(This article is written by Astitva Kumar, a research associate at ICMCR.)

Cybercrime has risen considerably in recent years, including phishing, identity theft, and fraud. The majority of cyber-attack or fraud victims in India have no idea how to respond to a cyber-attack. Even though there are several online cybercrime compliant platforms.[1] In countries like India, where the internet is widely used, cyber rules are extremely vital. The digital interchange of information, software, information security, e-commerce, and monetary transactions are all governed by cyber laws. By providing optimal connectivity and eliminating cybersecurity threats, India’s cyber laws have cleared the path for electronic commerce and electronic government in the country, as well as expanded the scope and usage of digital media. The Information Technology Act of 2000 establishes a framework for resolving cyber-attacks such as hacking, data theft, and phishing.[2]

History of internet

The Internet is a worldwide network of interconnected computer networks that utilize the Internet Protocol Suite as its standard. It is a network of networks made up of millions of private and public, academic, corporate, and government networks that are connected via copper lines, fibre optic cables, wireless connections, and other technologies and spans the globe. The Internet hosts a diverse set of information resources and services, including the World Wide Web’s (WWW) interconnected hypertext documents and the infrastructure that supports electronic mail, as well as popular services like online chat, file transfer and file sharing, online gaming, and Voice over Internet Protocol (VoIP) voice and video communication. The Internet’s beginnings may be traced back to the 1960s when the US military financed research efforts to develop reliable, fault-tolerant, and dispersed computer networks. This research, combined with a period of civilian funding by the National Science Foundation for a new U.S. backbone, sparked global participation in the development of new networking technologies, resulting in the commercialization of an international network in the mid-1990s, and the subsequent popularisation of countless applications in virtually every aspect of modern human life.

The phrases ‘Internet’ and ‘World Wide Web’ are frequently interchanged in common conversation. The Internet and the World Wide Web, on the other hand, are not the same thing. The Internet is a worldwide computer network. It is a hardware and software architecture that allows computers to communicate with one another. The Web, on the other hand, is one of the Internet-based services. It is a collection of papers and other resources that are linked together using hyperlinks and the Uniform Resource Locator (URL) (URLs).

The World Wide Web was created in 1989 by Tim Berners-Lee, an English physicist who is currently the Director of the World Wide Web Consortium, with the help of Belgian computer scientist Robert Cailliau, when both were working at CERN in Geneva, Switzerland. They suggested establishing a “web of nodes” to store “hypertext pages” read by “browsers” over a network in 1990, and that web was published in December of that year.

Cyber laws in India

There are predominantly four cyber laws that India embraces:

  1. Information Technology Act, 2000: Indian cyber legislation is governed by the Information Technology Act, which was implemented in 2000. The major purpose of this Act is to offer reliable legal protection for eCommerce by making it easier to register real-time data with the government. However, as cyber attackers got more sophisticated, as well as the human proclivity to abuse technology, several changes were implemented.
  2. Companies Act, 2013: The SFIO (Serious Frauds Investigation Office) was given the jurisdiction to prosecute Indian firms and their directors for cyber frauds under the Companies Act of 2013. Following the adoption of the Companies Inspection, Investment, and Inquiry Rules, 2014, SFIOs have become considerably more strict and unforgiving in this area. The law covers all regulatory compliances, including cyber forensics, e-discovery, and cybersecurity diligence. The Companies (Management and Administration) Rules, 2014 specifies stringent cybersecurity standards and responsibilities for company directors and executives.
  3. Indian Penal Code (IPC), 1860: Identity theft and associated cyber crimes are prosecuted under the Indian Penal Code (IPC), 1860, as well as the Information Technology Act, 2000. The primary sections of the IPC that deal with cyber scams include false documentation (Section 464), forgery (Section 465), forging pre-planned for deceiving (Section 468), reputation injury (Section 469), and presenting a fabricated document as real (Section 471).
  4. Cybersecurity Framework (NCFS): The National Institute of Standards and Technology (NIST), the world’s most trusted certifying authority, has certified the Cybersecurity Framework (NCFS), which provides a systematic approach to cybersecurity. All required regulations, standards, and best practices for efficiently managing cyber-related risks are included in the NIST Cybersecurity Framework. This system’s versatility and cost-effectiveness are important considerations.

Information Technology Act, 2000

With the adoption of the Information Technology Act 2000 (ITA 2000) on October 17, 2000, India recognized regulations that apply to the usage of electronic documents. The legislation recognized many types of violations and imposed civil and criminal penalties in some circumstances. Furthermore, the legislation detailed methods for resolving grievances and demanding damages through an organization known as “Adjudication” with an appeal process through the Cyber Appellate Tribunal (CyAT, which is now called Appellate Tribunal or AT and merged with TDSAT).

The framework’s use is restricted; it only applies to cases involving breaches of the IT Act. Under the IT Act, there are two types of violations: (i) contraventions[3] relating to damage to the computer, computer systems; protection of data; failure to furnish information, violation of any provision, rule, regulation, or direction under the Act; and (ii) offenses[4] including cyber terrorism, violation of privacy and cheating. Only disputes relating to contraventions can be resolved through the dispute resolution framework.[5] Offenses are criminal and are prosecuted under Indian criminal laws. The IT Act applies to individuals and businesses both inside and outside of India.

Dispute Resolution under Cyber law

The Information Technology Act of 2000 provides quasi-judicial entities to arbitrate disputes, such as adjudicating authorities (offenses of a civil nature as well as criminal offenses). The adjudicating officer has civil and criminal court-like powers, including the ability to award compensation as a civil remedy and to impose fines for violations of the Act. The first stage of appeal is the Cyber Appellate Tribunal, which consists of a Chairperson and any additional members are chosen by the Central Government. Within 60 days of the Cyber Appellate Tribunal’s verdict being conveyed, a second appeal may be filed with a High Court with jurisdiction. Because it possesses dual powers, the AO is a quasi-judicial body.

(i) order investigation i.e. hold an inquiry into the violation of the IT Act based on evidence produced before it; and[6]

(ii) adjudicate i.e. it decides the quantum of compensation or penalty be awarded in case of a violation. The AO can exercise its jurisdiction over matters in which the claim for compensation or damage does not exceed INR 5 crore. As per Section 47 of the Information Technology Act, 2000, while adjudging the quantum of compensation or penalty, the Adjudicating Officer shall have due regard to the following factors: (i) the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default; (ii) the amount of loss caused to any person as a result of the default; and (iii) the repetitive nature of the default.

The adjudication process as provided by the Information Technology Act, 2000 has been discussed in pointers hereunder:

  1. Filing of the complaint to the AO.
  2. Notice to the necessary parties containing the date and time of the first hearing is issued by the AO.
  3. On the date provided in the notice, the AO explains alleged contraventions to the party against whom allegations are made.

The three possible instances that can take place after this are provided below:

  1. The person against whom the allegation is made pleads guilty, or
  2. The person against whom the allegation is made shows cause why an inquiry should not be held against him/her, or
  3. The person against whom the allegation is made fails to appear. In that case, the AO proceeds with the inquiry in absence of such a person.

If the circumstance described in item (a) occurs, the AO will impose a penalty or award compensation following the provisions of the IT Act, 2000.

If the circumstance provided in point (b) unfolds itself, the outcomes are:

  1. The AO decides based on the submission of parties and/or preliminary investigation to determine whether there is sufficient cause to order an inquiry or not. The AO will fix another date for the production of documents or evidence and then finally pass an order based on the evidence presented.
  2. The AO dismisses the complaint on finding no sufficient cause to proceed with it.

In circumstances where the demand for compensation or injury is less than INR 5 crore, the AO has jurisdiction. Any time after receiving a complaint, the AO can order an investigation. The investigation is conducted by an officer from the Office of the Controller of Certifying Authorities, or (CERT-In), or a Deputy Superintendent of Police.

Appeal

The Telecom Disputes Settlement and Appellate Tribunal (“TDSAT”) hears appeals from AO orders. Within 45 days of obtaining the AO’s order, a party can file an appeal with the TDSAT. If the adjudication order was made with the parties’ permission, the parties do not have the right to appeal.

After providing the parties a reasonable chance to be heard, the TDSAT may confirm, amend, or set the adjudication order under appeal. To call the parties, mandate the production of documents, and review its rulings, the TDSAT has the same authorities as a civil court.[7] Within 60 days of obtaining the order, a party can submit an appeal with the High Court against the TDSAT’s decision.[8]

Effectiveness of Dispute Resolution under Cyber Law

  1. The AOs are endowed with enormous abilities. They have the jurisdiction to rule on any IT Act of 2000 statute, rule, regulation, or directive. Several AOs are grappling with the same problems at the same time. As a result, there are divergent perspectives on the same issue. In Rajendra Prasad Yadav v. ICICI Bank (2011), for example, the AO determined that Section 43 of the IT Act did not apply to the bank since it was a corporate organization. On the other hand, AOs in other states have come to various decisions. In several cases, Section 43 has been invoked against companies. This may make it more difficult for a company to comply with the IT Act of 2000 since it would have to consider the views of numerous AOs to operate across India.
  2. Secretaries of state departments of information technology were intended to be AOs under an old MeitY Order from 2003. They are responsible for the administration of their department and are actively involved in the co-working of the government of the state in which they are appointed, in addition to fulfilling their obligations as AOs. The fact that they work two jobs is really difficult.
  3. In the Indian regulatory context, there is no guiding document on the cyber investigation or cyber forensics. The Information Technology (Amendment) Act of 2008 established the “Examiner of Electronic Evidence.” This group provides expert guidance on electronic evidence. The MeitY has designated various forensic science laboratories as examiners.
  4. According to the TRAI Act of 1997, the TDSAT consists of only a chairperson and two more members. Because telecom and information technology are two distinct fields, choosing one requires a different set of abilities.

Conclusion

Given the high number of cyber-attacks in the country, the present dispute resolution structure under the IT Act must be strengthened. By requiring cyber violators to pay damages and compensation, the dispute resolution structure can serve as a strong deterrence. It may also be used as a venue for victims to file complaints and seek redress. It has failed to produce the desired outcome in its current state. The AOs’ capacity must be enhanced. The Crown Prosecution Service of the United Kingdom has developed ‘Cybercrime-prosecution advice,’ which defines significant categories of cybercrime, such as hacking and social media-related offenses, and acts as a guideline for deciding on cybercrime cases. Similar guidelines should be developed and applied in India to promote better complaint management. In India, similar standards are needed for efficient dispute settlement under cyber legislation.

[1] National Cyber Crime Reporting Portal, Ministry of Home Affairs, https://www.cybercrime.gov.in/

[2] Chapter IX, Information Technology Act, 2000.

[3] Section 43-44, Chapter IX, Information Technology Act, 2000.

[4] Section 61 of the Information Technology Act, 2000

[5]  Rule 4(l) of the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003

[6] Rule 4, the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003.

[7] Section 58(2), Information Technology Act, 2000.

[8] Section 62, Information Technology Act, 2000.