India’s cyber infrastructure needs more than patches
India’s cyber infrastructure needs more than patches
India’s cyber infrastructure needs more than patches
India’s cyber infrastructure needs more than patches
There has been a steady spike in cases of cybercrime in the last five years. According to the National Crime Records Bureau (NCRB), from 12,317 cases of cybercrime in 2016, there were 50,035 cases registered in 2020. In India, cybercrime is increasing with the increased use of information and communication technology (ICT).
However, despite this alarming trend, the capacity of the enforcement agencies to investigate cybercrime remains limited. With ‘police’ and ‘public order’ being in the State List, the primary obligation to check crime and create the necessary cyber infrastructure lies with States.
At the same time, with the IT Act and major laws being central legislations, the central government is no less responsible to evolve uniform statutory procedures for the enforcement agencies. Though the Government of India has taken steps that include the setting up of the Indian Cybercrime Coordination Centre (I4C) under the Ministry of Home Affairs to deal with all types of cybercrime, much needs to be done to plug the infrastructural deficit.
No procedural code
There is no separate procedural code for the investigation of cyber or computer related offences. As electronic evidence is entirely different in nature when compared with evidence of traditional crime, laying down standard and uniform procedures to deal with electronic evidence is essential.
The guidelines, if followed meticulously, may ensure that electronic evidence is neither tampered with nor subject to spoliation during investigation.
A significant attempt has been made by the higher judiciary in this field also. As resolved in the Conference of the Chief Justices of the High Court in April 2016, a five- judge committee was constituted in July 2018 to frame the draft rules which could serve as a model for the reception of digital evidence by courts.
The committee, after extensive deliberations with experts, the police and investigation agencies, finalized its report in November 2018, but the suggested Draft Rules for the Reception, Retrieval, Authentication and Preservation of Electronic Records are yet to be given a statutory force.
Shortage of technical staff
SecondA regular police officer, with an academic background in the arts, commerce, literature, or management may be unable to understand the nuances of the working of a computer or the Internet. He can at best, after proper training, act as a first responder who could identify digital evidence and secure the scene of crime or preserve digital evidence till the arrival of an expert. It is only a technically qualified staff who could acquire and analyse digital evidence.
It is relevant here to mention that the Court, during the trial of the infamous State of Goa, through C.I.D. C.B., North Goa, Goa. vs Tarunjit Tejpal took objection to the fact that the investigating subin-spector, who seized the relevant CDs, did not know the meaning of the term ‘hash value’.
Similarly, in the Aarushi murder case of Noida, reported as Dr. (Smt.) Nupur Talwar vs State of U.P. and Anr., the Allahabad High Court observed that the Indian Computer Emergency Response Team (CERTIN) expert was not provided with the details of the Internet logs, router logs and laptop logs to prove whether the Internet was physically operated on the fateful night. Even the certificate under Section 65B of the IE Act (which is statutorily required), was undated, and hence rejected by the trial court.
Therefore, it is essential that State governments build up sufficient capacity to deal with cyber crime. It could be done either by setting up a separate cyber police station in each district or range, or having technically qualified staff in every police station. Further, the Information Technology (IT) Act, 2000 insists that offences registered under the Act should be investigated by a police officer not below the rank of an inspector. The fact is that police inspectors are limited in number in districts, and most of the field investigation is done by sub inspectors. Therefore, it will be pragmatic to consider a suitable amendment in Section 80 of the act and make sub inspectors eligible to take up investigation of cybercrimes.
Upgrade cyber labs
Third, the cyber forensic laboratories of States must be upgraded with the advent of new technologies. Offences related to crypto- currency remain underreported as the capacity to solve such crimes remains limited. The central government has proposed launching a digital rupee using block chain technology soon. State enforcement agencies need to be ready for these technologies. The Centre helps in upgrading the State laboratories by providing modernization funds, though the corpus has gradually shrunk over the years. While most State cyber labs are sufficiently equipped to analyze hard disks and mobile phones, many are yet to be notified as ‘Examiner of Electronic Evidence’ (by the central government) to enable them to provide expert opinion on electronic records. Since there is now a state- of art National Cyber Forensic Lab and the Cyber Prevention, Awareness and Detection Centre (Cy-PAD) of the Delhi Police, there may be an extension of professional help to States in getting their labs notified.
Need for localization Most cybercrimes are transnational in nature with extraterritorial jurisdiction. The collection of evidence from foreign territories is not only a difficult but also a tardy process. India has extradition treaties and extradition arrangements with 48 and 12 countries, respectively. In most social media crimes, except for the prompt blocking of an objectionable website or suspect’s account, other details do not come forth quickly from large IT firms. Therefore, ‘data localization’ must feature in the proposed Personal Data Protection law so that enforcement agencies are able to get timely access to the data of suspected Indian citizens. Also, the police still get Cyber Tip line reports on online Child Sexual Abuse Material (CSAM) from the U.S.’s nonprofit agency, the National Center for Missing & Exploited Children (NCMEC). It would be a step forward if India develops its in house capacity and/or makes intermediaries accountable to identify and remove online CSAM for immediate action by the police.
In fact, the Centre and States must not only work in tandem and frame statutory guidelines to facilitate investigation of cybercrime but also need to commit sufficient funds to develop much awaited and required cyber infrastructure