PHISHING: MAKING INDIA DIGITALLY SECURE

We need a rule that regulates data, which is not personally identifiable, to deter cybercrime and to ensure that firms protect their assets

With the onset of the digital era, crimes in cyberspace have been increasing aggressively – taking myriad forms and targeting people for both monetary and informational reasons. The effects of cybercrime are significant for a country like India, where both traditional and digital literacy rates are still low, despite slight improvements in the past few years. Phishing scams, internet fraud, online IPR (intellectual property rights) violations, identity theft, online harassment and bullying are some of the common types of cybercrime.

Among these malicious attacks, phishing (pronounced 'fishing') in particular lacks a statutory framework and therefore a definition. The crime usually manifests in two ways: i) impersonation of a legitimate person and ii) theft of data. Given the lack of a regulatory framework around phishing, this article attempts to understand the phenomenon and the manner in which it is regulated under the existing laws.

UNDERSTANDING PHISHING

From planes to rockets, the human race has made significant technological strides over the past century. Perhaps the most important invention of all is the Internet – a technology that allows people across the globe to communicate with each other at the click of a mouse or the press of a few buttons.

Now, with the pandemic, a major part of human life has shifted to the virtual world. But the convenience hasn't come without its share of hassles. Internet applications and software function by utilising both personal and non-personal data. This has allowed criminals to gain access to a significant amount of personal data, including details of financial transactions.

To this end, 'phishing' – wherein an individual impersonates another in the virtual world to gain access to sensitive data – has been found to be one of the least expensive methods available to criminals. Though steps have been taken to curb it, they have not proved to be entirely effective thus far.

Thus, phishing essentially involves a person sending a bogus communication to another wherein they impersonate a trusted source so as to obtain sensitive information. The objective behind phishing is to steal sensitive information or data, or to infect a victim's machine with malicious software. Examples of such communication include fraudulent e-mails and messages sent on behalf of a bank in the hope of obtaining credit card information.

HOW DOES PHISHING HAPPEN?

Phishing occurs when an unsuspecting victim follows through on a fake e-mail, link, or any other kind of communication that appears to have been sent by an individual or an organisation which the victim trusts. In many cases, malware is then downloaded onto the target's device automatically or unintentionally. Some of the most prominent ways in which phishing occurs are:

  1. Link manipulation
  2. IDN (internationalised domain name) spoofing
  3. Filter evasion
  4. Social engineering, etc.
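The first two techniques in the list above, link manipulation and IDN spoofing, both leave traces that a mail filter or a cautious reader can check for: the address shown in a link's text not matching where the link actually goes, and a host name written in punycode ("xn--" labels) or non-ASCII characters so that it looks like a familiar domain. The following script, added here as an illustration and not taken from the article, scans a constructed sample e-mail body for both signs. The sample links, domains and helper names are invented for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample e-mail body (not from the article) containing three links:
# one whose display text and href disagree, one with a punycode (IDN) host,
# and one that is consistent.
SAMPLE_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://secure-login.example-bank.co.xyz/verify">https://www.example-bank.com/verify</a>
<a href="http://xn--bcher-kva.example/login">Update details</a>
<a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")
# Display text that looks like a bare domain, e.g. "www.example-bank.com/verify"
BARE_HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}(?:[/:?#].*)?$", re.IGNORECASE)


def hostname(url: str) -> str:
    """Return the lowercase host of a URL; bare 'host/path' text gets a scheme first."""
    url = url.strip()
    if "://" not in url and BARE_HOST_RE.match(url):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def idn_findings(host: str) -> list:
    """Flag hosts that use punycode labels or raw non-ASCII characters (IDN spoofing)."""
    findings = []
    if any(ord(ch) > 127 for ch in host):
        findings.append("non-ascii characters in host")
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                shown = label.encode("ascii").decode("idna")
            except UnicodeError:
                shown = "<undecodable>"
            findings.append(f"punycode label {label} renders as {shown}")
    return findings


def scan_links(html: str) -> list:
    """Return one dict per <a> tag with its href host and any warnings raised."""
    results = []
    for href, inner in LINK_RE.findall(html):
        text = TAG_RE.sub("", inner).strip()
        href_host = hostname(href)
        warnings = idn_findings(href_host)
        # Link manipulation: the text shows one domain, the href goes to another.
        text_host = hostname(text) if ("://" in text or BARE_HOST_RE.match(text)) else ""
        if text_host and text_host != href_host:
            warnings.append(f"display text points at {text_host} but href goes to {href_host}")
        results.append({"href": href, "text": text, "href_host": href_host, "warnings": warnings})
    return results


if __name__ == "__main__":
    for r in scan_links(SAMPLE_HTML):
        status = "SUSPICIOUS" if r["warnings"] else "ok"
        print(f"{status}: {r['href']}")
        for w in r["warnings"]:
            print("   -", w)
```

Run as-is, the script reports the first two links as suspicious and the third as fine. The checks are deliberately conservative: a punycode host is not necessarily malicious (many legitimate non-English domains use it), so the output shows the decoded form for a human to judge rather than blocking outright.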

Once installed, the malware begins to extract confidential information and, in some cases, even corrupts the software on the device. Some of the most pernicious dangers of phishing include:

  1. Financial Loss
  2. Data Loss
  3. Corruption of the device
  4. Unauthorised use of user data

LAWS GOVERNING PHISHING IN INDIA

In order to gain an overall understanding of phishing within India's statutory framework, we will separate the criminal and data protection aspects of phishing and then examine the laws covering each in turn.

Criminal Aspect of Phishing

Given that phishing involves a practice where data is extracted from the virtual world, it is treated as a cybercrime and as such is subject to the provisions of the Information Technology Act, 2000 ('IT Act'). The provisions dealing with the crime were incorporated via the 2008 amendment. The provisions that have been incorporated and regulate the crime of phishing are:

  • Section 43 – extracting or accessing data without consent
    Section 43 stipulates that if an individual accesses another person's computer system or network for the purposes of downloading, accessing, disrupting, denying or corrupting the data contained therein, without the consent of the owner – then that person may be held liable under this provision.
  • Section 66 – Punishment for phishing
    The provision under Section 66 of the IT Act prescribes the punishment that can be imposed for the act of stealing a victim's account by a phisher. The punishment includes either imprisonment for a term that may extend to three years or a fine that may extend to five lakh rupees, or both, depending on the severity of the crime.
  • Section 66A – spreading false information
    The provision stipulates that the act of spreading information knowing it to be false, with the intent of causing some form of damage to the victim, is punishable. The provision additionally outlines the offences that attract the punishment prescribed under it.
  • Section 66C
    The provision under this Section forbids the fraudulent use of passwords, electronic signatures, or any other feature which uniquely identifies a person. Phishers disguise themselves as the legitimate owner of an account and carry out fraudulent acts under that identity.
  • Section 66D – Impersonation
    Cheating by impersonating another person while utilising communication devices or computer resources is covered under the provisions outlined in this section. Fraudsters impersonate banks and other organisations by using URLs that take customers to phoney versions of the official websites, giving the impression that they are part of the same organisation.

Additionally, the provision under Section 81 of the Act is a non-obstante clause whereby the provisions of the IT Act take precedence over and override all other provisions within the existing framework. However, it is also important to note that, pursuant to Section 77B of the IT Act (Amendments 2008), phishing scams are bailable. This is based on the inability to determine with certainty who the perpetrator behind the crime is. The mode of the crime creates a translucent screen before the phisher, which hides their identity and results in situations wherein an innocent person can be convicted for a crime that they never committed; this creates the need to make provision for bail under Section 77B.

Additionally, the Indian Penal Code contains the following provisions under which an individual can be held liable for the crime of phishing:

  • Theft under Sections 378 and 379
  • Criminal breach of trust under Sections 405 and 406
  • Cheating under Sections 415 to 419
  • Mischief under Sections 425 and 426, and
  • Forgery under Sections 463 – 465 and Sections 467 – 477.

Data Protection aspect of Phishing

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("IT Rules") look into the manner in which corporate bodies retain data collected from their clients and users. The Rules mandate that the data being collected is of a nature that is required for the purposes of their operation. Additionally, corporate bodies are required to implement and follow all appropriate security policies and procedures, and they should only transfer personal information to a recipient who meets the same or better security requirements than the transferor.

Additionally, the Reserve Bank of India has issued directions with respect to the storage of payment system data or, in other words, data that pertains to financial or payment systems. Thereunder, it mandates that the RBI be given access to all payment data for the purposes of maintaining vigilance over payments and to simplify the process of identifying the payment system operators who fail to incorporate the mandated security measures. In furtherance of this, a cyber security framework has also been formulated by the banking regulator, which performs the following functions:

  1. provides the minimum requirements for ensuring cybersecurity which all banks must maintain;
  2. imposes a duty on every financial institution to establish a security operations centre; and
  3. establishes a mechanism for reporting cybersecurity breaches to the RBI.

The rules are also applicable to entities in the nature of payment aggregators and payment gateways, which are mandated to adhere to the baseline technological standards – including those for retaining or storing data.

Note: In addition to the aforementioned rules, the legislature is currently contemplating the Personal Data Protection Bill, 2021 – which would apply to the storing and processing of all personal data. Additionally, it creates a separate class of data – sensitive data – which includes information related to health, sex life, finance, and other such information. Though the bill has not been passed to date and is criticised for its potential to create an Orwellian state, it is the first of its kind to attempt to regulate the process of collecting, storing and processing data.

JUDICIAL PRECEDENTS

Shreya Singhal v. Union of India, 2015 [1]

The constitutionality of Section 66A of the IT Act was challenged on the touchstone of the right to free speech under article 19(1)(a) in the case of Shreya Singhal v. Union of India. The provision criminalised the act of spreading false information with the intent of causing damage to the victim. Applying the overbreadth analysis and the test of whether the provision results in a chilling effect on the right to free speech, the Supreme Court found that Section 66A of the IT Act infringes upon the right enshrined under article 19(1)(a), as it creates an environment whereby the very act of speaking and deliberation is curbed (chilling effect).

Moving on to the next part of its analysis under article 19(2) of the Constitution, the court found that the provision did not fall within the ambit of the exceptions, since the terms used in the provision, viz. 'annoy, inconvenience or insult', are vague in nature. It was further observed that the vague and overbroad nature of the provision would result in a chilling effect on free speech in the country. On this rationale, the court struck down Section 66A of the IT Act.

Punjab National Bank v. Poona Auto Ancillaries Pvt. Ltd. (2018) [2]

In this 2018 case, the primary argument raised was that the police department had handled the matter carelessly in dealing with cybercrimes like phishing, which had resulted in a loss of over Rs. 45 lakhs. As a result, the Maharashtra police department was ordered by the Bombay High Court to undertake specialised training sessions for all employees assigned to cybercrime sections. According to media reports, police officers in several Indian states are increasingly relying on commercial cyber forensics firms to help them deal with cybercrime, which is a positive step taken by law enforcement organisations. It was highlighted, however, that entrusting a private firm with sensitive data may not be a wise idea. This is yet another compelling reason to establish a competent team of cyber security specialists within the law enforcement organisation.

Pursuant to this case, a nodal entity called the Indian Computer Emergency Response Team (CERT-In) was established under the Union Ministry of Electronics and Information Technology, which is entrusted with dealing with cyber security issues such as phishing.

NASSCOM v. Ajay Sood and Ors, (2005) [3]

The defendants in this case impersonated NASSCOM, a leading software association. The defendants had composed certain e-mails and sent them to third parties for the purpose of extracting information about those parties, as the defendants were the owners and operators of a placement company that specialised in headhunting and recruiting. Inter alia, the petitioners prayed for an interim order restraining the defendants from using the term "NASSCON" on any of their goods/services (e-mails).

The Delhi High Court concluded that phishing attacks would constitute a criminal offence. Additionally, an issue that arose in this case prompted the State to undertake a cybercrime case study.

While it has been highlighted previously that the term phishing is not defined within the legal framework, it was first defined in this case as "a type of internet fraud in which a person impersonates a legitimate organisation, such as a bank or an insurance company, in order to extract personal data from a customer, such as access codes, passwords, and other sensitive information." Personal information obtained by misrepresenting the legitimate party's identity is frequently exploited to the benefit of the collecting party.

The Delhi High Court declared phishing to be an illegal act, despite the fact that there is no legislation in India which criminalises the practice. The court defined it as "a misrepresentation made in the course of trade, leading to confusion as to the source and origin of the email, causing immense harm, not only to the consumer, but also to the person whose name, identity, or password is misused."

While acknowledging the trademark rights of NASSCOM, an ex parte interim injunction was issued whereby the defendants were prohibited from using the trade name or any other name which might bear a resemblance to that of NASSCOM. Additionally, the court barred the defendants from claiming that they were associated with the petitioners and further constituted a committee which was tasked with carrying out a search of the house of the accused. The hard disks retrieved during the search revealed that they had been used by the accused to send fraudulent e-mails to a variety of recipients. After that, the problematic e-mails were extracted from the hard drives so that they could be used as evidence in court.

During the course of the lawsuit brought in India, it became evident that the defendants in whose names the infringing e-mails were sent were in fact false identities, constructed on the defendants' orders by an employee in order to avoid detection and legal action. The lawsuit was brought against the company that had sent the infringing e-mails. Once it was determined that these identities were fictitious, the names of the defendants in the lawsuit were amended to eliminate the imaginary defendants.

The defendants finally admitted guilt for their illegal conduct, and the attorneys for both sides eventually struck a settlement that was recorded as a compromise in the court proceedings. The parties to the settlement agreed that the defendants would pay the plaintiff a sum of Rs. 1.6 million as compensation for the infringement of the plaintiff's trademark rights. It was further ruled that the hard drives confiscated from the defendants' premises should be handed over to the plaintiff, as the party legally entitled to hold them.

This case accomplishes two significant goals:

  1. the practice of "phishing" is now placed within the purview of the Indian legal framework, despite the absence of a specific statute;
  2. it debunks the myth that there is no "damages culture" in India for the infringement of intellectual property rights.

Both of these goals were previously thought to be impossible. This decision bolsters the faith of intellectual property owners in the capacity and desire of the Indian judicial system to protect intangible property rights. Additionally, it is indicative of the fact that intellectual property owners can conduct their business without giving up their intellectual property rights.

CONCLUSION

The Information Technology Act (IT Act) and its guidelines, in conjunction with the Indian Penal Code (IPC), create an anti-phishing framework that penalises phishing in India. From a regulatory perspective, however, India's structure has certain holes in it. The SPDI (sensitive personal data or information) regulations are restricted, both in terms of their scope and their application. They are solely applicable to the personally identifiable information of persons. In addition, compliance with the SPDI requirements is waived for organisations that are run by the government and organisations that are not for profit. This is especially troubling in light of the fact that the government compiles huge quantities of financial information, such as records on income tax, Aadhaar, and PAN cards. Phishers now feel more empowered to go after government employees since there are so few protections in place at the federal level.

Even though the RBI has set certain rules to safeguard data security, phishers are able to take advantage of metadata thanks to the extensive usage of artificial intelligence and digitisation. In any case, the restrictions imposed by the RBI are not applicable to companies outside the financial sector; as a result, their scope of influence is restricted.

Only the personal data of individuals is governed by the SPDI standards, and there is no all-encompassing framework in place to protect the proprietary data of corporate organisations. Data that does not pertain to an individual's identity, such as intellectual property, sensitive information, and trade secrets, runs the risk of not being sufficiently safeguarded, which is especially concerning for start-ups and small businesses that are focused on minimising expenses. Additionally, an open-source security tool could be developed under the guidance of the Union Ministry of Electronics and Information Technology, whereby small enterprises and start-ups may incorporate and implement the technology necessary for adhering to the safety standards prescribed by the State. This would be in furtherance of the 'Make in India' and Digital India programmes.

It is essential to protect Indian citizens from becoming victims of cybercrime, as there is no comprehensive data protection regulation in place. Such a regulation must include the principle of data minimisation, strictly govern the collection, processing, and use of personal data, and place stringent limits on the retention of such data. Data that has been anonymised and that cannot be used to identify a specific individual is considered non-personal data. There must be adequate protections in place to guarantee that de-identified data cannot be re-identified and that the original data principal cannot be harmed in any way. As a result, a rule that regulates data that is not personally identifiable is necessary if the goal is to deter cybercrime and guarantee that enterprises will protect their assets.

A person who has been a victim of cybercrime has access to a number of different enforcement methods, including criminal penalties. The government has been considering a number of different measures, including a proposed bill to safeguard non-personal data, and a draft of the Personal Data Protection Bill, 2019, which was introduced in parliament in 2019. These are necessary laws that, if passed by the legislature, will have to come together to create an all-encompassing structure that incorporates the aforementioned protections.

Footnotes

1. Shreya Singhal v. Union of India, AIR 2015 SC 1523.

2. Punjab National Bank v. Poona Auto Ancillaries Pvt. Ltd., Complaint No. 4/11, available at https://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_PoonaAuto_Vs_PNB-22022013.PDF

3. NASSCOM v. Ajay Sood, 2005 SCC OnLine Del 402.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.