CYBER LAW & INFORMATION TECHNOLOGY

Success in any field of human activity leads to crime that needs mechanisms to control it. Legal provisions should provide assurance to users, empowerment to law enforcement agencies and deterrence to criminals. The law is as stringent as its enforcement. Crime is no longer limited to space, time or a group of people. Cyber space creates moral, civil and criminal wrongs. It has now given a new way to express criminal tendencies. Back in 1990, less than 100,000 people were able to log on to the Internet worldwide. Now around 500 million people are hooked up to surf the net around the globe. Until recently, many information technology (IT) professionals lacked awareness of and interest in the cyber crime phenomenon. In many cases, law enforcement officers have lacked the tools needed to tackle the problem; old laws didnt quite fit the crimes being committed, new laws hadnt quite caught up to the reality of what was happening, and there were few court precedents to look to for guidance. Furthermore, debates over privacy issues hampered the ability of enforcement agents to gather the evidence needed to prosecute these new cases. Finally, there was a certain amount of antipathyor at the least, distrust between the two most important players in any effective fight against cyber crime: law enforcement agencies and computer professionals. Yet close cooperation between the two is crucial if we are to control the cyber crime problem and make the Internet a safe place for its users. Law enforcement personnel understand the criminal mindset and know the basics of gathering evidence and bringing offenders to justice. IT personnel understand computers and networks, how they work, and how to track down information on them. Each has half of the key to defeating the cyber criminal. IT professionals need good definitions of cybercrime in order to know when (and what) to

report to police, but law enforcement agencies must have statutory definitions of specific crimes in order to charge a criminal with an offense. The first step in specifically defining individual cybercrimes is to sort all the acts that can be considered cybercrimes into organized categories. United Nations Definition of Cybercrime Cybercrime spans not only state but national boundaries as well. Perhaps we should look to international organizations to provide a standard definition of the crime. At the Tenth United Nations Congress on the Prevention of Crime and Treatment of Offenders, in a workshop devoted to the issues of crimes related to computer networks, cybercrime was broken into two categories and defined thus: a. Cybercrime in a narrow sense (computer crime): Any illegal behavior directed by means of electronic operations that targets the security of computer systems and the data processed by them. b. Cybercrime in a broader sense (computer-related crime): Any illegal behavior committed by means of, or in relation to, a computer system or network, including such crimes as illegal possession [and] offering or distributing information by means of a computer system or network. Of course, these definitions are complicated by the fact that an act may be illegal in one nation but not in another. There are more concrete examples, including i. Unauthorized access ii Damage to computer data or programs iii Computer sabotage iv Unauthorized interception of communications v Computer espionage

These definitions, although not completely definitive, do give us a good starting pointone that has some international recognition and agreementfor determining just what we mean by the term cybercrime. In Indian law, cyber crime has to be voluntary and willful, an act or omission that adversely affects a person or property. The IT Act provides the backbone for e-commerce and Indias approach has been to look at e-governance and e-commerce primarily from the promotional aspects looking at the vast opportunities and the need to sensitize the population to the possibilities of the information age. There is the need to take in to consideration the security aspects. In the present global situation where cyber control mechanisms are important we need to push cyber laws. Cyber Crimes are a new class of crimes to India rapidly expanding due to extensive use of internet. Getting the right lead and making the right interpretation are very important in solving a cyber crime. The 7 stage continuum of a criminal case starts from perpetration to registration to reporting, investigation, prosecution, adjudication and execution. The system can not be stronger than the weakest link in the chain. In India, there are 30 million policemen to train apart from 12,000 strong Judiciary. Police in India are trying to become cyber crime savvy and hiring people who are trained in the area. Each police station in Delhi will have a computer soon which will be connected to the Head Quarter.. The pace of the investigations however can be faster; judicial sensitivity and knowledge need to improve. Focus needs to be on educating the police and district judiciary. IT Institutions can also play a role in this area. Technology nuances are important in a spam infested environment where privacy can be

compromised and individuals can be subjected to become a victim unsuspectingly. We need to sensitize our investigators and judges to the nuances of the system. Most cyber criminals have a counter part in the real world. If loss of property or persons is caused the criminal is punishable under the IPC also. Since the law enforcement agencies find it is easier to handle it under the IPC, IT Act cases are not getting reported and when reported are not necessarily dealt with under the IT Act. A lengthy and intensive process of learning is required. A whole series of initiatives of cyber forensics were undertaken and cyber law procedures resulted out of it. This is an area where learning takes place every day as we are all beginners in this area. We are looking for solutions faster than the problems can get invented. We need to move faster than the criminals. The real issue is how to prevent cyber crime. For this, there is need to raise the probability of apprehension and conviction. India has a law on evidence that considers admissibility, authenticity, accuracy, and completeness to convince the judiciary. The challenge in cyber crime cases includes getting evidence that will stand scrutiny in a foreign court. For this India needs total international cooperation with specialised agencies of different countries. Police has to ensure that they have seized exactly what was there at the scene of crime, is the same that has been analysed and the report presented in court is based on this evidence. It has to maintain the chain of custody. The threat is not from the intelligence of criminals but from our ignorance and the will to fight it. The law is stricter now on producing evidence especially where electronic documents are concerned. The computer is the target and the tool for the perpetration of crime. It is used for the

communication of the criminal activity such as the injection of a virus/worm which can crash entire networks. The Information Technology (IT) Act, 2000, specifies the acts which have been made punishable. Since the primary objective of this Act is to create an enabling environment for commercial use of I.T., certain omissions and commissions of criminals while using computers have not been included. With the legal recognition of Electronic Records and the amendments made in the several sections of the IPC vide the IT Act, 2000, several offences having bearing on cyber-arena are also registered under the appropriate sections of the IPC. During the year 2003, 60 cases were registered under IT Act as compared to 70 cases during the previous year thereby reporting a decline of 14.3 percent in 2003 over 2002. Of the total 60 cases registered under IT Act 2000, around 33 percent (20 cases) relate to Obscene Publication / Transmission in electronic form, normally known as cases of cyber pornography. 17 persons were arrested for committing such offences during 2003. There were 21 cases of Hacking of computer systems wherein 18 persons were arrested in 2003. Of the total (21) Hacking cases, the cases relating to Loss/Damage of computer resource/utility under Sec 66(1) of the IT Act were to the tune of 62 percent (13 cases) and that related to Hacking under Section 66(2) of IT Act were 38 percent (8cases). During 2003, a total of 411 cases were registered under IPC Sections as compared to 738 such cases during 2002 thereby reporting a significant decline of 44 percent in 2003 over 2002. Andhra Pradesh reported more than half of such cases (218 out of 411) (53 percent). Of the 411 cases registered under IPC, majority of the crimes fall under 3 categories viz. Criminal Breach of Trust or Fraud (269), Forgery (89) and Counterfeiting (53).

Though, these offences fall under the traditional IPC crimes, the cases had the cyber tones wherein computer, Internet or its related aspects were present in the crime and hence they were categorised as Cyber Crimes under IPC. During 2003, number of cases under Cyber Crimes relating to Counterfeiting of currency/Stamps stood at 53 wherein 118 persons were arrested during 2003. Of the 47,478 cases reported under Cheating, the Cyber Forgery (89) accounted for 0.2 per cent. Of the total Criminal Breach of Trust cases (13,432), the Cyber frauds (269) accounted for 2 percent. Of the Counterfeiting offences (2,055), Cyber Counterfeiting (53) offences accounted for 2.6 percent. A total of 475 persons were arrested in the country for Cyber Crimes under IPC during 2003. Of these, 53.6 percent offenders (255) were taken into custody for offences under Criminal Breach of Trust/Fraud (Cyber) and 21.4 percent (102) for offences under Cyber Forgery. The age-wise profile of the arrested persons showed that 45 percent were in the age-group of 30-45 years, 28.5 percent of the offenders were in the age-group of 45-60 years and 11 offenders were aged 60 years and above. Gujarat reported 2 offenders who were below 18 years of age. Fraud/Illegal gain (120) accounted for 60 per cent of the total Cyber Crime motives reported in the country. Greed/Money (15 cases) accounted for 7.5 percent of the Cyber Crimes reported. Eve-teasing and Harassment (8 cases) accounted for around 4 per cent. Cyber Suspects include Neighbours / Friends / Relatives (91), Disgrunted employees (11), Business Competitors (9), Crackers Students / Professional learners (3). Cybercrime is not on the decline. The latest statistics show that cybercrime is actually on the

rise. However, it is true that in India, cybercrime is not reported too much about. Consequently there is a false sense of complacency that cybercrime does not exist and that society is safe from cybercrime. This is not the correct picture. The fact is that people in our country do not report cybercrimes for many reasons. Many do not want to face harassment by the police. There is also the fear of bad publicity in the media, which could hurt their reputation and standing in society. Also, it becomes extremely difficult to convince the police to register any cybercrime, because of lack of orientation and awareness about cybercrimes and their registration and handling by the police. A recent survey indicates that for every 500 cybercrime incidents that take place, only 50 are reported to the police and out of that only one is actually registered. These figures indicate how difficult it is to convince the police to register a cybercrime. The establishment of cybercrime cells in different parts of the country was expected to boost cybercrime reporting and prosecution. However, these cells havent quite kept up with expectations. Netizens should not be under the impression that cybercrime is vanishing and they must realize that with each passing day, cyberspace becomes a more dangerous place to be in, where criminals roam freely to execute their criminals intentions encouraged by the socalled anonymity that internet provides. The absolutely poor rate of cyber crime conviction in the country has also not helped the cause of regulating cybercrime. There has only been few cybercrime convictions in the whole country, which can be counted on fingers. We need to ensure that we have specialized procedures for prosecution of cybercrime cases so as to tackle them on a priority

basis,. This is necessary so as to win the faith of the people in the ability of the system to tackle cybercrime. We must ensure that our system provides for stringent punishment of cybercrimes and cyber criminals so that the same acts as a deterrent for others. Threat Perceptions UK has the largest number of infected computers in the world followed by the US and China. Financial attacks are 16 events per 1000, the highest among all kinds of attacks. The US is the leading source country for attacks but this has declined. China is second and Germany is third. It is hard to determine where the attack came from originally. The number of viruses and worm variants rose sharply to 7,360 that is a 64% increase over the previous reporting period and a 332% increase over the previous year. There are 17,500 variants of Win.32 viruses. Threats to confidential information are on the rise with 54% of the top 50 reporting malicious code with the potential to expose such information. Phishing messages grew to 4.5 million from 1 million between July and December 2004. Some Indian Case Studies 1. Pune Citibank MphasiS Call Center Fraud US $ 3,50,000 from accounts of four US customers were dishonestly transferred to bogus accounts. This will give a lot of ammunition to those lobbying against outsourcing in US. Such cases happen all over the world but when it happens in India it is a serious matter and we can not ignore it. It is a case of sourcing engineering. Some employees gained the confidence of the customer and obtained their PIN numbers to commit fraud. They got these under the guise of helping the customers out of difficult situations. Highest security prevails in the call centers in India as they know that they will lose their business. There was not as

much of breach of security but of sourcing engineering. The call center employees are checked when they go in and out so they can not copy down numbers and therefore they could not have noted these down. They must have remembered these numbers, gone out immediately to a cyber caf and accessed the Citibank accounts of the customers. All accounts were opened in Pune and the customers complained that the money from their accounts was transferred to Pune accounts and thats how the criminals were traced. Police has been able to prove the honesty of the call center and has frozen the accounts where the money was transferred. There is need for a strict background check of the call center executives. However, best of background checks can not eliminate the bad elements from coming in and breaching security. We must still ensure such checks when a person is hired. There is need for a national ID and a national data base where a name can be referred to. In this case preliminary investigations do not reveal that the criminals had any crime history. Customer education is very important so customers do not get taken for a ride. Most banks are guilt of not doing this. 2. Bazee.com case CEO of Bazee.com was arrested in December 2004 because a CD with objectionable material was being sold on the website. The CD was also being sold in the markets in Delhi. The Mumbai city police and the Delhi Police got into action. The CEO was later released on bail. This opened up the question as to what kind of distinction do we draw between Internet Service Provider and Content Provider. The burden rests on the accused that he was the

Service Provider and not the Content Provider. It also raises a lot of issues regarding how the police should handle the cyber crime cases and a lot of education is required. 3. State of Tamil Nadu Vs Suhas Katti The Case of Suhas Katti is notable for the fact that the conviction was achieved successfully within a relatively quick time of 7 months from the filing of the FIR. Considering that similar cases have been pending in other states for a much longer time, the efficient handling of the case which happened to be the first case of the Chennai Cyber Crime Cell going to trial deserves a special mention. The case related to posting of obscene, defamatory and annoying message about a divorcee woman in the yahoo message group. E-Mails were also forwarded to the victim for information by the accused through a false e-mail account opened by him in the name of the victim. The posting of the message resulted in annoying phone calls to the lady in the belief that she was soliciting. Based on a complaint made by the victim in February 2004, the Police traced the accused to Mumbai and arrested him within the next few days. The accused was a known family friend of the victim and was reportedly interested in marrying her. She however married another person. This marriage later ended in divorce and the accused started contacting her once again. On her reluctance to marry him, the accused took up the harassment through the Internet. On 24-3-2004 Charge Sheet was filed u/s 67 of IT Act 2000, 469 and 509 IPC before The Honble Addl. CMM Egmore by citing 18 witnesses and 34 documents and material objects. The same was taken on file in C.C.NO.4680/2004. On the prosecution side 12 witnesses

were examined and entire documents were marked as Exhibits. The Defence argued that the offending mails would have been given either by ex-husband of the complainant or the complainant her self to implicate the accused as accused alleged to have turned down the request of the complainant to marry her. Further the Defence counsel argued that some of the documentary evidence was not sustainable under Section 65 B of the Indian Evidence Act. However, the court relied upon the expert witnesses and other evidence produced before it, including the witnesses of the Cyber Cafe owners and came to the conclusion that the crime was conclusively proved. Ld. Additional Chief Metropolitan Magistrate, Egmore, delivered the judgement on 5-11-04 as follows: The accused is found guilty of offences under section 469, 509 IPC and 67 of IT Act 2000 and the accused is convicted and is sentenced for the offence to undergo RI for 2 years under 469 IPC and to pay fine of Rs.500/-and for the offence u/s 509 IPC sentenced to undergo 1 year Simple imprisonment and to pay fine of Rs.500/- and for the offence u/s 67 of IT Act 2000 to undergo RI for 2 years and to pay fine of Rs.4000/- All sentences to run concurrently. The accused paid fine amount and he was lodged at Central Prison, Chennai. This is considered as the first case convicted under section 67 of Information Technology Act 2000 in India. 4. The Bank NSP Case The Bank NSP case is the one where a management trainee of the bank was engaged to be married. The couple exchanged many emails using the company computers. After some time the two broke up and the girl created fraudulent email ids such as

indianbarassociations and sent emails to the boys foreign clients. She used the banks computer to do this. The boys company lost a large number of clients and took the bank to court. The bank was held liable for the emails sent using the banks system. 5. SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra In India's first case of cyber defamation, a Court of Delhi assumed jurisdiction over a matter where a corporates reputation was being defamed through emails and passed an important ex-parte injunction. In this case, the defendant Jogesh Kwatra being an employ of the plaintiff company started sending derogatory, defamatory, obscene, vulgar, filthy and abusive emails to his employers as also to different subsidiaries of the said company all over the world with the aim to defame the company and its Managing Director Mr. R K Malhotra. The plaintiff filed a suit for permanent injunction restraining the defendant from doing his illegal acts of sending derogatory emails to the plaintiff. On behalf of the plaintiffs it was contended that the emails sent by the defendant were distinctly obscene, vulgar, abusive, intimidating, humiliating and defamatory in nature. Counsel further argued that the aim of sending the said emails was to malign the high reputation of the plaintiffs all over India and the world. He further contended that the acts of the defendant in sending the emails had resulted in invasion of legal rights of the plaintiffs. Further the defendant is under a duty not to send the aforesaid emails. It is pertinent to note that after the plaintiff company discovered the said employ could be indulging in the matter of sending abusive emails, the plaintiff terminated the services of the defendant.

After hearing detailed arguments of Counsel for Plaintiff, Hon'ble Judge of the Delhi High Court passed an ex-parte ad interim injunction observing that a prima facie case had been made out by the plaintiff. Consequently, the Delhi High Court restrained the defendant from sending derogatory, defamatory, obscene, vulgar, humiliating and abusive emails either to the plaintiffs or to its sister subsidiaries all over the world including their Managing Directors and their Sales and Marketing departments. Further, Hon'ble Judge also restrained the defendant from publishing, transmitting or causing to be published any information in the actual world as also in cyberspace which is derogatory or defamatory or abusive of the plaintiffs. This order of Delhi High Court assumes tremendous significance as this is for the first time that an Indian Court assumes jurisdiction in a matter concerning cyber defamation and grants an ex-parte injunction restraining the defendant from defaming the plaintiffs by sending derogatory, defamatory, abusive and obscene emails either to the plaintiffs or their subsidiaries. 6. PARLIAMENT ATTACK CASE Bureau of Police Research and Development at Hyderabad had handled some of the top cyber cases, including analysing and retrieving information from the laptop recovered from terrorist, who attacked Parliament. The laptop which was seized from the two terrorists, who were gunned down when Parliament was under siege on December 13 2001, was sent to Computer Forensics Division of BPRD after computer experts at Delhi failed to trace much out of its contents.

The laptop contained several evidences that confirmed of the two terrorists motives, namely the sticker of the Ministry of Home that they had made on the laptop and pasted on their ambassador car to gain entry into Parliament House and the the fake ID card that one of the two terrorists was carrying with a Government of India emblem and seal. The emblems (of the three lions) were carefully scanned and the seal was also craftly made along with residential address of Jammu and Kashmir. But careful detection proved that it was all forged and made on the laptop. 7. Andhra Pradesh Tax Case Dubious tactics of a prominent businessman from Andhra Pradesh was exposed after officials of the department got hold of computers used by the accused person. The owner of a plastics firm was arrested and Rs 22 crore cash was recovered from his house by sleuths of the Vigilance Department. They sought an explanation from him regarding the unaccounted cash within 10 days. The accused person submitted 6,000 vouchers to prove the legitimacy of trade and thought his offence would go undetected but after careful scrutiny of vouchers and contents of his computers it revealed that all of them were made after the raids were conducted. It later revealed that the accused was running five businesses under the guise of one company and used fake and computerised vouchers to show sales records and save tax. 8. SONY.SAMBANDH.COM CASE India saw its first cybercrime conviction recently. It all began after a complaint was filed by Sony India Private Ltd, which runs a website called www.sony-sambandh.com, targeting

Non Resident Indians. The website enables NRIs to send Sony products to their friends and relatives in India after they pay for it online. The company undertakes to deliver the products to the concerned recipients. In May 2002, someone logged onto the website under the identity of Barbara Campa and ordered a Sony Colour Television set and a cordless head phone. She gave her credit card number for payment and requested that the products be delivered to Arif Azim in Noida. The payment was duly cleared by the credit card agency and the transaction processed. After following the relevant procedures of due diligence and checking, the company delivered the items to Arif Azim. At the time of delivery, the company took digital photographs showing the delivery being accepted by Arif Azim. The transaction closed at that, but after one and a half months the credit card agency informed the company that this was an unauthorized transaction as the real owner had denied having made the purchase. The company lodged a complaint for online cheating at the Central Bureau of Investigation which registered a case under Section 418, 419 and 420 of the Indian Penal Code. The matter was investigated into and Arif Azim was arrested. Investigations revealed that Arif Azim, while working at a call centre in Noida gained access to the credit card number of an American national which he misused on the companys site. The CBI recovered the colour television and the cordless head phone. In this matter, the CBI had evidence to prove their case and so the accused admitted his guilt. The court convicted Arif Azim under Section 418, 419 and 420 of the Indian Penal Code this being the first time that a cybercrime has been convicted.

The court, however, felt that as the accused was a young boy of 24 years and a first-time convict, a lenient view needed to be taken. The court therefore released the accused on probation for one year. The judgment is of immense significance for the entire nation. Besides being the first conviction in a cybercrime matter, it has shown that the the Indian Penal Code can be effectively applied to certain categories of cyber crimes which are not covered under the Information Technology Act 2000. Secondly, a judgment of this sort sends out a clear message to all that the law cannot be taken for a ride. 9. Nasscom vs. Ajay Sood & Others In a landmark judgment in the case of National Association of Software and Service Companies vs Ajay Sood & Others, delivered in March, 05, the Delhi High Court declared `phishing on the internet to be an illegal act, entailing an injunction and recovery of damages. Elaborating on the concept of phishing, in order to lay down a precedent in India, the court stated that it is a form of internet fraud where a person pretends to be a legitimate association, such as a bank or an insurance company in order to extract personal data from a customer such as access codes, passwords, etc. Personal data so collected by misrepresenting the identity of the legitimate party is commonly used for the collecting partys advantage. court also stated, by way of an example, that typical phishing scams involve persons who pretend to represent online banks and siphon cash from e-banking accounts after conning consumers into handing over confidential banking details. The Delhi HC stated that even though there is no specific legislation in India to penalise

phishing, it held phishing to be an illegal act by defining it under Indian law as a misrepresentation made in the course of trade leading to confusion as to the source and origin of the e-mail causing immense harm not only to the consumer but even to the person whose name, identity or password is misused. The court held the act of phishing as passing off and tarnishing the plaintiffs image. The plaintiff in this case was the National Association of Software and Service Companies (Nasscom), Indias premier software association. The defendants were operating a placement agency involved in head-hunting and recruitment. In order to obtain personal data, which they could use for purposes of headhunting, the defendants composed and sent e-mails to third parties in the name of Nasscom. The high court recognised the trademark rights of the plaintiff and passed an ex-parte adinterim injunction restraining the defendants from using the trade name or any other name deceptively similar to Nasscom. The court further restrained the defendants from holding themselves out as being associates or a part of Nasscom. The court appointed a commission to conduct a search at the defendants premises. Two hard disks of the computers from which the fraudulent e-mails were sent by the defendants to various parties were taken into custody by the local commissioner appointed by the court. The offending e-mails were then downloaded from the hard disks and presented as evidence in court. During the progress of the case, it became clear that the defendants in whose names the offending e-mails were sent were fictitious identities created by an employee on defendants

instructions, to avoid recognition and legal action. On discovery of this fraudulent act, the fictitious names were deleted from the array of parties as defendants in the case. Subsequently, the defendants admitted their illegal acts and the parties settled the matter through the recording of a compromise in the suit proceedings. According to the terms of compromise, the defendants agreed to pay a sum of Rs1.6 million to the plaintiff as damages for violation of the plaintiffs trademark rights. The court also ordered the hard disks seized from the defendants premises to be handed over to the plaintiff who would be the owner of the hard disks. This case achieves clear milestones: It brings the act of phishing into the ambit of Indian laws even in the absence of specific legislation; It clears the misconception that there is no damages culture in India for violation of IP rights; This case reaffirms IP owners faith in the Indian judicial systems ability and willingness to protect intangible property rights and send a strong message to IP owners that they can do business in India without sacrificing their IP rights. 10. Infinity e-Search BPO Case The Gurgaon BPO fraud has created an embarrassing situation for Infinity eSearch, the company in which Mr Karan Bahree was employed. A British newspaper had reported that one of its undercover reporters had purchased personal information of 1,000 British customers from an Indian call-center employee. However, the employee of Infinity eSearch, a New Delhi-based web designing company, who was reportedly involved in the case has denied any wrongdoing. The company has also said that it had nothing to do with the incident.

In the instant case the journalist used an intermediary, offered a job, requested for a presentation on a CD and later claimed that the CD contained some confidential data. The fact that the CD contained such data is itself not substantiated by the journalist. In this sort of a situation we can only say that the journalist has used "Bribery" to induce a "Out of normal behavior" of an employee. This is not observation of a fact but creating a factual incident by intervention. Investigation is still on in this matter. Cyber Laws in India Objectives: This chapter presents the meaning and definition of cyber crime, the legislation in India dealing with offences relating to the use of or concerned with the abuse of computers or other electronic gadgets. The Information Technology Act 2000 and the I.T. Amendment Act 2008 have been dealt with in detail and other legislations dealing with electronic offences have been discussed in brief. Introduction: Crime is both a social and economic phenomenon. It is as old as human society. Many ancient books right from pre-historic days, and mythological stories have spoken about crimes committed by individuals be it against another individual like ordinary theft and burglary or against the nation like spying, treason etc. Kautilyas Arthashastra written around 350 BC, considered to be an authentic administrative treatise in India, discusses the various crimes, security initiatives to be taken by the rulers, possible crimes in a state etc. and also advocates punishment for the list of some stipulated offences. Different kinds of punishments have been prescribed for listed offences and the concept of restoration of loss to the victims has also been discussed in it. Crime in any form adversely affects all the members of the society. In developing economies, cyber crime has increased at rapid strides, due to the rapid diffusion of the Internet and the digitisation of

economic activities. Thanks to the huge penetration of technology in almost all walks of society right from corporate governance and state administration, up to the lowest level of petty shop keepers computerizing their billing system, we find computers and other electronic devices pervading the human life. The penetration is so deep that man cannot spend a day without computers or a mobile. Snatching some ones mobile will tantamount to dumping one in solitary confinement! Cyber Crime is not defined in Information Technology Act 2000 nor in the I.T. Amendment Act 2008 nor in any other legislation in India. In fact, it cannot be too. Offence or crime has been dealt with elaborately listing various acts and the punishments for each, under the Indian Penal Code, 1860 and quite a few other legislations too. Hence, to define cyber crime, we can say, it is just a combination of crime and computer. To put it in simple terms any offence or crime in which a computer is used is a cyber crime. Interestingly even a petty offence like stealing or pick-pocket can be brought within the broader purview of cyber crime if the basic data or aid to such an offence is a computer or an information stored in a computer used (or misused) by the fraudster. The I.T. Act defines a computer, computer network, data, information and all other necessary ingredients that form part of a cyber crime, about which we will now be discussing in detail. In a cyber crime, computer or the data itself the target or the object of offence or a tool in committing some other offence, providing the necessary inputs for that offence. All such acts of crime will come under the broader definition of cyber crime. 2 Let us now discuss in detail, the Information Technology Act -2000 and the I.T. Amendment Act 2008 in general and with particular reference to banking and financial sector related transactions. Before

going into the section-wise or chapter-wise description of various provisions of the Act, let us discuss the history behind such a legislation in India, the circumstances under which the Act was passed and the purpose or objectives in passing it. The Genesis of IT legislation in India: Mid 90s saw an impetus in globalization and computerisation, with more and more nations computerizing their governance, and e-commerce seeing an enormous growth. Until then, most of international trade and transactions were done through documents being transmitted through post and by telex only. Evidences and records, until then, were predominantly paper evidences and paper records or other forms of hard-copies only. With much of international trade being done through electronic communication and with email gaining momentum, an urgent and imminent need was felt for recognizing electronic records ie the data what is stored in a computer or an external storage attached thereto. The United Nations Commission on International Trade Law (UNCITRAL) adopted the Model Law on e-commerce in 1996. The General Assembly of United Nations passed a resolution in January 1997 inter alia, recommending all States in the UN to give favourable considerations to the said Model Law, which provides for recognition to electronic records and according it the same treatment like a paper communication and record. Objectives of I.T. legislation in India: . It is against this background the Government of India enacted its Information Technology Act 2000 with the objectives as follows, stated in the preface to the Act itself. to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information, to

facilitate electronic filing of documents with the Government agencies and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental thereto. The Information Technology Act, 2000, was thus passed as the Act No.21 of 2000, got President assent on 9 June and was made effective from 17 October 2000. The Act essentially deals with the following issues: _ Legal Recognition of Electronic Documents _ Legal Recognition of Digital Signatures _ Offenses and Contraventions _ Justice Dispensation Systems for cyber crimes. Amendment Act 2008: Being the first legislation in the nation on technology, computers and ecommerce and e-communication, the Act was the subject of extensive debates, elaborate reviews and detailed criticisms, with one arm of the industry criticizing some sections of the Act to be draconian and other stating it is too diluted and lenient. There were some conspicuous omissions too resulting in the investigators relying more and more on the time-tested (one and half centuryold) Indian Penal Code even in technology based cases with the I.T. Act also being referred in the process and the reliance more on IPC rather on the ITA. 3 Thus the need for an amendment a detailed one was felt for the I.T. Act almost from the year 200304 itself. Major industry bodies were consulted and advisory groups were formed to go into the perceived lacunae in the I.T. Act and comparing it with similar legislations in other nations and to suggest recommendations. Such recommendations were analysed and subsequently taken up as a comprehensive Amendment Act and after considerable administrative procedures, the consolidated amendment called the Information Technology Amendment Act 2008 was placed in the Parliament and

passed without much debate, towards the end of 2008 (by which time the Mumbai terrorist attack of 26 November 2008 had taken place). This Amendment Act got the President assent on 5 Feb 2009 and was made effective from 27 October 2009. Some of the notable features of the ITAA are as follows: _ Focussing on data privacy _ Focussing on Information Security _ Defining cyber caf _ Making digital signature technology neutral _ Defining reasonable security practices to be followed by corporate _ Redefining the role of intermediaries _ Recognising the role of Indian Computer Emergency Response Team _ Inclusion of some additional cyber crimes like child pornography and cyber terrorism _ authorizing an Inspector to investigate cyber offences (as against the DSP earlier) In this chapter, we will be broadly discussing the various provisions of ITA 2000 and wherever the same has been amended or a new section added as per the ITAA 2008, such remark will be made appropriately. How the Act is structured: The Act totally has 13 chapters and 90 sections (the last four sections namely sections 91 to 94 in the ITA 2000 dealt with the amendments to the four Acts namely the Indian Penal Code 1860, The Indian Evidence Act 1872, The Bankers Books Evidence Act 1891 and the Reserve Bank of India Act 1934). The Act begins with preliminary and definitions and from thereon the chapters that follow deal with authentication of electronic records, digital signatures, electronic signatures etc. Elaborate procedures for certifying authorities (for digital certificates as per IT Act -2000 and since replaced by electronic signatures in the ITAA -2008) have been spelt out. The civil offence of data theft and the process of adjudication and appellate procedures have been described. Then the Act goes on to

define and describe some of the well-known cyber crimes and lays down the punishments therefore. Then the concept of due diligence, role of intermediaries and some miscellaneous provisions have been described. Rules and procedures mentioned in the Act have also been laid down in a phased manner, with the latest one on the definition of private and sensitive personal data and the role of intermediaries, due diligence etc., being defined as recently as April 2011. We will be discussing some of the important provisions of such rules also in the later part of this chapter. Applicability: The Act extends to the whole of India and except as otherwise provided, it applies to also any offence or contravention there under committed outside India by any person. There are some specific exclusions to the Act (ie where it is not applicable) as detailed in the First Schedule, stated below: 4 a) negotiable instrument (Other than a cheque) as defined in section 13 of the Negotiable Instruments Act, 1881; b) a power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882; c) a trust as defined in section 3 of the Indian Trusts Act, 1882 d) a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925 including any other testamentary disposition e) any contract for the sale or conveyance of immovable property or any interest in such property; f) any such class of documents or transactions as may be notified by the Central Government Definitions: The ITA-2000 defines many important words used in common computer parlance like access, computer resource, computer system, communication device, data, information,

security procedure etc. The definition of the word computer itself assumes significance here. Computer means any electronic magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network; So is the word computer system which means a device or a collection of devices with input, output and storage capabilities. Interestingly, the word computer and computer system have been so widely defined to mean any electronic device with data processing capability, performing computer functions like logical, arithmetic and memory functions with input, storage and output capabilities. A careful reading of the words will make one understand that a high-end programmable gadgets like even a washing machine or switches and routers used in a network can all be brought under the definition. Similarly the word communication devices inserted in the ITAA-2008 has been given an inclusive definition, taking into its coverage cell phones, personal digital assistance or such other devices used to transmit any text, video etc like what was later being marketed as iPad or other similar devices on Wi-fi and cellular models. Definitions for some words like cyber caf were also later incorporated in the ITAA 2008 when Indian Computer response Emergency Team was included. Digital Signature: Electronic signature was defined in the ITAA -2008 whereas the earlier ITA -2000 covered in detail about digital signature, defining it and elaborating the procedure to obtain the digital signature certificate and giving it legal validity. Digital signature was defined in the ITA -2000 as authentication of electronic record as per procedure laid down in Section 3 and Section 3 discussed

the use of asymmetric crypto system and the use of Public Key Infrastructure and hash function etc. This was later criticized to be technology dependent ie., relying on the specific technology of asymmetric crypto system and the hash function generating a pair of public and private key authentication etc. Thus Section 3 which was originally Digital Signature was later renamed as Digital Signature and Electronic Signature in ITAA - 2008 thus introducing technological neutrality by adoption of electronic signatures as a legally valid mode of executing signatures. This includes digital signatures as one of the modes of signatures and is far broader in ambit covering biometrics and other new forms of creating electronic signatures not confining the recognition to digital signature process alone. While M/s. TCS, M/s. Safescript and M/s. MTNL are some of the digital signature certifying authorities in 5 India, IDRBT (Institute for Development of Research in Banking Technology the research wing of RBI) is the Certifying Authorities (CA) for the Indian Banking and financial sector licensed by the Controller of Certifying Authorities, Government of India. It is relevant to understand the meaning of digital signature (or electronic signature) here. It would be pertinent to note that electronic signature (or the earlier digital signature) as stipulated in the Act is NOT a digitized signature or a scanned signature. In fact, in electronic signature (or digital signature) there is no real signature by the person, in the conventional sense of the term. Electronic signature is not the process of storing ones signature or scanning ones signature and sending it in an electronic communication like email. It is a process of authentication of message using the procedure laid down in Section 3 of the Act. The other forms of authentication that are simpler to use such as biometric based retina scanning etc can

be quite useful in effective implementation of the Act. However, the Central Government has to evolve detailed procedures and increase awareness on the use of such systems among the public by putting in place the necessary tools and stipulating necessary conditions. Besides, duties of electronic signature certificate issuing authorities for bio-metric based authentication mechanisms have to be evolved and the necessary parameters have to be formulated to make it user-friendly and at the same time without compromising security. e-Governance: Chapter III discusses Electronic governance issues and procedures and the legal recognition to electronic records is dealt with in detail in Section 4 followed by description of procedures on electronic records, storage and maintenance and according recognition to the validity of contracts formed through electronic means. Procedures relating to electronic signatures and regulatory guidelines for certifying authorities have been laid down in the sections that follow. Chapter IX dealing with Penalties, Compensation and Adjudication is a major significant step in the direction of combating data theft, claiming compensation, introduction of security practices etc discussed in Section 43, and which deserve detailed description. Section 43 deals with penalties and compensation for damage to computer, computer system etc. This section is the first major and significant legislative step in India to combat the issue of data theft. The IT industry has for long been clamouring for a legislation in India to address the crime of data theft, just like physical theft or larceny of goods and commodities. This Section addresses the civil offence of theft of data. If any person without permission of the owner or any other person who is in charge of a computer, accesses or downloads, copies or extracts any data or introduces any computer contaminant like virus or damages or disrupts any computer or denies access to a computer to an authorised user or

tampers etche shall be liable to pay damages to the person so affected. Earlier in the ITA -2000 the maximum damages under this head was Rs.1 crore, which (the ceiling) was since removed in the ITAA 2008. The essence of this Section is civil liability. Criminality in the offence of data theft is being separately dealt with later under Sections 65 and 66. Writing a virus program or spreading a virus mail, a bot, a Trojan or any other malware in a computer network or causing a Denial of Service Attack in a server will all come under this Section and attract civil liability by way of compensation. Under this Section, words like Computer Virus, Compute Contaminant, Computer database and Source Code are all described and defined. 6 Questions like the employees liability in an organisation which is sued against for data theft or such offences and the amount of responsibility of the employer or the owner and the concept of due diligence were all debated in the first few years of ITA -2000 in court litigations like the bazee.com case and other cases. Subsequently need was felt for defining the corporate liability for data protection and information security at the corporate level was given a serious look. Thus the new Section 43-A dealing with compensation for failure to protect data was introduced in the ITAA -2008. This is another watershed in the area of data protection especially at the corporate level. As per this Section, where a body corporate is negligent in implementing reasonable security practices and thereby causes wrongful loss or gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected. The Section further explains the phrase body corporate and quite significantly the phrases reasonable security practices and procedures and sensitive personal data or information.

Thus the corporate responsibility for data protection is greatly emphasized by inserting Section 43A whereby corporates are under an obligation to ensure adoption of reasonable security practices. Further what is sensitive personal data has since been clarified by the central government vide its Notification dated 11 April 2011 giving the list of all such data which includes password, details of bank accounts or card details, medical records etc. After this notification, the IT industry in the nation including techsavvy and widely technology-based banking and other sectors became suddenly aware of the responsibility of data protection and a general awareness increased on what is data privacy and what is the role of top management and the Information Security Department in organisations in ensuring data protection, especially while handling the customers and other third party data. Reasonable Security Practices _ Site certification _ Security initiatives _ Awareness Training _ Conformance to Standards, certification _ Policies and adherence to policies _ Policies like password policy, Access Control, email Policy etc _ Periodic monitoring and review. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules have since been notified by the Government of India, Dept of I.T. on 11 April 2011. Any body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies containing managerial, technical, operational and physical security control measures commensurate with the information assets being protected with the nature of business. In the event of

an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and 7 information security policies. The international Standard IS/ISO/IEC 27001 on "Information Technology Security Techniques - Information Security Management System Requirements" is one such standard referred to in sub-rule (1). In view of the foregoing, it has now become a major compliance issue on the part of not only IT companies but also those in the Banking and Financial Sector especially those banks with huge computerised operations dealing with public data and depending heavily on technology. In times of a litigation or any security breach resulting in a claim of compensation of financial loss amount or damages, it would be the huge responsibility on the part of those body corporate to prove that that said Reasonable Security Practices and Procedures were actually in place and all the steps mentioned in the Rules passed in April 2011 stated above, have been taken. In the near future, this is one of the sections that is going to create much noise and be the subject of much debates in the event of litigations, like in re-defining the role of an employee, the responsibility of an employer or the top management in data protection and issues like the actual and vicarious responsibility, the actual and contributory negligence of all stake holders involved etc. The issue has wider ramifications especially in the case of a cloud computing scenario (the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server, with the services managed by the provider sold on demand, for the amount of time used)

where more and more organisations handle the data of others and the information is stored elsewhere and not in the owners system. Possibly, more debates will emanate on the question of information owners vis a vis the information container and the information custodians and the Service Level Agreements of all parties involved will assume a greater significance. Adjudication: Having dealt with civil offences, the Act then goes on to describe civil remedy to such offences in the form of adjudication without having to resort to the procedure of filing a complaint with the police or other investigating agencies. Adjudication powers and procedures have been elaborately laid down in Sections 46 and thereafter. The Central Government may appoint any officer not below the rank of a director to the Government of India or a state Government as the adjudicator. The I.T. Secretary in any state is normally the nominated Adjudicator for all civil offences arising out of data thefts and resultant losses in the particular state. If at all one section can be criticized to be absolutely lacking in popularity in the IT Act, it is this provision. In the first ten years of existence of the ITA, there have been only a very few applications made in the nation, that too in the major metros almost all of which are under different stages of judicial process and adjudications have been obtained in possibly less than five cases. The first adjudication obtained under this provision was in Chennai, Tamil Nadu, in a case involving ICICI Bank in which the bank was told to compensate the applicant with the amount wrongfully debited in Internet Banking, along with cost and damages. in April 2010. This section should be given much popularity and awareness should be spread among the public especially the victims of cyber crimes and data theft that such a procedure does exist without recourse to going to the police and filing a case. It is time the state spends some time and thought in enhancing

awareness on the provision of adjudication for civil offences in cyber litigations like data theft etc so that the purpose for which such useful provisions have been made, are effectively utilized by the litigant public. There is an appellate procedure under this process and the composition of Cyber Appellate Tribunal at the national level, has also been described in the Act. Every adjudicating officer has the powers of a 8 civil court and the Cyber Appellate Tribunal has the powers vested in a civil court under the Code of Civil Procedure. After discussing the procedures relating to appeals etc and the duties and powers of Cyber Appellate Tribunal, the Act moves to the actual criminal acts coming under the broader definition of cyber crimes. It would be pertinent to note that the Act only lists some of the cyber crimes, (without defining a cyber crime) and stipulates the punishments for such offences. The criminal provisions of the IT Act and those dealing with cognizable offences and criminal acts follow from Chapter IX titled Offences Section 65: Tampering with source documents is dealt with under this section. Concealing, destroying, altering any computer source code when the same is required to be kept or maintained by law is an offence punishable with three years imprisonment or two lakh rupees or with both. Fabrication of an electronic record or committing forgery by way of interpolations in CD produced as evidence in a court (Bhim Sen Garg vs State of Rajasthan and others, 2006, Cri LJ, 3463, Raj 2411) attract punishment under this Section. Computer source code under this Section refers to the listing of programmes, computer commands, design and layout etc in any form. Section 66: Computer related offences are dealt with under this Section. Data theft stated in Section 43 is referred to in this Section. Whereas it was a plain and simple civil offence with the remedy of

compensation and damages only, in that Section, here it is the same act but with a criminal intention thus making it a criminal offence. The act of data theft or the offence stated in Section 43 if done dishonestly or fraudulently becomes a punishable offence under this Section and attracts imprisonment upto three years or a fine of five lakh rupees or both. Earlier hacking was defined in Sec 66 and it was an offence. Now after the amendment, data theft of Sec 43 is being referred to in Sec 66 by making this section more purposeful and the word hacking is not used. The word hacking was earlier called a crime in this Section and at the same time, courses on ethical hacking were also taught academically. This led to an anomalous situation of people asking how an illegal activity be taught academically with a word ethical prefixed to it. Then can there be training programmes, for instance, on Ethical burglary, Ethical Assault etc say for courses on physical defence? This tricky situation was put an end to, by the ITAA when it re-phrased the Section 66 by mapping it with the civil liability of Section 43 and removing the word Hacking. However the act of hacking is still certainly an offence as per this Section, though some experts interpret hacking as generally for good purposes (obviously to facilitate naming of the courses as ethical hacking) and cracking for illegal purposes. It would be relevant to note that the technology involved in both is the same and the act is the same, whereas in hacking the owners consent is obtained or assumed and the latter act cracking is perceived to be an offence. Thanks to ITAA, Section 66 is now a widened one with a list of offences as follows: 66A Sending offensive messages thro communication service, causing annoyance etc through an electronic communication or sending an email to mislead or deceive the recipient about the origin of

such messages (commonly known as IP or email spoofing) are all covered here. Punishment for these acts is imprisonment upto three years or fine. 66B Dishonestly receiving stolen computer resource or communication device with punishment upto three years or one lakh rupees as fine or both. 66C Electronic signature or other identity theft like using others password or electronic signature etc. Punishment is three years imprisonment or fine of one lakh rupees or both. 9 66D Cheating by personation using computer resource or a communication device shall be punished with imprisonment of either description for a term which extend to three years and shall also be liable to fine which may extend to one lakh rupee. 66E Privacy violation Publishing or transmitting private area of any person without his or her consent etc. Punishment is three years imprisonment or two lakh rupees fine or both. 66F Cyber terrorism Intent to threaten the unity, integrity, security or sovereignty of the nation and denying access to any person authorized to access the computer resource or attempting to penetrate or access a computer resource without authorization. Acts of causing a computer contaminant (like virus or Trojan Horse or other spyware or malware) likely to cause death or injuries to persons or damage to or destruction of property etc. come under this Section. Punishment is life imprisonment. It may be observed that all acts under S.66 are cognizable and non-bailable offences. Intention or the knowledge to cause wrongful loss to others ie the existence of criminal intention and the evil mind ie concept of mens rea, destruction, deletion, alteration or diminishing in value or utility of data are all the major ingredients to bring any act under this Section. To summarise, what was civil liability with entitlement for compensations and damages in Section 43, has been referred to here, if committed with criminal intent, making it a criminal liability attracting imprisonment and fine or both.

Section 67 deals with publishing or transmitting obscene material in electronic form. The earlier Section in ITA was later widened as per ITAA 2008 in which child pornography and retention of records by intermediaries were all included. Publishing or transmitting obscene material in electronic form is dealt with here. Whoever publishes or transmits any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely to read the matter contained in it, shall be punished with first conviction for a term upto three years and fine of five lakh rupees and in second conviction for a term of five years and fine of ten lakh rupees or both. This Section is of historical importance since the landmark judgement in what is considered to be the first ever conviction under I.T. Act 2000 in India, was obtained in this Section in the famous case State of Tamil Nadu vs Suhas Katti on 5 November 2004. The strength of the Section and the reliability of electronic evidences were proved by the prosecution and conviction was brought about in this case, involving sending obscene message in the name of a married women amounting to cyber stalking, email spoofing and the criminal activity stated in this Section. Section 67-A deals with publishing or transmitting of material containing sexually explicit act in electronic form. Contents of Section 67 when combined with the material containing sexually explicit material attract penalty under this Section. Child Pornography has been exclusively dealt with under Section 67B. Depicting children engaged in sexually explicit act, creating text or digital images or advertising or promoting such material depicting children in obscene or indecent manner etc or facilitating abusing children online or inducing children to online relationship with one or more children etc come under this Section. Children means persons who have not completed 18 years of age, for the purpose of this Section. Punishment for the

first conviction is imprisonment for a maximum of five years and fine of ten lakh rupees and in the event of subsequent conviction with imprisonment of seven years and fine of ten lakh rupees. 10 Bonafide heritage material being printed or distributed for the purpose of education or literature etc are specifically excluded from the coverage of this Section, to ensure that printing and distribution of ancient epics or heritage material or pure academic books on education and medicine are not unduly affected. Screening videographs and photographs of illegal activities through Internet all come under this category, making pornographic video or MMS clippings or distributing such clippings through mobile or other forms of communication through the Internet fall under this category. Section 67C fixes the responsibility to intermediaries that they shall preserve and retain such information as may be specified for such duration and in such manner as the Central Government may prescribe. Non-compliance is an offence with imprisonment upto three years or fine. Transmission of electronic message and communication: Section 69: This is an interesting section in the sense that it empowers the Government or agencies as stipulated in the Section, to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource, subject to compliance of procedure as laid down here. This power can be exercised if the Central Government or the State Government, as the case may be, is satisfied that it is necessary or expedient in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence. In any such case too, the necessary procedure as may be prescribed, is to be followed and the

reasons for taking such action are to be recorded in writing, by order, directing any agency of the appropriate Government. The subscriber or intermediary shall extend all facilities and technical assistance when called upon to do so. Section 69A inserted in the ITAA, vests with the Central Government or any of its officers with the powers to issue directions for blocking for public access of any information through any computer resource, under the same circumstances as mentioned above. Section 69B discusses the power to authorise to monitor and collect traffic data or information through any computer resource. Commentary on the powers to intercept, monitor and block websites: In short, under the conditions laid down in the Section, power to intercept, monitor or decrypt does exist. It would be interesting to trace the history of telephone tapping in India and the legislative provisions (or the lack of it?) in our nation and compare it with the powers mentioned here. Until the passage of this Section in the ITAA, phone tapping was governed by Clause 5(2) of the Indian Telegraph Act of 1885, which said that On the occurrence of any public emergency, or in the interest of the public safety, the Government may, if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence, for reasons to be recorded in writing, by order, direct that any message or class of messages to or from any person or class of persons, or relating to any particular subject, brought for transmission by or transmitted or received by any telegraph, shall not be transmitted, or shall be intercepted or detained, or shall be disclosed to the Government making the order or an officer thereof mentioned in the order. Other sections of the act mention that the government should formulate precautions to be taken for preventing the improper interception or disclosure of messages. There have been many attempts, rather many requests, to formulate rules to govern the operation of Clause 5(2). But ever since 1885, no government has formulated any such precautions, maybe for obvious reasons to retain the spying powers for almost a century. A writ petition was filed in the Supreme Court in 1991 by the Peoples Union for Civil

Liberties, challenging the constitutional validity of this Clause 5(2). The petition argued that it infringed the constitutional right to freedom of speech and expression and to life and personal liberty. In December 1996, the Supreme Court delivered its judgment, pointing out that unless a public emergency has occurred or the interest of public safety demands, the authorities have no jurisdiction to exercise the powers given them under 5(2). They went on to define them thus: a public emergency was the prevailing of a sudden condition or state of affairs affecting the people at large calling for immediate action, and public safety means the state or condition of freedom from danger or risk for the people at large. Without those two, however necessary or expedient, it could not do so. Procedures for keeping such records and the layer of authorities etc were also stipulated. Now, this Section 69 of ITAA is far more intrusive and more powerful than the above-cited provision of Indian Telegraph Act 1885. Under this ITAA Section, the nominated Government official will be able to listen in to all phone calls, read the SMSs and emails, and monitor the websites that one visited, subject to adherence to the prescribed procedures and without a warrant from a magistrates order. In view of the foregoing, this Section was critizised to be draconian vesting the government with much more powers than required. Having said this, we should not be oblivious to the fact that this power (of intercepting, monitoring and blocking) is something which the Government represented by the Indian Computer Emergency Response Team, (the National Nodal Agency, as nominated in Section 70B of ITAA) has very rarely exercised. Perhaps believing in the freedom of expression and having confidence in the self-regulative nature of the industry, the CERT-In has stated that these powers are very sparingly (and almost never) used by it. Critical Information Infrastructure and Protected System have been discussed in Section 70.

The Indian Computer Emergency Response Team (CERT-In) coming under the Ministry of Information and Technology, Government of India, has been designated as the National Nodal Agency for incident response. By virtue of this, CERT-In will perform activities like collection, analysis and dissemination of information on cyber incidents, forecasts and alerts of cyber security incidents, emergency measures for handling cyber security incidents etc. The role of CERT-In in e-publishing security vulnerabilities and security alerts is remarkable. The Minister of State for Communications and IT Mr.Sachin Pilot said in a written reply to the Rajya Sabha said that (as reported in the Press), CERT-In has handled over 13,000 such incidents in 2011 compared to 8,266 incidents in 2009. CERT-In has observed that there is significant increase in the number of cyber security incidents in the country. A total of 8,266, 10,315 and 13,301 security incidents were reported to and handled by CERT-In during 2009, 2010 and 2011, respectively," These security incidents include website intrusions, phishing, network probing, spread of malicious code like virus, worms and spam, he added. Hence the role of CERT-In is very crucial and there are much expectations from CERT In not just in giving out the alerts but in combating cyber crime, use the weapon of monitoring the web-traffic, intercepting and blocking the site, whenever so required and with due process of law. Penalty for breach of confidentiality and privacy is discussed in Section 72 with the punishment being imprisonment for a term upto two years or a fine of one lakh rupees or both. Considering the global nature of cyber crime and understanding the real time scenario of fraudster living in one part of the world and committing a data theft or DoS(Denial of Service) kind of an attack or other cyber crime in an entirely different part of the world, Section 75 clearly

states that the Act applies to offences or contravention committed outside India, if the contravention or the offence involves a computer or a computer network located in India. This Act has over-riding provisions especially with regard to the regulations stipulated in the Code of Criminal Procedure. As per Section 78, notwithstanding anything contained in the Code of Criminal Procedure, a police officer not below the rank of an Inspector shall investigate an offence under this Act. Such powers were conferred to officers not below the rank of a Deputy Superintendent of Police earlier in the ITA which was later amended as Inspector in the ITAA. Due Diligence: Liability of intermediaries and the concept of Due Diligence has been discussed in Section 79. As per this, intermediary shall not be liable for any third party information hosted by him, if his function is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted or if he does not initiate the transmission, select the receiver of the transmission and select or modify the information contained in the transmission and if he observes due diligence and follows the guidelines prescribed by the Central Government. This concept of due diligence is also much being debated. Due Diligence was first discussed as an immediate fallout of the famous bazee.com case in New Delhi, when the NRI CEO of the company was arrested for making the MMS clipping with objectionable obscene material depicting school children was made available in the public domain website owned by him, for sale (and later the CD was sold). The larger issue being discussed at that time was how far is the content provider responsible and how far the Internet Service Provider and what is due diligence which as the CEO of the company, he should have exercised.

After passage of the ITAA and the introduction of reasonable security practices and procedures and the responsibility of body corporate as seen earlier in Section 43A, and to set at rest some confusion on the significance of due diligence and what constitutes due diligence, the DIT came out with a set of rules titled Information Technology (Intermediaries Guidelines) Rules on 11 April 2011. As per this, the intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or been brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act within thirty six hours and where applicable, work with user or owner of such information to disable such information that is in contravention of sub-rule (2). Further the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes.. In essence, an intermediary shall be liable for any contravention of law committed by any user unless the Intermediary can prove that he has exercised due diligence and has not conspired or abetted in the act of criminality. Power to enter, search etc has been described in Section 80. Notwithstanding anything contained in the Code of Criminal Procedure, any police officer, not below the rank of an Inspector or any other officer .authorised .may enter any public place and search and arrest without warrant any person found therein who is reasonably suspected of having committed or of committing or of being about to commit any offence under this Act. This is another effective weapon that has been rarely and almost never utilised by the police officers. The Act is applicable to electronic cheques and truncated cheques (ie the image of cheque being presented and processed curtailing and truncating the physical movement of the cheque from the collecting banker to the paying banker). Overriding powers of the Act and the powers of Central Government to make rules and that of State Governments to make rules wherever necessary have been discussed in the Sections that follow. Other Acts amended by the ITA:

The Indian Penal Code, 1860: Normally referred to as the IPC, this is a very powerful legislation and probably the most widely used in criminal jurisprudence, serving as the main criminal code of India. Enacted originally in 1860 and amended many time since, it covers almost all substantive aspects of criminal law and is supplemented by other criminal provisions. In independent India, many special laws have been enacted with criminal and penal provisions which are often referred to and relied upon, as an additional legal provision in cases which refer to the relevant provisions of IPC as well. ITA 2000 has amended the sections dealing with records and documents in the IPC by inserting the word electronic thereby treating the electronic records and documents on a par with physical records and documents. The Sections dealing with false entry in a record or false document etc (eg 192, 204, 463, 464, 464, 468 to 470, 471, 474, 476 etc) have since been amended as electronic record and electronic document thereby bringing within the ambit of IPC, all crimes to an electronic record and electronic documents just like physical acts of forgery or falsification of physical records. In practice, however, the investigating agencies file the cases quoting the relevant sections from IPC in addition to those corresponding in ITA like offences under IPC 463,464, 468 and 469 read with the ITA/ITAA Sections 43 and 66, to ensure the evidence or punishment stated at least in either of the legislations can be brought about easily. The Indian Evidence Act 1872: This is another legislation amended by the ITA. Prior to the passing of ITA, all evidences in a court were in the physical form only. With the ITA giving recognition to all electronic records and documents, it was but natural that the evidentiary legislation in the nation be amended in tune with it. In the definitions part of the Act itself, the all documents including electronic records were substituted. Words like digital signature, electronic form, secure electronic record

information as used in the ITA, were all inserted to make them part of the evidentiary mechanism in legislations. Admissibility of electronic records as evidence as enshrined in Section 65B of the Act assumes significance. This is an elaborate section and a landmark piece of legislation in the area of evidences produced from a computer or electronic device. Any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer shall be treated like a document, without further proof or production of the original, if the conditions like these are satisfied: (a) the computer output containing the information was produced by the computer during the period over which the computer was used regularly .... by lawful persons.. (b) the information ...derived was regularly fed into the computer in the ordinary course of the said activities; (c) throughout the material part of the said period, the computer was operating properly ...... and ......a certificate signed by a person .....responsible..... etc. To put it in simple terms, evidences (information) taken from computers or electronic storage devices and produced as print-outs or in electronic media are valid if they are taken from system handled properly with no scope for manipulation of data and ensuring integrity of data produced directly with or without human intervention etc and accompanied by a certificate signed by a responsible person declaring as to the correctness of the records taken from a system a computer with all the precautions as laid down in the Section. However, this Section is often being misunderstood by one part of the industry to mean that computer print-outs can be taken as evidences and are valid as proper records, even if they are not signed. We find many computer generated letters emanating from big corporates with proper space below for signature under the words Your faithfully or truly and the signature space left blank, with a Post

Script remark at the bottom This is a computer generated letter and hence does not require signature. The Act does not anywhere say that computer print-outs need not be signed and can be taken as record. The Bankers Books Evidence(BBE) Act 1891 Amendment to this Act has been included as the third schedule in ITA. Prior to the passing of ITA, any evidence from a bank to be produced in a court, necessitated production of the original ledger or other register for verification at some stage with the copy retained in the court records as exhibits. With the passing of the ITA the definitions part of the BBE Act stood amended as: "bankers ' books include ledgers, day-books, cash-books, account-books and all other books used in the ordinary business of a bank whether kept in the written form or as printouts of data stored in a floppy, disc, tape or any other form of electro-magnetic data storage device. When the books consist of printouts of data stored in a floppy, disc, tape etc, a printout of such entry ...certified in accordance with the provisions ....to the effect that it is a printout of such entry or a copy of such printout by the principal accountant or branch manager; and (b) a certificate by a person incharge of computer system containing a brief description of the computer system and the particulars of the safeguards adopted by the system to ensure that data is entered or any other operation performed only by authorised persons; the safeguards adopted to prevent and detect unauthorised change of data ...to retrieve data that is lost due to systemic failure. In short, just like in the Indian Evidence Act, the provisions in Bankers Books Evidence Act make the printout from a computer system or a floppy or disc or a tape as a valid document and evidence, provided, such print-out is accompanied by a certificate stating that it is a true extract from the official records of the bank and that such entries or records are from a computerised system with proper integrity of data, wherein data cannot be manipulated or accessed in an unauthorised manner or is not lost or tamperable due to system failure or such other reasons. Here again, let us reiterate that the law does not state that any computerised print-out even if not signed, constitutes a valid record. But still even many banks of repute (both public sector and private

sector) often send out printed letters to customers with the space for signature at the bottom left blank after the line Yours faithfully etc and with a remark as Post Script reading: This is a computer generated letter and hence does not require signature. Such interpretation is grossly misleading and sends a message to public that computer generated reports or letters need not be signed, which is never mentioned anywhere in nor is the import of the ITA or the BBE. The next Act that was amended by the ITA is the Reserve Bank of India Act, 1934. Section 58 of the Act sub-section (2), after clause (p), a clause relating to the regulation of funds transfer through electronic means between banks (ie transactions like RTGS and NEFT and other funds transfers) was inserted, to facilitate such electronic funds transfer and ensure legal admissibility of documents and records therein. Observations on ITA and ITAA: Having discussed in detail all the provisions of ITA and ITAA, let us now look at some of the broader areas of omissions and commissions in the Act and the general criticism the Acts have faced over the years. Awareness: There is no serious provision for creating awareness and putting such initiatives in place in the Act. The government or the investigating agencies like the Police department (whose job has been made comparatively easier and focused, thanks to the passing of the IT Act), have taken any serious step to create public awareness about the provisions in these legislations, which is absolutely essential considering the fact that this is a new area and technology has to be learnt by all the stake-holders like the judicial officers, legal professionals, litigant public and the public or users at large. Especially, provisions like scope for adjudication process is never known to many including those in the investigating agencies. Jurisdiction: This is a major issue which is not satisfactorily addressed in the ITA or ITAA.

Jurisdiction has been mentioned in Sections 46, 48, 57 and 61 in the context of adjudication process and the appellate procedure connected with and again in Section 80 and as part of the police officers powers to enter, search a public place for a cyber crime etc. In the context of electronic record, Section 13 (3) and (4) discuss the place of dispatch and receipt of electronic record which may be taken as jurisprudence issues. However some fundamental issues like if the mail of someone is hacked and the accused is a resident of a city in some state coming to know of it in a different city, which police station does he go to? If he is an employee of a Multi National Company with branches throughout the world and in many metros in India and is often on tour in India and he suspects another individual say an employee of the same firm in his branch or headquarters office and informs the police that evidence could lie in the suspects computer system itself, where does he go to file he complaint. Often, the investigators do not accept such complaints on the grounds of jurisdiction and there are occasions that the judicial officers too have hesitated to deal with such cases. The knowledge that cyber crime is geography-agnostic, borderless, territory-free and sans all jurisdiction and frontiers and happens in cloud or the space, has to be spread and proper training is to be given to all concerned players in the field. Evidences: Evidences are a major concern in cyber crimes. Pat of evidences is the crime scene issues. In cyber crime, there is no cyber crime. We cannot mark a place nor a computer nor a network, nor seize the hard-disk immediately and keep it under lock and key keep it as an exhibit taken from the crime scene. Very often, nothing could be seen as a scene in cyber crime! The evidences, the data, the network and the related gadgets along with of course the log files and trail of events emanating or recorded in the system are actually the crime scene. While filing cases under IT Act, be it as a civil case in the adjudication process or a criminal complaint filed with the police, many often, evidences may lie in some system like the intermediaries computers or some times in the opponents computer system too. In all such cases, unless the police swing into action swiftly and seize the systems and capture the evidences, such vital evidences could be easily destroyed. In fact, if one knows that his computer is going to be seized, he would immediately go for destruction of evidences (formatting, removing the history, removing the cookies, changing the registry

and user login set ups, reconfiguring the system files etc) since most of the computer history and log files are volatile in nature. There is no major initiative in India on common repositories of electronic evidences by which in the event of any dispute (including civil) the affected computer may be handed over to a common trusted third party with proper software tools, who may keep a copy of the entire disk and return the original to the owner, so that he can keep using it at will and the copy will be produced as evidence whenever required. For this there are software tools like EnCase wih a global recognition and our own C-DAC tools which are available with much retrieval facilities, search features without giving any room for further writing and preserving the original version with date stamp for production as evidence. Non coverage of many crimes: While there are many legislations in not only many Western countries but also some smaller nations in the East, India has only one legislation -- the ITA and ITAA. Hence it is quite natural that many issues on cyber crimes and many crimes per se are left uncovered. Many cyber crimes like cyber squatting with an evil attention to extort money. Spam mails, ISPs liability in copyright infringement, data privacy issues have not been given adequate coverage. Besides, most of the Indian corporate including some Public Sector undertakings use Operating Systems that are from the West especially the US and many software utilities and hardware items and sometimes firmware are from abroad. In such cases, the actual reach and import of IT Act Sections dealing with a utility software or a system software or an Operating System upgrade or update used for downloading the software utility, is to be specifically addressed, as otherwise a peculiar situation may come, when the user may not know whether the upgrade or the patch is getting downloaded or any spyware getting installed. The Act does

not address the governments policy on keeping the backup of corporates including the PSUs and PSBs in our county or abroad and if kept abroad, the subjective legal jurisprudence on such software backups. We find, as has been said earlier in the chapter, that most of the cyber crimes in the nation are still brought under the relevant sections of IPC read with the comparative sections of ITA or the ITAA which gives a comfort factor to the investigating agencies that even if the ITA part of the case is lost, the accused cannot escape from the IPC part. To quote the noted cyber law expert in the nation and Supreme Court advocate Shri Pavan Duggal, While the lawmakers have to be complemented for their admirable work removing various deficiencies in the Indian Cyberlaw and making it technologically neutral, yet it appears that there has been a major mismatch between the expectation of the nation and the resultant effect of the amended legislation. The most bizarre and startling aspect of the new amendments is that these amendments seek to make the Indian cyberlaw a cyber crime friendly legislation; - a legislation that goes extremely soft on cyber criminals, with a soft heart; a legislation that chooses to encourage cyber criminals by lessening the quantum of punishment accorded to them under the existing law; .. a legislation which makes a majority of cybercrimes stipulated under the IT Act as bailable offences; a legislation that is likely to pave way for India to become the potential cyber crime capital of the world Let us not be pessimistic that the existing legislation is cyber criminal friendly or paves the way to increase crimes. Certainly, it does not. It is a commendable piece of legislation, a landmark first step and a remarkable mile-stone in the technological growth of the nation. But let us not be complacent that the existing law would suffice. Let us remember that the criminals always go faster than the investigators and always try to be one step ahead in technology. After all, steganography was used in the Parliament Attack case to convey a one-line hidden message from one criminal to another which

was a lesson for the investigators to know more about the technology of steganography. Similarly Satellite phones were used in the Mumbai attack case in November 2008 after which the investigators became aware of the technological perils of such gadgets, since until then, they were relying on cell phones and the directional tracking by the cell phone towers and Call Details Register entries only. Hopefully, more and more awareness campaign will take place and the government will be conscious of the path ahead to bring more and more legislations in place. Actually, bringing more legislations may just not be sufficient, because the conviction rate in Cyber crime offences is among the lowest in the nation, much lower than the rate in IPC and other offences. The government should be aware that it is not the severity of punishment that is a deterrent for the criminals, but it is the certainty of punishment. It is not the number of legislations in a society that should prevent crimes but it is the certainty of punishment that the legislation will bring. Let us now discuss some of the other relevant legislations in the nation that deal with cyber crimes in various sectors. Prevention of Money Laundering Act: Black money has always been a serious evil in any developing economy. Nation builders, lawmakers and particularly the countrys financial administrators have always taken persistent efforts to curb the evil of black money and all sorts of illegally earned income. A major initiative taken in this direction in India is the Anti Money Laundering Act 2002. A main objective of the Act was to provide for confiscation of property derived from, or involved in, money laundering. Money laundering though not defined in the Act, can be construed to mean directly or indirectly attempting to indulge in any process or activity connected with the proceeds of crime and projecting it as untainted property. The Act stipulates that whoever commits the offence of money laundering shall be punishable with rigorous imprisonment for a term which shall not be less than three years but may

extend to seven years and also be liable to a fine which may extend to five lakh rupees. Money laundering involves a process of getting the money from illegal sources, layering it in any legal source, integrating it as part of any legal system like banking and actually using it. Since the banking as an industry has a major and significant role to play in the act of money laundering, it is now a serious responsibility on the part of banks to ensure that banking channel is not used in the criminal activity. Much more than a responsibility, it is now a compliance issue as well. Obligations of banks include maintenance of records of all transactions of the nature and value specified in the rules, furnish information of the transactions within the prescribed time, whenever warranted and verify and maintain records of the identity of all customers. Hence, as a corollary, adherence to Know Your Customer norms and maintenance of all KYC records assumes a very major significance and becomes a compliance issue. Records of cash transactions and suspicious transactions are to be kept and reported as stipulated. Non compliance on any of these will render the concerned bank official liable for the offence of money laundering and guilty under the Act.

e-Records Maintenance Policy of Banks: Computerisation started in most of the banks in India from end 80s in a small way in the form of standalone systems called Advanced Ledger Posting Machines (Separate PC for every counter/activity) which then led to the era of Total Branch Automation or Computerisation in early or mid 90s. TBA or TBC as it was popularly called, marked the beginning of a networked environment on a Local Area Network under a client-server architecture when records used to be maintained in electronic manner in hard-disks and external media like tapes etc for backup purposes. Ever since passing of the ITA and according of recognition to electronic records, it has become mandatory on the part of banks to maintain proper computerized system for electronic records. Conventionally, all legacy systems in the banks always do have a record maintenance policy often with RBIs and their individual Board approval stipulating the period of preservation for all sorts of records, ledgers, vouchers, register, letters, documents etc.

Thanks to computerisation and introduction of computerized data maintenance and often computergenerated vouchers also, most of the banks became responsive to the computerized environment and quite a few have started the process of formulating their own Electronic Records Maintenance Policy. Indian Banks Association took the initiative in bringing out a book on Banks eRecords Maintenance Policy to serve as a model for use and adoption in banks suiting the individual banks technological setup. Hence banks should ensure that e-records maintenance policy with details of e-records, their nature, their upkeep, the technological requirements, off-site backup, retrieval systems, access control and access privileges initiatives should be in place, if not already done already. On the legal compliance side especially after the Rules were passed in April 2011, on the Reasonable Security Practices and Procedures as part of ITAA 2008 Section 43A, banks should strive well to prove that they have all the security policies in place like compliance with ISO 27001 standards etc and e-records are maintained. Besides, the certificate to be given as an annexure to e-evidences as stipulated in the BBE Act also emphasizes this point of maintenance of erecords in a proper ensuring proper backup, ensuring against tamperability, always ensuring confidentiality, integrity, availability and Non Repudiation. This policy should not be confused with the Information Technology Business Continuity and Disaster Recovery Plan or Policy nor the Data Warehousing initiatives. Focus on all these three policies (BCDRP, DWH and E-records Maintenance Policy) are individually different, serving different purposes, using different technologies and maybe coming under different administrative controls too at the managerial level.

Legislations in other nations: As against the lone legislation ITA and ITAA in India, in many other nations globally, there are many legislations governing e-commerce and cyber crimes going into all the facets of cyber crimes. Data Communication, storage, child pornography, electronic records and data privacy have all been

addressed in separate Acts and Rules giving thrust in the particular area focused in the Act. In the US, they have the Health Insurance Portability and Accountability Act popularly known as HIPAA which inter alia, regulates all health and insurance related records, their upkeep and maintenance and the issues of privacy and confidentiality involved in such records. Companies dealing with US firms ensure HIPAA compliance insofar as the data relating to such corporate are handled by them. The Sarbanes-Oxley Act (SOX) signed into law in 2002 and named after its authors Senator Paul Sarbanes and Representative Paul Oxley, mandated a number of reforms to enhance corporate responsibility, enhance financial disclosures, and combat corporate and accounting fraud. Besides, there are a number of laws in the US both at the federal level and at different states level like the Cable Communications Policy Act, Childrens Internet Protection Act, Childrens Online Privacy Protection Act etc. In the UK, the Data Protection Act and the Privacy and Electronic Communications Regulations etc are all regulatory legislations already existing in the area of information security and cyber crime prevention, besides cyber crime law passed recently in August 2011. Similarly, we have cyber crime legislations and other rules and regulations in other nations. Conclusion: To sum up, though a crime-free society is Utopian and exists only in dreamland, it should be constant endeavour of rules to keep the crimes lowest. Especially in a society that is dependent more and more on technology, crime based on electronic offences are bound to increase and the law makers have to go the extra mile compared to the fraudsters, to keep them at bay. Technology is always a double-edged sword and can be used for both thepurposes good or bad. Steganography, Trojan Horse, Scavenging (and even DoS or DDoS) are all technologies and per se not crimes, but falling into the wrong hands with a criminal intent who are out to capitalize them or misuse them, they come into the gamut of cyber crime and become punishable offences. Hence, it should be the persistent efforts of rulers and law makers to ensure that technology

grows in a healthy manner and is used for legal and ethical business growth and not for committing crimes. It should be the duty of the three stake holders viz i) the rulers, regulators, law makers and investigators ii) Internet or Network Service Providers or banks and other intermediaries and iii) the users to take care of information security playing their respective role within the permitted parameters and ensuring compliance with the law of the land.

Crimes relating to Digital Signature Certificates

1 Misrepresentation

According to section 71 of the IT Act Whoever makes any misrepresentation to, or suppresses any material fact from, the Controller or the Certifying Authority for obtaining any licence or Digital Signature Certificate, as the case may be, shall be punished with imprisonment for a term

which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

This section applies to: 1. a person, who, for obtaining a digital signature certificatea. makes a misrepresentation to the Certifying Authority, b. suppresses any material fact from the Certifying Authority.

2. a person obtaining a license to operate as a Certifying Authoritya. makes a misrepresentation to the Controller, b. suppresses any material fact from the Controller.

Let us examine the essential terms of this section.

Misrepresentation implies presenting information incorrectly, improperly or falsely. There must be a deliberate intention to deceive.

Illustration Sameer is applying for a digital signature certificate. He fills in his name as Siddharth and also submits photocopies of Siddharths passport as proof of identity.

Sameer is liable for misrepresenting information to the Certifying Authority.

Suppress implies to withhold from disclosure.

Illustration Noodle Ltd is applying for a licence to become a Certifying Authority. One of the questions in the application form is In case any of the company directors been Cyber Crime & Digital Evidence Indian Perspective convicted for a criminal offence, then please mention relevant details.

One of the Noodle directors has been convicted in the past. But, Noodle officials submit the filled in form with the answer to this question being left blank.

The officials will be liable for suppressing information from the Controller.

Material fact implies something that is relevant, pertinent or essential.

The punishment provided is imprisonment up to 2 years and / or fine up to Rs 1 lakh.

Misrepresentation to CA or Controller (Summary)

Actions covered Misrepresentation to CA or Controller for certificate / license.

Penalty Imprisonment up to 2 years and / or fine up to Rs 1 lakh

Relevant authority Judicial Magistrate First Class

Appeal lies to Court of Session

Investigation Authorities 1. Controller of Certifying Authorities (CCA) 2. Person authorised by CCA 3. Police Officer not below the rank of Deputy Superintendent

Points to mention in complaint 1. Complainant details 2. Suspect details 3. How and when the contravention was discovered and by whom 4. Other relevant information

2 False Certificates

According to section 73 of the IT Act (1) No person shall publish a Digital Signature Certificate or otherwise make it available to any other person with the knowledge that (a) the Certifying Authority listed in the certificate has not issued it; or (b) the subscriber listed in the certificate has not accepted it; or (c) the certificate has been revoked or suspended, unless such publication is for the purpose of verifying a digital signature created prior to such suspension or revocation. (2) Any person who contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

Let us examine this section through some illustrations.

Illustration 1 Sameer has created a fake digital signature certificate purporting to have been issued

by Noodle Certifying Authority. Sameer plans to use this certificate to carry out some financial frauds. He posts this certificate on his website. He is liable under this section.

Illustration 2 Pooja has applied to Noodle Certifying Authority for a digital signature certificate. Noodle in due course issues the certificate to Pooja. She however does not accept it as some of the details are incorrect in the certificate.

In the meanwhile Noodle Ltd publishes her certificate in their online repository. In this case Noodle Ltd will be liable under this section.

Illustration Pooja is employed with Noodle Ltd. She has obtained a digital signature certificate for official purposes on 1st January. She quits her job on 1st July and her certificate is revoked on that day.

Noodle Ltd continues to keep Poojas revoked certificate in its online repository

even after 1st July. Noodle Ltd will be liable under this section. They will not be liable if the purpose behind keeping Poojas certificate in their repository is to verify documents signed by Pooja between 1st January and 1st July.

The punishment provided for this section is imprisonment up to 2 years and / or fine up to Rs 1 lakh.

Publishing False Certificates (Summary)

Actions covered Publishing a digital signature certificate false in certain respects.

Penalty Imprisonment up to 2 years and / or fine up to Rs 1 lakh

Relevant authority Judicial Magistrate First Class

Appeal lies to Court of Session

Investigation Authorities 1. Controller of Certifying Authorities (CCA)

2. Person authorised by CCA 3. Police Officer not below the rank of Deputy Superintendent

Points to mention in complaint 1. Complainant details 2. Suspect details 3. How and when the contravention was discovered and by whom 4. Other relevant information

6.3 Fraudulent Use

According to section 74 of the IT Act Whoever knowingly creates, publishes or otherwise makes available a Digital Signature Certificate for any fraudulent or unlawful purpose shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

Creating a digital signature certificate is technologically not a very difficult task. All that is needed is a computer running the Windows 2003 Server operating system and having Certificate Services installed. This makes it easy for criminals to create and publish digital signature certificates for fraudulent and unlawful purposes. Let us examine some of the terms

used in this section.

Creates means to bring into existence.

Illustration Sameer has a computer running the Windows 2003 Server operating system and having Certificate Services installed. He uses this computer to generate a digital signature certificate for himself and Pooja. He has created the said certificates.

Publishes means to make known to others.

Illustration Sameer uploads Poojas digital signature certificate onto a publicly accessible part of his website. He has published her certificate.

The concept of make available can be explained using a simple illustration. Illustration Sameer has a computer running the Windows 2003 Server operating system and having Certificate Services installed. He uses this computer to generate a digital signature certificate in Poojas name. He

then gives this certificate to Siddharth who plans to misuse it to spoof Poojas emails.

Here Sameer has made the certificate available to Siddharth for an unlawful purpose. Cyber Crime & Digital Evidence Indian Perspective - 70 - 2008 Rohas Nagpal. All rights reserved.

The punishment provided for violating this section is imprisonment up to 2 years and / or fine up to Rs 1 lakh.

Creating certificate for unlawful use (Summary)

Actions covered Creating or publishing a certificate for fraudulent or unlawful purpose.

Penalty Imprisonment up to 2 years and / or fine up to Rs 1 lakh

Relevant authority Judicial Magistrate First Class

Appeal lies to Court of Session

Investigation Authorities

1. Controller of Certifying Authorities (CCA) 2. Person authorised by CCA 3. Police Officer not below the rank of Deputy Superintendent

Points to mention in complaint 1. Complainant details 2. Suspect details 3. How and when the contravention was discovered and by whom

Management of Intellectual Property Rights in India 1.0 Introduction With the advent of the new knowledge economy, the old and some of the existing management constructs and approaches would have to change. The knowledge economy places a tag of urgency on understanding and managing knowledge based assets such as innovations and know-how. The time for grasping knowledge has become an important parameter for determining the success of an institution, enterprise, government and industry; the shorter the time better are the chances of success. Intellectual property rights (IPR) have become important in the face of changing trade environment which is characterized by the following features namely global competition, high innovation risks, short product cycle, need for rapid changes in technology, high investments in research and development (R&D), production and marketing and need for highly skilled human resources. Geographical barriers to trade among nations are collapsing due to globalisation, a system of multilateral trade and a new emerging economic

order. It is therefore quite obvious that the complexities of global trade would be on the increase as more and more variables are introduced leading to uncertainties. Many products and technologies are simultaneously marketed and utilized in many countries. With the opening up of trade in goods and services intellectual property rights (IPR) have become more susceptible to infringement leading to inadequate return to the creators of knowledge. Developers of such products and technologies would like to ensure R&D costs and other costs associated with introduction of new products in the market are recovered and enough profits are generated for investing in R&D to keep up the R&D efforts. One expects that a large number of IP rights would be generated and protected all over the world including India in all areas of science and technology, software and business methods. More than any other technological area, drugs and pharmaceuticals match the above description most closely. Knowing that the cost of introducing a new drug into the market may cost a company anywhere between $ 300 million to $600 million along with all the associated risks at the developmental stage, no company will like to risk its intellectual property becoming a public property with out adequate returns. Creating, obtaining, protecting and managing intellectual property must become a corporate activity in the same manner as the raising of resources and funds. The knowledge revolution will demand a special pedestal for intellectual property and treatment in the overall decision- making process. It is also important to realize that each product is amalgamation of many different areas of science and technologies. In the face of the competition being experienced by the global community, many industries are joining hands

for sharing their expertise in order to respond to market demands quickly and keeping the prices competitive. In order to maintain a continuous stream of new ideas and experimentations, public private partnership in R&D would need to be nurtured to arrive at a win-win situation. Therefore all publicly funded institutions and agencies will have to come to terms with the new ground realities and take positive steps to direct research suitably to generate more intellectual property rights, protect and manage them efficiently. 2 2.0 Intellectual Property Rights (IPR) Intellectual property rights as a collective term includes the following independent IP rights which can be collectively used for protecting different aspects of an inventive work for multiple protection:Patents Copyrights Trademarks Registered ( industrial) design Protection of IC layout design, Geographical indications, and Protection of undisclosed information 3.0 Nature of Intellectual Property Rights IPR are largely territorial rights except copyright, which is global in nature in the sense that it is immediately available in all the members of the Berne Convention. These rights are awarded by the State and are monopoly rights implying that no one can use these rights without the consent of the right holder. It is important to know that these rights have to be renewed from time to time for keeping them in force except in case of copyright and trade secrets. IPR have fixed term except trademark and geographical indications, which can have indefinite life provided these are renewed after a stipulated time specified in the law by paying official fees.

Trade secrets also have an infinite life but they dont have to be renewed. IPR can be assigned, gifted, sold and licensed like any other property. Unlike other moveable and immoveable properties, these rights can be simultaneously held in many countries at the same time. IPR can be held only by legal entities i.e., who have the right to sell and purchase property. In other words an institution, which is not autonomous may not in a position to own an intellectual property. These rights especially, patents, copyrights, industrial designs, IC layout design and trade secrets are associated with something new or original and therefore, what is known in public domain cannot be protected through the rights mentioned above. Improvements and modifications made over known things can be protected. It would however, be possible to utilize geographical indications for protecting some agriculture and traditional products. 4.0 Patents A patent is an exclusive right granted by a country to the owner of an invention to make, use, manufacture and market the invention, provided the invention satisfies certain conditions stipulated in the law. Exclusive right implies that no one else can make, use, manufacture or market the invention without the consent of the patent holder. This right is available for a limited period of time. In spite of the ownership of the rights, the use or exploitation of the rights by the owner of the patent may not be possible due to other laws of the country which has awarded the patent. These laws may relate to health, safety, food, security etc. Further, existing patents in similar area may also come in the way. A patent in the law is a property right and hence, can be gifted, inherited, assigned, sold or licensed. As the right is conferred by the State,

it can be revoked by the State under very special circumstances even if the patent has been sold or licensed or manufactured or marketed in the meantime. The patent right is territorial in nature and inventors/their assignees will have to file separate patent applications in countries of their 3 interest, along with necessary fees, for obtaining patents in those countries. A new chemical process or a drug molecule or an electronic circuit or a new surgical instrument or a vaccine is a patentable subject matter provided all the stipulations of the law are satisfied. 4.1 The Indian Patent Act1 The first Indian patent laws were first promulgated in 1856. These were modified from time to time. New patent laws were made after the independence in the form of the Indian Patent Act 1970. The Act has now been radically amended to become fully compliant with the provisions of TRIPS. The most recent amendment were made in 2005 which were preceded by the amendments in 2000 and 2003. While the process of bringing out amendments was going on, India became a member of the Paris Convention, Patent Cooperation Treaty and Budapest Treaty. The salient and important features of the amended Act are explained here. 4.2 Definition of invention A clear definition has now been provided for an invention, which makes it at par with definitions followed by most countries. Invention means a new product or process involving an inventive step and capable of industrial application. New invention means any invention or technology which has not been anticipated by publication in any document or used in the country or elsewhere in the world before the date of filing of patent application with complete specification i.e., the subject matter has not fallen in public domain or it does not form part of the state of the

art. Inventive step means a feature of an invention that involves technical advance as compared to existing knowledge or having economic significance or both and that makes the invention not obvious to a person skilled in the art. " capable of industrial application means that the invention is capable of being made or used in an industry" 4.2.1 Novelty An invention will be considered novel if it does not form a part of the global state of the art. Information appearing in magazines, technical journals, books, newspapers etc. constitute the state of the art. Oral description of the invention in a seminar/conference can also spoil novelty. Novelty is assessed in a global context. An invention will cease to be novel if it has been disclosed in the public through any type of publications anywhere in the world before filing a patent application in respect of the invention. Therefore it is advisable to file a patent application before publishing a paper if there is a slight chance that the invention may be patentable. Prior use of the invention in the country of interest before the filing date can also destroy the novelty. Novelty is determined through extensive literature and patent searches. It should be realized that patent search is essential and critical for ascertaining novelty as most of the information reported in patent documents does not get published anywhere else. For an invention to be novel, it need not be a major breakthrough. No invention is small or big. Modifications to the existing state of the art, process or product or both, can also be candidates for patents provided these were not 4 earlier known. In a chemical process, for example, use of new reactants, use of a catalyst, new process conditions can lead to a patentable invention.

4.2.2 Inventiveness (Non-obviousness) A patent application involves an inventive step if the proposed invention is not obvious to a person skilled in the art i.e., skilled in the subject matter of the patent application. The prior art should not point towards the invention implying that the practitioner of the subject matter could not have thought about the invention prior to filing of the patent application. Inventiveness cannot be decided on the material contained in unpublished patents. The complexity or the simplicity of an inventive step does not have any bearing on the grant of a patent. In other words a very simple invention can qualify for a patent. If there is an inventive step between the proposed patent and the prior art at that point of time, then an invention has taken place. A mere 'scintilla' of invention is sufficient to found a valid patent. It may be often difficult to establish the inventiveness, especially in the area of up coming knowledge areas. The reason is that it would depend a great deal on the interpretative skills of the inventor and these skills will really be a function of knowledge in the subject area. 4.2.3 Usefulness An invention must possess utility for the grant of patent. No valid patent can be granted for an invention devoid of utility. The patent specification should spell out various uses and manner of practicing them, even if considered obvious. If you are claiming a process, you need not describe the use of the compound produced thereby. Nevertheless it would be safer to do so. But if you claim a compound without spelling out its utility, you may be denied a patent. 4.3 Non patentable inventions An invention may satisfy the conditions of novelty, inventiveness and usefulness but it may not qualify for a patent under the following situations:

(i) An invention which is frivolous or which claims anything obviously contrary to well established natural laws e.g. different types of perpetual motion machines. (ii) An invention whose intended use or exploitation would be contrary to public order or morality or which causes serious prejudice to human, animal or plant life or health or to the environment e.g., a process for making brown sugar will not be patented. (iii) The mere discovery of a scientific principal or formulation of an abstract theory e.g., Raman effect and Theory of Relativity cannot be patented. (iv) The mere discovery of a new form of a known substance which does not result in enhancement of the known efficacy of that substance or the mere discovery of any new property or new use of a known substance or the mere use of a known process, machine or apparatus unless such a known process results in a new product or employs at least one new reactant. For the purposes of this clause, salts, esters, polymorphs, metabolites, pure form, particle size, isomers, mixtures of isomers, complexes, combinations and other derivatives of known substance shall be considered to be the same substance unless they differ significantly in properties with regard to efficacy. (v) A substance obtained by a mere admixture resulting only aggregation of the properties of the components thereof or a process for producing such substance. 5 (vi) The mere arrangement or rearrangement or duplication of features of known devices each functioning independently of one another in a known way. If you put torch bulbs around an umbrella and operate them by a battery so that people could see you walking in rain when it is dark, then this arrangement is patentable as bulbs and the umbrella perform their functions independently.

(vii) A method of agriculture or horticulture. For example, the method of terrace farming cannot be patented. (viii) Any process for medical, surgical, curative, prophylactic, diagnostic, therapeutic or other treatment of human beings, or any process for a similar treatment of animals to render them free of disease or to increase economic value or that of their products. For example, a new surgical technique for hand surgery for removing contractions is not patentable. (viii) Inventions relating to atomic energy; (ix) Discovery of any living thing or non-living substance occurring in nature; (x) Mathematical or business methods or a computer program per se or algorithms; (xi) Plants and animals in whole or any part thereof other than microorganisms but including seeds, varieties and species and essentially biological processes for production and propagation of plants and animals; (xii) A presentation of information; (xiii) Topography of integrated circuits; (xiv) A mere scheme or rule or method of performing mental act or method of playing games; (xv) An invention which, in effect, is traditional knowledge or which is aggregation or duplication of known component or components. Computer program per se as such has not been defined in the Act but would generally tend to mean that a computer program with out any utility would not be patentable. Protection of seeds and new plant varieties is covered under a different Act, which provides a protection for a period of 10 years. Similarly, topography of integrated circuits is protected through yet a different Act. 4.4 Term of the patent Term of the patent will be 20 years from the date of filing for all types of inventions.

4.5 Application In respect of patent applications filed, following aspects will have to be kept in mind: Claim or claims can now relate to single invention or group of inventions linked so as to form a single inventive concept Patent application will be published 18 months after the date of filing Applicant has to request for examination 12 months within publication or 48 months from date of application, whichever is later No person resident in India shall, except under the authority of a written permit sought in the manner prescribed and granted by or on behalf of the Controller, make or cause to be made any application outside India for the grant of a patent for an invention unless (a) an application for a patent for the same invention has been made in India, not less than six weeks before the 6 application outside India; and (b) either no direction has been given under the secrecy clause of the Act or all such directions have been revoked. 4.6 Provisional Specification A provisional specification is usually filed to establish priority of the invention in case the disclosed invention is only at a conceptual stage and a delay is expected in submitting full and specific description of the invention. Although, a patent application accompanied with provisional specification does not confer any legal patent rights to the applicants, it is, however, a very important document to establish the earliest ownership of an invention. The provisional specification is a permanent and independent scientific cum legal document and no amendment is allowed in this. No patent is granted on the basis of a provisional specification. It has to be a followed by a complete specification for obtaining a patent for the said invention. Complete

specification must be submitted within 12 months of filing the provisional specification. This period can be extended by 3 months. It is not necessary to file an application with provisional specification before the complete specification. An application with complete specification can be filed right at the first instance. 4.7 Complete Specification It may be noted that a patent document is a techno-legal document and it has to be finalized in consultation with an attorney. Submission of complete specification is necessary to obtain a patent. Contents of a complete specification would include the following 1. Title of the invention. 2. Field to which the invention belongs . 3. Background of the invention including prior art giving drawbacks of the known inventions & practices. 4. Complete description of the invention along with experimental results. 5. Drawings etc. essential for understanding the invention. 6. Claims, which are statements, related to the invention on which legal proprietorship is being sought. Therefore the claims have to be drafted very carefully. 4.8 Compulsory license Any time after three years from date of sealing of a patent, application for compulsory license can be made provided 1. reasonable requirements of public have not been met 2. patented invention is not available to public at a reasonably affordable price 3. patented invention is not worked in India 7 among other things, reasonable requirements of public are not satisfied if working of patented invention in India on a commercial scale is being prevented or hindered by importation of patented invention. Applicant's capability including risk taking, ability of the applicant to work the invention

in public interest, nature of invention, time elapsed since sealing, measures taken by patentee to work the patent in India will be taken into account. In case of national emergency or other circumstances of extreme urgency or public non commercial use or an establishment of a ground of anti competitive practices adopted by the patentee, the above conditions will not apply. A patentee must disclose the invention in a patent document for anyone to practice it after the expiry of the patent or practice it with the consent of the patent holder during the life of the patent. 4.9 Patenting of microbiological inventions The Indian Patent Act has now a specific provision in regard to patenting of microorganisms and microbiological processes. It is now possible to get a patent for a microbiological process and also products emanating from such processes. As it is difficult to describe a microorganism on paper, a system of depositing strain of microorganisms in some recognized depositories was evolved way back in 1949 in USA. An international treaty called "Budapest Treaty" was signed in Budapest in 1973 and later on amended in 1980. India became a member of this Treaty, with effect from December 17, 2001. This is an international convention governing the recognition of deposits in officially approved culture collections for the purpose of patent applications in any country that is a party to this treaty. Because of the difficulties and virtual impossibility of reproducing a microorganism from a description of it in a patent specification, it is essential to deposit a strain in a culture collection centre for testing and examination by others. An inventor is required to deposit the strain of a microorganism in a recognized depository, which assigns a registration number to the deposited microorganism. This

registration number needs to be quoted in the patent application dealing with the microorganism. Obviously a strain of microorganism is required to be deposited before filing a patent application. It may be observed that this mechanism obviates the need of describing a microorganism in the patent application. Further, samples of strains can be obtained from the depository for further working on the patent. There are many international depositories in different countries such as ATCC, DSM etc. which are recognized under the Budapest Treaty. The Institute of Microbial Technology(IMTEC), Chandigarh is the first Indian depository set up under the Budapest Treaty. 4.10 Mail box provision TRIPS requires that countries, not providing product patents in respect of pharmaceuticals and chemical inventions have to put in a mechanism for accepting product patent applications with effect from 1 January 1995. Such applications will only be examined for grant of patents, after suitable amendments in the national patent law have been made. This mechanism of accepting product patent applications is called the "mail box" mechanism. This system has been in force in India and now such applications are being taken up for examination. 4.11 Exclusive Marketing Right TRIPS requires that member countries of the WTO not having provision in their laws for granting product patents in respect of drugs and agrochemical, must introduce Exclusive Marketing Rights (EMR) for such products, if the following criteria are satisfied: 8 1. A patent application covering the new drug or agrochemical should have been filed in any of the WTO member countries after 1 January 1995; 2. A patent on the product should have been obtained in any of the member countries (which provides for product patents in drugs and agrochemical) after 1 January 1995;

3. Marketing approvals for the product should have been obtained in any of the member countries; 4. A patent application covering the product should have been filed after 1 January 1995 in the country where the EMR is sought; 5. The applicant should apply seeking an EMR by making use of the prescribed form and paying requisite fee. EMR is only a right for exclusive marketing of the product and is quite different from a patent right. It is valid up to a maximum period 5 years or until the time the product patent laws come into effect. The necessary amendment to: the Patents Act, 1970 came into force on 26 March 1999. The provision is applicable with retrospective effect from 1 January 1995. As per the 2005 amendments in the Patents Act, the provision of EMR is no longer required. However, These rights were awarded in India from time to time and there have been some litigations as well where the courts came up with quick decisions. 4.12 Timing for filing a patent application Filing of an application for a patent should be completed at the earliest possible date and should not be delayed. An application filed with provisional specification, disclosing the essence of the nature of the invention helps to register the priority by the applicant. Delay in filing an application may entail some risks like (i) other inventors might forestall the first inventor by applying for a patent for the said invention, and (ii) there may be either an inadvertent publication of the invention by the inventor himself/herself or by others independently of him/her. Publication of an invention in any form by the inventor before filing of a patent application would disqualify the invention to be patentable. Hence, inventors should not disclose their inventions before filing the patent application. The invention should be considered for publication after a patent application has been filed. Thus, it can be seen that there is no

contradiction between publishing an inventive work and filing of patent application in respect of the invention. 5.0 Protecting new plant variety2 New plant varieties can now be protected in India under the New Plant Variety and Farmers Rights Protection Act in 2001. New plant varieties cannot be protected through patents. However, the Act has not become operational as subsidiary legislation is yet to be put in place. India has enacted the which, in addition to meeting the technical features of UPOV, provides rights to farmers to use the seeds from their own crops for planting the next crop. Further, there are provisions for benefit sharing with farmers, penalty for marketing spurious propagation material and protecting extant varieties. There is a provision for protecting extant variety and farmers varieties as well. The total period for protection is 10 years from the date of registration. 9 There are 5 main criteria to arrive at a decision whether a plant variety is really new or not. These are distinctiveness, uniformity, stability, novelty and denomination. The variety shall be deemed to be distinct if it is clearly distinct from any other variety whose existence is a matter of common knowledge at the time of filing of the application. The variety shall be deemed to be uniform if, subject to the variation that may be accepted from the particular features of its propagation, it is sufficiently uniform in its relevant characteristics. The variety shall be deemed to be stable if its relevant characteristics remain unchanged after repeated propagation or, in the case of a particular cycle of propagation at the end of each such cycle. The variety shall be deemed to be new if, at the date of filing of the application for breeders right, propagating or

harvesting material of the variety has not been sold or otherwise disposed of to others, by or with the consent of the breeder for the purpose of exploitation of the variety. The variety shall be designated by a denomination, which will be its generic designation. The premise that the variety denomination must be its generic designation class for a requirement that 'denomination must enable the variety to be identified. 6.0 Copyrights3 Copyright is a right, which is available for creating an original literary or dramatic or musical or artistic work. Cinematographic films including sound track and video films and recordings on discs, tapes, perforated roll or other devices are covered by copyrights. Computer programs and software are covered under literary works and are protected in India under copyrights. The Copyright Act, 1957 as amended in 1983, 1984, 1992, 1994 and 1999 governs the copyright protection in India. The total term of protection for literary work is the authors life plus sixty years. For cinematographic films, records, photographs, posthumous publications, anonymous publication, works of government and international agencies the term is 60 years from the beginning of the calendar year following the year in which the work was published. For broadcasting, the term is 25 years from the beginning of the calendar year following the year in which the broadcast was made. Copyright gives protection for the expression of an idea and not for the idea itself. For example, many authors write textbooks on physics covering various aspects like mechanics, heat, optics etc. Even though these topics are covered in several books by different authors, each author will have a copyright on the book written by him / her, provided the book is not a copy of

some other book published earlier. India is a member of the Berne Convention, an international treaty on copyright. Under this Convention, registration of copyright is not an essential requirement for protecting the right. It would, therefore, mean that the copyright on a work created in India would be automatically and simultaneously protected through copyright in all the member countries of the Berne Convention. The moment an original work is created, the creator starts enjoying the copyright. However, an undisputable record of the date on which a work was created must be kept. When a work is published with the authority of the copyright owner, a notice of copyright may be placed on publicly distributed copies. The use of copyright notice is optional for the protection of literary and artistic works. It is, however, a good idea to incorporate a copyright notice. As violation of copyright is a cognizable offence, the matter can be reported to a police station. It is advised that registration of copyright in India would help in establishing the ownership of the work. The registration can be done at the Office of the Registrar of Copyrights in New Delhi. It is also to be noted that the work is open for public inspection once the copyright is registered. 10 Computer program in the Copyright Act has been defined as a set of instructions expressed in words, codes, schemes or any other form, including a machinereadable medium, capable of causing a computer to perform a particular task or achieve a particular result. It is obvious that algorithms, source codes and object codes are covered in this definition. It is advisable to file a small extract of the computer program at the time of registration rather than the full program. It is important to know that the part of the program that is not being filed,

would remain a trade secret of the owner but would have to be kept well guarded by the owner. It may be noted that computer programs will become important in the area of medicines when one talks about codification of DNA and gene sequencing. Generally, all copyrightable expressions embodied in a computer program, including screen displays, are protectable. However, unlike a computer program, which is a literary work, screen display is considered an artistic work and therefore cannot be registered through the same application as that covering the computer program. A separate application giving graphical representation of all copyrightable elements of the screen display is essential. In the digital era, copyright is assuming a new importance as many works transacted through networks such as databases, multi media work, music, information etc. are presently the subject matter of copyright. 6.1 Coverage provided by copyright (i) Literary, dramatic and musical work. Computer programs/software are covered within the definition of literary work. (ii) Artistic work (iii) Cinematographic films, which include sound track and video films. (iv) Recording on any disc, tape, perforated roll or other device. 6.2 Infringement of copyright Copyright gives the creator of the work the right to reproduce the work, make copies, translate, adapt, sell or give on hire and communicate the work to public. Any of these activities done without the consent of the author or his assignee is considered infringement of the copyright. There is a provision of fair use in the law, which allows copyrighted work to be used for teaching and research and development. In other words making one photocopy of a book for teaching students may not be considered an infringement, but making many photocopies for

commercial purposes would be considered an infringement. There is one associated right with copyright, which is known as the moral right, which cannot be transferred and is not limited by the term. This right is enjoyed by the creator for avoiding obscene representation of his /her works. Following acts are considered infringement of copyrights:(a) In the case of literary, dramatic or musical work, not being a computer program----(i) to reproduce the work in any material form including the storing of it in any medium by electronic means; 11 (ii) to issue copies of the work to the public not being copies already in circulation; (iii) to perform the work in public, or communicate it to the public; (iv) to make any cinematography film or sound recording in respect of the work; (v) to make any translation of the work; to make any adaptation of the work; (vi) to do, in relation to a translation or an adaptation of the work, any of the acts specified in relation to the work in Sub-clauses (i) to (vi); (b) in the case of computer program (i) to do any acts specified in clauses (a); (ii) to sell or give on hire, or offer for sale or hire any copy of t he computer program, regardless of whether such copy has been sold or given on hire on earlier occasions; (c ) in the case of an artistic work (i) to reproduce the work in any material form including depiction in three dimensions of a two dimensional work or in two dimensions of a three dimensional work; (ii) to communicate the work to the public; (iii) to issue copies of the work to the public not being copies already in circulation; (iv) to include the work in any cinematography film . (v) to make any adaptation of the work; (vi) to do, in relation to a translation or an adaptation of the work, any of the acts specified in relation to the work in sub-clauses (i) to (vi); (d) in the case of a cinematography film (i) to make a copy of the film including a photograph of. any image forming part thereof;

(ii) to sell or give on hire or offer for sale or hire, any copy of the film, regardless of whether such copy has been sold or given on hire on earlier occasions; (iii) to communicate the film to the public; (e) in the case of sound recording (i) to make any other sound recording embodying it; (ii) to sell or give on hire or offer for sale or hire, any copy of the ,sound recording, regardless of whether such copy has been sold or given on hire on earlier occasions; (iii) to communicate the sound recording to the public; 12 Explanation :- For the purpose of this section, a copy which has been sold once shall be deemed to be a copy already in circulation. 6.3 Computer program A Computer includes any electronic or similar device having information processing capabilities. Computer program means a set of instructions expressed in words, codes, schemes or any other form, including a machine-readable medium, capable of causing a computer to perform a particular task or achieve a particular result. It is now possible to have copyrights both on object code and source code. Generally, all copyrightable expressions embodied in a computer program, including screen displays, are protectable. However, unlike a computer program, which is a literary work, screen displays are artistic work and cannot therefore be registered in the same application as that covering the computer program. A separate application giving graphic representation of all copyrightable elements of the screen display is necessary. In the case of a program made in the course of author's employment under a contract of service or apprenticeship, the employer shall, in the absence of any agreement to the contrary, be the first owner of the copyright. However, works created by third parties on commission do not

automatically vest the copyright in the commissioning party. If the third party is an independent contractor, it is essential for the commissioning party to obtain the copyright through a written deed of assignment. It is a common misconception that the copyright automatically belongs to the commissioning party. Thus, it is only where the developer is an employee creating the work under a contract of service that the rights belong to the employer. 6.4 Transfer of copyright The owner of the copyright in an existing work or prospective owner of the copyright in a future work may assign to any person the copyright, either wholly or partially in the following manner. i. for the entire world or for a specific country or territory; or ii. for the full term of copyright or part thereof ; or iii. relating to all the rights comprising the copyright or only part of such rights. 6.3.1 Special provisions for computer programs 13 Following tasks will not be considered infringement as they are legally allowed under the Indian laws:the doing of any act necessary to obtain information essential for operating inter-operability of an independently created computer program with other programs by a lawful possessor of a computer program provided that such information is not otherwise readily available; (i) the observation, study or test of functioning of the computer program in order to determine the ideas and principles which underline any elements of the program while performing such acts necessary for the functions for which the computer program was supplied; (ii) the making of copies or adaptation of the computer program from a personally legally obtained copy for non-commercial personal use. One of the important requirements of copyright is that the work / expression should be

fixed in a tangible medium for copyright protection. Protection attaches automatically to an eligible work of authorship, the moment the work is sufficiently fixed. A work is fixed when it is sufficiently permanent or stable to permit it to be perceived, reproduced, or otherwise communicated for a period of more than a transitory duration. A work may be fixed in words, numbers, notes, sounds, pictures, or any other graphic or symbolic indicia; may be embodied in a physical object in written, printed, photographic, sculptural, punched, magnetic, or any other stable form; and may be capable of perception either directly or by means of any machine or device now known or later developed. Basically, the fixation of a work should allow perceiving, reproducing, or communicating the work either directly or thorough some machine. For instance, floppy disks, compact discs (CDs), CD-ROMs, optical disks, compact discsinteractive (CD-Is), digital tape, and other digital storage devices are all stable forms in which works may be fixed and from which works may be perceived, reproduced or communicated by means of a machine or device. A simultaneous fixation (or any other fixation) meets the requirements if its embodiment in a copy or phonogram record is "sufficiently permanent or stable to permit it to be perceived, reproduced, or otherwise communicated for a period of more than transitory duration. "Works are not sufficiently fixed if they are "purely evanescent or transient" in nature, "such as those projected briefly on a screen, shown electronically on a television or cathode ray tube, or captured momentarily in the 'memory' of a computer." Electronic network transmissions from one computer to another, such as e-mail, may only reside on each computer in RAM (random access memory), but that has been found to be sufficient fixation. 7.0 Industrial Design4

We see so many varieties and brands of the same product (e.g. car, television, personal computer, a piece of furniture etc.) in the market, which look quite different from each other. If the products have similar functional features or have comparable price tags, the eye appeal or visual design of a product determines the choice. Even if the similarities are not close, a person may decide to go for a more expensive item because that item has a better look or colour scheme. 14 What is being said is that the external design or colour scheme or ornamentation of a product plays a key role in determining the market acceptability of the product over other similar products. If you have a good design that gives you an advantage, then you must have a system to protect its features otherwise there would be wide scale imitation. Design as per the Indian Act means the features of shape, configuration, pattern, ornament or composition of lines or colours applied to any article - whether in two dimensional or three dimensional or in both forms - by any industrial process or means, whether manual, mechanical or chemical, separate or combined, which in the finished article appeal to and are judged solely by the eye; but it does not include any mode or principle of construction or anything which is in substance a mere mechanical device. In this context an article means any article of manufacture and any substance, artificial, or partly artificial and partly natural; and includes any part of an article capable of being made and sold separately. Stamps, labels, tokens, cards, etc cannot be considered an article for the purpose of registration of design because once the alleged design i.e., ornamentation is removed only a piece of paper, metal or like material remains and the article referred to ceases to exist. An article must have its existence independent

of the designs applied to it. So, the design as applied to an article should be integral with the article itself. 7.1 The essential requirements for the registration of design 1. The design should be new or original, not previously published or used in any country before the date of application for registration. The novelty may reside in the application of a known shape or pattern to a new subject matter. However, if the design for which the application is made does not involve any real mental activity for conception, then registration may not be considered. 2. The design should relate to features of shape, configuration, pattern or ornamentation applied or applicable to an article. Thus, designs of industrial plans, layouts and installations are not registrable under the Act. 3. The design should be applied or applicable to any article by any industrial process. Normally, designs of artistic nature such as painting, sculptures and the like which are not produced in bulk by any industrial process are excluded from registration under the Act. 4. The features of the designs in the finished article should appeal to and are judged solely by the eye. This implies that the design must appear and should be visible on the finished article, for which it is meant. Thus, any design in the inside arrangement of a box, money purse or almirah may not be considered for showing such articles in the open state, as those articles are generally put in the market in the closed state. 5. Any mode or principle of construction or operation or any thing, which is in substance a mere mechanical device, would not be a registrable design. For instance, a key having its novelty only in the shape of its corrugation or bend at the portion intended to engage with levers inside the lock it is associated with, cannot be registered as a design under the Act.

However, when any design suggests any mode or principle of construction or mechanical or other action of a mechanism, a suitable disclaimer in respect thereof is required to be inserted on its representation, provided there are other registrable features in the design. 6. The design should not include any trademark or property mark or artistic works. 15 7. It should be significantly distinguishable from known designs or combination of known designs. 8. It should not comprise or contain scandalous or obscene matter. 7.2 Duration of the registration of a design The total term of a registered design is 15 years. Initially the right is granted for a period of 10 years, which can be extended, by another 5 years by making an application and by paying a fee of Rs. 2000/- to the Controller before the expiry of initial 10 years period. The proprietor of design may make the application for such extension even as soon as the design is registered. 7.3 Strategy for protection First to file rule is applicable for registrability of design. If two or more applications relating to an identical or a similar design are filed on different dates, the first application will be considered for registration of design. Therefore the application should be filed as soon as you are ready with the design. After publication in the official gazette on payment of the prescribed fee of Rs. 500/- all registered designs are open for public inspection. Therefore, it is advisable to inspect the register of designs to determine whether the design is new or not. There is yet another important provision for ensuring that the design is different from anything published any where in the world. This is quite a strict condition. There would be many designs, which are not

protected, and these would not be part of any database maintained by design offices. An applicant has to take the responsibility of ensuring that he has done an extensive search and satisfied himself of the novelty of his design. However, in practice as the cost involved in filing and obtaining a design registration is not high, a design application is made if the stakes involved are not high and you have not copied any design. The application for registration of design can be filed by the applicant himself or through a professional person (i.e. patent agent, legal practitioner etc.). An agent residing in India has to be employed by the applicants not resident of India. 8.0 Trademarks5 A trademark is a distinctive sign, which identifies certain goods or services as those produced or provided by a specific person or enterprise. Trademarks may be one or combination of words, letters, and numerals. They may also consist of drawings, symbols, three dimensional signs such as shape and packaging of goods, or colours used as distinguishing feature. Collective marks are owned by an association whose members use them to identify themselves with a level of quality. Certification marks are given for compliance with defined standards. (Example ISO 9000.). A trademark provides to the owner of the mark by ensuring the exclusive right to use it to identify goods or services, or to authorize others to use it in return for some consideration (payment). Well-known trademark in relation to any goods or services, means a mark which has become so to the substantial segment of the public which uses such goods or receives such services that the use of such mark in relation to other goods or services would be likely to be 16

taken as indicating a connection in the course of trade or rendering of services between those goods or services and a person using the mark in relation to the firstmentioned goods or services. Enactment of the Indian Trademarks Act 1999 is a big step forward from the Trade and Merchandise Marks Act 1958 and the Trademark Act 1940. The newly enacted Act has some features not present in the 1958 Act and these are:1. Registration of service marks, collective marks and certification trademarks. 2. Increasing the period of registration and renewal from 7 years to 10 years. 3. Allowing filing of single application for registration in more than one class. 4. Enhanced punishment for offences related to trademarks. 5. Exhaustive definitions for terms frequently used. 6. Simplified procedure for registration of registered users and enlarged scope of permitted use. 7. Constitution of an Appellate Board for speedy disposal of appeals and rectification applications which at present lie before High Court. 8.1 Well-known trademarks and associated trademarks A well-known trademark in relation to any goods or services, means a mark which has become known to the substantial segment of the public that uses such goods or receives such services. Associated Trademarks are, in commercial terms, marks that resemble each other and are owned by the same owner, but are applied to the same type of goods or services. For example, a company dealing in readymade garments may use associated marks for shirts, trousers etc. means trademarks deemed to be, or required to be, registered as associated trademarks under this Act. 8.2 Service marks The Indian Act of 1958 did not have any reference to service marks. Service means service of any description that is made available to potential users and includes the provision of

services in connection with the business of industrial or commercial matters such as banking, communication, education, financing, insurance, chit funds, real estate, transport, storage, material treatment, processing, supply of electrical or other energy, boarding, lodging, entertainment, amusement, construction, repair, conveying of news or information and advertising. Marks used to represent such services are known as service marks. 8.3 Certification Trademarks and Collective Marks A certification trade mark means a guarantee mark which indicates that the goods to which it is applied are of a certain quality or are manufactured in a particular way or come from a certain region or use some specific material or maintain a certain level of accuracy. The goods must originate from a certain region rather from a particular trader. Certification marks are also applicable to services and the same parameters will have to be satisfied. Further these marks are registrable just like any other trademark. Agmark used in India for various food items is a kind of 17 certification mark although it is not registered as a certification mark; the concept of certification mark was not in vogue at the time of introduction of Agmark. A collective mark means a trademark distinguishing from those of others, the goods or services of members of an association of persons (not being a partnership within the meaning of the Indian Partnership Act, 1932), which is the proprietor of the mark. 8.4 Term of a registered trademark The initial registration of a trademark shall be for a period of ten years but may be renewed from time to time for an unlimited period by payment of the renewal fees. 9.0 Protection of Geographical Indications6 Indications which identify a good as originating in the territory of a member or a region

or a locality in that territory, where a given quality reputation or other characteristics of the good is attributable to its geographical origin. The concept of identifying GI and protecting them is a new concept in India, perhaps in most developing countries, and has come to knowledge in these countries after they signed the TRIPS Agreement. It may be noted that properly protected GI will give protection in domestic and international market. Stipulations of TRIPS would be applicable to all the member countries. According to TRIPS, GI which is not or cease to be protected in its country of origin or which has fallen into disuse in that country cannot be protected. Homonymous GI for wines will get independent protection. Each state shall determine conditions under which homonymous indications will be differentiated from each other. Principles of national treatment and fair competition are applicable. TRIPS provide for seizure of goods bearing false indications of GI. TRIPS provide for refusal or invalidation of registration of a trademark containing a GI with respect to goods not originating in the territory indicated. The Geographical Indication of Goods (Registration and Protection) Act came into being in 2000. (The Act is not implemented at the time of writing the article as the rules have not been notified.) The term GI has been defined as "Geographical Indications", in relation to goods, means an indication which identifies such goods as agricultural goods, natural goods or manufactured goods as originating, or manufactured in the territory of a country, or a region or locality in that territory, where a given quality, reputation or other characteristics of such goods is essentially attributable to its geographical origin and in case where such goods are manufactured goods one of the activities of either the production or of processing or preparation of the goods concerned

takes place in such territory, region or locality, as the case may be. 9.1 Applicants for GI's registration Any association of persons or producers or any organization or authority established by or under any law for the time being in force representing the interest of the producers of the concerned goods, who are desirous of registering geographical indication in relation to such goods shall apply in writing to the Registrar in such' form and in such manner and accompanied by such fees as may be prescribed for the registration of the geographical indication. 18 9.2 Non-registrable geographical indications Geographical indications having following cannot be registered : .the use of which would be likely to deceive or cause confusion or contrary to any law. .which comprises or contains scandalous or obscene matter or any matter likely to hurt religion susceptibility of any class or section of citizens of India. which would other wise be disentitled to protection in a court. .which are determined to be generic names or indications of goods and are, therefore, not or ceased to be protected in their country of origin or which have fallen into disuse in that Country. which, although literally true as to the territory, region or locality in which the goods originate, but falsely represent to the persons that the i goods originate in another territory, region or locality, as the case may be. 9.3 Punishment for falsifying GI A sentence of imprisonment for a term between six months to three years and a fine between fifty thousand rupees and two lakh rupees is provided in the Act. The court may reduce the punishment under special circumstances. 9.4 Term of GI protection The registration of a GI shall be for a period of ten years but may be renewed from time

to time for an unlimited period by payment of the renewal fees. 10.0 Protection of Integrated Circuit Layout Design (IC)7 It provides protection for semiconductor IC layout designs. India has now in place Semiconductor Integrated Circuits Layout Design Act, 2000 to give protection to IC layout design. Layout design includes a layout of transistors and other circuitry elements and includes lead wires connecting such elements and expressed in any manner in a semiconductor IC. Semiconductor IC is a product having transistors and other circuitry elements, which are inseparably formed on a semiconductor material or an insulating material or inside the semiconductor material and designed to perform an electronic circuitry function. The term of the registration is 10 years from the date of filing. An IC layout design cannot be registered if it is 1.Not original 2. Commercially exploited anywhere in India or in a convention country; 3.Inherently not distinctive 4. Inherently not capable of being distinguishable from any other registered layout design. 19 Note: Design not exploited commercially for more than 2 years from date of registration of application shall be treated as commercially exploited for the purpose of this Act. Reproducing, importing, selling, distributing the IC layout design for commercial purposes only constitutes infringement. A person when creates another layout design on the basis of scientific evaluation of a registered layout design shall not be causing any infringement. 11.0 Protection of undisclosed information The protected subject matter is information lawfully within the control of a natural person or legal person that is secret that has commercial value because it is secret and that has been

subject to reasonable steps by the person lawfully in control of the information, to keep it secret. Secret is defined as secret in the sense that it is not , as a body or in the precise configuration and assembly of its components known among or readily accessible to persons within the circles that normally deal with the kind of information in question. Undisclosed information, generally known as trade secret / confidential information, includes formula, pattern, compilation, programme, device, method, technique or process. Protection of undisclosed information is least known to players of IPR and also least talked about, although it is perhaps the most important form of protection for industries, R&D institutions and other agencies dealing with IPRs. Protection of undisclosed information / trade secret is not really new to humanity; at every stage of development people have evolved methods to keep important information secret, commonly by restricting the knowledge to their family members. Laws relating to all forms of IPR are at different stages of implementation in India, but there is no separate and exclusive law for protecting undisclosed information / trade secret or confidential information. The Contract Act of 1872 would however cover many aspects of trade secrets. It is difficult to define the term in its entirety but, for an easy understanding, it may be said that a piece of undisclosed information or a trade secret can be as simple an item as a company's customer list or as complex as a formula for a product or a process. Broadly speaking, the term would encompass information, including a formula, pattern, compilation, program, device, method, technique or process that provides the owner with an advantage over his business competitors who do not know or use it and is of significance or importance to the

business of the company holding the information. Expanding it further, it may include new product plans, product costing, best material to use, sources of materials, financial standing of the business, accounting information, employee records, credit rating of customers, production information, manufacturing methods and processes, business methods, blueprints, test data, research reports, professional pollsters, technical drawings and organisational structure, specifications, process manuals, written instructions for operating the process and analytical means to check and control the product and processes, details of workshop practice, technical training and personal visitation and inspection. On the software side it would include source code, the data file structure, the structure sequence and organisation of computer program. It may also include information relating to a patented invention not included in the patent specification, inventions capable of being patented but not patented, inventions incapable of being patented in a particular country because of the subject matter being excluded in the patent law of that country, inventions incapable of being patented by reason of lack of inventiveness, industrial designs capable of being registered but not registered, industrial designs having functional characteristics and skills, experience and craftsmanship of technicians. The information can be intangible and invisible as well and can take myriad forms, and therefore, any attempt to define it 20 in an exhaustive manner would be practically meaningless. A trade secret is a valuable piece of information with the essential requirement that the information be treated as such, i.e. as a secret. The value of a trade secret resides in the fact that competitors or other interested parties do not have access to it. Therefore, a trade secret must be

kept secret so that no one could, with out the consent of the owner, acquire it. Trade secrecy is basically a do-it-yourself form of protection. You do not register with the government to secure your trade secrets. The only way to acquire it with out the consent of the owner would be through devious or unlawful means. The owner has the exclusive right to use / exploit a trade secret as long as it remains a secret. As a result, theoretically speaking, the term of a trade secret could be indeterminate or infinite. It is said that the trade secret of Coca-Cola still has not entered the public domain despite the fact that the common ingredients of Coca-Cola are known. A chemical composition falling in this category need to be protected through a trade secret rather than patent which is a publicly known document. It is usually said that the term of the trade secret relating to a machine tool is only as long as the company keeps it internal secret. The moment the product is in the market, many people will know how to copy the product and the moment the product is copied the trade secret associated with the copied aspects will no longer remain valid and secret, hence the protection will be lost and the term of the protection will be over. By and large this would be true for design features but trade secret can be maintained about say, composition of materials used and the process conditions adopted for manufacturing. 12.0 Other related legislation India enacted the Biodiversity Act 2002 to ensure maintenance, sustenance and development of its biodiversity. The Act has specific provisions about ownership of intellectual property rights associated with exploitation of biodiversity. Industries have to have the prior informed consent of the National Biodiversity Authority before exploring the biodiversity in

India. In the event of R&D based on exploitation of biodiversity and associated local knowledge, there is a provision for sharing of benefits of such work with the local community. No direct flow of funds is expected to the community. In stead the Union Government will reach the benefits through State Governments to the community. The other Act having its influence over other Acts related to IPR is the Information technology Act, 2000 which looks at the security aspect of material being transacted on internet. 13.0 Management of IPR in publicly funded institutions in India Aims of publicly funded institutions such as universities, colleges, autonomous bodies and public sector undertakings are multifaceted and are not purely driven by economic considerations but they are primarily driven by considerations of social obligations and political objectives and will of a nation. India has stuck to these aims since the independence. On one hand the above approach has helped us in creating a pool of highly educated population and also building an inherent strength in research and development and core competency in basic industries like steel, power, fertilizers etc. However on the other hand, an insulated system breeds complacency, which blunts the spirit of innovation and fire for being ahead of others. Globalization has taught us many new lessons by opening our eyes to the existing and forthcoming ground realities, which cannot be shunned away just because we do not happen to like them. These realities are going to stay. The likely impacts of globalization started becoming a part of our age old thought process and life style when India decided to become a member of the World Trade Organization. Since the beginning of 1990s new approaches started taking roots 21

in respect of such institutions, especially related to their management and source of funding. It has been observed that educational and R&D institutions are being asked to generate their own funds and depend less and less on block grants by central or state governments. In respect of PSU the message has been to generate more and more revenue from the available resources. The Central Government was quick to understand the importance of innovations and new ideas for adjusting to new streams of paradigm shifts. The Government also realized that the journey is not going to be smooth, easy or straight forward in the absence of knowledge about new paradigms among scientists, technologists and policy makers. January 1, 1995 came and brought with it the full impact of WTO along with the Agreement of Trade Related Aspects of Intellectual Property Rights (TRIPS). The Indian system rose to the new challenge and through its many efforts have taken successful steps towards transition to a new culture by updating its existing laws, enacting new legislations, instituting new mechanisms for enabling creation of new intellectual property and its protection and even evolving novel methods and schemes to promote innovations at grass roots levels. Managing creativity within the innovation process is not easy. From providing initial impetus for new ideas and a means of collating and evaluating them through to determining the most appropriate exploitation strategy and selecting delivery partners, innovation is a process and can therefore be managed. 13.1 Indian S&T scenario8 The national expenditure on Research and Development (R&D) in India increased from Rs. 8913.61 crores in 1996-97 to Rs. 12901.54 crores in 1998-99. The projected R&D expenditure would reach a level of about Rs. 15090.22 crores in 1999-2000 and Rs. 17660.21

crores in 2000-2001. The share of the various sectors in the total R&D expenditure in 1998-99 was - Central Government including public sector industry contributed 67.5%, private sector 21.6%, State governments 8.0% and the higher education sector 2.9%. The R&D expenditure as a percentage of GNP was 0.81% as compared to 0.79% in 1990-91. Though in absolute terms the R&D expenditure has shown an increasing trend, the R&D expenditure as a percentage of GNP has hovered around 0.8%. The projected R&D expenditure as percentage of GNP in 1999-2000 and 2000-2001 are 0.87% and 0.94% respectively. It may be noted that in the coming years, the R&D expenses by the education sector is likely to go up as the academic institutions interact more and more with the industry and are thereby motivated to spend their own resources in R&D. As greater awareness about protecting intellectual property gets generated in industry and academics, contract research would necessarily be driven by the need to generate, protect and manage IPR. This trend will leverage more funds in R&D and improve the return from investment in R&D. The national R&D expenditure by objectives in 1998-99 was in the following areas in order of the share of the expenditure, agriculture forestry and fishing, defence, space, promotion of industrial development, development of health services, energy, general advancement of knowledge, transport and communication and environment. It may be noted that majority of funding for R&D comes from the Government and is carried out in publicly funded institutions. Therefore the role of the government in capacity building in management of IPR is fundamental and of utmost importance. 13.2 Capacity building 22

Experts who have been involved in capacity building in different areas would agree that the exercise of capacity building is never monolithic in nature but a multidimensional and complex activity. No exercise at a national level can succeed if all or most players are not engaged in the activity. Intellectual Property Rights are often considered synonym of patents or at best patents, trademark and copyrights. This type of understanding or misunderstanding may be present elsewhere in the world. Sometimes people even use the word patent as a substitute for protect. Lets not forget that India is a big country and the task of spreading literacy is gigantic Dissemination of new knowledge is difficult and it cannot be disseminated in a day or two; hence one should be prepared to work with low success rates. At the same time the need to make efforts for spreading correct literacy in a short period of time cannot be overlooked. Awareness still remains an unfulfilled goal in spite of efforts made by so many agencies. There is a need to adopt different means such as contact programmes, print media, bulletins, internet, videos etc. Awareness by itself is of little use if the State does not create and provide suitable systems to enable scientists, technologists, industries and even the State to protect their rights. These means would be in terms of technical guidance, financial support, legal help and other facilitation steps. If you teach scientists that novelty is one of the key factors for getting a patent and do not supply them with adequate tools to determine if their inventions are novel or not, the awareness will have be of little value. Universities in India are very poor and their management systems are very old. Therefore, they need technical, financial and legal help to move ahead; someone has to hold their hands.

Capacity building has to be multifaceted at the national level in order to move and remain ahead in the knowledge race. Academic institutions, R&D institutions, industries (goods and services), government departments and ministries (law making, regulating, providing funds and incentives for research etc) and other agencies, attorney firms, courts and NGOs need to be enabled and empowered for playing a constructive role in the process of capacity building. Policy frameworks are essential in the national context to give the right impetus to the activities already started and also provide a broad platform for taking up future activities. Many of these issues have been addressed and addressed quite successfully in the last ten years by different agencies of the government. While departments like Atomic Energy, Space and DRDO and agencies like CSIR have their in house system for looking after their needs of IPR, There was no agency in the country in 1995, which could cut across departments and agencies and become a national nodal point for information and advice on IPR. 13.3 Patent Facilitating Centre (PFC) The Department of Science and Technology set up the Patent Facilitating Centre at the Technology Information Forecasting and Assessment Council (TIFAC) in 1995 as a small initiative to address the need of awareness creation among scientists, helping them to protect their inventive and original work through IP laws and also act as a watch dog. The PFC came to be known for its capability to raise issues and bringing new information and knowledge about IPR in public domain. Starting with the revelation of the turmeric patent to the whole country, it brought to notice many other patents using some of our well known plants and traditional knowledge and, at times, claiming what is already known in India. The days of Dunkel Draft on

WTO became a history with PFC putting IPR matters in public domain freely through its monthly IPR Bulletin since November 1995 (now it is available on the net). The readership of these bulletins is over 10000. These bulletins cover technical analysis of granted patents, case laws, current global issues, IPR laws of India and other countries, international treaties, analysis of patents tends, domestic and international news and many other items of interest to a wide variety of readers. 23 The PFC has organized 305 IPR awareness workshops all over the country independently and also in association with Ministry of Small Scale Industries, Department of Atomic Energy, Department of Space and ICMR. In the process almost 35000 scientists, technologists and policy makers have been sensitized from about 500 universities, colleges and R&D institutions and 800 industries. The PFC has been organizing advanced level of training programmes with CII and attorney firms and also workshops cum retreat on topics such as public private partnership in IPR management. It would be pertinent to mention at this point that the Ministry of Human Resource Development (MHRD) has also been supporting workshops on IPR. Further, the MHRD has created 11 IPR chairs in various IITS and universities. The Ministry of Commerce and Industry has also been conducting many seminars and workshops on this topic for the last decade or so. As mentioned earlier, these efforts have to be supplemented with some hardcore products and processes to lead to logical conclusions/ output. Indian patent data was not available in a searchable digital form. People in the field realize that it is almost impossible to search for patents from the gazette. The PFC brought out Ekaswa A and Ekaswa B databases on the patent

applications filed in India and the patent applications accepted by the Patent Office. These are available on the internet as well and are being used extensively by industries. Twenty Patent Information Centres (PIC) have been set up by the PFC in 20 States namely; Assam, Andhra Pradesh, Chattisgarh, Goa, Gujarat, Haryana, Himachal Pradesh, Jammu and Kashmir, Karnataka, Kerala, Madhya Pradesh, Manipur, Punjab, Rajasthan, Sikkim, Tamil Nadu, Tripura, Uttar Pradesh, Uttranchal and West Bengal. These PICs are helping scientists, technologists and policy makers in their respective States by creating awareness and extending help for protecting their inventions. Some States as a result of continuous discussions have filed applications for registration of some products as geographical indications; some are also in the pipeline. Two PICs, namely, Punjab and West Bengal, have also succeeded in introducing IPR courses in technical institutions; other PICs are working hard towards this goal. The PFC is the only window available in the country, which provides full technical, legal and financial support for inventions emanating from educational institutions, including schools and colleges, and government departments. It has so far filed 260 patent applications in India and other countries from about 55 universities / academic institutions and many of them have been granted. 13.4 Other centres / cells Many government departments, educational institutions and PSU have started their IPR cells. Prominent among the government departments / agencies are Department of Biotechnology, Ministry of Telecommunications and Information Technology, Indian Council of Medical Research, Indian Council of Agricultural Research, ISRO, Department of Atomic Energy, Defence Research and Development Organization and Indian Council of Forest

Research. IITs at Delhi, Mumbai, Kharagpur and Roorkee have also set up their cells and evolved their IPR policies. Among the PSUs, Indian Oil Corporation and Bharat Heavy Electricals Ltd. are worth mentioning. Among private industries, there are many industries, which have started their own IPR cells and it may not be possible to list all of them here. There is no doubt that private industries have responded very well to the new IPR regime in terms of filing patent applications. 24 13.5 First Policy Breakthrough9 Ministry of Science and Technology issued the guidelines "Instructions for Technology Transfer and Intellectual Property Rights" in March 2000, which would help in enhancing the motivation of scientists, research Institutions and universities in projects funded by the Department of Science and Technology, Department of Biotechnology, Department of Scientific and Industrial Research and Department of Ocean Development. The salient features of the guidelines are (1) Institutions shall be encouraged to seek protection of intellectual property rights in respect of the results of R&D. They may retain the ownership of such IPR. Here `Institutions' mean any technical, scientific or academic establishment where research is carried out through funding by the central and / or the state governments. (2) The Institutions shall take necessary steps to commercially exploit patents on exclusive or on non-exclusive basis. (3) The owner institution is permitted to retain the benefits and earnings generated out of the IPR. The institution may determine the share of inventor(s) and other persons from such actual earnings. However, such share shall be limited to one third of the actual earnings.

(4) IPR generated through joint research by institution(s) and industrial concern(s) through joint efforts can be owned jointly by them or as may be mutually agreed to by them through a written agreement. The institution and industrial concern may transfer the technology to a third party for commercialisation on exclusive / non-exclusive basis. The third party, exclusively licensed to market the innovation in India, must manufacture the product in India. The joint owners may share the benefits and earnings arising out of commercial exploitation of the IPR. (5) The owner institution shall set apart not less than 25% of the revenue generated from IPR to create a Patent Facilitating Fund which shall be utilized by the institution for updating inventions, filing new patent applications and protecting IP rights against infringement, and for building competency in the area of IPR and related issues. (6) The Government shall have a royalty free license for the use of the Intellectual property for the purposes of the Government of India. This is a major departure in the approach and policy towards managing inventions in India by the Ministry of Science and Technology. In order to have a uniform policy of the government in this respect, it may be useful to have a suitable law in this regard. It is obvious that with more and more autonomy to research institutions in regard to IPR and technology transfer, these institutions, and the scientists working there, would have stronger motivation to invent products and processes, which are required by the market. 13.6 Innovations related incentives10 25 An innovative industry in India can gain competitive advantage in the market if it develops the necessary expertise and skills in developing and manufacturing new products,

which are patented. For example, the advantage of a three year excise duty exemption or exemption from Drugs Price Control Order may translate into reserves / income which may offset the cost towards R&D. In order to promote R&D and innovation in Indian industries, Government of India provides a number of fiscal incentives and support measures to industries. With increasing public private partnership in technology development through schemes of Technology Development Board, Drug and Pharmaceutical Board and NMILTI, the following incentives would be extremely useful in promoting the culture of innovation and intellectual property protection in industries and academic and R&D institutions. 1. Excise duty waiver on patented products All goods falling under the Schedule to the Central Excise Tariff 1985 are exempt from the excise duty for a period of 3 years from the date of commencement of commercial production provided such goods are manufactured by a wholly owned Indian company and such goods are designed and developed by such Indian company and the goods so designed are patented in any two countries outside India namely, USA, Japan and any country of the European Union. The manufacturer, before commencing commercial production must obtain a certificate from the Department of Scientific and Industrial Research for claiming the benefit. 2. Exemption from Drug Price Control Order Bulk drugs produced based on indigenous R&D are exempt from drug price control for a period of 5 years from the date of commencement of commercial production provided that they are produced from the basic stage by a process of manufacture developed by the unit through its own R&D efforts. In case of a drug, which has not been produced elsewhere, if developed and produced indigenously, it would be placed outside the price control order for a period of 10 years

from the date of commencement of commercial production. In order to establish that a process or a product has been developed through indigenous R&D, novelty of the process or product would have to be ensured. In other words a patent would have to be necessarily obtained for claiming the benefit. 3. Weighted tax deduction on R&D expenditure Weighted tax deduction @ 150% on R&D expenditure is available to companies engaged in the business of biotechnology, or the business of manufacture or production of drugs, pharmaceuticals, electronic equipment, computers, telecommunication equipment, chemicals and manufacture of aircraft and helicopters. The expenditure on scientific research in relation to drugs and pharmaceuticals, shall include expenditure incurred on clinical trials of drugs, obtaining approval from the regulatory authority under any Central, State or provincial Act and the filing of a patent application in India. 4. Accelerated depreciation allowance Depreciation allowance at a higher rate is available in respect of plant and machinery installed for manufacturing goods based on indigenous technology developed in recognized inhouse R&D units, Government R&D institutions, national laboratories and Scientific and 26 Industrial Organizations (SIRO). The present rate of depreciation for plant and machinery is 40% as against 25% for other plants and machinery. 5. Tax holiday to R&D companies Tax holiday is available to approved companies engaged in scientific and industrial R&D activities on commercial lines for ten consecutive assessment years. This incentive is applicable to any commercial company that has its main objective and activities in the area of scientific and

industrial R&D. This would be applicable to companies approved after March 31, 2000 but before April 1, 2003. 6. Income tax relief on R&D expenditure Under Section 35(1)(i) of the Income Tax Act 1961, the revenue expenditure on scientific research, by recognized R&D units, on activities related to the business of the company is allowed full deduction. Under Section 35(1)(iv) expenses of a capital nature could be deducted totally from the income of the year in which the expenses have been incurred. 7. Tax deduction for sponsoring research Section 35(2AA) of the IT Act 1961 provides for a weighted tax deduction of 125% for expenses on sponsoring research programmes at National laboratories functioning under ICAR, CSIR, ICMR, DRDO, Department of Biotechnology, Department of Atomic Energy, Department of Electronics; IIT and universities. 13.7 The Science and Technology Policy 200311 The Science and Technology Policy released in 2003 is upbeat on intellectual property rights and related issues. It focuses a great deal on the transformation of new ideas into commercial successes, which is considered vitally important to the nations ability to achieve high economic growth and global competitiveness. Accordingly, special emphasis will be given not only to R&D and the technological factors of innovations but also to the other equally important social, institutional and market factors. Value addition and creation of wealth through reassessment, redistribution and repositioning of our intellectual, capital and material resource will be achieved through effective use of science and technology. The Policy states that IPR has to be viewed, not as a self contained and distinct domain, but rather as an effective policy instrument that would be relevant to wide ranging socioeconomic,

technological and political concepts. The generation and protection of competitive intellectual property from Indian R&D programmes will be encouraged and promoted. The process of globalization is leading to situations where collective knowledge of societies normally used for common good is converted to a proprietary knowledge for the commercial profit of a few. Action will be taken to protect our indigenous knowledge systems, primarily through national policies, supplemented by supportive international action. For this purpose, IPR systems, which specially protect scientific discoveries and technological innovations arising out of such traditional knowledge will be designed and implemented. Our legislation with regard to patents, copyrights and other forms of intellectual property rights will ensure that maximum incentives are provided for individual inventors, and to our scientific and technological community, to undertake large scale and rapid commercialization, at home and abroad. The development of skills and competence to manage IPR and to leverage its influence will be given a major thrust. This area calls for significant technological insights and legal expertise and will be handled differently from the present, and with high priority. Efforts will be made to synergy between industry and scientific research by creating Autonomous Technology Transfer Organizations as associate organizations of universities and national laboratories to facilitate the transfer to industry, of the know how generated. The above action strategy has emerged from the following policy objectives: _ To encourage research and innovation in areas of relevance for the economy and the society, particularly by promoting close and productive interaction between private and public institutions in science and technology;

_ To establish an intellectual property rights regime, which maximizes the incentives for the generation and protection of intellectual property by all types of inventors. The regime would also provide a strong, supportive and comprehensive policy environment for speedy and effective domestic commercialization of such inventions so as to be maximal in the public interest and to promote international science and technology cooperation towards achieving the goals of national development and security, and make it a key element of our international relations. The Policy objectives in regard to intellectual property rights were formulated with the overall perspective that knowledge has become a source of economic might and power. This has led to increased restrictions on sharing of knowledge, to new norms of intellectual property rights, and to global trade and technology control regimes. Scientific and technological developments today also have deep ethical, legal and social implications. There are deep concerns in society about these. The ongoing globalization and the intensely competitive environment have a significant impact on the production and service sectors. 13.8 Experience of Indian universities12, 13 Until 1995 the culture of protecting their inventive work through patents by universities and academic institutions was almost nonexistent. Efforts made by multiple agencies in the country have made some difference in the situation, which is obvious from the data and analysis that follow. The Table 1 below shows the filings of patent applications by the Indian academic institutions in India. 28 Year Number of patent applications filed by academic institutes

other than IITs and IISc Number of patent applications filed by IITs and IISc Total number of patent applications 1995 4 31 35 1996 11 18 29 1997 23 15 38 1998 16 34 50 1999 30 32 62 2000 36 42 78 2001 33 63 96 2002 33 46 79 Table 1 The Table 2 shows the growth in filings in two blocks of four years; 1995-1998 and 1999-2002. Block period Applications filed during 1995-1998 Applications filed during 1999-2002 Percentage increase in number of applications filed Academic institutes other than IITs and IISc 54 132 244 IITs and IISc 98 183 187 Total 152 315 207 Table 2 It may be noted that out of 132 patent applications filed during 1999-2002 by institutions other than IITs and IISc, 53 applications (40% of the applications) were filed with full technical, legal and financial support of the PFC of TIFAC. 14.9 Epilogue A statement of purpose (SOP) is always helpful in fixing targets and goals because

fulfilment of a purpose is satisfying. We have to have an SOP to develop a pool of well informed and trained human resource, deploy sufficient facilities (hardware and software) and, create and promote an enabling environment for generating, protecting and managing intellectual property for progress of science, technology and arts leading to growth of trade and industry and well being of the society. People say that Rome was not built in a day. Any physical process, including development, has to absorb some finite time before taking a shape. We have made a good start by rising to the occasion and putting in place some very useful systems and policies. It is the beginning and we have to go a long way!