INTRODUCTION
Technology has fostered great advancements. It has alleviated our perspective about boundaries of communications and transactions but as every cloud has a silver lining technology has paved a way for humans to embezzle the perks of it. The technology that we use today has unintended consequences and its growth has given rise to most trivial to most complicated cyber-crimes. One of the alarming crimes in the world is Identity Theft. According to statistical data, Identity theft contributes to 28 percent of overall fraud in India. Several large scale identity theft instances in India include the RBI Phishing Scam, ICC World Cup, 2011 scam and the password phishing scam targeting Google email account holders.
MEANING OF IDENTITY THEFT
‘Identity’ is evidence of an individual’s existence and ‘theft’ is possession without ownership or consent of the entitled person. Identity theft refers to the unauthorized use of an individual’s personal information, such as their name, date of birth, social security number, or credit card number, for fraudulent purposes or an economic gain. Identity theft is a very broad term and it extends to a considerable number of offences from misrepresentation to forgery, some are traditional crimes and some can be considered as newer versions of cyber-crimes like ATM skimming, phishing, hacking,exaggerating claims or leaving out key information in order to encourage traffic.), identity frauds when criminals identify themselves as bank or customer service clerks or credit card agents being popular for email and numerous social media sites.
Following are the extended branches of identity theft
1. Hacking: It is a method through which malware like computer viruses or worms are used to divert information to the hackers who decrypt it and then either use it themselves or sell it to others to commit fraud using such information. Such attacks can be done in the garb of infected links, free software download, signing in through social media accounts or where there is no proper firewall protection or strong password to protect networks or computers as such.
2. Phishing: The fraudster may send an e-mail with a link of a fake website which may resemble some authentic link to, say a bank site, where personal information and account information will be asked. The reasons for seeking such information may be for keeping the customer’s information up to date for better services by the bank, or claiming that the failure of giving such information would amount to suspension of the account.
3. Pharming: It is similar to Phishing but in this, clicking on the authentic link of the bank website would redirect the websites traffic to a fake site even if the user has entered a valid internet address. Pharming is done by installing malicious code either in the personal computer or in a server. Hence, it can target various users at the same time. It happens without the consent or knowledge of the victim and is often called “Phishing without a lure”.
4. Skimming: This employs various devices stealthily attached to the ATM machines or any other machines where the credit or debit card is put to use. These stealth devices fit on the original machines and have a magnetic card reader which a pin hole camera to shoot the victims movement on the machine while he/she enters the PIN. Some sophisticated skimming devices generate an automatic message received by the thief, each time a person swipes his card.
5. Vishing: The fraudster calls the victim by posing to be a bank representative or a call center employee, thereby tricking the victim to disclose crucial information about the identity.
LAWS GOVERNING IDENTITY THEFT IN INDIA
In India identity theft is punishable under two legislations namely Indian Penal Code 1860 (IPC 1860) and Information Technology Act 2000. Identity theft as an offence was recognized after the Indian penal code was amended by the Information Technology Act 2000. The amended provisions in the Indian Penal Code 1860 specifically deal with offences related to the electronic record to be precise. Electronic record as defined in the IPC 1860 is identical under the IT act 2000 i.e. section 2(1)(t)defines electronic record as data, record or data generated, image, sound which is sent or received through electronic form.
Provisions in accordance with The Information Technology (Amendment) Act, 2008
The Information Technology Act, 2000 (vide Information Technology (Amendment) Act, 2008) is the main legislation in India governing cybercrimes. Some of the important provisions in respect of Identity Theft are:
1. Section 43: If any person without the permission of the owner damages the computer system, etc. He/she shall be liable to pay compensation to the person so affected.
2. Section 66: If any person, fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or both.
3. Section 66B: Punishment for dishonestly receiving stolen computer resource or communication device is Imprisonment for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.
4. Section 66C: provides for punishment for Identity theft as Whoever, fraudulently make use of the any unique identification feature of any other person shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine with may extend to rupees one lakh.
5. Section 66D: on the other hand was inserted to punish cheating by impersonation using computer resources.
6. Section 65: protects against any tampering with computer source documents.
7. Section 72: provides punishment for any breach of privacy and confidentiality.
Provisions in accordance with the Indian Penal Code
Under Section 419 and 420, identity theft is punishable as cheating specifically cheating by impersonation
1. Section 416 addresses cheating by impersonation and section 419 prescribes a punishment for cheating by impersonation extending up to three years of imprisonment, or fine, or both.
2. Section 420: This section deals with defrauding and dishonestly procuring the handover of the property, and it lays forth a punishment that includes both a fine and a term of imprisonment that can last up to seven years.
3. Section 464 of IPC is regarding the forgery of documents. Section 465 deals with the punishment for Forgery which may be extended to two years or fine or both. Section 468 deals with Forgery for purpose of cheating shall be punished with imprisonment which may be extended to seven years and also liable to fine. Section 469 deals with Forgery for purpose of harming reputation shall be punished imprisonment which may be extended up to three years and also liable to fine.
RELEVANT CASE LAWS
1. BinodSitaram Agarwal v/s The State of Maharashtra
Facts: This is an application for bail. The applicant was arrested in connection with crimes under Sections 43, 70 and 66C of the Information Technology Act 2000and Section 408 of the Indian Penal Code, 1860.
· The complainant is the Assistant Development Commissioner with M/s. Seepz, Sez in Mumbai. Seepz, Sez is a Central Project which provides financial assistance to Special Economic Zones.
· The Deputy Development Commissioner uses email id – ddcseepz-mah@nic.in which is used for carrying out day-to-day affairs of the undertaking. The said email-id is used by the Deputy Development Commissioner or a person authorized by him.
· In the past, there has been an instance wherein the Deputy Development Commissioner had informed the Development Commissioner that his official email-id had been misused by some unknown person.
· Directions were issued for inquiry in this regard. During the investigation, it was noted that that the IP addresses of GioInfocom Company were found to be suspicious and were reported to Seepz with a view to submitting the complaint to the concerned police station.
· It is further alleged that the applicant had hacked and accessed the email address of the Deputy Development Commissioner of Seepz. Thus, the applicant was arrested.
Judgment: The F.I.R. was lodged against unknown persons. While lodging the F.I.R., Section 43 and 66C of the Information Technology Act, 2000 were invoked.
· Section 43 relates to penalty and compensation, damage to the computer, computer system etc. This provision further mentions that whoever breaches the provisions is liable to pay damages by way of compensation to the person so affected. Section 66C provides for punishment for identity theft. It states that whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment of either description for a term which may extend to three years and shall so be liable to fine which may extend to one lakh.
· During the course of the investigation, Section 70 of the Information Technology Act, 2000 was also invoked. The section relates to the protected system. The invocation of the above section requires determining a particular system as a protected system and should be notified. The charge-sheet does not contain any such notification.
· Further custody of the applicant is not necessary. The bail application is allowed.
2. K Sudhakar vs N Balaji
Facts: K. Sudhakar, the father-in-law of respondent N. Balaji, obtained his savings account statement from HDFC Bank without his consent. The respondent filed a private complaint stating that he has a savings account in HDFC Bank, Thillai Nagar Branch, Tiruchirapalli and for the above-stated reason, the petitioner has committed offences punishable under sections 66B and 66C of the Information Technology Act read with section 406 and section 416 of IPC.
Judgment: If the said bank had issued the bank statement to the petitioner without the consent of the respondent, utmost he can ask for any relief that is available under the law against the bank authorities. He cannot prosecute the petitioner in court instead. Therefore, this court is of the view that continuance of the proceedings against the petitioner would result in an abuse of procedure of the court, and hence, these proceedings must be quashed.
CONCLUSION AND RECOMMENDATION
Thus, Indian laws are on a back foot when it comes to protection of an individual’s data, leaving a lot of room for improvement in laws as well as policies made in favor of identity theft. The laxity in specific laws, acts as a host for such manipulative offences which have become more and more common as compared to the last two decades. To ensure adequate implementation of the existing laws, there arises a need to establish proper system with efficient hierarchy of jurisdiction. Mechanism and laws to punish identity thieves should be taken care of by the legislature. The major sources from which sensitive identity information can be accessed by cyber criminals are the service providers which are basically BPO and IT companies having the personal database of people around the world. Although, the data protection laws in India are not very strong at present but the proposed Personal Data Protection Bill is a positive step towards implementing stricter data protection laws.
Following are the recommendations that can be implemented in India to make the laws regarding identity theft more effective.
· Making amendment to the present laws for imposing stricter punishment for aggravated forms of identity theft. The laws can be made victim friendly such that he/she is able to recover from the loss caused and providing as much restitution as possible. The victim must be given support, both for the immediate loss caused by Identity theft and for the aftermath of such crime.
· In order to prevent or minimize threat of identity theft, the biological aspect of identity verification (biometric) like fingerprint, voiceprint, iris scan and hand geometry, etc. should be used where ever there is an online financial transactions or email account login. Such unique information can be collected and stored at the time of registration or signing up with the websites.
· Lastly, the government needs to create awareness amongst consumers with respect to ways of protecting personal information and safe internet practices. Further, they need to be educated about their rights and redressal mechanism available to them in case of an identity theft.
REFERENCES
Indian Penal Code, 1860
S.66C of The Information Technology (Amendment) Act, 2008.
Written By,
PurvaDhamale,
Intern, Chanchlani Law World
Comments