IDENTITY THEFT AND INDIAN LAWS
Souranil Mondal, IV year of B.A.,LL.B.(Hons.) from West Bengal National University of Juridical Sciences
‘Identity thieves make hundreds of victims!’ is a usual heading we spot in the current e-zines represented along with a picture of hundreds of horrified people and chasing thieves escaping away with their identities. However, the reality is of course different. Identity thieves do not rob identities; they make use of the identities as the means to commit various forms of fraudulent activities. The advancement of computer technology along with the increased virtual human associations using such technology gave rise to numerous offences or unlawful acts (known as cybercrimes) in this field as well. Identity theft is one such criminal activity. Identity theft is considered one of the serious forthcoming threats in the field of crimes
Identity theft mentions all such crimes wherein an individual fraudulently acquire someone’s sensitive or key pieces of personal information with an intent to impersonate them and make use of such identities as the means to commit various forms of unlawful activities.[i]Identity theft, in another way, could also be perceived as a subset of data theft wherein sensitive or key pieces of personal information of the victim forms the stolen data and becomes the tools to carry out various other illegal offences.
The threat of identity theft has gradually increased and spread all across the world, especially in the United States[ii] and Europe[iii]. In India, the result of the India Risk Survey Report 2014 shows an 11% rise in identity theft and ransomware, along with a 9% rise in Phishing offences.[iv] As per the 2018 Latest Internet Security Threat Report by Symantec, India ranked 3rd amongst the global nations in terms of facing the most numbers of cyber threats.[v] However, India has a startlingly low level in the rate of convictions despite having such high numbers of cybercrimes.[vi] It is very problematic for a nation, having around 350 Million Internet Users[vii], with a gradual increase in the number of cybercrimes and startling low rate of conviction. Thus, there needs to be a critical analysis of the existing laws and provisions relating to cybercrimes, to apprehend and recognize the various lacunae in the law itself or its implementation.
The article will therefore focus on whether and to what extent are the existing Indian provisions relating to Identity theft enough to handle the current problems/ issues, and whether the enforcement mechanism of such provisions is in concurrence with our legislation.
WHAT CONSTITUTES ‘IDENTITY’ OF AN INDIVIDUAL?
In general terms, the identity of a person is the accumulation of distinct and stable features associated with such individual that differentiates himself/herself from others.[viii] From a legal perspective, identity covers the recognition aspect of a person under the administration records through birth enrolment, voter identity card, driving permit, and so on. It comprises the name, citizenship, address proof, distinguishing physical mark (i.e., a scar or mole), picture, and blood group data. This can assist the authorities with keeping a track of the individuals dwelling or visiting the region.
Identity concerning the Identity theft offences varies from Social Security Numbers to bank account details. It incorporates any such data that can be utilized by the offenders to take over the identity of the victim to carry out illegal and unlawful activities.[ix] E-signatures along with passwords are encompassed into the scope of identity according to Section 66 C of the Information Technology (Amend.) Act, 2008.
OCCASIONS OF IDENTITY THEFT ALONG WITH THE DAMAGES CAUSED TO THE INJURED PARTIES: SPECIAL EMPHASIS UPON THE INDIAN INSTANCES
The number of identity theft instances are gradually rising all over the world. In the United States alone, every year around 16 Million residential people got their identities to be fraudulently misused, with approximately $55 Billion being the total overall loss.[x] More than 90 Million additional citizens of America have their personal identification information in danger when the records kept in the corporate and government database gets misplaced or stolen. As per the Annual Cyber Safety Insights Report 2020, four out of ten Indians experienced and is a victim of Online Identity theft, and this finding seems to have increased by around 13% since 2012.[xi]More than 20%internet users of India are the sufferer of Online Phishing attacks and on an average loss of Rs. 7500 have been suffered by the victims according to the 3rd edition of Microsoft’s Annual Computing Safer Index (MCSI)[xii]. As per the Fraud report 2016 published by Experian India, Identity theft accounts for 76% of the fraudulent activities, especially in the banking and financial sector between the period of 2015 to 2016.[xiii]
LEADING IDENTITY THEFT CASES ALL ACROSS THE GLOBE
It is very easy for an individual to gather the personally identifiable information of public figures (such as celebrities, big shots etc) because of their renown and social presence. Because of this, the personal data safeguarded by passwords can be cracked and changed simply by predicting the answer in response to the security question asked. Therefore, the people of these classes are the most and easy targets of Identity theft criminals. To start with, Michael Bloomberg, who is one of the prominent business tycoons of the USA along with being the owner of the Bloomberg LP Comp, was one of the double victims of identity theft. His personal information was used by the criminal to steal $10,000 from his savings account through an online transaction. The other criminal counterfeited cheques in Mr. Bloomberg’s name by using the personal information and transferred the two forged cheques of $190,000 and $ 230,000 into his bank account.[xiv] Another such instance was witnessed when a hacker unauthorizedly got access to the single social security number, place of address, birth date and bank account details of famous golfer Tiger Woods, and transferred a four-digit figure amount into his bank account. Renowned Hollywood artist Will Smith and popular pop singer Whitney Houston were also the victims of identity theft. In India, a cybercrook from Andhra Pradesh, unauthorizedly accessed the income tax details account of the famous industrialist Mr. Anil Ambani. In another case, a hacker from Noida accessed the income tax returns of world-famous cricketers M.S. Dhoni and Sachin Tendulkar along with popular celebrities Shah Rukh Khan and Salman Khan.
In addition to these instances, various other Indian expansive identity theft incidents include the 2015 RBI Phishing attacks, 2011 ICC Cricket World Cup Phishing scam, along with the password phishing scam targeted towards the G-mail account holders.[xv]Since the numbers of identity theft crime were gradually rising and phishing had been identified as the most common way to commit such crime in India, the Delhi High Court in the 2005 dispute suit of ‘NASSCOM Vs Ajay Sood’[xvi]stated: “phishing to be an illegal activity on the internet, and an injured party could demand reparation against it.”The Court further observed that phishing act does not only cause damages to the sufferer but also tarnish the impression of the person whose identity has been fraudulently misused.
DOES ‘IDENTITY THEFT’ MEANS‘THEFT’ AS PER THE MEANING OF IPC,1860?
Even though by its name, identity theft refers to a type of theft of particular kind which involves user’s information, however, Section 378 of the Indian Penal Code 1860 dealing with theft doesn’t govern it.[xvii] As per section 22 of IPC 1860, Section 378 only covers corporeal property, and movable property or such other property which is competent of being detached from the earth.[xviii]In the landmark suit of Avtar Singh Vs State of Punjab[xix], the supreme court of India decided not to widen the meaning of section 378 of IPC to include electricity within the ambit of theft. Since, all identity pieces of information are like binary data signals of 0’s and 1’s, regulated by streams of electronic waves similar to electricity, thus Section 378 of IPC can’t be perused to incorporate data, information or identity theft.[xx]
INDIAN LAWS REGULATING IDENTITY THEFT
There is no independent legislation for identity theft in our country. However, Information Technology (Amendment) Act, 2008 and various provisions of IPC, 1860 are being applied to look after such wrongdoing activities. Since identity theft represents the characteristics of both theft as well as fraud, thus the fundamental provisions relating to cheating by impersonation, fraud forgery etc as laid down in IPC 1860, are referred to in addition to the provisions mentioned under the IT Act, 2008.
VARIOUS PROVISIONS OF IPC WHICH COULD BE APPLIED TO REGULATE IDENTITY THEFT
Information Technology Act, 2000 brought an amendment to include e-records within the ambit of certain IPC provisions such as fraud and forgery used to cater to crimes related to false documents. This amendment allowed to widen the scope of such criminal acts and thereby include computer data related crime as well. Thus, provisions related to forgery (Sec 464), forgery creating false records and documentation (Sec 465), forgery with the motive to cheat (Section 468), forgery to tarnish reputation ( Section 469), making use of a forged document as genuine (Section 471) and possession of a document known to be forged and having the intention to make use of it as genuine (Sec 474)can be conjoined with the other related provisions mentioned in the IT Act.
Various other suggestions have been recommended by the Expert Committee on Amendments to the Information Technology Act, 2000, though haven not been implemented yet. They suggested punishing an offender with 3 years of imprisonment for cheating through the use of any specific identifying characteristics of another individual and also to punish an offender with 5 years of imprisonment for cheating by impersonation through the use of computer resources under Section 417A and 419A respectively.
VARIOUS PROVISIONS IN THE IT ACT, 2000
The principal legislation regulating cybercrimes is the Information Technology Act 2000. However, it has been implemented primarily to regulate e-commercial activities in India and thus, didn’t describe cybercrimes as such.[xxi] Before the 2008 Amendment, it was Section 43 of the IT Act which imposed several civil liabilities upon the accused through the way of compensation (1 crore max) for illegal accessing to any other individual’s computer or network. Section 66 A regulated the online phishing activities; however, it has been held unconstitutional now. The 2008 Amendment introduced the term Identity theft in the IT Act, 2000.[xxii]Section 66 (C) of the act provided punishment of 3 years and fine for the act of identity theft. Section 66 C is the only provision which primarily deals with identity theft and has defined such activity. Further, Section 66 D is quite similar to Section 419 A of IPC and thereby deals with cheating by impersonation through the use of computer resources.
Therefore, it is the method of committing identity theft that determines which law from the aforementioned provisions could be implemented.
It is the utmost duty of the legislature to take care of the mechanism and laws for punishing the identity criminals. There are several lacunas concerning the Indian laws and implementation of such laws on Identity theft. However, through slight adaptation and modification, to the present laws and its effective implementation, the increasing cases of identity theft act can be restricted. The loss caused to the victim can be mitigated as far as possible and by holding the intermediaries accountable for the data that they hold; data privacy can be upheld. India though doesn’t seem to have strong data protection laws, however, the recommended Personal Data Protection Bill shows an encouraging step towards stricter laws relating to Data Protection.[xxiii]There needs to be an overlap between the laws and the implementation. The true proficiency and effectiveness of the present laws will be achieved once the implementation aspect doesn’t lag behind the legislations and run in parallel.
[[iii]]Bert-Jaap Koops& Ronald Leenes (2006), ID Theft, ID Fraud and/or ID-related Crime. Definitions matter, Datenschutz und Datensicherheit 2006 (9), pp. 553-556
[[vi]]RajlakshmiWagh, Comparative Analysis of Trends of Cyber Crime Laws in USA and India, 2 International Journal of Advanced Computer Science and Information Technology pp. 42-50 (2013) (last visited Oct 13, 2020).