MCS-215: Security and Cyber Laws

IGNOU Solved Assignment Solution for 2022-23

If you are looking for MCS-215 IGNOU Solved Assignment solution for the subject Security and Cyber Laws, you have come to the right place. MCS-215 solution on this page applies to 2022-23 session students studying in MCA_NEW, MCA courses of IGNOU.

MCS-215 Solved Assignment Solution by Gyaniversity

Assignment Solution

Assignment Code: MCS-215/Assign/2022

Course Code: MCS-215

Assignment Name: Security and Cyber Laws

Year: 2022

Verification Status: Verified by Professor

 

Q1: List and explain any ten security breaches in the Cyberspace. How can these breaches be handled with the use of technology? (10 Marks)

Ans) A virtual environment or, to be more precise, an electronic medium intended to promote the exchange of ideas via electronic means might be referred to as "cyber space." Cybersecurity risks have been changing over time, and additional threats seem to be appearing every day. Although it would be impossible to list them all, the following are the most frequent security breaches that have recently been observed in cyberspace:

 

Unauthorised access: It is gaining access to a computer, network, system, or device without the consent of the people who are authorised to do so. For instance, Mr. Shyam might spy on Ms. Rita and discover the unlocking pattern she has chosen for her smartphone. Mr. Shyam then gains access to the images on Ms. Rita's mobile device without her knowledge. Unauthorised access has been made.

 

Distributed Denial of Service Attack: This attack sends a website more requests than it is able to manage, with the intention of adversely impairing how well it functions. A system or network resource is attacked in order to overwhelm it with unneeded traffic and render it unavailable to intended users. Mr. AB sets up a botnet herd that, when instructed by a command and control server, transmits massive amounts of data to a server hosting a bank website, slowing it down. This is an illustration of a denial-of-service attack on a bank.

 

Malwares: Software that is intended to damage a network or device is known as malware. It comprises Trojans, Viruses, Worms, Spywares, Ransomwares, and so forth. Botnets are groups of connected, malware-infected machines that are connected over the internet and used to carry out cyberattacks. Ransomware is a type of software that encrypts the victim's files, data, and other items before demanding a ransom to unlock the encryption or allow access to the files or data.

 

Trojan is malicious software that at first glance appears to be legitimate but is actually designed to steal from, hurt, or damage the victim's device. A virus is a harmful programme that can spread from one computer to another and is intended to interfere with the operation of the computer or device in which it is performed. A virus is a harmful programme with the ability to replicate itself and propagate via networks. Spywares are malicious programmes that are secretly placed on a victim's device to spy on and collect information about victims.


Social Engineering attacks: These attacks heavily emphasise psychologically manipulating their victims and duping them into disclosing private information. The victim is duped into responding to bogus correspondence, clicking on a harmful website, etc.

 

Phishing: By posing as a reliable entity, one can trick the victim into disclosing important information like usernames, passwords, credit/debit card numbers, etc. Phishing is a term that was inspired by fishing because, like when fishing, deceptive messages, emails, and websites are used to trick unsuspecting online users. For instance, employee Ms. CD appears to receive correspondence from the company's finance officer. The correspondence is actually being sent by a fraudster posing as a finance official.

 

Crypto jacking: It entails the clandestine mining of cryptocurrencies using the victims' devices without their consent. Cryptocurrency is a virtual currency secured by cryptography that is neither governed nor issued by a single entity. Crypto jacking affects how devices function since it wears down the target device. Malware, for instance, uses CPUs to mine cryptocurrency.

 

Exploiting vulnerability: A vulnerability is a weakness in the safeguards put in place to protect a device. The attacker makes use of such a weakness to damage the device or get access to it.

 

Cyber physical attacks: These cyberattacks affect the physical environment and violate security. This can entail turning off remotely operated devices like cameras and lights. For instance, a cyberattacker may commandeer technology-controlled water pumps and wreak havoc on property. If an attacker takes over the cooling systems of a nuclear reactor, this might do enormous damage and present a threat to national security and safety.

 

Internet of Things (IOT) attacks: Embedded devices that can send data over a network and are connected to one run the danger of being attacked by hackers who take advantage of security flaws. For instance, internet-connected fax machines may be vulnerable and have their data stolen.

 

Web Jacking: In web jacking, a word derived from hijacking, a website gets hijacked, or the attacker gains access and control of it. This take over is then used improperly to deceive website visitors or vandalise the website.


Q2: Explain the following terms with the help of an example: (20 Marks)

 

(i) Steganography

Ans) It is one of the methods for concealing sensitive information in a regular, non-sensitive file or preventing its deletion. The decoder will be at the station. Modern digital steganography involves the use of a special technique to inject data into data that is part of a certain file type, such as a JPEG image, audio, or video file, after the data has been encrypted or otherwise obfuscated. There are numerous techniques to insert the hidden message into regular data files. One method is to conceal data in bits that correspond to consecutive rows of the same colour pixels in a picture file. The output will be an image file that looks just like the original image but has noise patterns of regular, unencrypted data. This is achieved by applying the encrypted data to this redundant data in some covert manner. It can be categorised into the five main types:

  1. Steganography in text.

  2. Steganography of images.

  3. Steganography in video.

  4. Steganography for audio.

  5. Steganography over a network.

 

The advantage of this approach is that the data is doubly secure: first, it is hidden, and second, it is encrypted. As a result of this process, it becomes difficult for an individual to first find or trace the data and then decrypt it.
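A minimal sketch of hiding data in the low-order bits of pixel data, as an added example that is not part of the original solution. The cover image is a constructed byte array, the payload stands in for data that has already been encrypted, and all function names and the 4-byte length header are assumptions made for this illustration.

```python
"""Least-significant-bit (LSB) embedding in raw pixel bytes: added illustration."""
import struct

# Constructed cover "image": 64 x 64 RGB pixels as raw channel bytes.
COVER = bytes((i * 7) % 256 for i in range(64 * 64 * 3))
HEADER_BITS = 32  # assumed layout: 4-byte big-endian payload length, then payload


def _to_bits(data: bytes) -> list:
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def _from_lsbs(pixels: bytes, start: int, nbytes: int) -> bytes:
    """Rebuild nbytes from the lowest bit of each pixel byte, beginning at start."""
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[start + 8 * b + k] & 1)
        out.append(value)
    return bytes(out)


def embed(pixels: bytes, payload: bytes) -> bytes:
    """Return a copy of pixels whose low bits carry a length header and payload."""
    bits = _to_bits(struct.pack(">I", len(payload)) + payload)
    if len(bits) > len(pixels):
        raise ValueError("cover too small: one pixel byte is needed per hidden bit")
    stego = bytearray(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # only the lowest bit is overwritten
    return bytes(stego)


def extract(pixels: bytes) -> bytes:
    """Read the length header, then the payload, from the low bits."""
    if len(pixels) < HEADER_BITS:
        raise ValueError("too short to hold a length header")
    (length,) = struct.unpack(">I", _from_lsbs(pixels, 0, 4))
    if HEADER_BITS + 8 * length > len(pixels):
        raise ValueError("length header exceeds capacity: no payload in this layout")
    return _from_lsbs(pixels, HEADER_BITS, length)


def max_channel_change(original: bytes, modified: bytes) -> int:
    """Largest per-byte difference; 1 means no channel moved by more than one step."""
    return max(abs(a - b) for a, b in zip(original, modified))


def changed_bytes(original: bytes, modified: bytes) -> int:
    """How many pixel bytes differ between the two images."""
    return sum(a != b for a, b in zip(original, modified))


if __name__ == "__main__":
    secret = bytes.fromhex("8f12a7c3005e9b")  # constructed stand-in for ciphertext
    stego = embed(COVER, secret)
    print("recovered:", extract(stego).hex())
    print("max channel change:", max_channel_change(COVER, stego))
    print("bytes changed:", changed_bytes(COVER, stego), "of", len(COVER))
```

No colour channel moves by more than one step, which is why the result looks like the original to the eye, while a byte-for-byte comparison or a stored hash of the original file still shows that the image was modified.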

 

The head of the messenger was shaved, a tattoo was applied, and the messenger was sent. When the messenger's hair grew back, the recipient once more shaved the messenger's head to read the tattooed message. World War II Navaho code talkers in the U.S. Marine Corps. Osama bin Laden's pre-recorded videos, which are replayed on TV stations all over the world, include concealed messages written in disappearing ink and microdots. Attacks on September 11 in Washington, D.C., and New York City.

 

(ii) Different types of cipher used in cryptography

Ans) There are typically two different kinds of cyphers. Here are some of them:

 

Substitution Ciphers

Each letter or combination of letters is replaced with a different set of letters to mask it. The Caesar Cipher, credited to Julius Caesar, is one of the first cyphers ever discovered. For instance, assault becomes DWWDFN when using this cypher. Here, the encryption text is in capital characters, while the plaintext is in lowercase. The Caesar cypher can be slightly generalised so that the cypher text alphabet can be shifted by k letters instead of always 3. In this situation, k turns into a key to the general circular shifting method of alphabets. Below is an illustration:

 

JULIUSCAESAR Plaintext

EFGEFGEFGEFG Key EFG repeated

10 21 12 09 21 19 03 01 05 19 01 18 Plaintext, numeric

05 06 07 05 06 07 05 06 07 05 06 07 Key EFG, numeric

15 19 11 12 19 20 06 07 02 22 07 21 Cipher text (Plain XOR key)

 

A Function Based Substitution Cipher

A long, non-repeating key can be used to make a substitution cypher impossible to crack. One-time pad is the name given to such a key. A one-time pad can be created by using passages from a book that begin in a known location for both the sender and the recipient. For instance, encryption would proceed by beginning with this phrase and applying XOR to the ASCII encoding of the letters of the plaintext and the key. The cypher text's textual equivalent is not provided since it uses nonprintable ASCII characters. Reversing the procedure will reveal the message: the ASCII encoding of a letter from the plaintext is recovered by XORing each letter of the cypher text with the key's ASCII representation.

 

JULIUSCAESAR Plaintext

FOREXAMPLEST key-starting sentence (one-time pad)

74 85 76 73 85 83 67 65 69 83 65 82 Plaintext, ASCII

70 79 82 69 88 65 77 80 76 69 83 84 Key ASCII

12 26 30 12 13 18 14 17 09 22 18 06 Cipher text = Plain XOR key

 

A One-Time Pad

One-time pad cyphers are impenetrable since they provide the cryptanalyst with no useful information. One-time pads' main drawback is that the key needs to be as long as the message itself. As a result, key distribution becomes problematic because a new pad needs to be used for each communication.

 

Ciphers for transposition: While substitution cyphers attempt to conceal the plaintext symbols while maintaining their order, a transposition cypher works by rearranging the symbols. Columnar transposition is illustrated by the following example:

 

C O N S U L T    Keyword
1 4 3 5 7 2 6    Column numbers
E N C R Y P T
I O N I S P E
R F O R M E D
B Y W R I T I
N G T H E P L
A I N T E X T

Plaintext: ENCRYPTIONISPERFORMEDBYWRITINGTHEPLAINTEXT

Cipher text: EIRBNAPPETPXCNOWTNNOFYGIRIRRHTTEDILTYSMIEE

FIGURE for Transposition Cipher.
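The three worked figures above, recomputed as an added Python example that is not part of the original solution: the repeating-key XOR table, the one-time-pad XOR table, and the CONSULT columnar transposition. The transposition plaintext is read row by row from the figure's grid; the function names and the second message used to show why a pad must never be reused are constructed for this illustration.

```python
"""Recomputes the page's cipher figures (added illustration)."""


def letters_to_numbers(text: str) -> list:
    """A=1 ... Z=26, the numbering used in the first figure."""
    return [ord(ch) - ord("A") + 1 for ch in text]


def xor_repeating_key(values: list, key_values: list) -> list:
    """XOR each plaintext number with the key, repeating the key as needed."""
    return [v ^ key_values[i % len(key_values)] for i, v in enumerate(values)]


def one_time_pad(data: bytes, pad: bytes) -> bytes:
    """XOR data with the pad. The same call decrypts, because XOR is its own inverse."""
    if len(pad) < len(data):
        raise ValueError("the pad must be at least as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def column_order(keyword: str) -> list:
    """Column indices in the order they are read out: alphabetical by key letter."""
    return sorted(range(len(keyword)), key=lambda i: (keyword[i], i))


def columnar_encrypt(plaintext: str, keyword: str) -> str:
    """Write the plaintext in rows under the keyword, read it out column by column."""
    width = len(keyword)
    if len(plaintext) % width:
        raise ValueError("pad the plaintext so that the last row is full")
    rows = [plaintext[i:i + width] for i in range(0, len(plaintext), width)]
    return "".join(row[c] for c in column_order(keyword) for row in rows)


def columnar_decrypt(ciphertext: str, keyword: str) -> str:
    """Refill the columns in key order, then read the grid row by row."""
    width = len(keyword)
    height, remainder = divmod(len(ciphertext), width)
    if remainder:
        raise ValueError("cipher text length must be a multiple of the key length")
    grid = [[""] * width for _ in range(height)]
    position = 0
    for c in column_order(keyword):
        for r in range(height):
            grid[r][c] = ciphertext[position]
            position += 1
    return "".join("".join(row) for row in grid)


# Values taken from the page's figures.
PLAINTEXT = "JULIUSCAESAR"
PAD = b"FOREXAMPLEST"
GRID_TEXT = "ENCRYPTIONISPERFORMEDBYWRITINGTHEPLAINTEXT"

if __name__ == "__main__":
    print(xor_repeating_key(letters_to_numbers(PLAINTEXT), letters_to_numbers("EFG")))
    print(list(one_time_pad(PLAINTEXT.encode(), PAD)))
    print(columnar_encrypt(GRID_TEXT, "CONSULT"))

    # Pad reuse: with two messages under one pad, the pad cancels out and the
    # XOR of the two cipher texts equals the XOR of the two plaintexts.
    second = b"ATTACKATDAWN"  # constructed second message
    c1 = one_time_pad(PLAINTEXT.encode(), PAD)
    c2 = one_time_pad(second, PAD)
    print(xor_bytes(c1, c2) == xor_bytes(PLAINTEXT.encode(), second))
```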

 

The following are the other cypher types that are available.

  1. Polyalphabetic substitution cipher: In this cypher, the plaintext is encrypted using a blended alphabet, but at random intervals, it switches to a unique, unusual mixed alphabet, which is indicated by an uppercase letter in the ciphertext.

  2. Transposition Cipher: This encryption, which also goes by the name Rail Fence Cipher, alters the plaintext.

  3. Permutation Cipher: In this cypher, the plaintext's supposed locations are transferred to a uniform system, resulting in a permutation of the plaintext in the ciphertext.

  4. Private-key Cryptography: Even the attacker is aware of the plaintext and accompanying ciphertext with this cypher. A pre-shared key is required for both the sender and the recipient. The shared key is used for both encryption and decryption and is kept secret from all other parties. Examples of this kind of cypher include the DES and AES algorithms. The term "symmetric key algorithm" is another name for this encryption.

  5. Public-key Cryptography: For encryption and decryption with this cypher, two distinct keys—the public key and the private key—are utilised. While the receiver is kept in the dark about the private key, the sender utilises the public key to perform encryption. Asymmetric key algorithm is another name for this.


(iii) RSA algorithm

Ans) Three M.I.T. discoverers (Rivest, Shamir, and Adleman) are represented by these initials. They all contributed to the creation of this method, which is entirely based on number theory's modular mathematics. Because it uses two separate keys for encoding and decoding, the algorithm is asymmetric. It is one of the characteristics of modular arithmetic that multiplicative inverses can be calculated.

 

That is, given an integer $e$ in the range $[0, n-1]$, it is sometimes possible to find a unique integer $d$ in the range $[0, n-1]$ such that:

$ed \bmod n = 1$

For instance, 3 and 7 are multiplicative inverses mod 20 because $21 \bmod 20 = 1$.

It is demonstrable that an integer $e \in [0, n-1]$ has a unique multiplicative inverse mod $n$ when $e$ and $n$ are relatively prime, that is, when $\gcd(e, n) = 1$ (gcd denotes the greatest common divisor). The number of positive integers that are relatively prime to $n$ is a function denoted $\phi(n)$.

For $n = pq$, where $p$ and $q$ are prime, it can be shown that:

$\phi(n) = (p-1)(q-1)$

For a number $P$ in the range $[0, n-1]$, it is demonstrable that the equation

$C = P^e \bmod n$ (First)

is an inverse of

$P = C^d \bmod n$ (Second)

if $ed \bmod \phi(n) = 1$, where $\phi(n) = (p-1)(q-1)$.

 

Many public key algorithms encrypt data using the first equation using e and n as the key.

With d and n serving as keys, the second equation is used for decryption. Only the integer d in the decryption pair (d, n) is private because the key (e, n) is public.

 

This concept is used in RSA as well. The following method is recommended for determining n, d, and e:

  1. Pick two large primes, $p$ and $q$, each greater than $10^{100}$. Calculate $n = pq$ and $\phi(n) = (p-1)(q-1)$.

  2. Take $d$ to be a large, random integer that is relatively prime to $\phi(n)$, so that an $e$ with $ed \bmod \phi(n) = 1$ exists.

  3. Calculate $e$ such that $ed \bmod \phi(n) = 1$.

These parameters can be used to encrypt plaintext $P$ with $0 \le P < n$. If the plaintext is longer, it must be divided into strings less than $n$. The cipher text is obtained as $C = P^e \bmod n$. $C$ may then be decrypted as $P = C^d \bmod n$. The steps of the algorithm make sure that encryption and decryption are the opposites of one another.

 

RSA has not yet been broken, and its usage has greatly expanded. Factoring is probably how a cryptanalyst would get d from the known values of n and e.
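The key-generation steps and the two equations above, carried through with toy primes as an added example that is not part of the original solution. It uses p = 3, q = 11 and d = 7 so that e comes out as 3, matching the "3 and 7 mod 20" illustration; the function names and the one-letter-per-block encoding (A=1 ... Z=26) are assumptions made here, and the last function shows why real primes must be far too large to factor.

```python
"""Textbook RSA with toy primes (added illustration, not for real use)."""
from math import gcd, isqrt


def make_keys(p: int, q: int, d: int):
    """Follow the page's steps: n = pq, phi(n) = (p-1)(q-1), pick d, derive e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < d < phi or gcd(d, phi) != 1:
        raise ValueError("d must be relatively prime to phi(n)")
    e = pow(d, -1, phi)  # modular inverse (Python 3.8+): e*d mod phi(n) == 1
    return (e, n), (d, n)  # (public key, private key)


def encrypt(P: int, public) -> int:
    """C = P^e mod n, defined only for 0 <= P < n."""
    e, n = public
    if not 0 <= P < n:
        raise ValueError("plaintext block must satisfy 0 <= P < n")
    return pow(P, e, n)


def decrypt(C: int, private) -> int:
    """P = C^d mod n."""
    d, n = private
    return pow(C, d, n)


def encrypt_letters(text: str, public) -> list:
    """Split the plaintext into blocks smaller than n: here one letter per block."""
    return [encrypt(ord(ch) - ord("A") + 1, public) for ch in text]


def decrypt_letters(blocks: list, private) -> str:
    return "".join(chr(decrypt(c, private) + ord("A") - 1) for c in blocks)


def private_exponent_by_factoring(public) -> int:
    """Recover d from (e, n) by factoring n with trial division.

    This finishes instantly for a toy modulus; it is the work that becomes
    infeasible when p and q are each greater than 10^100.
    """
    e, n = public
    p = next((f for f in range(2, isqrt(n) + 1) if n % f == 0), None)
    if p is None:
        raise ValueError("n has no non-trivial factor")
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, private = make_keys(3, 11, 7)
    print("public (e, n):", public, " private (d, n):", private)
    blocks = encrypt_letters("JULIUSCAESAR", public)
    # Without random padding, equal plaintext blocks give equal cipher blocks
    # (both U's encrypt identically), so this toy use is only a substitution cipher.
    print("cipher blocks:", blocks)
    print("decrypted:", decrypt_letters(blocks, private))
    print("d recovered from the public key alone:", private_exponent_by_factoring(public))
```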

 

The best encryption method that combines symmetric and asymmetric encryption is called hybrid encryption. Each of the two has advantages and disadvantages. For example, the symmetric encryption approach is quick for massive data encryption but is less effective for identity verification. In contrast, the asymmetric encryption method is sluggish but has a public and private key pair, which is essential for online security. Currently, identity verification and speed are both requirements, which is how the hybrid encryption method came into being.


(iv) Authentication and authorisation

Ans) The term "authentication" is used (and frequently abused) in a very broad sense. By itself, it doesn't signify much other than to suggest that there are mechanisms in place to ensure that parties are who they say they are or that information hasn't been tampered with by unauthorised parties. Authentication is particular to the security goal that is being pursued. Access control is an example of a defined purpose. The host nations may not allow the channel to be private; one or both nations may desire to have the power to monitor all communications. However, Jack and Bond want proof of each other's identities as well as the accuracy and source of the information they give and receive.

 

One of the most crucial information security goals is authentication. Up until the middle of the 1970s, most people thought that secrecy and authentication were inextricably linked. Secrecy and authentication were seen to be really separate information security goals after the invention of hash functions and digital signatures. Separating the two may not seem critical at first, yet there are instances where it is not only advantageous but also necessary.

 

For instance, if Jack and Bond need to communicate when Jack is in one country and Bond is in another, the host countries may not allow for channel confidentiality; one or both countries may wish to be able to monitor all communications. However, Jack and Bond want proof of each other's identities as well as the accuracy and source of the information they give and receive.

 

The scenario above demonstrates a number of distinct features of authentication. There are two options to think about if Jack and Bond want confirmation of one another's identities.

 

There may not be a noticeable lag in communication between Jack and Bond. In other words, they are engaged in "real time" communication together.

 

Bond or Jack might be communicating with one another slowly. In other words, communications may be transmitted through several networks, then stored and forwarded at a later date. Jack and Bond would initially seek to confirm identities in real time. Jack may achieve this by posing a challenge to Bond, the only person or thing capable of answering it right.


To find Jack, Bond may do a similar action. Entity authentication is another name for this sort of authentication, as is the more straightforward phrase challenge for identity.

 

The second possibility makes it difficult to pose a challenge and wait for a response, and there may only be one way to communicate. It is now necessary to use other methods to verify the message's sender. Data origin authentication is the name given to this type of authentication. In order to ensure uniqueness, one can use data origin authentication or message authentication mechanisms.

 

The authentication process verifies users and establishes whether they are users or not, whereas the authorization process validates users and establishes if they have the necessary permissions to access the data or information. Prior to the authorization process, authentication is completed. While authorization just needs the user's privilege or security levels, authentication requires the user's login information.

 

(v) Use of Hash function in security

Ans) The cryptographic hash function, often known as a one-way hash function or simply a hash function, is one of the essential primitives in contemporary cryptography. A brief definition of a hash function is provided below.

 

Definition: A hash function is a computationally efficient function that maps binary strings of any length to binary strings of a specific length, known as hash-values.

 

Hash functions are most frequently used in cryptography for data integrity and digital signatures. A long message is typically hashed with digital signatures (using a hash function that is readily accessible to the public) and just the hash value is signed. After that, the party receiving the message hashes it and checks that the received signature matches the hash value.

 

When compared to signing the message directly, which usually entails dividing it into manageable parts and signing each one separately, this saves both time and space. It is important that it be impossible to find two messages with the same hash value: otherwise the signature on one message's hash value would be identical to that on another, and a signer could sign one message and then later claim to have signed another.

 

For data integrity, hash functions can be applied as follows. At some stage, the hash-value associated with a certain input is calculated. The integrity of this hash-value is safeguarded in some way. At a later time, to ensure that the input data has not been changed, the hash-value is recalculated using the current input and compared for equality with the original hash-value. Software distribution and virus prevention are two examples of specific uses.

 

A third use for hash functions is in prior commitment-based protocols, such as various digital signature methods and identification protocols.

 

As mentioned above, hash functions often use known public keys and are open to the public. They are known as modification detection codes when they are used to determine if the message input has been altered. These are related to message authentication codes, which are hash functions that use a secret key to offer both data integrity and data origin authentication.
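The integrity check, the keyed message authentication code, and the challenge-response exchange between Jack and Bond described under (iv) and (v), put together as an added Python example that is not part of the original solution. SHA-256 and HMAC from the standard library stand in for "a hash function" and "a message authentication code"; the shared key, the sample file contents and all names are constructed for this illustration.

```python
"""Hash for integrity, MAC for data origin, challenge-response for entity
authentication (added illustration)."""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-key-known-only-to-jack-and-bond"
RELEASE = b"installer v1.0 contents"  # constructed sample data


def digest(data: bytes) -> str:
    """Unkeyed hash-value of the input (a modification detection code)."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, stored_digest: str) -> bool:
    """Recompute the hash-value later and compare it with the protected one."""
    return hmac.compare_digest(digest(data), stored_digest)


def make_tag(key: bytes, message: bytes) -> bytes:
    """Keyed hash: only holders of the key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def origin_ok(key: bytes, message: bytes, tag: bytes) -> bool:
    """Data origin authentication: integrity plus proof the sender held the key."""
    return hmac.compare_digest(make_tag(key, message), tag)


class ChallengeVerifier:
    """Jack's side of real-time entity authentication."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()

    def challenge(self) -> bytes:
        """Issue a fresh random challenge that only the key holder can answer."""
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def check(self, nonce: bytes, response: bytes) -> bool:
        """Accept each challenge once, so a recorded answer cannot be replayed."""
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        return hmac.compare_digest(make_tag(self._key, nonce), response)


def respond(key: bytes, nonce: bytes) -> bytes:
    """Bond's side: answer the challenge using the shared key."""
    return make_tag(key, nonce)


if __name__ == "__main__":
    stored = digest(RELEASE)
    print("unchanged file passes:", integrity_ok(RELEASE, stored))
    print("altered file passes:  ", integrity_ok(RELEASE + b"!", stored))

    # If the stored hash-value is not protected, whoever replaces the file can
    # replace the hash too. A MAC closes that gap because the tag needs the key.
    swapped = b"substituted contents"
    print("swapped file + swapped digest passes:", integrity_ok(swapped, digest(swapped)))
    print("swapped file + tag made without key passes:",
          origin_ok(SHARED_KEY, swapped, make_tag(b"not-the-key", swapped)))

    jack = ChallengeVerifier(SHARED_KEY)
    nonce = jack.challenge()
    answer = respond(SHARED_KEY, nonce)
    print("first answer accepted:", jack.check(nonce, answer))
    print("replayed answer accepted:", jack.check(nonce, answer))
```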

 

Popular hashing operations include:

  1. A 128-bit hash function called Message Digest provides assurance on the validity of transmitted files. However, it is no longer used in practice because in 2004 there were successful collisions, or analytical attacks.

  2. The Secure Hash Functions family consists of the SHA-0, SHA-1, SHA-2, and SHA-3 SHA algorithms. The most recent is the Keccak algorithm, which NIST selected as the new SHA-3 standard in October 2012. It offers several advantages, including effective performance and strong attack resistance.

  3. RACE Integrity Primitives Evaluation Message Digest is known as RIPEMD. This group of hash functions, which is also referred to as a family of European hash functions, was developed by the open research community.

  4. The 512-bit hash algorithm known as Whirlpool was developed from the Advanced Encryption Standard's updated edition (AES). AES co-creator Vincent Rijmen was one of the designers.

 

Q3: Explain the security measures and security policies of an online systems. (10 Marks)

Ans) Security Measures: These security risks are destructive to an organisation because they steal, damage, or distort information kept in the system of the company. They also constantly change.

An organisation should equip itself with the necessary tools to protect itself from the security risks that are only going to get worse. There are a few other data security factors that one should be aware of in addition to the CIA triad, which serves as a security model and guide for enterprises to protect their sensitive data:

 

Access security: By limiting access to those who have been given access to information, it is possible to keep track of who has access to what data overall.

As a result, it may be simpler to find the offender in cases of data theft by looking through the periods of access granted to users.

 

Data encryption: Unencrypted data allows thieves to misuse personal information. In order to prevent the leaking of sensitive data contained in databases, data must be encrypted using specific encryption methods. Data theft is prevented when data is encrypted and only the user has access to such data and the decryption key.

 

Email security: It is a process to prevent unauthorised access to an email account and the contents within an email account. Since emails are a common platform for hackers to disseminate malware, spam, and phishing attempts, security measures including using strong email passwords and encrypting emails or communications transferred from one person to another prevent the exploitation of data. Consider WhatsApp's use of end-to-end encryption.

 

Risk-assessment analysis: When addressing issues with information security, organisations must be proactive. Finding the hazards related to the data kept in a system of an organisation is the major goal of a risk assessment. An organisation can analyse and evaluate internal and external risks to its security, confidentiality, and personal information kept in various storage media, such as laptops and portable devices, by completing a risk assessment analysis.

 

Monitor effectiveness: It is crucial for an organisation to confirm the existence of security programmes and to determine whether such security programmes oversee cyber security measures put in place to protect an organization's information or data. This is accomplished by routine information security programme testing and monitoring, which is done yearly or quarterly to determine the frequency of attacks on an organization's data.

 

Third party issues: Websites are crucial for highlighting an organization's accomplishments. As a result, businesses use third-party solutions to enhance the interactivity and usability of their websites and to provide stable connectivity for user interaction. These outside resources assist in making money for a company's website. Therefore, before granting access to third-party service providers, an organisation must take the necessary steps to confirm that those third-party service providers have implemented the strictest security measures.

 

Strong firewall: A system's firewall is a component of its cyber security measures. A firewall makes it possible to shield a system from the services and internet traffic to which it is exposed.

Anyone who utilises the internet can access these services. Therefore, firewalls make it possible to manage who has access to a system within a company, such as in the case of insider attacks that may come from a company's own network. Firewalls are required to protect networks from unauthorised access and usage, while antivirus software is used to secure files. Simply put, a firewall aids in the management of Internet traffic produced by the use of a network for business purposes.

 

Antivirus protection: Antivirus software is one way to get protection from viruses. This software is a tool created to help a business prevent, recognise, and respond to potential cyber security issues. An antivirus works by running background checks on a system to find and prevent malware-related unauthorised access as well as to shield it from potential vulnerabilities. These solutions must be deployed on computer systems since they are crucial for data security. These antivirus programmes can be used to safeguard files and data from unwanted threats on mobile devices in addition to laptops and desktop PCs.

 

Back-up regularly: Data security is intended to safeguard information that is kept on a system against unauthorised access, information destruction, and network security. Data should therefore be regularly stored and maintained somewhere safe where it cannot be accessed by anyone or violated in order to prevent data loss. Furthermore, protecting such data helps to avoid disclosing data before it has been verified and authenticated and prevents data theft, unintentional change, and release.

 

Security Policy: The National Cyber Security Policy, 2013, published by the Department of Electronics and Information Technology of the Ministry of Communication and Information Technology, was the first official action taken by the Indian government in the direction of cyber security.

 

The goal of the policy is to make the internet a secure and reliable place for the government, businesses, and people. The goal is to protect data and the framework used in cyberspace, build capacity to stop and respond to cyberattacks, and lessen damage through cooperation between institutional systems, people, processes, and technology.

 

According to Government Initiatives, the policy has employed a number of different tactics.

  1. Building a structure for assertions.

  2. Support for open standards

  3. Enhancing the administrative framework while synchronising it with international standards, conducting periodic audits, and raising awareness of the legal system

  4. Securing e-administration through the application of globally recognised practises and greater use of public key infrastructure.

 

The government of India recently established the following crucial instruments to address cyber security issues:

  1. The government started USB Pratirodh to keep an eye on removable USB storage media devices being used without authorization.

  2. Samvid restricts the execution of executable files to a pre-approved list and protects work areas against the execution of shady programmes.

  3. M-Kavach offers protection from malware-related concerns such as malware that steals user credentials and personal information, abuses Wi-Fi and Bluetooth resources, loses or steals portable devices, and unwanted/spontaneous approaching calls.

 

A tool called Browser JSGuard acts as an addition to a programme that recognises and defends against harmful HTML and JavaScript attacks. When browsing harmful websites, it alerts the user and offers a thorough threat analysis report of the website.

 

Q4: Why is Cyber laws needed? How can cyberspace be regulated? Explain the cyberspace regulation in India. (10 Marks)

Ans) In today’s techno-savvy environment, the world is becoming more and more digitally sophisticated and so are the crimes. The Internet was initially developed as a research and information sharing tool and was unregulated. As time passed, it became more transactional, with e-business, e-commerce, e-governance, e-procurement, etc. All legal issues related to internet crime are dealt with through cyber laws. As the number of internet users is on the rise, the need for cyber laws and their application has also gathered great momentum. In today’s highly digitalized world, almost everyone is affected by cyber law.

 

Regulation of Cyberspace

Lawrence Lessig makes the case in "Code and other Laws of Cyberspace" that the technology and software that create the internet's architecture, or "code," can serve as a means of governance. It is a collection of guidelines that are applied or defined in the software by the code writers and call for ongoing identity certification. James Boyle stated in "A Non delegation doctrine for the digital era" (Cited: 50 Duke L.J. 5) that internet regulation can increasingly rely on a three-pronged approach:

 

Privatization: The state can employ a private organisation to accomplish those objectives it was unable to accomplish directly and then enforce the organization's decision using legally required technological arrangements. The Clinton administration's original plan, for example, was to hold Internet Service Providers (ISPs) strictly liable for copyright violations committed by their subscribers. This would have created a private police force that was largely exempt from statutory and constitutional privacy restrictions and had strong incentives to develop cutting-edge surveillance and technical enforcement methods.

 

Propertization: He contends that efforts should be undertaken to extend and then safeguard intellectual property rights online. This will result in numerous technical enforcement strategies.

 

The system must be developed with technological controls in mind in order to incorporate the appropriate regulatory characteristics. Digital writings and music, for instance, may be personalised to a certain person. Players may have detection features built in to prevent unauthorised use of the music. Machine chips might be designed with unique IDs so that when a user browsed the internet, their computer broadcast a global ID along with a set of legal features.

 

Other technologically based laws include software that blocks websites or grading systems for Internet content. The government of Korea has started evaluating internet content. Sites that are flagged as having "material harmful to children" are required by the system to add an electronic tag that the blocking software can detect. In particular, LGBT websites are frequently restricted in Korea because the government considers them to contain material that is detrimental to children.

 

Regulation of Cyberspace Content in India

The law in India that governs the area of cyber law is the Information Technology Act, 2000. The primary goal of the Act is to give legal recognition to transactions made through electronic data interchange and other forms of electronic communication, also known as ecommerce, which use electronic alternatives to paper-based methods of information storage and communication to make it easier for people to file documents electronically with government agencies.

 

Electronic Signatures [Chapter II]: Any subscriber (i.e., the person in whose name the digital signature certificate is issued) is able to affix his digital signature to an electronic record to serve as the record's authenticator. Data records or data-generated images or sounds that are saved, received, or communicated in electronic form, on microfiche created by computer, or on microfilm, are referred to as electronic records.

 

Electronic Governance [Chapter III]: When a law specifies that information must be submitted in writing, typewritten, or printed form, sending it electronically satisfies the need for legal compliance. Additionally, if a statute calls for affixing a signature to a document, digital signatures can be used to accomplish this. Similar to this, government offices can use electronic forms to submit any forms, applications, or other documents to the authorities, as well as to issue or grant any licences, permits, sanctions, or approvals, as well as to provide any receipts acknowledging payments. Electronic records can be kept in order to retain documents, records, or information as required by law. The Official Gazette or the Electronic Gazette may publish any rule, regulation, order, bylaw, or notification.

 

However, no Ministry, Department, State Government, or Authority established by any Law may insist that a document be accepted only in the form of an electronic record.

 

Regulation of Certifying Authorities [Chapter IV]: A Controller of Certifying Authorities may be appointed by the central government to oversee the operations of Certifying Authorities.

 

Digital Signature Certificate [Chapter VII]: For the issuance of a digital signature certificate, anyone may submit an application to the certifying authority. When granting the certificate, the Certifying Authority must attest that it has complied with all of the Act's requirements.

 

Penalties and Adjudication [Chapter IX]: If someone accesses the owner's computer, computer system, or computer network without the owner's permission, downloads copies or any extracts, introduces a computer virus, or corrupts computer, computer system, or computer network data, among other things, that person is responsible for paying damages to the person so harmed in an amount not to exceed Rupees One Crore.

 

The Appellate Tribunal [Chapter X]: According to section 48 of the Information Technology Act, "The Telecom Disputes Settlement and Appellate Tribunal established under section 14 of the Telecom Regulatory Authority of India Act, 1997 shall, on and from the commencement of Part XIV of Chapter VI of the Finance Act, 2017, be the Appellate Tribunal for the purposes of this Act and the said Appellate Tribunal shall exercise the jurisdiction, powers, and authority conferred upon it by or under this Act." But the subjects and locations over which the Appellate Tribunal may exercise jurisdiction must be specified by notification from the Central Government.

 

A person who feels wronged by an order issued by the Controller of the Certifying Authority or the Adjudicating Officer may appeal it to the Cyber Regulations Appellate Tribunal, which the Central Government may create under the act.

 

Offences [Chapter XI]: Computer source code tampering and computer system hacking are punishable by up to three years in prison, a fine of up to Rs. 2 lakhs, or a combination of the two.

 

Publishing pornographic information in electronic form is punishable by up to five years in prison or a fine of up to Rs. 10 lakh, and for a second conviction by up to ten years in prison and a fine of up to Rs. 2 lakh. In 2015, the Supreme Court struck down Section 66A of the Information Technology Act, 2000, ruling that it violated the right to free speech and expression guaranteed by Article 19(1)(a) of the Indian Constitution. As a result, the Information Technology Act, 2000 was revised.

 

Q5: Explain the following with the help of suitable examples (20 Marks)

 

(i) Cybercrimes and its classification

Ans) Cybercrime is defined as crimes done online that target the victim for the purpose of carrying out the intended offence. It can hurt a victim even while they are seated at a distance, which makes it difficult to pinpoint where a specific cybercrime occurred. As previously said, there were significant changes between 1997 and 2008, which aid the judicial system in identifying the particular type of cybercrime. It just depends on which of the two is the main goal because victims in all cybercrimes are both the computer and the person using it.

  1. Example – Attacking the data and other resources on a computer is known as hacking.

  2. Example – Attacking someone's personal space is a part of stalking.

 

Because they are frequently more difficult to identify, investigate, and prosecute, cybercrimes differ significantly from traditional crimes in that they frequently inflict more harm to society. Traditional crimes committed online or with other computer technologies are included under the category of "cybercrime." For instance, when classic crimes like defamation, forgery, identity theft, terrorism, cyber-stalking, hacking, software piracy, web jacking, and bullying are performed using a computer and the internet, they are referred to as cybercrimes.

 

Based on the evidence of the offences, these two crimes also differ from one another. In classic crimes, the perpetrators typically leave behind some physical evidence of the crime, such as fingerprints. However, because cybercrime is carried out online, there is very little possibility that any tangible evidence will remain.


However, there are several general categories into which cybercrimes can be divided:

  1. Harassment, cyberstalking, deception, indecent exposure, cheating, email spoofing, fraud, etc. are all crimes against people.

  2. Viral distribution, network intrusion, unlawful access to a computer system, online theft, infringement of intellectual property, etc. are all examples of property crimes.

  3. Crimes against organisations include the dissemination of pirated software, the use of unlawful information, and cyberterrorism within government institutions.

  4. Crimes against society include child pornography, financial crimes, the sale of illegal goods, human trafficking, record-keeping fraud, and gambling.

 

 

(ii) Penalties and Compensation against cyber crimes

Ans) Sections 43 to 45 of the Information Technology Act, 2000 outline the circumstances in which the wrongdoer is required to compensate the party they have injured with damages. However, according to Section 66 of the Information Technology Act of 2000, anyone who commits one of the acts listed in Section 43 dishonestly or fraudulently faces a sentence of up to three years in prison, a fine up to five lakh rupees, or a combination of the two.

 

A body corporate is liable for compensation under Section 43A of the Information Technology Act of 2000 if it fails to protect data. A body corporate is described in this section's explanation as "any company, including a firm, sole proprietorship, or other group of people engaged in commercial or professional activity;"

 

According to the explanation, reasonable security measures are "security measures and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure, or impairment, as may be specified in an agreement between the parties or as may be specified in any law currently in effect, and in the absence of such agreement or any law, such reasonable security measures and procedures, as may be prescribed by the

 

Penalties for failure to submit information, a return, etc. are set forth in Section 44 of the Information Technology Act of 2000. They apply if any individual is obligated to do something by this Act or any rules or regulations created in its wake:

  1. If he fails to provide any document, return, or report to the Controller or the Certifying Authority, he would be subject to a fine of no more than Rs. 1,050,000 for each infraction.

  2. If a person is required to file a return or provide information, books, or other papers within the time frame stipulated in the regulations but fails to do so, he will be subject to a fine of no more than 5,000 rupees for each day that the failure persists.

  3. If he fails to keep books of accounts or records, he will be subject to a fine of no more than 10,000 rupees for each day that the failure continues.

 

The residuary penalty is outlined in Section 45 of the Information Technology Act of 2000. It covers any rule or regulation that was made in violation of this Act but for which there was no specific penalty assigned; in such circumstances, the maximum fine is 25000 rupees.

 

Adjudication

The resolution of disputes for the purpose of awarding compensation is provided for in Section 46. It gives the Central Government the authority to designate any officer, not below the level of Director to the Government of India, or an equivalent official of a State Government, as an adjudicating officer for the purpose of conducting an investigation. This officer would have the authority to decide cases if the total amount claimed for harm or damage does not exceed five crore rupees. A fair chance to offer comments on the subject and the results of the investigation must be provided. Where it exceeds $5,000,000, the appropriate civil court will have jurisdiction:

  1. According to sections 193 and 228 of the Indian Penal Code, 1860, all procedures before an adjudicating authority should be deemed to constitute judicial proceedings.

  2. For the purposes of sections 345 and 346 of the 1973 Code of Criminal Procedure, it shall be assumed to be a civil court.

  3. In terms of Order XXI of the Civil Procedure Code, 1908, it shall be deemed to be a civil court.

 

If a person does not have the explicit IT experience and legal or judicial expertise required by the Central Government, he or she shall not be qualified to be appointed as an adjudicating officer.

 

Appellate Tribunal

A special court or committee known as an appeal tribunal is established to review a judgement rendered by another court or committee. According to Section 48, the Telecom Disputes Settlement and Appellate Tribunal (established under Section 14 of the Telecom Regulatory Authority of India Act, 1997) will serve as the Appellate Tribunal for the purposes of this Act, and it will exercise the jurisdiction, powers, and authority granted to it by or under this Act as of the date the Finance Act of 2017 enters into force.

 

Section 57 outlines the appeals process. Anyone who feels wronged by a controller's or an adjudicating officer's order made under this Act may request an appeal to an appellate tribunal with jurisdiction over the situation. However, a decision reached by an adjudicating officer with the parties' agreement is final, and there is no right of appeal to the Appellate Tribunal. Every appeal must be submitted within 45 days of the aggrieved party receiving a copy of the order issued by the Controller or the adjudicating official, and it must be in the required form and include the applicable fee. The appellate tribunal may still consider an appeal if it determines that there was a good reason why it was not filed within the allotted 45 days.

 

The appeal must be handled as quickly as feasible, and every effort must be made to resolve it definitively within six months of the date the appeal was received.

 

In accordance with Section 58 of this Act, the Appellate Tribunal shall not be bound by the Code of Civil Procedure, 1908 (5 of 1908), but rather shall be guided by the principles of natural justice and shall have, subject to the other provisions of this Act and any rules, the same powers that are granted to a civil court under the Code of Civil Procedure, 1908 (5 of 1908), while trying a suit, in respect of the following:

  1. Calling someone to appear, requiring their presence, and having them submit to an oath examination.

  2. Requiring the investigation and supply of documents or other digital records.

  3. Receiving affidavit-based evidence.

  4. Issuing commissions to examine documents or witnesses

  5. Examining its judgments.

  6. Denying a default application or making an ex parte decision on it.

  7. Anything else that might be regulated.

 

There is a high court appeal option under Section 62. Any person who feels wronged by an Appellate Tribunal decision or order may appeal the decision or order to the High Court within sixty days of the date the decision or order was communicated. However, the High Court may grant an extension of time to file the appeal if it determines that the appellant was prevented from doing so for good reason. This extension cannot exceed sixty days.

 

(iii) Cyber forensic

Ans) Cyber forensics, commonly referred to as computer forensics, is the use of investigation and analytical tools to collect and preserve data from a specific computing system in a way that is suitable for legal presentation. For the purpose of rendering an expert opinion on electronic form evidence before any court or other authority, Section 79A gives the Central Government the authority to designate any department, body, or agency of the Central Government or a State Government as an Examiner of electronic evidence.

 

The process of acquiring, authenticating, analysing, and documenting evidence collected from the systems or websites used to perpetrate the crime is known as cyber forensics. Computers, networks, digital media, and storage devices are just a few examples of the technologies that could provide the investigators with useful data to investigate. Online sources could include other websites or e-commerce domains. The most popular methods in cyber forensics for obtaining digital evidence from a source, hard disc, or web domain are file carving or data carving techniques.

 

Computer forensics is vital not only because it can recover files that have been lost or deleted from storage systems and devices, but also because it can inform forensics professionals about any suspicious activity taking place or whether the systems have been compromised. Information recovery from files where the file system is inaccessible, or the file system structure is broken, has been made easier thanks to computer forensics. Files may be purposefully destroyed or, worse, formatted in the suspect's interest to hide his actions. In the modern period, where technology is a part of practically all electronic equipment, it is critical to understand how a qualified forensics professional, when called upon, can perform to expectations when gathering and presenting his evidence findings to appropriate agencies.

 

Computer forensics investigators typically examine forensic evidence in forensic laboratories or clean rooms. It is always important to preserve the integrity of the data and avoid its destruction, so it is better to choose a qualified and experienced forensics specialist to be present during the examination process. It might be a major problem since many forensics experts have their own standards and guidelines for conducting computer forensics exams. Having two sets of standards could compromise the legitimacy, credibility, and integrity of the digital evidence, which could have major consequences down the road.

 

As a result, recommendations to standardise and streamline the examination procedures had been made as early as 1991. The goal was to sand down the rough edges of the evidence-finding strategy. The International Organization on Computer Evidence and the Scientific Working Group on Digital Evidence (SWGDE) were eventually established as a result of all of these factors. Helping law enforcement agencies worldwide collaborate more closely in relation to forensics investigations became a global initiative.

 

A subfield of forensic science called "digital forensics" focuses on the recovery and examination of digital or electronic data. This information may originate from a computer system, a mobile device, a cloud service, or another source. Computer forensics, network forensics, forensic data analysis, and mobile device forensics are some of its many subdivisions.

 

Cyber or computer forensics is the use of forensic science to gather, analyse, and present digital evidence in court as well as to assist in criminal investigations. With the rise of cybercrime, this field of forensic science focuses on finding evidence on computers and other digital devices, and it is now essential for law enforcement, national security, and public safety.

 

(iv) Cybercrime investigation

Ans) Investigations into cybercrime are conducted with the aid of specialised technical equipment and abilities, without which they are almost impossible. Some provisions of the Evidence Act of 1872 and the Criminal Procedure Code of 1973 have been properly revised since the Information Technology Act of 2000's implementation. In addition to these, the Indian legal system had implemented a number of new laws to address the need for a cybercrime investigation.

 

Regarding jurisdiction in relation to cybercrimes, see Section 75. Cybercrime is a global problem, as we all know. Someone sitting in one country can commit crimes with repercussions in another. According to Section 75, regardless of the person's nationality, the provisions of this Act apply to any offence or contravention committed outside of India by anyone. This is true even if the act or conduct that constitutes the offence or contravention involves a computer, computer system, or computer network that is located in India.

 

According to Section 76, any computer, computer system, floppies, CDs, tape drives, or other similar accessories that have been or are now being used in violation of any provisions of this Act, rules, orders, or regulations imposed thereunder are subject to seizure. However, only the defaulting party will be detained if it can be demonstrated that such resources were not utilised to commit fraud.

 

Compensation, fines, or confiscation are not to conflict with other forms of punishment, according to Section 77. Compounding of offences is covered under Section 77A. Infractions under this Act that are not punishable by life in prison or a sentence of more than three years may be combined by a court of competent jurisdiction.

 

Where the accused is, as a result of his prior conviction, subject to either an aggravated sentence or a penalty of a different sort, the court shall not compound such an offence.

 

Furthermore, the court will not add charges to any offences that have been committed against women, children under 18, or those that have an impact on the nation's socioeconomic conditions. According to Section 77B, bail is allowed for offences carrying a three-year jail sentence.

 

The authority to inquire is covered in Section 78. It states that any violation of this Act shall be investigated by a police officer with at least the level of inspector. The authority of police officers and other officers to enter, search, etc., is covered in Section 80. It states that any officer of the Central Government or a State Government authorised by the Central Government in this regard may enter any public place, search anyone found there, and arrest anyone without a warrant who is reasonably suspected of having committed, committing, or about to commit any offence under this Act. This includes police officers up to the rank of inspector. When a person is detained by an officer who is not a police officer, that officer must immediately take or send the detained person before a magistrate with relevant authority or the officer in charge of a police station.

 

Q6: Explain the copyright issues in the context of digital medium, music and goods with the help of an example. (10 Marks)

Ans) The widespread use of the Internet makes it possible for any user to share information in cyberspace through a variety of social media platforms. This has given rise to a number of concerns and issues regarding piracy and counterfeit goods, which have resulted in significant financial losses and the availability of fake and pirated products in the market. The Internet "in a way offers a difficult situation for copyright holders as the users become mass disseminators of others' copyright work and causes disequilibrium between the writers and users," as Gulla, R. K., 2007 has correctly noted.

 

The reproduction right, which gives the copyright owner the sole right to control the making of a copy of the work or to provide authorization for its reproduction, is thought to be a very significant and fundamental right. The copyright owner has other rights, some of which were already mentioned. The right to communicate with the public is a part of every copyright owner's rights; however, as digital technology develops and computer systems and networks are used more frequently, the copyrighted work becomes less distinct, and when it is shared with the public, it may be infringed upon.

 

As stated in Books, Inc. v. Kinko's Graphics Corp. (1991), repetition of copyrighted material that "merely repackages or republishes the original" is unlikely to be deemed a fair use. Copyright is violated when the defendant copies CDs onto its servers without creating any new form of aesthetics or expression, instead choosing to repackage and retransmit the same expression through another medium. It was retracted in Infinity Broadcast Corp. v. Kirkwood, 2d Cir. 1998, where the court rejected the fair use defence by the operator of a service that retransmitted copyrighted radio broadcasts over telephone lines, as cited in the case UMG Recordings, Inc. 2000. In this case, the defendant, on or around January 2000, launched it using the technology "MP3," which enables rapid and efficient conversion of compact disc recordings to computer files easily accessed over the Internet.

 

In order to fulfil this promise, the defendant bought tens of thousands of well-known CDs for which the plaintiffs owned the copyrights and, without their consent, copied the recordings into its computer servers so that it could play the CDs back to its members. According to the court's ruling in this instance, the defendant's "fair use" defence is unjustified and must be rejected as a matter of law. Other affirmative defences including copyright infringement, abandonment, plaintiff's dirty hands, and estoppel are also dismissed as they are fundamentally frivolous.
