Cyber Law & Cyberspace
Major Areas Covered
- Cybercrimes: Laws relating to hacking, phishing, cyberstalking, online harassment, and financial fraud.
- Data Protection and Privacy: Rules that safeguard personal data and ensure responsible collection and use.
- Intellectual Property Rights (IPR): Protection for digital content, software, music, videos, and online publications.
- Electronic Commerce: Regulations governing online transactions, digital contracts, and consumer protection.
- Digital Signatures and Authentication: Legal validity of e-signatures for online identity verification.
- Cybersecurity Regulations: Policies and standards for protecting systems and networks from cyber threats.
The main objective of cyber law is to create a safe and regulated digital environment.
5 Key Objectives
- Prevent and Punish Cybercrimes: Ensures illegal online activities like hacking, fraud, identity theft are identified, controlled, and punished. Discourages criminals and protects users from harm.
- Protect Individual Privacy and Data: Safeguards personal information shared online (passwords, bank details, private messages). Ensures organizations handle data responsibly.
- Regulate Online Activities Fairly: Ensures all digital interactions follow legal rules, prevents misuse of technology, promotes ethical behavior.
- Promote Trust in Digital Transactions: Gives legal validity to electronic documents, digital signatures, and online payments. Builds confidence among users and businesses.
- Ensure a Safe Digital Environment: Enforces cybersecurity standards, prevents cyberattacks, and protects digital infrastructure for users, businesses, and governments.
10 Contract Aspects
- Legal Recognition of E-Contracts: Electronic contracts are treated the same as traditional paper contracts. "Click to accept," email exchanges, and online forms are enforceable by law.
- Offer and Acceptance Online: Clicking "I Agree," "Submit," or "Buy Now" counts as valid acceptance. Automated responses serve as proof of agreement.
- Digital Signatures: Legally recognized as valid; authenticate identity of parties and ensure contract integrity.
- Authentication and Verification: OTPs, passwords, digital certificates, Aadhaar-based e-signing verify identities and reduce fraud.
- Electronic Records as Evidence: Emails, digital receipts, logs, and chat records can support contract disputes in court.
- Types of Online Contracts: Click-wrap, Browse-wrap, Shrink-wrap agreements, and service/subscription agreements.
- Consumer Protection: Prevents unfair terms, protects buyer rights in case of fraud, ensures transparency in pricing and warranties.
- Jurisdiction Issues: Addresses which court handles disputes when parties are in different states/countries.
- Security and Confidentiality: Encryption of data in transit, secure payment gateways, and a published privacy policy are required by law or sector regulation for most online contracts (for example, payment-card rules for card transactions and data-protection law for personal data).
- Liability and Enforcement: Defines responsibilities of each party; consequences of violating online contract terms.
Types of Electronic Agreements
- Click-wrap: User explicitly clicks "I Agree" — courts uphold these due to explicit consent.
- Browse-wrap: Terms provided via hyperlink; use of website deemed acceptance — more legally contentious.
- Shrink-wrap: Terms inside product packaging; acceptance by opening package or installing software.
5 Key Security Aspects
- Defining and Punishing Cybercrimes: Makes hacking, malware, DDoS, phishing, and data theft illegal and punishable.
- Mandatory Security Rules for Businesses: Organizations must implement "reasonable security practices" such as firewalls, encryption, strong authentication (MFA), and regular audits. In India the SPDI Rules 2011 (under Section 43A of the IT Act) name ISO/IEC 27001 as one standard that satisfies this requirement; many other regulators also use it as a benchmark.
- Handling Security Breaches: Mandatory reporting. CERT-In's 2022 directions require reporting within 6 hours of noticing an incident in India; GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a breach, and affected individuals without undue delay when the risk to them is high. Businesses must preserve logs and other forensic evidence.
- Protecting Critical Information Infrastructure: Special protections for power grids, banking systems, military networks, and transportation systems.
- Accountability and Penalties: Fines, legal action, and jail time for companies/individuals who break security laws.
Intellectual Property (IPR) Aspects
- Copyright in Digital Content: Protects software, e-books, articles, images, videos from piracy and unauthorized streaming.
- Software Piracy Prevention: Copying/distributing software without license is illegal; covers apps, OS, source code.
- Trademark Protection: Prevents cybersquatting (registering brands as domain names) and passing off.
- Patents for Digital Inventions: New algorithms, software-based processes may be patentable.
- Protection Against Plagiarism: Copying website/blog content without permission is a violation.
- Licensing and Terms of Use: E-contracts define how digital content can be used; enforces Creative Commons and software licenses.
- Digital Rights Management (DRM): Technological tools preventing unauthorized copying of digital media.
Evidence (Digital Evidence) Aspects
- Legal Recognition of Electronic Records: Emails, texts, digital logs, CCTV footage, metadata, and social media posts are legally valid.
- Admissibility of Digital Evidence: Must be authentic, reliable, untampered, and properly collected. In India, a certificate under Section 65B of the Indian Evidence Act (now Section 63 of the Bharatiya Sakshya Adhiniyam, 2023) is required for electronic records.
- Chain of Custody: Documenting who handled digital evidence, when, and where; mandatory for admissibility.
- Forensics and Log Preservation: Server logs, login records, transaction trails must be maintained.
- Authenticity via Hash Values, Digital Signatures, Timestamps: Proves evidence was not changed.
- Search and Seizure: Law enforcement can seize computers, phones, hard drives with warrants.
- Expert Testimony: Cyber forensic experts explain IP addresses, malware behavior, server logs to court.
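The "hash values and timestamps" point above is easiest to see in code. The following is an added example, not part of the original notes: an acquisition manifest records the SHA-256 of each evidence item, a later check re-hashes whatever is presented and reports items that changed or went missing, and the chain-of-custody log is hash-linked so that editing an earlier hand-over invalidates every later entry. The file names, contents and custody events are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest: the 'hash value' attached to each evidence item."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(items: dict, examiner: str) -> dict:
    """Record one hash per evidence item, who acquired it and when (UTC)."""
    return {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "items": {name: sha256_hex(data) for name, data in items.items()},
    }


def verify_manifest(manifest: dict, items: dict) -> dict:
    """Re-hash the items presented now and compare with the manifest.

    Returns {name: 'ok' | 'modified' | 'missing' | 'unlisted'}.
    """
    status = {}
    for name, expected in manifest["items"].items():
        if name not in items:
            status[name] = "missing"
        elif sha256_hex(items[name]) != expected:
            status[name] = "modified"
        else:
            status[name] = "ok"
    for name in items:
        if name not in manifest["items"]:
            status[name] = "unlisted"  # material nobody recorded acquiring
    return status


def append_custody(log: list, actor: str, action: str, when: str) -> list:
    """Append a chain-of-custody entry that commits to the previous entry.

    Each entry stores the hash of the entry before it, so removing or
    editing an earlier hand-over changes every later link.
    """
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"actor": actor, "action": action, "when": when, "prev_hash": prev}
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    return log + [entry]


def verify_custody(log: list) -> bool:
    """True if every entry hashes to its stored value and links to its predecessor."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


# Constructed sample evidence (not real logs or mail)
EVIDENCE = {
    "auth.log": b"2024-03-01T10:00:01Z sshd: Accepted password for alice from 203.0.113.5\n",
    "invoice.eml": b"From: billing@example.test\nSubject: Overdue invoice\n",
}


def demo() -> dict:
    manifest = build_manifest(EVIDENCE, examiner="examiner-1")
    tampered = dict(EVIDENCE)
    tampered["auth.log"] = tampered["auth.log"].replace(b"alice", b"bob")
    log = append_custody([], "examiner-1", "acquired", "2024-03-01T11:00:00Z")
    log = append_custody(log, "evidence-room", "stored", "2024-03-01T12:30:00Z")
    edited = [dict(e) for e in log]
    edited[0]["actor"] = "someone-else"  # rewrite history after the fact
    return {
        "clean": verify_manifest(manifest, EVIDENCE),
        "tampered": verify_manifest(manifest, tampered),
        "custody_ok": verify_custody(log),
        "custody_edited_ok": verify_custody(edited),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A real workflow would also sign the manifest (or have it timestamped by a third party) so that the examiner cannot silently regenerate it; the hash alone proves the item did not change after acquisition, not who acquired it.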
Categories of Cybercrime
- Computer as a Target: Digital system is the primary victim (hacking, malware).
- Computer as a Weapon: Traditional crimes committed using a computer (fraud, theft).
Key Criminal Offenses
- Hacking / Unauthorized Access: Illegally accessing computer systems or networks without permission.
- Malware Distribution: Creating/distributing viruses, worms, ransomware, Trojans.
- DoS/DDoS Attacks: Overwhelming networks to make services unavailable.
- Identity Theft and Impersonation: Fraudulently using another person's credentials.
- Online Fraud and Financial Crimes: Phishing, credit card fraud, business email compromise.
- Cyberstalking and Harassment: Using email/social media to threaten or intimidate.
- Publishing Obscene Content: Transmitting pornography, child sexual abuse material (severe penalties).
- Tampering with Computer Source Documents: Knowingly concealing, destroying, or altering computer source code that is required by law to be kept or maintained (IT Act, Section 65).
- Cyberterrorism: Digital means to threaten national security — punishable by life imprisonment in some jurisdictions.
- Growth of Internet and Digital Communication: Millions of Indians use computers, smartphones, email, and social media — laws are essential to govern digital activities safely.
- Increase in Cybercrimes: Hacking, fraud, phishing, data theft, cyberbullying have grown rapidly; cyber laws define offenses and provide punishments.
- Legal Recognition for Electronic Transactions: IT Act 2000 gives legal validity to e-contracts, e-signatures, and electronic records for e-commerce and online banking.
- Protection of Personal Data and Privacy: Ensures companies handle data responsibly, users' privacy is protected, and organizations follow security standards.
- Promoting E-Commerce and Digital Payments: Provides secure legal foundation for online shopping, digital wallets, and online banking.
- Securing Critical Information Infrastructure: Protects banking networks, telecom, power grids, and government databases from cyberattacks.
- Regulation of Online Content: Controls cyberbullying, hate speech, fake news, obscene content, and social media misuse.
- International Collaboration: Enables cooperation with global agencies to track cross-border cybercriminals.
- Supporting Digital India: Strong cyber laws ensure Digital India projects (e-governance, online services) run smoothly and securely.
- Strengthening National Security: Protects against espionage, terrorism, and cyber warfare.
Cyberspace refers to the virtual environment created by computers, digital networks, and the internet — the entire "digital world" where people communicate, share information, and perform online activities.
Webspace is a specific part of cyberspace that contains websites and web pages accessible through the World Wide Web.
| Cyberspace | Webspace |
|---|---|
| Entire digital world created by computers and networks | A part of cyberspace containing websites |
| Includes emails, apps, social media, games, databases | Refers only to content on the World Wide Web |
| Broader concept | Narrower concept |
| Exists electronically, includes all online activities | Includes websites, web pages, blogs, online stores |
Web Hosting Agreement
A legal contract between a web hosting service provider and a client to host their website on the provider's servers.
- Services Provided: Server space, bandwidth, storage, database access, email services.
- SLA (Service Level Agreement): Uptime guarantees (e.g., 99.9%), response time for technical support.
- Payment Terms: Hosting fees, renewal charges, additional costs.
- Security and Data Protection: Backup policies, responsibility for data loss or breaches.
- Ownership and IP: Client retains ownership of content; provider manages storage and access.
- Termination Clause: Conditions for terminating the agreement.
- Liability and Indemnity: Limits on provider's responsibility for downtime, data loss, or hacking.
Web Development Agreement
A legal contract between a web developer and a client for creating a website or web application.
- Scope of Work: Design, development, coding, database integration, testing, deployment.
- Timeline and Delivery: Project start date, milestones, and final delivery date.
- Payment Terms: Total cost, installment structure, penalties for delays.
- Ownership and IP: Client usually owns the website after full payment; developer may retain non-exclusive components.
- Confidentiality: Developer must keep client information and source code confidential.
- Maintenance and Support: Post-deployment support and bug fixes.
- Termination Clause and Liability/Warranties.
Legal Significance
- Intellectual Property Protection: Domain names are linked to brand names/trademarks. Laws protect against cybersquatting and typosquatting.
- Business Identity and Reputation: Serves as a company's digital identity; legal protection prevents impersonation and fraud.
- Dispute Resolution: Courts and dedicated processes resolve ownership conflicts: ICANN's UDRP for generic top-level domains (international) and NIXI's INDRP for .in domains (India).
- Enforceability of Contracts: Domain names can be part of licensing, website, or IP contracts.
Technological Significance
- Easy Website Access: User-friendly names replace numeric IP addresses (e.g., www.example.com rather than an address such as 203.0.113.10).
- DNS (Domain Name System): Maps domain names to IP addresses so computers can locate websites.
- Internet Navigation: Essential for search engines, URL structuring, and web hosting.
- Security: Domain names are what TLS (formerly "SSL") certificates and HTTPS bind to; the browser verifies that the server holds the key certified for the domain shown. This does not by itself stop phishing, since attackers can obtain valid certificates for look-alike domains, so the domain itself still has to be checked.
- Branding and Digital Marketing: Memorable domain names improve online visibility and help users identify and trust a business.
The internet is a global network that connects millions of devices worldwide and acts as a powerful tool for accessing information, services, and communication across borders.
- Access to Information: Instant access to vast amounts of information — online encyclopedias, research articles, news websites, and government portals.
- Communication Across Borders: Email, social media, messaging apps, and video calls enable instant global communication without physical travel.
- E-Commerce and Business Expansion: Companies sell products internationally; small businesses reach global customers.
- Online Education and Collaboration: Online courses, webinars, distance learning programs enable global education access.
- Access to Government and Health Services: e-Governance (taxes, licenses), telemedicine, and online health consultations.
- Cultural Exchange and Awareness: Sharing cultures, languages, and ideas; connecting with different global communities.
- Social and Political Awareness: Global discussions, social campaigns, and diverse news perspectives.
Cybercrime & Cyber Ethics
Two Main Categories
- Computer as a Target: Crimes where the digital system itself is the victim — e.g., hacking, malware attacks, DDoS attacks.
- Computer as a Weapon/Tool: Traditional crimes committed or facilitated using a computer — e.g., online fraud, cyberstalking, identity theft.
Four Major Categories
- Crimes Against Individuals: Cyberstalking, identity theft, harassment, online defamation.
- Crimes Against Property: Hacking, software piracy, IPR violations, data theft.
- Crimes Against Organizations: Corporate espionage, unauthorized access to business systems, phishing employees.
- Crimes Against Society/Government: Cyberterrorism, spreading obscene content, threatening national security.
- 1960s–70s – Phone Phreaking: Early hackers ("phreakers") manipulated telephone systems to make free calls, exploiting system weaknesses. John Draper (Captain Crunch) is a famous example.
- 1980s – PC Viruses and BBS Hacking: First computer viruses appeared (e.g., Brain virus, 1986). Hackers used bulletin board systems (BBS) to share malicious code. The Morris Worm (1988) caused widespread internet disruption.
- 1990s – Internet Explosion: The World Wide Web enabled new forms of cybercrime — online fraud, spam, piracy, and the first phishing attacks. The "419" or advance-fee fraud became widespread.
- 2000s – Organized Cybercrime: Cybercrime shifted from individual hackers to organized criminal gangs motivated by financial gain. Botnets, ransomware, and large-scale data breaches emerged.
- 2010s–Present – Sophisticated Attacks: Nation-state cyberattacks (e.g., Stuxnet worm), advanced persistent threats (APT), AI-powered attacks, and social media manipulation campaigns.
- Protecting Individual Privacy: Cybercrime exposes personal data (passwords, financial info, medical records). Prevention safeguards individuals from identity theft and harassment.
- Economic Security: Cybercrime costs billions annually through financial fraud, ransomware, and corporate espionage. Businesses suffer loss of revenue, customer trust, and operational disruption.
- National Security: Cyberattacks on critical infrastructure (power grids, defense systems, banking) can paralyze a country. Prevention is essential for national sovereignty.
- Digital Trust: E-commerce, online banking, and digital governance require trust. Cybercrime erodes user confidence in digital systems.
- Protecting Vulnerable Groups: Children, elderly, and less tech-savvy individuals are frequent targets of online fraud and exploitation.
- Maintaining Social Order: Cybercrime activities like hate speech, misinformation, and harassment disturb social harmony and democratic institutions.
- Cyberstalking: The use of electronic communications to repeatedly harass, threaten, or intimidate a person. Common behaviors include monitoring social media, sending threatening messages, and tracking location. Types: email stalking, web stalking, computer stalking.
- Phishing Attack: A social engineering attack where criminals send deceptive emails or create fake websites to steal sensitive information (passwords, bank details). Types: Spear phishing (targeted), Whaling (targeting executives), Vishing (voice phishing), Smishing (SMS phishing).
- Email Spoofing: Forging the sender's email address to make the message appear as if it came from a trusted source. Used to spread malware, conduct phishing, or commit fraud.
- Computer Vandalism: Deliberately damaging or destroying computer data, systems, or networks. Includes defacing websites, deleting files, or corrupting data, typically for disruption rather than financial gain.
- Spamming: Sending large volumes of unsolicited electronic messages (email, SMS, social media) for commercial, fraudulent, or malicious purposes. Clogs networks and may carry malware.
- DDoS (Distributed Denial of Service) Attack: Overwhelming a server, network, or website with traffic from multiple compromised computers (botnet) to make it unavailable to legitimate users.
- Defamation and Cyber Defamation: Making false statements that damage someone's reputation. Cyber defamation occurs online (social media, websites, forums). Essential elements: false statement, publication, damage to reputation, and intent.
- Intellectual Property Crimes: Violations of copyright, trademark, or patent online — including software piracy, illegal streaming, counterfeit goods, and plagiarism.
- Password Sniffing: Using software tools (sniffers) to intercept and capture network packets containing passwords and sensitive data as they travel across a network. Works by monitoring unencrypted traffic (e.g., HTTP, FTP).
- Polymorphic Virus: Changes its code every time it replicates to evade antivirus detection. Uses encryption and mutation engines to alter its signature while keeping its core functionality intact.
- Stealth Virus: Actively conceals itself from antivirus software and the OS. Intercepts system calls and returns false information about file sizes, modification dates, and memory usage to avoid detection.
- Fast Infector: Infects as many files as possible, as quickly as possible. The burst of file modifications makes it easier for antivirus software to notice, but damage spreads fast before it is caught.
- Slow Infector: Infects very few files at a time or only when files are created or modified. Designed to be so subtle that it goes undetected for long periods, making it hard to identify the source of infection.
- Webjacking: An attacker takes unauthorized control of a website by hacking into the web server, stealing credentials, or exploiting vulnerabilities. The attacker may deface the site, redirect traffic, or use it to serve malware.
- Clickjacking: A UI redress attack where a malicious page overlays a transparent frame over a legitimate page. The victim thinks they're clicking something legitimate but actually clicks a hidden malicious button or link. Example: Clicking "Play" on a video actually triggers a "Share" or "Purchase" button.
- Likejacking: A form of clickjacking on social media where victims unknowingly "like" a page or post, spreading the attack virally.
- Cursor Jacking: Displaces the user's cursor so the user thinks they are clicking in one place but are actually clicking in another — used to hijack interactions on sensitive pages.
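Clickjacking, likejacking and cursor jacking all depend on one thing: the victim page must be loadable inside an attacker's frame. Browsers refuse that when the response carries `X-Frame-Options: DENY`/`SAMEORIGIN` or a Content-Security-Policy `frame-ancestors` directive (which takes precedence when both are present). The following is an added example, not part of the original notes: it classifies a response's framing protection from its headers and decides whether a given origin could frame the page. The header sets are constructed; the `frame-ancestors` matcher is simplified to `'none'`, `'self'` and exact origins (no wildcard hosts), and the obsolete `ALLOW-FROM` value is treated as no protection because current browsers ignore it.

```python
def frame_ancestors(csp: str):
    """Return the source list of the CSP frame-ancestors directive, or None if absent.

    An empty source list is treated like 'none', as the CSP spec requires.
    """
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_protection(headers: dict) -> str:
    """Classify as 'blocked', 'same-origin-only', 'allowlist' or 'unprotected'."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:  # CSP present: browsers ignore X-Frame-Options
        if not sources or sources == ["'none'"]:
            return "blocked"
        if sources == ["'self'"]:
            return "same-origin-only"
        return "allowlist"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin-only"
    return "unprotected"  # missing, malformed, or the dropped ALLOW-FROM form


def can_frame(headers: dict, page_origin: str, framer_origin: str) -> bool:
    """Would a page served with these headers load in a frame hosted on framer_origin?"""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = page_origin.lower().rstrip("/"), framer_origin.lower().rstrip("/")
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        allowed = set()
        for src in sources:
            if src == "'self'":
                allowed.add(page)
            elif src != "'none'":
                allowed.add(src.rstrip("/"))  # simplification: exact origins only
        return framer in allowed
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    return True


# Constructed sample responses from a hypothetical https://bank.example
SAMPLES = {
    "no headers": {},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "csp self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "allow-from only": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def demo() -> dict:
    return {
        name: (framing_protection(hdrs),
               can_frame(hdrs, "https://bank.example", "https://evil.example"))
        for name, hdrs in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (cls, framable_by_attacker) in demo().items():
        print(f"{name:16} {cls:17} attacker can frame: {framable_by_attacker}")
```

The second tuple element in `demo()` is the practical answer: only the first and last samples let an arbitrary origin frame the page, and those are the responses a clickjacking overlay can be built on.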
Phases of a Strategic Cyber-Attack
- Reconnaissance (Information Gathering): Passive reconnaissance — scanning public information, social media, and domain records. Active reconnaissance — probing network systems, identifying open ports, and vulnerabilities. Goal: collect maximum intelligence about the target.
- Scanning: Deep scanning of the target network to identify live hosts, open ports, OS versions, and running services. Tools: Nmap, Nessus. Helps plan the specific attack vector.
- Gaining Access (Attack Stage): Exploiting identified vulnerabilities — SQL injection, buffer overflow, phishing, malware deployment. The attacker gains initial entry into the target system.
- Maintaining Access: Installing backdoors, rootkits, or remote access trojans (RATs) to keep persistent access without re-exploiting. Often the longest phase in advanced persistent threats (APTs).
- Covering Tracks: Deleting logs, altering timestamps, and removing evidence to avoid detection and forensic analysis.
Types of Social Engineering
- Phishing: Deceptive emails/websites mimicking legitimate organizations to steal credentials.
- Pretexting: Creating a fabricated scenario (pretext) to extract information — e.g., posing as an IT support agent asking for password.
- Baiting: Luring victims with something enticing (free software, USB drives left in public) containing malware.
- Quid Pro Quo: Offering a service (e.g., free IT help) in exchange for information or access.
- Tailgating/Piggybacking: Physically following an authorized person into a restricted area.
- Vishing (Voice Phishing): Phone calls impersonating bank officials, tax agents, or IT support to extract personal information.
- Spear Phishing: Highly targeted phishing using personalized information about the victim.
How Botnets Work
- Attacker distributes malware via phishing, downloads, or vulnerabilities.
- Infected devices ("bots" or "zombies") connect to a Command and Control (C&C) server.
- The bot herder issues commands to all infected devices simultaneously.
- Bots execute commands without the owner's knowledge.
Uses of Botnets
- DDoS attacks — overwhelming servers with traffic
- Sending spam emails at massive scale
- Stealing credentials and financial data
- Cryptocurrency mining (cryptojacking)
- Click fraud — generating fake ad revenue
Prevention
- Regular software and OS updates to patch vulnerabilities
- Strong antivirus and anti-malware solutions
- Network monitoring for unusual traffic patterns
- Disabling unused services and ports
- Takedown of C&C servers by law enforcement
Types of Attack Vectors
- Phishing/Email: Malicious links or attachments in emails trick users into revealing credentials or installing malware.
- Malware: Viruses, trojans, worms, ransomware delivered via downloads, USB drives, or email attachments.
- Unpatched Software Vulnerabilities: Exploiting known security flaws in outdated OS or applications.
- Weak Passwords / Credential Stuffing: Using stolen or brute-forced credentials to access accounts.
- Man-in-the-Middle (MITM): Intercepting communication between two parties to eavesdrop or alter data.
- SQL Injection: Inserting malicious SQL code into web forms to manipulate databases.
- Social Engineering: Psychologically manipulating individuals into divulging information.
- Physical Access: Direct physical access to a device for data theft or installation of malicious hardware.
- IoT Devices: Poorly secured smart devices used as entry points into networks.
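The SQL injection vector above is the one in this list that is best understood by seeing the vulnerable code next to its fix. The following is an added example, not part of the original notes: a login check that splices user input into the SQL text, the same check with bound parameters, and the two classic payloads (comment out the password test, or make the WHERE clause a tautology) run against both. It uses Python's built-in sqlite3 module with a constructed in-memory table; passwords are stored in clear text only so the injection stays visible, which a real system must never do.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the statement by string formatting, so input is parsed as SQL."""
    query = (
        f"SELECT 1 FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the driver passes values separately from the statement,
    so a quote or comment marker in the input is only data."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    conn = setup_db()
    comment_payload = "alice'--"      # closes the quote, comments out the rest
    tautology_payload = "' OR '1'='1"  # turns the WHERE clause into always-true
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "wrong_pw_vulnerable": login_vulnerable(conn, "alice", "nope"),
        "comment_vulnerable": login_vulnerable(conn, comment_payload, "anything"),
        "tautology_vulnerable": login_vulnerable(conn, "alice", tautology_payload),
        "comment_safe": login_safe(conn, comment_payload, "anything"),
        "tautology_safe": login_safe(conn, "alice", tautology_payload),
        "legit_safe": login_safe(conn, "bob", "battery-staple"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22} login accepted: {accepted}")
```

With the vulnerable function the resulting text for the comment payload is `SELECT 1 FROM users WHERE username = 'alice'--' AND password = 'anything'`, and everything after `--` is a comment, so the password is never checked. The safe version sends the same bytes as a bound value and the lookup simply fails.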
Key Features
- Decentralization: No central authority; distributed across many nodes.
- Immutability: Once a block is added, changing it breaks the hash link of every later block, so a change cannot take effect unless the network's consensus accepts the rewritten chain.
- Transparency: All transactions are visible to participants (public chains).
- Smart Contracts: Self-executing code that runs automatically when conditions are met.
- Cryptographic Security: Each block is secured with hash functions linking to the previous block.
Ethical Implications
- Privacy vs Transparency: Public blockchains expose transaction history, creating tension with privacy rights.
- Energy Consumption: Proof-of-Work (Bitcoin) consumes enormous electricity — environmental ethical concern.
- Illicit Activities: Cryptocurrency used for dark web transactions, ransomware payments, and money laundering.
- Governance: Lack of regulation allows exploitation; need for responsible governance frameworks.
- Inclusion/Exclusion: Access barriers may exclude less technologically advanced populations.
- Transparency: AI systems should be explainable and understandable. Users should know when they are interacting with AI and how decisions are made ("Explainable AI").
- Fairness and Non-Discrimination: AI must not exhibit bias based on race, gender, religion, or other protected characteristics. Training data and algorithms must be audited for bias.
- Privacy and Data Protection: AI systems must respect user privacy, handle personal data responsibly, and comply with data protection laws (GDPR, DPDPA).
- Accountability: There must be clear responsibility for AI decisions and outcomes. Developers, deployers, and organizations must be held liable for AI behavior.
- Safety and Robustness: AI systems must be reliable, secure, and resistant to manipulation or adversarial attacks. They must not cause physical, psychological, or societal harm.
Role of Cyber Ethics in Society
- Promotes Responsible Online Behavior: Encourages users to respect others' privacy, intellectual property, and digital rights.
- Reduces Cybercrime: Ethical guidelines serve as the first line of defense against hacking, fraud, and harassment — before legal action is needed.
- Builds Digital Trust: Trust is the foundation of e-commerce, online banking, and digital governance. Cyber ethics cultivates this trust.
- Protects Vulnerable Groups: Ethical norms protect children, elderly, and marginalized communities from exploitation online.
- Guides Professional Conduct: IT professionals, developers, and organizations follow ethical codes to ensure systems serve society's best interests.
- Informs Policy and Law: Ethical debates shape the development of cyber laws and regulations.
- Promotes Equality and Inclusion: Ethics demands fair access to technology and combating digital divide.
- Privacy: Protecting personal data and respecting individuals' right to control their own information in digital spaces.
- Property: Respecting intellectual property rights — copyright, patents, trademarks — and not stealing or plagiarizing digital content.
- Piracy: Refusing to engage in unauthorized copying or distribution of software, music, videos, or other digital content.
- Plagiarism: Giving proper credit to original creators and not presenting others' work as one's own.
- Password: Maintaining security through strong, unique passwords and never sharing credentials with others.
- Phishing: Being vigilant against deceptive communications and not participating in or falling victim to phishing schemes.
- Professional Responsibility: IT professionals must act in the best interests of users, society, and the profession, following ethical codes of conduct.
- Personally Identifiable Information (PII): Handling names, emails, addresses, and financial data with care and legal compliance.
- Policy: Following organizational, national, and international policies that govern digital behavior and cybersecurity.
OS Level Vulnerabilities
Fragmented Android ecosystem means many devices run outdated OS versions with unpatched security flaws. Even iOS faces jailbreak exploits.
Mobile Application Attacks
Malicious apps on third-party stores or disguised as legitimate apps can steal data, install spyware, or gain device permissions.
Communication-level Attacks
Man-in-the-middle attacks on unsecured Wi-Fi, SMS-based attacks (SMiShing), Bluetooth vulnerabilities (Bluejacking, Bluesnarfing).
Malware Growth in Mobiles
Exponential growth of mobile-specific malware including banking trojans, adware, and ransomware targeting Android devices.
Storage Security
Unencrypted local storage of sensitive data; insecure SD card data; risk of data exposure if device is lost or stolen.
Mobile Browsing Risks
Drive-by downloads, malicious QR codes, and browser exploits targeting mobile browsers, which show less of the URL and offer fewer visible security indicators than desktop browsers.
Micro Challenges
Battery-based DoS attacks, SIM cloning, IMEI spoofing, and location tracking abuse.
4 Core Strategy Areas
- Mobile Device Management (MDM): Deploy MDM solutions to enforce security policies, remote wipe stolen devices, manage app installations, and monitor device compliance. Tools: Microsoft Intune, VMware Workspace ONE.
- Security Policies and Training: Establish clear BYOD (Bring Your Own Device) policies. Train employees on phishing, safe app downloads, password hygiene, and secure Wi-Fi use. Conduct regular security awareness programs.
- Technical Controls: Enforce device encryption, screen lock PINs/biometrics, VPN for corporate access, disable unnecessary Bluetooth/NFC/Wi-Fi. Implement containerization — separating personal and work data on the same device.
- Incident Response for Mobile Threats: Define procedures for reporting lost/stolen devices, immediate remote lock and wipe protocols, forensic procedures for compromised devices, and integration with the organizational SIEM (Security Information and Event Management) system.
- Crimes Against Individuals: Target specific people — cyberstalking (online harassment/threatening), identity theft (stealing personal info for impersonation), cyber defamation (spreading false statements), cyber bullying, email harassment, and online grooming of minors.
- Crimes Against Property: Target digital or physical property — hacking (unauthorized system access), software piracy (illegal copying of licensed software), IPR violations (copyright infringement, trademark theft), data theft (stealing proprietary business information), and domain hijacking.
- Crimes Against Organizations: Target businesses/institutions — corporate espionage (stealing trade secrets), ransomware attacks (encrypting business data for ransom), phishing employees for credentials, insider threats, and sabotage of IT infrastructure.
- Crimes Against Society/Government: Target the larger public or state — cyberterrorism (disrupting critical national infrastructure), spreading hate speech or communal discord online, publishing obscene content that harms social fabric, and election manipulation through social media disinformation.
The information society is one where information and digital technology play a central role in economic, social, cultural, and political life. Cyber ethics is the moral foundation of this society.
- Foundation of Trust: Without ethical behavior online, no one would trust digital platforms, e-commerce, or digital governance.
- Combating Misinformation: Cyber ethics requires responsible sharing of information — combating fake news, hoaxes, and propaganda that destabilize society.
- Protecting Human Dignity: Ethical norms prevent cyberbullying, hate speech, and exploitation of vulnerable individuals online.
- Enabling Innovation: Ethical frameworks for AI, blockchain, and data analytics enable responsible innovation that benefits society rather than harming it.
- Bridging the Digital Divide: Ethics demands equitable access to digital technology and skills for all sections of society.
- Sustainable Digital Economy: Ethical business practices in data use and digital commerce ensure a sustainable, inclusive digital economy.
- Civic Participation: Cyber ethics enables informed, responsible participation in digital democracy and e-governance.
Data Privacy & Protection
- Massive Data Generation: Every digital interaction generates data — browsing, transactions, social media, IoT devices. This data is valuable and must be protected from misuse.
- Sensitive Nature of Personal Data: Financial records, health information, identity documents, and private communications, if exposed, can cause irreparable harm to individuals.
- Threat Landscape: Sophisticated cyber threats (ransomware, data breaches, insider threats) specifically target data assets.
- Legal Compliance: Organizations must comply with data protection laws (GDPR, India's DPDPA 2023) or face heavy penalties.
- Business Continuity: Data loss disrupts operations, damages reputation, and causes financial losses.
- National Security: Government and defense data, if compromised, poses national security risks.
- Economic Value: Data drives business intelligence, targeted marketing, product development, and AI training — directly translating to revenue.
- Decision Making: Data analytics enables evidence-based decisions in business, healthcare, governance, and scientific research.
- Competitive Advantage: Organizations with superior data and analytics capabilities outperform competitors.
- AI and ML Fuel: Machine learning models require massive datasets to achieve accuracy — data is literally the raw material of AI.
- Personalization: Data enables personalized services, user experiences, and targeted content delivery.
- National Resource: Census data, geographic data, health records, and economic statistics are critical national assets for governance and policy.
- Financial Loss: Costs of breach notification, legal penalties, incident response, system recovery, and lost business can run into millions.
- Reputational Damage: Loss of customer trust and brand value — organizations may lose customers permanently after a data breach.
- Identity Theft and Fraud: Stolen personal data is used for identity theft, financial fraud, and account takeover affecting individuals.
- Legal and Regulatory Penalties: Non-compliance with GDPR, DPDPA, or IT Act can result in heavy fines and legal action.
- Operational Disruption: Loss of critical data halts business operations, supply chains, and service delivery.
- National Security Threat: Loss of classified government or military data can compromise national security and intelligence operations.
- Loss of Intellectual Property: Theft of trade secrets, patents, or proprietary software undermines competitive advantage and innovation.
Rapid digitization refers to the accelerated transformation of society, economy, and governance through widespread adoption of digital technologies — smartphones, cloud computing, IoT, AI, and high-speed internet.
- Scale: Billions of people now access education, healthcare, finance, and entertainment digitally. India's digital payments crossed $3 trillion in 2024.
- Speed: COVID-19 accelerated 5-10 years of digital adoption into 1-2 years across sectors like e-learning, telemedicine, and remote work.
- Impact on Society: Creates new economic opportunities but also digital divide — rural and elderly populations may be excluded.
- Data Explosion: More devices and services mean exponentially more data being generated, processed, and stored — raising privacy concerns.
- Security Challenges: Rapid digitization expands the attack surface for cybercriminals. More connected systems mean more vulnerabilities.
- Regulatory Challenge: Laws and regulations often lag behind technological change, creating governance gaps.
- Ransomware: Encrypts victim's data and demands ransom for decryption key. Major incidents: WannaCry (2017), Colonial Pipeline (2021).
- Data Breaches: Unauthorized access to databases stealing millions of records. Example: Aadhaar data leak, Facebook Cambridge Analytica scandal.
- Advanced Persistent Threats (APT): Long-term targeted attacks by nation-states or organized groups against specific organizations for espionage.
- Insider Threats: Malicious or negligent employees leaking or stealing sensitive organizational data.
- SQL Injection: Attacking databases through malicious SQL code injected into web forms, exposing stored data.
- Man-in-the-Middle Attacks: Intercepting communication between parties to steal transmitted data.
- Cloud Security Breaches: Misconfigured cloud storage exposing sensitive data — a growing threat as organizations migrate to cloud.
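The SQL injection item above describes the attack only in one line. The following added example (not code from the original notes) shows, against a constructed in-memory SQLite table, why string-built queries expose stored data and how a parameterized query removes the defect: the database driver sends the value separately, so it is never parsed as SQL. Table name, column names and sample rows are all invented for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demonstration; not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Defective pattern: user input is concatenated into the SQL text, so the
    # input can change the structure of the query (a classic injection flaw).
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Hardened pattern: the value is bound as a parameter; whatever the input
    # contains, it is compared as a string and cannot alter the query.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    """Run both lookups with an honest value and a tampered value."""
    conn = make_db()
    honest = "alice"
    tampered = "x' OR '1'='1"  # constructed input that changes the WHERE clause
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_tampered": lookup_vulnerable(conn, tampered),   # every row leaks
        "safe_honest": lookup_safe(conn, honest),
        "safe_tampered": lookup_safe(conn, tampered),         # nothing matches
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The detection side follows from the same difference: a web application that only ever issues parameterized statements has no code path in which form input reaches the SQL parser, which is what a code review or static analysis rule for this class of defect looks for.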
- Confidentiality: Ensuring data is accessible only to authorized individuals and is not disclosed to unauthorized parties. Achieved through encryption, access controls, data classification, and need-to-know policies. Threatened by: data breaches, phishing, unauthorized access.
- Integrity: Ensuring data remains accurate, complete, and unaltered by unauthorized parties throughout its lifecycle. Achieved through hash functions, digital signatures, version control, and checksums. Threatened by: malware, man-in-the-middle attacks, insider tampering.
- Availability: Ensuring data and systems are accessible and usable by authorized users whenever needed. Achieved through redundancy, backups, failover systems, DDoS protection, and disaster recovery plans. Threatened by: DDoS attacks, ransomware, hardware failures, natural disasters.
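The Integrity item lists hash functions and checksums as controls without showing the difference between them. The added example below (not from the original notes) verifies a constructed record two ways: a plain SHA-256 checksum, which catches accidental corruption but can be recomputed by whoever alters the record, and a keyed HMAC tag, which an unauthorized party cannot recompute without the key. The record fields and the key are invented for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demonstration key; a real deployment would keep this in a
# key store, not in source code.
KEY = b"constructed-demo-key"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so the same content always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Unkeyed integrity value: detects corruption, not deliberate tampering."""
    return hashlib.sha256(canonical(record)).hexdigest()


def tag(record: dict, key: bytes = KEY) -> str:
    """Keyed integrity value (HMAC-SHA256): requires the key to produce."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_checksum(record: dict, stored: str) -> bool:
    return hmac.compare_digest(checksum(record), stored)


def verify_tag(record: dict, stored: str, key: bytes = KEY) -> bool:
    return hmac.compare_digest(tag(record, key), stored)


def demo():
    """Compare how each control behaves when the record is altered."""
    record = {"account": "ACC-0001", "balance": 1000}   # constructed sample
    stored_checksum = checksum(record)
    stored_tag = tag(record)

    tampered = dict(record, balance=1_000_000)
    return {
        # Silent corruption or tampering without touching the stored value is caught by both.
        "checksum_detects_change": not verify_checksum(tampered, stored_checksum),
        "tag_detects_change": not verify_tag(tampered, stored_tag),
        # If the party altering the record can also recompute the stored value,
        # an unkeyed checksum offers no protection: the recomputed one verifies.
        "checksum_fooled_by_recompute": verify_checksum(tampered, checksum(tampered)),
        # A tag produced without the right key does not verify.
        "tag_rejects_wrong_key": not verify_tag(record, tag(record, b"other-key")),
        "tag_accepts_original": verify_tag(record, stored_tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

This is why the notes pair hash functions with digital signatures: the hash on its own proves nothing about who produced it, so an integrity control against an adversary, rather than against disk errors, needs a key (HMAC) or a signature over the hash.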
Scope
Applies to any organization worldwide that processes personal data of EU residents, regardless of where the organization is located.
7 Key Principles
- Lawfulness, Fairness, and Transparency
- Purpose Limitation — data collected for specific, explicit purposes only
- Data Minimization — collect only what is necessary
- Accuracy — keep data accurate and up to date
- Storage Limitation — retain data only as long as necessary
- Integrity and Confidentiality (Security)
- Accountability — organizations must demonstrate compliance
Rights of Data Subjects
- Right to Access — know what data is held about them
- Right to Erasure ("Right to be Forgotten")
- Right to Rectification — correct inaccurate data
- Right to Data Portability
- Right to Object to processing
- Rights related to automated decision-making
Penalties
Up to €20 million or 4% of global annual turnover (whichever is higher) for serious violations.
Objectives
- Protect the privacy of individuals' personal digital data
- Establish obligations of Data Fiduciaries (entities processing data)
- Create rights for Data Principals (individuals whose data is processed)
- Establish Data Protection Board of India for enforcement
- Balance data protection with need for lawful data processing
Scope and Applicability
- Applies to digital personal data processed within India
- Also applies to processing outside India if it relates to offering goods/services to Indian citizens
- Covers both automated and manual digitized personal data
Rights of Data Principals
- Right to access information about personal data
- Right to correction and erasure
- Right to grievance redressal
- Right to nominate a representative
Significance
- First comprehensive data protection framework for India
- Creates accountability for companies handling citizen data
- Penalties up to ₹250 crore for violations
- Aligns India with global data protection standards
- Lawful Basis for Processing: Data must be collected and processed only with a valid legal basis — consent, legal obligation, legitimate interest, or contractual necessity.
- Purpose Limitation: Data collected for a specific purpose must not be used for unrelated purposes.
- Data Minimization: Collect only the minimum data necessary for the stated purpose.
- Accuracy: Data must be kept accurate and up to date; inaccurate data should be corrected or deleted.
- Storage Limitation: Personal data must not be kept longer than necessary for its purpose.
- Security (Integrity and Confidentiality): Appropriate technical and organizational measures must protect data from unauthorized access, loss, or destruction.
- Accountability: Organizations must demonstrate and document their compliance with data protection principles.
- Transparency: Individuals must be informed about how their data is collected, used, and shared.
Rights of Data Principal (Individual)
- Right to Information: Know what personal data is held and how it is being processed.
- Right to Correction: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of personal data when it is no longer necessary or consent is withdrawn.
- Right to Grievance Redressal: File complaints with the Data Protection Board of India.
- Right to Nominate: Nominate a person to exercise rights on behalf of the data principal in case of death or incapacity.
Obligations of Data Fiduciaries (Organizations)
- Collect only necessary personal data with valid consent.
- Use data only for the purpose for which consent was given.
- Maintain accuracy and security of personal data.
- Erase data when the purpose is fulfilled or consent withdrawn.
- Implement technical and organizational security safeguards.
- Report data breaches to the Data Protection Board and affected individuals.
- Appoint a Data Protection Officer (DPO) if designated as Significant Data Fiduciary.
- Conduct Data Protection Impact Assessments (DPIA) for high-risk processing.
- Mass Surveillance: Governments and corporations monitoring online activities — PRISM (NSA), social media monitoring, and CCTV networks raise serious civil liberties concerns.
- Data Harvesting by Tech Giants: Google, Facebook, and Amazon collect vast amounts of behavioral data for targeted advertising without adequate transparency.
- Data Breaches: Unauthorized exposure of personal data affecting millions — healthcare, banking, and government databases are frequent targets.
- Location Tracking: Smartphones continuously track location data, which can be misused for stalking, profiling, or unauthorized disclosure.
- Facial Recognition: Deployment in public spaces raises concerns about chilling effect on free expression and assembly, particularly for minorities.
- Cookies and Tracking Technologies: Cross-site tracking and supercookies build detailed behavioral profiles without explicit user consent.
- Dark Patterns: UI designs that trick users into sharing more data than intended or accepting unfavorable privacy settings.
The Indian Constitution does not explicitly mention "privacy" as a fundamental right. However, through judicial interpretation, privacy has been recognized as a fundamental right under Article 21.
Constitutional Articles Relevant to Privacy
- Article 21 (Right to Life and Personal Liberty): The Supreme Court has interpreted this to include the right to privacy as an intrinsic part of the right to life and personal liberty.
- Article 19 (Freedom of Speech and Expression): Includes freedom from surveillance that chills free expression.
- Articles 12–35 (Fundamental Rights): Generally protect citizens from arbitrary state action that violates personal autonomy.
Judicial Evolution
- Kharak Singh v. State of UP (1962): First case discussing privacy in Indian courts — held that surveillance regulations violated personal liberty under Article 21.
- Gobind v. State of MP (1975): Recognized limited right to privacy — held that privacy is implicit in fundamental rights.
- R. Rajagopal v. State of Tamil Nadu (1994): Recognized right to privacy in the context of publication of personal details without consent.
- Justice K.S. Puttaswamy v. Union of India (2017): Landmark 9-judge constitutional bench unanimously declared privacy a fundamental right under Article 21, overruling earlier contrary decisions.
Key Aspects of the Judgment
- Privacy as Fundamental Right: Privacy is an intrinsic part of the right to life and personal liberty under Article 21, and also flows from Articles 14 and 19.
- Overruling Earlier Decisions: Overruled M.P. Sharma (1954) and Kharak Singh (1962) judgments that denied privacy as a fundamental right.
- Informational Privacy: The right to control one's personal information is part of the fundamental right to privacy.
- Bodily Integrity and Autonomy: The individual has autonomy over their body and personal choices — the state cannot arbitrarily interfere.
- Privacy Not Absolute: The right to privacy can be restricted only if restrictions are: (i) backed by law, (ii) proportionate, and (iii) serve a legitimate state aim.
Significance
- Led directly to the drafting and enactment of India's Digital Personal Data Protection Act, 2023.
- Strengthened challenges to Aadhaar's mandatory biometric data collection.
- Foundation for recognizing sexual orientation as private matter in Navtej Singh Johar case (2018) that decriminalized Section 377.
- Established proportionality test for government surveillance programs.
Types of Surveillance
- Government/State Surveillance: Intelligence agencies monitoring communications, internet traffic, and financial transactions — e.g., NSA's PRISM program, India's NATGRID.
- Corporate Surveillance: Tech companies monitoring user behavior, purchase history, and preferences for targeted advertising.
- Social Media Surveillance: Platforms analyzing content, relationships, and behavior for both commercial and political purposes.
- Biometric Surveillance: Facial recognition in public spaces, fingerprint databases, iris scanning.
- IoT Surveillance: Smart home devices (Alexa, Google Home) passively recording conversations.
Role of Law in Regulating Surveillance
- Requiring judicial warrants before conducting surveillance.
- Limiting duration and scope of surveillance orders.
- Requiring transparency reports from technology companies.
- Providing whistleblower protections for surveillance overreach.
Importance of Regulating Surveillance
- Prevents authoritarian abuse of surveillance powers by governments.
- Protects free speech, political dissent, and journalism.
- Prevents commercial exploitation of personal behavioral data.
- Maintains public trust in digital infrastructure.
- Concept: Every person has a sphere of personal information that they alone should control — their name, medical history, financial records, communications, location, and digital activity.
- Data Flows: Informational privacy governs the flow of personal data — ensuring data flows only in contextually appropriate ways. (Concept of "contextual integrity" by Helen Nissenbaum.)
- Consent: Individuals must give meaningful, informed, specific, and uncoerced consent for their data to be collected and used.
- Purpose Binding: Information collected for one purpose (e.g., healthcare) should not be used for another (e.g., insurance discrimination).
- Legal Basis: Recognized by GDPR, India's DPDPA 2023, and the Puttaswamy judgment as a fundamental right component.
- Digital Dimension: In cyberspace, informational privacy is particularly challenged by data mining, behavioral profiling, and AI-driven analytics.
Ethical responsibility in cyberspace means that every actor — individuals, corporations, developers, and governments — has a moral duty to use digital technology in ways that are honest, fair, safe, and respectful of others' rights.
- Individual Responsibility: Users must respect others' privacy, avoid spreading misinformation, refrain from harassment, and protect their own security practices.
- Developer Responsibility: Software and AI developers must design systems that are fair, transparent, privacy-preserving, and free from harmful biases.
- Organizational Responsibility: Corporations must handle user data ethically, be transparent about data practices, and prioritize user well-being over profit.
- Government Responsibility: Governments must balance security with civil liberties — surveillance must be proportionate, lawful, and subject to oversight.
- Platform Responsibility: Social media platforms must moderate harmful content, prevent algorithm-driven radicalization, and protect vulnerable users.
- The Principle of Non-Maleficence: Like in medicine, digital actors should first "do no harm" — design and use technology in ways that do not cause physical, psychological, or social harm.
Importance of Privacy in Democracy
- Autonomy and Self-Determination: Privacy allows individuals to develop their identity, make personal choices, and live authentically without fear of judgment or reprisal.
- Free Expression and Dissent: When people know they are being watched, they self-censor. Privacy is essential for journalists, activists, and whistleblowers to operate freely.
- Political Participation: Secret ballot protects voters from coercion. Privacy of political opinions is fundamental to free and fair elections.
- Checks on State Power: Privacy limits the state's ability to engage in arbitrary surveillance and control of citizens — preventing authoritarian overreach.
Privacy Concerns in Democratic Society
- Mass surveillance by intelligence agencies undermining civil liberties.
- Social media manipulation influencing democratic elections (Cambridge Analytica).
- Chilling effect on free speech when users know they are being monitored.
- Corporate data monopolies creating power imbalances between citizens and technology giants.
- Use of personal data for political micro-targeting and voter manipulation.
- Personal Data: Information relating to an identified or identifiable natural person — name, email, phone, address, ID numbers.
- Sensitive Personal Data: Higher-risk data — health records, biometrics, financial information, sexual orientation, political opinions, religious beliefs.
- Behavioral Data: Generated through user actions — browsing history, purchase patterns, app usage, location history.
- Public Data: Information freely available — public social media posts, government records, press releases.
- Metadata: Data about data — email headers (sender, receiver, timestamp), file properties, log records. Can be highly revealing even without content.
- Transactional Data: Records of financial and commercial transactions — credit card records, bank statements, e-commerce orders.
- Derived Data: Data inferred or calculated from other data — credit scores, health risk assessments derived from behavioral patterns.
- Anonymous/Pseudonymous Data: Data with personal identifiers removed (anonymous) or replaced with pseudonyms — used for research while reducing privacy risks.
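The last item describes pseudonymization in a sentence; the added example below (not from the original notes) shows the technique on a few constructed health-style records: direct identifiers are dropped, and each subject is replaced by a keyed pseudonym (HMAC-SHA256 of the identifier) so that records of the same person stay linkable for research while the mapping back to the person needs the key. All names, phone numbers and diagnoses are invented, as is the key.

```python
import hashlib
import hmac

# Constructed sample records; every value is invented for this example.
RECORDS = [
    {"name": "Asha Verma", "phone": "+91-90000-00001", "age": 34, "diagnosis": "asthma"},
    {"name": "Ravi Iyer",  "phone": "+91-90000-00002", "age": 52, "diagnosis": "diabetes"},
    {"name": "Asha Verma", "phone": "+91-90000-00001", "age": 34, "diagnosis": "flu"},
]

# Fields that identify a person directly and must not reach the research copy.
DIRECT_IDENTIFIERS = ("name", "phone")

# Constructed demonstration key; in practice it lives with the data
# fiduciary, separately from the pseudonymized dataset.
KEY = b"constructed-pseudonymization-key"


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: same input and key give the same output,
    and the output cannot be turned back into the identifier without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Return a copy of the records with identifiers replaced by a subject_id."""
    out = []
    for r in records:
        subject_id = pseudonym(r["phone"], key)  # phone chosen as the stable identifier
        kept = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"subject_id": subject_id, **kept})
    return out


def distinct_subjects(pseudonymized) -> int:
    """How many different people the research copy still lets us tell apart."""
    return len({r["subject_id"] for r in pseudonymized})


if __name__ == "__main__":
    for row in pseudonymize(RECORDS, KEY):
        print(row)
    print("subjects:", distinct_subjects(pseudonymize(RECORDS, KEY)))
```

Two design points follow from the code. An unkeyed hash of a phone number would not be a pseudonym in any useful sense, because the space of phone numbers is small enough to enumerate and match; the key is what makes the mapping one-way for anyone who does not hold it. And the result is still pseudonymous, not anonymous: whoever holds the key can re-identify, so under frameworks such as GDPR the output remains personal data and the key needs the same protection as the identifiers it replaces.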
- IT Act, 2000 (Section 43A): Required companies possessing sensitive personal data to implement "reasonable security practices." Compensation to affected individuals for data breaches through negligence.
- IT (Amendment) Act, 2008: Strengthened cybercrime provisions, introduced provisions on data protection and privacy breaches.
- IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: Defined sensitive personal data, consent requirements, and security standards for corporate entities.
- Puttaswamy Judgment, 2017: Established privacy as a fundamental right, triggering demand for comprehensive data protection legislation.
- Digital Personal Data Protection Act, 2023 (DPDPA): India's first standalone comprehensive data protection law — creates rights for individuals and obligations for organizations processing personal data.
India's privacy law framework has evolved significantly over the years, though it has historically lagged behind global standards.
- Pre-2017 Situation: No explicit constitutional right to privacy. IT Act 2000 provided limited protection through Section 43A and the 2011 Rules, which were criticized as inadequate and narrow in scope.
- Puttaswamy 2017 — Turning Point: The 9-judge bench verdict created the constitutional mandate for comprehensive privacy legislation.
- DPDPA 2023 — Current Status: India now has a dedicated data protection law. However, critics note: wide exemptions for government, no mention of non-personal data regulation, no independent regulator (Data Protection Board functions under government oversight).
- Surveillance Framework Gap: India lacks a comprehensive surveillance law with robust judicial oversight — the Telegraph Act 1885 and IT Act provisions on interception are outdated.
- Positive Steps: DPDPA establishes a foundation; CERT-In breach reporting requirements (6-hour mandatory reporting) improve incident response.
- Future Direction: India needs to strengthen judicial oversight of surveillance, develop a separate non-personal data governance framework, and ensure genuine independence of the Data Protection Board.
- M.P. Sharma v. Satish Chandra (1954): 8-judge bench held that the Constitution does not guarantee right to privacy — search and seizure was valid under existing provisions.
- Kharak Singh v. State of Uttar Pradesh (1962): 6-judge bench partially recognized privacy — held that police domiciliary visits at night violated personal liberty under Article 21, though overall surveillance regulations were upheld.
- Gobind v. State of Madhya Pradesh (1975): Recognized a limited right to privacy as implicit in fundamental rights, subject to regulation for compelling public interest.
- R. Rajagopal v. State of Tamil Nadu (1994): Recognized right to privacy against unauthorized publication of personal details — "auto-biography of a death row convict" case.
- PUCL v. Union of India (1997): Held that telephone tapping violated right to privacy and freedom of expression; laid down procedural safeguards for interception.
- Justice K.S. Puttaswamy v. Union of India (2017): Landmark 9-judge bench verdict — unanimously recognized privacy as a fundamental right under Article 21, setting the constitutional foundation for India's data protection law.
Objectives of Data Protection Laws (General)
- Protect individuals' fundamental right to privacy and informational self-determination.
- Ensure personal data is collected, processed, and used fairly and transparently.
- Establish accountability of entities handling personal data.
- Create a mechanism for individuals to exercise rights over their data.
- Deter data breaches through penalties and enforcement.
- Harmonize data flows with international standards to enable cross-border data transfer.
Objectives of India's DPDPA 2023 (Data Protection Bill)
- Recognize and protect the right of individuals to protect their personal data.
- Establish the need for lawful processing with consent or legitimate purpose.
- Create rights for Data Principals and obligations for Data Fiduciaries.
- Establish the Data Protection Board of India for adjudication and enforcement.
- Ensure India's data governance framework is compatible with global standards while serving national interests.
- Provide penalties (up to ₹250 crore) to deter violations and negligence in data handling.
IT Acts & Information Security
10 Q&As
Need and Importance
- Direction and Framework: Provides clear direction to employees about security expectations — defines what is permitted and what is prohibited in handling organizational data.
- Legal and Regulatory Compliance: Organizations are legally required to demonstrate security practices under the IT Act, GDPR, DPDPA, and ISO 27001. An information security policy (ISP) provides documented evidence of compliance.
- Risk Management: Identifies, assesses, and addresses information security risks systematically — reducing exposure to cyberattacks and data breaches.
- Accountability: Assigns roles and responsibilities for information security across the organization — ensures everyone knows their security duties.
- Business Continuity: Includes incident response and disaster recovery plans to ensure operations continue even after a security incident.
- Employee Awareness: Drives security awareness training programs — humans are the weakest link, and policy-driven training reduces insider threats and social engineering risks.
- Trust and Reputation: Demonstrates to customers, partners, and regulators that the organization takes data security seriously.
Importance
- Defines Security Expectations: Clearly specifies what security services will be delivered, at what level, and under what conditions.
- Accountability: Creates contractual obligations for the service provider — failure to meet SLA terms results in penalties or remedies.
- Incident Response Commitments: Specifies maximum response times for security incidents — e.g., "Security breaches must be reported within 4 hours."
- Compliance Documentation: Provides evidence of security commitments for regulatory audits.
- Business Continuity Assurance: Uptime guarantees (e.g., 99.9%) ensure critical security services remain available.
Key Features of Security SLAs
- Uptime and availability guarantees for security services
- Maximum incident response and resolution times
- Data breach notification timeframes
- Security audit rights for the customer
- Encryption standards and access control requirements
- Penalties and remedies for SLA breaches
- Disaster recovery and business continuity commitments
Key Objectives
- Legal Recognition of Electronic Transactions: To grant legal status to electronic records, digital signatures, and e-contracts, enabling paperless transactions.
- Facilitate E-Commerce: To provide a legal framework for e-commerce, online banking, and digital trade in India.
- Prevent Cybercrime: To define and penalize cybercrimes such as hacking, data theft, cyber fraud, and spreading obscene content.
- Establish Certifying Authorities: To regulate the issuance of digital certificates and the functioning of Certifying Authorities for digital signatures.
- Create Legal Framework for Electronic Governance: To enable government departments to file documents electronically and accept electronic records.
- Protect Sensitive Data: To provide legal remedies for unauthorized access to or damage of computer systems and sensitive personal data.
- Establish CERT-In: To establish the Computer Emergency Response Team – India for cybersecurity incident response.
- International Alignment: To align Indian law with the UNCITRAL Model Law on Electronic Commerce (United Nations).
| Section | Offense | Penalty |
|---|---|---|
| Sec 43 | Unauthorized access to computer systems, data theft, virus introduction, damage to systems | Compensation up to ₹1 crore to affected party |
| Sec 65 | Tampering with computer source documents | Up to 3 years imprisonment or ₹2 lakh fine or both |
| Sec 66 | Computer-related offenses (hacking) | Up to 3 years imprisonment or ₹5 lakh fine or both |
| Sec 66A | Sending offensive messages (struck down by SC in Shreya Singhal 2015) | — |
| Sec 66B | Receiving stolen computer resources | Up to 3 years imprisonment or ₹1 lakh fine |
| Sec 66C | Identity theft | Up to 3 years imprisonment and ₹1 lakh fine |
| Sec 66D | Cheating by personation | Up to 3 years imprisonment and ₹1 lakh fine |
| Sec 66E | Violation of privacy (publishing intimate images) | Up to 3 years imprisonment or ₹2 lakh fine |
| Sec 66F | Cyberterrorism | Life imprisonment |
| Sec 67 | Publishing obscene material online | Up to 3 years and ₹5 lakh fine (first offense) |
| Sec 67B | Child pornography online | Up to 5 years and ₹10 lakh fine (first offense) |
Adjudication
The Central Government appoints an Adjudicating Officer (of the rank of Secretary to the Government) to hear complaints relating to contraventions under Sections 43 to 45 of the IT Act.
- Handles cases of unauthorized access, data theft, virus distribution, and damage to computer systems.
- Can award compensation up to ₹5 crore to the aggrieved party.
- Has powers of a civil court — can summon persons, receive evidence, and issue orders.
- Must dispose of cases within 4 months of receiving a complaint.
Cyber Appellate Tribunal (CAT)
- Any person aggrieved by an order of the Adjudicating Officer may appeal to the Cyber Appellate Tribunal.
- Appeal must be filed within 45 days of receiving the adjudicating officer's order.
- CAT is presided over by a Chairperson (rank of High Court judge or above).
- CAT has powers of a civil court — can examine witnesses, review documents.
- Must decide appeals within 6 months.
Further Appeals
- Orders of the CAT can be appealed to the High Court within 60 days.
- Further appeal lies to the Supreme Court on questions of law.
Rights of Citizens under RTI Act
- Right to Request Information: Any citizen can file an RTI application to any public authority seeking information held by them.
- Right to Timely Response: Information must be provided within 30 days (or 48 hours if life or liberty is at stake).
- Right to Inspect Records: Citizens can inspect documents, records, and works at the public authority's office.
- Right to Certified Copies: Citizens can obtain certified copies of government documents.
- Right to Appeal: If information is denied or unsatisfactory, citizens can appeal to the First Appellate Authority (within 30 days) and then to the State/Central Information Commissioner.
- Right to Information in Electronic Form: Information available in electronic format can be provided electronically.
Role of Public Information Officer (PIO)
- Designated officer in every public authority responsible for receiving and processing RTI applications.
- Must provide information within 30 days of receiving a request.
- Can reject applications for information exempt under Section 8 (national security, cabinet deliberations, trade secrets, personal information).
- Must provide reasons for rejecting an RTI request.
- Subject to penalties (₹250/day up to ₹25,000) for delay, denial, or providing incorrect information.
- Must proactively disclose information under Section 4 without waiting for RTI requests.
Major Features
- Expanded Definition of Cybercrimes: Added new sections — Section 66A (sending offensive messages — later struck down), 66B to 66F covering identity theft, cheating by personation, privacy violations, and cyberterrorism.
- Section 66F — Cyberterrorism: First time cyberterrorism was criminalized in India — life imprisonment for attacks on critical infrastructure.
- Data Protection (Section 43A): Required companies with sensitive personal data to implement reasonable security practices — compensation for negligent data breaches.
- Intermediary Liability (Section 79): Provided "safe harbor" protection for intermediaries (websites, platforms) from liability for third-party content if they followed due diligence requirements.
- Blocking of Websites (Section 69A): Government can block online content threatening national security, sovereignty, or public order.
- Interception and Monitoring (Section 69): Authorized government interception and monitoring of digital communications for national security.
- CERT-In (Section 70B): Officially established the Computer Emergency Response Team – India as the national cybersecurity incident response agency.
- Electronic Service Delivery: Enabled government to deliver services electronically.
Significance
- Made India's cyber law more comprehensive and relevant to modern threats.
- Introduced data protection obligations for corporate entities for the first time.
- Addressed mobile and smartphone-related crimes explicitly.
- Established institutional cybersecurity infrastructure through CERT-In.
- Harmonized India's cyber law with global practices.
- Hacking (Sec 66): Unauthorized access or destruction of data — up to 3 years imprisonment or ₹5 lakh fine or both.
- Cyberterrorism (Sec 66F): Attacks on critical national infrastructure or causing fear — Life Imprisonment.
- Identity Theft (Sec 66C): Fraudulent use of another's electronic signature, password, or ID — up to 3 years and ₹1 lakh fine.
- Cheating by Personation (Sec 66D): Using communication devices to cheat by impersonating someone — up to 3 years and ₹1 lakh fine.
- Privacy Violation (Sec 66E): Capturing and publishing intimate images without consent — up to 3 years or ₹2 lakh fine.
- Obscene Content (Sec 67): Publishing or transmitting obscene material — up to 3 years and ₹5 lakh fine (first offense), 5 years and ₹10 lakh for repeat.
- Child Pornography (Sec 67B): Publishing/browsing child sexual abuse material — up to 5 years and ₹10 lakh fine (first offense), 7 years and ₹10 lakh for repeat.
- Source Code Tampering (Sec 65): Concealing or destroying required source code — up to 3 years or ₹2 lakh fine.
Key Standards in the 27000 Family
- ISO/IEC 27001 — ISMS Requirements: The core certification standard. Specifies requirements for establishing and maintaining an ISMS. Organizations can get certified to this standard to demonstrate security compliance.
- ISO/IEC 27002 — Code of Practice: Provides detailed guidance on security controls across 14 domains including access control, cryptography, physical security, and incident management.
- ISO/IEC 27005 — Risk Management: Guidelines for information security risk assessment and treatment — helps organizations identify, analyze, and prioritize security risks.
- ISO/IEC 27017 — Cloud Security: Provides guidelines for information security controls applicable to cloud services.
- ISO/IEC 27018 — Privacy in Cloud: Code of practice for protection of personally identifiable information in cloud environments.
ISMS Key Components (ISO 27001)
- Context of the organization and scope definition
- Leadership commitment and information security policy
- Risk assessment and treatment process
- Security controls from Annex A (114 controls in 14 categories)
- Internal audits and management reviews
- Continual improvement (Plan-Do-Check-Act cycle)
Key Provisions
- Section 2 — Definitions: Defines "information," "public authority," "right to information," and related terms.
- Section 3 — Right to Information: All citizens have the right to information subject to the provisions of the Act.
- Section 4 — Proactive Disclosure: Public authorities must proactively publish information online about their structure, functions, budgets, and policies.
- Section 6 — Application Procedure: Any citizen can file an RTI application in writing or in electronic mode with a fee of ₹10.
- Section 7 — Disposal of Requests: Information must be provided within 30 days (48 hours for matters of life/liberty).
- Section 8 — Exemptions: Certain categories of information are exempt — national security, intelligence, cabinet papers, trade secrets, personal information causing unwarranted invasion of privacy.
- Section 19 — Appeals: First appeal to senior officer within 30 days; second appeal/complaint to Information Commission.
- Section 20 — Penalties: PIO can be penalized ₹250/day for delay (max ₹25,000) and may face disciplinary action.
Importance of RTI Act
- Promotes transparency and accountability in government functioning.
- Empowers citizens to fight corruption by accessing official records.
- Strengthens democratic participation and civic engagement.
- Enables media and civil society to monitor government actions.
- Has been used to expose corruption in public contracts, welfare schemes, and judicial appointments.