Cyber infrastructure has been increasing at an exponential rate ever since its inception. This compound increase in the number of devices connected with the network and the sheer size of the internet presents multiple challenges. As a consequence of exponential pace of increment and giant size of the network, traditional notions of criminal liability are incapable of being applied in their entirety. This problem is further enhanced by the complex interaction between computers and the humans.
In this paper I have established criminal liability for the cyber offences pertaining to divulgence of personally identifiable information. I have shown that such an act attracts all the elements of criminal liability and hence is a criminal offence. For the same, I have primarily proved the fundamental elements of criminal liability. Secondly, I analyse the nature of cyber offences and establish the different types of cyber offences and difficulty in assessing them against the standard parameters of criminal liability. Thereafter I develop the basic understanding of Personally Identifiable Information and assess them against the elements of criminal liability. Using this assessment and the concept of mala in se offences, I argue that the stated offence must be treated as criminal in nature and criminal sanctions must be imposed for the same.
Criminal liability for a Crime
In this chapter I elaborate upon the fundamental elements comprising criminal liability. I will primarily focus on fundamental principles of criminal liability and give a philosophical perspective of liability for a crime. Thereafter I will trace the existence of fundamental tenants of criminal liability in the statutory provisions applicable in India. Lastly I will also look at understanding of the criminal liability developed by way of case laws.
All criminal liability in common law evolves out of the Latin maxim ‘actus non facit reum nisi mens sit rea’, which means that an act is in itself not an offence until the same is not accompanied by a guilty mind. Hence for a crime to be there, there must be an act (actus reus) accompanied with mental element (mens rea) to do the same. Further, the criminal act must directly result in harm or the chain of events originating from the act should directly result into the harm. This principle is called causation. If there is any intervening event, such that it breaks the chain of events which resulted in criminal harm, then the individual committing the act shall not be liable for the harm. This is precisely because harm caused is not a result of the act of that individual, but is the direct result of the intervening event. Thus there are four important tenants of criminal liability. These included actus reus, mens rea, concurrence between the two and causation.
The wrongful criminal action comprises of an act that is criminal in nature, threat to do an act that is criminal in nature, omission to do an act prescribed by law and possession. All the above mentioned actions have some form of physical construct. In fact traditional notion of actus reus is built up on actions taking place in the real world. Further an act is either inherently criminal in nature or is criminal because of being defined such in law. These types of acts are called mala in se and mala prohibita respectively. Acts like murder and grievous hurt are mala in se and acts like doing an act in violation of license norms is mala prohibita. For a criminal liability to exist, actus reus should be coupled with mens rea. This is a must requirement except in the cases of strict liability. Mens rea further comprises of intention, recklessness or criminal negligence.
It’s not just enough to have actus reus couples with mens rea. There must be a direct congruence between the two i.e. criminal intent must be present at the time of commissioning of the criminal act. Along with congruence there must also be direct link between the criminal act and the harm. This causational link means that the resultant harm must be a direct and unobstructed result of the wrongful action.
When all the above mentioned elements are present, a crime is committed and wrongdoer is consequently liable for the act. The only exemption under these circumstances is either because of some justification for the act or an excuse.
Criminal Liability under the IPC
A similar criteria is defined under the Indian penal code for criminal liability. Actus reus is given under definition of various offences. For instance s. 320 of the Indian penal code defines various action that constitute grievous hurt. Similarly, s. 319 defines actions that constitute the offence of hurt. Further, criminal intimidation is defined under s. 506 of the Indian penal code. This is the sections that defines a form of actus reus involving threat to do a criminal harm. Hence, under the Indian penal code, actus reus has been defined as within the definition of the offence. On the other hand mens rea under the penal code is well apparent by the use of words like voluntary, knowingly, intentionally etc. For instance, s. 322 of the Indian Penal Code adds an element of mens rea to the offence of grievous hurt by addition of the word voluntarily along with the offence. A similar approach can be seen in other case of other offences like murder, culpable homicide etc. While the Indian Penal Code does not explicitly mention the term causation, its language makes it fairly clear that the doctrine of causation has been incorporated in the act. For example, under section 304A of the Indian Penal Code, death of the person should be the direct outcome of rash and negligent act of the wrongdoer. A similar pattern is language of the Indian Penal Code may be traced with respect to concurrence of the mens rea with actus reus. All these elements are used in various sections of the Indian Penal Code in order to determine criminal liability. Lastly, even with all these elements present, a wrong dower might be absolved of the criminal liability because of the excuse or justification.
Development of criminal liability by case laws.
A similar pattern has been noticed in the development of such principles by case laws. While statutes pertaining to determination of criminal liability are clear on actus reus, causation and concurrence, mens rea is often a contentious aspect. It is not only difficult to prove mens rea, but often times offences involving some socio-economic offences require for strict liability on part of the offender. Hence, only in the cases wherein statutes explicitly prescribe for not considering mens rea and asserting strict liability on the perpetrator, may the principle of strict liability be applied. According to Justice Subba Rao in M. H. George case, all offences are to be constructed in light of the common law principle of mens rea until the statute explicitly provides otherwise. A similar stand was taken in the case of Nathulal v. State of Madhya Pradesh.
Hence, we may safely conclude that following construct the fundamental elements of criminal liability in India:
- Actus reus or physical element as defined within the statutory definition of the offence.
- Mens rea or mental element as defined by virtue of certain keywords within the statute. Further, a strict liability has to be considered if provided so under the statute.
- Concurrence of actus reus and mens rea and the meaning of causational link are present within the language of statutory definition.
- These ideas apply to both mala in se and mala prohibita offences.
In this chapter I will elaborate upon basic elements of cyber offences. I will be focusing only on computer or internet based offences and not on computer or internet aided offences. This is primarily due to the fact that computer or internet aided offences generally fit well within the traditional framework of criminal liability. It is only the internet and computer based offences that present a challenge to the traditional notions associated with criminal liability.
I will chart out various cyber offences under the Indian Penal Code and the Information technology act. Thereafter, I will chalk out their basic elements of such offences.
Types of cyber offences
There is no one definition of cyber offence. In fact, the Information Technology Act, 2000 does not even define a cyber offence. It simply prescribes for certain actions to be offences under chapter XI. Further offences under Indian Penal Code may also be read in order to determine liability for a crime involving computer or the internet.
There are fundamentally two types of cyber offences. The first are the computer and internet assisted offences. In such cases, traditional crimes are done using computers. While these are not easily physically manifest able, their understanding in terms of criminal liability is well established. Such crimes include Sale of contraband through encrypted network, intellectual property rights violation, copyright violation, revenge porn, fraud schemes and identity theft etc. Such offences are defined under different statutes and thus it becomes easy to determine criminal liability in such instances. Precisely computers are only intermediary in such cases. Hence, except for some instances of problems with fulfilling some elements of actus reus and concurrence, all other elements of criminal liability are fulfilled by such offences.
The second type of offences include the once that use computers as the subject of offence. Such crimes have their part and parcel in the cyber world and are an outcome of the interactions between the computer and other source machines over the internet. Such offences include Hacking for information, banking Frauds, Identity theft, Cyber extortion, divulgence or extraction of personally identifiable information etc. these offences present multiple challenges when viewed from the perspective of traditional notion of criminal liability. For instance an unethical hacker might want to target an individual with a self-propelling worm virus. However, by virtue of its very nature the worm spreads to other devices as well. Under such circumstances, thought the mens rea was only limited to causing harm to the specific victim, it resulted in a larger harm other devices as well. Determination of liability under such circumstances is difficult because the perpetrator never intended to cause harm to other devices. In fact much of the problem under such circumstances arises out of the fact that every single device connected to the internet is the victim and perpetrator at the same time.
Offences under the IPC, NDPS act and other statutes
Under the Indian Penal Code and the Narcotics Drugs and Psychotropic Substances act, following sections have been frequently used in order to punish perpetrators for cyber offences:
|Sr. No.||Offence||Section Applicable|
|1||Sending threatening messages by E-mail||s. 503 IPC|
|2||Word, Gesture or insult the modesty of a woman||s. 509 IPC|
|3||E-mail spoofing||s. 463 IPC|
|4||Forgery for purpose of cheating||s. 468 IPC|
|5||Forgery for purpose of harming reputation||s. 469 IPC|
|6||Criminal intimidation by anonymous communication||s. 507 IPC|
|7||Obscenity||s. 292 IPC|
|8||Theft of computer hardware||s. 378 IPC|
|9||Online Sale of Drugs||NDPS Act|
|10||Online sale of Arms||Arms Act|
|11||Copyright infringement||s. 63|
It is fairly clear that the above mentioned list is not comprehensive and there are multiple other offences possible under different existing statutes. However, the pattern suggests that these are cyber aided offences. These offences had been traditionally committed without aid of any involvement of cyber domain. These offences have a well-established understanding of criminal liability associated with them and computers or internet just functions as a medium.
Offences under the IT Act, 2000 and IT (amendment) Act, 2008
Under the Information Technology Act, following sections have been frequently used in order to punish perpetrators for cyber offences:
|Sr. No.||Offence||Section of the IT act|
|1||Tampering with computer source documents||s. 65|
|2||Hacking with computer systems, Data Alteration||s.66|
|3||Cyber terrorism||s. 66F|
|4||Violation of privacy||s. 66E|
|5||Publishing or Transmitting obscene material in electronic form||s. 67|
|6||Unauthorised access to protected system||s. 70|
|7||Penalty for misrepresentation||s. 71|
|8||Breach of confidentiality and privacy||s. 72|
|9||Publishing false digital signature documents||s. 73|
|10||Publication for fraudulent purpose||s. 74|
|11||Failure to protect personal data||s. 43A|
Multiple other cyber offences are covered under chapter XI of the Information technology act 2000. Further, offences defined under this act involve computers and other devices of similar nature connected to the internet, as both perpetrators and victims of offences. However the fact that such offences take place in their entirety over the virtual space, presents a challenge to the assessment of such offences in terms of criminal liability. Precisely due to this difficult in proving the criminal liability, multiple offences have strict liability prescribed to them and mens rea is not applicable to them. However, such offences only attract civil liability. Other offences that are similar in nature to the ones prescribed under IPC and other above mentioned statutes have a terms like voluntary that prescribe for mens rea.
Hence, cyber offences are fundamentally of two types. Both types, fulfil basic tenants of criminal liability, though after slight modifications.
Personally Identifiable information
Different jurisdictions have different definitions of Personally Identifiable Information (Hereinafter PII). Some definitions of the same are as follows:
- Personally identifiable information (PII), or Sensitive Personal Information (SPI), as used in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
- The term used is more often “personal information”, which may be somewhat broader: in Australia’s Privacy Act 1988 (Cth) “personal information” also includes information from which the person’s identity is “reasonably ascertainable”, potentially covering some information not covered by PII.)
A similar approach is taken by other agencies and Legislations in defining PII. They often have definitions followed by a list of examples at the end. Though this list is not comprehensive, it provides a fair understanding of the kind of information that constitutes PII. In general, the PII laws and regulations indicate towards a definition consisting of the following two basic elements:
- Specific information or a set of information.
- Specific information can indicate to a specific person or a set of information in a specific context can indicate to a specific person.
In the context of India, section 43A defines civil liability for loss of PII, but does not define PII. The PII is defined under the Information Technology Rules, 2011. These rules also define a list of different types of information that either individually or in group constitute personally identifiable information. As per section 43A, if any information of the nature of PII is divulges and wrongful loss is caused to an individual due to the same, such an individual is eligible for compensation. Further the section also states that such liability is imposed when the body corporate is negligent in implementing and maintaining reasonable security practice and procedure. Hence, we can conclude that there are following elements of PII in India:
- Some form of personal information as defined under the IT rules, 2011.
- Such personal information is released in an undesirable manner and results in wrongful loss or wrongful gain to some person.
- Such release of information is due to the inability of corporate body to maintain reasonable security and procedure. (is negligent in implementing the stated procedure).
- Strict liability for offence.
Any offence that fulfils the fundamental elements of criminal liability is to be treated as a criminal offence. As per the IT rules, actus reus of the stated will be release of any information labelled as PII under the rules. Such release must be from the possession or control of the body corporate due to lack of reasonable security practice and procedure on part of such body corporate. Hence, if such information is released, and stated conditions are met, it will be enough to fulfil actus reus element of criminal liability.
Mens rea is not required to be proved for this offence for the language of the section 43A imposes strict liability. However, the fact that this has simply resulted in imposition of civil liability is problematic. This is primarily because violation of an Individual’s privacy is a mala is se crime. Violation of privacy in turn is mala in se because under the constitution’s article 21 and article 19 privacy is an integral part of an Individual’s right to live with dignity and is also important to ensure an individual’s free movement through the territory of India. A similar view with respect to privacy has been taken in multiple other international conventions. Further, these instruments represent the moral epitome of the collective consciousness of human society and thus must be treated as representing those actions which are inherently undesirable. Hence, because violation of privacy of an individual is morally undesirable in all domains, it must be treated as mala in se and perpetrator must be criminally liable. In order to determine presence of mens rea in the corporate body, the test of directing will and mind for corporate criminal liability must be used.
Lastly, causational link exist between mens rea and actus reus because loss or harm to an individual due to divulged information is a direct consequence of inability of body corporate to take prescribed care. Further, the concurrence between the two is clear because inability to care results in contemplable loss.
Hence, as all the elements of criminal liability are satisfied by the cyber offence pertaining to PII, it should be treated as criminal offence with consequences of similar gravity.
Criminal liability for any offence depends on presence of fundamental tenants of criminal liability in that offence. These tenants include mens rea, actus reus, concurrence between the two and a causational link between the act and the harm. Further, cyber offences are the ones that either involve computers or other devices of similar nature connected to the internet. There are offences only limited to cyber domain or offences using cyber domain as assistance for committing traditional offences. However, because of their typical nature, cyber offences present a challenge to traditional notions associated with criminal liability.
In the light of the above given assertions, I have established in the paper that cyber offence pertaining to the divulgence of Personally Identifiable Information (PII) satisfy all the basic elements of criminal liability and hence must carry criminal sanctions along with it. The paper shows that divulgence of PII is in fact a mala in se offence and hence must attach criminal sanctions of equivalent gravity. Further challenges to the domain of liability for criminal offences pertaining to PII are imposed by newer technology advancements like reconstruction algorithms. Such algorithms collect personal data about an individual’s online behaviour and use the same for reconstructing that individual’s identity. An attempt has been made to deal with such issues in jurisdictions like japan and California However such attempts are limited and don’t impose criminal liability upon the perpetrators.
Major challenges in determining the criminal liability for cyber offences in future shall evolve because of increasing interactions between devices and algorithms. These hybrid systems will be missing any human element and this will present entirely new set of challenges to the traditional notions of criminal liability.
 E. Coke, Manuscript on Criminal law, folio 10 (1600).
 M. S. Moore, Causation and Responsibility: An Essay in Law, Morals and Metaphysics, 3-20 (2009).
 D. J. Baker, Glanville Williams Textbook of Criminal Law, 112 (2012).
 Id. at 117.
 Id. at 167.
 Id. at 196.
 M. Corrado, Is there an act requirement in criminal law?, 142(5) University of Pennsylvania Law Review 1529, 1530 – 1534.
 M. L. Travers, Mistake of law in Mala Prohibita Crimes, 67(3) The University of Chicago Law Review 1301, 1309 (1995).
 Id. at 1303.
 Coke, supra note 1, at 10.
 R. A. Duff, Answering for Crime: Responsibility and Liability in the Criminal law, 230 (2007).
 C. M. V Clerkson, Understanding Criminal Law, 156 (2005).
 J. F. Stephen, A history of Criminal Law of England Vol. II, 134 (2014).
 K. Greenawalt, The perplexing Borders of justification in Justification and Excuse in the Criminal Law341,344 (M. L. Corrado, ed., 1994).
 Sec. 121 – Sec. 510, Indian Penal Code, 1860.
 Section 300, Indian Penal Code, 1860.
 Section 299, Indian Penal Code, 1860.
 Section 76 to section 95, Indian Penal Code, 1860.
 Section 96 to section 106, Indian Penal Code, 1860.
 W. L. Eskridge, Dynamic Statutory Interpretation, 275 (1994).
 Brent v. Wood,  175 LT 306 (House of Lords).
 State of Maharashtra v. M. H. George, 1965 AIR 722 (Supreme Court of India).
 Nathulal v. State of Madhya Pradesh AIR 1966 SC 43 (The Supreme Court of India).
 Chapter XI, Information Technology Act, 2000.
 S. W. Brenner, Cybercrime: Criminal Threats from Cyber Space, 21 (2010).
 J. Clough, Principles of Cyber Crime, 46 (2010).
 Brenner, supra note 29, at 21.
 Clough, supra note 30, at, 46.
 Brenner, supra note 29, at 21.
 Brenner, supra note 29, at 21.
 Clough, supra note 30, at, 53.
 Clough, supra note 30, at, 56.
 Brenner, supra note 29, at 63.
 Narcotic Drugs and Psychotropic Substances Act, 1985.
 Arms Act, 1959.
 Section 63, Copyright Act, 1957.
 Information Technology Act, 2000; Information Technology (Amendment) Act, 2008.
 Section 43A, Information Technology (Amendment) Act, 2006.
 Section 43, 44 and 45 of the Information Technology Act, 2000.
 S. V. Joga Rao, Law of Cyber Crime and Information Technology Law, 157 (2004).
 Section 2 (l), The Privacy Act, 2011. (California, USA)
 Section 2 (f), Privacy Act, 1988. (Australia)
 European Union Directive on Privacy data, 1995 European Data Directive 95/46/EC, 1995; E. McCallister, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) at National Institute of Standards and Technology (2010).
 Section 43A, Information technology (Amendment) Act, 2008.
 The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
 M. L. Travers, Mistake of law in Mala Prohibita Crimes, 67(3) The University of Chicago Law Review 1301, 1309 (1995).
 Section 43A, Information Technology (Amendment) Act, 2008.
 Article 21, The Constitution of India, 1950.
 Article 19, The Constitution of India, 1950.
 Govinda v. State of Madhya Pradesh, 1975 AIR 1378 (The Supreme Court of India); Meneka Gandhi v. Union of India, 1978 AIR 597 (The Supreme Court of India).
 Article 12, Universal Declaration of Human Rights, 1948; Article 17 of the International Convent on Civil and political rights.
 Standard Chartered Bank v. Director of enforcement, AIR 2005 SC 2622 (The Supreme Court of India); DPP v. Kent and Sussex Contractors ltd., (1944) 1 All E.R.119 (Privy Council); Meridian Gold Fund Management v. Securities Commission,  3 All ER 918 (Privy Council).
 Available at https://www.cis.upenn.edu/~aaroth/Papers/privacybook.pdf (Last visited on April 14, 2016).
 B. Hostetler, 2015 Compendium on Data Privacy Law, 106 (2015)