INTRODUCTION

Cyber Crime
Mankind as a race has progressed through a series of stages. We have
had the stage of the Stone Age, the Medieval Period, and the stage of
the

Industrial

Revolution.

One

interesting

thing

is

that

every

succeeding stage has multiplied the pace of advancement. So if the

Stone Age lasted for x years, the Medieval Period last for far less. The
Industrial Revolution lesser still. The Revolution which we are living
through today is the Technological Revolution. This Revolution is unique
in two ways. One is the sheer pace at which it is happening. The world
in 2003 is an order of magnitude different technologically than the
world in 1995. To understand this, think back to 1995. August 15 th,
1995 was the day when VSNL launched Indias first publicly available
Internet service. Prior to this the Internet was the domain of a few
lucky universities under the ERNET scheme, and some large companies
who could afford the staggeringly expensive bills. VSNLs service was
limited to a few cities. It was expensive, and difficult to get. No-one
knew about the net and even fewer cared. Cut to 2003. The Internet is
fast becoming a commodity. Everyone knows about it. Everyone is
using it. There are hundreds of service providers in India. And this is
only in India. There are many other examples, a notable one being the
staggeringly fast increase of Processing Power. Todays desktop
computers, like the one being used at this very moment are vastly
more powerful than the lumbering mainframes of the 70s. It was the
CEO of Intel, Gordon Moore who made the statement that has been
immortalized as Moores Law in the 70s. He said that processing
power will double every 18 months, at half the cost. This law still holds
true today, three decades later.

This has had interesting implications for human society. Previously, as

technology advanced, the societal control systems advanced at the
same rate, or at most lagged behind by a few months or a year or so.
So when immigrant workers flooded the industrial cities, housing and
zoning laws followed soon after. And when the banking and securities
sectors grew after the II World War, laws to regulate them were soon in
place. But this no longer holds true in the Internet Society. Technology
has quite simply outstripped the control of society. This is especially
true in the field of law enforcement. Todays cyber criminals are blazing
new trails in the ancient fields of fraud, extortion, theft, and larceny. A
legal trial against a computer criminal nine times out of ten brings up
new, unprecedented issues. And after the trial is concluded, it becomes
irrelevant within a few years, as technology advances. In criminal law,
we routinely use precedents which go back 50, 60 even a hundred
years. This simply cannot be done in the field of cyber law.
This paper attempts to probe the boundaries of this emerging field,
and to try and shed some light on what is a murky, undefined area.

CYBER CRIME
Crimes, as traditionally conceived, are committed in the so-called real
world, in our shared physical reality. The conduct used to commit such
crimes, the circumstances involved in their commission, and the harms
that result from their commission all occur in corporeal venues such as
public streets or private residences. Consequently, our extant law of
crimes is concerned with imposing liability and sanctions (death,
incarceration, fines, and so forth) for conduct that results in the
infliction of corporeal harms, such as injury to persons or property or
the unauthorized taking of another persons property. The modern
criminal law insists, as a fundamental premise, that liability be
predicated upon some conductaction or inaction in the face of a duty
to acttaken in the external, physical world; it rejects the notion that
liability can be imposed for incorporeal behaviors such as improper
thoughts.
Cyberspace is a domain that exists along with but apart from the
physical world. It is a shared conceptual reality, a virtual world, not a
shared physical reality.

Since it is not a physical domain, some

question whether the current principles of criminal law we employ are

adequate to address crimes that exploit the unique advantages of
cyberspace. This postulated inadequacy cannot exist unless there are
material differences between cyber crimes and crimes with regard to
the conduct used to commit the offenses that fall into both categories,
the attendant circumstances involved in committing offenses and the
harms that result from their commission.
In so doing, it operates on the premise that we should not simply
assume that criminal conduct that exploits cyberspace represents an

entirely new phenomenon, that is, cyber crime.

It may represent

nothing more than perpetrators using cyberspace to engage in conduct

that has long been outlawed. The development of the telephone, radio
and television, for example, all made it possible to perpetrate fraud in
new and different ways, but fraud itself has been outlawed for
centuries. If cyberspace is simply a medium being used to commit
traditional crimes, then there may be no need to recognize a separate
category of cyber crimes and develop specialized legislation to deal
with them; existing laws should be adequate to do so. Law has, for
example, long made it a crime intentionally to cause the death of
another human being. For the most part, contemporary law defines
this generically, as homicide, rather than differentiating varieties of
homicide depending on the method that is used to cause death. In
other words, we do not have method-specific crimes like homicide by
firearm, homicide by poison, homicide by beating, homicide by
stabbing, and so forth. Instead, we focus on the harm that results
from specific conduct, such as conduct intended to cause the death of
another person, and define an offense that encompasses that harm. It
may be that what we are currently calling cyber crimes represent
nothing more than the use of a particular methodfor example, crime
by computer and cyberspaceto perpetrate crimes that have long
been established
In the Anglo-American common law tradition, which is also followed in
India, crimes consist of four elements: conduct, mental state,
attendant circumstances and a forbidden result or harm.1
If cyber crimes and crimes do indeed share these constituent
elements, then their differences, if any, must lie in how some or all of
the elements manifest themselves in the commission of specific crimes
1

Criminal Law, Cases and Materials,, Gaur, K.D (New Delhi: Butterworths India, 1999), 23

and specific cyber crimes. It is not possible to hypothesize material

differences that pertain to the second element of mental state. The
existence and characteristics of the individual perpetrator is the one
indisputably constant element of both types of crimes. Neither a crime
nor a cyber crime can (at least so far) be realized except through the
agency of one or more individuals. Since the existence of an individual
perpetrator is a constant in both categories, and since there appear to
be no reasons to establish different culpability levels for the two
categories, we can eliminate this element as a potential point of
difference between them.
That is not true of the remaining elements: We can at least
hypothesize that the two types of crimes differ in terms of the conduct
used to commit the offenses that fall into each category, the
circumstances involved in their commission, and the results or harms
ensuing from their commission.

These hypothesized differences can

be derived from the single empirical divergence between the two

categories of criminal activity: the respective venues within which they
are committed.
Indian law bases criminal liability on the coincidence of four elements:
a culpable mental state (the mens rea); an act or a failure to act when
one is under a duty to do so (the actus reus)2; the existence of certain
necessary conditions or attendant circumstances; and a prohibited
result or harm. The crime of bigamy illustrates how all these elements
must combine for the imposition of liability. To commit bigamy,
someone must enter into a marriage knowing either that she is already
married or that the person whom she is marrying is already married. 3
The prohibited act is the redundant marriage, the culpable mental
2

Criminal Law, Cases and Materials,, Gaur, K.D (New Delhi: Butterworths India, 1999), 23

Section 494. Marrying again during lifetime of husband or wife

state is the perpetrators knowledge that she is entering into a

redundant marriage, the attendant circumstance is the existence of a
pre-existing, valid marriage, and the harm is the threat bigamous
marriages pose to the stability of family life.
Bigamy does not appear to be a crime that can become a cyber crime.
It does not seem that bigamy can be committed in cyberspace; for
various reasons, including the fact that marriageat least as
heretofore constitutedis an intrinsically real world endeavor, bigamy
seems inevitably relegated to the confines of the physical world. But it
does appear that other crimes can make this transition into the virtual
world and become cyber crimes.
For virtual crimes to exist, cyber crimes must differ from crimes in
some material respect. Both cyber crimes and crimes involve socially
unacceptable conduct for which we impose criminal liability, so the
most likely source of material differences between them is the
principles needed to impose this liability. If cyber crimes differ in one
or more material respects from crimes, the principles used to impose
liability for crimes should not suffice to impose liability for cyber
Whoever, having a husband or wife living, marries in any case in which such marriage is void by
reason of its taking place during the life of such husband or wife, shall be punished with
imprisonment of either description for a term which may extend to seven years, and shall also be
liable to fine.
Exception- This section does not extend to any person whose marriage with such husband or
wife has been declared void by a court of competent jurisdiction,
nor to any person who contracts a marriage during. the life of a former husband or wife, if such
husband or wife, at the time of the subsequent marriage, shall have been continually absent from
such person for the space of seven years, and shall not have been heard of by such person as
being alive within that time provided the person contracting such subsequent marriage shall,
before such marriage takes place, inform the person with whom such marriage is contracted of
the real state of facts so far as the same are within his or her knowledge.

crimes. If, on the other hand, the principles we use for crimes can be
used to impose liability for cyber crimes, they cannot be discrete
entities: cyber crimes would be simply a subset of crimes.
As a previous paragraph explained, we define crimes as consisting of
four elements: prohibited conduct, culpable mental state, specified
attendant circumstances and a forbidden result or harm. These
elements are the method we use to impose liability for the commission
of crimes. To convict someone of a crime, the prosecution must prove
all of these elements beyond a reasonable doubt.4
These elements, and the related principles we use to operationalize
them, were developed to deal with prohibited conduct occurring in the
physical world. The premise that cyber crimes represent a new legal
phenomenon derives from the empirically undeniable fact that they
involve conduct that is committed wholly or partially in a different
venue: the virtual world of cyberspace. And depending on the offense
at issue, cyber crimes may also involve attendant circumstances or
harms that are located in cyberspace.

For the premise that cyber

crimes are a new legal phenomenon to be valid, the locus of criminal

conduct (plus attendant circumstances or results) must constitute a
material difference between crime and cyber crime. The premise fails
unless making cyberspace the venue for criminal conduct means we
cannot use these elements and principles to impose criminal liability
on cyber-perpetrators. The virtual status of the crime must, in other
words, put it outside the scope of the principles we use to impose
liability in the real world.
What is a cyber offence?
i.
4

Meaning

Criminal Law, Cases and Materials,, Gaur, K.D (New Delhi: Butterworths India, 1999), 39

ii.

Elements

iii.

Distinctive features as against IPC offences

iv.

Types

Definition
A cyber offence may be defined as an offence involving the use of a
computer system. It may either be used as a tool for committing the
offence or be made the target of such an offence or both.
Elements
The elements of a cyber offence are as follows:

Commission of an unlawful or prohibited act

Commission of such an act through a computer system

Intention to commit such an act (this means that the offender

must be aware at the time of committing the act that the access
being sought to the particular system was unauthorized and
protected or that the commission of any such other act was
prohibited by law.)

Distinctive features as against IPC offences

Cyber offences are different from traditional offences such as theft,
fraud, forgery, defamation and mischief as defined under the Indian
Penal Code, 1860 because cyber offences are essentially committed on
or through computer systems and do not necessarily involve any
physical contact between the offender and the victim or target. The
various distinctive features as against IPC offences are as follows:

Essential usage of a computer system

Jurisdictional complexities

Lack of necessity of physical contact between the offender and

the victim/target

Advantage and incentive of anonymity for the offender

Lack

of

appropriate

investigative

infrastructure

designed

exclusively for investigation of cyber offences.

Absence of a comprehensive set of laws applicable all over the

world irrespective of geographical boundaries.

Types
Cyber offences may be categorized into the following two types:

Offences involving the use of a computer as a tool; or

Offences involving the use of a computer as a target

Cyber Crime in India

Computer crime can involve criminal activities that are traditional in
nature, such as theft, fraud, forgery, defamation and mischief, all of
which are subject to the Indian Penal Code. The abuse of computers
has also given birth to a gamut of new age crimes that are addressed
by the Information Technology Act, 2000.
Defining cyber crimes, as "acts that are punishable by the Indian Penal
Code" would be unsuitable as the Information Technology Act also
covers many cyber crimes, such as email spoofing and cyber
defamation, sending threatening emails etc.
A simple yet sturdy definition of cyber crime would be "unlawful acts
wherein the computer is either a tool or a target or both".
India has enacted the first I.T.Act, 2000 based on the UNCITRAL model
recommended by the General Assembly of the United Nations by a
resolution dated 30th January, 1997.
There has already been some amount of litigation in India on matters
enumerated in the IT Act 2000. Cases on Section 65, 66 and 67 are
becoming common. A recent article about the pioneering Hyderabad
Cyber Crime cell is very instructive at this stage. This is attached in
Appendix A for reasons of clarity and brevity. The reader may look at it
there. The first land mark case of cyber crime is the go2nextjob.com
case. The facts of this case are as follows:

10

Landmark law
The two men have been charged under a landmark law - the
Information Technology Act - which was approved by parliament last
year. It allows police to enter and search public places, such as cyber
cafes, without a warrant and to arrest suspects when they believe a
cyber crime is being committed.5
There is another case about a student of Air Force Bal Bharati School in
Delhi, which is generally considered the second land mark case of
cyber crime in India. This is a case which did not reach the High Court
or Supreme Court, therefore the citation is not known. However the
facts of this case from newspapers etc. have been given below.
Recent Indian incidents revolving around cyber pornography include
the Air Force Bal Bharati School case. A student of the Air Force Bal
Bharati School, Delhi, was teased by all his classmates for having a
pockmarked face. Tired of the cruel jokes, he decided to get back at his
tormentors. He scanned photographs of his classmates and teachers,
morphed them with nude photographs and put them up on a website
that he uploaded on to a free web hosting service. It was only after the
father of one of the class girls featured on the website objected and
lodged a complaint with the police that any action was taken.6
The Amendments made by the Information Technology Act 200, to the
Indian Penal Code are given in Appendix 2. On the next page is a table
5

Indian Hackers Busted, http://news.bbc.co.uk/1/hi/world/south_asia/1162245.stm, Last Visited

on 12th September, 2003

6

http://www.hindustantimes.com/news/1238_0,0000.htm Last Visited on 13th September, 2003

11

of all the penal sections of the IT Act, along with the respective
punishments.

S.

Punishment

Offence and Section

No.
1.

Imprisonment up to 3 years Tampering with computer Source

and/or fine up to two lakh Document.
rupees

(Sec.

65);

Hacking

with computer system (Sec.66);

Failure

to

comply

with

the

direction of the Controller (Sec.

2.

Imprisonment

up

to

68)
two Breach

of

confidentiality

or

years and/or fine up to one privacy (Sec. 72);

lakh rupees

Publishing false digital certificate

(Sec. 73)
Publishing digital certificate for
fraudulent

purposes.

(Sec.

74)

Misrepresentation or suppression
3.

of material facts (Sec 71)

Imprisonment up to seven Directions of Controller
years

to

subscriber to extend facilities to

4.

Imprisonment

up

to

decrypt information (Sec. 69)

ten Secring access to protected

5.

years
Imprisonment

up

to

system (Sec. 70)

five Publishing information which is

years (first conviction), ten obscene (Sec. 67)

years and fine up to rupees
one lakh (first conviction)
and

two

lakhs

(second

conviction)

12

6.

Imprisonment

up

to

6 Failure

to

surrender

license

months and/ or fine upto ten ( Section 33)

thousand rupees

13

CYBER LAW IN AMERICA

American society has traditionally been at the forefront of technology
related cases, due to the high PC penetration in that country. It is
interesting to see the direction American law has taken in dealing with
the menace of cyber crime.
Although there has never been accurate nationwide reporting of
computer crime, it is clear from the reports which do exist and from
anecdotal information that computer crime is on the rise. For example,
the Computer Emergency and Response Team at Carnegie-Mellon
University reports that from 1991 through 1994, there was a 498%
increase in the number of computer intrusions, and a 702% rise in the
number of sites affected.. During 1994, for example, approximately
40,000 Internet computers were attacked in 2,460 incidents. Similarly,
the FBI's National Computer Crime Squad has opened over 200 hacker
cases since the Squad was created in 1991. 7
That computer crime is on the rise is perhaps a natural result of
introducing computers into American society. In an earlier era, the
advent of the automobile opened the way for criminals to target the
automobile itself (e.g., auto theft) or use it to facilitate traditional
crimes (e.g., the bank robbery getaway vehicle). In addition, law
enforcement had to learn to seize vehicles to search them for evidence
of some offense unrelated to the vehicle itself (e.g., the box of
documents in the trunk). In many of the same ways, computers, too,
have proven important to criminal investigations. First, a computer
7

THE NATIONAL INFORMATION INFRASTRUCTURE PROTECTION ACT OF 1996

LEGISLATIVE ANALYSIS By The Computer Crime and Intellectual Property Section

United States Department of Justice, <http://www.cybercrime.gov/1030_anal.html> Last Visited
13th September, 2003

14

may be the target of the offense. In these cases, the criminal's goal is
to steal information from, or cause damage to, a computer, computer
system, or computer network. Second, the computer may be a tool of
the offense. This occurs when an individual uses a computer to
facilitate some traditional offense such as fraud (e.g., a bank teller who
once stole money from a cash drawer may now use a computer
program to skim money directly from depositors' accounts). Last,
computers are sometimes incidental to the offense, but significant to
law enforcement because they contain evidence of a crime. Narcotics
dealers, for example, may use a personal computer to store records
pertaining to drug trafficking instead of relying on old-fashioned
ledgers.
The different ways in which criminals can use computers have created
a philosophical debate among law enforcement experts. Some argue
that computer crime is nothing more than traditional crime committed
with new, high-tech devices. Others contend that computer crime
cannot be analogized to traditional crime and that combating it
requires both innovative law enforcement techniques and new laws
designed to address abuses of emerging technologies. In 1984,
Congress adopted the latter view and enacted discrete legislation to
address crime in electronic environments. Although certain computer
crimes appear simply to be old crimes committed in new ways (e.g.,
the bank teller who uses a computer program to steal money is still
committing bank fraud), some computer offenses find their genesis in
our new technologies and must be specifically addressed by statute.
For example, the widespread damage caused by inserting a virus into a
global computer network cannot be prosecuted adequately by relying
upon common law criminal mischief statutes. Indeed, it is questionable
whether Robert Morris, the individual responsible for launching the
Morris worm and crippling 6,000 computers around the world, could
15

have been prosecuted had Congress not had the foresight to enact the
Computer Fraud and Abuse Act.8
Whether classified as "old" or "new," computer crime creates unique
problems for law enforcement and a concomitant threat to the public
welfare.

The

most

significant

legislative

problems

stem

from

technology's shift from a corporeal to an intangible environment. This

departure from a physical world (where items are stored in a tangible
form that can be carried, such as information written on paper) to an
intangible, electronic environment means that computer crimes (and
the methods used to investigate them) are no longer subject to
traditional rules and constraints. Consider, for example, the way the
crimes of theft and criminal mischief have evolved. Before the advent
of computer networks, the ability to steal information or damage
property was to some extent determined by physical limitations. A
burglar could break only so many windows and burglarize only so many
homes in a week. During each intrusion, the burglar could carry away
only so many items. This does not, of course, make this conduct trivial,
but it points out that the amount of property a burglar could steal, or
the amount of damage he could cause, had physical limits.
In the information age, of course, these limitations no longer apply. A
criminal seeking information stored in a networked computer with dialin access can acquire that information from virtually anywhere in the
world. The quantity of information stolen or the amount of damage
caused by malicious programming code may be limited only by the
speed of the network and the criminal's computer equipment.
Moreover, such conduct can easily occur across state and national
borders.

Id.

16

This clear shift to a borderless, incorporeal environment and the

increased risk that information will be stolen and transported in
electronic form is difficult to address by relying upon older laws written
to protect physical property. For example, the statute pertaining to
interstate transportation of stolen property, 18 U.S.C. 2314 9, speaks
of "goods, wares and merchandise," and consequently has been held

Sec. 2314. - Transportation of stolen goods, securities, moneys, fraudulent State tax stamps, or

articles used in counterfeiting

Whoever transports, transmits, or transfers in interstate or foreign commerce any goods, wares,
merchandise, securities or money, of the value of $5,000 or more, knowing the same to have
been stolen, converted or taken by fraud; or
Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining
money or property by means of false or fraudulent pretenses, representations, or promises,
transports or causes to be transported, or induces any person or persons to travel in, or to be
transported in interstate or foreign commerce in the execution or concealment of a scheme or
artifice to defraud that person or those persons of money or property having a value of $5,000 or
more; or
Whoever, with unlawful or fraudulent intent, transports in interstate or foreign commerce any
falsely made, forged, altered, or counterfeited securities or tax stamps, knowing the same to have
been falsely made, forged, altered, or counterfeited; or
Whoever, with unlawful or fraudulent intent, transports in interstate or foreign commerce any
traveler's check bearing a forged countersignature; or
Whoever, with unlawful or fraudulent intent, transports in interstate or foreign commerce, any tool,
implement, or thing used or fitted to be used in falsely making, forging, altering, or counterfeiting
any security or tax stamps, or any part thereof Shall be fined under this title or imprisoned not more than ten years, or both.
This section shall not apply to any falsely made, forged, altered, counterfeited or spurious
representation of an obligation or other security of the United States, or of an obligation, bond,
certificate, security, treasury note, bill, promise to pay or bank note issued by any foreign

17

by at least one court not to apply to intangible property. 10 Similarly, the

long-familiar extortion statute makes it illegal, in some cases, to
threaten physical violence to property. 18 U.S.C. 1951(a) 11. Although
a threat to fire bomb a building would clearly satisfy this test, a threat
to delete files may not.
There are two ways, conceptually, to address the growing computer
crime problem. The first would be to comb through the entire United
States Code, identifying and amending every statute potentially
affected

by

the

implementation

of

new

computer

and

telecommunications technologies. The second would be to focus

substantive amendments on the Computer Fraud and Abuse Act to
specifically address new abuses that spring from the misuse of new
technologies.
The new legislation adopts the latter approach for a host of reasons:

government. This section also shall not apply to any falsely made, forged, altered, counterfeited,
or spurious representation of any bank note or bill issued by a bank or corporation of any foreign
country which is intended by the laws or usage of such country to circulate as money.
http://www4.law.cornell.edu/uscode/18/2314.html Last Visited 13th September, 2003
10

United States v. Brown, 925 F.2d 1301, 1308 (10th Cir. 1991). www.westlaw.com, Last visited

10th Sepetember, 2003.

Sec. 1951. - Interference with commerce by threats or violence

11

(a) Whoever in any way or degree obstructs, delays, or affects commerce or the movement of
any article or commodity in commerce, by robbery or extortion or attempts or conspires so to do,
or commits or threatens physical violence to any person or property in furtherance of a plan or
purpose to do anything in violation of this section shall be fined under this title or imprisoned not
more than twenty years, or both.
http://www4.law.cornell.edu/cgi-bin/htm_hl?
DB=uscode18&STEMMER=en&WORDS=18+1951+&COLOUR=Red&STYLE=s&URL=/uscode/1
8/1951.html#muscat_highlighter_first_match Last visited 13th September, 2003.

18

(1) The United States, in a single statute, continues to address the core
issues driving computer and information security at both domestic and
international levels; that is, protecting the confidentiality, integrity, and
availability of data and systems. Indeed, these three themes provide
the foundation for the Organization for Economic Cooperation and
Development's (OECD) Guidelines for the Security of Information
Systems. They also serve as the linchpin for emerging domestic works
on information privacy.. By patterning the amended Computer Fraud
and Abuse Act on the OECD guidelines, the U.S. is at the forefront of
rethinking how information technology crimes must be addressed-simultaneously protecting the confidentiality, integrity, and availability
of data and systems.
(2) In most cases, a single point of reference--The Computer Fraud and
Abuse Act, 18 U.S.C. 1030--is provided for investigators, prosecutors,
and legislators as they attempt to determine whether a particular
abuse of new technology is covered under federal criminal law.
(3) As new technologies are introduced and the criminal law requires
reconsideration, fine-tuning 1030 may well be adequate, and it will
not be necessary to continually parse through the entire United States
Code.
(4) This statutory scheme will give a better understanding of the scope
of the computer crime problem by enabling more reliable statistics to
be generated regarding computer abuse. Under current law, computer
crimes can be charged under a host of criminal statutes, and this
situation will continue if the U.S. chooses a patchwork approach and
amends the various provisions of Title 18 to address new computer
crimes. Indeed, a June 1996 study by the United States Sentencing

19

Commission concluded that there were only 174 cases in which the
statute of conviction included 18 U.S.C. 1030, but conceded that
. .pertinent questions remain unanswered. For example, how
much criminal behavior that could have been successfully prosecuted
under

18

U.S.C.

1030

was

prosecuted

under

other

fraud

statutes. . . ?12

(5) Last, 18 U.S.C. 1030(f) specifically provides that certain

government officials, if engaging in lawfully authorized investigative,
protective, or intelligence activities, are not restricted by 1030. By
amending only 18 U.S.C. 1030 to address new high-tech offenses,
this exception clearly continues to apply to any newly defined criminal
conduct.
18 U.S.C. 1030(f) is attached as Appendix 4, for the benefit of the
reader.

12

http://www.cybercrime.gov/1030_anal.html , Last visited 12th Sepetember, 2003

20

Chapter 5
Landmark US Cyber Cases Studied
The landmark US cases on cyber law are studied below. I have tried to
incorporate a wide variety of cases on different subjects to give a
comprehensive picture on the evolution of cyber law in the United
States of America. The complete text of the cases is not included for
reasons of brevity; however, they are available with the author if the
reader wishes to read any or all of them.
UNAUTHORISED ACCESS
Briggs v. State of Maryland
348 Md. 470 (1998) [USA]
The Court held that the statute of the state of Maryland that
criminalizes unauthorized access to computers "was intended to
prohibit use of computers by those not authorized to do so in the first
place, and may not be used to criminalize the activities of employees
who use employers' computer systems beyond the scope of their
authority to do so".
Scott Moulton and Network Installation Computer Services, Inc. v. VC3
Civ. Act. No. 1:00-CV-434-TWT (N.D. Ga. November 6, 2000) [USA]
The Court held that the plaintiff's act of conducting an unauthorized
port scan and throughput test of defendant's servers does not
constitute a violation of either the Georgia Computer Systems
Protection Act or the Computer Fraud and Abuse Act.

21

EMAIL RELATED
United States v. Kammersell
1998 U.S. Dist. LEXIS 8719 (D. Utah 1998) [USA]
The Court found that federal interstate jurisdiction was proper where
defendant sent a threatening email via AOL, an interstate service, even
though the message was sent from and received in the same state.
The Court held that federal laws prohibiting transmission in interstate
commerce of communications containing threats applied, because the
e-mail was sent via a commercial online service and routed outside the
state before reaching its final destination within the state. The 10th
Circuit Court of Appeals affirmed this decision (See 196 F.3d 1137 (10th
Cir. Utah 1999) [USA]).
United States v. Machado
C.D. Cal. 2/10/98 [USA]
The accused was convicted in violation of federal hate-crime law for
sending threatening email to Asian students at University of California
at Irvine based on race/ethnicity. The accused stated that the emails
were sent idly and without intention to act on the threats.
State of Washington v. Townsend
No. 19304-7-III (Wash. Ct. App. 2001) [USA]
A Washington Appellate Court affirmed a conviction for second-degree
rape of a child. The defendant appealed the lower court's decision to

22

admit into evidence copies of email messages between himself and a

police officer posing as a 13 year old girl.
The defendant argued that the email messages were copied in
violation of the Washington Privacy Act, which prohibits the "copying of
private communications transmitted by telephone, telegraph, radio, or
other device...."
The court held that email by its nature must be recorded, and an email
user impliedly consents to the copying by the act of using email.
Accordingly, the court affirmed the lower court's decision to admit the
email messages.
America Online Inc. v. National Health Care Discount, Inc
2000 U.S. Dist. Lexis 17055 (N.D. Iowa, September 29, 2000 [USA]
The court denied plaintiff AOL's motion for summary judgment seeking
to hold defendant liable for violations, inter alia, of the Computer Fraud
and Abuse Act, the Virginia Computer Crimes Act, and common law
trespass to chattels, as a result of the transmission of unsolicited bulk
e-mail advertising defendant's products to AOL users.
The court reached this conclusion because, based on the record before
it, it could not determine whether the parties who sent the e-mail in
question were defendant's agents, acting under its control, or
independent contractors.
DEFAMATION
Anderson v New York Telephone Co
(1974) 35 NY 2d 746) [USA]

23

The plaintiff was a bishop. A person by the name of Jackson broadcast

a programme on radio urging the listeners to call up two telephone
numbers.
'A person calling these numbers would hear accusations against
plaintiff involving him in all sorts of scurrilous activities not the least of
which was illegitimately fathering children by women and girls in the
church. Jackson's telephones were attached to equipment leased to
Jackson

by defendant.

This

equipment

contained the recorded

messages which would automatically play upon activation of the

telephone by a caller.'
The Court held that ' the telephone company's role is merely passive
and no different from any company which leases equipment to another
for the latter's use In order to be deemed to have published a libel a
defendant must have had a direct hand in disseminating the material
whether authored by another, or not It could not be said, for
example, that International Business Machines, Inc., even if it had
notice, would be liable were one of its leased typewriters used to
publish a libel. Neither would it be said that the Xerox Corporation,
even if it had notice, could be held responsible were one of its leased
photocopy machines used to multiply a libel many times.'
Cubby Inc v CompuServe Inc
(1991) 776 F Supp 135 [USA]
'Action was brought against computer service company for its alleged
libel, business disparagement, and unfair competition. On company's
motion for summary judgment, the District Court, Leisure, J., held that:
(1) computer service company that provided its subscribers with
access to electronic library of news publications put together by
24

independent third party and loaded onto company's computer banks

was mere "distributor" of information, which could not be held liable for
defamatory statements made in news publications without showing
that it knew or had reason to know of defamation'
'CompuServe develops and provides computer-related products and
services, including CompuServe Information Service ("CIS"), an on-line
general information service or "electronic library" that subscribers may
access from a personal computer or terminal. Subscribers to CIS pay a
membership fee and online time usage fees, in return for which they
have access to the thousands of information sources available on CIS.
Subscribers may also obtain access to over 150 special interest
"forums," which are comprised of electronic bulletin boards, interactive
online conferences, and 349 topical databases.
One forum available is the Journalism Forum, which focuses on the
journalism industry. Cameron Communications, Inc. ("CCI"), which is
independent of CompuServe, has contracted to "manage, review,
create, delete, edit and otherwise control the contents" of the
Journalism Forum "in accordance with editorial and technical standards
and conventions of style as established by CompuServe".
"New York courts have long held that vendors and distributors of
defamatory publications are not liable if they neither know nor have
reason to know of the defamation."The requirement that a distributor
must have knowledge of the contents of a publication before liability
can be imposed for distributing that publication is deeply rooted in the
First

Amendment,

made

applicable

to

the

states

through

the

Fourteenth Amendment"

25

CompuServe's CIS product is in essence an electronic, for-profit library

that carries a vast number of publications and collects usage and
membership fees from its subscribers in return for access to the
publications.
CompuServe and companies like it are at the forefront of the
information

industry

revolution.

High

technology

has

markedly

increased the speed with which information is gathered and processed:

it is now possible for an individual with a personal computer, a modem,
and telephone line to have instantaneous access to thousands of news
publications from across the world.
While CompuServe may decline to carry a given publication altogether,
in reality, once it does decide to carry a publication, it will have little or
no editorial control over that publication's contents. This is especially
so when CompuServe carries the publication as part of a forum that is
managed by a company unrelated to CompuServe.... CompuServe has
no more editorial control over such a publication than does a public
library, book store, or newsstand, and it would be no more feasible for
CompuServe to examine every publication it carries for potentially
defamatory statements than it would be for any other distributor to do
so.
"First Amendment guarantees have long been recognized as protecting
distributors or publications ...Obviously, the national distributor of
hundreds of periodicals has no duty to monitor each issue of every
periodical it distributes. Such a rule would be an impermissible burden
on the First Amendment."... Technology is rapidly transforming the
information industry.

26

A computerized database is the functional equivalent of a more

traditional news vendor, and the inconsistent application of a lower
standard of liability to an electronic news distributor such as
CompuServe than that which is applied to a public library, a book store,
or newsstand would impose an undue burden on the free flow of
information. Given the relevant First Amendment considerations, the
appropriate standard of liability to be applied to CompuServe is
whether it knew or had reason to know of the allegedly defamatory
Rumorville statements.'
Stratton Oakmont v Prodigy
(1995) NY Misc Lexis 229 [USA]
The Court held that 'A computerized database is the functional
equivalent of a more traditional news vendor, and the inconsistent
application of a lower standard of liability to an electronic news
distributor such as CompuServe than that which is applied to a public
library, book store, or newsstand would impose an undue burden on
the free flow of information.'
The Court held that computer bulletin boards should generally be
regarded in the same context as bookstores, libraries and network
affiliates. The Court held that in this case, because of PRODIGY's own
policies, technology and staffing decisions, the scenario had been
altered and the Court held that PRODIGY was a publisher.
Zeran v America Online Inc
(1997) 129 F 3d 327 [USA]
The Court held that a federal immunity was granted to any cause of
action that would make service providers liable for information
27

originating with a third-party user of the service and that lawsuits

seeking to hold a service provider liable for its exercise of a publisher's
traditional editorial functions-such as deciding whether to publish,
withdraw, postpone or alter content-are barred.
COMPUTER FRAUD
FTC v. Craig Lee Hare
S.D. Fla. 4/*/98 [USA]
In this case the action was for deceptive trade practices arising from
on-line "auction" offering sale of computer products that were never
delivered.
The Defendant pleaded guilty to wire fraud and was sentenced to six
months home detention, three years probation and ordered to pay
restitution of over $22,000. He was also barred for life from conducting
Internet commerce.
United States v. Middleton
35 F. Supp. 2d 1189 (N.D. Cal. 1999) [USA]
The court held that the term "individual" as used in the Computer
Fraud and Abuse Act, is not confined to natural persons, but extends to
business

entities,

and

hence

damage

to

an

ISP-victim

was

encompassed under the statute.

United States v. Hoke
Magistrate No. 99-889M (C.D. Cal. 4/14/99) [USA]
A suit was filed against Gary Hoke for disseminating misinformation on
a counterfeit Bloomberg News Service Web page regarding an alleged

28

merger between his employer PairGain Technology, Inc. and ECI

Telecom, Ltd.
Initial investigation by the FBI revealed that Hoke might have used
services of Angelfire.com to host the page and Hotmail email service.
Hoke was traced by IP addresses from these services. Hoke, pled guilty
and was sentenced to five months of home detention, five years
probation, and restitution of $93,086.77.
United States v. Pirello
255 F.3d 728 (9th Cir. 2001) [USA]
The Ninth Circuit ruled on the application of the US Sentencing
Commission Guidelines (USSG) about a defendant fraudulently selling
computers online.
The defendant Pirello placed four advertisements on Internet classifiedads websites, soliciting buyers for computers. Pirello received three
orders, deposited the money in his personal bank account, and never
delivered computers.
The court determined that USSG 2F1.1(b)(3), which instructs courts to
enhance a sentence by two levels if the offense was committed
through "mass-marketing," applied to Pirello's fraudulent Internet
advertisements. The court held that the use of the Internet website to
solicit orders for non-existent computers violated the USSG and
affirmed the lower court's enhancement of Pirello's sentence.

29

PORNOGRAPHY
Davis v. Gracey
111 F.3d 1472 (10th Cir. 1997) [USA]
After the accused, Davis, sold obscene CD-ROMs to an undercover
officer, a warrant was obtained to search his business premises; police
officers determined pornographic CD-ROM files could be accessed
through the bulletin board and seized the computer equipment used to
operate it.
Following his criminal conviction and civil forfeiture of the computer
equipment in state court proceedings, Davis, his related businesses,
and several users of email on his bulletin board brought action against
the officers who executed the search, alleging that the seizure of the
computer equipment and email and software stored on the system
violated constitutional and statutory provisions.
Affirming, the 10th Circuit held that the original warrant was not
unconstitutionally overbroad, and that the incidental temporary seizure
of bulletin board email users' files did not invalidate the seizure of the
computer within which they were stored. "The computer equipment
was more than merely a 'container' for the files; it was an
instrumentality of the crime."
United States v. Thomas
74 F.3d 701 (6th Cir. 1996) [USA]
A Bulletin Board Service (BBS) operator in California was arrested and
convicted

when

pornographic

materials

from

their

site

were

downloaded by a federal postal inspector in Tennessee (USA), and

30

materials

ordered

from

them

were

delivered,

violating

federal

obscenity laws. Conviction and sentence were affirmed.

The Court held that GIF files are not "intangible" for purpose of federal
obscenity laws; distribution of obscene materials was "knowing" even
without defendants having specific knowledge of each individual
transmission; obscenity may be measured by "community standard" in
place where materials are received; defendants' ability to control
subscriptions and access to their BBS made them liable for the
downloading that occurred in Tennessee, and thus amenable to
jurisdiction there. The court distinguished the subscriber-BBS from an
"Internet-type" situation, in which the person posting the materials has
no control over where they will be downloaded.
United States v. Kufrovich
997 F. Supp. 246 (D. Conn. 1997) [USA]
Defendant, charged under 18 U.S.C. 2422(b) and 2423(b) with using
a means of Interstate Commerce to knowingly persuade a minor to
engage in sexual activity moved to dismiss, alleging that the Supreme
Court's finding that portions of the Communications Decency Act were
unconstitutional made Internet speech presumptively protected under
the First Amendment. Because Defendant's contact with the victim had
been through the Internet, it was constitutionally protected and could
not be used in evidence against him, he maintained.
The court rejected the argument, holding that the statutes under which
the charges were brought do not impermissibly limit speech; they
criminalize the use of means of interstate commerce (such as Internet
and telephone lines) for the purpose of luring a minor into sexual
activity.
31

M.G. v. Brian D. Travis

667 N.Y.S.2d 11 (1st Dep't 1997) [USA]
The Court upheld the restriction on paroled sex offender's use of
computers as within "the spirit and intent of the Legislature in enacting
Megan's Law and ... within the responsibility of the Division of Parole".
The Court held that "The imposition of these conditions did not violate
the parolee's Double Jeopardy rights and was not arbitrary or
capricious". The court held that "this condition is narrowly tailored
solely to prevent petitioner from exchanging pornographic messages.
Certainly, no lengthy explication is needed, in this age of 'Internet
pedophilia,' to show the wisdom of this condition in preventing
recidivism".
United States v. Hockings
129 F.3d 1069 (9th Cir. 1997) [USA]
It was held that the computer graphic interchange files (GIFs) in binary
format fall within the definition of "visual depictions" as contemplated
by 18 U.S.C. 2252(a)(1) and (4)(B).
The fact that such files require the use of personal computer hardware
and software to depict images of child pornography does not put them
outside the statute, the court held, analogizing to an earlier case in
which undeveloped film was also held to constitute a "visual depiction"
under the statute.
United States v. Simpson
152 F.3d 1241 (10th Cir. 1998) [USA]
32

The court held that the Detective's affidavit describing aborted

transaction negotiated in Internet chat room to exchange child
pornography was sufficient to constitute probable cause in obtaining
search warrant.
United States v. Matthews
11 F. Supp 2d 656 (D. Md. 1998) [USA]
The Court held that each transfer by email of a child pornography
image is a separate offense under federal law. The Court rejected the
defendant's argument that the successive email transmissions were all
part of a single online "conversation".
The U.S. District Court for the District of Maryland also rejected the
defendant's First Amendment defense based on the claim that he was
involved in investigative journalism. This decision was affirmed by the
Fourth Circuit Court of Appeals.
People v. Barrows
677 N.Y.S.2d 672 (Supr. Ct. 1998) [USA]
New York penal code law 235.22, bars the knowing transmission of
sexual materials to a minor by computer with the intent to lure the
minor into sexual activity. This deed was held to, prima facie, be
unconstitutional.
Analogizing to Reno v. ACLU, the Court held that the inherent
vagueness of the terms in the code to describe elements of the crime
would insidiously end all communication on the Internet related to sex
(this would also include communication with regard to sya, Sex
education).
33

However,

263.10,

prohibiting

"promoting

an

obscene

sexual

performance by a child" was upheld. The court distinguished the two

code sections, reasoning that the upheld section was unrelated to the
age of the recipient of the proscribed communication.
United States v. Whiting
165 F.3d 631 (8th Cir. 1999) [USA]
Appeals court held that change of definition of "visual depiction" in law
banning child pornography did not violate ex post facto clause because
previous definition already included data stored on computer disks,
although not explicitly. Amendment made to include electronic data
was a clarification rather than a substantive change.
Fedeemer v. Haun
35 F. Supp. 852 (D. Utah 1999) [USA]
Plaintiff challenged Utah's sex offender notification statute, which
would make sex offender registry information available to the general
public without restriction on the Internet.
The court held that the registry information posted on the Web site and
available to a global audience that will have no risk of encountering the
offender was not reasonably related to the non-punitive goal of
preventing additional sex offences and therefore violated the Double
Jeopardy and Ex Post Facto Clauses.
The court held that the statute did not violate the Equal Protection
Clause because it was rationally related to the goal of guarding against
sexual offenses.
34

The Court also held that the Due Process Clause was not violated
because the information to be posted is considered "non private" and
therefore there is no cognizable injury to the plaintiff's reputation. The
defendant, the Utah Department of Corrections, stipulated it would
administer the statute in accordance with the court's decision, and
therefore no order was issued.

Free Speech Coalition v. Reno

198 F.3d 1083 (9th Cir. 1999) [USA]
Action challenging constitutionality of certain provisions of the Child
Pornography Prevention Act of 1996 (CPPA), which make it illegal to
post on the Internet or to show in movies, pornographic images of
adults portrayed as minors.
Court held that CPPA was unconstitutional insofar that it describes as
child pornography, computer images that do not involve the use of real
children in their production or dissemination. Language used in the
statute, prohibiting images that "appear to be a minor" and "convey
the impression" of being a minor, was held to be unconstitutionally
vague.
The court also noted that Congress has not articulated a compelling
interest sufficient to withstand strict scrutiny. These specific provisions
were struck down, but the remainder of CPPA was allowed to stand.
Later, the US Supreme Court, quashing the decision, granted Certiorari.
People v. Foley
No. 17 (N.Y. Ct. App., Apr. 11, 2000) [USA]
35

The court found that the state law against knowingly transmitting
sexually explicit communications to minors with intent to lure them
into sexual activity was constitutional and did not violate the
Commerce Clause. The court noted that the statute is no broader than
necessary to achieve the purpose of preventing the sexual abuse of
children.
State of New York v. BuffNet
NY Appellate Division, Fourth Judicial Department (2001) [USA]
An Internet Service Provider (ISP) pled guilty to the misdemeanor
charge of knowingly providing access to child pornography. A two-year
investigation found that ISP, BuffNet, knowingly hosted a child
pornography newsgroup called "Pedo University". The police notified
BuffNet that they were hosting illegal content, yet BuffNet failed to
remove the newsgroup from its servers. Police then seized the ISP's
servers. BuffNet was levied a $5000 fine, and removed the obscene
content.

ONLINE GAMBLING
State of New York v. World Interactive Gaming Corp
1999 N.Y. Misc. LEXIS 425 (N.Y. App. Div. 1999) [USA]
Court

granted

injunction

barring

Antigua-based

online

gaming

company from doing business with New York residents. The court held
that regardless of whether gambling is legal where the company is
based, "The act of entering the bet and transmitting the information
from New York via the Internet is adequate to constitute gambling
activity within New York State".

36

The company required users to enter a physical address, and rejected

customers whose address was in a state where gambling was illegal.
However, the New York attorney general used Nevada address from
New York and was able to gain access. The court held this attempt to
screen users was not sufficient to shield the site from liability.
United States v. Cohen
260 F.3d 68 (2d Cir. 2001) [USA]
The Court of Appeals affirmed a decision by a lower court convicting
Jay Cohen of operating an illegal offshore Internet sports gambling
operation.
Cohen operated a bookmaking organization located in Antigua.
Customers were required to maintain accounts with the business, and
would contact the organization by telephone or Internet to request
particular bets. The organization would issue an acceptance and
confirmation of each bet.
The Court of Appeals held that the safe harbor provision of 18 U.S.C.S.
1084(b), which shield an individual from criminal liability under
certain circumstances, did not apply. The court noted that betting is
illegal in New York, and that Cohen's customers were placing bets by
requesting the bets and having them accepted.
In addition, the court found that Cohen had the requisite mens rea, as
it was not necessary that he intended to violate the statute so long as
he knowingly committed the criminal acts.
MISCELLANEOUS
Register.com, Inc. v. Verio, Inc
126 F. Supp. 2d 238 (S.D.N.Y., December 12, 2000) [USA]

37

Court issued a preliminary injunction enjoining Verio, Inc. from either

utilizing a search robot to obtain information from Register.com's Whois
database, or utilizing information derived from that database for mass
unsolicited advertising by telephone, direct mail or electronic mail.
Court held that Verio's actions would likely constitute a breach of
plaintiff's Terms of Use, as well as a violation of both the Computer
Fraud and Abuse Act and the Lanham Act and a trespass to chattels. In
reaching this conclusion, the court held that Register.com's Terms of
Use are likely to create a contract between Register.com and the users
of its Whois database, notwithstanding the fact that these users are
not required to click an "I Agree" button indicating their agreement to
be so bound.
United States v. Gilboe
684 F.2d 235 (2d Cir. 1982) [USA]
The Court convicted a person for transportation of money obtained by
fraud. Defense based on contention that electronic transfer was not
"transportation" was rejected.
People v. Alan Munn
Crim. Court Queens Cty., No. 98Q-052574 [USA]
The defendant in a harassment case, who asked the readers of a
posting on an Internet news group to kill a police officer with family,
moved to dismiss on the grounds that New York statute did not cover
the Internet. Statute covered communications "by telephone, or
telegraph, mail or any other form or written communication".

38

The Judge held that posting was covered because it was initiated by
means of a telephonic communication with the network community.
State of Utah v. Amoroso
364 Utah Adv. Rep. 3 (Utah Ct. App. 1999) [USA]
The state of Utah may criminally prosecute an Illinois corporation for
liquor sales to Utah residents over the Internet, through the use of a
telephone "800" number, and by mail. Although the Utah appellate
court held that it was improper to apply the civil "minimum contacts"
analysis, the court held that there was criminal personal jurisdiction in
Utah over the defendants based upon the theory that the conduct
committed in Illinois caused an unlawful result in Utah.
The court also held that the prosecution was valid under the TwentyFirst Amendment and did not violate the Commerce Clause.
United States v. Baker
(890 F. Supp. 1375 (E.D. Mich. 1995) [USA])
aff'd sub nom U.S. v. Alkahabaz
(104 F.3d 1492 (6th Cir. Mich. 1997) [USA])
In this case, a college student who wrote a sado-masochistic fantasy
story about one of his classmates and transmitted it to an Internet
correspondent could not be prosecuted for interstate transmission of
threats to injure or kidnap as there was no showing that the thoughts
expressed in the story were "true threats" on which the student
intended to act.
On January 29, 1997, on appeal in U.S. v. Alkhabaz, dismissal was
affirmed. The Court held that the elements of the charge of threat were
39

not met by email transmitted between two Internet users containing

sado-masochistic fantasies about a student known to one of the
correspondents.

State of Pennsylvania v. Murgalis

No. 189 MDA 1999 (Pa. Super. Ct., June 2, 2000) [USA]
The Pennsylvania Superior Court held that the Internet falls under the
definition of a "computer system" and the use of e-mail is "accessing a
computer" under a Pennsylvania criminal statute.
The defendant was convicted of unlawful use of a computer, arising
from his failure to deliver items purchased on-line by customers, and
his passing of bad cheques to suppliers. The Pennsylvania statute
prohibits the use of a computer system with the intent to defraud. The
court rejected the defendant's argument that the Internet is not a
"computer system".
United States v. Sills
S.D.N.Y., April 2000 [USA]
A police officer was charged with using software and a radio scanner to
intercept alphanumeric pager messages in violation of the Electronic
Communications Privacy Act.
The judge denied the officer's motion to dismiss, holding that the
interception did not fall within the Act's exemption for tone-only
pagers, and rejecting a claim of selective prosecution.
Firth v. State of New York
40

N.Y. Court of Claims, March 2000 [USA]

The plaintiff claimed that publication of an alleged libel on the Internet
was "continuous publication", which would extend the statute of
limitations.
The court held that the statute would run from the date the material
was first posted, rather than continuously. On October 29, 2001, the
New York Appellate Division Court affirmed the decision.
United States v. Gray
78 F. Supp.2d 524 (E.D. Va. 1999) [USA]
The court held that child pornography discovered during a search
conducted pursuant to obtaining a warrant for materials related to
computer tampering was admissible. Defendant argued that files with
the .JPG extension were presumptively pictures and not related to
subject of search. Court noted that hackers frequently mislabel files,
and FBI agents were not required to take file names at face value.
Doherty v. Registry of Motor Vehicles
97CV0050 (Mass. Dist. Ct., Suffolk Cty. Charlestown Div., May 28, 1997)
[USA]
The court held that an electronically-transmitted police report satisfied
the requirement of a signed writing under the state's perjury law.

In re Doubleclick Inc. Privacy Litigation

00 Civ. 0641 (S.D.N.Y., March 28, 2001) [USA]

41

The Court dismissed the claims advanced by the plaintiff under the
Electronic Communications Privacy Act, the Computer Fraud and Abuse
Act, and the Wiretap Act arising out of Doubleclick's use and placement
of "cookies" on plaintiffs' computers.
Doubleclick uses such "cookies" to gather information about the users'
use of Doubleclick client web sites. Since Doubleclick's clients
consented to such information being gathered, the court held that
Doubleclick's activities did not run afoul of either the Electronic
Communications Privacy Act or the Wiretap Act.
The court also dismissed the claims, which the plaintiffs advanced
under the Computer Fraud and Abuse Act because any damages
caused by Doubleclick's activities did not meet the threshold required
by the Computer Fraud and Abuse Act. Finally, the court, having
dismissed all of the plaintiffs' federal claims, declined to retain
jurisdiction over plaintiffs' state law claims, and dismissed the action.
United States Of America V. Robert Tappan Morris
928 F.2d 504; 1991 U.S. App. LEXIS 3682 United States Court Of
Appeals For The Second Circuit[USA]
In 1988, Morris was a first-year graduate student in Cornell University's
computer science Ph.D. program. Through undergraduate work at
Harvard and in various jobs he had acquired significant computer
experience and expertise.
When Morris entered Cornell, he was given an account on the
computer at the Computer Science Division. This account gave him
explicit authorization to use computers at Cornell. Morris engaged in

42

various discussions with fellow graduate students about the security of

computer networks and his ability to penetrate it.
In October 1988, Morris began work on a computer program, later
known as the Internet "worm" or "virus". The goal of this program was
to demonstrate the inadequacies of current security measures on
computer networks by exploiting the security defects that Morris had
discovered.
The tactic he selected was the release of a worm into network
computers. Morris designed the program to spread across a national
network of computers after being inserted at one computer location
connected to the network. Morris released the worm into the Internet.
Morris sought to program the INTERNET worm to spread widely without
drawing attention to itself. The worm was supposed to occupy little
computer operation time, and thus not interfere with normal use of the
computers. Morris programmed the worm to make it difficult to detect
and read, so that other programmers would not be able to "kill" the
worm easily.
Morris also wanted to ensure that the worm did not copy itself onto a
computer that already had a copy. Multiple copies of the worm on a
computer would make the worm easier to detect and would bog down
the system and ultimately cause the computer to crash. Therefore,
Morris designed the worm to "ask" each computer whether it already
had a copy of the worm. If it responded "no," then the worm would
copy onto the computer; if it responded "yes," the worm would not
duplicate. However, Morris was concerned that other programmers
could kill the worm by programming their own computers to falsely
respond "yes" to the question. To circumvent this protection, Morris
43

programmed the worm to duplicate itself every seventh time it

received a "yes" response.
As it turned out, Morris underestimated the number of times a
computer would be asked the question, and his one-out-of-seven ratio
resulted in far more copying than he had anticipated. The worm was
also designed so that it would be killed when a computer was shut
down, an event that typically occurs once every week or two. This
would have prevented the worm from accumulating on one computer,
had Morris correctly estimated the likely rate of re-infection.
Morris identified four ways in which the worm could break into
computers on the network:
through a "hole" or "bug" (an error) in SEND MAIL, a computer program
that transfers and receives electronic mail on a computer;
through a bug in the "finger demon" program, a program that permits
a person to obtain limited information about the users of another
computer;
through the "trusted hosts" feature, which permits a user with certain
privileges on one computer to have equivalent privileges on another
computer without using a password; and
through

program

of

password

guessing,

whereby

various

combinations of letters are tried out in rapid sequence in the hope that
one will be an authorized user's password, which is entered to permit
whatever level of activity that user is authorized to perform.

44

On November 2, 1988, Morris released the worm from a computer at

the Massachusetts Institute of Technology. MIT was selected to disguise
the fact that the worm came from Morris at Cornell. Morris soon
discovered that the worm was replicating and re-infecting machines at
a much faster rate than he had anticipated.
Ultimately, many machines at locations around USA either crashed or
became "catatonic". When Morris realized what was happening, he
contacted a friend at Harvard to discuss a solution. Eventually, they
sent an anonymous message from Harvard over the network,
instructing programmers how to kill the worm and prevent re-infection.
However, because the network route was clogged, this message did
not get through until it was too late.
Computers were affected at numerous installations, including leading
universities, military sites, and medical research facilities. The
estimated cost of dealing with the worm at each installation ranged
from $ 200 to more than $ 53,000.
Morris was found guilty, following a jury trial, of violating 18 U.S.C. @
1030(a)(5)(A). He was sentenced to three years of probation, 400
hours of community service, a fine of $ 10,050, and the costs of his
supervision.
The major issue raised in this case was what satisfies the statutory
requirement of "access without authorization".
Subsection 1030(a)(5)(A) penalizes the conduct of an individual who
"intentionally

accesses

Federal

interest

computer

without

authorization". The accused contended that his conduct constituted, at

45

most, "exceeding authorized access" rather than the "unauthorized

access" that the subsection punishes.
The Court held that under the traditional standard Morris was
authorized to use computers at Cornell, Harvard, and Berkeley, all of
which were on INTERNET. As a result, Morris was authorized to
communicate with other computers on the network to send electronic
mail (SEND MAIL), and to find out certain information about the users
of other computers (finger demon). The question is whether Morris's
transmission of his worm constituted exceeding authorized access or
accessing without authorization.
The Court held that Morris's conduct fell well within the area of
unauthorized access. "Morris did not use either of those features in any
way related to their intended function. He did not send or read mail nor
discover information about other users; instead he found holes in both
programs that permitted him a special and unauthorized access route
into other computers".
The Court also held that although initial insertion of the worm simply
exceeded the accused's authorized access, the evidence demonstrated
that the worm was designed to spread to other computers at which he
had no account and no authority, express or implied, to unleash the
worm program.
Moreover, there was also evidence that the worm was designed to gain
access to computers at which he had no account by guessing their
passwords. The Court held that the evidence supported the conclusion
that the accused accessed without authority as opposed to merely
exceeding the scope of his authority.

46

Chapter 6
Conclusion
At the end of this project, several inferences can be drawn from the
work done in this project. These are:
1. Cyber Crime cannot be clubbed together with ordinary crime.
Though there are similarities at the present moment, and they
are taken together, it is my feeling that within the next 5 years, a
trend of separating crime into two categories shall begin. The
categories will be virtual crime and physical crime. This is
already happening to a limited extent in some countries where it
is being realized that the standard rules of penal law or penology
cannot be applied in their traditional manner to cyber offences.
The laws of evidence have to be looked at very carefully indeed.
It is an interesting fact that the book in which the term
cyberspace was first coined, Neuromancer, by William Gibson,
spoke of a future in which the world is one vast connected entity.
Society had moved into the cyber world. Crime had become
totally cyber. This book was written in 1984, and the future it
visualized seems eerily real today.
2. Human Society as a whole is changing. On reading all the cases
studied, and various other materials, a pattern begins to emerge.
Human beings are progressing, if one can call it that, from the
material world, where physical harm is the highest form of
punishment, to the digital era. In fact in a recent Harvard
Business Review article, a journalist spoke of the feeling of utter
helplessness she experienced when her PDA (Personal Digital
Assistant) crashed. I felt like I had died. More than data, it was
my life in there. These kinds of sentiments are becoming more

47

and more common today. People often feel closer to their virtual
friends, or e-friends, living thousands of miles away, than to their
neighbours living next door.
3. In this Virtual World there are no, or at least insufficient laws.
This virtual world can be compared to a Frontier town of the Old
West. The Wild West as it was known had no real laws or rules. It
was every man for himself. The people recognized this. Laws
were written down as incidents which required them happened.
This is echoed in todays digital frontier. Laws are scrambling to
keep pace with the rate of change in technology. Todays laws
may be obsolete tomorrow. A smart person can get away with a
lot of things that would be impossible in the real world.
4. This shadowy world is not very well understood. This is the main
reason that legislations are unable to address the real problems.
One more reason for this is that the Digital Citizens, are only
now entering their late forties. In many countries, like India, this
is too young to actively influence the Legislative process.
However, as these people reach the decision making positions in
society, possibly the picture will change.
The Cyber Laws in India, while a good start, are not necessarily very
comprehensive. The Indian Cyber Law needs to be updated, or to use a
term from computerese, upgraded. The protections that it envisages
have changed from the time of its passing. In fact, the IT Act should be
one of the most dynamic legislations in the country, if not the most.
Only this will keep law enforcement, if not one step ahead, at least not
too many steps behind cyber criminals. The august Legislature of our
country must realize this and institute a special task for on IT and
Cyber Law, whose role it should be to keep track of the changes in the
Digital Ecosystem, and to formulate changes in the IT Act, so that it
remains relevant.
48

Bibliography
Books
1. Computer Contracts and Information Technology Law, Rao, S.
Joga (Nagpur : Wadhwa and Co., 2003)
2. Computer law 3rd Ed, Edited by Chris Reed,(New Delhi: Universal
Law Publishers, 2000)
3. Computer Law 4th Ed., Edited by Chris Reed and John Angel,(New
Delhi: Universal Publishers, 2002)
4. Criminal Law, Cases and Materials,, Gaur, K.D (New Delhi:
Butterworths India, 1999)
5. Guide to Cyber Laws, Ryder, Rodney D. (Nagpur : Wadhwa
Publications, 2001)
6. Information technology Law, Rowland Diane and Elizabeth
Macdonald, (London: Cavendish Publishing Ltd, 1997)
7. Law of Information Technology (Cyber Law), Mittal, D.P (New
Delhi: Taxmann, 2000)
8. Rules of the Road for the Information Superhighway : Electronic
Communications

and

the

Law,

Benkler,

Yochai

(St.

Paul

Minnesota: West Publishing, 1996)

9. The Law Relating to Computers and the Internet, Matthan, Rahul
(New Delhi: Butterworths India, 2000)
Cases
1. aff'd sub nom U.S. v. Alkahabaz (104 F.3d 1492 (6th Cir. Mich.
1997) [USA])
2. America Online Inc. v. National Health Care Discount, Inc 2000
U.S. Dist. Lexis 17055 (N.D. Iowa, September 29, 2000 [USA]
3. Anderson v New York Telephone Co. (1974) 35 NY 2d 746) [USA]
4. Briggs v. State of Maryland 348 Md. 470 (1998) [USA]
5. Cubby Inc v CompuServe Inc. (1991) 776 F Supp 135 [USA]

49

6. Davis v. Gracey 111 F.3d 1472 (10th Cir. 1997) [USA]

7. Doherty v. Registry of Motor Vehicles 97CV0050 (Mass. Dist. Ct.,
Suffolk Cty. Charlestown Div., May 28, 1997) [USA]
8. Dr. Prakash v. State of Tamil Nadu, MANU/SC/0870/2002
9. Fedeemer v. Haun 35 F. Supp. 852 (D. Utah 1999) [USA]
10.

Firth v. State of New York N.Y. Court of Claims, March 2000

[USA]
11.

Free Speech Coalition v. Reno 198 F.3d 1083 (9th Cir. 1999)

[USA]
12.

FTC v. Craig Lee Hare S.D. Fla. 4/*/98 [USA]

13.

In re Doubleclick Inc. Privacy Litigation

00 Civ. 0641

(S.D.N.Y., March 28, 2001) [USA]

14.

M.G. v. Brian D. Travis 667 N.Y.S.2d 11 (1st Dep't 1997)

[USA]
15.

People v. Alan Munn Crim. Court Queens Cty., No. 98Q-

052574 [USA]
16.

People v. Barrows 677 N.Y.S.2d 672 (Supr. Ct. 1998) [USA]

17.

People v. Foley No. 17 (N.Y. Ct. App., Apr. 11, 2000) [USA]

18.

Register.com, Inc. v. Verio, Inc 126 F. Supp. 2d 238

(S.D.N.Y., December 12, 2000) [USA]

19.

Scott Moulton and Network Installation Computer Services,

Inc. v. VC3 Civ. Act. No. 1:00-CV-434-TWT (N.D. Ga. November 6,

2000) [USA]
20.

State of New York v. BuffNet NY Appellate Division, Fourth

Judicial Department (2001) [USA]

21.

State of New York v. World Interactive Gaming Corp 1999

N.Y. Misc. LEXIS 425 (N.Y. App. Div. 1999) [USA]

22.

State of Pennsylvania v. Murgalis No. 189 MDA 1999 (Pa.

Super. Ct., June 2, 2000) [USA]

23.

State of Utah v. Amoroso 364 Utah Adv. Rep. 3 (Utah Ct.

App. 1999) [USA]

50

24.

State of Washington v. Townsend No. 19304-7-III (Wash. Ct.

App. 2001) [USA]

25.

Stratton Oakmont v Prodigy (1995) NY Misc Lexis 229

[USA]
26.

United States Of America V. Robert Tappan Morris 928 F.2d

504; 1991 U.S. App. LEXIS 3682 United States Court Of Appeals
For The Second Circuit[USA]
27.

United States v. Baker

(890 F. Supp. 1375 (E.D. Mich.

1995) [USA])
28.

United States v. Brown, 925 F.2d 1301, 1308 (10th Cir.

1991).
29.

United States v. Cohen 260 F.3d 68 (2d Cir. 2001) [USA]

30.

United States v. Gilboe 684 F.2d 235 (2d Cir. 1982) [USA]

31.

United States v. Gray 78 F. Supp.2d 524 (E.D. Va. 1999)

[USA]
32.

United States v. Hockings 129 F.3d 1069 (9th Cir. 1997)

[USA]
33.

United States v. Hoke Magistrate No. 99-889M (C.D. Cal.

4/14/99) [USA]
34.

United States v. Kammersell 1998 U.S. Dist. LEXIS 8719 (D.

Utah 1998) [USA]

35.

United States v. Kufrovich 997 F. Supp. 246 (D. Conn. 1997)

[USA]
36.

United States v. Machado C.D. Cal. 2/10/98 [USA]

37.

United States v. Matthews 11 F. Supp 2d 656 (D. Md. 1998)

[USA]
38.

United States v. Middleton 35 F. Supp. 2d 1189 (N.D. Cal.

1999) [USA]
39.

United States v. Pirello 255 F.3d 728 (9th Cir. 2001) [USA]

40.

United States v. Sills S.D.N.Y., April 2000 [USA]

51

41.

United States v. Simpson 152 F.3d 1241 (10th Cir. 1998)

[USA]
42.

United States v. Thomas 74 F.3d 701 (6th Cir. 1996) [USA]

43.

United States v. Whiting 165 F.3d 631 (8th Cir. 1999) [USA]

44.

Zeran v America Online Inc. (1997) 129 F 3d 327 [USA]

Websites
1. http://news.bbc.co.uk/1/hi/world/south_asia/1162245.stm
2. http://www.cybercrime.gov
3. http://www.dqindia.com
4. http://www.hindustantimes.com
5. http://www.manupatra.com
6. http://www.westlaw.com
7. http://www4.law.cornell.edu

52

Appendix 1
Cyber Cops and Robbers
Hyderabad's pioneering 'cyber crime police station' is all set to file the
first of its charge sheets. 13
The cyber crime police station functions within the Crime Investigation
Department of Andhra Pradesh Police. So far it has investigated 11
cases and arrested four accused.
"Charge sheets in two cyber crimes are likely to be filed within a couple
of weeks in the 9th Metropolitan Magistrate's Court that deals with CID
cases," says Ravi Kiran, a police official at the cyber crime police
station.
Though the state government had issued orders for setting up the
cyber crime unit in May 2002, the special police station began work
only in December. Late last month it moved into the newly constructed
CID office complex here.
"The cyber crime police station has jurisdiction over all of Andhra
Pradesh and deals with cyber offences under the Information
Technology Act, 2000," Kiran explains.
He points out that this large jurisdiction over the entire state is unique
to his police station. Three other cyber crime police stations that were
founded later in New Delhi, Mumbai and Bangalore have powers within
their cities only.
"Right now, we are dealing with offences committed under the IT Act;
particularly sections 65, 66 and 67. These pertain to tampering of
computer source documents, hacking of computer systems and
publication of obscene information in electronic form. We also add
relevant sections of the Indian Penal Code, depending on the nature of
the offence," Kiran says.
The cyber crime police station has registered eight cases since
December 2002. Besides, three cases of cyber crime, registered by the
Hyderabad City Police, have also been transferred to the cyber crime
police station for investigation.

13

http://www.rediff.com/netguide/2003/aug/05crime.htm, Last visited, 14th September, 2003

53

Eight of these cases pertain to Section 67, where the accused have
been charged with sending obscene emails to the complainants. Two
cases relate to Section 65, which is about theft of source code. And one
case falls under Section 66, which covers hacking.
The cyber crime police arrested a person who has been accused of
using fake IDs, sending obscene emails to BJP MP Denzil B Atkinson and
threatening to kidnap his daughters.
In another case, the cyber crime police arrested a food and beverages
manager of a luxury hotel in Chennai, for sending obscene emails to a
lady IPS officer, who is working as an inspector-general of police in
Hyderabad.
One person was nabbed for stealing source code and another was
arrested for sending obscene emails to the executives of a US
company.
"The accused in all the cases detected so far are highly educated
people who are well-versed with computers. One is a doctor, a child
specialist, and another is a systems engineer with a BTech degree.
Then there is a government officer with a postgraduate degree," Kiran
says.
In six cases, the investigation is stuck either because the incriminating
emails were sent through cyber cafes or a foreign Internet service
provider has refused to cooperate in furnishing user details. Indian
ISPs, however, have been extending all the help they can.
"We are facing problems in investigating some cases because the
cyber criminals are using Internet cafes for sending malicious mails.
These cafes do not maintain any users logs. In other instances, the
suspects live abroad and this makes it difficult to pursue the case,"
Kiran explains.
At present, the cyber crime police station is accepting complaints in
writing, lodged personally by the affected people. There is no online
registration of complaints right now. Even if people send complaints
through email, they will have to follow it up with a validation by visiting
the police station.
Additional Superintendent of Police, M Sivananda Reddy, heads the
cyber crime police station as station house officer. He is assisted by
Deputy Superintendent of Police C Jayaram Reddy, a sub-inspector and
four constables. A private consultant has also been hired.

54

As per the IT Act, cognizable offences under Section 65 (tampering

with computer source documents) are punishable with imprisonment
up to three years or with fine up to Rs 200,000 or both. Offences under
Section 66 (hacking computer systems) are punishable with
imprisonment up to three years or fine up to Rs 300,000 or both.
Similarly, offences under Section 67 (publishing obscene information in
electronic form) are punishable with imprisonment up to five years and
fine up to Rs 100,000 for the first conviction and prison term up to 10
years and fine up to Rs 200,000 for the second conviction.
The cyber crime police station, which seizes computer systems, hard
disks and other incriminating material, sends them to the AP Forensic
Science Laboratory for analysis and report.
Incidentally, the APFSL, the only ISO-9000 forensic lab in India, has set
up the country's first state-level computer crime laboratory on its
Hyderabad campus.
The Computer Crime Analysis Lab is equipped with the latest
equipment and expertise to deal with all types of computer crimes,
computer frauds and computer abuse. The lab can handle cases
pertaining to hacking, spread of virus, pornography, manipulation of
accounts, alteration of data, software piracy, creation of false Web
sites, printing of counterfeit currency, forged visas, theft of intellectual
property, email spamming, denial of access, password theft, crimes
with cell phones and palmtops, cyber terrorism and steganography, the
transmission of secret codes concealed in pictures.

55

Appendix 2
Amendments to the Indian Penal Code, 1860, by the Information
Technology Act 2000
THE FIRST SCHEDULE
(AMENDMENTS TO THE INDIAN PENAL CODE)
1. After section 29, the following section shall be inserted, namely 29A.The words "electronic record" shall have the meaning assigned to
it in clause (s) of sub-section (7) of section 2 of the Information
Technology Act, 1999.
2In section 167, for the words "such public servant, charged with the
preparation or translation of any document, frames or translates that
document",
the words "such public servant, charged with the
preparation or translation of any document or electronic record,
frames, prepares or translates that document or electronic record"
shall be substituted
3. In section 172, for the words "produce a document in a Court of
Justice", the words "produce a document or an electronic record in a
Court of Justice" shall be substituted.
4 In section 173, for the words "to produce a document in a Court of
Justice",
the words "to produce a document or electronic record in a Court of
Justice"
shall be substituted.
5. In section 175, for the word "document" at both the places where it
occurs,
the words "document or electronic record" shall be substituted.
6. In section 192, for the words "makes any false entry in any book or
record, or makes any document containing a false statement", the
words "makes any false entry in any book or record, or electronic
record or makes any document or electronic record containing a false
statement" shall be substituted.
7. In section 204, for the word "document" at both the places where it
occurs,
the words "document or electronic record"
shall be
substituted.

56

8.In section 463, for the words "Whoever makes any false documents
or part of a document with intent to cause damage or injury", the
words "Whoever makes any false; documents or false electronic record
or part of a document or electronic record, with intent to cause
damage or injury" shall be substituted.
9.In section 464 (a)or the portion beginning with the words "A person
is said to make a false
document" and ending with the words "by
reason of deception practised upon
him, he .does not know the
contents of the document or the nature of me
alteration", file
following shall be substituted, namely: A person is said to make a false document or false electronic record First Who dishonestly or fraudulently (a)makes, signs, seals or executes a document or part of a document;
(b)makes or transmits any electronic record or part of any electronic
record;
(c)affixes any digital signature on any electronic record;
(d)makes any mark denoting the execution of a document or the
authenticity of the digital signature, with the intention of causing it to
be believed that such document or a part of document, electronic
record or digital signature was made, signed, sealed
executed,
transmitted or affixed by or by the authority of a person by whom or
by whose authority he knows that it was not made, signed, sealed,
executed or affixed; or
Secondly Who, without lawful authority, dishonestly of fraudulently, by
cancellation or otherwise, alters a document or an electronic record in
any material part thereof, after it has been made, executed or affixed
with
digital signature either by himself or by any other person,
whether such person be living or dead at tile time of such alteration;
or
Thirdly Who dishonestly or fraudulently causes any person to sign, seal,
execute or alter a document or an electronic record or to affix his
digital signature on any electronic record knowing that such person
by reason of unsoundness of mind or intoxication cannot, or that by
reason of deception practised upon him, he does not know the
contents of the document or electronic record or the nature of the
alteration."
(b)
after Explanation 2,
the following Explanation shall be inserted at the end, namely Explanation 3 - For the purposes of this section, the expression
"affixing digital signature" shall have the meaning assigned to it in.

57

clause (d) of
sub- 50 section (1) of section 2 of the Information
Technology Act, 1999.'
10.In section 466 (a)for the words "Whoever forges a document",
the words "Whoever forges a document or an electronic record" shall
be substituted;
(b)the following Explanation shall be inserted at the end, namely Explanation - For the purposes of this section, "register" includes any
list, data or record of any entries maintained in the electronic form as
defined in clause (r) of sub-section (1) of section 2 of the Information
Technology Act, 1999.
11.In section 468, for the words "document forged", the words
"document or electronic record forged" shall be substituted.
12.In section 469, for the words "intending that the document forged",
the words "intending that the document or electronic record forged"
shall be substituted.
13.In section 470, for the word "document" in both the places where it
occurs,
the words "document or electronic record"
shall be
substituted.
14.In section 471, for the word "document" wherever it occurs, the
words "document or electronic record" shall be substituted.
15. In section 474, for the portion beginning with the words "Whoever
has in his possession any document" and ending with the words "if the
document is one of the description mentioned in section 466 of this
Code", the following shall be substituted, namely: " Whoever has in his possession any document or electronic record,
knowing the same to be forged and intending that the same shall
fraudulently or
dishonestly be used as a genuine, shall, if the
document or electronic record is one of the description mentioned in
section 466 of this Code.".
16.In section 476, for the words "any document", the words "any
document or electronic record" shall be substituted.
17.in section 477A, for the words "book, paper, writing" at both the
places where they occur, the words "book, electronic record, paper,
writing" shall be substituted.

58

Appendix 3
The Rise of Cyber Crimes
Cyber Attacks: Its Time to Act
Cybercrime is all around us, and on the rise. And not only are top
enterprises at risk, youin your personal, individual capacitymay
also be under watch...
Neetu Katyal
Thursday, November 21, 200214
Hugh Jackman plays a hacker named Stanley Jose in Swordfish, and
has the expertise to break in to government computers and alter
records. Skeet Ulrich plays the most wanted computer hacker on the
FBI list, Kevin Mitnick, in Takedown. And recently, Abhishek Bachchan
played Jagdish, a computer whiz-kid who puts his knowledge to good
use and saves a site in Om Jai Jagdish. The common factorhacking.
How the lure of money can transform an intellectual into a fraudster
came to fore when a software engineering graduate from IIT Kharagpur
was caught red-handed trying to sell the source code of a sophisticated
software package recently. The arrest followed a complaint from the
Federal Bureau of Investigation, which informed its Indian counterpartthe Central Bureau of Investigationof the attempt to sell the source
code of Solid Works 2001 Plus, developed by American firm Solid
Works. This company had outsourced debugging of the package to a
Mumbai-based company, where this engineer workedafter finishing
work on the project, the engineer resigned.
Before leaving, however, he took the entire source code of the software
with him. He then approached other software companies in the US
through e-mail, announcing that he had the source code and
expressing his keenness to sell it. A company named Solid Concepts in
the US responded to his mail, and informed Solid Works and the FBI
about the offer. After negotiation, the exchange was finalized for a sum
of $200,000 and an initial payment of $20,000 wired to the engineers
bank account in Mumbai. An FBI agent posing as a representative of
the company met the engineer at Delhis Ashok Hotel, where the latter
was apprehended while handing over the source code on two CDs. Hes
14

http://www.dqindia.com/content/special/202112102.asp

59

since been booked under Sections 379 and 406 of the Indian Penal
Code and Section 66 of the IT Act.
From the CBI files...
The Central Bureau of Investigation registered its first case on hacking
when the Department of Customs and Central Excise complained that
its site had been hacked into. Identified as the Anti-India Crew, the
culprits had hacked into more than 120 Indian sites. Fortunately, they
managed only to deface the homepage before the hack was detected.
The case gained importance, as it was for the first time that a
government department had lodged a complaint about hacking of its
Website.
In another case of cyber harassment, the cyber crime cell of CBI
cracked a case where personal details and telephone number of a
young lady executive were posted on a dating site, with the statement
that she was "available". When her family started getting calls from
around the world, they lodged a complaint with CBIs cyber crime cell.
It was found that the website contained obscene material and had links
to other pornographic sites. The IP addresses of the sites were traced
to one Dewang Badyani of Mumbai. The CBI and local police conducted
searches at the locations of Direct Information, a Web hosting
company, the premises of Badyani, VSNL location and Indosofta
private company that developed the program for the accused. From
the VSNL premises, the team seized a server containing material for
the Websites and other pornographic sites belonging to Badyani from
the rack of Direct Information. Further investigation is on.
Most Offenders are Family or Friends, Who Youd Never Suspect
The Cybercrime Cell in Bangalore celebrated its first birthday on 22
October 2002. Mr Alok Mohan, DIG of police (economic offences),
under the Corps of Detectives, Bangalore, spoke to DQ about the cells
activities in its first year. Excerpts:
l What has been the nature of work at and efficacy of the Cybercrime
Police Station?
The Bangalore CCPS is the first of its kind in the country and has
jurisdiction over the entire state of Karnataka. So far we have solved
more than 90% of the 61 cases that have been lodged.
l Why is it that enterprises are wary of reporting a cyber attack?
Enterprises across the country hesitate to lodge complaints due to
fear of negative publicity. However, I urge them to approach the
legal authority because by not doing so, theyre encouraging the
person to continue.
l What is your team made up of?
60

I oversee the Bangalore Cyber Crime Police Station as cyber crimes

fall under economic offences. My team consists of four DSPs (Deputy
Superintendent of Police), four Inspectors, and a supporting team.
Theyre being constantly trained and we try to keep up with the
changing technology and trends. We also take help of experts from
Wipro, Infosys and from the Department of Supercomputers at IISc.
l Ruling in Indias first case of software piracy
In a landmark decision on 17th October 2002, the designated High
Court of Delhi passed an order prohibiting one Mr Debasish Seal from
selling pirated software over the Net. Seal was accused of selling
pirated Microsoft software on an auction site. The day also happened to
be the second anniversary of the enforcement of the IT Act, 2000.
l Honey, youve landed in the Honeypot
In June 2000, Pakistani hackers broke into a US-based computer
system to use it as a tool to attack India Websites. But little did they
know that they had fallen into the Honeypota trap laid down to trace
hacker activities. Every keystroke, chat sessions and tools they used
were recorded
The administrators used this trap to learn what kind of targets hackers
look for and what their level of expertise was.
Spamming for revenge
And in yet another eye-opening case, a 16-year-old school dropout was
found guilty of spamming and sending threatening e-mails in obscene
language. His parents thought him a computer-wizard and spent more
than a lakh rupees providing for two computers with an Internet
connection, printer, scanner, air-conditioner, multimedia kit and so on.
But their dreams were shattered when a Web hosting company in the
United Kingdom complained of receiving thousands of Spam mails from
India, asking them to shut down one of the Websites hosted on its
server. The mails were traced back to the youngsters PCs at his
Pondicherry residence.
CBI investigations revealed that the youngster was an Internet addict,
in the habit of surfing the Net for 12-16 daily. His telephone amounted
to over Rs 13,000 a month and he was working on two or three
websites and discussion forums that he hosted. Although he had no
contacts whatsoever with school friends, he had made many virtual
friendsand one of these virtual friends was a client of this UK-based
firm. When these two fell out, the teenager chose to spam the
company whose client the ex-friend was. The CBI registered a case
under Sections 507 and 509 of IPC and Section 66 of the IT Act, 2000.
61

During search operations, one of the computers loaded with the e-mail
bombing program used to send Spam was seized.
Germany calling!
A new and innovative way of cheating people is gaining groundthe
lure of getting them handsome jobs overseas. CBI cracked this
interesting case on the basis of two separate e-mail complaints. The
complainants received e-mails from one Mohd Firoz, informing them
that they had been selected for the posts of network administrator
and programmer, respectively, without any formal interview. A
German firm called DIS-AG Personalvermittlung, manufacturing and
exporting cosmetics; drugs and toiletries, had hired them. They were
asked to cough up Rs 10,000 and Rs 40,000, respectively, to a
specified ICICI bank account number for visa and other paper work.
Further, they were asked to come to Delhi for their visa inter views at
the German embassy and to collect other contract papers. On
contacting the German embassy, the two were told that no person or
company by the given name was known to the embassy.
CBIs investigation traced the ICICI account to a residence in Hari
Nagar in New Delhi. The statement of account collected from the bank
revealed deposit of cash in the account from different parts of the
country and even abroad. The investigations also revealed that Mohd
Firoz had changed residence a year back and had cheated on people
by payment of heavy amounts on the pretext of getting them lucrative
jobs. Firoz used to withdraw money through ICICI ATMs in Delhi, but he
was ultimately traced to Asansol in West Bengala 23-year-old
unemployed graduate from Aligarh Muslim University.
All said and done
Worldwide, cybercrime has increasedas it has in the Indian
geography. With the number of Internet users shooting up, the threat is
becoming even worse. We can choose to be proactive and report the
incidents to help bring the guilty to book; or downplay the threat at our
own riskwhich is what most of Indian enterprises and home
computer-users do. The choice is oursto live or be outlived
When faced with a cyber attack, report it
Whats the cybercrime scene in India? Whats the CBI doing to check
the menace? How effective is the IT Act in tackling such cases?
Archana Ramasundaram, joint director (economic offences), CBI spoke
on these issues. Excerpts:
How grave is the situation in India when it comes to cybercrime?

62

The incidents of cyber crime are constantly on the rise. And each case
reported is quite different from the other. One has to be cautious of the
threat.
What do statistics across India indicate?
We wouldnt have the statistics of cyber crimes across the country. The
National Crime records Bureau deals with that. Also, CBI deals only
with special cases. So as far as CBI is concerned, we had 7 cases in the
year 2000 that was also the year when Cyber Crime Investigation Cell,
Delhi was set up. In 2001, the number of complaints rose to 19 and so
far in 2002 we have 16 complaints registered with us.
Is there set criteria that the CBI looks into a certain type of case and
the local police into other kinds?
No, theres no hard and fast rule to classify the cases. Its just that CBI
takes up matters considered critical or the ones with urgency or sheer
complexity.
How equipped are you to handle these cases?
Our investigating officers have the technical expertise to put together
the pieces of info to tackle the cases. Were improving our skills by way
of training. We also take support from the industry when need arises.
Also, weve requested the Government of India to provide for more
manpower and resources in terms of software etc.
Do you seek help and assistance from international agencies like
Interpol and FBI?
The CCIC of the CBI was recognized as the International Contact Point
for tackling cyber crimes in India at the International Conference on
Information Technology Crime organized by Interpol in Lyons (France)
recently. The CBI is also a member of the Interpol Working party on
Information Technology Crime for South-East Asia and Australasia.

63

Appendix 4
18 U.S.C. 1030.

Fraud and Related Activity

in Connection with Computers
1030. Fraud and Related Activity in Connection with Computers
(a) Whoever
(1) having knowingly accessed a computer without authorization or
exceeding authorized access, and by means of such conduct having
obtained information that has been determined by the United States
Government pursuant to an Executive order or statute to require
protection against unauthorized disclosure for reasons of national
defense or foreign relations, or any restricted data, as defined in
paragraph y. of section 11 of the Atomic Energy Act of 1954, with
reason to believe that such information so obtained could be used to
the injury of the United States, or to the advantage of any foreign
nation willfully communicates, delivers, transmits, or causes to be
communicated, delivered, or transmitted, or attempts to communicate,
deliver, transmit or cause to be communicated, delivered, or
transmitted the same to any person not entitled to receive it, or
willfully retains the same and fails to deliver it to the officer or
employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds
authorized access, and thereby obtains-(A) information contained in a financial record of a financial institution,
or of a card issuer as defined in section 1602(n) of title 15, or
contained in a file of a consumer reporting agency on a consumer, as
such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681
et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved
an interstate or foreign communication;
(3) intentionally, without authorization to access any nonpublic
computer of a department or agency of the United States, accesses
such a computer of that department or agency that is exclusively for
the use of the Government of the United States or, in the case of a
computer not exclusively for such use, is used by or for the

64

Government of the United States and such conduct affects that use by
or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected
computer without authorization, or exceeds authorized access, and by
means of such conduct furthers the intended fraud and obtains
anything of value, unless the object of the fraud and the thing obtained
consists only of the use of the computer and the value of such use is
not more than $ 5,000 in any one-year period;
(5)
(A)
(i) knowingly causes the transmission of a program, information, code,
or command, and as a result of such conduct, intentionally causes
damage without authorization, to a protected computer;
(ii) intentionally accesses a protected computer without authorization,
and as a result of such conduct, recklessly causes damage; or
(iii) intentionally accesses a protected computer without authorization,
and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A),
caused (or, in the case of an attempted offense, would, if completed,
have caused)-(i) loss to 1 or more persons during any 1-year period (and, for
purposes of an investigation, prosecution, or other proceeding brought
by the United States only, loss resulting from a related course of
conduct affecting 1 or more other protected computers) aggregating at
least $5,000 in value;
(ii) the modification or impairment, or potential modification or
impairment, of the medical examination, diagnosis, treatment, or care
of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or

65

(v) damage affecting a computer system used by or for a government

entity in furtherance of the administration of justice, national defense,
or national security;
(6) knowingly and with intent to defraud traffics (as defined in section
1029) in any password or similar information through which a
computer may be accessed without authorization, if
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United
States;
(7) with intent to extort from any person, any money or other thing of
value, transmits in interstate or foreign commerce any communication
containing any threat to cause damage to a protected computer;
shall be punished as provided in subsection (c) of this section.
(b) Whoever attempts to commit an offense under subsection (a) of
this section shall be punished as provided in subsection (c) of this
section.
(c) The punishment for an offense under subsection (a) or (b) of this
section is -(1)
(A) a fine under this title or imprisonment for not more than ten years,
or both, in the case of an offense under subsection (a)(1) of this
section which does not occur after a conviction for another offense
under this section, or an attempt to commit an offense punishable
under this subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty
years, or both, in the case of an offense under subsection (a)(1) of this
section which occurs after a conviction for another offense under this
section, or an attempt to commit an offense punishable under this
subparagraph; and
(2)
(A) except as provided in subparagraph (B), a fine under this title or
imprisonment for not more than one year, or both, in the case of an
offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this
section which does not occur after a conviction for another offense
under this section, or an attempt to commit an offense punishable
under this subparagraph;
(B) a fine under this title or imprisonment for not more than 5 years, or
both, in the case of an offense under subsection (a)(2)or an attempt to
commit an offense punishable under this subparagraph, if-

66

(i) the offense was committed for purposes of commercial advantage

or private financial gain;
(ii) the offense was committed in furtherance of any criminal or
tortious act in violation of the Constitution or laws of the United States
or of any State; or
(iii) the value of the information obtained exceeds $5,000;
(C) a fine under this title or imprisonment for not more than ten years,
or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)
(6) of this section which occurs after a conviction for another offense
under this section, or an attempt to commit an offense punishable
under this subparagraph; and
(3)
(A) a fine under this title or imprisonment for not more than five years,
or both, in the case of an offense under subsection (a)(4), or (a)(7) of
this section which does not occur after a conviction for another offense
under this section, or an attempt to commit an offense punishable
under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten years,
or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii)
or (a)(7) of this section which occurs after a conviction for another
offense under this section, or an attempt to commit an offense
punishable under this subparagraph; and
(4)
(A) a fine under this title, imprisonment for not more than 10 years, or
both, in the case of an offense under subsection (a)(5)(A)(i), or an
attempt to commit an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5 years, or
both, in the case of an offense under subsection (a)(5)(A)(ii), or an
attempt to commit an offense punishable under that subsection;
(C) a fine under this title, imprisonment for not more than 20 years, or
both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)
(ii), or an attempt to commit an offense punishable under either
subsection, that occurs after a conviction for another offense under
this section.
(d)(1) The United States Secret Service shall, in addition to any other
agency having such authority, have the authority to investigate
offenses under this section.
67

(2) The Federal Bureau of Investigation shall have primary authority to

investigate offenses under subsection (a)(1) for any cases involving
espionage, foreign counterintelligence, information protected against
unauthorized disclosure for reasons of national defense or foreign
relations, or Restricted Data (as that term is defined in section 11y of
the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses
affecting the duties of the United States Secret Service pursuant to
section 3056(a) of this title.
(3) Such authority shall be exercised in accordance with an agreement
which shall be entered into by the Secretary of the Treasury and the
Attorney General.
(e) As used in this section
(1) the term "computer" means an electronic, magnetic, optical,
electrochemical, or other high speed data processing device
performing logical, arithmetic, or storage functions, and includes any
data storage facility or communications facility directly related to or
operating in conjunction with such device, but such term does not
include an automated typewriter or typesetter, a portable hand held
calculator, or other similar device;
(2) the term "protected computer" means a computer
(A) exclusively for the use of a financial institution or the United States
Government, or, in the case of a computer not exclusively for such use,
used by or for a financial institution or the United States Government
and the conduct constituting the offense affects that use by or for the
financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communications,
including a computer located outside the United States that is used in
a manner that affects interstate or foreign commerce or
communication of the United States;
(3) the term "State" includes the District of Columbia, the
Commonwealth of Puerto Rico, and any other commonwealth,
possession or territory of the United States;
(4) the term "financial institution" means
(A) an institution with deposits insured by the Federal Deposit
Insurance Corporation;
(B) the Federal Reserve or a member of the Federal Reserve including
any Federal Reserve Bank;

68

(C) a credit union with accounts insured by the National Credit Union
Administration;
(D) a member of the Federal home loan bank system and any home
loan bank;
(E) any institution of the Farm Credit System under the Farm Credit Act
of 1971;
(F) a brokerdealer registered with the Securities and Exchange
Commission pursuant to section 15 of the Securities Exchange Act of
1934;
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are defined in
paragraphs (1) and (3) of section 1(b) of the International Banking Act
of 1978); and
(I) an organization operating under section 25 or section 25(a) of the
Federal Reserve Act.
(5) the term "financial record" means information derived from any
record held by a financial institution pertaining to a customer's
relationship with the financial institution;
(6) the term "exceeds authorized access" means to access a computer
with authorization and to use such access to obtain or alter information
in the computer that the accesser is not entitled so to obtain or alter;
(7) the term "department of the United States" means the legislative or
judicial branch of the Government or one of the executive departments
enumerated in section 101 of title 5;
(8) the term 'damage' means any impairment to the integrity or
availability of data, a program, a system, or information;

(9) the term 'government entity' includes the Government of the

United States, any State or political subdivision of the United States,
any foreign country, and any state, province, municipality, or other
political subdivision of a foreign country.
(10) the term 'conviction' shall include a conviction under the law of
any State for a crime punishable by imprisonment for more than 1

69

year, an element of which is unauthorized access, or exceeding

authorized access, to a computer;
(11) the term 'loss' includes any reasonable cost to any victim,
including the cost of responding to an offense, conducting a damage
assessment, and restoring the data, program, system, or information
to its condition prior to the offense, and any revenue lost, cost
incurred, or other consequential damages incurred because of
interruption of service; and
(12) the term 'person' means any individual, firm, corporation,
educational institution, financial institution, governmental entity, or
legal or other entity.
(f) This section does not prohibit any lawfully authorized investigative,
protective, or intelligence activity of a law enforcement agency of the
United States, a State, or a political subdivision of a State, or of an
intelligence agency of the United States.
(g) Any person who suffers damage or loss by reason of a violation of
the section may maintain a civil action against the violator to obtain
compensatory damages and injunctive relief or other equitable relief. A
civil action for a violation of this section may be brought only if the
conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or
(v) of subsection (a)(5)(B). Damages for a violation involving only
conduct described in subsection (a)(5)(B)(i) are limited to economic
damages. No action may be brought under this subsection unless such
action is begun within 2 years of the date of the act complained of or
the date of the discovery of the damage. No action may be brought
under this subsection for the negligent design or manufacture of
computer hardware, computer software, or firmware.
(h) The Attorney General and the Secretary of the Treasury shall report
to the Congress annually, during the first 3 years following the date of
the enactment of this subsection, concerning investigations and
prosecutions under section 1030(a)(5) of title 18, United States Code.

Section 814(e) Amendment of sentencing guidelines relating to certain

computer fraud and abuse.-Pursuant to its authority under section 994(p) of title 28, United States
Code, the United States Sentencing Commission shall amend the
Federal sentencing guidelines to ensure that any individual convicted
of a violation of section 1030 of title 18, United States Code, can be

70

subjected to appropriate penalties, without regard to any mandatory

minimum term of imprisonment.

71