Section 66C of the IT Act, 2000 talks about Punishment for
Whoever, fraudulently or dishonestly make use of the
electronic signature, password or any other unique identification feature of
any other person, shall be punished with imprisonment of either description for
a term which may extend to three years and shall also be liable to fine which
may extend to rupees one lakh.
This section is meant to protect the identity of a user in
the online medium. The objective of the section is to protect the privacy of
all or any online users, including their personal information or data.
The perspective of the aforesaid section is not to merely
protect the information residing in a computer resource but to protect the
authentication details in any form, such as electronic signatures
(including digital signatures), passwords, PINs, biometric identifiers or any
such other unique identification feature. This section treats the “identity” of a
person as his authenticating feature, and whoever intends to take such an “identity”
dishonestly or fraudulently out of the possession of any such person is
committing an offence. This section is about the loss of movable property,
which may be in the form of electronic signature, password or any other unique
identification feature of any such affected person. Further, it protects the
integrity and security of computer resources from attacks by unauthorized persons
seeking to enter such resources, whatever may be their intention or motive.
Moreover, by way of Explanation, the following sections of the
Indian Penal Code have been introduced in the aforesaid section:
Whoever does anything with the intention of causing of wrongful gain to one person or
wrongful loss to another person is said to do that thing, dishonestly. (Section
24 of the IPC)
A person is said to do a thing fraudulently if he does that thing with intent to
defraud but not otherwise. (Section 25 of the IPC)
The legislative intent behind importing these two sections
from the IPC is to introduce the component of mens rea in the aforesaid
section. Here, the offence depends upon the intention, i.e. whether the act
is done ‘dishonestly’ or ‘fraudulently’. The criminal intent in a computer
related offence manifests itself in terms of causing wrongful loss or damage
(as defined under Section 23 of the IPC).
The word ‘wrongful’ means prejudicially affecting a party in
some legal right. In the context of computer related offences, for either wrongful
loss or gain, the computer resource (owned, managed, operated or used) must be
lost to such a person, or he must be wrongfully kept out of it. Any instance of
destruction, damage, disruption, denial, deletion, concealment, tampering,
manipulation, stealing, alteration of information residing in a computer
resource by an accused causing wrongful gain would amount to a computer related
The offence of ‘identity theft’ is completed when there is a
dishonest or fraudulent downloading, copying, or extraction of the electronic
signature, password, or any other unique identification feature of any other person.
In other words, the moment the personal information of any person is
downloaded, copied or extracted dishonestly or fraudulently, mens rea comes
into existence. Whether the offender makes use of such downloaded, copied or
extracted personal information will be the actus reus component of the crime.
Instances of identity theft include phishing, spear
phishing, denial of service, distributed denial of service, data theft,
installation of spyware, cookies etc.