This article was written by Praveen Dalal, CEO of Sovereign P4LO and PTLB, in 2006. It has been published again so that the historical journey can be analysed in subsequent articles. This article does not reflect the latest position and the same would be discussed by us in our subsequent articles.

The aim of this article is to analyse the applicability of the concept of “private defence” in cyberspace, particularly against cyber terrorism. The traditional concept of private defence is available under the provisions of Indian Penal Code, 1860 (IPC). The same is equally applicable to the Information Technology Act, 2000, (ITA) as well, though with its peculiar modifications. The future of “Cyber forensics” depends upon this recognition very much as cyber forensic is not only “curative” but also “preventive” in nature.

I. Introduction

The information technology is a double edge sword, which can be used for destructive as well as constructive work. Thus, the fate of many ventures depends upon the benign or vice intentions, as the case may be, of the person dealing with and using the technology. For instance, a malicious intention forwarded in the form of hacking, data theft, virus attack, etc can bring only destructive results. These methods, however, may also be used for checking the authenticity, safety and security of one’s technological device, which has been primarily relied upon and trusted for providing the security to a particular organisation. For instance, the creator of the “Sasser worm” has been hired as a “security software programmer” by a German firm, so that he can make firewalls, which will stop suspected files from entering computer systems . This exercise of hiring those persons who are responsible for causing havoc and nuisance is the recognition of the growing and inevitable need of “self protection”, which is recognised in all the countries of the world. In fact, a society without protection in the form of “self help” cannot be visualised in the present electronic era. The content providers, all over the world, have favoured proposed legislations in their respective countries, which allow them to disable copyright infringers’computers. In some countries the software developers have vehemently supported the legislations which allows them to remotely disable the computer violating the terms and conditions of the license allowing the use of the software. This position has, however, given birth to a debate about the desirability, propriety and the legality of a law providing for a disabling effect to these “malware” . The problem is further made complicate due to absence of a uniform law solving the “jurisdictional problem”. The Internet recognises no boundaries; hence the attacker or offender may belong to any part of the world, where the law of the offended country may not be effective. This has strengthened the need for a “techno-legal’ solution rather than a pure legal recourse in the present electronic era.

II. The Need Of Private Defence

The most deadly and destructive consequence of this helplessness is the emergence of the concept of “cyber terrorism”. The traditional concepts and methods of terrorism have taken new dimensions, which are more destructive and deadly in nature. In the age of information technology the terrorists have acquired an expertise to produce the most deadly combination of weapons and technology, which if not properly safeguarded in due course of time, will take its own toll. The damage so produced would be almost irreversible and most catastrophic in nature. In short, we are facing the worst form of terrorism popularly known as “Cyber Terrorism”. The expression “cyber terrorism” includes an intentional negative and harmful use of the information technology for producing destructive and harmful effects to the property, whether tangible or intangible, of others. For instance, hacking of a computer system and then deleting the useful and valuable business information of the rival competitor is a part and parcel of cyber terrorism. The definition of “cyber terrorism” cannot be made exhaustive as the nature of crime is such that it must be left to be inclusive in nature. The nature of “cyberspace ” is such that new methods and technologies are invented regularly; hence it is not advisable to put the definition in a straightjacket formula or pigeons hole. In fact, the first effort of the Courts should be to interpret the definition as liberally as possible so that the menace of cyber terrorism can be tackled stringently and with a punitive hand. The law dealing with cyber terrorism is, however, not adequate to meet the precarious intentions of these cyber terrorists and requires a rejuvenation in the light and context of the latest developments all over the world. The laws have to take care of the problems originating at the international level because the Internet, through which these terrorist activities are carried out, recognises no boundaries. Thus, a cyber terrorist can collapse the economic structure of a country from a place with which a country may not have any reciprocal arrangements, including an “extradition treaty”. The only safeguard in such a situation is to use the latest technology to counter these problems. Thus, a good combination of the latest security technology and a law dealing with cyber terrorism is the need of the hour.

III. The Concept Of Private Defence

In India there is no law, which is specifically dealing with prevention of malware through private defense. Thus, the existing analogous provisions have to be applied in a purposive manner. The following provisions of the I.P.C, which is a general law dealing with offences in India, are of great significance in dealing with and tackling the use of malware by the use of private defence:

(i) Section 96 of the Code declares that nothing is an offence, which is done in the exercise of the right of private defence. This section recognises the principle of self-help which is considered to be just, fair and reasonable in all the countries of the world.

(ii) Section 97 of the Code provides that every person has a right, subject to the restrictions contained in Section 99, to defend:
Secondly- The property, whether moveable or immoveable, of himself or of any other person, against any act which is an offence falling under the definition of theft, robbery, mischief or criminal trespass. This section recognises the right of a “third party” to protect the property of another, besides protecting his property. Thus, a public-spirited individual has a right to self-help by helping innocent victims of malware. For instance, a netizen who is an expert in protecting computers from viruses may make a programme, which has a potential to curb the virus put on the internet and may launch the same on it. In such a situation the person launching the malware cannot complain that such third party has no reason to feel aggrieved and has no right to retaliate. Such an action on the part of that public-spirited individual is morally, equitably and legally justified and will be protected by this section. This is a benign concept and it requires the most liberal, purposive and updating interpretation.

(iii) Section 99, among other things, provides that there is no right of private defence in cases in which there is time to have recourse to the protection of the public authorities. Further, it provides that the right to private defence in no case extends to the inflicting of more harm than it is necessary to inflict for the purpose of defence, i.e. the principle of proportionality. It is suggested that this section applies to offences involving human beings as such and not the results created due to acts or omissions of the human beings. Thus, the requirement of taking recourse to public authorities arises only when the following two requirements are fulfilled:

(a) There must not be any apprehension of death or grievous hurt (because in that case the concerned person is left with no choice but the instant life saving action) by the act or omission in question, and
(b) Such act or omission must originate out of an active physical participation of human agency and it should not be limited to any act or omission unsupported by its physical presence.

Reading Section 103 along with Section 99 further strengthens this argument. Section 103 provides that the “right of private defence of property” extends, under the restrictions mentioned in Section 99, to the voluntary causing “death” or of any other harm to the wrongdoer, if the offence of robbery, house breaking by night, mischief by fire to certain properties, theft, mischief or house trespass, are committed or attempted to be committed under such circumstances as may reasonably cause apprehension that death or grievous hurt will be the consequence, if such right of private defence is not exercised. A close reading of these sections reveals that these sections are tracing the operation of private defence vis-Ã -vis human being’s active and physical involvement and not in the sense of malware. This position is made crystal clear if we read the definition of “death” under section 46, which provides that the word “death” denotes death of a human being, unless the contrary appears from the context. It would bring absurd results if we argue that the context in the present situation is talking about the “death of the computer” or the “operating system”. Similarly, it will be unreasonable, in fact unrealistic and imaginary, to argue that for protecting one’s computer from malware, every time recourse to public authorities has to be taken. In fact, the main reason for providing the provisions concerning private defense is that State cannot protect the life and property of the citizen at all times.

Thus, as a measure of public policy and practical convenience, the concept of self-help has been given a moral, equitable and legal sanction. Even under the Code there is an inherent and patent conflict between Section 99 and Section 103. Section 103 is subject to section 99, whereas section 99 itself is subject to Section 99. It is talking about taking recourse of public authorities when the act “does not” reasonably cause the apprehension of death or of grievous hurt. It means that if there is an immediate threat of death or grievous hurt, then recourse to public authorities need not be taken. This is logical and satisfies the tests of common sense, because a person cannot approach the public authorities after his death, which may result due to immediate peril to the life. Similarly, no useful purpose will be served by approaching the public authorities if grievous hurt has already been afflicted. In fact if there is an apprehension of death or grievous hurt, the right to private defence can be exercised even against a public servant who is though acting in good faith under the colour of his office is not strictly justifiable by law. It must be appreciated that no malware can cause any physical injury or apprehension of the same, which may necessitate recourse to public authorities within the meaning of section 99. Thus, it can safely be concluded that recourse to self-help can be taken under section 103 of the Code without approaching public authorities since it does not involve the real and active physical presence of the human agency. This is also in conformity with the basic theme and object of the concept of self-help and the practical requirements of law and its regulation of society.

The application of Section 99 is not, however, completely excluded while exercising the right of private defense under Section 103. It must be noted that section 99 also recognises the principle of proportionality among other things. This means that the proposed harm given by the technological property holder must commensurate with the nature and gravity of the threat. Thus, the harm, if at all it is considered to be so, caused must be reasonable, proportionate and not unduly harsh. The moment it exceeds the limits, which may be deemed to be appropriate by a reasonable person, it will offend the benign objects of section 99, and may become illegal. Thus, to this extent, and in this sense only, Section 103 is subject to section 99. This interpretation satisfies the conflicting interests of private defence of information technology and the proportionate action required to be taken by the person exercising the private defence. This is not the end of this matter. Sections 99 and 103 must be interpreted in the light of Section 105 to make them meaningful. Section 105 of the Code provides that the right of private defence of property commences as soon as a reasonable apprehension of danger to property commences. There is a possibility that a particular malware may not give rise to such apprehension at all because of its programming and operational specifications. In such a case, the owner of the information technology comes to its knowledge when the damage has already been done. In such a situation no useful purpose will be served by approaching the public authorities, as they cannot undo what has already been done. To avoid such an eventuality, it is advisable to adopt precautionary technological measures, since precaution is always better than the cumbersome and expensive cure. As a concluding argument it may be pointed out that, by virtue of Section 40 of the Code, the right of private defence is allowed against offences committed under the “special laws” as well. In India the Information Technology Act, 2000 (ITA) is a special law applicable to matters pertaining to information technology. Thus, the provisions pf private defence will also take their colour from it. In case there is a conflict between the provisions of the Code and the ITA, the latter will prevail. Fortunately, there is no conflict between the provisions of the Code and ITA, hence the interpretation given to the sections, as mentioned above, together with a purposive interpretation of the provisions of the ITA would be sufficient to take care of the principles governing private defence of technological property, including the Intellectual property Rights stored in it.

IV. Conclusion

The problems associated with the use of malware are not peculiar to any particular country as the menace is global in nature. The countries all over the world are facing this problem and are trying their level best to eliminate this problem. The problem, however, cannot be effectively curbed unless popular public support and a vigilant judiciary back it. The legislature cannot enact a law against the general public opinion of the nation at large. Thus, first a public support has to be obtained not only at the national level but at the international level as well. The people all over the world are not against the enactment of statutes curbing the use of malware, but they are conscious about their legitimate rights. Thus, the law to be enacted by the legislature must take care of public interest on a priority basis. This can be achieved if a suitable technology is supported by an apt legislation, which can exclusively take care of the menace created by the computers sending the malware. Thus, the self-help measures recognised by the legislature should not be disproportionate and excessive than the threat received by the malware. Further, while using such self-help measures the property and rights of the general public should not be affected. It would also not be unreasonable to demand that such self-help measures should not themselves commit any illegal act or omission. Thus, a self-help measure should not be such as may destroy or steal the data or secret information stored in the computer of the person sending the malware. It must be noted that two wrongs cannot make a thing right. Thus, a demarcating line between self-help and taking law in one’s own hand must be drawn. In the ultimate analysis we must not forget that self-help measures are “watchdogs and not blood-hounds”, and their purpose should be restricted to legitimate and proportionate defensive actions only. In India, fortunately, we have a sound legal base for dealing with malware and the public at large has no problem in supporting the self-help measures to combat cyber terrorism and malware. If still there remains any doubt or objection, then it will be sufficient to mention that only a computer can react fast enough to take care of the menace of malware and the traditional methods of law enforcement are helpless in this regard. The problems of lack of harmonisation, doubt regarding jurisdiction, lack of a uniform extradition law between various countries of the world, etc can be solved only by using a legitimate, proportionate and reasonable mechanism of self-help, which is not only instant but also free from technicalities and formalities .

List Of Reference

1. The Times of India (Delhi Times); “Net gain for e-crime”, D/ 20-09-04, P-5.
2. The use of worms, viruses, etc is collectively referred to as malware.
3. Praveen Dalal, “Preventing violations by aggressive defense” (Under publication).
4. The expression “includes,” means that an inclusive, and not exhaustive, option is given by the legislature to meet the future challenges. If the expression “means” is used, then it signifies that the subject matter is exhaustive in nature.
5. The concept of cyber space signifies that the act or omission occurred due to the use of information technology (internet), which generally is intangible in nature, but may have adverse tangible consequences.
6. Praveen Dalal; “Cyber terrorism and its solutions: An Indian perspective”, www.naavi.org, dated: 25-10-04.
7. Praveen Dalal, “Preventing violations by aggressive defense” (Under publication).