THIS ARTICLE WAS WRITTEN BY SHAMBHAVI SUYESHA, A STUDENT OF KIIT SCHOOL OF LAW.
The mechanization of the world and the storage of information in the form of binary data in devices such as computers have made it possible to keep track of data efficiently. With the invention of the World Wide Web by Tim Berners-Lee, it is now possible for people to interact with several people and transact various businesses all at the same time through the internet. The earliest computer was the Electronic Numerical Integrator Analyzer and Computer (ENIAC), used to do ballistic calculations for the U.S. military during World War II. With the advent of the microprocessor and subsequently of microcomputers (also called personal computers), the idea of putting a computer to the exclusive use of an individual came up, as computers became affordable and smaller. The use of computers did away with manual storage and management of information, and finding a particular piece of stored information became easier. The evolution of computer technology and increased human interaction using computers has also led to myriad offenses or illegal practices (called cybercrimes) in this arena. One such crime is identity theft.
Identity theft refers to all types of crimes wherein a person fraudulently obtains another person’s personal information and uses it primarily for economic gain. Identity theft can be understood as a subset of data theft wherein the personal information of an individual forms the data stolen and is the means to perpetrate several other crimes. It has emerged as one of the fastest growing crimes in America and several other countries. This is primarily because, in America, all personal identification information has been linked to a single Social Security Number. Through this number, an individual avails government schemes, and the entire record pertaining to the individual revolves around his Social Security Number. In such circumstances, a leakage of this number to identity thieves can have serious, irreparable repercussions unless the miscreant is tracked down. As per the India Risk Survey Report, 2014, there has been an 11% increase in ransomware and identity theft in India, followed by a 9% increase in Phishing attacks. In 2013, India was ranked amongst the top 5 countries with the most cybercrimes. Despite the high level of cybercrime, the conviction rate in India is startlingly low. With around 354 million internet users in India, the combination of a rising number of cybercrimes and low conviction rates is problematic. Therefore, the present laws on cybercrime need to be critically analyzed to understand whether the law or its implementation has lacunae which have led to this problem.
The research question is whether, and to what extent, the Indian laws pertaining to identity theft are sufficient to meet present requirements, and whether the implementation mechanism of the laws is in synchrony with the legislation. The researcher would go into the intricacies of the crime of identity theft committed through electronic resources, especially computers and the internet. The country of study would be India, and the researcher would analyze various legal provisions in the Indian Penal Code, 1860 and primarily in the Information Technology (Amendment) Act, 2008 aimed at the civil and criminal liability of an identity thief and the remedies available to the victim. The shortcomings (if any) would be exposed and certain reform measures would be suggested.
WHAT CONSTITUTES IDENTITY
In general parlance, the identity of an individual is a collection of unique and stable characteristics associated with the person which distinguishes him/her from others. Each individual, even one of two similar-looking individuals, has a unique identity. In the legal context, identity encompasses the recognition of an individual in government records through birth registration, voter ID, driving license, etc. It constitutes the name, citizenship, address, physically distinguishing features (a scar or mole), photograph, and blood group information. This helps the authorities keep track of the people residing in or visiting the territory. Identity for the purpose of identity theft crimes can range from Social Security Numbers to details of a credit card account. It includes any information which can be used by the criminal to take over the victim’s identity to commit myriad crimes. Section 66 C of the Information Technology (Amendment) Act, 2008 includes electronic signatures and passwords within the meaning of identity.
IDENTITY THEFT – MEANING AND THE WAYS IN WHICH THE CRIME CAN BE COMMITTED
Identity theft includes the use of fraud or cheating to procure someone’s identity information so as to use that information to access resources or to obtain credit and other benefits in the victim’s name.
Identity theft was possible even before the internet era, when traditional methods of physical crime were used to perpetrate it, but excessive dependence on the internet has led to the comparatively less laborious identity theft as we understand it today. Earlier, some of the methods used to illegally get hold of an individual’s personal identity information were stealing personal mail such as bill statements from the letter box, bribing or deceiving the employer or relevant authorities who possess their employees’/clients’ personal information, or purchasing stolen identity cards from dealers associated with this illicit trade. Another method was dumpster diving, where identity information is gathered from the trash dumped by individuals, consisting of documents like bank statements, cheques and bills, and storage devices or discarded credit cards. Information was also obtained directly from the victim by a fraudster pretending to be a customer service representative, a survey researcher, etc. Though these methods are still prevalent, they are quite risky and cumbersome and carry a high chance of the culprit being traced quickly.
Technology has made the whole process much easier, while making tracking much more difficult or sometimes even impossible. The internet and online transactions provide a kind of anonymity and privacy to an individual. He/she can live a life of multiple identities through e-mail ids and passwords, which do not require physical verification of the details of the actual person. Although such conduct is illegal under Section 464 of the IPC (making a false electronic document) and punishable under Section 465 of the same code, it is generally not brought to the notice of the police unless some other crime is reported as having been committed using such a false identity. Hence this practice is widely prevalent and provides broader scope for committing crime with less chance of detection.
The crime of identity theft consists of two steps which may or may not be committed by the same person, namely:
1). Wrongful collection or procurement of personal identity information of an individual.
2). Wrongful use of such information with an intention of causing legal harm to that person.
The first step of fraudulently obtaining personal identification information can be done in several ways. It can be done by the thief who fraudulently uses such data himself or buys the stolen identity from dealers in such illegal trade. Here too, coming in contact with such traders becomes easier through the internet. As the researcher is focusing on computer aided ID theft, techniques of procuring personal data from electronic devices are as follows:
1). Hacking: It is a method through which malware like computer viruses or worms is used to divert information to the hackers, who decrypt it and then either use it themselves or sell it to others to commit fraud using such information. Such attacks can come in the garb of infected links, free software downloads or signing in through a Facebook account, or can occur where there is no proper firewall protection or strong password to protect networks or computers.
2). Phishing: The fraudster may send an e-mail with a link to a fake website which resembles an authentic one, say a bank site, where personal information and account information will be asked for. The reason given for seeking such information may be keeping the customer’s information up to date for better services by the bank, or a claim that failure to give such information would result in suspension of the account.
3). Pharming: It is similar to Phishing, but here clicking on the authentic link of the bank website redirects the website’s traffic to a fake site even if the user has entered a valid internet address. Pharming is done by installing malicious code either on the personal computer or on a server. Hence, it can target various users at the same time. It happens without the consent or knowledge of the victim and is often called “Phishing without a lure”.
4). Nigeria 419 Scam: This method is target specific. The fraudster sends an e-mail posing as a rich family member of a dead African millionaire who wants to use the victim’s bank account to transfer some money, on the pretext that it is difficult to access it due to the political turmoil in his country, and offers a huge sum of money as payment for the transfer. Another scam of this kind informs the victim that he has won a huge lottery amount from amongst thousands of accounts and asks for account details to transfer the lottery amount. Such details, once given by the gullible user, are used to steal their funds.
5). Skimming: This employs various devices stealthily attached to ATM machines or any other machines where a credit or debit card is put to use. These stealth devices fit on the original machines and have a magnetic card reader with a pinhole camera to record the victim’s movements on the machine while he/she enters the PIN. Some sophisticated skimming devices generate an automatic message received by the thief each time a person swipes his card.
6). Vishing: In this, the fraudster calls the victim posing as a bank representative or a call center employee, thereby tricking the victim into disclosing crucial information about the identity.
Other methods include online frauds like advertising/advertisement click frauds and business transaction fraud involving online payment through unsecured gateways.
After the initial step of illegal collection of personal identity information is completed, various crimes aimed at economic enrichment are committed, like withdrawing money from the existing account or applying for new bank loans, credit cards or benefits from certain government schemes in the name of the stolen identity. This creation of new means of identification using an existing identity of the victim is called breeder identification. The thief might not have been able to avail these facilities if he had applied in his real name. Sometimes, graver crimes other than impersonation, forgery, cheating, immigration fraud, etc. can be committed. The stolen identity information can be used by terrorists to procure illegal weapons or bomb parts and dodge the authorities, which can subject the victim to stricter laws. In such a case, proving the victim’s innocence becomes very difficult unless the fact of stolen identity information comes to the notice of the victim before it is used in furtherance of terrorist activities and he reports it to the police. This again is not possible if such personal information is stealthily accessed through a computer, in which case no trace or sign of theft can be gauged before the information is actually used for illegal purposes.
PROVISIONS OF THE IPC THAT CAN BE USED FOR IDENTITY THEFT
Certain provisions in the IPC, like forgery and fraud, which earlier governed such crimes with respect to false documents, were amended by the Information Technology Act, 2000 to include electronic records. Hence, the ambit of such crimes was widened to include computer data related crimes as well. Hence forgery (Section 464), making false documents (Section 465), forgery for purpose of cheating (Section 468), forgery for purpose of harming reputation (Section 469), using as genuine a forged document (Section 471) and possession of a document known to be forged and intending to use it as genuine (Section 474) can be coupled with those in the IT Act. For instance, Section 468 and Section 471 can be triggered when a person forges a website in the nature of an electronic record in order to lure victims into divulging their sensitive information with the intention to cheat them.
Further, Section 419 can be used in cases where the accused has used the personal identity information of the victim and impersonates such victim to commit fraud or cheating. Section 420 can be used if “anything capable of being converted into a valuable security” within the meaning of the act is read to include unique identification information of an individual. Further, the Expert Committee on Amendments to the IT Act, 2000 had recommended certain amendments in the IPC to include Section 417 A which would provide up to three years of punishment for cheating using any unique identification feature of another person. It also made cheating by impersonation by way of a network or computer resource punishable with up to five years imprisonment and a fine, under Section 419 A. These recommendations have not been incorporated into the IPC as yet, but would have provided a more comprehensive law on identity theft.
PROVISIONS IN THE INFORMATION TECHNOLOGY ACT, 2000
The IT Act, 2000 is the main legislation in India governing cybercrimes. However, its aim was mainly to recognize e-commerce in India, and it did not define cybercrimes as such. Before its amendment in 2008, Section 43 of the Act could be used to impose civil liability by way of compensation not exceeding one Crore for unauthorized access to a computer system or network (Subsection a) and for providing assistance to facilitate such an illegal act (Subsection g). Section 66 of the Act pertained only to the cybercrime of hacking, wherein some destruction, deletion, alteration or reduction in the value of a computer resource attracted penal sanctions. If a person obtained identity information from the computer stealthily without causing any changes in it whatsoever, this provision could not be used. The term identity theft itself was used for the first time in the amended version of the IT Act in 2008. Section 66 criminalizes any fraudulent and dishonest conduct with respect to Section 43 of the same Act. Section 66 A, which is now held to be unconstitutional, covered the crime of Phishing. Section 66 B pertains to dishonestly receiving any stolen computer resource. Section 66 C specifically provides for punishment for identity theft and is the only place where it is defined. Section 66 D, on the other hand, was inserted to punish cheating by impersonation using computer resources. This provision can be seen to be similar to the Section 419 A recommendation of the expert committee mentioned earlier. Several other provisions inserted by the amendment include punishment for violation of privacy and for cyber terrorism. Women and children have also been provided protection under Sections 67 A and 67 B of the Act. Further, stronger laws have been formulated with respect to protection of “sensitive personal data” in the hands of intermediaries and service providers (body corporate), thereby ensuring data protection and privacy.
The only exceptional case in which such data can be revealed is disclosure to an agency authorized by the State or Central government for surveillance, monitoring or interception under Section 69 of the IT Act. The ambit of sensitive personal data is defined by the IT Rules, 2011 to mean password, financial information, physical, physiological and mental health condition, sexual orientation, medical record and history, and biometric information.
Hence, depending upon the method by which identity theft has been committed, the aforementioned laws can be applied.
LACUNAE IN THE INDIAN LAWS ON IDENTITY THEFT AND ITS IMPLEMENTATION
The Information Technology Act, 2000, subsequent to its amendment in 2008, has gone a long way in protecting the data and personal information of an individual from being misused. Still, there are certain aspects of the legislation and laws on identity theft that require clarity or changes. Firstly, Section 66 C of the amended Act protects “unique identification feature”, the meaning of which has not been specified anywhere in the Act. The Information Technology Rules, 2011 have defined “sensitive personal information” which needs to be protected by the intermediaries. But it would be too farfetched to read unique identification feature to mean sensitive personal information unless so interpreted by the judiciary or expressly provided by legislation.
Secondly, although the IT Act is applicable to any individual who is involved in identity theft involving any computer resource based in India, the jurisdictional issues still cannot be reconciled. When the accused is a non-Indian citizen and the country of his citizenship has dissimilar laws pertaining to identity theft and has not signed an extradition treaty with India, arrest of such an accused cannot be undertaken.
Thirdly, considering the compensation awarded to the victim, the Act is inadequate. Under Section 43 of the IT Act, the compensation awarded has an upper limit of 1 Crore, and if loss of data is caused by a body corporate, the cap is 5 Crore. A victim might suffer a larger loss than this amount, but that aspect is disregarded. Further, as per Section 47 of the Act, the Adjudicating Officer looking into cases where claims are below 5 Crore has to consider only the tangible/quantifiable loss caused to the victim while awarding compensation. As discussed earlier in the paper, the victim faces a huge amount of mental trauma and hardship in the aftermath of the crime, depending upon the subsequent crime to which the unique identification information is put to use. It takes much time and many resources to regain lost reputation or to get the credit report corrected, which should also be accounted for while awarding compensation.
Fourthly, the fine provided for identity theft under Section 66 C of the Act is up to 1 Lakh only. Identity theft is a larger umbrella under which crimes of different intensity can be perpetrated. An identity thief can cause loss of property to a single person worth some thousand rupees, or to a large population where the loss may amount to millions. In both cases, a minimal token fine not exceeding one lakh would be imposed. Further, the other Sections of the Indian Penal Code along with which Section 66 C of the IT Act may be clubbed do not mention the limit (upper or lower) of the fine or the manner in which it should be tabulated, thus leaving it to the discretion of the judge.
Lastly, laws are meant to serve a dual purpose of prevention of a crime and deterrence. Pre-emption and thereby prevention of identity theft is not possible. The deterrence effect can be created in the case of this crime, where generally a certain amount of premeditation or forethought is invested before its commission. This can be done by imposing stricter punishment and/or fines. At present, the IT Act makes identity theft a cognizable, bailable and compoundable offence. Section 77 A provides for offences committed under Section 66 C to be compoundable. Further, a three year imprisonment term is meagre and will not serve the purpose of deterrence. Making the offence bailable might give the accused an opportunity to interfere with the investigation of the crime by the cyber cell by tampering with his digital footprints and the evidence of his crime.
PROBLEMS IN IMPLEMENTATION OF THE LAWS
Although the occurrence of cybercrimes is burgeoning year after year, the conviction rate in India is dismally low. As against 3682 complaints, 1600 of the accused have been arrested and merely 7 of them have been convicted, as per 2013 data. This might be due to improper implementation of the existing rules or an insufficiency in the infrastructure required for implementing the laws. Firstly, there is a dearth of police personnel specialized in dealing with cybercrime cases. With time and technological advancement, cyber criminals use new forms of encryption technology, which are difficult to decipher owing to the limited resources of the authorities. This delays the entire process, sometimes leading to the release of the accused due to lack of proof. In the U.S., some judicial pronouncements have given the police the power to ask the cybercriminal to decrypt the digital evidence in return for some imprisonment concessions, but it has not been deployed often. Also, the number of cyber labs in India is eight till date, and these are overburdened due to the numerous cybercrime cases. Lastly, one of the reasons for the low rate of conviction or reporting may be non-registration of cybercrime complaints by the police. This issue should also be looked into. These shortcomings can be overcome by the government increasing the number of vacancies for skilled police officers and deploying more funds to update to the latest technology, which can aid in the present day requirement of confronting a cybercriminal.
CONCLUSION AND RECOMMENDATIONS FROM CROSS CULTURAL LEGAL SYSTEMS
Mechanisms and laws to punish identity thieves should be taken care of by the legislature. But it is also important that data theft is prevented altogether by implementing stricter data protection laws. The major sources from which sensitive identity information can be accessed by cyber criminals are the service providers, which are basically BPO and IT companies holding the personal data of people around the world. Although the data protection laws in India are not very strong at present, the proposed Personal Data Protection Bill is a positive step towards implementing stricter data protection laws. It is based on the European Union Data Privacy Directive of 1996 and applies to both the government and private companies.
Following are the recommendations that can be implemented in India to make the laws regarding identity theft more effective.
The present laws should be amended to impose stricter punishment for aggravated forms of identity theft. The laws can be made victim friendly, such that he/she is able to recover from the loss caused, and should provide as much restitution as possible. India can look to the laws in the U.S., which has incorporated the above ideas in the form of two legislations. Therefore, the victim must be given support, both for the immediate loss caused by identity theft and for the aftermath of such crime.
In India, various police departments have their own cyber-crime units where police officers are not well trained and find it difficult to deal with cybercrimes. Due to their lack of expertise in this area, cybercrimes either remain unreported or are prone to improper investigation. This issue has been brought to the honorable Supreme Court’s notice in several PILs. A special agency independent of the police (like the National Hi-Tech Crime Unit in the U.K.) or a different training academy must be established in India which can help the local police department to investigate cybercrime.
Cybercrime which happens at a large scale is generally transnational in nature. Various countries should co-operate using multilateral treaties in order to have basic uniformity in terms of sharing cybercrime information. One such example is the Indo-American alert, watch and warn network which deals with cases falling in Indo-American jurisdiction.
In order to prevent or minimize the threat of identity theft, biological means of identity verification (biometrics) like fingerprint, voiceprint, iris scan and hand geometry, etc. should be used wherever there is an online financial transaction or email account login. Such unique information can be collected and stored at the time of registration or signing up with the websites.
Lastly, the government needs to create awareness amongst consumers with respect to ways of protecting personal information and safe internet practices. Further, they need to be educated about their rights and the redressal mechanisms available to them in case of identity theft. To minimize the harm and detect identity theft early, individuals should keep track of their credit report.
It is submitted that a careful perusal of the identity theft practices and laws in India gives the impression that, by slight modification of the existing laws as suggested and their effective implementation, instances of identity theft can be controlled. The loss caused to the victim can be mitigated as far as possible, and by holding the intermediaries accountable for the data that they hold, data privacy can be upheld. The law and its implementation do not seem to overlap. The implementation aspect lags behind the legislation, due to which the true efficiency of the present laws is not being achieved.
 History of Computers, available at http://homepage.cs.uri.edu/faculty/wolfe/book/Readings/Reading03.html (last visited September 23, 2017).
 Vivek Tripathi, Cyber Laws India Cyberlawsindia.net, http://www.cyberlawsindia.net/index1.html (last visited September 23, 2017)
 India Risk Survey, 2014, (1 ed. 2014), http://www.ficci.com/Sedocument/20276/report-India-Risk-Survey-2014.pdf (last visited September 23, 2017).
 Rajlakshmi Wagh, Comparative Analysis of Trends of Cyber Crime Laws in USA and India, 2 International Journal of Advanced Computer Science and Information Technology pp. 42-50 (2013), http://technical.cloudjournals.com/index.php/IJACSIT/article/view/Tech-160 (last visited September 23, 2017).
 Dazeinfo, Internet Users In India: 354M, 60% Access From Mobile [REPORT] – Dazeinfo (2015), available at http://dazeinfo.com/2015/09/05/internet-users-in-india-number-mobile-iamai/ (last visited September 23, 2017).
 Siddharth Buxy, IDENTITY THEFT ON THE INTERNET: SUGGESTIONS FOR THE INFORMATION TECHNOLOGY ACT (1 ed.), http://thegiga.in/LinkClick.aspx?fileticket=KX1_Imk_gDs%3D&tabid=589 (last visited September 23, 2017).
 LARRY J. SIEGEL, E-STUDY GUIDE FOR: CRIMINOLOGY: THEORIES, PATTERNS, AND TYPOLOGIES (11 ED. 2014).
 Rohas Nagpal, Is it legal to open a Facebook account in a fake name? | Facebook Law (India) Facebooklaw.in (2013), http://www.facebooklaw.in/is-it-legal-to-open-a-facebook-account-in-a-fake-name/ (last visited September 23, 2017).
 Privacymatters.com, Computer Hacking and Identity Theft | PrivacyMatters.com, available at www.privacymatters.com/identity-theft-information/identity-theft-computer-hacking.aspx (last visited September 23, 2017).
 Neeraj Aarora, Identity Theft or Identity Fraud | A Platform to discuss & analyse Financial and Cyber Forensics, Neerajaarora.com (2009), available at www.neerajaarora.com/identity-theft-or-identity-fraud/ (last visited September 23, 2017).
 SearchSecurity, What is pharming? – Definition from WhatIs.com (2007), available at http://searchsecurity.techtarget.com/definition/pharming (last visited September 23, 2017).
 Australian Competition and Consumer Commission, Nigerian scams, https://www.scamwatch.gov.au/typesof-scams/unexpected-money/nigerian-scams (last visited September 23, 2017)
 Krebsonsecurity.com, Would You Have Spotted the Fraud? — Krebs on Security (2011), available at http://krebsonsecurity.com/2010/01/would-you-have-spotted-the-fraud/ (last visited September 24, 2017).
 Robin George, Data Theft in Cyber Space Legalserviceindia.com (2008), available at www.legalserviceindia.com/article/l267-Data-Theft-in-Cyber-Space.html (last visited September 24, 2017).
 Sanjay Pandey, Curbing Cyber Crime: A Critique of Information technology Act 2000 and IT Act Amendment 2008 (1 ed.), http://www.softcell.com/pdf/IT-Act-Paper.pdf (last visited September 24, 2017).
 MINISTRY OF LAW, JUSTICE AND COMPANY AFFAIRS (Legislative Department), THE INFORMATION TECHNOLOGY ACT, 2000 (No. 21 OF 2000) (2000).
 Amber Gupta, Data Privacy in India and data theft Slideshare.net (2013), available at www.slideshare.net/AmberGupta6/data-privacy-in-india-and-data-theft (last visited September 24, 2017).
 Prashant Mali et al., Data Theft and The IT Act, 2000 of India | Daily Host News Dailyhostnews.com (2013), available at www.dailyhostnews.com/data-theft-and-the-it-act-2000-of-india (last visited September 24, 2017).
 The purpose of Criminal Punishment, (1 ed. 2004), http://www.sagepub.com/sites/default/files/upmbinaries/5144_Banks_II_Proof_Chapter_5.pdf (last visited September 24, 2017).
 Rajlakshmi Wagh, Comparative Analysis of Trends of Cyber Crime Laws in USA and India, 2 International Journal of Advanced Computer Science and Information Technology pp. 42-50 (2013), http://technical.cloudjournals.com/index.php/IJACSIT/article/view/Tech-160 (last visited September 24, 2017).
 Neeraj Aarora, GOONDA ACT- INEFFICACY OF POLICE TO CONQUER INTERNET CRIME | A Platform to discuss & analyse Financial and Cyber Forensics, Neerajaarora.com (2014), available at www.neerajaarora.com/goonda-act-inefficacy-ofpolice-to-conquer-internet-crime/ (last visited September 24, 2017).
 Dsci.in, Cyber Labs | Data Security Council of India, available at www.dsci.in/taxonomypage/283 (last visited September 24, 2017).
 Data Protection Act in India with Compared to the European Union Countries, 11 International Journal of Electrical & Computer Sciences (2011), available at www.ijens.org/Vol_11_I_06/112206-7474-IJECSIJENS.pdf.
 The Identity Theft Penalty Enhancement Act, 2004 & The Identity Theft Enforcement and Restitution Act of 2008.
 B Singh, Regulations and Guidelines for Effective Investigation of Cyber Crimes in India | Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) Perry4law.org (2013), available at http://perry4law.org/cecsrdi/?p=302 (last visited September 24, 2017).
 F Cassim, Protecting personal information in the era of identity theft: just how safe is our personal information from identity thieves?, 18 Potchefstroom Electronic Law Journal/Potchefstroomse Elektroniese Regsblad 68 (2015).
 Cyber Law Trends and Developments of India 2013, (1 ed. 2013), http://ptlb.in/ccici/wpcontent/uploads/2013/12/Cyber-Law-Trends-And-Developments-Of-India-2013.pdf (last visited September 24, 2017)