct any of its proceedings.” It is possible that the chairperson may not authorize the legal member of the board to conduct the proceedings leading up to the issuance of a penalty. This design also fails to maintain an internal separation of functions between the members conducting inquiries and the chairperson. Since the chairperson appoints members to conduct inquiries, they may potentially not discharge this function impartially in all cases.

Therefore, while the DPDP Act creates data privacy protections in law for the first time, certain provisions in the law can effectively undermine its benefits if the government does not act under them in the most scrupulous manner possible.
UNCITRAL Model Law

The United Nations Commission on International Trade Law (UNCITRAL), established by the General Assembly in 1966 (Resolution 2205(XXI) of 17 December 1966), is a subsidiary body of the General Assembly of the United Nations with the general mandate to further the progressive harmonization and unification of the law of international trade. It facilitates international commerce through the modernization of trade rules and the harmonization of commercial laws, primarily through the drafting of treaties, model laws, and explanatory texts.

These documents are prepared by ad hoc committees of subject specialists known as working groups.

Since its inception, UNCITRAL’s Working Group on Electronic Commerce has produced one treaty, three model laws, and two explanatory texts:

Treaty

 Convention on the Use of Electronic Communications in International Commerce (2005)

The full text of the convention and an explanatory note are available in PDF format.

Model Laws

 Model Law on Electronic Commerce (1996)
 Model Law on Electronic Signatures (2001)
 Model Law on Electronic Transferable Records (2017)

The full text of each model law and a guide to its enactment are available in PDF format.

Explanatory Texts

 Notes on the Main Issues of Cloud Computing Contracts (2019)
 Promoting Confidence in Electronic Commerce: Legal Issues on International Use of Electronic Authentication and Signature Methods (2007)

UNCITRAL Working Group on Online Dispute Resolution

UNCITRAL’s Working Group on Online Dispute Resolution met from 2010 to 2016. Although it did not produce any treaties or model laws, the Working Group did publish its Technical Notes on Online Dispute Resolution.

UNCITRAL has prepared a suite of legislative texts to enable and facilitate the use of electronic means to engage in
commercial activities, which have been adopted in over 100 States.
The most widely enacted text is the UNCITRAL Model Law on Electronic Commerce (1996), which establishes rules for
the equal treatment of electronic and paper-based information, as well as the legal recognition of electronic transactions
and processes, based on the fundamental principles of non-discrimination against the use of electronic means, functional
equivalence and technology neutrality. The UNCITRAL Model Law on Electronic Signatures (2001) provides additional
rules on the use of electronic signatures.

The United Nations Convention on the Use of Electronic Communications in International Contracts (New York, 2005)
builds on pre-existing UNCITRAL texts to offer the first treaty that provides legal certainty for electronic contracting in
international trade.

Most recently, the UNCITRAL Model Law on Electronic Transferable Records (2017) applies the same principles to
enable and facilitate the use in electronic form of transferable documents and instruments, such as bills of lading, bills of
exchange, cheques, promissory notes and warehouse receipts.

In 2019, UNCITRAL approved the publication of Notes on the Main Issues of Cloud Computing Contracts, while continuing work towards a new instrument on the use and cross-border recognition of electronic identity management services (IdM services) and authentication services (trust services).

Significant work in cooperation with other organizations has also been conducted in the field of legal aspects of single
windows and paperless trade facilitation. The results of joint work with United Nations ESCAP in that field include the
online Readiness Assessment Guide for Cross-Border Paperless Trade.

Recent advances in information and communications technology and the emergence of new technologies in digital trade
pose new legal questions. Accordingly, UNCITRAL continues its efforts to legally enable emerging technologies such as
artificial intelligence, data transactions, digital platforms and digital assets, including in connection with other areas of
work such as dispute resolution, security interests, insolvency and the international transport of goods, as well as, more
generally, digital trade.
