Understanding hacking from a legal point of view
Hacking is the primary nemesis for every corporate entity and has now become a serious danger to each individual. Norton of Symantec Corp. reported that 42 million Indians were victims of cybercrime and that losses amounted to about $8 billion in 12 months (nr.tn/N3Yue1). Today, a hacker can control the cameras and all media on even personal computers to insidiously enter the personal domain of each individual to spy on them and to take photos and videos, which may then be uploaded on social media platforms. Such is the power of the hacker.
Hacking is not limited to a single method of functioning and therein lies its power. When solutions for one method are found, the knowledgeable and intelligent hacker finds 10 more methods or technologies to assist in the process of hacking.
Some such methods, which have evolved till date, are listed hereunder. Needless to add, this is not an exhaustive list and the list is not technical in its explanation of various forms of hacking. It is intended to only give an idea of serious the menace is.
Hacking version 1.0
Unprotected and, in fact, even protected systems are susceptible to hacking attacks. Hackers gain access to a system either through flaws in the operating systems or through malware, which gain access to a system through downloads.
For instance, the earliest methodology for gaining access to a computer was through emails with attachments, which would contain Trojan software that would then get embedded in the computer.
Even Word documents have been recently used as carriers of malware. Emails are also sent as if they are from government agencies (i.e., like income tax authorities or the Reserve Bank of India) to ensure that they are opened. The emails contain external links, opening of which may give access to an external hacker.
Till recently, URLs with the prefix “https:” were thought to be safe, as the letter “S” denotes “secure”. However, some recent influx of fraudulent emails demonstrates that this may not be so.
While spelling mistakes may give some indication of the fact that such mails are false, the email id; reference to income tax department; general references to net banking; use of a bank’s name at the foot of the email; and most significantly, the link bearing the prefix “https:” (emphasis added to the letter “S”) are bound to mislead even the most savvy.
Free games or software may also be carriers of malware or spyware, which form part of the software running the games. Once these games or software are downloaded onto a system, the malware or spyware will install itself in the system. Deleting the game will not remove the malware or spyware, which has already gained access to the system and embedded itself in the software which runs the system. These instances are not restricted only to desktop computers or laptops but any computer resource (including mobile phones) which runs on software.
Malware or spyware are also not limited by absence of connectivity. They will continue to function in the background irrespective of access to the internet. Such Trojan software may be used for data collection including usage patterns on the infected computers; sourcing all data and information on the computer resource; using such a computer to spread infection to all other computers or computer resources connected to the infected computer (through emails or when external devices are used on the infected computers—even when mobile phones are being charged on a computer device, it is vulnerable to such attacks).
Malware and spyware will give complete access to the computer and its contents and functionalities to an external hacker, who may put it to any use, including to spy on the surroundings where the infected computer is kept, through the microphone and camera on the computer/mobile phone or anything running on software. A building’s security system, for instance, may be compromised through hacking. Flights can be disrupted through hacking. The air traffic controller may lose control due to a hacking attack.
A hacker who is inside an organization may also commit all of the above illegal acts. Hacking may also have a much simpler process but result in grave consequences.
For instance, an employee with general access to computer systems in an organization may obtain access to password-protected and restricted content either by obtaining the password from a co-worker or by hacking into the systems through technological means.
Both of these acts will fall within the ambit of Section 66 read with Section 43(a). Under Indian law, it is not necessary for access to be obtained only through technological means.
Similarly, a person may engage in hacking only to demonstrate the weaknesses in a system. They may do so either with the permission of the owner or without his permission but with the sole intention of highlighting the flaws in the system. Such hackers are known by the colloquial term of “white hats”. For these to be criminal offences, under Section 66 read with Section 43(a), in addition to gaining access without consent of the owner, prosecution would have to establish dishonest or fraudulent intent. White hatters may, therefore, be outside the ambit of criminal law, as the very action of merely stopping with pointing out the existence of flaws, the hacker does not cause any harm or damage to the system or owner. There is, however, a very thin line of delineation between the white hatter and the malicious hacker, i.e., “black hats”. In India, the law has not linked the act of hacking with resultant loss, damage or harm for initiation of prosecution but has applied the broader threshold of dishonest or fraudulent intent to make hacking a criminal offence. In the light of the same and in the absence of specificity in combining the act of hacking with its resultant consequences, hackers of all kinds would be well advised to avoid the very act itself unless specifically authorised in writing to conduct hacking tests. Courts ought to apply purposive interpretation to read Section 43, as a whole and hold that loss, damage or diminution of utility of information residing on a computer resource or of the computer itself, due to commission of any of the acts set out in Section 43 [(a) to (h)], ought to be read into the said provisions for it to amount to a criminal offence. Dishonest or fraudulent intent would also require the support of consequential loss, damage or diminution of utility to establish criminal intent.
The above article is an edited extract from the book ‘Technology Laws Decoded’ published by LexisNexis.