
Table of Contents

1. Introduction
2. Access related Violations in India
3. Assisting unauthorised access in India
4. Scope of Sec 43 of IT Act 2000
5. United States of America
6. United Kingdom
7. R vs Gold and Schifreen
8. Pakistan
9. Conclusion

Introduction

As computers became more popular, technology grew alongside them
and the term "cyber" became familiar to the public. The evolution
of Information Technology (IT) gave birth to cyberspace, in which
the internet gives everyone an equal opportunity to access, store
and analyse information using advanced technology. As the number
of internet users increased, misuse of technology in cyberspace
increased as well, which gave rise to cyber law violations at both
the domestic and the international level.

Cyber laws are the laws that prevail in cyberspace. Cyberspace is
defined broadly and encompasses computers, computer networks,
software, data storage devices, the Internet, websites, emails and
even electronic devices such as cell phones, ATM machines,
satellites, microwaves etc. Such laws have three features: first,
they must be standardized by the government; second, they must be
in force within a specific region; and finally, they must be
obeyed by all persons within that region. Any violation of these
rules gives the government the right to take action, such as
imprisonment, a fine or an order to pay compensation, as specified
through the proper legal jurisdiction.

In India, cyber law is a generic term which refers to all the legal
and regulatory aspects of the Internet and the World Wide Web. It
deals with crimes that are accomplished with the help of a
computer, computer system, computer network, the internet, storage
devices or communication devices. The I.T. Act in India gives no
strict definition, but it includes cyber contraventions and cyber
offences. For example, a cyber contravention generally describes
unauthorized access that may or may not come under the law and
involves a lesser degree of penetration (perhaps without intent to
harm, or for educational or research purposes), while cyber crimes
are exploits for gaining unauthorized access with the intention to
harm. It should be noted that in the Indian context punishment for
cyber crimes is also given on the basis of the Indian Penal Code
(IPC), which is also a constitutional legal handbook for
prosecuting criminals engaged in other social crimes.

Access Related Violation in India

According to section 2(1)(a) of the IT Act, "access" with its
grammatical variations and cognate expressions means gaining
entry into, instructing or communicating with the logical,
arithmetical, or memory function resources of a computer,
computer system or computer network. Here access simply describes
the right to use a computer or any resource attached to it,
whether by executing a command or by communicating through the
logical, arithmetical or memory functions of a computer, computer
system or computer network. The term is not limited to this
explanation; it also applies to any physical contact with a
computer or any resource attached to it. It should be noted that,
under the law, "grammatical variations" means that the term access
can also be replaced by its noun, verb, adjective or any other
grammatical form. "Cognate expressions" are synonyms or words
related to access, e.g. entrance, sign in, start etc. The
grammatical variations and cognate expressions are used according
to the situation observed.

According to section 43(a) of the IT Act, if any person without
permission of the owner or any other person who is in charge of a
computer, computer system or computer network (a) accesses or
secures access to such computer, computer system or computer
network, he shall be liable to pay damages by way of compensation
not exceeding one crore rupees to the person so affected.
Here the term "secures access" means that the person has made sure
that he can access the system whenever he wants, from anywhere,
without permission.

Analogies:
1. Accessing a computer system remotely with the help of Trojans.
2. Applying social engineering to friends, relatives etc.
3. Hacking through any software or otherwise, e.g. by using the
telnet or ftp command.
4. By e-mail spoofing, MAC spoofing or IP spoofing.
5. By learning passwords with the help of key loggers or shoulder
surfing.
We would now like to define the term permission. It can be full,
partial or implied. The best example for understanding this term
is an intranet. In colleges each faculty member has a separate
log-in ID and password. There is also a Director log-in, which
reserves the full right to verify the records of marks, attendance
etc. of students that are uploaded by the concerned faculty for
the concerned subject(s) across the whole college. The Director
can further add, delete or modify any data uploaded by faculty if
it is found to contain an error or in case of any discrepancy.
Now:
1. The Director log-in has full permission to access anybody's
account.
2. The management of the college authorized the Director log-in to
confer the full right to access any faculty record.
This comes under the partial and implied categories of permission.
It is implied in that the Director can access the records of
faculty, but it is also partial, since he is to look only at the
academic activities of faculty; he is not authorized to view the
salary status or any financial transaction of faculty, which is
under the control of the accounts department.
3. There is only one scenario which comes under unauthorized
access. Suppose the Director is on leave and gives his log-in ID
and password to his assistant, who, out of some malicious
intention, modifies the data of a particular faculty member. The
only way to find out what happened that day is log-in recovery
through the IDPS. The penalty provided for this section is
compensation up to Rs.1 crore.

Assisting Unauthorised Access

According to section 43(g) of the IT Act, if any person without
permission of the owner or any other person who is in charge of a
computer, computer system or computer network (g) provides any
assistance to any person to facilitate access to a computer,
computer system or computer network in contravention of the
provisions of this Act, rules or regulations made thereunder, he
shall be liable to pay damages by way of compensation not
exceeding one crore rupees to the person so affected.

The essential element of this section is that assistance is
provided for obtaining access to a computer in contravention of
the IT Act and its allied laws. A person who obtains access to a
computer in contravention of the IT Act would be liable under the
relevant sections (e.g. 43(a) or 66 or 70 etc). What this section
specifically covers is providing assistance to such a person so
that the assistance facilitates the unlawful access.
In Indian cyber law this comes under breach of privilege. The
section mentions two terms: assistance, i.e. the act of helping,
and facilitate, i.e. providing any aid to complete the task. An
example is obtaining passwords or other confidential details of
protected systems from close friends or relatives, by placing them
under some financial or moral obligation, in order to obtain
confidential information using those passwords or to manipulate
firewall or intrusion detection system settings, and so on. It has
been seen that all these acts are unlawful access provided by a
disgruntled employee or any traitor inside the organization.

The penalty provided for this section is compensation up to
Rs.1 crore. Some important case studies which have been
registered in courts of law under Indian cyber laws are detailed
below. They also illustrate the concepts of hacking and
unauthorized access.
1. A displeased employee of a bank placed a strong magnet near the
bank's main server. After some time the bank lost important
information related to customers' accounts.
2. Two persons were allegedly arrested in 2002. They used
password cracking software to crack the FTP password for the
Mumbai police website and then changed the homepage of this
website to pornographic content.
3. The Delhi Municipal Corporation (DMC), on behalf of the
electricity department, used to collect money, provide receipts
and perform accounting of electricity bills through computer
systems. When this process was transferred to a private party, one
of them, a computer expert, misappropriated a large amount of
funds by manipulating data files to show lower receipts and bank
remittances.
4. A young woman reporter was trapped when, while surfing online
for her articles, she was victimized by someone who installed a
Trojan on her computer. Her computer was located in a corner of
her bedroom. The Trojan activated every time she started her
internet connection, and it turned on her web cam and microphone
without her knowledge. The connection continued to work when she
disconnected her internet connection. Later she came to know that
many of her pictures and videos had been transferred to
pornographic websites.
5. India witnessed its first cybercrime conviction recently in
2002. It all started when Sony India Private Ltd. ran a website
called www.sony-sambandh.com. The aim of this website was to let
people send Sony products to their friends and relatives in India
through online payment. In May 2002, someone logged onto the
website under the identity of Barbara Campa, placed an order for a
Sony colour television set and a cordless headphone, and made an
online payment by credit card for delivery to Arif Azim, Noida.
The payment was cleared by the credit card agency and the
transaction was processed. After following the relevant
procedures, Sony delivered the items to Arif Azim. But after one
and a half months the credit card agency informed the company
that this was an unauthorized transaction, as the real owner had
denied having made the purchase. Sony lodged a complaint for
online cheating with the Central Bureau of Investigation, which
registered a case under Sections 418, 419 and 420 of the Indian
Penal Code. The matter was investigated and Arif Azim was
arrested. Investigations revealed that Arif Azim, while working at
a call centre in Noida, gained access to the credit card number of
an American national, which he misused on the company's site. The
CBI recovered the colour television and the cordless headphone.

Scope of Section 43 of IT Act 2000

| Information Technology Act 2000 | Scope of Section 43 |
| --- | --- |
| Section 43. Penalty and compensation for damage to computer, computer system, etc. If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network,- | This section primarily deals with all such contraventions resulting from unauthorised access to computer, computer system or computer resources. |
| (a) Accesses or secures access to such computer, computer system or network or computer resources; | It may cover instances of cracking (or hacking), computer trespass, data theft, privacy violation, software piracy/theft etc. |
| (b) Downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium. | It may cover instances related to digital copying, data and computer database theft, violation of privacy etc. |
| (c) Introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network; | It may cover instances of deletion, alteration, damage, modifications of stored computer data or computer programs leading to data interference. |
| (d) Damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programs residing in such computer, computer system or computer network; | It may cover instances related to computer/online fraud, forgery, privacy violations etc. |
| (e) Disrupts or causes disruption of any computer, computer system or computer network; | It may cover instances leading to denial of service attacks, spamming etc. |
| (f) Denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means; | It may cover instances of system interference, misuse of computer devices etc. |
| (g) Provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder; | It may cover instances of illegal access, misuse of computer devices etc. |
| (h) Charges the service availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network; | It may cover instances leading to computer/online fraud, phishing, identity theft etc. |
| (i) Destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means | It may cover instances of cracking (or hacking), data theft, data interference, data loss, denial of service attacks, online frauds/forgeries etc. |
| (j) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage. | It may cover instances related to computer programme/software copyright violations, piracy, theft etc. |

United States

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, protects
computers in which there is a federal interest: federal computers,
bank computers, and computers used in or affecting interstate and
foreign commerce. It shields them from trespassing, threats,
damage, espionage, and from being corruptly used as instruments of
fraud. It is not a comprehensive provision; instead it fills
cracks and gaps in the protection afforded by other state and
federal criminal laws. It is a work that over the last three
decades, Congress has kneaded, reworked, recast, amended, and
supplemented to bolster the uncertain coverage of the more general
federal trespassing, threat, malicious mischief, fraud, and
espionage statutes.

This is a brief description of section 1030 and its federal
statutory companions. There are other laws that address the
subject of crime and computers. CFAA deals with computers as
victims; other laws deal with computers as arenas for crime or as
repositories of the evidence of crime or from some other
perspective. These other laws (laws relating to identity theft,
obscenity, pornography, gambling, among others) are beyond the
scope of this report.

In their present form, the seven paragraphs of subsection 1030(a)
outlaw:
- computer trespassing in a government computer, 18 U.S.C.
  1030(a)(3);
- computer trespassing resulting in exposure to certain
  governmental, credit, financial, or computer-housed information,
  18 U.S.C. 1030(a)(2);
- damaging a government computer, a bank computer, or a computer
  used in, or affecting, interstate or foreign commerce, 18 U.S.C.
  1030(a)(5);
- committing fraud an integral part of which involves unauthorized
  access to a government computer, a bank computer, or a computer
  used in, or affecting, interstate or foreign commerce, 18 U.S.C.
  1030(a)(4);
- threatening to damage a government computer, a bank computer, or
  a computer used in, or affecting, interstate or foreign commerce,
  18 U.S.C. 1030(a)(7);
- trafficking in passwords for a government computer, or when the
  trafficking affects interstate or foreign commerce, 18 U.S.C.
  1030(a)(6); and
- accessing a computer to commit espionage, 18 U.S.C. 1030(a)(1).
Subsection 1030(b) makes it a crime to attempt or conspire to
commit any of these offenses. Subsection 1030(c) catalogs the
penalties for committing them, penalties that range from
imprisonment for not more than a year for simple cyberspace
trespassing to imprisonment for not more than 20 years for a
second espionage-related conviction and to life imprisonment for
death-result offenses. Subsection 1030(d) preserves the
investigative authority of the Secret Service. Subsection 1030(e)
supplies common definitions. Subsection 1030(f) disclaims any
application to otherwise permissible law enforcement activities.
Subsection 1030(g) creates a civil cause of action for victims of
these crimes. Subsection 1030(h), which has since expired, called
for annual reports through 1999 from the Attorney General and
Secretary of the Treasury on investigations under the damage
paragraph (18 U.S.C. 1030(a)(5)). And subsections 1030(i) and (j)
authorize the confiscation of property generated by, or used to
facilitate the commission of, one of the offenses under subsection
1030(a) or (b).

Unauthorised Access-

While the question of what constitutes access without
authorization might seem fairly straightforward, Congress was
willing to accept a certain degree of trespassing by government
employees in order to protect whistleblowers.

Jurisdiction
The reports offer little insight into the meaning of the third
element: what computers are protected from trespassing. There
may be two reasons. Paragraph 1030(a)(3) protects only
government computers and therefore explanations of the sweep
of its coverage in the area of interstate commerce or of financial
institutions are unnecessary. Besides, at least for purposes of
these trespassing offenses of paragraph 1030(a)(3), the statute
itself addresses several of the potentially more nettlesome
questions. First, the construction of the statute itself strongly
suggests that it reaches only computers owned or leased by the
federal government: "whoever ... without authorization to access
any nonpublic computer of a department or agency of the United
States, accesses such a computer of that department or agency...."
Second, the language of the statute indicates that nonpublic
computers may nevertheless include government computers that
the government allows to be used for nongovernmental purposes:
"in the case of a [government] computer not exclusively for the
use of the Government of the United States...."
Third, the statute covers government computers that are
available to nongovernment users: "accesses such a computer ...
that ... in the case of a [government] computer not exclusively for
the use of the Government of the United States, is used by
or for the Government of the United States...." The use of the term
"nonpublic," however, makes it clear that this shared access may
not be so broad as to include the general public.
Finally, the section supplies a definition of "department of the
United States": "[a]s used in this section ... the term 'department
of the United States' means the legislative or judicial branch of
the Government or one of the executive departments enumerated in
[s]ection 101 of title 5;" and the title supplies a definition of
"agency of the United States": "[a]s used in this title ... [t]he
term 'agency' includes any department, independent establishment,
commission, administration, authority, board or bureau of the
United States or any corporation in which the United States has a
proprietary interest, unless the context shows that such term was
intended to be used in a more limited sense."

United Kingdom

The Computer Misuse Act 1990 is an Act of the Parliament of the
United Kingdom, introduced partly in response to the decision in
R v Gold & Schifreen (1988) 1 AC 1063. Critics of the bill
complained that it was introduced hastily and was poorly thought
out. Intention, they said, was often difficult to prove, and the
bill inadequately differentiated "joyriding" hackers like Gold and
Schifreen from serious computer criminals. The Act has
nonetheless become a model from which several other countries,
including Canada and the Republic of Ireland, have drawn
inspiration when subsequently drafting their own information
security laws, as it is seen "as a robust and flexible piece of
legislation in terms of dealing with cybercrime". Several
amendments have been passed to keep the Act up to date.

Based on the ELC's recommendations, a Private Member's Bill
was introduced by Conservative MP Michael Colvin. The bill,
supported by the government, came into effect in 1990. Sections
1-3 of the Act introduced three criminal offences:

1. unauthorised access to computer material, punishable by 12
months' imprisonment (or 6 months in Scotland) and/or a
fine "not exceeding level 5 on the standard scale" (since
2015, unlimited);
2. unauthorised access with intent to commit or facilitate
commission of further offences, punishable by 12
months/maximum fine (or 6 months in Scotland) on
summary conviction and/or 5 years/fine on indictment;
3. unauthorised modification of computer material, punishable
by 12 months/maximum fine (or 6 months in Scotland) on
summary conviction and/or 10 years/fine on indictment.

The §§2-3 offences are intended to deter the more serious
criminals from using a computer to assist in the commission of a
criminal offence or from impairing or hindering access to data
stored in a computer. The basic offence is to attempt or achieve
access to a computer or the data it stores, by inducing a computer
to perform any function with intent to secure access. Hackers who
program their computers to search through password permutations
are therefore liable, even though all their attempts to log on are
rejected by the target computer. The only precondition to liability
is that the hacker should be aware that the access attempted is
unauthorised. Thus, using another person's username or
identifier (ID) and password without proper authority to access
data or a program, or to alter, delete, copy or move a program or
data, or simply to output a program or data to a screen or printer,
or to impersonate that other person using e-mail, online chat, web
or other services, constitutes the offence. Even if the initial
access is authorised, subsequent exploration, if there is a
hierarchy of privileges in the system, may lead to entry to parts
of the system for which the requisite privileges are lacking, and
the offence will be committed. But looking over a user's shoulder
or using sophisticated electronic equipment to monitor the
electromagnetic radiation emitted by VDUs ("electronic
eavesdropping") is outside the scope of this offence.

The §§2-3 offences are aggravated offences, requiring a specific
intent to commit another offence (for these purposes, the other
offences are to be arrestable, and so include all the major common
law and statutory offences of fraud and dishonesty). So a hacker
who obtains access to a system intending to transfer money or
shares intends to commit theft, or to obtain confidential
information for blackmail or extortion. Thus, the §1 offence is
committed as soon as the unauthorised access is attempted, and
the §2 offence overtakes liability as soon as specific access is
made for the criminal purpose. The §3 offence is specifically
aimed at those who write and circulate a computer virus (see
Simon Vallor) or worm, whether on a LAN or across networks.
Similarly, using phishing techniques or a Trojan horse to obtain
identity data or to acquire any other data from an unauthorised
source, or modifying the operating system files or some aspect of
the computer's functions to interfere with its operation or
prevent access to any data, including the destruction of files, or
deliberately generating code to cause a complete system
malfunction, are all criminal "modifications". In 2004, John
Thornley pleaded guilty to four offences under §3, having
mounted an attack on a rival site and introduced a Trojan horse
to bring it down on several occasions, but it was recognized that
the wording of the offence needed to be clarified to confirm that
all forms of denial of service attack are included.

R v Gold & Schifreen


Robert Schifreen and Stephen Gold, using conventional home
computers and modems in late 1984 and early 1985, gained
unauthorised access to British Telecom's Prestel interactive
viewdata service. While at a trade show, Schifreen, by doing what
latterly became known as shoulder surfing, had observed the
password of a Prestel engineer: the username was 1234 and the
password was 22222222. This later gave rise to accusations that BT
had not taken security seriously. Armed with this information, the
pair explored the system, even gaining access to the personal
message box of Prince Philip.

Prestel installed monitors on the suspect accounts and passed
information thus obtained to the police. The pair were charged
under section 1 of the Forgery and Counterfeiting Act 1981 with
defrauding BT by manufacturing a "false instrument", namely the
internal condition of BT's equipment after it had processed Gold's
eavesdropped password. Tried at Southwark Crown Court, they
were convicted on specimen charges (five against Schifreen, four
against Gold) and fined, respectively, £750 and £600.

Although the fines imposed were modest, they elected to appeal
to the Criminal Division of the Court of Appeal. Their counsel cited
the lack of evidence showing the two had attempted to obtain
material gain from their exploits, and claimed the Forgery and
Counterfeiting Act had been misapplied to their conduct. They
were acquitted by Lord Justice Lane, but the prosecution
appealed to the House of Lords. In 1988, the Lords upheld the
acquittal. Lord Justice Brandon said:

"We have accordingly come to the conclusion that the
language of the Act was not intended to apply to the
situation which was shown to exist in this case. The
submissions at the close of the prosecution case should have
succeeded. It is a conclusion which we reach without regret.
The Procrustean attempt to force these facts into the
language of an Act not designed to fit them produced grave
difficulties for both judge and jury which we would not wish
to see repeated. The appellants' conduct amounted in
essence, as already stated, to dishonestly gaining access to
the relevant Prestel data bank by a trick. That is not a
criminal offence. If it is thought desirable to make it so, that
is a matter for the legislature rather than the courts."

The Law Lords' ruling led many legal scholars to believe that
hacking was not unlawful as the law then stood. The English Law
Commission (ELC) and its counterpart in Scotland both
considered the matter. The Scottish Law Commission (SLC)
concluded that intrusion was adequately covered in Scotland
under the common law related to deception, but the ELC believed
a new law was necessary.

Since the case, both defendants have written extensively about IT
matters. Gold, who detailed the entire case at some length in the
Hacker's Handbook, has presented at conferences alongside the
arresting officers in the case.

Pakistan

A new cyber crime bill was passed in the National Assembly of
Pakistan on August 11, 2016. It will be called the Prevention of
Electronic Crimes Act 2015.
Some salient features of this Act are:

- Up to three years imprisonment, Rs1 million fine or both for
  unauthorised access to critical infrastructure information
  system or data
- The government may cooperate with any foreign government,
  foreign or international agency, organisation or 24x7 network
  for investigation or proceedings relating to an offence or for
  collecting evidence
- The government may forward to any foreign government, 24x7
  network, foreign or international agency or organisation any
  information obtained from its own investigation if the
  disclosure assists their investigations
- Up to seven years, Rs10 million fine or both for interference
  with critical infrastructure information system or data with
  dishonest intention
- Up to seven years, Rs10 million fine or both for glorification
  of an offence relating to terrorism, any person convicted of a
  crime relating to terrorism or proscribed individuals or
  groups. Glorification is explained as depiction of any form
  of praise or celebration in a desirable manner
- Up to six months imprisonment, Rs50 thousand or both for
  producing, making, generating, adapting, exporting,
  supplying, offering to supply or importing a device for use in
  an offence
- Up to three years imprisonment, Rs5 million fine or both for
  obtaining, selling, possessing, transmitting or using another
  person's identity information without authorisation
- If your identity information is used without authorisation,
  you may apply to the authorities to secure, destroy or
  prevent transmission of your information.

Conclusion

In India the government has taken steps towards framing the
National Cyber Security Policy. The policy proposes the following:

a) To facilitate collaboration between government agencies and
private cyber security solutions developers in order to optimize
and protect critical government initiatives.

b) The policy is a road map for strengthening cyber security, as it
will secure a computing framework that will inspire consumer
confidence in electronic transactions.

c) At the macro level the policy will facilitate cyber security
intelligence that will form an integral component in anticipating
attacks and quickly adopting countermeasures.

The Central and the State Governments have been authorized to
issue directions for interception, monitoring or decryption of
any information through any computer resource. Both
governments, in the interest of the sovereignty or integrity of
India, the defence of India, the security of the state, friendly
relations with foreign states or public order, or for preventing
incitement to the commission of any cognizable offence relating to
the above, or for investigation of any offence, may intercept,
monitor or decrypt, or cause to be intercepted, monitored or
decrypted, any information generated, transmitted, received or
stored in any computer resource. They can block public access to
any information through any computer resource.
The dream of keeping society crime-free will remain a dream in
India, as legislation must constantly strive to keep pace with the
fast pace of crime. Especially in a society that depends more and
more on technology, crime and electronic offences are bound to
increase, and lawmakers have to go the extra mile to keep pace
with fraudsters, as technology is always a double-edged sword that
can be used for both good and bad purposes.
We can conclude that although the cyber police have become
proactive, the rise in the number of incidents may be due to weak
law and the need for appropriate legislation for fast-track
crime.
