Conviction in cases of cyber crime in India continues to be abysmally low, even as cybercrimehas more than doubled in the last two years, according to the latest home ministry data. While it isn’t possible to calculate exact conviction rates for 2015 since the data doesn’t divulge the number of cases where trial has been completed, the numbers available do produce a grim picture, experts say.
According to data reported by the minister of state for home affairs Hansraj Ahir recently, last year witnessed 11,592 cases of cybercrime being registered across the country – a rise of almost 20% from the previous year.
In the same period, chargesheets were filed in 3,206 cases while convictions were secured in a mere 234 cases. It is likely that some of the cases that saw chargesheets and convictions had spilled over from the previous year; in 2014, there were 9,622 cases registered -- and investigating agencies managed to secure only 76 convictions in the 2016 cases in which they filed chargesheets.
So what is ailing India’s fight against cybercrime– and why are law enforcing agencies not managing to secure more convictions?
To be sure, the government does seem to be allocating resources towards it: Ahir told the House last week that the government’s modal agency on cyber security, the Computer Emergency Response Team, has been conducting regular training programmes on cyber security to enable officials to fight cyber attacks. Ahir’s ministerial colleague Kiren Rijiju, who holds the same portfolio as him, told Parliament that apart from making arrangements for imparting highly specialised training to police personnel, the government had also set up 36 cyber security centres meant to deal exclusively with cyber attacks.
Where are the slip-ups happening then?
According to an official of the Data Security Council of India (DSCI), an organisation established by the software industry lobby group NASSCOM to promote data protection, although the government is investing on training the police and other officials, frequent transfers of trained individuals lead to cases not reaching their logical conclusion (DSCI too is involved in imparting specialised training to law enforcement agencies, prosecution lawyers and members of the judiciary).
The official said on condition of anonymity that government officials very often are not aware of their adjudicating powers under the Information Technology Act, 2008. “Not many state IT secretaries are exercising the quasi-judicial powers they possess under the IT act. The adjudication cases are also routed to police stations,” the official pointed out.
Another reason hampering investigations, the DSCI official said, is the lack of a robust information sharing model. “Absence of a comprehensive and well-defined collaboration and information sharing model among the investigating agencies is leading to lack of adequate preparedness to the emerging threats,” the official explained.
The lack of standard procedures for seizure and analysis of digital evidence too, according to the official, contributes to fewer convictions in cyber crimes. “There are no standard documented procedures for searching, seizing of digital evidence and standard operating procedures for forensic examination of digital evidence,” the person said.
Sometimes, though, the nature of cyber crimes is such that even if investigating agencies do all the right things and follow all the standard procedures, they are difficult to crack. For instance, since cyber crimes often extend beyond the boundaries of the country, obtaining court orders in multiple jurisdictions –- and following legal assistance treaties signed by India with other countries -- leads to cases remaining stagnant for months on end.
Besides, according to M.D. Sharath, deputy superintendent of police in Bengaluru’s cybercrime police station in the Criminal Investigation Department (CID), the judiciary often fails to “appreciate” digital evidence. “Conviction happens when the investigating agency, the prosecution and judiciary come together,” Sharath, who was awarded the “India Cyber Cop Award for Excellence in cybercrimeInvestigation” last year, said over the phone from Bengaluru. The officer, however, admitted there was a shortage of manpower trained to deal with cyber crimes.
Additionally, in case of banking frauds, it is often the bank which is at fault. “KYC (Know Your Customer) norms are often violated by banks and intermediaries – and when that happens, cases of fraudulent online transfers become very difficult to crack,” the DSCI official said.
The legal framework vis-à-vis cybercrimes too still leaves much to be desired: the government is yet to notify rules which specify how long and in what format intermediaries such as a telecom service provider should store customer information.
According to cyber expert Rakshit Tandon, while the lack of knowledge among most investigating agencies in collecting digital evidence is an obvious stumbling block towards more convictions, the fact that forensic validation of evidence takes times also adds to people getting off the hook.
“Plus, the judicial system of the country is notoriously slow – and in cases of cyber crimes, where evidence is extremely volatile and time-bound, a waiting period of six months means evidence is destroyed and unusable,” said Tandon.
India, as evident, has a cybercrime problem – and its law investigating agencies are not quite the best at dealing with it. On the bright side, though, home Minister Rajnath Singh, last week, in Parliament, acknowledged as much. “We cannot make a claim that the system what we have now to check cybercrimeis foolproof. We are working in this direction,” Singh told the Lok Sabha during question hour. The first step to solving a problem, as they say, is recognising there is one -- and the minister seems to be doing that.