INTRODUCTION
The expansion of the internet is a relatively recent notion. It was not long ago that the internet began to be utilized for nearly all aspects of everyday life, and especially in the current pandemic, everything is happening online, including criminal activity. Although cybercrime is a relatively new concept and distinct from traditional crime, the problems it faces make it an even greater menace. Anonymity is one such difficulty since it allows people to engage in activities without disclosing themselves or their acts to others. As a result, the investigation of cybercrime varies from traditional investigations.
The two types of law enforcement investigative tactics are coercive and covert, with the former including seizure and search capabilities and the latter involving interception and monitoring. When it comes to cybercrime, however, several issues arise when using these tactics. The following issues are frequently raised: determining the jurisdiction for trying the crime, obtaining and collecting all evidence, the admissibility of such evidence in court, the availability of specialized forces in light of the technical nature of the crime and evidence, the scope of the search warrant, and so on.
In India, the Information Technology Act of 2000 specifies the method to be followed in cybercrime investigations, stating that all entries, searches, and arrests conducted under the Act must comply with the requirements of the Code of Criminal Procedure, 1973. 10 In 2000, India took the lead in combating the problem of cybercrime investigation by establishing a Cybercrime Investigation Cell in Mumbai. Cyber forensics is a rapidly growing field of evidentiary law. India is not even a signatory to the Cybercrime Convention, making the investigation and prosecution of cybercrime in India somewhat ambiguous. This article will discuss how cybercrime is investigated in India, as well as the difficulties and concerns that occur during the process.
- JURISDICTIONAL ISSUES
Jurisdiction simply refers to the idea of a legal system’s proper Court having the authority to decide and hear a matter. The fact that parties interested in a dispute are situated in various areas of the world and have only a virtual link that binds them all into one realm is the major issue that veils Cyber Space Jurisdiction.
Normally, the jurisdiction is determined by the location of the cause of action. When there are numerous parties engaged in different regions of the world, however, determining jurisdiction becomes extremely complex.
There have been many cases where courts have addressed similar issues, such as R. v. Governor of Brixton Prison, ex p Levin[1], where there was a massive fund transfer from customers’ accounts to the perpetrators’ accounts in Citibank, and one of the issues was whether the criminal act occurred in St. Petersburg, Russia, where the keys were pressed instigating the crime, or in a foreign country. The court determined that the crime took place in the United States because a communication link was created between Levin and the Citibank computer, implying that Levin’s keystrokes were occurring on the Citibank computer. This ruling was even appealed to the House of Lords, which affirmed it.
In another example, while gambling was allowed in the state where the internet gambling site was operated, the online gaming firm was brought within the jurisdiction of a New York court and prosecuted there because it had an office there.[2]
KINDS OF JURISDICTION-
When it comes to assessing a state’s jurisdiction under international law, there are three types of jurisdiction. This comprises prescriptive jurisdiction, jurisdiction to adjudicative, and jurisdiction to enforce.
- Prescriptive Jurisdiction: It refers to the state’s authority to enact laws that apply to specific people and situations. If there is a conflict of interest with another state, international law limits a state’s power to prescribe laws.
- Jurisdiction to Adjudicative: It refers to the state’s ability to bring a person or item before a civil or criminal court or administrative tribunal, whether or not the state is a party to the proceedings. Only a sufficient link between the State and the individual is required.
- Jurisdiction to Enforce: It refers to a government’s ability to entice or penalize those who break rules and regulations. Officers can only enforce a state’s law with the approval of the state officials involved in the case. In some instances, however, a State may have the authority to prescribe even if it lacks the authority to adjudicate.
Jurisdiction Under The Indian Law-
India decides on questions of personal jurisdiction on an international level using the Long Arm Statute concept. Under the IT Act, India has embraced the idea of universal jurisdiction to encompass both its cyber contraventions and cybercrimes. The Long Arm Statute refers to a court’s authority over out-of-state defendant businesses. It establishes the government’s right to employ the long-arm legislation to pursue a defendant corporation.
India, in general, has not fully adapted to modern technology and so does not consider it a suitable method for carrying out legal responsibilities. As a result, only a small number of cases involving personal Cyber Space Jurisdiction have been determined by India’s superior courts. In India, the method is quite similar to the minimum contacts strategy employed in the United States. Procedural laws govern the exercise of jurisdiction.
- Jurisdiction of Indian Courts on Foreign Citizens- Indian courts cannot exercise jurisdiction over immovable property located in other countries, according to Section 16 of the CPC. By way of reciprocating or non-reciprocating regions, foreign judgments might be implemented in India. The judgment can be directly implemented by applying for an executive decree in the case of a reciprocating territory. This term refers to any region outside of India that the Indian government may designate reciprocating for the Act. It covers nations such as Canada and the United Kingdom. Non-reciprocating country judgments, on the other hand, may only be enforced in an Indian court by filing a case. In this situation, a foreign judgment is regarded as admissible evidence.[3]
CHALLENGES TO CYBER CRIME INVESTIGATIONS-
- Surveillance and Interception versus Privacy– Surveillance and communication interception are critical elements of cybercrime investigations. Law enforcement surveillance and an interception, on the other hand, is an exception to the right to privacy. The right to privacy is a basic human right protected by important international accords, and many nations have recognized it via law, either expressly or implicitly. In India, the method of interception was employed in line with the Indian Telegraph Act of 1885, which gave the government the authority to wiretap conversations. Furthermore, the Indian Telegraph Rules of 1951 defined the interception and monitoring mechanism. The Supreme Court was requested to rule on whether these laws infringed on people’s privacy, and in its judgment, the Court ruled that authorities must adhere to strict guidelines when tapping people’s phones and that tapping can only be done by the government and not by private organizations. The Information Technology Act of 2000 allows for the interception of any data sent across a computer network. Users must surrender encryption keys or risk a seven-year prison term. The Act gives the Certifying Authorities the authority to order interception if it is necessary or expedient in the interests of India’s sovereignty or integrity. The Information Technology (Amendment) Act of 2008 gives the government the authority to intercept any computer resource (cell phones, computers, and other communication devices) to investigate “any offense.” The IT Method and Safeguards for Interception, Monitoring, and Decryption of Information Rules, 2009, outline the procedure to be followed during interception.
Under the Telegraph Act, communications interception was only permitted in the event of a public emergency or if it was in the public interest or safety. The Information Technology Act expands these powers by removing the requirement for a “public emergency, public interest, or public safety” and allowing interception for any criminal investigation. In the absence of any limits on its implementation, the provision can be easily abused by regulatory authorities.
- Search and Seizure Issues- The gathering, search, and seizure of evidence in cybercrime investigations are a little more complicated because electronic data is involved. It also includes the storing of digital data. A search warrant is granted in India under Section 93 of the Cr.P.C., which states that a District Magistrate or a Chief Judicial Magistrate may issue a search warrant based on reasonable reasons as defined by the law. To undertake search and seizure activities, search warrants are required. Although there is no special procedure or advice for obtaining cyber search warrants, a police officer can acquire a conventional search warrant to look for digital evidence. The following reasons may be used to issue a warrant:
- the Court has cause to suspect that the individual to whom a summons has been issued would fail to appear;
- if it is unknown who has custody of the document or proof
- if the Court finds it necessary to issue a search warrant in connection with any investigation, trial, or other action.
A Deputy Superintendent of Police, or any other official authorized by the Central Government, may search and arrest without a warrant under the Cr.P.C. This area is typically used to target cybercafé patrons. This is just another example of the investigating agency’s discretionary powers being abused.[4]
- Encryption– Encryption is the process of converting something into a code or symbols that cannot be deciphered if intercepted. It is the science of transforming readable data into an incomprehensible form, or plain text into ciphertext, which cannot be read or understood by unauthorized individuals to preserve confidentiality, privacy, and verify integrity. On the one hand, cryptography may be used to preserve fundamental human rights such as privacy and freedom of expression, as well as offer electronic transactions with integrity, authentication, and secrecy. On the other hand, even when the data or equipment has been legitimately taken by investigating authorities, the data is frequently secured by passwords or cryptography, making it inaccessible. As a result, when investigating cybercrime, law enforcement agents frequently come across an encrypted crime scene, which obstructs the investigation and criminal prosecution process. Although there is a contradiction with the right against self-incrimination, the required obligation imposed on the data bearer does not appear to be unreasonable, given the unique character of cybercrime. Apart from the power granted to the Controller of Certifying Authority to request information from anybody, there is no clarity on this subject in India. To deal with encrypted crime scenes, law enforcement officials should be given the proper authority and procedures.
The Blackberry Case, 2007-2012- Customers in India were hesitant to buy Blackberry phones in mid-2008, not because of the phones’ performance, but because of an unexpected disagreement between the Indian government’s Department of Telecommunications (“DoT”) and Research in Motion (“RIM”) Blackberry Services. RIM was asked by the Agency of Transportation to provide its encryption algorithms with the department, citing security concerns over data transferred via email on Blackberry phones, or to build up servers in India and allow the department to monitor such transmissions. After many rounds of negotiations, the Indian government withdrew its request, changing its position on the security danger.[5]
The Indian Telegraph Act of 1885 gives the Department of Telecommunications (DoT) broad and unrestricted authority to deal with, monitor, and control the transmission of messages inside India. These provisions are automatically extended to data transfer that is encrypted. Under the IT Act 2008, the Telecom Authority of India was given greater powers, which appears to have spurred the Blackberry case.
- Anonymity- Techniques of anonymization are utilized for both legitimate and criminal purposes. There are genuine reasons for wishing to stay anonymous online and retain anonymity protection online; however, anonymization may often become a big stumbling block, particularly during cybercrime investigations. During cybercrime investigations, there are a variety of challenges that may arise. The anonymity that information and communication technology provides consumers is one such stumbling block. Individuals can participate in events without disclosing their identities or behaviors to others since they are anonymous.
- Attribution- Another issue that arises during cybercrime investigations is attribution. Attribution is the process of determining who or what is to blame for a cybercrime. This procedure aims to link cybercrime to a specific digital device, its user, and/or those who are accountable for the crime. The use of anonymity-enhancing technologies can make it harder to identify the devices and/or people who are responsible for crimes. The use of malware-infected zombie Computers or digital devices managed by remote access techniques complicates attribution even further. Unbeknownst to the individual whose device has been infected, these gadgets can be utilized to conduct cybercrime.
- Computer Forensics- There is a significant backlog in the development of this industry in India. There have been instances where grave cyber forensics errors have occurred, such as the IPL Match Fixing case. The absence of effective cyber-crime investigation procedures is demonstrated by the need for e-discovery practices on Bitcoin websites, as evidenced by the recent examples of cyber forensic mistakes in the Aarushi murder case. The petition submitted before the Honourable Supreme Court in the case of Dilipkumar Tulsidas v. Union of India [6]demands a legislative framework for effective cyber-crime investigation, as well as standardization in cyber security control and enforcement techniques.
With the number of cybercrimes on the rise, India needs a policy that promotes the development of digital forensics capabilities.
CONCLUSION
As computer crimes have become more common and are no longer restricted to a single country or jurisdiction, the legislation controlling them has gotten more difficult. Cybercrime investigation refers to public security, judicial, state security organs, and other administrative agencies that have granted criminal investigation and law enforcement authority to conduct authorized criminal investigations into cybercrime, including the filing, cracking, and selling of cases, as well as the screening of clues. The secret investigation, site investigation, arrest and trial, judicial identification, trial, and transfer are all things that can happen. India lacks suitable cyber legislation to control cybercrime activities, and there are several barriers in the investigation of cybercrime that provide a major challenge to cyber police in many nations across the world. Strong concealment and virtual reality are common characteristics of cybercrime instances. In addition to classic criminal investigation procedures, the investigation should also alter investigation concepts, explore new investigation modes, and embrace new network-based investigation measures.
[1] 1997 QB 65 : (1996) 3 WLR 657 : (1996) 4 All ER 350
[2] Id. at 363a
[3] Georgia Pereira, Cyber Space Jurisdiction Issues and Challenges, Legal Bites (Mar. 18, 2020)
[4] Raveena Rai, Challenges to Cyber Crime Investigation: A Need for Statutory and Infrastructural Reforms, NLU L.J. 62 (2015).
[5] N.S. Nappanee, Cyber Crime Law in India: Has Law Kept Pace with Emerging Trends? An Empirical Study, 5 Journal of International Commercial Law and Technology (2010)
[6] [W.P.(C). No. 97 of 2013].
YLCC would like to thank Priyanshi Singh for her valuable contribution in this article.
