Vishalakshi, Faculty of Law, Banaras Hindu University.
IDENTITY THEFT AND SOCIAL MEDIA: A DETAILED ANALYSIS OF LAWS AND PROTECTION
21st Century has lead the revolution in technology. Humans are living in the era of internet and the world has shrinked to data now-a-days. With the advancement of information technology, today, everything is possible in just a single click. People sitting in any corner of the world can meet, see and talk to other persons sitting in other corner of the world. People can visit virtually all across the world and even in the space. A single click can let the person know what’s happening in other parts of the world. Everything is available on the internet and it has become the second home of 99% of the world’s population. One cannot imagine one’s life without internet today and even if one wants to, it cannot be done because everything has shifted on internet. From virtual offices to e-banking, from virtual classes to exams, from virtually meeting loved ones to virtually travelling, from virtual shopping to virtual treatments, everything is on and because of internet only. This revolution has many advantages. Just two decades ago, it was impossible for common man to think that, he can talk to other person sitting hundreds of miles away from him just the way he is talking to the person sitting right next to him. Nobody could have thought that messages can be sent to other persons within a fraction of second and can be talk to them face to face. Nobody could have thought that beauty of the world could be seen and experienced without travelling and shopping can be enjoyed even at mid-night without going out of home. It was just beyond the thinking of a common man that one can be taught without going to schools and money can be withdrawn without visiting to banks as well. Information technology made everything possible. But as it is said, excess of everything is bad and leads to destruction. So, is in the case of internet.
Data1 is the real power and treasure today. The one who has knowledge of data is the most intelligent person. The one who stores data is the richest and most powerful person. The rampant usage of internet has lead destruction of privacy of world. No doubt, internet has made lives easier but at the same time it has made the life and privacy of the man open to threat and terrorism. It can be invaded by anyone, anytime. The one who has knowledge how to optimize the data and how to use software can attack into anyone’s life without his permission and knowledge. Privacy no more exists and we are being followed by invisible eyes everywhere, what we do, what we search, what we talk, our passwords, our bank and other personal details everything is being recorded. Even our physical conversation is being listened by someone. Whole world is in a trap called data and have been confined to a place called internet.
CYBER CRIME AND IDENTITY THEFT
The internet is way more dangerous than what is seems to be. Human are being controlled by those who know how to use data. Just like physical crimes, criminal activity can be targeted by using computer, computer network or a network device as well through internet. Such crimes that involve usage of data are called cybercrimes and the persons committing cybercrimes are referred as cyber criminals. Cybercrime is the most crucial crime faced by the world and are more catastrophic than the wars.
Cybercrime affects both the real and virtual body and includes hacktivist protests, harassment, theft and extortion, money laundering, stalking etc. Cybercrimes are done by accessing the information of the victim in unauthorized manner and by breaking security like privacy, password etc. of anyone. Though there are various types of cyber crimes but the most common of all is the cyber theft. Almost 99% of the cybercrime on internet is carried by the means of theft which is called as cyber theft. Cyber theft includes identity theft, password theft, theft of information, etc.
Identity theft/fraud is the fastest growing and most common white-collar crime which has affected almost every person using the internet, in insidious way. When someone illegally either by fraud or deception obtains and uses another person’s data for stealing money or getting other benefits by pretending to be that other person, it amounts to identity fraud. The data can also be used by the offender to commit any other crime by using other person’s data or identity or to tarnish that person’s public image. And the person whose identity is used suffers various consequences such as monetary loss, loss of reputation in the society and sometimes they are held responsible for the perpetrator’s actions, which may cause mental trauma to them.
“For example, they might use the credit card information to run up huge bills, forcing the credit card firms to suffer large losses, or they might sell the information to others who can use it in a similar fashion. Second, they might use individual credit card names and numbers to create new identities for other criminals. For example, a criminal might contact the issuing bank of a stolen credit card and change the mailing address on the account. Next, the criminal may get a passport or driver’s license with his own picture but with the victim’s name. With a driver’s license, the criminal can easily acquire a new Social Security card; it is then possible to open bank accounts and receive loans—all with the victim’s credit record and background. The original cardholder might remain unaware of this until the debt is so great that the bank contacts the account holder. Only then does the identity theft become visible”.2
Facebook, Instagram, Gmail etc. have become most common places for the population today. These social networking sites can be said to be the second home of the world. On these sites, all the major information such as the phone number, email address, photo, birthdate etc. is asked while creating an account. Today, the world is so engaged in creating their social image that they have forgotten that they are being followed by invisible eyes. This information can be used to clone the identity in order to attack the public image, monetary status via online banking systems and online credit card processing or as a tool to blackmail that owner of identity. Identity theft can also be used to facilitate some bigger crimes such as illegal immigration, terrorism and espionage. In such cases, it is very difficult to track the person impersonating as firstly, online transaction provides a kind of anonymity and privacy to an individual and secondly these crimes are committed using Dark Web or Dark Net.
Dark web is a part of internet that isn’t visible to search engines. Dark net is encrypted online content that is not indexed by the conventional search engines hence, the offender cannot be traced by normal software. Only some special software can be used to track the person. All forms of cybercrimes and white-collar crimes takes place on Dark web. One can buy the credit card number, all the illegal drug and arms business is carried on dark web. The counterfeit money, hacked Netflix accounts, stolen login credientials of bank accounts, usernames, passwords etc. can be brought through the dark net software that break into other person’s account without being tracked.
TECHINIQUES THROUGH WHICH IDENTITY THEFT IS COMMITTED
Phishing and Smishing
Whenever any website is opened to search anything, the users are asked to provide their email id and mobile number. Normally, just to avoid that interface, users without reading the terms and conditions, without checking that whether that website is authentic or not, write down their email ids and mobile numbers. And this gathered information is used by those websites to mail and message by the users, different ads and promotions. Sometimes, fake mails such as Congratulations! You have won XYZ amount or You can get a Car by clicking on this link etc. is sent to them. Users blindly click on those links and fill the required information such as bank account number etc. They fall in trap by believing on such deceptive mails which is sent to them to gather their sensitive information.
This act of gathering sensitive information by sending deceptive emails to the recipient through fake accounts is called Phishing. These emails are often spoofed i.e., send through some different origin and show the origin different from where it actually originated.
And gaining the personal information of the victim through mobile number by sending fraud text messages which directs them to move on some link or make a phone call, is called smishing. These SMS can also be sent by internet.
Vishing is one of the most common ways to extract the information of the recipient that every user may have experienced at some or the other point. Vishing is basically the combination of Voice and Phishing i.e., sending deceptive messages via fake phone calls. When a call is made to any person, the phone number of the dialler can be seen on the phone of the recipient and through phone number, the name and address of the dialer can be traced. Hence, the offers use fake caller ID and phone numbers to call the victim. But sometimes, users receive those phone calls in which the number isn’t visible. Who is the person, what is his phone number, all these cannot be recorded in such cases because the number cannot be seen on the screen. This is done by the criminal through Voice over Internet Protocol (VOIP). The cybercriminal in vishing, call the person posing to be a bank representative or call center employee and fool them to disclose crucial information.
Hacking is a very common term and simply means unauthorized access to someone’s computer, mobile, any other network device or accounts such as social networking accounts or bank accounts etc. The cybercriminals unscrupulously break into the information contained in any other networking device and control the activities of the victim. The offence of hacking is direct infringement of the fundamental right to privacy of the person suffering this attack as guaranteed by the Constitution.
Hacking has been talked in Section 66 of Information Technology Act, 2000. Section 66 deals with the offence of unauthorized access to the computer resource and defines it as “Whoever with the purpose or intention to cause any loss, damage or to destroy, delete or to alter any information that resides in a public or any person’s computer. diminish its utility, values or affects it injuriously by any means, commits hacking.”
Credit Card Skimming
The digitalization of banks and cashless payment schemes across the world poses the risk of monetary loss to the card holder anytime and anywhere. People find it easier to carry the cards rather than having cash in their pockets. But it is also easier and convenient for the cybercriminals as well to access those cards in unauthorized manner and withdraw money from the bank accounts of the individual. The surprising part of such method is that all these happens while the card is in the possession of the victim. Card gets swiped and charges are levied on the individual without his knowledge.
For any transaction, the credit card needs to be swiped on a small device called skimeer. This skimmer, collects the information such as, credit card number, the expiry date, full name of the individual etc. The cybercriminals can steal these pieces of information through the skimmer and then n number of cards can be cloned from these information to make fraudulent transactions.
People while creating their accounts on social media or while generating bank account passwords or ATM pins, are asked to generate some strong passwords. But this is often neglected by the users and they create very common passwords such as 12345678 or 87654321 or they put their birth dates or full names or combination of name and birthdates as passwords. These information of a persons like his name and birthdate is very common and is known by almost everyone knowing him. Hence, it becomes easier for the offenders to break these passwords and enter into the victim’s privacy. Thus, it is always advised by the banks or the social medial sites to use long passwords with a combination of upper and lower alphabets, numbers and special characters.
It is often advisable to check the authenticity of the website before entering any personal information of before clicking on any link given in the website. Authenticity of the website can be checked by clicking on the link of the website. If the link starts with http, it means that the source is not secured one and so one must avoid filling any information there. If the link starts with https, it means that the website is a secured platform. ‘s’ means the website is secured. It will reduce the chances of users’ information getting compromised.
Unauthorized websites, often contain various links which on clicking direct the person to some other website or some applications start installing without users’ permission. It is very often seen that these malicious websites, start showing information such as “your phone contains viruses, click here to clean your phone” or “click here to win XYZ amount.” Malicious softwares also get installed without user’s knowledge when he tries to download some movies, songs or games from unauthorized sources. These malwares are especially designed to harm the computer or mobile phone of the user.
WHAT FIGURES SAY?
According to National Crime Record Bureau, India recorded 9622, 1192, 12317 and 21796 cybercrimes in the years 2014, 2015, 2016 and 2017 respectively.3 And according to the same bureau, the year 2018 recorded 27248 cybercrimes out of which, 55.2% (15,051 out of 27248) were registered for the motive of fraud.4According to the Norton Cyber Security Insights Report 2016, 49% of India’s online population, or more than 115 million Indians, are affected by cybercrime at some point making the country ranking second in terms of highest number of victims.
LAWS GOVERNING INDENTITY THEFT IN INDIA
Identity theft is a crime that is committed with the use of data and internet. The Act that governs the internet related issues is Information Technology Act, 2000. IT Act,2000 is the parent act which deals with the laws governing all types of cybercrimes including the identity theft. But identity theft is a kind of theft and fraud which is done steal, cheat, defame the victim and can also be used to make forged/false documents. Hence, provisions of IPC is also invoked with IT Act. After the IT Act, certain changes were made to the Indian Penal Code to add different electronic means such as “electronic record”.5
Identity Theft Under Indian Penal Code
Section 463– This section defines Forgery as “Whoever makes any false document or false ‘electronic record’ or part of a document or electronic record with intent to cause damage or injury, to the public or to any person, or to support any claim or title, or to cause any person to part with property, or to enter into any express or implied contract, or with intent to commit fraud or that fraud may be committed, commits forgery”.
Section 464– According to this section a person is said to make a false document when-
“First— Who dishonestly or fraudulently—
makes, sign, seals or executes a document or part of a document;
makes or transmits any electronic record or part of any electronic record;
affixes any digital signature on any electronic record;
makes any mark denoting the execution of a document or the authenticity of the digital signature, with the intention of causing it to be believed that such document or part of document, electronic record or digital signature was made, signed, sealed, executed, transmitted or affixed by or by the authority or a person by whom or by whose authority he knows that it was not made, signed, sealed, executed or affixed; or
Secondly— who, without lawful authority, dishonestly or fraudulently, by cancellation or otherwise, alters a document or an electronic record in any material part thereof, after it has been made, executed or affixed with digital signature either by himself or by any other person, whether such person be living or dead at the time of such alteration; or
Thirdly— who dishonestly or fraudulently causes any person, sign, seal, execute or alter a document or an electronic record or to affix his digital signature on any electronic record knowing that such person by reason of unsoundness of mind or intoxication cannot, or that by reason of deception practiced upon him, he does not know the contents of the document or electronic record or the nature of the alteration”.
Section 468– This section punishes the person committing the offence of forgery with the intention that the document or electronic record forged is going to used for the purpose of cheating the other person with imprisonment up to 7 years and fine. This offence is compoundable and non-bailable.
Section 469– This section deals with the provisions of forgery for the purpose of harming the reputation of any person or knowing that it is likely to be used for that purpose. The person committing offence under this section shall be punishable with fine and imprisonment.
Section 471– According to this section whoever used any forged document as a genuine document, knowingly or which he has reason to believe that the document is forged shall be held liable in the same manner as he himself has forged that document. Offence under this section is a cognizable and bailable offence.
The terms “dishonestly” and “fraudulently” are defined under sections 24 and 25 of the Indian Penal Code,1860. The offence of Identity theft is always committed by the offenders with the intention to cause wrongful loss to the victim by intentionally downloading, extracting or copying his data and information through network devices to or wrongful gain the other. It is always committed by dishonestly taking away the identity or data of the person to steal something or to harm his reputation in the society or to commit any other crime. Hence, the above provisions of IPC also come into picture while dealing with the case of identity theft.
Identity Theft Under Information Technology Act, 2000
Section 43– If any person without permission of the owner damages to computer, computer system, etc. he/she shall be liable to pay compensation to the person so affected
Section 66– “If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both”.
Section 66 B– This section was added by the Information Technology (Amendment) Act,2008 and deals with the punishment for dishonestly receiving stolen computer resource or communication device. This offence is punishable with imprisonment for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.
Section 66 C- This section prescribes the punishment for identity theft and defines the term as “Whoever, fraudulently or dishonestly make use of the ‘electronic signature’6, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine with may extend to rupees one lakh”.7The Information Technology (Amendment) Act,2008 made certain changes in the existing Act and several new section along with this section and new terms were added. The term electronic signature was also added by the Parliament through this amendment.
Offence under this section is cognisable and bailable.
Section 66 D– This section was inserted to punish cheating by impersonation using computer resources. This section defines as “Whoever, by means for any communication device or computer resource cheats by personating, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees”8. The instances where fake profiles are created on social media or fraud e-mail accounts for the purpose of cheating, the cases of data theft of infringement of privacy by illegal access are punishable under this section. Offences under this section are cognisable and bailable.
PREVENTION, REMEDIES AND RECOVERY
Identity theft in majority of cases have been found to have committed on those persons who were negligent in handelling their data or who had shared any piece of their sensitive information to some other persons at some point. Hence, it is often advisable not to share any personal information with anyone else. While cybercrimes can be committed by the offenders and after tight security, account of celebrities is also sometimes hacked and even the social media account of a US President was hacked by the hackers. So, it cannot be said that by taking precautions, such crimes can be prevented completely but yes, the chances can be reduced. Changing passwords every 2-3 months, generating strong password with a combination of upper & lower case alphabets, numbers and special characters and changing password immediately in case of suspicion can be one way to reduce the chances. Temporarily deactivating the account after changing the password in case of suspicion or after any identity theft is a way to protect the account. One should immediately contact the bank or lender etc. to protect the records and temporarily or permanently close the account when someone tries to access without permission.
Identity can also be stolen by the use of viruses and malwares. Constantly checking and cleaning of viruses through security software must also be done to avoid greater harm.
Government has also created cybercrime portal. In case of any suspicion or in case one has become the victim of fraud and has lost money from account, it should be immediately reported to the cybercrime branch through the online portal. It can also be reported by visiting to the nearest police station directly. Filing a complaint is very important for getting qualified as a proof of identity theft. This complaint is also required if the victim decides to file for the compensation from the bank. And this complaint can save the victim from further damage and threats.
At present various agencies have been set up by the government to look into the matters relating to cybercrime and cyber security such as Cyber and Information Security Division (C&IS). This body deals with the matters related to Cyber Security, Cyber Crime, National Information Security Policy & Guidelines and implementation of NISPG and NATGRID, etc.
Apart from different bodies set up by central government, various states and UTs have also specialised cells which deals by cyber matters. Different technologies such as cyber mapping, analytics and predictive system, data mining, statistical modelling is being used by governments to protect the citizens and reduce the cybercrime.
In present time, use of Information technology is at its peak. Recent scenarios have forced the world to move to Internet and make is the new village on this planet. Despite having a number of advantages, the disadvantages are more and will shadow the advantages completely in the upcoming years. Humans are already in control but the upcoming years will witness the AI controlling humans mind and all the activity of the man-kind. Saddest part is that, no body can get out of this trap and no body can live without this trap. But, awareness, consciousness and precautions can reduce the harm and chances to much extent. Internet should be used but wisely. Red flags given by the attackers can be read sometimes when they send fraud messages and emails, when someone on behalf of bank calls and asks for account number and passwords and OTPs. These are sensitive information and no bank or any organization asks for these pieces. Government is doing its part but Indian Laws in current times is not very complex and up to the mark for cybercrimes. The very pitfall of IT Act is that it lacks extra-territorial jurisdiction. Extra territorial jurisdiction means the power of the state extends beyond its territorial jurisdiction i.e., the IT Act is only applicable withing the Indian territory, and hence, only those identity thefts which are committed by the computer or device sourcing in the Indian Territory can be considered as cybercrimes. It is important here to note that 20-25% of the cybercrimes takes place in the country by the offenders sitting outside the Indian subcontinent and due to the lacuna, the instances are left unreported. More or less, the exact definitions of various crimes are also missing which are the need of the hour and strict enforcement of the laws and strict punishment should be made to create deterrence among the offenders. Under IT Act, cybercrime is a compoundable and bailable offence, imprisonment is also provided for three years only, such provisions cannot be said to be the stringent punishment, these are inadequate punishments. The intention and knowledge of the offender that he is doing a wrongful act which not only affects the monetary conditions of the victim but also creates a deep effect on his mental conditions and social reputation, in some cases, it has also been reported that some victims have ended their lives. And the criminals, after committing such offences, get bail and sometimes the victim is forced to compromise. Therefore, these punishments need revisions. But on individual basis also, people have become careless in handeling their data. In the name of some money or reward they share their sensitive information with other persons without having a second thought. Here it must be noted that self-awareness is must. People should realise their duties and responsibilities towards themselves and others. Youth should come forward and take up the responsibility of training the weaker section of the society who are more vulnerable to this crime.
1The Information Technology Act, 2000, § 2 (1) (o)
2BRITANNICA, https://www.britannica.com/topic/cybercrime/Identity-theft-and-invasion-of-privacy (last visited Apr. 8,2021).
3livemint, https://www.livemint.com/companies/news/cyber-crime-cases-in-india-almost-doubled-in-2017-11571735243602.html (last visited Apr. 8, 2021).
4 National Crime Record Bureau, Crime Report 2018, Page no.- xiii.
5The Information Technology Act, 2000, § 2 (1) (t)
6Defined under section 2(1) (ta) of the IT ACT, 2000 as “electronic signature” means authentication of any electronic record by a subscriber by means of the electronic technique specified in the Second Schedule and includes digital signature
7Added by Information Technology Amendment Act, 2008
8Added by Information Technology Amendment Act, 2008