. | Last week, Chennai, in India witnessed two Cyber Crimes. Firstly, many of the top IT companies in the city were inflicted with a virus identified as “fun love”. Even the so called security experts from these companies were unable to crack the infection and even Mcafee appeared to let the virus pass. The virus is expected to have caused substantial damage to data and also inflicted loss of precious man hours in these companies. Secondly, many who had registered themselves at www.appuonline.com started receiving mails redirected from the server mailsend@appuonline.com. Some of these mails were redirected with the sender’s name substituted with one of the member’s email addresses. Many received this spam mail carrying the e-mail address of the undersigned. It is possible that this was a trojan planted at the appuonline.com mail server. These incidents open up two main issues. One , the inability of the network managers to prevent an intrusion and exposing their companies to loss and legal action. Two, the weakness in our legal system which may let the culprits go scot free. In the case of appuonline.com, the site has clearly been exposed to legal action in countries where Spam is a punishable cyber crime. It is also possible that multiple cases may be filed on the site by irritated receivers of the mail as well as those intermediaries whose names have been used for sending the mails. For example, the undersigned may claim loss of prestige and reputation and seek compensation. ( even though there is no such intention as of now). Until the writing of this article, there has been no attempt from the owners of appuonline.com to apologise for the problem, which is an essential step in dealing with the crisis. This shows that a mechanism to deal with the PR problems arising out of such attacks is also not available with the site. It is possible that the owners of the site may consider themselves safe since ITA-2000 doesnot cover Spam. However it is necessary to remember that Cyber laws in most countries have a clause to make any offence punishable even if it has been committed by a foreigner. Theoretically therefore, appuonline.com is liable to be sued by a resident of some foreign country. Further, if the mail server has been hosted in say USA, the ISP is also be liable to be sued. Appuonline.com is actually a friendly site that we donot wish
be punished for the action of some Hacker or a Virus introducer. We sympathise
with them for their plight but regret that they have not acted as quickly
as they should have to stop the mails going out of their server.
Unfortunately, these companies cannot do anything significant in legal terms, since the ITA-2000 has not provided a proper mechanism to meet with such a situation. The reason is that even though Virus introduction is defined as a crime, action can be invoked only by the sufferring company against the person who has committed the crime and for such amount as compensation for the damages sufferred by them. This means that before thinking of action, the companies have to quantify the damages in financial terms and also identify the person against whom action has to be initiated. As per the current reading of the Act with the accompanying rules, the attacked company has to file a “Civil Complaint” with the appropriate authority. Practically however, it may be impossible to file a complaint in any Police Station or a Court without either quantifying the extent of damage or identifyng the defendant. The preferred course is for inviting the Ministry of Information Technology to appoint an Adjudicating officer to conduct an enquiry and provide a remedy. It is not however clear whether the Adjudicating officer would be appointed unless the crime falls under the categories mentioned in Ch 11 of the Act. Even if eventually the Adjudicating officer is able to identify the criminal ( say with the help of CBI ), the pain of going through with the case in a Civil Court will put off any company. Remedy if any cannot also come within a reasonable time to make the exercise worthwhile. More over, by the time an enquiry officer gets into the act, most of the evidence might have been lost. The criminals can therefore feel pleased that the long arm of law may not be able to reach them because the alw in India has been drafted with no understanding of the needs of the society. It is in this context that attention has to be again drawn to the need for a Computer Emergency Response Team (CERT) for India. The earlier attempt of naavi.org to draw the attention of industry leaders to come together to discuss the need drew a blank. Communications sent to Infosys, Wipro, Satyam and many others in this regard have been totally ignored. Had such a set up been in place, the experts could have moved in quickly to reduce the adverse impact of these attacks and capture vital clues before they are lost. They could then have put together a research team to crack the virus and prevent further damage. Perhaps all the industry majors are too busy making money in the short term and are not able to visualise the long term needs of the society in which they have large stakes. Perhaps a few more such attacks are required to wake them up from their slumber!!. |
. |