This article is written by Vedant Saxena, from Rajiv Gandhi National University of Law, Punjab. By analyzing relevant statutes and codes, the author delves into the instances when data scraping turns unlawful, the threats it poses and the competency of the Indian laws in tackling it.
Data scraping is referred to as the process of extracting data from a website using a computer program or software. Data scraping is considered a lot more efficient than the traditional copy-paste method. Nowadays, data or statistics are the basis of carrying out a number of administrative, business, management and advisory decisions.
In such cases, copy-pasting becomes a heavily tedious task, increasing unwanted labour and reducing efficiency. Using the technique of data scraping, one could import large quantities of data within a fraction of time as compared to copy-pasting. Oftentimes, one may encounter websites whose content cannot be copy-pasted. Even in such instances, data could be imported using the data scraping technique.
However, data scraping has its limitations. Importing protected content may cause copyright infringement, which in turn may result in imprisonment up to 1 year, and a fine up to Rs 1 lakh. An excess of data scraping may also result in a DoS (Denial of service) on a website and its services, particularly if the website has limited resources. In such cases, the result would be the same as a regular DDoS attack. A data scraping bot is considered a visitor. If lots of visitors (bots) flood the site carrying out a large number of scraping activities, the bandwidth and other resources of the server may get exhausted. It would result in the website going down or becoming unavailable.
Section 14 of the Indian Copyright Act grants the creator of an original work a set of exclusive rights and benefits arising out of his work. The right to reproduction, one of the many privileges granted to the creator, permits the right to make copies of his work in any form. If any other person, without the express approval of the owner, participates in reproduction in any kind, such as photocopying a book, reproducing a cartoon character on a shirt, making a digital copy of a movie, or making an audiobook out of a hardcopy, etc., he infringes upon the reproduction right of the owner.
Infringement of this right can take place in the form of verbatim copying, or modified copying. The former involves straightforward reproduction, such as photocopying a book or reproducing a protected photo on a dress. Complications arise in circumstances where the work has extracted data and modified them to form a new creation. In such cases, the courts generally incorporate ‘the substantial similarity test’ in order to help them determine whether the defendant’s act did actually constitute a violation of the plaintiff’s rig will and deprive him of benefits, or not. The substantial similarity test incorporates two components, the first one being, determining whether there actually had been ‘exact copying’, and the second one is assessing the degree to which the copying resulted in ‘a substantially similar reproduction’.
The doctrine of fair dealing
Creators of original works more often than not incorporate a fair part of their personality into their creations, and thus, it becomes necessary to reward them for their hard work and creativity. However, nowadays, data is the basis for most business decisions. It is most commonly used for the purposes of a business or to gain competitive intelligence. In order to strike a balance between the ownership rights and the distribution of knowledge, the fair dealing doctrine was incorporated.
This doctrine acts as a check on the rights of the copyright owner, ensuring that creativity and knowledge continue thriving among the common masses. Therefore, through the concept of fair dealing, an individual can use up any of the rights enjoyed by the copyright owner, without his authorization.
The fair dealing doctrine is enshrined under Section 52 of the Indian Copyright Act. There are certain limitations to this right too. The most significant one stating that the work must strictly be used for ‘non-commercial purposes’. Examples include: reviewing a work, criticism, news reporting, research work, or using it for educational purposes.
However, using the work for any of the above purposes may still not qualify as fair dealing. The courts generally assess the concerned work under four factors, in order to determine whether it could be accepted as a case of fair dealing or not:
- The first one focuses on the intended purpose of the use. Whether the work was used for commercial purposes or not is the issue discussed here.
- The second factor is concerned with the nature of the work and is arguably the least important one of the lot. It merely focuses on whether the work had extracted content from a published work or an unpublished one. A published work may entail a higher degree of securement under the fair use doctrine.
- The third factor talks about the amount and substantiality of the plagiarized content.
- The fourth, and arguably the most important of the lot, assess the secondary work’s impact on the original, in terms of sales and market value. Greater the losses faced by the owner, lesser would be the possibility of the secondary work getting through the fair use doctrine.
Remedies in the IPC and IT Act
The Information Technology Act, 2000
Identity theft is one of the most prominent cybercrimes, which tends to violate an individual’s right to privacy over cyberspace. It occurs when the fraudster uses somebody else’s identity or personal information as bait to obtain illicit financial profits or any other benefits. Such crimes could be commissioned by simply obtaining the victim’s credit card details, social security number, social media passwords, etc. Data scraping is a fairly common form of identity theft. The Information Technology Act, 2000 recognizes the potential threats of identity theft and has incorporated provisions that provide for limitations and sanctions for any illegal or harmful use of it.
Section 43 of the act counters unlawful data scraping in a fairly comprehensive manner. Some of the punishable acts that comes within the ambit of this Section are:
- Unlawful access to a computer, computer system, or computer network and extracting data from it,
- facilitating a denial of service,
- incorporating a computer virus or any other form of computer contaminant for the purpose of destroying, transmitting or modifying data, and
- causing an untoward disruption in the normal working of such computer, computer system and computer network.
Section 66 is the extension of Section 43, in light of the penalties involved. Under it, whoever does an act covered within the scope of Section 43 is to either be imprisoned for a term which may extend up to 3 years, or be charged a fine which may extend up to rupees 5 lakhs.
Section 66B pertains to the unlawful obtaining of a computer resource or communication device, and when the accused had reason to believe that such a computer resource or communication device was obtained by illicit means. Such accused is to either be punished for a term of imprisonment which may extend up to 3 years, or be charged a fine which may extend up to rupees 1 lakh.
Section 66C, introduced by the Information Technology (Amendment) Act, 2008, declares the penalty for identity theft. Any person, who unlawfully attempts to impersonate somebody else, by means of electronic signature, password, credit/debit card pin, social security number, is to either be imprisoned for a period not extending 3 years, or to be charged a fine not extending rupees 1 lakh.
The Indian Penal Code, 1860
Identity theft is centred around unlawful impersonation bolstered by theft and fraud. Unfortunately, data, owing to its intangibility does not fall within the meaning of ‘moveable property’ as defined under Section 378 of the IPC. Data could however be brought in compliance with the definition of electricity. In the case Avtar Singh vs. State of Punjab, the Supreme Court declared that electricity could not be regarded as moveable property within the language of Section 378. However, the sections encompassing fraud and other related offences concerning identity theft, such as forgery (Section 464), forgery as an accomplice in cheating (Section 468), making false documents (Section 465), reputation (Section 469) can be invoked along with the provisions of the IT act.
Despite its fairly comprehensive scheme, the IT Act possesses several loopholes:
- Section 66C lays down a mere 3-year term of imprisonment and a paltry fine of 1 lakh rupees. Instances of identity theft are engulfing the country at a rapid pace. According to a report, there are 5000 complaints every year, out of which, 2000 are arrested and merely 12 are convicted.
- Secondly, the term ‘unique identification feature’ within the language of 66C has not been expressed, around which, the very concept of identity theft is centred. Electronic signature and password are the only means of identification recognized explicitly.
- Identity theft within the IT Act is a bailable offence, thus, providing a logical explanation as to why only a handful of the offenders are convicted.
- The parties can also settle matters through a compromise.
- Unlike the IPC, the IT Act lacks extra-territorial jurisdiction. Section 4(3) of the IPC says that in the event of any person across the globe targeting a computer resource in India, commits an offence. However, no such clause is explicit within the IT act.
- Further, the sections of the IPC dealing with cyber privacy could also be considered obsolete, considering the alarming increase in crimes against men. Therefore, considering the gravity of the outcomes of illicit data scraping, this sphere of the IPC and IT Act need to be amended as per the status quo.
One of India’s earliest cases of identity theft, this case involved a suit filed by Sony India Private Ltd. that ran a website namely ‘sony-sambandh.com’. This site enabled NRIs to send Sony products to their family and friends in India, after paying for them.
One fine day, a person logged into the website by the name of ‘Barbara Campa’ and ordered a Sony colour television set and a cordless headphone. She offered her credit card number for the processing of the payment and requested to have these products delivered to one Arif Azim in Noida. The payment was successful and all other requirements were abided by. Later on, the credit card agency informed the company that the real owner of the concerned credit card had denied making any such purchase, and thus, the above transaction was unauthorized.
Arif Azim was arrested, and it was, later on, declared that he while working at a call centre in Noida had acquired access to an American’s credit card number and thus tried using that information to his advantage. The court convicted Arif under Section 418, 419 and 420 of the IPC. This case also brought forth the effectiveness of the Indian Penal Code concerning matters not addressed by the Information Technology Act.
A frightening case of unlawful data scraping came to light when one fine day prominent Hollywood actress Demi Moore realised that somebody had been using her credit card details, racking up a formidable 169,000 dollars through multiple stores. The fraudster was declared to be John Matthew Read, who had masterminded this operation by first reporting Moore’s then credit card was stolen to the American Express, and then once the card was blocked and a new one was set up, intercepting the latter’s details. Read is being held in a Los Angeles county jail after confessing to the theft and fraud. He was caught on camera at the FedEx and the retail stores, according to the complaint.
The dawn of the internet alleviated a lot many challenges concerning life’s day to day activities. Currently, there are roughly around 700 million ardent internet users in the country. With data being the basis for most business decisions, data scraping has helped a wide array of websites to achieve mutual functionary benefits that not only enhance their business but also enhance customer satisfaction.
However, the vast advancements in cyberspace have lead data scraping to be employed for illegal purposes. Distributing illicit copies of books, movies, etc has become rampant, and since everything is done online, tracing such fraudsters becomes extremely taxing. Apart from stealing data in the context of copyright infringement, cybercriminals may also target other forms of IP.
For instance, trade secrets involve processes, recipes, manufacturing techniques, formulae, etc. that are not revealed to the general public, in order to ensure economic prosperity over rival companies. Thus, compromising such sensitive information could truly be detrimental to the company’s business.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: