COMPUTER RELATED CRIMES

COMPUTER RELATED CRIMES Dr. Gulshan Rai, R.K. Dubash, Dr. A.K. Chakravarti Government of India Department of Electronics New Delhi

Contents

1. Introduction

1.1 Need for action

2. Definition & Classification of Computer Crime

2.1 Definition

2.2 Classification of Computer Crime

3. Extent of Crime & losses involved - worldwide

4. Perpetrators of Computer Crime

5. Vulnerability of Computer Systems to Crime

6. Computer Crime Legislation - International Development

6.1 International Development

6.2 Computer Crime Legislation Worldwide

7. Computer related crime in India

7.1 Status

7.2 Strategy for prevention of Computer Crime

7.3 Issues concerning classification of computer Crime

7.4 Security Guidelines/Manual

7.5 Procedural Law

8. Conclusion

9. Acknowledgement

10. References

11. Classification table of computer crimes countrywise

12. Summary of Computer Crime Laws in various countries

Summary

The rapid development of computer telecommunication and other technology has led to the growth of new forms of transnational crime, especially computer related crime. Computer-related crime has virtually no boundaries and does or may affect every country in this world.
The report seeks to be a working document, discusses the phenomenon of computer-related crime, nature and classification of computer related crime. The report summarises the work done in the area of computer-related crime internationally, the acts/amendments enacted by several countries and discusses the need for promotional programme to create the awareness and enactment of necessary legislation in the country for the prevention of computer related crime. The report also identifies other source of information to which any one interested may refer to obtain detailed information.
Given the complex and volatile world of computers and telecom, even though this report presents a grim and ominous view of the field, the reality of being better safe than sorry has to be realised.
Back to Index

1. Introduction

Information technology today is encompassing all walks of life all over the world. The technological developments in the concept of computing, network and software engineering have helped in transition from paper to paperless transactions and Bi-media (text and data) to multimedia . Today, speed, efficiency, and accuracy in information exchange have become key tools for boosting innovations, creativity and increasing productivity. Activities as diverse as banking, healthcare, education, manufacturing, retailing, entertainment and mass media have come to depend on the ability to generate, access, store and transmit information. Computers are not only used extensively to perform the industrial and economic functions of society but are also used to perform many functions upon which human life is dependent. Medical treatment, air traffic control, industrial contolled and national security are few examples. Even a small glitch in the operation of the systems can put human lives in danger. Computers are also used to store confidential data of a political, social, economic or personal nature. Society’s dependence on computer systems, therefore, has a profound human dependence.

The new technology has brought a great deal of benefits to Govt., business and research & development and to citizen himself. Its positive impact should not be measured only in terms of time and money.

The ever-expanding world of information technology has, however, a different side. Computer systems offer some new and highly sophisticated opportunities for law breaking and the potential to commit traditional types of crimes in non-traditional ways.

1.1 Need for Action
Today, large processing and storage capacity is available on desktop systems both at the level of main system memory RAM (Random Access Memory) as well as secondary level (Hard Disc). The Central Processing Unit can process millions of instructions per second. Large data and computer files can be stored and manipulated in any desired manner. These systems can be networked and logged into any other system anywhere in the globe to access data, programme or data file.

Dataquest USA reported recently that an estimated 82 million computers worldwide will be linked to the Internet by the end of 1998 - up an astounding 71 per cent in just one year. It further predicts that the figure will triple to 268 million in the next four years.

The trans-national expansion of large scale computer networks and the ability to manipulate content including images from remote login and access to systems through regular telephone lines increases the vulnerability of these systems and the opportunity for misuse or criminal activity. The potential extent of computer crime is as broad as the extent of the international communication system. The consequence of computer crime may, therefore, have serious economic impact on social as well as human fabric of the society.

Laws, criminal justice systems and international cooperation have not kept pace with technological changes. Only a few countries in Western Europe and Organisation for Economic Cooperation & Development (OECD) have drafted laws to address the problem. However, none of the countries has resolved all the issues concerning legal, enforcement and prevention of problems arising out of technological change.

Computer crime is a new form of trans-national crime and its effective addressing requires concerted international cooperation. This can only happen, however, if there is a common framework for understanding what the problem is and what solution there may be.

It is predicted that within the next decade, it will be necessary for developing nations to experience significant technological growth in order to become economically self-sufficient and more competitive in world market.

We have also made out plan to set up National Information Infrastructure (NII) in the country. The use of Internet in the country is growing and it is expected that there will be about two million Internet users in the country by the turn of the century.

A beginning has also been made in the use Electronic Commerce (EC) and Electronic Data Interchange (EDI) by number of agencies in the country. The EC and EDI would involve communication of information pertaining to trade, finance and would result in transaction between private and public sector, in both domestic and international communities. It is expected that by the turn of the century, there will be significant growth in the use of EDI both in the country and around the world. The success and growth of EC and EDI, however, would depend upon how the issues concerning legal (such as tampering with data, message etc.), security and performance of hardware, software and communication are resolved. Therefore, as dependence on computer technology grows in the country, it is important to plan for security , examine the issues and promote crime prevention programmes on a national level. Adequate laws in this regard need to be framed and enacted.

The objective of this report is to summarise the work done in the area of computer related crime internationally, the acts/amendments enacted by several countries and discuss need for promotional programme to create the awareness and enactment of necessary legislation in the country for the prevention of computer related crime.

Back to Index

2. Definition and Classification of Computer Crime 2.1 Definition

There has been a great deal of debate amongst experts on just what constitutes a computer crime or computer data crime. One of the experts has defined computer crime as -

"Any illegal action in which a computer is a tool or object of the crime; in other words, any crime, the means or purpose of which is to influence the function of computer."

Another expert has defined computer offence as -

"Any incident associated with computer technology in which a victim suffered or could have suffered loss and a perpetrator, by intention, made or could have made a gain."

OECD however, has adopted the following definition as working definition for computer - related crime or computer crime

"Computer abuse is considered as any illegal, unethical or unauthorised behaviour relating to the automatic processing and transmission of data".

The OECD expert group has suggested functional classification that enumerated activities that should be subject to criminal sanction. Council of Europe in its report prepared in 1990, stated that the definition suggested by OECD experts has a disadvantage in that it also includes unethical and unauthorised behaviour, even such behaviour may not be a criminal offence, however reproacheable it may be. This definition also seems to exclude unauthorised use of computers and at the same time it may include several traditional offences which are not necessarily computer related offences in the narrower sense.

Council of Europe did not attempt a formal definition of computer crime but left it to member countries to adopt functional classification as suggested by OECD, to their particular legal systems and historical traditions. A global definition of computer crime, however, has not been achieved: rather functional definitions have been adopted.

Back to Index

2.2 Classification of Computer Crime Classification of Computer Crime, Classification of Computer related crime as defined by OECD and expanded by Council of Europe is as under :

a) Computer-related fraud

The input, alteration, erasure or suppression of computer data or computer programs, or other interference with the course of data processing that influences the result of data processing, thereby causing economic or possessory loss of property of another person with the intent of procuring an unlawful economic gain for himself or for another person (alternative draft : with the intent to unlawfully deprive that person of his property).

b) Computer forgery

The input, alteration, erasure or suppression of computer data or computer programs, or other interference with the course of data processing in a manner or under such conditions which would, according to national law, constitute an offence of forgery if it had been committed with respect to traditional object of such an offence.

c) Damage to computer data or computer programs

The erasure, damaging, deterioration or suppression of computer data or computer programs without right.

d) Computer sabotage

The input, alteration, erasure or suppression of computer data or computer programs, or interference with computer systems, with the intent to hinder the functioning of a computer or a telecommunications system.

e) Unauthorised access

The access without right to a computer system or network by infringing security measures.

f) Unauthorised interception

The interception, made without right and by technical means, of communications to, from and within a computer system or network.

g) Unauthorised reproduction of a protected computer program

The reproduction, distribution or communication to the public without right of a computer program which is protected by law.

h) Unauthorised reproduction of a topography

The reproduction without right of a topography, protected by law, of a semiconductor product, or the commercial exploitation or the importation for that purpose, without right, of a topography or of a semiconductor product manufactured by using the topography.

2.2.1 Optional list

a) Alteration of computer data or computer programs

The alteration of computer data or computer programs without right.

b) Computer espionage

The acquisition by improper means or the disclosure, transfer or use of a trade or commercial secret without right or any other legal justification, with intent either to cause economic loss to the person entitled to the secret or to obtain an unlawful economic advantage for oneself or a third person.

c) Unauthorised use of a computer

The use of a computer system or network without right, that either :

i) is made with the acceptance of a significant risk of loss being caused to the person entitled to use the system or harm to the system or its functioning; or

ii) is made with the intent to cause loss to the person entitled to use the system or harm to the system or its functioning; or

iii) causes loss to the person entitled to use the system or harm to the system or its functioning.

d) Unauthorised use of a protected computer program

The use without right of a computer program which is protected by law and which has been reproduced without right, with the intent, either to procure an unlawful economic gain for oneself or for another person, or to cause harm to the holder of the right.

Back to Index 3. Extent of Crime and losses involved - worldwide

Opinions on the extent of computer crime differ widely. Media reports on spectacular cases and estimates of undetected ones, suggest a large amount of offences with high financial losses. Computer crime is largely a phenomenon reported in the industrialised countries particularly in USA and Western countries. However, the cases are also increasingly being reported from other parts of the world.

United States is having world’s largest installed base of computers and also have largest Internet users, it is the scene of most computer crime. According to US Justice Deptt. even the most conservative estimates suggest that both the number of incidents and dollar losses are staggering. As per their estimates reported in media, computer crime account as much as loss of US$ 10 billion a year in the United State alone.

In the United Kingdom, the British Banking Association has estimated the cost of computer crime at US$ 8 billion a year. According to a study conducted by European Commission (EEC),investigations in Germany, few years ago, indicated losses from computer manipulation between 15,00,000 and 20,00,000 DM, which in some cases were even higher in the following years. In Sweden, the above mentioned study revealed an average amount of about 10,00,000 SEK for computer related embezzlement. This amount does not include the cost of computer espionage, which cannot be easily measured in dollars.

The White House Office of Science and Technology (as reported by Los Angeles Times Syndicate, Asia Features) has estimated overall losses to US businesses from foreign economic espionage at nearly US$ 100 billion a year.

EEC study showed that in Germany 4112 cases of computer crimes were reported to the police during 1995. About 60 per cent of these cases were considered by the Police to be case of computer crime under Penal Code. In Sweden a total of 452 cases were reported pertaining to computer related embezzlements. Austria reported 67 relevant cases until the end of 1995. France reported 1500 computer crime cases which were considered to be "intentional" and 929 cases were reported by Japan. In a survey in 1994, conducted by an agency of UK Government, 21% of the 385 firms covered stated that they had been victims of computer fraud in the course of past five years.

A Computer Security Institution in USA, in a survey of 326 companies, financial institutions and Govt. agencies, found that 75 per cent reported large monetary losses, but only 17 per cent of computer crimes were reported to law enforcement agencies. In another survey of 428 information specialists with Fortune 500 Companies, the Computer Security Institution found that only 42 per cent of these reported unauthorised penetration.

Most of the computer crime cases reported or verifiable pertains to falsification of data, misuse of automatic cash dispensers, data alteration, data espionage and unauthorised access to computer.

Majority of the cases, however, pertains to those reported by banks, financial institutions and insurance companies. Input manipulation, that is, feeding the computer with incorrect data and, to a lesser extent, by programme manipulation and other interferences have been generally the modus operandi identified in most of the computer related crime. However, the number of verifiable computer crime, apart from cases of illegal programme copying and the misuse of automatic cash dispenses is not very high.

Difficulties of detection and evidence, together with a lack of knowledge on the part of investigating authorities in the computer data processing and telecommunication sector, are one reason for such low number of verifiable computer crime cases. Another, and may be more important one, is the reluctance of victims (for example banks, insurance companies and other financial organisations) to report incidents or divulge any related information due mainly to a fear of losing goodwill through adverse publicity.

Back to Index

4. Perpetrators of Computer Crime

Computer crime is committed by broad range of persons; students, amateurs and members of organised crime groups. The individual who accesses a computer system without criminal intent is much different from the employee of a financial institution who skims funds from customer account. The typical skill level of a computer criminal is a topic of debate.

As per the study conducted in Canada and European Union, some claim that skill level is not an indicator of a computer criminal, while others claim that potential computer criminals are bright, eager, highly motivated subjects willing to accept a technological challenge, characteristics that are also highly desirable in an employee in the data processing field.

It is generally believed that those cases of intrusion by accident are usually attributed to young computer whizz kids enthusiasts who enjoy a challenge and have learned all the tricks including how to break into security codes and keys. More serious crimes, entailing high financial damage, are committed by technically accomplished persons with a university background or advance technical training.

Computer criminal’s behaviour cuts across a wide spectrum of society, with the age of offender ranging from 10 to 60 years and the skill level ranging from novice to professional.

Any person of any age with a medium skill motivated by technical challenge, by the potential for gain, notoriety or revenge or by promotion of ideological beliefs is a potential computer criminal.

A number of studies indicated that employees represent the largest threat and indeed computer crime has often been referred to as an insider crime. According to the international handbook on computer crime published by New York, Wiley, 90% of the economic computer crimes are committed by the victimised employees of the companies.

As per the study conducted by Digital Corporation, USA, covering North America and Europe, 73% of the risk to computer security was attributable to internal sources and only 23% to external criminal activity.

As the advances continue to be made in remote data processing and improved telecommunication technology, the threat from external sources will probably increase. With the increasing trend of networking of the system and usage of more user-friendly software, the sociological profile of the computer offender may change.

Owing to the greater complexity of certain computer routines and augmented security measures, it is becoming increasingly unlikely that any one person will possess all the information needed to use a computer system for criminal purposes. Organised computer criminal groups, composed of members from different sections of the society across different countries are beginning to emerge.

The advent of viruses and similar mechanisms whereby computer software can be made to act almost on its own initiative poses a new and significant threat. Sophisticated viruses and devices such as "logic bombs" and "trojan horses" can be targeted for specific objectives at specific industries to commit a variety of traditional criminal offences from mere mischief to extortion. These crimes, furthermore, can be committed immediately or can be planted to spring at a future date. The current threat of the computer crime and misuse is real. The future threat will be directly proportional to the advances made in computer technology.

Back to Index

5. Vulnerability of Computer Systems to Crime

Computer systems are particularly vulnerable to computer crimes because of a number of factors. The more significant of these are analysed below.

i) Density of information and processes

Today the storage technology allows a storage of data to the extent of few giga bytes on a desktop computer and large amount of data (terra byte) on such system facilitating billions of characters on-line. Memory management technique allows independent process to be supported con-currently within a single operating system. The memory capacity on a personal computer which was in the range of few mega bytes few years ago is in the range of more than 100 MB on a desktop computer and can be expanded to as high as 512 MB. The large disk capacity and the memory capacity facilitates centralisation of large information and its processing. This provides an attractive target for infiltrator for attacking functions or information assets of an organisation as data files can be combined to produce new information.

ii) Open Connectivity

Today systems which are available in the market have an open operating environment and open interfaces facilitating support for local, remote, interactive and in real time user mode. Any system anywhere in the globe can be connected both in terminal emulation mode or file transfer mode to any other system in the globe. Internet is one of the classic example. When information systems are implemented on such open systems, it is quite possible that there are errors in software implementation which is fully exploited by connecting the system and taking advantage of the system complexity.

iii) Electronic Technology

Computer data can be incidentally changed or erased with minimum chances of detection, e.g., virus or logic bomb. Anybody can easily modify the files and then cover the evidence of the offence. Data can be duplicated on floppies/tapes without any audit trails. By wire tapping, the computer can be intercepted or false commands may be generated to change the data and the files. Cases have been reported where electromagnetic radiations emitted by the computer have been intercepted to capture the data, delete or manipulate and program files without physically logging on to the system. Moreover, all hardware is susceptible to failure through aging, physical diameter and environmental change. These factors result in a problem of reliability, environmental dependency and vulnerability to interference and interception.

iv) Human factors

Employees represent the greatest threat in terms of computer crime. It is not uncommon in many EDP centres for computer programmers, computer operator, hardware technicians and other staff members to have extraordinary privilege in relation to access of key data and system resources in their organisations. A consequence of this situation is the probability that such individuals are frequently exposed to temptation.

v) System accessibility

Most of the time it is a goal to provide the maximum computer accessibility to large number of users. Two kind of computer crime that exploit remote access are use of fraudulent identification and access codes to access the system resources and the unauthorised use of an unattended terminal, logged on by an authorised person. Unrestricted access privileges are often granted rather than allowing only the privileges necessary to perform an intended function. For example, a transaction oriented system permitting read only or inquiry only access offers a greater degree of protection than a system offering full programming capability. The exposure provided through increasingly easy access to electronic data and system resources is an important contributor to the vulnerability of modern computer systems.
Back to Index

6. Computer Crime Legislation - International Development 6.1 International Development The issue of computer related crime were discussed for the first time in 1976 by the 12th Conference of Directors by of Criminological Research Institutes within Council of Europe. Following this Conference, the Select Committee of Council of Europe on Economic Crime studied economic crime in general and drafted recommendation No. R(81)12 on economic crime. This recommendation was adopted by Committee of Ministers of Council of Europe in June 1981. It defines economic crime offences by enumeration.

In 1983, Organisation for Economic Cooperation and Development (OECD) undertook a study of the possibility of an international application and harmonisation of criminal laws to address the problems of computer crime. It published Computer - Related Crime : Analysis of Legal Policy in 1986. The report surveyed the existing laws and proposal for reform in a number of Member States and recommended a minimum list of nature of computer crimes that countries should consider prohibiting and penalising by laws, for example, computer fraud, and forgery, the alteration of computer programs data, copyright interception of communications or other functions of computer or telecommunication system. The National Commission on Crime of several countries like Netherlands, England, Australia, Austria, Canada, Denmark, France etc. have also prepared reports on economic crimes which discussed computer-related crimes.

Following the completion of OECD report, the Council of Europe, initiated its own study on computer related crime with a view to developing guidelines to assist legislators in determining the nature of computer related crime should be prohibited by that law. The minimum list of offences defined by OECD was expanded considerably by adding other types of computer misuse. Procedural issues such as international search and seizure of data banks and international cooperation in the investigation and prosecution of computer crime were also examined. The Committee of Ministers of the Council of Europe adopted recommendations on computer related crime in Sept. 1989.

International Chamber of Commerce (ICC) also published document No. 373/76 in July 1988 describing an international business view on Computer related crime and criminal law.

OECD developed a set of guidelines for security of information systems in 1992.

The issue of prevention of Computer - related crime was discussed in a report entitled "Proposals for concerted international action against forms of crime identified in the Milan Plan of Action" prepared by United Nations in 1987. At the 12th plenary meeting of the Eighth UN Congress on prevention crime, which took place in 1990, the representative of Canada introduced a draft resolution on computer - related crime. At its 13th plenary meeting, UN Congress adopted the resolution, in which it, inter-alia, called upon the Member States to intensify their efforts to combat computer crimes by considering, if necessary, the following measures :

a) Modernisation of national criminal laws and procedures, including measures to :

i) Ensure that existing offences and laws concerning investigative powers and admissibility of evidence in judicial proceedings adequately apply and, if necessary, make appropriate changes;

ii) In the absence of laws that adequately apply, create offences and investigative and evidentiary procedures, where necessary, to deal with this novel and sophisticated form of criminal activity;

iii) Provide for the forfeiture or restriction of illegally acquired assets resulting from the commission of computer - related crimes;

b) Improvement of computer security and prevention measures, taking into account the problems related to the protection of privacy, the respect for human rights and fundamental freedoms and any regulatory mechanisms pertaining to computer usage;

c) Adoption of measures to sensitize the public, the judiciary and law enforcement agencies to the problem and the importance of preventing computer-related crimes;

d) Adoption of adequate training measures for judges, officials and agencies responsible for the prevention, investigation, prosecution and adjudication of economic and computer-related crimes;

e) Elaboration, in collaboration with interested organisations, of rules of ethics in the use of computers and the teaching of these rules as part of the curriculum and training in informatics;

f) Adoption of policies for the victims of computer-related crimes which are consistent with the United Nations Declaration of Basic Principles of Justice for Victims of Crime and Abuse of Power, including the restitution of illegally obtained assets, and measures to encourage victims to report such crimes to the appropriate authorities."

In 1994, United Nations also prepared Manual on "The Prevention and Control of Computer - related Crime" presenting International review of criminal policy.

6.2 Computer - Crime Legislation Worldwide To meet the challenge posed by new kinds of crime made possible by computer technology including telecommunication, many of the countries, largely industrialised and some of those which are moving towards industrialisation have in the past ten years reviewed their respective domestic criminal laws from the point of adaptation, further development and supplementation so as to prevent computer related crime. A number of countries have already introduced more or less extensive amendments by adding new statutes in their substantive criminal law. These are USA, Austria, Denmark, France Germany, Greece, Finland, Italy, Turkey, Sweden, Switzerland, Australia, Canada and Japan. United States have made numerous amendments to the law of federal and constituent level. Countries like Spain, Portugal, UK, Malaysia and Singapore have made isolated supplements by enacting new Acts to prevent computer - related crimes.

6.3 Computer related crimes and punishment for committing such offences covered in the Computer Crime Act/Amendments/Supplementation in the domestic laws enacted by different countries in the world are summarised in the table attached. None of the country has fully resolved all the issues such as legal, enforcement and prevention of crime. The legislation/amendments enacted by different countries covers only few of the classified computer-related crime/offences. 6.4 The punishment ranges imprisonment upto one year to upto 10 years depending upon the offence. Unauthorised access to computer/data/program has been classified as computer crime/offence by almost all the countries who have enacted new act or modified the existing domestic criminal laws. Heavy punishment along with fine have been imposed for some of the offences like unauthorised use of computer, alteration of data/program interfaced with computer etc.

6.5 The salient features of the Act as enacted by different countries are discussed below.

Australia has covered offences related to computers in the Australian Crimes Act. The offences covered are :

- unlawful access to data in computers,

- damaging data in computer etc.

The penalty for the former is imprisonment upto 6 months to 3 years while for the latter imprisonment upto 10 years.

Canada on the other hand has covered three computer crimes :

- Possession of device to obtain unauthorised telephone facilities,

- unauthorised access to computer and

- committing mischief with data.

The imprisonment varies from upto 2 years to upto 10 years depending upon the crime.

Germany has classified the following computer crime as offences:

- data spying,

- computer fraud,

- forgery of prohibitive data,

- alteration of data,

- computer sabotage.

The punishment ranges from upto 2 years to upto 5 years depending upon the nature of crime.

Japan while amending its penal code has classified following activities as computer crime :

- False entry in an authentic deed

- False entry in permit licence or passport

- Electronic record made wrongfully

- Electronic record made wrongfully by public servant

- Interferences with business by destruction or damage of computer

- Interferences with computer

- Destruction of public document

- Destruction of private document

Singapore in their Computer Misuse Act has classified the following activities as computer crime :

- Unauthorised access to computer material

- Unauthorised access with intent to commit or facilitate commission of further offences

- Unauthorised modification of computer material

- Unauthorised use and interception of computer services

The punishment ranges from imprisonment upto 2-5 years with fine upto Singapore $ 2000-20000.

UK in the Computer Misuse Act has included

- unauthorised access to computer material,

-unauthorised access with intent to commit or facilitate commission of further
offences as the computer crimes.

The punishment is imprisonment upto 6 months to upto 5 years with fine.

United States has carried out elaborate amendment classifying the following as computer crimes :

- Knowingly access of computer without authorisation related to national defence or foreign relation

- Intentional access of computer without authorisation to obtain financial information

- Unauthorised access of computer of a Govt. Deptt. or agency

- Unauthorised access of computer of federal interest with intent to defraud

- Knowingly causing transmission of data/program to damage a computer network, data
or program or withhold or deny use of computer, network etc.

              - Knowingly causing transmission of data/program with risk that transmission will damage a computer
                network, data or program or withhold or deny use of computer, network etc, an unauthorised access
               of computer with intent to defraud.

6.6 One of the reasons for not covering all the computer related crimes as classified by OECD in the Acts by the various countries is that the investigation of computer crime as well as general investigations in a computerised environment create new computer specific problems such as evidence, testifying witnesses, legality of gathering, storing and linking personal data. In most of the computer crime cases it is still unclear as to what is an effective investigation to verify the different computer related crimes/offences. It is also unclear as to what extent civil liberties of citizens must be protected against the storage of personal data in police files by law. In addition, there are specific legal problems related to admissibility of computer data in a trial process. The laws so far enacted also do not clarify the jurisdiction. Such issues, it is hoped, will serve as a basis for future work on computer related crime and once resolved will help establish an adequate criminal system in the data processing area. Back to Index 7. Computer related crime in India 7.1 Status The subject of computer related crime is comparatively new in the country. The computerisation in the country though started 25 years ago, the proliferation and penetration of computers in the country particularly in the service sector is still very low as compared to world standard. The density of personal computers in the country is only 1.8 per 1000 persons as against world average of 25 per 1000 persons. As per the IDC report, today only 40 per cent of the computers in the country are connected on LAN.

There are quite a few large databases like Railway Reservation System, Airlines Reservation System, District Information System of National Informatic Centre (NIC) etc. which are more of closed user group nature with no outside and inter-connectivity.

Much of the work in the public departments particularly in Government sector like banks, insurance, health etc. still continues to be manual oriented and the dependence on the computers especially in the core sector is quite low.

The situation in regard to usage of computers in the country is changing fast and it is expected that penetration of computers in the country will reach 10 per 1000 persons by the turn of the century. The Internet users in the country are also expected to increase from present level of 80,000 Nos. to 2 lakhs Nos. The concept of Internet, Intranet and Extranet is growing. Data processing and its component will be used as a tool in many areas such as tax administration, stock market and capital investment.
7.2 Strategy for Prevention of Computer Crime
The subject of computer related crime in light of the proliferation of the computer technology assumes greater importance. It is required to develop strategies for the suppression of these computer offences. The strategies may include the following :

- Stipulating the offences which constitute computer crime.

-Identify the domestic criminal law for possible amendments and supplementation to meet the requirement of prevention of computer related crime.

- Effective prosecution, inter alia, by possible adopting the existing criminal procedure law and related provisions.

- Improving international collaboration.

The new enactment of laws should bear the imprint of close link and direct reference to existing penal provisions.

Considering the transformational nature of computer-related crime; it is desireable to adapt the guidelines and classification suggested by OECD with nessecary ammendment.

7.3 Issues concerning classification of Computer Crime The term computer misuse and abuse is also used frequently but they have significantly different implications. Laws that relate to computer crime would need to distinguish between accidental misuse of computer systems, negligence and intended and unauthorised access to computer system amounting to computer misuse or abuse. For example; employee who has received a password from an employer without direction as to whether a particular database can be accessed, is likely to be considered of guilty of a crime if he or she accesses that database. However, this principle would not apply to the same employee who steals a password from a colleague to access the same database, knowing that his or her accessing the database is unauthorised; this employee would be behaving in a criminal manner. Distinction, therefore, may be made between what is unethical and what is illegal. The legal response to the problem must be proportionate to the activity that is alleged. The law in case of computer crime, therefore, should be employed and implemented with restraint.
7.4 Security Guidelines/Manual In addition to use of laws as a preventive measure, it is necessary to develop concepts/guidelines and manual for computer security and implement the guidelines in a serious manner at all levels and within different types of entities and organisations. Such guidelines/manual are fundamentally important and hold greater prospects of success than to enact new laws for protection. The guidelines/manual should detail out the procedures and evolve self-regulating code of conduct or possible introduction of an obligation on the part of the enterprise to provide, in their annual accounts, information on the reliability of the data processing. While preparing the guidelines/manual, historical traditions should be reviewed and kept in mind.
7.5 Procedural Law The guidelines and the procedures have to be evolved, for instance, to the application of the provision on search and seizure to the access, recording and storing new data, on wire tapping to the interception of telecommunication. The opinion and adoption of the procedure for the investigation of computer crime is almost essential and should necessarily follow any enactment or new law or supplementation of existing law. The guidelines should include such aspects as search of the premises, powers of seizure, the duty of witnesses to hand-over witnesses as well as legality of gathering, storing and linking personal data.
Back to Index 8. Conclusion The conclusion may, therefore, be drawn that computer-related crime is a real, at least in respect of certain offences, expanding phenomenon, even though some of the statistics are probably not reliable. Furthermore, a steady increase in number of cases is expected. As of now the growth rate in number of computer crime cases reported worldwide is in between 12-15 per cent. The time has clearly come for our country to put in hand a series of preventive measures in the field of security or of instructions in computer ethics, and to respond to this by forming appropriate guidelines and legislation.
Back to Index 9. Acknowledgement The authors are thankful to Shri Prafulla Kumar, Joint Director, IT Group, Deptt. Of Electronics, for compiling the acts/ammendments enacted in the area of computer-related crime by different countries in the world.
Back to Index
References

Back to Index

LEGISLATION Countries Classification Table of Computer - Crimes

	USA	JAPAN	GERMANY	SINGAPORE	CANADA	U.K.	SWITZERLAND	HONG KONG	AUSTRALIA	DENMARK
Unlawful transfer of funds/concealment of assets/trading with enemy/minor in sex act	Ö Conceal Source / Owner
Computer Related Fraud			Ö Damage to property by improper program design	Ö Provides untrue evidence
Computer Forgery	Ö Deal with counterfeit device		Ö With Intent to defraud					X Abolished after 1992		Ö Counterfieted cards
Damage to computer data / program / network	Ö By reciept of information	Ö If interferes with any persons business			Ö Mischeif. property or data, damage/obstruct use	Ö	Ö Deal in software used for offences	Ö "Burglary"	Ö Trade secrets,public/personal safety in commonwealth computers-also impairs/prevents access	Ö Renders inaccessible
Computer Sabotage			Ö If vital importance to enterprise, business, public authority					Ö Misuse"		Ö
Unauthorised access	Ö With intent to defraud Recieves, Conceals, Retains items			Ö Facilitation of crime also a felony		Ö With intent to defraud. Also, facilitate a crime	Ö Also-"Appropriation of data"	Ö "With intent to defraud"- by Telecommunication	Ö	Ö "breach of peace"
Unauthorised Interception	Ö Right of Govt to effect.But such info not admissable as evidence			Ö For Computer Use/Misuse	Ö Computer Function, Theft of Telecom Service or possess related device		Ö Fraudulent misuse of computer/service			Ö With intent to defraud,tap or record
Piracy Of Software	Ö				Ö					Ö "Of protected program
Unauthorised Reproduction of a Topography (Microelectronics)			Ö							Ö
Alteration of Computer Data or Computer Programs		Ö Eg: loss or change of Right of property	Ö	Ö
Computer Espionage			Ö						Ö	Ö
Unauthorised Use of Computers					Ö
Attempt/cause untrue entries in computer data		Ö utters or provides untrue fact as evidence wether to mislead a business or not
Official tapping/decryption etc by Government										Ö "Persons entitled to exemption"/"Complain in writng about siezure"/costs of investigation reimbursed by state"
Distribution of damaging data										Ö

Back to Index Summary of Computer Crime Laws in various countries

Country Name of the Act Enacted on Salient features

U.K Computer Misuse Act 29-06-1990 Offences and punishments 1. Unauthorised access to computer material Imprisonment upto 6 months and/or fine upto UKP 5,000 2. Unauthorised access with intent to commit or facilitate commission of further offences Imprisonment upto 6 months and/or fine on summary conviction Imprisonment upto 5 years and/or fine on conviction on indictment 3. Juridiction : England, Wales, Scotland and N. Ireland 4. Interpretation of the act

Singapore Computer Misuse Act 30-08-1993 1. Unauthorised access to computer material a). Imprisonment upto 2 years and/or fine upto $2,000 b) Imprisonment upto 5 years and/or fine upto $20,000 if the damage exceeds $10,000 2. Unauthorised access with intent to commit or facilitate commission of further offences Imprisonment upto 10 years and/or fine upto $50,000 3. Unauthorised modification of computer material a). Imprisonment upto 2 years and/or fine upto $2,000 b) Imprisonment upto 5 years and/or fine upto $20,000 if the damage exceeds $10,000 2. Unauthorised access with intent to commit or facilitate commission of further offences Imprisonment upto 10 years and/or fine upto $50,000 3. Unauthorised modification of computer material a). Imprisonment upto 2 years and/or fine upto $2,000 b) Imprisonment upto 5 years and/or fine upto $20,000 if the damage exceeds $10,000 4. Unauthorised use or interception of computer services a). Imprisonment upto 2 years and/or fine upto $2,000 b) Imprisonment upto 5 years and/or fine upto $20,000 if the damage exceeds $10,000 5. Computer output shall be admissible as evidence

Japan Computer Crime (in the penal code of Japan) 1. False entry in an authenticated deed Imprisonment upto 5 years or fine upto 500,000 Yen 2. False entry in permit, licence or passport Imprisonment upto 1 years or fine upto 200,000 Yen 3. Electronic record made wrongfully Imprisonment upto 5 years or fine upto 500,000 Yen 4. Electronic record made wrongfully by public servant Imprisonment upto 10 years or fine upto 1 millionYen 5. Interference with business by destruction or damage of computer Imprisonment upto 5 years or fine upto 1 millionYen 6. Interference with computerImprisonment upto 10 years 7. Destruction of public document Imprisonment upto 7 years but not less than 3 months 8. Destruction of private document Imprisonment upto 5 years

Australia Offences related to Computers (Australian Crimes Act 1914, Sec 76A-76F) 1. Unlawful access to data in commonwealth and other computers Imprisonment between 6 months to 3 years 2. Damaging data in computer Imprisonment for 10 years

Hong Kong Computer Crimes Ordinance 1993 03-04-1993 1.Unauthorised access to computer by telecommunication Fine of $20,000 2. Access to computer with criminal or dishonest intent Imprisonment for 5 years 3. False entry in contract for sale of share Imprisonment for 3 years and fine of $5,000 4. False entry in bankbook Life Imprisonment 5. Making false dividend warrant Imprisonment for 7years 6. Book includes disc, card, tape, microchip etc.

Netherland Computer Related Crime 1. Intentional counterfeits or falsifies a cheque/credit card Imprisonment upto 6 years or fine of 100,000 guilders 2. Compels to make available data by deception Imprisonment upto 3 years or fine of 100,000 guilders 3. Intentional change/delete data Imprisonment upto 2 years or fine of 25,000 guilders 4. Intentional change/dele data using telecom infrastructure Imprisonment upto 4 years or fine of 25,000 guilders 5. Intentional distribution of data to damage automated system Imprisonment upto 4 years or fine of 100,000 guilders 6. Computer sabotage Imprisonment ranging from 6 months to 15 years or fine of 100,000 guilders 7. Unauthorised access Imprisonment ranging from 6 months to 4 years or fine upto 25,000 guilders 8. Unauthorised interception Imprisonment ranging from 3 months to 12 months or fine upto 25,000 guilders 9. Computer espionage Imprisonment ranging from 6 years to 15 years or fine of 100,000 guilders

Germany 1. Data spying Imprisonment upto 3 years or fine 2. Computer fraud Imprisonment upto 5 years or fine 3. Forgery of probative data Imprisonment upto 5 years or fine. Alteration of data Imprisonment upto 2 years or fine 5. Computer sabotage Imprisonment upto 5 years or fine

Canada 1. Possession of device to obtain telecom facility Imprisonment upto 2 years 2. Unauthorised use of computer Imprisonment upto 10 years 3. Commiting mischief with data Imprisonment upto 10 years

USA 1. Knowingly access of computer without authorisation related to national defence or foreign relations (Atomic Energy Act 1954) i) Imprisonment upto 10 years and/or a fine ii) Imprisonment upto 20 years and/or a fine if the offence occurs after a conviction under another offence 2. Intentional access of computer without authorisation to obtain financial information (Fair Credit Reporting Act 1681) i) Imprisonment upto 1 year and/or a fine ii) Imprisonment upto 10 years and/or a fine if the offence occurs after a conviction under another offence 3. Unauthorised access of computer of a govt. dept. or agency i) Imprisonment upto 1 year and/or a fine ii) Imprisonment upto 10 years and/or a fine if the offence occurs after a conviction under another offence 4. Unauthorised access of computer of federal interset with intent to defraud i) Imprisonment upto 5 year and/or a fine ii) Imprisonment upto 10 years and/or a fine if the offence occurs after a conviction under another offence 5. Knowingly causes transmission of data/program to i) Damage a computer, network, data or program, or ii) Withhold or deny use of a computer, network etc. i) Imprisonment upto 5 year and/or a fine ii) Imprisonment upto 10 years and/or a fine if the offence occurs after a conviction under another offence 6. Knowingly causes transmission of data/program with risk that the transmission will i) Damage a computer, network, data or program, or ii) Withhold or deny use of a computer, network etc., Imprisonment upto 1 year and/or a fine 7. Unauthorised access of computer with an intent to defraud i) Imprisonment upto 1 year and/or a fine ii) Imprisonment upto 10 years and/or a fine if the offence occurs after a conviction under another offence

Back to Index

U.K	Computer Misuse Act	29-06-1990	Offences and punishments 1. Unauthorised access to computer material Imprisonment upto 6 months and/or fine upto UKP 5,000 2. Unauthorised access with intent to commit or facilitate commission of further offences Imprisonment upto 6 months and/or fine on summary conviction Imprisonment upto 5 years and/or fine on conviction on indictment 3. Juridiction : England, Wales, Scotland and N. Ireland 4. Interpretation of the act
Singapore	Computer Misuse Act	30-08-1993	1. Unauthorised access to computer material a). Imprisonment upto 2 years and/or fine upto $2,000 b) Imprisonment upto 5 years and/or fine upto $20,000 if the damage exceeds $10,000 2. Unauthorised access with intent to commit or facilitate commission of further offences Imprisonment upto 10 years and/or fine upto $50,000 3. Unauthorised modification of computer material a). Imprisonment upto 2 years and/or fine upto $2,000 b) Imprisonment upto 5 years and/or fine upto $20,000 if the damage exceeds $10,000 2. Unauthorised access with intent to commit or facilitate commission of further offences Imprisonment upto 10 years and/or fine upto $50,000 3. Unauthorised modification of computer material a). Imprisonment upto 2 years and/or fine upto $2,000 b) Imprisonment upto 5 years and/or fine upto $20,000 if the damage exceeds $10,000 4. Unauthorised use or interception of computer services a). Imprisonment upto 2 years and/or fine upto $2,000 b) Imprisonment upto 5 years and/or fine upto $20,000 if the damage exceeds $10,000 5. Computer output shall be admissible as evidence
Japan	Computer Crime (in the penal code of Japan)		1. False entry in an authenticated deed Imprisonment upto 5 years or fine upto 500,000 Yen 2. False entry in permit, licence or passport Imprisonment upto 1 years or fine upto 200,000 Yen 3. Electronic record made wrongfully Imprisonment upto 5 years or fine upto 500,000 Yen 4. Electronic record made wrongfully by public servant Imprisonment upto 10 years or fine upto 1 millionYen 5. Interference with business by destruction or damage of computer Imprisonment upto 5 years or fine upto 1 millionYen 6. Interference with computerImprisonment upto 10 years 7. Destruction of public document Imprisonment upto 7 years but not less than 3 months 8. Destruction of private document Imprisonment upto 5 years
Australia	Offences related to Computers (Australian Crimes Act 1914, Sec 76A-76F)		1. Unlawful access to data in commonwealth and other computers Imprisonment between 6 months to 3 years 2. Damaging data in computer Imprisonment for 10 years
Hong Kong	Computer Crimes Ordinance 1993	03-04-1993	1.Unauthorised access to computer by telecommunication Fine of $20,000 2. Access to computer with criminal or dishonest intent Imprisonment for 5 years 3. False entry in contract for sale of share Imprisonment for 3 years and fine of $5,000 4. False entry in bankbook Life Imprisonment 5. Making false dividend warrant Imprisonment for 7years 6. Book includes disc, card, tape, microchip etc.
Netherland	Computer Related Crime		1. Intentional counterfeits or falsifies a cheque/credit card Imprisonment upto 6 years or fine of 100,000 guilders 2. Compels to make available data by deception Imprisonment upto 3 years or fine of 100,000 guilders 3. Intentional change/delete data Imprisonment upto 2 years or fine of 25,000 guilders 4. Intentional change/dele data using telecom infrastructure Imprisonment upto 4 years or fine of 25,000 guilders 5. Intentional distribution of data to damage automated system Imprisonment upto 4 years or fine of 100,000 guilders 6. Computer sabotage Imprisonment ranging from 6 months to 15 years or fine of 100,000 guilders 7. Unauthorised access Imprisonment ranging from 6 months to 4 years or fine upto 25,000 guilders 8. Unauthorised interception Imprisonment ranging from 3 months to 12 months or fine upto 25,000 guilders 9. Computer espionage Imprisonment ranging from 6 years to 15 years or fine of 100,000 guilders
Germany			1. Data spying Imprisonment upto 3 years or fine 2. Computer fraud Imprisonment upto 5 years or fine 3. Forgery of probative data Imprisonment upto 5 years or fine. Alteration of data Imprisonment upto 2 years or fine 5. Computer sabotage Imprisonment upto 5 years or fine
Canada			1. Possession of device to obtain telecom facility Imprisonment upto 2 years 2. Unauthorised use of computer Imprisonment upto 10 years 3. Commiting mischief with data Imprisonment upto 10 years
USA			1. Knowingly access of computer without authorisation related to national defence or foreign relations (Atomic Energy Act 1954) i) Imprisonment upto 10 years and/or a fine ii) Imprisonment upto 20 years and/or a fine if the offence occurs after a conviction under another offence 2. Intentional access of computer without authorisation to obtain financial information (Fair Credit Reporting Act 1681) i) Imprisonment upto 1 year and/or a fine ii) Imprisonment upto 10 years and/or a fine if the offence occurs after a conviction under another offence 3. Unauthorised access of computer of a govt. dept. or agency i) Imprisonment upto 1 year and/or a fine ii) Imprisonment upto 10 years and/or a fine if the offence occurs after a conviction under another offence 4. Unauthorised access of computer of federal interset with intent to defraud i) Imprisonment upto 5 year and/or a fine ii) Imprisonment upto 10 years and/or a fine if the offence occurs after a conviction under another offence 5. Knowingly causes transmission of data/program to i) Damage a computer, network, data or program, or ii) Withhold or deny use of a computer, network etc. i) Imprisonment upto 5 year and/or a fine ii) Imprisonment upto 10 years and/or a fine if the offence occurs after a conviction under another offence 6. Knowingly causes transmission of data/program with risk that the transmission will i) Damage a computer, network, data or program, or ii) Withhold or deny use of a computer, network etc., Imprisonment upto 1 year and/or a fine 7. Unauthorised access of computer with an intent to defraud i) Imprisonment upto 1 year and/or a fine ii) Imprisonment upto 10 years and/or a fine if the offence occurs after a conviction under another offence