1

INTRODUCTION

“Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.”
• Marlon Brando1

According to Calicut Committee2, “The right of the individual to be protected against

intrusion into his personal life or affairs, or those of his family, by direct physical means or by
publication of information”

In the modern era, the world is shrinking in terms of information sharing and globe is
quickly converting into a global village. The cyber age has enabled us to collect information
regarding anything in just far seconds and most importantly information can be accessed and
shared within seconds irrespective of the place where the individual is sitting and the place form
where the information are being collected. Gone are the days when it used to take weeks and
months to send and collect the information through postal services. Now days the cyber world is
ruling the roost for information exchange. Its growth even in distant villages is increasing by
leaps and bounds. However, it is natural phenomenon that every thesis has an antithesis and
every system and technology is liable to be misutilised and abused by those who find fun and
innovation in abusing the technology. Similarly in the cyber space, abuse and mis utilisation of
the technologies is becoming rampant. It has compelled the government to enact the legislations
like Information Technology Act 2000 however due to the very nature of the information
technology the effective implementation of the Act is very difficult. Since cyber net is spread
world over, it is very difficult to identify the actual culprit and to bring him before justice. In the
modern context privacy and security of the information have become a burgeoning issue.
Recently there was news that China has tried to infringe the data security of the government
computers of India and tried to remove the information from there. Such developments are
initiating the era of cyber conflict at the international level and due to lack of effective norms it
is very difficult to reach at the conclusive position on such conflict. Besides this, there are
thousands of instances of the breach of individual privacy through internet and emails. Hacking
1
American motion picture and tage actor, 1924 – 2004
2
The Calcutta Committee, Report of the Committee on Privacy and Related Matter, 1990, p. 7
 2

is though given the status of an offence nevertheless it has always been very difficult for
authorities to catch the real culprit and bring him to the justice.

PROTECTION OF PRIVACY IN THE INTERNET AGE

 3

The growing use and enhance enhancements of the technologies in the information age
has brought us to stand before the new dangers related with the privacy and secrecy of
individuals and organisations. The cyber world in the internet age has shaken the very
foundations of secrecy and there have been cases when the privacy has been infringed through
computers and internet and the secret information have been leaked. Now there are established
technologies using which the data regarding people can be manipulated as well as can be
modified by entering into other’s domain. The practices commonly used on the internet like,
cookies, web bugs, hacking, spamming, could lead to the violation of privacy. In this mad
rush, one of the important aspects of human life that is privacy has been ignored to a point of
oblivion. Irrespective of the society or the culture people are concerned about their privacy and
always put strong opposition to acts of violation of privacy. There is a growing perception that
what measures can be taken on the part of the government protect the privacy of the
individuals in the faceless and body less cyber world so that the privacy of the individuals vis-
a-vis that of the nations and organizations could be protected. The growing concern also draws
our attention towards the issue of extent that th e authorities are free to use personal data
and from what sources? As it is evident that there are free available data on the
internet that can be publicly used be it for the academic purposes or the non academic
ones. Government websites and databases those are prone to be misutilised and interfered with by
the external sources sitting outside the contours of the national boundaries.

The issue of privacy in the light of above mentioned issues regarding privacy is of prime
importance since privacy is something that has got intimate relationship with some of the
important rights such as freedom of association and freedom of speech.

There are often the issues where people think that privacy means to hide something
from the world at large however the statement is not true had loose water in one goes into deep
debate on the issue. Privacy has nothing to do absolutely with hiding something from the
world at large rather the other face of the privacy can be understood as the psychology to grow
one own personality in a place where no one has got anything to interfere with the person
concerned. Privacy is a basic human right and the reasonable expectation of every person
and radical change in the means of communication and communication networks, the
 4

need for privacy and its recognition as a ‘right’ has come to the forefront. In the information
and communication revolution (ICR), privacy in cyberspace can be free of interpretation and
intrusion and where one can control the time and manner of disclosures of personal
information but it requires cumulative efforts of the sovereign nations at large and a joint effort
so that the privacy could be maintained vis-a-vis the free flow of information could be promoted
and protected.

PERSONAL DATA PROTECTION

The importance of the personal data protection can be understood from the text of the
Netherlands Minister of the Interior and Kingdom relations where he quoted those terroristic
 5

actions and its offenders. New forms of automated data-analysis will be used like the search
on profiles and the recognition of patterns of behaviour by data-mining. Therefore large
databases with personal data of non-suspects must be searched. Recent inventions and
business methods call attention to the next step which must be taken for the protection of
the person, and for securing to the individual what Judge Cooley calls the right “to be let
alone”.

Data protection is one of the essential rights and needs to be preserved in digital age
as it was protected in the traditional societies. There must be open discussions for threats to
society are it internal and external, but constitutional rights such as privacy must be placed at a
greater value and platform of great value in a democratic society and must be available for all
individuals on an equal basis. In a digital society, new developments are taking place, but in
essence it seems that not much has changed concerning the threats towards privacy in
general and the validity of the fundamental essence of this right. Photographs and print
media activities are invading the sacred annexes of private domestic life and even such type of
devices have been invented which are capable of infringing the privacy of the computers and that
of the data stored in the personal computers. There is a growing debate that there must be
adequate laws to protect the individuals privacy in the cyber space so that the information gathered
2
are not leaked to the world at large be it the print media or the electronic one. Warren and
Brandeis saw the threats to privacy developing out of modern society of more than 100 years
ago, and stated that privacy was a dynamic concept capable to be adapted to the needs and

values of individuals and institutions be it a nation or a organisation.3 Clarcke concept of

privacy in the following dimensions:

Privacy of the individual- It is commonly referred to as to as ‘bodily privacy’. It is basically

concerned with the integrity of the individual’s own body. Debates like compulsory
immunization, blood transfusion without consent, narco-analysis and compulsory provision of
samples of body fluids and body tissue, and compulsory sterilization are such areas of the

3
A.F. Wetin, Privacy and freedom, 1967, New York 1967, p. 7.
 6

law which fall under the above category.

Personal Behaviour: The issue of the privacy to the personal behaviour relate the growing
debate of the privacy with activities such as religious practices, both in private and in public
places. Media privacy is the commonly referred term for the privacy of the personal
behaviour.4

Privacy of personal communications: The freedom to communicate freely has been recognised
as one of the most important aspects of the free functioning of the democratic institutions. When
one talks about the personal privacy of the communication; it must be jept in mind that the right
to free communicate includes communication not only with the people who are face to face
rather with those people who are sitting in other distant places and in the modern cyber age even
those people whom we often have seen for ever rather know only through the modern tools of
internet. Individual must be able to exercise substantial degree of control over that data and its
use. This is sometimes referred to as ‘data privacy’ and ‘information privacy’.
According to Clarcke, particularly since the 1980s, with the close coupling occurring between
computing and communications, the last two aspects i.e privacy of personal communications and
personal behaviour are closely linked. Term “information or informational privacy” as the
summation of the above two terms, can be of the more useful notation for the above two added
ideas.

Converging technologies have enabled an enormous increase in data collection and

processing, Now a d a y ’ s n o t only data are stored in not only data bases e.g., Google,
customer databases, social networking, e-community sites, loyalty schemes, CCTV images),
but also, new types of data have appeared, such as location data (mobile phones), Internet
surfing data, identification data (RFID), and DNA data (like geographic ancestry), that
traditionally were not generated or processed. Now days it has become much easier to process
and use data, through tools like digitization, automated recognition, data sharing, and
profiling.5 Data collection can be done through unidentifiable aerial photography,

4
Paper by Roger Clarcke, National Univerity of Autralia, www.anu.edu.au/people/Roger.Clarke/DV/Privacy.html
5
ecurity Application for Converging Technologie Impact on the contitutional tate and the legal order’, Telemetric
Intitute, Encheda, Report TI/R/2007/039, p. 109
 7

miniature cameras, directional microphones and micro sensors, ‘smart dust’, using more senses
than sight and sound olfactory sensors, chemical ‘cameras’. All these new developments are
capable of influencing the personal lives as well as the security of nation in the present cyber
age. With reference to the issue that sensitive aspect in surveillance can be done by the
authorities, it is also important to concentrate on sensitive personal data, as mentioned under
the third point. Alan Westin’s concept focuses on this conception of privacy: privacy is the
claim of individuals, groups or institutions to determine for themselves when, how and to
what extent information about them is communicated to others.

CYBER PRIVACY AND THE INTERNET SOCIETY

The cyber age has broken all the geographical barriers and the world has been converted to the
global village. In the modern verandas of the cyber world, now days the term “glocal” i.e. a
combination of global world being local is ruling the roost. This ‘global village’, in the
cyberspace, is now full with new risk, and challenges the very essence of individual privacy.
 8

Protection of potential of powerful computer systems promoted demands for specific rules
governing the collection and handling of personal information. The genesis of modern
legislation in goes back to the ‘Europe’s 1981 convention’ for the protection of individuals with
regard to the automatic processing of personal data and the organization for economic
cooperation and development’s (OECD) guidelines governing the protection of privacy and
trans border flows of personal data7, set out specific rules describe personal information as data.

Beyond the legislative efforts ‘Privacy Impact Assessment (PIA)’, is an analytical technique
that is attracting interest in many policy quarters. However, there are other strategies as well as
players in the present field of the cyber age. It includes pressure-group activity by privacy
advocates and civil society groups, and the media, citizen and consumer education. In the 1981
OECD Guidelines, the 1981 Convention of the Council of Europe and the European Union’s
Data Protection Directive 95/46/EC, and the principles were laid down to protect the data
enlisted in the influential documents were listed. Till March 2004, thirty-seven of the Council’s
forty-five members had signed the Convention, and thirty-one had ratified it, signifying that they
have incorporated its principles into national law, allowing citizens of one country to seek
redress in another. The OECD Guideline Convention sought to establish an equivalent level of
protection among contracting parties, assuring the free movement of personal data among them.
The enactment of the first UK Data Protection Act in 1984 is an important example of the effect
of above convention in the domestic legislations. The European Council has also adopted many
influential privacy- related recommendations in a range of practices and technologies, and has
developed a ‘Model Contract’ for international data flows in the present cyber space.

The OECD has also promulgated guidelines for the security of information systems
(OECD 1992) and for cryptography policy (OECD 1997), the latter after years of intense
controversy over the export of cryptographic products. A complementary telecommunications
privacy directive was adopted in 1997 (EU 1997) based on the general Directive; this was
repealed and replaced by an electronic communications Directive in 2002 (EU 2002).
 9

CURRENT TRENDS

One of the compelling reasons that require safeguarding privacy rights is the notion that personal
information is specific of property. Hence an individual is well within his rights to protect or
control any flow of information about him and is legally entitled to protection just akin to
property ownership.6 Although India has no specific data protection laws, the ambit of ‘Personal

6
Arthur Millar, “The Aault on Privacy; Computer, Data Bank and Doier” 1971 p.211
 10

liberty’ stands covered by the constitution of India, art. 21 which has been successful interpreted
in plethora of cases dealing with the question of right to privacy (7) and protection of confidential
information.

The debate over protected privacy over internet has led to the emergence of many
technological and legal changes in this sphere, for instance public key cryptography
mathematical inventions that created protocols for protecting privacy and integrity of messages
in complex transaction, sociological revolution brought about by privacy activist and the
incentive to draft separate legislation pertaining the rights in India. The need to draft the same
highlighted by the certain breach of confidentiality cases specially the emphasis BPO fraud and
other similar cases. Harmonisation of technology, a well networked global policy community
and uniform legal guidelines of personal data flow in the EU and outside EU are underway.

Many experts feel that privacy is difficult to measure and define and could vary from jurisdiction
to jurisdiction. This also presents a big challenge in creating a harmonisation of privacy rights.8

PROTECTION OF CONFIDENTIAL INFORMATION AND TRADE SECRETS

Confidential information in the context of personal data and use of internet would compromise
many different things. For instance confidential information could mean pertaining to an item of
software code or personal information of a person or a trade secret. In most jurisdictions,
software codes stand protected by specific legislation or by the law of contacts or under common
law of torts. Usually in case of breach of confidential information a remedy is sought by
initiating proceeding for breach of confidence or breach of trust and relief is granted through a
suit for injunction or damages.

It is well-settled that information imparted in confidence stands protected if there is a breach

of good faith and confidence. The courts restrain the use of it and awards damages for any loss
caused due to breach of confidential information. This is a basic principle of equity that he who
has received the information of confidence shall not take unfair advantage of it. He must not
make use of it to the prejudice of the person to give it without obtaining his consent.

7
Govind v tate of Madhya Pradeh (1975) 2 CC 148
8
Article 12; Univeral Declaration Of Human Right 1948; Article 17,ICCPR
 11

A trade secret includes a method of conducting business, a method of production not protected
by a patent, financial structuring of the undertaking, information like the billing rates and
turnovers of a business. There is also general application of legal principle of confidence implied
in a contract.

The duty of maintaining confidence or trust results from equitable obligations of confidence
which may even be implied from the circumstances of the cases. In identifying the confidential
information four elements must be present.

1. The information must be information release of which owners believes will be injurious
to him or of advantage to his rivals or others

2. The owner must believe that the information is confidential or secret .

3. The owners under two previous heading must be reasonable

4. The information must be judge in light of the usage and practice of particular industry or
trade concerned.

To succeed in an action for breach of confidence , the plaintiffs need to prove following
things-

1. The information has the necessary quality of confidence about it

2. The information must have been imparted in circumstances imparting an obligation of

confidence

3. There must be unauthorised use of that information to the detriment of the party
communicating it.

There are certain exceptions to the breach of confidence as public interest, national security 9,
and breach of law, statutory duty or fraud. Wherever there is strong public interest in disclosure
of matter, the courts do not hold such disclosure as breach of confidence. Remedy for breach of
confidence consists of an injunction and damages and delivery up wherever applicable.

9
ection 69, Information technology Act 2000; ection8, Right to Information Act, 2005
 12

The damages or compensation is determined based on market value of confidential

information on basis of notional sale between a willing seller and a willing purchaser.

EMPLOYEE PRIVACY RIGHTS

Employee’s privacy is considered one of the most important issues facing companies today. This
is so because no longer is employee privacy relegated to the employer ‘monitoring their
workers’ performance by observing production lines, counting sale orders, and simply looking
over employees shoulder. Instead, employers now have the capability to monitor their employees
through electronic means, including computers and e-mail, these developments of sophisticated
technology is greatly expanding the advanced and highly effective methods by which employers
monitor at workplace.10 There is often a debate about whether employers have the right to look at
employees e-mails and whether employers have a right to privacy to restrain such intrusion
activities.

Many employees may feel that their communications through e-mail are password protected
and they can access and delete any message and hence communicate in private, this in most
cases is a misconception .The employers can indulge into several types of monitoring like
follows:

Performance Tracking: Here, the employer can take screenshots to know what his employees
are doing, how much time they dedicate to work, and how productive they actually are.

Computer searches: computers provided by employer are personal but not private . so
employees should not except privacy in computer.

Monitoring Calls: Employers can monitor calls of employees to ensure quality. To keep a check
on that, employers can monitor calls.

Monitoring Mails: for preventing employees from indulging into offensive writings, spreading
rumours’ employers can review e-mails.

SOME COMMON OFFENCES

10
Larry O NAtt GAnnt, II, ‘An Affront to Human Dignity; Electronic Mail Monitoring in the Private ector Work
Place’, Harvard Journal of Law and Technology, 1995, pp.345
 13

Some of the most prevalent instances of misuse are:

1. Sending offensive messages

2. Online chatting and instant messaging

3. Surfing pornographic sites

4. Unproductive downloads

5. Breach of confidentiality

6. Browsing social networking sites

Employers can protect against liability for infringement of their employees private rights by
giving express notice to the employees of electronic surveillance practices in an organisation and
do that in a manner that describes the employees understanding of the policies also the employer
should limit the enquiry to matters associated to workplace and the ability of an individual to do
their job.

CURRENT DATA PROTECTION LAWS IN INDIA

India does not currently have a specific data protection law. 11 Data protection and privacy are
given scattered and rather sparse coverage by existing laws. The existing data protection laws,
discussed in some detail below, are strewn in laws pertaining to information technology,
intellectual property, crimes, and contractual relations. Under increasing pressure from BPO
operations and call centers in India that handle large volumes of data from the United States and
Europe, the Indian government is contemplating the passage of a comprehensive law protecting
11
Andy McCue, Offhore Data Protection Law Flounder, ILICON.COM, May 3, 2005, http://
www.ilicon.com/reearch/pecialreport/offhoring/0,3800003026,39130054,00.htm
 14

data.12 Despite the urgency of the matter and pressure from internal and external fronts, India has
delayed enactment of legislation for several years.13 At this point, it appears likely that India's
Information Technology Act of 2000 will be amended to incorporate laws that provide
comprehensive protection to data.14 This approach, which continues to be discussed as the
probable solution to India's data protection dilemma, does not entail enactment of a separate
comprehensive law to deal with data security and privacy issues across all industries, as has been
the case with the European Union.

Until such time as India enacts adequate data protection laws, the current laws in India are
the only protection offered for data privacy violations. These existing laws, including the IT Act
of 2000 which is the most pertinent since it pertains specifically to the use of computer data have
their shortcomings, which are discussed below. Unlike the Directive, which imposes liability on
each participant within the chain of command who failed to protect the sanctity of the data,
India's existing laws only prosecute those individuals who directly violate laws related to
computer systems or copyright. Entities are exempt for breaches of data privacy, unless such a
violation was made knowingly. Unlike the Directive, which protects data breaches by limiting its
collection and use, the Indian laws do not specify conditions under which data can be collected
and used. Where liability may be found by stretching the existing laws to cover breaches of data
privacy, penalties afforded to victims are inadequate in a transnational context. The existing
Indian laws and their deficiencies are addressed in further detail below.

IT Act of 2000

Section 43(b) of the IT Act of 2000, affords cursory safeguards against breaches in data
protection.15 The scope of Section 43(b) is limited to the unauthorized downloading, copying or
extraction of data from a computer system: essentially unauthorized access and theft of data

12
Id.
13
An amendment to the IT Act of 2000, offering enhanced protection to data, wa cloe to enactment in 2004, after 7
year in the making; unfortunately thi propoed amendment wa helved due to a change of India' Central Government.
McCue, Offhore Data.
14
The Information Technology Act, 2000 (the "IT Act of 2000"), No. 21, Act of Parliament, 2000, available at
http:// www.mit.gov.in/itbillonline/it_framef.ap.
15
IT Act of 2000, No. 21, 43(b).
 15

from computer systems.16 Section 43(b) is limited in scope, and fails to meet the breadth and
depth of protection that the E.U. Directive mandates. The law creates personal liability for illegal
or unauthorized acts, while making little effort to ensure that internet service providers or
network service providers, as well as entities handling data, be responsible for its safe
distribution or processing. Furthermore, the liability of entities is diluted in Section 79 of the
Act, which inserts "knowledge" and "best efforts" qualifiers prior to assessing penalties.17 A
network service provider or intermediary is not liable for the breach of any third party data made
available by him if he proves that the offence or contravention was committed without his
knowledge, or that he had exercised all due diligence to prevent the commission of such offence
or contravention.18 Similarly, while Section 85 of the Act does invoke entity liability, such
liability is limited to the specified illegal acts under the IT Act of 2000, which does not offer
broad protection of data.19 Section 85 does extend liability to key employees (managers,
directors, officers, etc.) of the company for intentional or negligent acts that result in a breach of
the specific violations under the IT Act of 2000.20

With regard to damages available in the event of a breach of data privacy, Section 43(b) is
deficient in that the maximum penalty for this breach is monetary compensation in the paltry
amount of approximately $220,000.21 The maximum monetary damages available for a breach,
which can potentially be worth several times more, is clearly inadequate in a transnational
context. The law makes no differentiation based on the intentionality of the unauthorized breach,
and no criminal penalties are associated with a breach of Section 43(b). The more limited crimes
of computer hacking and tampering are considered criminal offenses under the IT Act of 2000:
Section 65 offers protection against intentional or knowing destruction, alteration, or
concealment of computer source code.22 Section 66, while offering no clear language that
protects personal data, offers limited protection when personal data is destroyed, deleted or

16
Id.
17
Id. 79.
18
Id.
19
Id. s 85
20
Id. s 85(2)
21
IT Act of 2000, No. 21, ss 43(b), 43(h).
22
Id. s 65.
 16

altered.23 Both Sections 65 and 66 are punishable with criminal penalties including jail time of
up to 3 years or a monetary penalty of up to $440,000.24 Although Chapter XI of the IT Act of
2000 specifies criminal penalties for a laundry list of illegal acts, no such recourse is available
for the broad realm of breaches of personal data security. In addition to the protections discussed
above, Section 72 of the IT Act of 2000 offers some protection for breaches of confidentiality
and privacy.25 Non-consensual disclosure of confidential information is punishable by
imprisonment for up to 2 years, or a maximum fine of approximately $220,000.26

In contrast to the IT Act of 2000, the E.U. Directive envisions much broader violations
associated with breach of data security than does the limited sphere of the IT Act of 2000. As
described previously, the E.U. Directive provides for protections in the entire chain of control of
data and creates systems of security and associated penalties within the various stages of data
processing.27 For instance, the Directive prescribes limits to the collection of personal data,
requiring that a purpose for the data collection be articulated. 28 The Directive also requires that
data must be obtained by lawful and fair means and, where appropriate, with the knowledge or
consent of the data subject; personal data should be relevant to the purposes for which they are to
be used, and, to the extent necessary for those purposes, should be accurate, complete and kept
up-to-date.29 The 1980 Guidelines on the Protection of Privacy and Trans-border Flows of
Personal Data promulgated by the Organization for Economic Cooperation and Development
(the "OECD") are also instructive, demonstrating that a large void exists in India's IT Act of
2000.30 A reformation of the IT Act of 2000 should encompass the principles contained in the
Directive, and the parallel OECD principles related to limitation of data collection, data quality,
specified purpose, use limitation, security safeguards, individual participation and
accountability.31
23
Id. s 66,
24
Id. ss 65, 66.
25
Id. s 72.
26
IT Act of 2000, No. 21, s 72.
27
Id.
28
Id
29
Id
30
Organization for Economic Co-operation and Development ("OECD"), Information security and Privacy,
Guideline on the Protection of Privacy and Tran-Border Flow of Personal Data,
http://www.oecd.org/document/18/0,2340,en_ 2649_34255_1815186_1_1_1_1,00.html (lat visited Aug. 6, 2010).
31
See also Organization for Economic Cooperation and Development, Information security and Privacy, Guideline
on the Protection of Privacy and Tran-Border Flow of Personal Data, http://
 17

Further, in matters of transnational data protection, the IT Act of 2000 is deficient in that
jurisdiction for cases arising out of violations lies in India. A special tribunal is established by
the Central Government, and all matters arising out of the IT Act of 2000 are within the
jurisdiction of this Cyber Appellate Tribunal.32 While the IT Act of 2000 is diligent in
establishing a tribunal headed by a qualified judicial officer, the difficulty in accessibility to this
tribunal is stark in a transnational setting.33 Injured parties who are non-residents of India would
have to adjudicate disputes in a foreign jurisdiction, incurring the related expense and
inconvenience thereof. The limited parties from whom recourse can be sought, limited
circumstances under which remedy may be established, and the limited nature of the damages is
even more bare when the avenues for recourse and compensatory sums are viewed from a
perspective of third party nationals.

Additional Sources of Legal Protection in India

In addition to the scattered provisions of the IT Act of 2000, the Indian criminal laws and
intellectual property laws afford limited protection for personal data. As illustrated below, these
provisions contain many gaps making the overall existing data protection scheme in India
inadequate. Given this sparse and scattered protection, the most prevalent mode of data
protection is contractual arrangements between the data collector, the transferee, and the data
subject. These additional data protection regimens are addressed below.

Indian Criminal Laws

The Indian criminal laws do not specifically address breaches of data privacy. Under the existing

www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html (lat visited Oct. 16, 2010).

32
IT Act of 2000, No. 21, ss 48-64.
33
Id. ss 46, 47.
 18

Indian Penal Code, liability for such breaches must be inferred from tangentially related crimes.
For instance, Section 403 of the Indian Penal Code imposes criminal penalty for dishonest
misappropriation or conversion of "movable property" for one's own use.34 Movable property has
been defined as property which is not attached to anything, and not land. Although no
jurisprudence has developed on this interpretation, arguably, movable property encompasses
computer-related data and intellectual property.35 Wrongful misappropriation of data, or
conversion for one's own use may, under this interpretation, be punishable as a crime in India.

In addition, Indian Penal Code Section 405 provides criminal penalties for criminal breach of
trust. Section 405 provides that:
Whoever, being in any manner entrusted with property, or with any dominion over
property, dishonestly misappropriates or converts to his own use that property, or dishonestly
uses or disposes of that property in violation of any direction of law prescribing the mode in
which such trust is to be discharged, or of any legal contract, express or implied, which he
has made touching the discharge of such trust, or willfully suffers any other person so to do,
commits 'criminal breach of trust.'36 Liability under Section 405 extends to employees and
agents of the violator, and the crime is punishable by imprisonment and/or fine.37 Section 424
of the Indian Penal Code provides criminal liability for dishonest or fraudulent concealment
or removal of property.38 Accomplice liability is also envisioned, with jail and fines imposed
on the first party or accomplice.39 Section 420 of the Indian Penal Code may also offer some
protection for failure to adequately protect data. Section 420 pertains to dishonest delivery of
property to a third person.40

While it was not likely envisioned at the time of enactment that the criminal laws referenced
above would be used to offer protection for misuse of data, given the importance of the data
processing industry to the Indian economy and seriousness of the harm from breaches in data
34
India Pen. Code, No. 45 of 1860, s 403.
35
Id. s 22 (defining "movable property" a "corporeal property of every description, except land and thing attached
to the earth or permanently fastened to anything which i attached to the earth.").
36
Id. s 405.
37
Id.
38
Id. s 424.
39
Id.
40
India Pen. Code, No. 45 of 1860, s 420.
 19

privacy, Indian courts may extend the protections offered by these criminal statutes. The
adequacy of the remedies under India's criminal laws in a transnational context remains
questionable, as is the case with the remedies under the IT Act of 2000.41 Similarly, jurisdictional
issues remain problematic--the cost, delay and inconvenience associated with foreign nationals
bringing actions in Indian courts offsets the availability of the recourse.42

Intellectual Property Law Protection

Computer software (including computer programs, databases, computer files, preparatory design
material and associated printed documentation, such as users' manuals) have copyright
protection under Indian laws. Computer programs per se are not patentable, being patentable
only in combination with hardware.43 Thus in India, by past practice and under current laws,
copyright is the preferred mode of protection for computer software.

A 1994 amendment of the Copyright Act of 1957 brought sectors such as satellite
broadcasting, computer software and digital technology under Indian copyright protection. 44
Protection of intellectual property rights in India was considerably strengthened in 1999. In
addition to major legislation pertaining to patent and trademark laws, the Indian Copyright Act
of 1957 was amended to make it fully compatible with the provisions of the Agreement on
Trade-Related Aspects of Intellectual Property Rights (the "TRIPS Agreement"). Known as the
Copyright (Amendment) Act, 1999 (the "Indian Copyright Act"), this Act came into force on
January 15, 2000.45

The Indian Copyright Act prescribes mandatory punishment for piracy of copyrighted matter
commensurate with the gravity of the offense. Section 63B of the Indian Copyright Act provides
that any person who knowingly makes use on a computer of an infringing copy of computer
program shall be punishable for a minimum period of six months and a maximum of three years

41
IT Act of 2000.
42
Id.
43
India Patent (Amendment) Act, 2005, No. 15, Act of Parliament, 2005, s 3(k)
44
Copyright (Amendment) Act, 1994, No. 38, Act of Parliament, 1994, s 2.
45
Copyright (Amendment) Act, 1999, No. 49, Act of Parliament, 2000.
 20

in prison.46 Fines in the minimum amount of approximately $1,250, up to a maximum of

approximately $5,000 may be levied for copyright infringement of computer software. An
enhanced penalty is available for second or subsequent convictions--imprisonment for a
minimum term of one year, with a maximum of three years, and fines between $2,500 and
$5,000.47 As with penalties under the IT Act of 2000, these penalties are inadequate in a
transnational context.

In addition to the strengthening of copyright laws, a number of measures have been taken in
the past few years to strengthen the enforcement of copyright laws in India. Such measures
include education and building awareness of copyright issues in the public sector (through state
government offices and Central Government ministries), as well as in private business (including
company stakeholders, enforcement agencies, professional users like the scientific and academic
communities and members of the public). The government has initiated a number of seminars
and workshops on copyright issues. Workshop participants include law enforcement personnel
as well as representatives of industry organizations. Enhanced and specialized programs have
been established to give law enforcement officials training in copyright issues. Judicial officers
have been selected and trained to deal with these intellectual property violations.

Contractual Relations

Private contractual terms have been used as a means for filling the gap left by the IT Act of
2000 and other laws in India. Until a tighter data protection legal regime is in place, the U.S. and
other countries outsourcing to India are relying upon contractual obligations to impose
obligations for protecting and preserving data. There is growing recognition within the out-
sourcing industry that contractual obligations do not provide the most efficient or effective
recourse. In the event of a breach of the security of data, getting effective remedy under the
contractual obligations is time consuming and often insufficient. Contractual recourse can be
sought only against the contracting party in violation of the contracted terms; the actual wrong-
doer may not be liable in damages or for criminal penalties. Having appropriate statutory
protection with associated penalties, sanctions, damages and other remedies would likely act as a
46
India Copyright Act, 1957, No. 14, Act of Parliament, 1957, ss 63A-B.
47
Id.
 21

more appropriate deterrent against the breach of data privacy.

Reform of Indian Data Protection Regime

The Indian system of data protection can be best described as a web: many protections are
offered through various sources and the web traps some violations, but gaps and holes remain
through which others slide through. In order to address the inadequacies of the IT Act of 2000
and the miscellaneous laws providing protection of data, Indian businesses and the Indian
government drafted amendments which would fill the voids. Although passage of the amended
law covering data protection was anticipated in 2004, the proposed legislation was shelved due
to a change in government in 2004. Whether the IT Act is amended, or alternative legislation
enacted to protect the sanctity of transferred data, the new laws must offer effective enforcement
in order to conform to the "adequacy" norms of the Directive and the Safe Harbor privacy
principles of the U.S. After the new rules are in force, India will enter discussions with the E.U.
to get recognition as a country that offers an adequate level of protection for personal data.

Enactment of law that facially provides protection is but one step in the fight to maintain the
sanctity of data. Even if satisfactory data protection laws are in place in India, the real question
in assessing the adequacy of the law is whether these laws will be effective in deterring wrongful
data piracy. Two issues are examined in this context. The first general issue is whether
punishment deters crime. If it is concluded that appropriate sanctions do prevent and deter crime,
the second issue is whether wrongful appropriation of data will be prosecuted in India
sufficiently so as to be a deterrent. If the Indian enforcement system is found inadequate,
alternative enforcement processes must be established to prosecute violations of data privacy. A
system of specialized courts instituted in India to prosecute cyber infringement cases, including
data privacy violations, is essential for this purpose.
 22

CYBER CONFLICT AND INTERNATIONAL LAW

Cyber warfare is a new type of weapon that has the potential to alter modern warfare
significantly. Computer technology has advanced to the point where military forces now have
the capability to inflict injury, death, and destruction via cyberspace.48 Cyber warfare can range
from relatively innocuous web vandalism to severe attacks on critical national infrastructure.49
While the temporary deactivation of government web pages may represent little more than a
nuisance, the threat of misinformation spread to military commanders in the field, or a concerted
attack on a state's electric, water, communications, transportation, or fuel networks represents a
serious risk to both soldiers and civilians. The infiltration of state information networks and the
procurement of classified data--commonly called computer espionage-- also fall within the
spectrum of cyber warfare, and are made easier by the increased dependence of state agencies on
electronic communications.

Despite the potential lethality of cyberwarfare, the practice currently exists in a legal

48
Davi Brown, A Propoal for an International Convention to Regulate the Ue of Information ytem in Armed
Conflict, 47 HARV. INT'L L. J. 179, 180 (2006).
49
Walter Gary Harp, “Cyberpace And The Ue Of Force” 132 (1999).
 23

netherworld.50 The highly destructive scenarios, as well as the potential use of cyberwar
techniques in asymmetrical warfare, underscore the need for an unambiguous standard of
conduct for cyber warfare that will be universally recognized and respected.51 Whether cyber
warfare constitutes a use of force giving rise to the right of self-defense therefore represents an
important question in international law.52

Modern law on the use of force is based on article 2(4) of the United Nations (U.N.) Charter
(Charter); however, the precise definition of what constitutes the use of force is unclear.53
Neither the Charter nor any international body has defined the term clearly.54 Attempts to define
cyber warfare within the meaning of article 2(4) have strained traditional interpretations
further.55 Analysis of the acceptability under the jus ad bellum, the body of international law
governing the use of force as an instrument of national policy, of cyber warfare centers on the
Charter's prohibition of the use of force in article 2(4), its Chapter VII security scheme, the
inherent right to self-defense codified in article 51, and customary international law as
established by the behavior of states.56

While a considerable body of international law applies to the use of force by states, its
application to cyberspace is not always obvious and many questions remain surrounding
precisely how international law relates to cyber warfare. After a brief look at the history of cyber
warfare, this Comment initially seeks to answer a threshold question: what constitutes a use of
force in cyberspace? Discussion addresses the related questions of what qualifies as an armed
attack in cyberspace, and whether certain acts of cyber warfare could constitute a per se use of
force. Once the key prescriptions on the use of force are identified, the discussion moves to the
right to use force in self-defense, and the circumstances when a state may legally invoke the

50
The Mouse that Roared, THE ECONOMIT ONLINE, Sept. 5, 2007,
http://www.economit.com/daily/new/diplaytory.cfm?tory_ Id=9752625&frc=nwl
51
Brown, Supra note 49, at 180-81.
52
Eric Talbot Jenen, “Computer Attack on Critical National Infratructure: A Ue of Force Invoking the Right of elf
Defene,” 38 TAN. J. INT'L L. 207 (2002)
53
Jason Barkham, “Information Warfare and International Law on the Use of Force”, 34 NYUJ Int’l L & Pol 57
54
Id. at 70.
55
Id. at 57; See also Raymond C. Park & David P. Duggan, Principle of Cyberwarfare, Proceeding of the 2001
IEEE Workhop on Information Aurance and ecurity (June 5-6, 2001)
56
Michael N. Schmitt, Computer Network Attack and the Ue of Force in International Law: Thought on a
Normative Framework, 37 COLUM. TRANNAT'L L. 885 (1999)
 24

right. Conclusions in the analysis include the assertion that the prevalence of cyberwarfare will
require either an expansion of the application of the article 2(4) definition of the use of force or
the development of new means of addressing the threat.

Cyberwarfare, Treaty Law, and International Norms

In 1999, the U.S. Department of Defense produced a document that examined the range of
treaties and international law that might pertain to the conduct of cyberwarfare, supplementing
the various U.S. laws guiding the conduct of warfare in general and U.S. government conduct in
cyberspace.57 The assessment concluded first that the international community is unlikely to
promptly produce a coherent body of law on the subject.58 Second, no clear legal remedies exist
to address the type of cyberwarfare operations being considered by the United States.59 Third, the
document recommended analyzing the various elements and circumstances of any particular
planned operation or activity to determine the applicability of existing international legal
principles.

A number of existing international treaties suggest norms which could ultimately be used to
regulate cyberwarfare.60 The International Telecommunications Convention (ITC), for instance,
prohibits harmful interference with telecommunications.61 While the effectiveness of the treaty is
limited by its state security exception, the creation of a norm analogizing network space to
airspace could prove vital to the development of international law in cyberspace.62 Of course, a
violation of the ITC does not constitute a per se use of force within the meaning of article 2(4) of
the Charter and therefore does not necessarily generate the same opposition within the
international community as other clear-cut acts of aggression.63

Another potentially relevant international legal document is the Agreement on the Prevention
57
Stephen HILDRETH CRS REPORT FOR CONGRESS, CYBERWARFARE 16-17 (2001) available at
http://www.fas.org/irp/crs/RL30375.pdf
58
HILDRETH, Supra note 58, at 9.
59
Id
60
Barkham, Supra note 54, at 95.
61
Id.
62
Id. at 95-96.
63
Id. at 96.
 25

of Dangerous Military Activities, signed by the United States and the Soviet Union in 1989. This
treaty prohibits harmful interference with enemy command and control systems, therefore
suggesting a possible emergent norm that could designate cyberwarfare attacks as a use of
force.64

In the 1990s as the concept of cyberwarfare first began to receive widespread attention from
the media, there were some efforts within the international community to negotiate an
agreement. Russia tabled a resolution in the U.N.'s First Committee in October 1998 in an
apparent effort to get the U.N. to focus on the subject.65 The resolution included a call for states
to support their views regarding the advisability of elaborating international legal regimes to ban
the development, production, and use of particularly dangerous information weapons.66 The
initiative, however, found little support among the international community, and was never
submitted to the General Assembly for a plenary vote.67

As a result of the failure of the international community to produce a directly applicable

international agreement key legal issues regarding cyberwarfare remain unresolved.68 These
include, for example, the need for standards informing the expeditious pursuit of those violating
the law, law enforcement needs in the conduct of electronic surveillance of those launching
cyberattacks, and the establishment of clear and appropriate rules of engagement for cyber
defense activities.69

Cyberwarfare and International Law on the Use of Force

Any number of purposes might motivate a state to conduct cyberwarfare and regardless of
the aim the normative evaluation by the international community will center on whether the
cyberattacks, both offensive and retaliatory, constituted a wrongful use of force, or threat

64
Id.
65
Id.
66
Id.
67
Id.
68
Barkham, Supra note 54, at 96-97.
69
Id.
 26

thereof, in violation of international law.70 In order to define cyberwarfare effectively, the

international community must come to some consensus on the meaning of such activities within
the penumbra of the Charter, specifically article 2(4) regulating the use of force, and article 51,
which outlines the right of self-defense.

Article 2(4) of the Charter expresses the key prescription in international law regarding the
use of force.71 The provision states that "[a]ll members shall refrain in their international
relations from the threat or use of force against the territorial integrity or political independence
of any state, or in any other manner inconsistent with the Purposes of the United Nations." 72
Given this analytical framework, the dispositive question is whether an act constitutes a use of
force.73 The Charter clearly outlaws the aggressive use of force, while recognizing a state's
inherent right of individual and collective self-defense in article 51. Accordingly, if a state
activity constitutes a use of force within the meaning of article 2(4), it is unlawful unless it is an
exercise of that state's inherent right of self-defense.

While the precise definition of what constitutes the use of force is unclear, some of the
parameters are well-defined.74 For instance, conventional weapons attacks are included within
the article 2(4) definition.75 Furthermore, cyberattacks intended to directly cause physical
damage to tangible property or injury or death to human beings are reasonably characterized as a
use of armed force and, therefore, en-compassed in the prohibition.76 Conversely, despite
attempts by developing states to include economic coercion within article 2(4) during the
drafting of the Charter, such practices have been expressly excluded.77 Thus, analysis based on
either the text of article 2(4) or the history underlying its adoption requires an interpretation
excluding economic, and for that matter political, coercion from the article's prescriptive
sphere.78
70
Schmitt, Supra note 57, at 900.
71
Id.
72
U.N. Charter, art. 2, para. 4.
73
Schmitt, Supra note 57, at 904.
74
Barkham, Supra note 54, at 70.
75
Id.; Schmitt, Supra note 57, at 904.
76
Schmitt, Supra note 57, at 913.
77
M. Antolin-Jenkin, Defining the Parameter of Cyberwar Operation: Looking for Law in all the Wrong Place?, 51
NAVAL L. REV. 132, 134-35 (2005); Barkham, Supra note 54, at 70-71.
78
Schmitt, Supra note 57, at 905.
 27

The potential application of article 2(4) to cyberwarfare creates serious interpretive

difficulties for the existing distinction between force and coercion.79 Including all cyberwarfare
actions within the definition of use of force would require a major expansion of article 2(4). 80
Such an expanded definition of the use of force would make it very difficult to continue to
exclude acts of coercion from article 2(4) because international law would have to distinguish
cyberattacks that do not cause physical damage, such as electronic incursions and block-ades,
from acts of economic and political coercion, such as economic sanctions, which traditionally
and specifically have been excluded from article 2(4), but which may often have the same
effect.81 The dilemma lies in classifying cyberattacks that do not cause physical damage, or do so
indirectly, vis-á-vis the prohibition on the use of force.82

In an attempt to solve this classification impasse, Michael Schmitt delimits economic and
political coercion from the use of armed force by reference to six criteria: 1) severity, 2)
immediacy, 3) directness, 4) invasiveness, 5) measurability, and 6) presumptive legitimacy.83
Through this scheme, the consequences of the act of cyber warfare are measured against
commonalities to ascertain whether they more closely approximate consequences of the sort
characterizing armed force or whether they are better placed outside the use of force boundary. 84
According to Schmitt, this technique allows the force "box" to expand to fill gaps resulting from
the emergence of coercive possibilities enabled by technological advances without altering the
balance of the current framework.85 Instead, the expansion of the use of force definition is cast in
terms of the underlying factors driving the existing classifications.86

Applying Schmitt's technique, in determining whether an a cyberattack falls within the more
flexible consequence-based understanding of force, the nature of the act's reasonably foreseeable

79
Barkham, Supra note 54, at 84.
80
Id.
81
Id. at 84-85.
82
Shmitt, Supra note 13, at 913.
83
Id. at 915.
84
Id.; Antolin-Jenkin, Supra note 78, at 170.
85
Schmitt, Supra note 57, at 915.
86
Id.
 28

consequences are assessed to determine whether they resemble those of an armed attack.87 If the
consequences resemble those of an armed attack, extension of the use of force prohibition to the
act is justified.88 If not, wrongfulness under international law would have to be determined by
resort to prescriptions other than those prohibiting force.89

An even less onerous, purely result-oriented test represents another potential framework for
determining whether specific acts of cyber warfare constitute a use of force.90 Under the strict
results-oriented approach no difference exists between an attacker firing a missile at a target or
using a computer to remotely cause physical damage.91 If a cyberattack achieves the same result
that could have been achieved with bombs or bullets, it will be treated the same under
international law governing the use of force.92 The problem with the result-oriented approach to
cyberattacks is that it blurs the distinction excluding economic coercion from the traditional use
of force classification characterized by armed attacks, since economic coercion could also serve
as the proximate cause of disruptive or destructive effects.93

Cyber warfare and the Self-Defense Exception

Under the Charter, there are two exceptions to the prohibition on the use of force: Security
Council action pursuant to article 42, and individual or collective self-defense under article 51. 94
Legal scholars disagree on the current state of customary international law as it relates to the use
of force in self-defense and the proper interpretation of article 51.95 Article 51 of the Charter
states:
Nothing in the present Charter shall impair the inherent right of individual or
collective self-defence if an armed attack occurs against a member of the United Nations,
until the Security Council has taken the measures necessary to maintain international
87
Id. at 915-16.
88
Id. at 916.
89
Id.; ee alo Antolin-Jenkin, Supra note 78, at 170
90
Barkham, Supra note 54, at 86.
91
Brown, Supra note 49, at 187.
92
Id.
93
Barkham, Supra note 54, at 86.
94
M. Condron, “Getting it Right: Protecting American Critical Infratructure in Cyberpace,” 20 HARV. J. L.
TECH. 403, 413 (2007).
95
Condron, upra note 95.
 29

peace and security. Measures taken by Members in the exercise of this right of self-
defence shall be immediately reported to the Security Council and shall not in any way
affect the authority and responsibility of the Security Council under the present Charter
to take at any time such action as it deems necessary in order to maintain or restore
international peace and security.96

The scope of article 51 represents the subject of considerable controversy among international
legal scholars.97 Some scholars interpret article 51 strictly, arguing that a state may not act in
self-defense until that state has suffered an armed attack.98 According to this reading, a state
could not act in anticipation of an armed attack.99 Nevertheless, a great many states take the
counter-restrictionist view and support the proposition that in certain circumstances it may be
lawful to use force in advance of an actual armed attack. 100 Legal scholars supporting the latter
stance argue that article 51 incorporates customary international law as articulated by the
Caroline standard, allowing anticipatory self-defense.101 As defined by then Secretary of State,
Daniel Webster in the Caroline case, this point in time occurs when the "necessity of that self-
defence is instant, overwhelming and leaving no choice of means, and no moment for
deliberation."102

Under the jus ad bellum paradigm, a state response to an armed attack must meet three
conditions to qualify as self-defense: necessity, proportionality, and immediacy.103 To fulfil the
principle of necessity the state must attribute the attack to a specific source, characterize the
intent behind the attack, and conclude that the state must use force in response. 104 The principle
of proportionality requires that the force used in the response be proportional to the original

96
U.N. Charter art. 51.
97
Barkham, Supra note54, at 74; Condron, Supra note 95, at 412-13.
98
Condron, Supra note 95, at 412; See also Barkham, Supra note 54, at 74-75
99
Condron, Supra note 95, at 412.
100
Anthony C. Arend & Robert J. Beck, “International Law And The Ue Of Force: Beyond The Un Charter
Paradigm” 79 (1993).
101
Condron, Supra note 95, at 412-13
102
Letter from Secretary of state, Daniel Webter, to Lord Ahburton (Aug. 6, 1842) available at http://
www.yale.edu/lawweb/avalon/diplomacy/britain/br-1842d.htm.
103
Condron, supra note 95.
104
Id.
 30

attack.105 The requirement of immediacy prohibits a response from occurring after too much time
has passed.106 With regard to immediacy as a general criterion, however, no requirement exists
for defensive action to be exercised (or risk forfeiture), immediately following an armed
attack.107

Attribution and characterization are especially important in context of cyber warfare.108

Generally, the international law of self-defense does not justify acts of active defense across
international borders unless the provocation can be attributed to an agent of the nation
concerned. Given the opportunities cyberspace creates for the remote commission of attacks and
attacker anonymity, perpetrators of cyber attacks are likely to go unidentified. Attribution helps
to ensure that a state does not target an innocent person or place. 109 Furthermore, a state must
attribute an attack because the laws governing a permissible response vary depending on whether
the attacker is a state actor or a non-state actor.110 The article 2(4) prohibition on the use of force
generally applies only to states and not to individuals.111 States, therefore, are prevented under
international law from threatening or using force against each other, while similar acts by
individuals fall under the province of domestic criminal laws.112

While it is difficult to discover the identity of the attacker, identifying his or her intent in
time to take preventive action represents an equally problematic and potentially more important
task.113 In order to respond with force, a victim state must first identify the attacker's intentions
as hostile.114 Unlike conventional kinetic warfare, the instantaneous nature of a cyber attack
deprives the victim state of the opportunity to preemptively contemplate a response.115 As a
solution, Walter Gary Sharp has proposed that all states should adopt a rule of engagement that
allows them to use force in anticipatory self-defense against any identified state that
105
Id
106
Condron, supra note 95, at 414.
107
T.D. Gill, “The Temporal Dimenion of elf-Defence: Anticipation, Pre-emption, Prevention and Immediacy,” 11
J. CONFLICT & ECURITY L. 361, 369 (2006).
108
ee DOD OGC, upra note 15, at 22.
109
Condron, supra note 95, at 414.
110
Id.; Jenen, supra note 53, at 232-33.
111
Jenen, supra note 53, at 232
112
Id. at 232-33.
113
Id. at 235.
114
Id.
115
Id.
 31

demonstrates hostile intent by penetrating a computer system which is critical to their respective
vital national interests.

Analysis

Existing attempts at defining cyber warfare within the current jus ad bellum paradigm fail to
offer adequate safeguards from cyber attacks.116 The technology inherent in cyber warfare makes
it nearly impossible to attribute the attack to a specific source or to characterize the intent behind
it.117 Furthermore, acts of cyber warfare occur almost simultaneously.118 A legal system that
requires a determination of the attacker's identity and intent does not account for these features
of the digital age. The current international paradigm therefore limits the options available to
states, making it difficult to effectively respond without risking a violation of international law.
Restraining a state's ability to respond will encourage rogue nations, terrorist organizations, and
individuals to commit increasingly severe cyber attacks.119

Serious flaws exist in Michael Schmitt's consequence-based framework for analyzing cyber
warfare under article 2(4). By using presumptive legitimacy as a factor, Schmitt's approach
requires determining the legitimacy of an attack under international law by asking whether the
attack is legitimate. In effect, the approach is backwards.120 Furthermore, unlike other types of
warfare, instances of cyber warfare cannot be assessed readily at the time of the attack to
determine their magnitude and the permitted responses.121 This problem will arise with any
framework that requires an ex post analysis, including the aforementioned results-oriented
approach.122

To address the unique nature of cyber warfare, international law should afford protection for
states who initiate a good-faith response to an attack, thus acting in cyber self-defense, without

116
Condron, supra note 95, at 414.
117
Condron, supra note 95, at 415; Jenen, supra note 53, at 232.
118
Condron, supra note 95, at 415; Jenen, supra note 53, at 239- 40.
119
Jenen, supra note 53, at 228.
120
Id.
121
Barkham, supra note 54, at 86; Jenen, supra note 53, at 239-40.
122
Barkham, supra note 54, at 86.
 32

first attributing and characterizing the attack.123 State survival may depend on an immediate,
robust, and aggressive response; therefore international law should not impose an inflexible
requirement on states to fully satisfy the traditional necessity requirements when acting in self-
defense of vital state interests.124 The law should evolve to recognize a state's inherent right to
self-defense, including anticipatory self-defense, in response to a cyber attack, especially when
the attack targets critical national infrastructure.

Allowing a state to exercise active defense measures in response to an attack on critical

national infrastructure, without incurring liability, represents a preferable governing principle to
the treatment of cyber warfare under the existing jus ad bellum paradigm.125 In order to delineate
this exception to the usual rule governing the use of force, the international community should
promulgate a list of critical national infrastructure that a state may protect with active defense
measures. If the critical infrastructure identified on the list were subjected to a cyber attack, a
state could respond in presumptively good-faith self-defense without first attributing or
characterizing the attack to the level of specificity required under the traditional formulation.126
Such an exception would not fundamentally alter the jus ad bellum framework, but would
instead allow the state to exercise its inherent right of self-defense in response to a novel threat.

123
Condron, supra note 95, at 415.
124
Id.; Jenen, supra note 53, at 239-40.
125
Condron, supra note 95, at 416.
126
Condron, supra note 95, at 416.
 33

CONCLUSION

Technology effects change. It changes individual and institutional possibilities. It alters our
culture, economics, and politics. The new communications technologies are transforming our
society, propelling us further into the Information Age. And as we accelerate into this new era,
we slam into new problems or old ones that have morphed into unrecognizable shapes. One such
problem is information privacy, which the coming cyberspace threatens.

Internet which came as a boon for the mankind has enlarged its scopes and has engulfed
almost each and every aspect of the life of the modern people. It raises three main questions in
the judicial system of every question i.e. it infringes the right to freedom of speech and
expression, it infringes the right to privacy which is the foundation of every modern society and
the intellectual protection laws conflict with it. Now, it depends upon the creativity of judiciary
and executive as to how they reconcile the foundation based rights with the modern rights which
emanated from the internet regime. Apart from this it also raises a number of fundamental
questions when we try to see the problem from an international angle. Today the cyber terrorism
and internet warfare are the new means of “war” in this cyber world. Now will this kind of
warfare will constitute a use of force of not is a subjective question which will be determined
according to the need of the modern society and will be decided consensual by the nation states.
The U.N. Charter was written before the internet existed and, therefore, cyber warfare presents a
unique challenge to traditional definitions of what constitutes a use of force. Despite this
difficulty, the serious and pervasiveness of the threat demand that the international community
come to a consensus on both the meaning of cyber warfare within the jus ad bellum paradigm,
 34

and the options available to states subjected to cyber attack. Serious threats to international peace
will result unless states have the ability to respond in self-defence to cyber attacks without being
restrained by outdated interpretations of international law governing the use of force.

Though different countries have tried to legislate their domestic laws as per the existing
international contours of the cyber world, despite the fact every effort of the world at large is
facing challenges of the cyber world since the very character of cyber technology pose a
challenge before the legislators to meet the ever growing needs. The cyber conflicts have not
only threatened the individual privacy rather it is capable of violating the international contours.
There have been various incidents due to which the cyber securities of countries like India have
been challenged and it has also created problems of international conflict. It is true that need of
the hour is to strengthen the cyber legislations however it is also true that the proposed cyber
legislations can be effective only if the executors of the law are properly trained to utilise the
existing laws.
 35

SUMMARY

1. Cyber law connotes all the existing legal and regulatory aspects of network of networks
covering wide area like e-governance, e-commerce, cyber contraventions and cyber
offences. Information Technology Act is the exhaustive legislation on the cyber
technology and its use. The cyber legislation seeks to provide the remedies for the
contemporary problems of the cyber world. It has provisions against the unauthorised use
of data using the cyber technology.
2. Cyber Terrorism refers to organised cyber attack including use of cyber tools like
Botnets, Malicious code, DDOS. These result in immense pecuniary and strategic loss to
the government and its agencies.
3. In India, government has enacted Information technology Act 2000 to meet the
challenges of the cyber conflicts. The Act tries to comprehensively define the offences
like spamming, hacking, cookies, fishing etc. nevertheless it is also true that new areas of
the cyber abuse are coming on the fore and posing new challenges before the legislators.
4. The cyber warfare is the new dimension of abuse of cyber technology not only this now
espionage have been increasing at the international level threatening the national security
and enhancing the threat of the international conflicts. In India, the 2009 Amendment to
the IT Act, 2000 is the concrete law on the subject. It codifies the ingredients of cyber
terrorism and prescribes life imprisonment as punishment for such crimes.
 36

REFERENCES

INTERNATIONAL CONVENTIONS AND DOMESTIC LEGISLATION

• Univeral Declaration Of Human Right 1948;
• ICCPR
• Copyright (Amendment) Act, 1994, No. 38, Act of Parliament, 1994.
• Copyright (Amendment) Act, 1999, No. 49, Act of Parliament, 2000.
• India Copyright Act, 1957, No. 14, Act of Parliament, 1957.
• India Patent (Amendment) Act, 2005, No. 15, Act of Parliament, 2005.
• India Penal. Code, No. 45 of 1860.
• Information security and Privacy, Guideline on the Protection of Privacy and Tran-
Border Flow of Personal Data
• Organization for Economic Co-operation and Development ("OECD"),
• Right to Information Act, 2005
• U.N. Charter.

ARTICLES & JOURNALS:

• A.F. Wetin, Privacy and freedom, 1967, New York 1967, p. 7.
• Andy McCue, Offhore Data Protection Law Flounder.
• Anthony C. Arend & Robert J. Beck, “International Law And The Ue Of Force: Beyond
The Un Charter Paradigm” 79 (1993).
• Arthur Millar, “The Aault on Privacy; Computer, Data Bank and Doier” 1971 p.211.
• Davi Brown, A Propoal for an International Convention to Regulate the Ue of
Information ytem in Armed Conflict, 47 HARV. INT'L L. J. 179, 180 (2006).
• Eric Talbot Jenen, “Computer Attack on Critical National Infratructure: A Ue of Force
Invoking the Right of elf Defene,” 38 TAN. J. INT'L L. 207 (2002).
• Jason Barkham, “Information Warfare and International Law on the Use of Force”, 34
 37

NYUJ Int’l L & Pol 57.

• Larry O NAtt GAnnt, II, ‘An Affront to Human Dignity; Electronic Mail Monitoring in
the Private ector Work Place’, Harvard Journal of Law and Technology, 1995, pp.345.
• M. Antolin-Jenkin, Defining the Parameter of Cyberwar Operation: Looking for Law in
all the Wrong Place?, 51 NAVAL L. REV. 132, 134-35 (2005).
• M. Condron, “Getting it Right: Protecting American Critical Infratructure in
Cyberpace,” 20 HARV. J. L. TECH. 403, 413 (2007).
• Michael N. Schmitt, Computer Network Attack and the Ue of Force in International
Law: Thought on a Normative Framework, 37 COLUM. TRANNAT'L L. 885 (1999).
• Paper Roger Clarcke, National Univerity of Autralia.
• Raymond C. Park & David P. Duggan, Principle of Cyberwarfare, Proceeding of the
2001 IEEE Workhop on Information Aurance and ecurity.
• Stephen, HILDRETH CRS REPORT FOR CONGRESS, CYBERWARFARE.
• T.D. Gill, “The Temporal Dimenion of Self-Defence: Anticipation, Pre-emption,
Prevention and Immediacy,” 11 J. CONFLICT & ECURITY L. 361, 369 (2006).
• Walter Gary Harp, “Cyberpace and the Ue Of Force” 132 (1999).