Preventive Defense For Cyberspace Violations (2006)

Posted on by

This article was written by Praveen Dalal, CEO of Sovereign P4LO and PTLB, in 2006. It has been published again so that the historical journey can be analysed in subsequent articles. This article does not reflect the latest position and the same would be discussed by us in our subsequent articles.

The aim of this article is to explore how far a person can use the retaliation tactics of preventive defence in India, whose computer has been targeted for a wrong, nuisance, virus attacks, etc. The opinion in this context is sharply divided across the globe and some advocate for its use while others considers it to be an illegal act.

I. Introduction

The information technology is a double edge sword, which can be used for destructive as well as constructive work. Thus, the fate of many ventures depends upon the benign or vice intentions, as the case may be, of the person dealing with and using the technology. For instance, a malicious intention forwarded in the form of hacking, data theft, virus attack, etc can bring only destructive results. These methods, however, may also be used for checking the authenticity, safety and security of one’s technological device, which has been primarily relied upon and trusted for providing the security to a particular organisation. For instance, the creator of the “Sasser worm” has been hired as a “security software programmer” by a German firm, so that he can make firewalls, which will stop suspected files from entering computer systems . This exercise of hiring those persons who are responsible for causing havoc and nuisance is the recognition of the growing and inevitable need of “self protection”, which is recognised in all the countries of the world. In fact, a society without protection in the form of “self help” cannot be visualised in the present electronic era. The content providers, all over the world, have favoured proposed legislations in their respective countries, which allow them to disable copyright infringers’computers. In some countries the software developers have vehemently supported the legislations which allows them to remotely disable the computer violating the terms and conditions of the license allowing the use of the software. This position has, however, given birth to a debate about the desirability, propriety and the legality of a law providing for a disabling effect to these “malware” . The problem is further made complicate due to absence of a uniform law solving the “jurisdictional problem”. The Internet recognises no boundaries; hence the attacker or offender may belong to any part of the world, where the law of the offended country may not be effective. This has strengthened the need for a “techno-legal’ solution rather than a pure legal recourse, which is not effective in the electronic era.

II. Cyber Terrorism

The most deadly and destructive consequence of this helplessness is the emergence of the concept of “cyber terrorism”. The traditional concepts and methods of terrorism have taken new dimensions, which are more destructive and deadly in nature. In the age of information technology the terrorists have acquired an expertise to produce the most deadly combination of weapons and technology, which if not properly safeguarded in due course of time, will take its own toll. The damage so produced would be almost irreversible and most catastrophic in nature. In short, we are facing the worst form of terrorism popularly known as “Cyber Terrorism”. The expression “cyber terrorism” includes an intentional negative and harmful use of the information technology for producing destructive and harmful effects to the property, whether tangible or intangible, of others. For instance, hacking of a computer system and then deleting the useful and valuable business information of the rival competitor is a part and parcel of cyber terrorism. The definition of “cyber terrorism” cannot be made exhaustive as the nature of crime is such that it must be left to be inclusive in nature. The nature of “cyberspace ” is such that new methods and technologies are invented regularly; hence it is not advisable to put the definition in a straightjacket formula or pigeons hole. In fact, the first effort of the Courts should be to interpret the definition as liberally as possible so that the menace of cyber terrorism can be tackled stringently and with a punitive hand. The law dealing with cyber terrorism is, however, not adequate to meet the precarious intentions of these cyber terrorists and requires a rejuvenation in the light and context of the latest developments all over the world. The laws have to take care of the problems originating at the international level because the Internet, through which these terrorist activities are carried out, recognises no boundaries. Thus, a cyber terrorist can collapse the economic structure of a country from a place with which a country may not have any reciprocal arrangements, including an “extradition treaty”. The only safeguard in such a situation is to use the latest technology to counter these problems. Thus, a good combination of the latest security technology and a law dealing with cyber terrorism is the need of the hour .

III. Counterstrike Through Aggressive Defence

The concept of counterstrike through aggressive defence presupposes the adoption and use of information technology to produce legitimate and legalized disabling and reasonably destructive effects. Some adopted measures completely destroys the functioning of the offending computer while others simply disable the computer for the time being by either shutting it down or making it temporarily non-functional. Thus, the adopted measure to gain public support and legitimacy must be “proportionate” to the harm that could have caused had that measure not been adopted. For instance, the shutting down of the computer of the person using the malware is permissible whereas the destruction or procurement of data and information stored in such computer, having no connection and association with that malware, may not be commensurate with the protection requirements. Such destruction or procurement of data may be unlawful and perhaps exceed the limits of self-defence. Thus, technology adopted must not only be safe and effective, but it must also be “ legal and law-abiding”. A countermeasure, which is not very accurate, and law abiding would be a remedy worst than the malady and hence it should be avoided. For instance, if a virus has been launched by using a public server, then by disabling that server the genuine and legitimate users will be unnecessarily harassed and they would be denied the services which they are otherwise entitled to. Thus, the countermeasure measure adopted must be job specific and not disproportionate to the injury sought to be remedied.

IV. Indian Perspective

In India there is no law, which is specifically dealing with prevention of malware through aggressive defense. Thus, the analogous provisions have to be applied in a purposive manner. The protection against malware attacks can be claimed under the following categories:
(1) Protection available under the Constitution of India, and
(2) Protection available under other statutes.

(1) Protection Under The Constitution Of India: The protection available under the Constitution of any country is the strongest and the safest one since it is the supreme document and all other laws derive their power and validity from it. If a law satisfies the rigorous tests of the Constitutional validity, then its applicability and validity cannot be challenge and it becomes absolutely binding. The Constitutions of India, like other Constitutions of the world, is organic and living in nature and is capable of molding itself as per the time and requirements of the society. It is presumed that the Parliament intends the court to apply to an ongoing Act a construction that continuously updates its wordings to allow for changes since the Act was initially framed. While it remains law, it has to be treated as always speaking. This means that in its application on any day, the language of the Act though necessarily embedded in its own time, is nevertheless to be construed in accordance with the need to treat it as a current law . We cannot allow the dead hand of the past to stifle the growth of the living present. Law cannot stand still; it must change with the changing social concepts and values. If the bark that protects the tree fails to grow and expand along with the tree, it will either choke the tree or if it is a living tree it will shed that bark and grow a living bark for itself. Similarly, if the law fails to respond to the needs of changing society, then either it will stifle the growth of the society and choke its progress or if the society is vigorous enough, it will cast away the law, which stands in the way of its growth. Law must therefore constantly be on the move adapting itself to the fast-changing society and not lag behind . Thus, horizons of constitutional law are expanding and they can easily tackle the problems of cyber terrorism and the menace of malware. It must be noted that as a general rule the protection of fundamental rights is available against the might of the “ State and its Instrumentalities”. This, however, does not mean that the protection cannot be extended against “Private individuals” having no element and colour of Statehood. There are instances where the Supreme Court has extended the protection of fundamental rights against private individuals. For instance, a writ of Habeas Corpus can be issued, when a person complains of illegal custody or detention of an individual by a private person . Similarly, the Supreme Court has the power to regulate private rights in public interest by legitimately exercising its powers . In Vishaka v State of Rajasthan the Supreme Court held that the protection against sexual harassment at workplace is available even against private employers and individuals. The court held that this protection originates from Articles 14,15,19(1)(g) and 21of the Constitution of India. It is interesting to note that the decision was given even in the absence of any domestic law dealing with protection against sexual harassment. Infact, there have been some instances where no violation of any specified fundamental right was alleged and yet the Supreme Court entertained a petition under Article 32 of the Constitution of India and granted the relief . Further, private individuals would normally not be amenable to the writ jurisdiction U/A 226 of the constitution of India. But in certain circumstances, a writ may be issued to such private person, as there may be statutes, which need to be complied with by all concerned including the private individuals and companies . As far as “Constitutional Rights” are concerned, they can be enforced against private individuals without any doubt or hesitation . For instance, the protection of Articles 19(1)(g) and Article 21 can be claimed as “Fundamental Rights” whereas Articles 300A and Articles 301 to 305 are “Constitutional Rights”. The importance of this distinction is that the former can be enforced under Part III of the Constitution whereas the latter cannot. Thus, a writ petition U/A 32 is directly maintainable in the Supreme Court in case of violation of the former whereas it cannot be in the latter case. Thus, Fundamental Rights, like the nomenclature itself suggests, stand on a higher footing than the Constitutional Rights. If in a given cause of action both Fundamental Rights and the Constitutional rights are pleaded and proved to be violated, then they can be enforced under Part III of the Constitution of India. The remedy for the violation of these Fundamental and Constitutional Rights can be claimed as “public law remedy” or “Private law remedy”. Under the former category, the relief can be claimed only if the aggrieved person can show that there is a violation of his/her Fundamental Rights by the State or its instrumentalities. On the other hand, a private law remedy can be claimed by filing a civil suit for damages or other appropriate proceedings before the competent court. These two remedies are not mutually exclusive and the aggrieved person can combine both of them in an appropriate and deserving case . The following Articles of the Constitution are relevant for our present purpose:
(a) Article 19(1) (g),
(b) Article 21,
(c) Article 300A, and
(d) Articles 301 to 305.

(a) Article 19(1) (g): Article 19 of the Constitution guarantees to the “citizens” of India the six fundamental freedoms which are exercisable by them throughout and in all parts of the territory of India. Article 19(1) (g) guarantees that all citizens have the right to practice any profession or to carry on any occupation or trade or business. This freedom is, however, not absolute and is subject to Clause (6) of Article 19. Thus, reasonable restrictions can be imposed to curtail this right. Since use of information technology is an integral and inseparable part of any trade, occupation or business, the same can safely be presumed to be a part of Article 19 (1) (g). Similarly the reasonable restrictions are equally applicable to it. Thus, if by way of malware the value or utility of information technology is diminished, it will definitely affect the trade of the concerned person, hence his right under Article 19(1) (g).

(b) Article 21: Article 21 mandates that no person shall be deprived of his life and personal liberty except according to procedure established by law. It must be noted that Article 21 is available to all persons, whether natural or artificial. Further, right to life includes right to livelihood because no person can live without the means of living . The question whether deprivation of property leading to “ deprivation of life or liberty or livelihood” falls within the reach Article 21 has been left open though where it does not result in such deprivation, Article 21 has no application . It is submitted that the answer to this question should be in affirmative since if the means of livelihood are themselves taken away, then right to life is definitively violated. The Apex Court in Kapila Hingorani v State of Bihar held that the term “life”, as used in the Article 21, includes livelihood and facets thereof. Thus, it can be presumed that means of livelihood cannot be taken away except by a procedure established by law. One of the means, which is very useful and effective for the successful trade or business of a person, is the use of information technology. It is difficult to visualize that even when the State cannot take the means of livelihood, a private person can do so. The moment a malware is used, it inevitably takes away one of the income earning means of livelihood. Thus, the protection of Article 21 can be taken to prevent such deprivation.

(c) Article 300A: Article 300A of the Constitution confers a right on all persons to hold and enjoy their properties. Thus a person cannot be deprived of his property save by authority of law. Any violation of this right can be challenged in a court of law. In Bhavnagar University v Palitana Sugar Mills Pvt Ltd the Supreme Court held that an owner of a property, subject to reasonable restrictions, which may be imposed by the Legislature, is entitled to enjoy the property in any manner he likes. A right to use a property in a particular manner or in other words a restriction imposed on user thereof except in the mode or manner laid down under the statute would not be presumed. Thus, no person can be forced to keep his technological property vulnerable to malware attacks and he is entitled to take all legitimate and reasonable precaution to make it safe and secure. In Dharam Dutt v U.O.I the Supreme Court held that the protection of Article 300A is available to any person, including legal or juristic person and is not confined only to a citizen. However, the same cannot be sought to be enforced by a petition U/A 32 of the Constitution, since it is not a fundamental right but merely a Constitutional Right. This judgment of the Supreme Court has strengthened the position of big multinational companies and organisations, which primarily rely upon information technology for its effective functioning. It must be appreciated that the expression “property” is of wide amplitude and it includes tangible as well as intangible properties. It is difficult to accept the proposition that technological property is not a property falling within the scope of Article 300A of the Constitution of India. It is definitely a property within the meaning of this Article and will get the Constitutional protection.

(d) Article 301 to 305: Articles 301 to 305 of the Constitution confers on a person a right to have a free trade, commerce and intercourse throughout the territory of India. This right, however, is subject to the provisions of Articles 302 to 305 of the Constitution. Thus, so long as the individual is carrying on his business in accordance with the law, his business activities cannot be interfered with. A free trade, commerce and intercourse cannot be visualized without protecting the technological property. Thus these beneficial provisions can be effectively used to enhance technological property protection in India.

(2) Protection Under Other Statutes: The protection available under the Constitution is further strengthened by various statutory enactments. These protections can be classified as:
(A) Protection under the Indian Penal Code (I.P.C), 1860, and
(B) Protection under the Information Technology Act (ITA), 2000.

(A) Protection Under I.P.C:

The following provisions of the I.P.C, which is a general law dealing with offences in India, are of great significance in dealing with and tackling the use of malware:

(i) Section 22 of the Code gives an inclusive definition of the term “movable property”, which includes all corporal properties. The words “include” in the section indicate that information stored in the computer can be conveniently and safely regarded as movable property, since it is capable of moving from one place to another. Thus, wherever an offence specified under the Code uses the expression “movable property”, then the same will cover all the information stored in the information technology infrastructure and the components used by it to make it functional. It means that whenever the information technology is damaged in any of its form, including the diminishing of its value, the same will be an offence against the property as mentioned in the respective section.

(ii) Section 23 of the Code provides that “wrongful gain” is the gain by unlawful means of the property to which the person gaining is not legally entitled. Wrongful loss is the loss by unlawful means of the property to which the person losing it is legally entitled. A person is said to gain wrongfully when such person retains wrongfully, as well as when such person acquires wrongfully. A person is said to lose wrongfully when such person is wrongfully kept out of any property, as well as when such person is wrongfully deprived property. These principles are self-explanatory and they can conveniently be applied to unlawful and illegal gain derived or loss incurred through use of malware.

(iii) Section 29 of the Code specifies the word document as any matter expressed or described upon any substance by means of letters, figures, or marks, or by more than one of those means, intended to be used, or which may be used, as evidence of that matter. Explanation-1 provides that it is immaterial by what means or upon what substance the letters, figures or marks are formed, or whether the evidence is intended for, or may be used in, a Court of justice or not. Thus, information stored in the computers or web sites would be documents within the meaning of this section.

(iv) Section 29A of the Code read with Section 2(1)(t) of the Information Technology Act, 2000 provides that the expression electronic record means data, record, or data generated, image or sound stored, received or sent in an electronic form or microfilm or computer generated microfiche. This, section further supports the fact that information stored in the computer, etc is not only a document but also an electronic record, which if properly stored may be admissible in evidence in a Court of Law.

(v) Section 32 provides that in every part of this Code, except where a contrary intention appears from the context, words which refers to acts done extends also to illegal omissions. Thus, the use of malware for the sake of fun may not attract a stringent punishment as compared to a situation when the person using it did not remove the same despite the fact of its destructive results coming to his knowledge. In that case the punishment prescribed may be more stringent due to the illegal omission on his part.

(vi) Section 33 of the Code provides that the word “act” denotes as well a series of acts as a single act: the word “omission” denotes as well a series of omissions as a single omission. Thus, a virus launched on the Internet may continue to cause inconvenience and destruction in a series and the same will clearly attract the application of this section.

(vii) Section 40 provides that the term “offence’ denotes a thing made punishable by this Code. It must be noted that for provisions dealing with “General Exceptions, as contained in Chapter IV (including” private defence principles”) the term offence denotes a thing punishable under this code or under any special or local laws. A special law is a law applicable to a particular subject (Section 41) and a local law is a law applicable only to a particular part of India (Section 42). This section is very important and is of great practical significance. It acts as a bridge between various statutes and harmonises the provisions contained in different statutes to bring the desired results. For instance, if an act or omission is described as an offence under the provisions of Information Technology Act, 2000, the same will be deemed to be an offence within the meaning of this section.

(viii) Section 43 provides that the word “illegal” is applicable to everything which is an offence or which is prohibited by law, or which furnishes ground for a civil action; and a person is said to be legally bound to do whatever it is illegal in him to omit. Thus, a very wide meaning has been given to the term” illegal”, which definitely covers the use of a malware.

(ix) Section 44 provides that the word “injury” denotes any harm whatever illegally caused to any person, in body, mind, reputation or property. This provision is very widely drafted and it will consider the use of malware as an injury.

(x) Section 96 of the Code declares that nothing is an offence, which is done in the exercise of the right of private defence. This section recognises the principle of self-help which is considered to be just, fair and reasonable in all the countries of the world.

(xi) Section 97 of the Code provides that every person has a right, subject to the restrictions contained in Section 99, to defend:
Secondly- The property, whether moveable or immoveable, of himself or of any other person, against any act which is an offence falling under the definition of theft, robbery, mischief or criminal trespass. This section recognises the right of a “third party” to protect the property of another, besides protecting his property. Thus, a public-spirited individual has a right to self-help by helping innocent victims of malware. For instance, a netizen who is an expert in protecting computers from viruses may make a programme, which has a potential to curb the virus put on the internet and may launch the same on it. In such a situation the person launching the malware cannot complain that such third party has no reason to feel aggrieved and has no right to retaliate. Such an action on the part of that public-spirited individual is morally, equitably and legally justified and will be protected by this section. This is a benign concept and it requires the most liberal, purposive and updating interpretation.

(xii) Section 99, among other things, provides that there is no right of private defence in cases in which there is time to have recourse to the protection of the public authorities. Further, it provides that the right to private defence in no case extends to the inflicting of more harm than it is necessary to inflict for the purpose of defence, i.e. the principle of proportionality. It is suggested that this section applies to offences involving human beings as such and not the results created due to acts or omissions of the human beings. Thus, the requirement of taking recourse to public authorities arises only when the following two requirements are fulfilled:
(a) There must not be any apprehension of death or grievous hurt (because in that case the concerned person is left with no choice but the instant life saving action) by the act or omission in question, and
(b) Such act or omission must originate out of an active physical participation of human agency and it should not be limited to any act or omission unsupported by its physical presence.
Reading Section 103 along with Section 99 further strengthens this argument. Section 103 provides that the “right of private defence of property” extends, under the restrictions mentioned in Section 99, to the voluntary causing “death” or of any other harm to the wrongdoer, if the offence of robbery, house breaking by night, mischief by fire to certain properties, theft, mischief or house trespass, are committed or attempted to be committed under such circumstances as may reasonably cause apprehension that death or grievous hurt will be the consequence, if such right of private defence is not exercised. A close reading of these sections reveals that these sections are tracing the operation of private defence vis-Ã -vis human being’s active and physical involvement and not in the sense of malware. This position is made crystal clear if we read the definition of “death” under section 46, which provides that the word “death” denotes death of a human being, unless the contrary appears from the context. It would bring absurd results if we argue that the context in the present situation is talking about the “death of the computer” or the “operating system”. Similarly, it will be unreasonable, in fact unrealistic and imaginary, to argue that for protecting one’s computer from malware, every time recourse to public authorities has to be taken. In fact, the main reason for providing the provisions concerning private defense is that State cannot protect the life and property of the citizen at all times. Thus, as a measure of public policy and practical convenience, the concept of self-help has been given a moral, equitable and legal sanction. Even under the Code there is an inherent and patent conflict between Section 99 and Section 103. Section 103 is subject to section 99, whereas section 99 itself is subject to Section 99. It is talking about taking recourse of public authorities when the act “does not” reasonably cause the apprehension of death or of grievous hurt. It means that if there is an immediate threat of death or grievous hurt, then recourse to public authorities need not be taken. This is logical and satisfies the tests of common sense, because a person cannot approach the public authorities after his death, which may result due to immediate peril to the life. Similarly, no useful purpose will be served by approaching the public authorities if grievous hurt has already been afflicted. In fact if there is an apprehension of death or grievous hurt, the right to private defence can be exercised even against a public servant who is though acting in good faith under the colour of his office is not strictly justifiable by law. It must be appreciated that no malware can cause any physical injury or apprehension of the same, which may necessitate recourse to public authorities within the meaning of section 99. Thus, it can safely be concluded that recourse to self-help can be taken under section 103 of the Code without approaching public authorities since it does not involve the real and active physical presence of the human agency. This is also in conformity with the basic theme and object of the concept of self-help and the practical requirements of law and its regulation of society.
The application of Section 99 is not, however, completely excluded while exercising the right of private defense under Section 103. It must be noted that section 99 also recognises the principle of proportionality among other things. This means that the proposed harm given by the technological property holder must commensurate with the nature and gravity of the threat. Thus, the harm, if at all it is considered to be so, caused must be reasonable, proportionate and not unduly harsh. The moment it exceeds the limits, which may be deemed to be appropriate by a reasonable person, it will offend the benign objects of section 99, and may become illegal. Thus, to this extent, and in this sense only, Section 103 is subject to section 99. This interpretation satisfies the conflicting interests of private defence of information technology and the proportionate action required to be taken by the person exercising the private defence. This is not the end of this matter. Sections 99 and 103 must be interpreted in the light of Section 105 to make them meaningful. Section 105 of the Code provides that the right of private defence of property commences as soon as a reasonable apprehension of danger to property commences. There is a possibility that a particular malware may not give rise to such apprehension at all because of its programming and operational specifications. In such a case, the owner of the information technology comes to its knowledge when the damage has already been done. In such a situation no useful purpose will be served by approaching the public authorities, as they cannot undo what has already been done. To avoid such an eventuality, it is advisable to adopt precautionary technological measures, since precaution is always better than the cumbersome and expensive cure. As a concluding argument it may be pointed out that, by virtue of Section 40 of the Code, the right of private defence is allowed against offences committed under the “special laws” as well. In India the Information Technology Act, 2000 (ITA) is a special law applicable to matters pertaining to information technology. Thus, the provisions pf private defence will also take their colour from it. In case there is a conflict between the provisions of the Code and the ITA, the latter will prevail. Fortunately, there is no conflict between the provisions of the Code and ITA, hence the interpretation given to the sections, as mentioned above, together with a purposive interpretation of the provisions of the ITA would be sufficient to take care of the principles governing private defence of technological property, including the Intellectual property Rights stored in it.

(xiii) Section 268 of the Code talks about public nuisance which is an offence against the public either by doing a thing which tends to annoy the community in general, or by neglecting to do anything which he common good requires. It cannot be disputed that viruses and worms are perfect examples of public nuisance and the person launching them can be prosecuted under this section.

(xiv) Section 378 of the code provides that whoever dishonestly misappropriates or converts to his own use any moveable property, he shall be punished with the specified punishment. As per the section it is not necessary that the finder should know who is the owner of the property or that any particular person is the owner of it. It is sufficient is, at the time of appropriating it; he dos not believe to be his own property. It must be noted that wrongfully gaining data from the computer of another through hacking or violating the copyright of a software developer by illegally downloading it could be safely treated as criminal misappropriation of property within the meaning of this section. Similarly, the data derived or software may be sold or used for commercial purposes. In such a situation, the offender converts that property for his own use and is liable to be prosecuted under this section.

(xv) Section 425 provides that whoever, with intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or to any person, causes the destruction of any property, or any such change in any property or in the situation thereof as destroys or diminishes its value or utility or affects injuriously, commits mischief.
Explanation 1 to the section provides that it is not essential to the offence of mischief that the offender should intend to cause loss or damage to the owner of the property injured or destroyed. It is sufficient if he intends to cause, or knows that he is likely to cause, wrongful loss or damage to any person by injuring any property, whether it belongs to that person or not. This section is directly applicable to any mischief caused by malware. The applicability of the section is very wide and it is capable of taking care of all sorts of mischief through malware.

(B) Protection Under I.T.Act, 2000: The menace created by the malware can be effectively curbed only if we supplement the provisions of the I.P.C with the stringent provisions of the Information Technology Act, 2000. It must be appreciated that there is nothing, which prevent the Courts from combining provisions of various statutes to do the complete justice; so long the provisions can operate in the presence of each other. If, however, the provisions contained in the different enactments are in conflict with each other and are irreconcilable, then the statute later in point of time will prevail due to its overriding provisions. Further, there is presumption against a repeal by implication; and the reason of this rule is based on the theory that the Legislature while enacting a law has a complete knowledge of the existing laws on the same subject matter, and therefore, when it does not provide a repealing provision, the intention is clear not to repeal the existing legislation . When the new Act contains a repealing section mentioning the Acts, which it expressly repeals, the presumption against implied repeal of other laws is further strengthened on the principle that the express intention of one person or thing is the exclusion of another. Thus, with the enactment I.T.A, the Indian Penal Code, 1860 is neither expressly nor impliedly repealed and the provisions of I.T.A can be supplemented with the provisions of I.P.C to do complete justice.
The protection of I.T.A can be claimed for:
(a) Preventing privacy violations,
(b) Preventing information and data theft,
(c) Preventing distributed denial of services attack (DDOS), and
(d) Preventing network damage and destruction.

(a) Prevention Of Privacy Violations: The law of privacy is the recognition of the individual’s right to be let alone and to have his personal space inviolate. The right to privacy as an independent and distinctive concept originated in the field of Tort law, under which a new cause of action for damages resulting from unlawful invasion of privacy was recognised. In recent times, however, this right has acquired a constitutional status , the violation of which attracts both civil as well as criminal consequences under the respective laws. The intensity and complexity of life have rendered necessary some retreat from the world. Man under the refining influence of culture, has become sensitive to publicity, so that solitude and privacy have become essential to the individual. Modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury . Right to privacy is a part of the right to life and personal liberty enshrined under Article 21 of the Constitution of India. With the advent of information technology the traditional concept of right to privacy has taken new dimensions, which require a different legal outlook. To meet this challenge recourse of Information Technology Act, 2000 can be taken. The various provisions of the Act aptly protect the online privacy rights of the netizens. Certain acts have been categorised as offences and contraventions, which have tendency to intrude with the privacy rights of the netizens. These rights are available against the offenders using the malware. Section 1 (2) read with Section 75 of the Act provides for an extra-territorial application of the provisions of the Act. Thus, if a person (including a foreign national) contravenes the privacy of an individual by means of computer, computer system or computer network located in India, he would be liable under the provisions of the Act .

(b) Prevention Of Information And Data Theft: The information technology can be misused for appropriating the valuable Government secrets and data of private individuals and the Government and its agencies. A computer network owned by the Government may contain valuable information concerning defence and other top secrets, which the Government will not wish to share otherwise. In R.K. Dalmia v Delhi Administration the Supreme Court held that the word “property” is used in the I.P.C in a much wider sense than the expression “movable property”. There is no good reason to restrict the meaning of the word “property” to moveable property only, when it is used without any qualification. Whether the offence defined in a particular section of IPC can be committed in respect of any particular kind of property, will depend not on the interpretation of the word “property” but on the fact whether that particular kind of property can be subject to the acts covered by that section. Thus, if any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network –
(a) accesses or secures access to such computer, computer system or computer network.
(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
(c) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected . The expression “Damage” means to destroy, alter, delete, add, modify or re-arrange any computer resource by any means . These provisions make it clear that secret information appropriation and data theft by use of malware will be dealt with punitive sting and monetary impositions .
(c) Prevention of distributed denial of services attack: A malware may also use the method of distributed denial of services (DDOS) to overburden the electronic bases of individuals. This is made possible by first infecting several unprotected computers by way of virus attacks and then taking control of them. These infected computers are then made to send information or demand in such a large number that the server of the victim collapses. Further, due to this unnecessary Internet traffic the legitimate traffic is prohibited from reaching the Government or its agencies computers. The law in this regard is crystal clear. If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network –
(a) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
(b) disrupts or causes disruption of any computer, computer system or computer network;
(c) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;
he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected . The expression “Computer Contaminant” means any set of computer instructions that are designed –
(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or
(b) by any means to usurp the normal operation of the computer, computer system, or computer network . Thus, distribute denial of services by use of malware will be tackled by invoking the provisions of sections 43,65 and 66 collectively.

(d) Prevention Of Network Damage And Destruction: The law in this regard provides that if any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network –
(a) accesses or secures access to such computer, computer system or computer network
(b) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
(c) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
(d) disrupts or causes disruption of any computer, computer system or computer network;
(e) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;
he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected . The expression “Computer Virus” means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource . The person tampering with such computer source documents shall be punishable with imprisonment up to 3 years or with fine, which may extend up to Rs.2 lakhs, or with both . Further, if a person causes wrongful loss or damage to any person, by destroying, deleting or altering any information residing in his (owner’s) compute resource or diminishes its value or utility or affects it injuriously by any means, he commits hacking and thus, violates the rights of the owner. The person hacking shall be punishable with imprisonment up to 3 years or with fine, which may extend up to Rs.2 lakhs, or with both. However, an innocent infringer will not be liable if he proves that he committed the act without any intention or knowledge . A network service provider will be liable for various violations and contraventions mentioned under the Act if he makes available any third party information or data to a person for the commission of an offence or contravention. However, a network service provider will not be liable if he proves that the offence or contravention was committed without his knowledge or he had exercised all due diligence to prevent such commission . Thus, these provisions can be safely invoked to punish the offender for network damage and disruptions caused by the use of malware.

V. Jurisdictional Problem

Jurisdiction is an aspect of state sovereignty and it refers to judicial, legislative and administrative competence. Although jurisdiction is an aspect of sovereignty, it is not coextensive with it. The laws of a nation may have extra-territorial impact extending the jurisdiction beyond the sovereign and territorial limits of that nation. This is particularly so where the medium of Internet is used which recognizes no sovereignty and territorial limitations. The Indian jurisprudence regarding jurisdiction over Internet is in its earlier stages, which is developing and maturing in a systematic manner. The existence of Internet has eliminated the safeguards, which were traditionally available for the protection of various rights, including the copyright. This has given rise to the jurisdictional problems for all the countries of the world. The countries all over the world, realizing this problem, resorted to the only available method of dealing with this problem by harmonizing their domestic laws as per various international treaties and conventions. This, however, has not completely eliminated the jurisdictional problems though moderate success has been achieved by exercising the “long arm jurisdiction” by the municipal courts of foreign countries. This necessity of long-arm jurisdiction is particularly felt in cases of violations of various intellectual property rights, including the copyright. It must be noted that, generally, the scholars point towards the following “theories” under which a country may claim prescriptive jurisdiction:
(a) a country may claim jurisdiction based on “objective territoriality” when an activity takes place within the country,
(b) a “subjective territoriality” may attach when an activity takes place outside a nation’s borders but the “primary effect” of the action is within the nation’s borders,
(c) a country may assert jurisdiction based on the nationality of either the actor or the victim,
(d) in exceptional circumstances, providing the right to protect the nation’s sovereignty when faced with threats recognised as particularly serious in the international community.
In addition to establishing a connecting nexus, traditional international doctrine also calls for a “reasonable” connection between the offender and the forum. Depending on the factual context, courts look to such factors, as whether the activity of individual has a “substantial and foreseeable effect” on the territory, whether a “genuine link” exists between the actor and the forum, the character of the activity and the importance of the regulation giving rise to the controversy, the extent to which exceptions are harmed by the regulation, and the importance of the regulation in the international community. The traditional jurisdictional paradigms may provide a framework to guide analysis of cases arising in cyberspace .

VI. Judicial Response

One the problem of jurisdiction is solved; the court has to consider the reasonability and desirability of the action of the person who has defended his technological property. The first duty of a court, while doing so, is to do complete justice. In today’s world we cannot afford to say that “justice must not only be done but it must also be seemed to be done”. The concept of justice requires that:
(1) It must firstly be done in a just, fair and reasonable manner,
(2) It must be seemed to be done, and
(3) It must be “felt” to be done.
Thus, unless this third element of “felt to be done” is satisfied, the concept of justice is not complete because this third element is the most important component of justice delivery system. The public at large in India has a great faith in Indian judiciary and this third element is absolutely essential to maintain and preserve that faith and confidence. A court of law cannot render justice unless the ultimate decision is based on the contemporary law as prevailing in the society. A decision based on an old law, which does not satisfy the requirements of the present situation, and environment should be avoided. In such a situation the efforts of the courts should be to give the law a “purposive, updating and an ongoing interpretation”. This position makes the interface of justice delivery system with the information technology inevitable and unavoidable . The response of the Supreme Court of India is satisfactory and justice oriented, as far as the awareness and use of information technology is concerned. The Supreme Court has held that if the notice were transmitted by Fax, it would be a due compliance with the legal requirement . Similarly, the Supreme Court has held that an accused need not be physically present in the Court to answer the questions put to him by the court, whilst recording his statement through means of modern technologies, under section 313 of the Criminal Procedure Code, 1973 . The Supreme Court also used and encouraged the use of “video conferencing” for doing complete justice . The Supreme Court further declared that in holding trial of child sex abuse or rape a screen or some arrangements may be made where the victim or witness do not see the body or face of the accused. The Court further declared that recording of evidence by way of video conferencing is permissible . The Supreme Court has held that a domain name is capable of distinguishing the subject of trade or service made available to potential users of the Internet. It is apparent from this judgment that a domain name may have all the characteristics of a trademark and could found an action for passing off . These judgments of the Supreme Court recognise the need to meet the challenges posed by the complex problems in a purposive and technology friendly manner through the mode of information technology.

VII. Conclusion

The problems associated with the use of malware are not peculiar to any particular country as the menace is global in nature. The countries all over the world are facing this problem and are trying their level best to eliminate this problem. The problem, however, cannot be effectively curbed unless popular public support and a vigilant judiciary back it. The legislature cannot enact a law against the general public opinion of the nation at large. Thus, first a public support has to be obtained not only at the national level but at the international level as well. The people all over the world are not against the enactment of statutes curbing the use of malware, but they are conscious about their legitimate rights. Thus, the law to be enacted by the legislature must take care of public interest on a priority basis. This can be achieved if a suitable technology is supported by an apt legislation, which can exclusively take care of the menace created by the computers sending the malware. Thus, the self-help measures recognised by the legislature should not be disproportionate and excessive than the threat received by the malware. Further, while using such self-help measures the property and rights of the general public should not be affected. It would also not be unreasonable to demand that such self-help measures should not themselves commit any illegal act r omission. Thus, a self-help measure should not be such as may destroy or steal the data or secret information stored in the computer of the person sending the malware. It must be noted that two wrongs cannot make a thing right. Thus, a demarcating line between self-help and taking law in one’s own hand must be drawn. In the ultimate analysis we must not forget that self-help measures are “watchdogs and not blood-hounds”, and their purpose should be restricted to legitimate and proportionate defensive actions only. In India, fortunately, we have a sound legal base for dealing with malware and the public at large has no problem in supporting the self-help measures to combat cyber terrorism and malware. If still there remains any doubt or objection, then it will be sufficient to mention that only a computer can react fast enough to take care of the menace of malware and the traditional methods of law enforcement are helpless in this regard. The problems of lack of harmonisation, doubt regarding jurisdiction, lack of a uniform extradition law between various countries of the world, etc can be solved only by using a legitimate, proportionate and reasonable mechanism of self-help, which is not only instant but also free from technicalities and formalities.