Let's Build a Responsible Cyber Society

How Changes in a Printed Document could amount to Hacking

Cyber Crime Complaints and Resolution Center (CCC-RAC), Bangalore recently received a complaint which brought out some interesting but subtle aspects of the Information Technology Act 2000 often missed at first glance.

The essential part of the complaint was that an online stock broking agency had taken an application form of a client in print. The manager then sent one more form which had some boxes meant for e-mail address blank and requested the client to sign and return the form. When the client asked the reason for the blank e-mail address space he was told that it is not required. Subsequently there were some disputes and when the client asked for a copy of the application form submitted by him he found that some body had entered an email address in the form which he had earlier signed without filling up the relevant portion. The e-mail address appeared to match the name of the client but was different from his genuine e-mail address. As a result of the false e-mail address some key communications that the broker's trading software generated from time to time were deposited in the wrong address and did not reach the customer. After a few months it was found that several unauthorized transactions were made in the account causing financial losses to him. Also some of the trading were in the shares of the broking firm itself which amounted to "insider Sharing" perhaps to prop up the shares of the broking firm. Thus the wrong e-mail address facilitated commission of some investment related irregularities/frauds, the adverse consequence of which could be faced by the customer.

In this incident, one of the queries raised was whether the incident reflected any offence under ITA 2000. In view of the wide ramification of the incident, we are presenting herewith some of the provisions of ITA 2000 which makes the above offence an offence under Section 66 of ITA 2000. Consequently Section 85 of ITA 2000 becomes relevant to establish vicarious liability of the Broking firm and also Section 43 of ITA 2000 to invoke a claim for damages.

Section 2(O) of ITA 2000 states as under:

"Data" means a representation of information, knowledge, facts, concepts   or instructions which are being prepared or have been prepared in a formalised   manner, and is intended to be processed, is being processed or has been   processed in a computer system or computer network. ,.and may be in any form   (including computer printouts magnetic or optical storage media, punched   cards, punched tapes) or stored internally in the memory of the computer;

The critical part of this definition is "..representation of instructions which are being prepared...in a formalised maner".. "..intended to be processed..in a computer system...and may be in any form". The inclusive explanation mentions "Computer Printouts" indicating that "Data" can be in "printed form".

The section therefore indicates that "Data" can be in printed form and if the "instruction being prepared is in a formalized manner" and intended to be processed in a computer, the printed instruction can be considered as "Data".  The membership form of the broker firm where boxes are created for data elements which may be either input by a data entry operator or scanned by a character recognition computer system therefore eminently qualifies to be called "Data".

Now Under Section 66 of ITA 2000, any "...alteration of data" knowing that it may cause wrongful harm to the customer qualifies as an offence.

Hence modification of the member application form which is in print form before the data is entered into a computer causing a wrong data to be entered is "hacking" under Section 66 of ITA 2000.

Once an offence under Section 66 is recognized to having been committed in a company, the CEO of the Company and the other operative executives will become liable under Section 85 except when they can prove that they have practiced "Due Diligence".  Hence, under the above offence the CEO and the Directors of the broking firm will be liable as if the offence under Section 66 has been committed by any of them

Further the changing of the information on the application form amounts to "Access of data" which is "Unauthorized" and hence becomes a contravention under Section 43 of the ITA 2000 also.

Additionally, in the instant case, the unauthorised trade transactions involve giving instructions to buy and sell  which also is altering data residing inside the computer and hence additionally qualifies as section 66 offence.

The victim therefore has a recourse under ITA 2000 and the Police have to take cognizance of the offence under ITA 2000.

Naavi

Nov 10, 2007

 

 

 

 

 

 

Home