IDENTITY THEFT IN INDIA: VIRTUAL THEFT OF REALITY

ABSTRACT:

Ever came across someone who makes you feel like daydream of yourself! Or someday you ask your friends for some money and are acquainted with pre-occupied loans that you never asked for or received, horrible it seems? But still a reality. A North-China resident being tricked into using a deepfake video call to transfer a certain amount of 4.3 yuan (around ₹5 crore).  These mishaps are possible in the virtual world as of now owing to the level of digital advancements which gives a myriad of ways and opportunities to the digital offenders through which they can oppress those who are unaware of it. Citizens are always in this constant fear of keeping their sensitive personal data safe from unwanted harmful third-parties. In addition to that, people nowadays have to also fear being accountable for something they never did. The crime that has been highlighted in this article is generally referred to as Identity Theft which encompasses stealing of details relating to banking, social media etc through which they impersonate the victims. It tries to give a brief yet detailed analysis of these crimes, related legislations and some prominent methods of its commitment.

KEYWORDS: Information Technology Act, 2000; Indian Penal Code, 1860; Phishing; Deepfakes; ATM Skimming; Digital Personal Data Protection Act, 2023; Identity Theft

INTRODUCTION:

India’s rank jumped six positions in 2022 and secured the 40^th rank among the 132 nations in the Global innovation index. It also occupies 3^rd rank in terms of start-ups, number of Unicorns, and number of PhDs awarded in Science & Engineering. We also have added golden pages in the history of the world recently by successfully landing on the south pole of the Moon by our Chandrayan-3 mission. 

However, we still have some sectors in requirement of further consideration possessing utmost importance for the citizens pertaining to their personal data, digital identity (account number, PAN, account PIN, personal information, etc.), and others. The stealing of this digital identity is generally referred as ‘identity theft’ by which offenders extort money or sometimes compel others to do or omit to do something against their will. Identity theft is defined in the black’s law dictionary as unlawful taking and use of another person’s identifying information for fraudulent purpose. 

Currently, there are two primary legislations which are dealing with the crimes related to identity theft in India – (i) The Information Technology Act, 2000 (IT Act) (ii) Indian Penal Code, 1860 (IPC). As per the NCRB reports, the cyber-crimes are on continuous rise as we can observe since 2018 (27248) to 2021 (52430) which questions our existing legislative status and its efficiency. Further, the charge-sheeting rate also experienced a decline in the country from 47.5 to 33.6. Debit card/ credit card fraud, biometric identity theft, mail identity fraud by phishing attacks, deepfakes, etc. have gain prominent potential along with the drastic evolvement in the technological growth of India which must be curtailed with the establishment of proper executive mechanisms or frameworks for efficient implementation of existing laws. As the director of NASA, Bill Nelson stated – “If we don’t act now to safeguard our privacy, we could all be victims of identity theft”, the severity of issue at the international regime should be felt and emphasized.

OBJECTIVE:

The present article focusses on elaborating over the issue of identity theft to spread awareness of the offence so that the readers can understand how they are susceptible to this horror of digital media and what are the provisions for their safeguards in the Indian Statutes. This article derives its sources from various legislations, news articles, government reports, crime reports, statistics, other articles, etc.

LEGISLATIVE STATUS:

As mentioned earlier the issues of identity theft are mainly dealt by the IT Act and IPC. However, recently on 12^th August 2023, The Digital Personal Data Protection Act, 2023 (herein after used as DPDPA) has been enforced after getting President’s assent on 11^th August 2023, which is expected to be proved as a helping hand in diminishing the data related cyber-crimes including identity theft as it applies to digital personal data collected whether in digital form or non-digital form. Let us dive into them separately –

• IT Act, 2000: This act primarily deals with a variety of crimes in the cyberspace including various methods of identity theft crimes also. To begin with, section 43 contains various provisions which not only confronts situations of damages to a computer or its data base but also for a person tampering or manipulating any such network owned by someone else. Additionally, compensation provisions for failure to protect data is being provided under section 43A which ensures accountability over the body corporates which handles such data.  For the offence of tampering with computer source documents and for hacking with computer systems, section 65 and section 66 respectively, penalizes for imprisonment up to 3 years or fine with an upper cap of ₹2,00,000 or both.  

Section 66 A covered substantially the phishing attacks by penalizing inconvenient electronic mails or messages, however, it was repealed in 2015 for being ultra vires by virtue of article 19(1)(a) – ‘Freedom of speech and expression’ as it restricts the same beyond the scope of article 19(2).

Section 66 B penalizes receiving or retaining any stolen computer resource or communication device with imprisonment or fine up to 3 years or ₹1 lakh respectively or both which again present as a swaying sword hanging on offenders using such means to steal someone’s identity by occupying their devices as mentioned.

Now the most important part is section 66 C which explicitly penalizes identity theft with both imprisonment and fine extendable up to 3 years and ₹1 lakh respectively, however, the terms ‘fraudulently’ and ‘dishonestly’ restrict the scope of the offence by connecting it with a certain condition of mens rea to be required while interpreting the crime hereunder. This although is good for exempting such innocent people who at times being compelled to do so under some kind of threat, etc. Still, it also opens a small window for the offenders to diminish their liabilities or gravity by contending on the same as it forms an essential part of the statute. In simple terms, offenders have a scope of claiming bonafide intention to escape their liabilities.

But section 66 D can catch such cunning beings to be still held accountable for personation by means of any communication device or computer resource that is also containing both imprisonment and fine up to 3 years and ₹1 lakh respectively.  

Section 66 F penalizes practices of conspiring or committing cyber terrorism done by means of accessing unauthorized computer resource or denying or causing denial for an authorized access, etc. with imprisonment up to life.

• IPC, 1860: Although, it does not explicitly provide for the term ‘identity theft’ but it comprises of such provisions which can be interpreted for confronting such offences. Specifically, section 419 punishes for cheating by personation that is wide enough to cover digital identity theft practices also. Further, section 420 penalizes cheating and dishonestly inducing delivery of property so the identity thieves who does so cannot escape their liability and the punishment’s nature leads to such severity that offender would always have second thoughts of the consequences. In this way, the IPC covers identity theft as crime under the ambit of cheating.  

It’s not over with these only, rather there are more such sections which can be interpreted in the same way like section 463 (Forgery) which covers actions of making any false document to support any title, etc. It is obvious that people who attempts such crimes need personal data and information to steal someone’s identity otherwise how would they fool others. Explicitly for this purpose we do have section 464 that targets on who makes false documents and section 465 which provides for the punishment of this crime up to 2 years imprisonment or fine or both. Section 468 connects forgery with the intent of cheating that widens the scope of law and section 471 covers acts of using forged electronic record as a genuine one also to teach lesson for such offenders. Similarly, section 474 comprises such acts where forged court records (purporting to be a record or proceeding of or in a Court of Justice, or a register of birth, baptism, marriage or burial, or a register kept by a public servant as such, or a certificate or document

purporting to be made by a public servant in his official capacity, or an authority to institute or defend a suit, or to take any proceedings therein, or to confess judgment, or a power of attorney) and a document (which purports to be a

valuable security or a will, or an authority to adopt a son, or which purports to give authority to any person to make or transfer any valuable security, or to receive the principal, interest or dividends thereon, or to receive or deliver any money, movable property, or valuable security, or any document purporting to

be an acquittance or receipt acknowledging the payment of money, or an acquittance or receipt for the delivery of any movable property or valuable security). This broadly covers all such circumstances where forged documents or records as mentioned can be used by the offenders to pose themselves someone who they are not in reality.

We have discussed the IT Act and IPC provisions which are seemed quite adequate to handle the current scenario of crimes as for what is provided in the bare text. Additionally, CERT-In (Indian Computer Response Team) is a national agency for incident response of cyber security instilled by the 2008 amendment in the IT Act 2000 inserting section 70 B and NCIIPC (National Critical Information Infrastructure Protection Centre) has established under 70 A that also inserted by the 2008 amendment.

Also, the DPDPA is quite significant which enhances security to the protection of digital personal data of individuals in the country, however, the impacts and efficiency of the Act would be seen after a while as currently it emphasizes over the relation between a data fiduciary and a data principal that is why it does provide a definition for personal data and personal data breach also. There also introduced a National Cyber Security Policy in 2013 for establishing a nodal agency to deal with the cyber security matters across the country and to function for the protection of the cyberspace after the tough phase of NSA surveillance scandal. However, there are many lacunas pointed in the 2013 policy led to the National Cyber Security Policy of 2020 formulated by Data Security Council of India headed by Lt. General Rajesh Pant followed by a revised policy in 2021 and evolving to the current National Cyber Security Framework 2023 aims to deal with the loopholes of previous policies and to enhance the present status of cyberspace protection in India. 

PREVALENT METHODS OF IDENTITY THEFT:

A total of 14 lakhs plus incidents handled by the CERT-In (Indian Computer Response Team) in the year 2021 whereas NCRB as mentioned earlier detected 52,974 cyber crimes in the same year. There are a variety of methods included in identity theft like the ATM skimming, phishing, vishing, deepfakes and others. Here we will discuss some of them to understand how the discussed legislations apply in different type of identity theft related crimes –

• PHISHING: According to the black’s law dictionary phishing is defined as “An act of illegally gaining access to a computer, stealing private information and then utilizing that information for harmful activities.” The most common ways of phishing is through emails, communication methods and internet web-browsing to trick the innocent people, however, with the advancement of technology the methods of phishing attacks also evolved such as smishing, vishing, content spoofing, etc. In this particular offence consumer data is tampered and stole for the purpose of fooling his acquaintances or sometimes malware inserted links, etc. are forwarded by such means so when someone clicks on them these offenders acquire their unauthorized access like for social media accounts or emails through which they extort huge sums of money.  

In the case of National Association of Software and Service Companies v. Ajay Sood, the Indian legal system clarified what phishing is. The judge determined that phishing is a type of online fraud. In a phishing scenario, a person misrepresents the identity of the genuine party by posing as a reputable organization, like a bank or insurance company, in order to get personal information from a user, like access codes and passwords, which are subsequently used to his or her advantage.

As per the NCRB reports, there were 4,071 and 11,422 crimes occurred with regards to section 66 C (identity theft) and section 66 D (Cheating by personation by using computer resource) of the IT Act in the year 2021 across the country. Further, there occurred 372 issues of violation of privacy (section 66 E of IT Act); 3 of Un-authorized access/attempt to access to protected computer system (Sec.70 of IT Act); along with a total of 14,007 fraud cases (Sec.420 of IT Act r/w Sec.465, 468- 471 IPC) including 1,624 cases of credit card/ debit card fraud; 4,823 cases of online banking fraud; 2,028 cases of OTP frauds and 3,633 other such cases, etc.

Although, there is a decline in cases of identity theft cases (5,148 in 2020) and cases of ‘Cheating by personation by using computer resource’ (11,191 in 2020) yet the cases of frauds have observed significant growth which were 10,395 in 2020 including Credit Card/Debit Card frauds (1,194), online banking frauds (4,047) and OTP frauds (1,093). This shows that the crime rate is still higher for the frauds in India and in need of further attention of the authorities. 

• DEEP FAKES 

 Deepfakes have emerged to be a rising concern before the world governments after facing numerous issues of fake news and information created disturbances among their population whether it be the $35 million heist from the Japanese company in 2020 by using deep voice technology to fake the voice of the company director or the ₹40,000 lost by a 73 years old Kerala man to deepfake AI based fraud. Deepfakes have become a growing concern for governments worldwide due to the rise of fake news and information. These technologies have led to various misuses, such as sextortion, pornography, national security risks, and identity theft. Sextortion involves creating fake videos and images of men or women, trapping the target in a state where they can obtain sensitive information or secrets of their prey. In 2020, a 214% surge in fake news cases were found, warning people to be cautious when connecting with unknown people and trusting in their sweet talks.

Fake pornography is another area where deepfake technology can be used. Deep Trace Labs published a report in 2019 stating that 14,678 deepfake videos were available online, with 96% being pornographic content. This allows perpetrators to create humiliating images or videos of celebrities or other individuals specific to society, using public-accessible data like images, voice, etc., and weaving these data threads into the pornographic content.

National security risks and election interference are also a concern. Creating fake videos can spread misinformation, exploit social division, and create political unrest. The U.S. intelligence senate committee concluded that Russia interfered in the 2016 U.S. Presidential elections, and in 2020, the Hindu published an article about the incident of two BJP prominent members criticizing Mr. Arvind Kejriwal in a video distributed on WhatsApp.

The abovementioned are the various probable modes of deepfakes to steal identity which is a crucial issue as the deepfake perpetrators using someone’s image, video, and voice to create their version of the same person for scams and frauds. Humans are emotion-driven and based on trust and hope, making them their prey, for instance, a North-China resident man being tricked into using a deepfake video call to transfer a certain amount of 4.3 yuan (around ₹5 crore).

In conclusion, deepfake videos and deepfake videos pose significant threats to society and individuals. It is crucial for governments and individuals to be aware of these risks and take necessary precautions to protect themselves and others.

• ATM SKIMMING:

ATMs were introduced as a revolutionary step for the banking industry providing utmost comfort to the customers by the concept of withdrawing cash anytime and anywhere. As per RBI, there are 1,24,610 onsite and 94,930 offsite ATMs and CRMs and 1,899 incidents of ATM frauds in the year 2021 alone and 1,624 credit card/debit card frauds. Also reports state about 1,532 frauds involving ₹60 Crore.

ATM fraud can take many different forms, including keypad overlays, camera hacking, and camera installation in the machine itself which makes it considerably more sophisticated type of financial fraud and it becomes necessary to approach it with a much more complex and comprehensive security method.

In the case of Diebold Systems Pvt Ltd v. Commissioner of Commercial Taxes provided an analytical explanation of the purpose and operation of ATMs and how their working being technically connected with the computer system of the banks and thus can be addressed under the purview of IT Act which specifically deals identity theft crimes related with computer devices and related services. 

In this way, such crimes being also recorded as digital identity crimes as mostly the offenders steal the account information, PIN, etc. which not only empowers them to empty your accounts but also to take out loans on the target’s account name thus posing to be the account holder before the banks. Thus, it also need more attention to be prevented and such crimes is the reasons for the lengthy paper works and information in the banks along with the various television commercials we see on not sharing KYC (Know Your Customer), personal information, OTPs, etc.   

CONCLUSION:

Thus, identity theft has become an inevitable evil in today’s society which has infiltrated every sector to its core and disturbed the system. There lacks a systematized procedural framework, required infrastructure to cater to such problems. Profit generation has become the ultimate goal which has endangered the concept of ethics. Moreover, to tackle this brimming issue, the digital system needs to be expanded over a certain horizon, ignorance has to be replaced by awareness and a stringent series of legislation needs to be put so as to prevent it and for holistic growth and development.

Reference

Global Innovation Index 2022, World Intellectual Property Organization, available at https://www.wipo.int/edocs/pubdocs/en/wipo_pub_2000_2022/in.pdf, last seen on 26/08/2023

 Year-End Review -2022: Department of Science & Technology, Press Information Bureau, available at https://pib.gov.in/PressReleasePage.aspx?PRID=1886528#:~:text=India%20occupies%203rd%20rank%20in,(107)%20in%20the%20world, last seen on 26/08/2023

 Henry Campbell Black, Black’s Law Dictionary, pg. 443, (9 ed. Thomson Reuters: Minneapolis-St. Paul 2001)

 Ministry of Home Affairs, Government of India, Crime in India 2021, available at https://ncrb.gov.in/sites/default/files/CII%202020%20Volume%202.pdf, last seen on 26/08/2023

S. 3, The Digital Personal Data Protection Act, 2023

 S. 43(h), The Information Technology Act, 2000

 S. 43A, The Information Technology Act, 2000

 S. 65, The Information Technology Act, 2000 

 Section 66A has been removed by the virtue of Supreme Court’s Order on 24th March, 2015 in the landmark judgement of Shreya Singhal vs. Union of India, AIR 2015 SC. 1523

 Article 19(1)(a), The Constitution of India, 1947

 Article 19 (2), The Constitution of India, 1947

S. 66 C, The Information Technology Act, 2000

 S. 66 D, The Information Technology Act, 2000

 S. 66 F, The Information Technology Act, 2000

 S. 419, Indian Penal Code, 1860

S. 70 B, The Information Technology Act, 2000

  Central Public Procurement Portal, Government of India, The Information Technology (Amendment) Act, 2008, available at https://eprocure.gov.in/cppp/rulesandprocs/kbadqkdlcswfjdelrquehwuxcfmijmuixngudufgbuubgubfugbububjxcgfvsbdihbgfGhdfgFHytyhRtMTk4NzY=, last seen on 26/08/2023

 S. 2(i), The Digital Personal Data Protection Act, 2023

 S. 2(j), The Digital Personal Data Protection Act, 2023

 S. 2(t), The Digital Personal Data Protection Act, 2023

 S. 2(u), The Digital Personal Data Protection Act, 2023

 Ministry of Electronics and Information Technology, Government of India, available at https://www.meity.gov.in/writereaddata/files/downloads/National_cyber_security_policy-2013%281%29.pdf, last seen on 26/08/2023

 Raphael Satter, U.S. court: Mass surveillance program exposed by Snowden was illegal, Reuters, available at   https://www.reuters.com/article/us-usa-nsa-spying-idUSKBN25T3CK, last seen on 26/08/2023

 National Cyber Security Strategy, Dristi Ias, available at https://www.drishtiias.com/daily-news-analysis/national-cyber-security-strategy-1, 

 National Cyber Security Policy Recent Update, Objectives, Main Components and Cyber Security in India, Testbook, available at https://blogmedia.testbook.com/blog/wp-content/uploads/2022/10/national-cyber-security-policy-63f0f195.pdf, last seen on 26/08/2023

 Nadeem Inamdar, ‘National Cyber Security Strategy 2023 to be released soon’, available at https://www.hindustantimes.com/cities/pune-news/national-cyber-security-strategy-2023-to-be-released-soon-101686596627065.html, last seen on 26/08/2023

 Ministry of Electronics and Information Technology, Government of India, CERT-In Annual Report (2021), available at https://www.cert-in.org.in/Downloader?pageid=22&type=2&fileName=ANUAL-2022-0001.pdf, last seen on 26/08/2023

 PHISHING Definition & Legal Meaning, The Law Dictionary, available at https://thelawdictionary.org/phishing/, last seen on 26/08/2023

 National Association of Software and Service Companies v. Ajay Sood, (2005) 119 DLT 596.

BANKWISE ATM/POS/CARD STATISTICS, Reserve Bank of India, available at https://www.rbi.org.in/Scripts/ATMView.aspx?atmid=148, last seen on 26/08/2023

 ENS Economic Bureau, Bank frauds involving cards, internet, cash rise in six months, available at https://indianexpress.com/article/business/banking-and-finance/bank-frauds-involving-cards-internet-cash-rise-in-six-months-8351438/, last seen on 26/08/2023

 Abhishek Kushwaha & Aditi Pali, Identity Theft: Extent and Applicability of Data Protection Laws, Journal of University School of Law and Legal Studies 1, 4 (2020), available at https://indraprasthalawreview.in/wp-content/uploads/2020/10/ggsipu_uslls_ILR_2020_V1-I1-13-aditi_palit-abhishek_kushwaha.pdf, last seen on 26/08/2023

 Diebold Systems Pvt Ltd v. Commissioner of Commercial Taxes, ILR (2005) KAR 2210.

Henry Ajder, Giorgio Patrini, Francesco Cavalli & Laurence Cullen, The State Of Deepfakes: Landscapes, threats, and impact, Deeptrace, available at https://regmedia.co.uk/2019/10/08/deepfake_report.pdf, last seen on 26/08/2023

 Intelligence Community Assessment: Assessing Russia n Activities and Intentions in Recent U.S. Elections, Senate Intelligence Committee, available at https://www.intelligence.senate.gov/sites/default/files/documents/ICA_2017_01.pdf, last seen on 26/08/2023

John Xavier, Deepfakes enter Indian election campaigns, The Hindu, available at https://www.thehindu.com/news/national/deepfakes-enter-indian-election-campaigns/article61628550.ece, last seen on 26/08/2023

 Danny D’Cruze, AI Scam Alert! Scammer steals over Rs 5 crore from a man using his friend’s face, Business Today, available at https://www.businesstoday.in/technology/news/story/ai-scam-alert-scammer-steals-over-rs-5-crore-from-a-man-using-his-friends-face-382379-2023-05-23, last seen on 26/08/2023