Archive for the ‘Information Technology Act’ Category

Phishing Scams in India and Legal Provisions

March 21, 2011

The media runs stories on an almost daily basis covering the latest bank to have its customers targeted and how many victims succumbed to the attack. It may be you too. Suppose one day you open your email and find a weird-looking mail, something phishy: a message in your inbox from the bank with which you have an internet-enabled account, asking you to update your account with your personal information, login details etc. on the pretext of an upgrade of the bank’s server. You would also see a link; clicking it takes you to a look-alike website of your bank which looks quite authentic and convincing. However, you may be smart enough to know that this is a trap set by a con artist to get your vital personal information, make fraudulent financial transactions and swindle your money. But there are many others who are not as smart as you, who fall into the trap, pass on their vital login details and lose their valuable money.

Phishing is the internet age crime, born out of the technological advances of the internet age. “Phishing” is a newer form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords, usernames, login IDs, ATM PINs and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The phishing attack then directs the recipient to a web page (a mirror web page) designed to look exactly like the impersonated organization’s (often a bank or financial institution) own website, where the attackers cleverly harvest the user’s personal information, often leaving the victim unaware of the attack.
Phishing has become so rampant that even the Oxford English Dictionary added “Phishing” to its latest publication, making it a definitive word of the English language. It defines “Phishing” as:

“phishing • noun the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, online.”

As per the American Banker’s Association “Phishing attacks use ‘spoofed’ e-mails and fraudulent Web sites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, Social Security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5 percent of recipients to respond to them.”

The Anti-Phishing Working Group (APWG) which is an industry association focused on eliminating identity theft and fraud from the growing problem of phishing and email spoofing defines Phishing as a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials.

According to the Annual Report of the Indian Computer Emergency Response Team (CERT-In), Deptt. of Information Technology, Ministry of Communications & Information Technology, (Govt. of India) in the year 2009, the CERT-In handled about 374 phishing incidents.

Major factors for increase in Phishing Attacks:
There are three major factors behind the recent spurt in phishing attacks worldwide particularly in India:

Unawareness among public: Worldwide, and particularly in India, there has been a lack of awareness of phishing attacks among the common masses. Users are unaware that their personal information is actively being targeted by criminals, and they do not take proper precautions when they conduct online activities.

Unawareness of policy – The fraudsters often count on victim’s unawareness of Bank/financial institution policies and procedures for contacting customers, particularly for issues relating to account maintenance and fraud investigation. Customers unaware of the policies of an online transaction are likely to be more susceptible to the social engineering aspect of a phishing scam, regardless of technical sophistication.

Technical sophistication – Fraudsters are now using advanced technology that has been successfully used for activities such as spam, distributed denial of service (DDoS), and electronic surveillance. Even as customers are becoming aware of phishing, criminals are developing techniques to counter this awareness. These techniques include URL obfuscation to make phishing emails and web sites appear more legitimate, and exploitation of vulnerabilities in web browsers that allow the download and execution of malicious code from a hostile web site.

Techniques of Phishing attacks

Man-in-the-middle attacks: In this class of attack, the attacker sits between the customer and the real web-based application, and proxies all communications between the systems. This form of attack is successful for both HTTP and HTTPS communications. The customer connects to the attacker’s server as if it were the real site, while the attacker’s server makes a simultaneous connection to the real site. The attacker’s server then proxies all communications between the customer and the real web-based application server, typically in real time.

URL Obfuscation Attacks: Using URL obfuscation techniques, which involve minor changes to the URL, the fraudster tricks the user into following a hyperlink (URL) to the attacker’s server, without the user realizing that he has been duped. URL Obfuscation uses the unspoken, unwritten secrets of the TCP/IP protocol to trick users into viewing a website that they did not intend to visit.

XSS (Cross-site Scripting): Cross-site scripting attacks (XSS) make use of a custom URL or code injection into a valid web-based application URL or embedded data field. In general, these XSS techniques are the result of the failure of a site to validate user input before returning it to the client’s web browser.
Phishing scenario in XSS:
• Victim logs into a web site
• Attacker has spread “mines” using an XSS vulnerability
• Victim falls upon an XSS mine
• Victim gets a message saying that their session has terminated, and that they have to authenticate again
• Victim’s username and password are sent to the attacker

Some cases of phishing in India:
Phishing is a relatively new concept in India, unheard of a couple of years back, but recently there has been a rise in the number of phishing cases in India where the innocent public fall prey to the sinister designs of fraudsters. In India, the most common form of phishing is an email pretending to be from a bank, in which the fraudster asks you to confirm your personal information or login details for some made-up reason, such as the bank upgrading its server. Needless to say, the email contains a link to a fake website that looks exactly like the genuine site. Gullible customers, thinking that the email is from the bank, enter the information asked for and send it into the hands of identity thieves.
There were phishing attempts on ICICI Bank, UTI Bank, HDFC Bank, SBI etc. in which the modus operandi was similar. It was reported that a large number of customers of these banks had received emails which were falsely represented as having originated from their bank. The recipients of the mails were told to update their bank account information on some pretext. These emails included a hyperlink within the email itself, and a click on that link took recipients to a web page which was identical to their bank’s web page. Some of the unsuspecting recipients responded to these mails and gave their login information and passwords. Later on, through internet banking and by using the information so collected, a large number of illegal/fraudulent transactions took place.

Apart from the general banking phishing scams, some of the recent phishing attacks that took place in India are as follows:

• RBI Phishing Scam: In a daring phishing attack, the fraudsters have not even spared the Reserve Bank of India. The phishing email, disguised as originating from the RBI, promised its recipient prize money of Rs.10 Lakhs within 48 hours, and gave a link leading the user to a website that resembles the official website of the RBI, with a similar logo and web address. The user is then asked to reveal personal information such as password, I-pin number and savings account number. The RBI posted a warning regarding the fraudulent phishing e-mail on the bank’s official website.
• IT Department Phishing Scam: The email, purporting to come from the Income Tax Department, lures the user by claiming that he is eligible for an income tax refund based on his last annual calculation, and seeks his PAN card number or credit card details.
• ICC World Cup 2011: One of the biggest sporting events is also under phishing attack. The fraudsters have specifically targeted internet users of the host countries, i.e. India, Bangladesh and Sri Lanka, where the matches of the World Cup are going on. India, which has been allotted 29 matches of the World Cup, is obviously the prime target of the phishing attacks. The modus operandi is similar to the banking phishing attack. Through a similar-looking fake website of the organizers of the event, the fraudsters have tried to lure victims with special offers and packages for the grand finale of the event. Users were asked for credit card details to book tickets and packages, along with their personal information, which once submitted would be used to compromise the victim’s online banking account, leading to financial losses for the victim.
• Google under Phishing Attack: Recently, users of Google’s email service, “Gmail”, purportedly received a legal notice from the Gmail team which wanted users to update their account name, password, occupation, birth date and country of residence, with a warning that users who did not update their details within 7 days of receiving the warning would lose their account permanently. However, the spokesperson of Google denied that any such legal notice came from them and stated it to be a phishing attack designed to collect personal information, called ‘spoofing’ or ‘password phishing’.

Modus Operandi of phishing attack used to target bank customers in India:-
1. The hackers created fake look-alike websites of the target bank or organization and sent emails to the customers of the bank/organization, luring them to provide their login details on the pretext of a server upgrade. It was revealed that for this purpose the fraudsters hosted the web page containing URL links of the target bank/organization with the help of their associates from foreign countries like Nigeria, Russia etc.
2. Before a transfer of funds through internet banking is executed, the bank sends an SMS to the transferor in order to confirm the transaction. The fraudsters, once they got hold of the customer’s personal information, changed the contact numbers of customers to their own, so that the transfer of funds from the victim’s account to beneficiary accounts went unnoticed.
3. In these cases, when the customers fell into the trap and passed on their internet banking password and user name, the fraud was perpetrated in three forms:-
a) Account-to-account transfer from the victim’s account to a beneficiary account.
b) Recharging mobile phones.
c) Making purchases online as permitted by the net banking facility.
4. The beneficiary accounts to which the funds were transferred were fake accounts, opened using fake ID documents such as fake passports, fake election I-cards, fake PAN cards etc.
5. The phishing scam revealed the involvement of Nigerians, but the beneficiary accounts were opened in the names of Indians, as accounts with Nigerian names would arouse suspicion. Some of the beneficiary account holders were carriers for the hackers, while some of the beneficiary accounts were opened by luring persons with some consideration in lieu of their services in opening the account in their names and getting the ill-gotten money transferred into their accounts.
6. The suspected IP addresses from which the fraudulent internet transactions took place were from various foreign countries, which indicates the use of proxy IPs by the hackers to mislead the investigation agencies.
7. It has been revealed that the amount was withdrawn by the hacker immediately after the account was compromised.

Phishing-A Cyber Crime, the provisions of Information Technology Act, 2000
Phishing is an online fraud in which fraudsters disguise themselves and use false and fraudulent websites of banks and other financial institutions, and URL links, to deceive people into disclosing valuable personal data, which is later used to swindle money from the victim’s account. Thus, essentially it is a cyber crime, and it attracts many penal provisions of the Information Technology Act, 2000, as amended in 2008, which added some new provisions to deal with phishing activity. The following Sections of the Information Technology Act, 2000 are applicable to phishing activity:

Section 66: The account of the victim is compromised by the phisher which is not possible unless & until the fraudster fraudulently effects some changes by way of deletion or alteration of information/data electronically in the account of the victim residing in the bank server. Thus, this act is squarely covered and punishable u/s 66 IT Act.

Section 66A: The disguised email containing the fake link of the bank or organization is used to deceive or to mislead the recipient about the origin of such email and thus, it clearly attracts the provisions of Section 66A IT Act, 2000.

Section 66C: In the phishing email, the fraudster disguises himself as the real banker and uses the unique identifying feature of the bank or organization say Logo, trademark etc. and thus, clearly attracts the provision of Section 66C IT Act, 2000.

Section 66D: The fraudsters, through the use of the phishing email containing the link to the fake website of the bank or organization, personate the bank or financial institution to cheat innocent persons; thus the offence under Section 66D too is attracted.

The Information Technology Act, 2000 makes penal provisions under Chapter XI of the Act and further, Section 81 of the IT Act, 2000 contains a non obstante clause, i.e. “the provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force”. The said non obstante clause gives an overriding effect to the provisions of the IT Act over other Acts, including the Indian Penal Code. The aforesaid penal provisions of the IT Act, 2000 which are attracted by a phishing scam have, however, been made bailable by virtue of Section 77B IT Act. This was done intentionally: there is always a conflict as to the correct identity of the person behind the alleged phishing scam, there is always a smokescreen as to whether the person named has or has not actually committed the offence via these online computer resources, and the penal provisions for cyber offences contained in the IT Act could be misused.

What Should Internet Users Do About Phishing Schemes?
With online transactions on rise, certain precautionary measures are to be taken by all those who make their transactions online, like credit card holders, internet bank users, to shield themselves from such frauds. Some of the precautionary measures are as follows:-
1) The US Department of Justice recommends that users follow a golden rule known as Stop, Look & Call (SLC). The SLC rule emphasizes that:-
a. You must STOP because phishing emails are always desperate in their language and eager to retrieve information from you. They generally come with a warning that you must give the personal information or else your account will be deactivated. Be automatically suspicious of any email with urgent/desperate requests for personal financial information.
b. You must LOOK because the link provided in the phishing email is a fake URL, and by using your sixth sense you would see that the email address itself is bogus. For example, an email which purportedly comes from UTI Bank might be UTI.Bank @ which obviously is not the original email address of UTI Bank.
c. You must CALL because, if you find the email suspicious, even if you don’t fall into the trap it should be your endeavor as a good citizen to inform the target bank and the law enforcement agencies so that timely action can be taken to save other customers from being trapped by the fraudster.
2) Check your credit card and bank account statements regularly and look for unauthorized transactions, even small ones. Report discrepancies immediately.
3) Ensure that your system has current security software such as anti-spam, anti-phishing, anti-virus and anti-spyware applications.
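
The LOOK step can be partly automated when a suspicious mail is reported or triaged. The following Python is an added example, not code from the original article; the domain `examplebank.test`, the sample message and the 0.85 similarity cut-off are assumptions made for illustration. It flags a sender domain or link host that imitates the bank’s domain, and links whose visible text names one site while the link opens another.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: the domain the real bank uses, and a similarity cut-off.
TRUSTED = {"examplebank.test"}
NEAR_MISS = 0.85

# Constructed sample message, modelled on the "server upgrade" mails above.
SAMPLE = """\
From: "Example Bank" <alerts@examp1ebank.test>
Subject: Server upgrade - confirm your login details
Content-Type: text/html; charset="utf-8"

<p>Dear customer, we are upgrading our server.</p>
<p><a href="http://examplebank.test.account-update.example/login">
https://www.examplebank.test/login</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED)


def host_of(text):
    """Hostname of a URL or bare 'www.bank.tld/path' string, else ''."""
    if not text or any(c.isspace() for c in text):
        return ""
    try:
        url = urlsplit(text if "://" in text else "//" + text)
        return (url.hostname or "").lower()
    except ValueError:
        return ""


def lookalike_reason(host):
    """Say why an untrusted host resembles a trusted one, else None."""
    if not host or is_trusted(host):
        return None
    for domain in TRUSTED:
        brand = domain.split(".")[0]
        tail = ".".join(host.split(".")[-(domain.count(".") + 1):])
        if brand in host:
            return f"brand '{brand}' used inside untrusted host {host}"
        if SequenceMatcher(None, tail, domain).ratio() >= NEAR_MISS:
            return f"{tail} is a near-miss spelling of {domain}"
    return None


def analyse(raw_email):
    """Return findings for one message that claims to come from the bank."""
    msg = message_from_string(raw_email)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not is_trusted(sender):
        findings.append(lookalike_reason(sender)
                        or f"sender domain {sender or '(none)'} is not the bank's")
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            collector.feed(body.decode(charset, "replace"))
    for href, text in collector.links:
        target, shown = host_of(href), host_of(text)
        reason = lookalike_reason(target)
        if reason:
            findings.append(reason)
        # The visible text names one site while the link opens another.
        if "." in shown and shown != target:
            findings.append(f"link text shows {shown} but opens {target}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print("-", finding)
```

An empty result only means none of these three checks fired; it does not show that a message is genuine.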

What do you do if you think you are a victim?
• If you have provided account numbers, PIN, password or login details to the phisher, immediately notify the bank with which you have the account so that your accounts can’t be compromised.
• Even if you don’t fall into the trap, it is your duty as a good citizen to prevent others from falling into it. You should report the phishing to the bank or agency that was being impersonated, as well as to the police.

Phishing is a major concern in the contemporary e-commerce environment in India and will continue to be so because of the lack of awareness among Internet users who are new to the internet realm. There is no silver bullet to thwart the phishing attack. However, it has been noticed in most phishing scams worldwide, and particularly in India, that the hacker succeeds in the phishing attempt because of uninformed, gullible customers who, without knowing that they are being trapped, unwittingly pass on the information asked for by the fraudster. Therefore, awareness and customer education are the key to fighting the menace of “Phishing”, apart from mitigating or preventative measures. The law enforcement agencies, the legislature and the industry should come together and coordinate in their fight against the menace of phishing.

Neeraj Aarora


FIR in Cyber Squatting: Misinterpretation of IT Act

November 26, 2010

Recently, an FIR was lodged by the Economic Offences Wing of the Delhi Police on the complaint of the President Secretariat alleging the existence of the domain name having no connection with the Hon’ble President. The preliminary enquiry revealed that a person from Kerala had got it registered and that the website was hosted from Germany. The website has since been removed. There was no content on the website except some links to other websites. The FIR u/s 66/66A IT Act and Section 469 Indian Penal Code was registered by the EOW with the opinion of the Public Prosecutor.

How difficult it is for common folk to get an FIR registered, even in a genuine case as heinous as rape, where the police simply turn down the complaint and do not register the FIR except when they are forced to do so by an order of the Court. However, the police acted very promptly on a complaint of the President Secretariat, where the preliminary enquiry made by the police itself reveals that no offence is made out. Imputing Sections of the Information Technology Act and Indian Penal Code here is a gross abuse of law and a waste of time by the investigating agencies, which should devote their productive time to curbing crime and to meaningful investigation of genuine complaints registered as FIRs. The Sections of the IT Act and IPC imputed in the aforesaid FIR have no connection with the allegations mentioned in the FIR. Section 66 IT Act is applicable when a person dishonestly or fraudulently does any act referred to in Section 43, which contains ten acts, mainly comprising downloading or copying from a computer without permission, introducing a virus or contaminant, hacking etc. Clearly, the registration of the domain in the name of the President does not fall under any of the ten acts specified under Section 43 IT Act. Further, Section 66A is applicable to the sending of offending messages through a communication device etc., which is clearly not applicable to the allegations made in the complaint. Lastly, Section 469 IPC is applicable when a forged electronic record is used or intended to be used to harm the reputation of another. The alleged website with the domain name containing the name of the President is without any content. Now the question arises: how can it harm the reputation of the President, except by misleading the general public?

The aforesaid allegation in the complaint simply discloses the abusive registration of a domain name using the name of the President, which is a case of cyber squatting. The term “cyber squatting” is not defined under Indian laws. However, cyber squatting (also known as domain squatting), according to the United States federal law known as the Anticybersquatting Consumer Protection Act, is registering, trafficking in, or using a domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else. The cyber squatter then offers to sell the domain at an inflated price to the person or company who owns a trademark contained within the name.

The aforesaid case of cyber squatting or domain name squatting is not the first of its kind in India. There have been instances where domain names in the names of famous personalities have been registered. One such domain name, containing the name of Senior Counsel and BJP Leader Mr. Arun Jaitley, was registered by a cyber squatter. Mr Jaitley filed a suit in the Hon’ble Delhi High Court, stating that his name was being used by some other person who had made a website using his name. Justice S Murlidhar granted an injunction to use the website and directed Network Solutions & Portfolio Brains Ltd not to sell or transfer the domain in his name until the proceedings of the court were completed.

The recourse available to a prominent person in whose name there is abusive registration of a domain name, as alleged in the complaint filed by the President Secretariat, is:-

a) Filing a case under the Uniform Domain Name Dispute Resolution Policy (UDRP) created by ICANN

b) Pursuing litigation in a Court of Law, or

c) Buying the domain name

Thus, the allegations contained in the complaint made by the President Secretariat do not attract any provisions of the Information Technology Act or the Indian Penal Code, and the registration of the FIR is a gross abuse of the process of law and a waste of time by the investigating agency.

Neeraj Aarora


Fake profile of President posted by imposter

September 9, 2010

The imposters have not spared even the first citizen of India and have made a fake profile in the name of the Hon’ble President, Her Excellency Pratibha Devisingh Patil. Fake profiles on social networking websites are doing the rounds on Facebook and Orkut; one can find many fake profiles in the names of celebrities, even 10-15 fake profiles in the name of a single celebrity. Recently, a complaint was received from the Additional Comptroller, President Household, President Secretariat regarding four fake profiles created in the name of the Hon’ble President on the famous social networking site Facebook. The said complaint reportedly stated that the President’s house has nothing to do with Facebook and that the said fake profile is misleading the general public. The First Information Report under Sections 469 IPC and 66A Information Technology Act, 2000 was registered based on the said complaint at the police station, Economic Offences Wing, the elite wing of the Delhi Police which specializes in investigating economic crimes including cyber offences. The investigation is still going on in the said FIR and the culprits are yet to be arrested. A similar incident was witnessed in cyber space when a fake profile of the President of Guyana, Mr. Bharrat Jagdeo, appeared on Facebook. The Annual Threat Report of Aladdin states that the potential damage of these fake profiles can be devastating, both on the personal level, by creating difficulties in employment, ruining social and professional connections and damaging reputations, and on a financial level, such as stealing customers, corporate data etc. It has been found that social networking sites are being exploited by spammers who use fake profiles to spread spam or viruses.
Further, fake profiles also pose a threat to data security, as is revealed by the study conducted by one Thomas Ryan from a security company, who created a fake profile and befriended persons from the US military and intelligence agencies, some of whom shared personal and professional information which could have compromised corporate and possibly even national security. The Information Technology Act and the Indian Penal Code do have some provisions to deal with the menace posed by fake profiles on social networking sites. In particular, Sections 66, 66A, 66C, 66D, 67, 67A & 67B of the Information Technology Act and Sections 469 and 499/500 IPC are attracted. The victim of a fake profile can lodge an FIR with the local police under the appropriate provisions of the IT Act and IPC. They should also save screenshots of such fake profiles for evidentiary purposes.

Neeraj Aarora


Legislation to protect Individual Privacy

June 23, 2010

The Right to privacy is recognition of the individual’s right to be let alone and to have his personal space inviolate. India does not have a constitutional right to privacy, although the courts have found an implicit right to privacy in the constitution. No one has a right to peep into one’s privacy, and the law of privacy is a recognition of the individual’s right to be let alone and to have his personal space inviolate. Right to Privacy is a ‘right to be let alone’ and a citizen has a right ‘to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters’. Right to privacy is not enumerated as a fundamental right in our Constitution but has been inferred from Article 21. The Right to Privacy has been developed by the Supreme Court over a period of time and, with the expansive interpretation of the phrase ‘personal liberty’, this right has been read into Article 21.

Amid growing concern over possible misuse of data under government control, the government has set up a panel comprising senior babus to prepare a blueprint laying down the ground rules for privacy and data protection and fixing the criminal liability of offenders. The government has moved forward to enact new legislation on privacy against the backdrop of Aadhaar, the project to provide unique identity cards to residents of the country, and the National Intelligence Grid (Natgrid), which will give access to 21 categories of database such as rail and air travel, income tax, phone calls, bank account details, credit card transactions, visa and immigration records, and driving licenses of all citizens. The NIG database will be accessed by a total of 11 agencies, including the recently set-up National Investigation Agency (NIA). Civil rights activists raised a huge outcry over the possible misuse of individual privacy and insisted on legislative measures to stop the possible misuse and punish violators of privacy, including the government.

The present Information Technology Act, 2000 does contain some provisions which deal with database security and privacy, for instance Sections 43, 43A, 66E and 72A. However, these provisions deal with the security of electronic records, e-commerce transactions and web content alone, and do not address “individual privacy”. As organizations, government and non-government, acquire more personal information stored in electronic form, privacy and confidentiality have become urgent issues. This author feels that the privacy of an individual should be given due respect and should be protected by uniform, national legislation. Privacy legislation needs to be constructed carefully and prudently to protect the privacy of individuals, while facilitating the ongoing national mission to ensure the security of the state that can benefit us all.

Neeraj Aarora


The Legislative response to Grossly Offensive or menacing emails and SMS

May 21, 2010

Electronic communication has changed the way the world communicates, and also its communication habits. Communication via SMS or electronic mail manifests the freedom of speech and expression guaranteed by our constitution to every citizen [Article 19 (1) (a)]. However, the freedom is not absolute; it is a qualified right, as the constitution also sets significant limitations on that freedom: the state may by law effect such reasonable restrictions as it deems necessary or expedient in the interest of the security of the state, the sovereignty and integrity of India, friendly relations with foreign states, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence.

Due to the misuse of the modern communication device and increased incidents of sending hate messages, threatening SMS, threatening Email to politicians, VIPs in politically charged environment, the legislature introduced Section 66A Information Technology (Amendment) Act, 2008 notified w.e.f. 27th October, 2009 which reads as follows:-

66A. Punishment for sending offensive messages through communication service, etc.-  Any person who sends, by means of a computer resource or a communication device,—

(a) any information that is grossly offensive or has menacing character; or

(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device,

(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages, shall be punishable with imprisonment for a term which may extend to three years and with fine.

‘Explanation.— For the purpose of this section, terms “electronic mail” and “electronic mail message” means a message or information created or transmitted or received on a computer, computer system, computer resource or communication device including attachments in text, images, audio, video and any other electronic record, which may be transmitted with the message.”

Thus, the legislative intent was to make punishable the act of sending SMS or emails, or posting any message via a communication device or computer resource, which is grossly offensive or of menacing character, or any information which the sender knows to be false but posts for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity etc., or disguised, anonymous or fake emails sent to cause annoyance.

“Grossly offensive or menacing character”: However, when information or a message shall be termed grossly offensive or as having menacing character has not been defined or explained in Section 66A IT Act, which leaves room for controversy. Interestingly, Section 66A IT Act is deeply influenced by, and probably originated from, Section 127 of the Communications Act 2003, a UK legislation.

The wording of Section 127 of the Communications Act 2003 is as follows:-

“127 Improper use of public electronic communications network

(1) A person is guilty of an offence if he—

(a) sends by means of a public electronic communications network a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or

(b) causes any such message or matter to be so sent.

(2) A person is guilty of an offence if, for the purpose of causing annoyance, inconvenience or needless anxiety to another, he—

(a) sends by means of a public electronic communications network, a message that he knows to be false,

(b) causes such a message to be sent; or

(c) persistently makes use of a public electronic communications network.

(3) A person guilty of an offence under this section shall be liable, on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale, or to both.

(4) Subsections (1) and (2) do not apply to anything done in the course of providing a programme service (within the meaning of the Broadcasting Act 1990 (c. 42)).”

Thus, section 127 of the Communications Act 2003 covers the sending of grossly offensive or menacing messages via a public electronic communications network. Section 127(1)(a) relates to a message etc. that is grossly offensive or of an indecent, obscene or menacing character and should be used for indecent phone calls and emails. Section 127(2) targets false messages and persistent misuse intended to cause annoyance, inconvenience or needless anxiety. The judgment in DPP v. Collins ([2005] EWHC 1308 (Admin)), a UK High Court decision, sheds some light on what is “Menacing Character”; the court observed that “A menacing message, fairly plainly, is a message which conveys a threat – in other words, which seeks to create a fear in or through the recipient that something unpleasant is going to happen. Here the intended or likely effect on the recipient must ordinarily be a central factor in deciding whether the charge is made out. Obscenity and indecency, too, are generally in the eye of the beholder; but the law has historically treated them as a matter of objective fact to be determined by contemporary standards of decency.”

Further, the House of Lords has clarified what makes a message sent by means of a public electronic communications network “grossly offensive” and therefore capable of amounting to a crime under the Communications Act 2003 (“Act”) in Director of Public Prosecutions (Appellant) v. Collins (Respondent) on appeal from [2005] EWHC 1308 (Admin). Their Lordships held that “to determine as a question of fact whether a message is grossly offensive, that in making this determination the Justices must apply the standards of an open and just multi-racial society, and that the words must be judged taking account of their context and all relevant circumstances. Usages and sensitivities may change over time. Language otherwise insulting may be used in an unpejorative, even affectionate, way, or may be adopted as a badge of honour (“Old Contemptibles”). There can be no yardstick of gross offensiveness otherwise than by the application of reasonably enlightened, but not perfectionist, contemporary standards to the particular message sent in its particular context. The test is whether a message is couched in terms liable to cause gross offence to those to whom it relates.”

The instances/cases of offending emails, SMS

Cases abroad:

  • A blogger who “let off steam” about the way he was treated by police was convicted of posting a grossly offensive and menacing message. Gavin Brent, 24, from Holywell, Flintshire, was fined £150 with £364 costs by magistrates at Mold. The court heard Brent had been charged with theft offences – which have yet to be dealt with – and posted a message about a police officer’s new-born baby.  Magistrates said any reasonable person would find the comments menacing.
  • A man was found guilty for tweeting an airport bomb threat. His tweet read, “Robin Hood airport is closed. You’ve got a week and a bit to get your shit together, otherwise I’m blowing the airport sky high!!” The tweeter, Paul Chambers, was actually just kidding. However, the police arrested him and he was charged with sending by a public communications network a message that was grossly offensive or of an indecent, obscene or menacing character contrary to Section 127 of the Communications Act 2003. A district judge at Doncaster Magistrates Court ruled that the Tweet was “of a menacing nature in the context of the times in which we live”. Chambers has been ordered to pay a £385 fine, a £15 victims surcharge and £600 costs.
  • A man from South Yorkshire who sent offensive, threatening and abusive emails directed at children’s social workers in East Sussex was convicted. The accused sent a number of very disturbing, obscene and threatening emails to the Children’s Services department. On the complaint of the Children’s Services department, the police investigated, and the man behind the messages was traced and charged with offences under section 127 of the Communications Act.


The threatening emails and SMS were hitherto covered under Section 506 Indian Penal Code. However, with the insertion of Section 66A IT Act, in force w.e.f. 27th October, 2009, these offending emails, SMS are covered under IT Act.

  • Threatening Email to Naveen Patnaik, Chief Minister of Orissa: News reports show that various threatening emails were sent to the Chief Minister of Orissa, Mr. Naveen Patnaik. A person was arrested, and the investigation revealed that though the e-mail was sent in the name of one Prakash Behera alias Babuli Behera, the police nabbed his cousin Pratap Behera (35) of Astarang in Puri, who confessed to the crime during interrogation. The investigation revealed that Prakash Behera has no knowledge of the Internet. It further revealed that Pratap’s family had a land dispute with Prakash’s family and that, to settle a score, Pratap created an e-mail ID in the name of Prakash and sent the mail to the Chief Minister. The case was registered u/s 66A IT Act, r/w 506 IPC.
  • Man arrested for making hoax call: A 25-year-old man was arrested on 9th May, 2010 for making an anonymous call warning that Delhi Chief Minister Sheila Dikshit’s life was in danger. Veer Singh, a resident of Farsh Vihar in east Delhi, allegedly made the call on Thursday to implicate a man who was harassing him to repay his dues. He had stolen a mobile phone from Narela in outer Delhi to make the call to the police control room and then called up the other man. Veer Singh thought the police would track down the other person and arrest him in connection with the death threat to the Delhi chief minister.
  • Threatening SMS sent to Shashi Tharoor, Ex-Union Minister for State, and other Parliamentarians: The accused person “A” had animosity towards another person “B” in a love triangle, and A, in order to frame B, impersonated B and sent threatening SMSs to parliamentarians. Various FIRs were registered u/s 66A IT Act, r/w 506, 507, 509 IPC in various police stations in Delhi, Haryana and Himachal Pradesh.

The aforesaid incidents reveal that the offending SMS and emails were generally sent by the accused persons via an electronic medium, be it a mobile phone or a computer network, to implicate others. Thus, the alleged act of sending an SMS via mobile phone, or an offending or threatening email, involving criminal intimidation including danger and obstruction is squarely covered under Section 66A of the Information Technology Act, 2000 and there is no application of Section 506 IPC to the alleged act. It would be pertinent to mention here that the bail of the accused person who sent the threatening email to CM Naveen Patnaik was denied because of the applicability of Section 506 IPC, which in the State of Orissa is non-bailable. However, the invoking of Section 506/507 IPC for the alleged act is not correct by virtue of Section 81 of the Information Technology Act, 2000, which gives an overriding effect to the provisions of the IT Act over other Acts including the Indian Penal Code. It clearly states that “the provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force.” Thus, this section, if read with Section 66A, makes the legislative mandate loud and clear: in matters pertaining to threat or criminal intimidation via a computer resource or communication device, the IT Act 2000 has an overriding effect over other law, including the Indian Penal Code. Section 81 IT Act is reproduced below:-

“81. Act to have overriding effect.

The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force.

Provided that nothing contained in this Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957 or the Patents Act, 1970.”

Even otherwise, the Hon’ble Apex Court in the case titled Suresh Nanda Vs. C.B.I. in Criminal Appeal No. 179 of 2008 in SLP (Crl.) No. 3408 of 2007 held that the Special Act prevails over General Acts. The author has successfully represented the accused persons in the Shashi Tharoor SMS case and secured their bail by successfully arguing that the specific provisions of the I.T. Act, 2000, which are bailable in nature, have overriding effect by virtue of the non obstante clause in Section 81 IT Act, and that the other offences of the IPC had been added by the prosecution merely for the purpose of making the offence non-bailable and were not applicable. The author argued at length and stated vehemently before the Sessions Court that the investigation done by the Delhi Police clearly revealed that the alleged act of threatening, criminal intimidation and endangerment was done with the sole intention of harassing the other person involved in the love triangle, and that there was clearly no intention to execute the threat or commit extortion, which is one of the essential ingredients to bring home the offences mentioned under Section 506 IPC. Even otherwise, the offence u/s 506 IPC in Delhi is bailable. Further, no overt act has been alleged to have been done by the accused persons which shows any intention to execute the threat or extortion.

Neeraj Aarora


Prying eyes on privacy through peeping toms

April 28, 2010

In an age of modern and revolutionized electronic communication equipment, the privacy of an individual is under siege. Video surveillance equipment has become smaller, more portable, more easily concealed and more accessible to the general public; its clandestine application has contributed to today’s cultural fascination with voyeurism. This advanced video surveillance equipment has had a profound adverse impact upon our concept of privacy as we know it. India is not untouched by the adverse impact of these peeping toms, and the newspapers have been flooded with various unsavory stories (even from small towns) of surreptitiously concealed video cameras prying into bedrooms, bathrooms, malls, changing rooms, washrooms and swimming pools in a prurient attempt to film unsuspecting victims in various states of undress. There has been an unprecedented increase in incidents involving the surreptitious video taping of the private parts of unwilling females even in places like the ladies’ washrooms of call centres or BPOs, where one can reasonably expect his or her privacy. The BPOs are prone to these voyeuristic acts as females constitute the major work force in this sector and most of them work in night shifts.

A male employee of a call center at Pitampura, Rohini, Delhi was detained by the police on the suspicion that he placed a spy camera pen in the female washroom of the call centre with the intent to photograph the female workers in various states of undress. Although the offending act of this male employee may appear ridiculous or laughable at first instance, it is in fact a very invasive and intimidating crime, particularly in our society where females are respected or worshipped. Many innocent victims, mostly women or even minor girls, whose privacy has been surreptitiously invaded using the high-tech peeping gadgets installed in washrooms have unwittingly become the object of video voyeurism websites. It is a general human tendency, particularly among females, to take great precautions to ensure that certain bodily actions or specific body parts remain guarded from public view, whether in a public place or a private place.

The Law to deal with Voyeuristic Conduct:

Many other countries now have a variety of statutes in place to deal with voyeuristic conduct and protect these inviolable rights, and India is not lagging behind in checking this new form of felony brought about by the advancement in technology. The legislature introduced Section 66E vide the Information Technology Amendment Act, 2008, which came into force on 27 October, 2009. The Section recognizes the right of privacy as inviolable and makes the felony punishable with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both. The section recognizes the natural human desire for privacy. That desire deserves respect, particularly given our society’s cultural ethos and values, and it deserves legal protection too.

With flagrant disregard, the video voyeur blatantly defies this legitimate desire for privacy by utilizing technology to observe, record, and often to disseminate images of the very acts and body parts that were never intended or reasonably assumed to be open to public inspection. In effect, the video voyeur disrobes the victim without knowledge or consent and in so doing, strips the victim of both privacy and dignity. The Section 66E IT Act, 2000 recognizes the right to protect the human body from unreasonable and obscene intrusion by surreptitious video technology and adequately protects the individual privacy from the crime of video voyeurism which destroys personal privacy and dignity by secretly videotaping or photographing unsuspecting individuals.

Section 66E Information Technology Act, 2000:

“Punishment for violation of privacy- Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.

Explanation.— For the purposes of this section—

(a) “transmit” means to electronically send a visual image with the intent that it be viewed by a person or persons;

(b) “capture”, with respect to an image, means to videotape, photograph, film or record by any means;

(c) “private area” means the naked or undergarment clad genitals, pubic area, buttocks or female breast;

(d) “publishes” means reproduction in the printed or electronic form and making it available for public;

(e) “under circumstances violating privacy” means circumstances in which a person can have a reasonable expectation that—

(i) he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or

(ii) any part of his or her private area would not be visible to the public regardless of whether that person is in a public or private place.”

Transmit, capture or publish the image: The section says that whoever with willful intention (read mens rea) captures, publishes or transmits the image of the private area of any person without his/her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment or fine as prescribed. The wording of the section suggests that even the act of capturing images of the private parts of an individual without his or her consent, whether by a digital or non-digital camera, would be covered under this section. It is not necessary that publication of the images should take place only through an electronic medium, as is the case in Section 67 IT Act, 2000. Publication covers both the electronic and the print medium. However, the electronic transmission of objectionable images is also covered under this section.

Meaning of “under circumstances violating privacy”: The most significant expression used in the section is “under circumstances violating privacy”, which means circumstances under which a person can have a reasonable expectation that he or she can change in privacy without being concerned that his or her private images may be surreptitiously captured, or that any part of his or her private area would not be visible, whether he or she is in a public place or a private place. Thus, the section rejects formalistic distinctions regarding space and prohibits patently unreasonable invasions of privacy wherever they occur. Clause (e) of Section 66E, explaining the expression “under circumstances violating privacy”, recognizes that a person can have a reasonable expectation of privacy even in public places, say an office. Though a person has more privacy in the cool comfort of her home, it does not mean that anyone can strip her of her privacy in a public place, say by hiding a camera in the office and surreptitiously taking her objectionable photo without her consent.

Invasion of privacy may be in Public or Private space: The wording recognizes that criminal law must break free from fallacious distinctions between public and private space and must specifically recognize an individual’s legitimate expectation of privacy even in the public space. After all, Video Voyeurism is not limited to window peeping. Modern electronics have transformed the deviant, usually solitary, act of peeping into a booming and perverse online industry, built specifically upon the exploitation of non-consensual pornography.

The blatant invasion of privacy is not limited to private places alone; thanks to advanced technology, it can happen anywhere, even in public places like the ladies’ washroom in a BPO. The legislature was well aware of the fact that a failure on its part to include public places where one can have a legitimate expectation of privacy would tacitly grant the video voyeur a license to act with impunity, and leave victims with little or no recourse.

Thus, the wording clearly suggests that the surface of the body is itself, a private space. The ability to determine when, to what degree, to whom, and under what circumstances the body is exposed, is among the most fundamental aspects of the right to privacy and deeply tied to the concept of human dignity. Therefore, in response to the crime of video voyeurism, the legislature rejected the fallacious notions of any difference between private place where persons can have reasonable expectation of privacy and public place where he cannot. Instead, the legislature recognized a limited, but fundamentally reasonable, expectation of privacy that is sensitive to an individual’s desire to control exposure to both intimate acts and intimate body parts regardless of setting.

In other words, the Section 66E protects individual privacy in both enclosed and public settings. It does not rely on the vague test of the reasonable expectations of the victim, and instead focuses directly on the unreasonable and offensive nature of the conduct committed by the video voyeur. “Private area” means the naked or undergarment clad genitals, pubic area, buttocks or female breast.

Section of IT Act dealing with Video Voyeurism based on US Federal Law: The section is deeply influenced by and based on Section 1801 of the “Video Voyeurism Prevention Act of 2004”, a Federal Law of the USA dealing with the felonious act of video voyeurism. The section was introduced in the Information Technology Act, 2000 by the IT Amendment Act, 2008 in view of the dramatic advances in the field of video technology that aid the covert taking of photos without the subject even having a hint about it. The insertion of the said section is a specific attempt to prohibit voyeuristic conduct and, by corollary, to protect individual privacy.

Legal Provisions do not have deterrent effect:

The police have arrested the culprit under Section 509 Indian Penal Code and have not invoked the provisions of the Information Technology Act, 2000; maybe they are not aware of the applicability of the provisions of the IT Act to the offending act. Nevertheless, the offending act attracts the provisions of Section 509 IPC, as the intention of the accused was to insult the modesty of a woman, which has been done by intruding upon the privacy of such woman. As stated above, even the capturing of an image of a private area is sufficient to constitute an offence under Section 66E; transmission or publication is not necessary to complete the offence. Further, the pen drive has been seized by the police, and if the images stored in the pen drive have been further transmitted by the accused, then it would also attract the offence under Section 67 IT Act, which provides punishment for publishing or transmitting material containing a sexually explicit act in electronic form.

However, the offences under Section 509 IPC and Sections 66E & 67 IT Act, though cognizable, are bailable, and in view of the increased incidents of gross intrusion into the privacy of women at the workplace by use of peeping cameras, it is imperative on the legislature to make the offence non-bailable and also enhance the punishment. The offence is not as simple as it seems to be. It is a very serious offence with deep adverse ramifications. Take the example of this case: what if the accused person transmits or posts the obscene images on the internet? It would definitely cause irreparable damage to the reputation of the victim girl or her family and would spoil her life. So, the legislature should categorize the offence as a non-bailable offence in view of its seriousness.

Neeraj Aarora


Mobile without valid IMEI Number are a threat to National Security

December 25, 2009

Mobile phones have grown to be indispensable to our life. They have done wonders to keep us connected 24×7. India is being recognized as the fastest growing mobile phone market in the world. However, the same mobile phones may also sometimes pose a threat to national security. It is estimated that there are around 30 million Chinese handsets[i] in the country which lack an International Mobile Equipment Identity (IMEI) number, which poses a serious threat to national security as such phones have allegedly been used by terrorists. The telecom ministry also estimates that around 30 million or eight percent of India’s mobile phone subscribers use the cheap handsets without IMEI number that are generally imported from China and Taiwan.

Chinese handsets without a valid IMEI number were hitherto (before the ban) very easily available in the Indian grey market. Such handsets, mostly imitations of popular costly mobile brands like the Nokia N 97, sold like hotcakes, as customers from lower income groups could purchase them at cheaper rates with the same features as the costly original version. However, without a valid IMEI number, as stated above, the customers were using such sets at the cost of national security.

So what is an IMEI Number[ii]?

IMEI is known as International Mobile Equipment Identity. The IMEI is a 15 digit number which includes information on the origin, model, and serial number of the device. It helps in uniquely identifying a handset and its location on the network and most importantly allows security agencies to track down a specific user. It can be displayed on most phones by dialing *#06#. It is also usually printed on the compliance plate under the battery. The numerical format of IMEI currently utilized is:-


It should be noted that no two mobile handsets in the world should have the same IMEI number. With the IMEI number, the GSM operators can locate, track or immobilize a handset. Whenever a user makes a call from his handset, the IMEI number on genuine handsets gets reflected at the operator’s network, thus enabling identification of the caller or lawful interception of all calls, and it also allows the investigating agencies to trace the various mobile numbers used on the same mobile instrument. With the IMEI number in hand and working in collaboration with the telecom operators, it becomes very easy for the investigating agencies to detect the location or user of the subject mobile number. It was on the basis of the IMEI number that the police established that LeT operative David Coleman Headley had stayed in Lemon Tree Hotel in Mithakali before the 26/11 attacks[iii]. Further, recently in the Mumbai Terror attacks, the investigation into some of the mobile numbers used by the deceased terrorists revealed the Pakistani connection. The terrorists in the course of the offence used five mobile handsets for communicating with and seeking instructions from the co-conspirators in Pakistan. The investigation into the IMEI numbers of these handsets has revealed that these were manufactured at the Nokia factory at Dong Guan, China and shipped to Pakistan[iv]. The details are as per overleaf:

| S. No. | Details of mobile | Place of offence | Details of vendor |
|---|---|---|---|
| 1. | Nokia 1200, IMEI No. 353526024049451 | Hotel Taj | United Mobile, Pakistan |
| 2. | Nokia 1200, IMEI No. 353526025840890 | Hotel Taj | 12 Pakistan (Pvt) Ltd |
| 3. | Nokia 1200, IMEI No. 353526025828739 | Nariman House | 12 Pakistan (Pvt) Ltd |
| 4. | Nokia 1200, IMEI No. 353526025842235 | Nariman House | 12 Pakistan (Pvt) Ltd |
| 5. | Nokia 1200, IMEI No. 353526025933620 | Hotel Oberoi | United Mobiles, Pakistan |

It is further revealed that the address of 12 Pakistan (Pvt) Ltd is, 2nd Typical Floor, Executive Tower, Dolmen City, Block 4, Clifton, Karachi, Pakistan.

The importance of the IMEI number from the security point of view cannot be overlooked, as investigators investigating the various terrorist attacks in our country have reported that some of the terrorists were using Chinese mobile phones in which the International Mobile Equipment Identity (IMEI) number, a 15-digit code that appears on the operator’s network whenever a call is made, is absent. The intelligence agencies warned that in the past too, terrorists have been found using Chinese phones, in which the code is absent, to carry out attacks in the country. The absence of the IMEI number makes it literally impossible for the investigating agencies to trace the culprit and connect him with the crime, particularly when the culprit replaces his existing SIM card with a new SIM card in a mobile phone without a valid IMEI number. It is to be noted, however, that although dialing *#06# displays the IMEI number on the screen, the mobile call records reveal only the first 14 of the 15 digits; the last digit, known as the Check Digit, is always missing. The investigating agencies therefore match the 14-digit IMEI number made available by the mobile service provider companies with the subject mobile. The defense often raises a question/objection with respect to the missing last (15th) digit, known as the “Check Digit”. Generally, the controversy pertains to the last digit recorded in the seizure memo prepared by the investigating agencies when the handset is recovered and the last digit recorded in the call details provided by the service provider. The same question arose before the Supreme Court in the decision reported as State (NCT of Delhi) v. Navjot Sandhu, AIR2005SC3820, where the Supreme Court dealt with the said issue as under:

One more point has to be clarified. In the seizure memo (Ext. 61/4), the IMEI number of Nokia phone found in the truck was noted as …52432. That means the last digit ‘2’ varies from the call records wherein it was noted as …52430. Thus, there is a seeming discrepancy as far as the last digit is concerned. This discrepancy stands explained by the evidence of PW 78 – a computer Engineer working as Manager, Siemens. He stated, while giving various details of the 15 digits, that the last one digit is a spare digit and the last digit, according to GSM specification should be transmitted by the mobile phone as ‘0’….

How to check the “Check Digit”?

To understand the calculation of the “Check Digit”, let’s first look at the structure of the IMEI itself:

  1. The origin and model comprise the initial 8-digit portion of the IMEI, known as the Type Allocation Code (TAC).
  2. The first two digits of TAC are for the Reporting Body Identifier and indicate the GSMA-approved organization that registered a given mobile device, and allocated the model a unique code.
  3. The remainder of the IMEI is manufacturer-defined serial no. which has been uniquely assigned to the specific type of handset.
  4. The CD (Check Digit), which is never transmitted, is used to check the code for its validity for Phase 2 and Phase 2+ handsets. Phase 1 GSM handsets, however, always have zero (“0”) as check digit.

Check Digit:

  1. The last number of the IMEI is a check digit calculated using the Luhn algorithm.
  2. The check digit shall always be transmitted to the network as “0”
  3. The purpose of the Check Digit is to help guard against the possibility of incorrect entries to the CEIR and EIR equipment.
  4. The Software Version Number (SVN) of a mobile is not included in the calculation

“Computation of Check Digit”

The check digit is validated in three steps:

  1. Starting from the right, double a digit every 2 digits (e.g. 7 → 14)
  2. Sum the digits (e.g. 14 → 1 + 4)
  3. Check if the sum is divisible by 10

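Conversely, one can complete the IMEI by choosing the check digit which would give a sum divisible by 10. Take, for example, the IMEI 49015420323751?, where ? is the check digit to be found:

| IMEI | 4 | 9 | 0 | 1 | 5 | 4 | 2 | 0 | 3 | 2 | 3 | 7 | 5 | 1 | ? |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Double every other | 4 | 18 | 0 | 2 | 5 | 8 | 2 | 0 | 3 | 4 | 3 | 14 | 5 | 2 | ? |

Sum digits: 4 + (1 + 8) + 0 + 2 + 5 + 8 + 2 + 0 + 3 + 4 + 3 + (1 + 4) + 5 + 2 + ? = 52 + ?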

To make the sum divisible by 10, we set ? = 8, so the IMEI is 490154203237518

This is how the investigating agencies calculate the missing 15th digit, which is also known as the “Check Digit”.
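The check-digit computation above, together with the seizure-memo versus call-record comparison described earlier, as an added example that is not part of the original article. The function names and verdict strings are hypothetical; the only IMEI used is the article's worked example, and the altered variants are constructed for illustration.

```python
import re


def _digits(raw):
    """Strip the spaces and hyphens that creep into hand-copied IMEIs."""
    return re.sub(r"[\s-]", "", raw)


def luhn_check_digit(body14):
    """Return the check digit for the first 14 IMEI digits (TAC + serial)."""
    if not re.fullmatch(r"\d{14}", body14):
        raise ValueError("expected exactly 14 digits")
    total = 0
    for i, ch in enumerate(body14):
        d = int(ch)
        if i % 2 == 1:      # 2nd, 4th, ... 14th digit from the left is doubled
            d *= 2
            if d > 9:
                d -= 9      # 14 -> 1 + 4 = 5, which equals 14 - 9
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(raw):
    """True for a 15-digit IMEI whose last digit matches the Luhn check digit.

    An all-zero IMEI satisfies the Luhn sum, so it is rejected explicitly.
    Passing this test shows the number is well formed, not that it was
    genuinely allocated; that needs a lookup in the allocation database.
    """
    imei = _digits(raw)
    if not re.fullmatch(r"\d{15}", imei):
        return False
    if set(imei) == {"0"}:
        return False
    return luhn_check_digit(imei[:14]) == int(imei[14])


def reconcile(memo_imei, cdr_imei):
    """Compare the IMEI read off a handset with the one in call records.

    memo_imei: 15 digits as displayed by the handset (hypothetical memo entry).
    cdr_imei:  14 digits, or 15 with the last digit sent as 0 by the network.
    Returns (verdict, explanation).
    """
    memo, cdr = _digits(memo_imei), _digits(cdr_imei)
    if not is_valid_imei(memo):
        return ("memo-invalid", "memo IMEI fails the check digit test; "
                "possible transcription error")
    if not re.fullmatch(r"\d{14,15}", cdr):
        return ("cdr-malformed", "call-record IMEI is not 14 or 15 digits")
    if cdr[:14] != memo[:14]:
        return ("different-handset", "first 14 digits differ")
    if len(cdr) == 15 and cdr[14] not in ("0", memo[14]):
        return ("same-body-odd-last-digit",
                "first 14 digits agree but last digit is neither 0 nor "
                "the computed check digit")
    return ("same-handset", "first 14 digits agree; last digit difference "
            "is explained by the check digit not being transmitted")


if __name__ == "__main__":
    body = "49015420323751"                   # the article's worked example
    print(body + str(luhn_check_digit(body)))
    print(reconcile("490154203237518", "490154203237510"))
```

A Luhn pass only catches copying errors such as a mistyped or swapped digit; it says nothing about whether the handset's IMEI is genuine.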

Evidentiary value of IMEI number: In a number of cases, conviction has been secured on the basis of the mobile record and analysis of the IMEI number found on the mobile, a position well settled in the famous Parliament Attack Case cited supra. Further, a recent case decided by the Hon’ble Delhi High Court, Gajraj v. State, decided on 18.03.2009 (Crl. A. No. 461/2008), shows how the crucial evidence relating to the subject mobile phone having IMEI No. 35136304044030 was considered. In this case the most important piece of evidence brought on record by the prosecution to connect the accused with the commission of the crime was that the handset having IMEI No. 35136304044030 was being used by the deceased just before his death, as evidenced from the call record, and that the said handset was in the possession of the accused soon after the death of the deceased, inasmuch as the call record evidenced that the mobile number 9818480558, which was registered in the name of the accused, was being used in the said handset with effect from 24.07.2005; the factum of the possession of the said handset by the accused is further reinforced by the fact that the said handset was recovered from his house at the instance of the accused. Thus, independent of the physical recovery of the handset at the instance of the accused, through the medium of the call details of the deceased and the accused, there is unimpeachable evidence that the mobile phone of the deceased came into the possession of the accused/appellant within 19 hours of the death of the deceased. Similarly, in another case, Vinod Kumar Vs. State [Crl. A. No. 521/2008], decided on 16.03.2009 (Delhi High Court), the IMEI number of the mobile phone used by the accused person connected him with the crime of the murder of the deceased.

Mobile Phones without IMEI Numbers banned in the interest of national security

Taking serious note of the situation pertaining to the circulation of mobile phones without IMEI numbers and its potential threat to national security in view of the recent Mumbai terror attacks, the Department of Telecommunication, Government of India, vide its Letter No. 20-40/2006-BS-III(Pt.) (Vol. I)/201, dt. 3rd September, 2009, has directed all Cellular Mobile Service Providers that calls from mobile handsets with any IMEI number which is not available in the latest updated IMEI database of GSMA[v], as well as calls from handsets without an IMEI or with all zeros as the IMEI, are not to be processed and are to be rejected with effect from 24 hrs of 30th November, 2009.

The government approved earlier this year a Genuine IMEI Implant (GII) proposal from service providers that programs a genuine IMEI onto mobile handsets. In a letter to service providers in April, the Ministry of Communications & IT recognized that some of the users of phones without proper IMEIs were “genuine innocent subscribers”[vi]. In compliance with the DoT communiqué and direction, the cellular operators in India offered subscribers without an IMEI number the choice of either discarding their handsets or bringing them to official outlets of cellular companies to have their IMEI numbers re-programmed. Anyone without a valid IMEI number can go to these official outlets and get the IMEI reactivated at a nominal charge of Rs 199/- only. The Mobile Standards Alliance of India (MSAI) is the body exclusively authorized in India by the GSM Association (GSMA) to perform the Genuine IMEI Implant (GII) program. MSAI is working in partnership with the Cellular Operators Association of India (COAI) and the Department of Telecommunications (DOT) to implant genuine IMEI numbers onto mobile handsets which carry bad/non-genuine IMEI numbers, as a one-time amnesty program. Subscribers without a valid IMEI number visiting these GII centres (about 1600 such centres across the country) had to carry a valid identity proof such as a PAN card, driving license, Voter ID card, passport, ration card etc. for identification purposes.

A significant rush was seen at the GII centres, and some unscrupulous mobile vendors in the grey market took advantage of the situation, claiming that they had the facility to implant valid IMEI numbers in mobiles or that their mobiles were sold with valid IMEI numbers. The Crime Branch of Delhi Police, on the complaint of the Indian Cellular Association, conducted a raid on December 9, 2009 in the Karol Bagh electronics market and arrested 23 mobile vendors who were found selling banned Chinese mobile phones. The police seized from them a total of 3,500 mobile handsets without IMEI numbers. A “Spiderman Software Box”, which was imported from China to upload fake IMEI numbers onto handsets, was also seized from these vendors. The implanting of fake IMEI numbers and the sale of such handsets to innocent customers have very serious ramifications as far as national security is concerned. Given the large number of banned Chinese mobiles in circulation, it could lead to large-scale tampering/manipulation of IMEI numbers. Given the increasing role of cell phone transcripts in monitoring and investigating anti-social activities, including high-profile terror cases, the usage of fake IMEI numbers could defeat the very objective of the GII drive initiated by the Department of Telecommunications, Government of India.

Earlier, the Mumbai police had also conducted similar raids in October, 2009 and seized banned Chinese mobile phones without IMEI numbers. The offenders were booked under Section 41(d) of the Criminal Procedure Code, which empowers the police to arrest any person who is suspected to be in possession of stolen property. However, Section 41 Cr.P.C. is not a penal provision and only empowers the police to arrest a person under the circumstances mentioned in that section.

However, the implantation of a fake IMEI number in a mobile phone attracts the penal provisions of Sections 420 and 468 read with Section 471 of the Indian Penal Code, as the mobile vendors are cheating gullible customers by passing off banned mobile phones with fake IMEI numbers as genuine ones and inducing them to part with their hard-earned money. Further, for the purpose of cheating they commit forgery of the IMEI number, which is an electronic record, and thus attract Section 468 IPC; and by showing a mobile having a fake IMEI number as a genuine one, when they have reason to believe that it is forged, they attract Section 471 IPC as well. The Delhi police have invoked these sections of the Indian Penal Code, which are cognizable and non-bailable, against these unscrupulous vendors of banned Chinese mobile phones, showing the uncompromising attitude of the Government of India as far as national security is concerned.

Neeraj Aarora


[i] Source: KPMG: Information, Communication and Entertainment -An Inconvenient Reality The unaccounted consequences of non-genuine software usage -Advisory

[ii] For details about IMEI number please visit:

[iii] Source: News article published in Ahmedabad on December, 11, 2009.

[iv] Source:,

[v] GSMA representing the interests of the worldwide mobile communication industry is the only body which supplies the IMEI numbers to Mobile Handset manufacturers worldwide through its reporting bodies and maintains the IMEI database of worldwide genuine IMEI numbers. This IMEI database is also activated and updated every 15 days in the EIR of mobile operator’s network.

[vi] See DoT letter no. 20-40/2006-BS-III (Pt.) (Vol.I)/109 dt. 27th April, 2009

Ghaziabad Changing Room Incident Shines Spotlight On Video Voyeurism

December 25, 2009

The arrest of a famous store room owner at Ghaziabad for allegedly planting a secret camera to make clippings of female customers using the trial room has shown the adverse impact on our concept of privacy. Peeping cameras are becoming technologically advanced, tiny and easily available at cheaper prices. They can be planted secretly with ease, and their pervasive application has contributed to the younger generation’s growing obsession with voyeurism. The Ghaziabad incident is not unprecedented: various newspapers have reported similar incidents of surreptitiously concealed peeping toms prying into locker rooms, changing rooms of malls and swimming pools in prurient attempts to film unsuspecting victims in various states of undress. These newspaper reports are alarming, this being a very invasive and intimidating crime which also poses a fundamental challenge to individual privacy.

What is Video Voyeurism?

A new phenomenon of video voyeurism, also known as “cyber peeping”, has emerged in recent times, in which images of the private area of a subject, mostly female, are captured without her knowledge and then transmitted widely without her consent, thus violating her privacy rights. Video voyeurism is the act of secretly or discreetly photographing certain parts of the body, mostly unclothed, without the person’s consent. It typically refers to “up-skirt” or “down-blouse” images taken of women without their consent. We have seen a rise in cases of video voyeurism in which the victims have been photographed, revealing their private parts, without ever knowing it. The phenomenal growth of the internet and its users, mostly of the younger age, has given rise to this up-skirt and down-blouse photography, which one can view easily at a host of video voyeurism websites. The voyeurs, psychopaths out to satisfy their lust, see surreptitious video surveillance as a form of high-tech hunting and take pride in showcasing their talent on the various video voyeurism websites which have mushroomed on the World Wide Web, and mostly go free, taking shelter under the current gap in the law. Acts of video voyeurism are not only an invasion of a person’s privacy but also a serious threat to the liberties of a free society as we know it, and are against our high moral and cultural values or ethos. These criminal activities undermine the most basic levels of privacy to which every citizen is entitled.

Do we have law to deal with menace of Video Voyeurism?

Realizing the ever-growing menace of video voyeurism, the USA passed federal legislation known as the Video Voyeurism Prevention Act of 2004, which prohibits knowingly capturing an image of a private area of an individual by video tape, photograph, film, or any means, or broadcasting it, without that individual’s consent and under circumstances in which the individual has a reasonable expectation of privacy. (See relevant Section 1801 of the Video Voyeurism Prevention Act of 2004.) The said law thus makes it a crime to secretly record or distribute images of people in places where they have a reasonable expectation of privacy, such as bathrooms, dressing rooms, locker rooms, hotel rooms, malls etc. The law defines a “private area” as the naked or undergarment clad genitals, pubic area, buttocks, or female breast of an individual. The law, however, makes an exception and does not apply to people engaged in lawful law enforcement or intelligence activities.

In India also, we have seen increasing incidents of video voyeurism due to advanced technology that has made today’s hidden cameras tiny, sleek and adapted for WiFi connections, making transfer of the captured film or movie clip to the web easier and faster. The Internet is a product of US technology, so issues relating to the Internet are heavily flavoured by US constitutional and legal doctrines. The legislature was aware of this problem and of the fact that there was no stringent law to specifically deal with the menace of video voyeurism, which was rampant due to modern technology. The amendment proposed to the IT Act inserted a new Section 66E, which specifically addresses video voyeurism and is inspired by the US Video Voyeurism Prevention Act of 2004. The wording of the proposed Section 66E, which makes this sort of “cyber peeping” a felony, is as under:

“66E  Punishment for violation of privacy”

Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with  imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both

Explanation.- For the purposes of this section–

(a) “transmit” means to electronically send a visual image with the intent that it be viewed by a person or persons;

(b) “capture”, with respect to an image, means to videotape, photograph, film or record by any means;

(c) “private area” means the naked or undergarment clad genitals, pubic area, buttocks or female breast;

(d) “publishes” means reproduction in the printed or electronic form and making it available for public;

(e) “under circumstances violating privacy” means circumstances in which a person can have a reasonable expectation that–

(i)  he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or

(ii) any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.

Why the Ghaziabad Police have invoked the Indian Penal Code and not the aforesaid provision of IT Amendment Act?

In the reported cases of a similar nature the police have invoked Section 294 IPC (obscene acts) and Section 509 IPC (insult to modesty of women), both of which are bailable as per the 1st Schedule to the Code of Criminal Procedure, 1973. The 1st Schedule to the Cr.P.C. categorizes offences as cognizable/non-cognizable and bailable/non-bailable. The IT Amendment Act has not yet been notified by the Government, and therefore the offender cannot be booked under the newly inserted Section 66E of the IT Amendment, in view of the clear mandate of Article 20(1) of the Constitution of India, which says that “No person shall be convicted of any offence except for violation of the law in force at the time of the commission of the act charged as an offence….”. However, it is pertinent to mention here that Section 66E is a bailable offence as per the scheme of the yet-to-be-notified Act; had the amendment act been notified and the section invoked, it would not have made much difference, for it would have had no deterrent effect on the offender, who can walk out freely, the offence being bailable.

Nevertheless, the police should have invoked Section 67 of the IT Act, 2000 (which deals with publication or transmission of obscene information in electronic form), a stringent penal provision of the IT Act, 2000, as the offence is cognizable and non-bailable and attracts imprisonment of up to five years and a fine of up to one lakh rupees on first conviction. However, it has been seen that the police in similar cases, including the present one, have not resorted to Section 67 IT Act, 2000, for reasons best known to them. Section 67 IT Act, 2000 is clearly attracted, as there has been publication or transmission of clippings of female clients in various states of undress, and the same have been transmitted, generated, received or stored in electronic/computer equipment which is a magnetic, optical or similar device. Thus, the offence is complete in view of Section 67 IT Act read with Section 2(r) IT Act (which defines “Electronic Form”). Section 67 IT Act, 2000 and Section 2(r) IT Act are reproduced below:

67. Publishing of information which is obscene in electronic form.

Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to one lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to ten years and also with fine which may extend to two lakh rupees.

Section 2 (r) “electronic form” with reference to information means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device.

Thus, not invoking the provisions of Section 67 IT Act, 2000 which has a deterrent effect on the offenders as well as which would deter the prospective offenders to commit the crime, in a way amounts to shielding the criminal from the criminal process of law and would encourage them to commit the crime with impunity without any fear of law as they know that they can walk out freely, in view of bailable sections slapped on them by the police.

Neeraj Aarora


Fake Social Networking Profiles Still Big Problem- What To Do

December 25, 2009

Online social networks have rapidly increased in popularity, especially over the past couple of years. Social networking sites (SNSs) are popular because they make it easy to find, connect with, and develop friendships with other internet users, often ones who share your interests. Various SNSs are very popular among the net-savvy younger generation, such as Facebook, MySpace, Friendster, Orkut and Xuqa, which allow users to post personal profiles, photographs, and random musings; to link to the profiles of “friends”, thereby creating “networks” of people with supposedly common interests; and to establish and join groups on any and every topic that comes to mind, from topics of personal interest (for example their girlfriends, their first date, experiences of their first date) to topics of political interest like Free Tibet. For obvious reasons these services are extremely popular, for they give the public, particularly the younger generation, a platform to share their views, ideas, stories, photographs etc. Among the most popular SNSs in India is Orkut (which belongs to Google), which operates in a similar way to other big sites such as MySpace, Friendster and Facebook. Registered users can create profiles, upload photographs, communicate with other members and join groups.

However, despite the advantages that SNSs bring, there is a dark side too. There has been a spurt in Orkut-related obscenity cases in various parts of India. Cases of misuse on Orkut have been reported widely. Most common among them are Orkut-related complaints concerning pictures of young girls that have been posted on communities with lewd allusions and a listing of the victims’ mobile numbers. Let’s have a look at some of these recent incidents:-

  • An air-hostess residing in Delhi and working for Kingfisher Airlines filed an application in a city court for an order directing the Delhi Police to register a case against Orkut after a vulgar profile was posted by someone. The fake profile had a picture of her in her work uniform and listed the telephone number of her neighbor (an official at the Lok Sabha Secretariat) for ‘friendship’. Her neighbors were flooded with vulgar calls, leading to a lot of harassment.
  • The father of a South Delhi schoolgirl suffered from a fake profile of his daughter posted on Orkut that not only described the teenager as a ‘sex teacher’ but also contained obscene photographs and her contact details. He lodged a complaint with the Cyber Cell of the Delhi Police’s Economic Offences after his family started receiving calls following the appearance of the fake profile.
  • A student of Bachelor of Management Studies was arrested some months ago for creating a classmate’s profile and uploading her picture with offensive messages on an online community site without her permission. The Cyber Cell of Thane Police swung into action as soon as they got the complaint of abuse from the victim: they made contact all the way to Sweden (Orkut servers are located in Sweden), got the IP of the profile creator and tracked him down to his house.
  • A 20-year-old economics student at Mumbai University received hundreds of vulgar phone calls after someone posted a fake profile of hers on Orkut. She later complained to the Cyber Crime Cell in Mumbai.

The investigation of cases of fake obscene profiles posted in other people’s names, particularly those of innocent girls/ladies, has revealed that they are usually created by people who know the personal details of a user and create a profile to impersonate him or her, thereby causing all sorts of problems for the victim. These so-called ‘pranksters’ are not unknown strangers living in a far-off country but some of the people closest to the victim or their families. They usually include classmates, college friends, ex-boyfriends, neighbors, colleagues, relatives, and family or business rivals who are jealous of the victim for a variety of reasons: a frustrated lover who has been turned down by a girl who is his classmate, an employee who has been yelled at by a female boss, a student who has been punished by a female teacher, etc. However, there are some psychos who do it simply as a ‘prank’ or joke, as they seek a kind of pleasure and adventurism in it.

Suppose you or any of your relatives/friends is a victim of such an obscene profile on Orkut or another SNS; the question, then, is what, if anything, to do about it. You must always remember that cyberspace is not a separate, law-free jurisdiction. There are a few steps you can take:-

  • Guess who the ‘prankster’ is. It will usually be someone you know, like your classmate, your colleague, your old boyfriend or your immediate neighbor. Watch their reactions and the language used to describe you on the site, and you may be able to guess who the prankster is. Tell that person to stop and threaten him/her with legal action/media publicity. However, if that person seems like a psycho, then don’t contact them.
  • Report to the SNS or Orkut:- You may make a formal complaint giving the URL of your profile and of the bogus profile, and report the latter as bogus to the administrator of the social networking website, such as Orkut, with a request to remove the objectionable content.

Legal Action under the Information Technology Act, 2000:- If the fake profile is not withdrawn and the obscene phone calls continue, don’t panic, because there is legal recourse available to you. Section 67 of the Information Technology Act, 2000 provides that publishing information that is obscene in the electronic media is punishable with imprisonment for a term which may extend to five years and with a fine which may extend to Rs 1 lakh. The offence is cognizable and non-bailable. Thus, it is considered a very serious offence. So serious is the offence that, as per the provisions of the IT Act, every offence under the IT Act is to be investigated by an officer not below the rank of Deputy Superintendent of Police. It is advisable to make a written complaint clearly disclosing the commission of a cognizable offence (i.e. the fact of the posting of a fake obscene profile in your name) to the dedicated Cyber Cell of the State Police, which is well equipped and specially created to handle this type of complaint. Before making the complaint, ensure that you have saved a copy of the objectionable content and the concerned URL link, as these will be required for the investigation, all the more so because the prankster may remove the objectionable content to escape criminal liability. Insist on the registration of the FIR, as the Criminal Procedure Code clearly mandates that an FIR has to be registered on a complaint if it discloses the commission of a cognizable offence (a cognizable offence is one where a police officer may arrest a person without a warrant). If the cyber cops refuse for some reason to register your FIR, it is open to you to send the complaint in writing and by post to the concerned Superintendent of Police under Section 154(3) of Cr.P.C. It is also open to the informant to directly approach the Court of the Magistrate of the concerned Police Station with the information under Section 200 of Cr.P.C. with a prayer to direct the police to investigate the offence.

There is a need to sensitize the public, particularly the younger generation, to use cyberspace sensibly. Awareness must be created that they are not anonymous in cyberspace and that there is always a trail of their misdeeds in cyberspace.

Neeraj Aarora


Cyber Criminal Arrested Through Digital Footprint- An Excellent Job By Special Cell, Delhi Police

December 25, 2009

Neeraj Aarora: AICWA, LLB, PGD (Cyber & DLTA), CFE (USA)

There is a lack of security culture amongst the users of computers, computer systems and computer networks. This is evident from the recent report that the email account of Anoushka Shankar (daughter of the legendary music maestro Pandit Ravi Shankar) was hacked into by an offender who took control of some very private photographs stored in the inbox of the email account.

Pandit Ravi Shankar made a complaint to the Union Home Ministry that his daughter was being blackmailed and threatened via email by some unknown person. The complaint was later referred to the Delhi Police, and the investigation of the case was taken up by Inspector Pawan Kumar under the supervision of ACP Sanjeev Yadav of the elite Special Cell of Delhi Police. The unknown accused person allegedly blackmailed and threatened Anoushka via emails, saying that he would make public some of her photographs found in her email inbox if his demand of $ 100,000 was not paid by her. The unknown accused person apparently hacked the email account of Anoushka and took control of some private photographs stored in the inbox.

The aforesaid officers of the elite wing of the Delhi Police, the Special Cell, did a commendable job. Apparently, the accused person took control of the password of Anoushka’s email account by hacking into it. He found some very private photographs of her and thought to make some easy bucks out of them by blackmailing Anoushka, as their release would cause great embarrassment to the father-daughter duo, who are internationally recognized musicians.

The Special Cell cops traced the Internet Protocol address (IP address) from which the emails were sent. An IP address is the unique number assigned to every device, such as a computer, on an internet network so that data can be routed to and from that device and no other. Much as a postal mailing address identifies the physical location of your post office and allows the mail carrier to know where to deliver the mail, a device’s IP address is what allows the internet to know where to send the data destined for a particular computer. Tracing the physical location of the computer to which an IP address has been assigned, and thereby identifying the computer’s user, is not the easy task that some Hollywood movies make us believe. Locating the IP address does not mean you have located a criminal. It’s nowhere near that easy.

IP addresses are assigned to a net user not on the basis of his location but by the Internet service provider (ISP) from which he gets net connectivity, and so may differ from user to user if they avail the services of different ISPs. Even if users avail the services of the same ISP, there is no hard and fast rule that their IP addresses will appear “close” to one another in any sense, other than the convenience of the ISP.

The IP address can be tracked from the header of the email. There are various IP address locators available from which one can get information about the ISP to which a particular IP address belongs. Some additional information may be available that indicates the general area in which an IP address might reside, i.e. the country or city, if at all, but nothing more specific than that. Here the help of the ISP is required to pinpoint the location and identity of the user. The ISP that allots the IP address to a particular computer knows where the user lives. But ISPs will not provide the information to the general public because of the strict privacy policies to which they adhere. Here the role of the law enforcement machinery comes into the picture. The police and the courts can, with appropriate cause, direct the ISP to provide the requisite information with respect to the IP addresses. Section 91 of the Code of Criminal Procedure, 1973 and Section 69 of the Information Technology Act, 2000 make provision to this effect.

The extortive emails sent by the offender were found to have been sent mostly from a Gmail account. However, Gmail blocks the IP address of the sender, so it is not visible to the recipient of the email. One email, however, was found to be from another email service provider, and it was found that it had been sent from India; the rest of the emails were found to be from Dubai, elsewhere in the UAE, and the USA. The police tracked down one of the IP addresses to a residential address located in Mumbai and nabbed the accused person, whose name came to be known as Junaid Jameel Ahmed Khan and who confessed to his crime. The cops seized the hard disk of the computer from which the alleged emails were sent and prepared a mirror image of it, and the hard disk was sent to the Forensic Science Laboratory, Hyderabad for further analysis. The cops also seized the passport of the offender, from which it was found that the offender was in Dubai on the same date when the extortive emails from Dubai were received by Anoushka, which clearly corroborates the offence committed by the offender.
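The header tracing described in the two paragraphs above, as an added example (not code from the article or from the investigation): it walks the Received chain of two constructed messages, one relayed over SMTP by the sender's ISP and one submitted through a hypothetical webmail provider that records no client address. All host names use .example, all addresses are from documentation or private ranges, and the function names are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Ranges that say nothing about the sender's ISP. The stdlib is_private flag
# is not used because it also flags the documentation ranges used below.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: mail handed to the sender's ISP over SMTP.
SMTP_SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.20])
    by inbox.recipient.example with ESMTP id abc123;
    Fri, 25 Dec 2009 10:00:05 +0530
Received: from smtp.isp.example (smtp.isp.example [203.0.113.7])
    by mx.recipient.example with ESMTP id def456;
    Fri, 25 Dec 2009 10:00:03 +0530
Received: from [192.168.1.5] (unknown [192.0.2.44])
    by smtp.isp.example with ESMTPA id ghi789;
    Fri, 25 Dec 2009 10:00:01 +0530
From: sender@isp.example
Subject: constructed sample

body
"""

# Constructed sample: mail composed in a web interface; the first hop has no
# "from" clause, so the sender's own address never enters the headers.
WEBMAIL_SAMPLE = """\
Received: from mail-out.webmail.example (mail-out.webmail.example [203.0.113.99])
    by mx.recipient.example with ESMTP id jkl012;
    Fri, 25 Dec 2009 11:00:03 +0530
Received: by 10.1.2.3 with HTTP; Fri, 25 Dec 2009 11:00:01 +0530
From: someone@webmail.example
Subject: constructed sample

body
"""


def is_routable(text):
    """True for a well-formed IPv4 address outside the NON_ROUTABLE ranges."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def hops_oldest_first(raw_message):
    """One dict per Received header. Each server prepends its own header,
    so the last Received line in the message is the oldest hop."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())                 # undo header folding
        has_from = flat.startswith("from ")
        from_part = re.split(r"\sby\s", flat, maxsplit=1)[0] if has_from else ""
        ips = [ip for ip in IP_IN_BRACKETS.findall(from_part) if is_routable(ip)]
        hops.append({"has_from": has_from, "ips": ips, "raw": flat})
    return hops


def trace_origin(raw_message):
    """Earliest routable address in the chain, plus whether the first hop
    recorded a connecting client at all. Hops older than the first server
    the investigator trusts can be forged and need corroboration."""
    hops = hops_oldest_first(raw_message)
    recorded = bool(hops) and hops[0]["has_from"]
    for hop in hops:
        if hop["ips"]:
            # The last bracketed address is the one the receiving server
            # observed; an earlier one is only the client's own claim.
            return {"ip": hop["ips"][-1], "sender_ip_recorded": recorded}
    return {"ip": None, "sender_ip_recorded": recorded}


if __name__ == "__main__":
    print("SMTP   :", trace_origin(SMTP_SAMPLE))
    print("webmail:", trace_origin(WEBMAIL_SAMPLE))
```

In the webmail case the earliest address is the provider's own relay, so subscriber records have to come from the provider rather than from the headers.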

The Special Cell cops did a commendable job in nabbing the accused person who was blackmailing Anoushka and giving her sleepless nights. The police have seized and preserved the crucial digital evidence and other documentary evidence which would prove the guilt of the accused person. Cyber technology is an extremely complicated field, and the internet is being increasingly used as a place to commit crimes using personal computers as well as network-based computers. The case clearly shows that the Special Cell cops know their job; they understand not only the criminal mindset but also computers and networks, how they work and how to track down information on them, and they know the basics of gathering evidence and bringing offenders to justice.

The Special Cell cops registered the case under Section 386 of the Indian Penal Code, which deals with the offence of extortion. The maximum punishment for such a crime, if proven guilty, is 10 years’ imprisonment. The offence is cognizable and non-bailable. The accused hacked into the email of Anoushka; however, the police at the preliminary investigation stage did not invoke Section 66 IT Act, because the modus operandi of the offender, i.e. how he took control of the private photographs of Anoushka, was not known. During the investigation and seizure of the computer it became apparent that the photographs had been copied onto his computer by hacking the email ID of Anoushka. Now Section 66 IT Act has been added, as it is attracted to the offence. The material evidence seized by the cops proves the involvement of the offender, as the IP address has been traced to his residence. Further, the examination and analysis of the seized hard disk of the offender’s computer at the forensic laboratory would prove that the email account was hacked into and the photographs copied by the offender from the inbox of the email account. If the analysis of the hard disk further reveals that the photographs (read obscene or nude) found in the possession of the offender have been transmitted by him electronically, say to some of his friends, that would amount to publication in electronic form, which would be squarely covered by and punishable under Section 67 of the IT Act, 2000 as well.

Thus, the excellent investigation done by Inspector Pawan Kumar under the supervision of ACP Sanjeev Yadav of the Special Cell, Delhi Police should be applauded; it gives a warning to prospective criminals that they are not anonymous in the virtual world. Their activity on the internet leaves a footprint through which they can be traced and brought to justice. However, at the same time netizens need to be educated about the best security practices they should adopt and keep in mind while they use computers, computer systems and computer networks, so that they do not fall into the trap of cyber criminals, like Anoushka. After all, prevention is better than cure.