Relevance of Data Protection Laws in the light of Covid-19 Pandemic & the Anonymity offered by the Dark Web

Article by Tsaaro

The dark web has been around for a long time now, and its dangers have not been lost on the public or on governments. It has become a breeding ground for all kinds of illegal activities due to the shield of anonymity that it offers. Though it was initially created by the U.S. Naval Research Laboratory to provide a means for military and field agents to communicate without having to disclose their identities, it has now become one of the main platforms through which various types of illegal trading take place. While the majority of the illegal activity taking place through the dark web involves drugs, weapons, counterfeit money, stolen credit card details, and pornography involving violence, children, and animals, during the coronavirus pandemic an already existing illegal activity became more prominent: the sale of pharmaceuticals. This article explores the threat of vaccines, medicines, and home testing kits being sold on the dark web and examines how such sales can compromise the security of the citizens of the country.

Is the Indian Law well equipped to deal with crimes taking place over the dark web?

A Steady Rise in the Use of Dark Web for the buying and selling of covid-19 related paraphernalia

With the steady rise of covid-19 cases in light of the incoming third wave of covid-19, the problem of illegal vaccines and medicines being made available on the dark web has become important again. The first and the second waves have taught us that there is no limit to how far scammers and fraudsters will go in order to profit off of a worldwide pandemic. At a time when there is cut-throat competition in the global community for a dose of the vaccine, fake covid-19 vaccines and medications are sold next to cocaine and fake money for $500-$1000 or the equivalent in bitcoin.

However, in these trying times, the deep web marketplace is not only crawling with advertisements of vaccines and medicines for coronavirus. The markets are also saturated with ads for virus detectors, blood, and plasma from recovered covid-19 patients. Some may be inclined to believe that, irrespective of whether or not the medicines are legal, what is important is that an individual is getting the necessary equipment to be able to protect themselves from the deadly virus. However, it is important to understand that there is a higher chance of getting scammed while purchasing vaccines and medicines from the deep web than of getting a legitimate dose of the same. At the height of the coronavirus pandemic, the listings related to covid-19 dramatically increased. A seller on the market claimed to have a vaccine that had come from a lab technician with access to a treatment that had been tested but which would not be made public for years; another ad claimed to have several vials of vaccines stolen from private pharmaceutical companies which were apparently hoarding vaccines in order to drive the prices up. Such vaccines are priced at about five bitcoin or $77,000.

As is obvious from the description of these ads and the shady manner in which they are sold, some of the vaccines advertised are not legitimate. However, an important aspect of the illegal covid vaccine and medicine ring, as stated by the UK Research and Innovation Lab, is that none of the sellers would want to attract any kind of police attention. Therefore, in order to prevent that, the vaccine sellers would either not ship anything potentially fatal or dangerous to the people buying such vaccines, or they would not send anything to the buyer at all. In light of the same, researchers from Russia have confirmed that close to 30% of the vaccines advertised on the dark web are real and legitimate. Even the real vaccines can cost one around $1,400, whereas getting a vaccine dose legally is free. The same, however, cannot be said for all the other kinds of covid-19 related paraphernalia. An instance in Thailand received a lot of attention where, due to the short supply of masks, scammers would pick up used masks from trash cans and sell them as new.

Aside from the sale of vaccines and medicines, the dark web marketplace is also used to sell information, fake vaccine certificates, and fake certificates to be able to take advantage of various government schemes launched to help the needy. The scams work in a couple of different ways but essentially boil down to fraudsters gaining access on the dark web to an individual or company’s personally identifiable information (name, social security, tax ID, date of birth, and address), then using the information to fill out an application for Covid-related benefits. Health data of people who have been infected with the virus, sold on the dark web, is being widely used by insurers and lenders. Additionally, this sale of information can lead to the identity theft of the victims.

Where does the Law Stand?

Laws in India

India, being severely hit by the covid-19 pandemic and the scams taking place in light of it, did not turn a blind eye to the notoriety taking place through the dark web. The problem of data breaches can severely affect the citizens of the country as these hackers access such data from hospitals and diagnostic centers and sell them to other fraudsters. Insurers rely on this leaked data and seem to deny or block claims from policyholders. 

In the light of health data being passed around and instances of identity theft coming up, it is important to understand where the Indian law stands with respect to all of these offenses. Section 72 of the IT Act, 2000 lays down the penalty for breach of confidentiality and privacy. This section states that anybody who has access to information, documents, or other materials without the consent of the person concerned and discloses the same to any other person would be punished with imprisonment for two years and/or a fine of 1 lakh rupees. Section 66C of the act lays down the punishment for identity theft. Section 67C lays down the preservation and retention of information by intermediaries.

In addition to penalization, the act also has provisions that empower the government to collect data, block access, or issue directions for monitoring of information. Sections 69, 69A, and 69B talk about, respectively, the manner in which the government can allow for the interception, monitoring, or decryption of information through any computer resource, the power to block public access to any information through a computer resource, and the monitoring and collecting of traffic data through any computer resource.

It is important to note that although the IT Act provides a lot of powers to the government and also lays down stringent punishment for those violating privacy etc., the elusive nature of the dark web actively renders the provisions of this act fruitless. Having provisions that describe the penalty which the perpetrators will face may seem to be enough, but keeping in mind the fact that it is next to impossible to find these perpetrators due to a nearly invisible digital footprint, these provisions begin to lose their luster.

International Conventions

One of the main conventions relating to cybercrimes is the Convention on Cybercrime, also known as the Budapest Convention. This convention came into force on 1st July 2004. One of the key features of this convention is that it focuses on collective action being taken by the countries of the world to actively eliminate cyber-crime. Though India is not yet a party to this convention, Article 37 of the convention provides that a non-member can sign and ratify the convention.

In pursuance of the fact that this convention seeks to ensure collective and collaborative efforts from the countries of the world, the convention addresses multiple issues which may arise in such collaboration. The Convention also addresses the issues related to extradition under Article 24, mutual legal assistance between national law enforcement agencies under Articles 25 to 34, and the establishment of a 24/7 network of points of contact to support such assistance within Article 35. These provisions highlight the three main objectives of this convention: harmonized effort between the nations for the elimination of cybercrime, harmonization of investigative measures and criminal proceedings, and cooperation between the states. The Budapest Convention requires States to ensure that the offenses against and by means of computers of Articles 2 to 12 are criminalized in their domestic law and that their criminal justice authorities have the powers prescribed in their procedural law not only to investigate cybercrime but any offense where evidence is in electronic form. Domestic legislation consistent with the Budapest Convention further facilitates international cooperation in that it helps meet the dual criminality requirement.

While there are a number of other international initiatives which seek to coordinate the efforts of various states, including the Organisation of American States and the International Police Organisation (INTERPOL), none of them has been able to create an ambiance of such mutual collaboration as has been done by the Budapest Convention.

Suggestions

Fake vaccines, fake certificates, the buying and selling of health information of multiple individuals, and stealing of identities: these are all crimes that were taking place even before the pandemic, but the pandemic has made many more people the victims of such crimes. For the government of the country, the immediate priority should be the protection of the victims and the prevention of such acts taking place. In order to protect the people from further falling into the web of the dark web, it is important to disseminate information regarding the same. It is essential that the government makes available to the general public a list of all the valid and official resources which the citizens can take advantage of in terms of getting legitimate vaccines and medicines. In the wake of the third wave of the pandemic, it is important to let the people know that they can freely approach the government with any queries which they may have with respect to the legitimacy of any medicine or other covid related paraphernalia which they may be ordering online. There should also be public service announcements that inform the citizens regarding the various types of scams happening and how the citizens can actively avoid the same by practicing some deliberation from their end.

Another priority of the government is to ensure that the health data and other personal information of the citizens, which may be collected by the health agencies of the country remain protected and are not leaked or hacked. Intermediaries should be held stringently liable for any negligence on their part and a fierce security system should be put in place at all health centers.

Aside from the short term, it is important for India to focus on being able to prevent the network of the dark web from growing in India in the long run. Since cyber-crime itself transcends national boundaries and does not have any geographical location as such, it is important to co-operate and collaborate with the other countries of the world in order to keep the crimes in check. In light of this, it is pertinent for India to become a signatory to the Budapest Convention since this would provide India with the platform it requires to be able to deal with the trans-national nature of cyber-crimes and cybercriminals. 

Conclusion

The dissemination of covid-19 vaccines, leak of health data, etc. are all aspects that have come to light in the wake of the coronavirus pandemic. However, the threat of the dark web is not new. The fact that people can easily conceal their identities and buy, sell and create illegal content has been around for a very long time. Therefore, it is not a far-fetched idea to believe that the governments should have been ready for the influx of illegal covid-19 vaccines and other related paraphernalia. However, there were no visible actions taken by the government to actively prevent people from buying such things from the dark web.

It is also important to note that though there are international conventions that exist and that ban all the activities which take place over the dark web, the bottom line is that the individuals who are selling such goods, services, and content over the dark web are aware of the legal implications which can follow them in case they are ever caught. It is out of fear of punishment that they wish to conceal their online footprint and take the support of an online platform where they become untraceable. When they become completely invisible, no stringent law can catch them and bring them to justice.

However, while finding the people behind these illegal activities is not easy, it is also not impossible. The fact that the apparently ‘untraceable’ have been traced before gives hope to everyone that it is possible to catch those running the dark web. In an article titled ‘Shining a Light on Policing of the Dark Web: An Analysis of UK Investigatory Powers’, the author goes into detail regarding the various policing methods which are generally used by the police to catch the notorious administrators of the dark web. She talks about the use of Open Source Intelligence (OSINT), which is essentially data and information obtained through completely legal means. Cybercriminals are required to walk a very thin line between maintaining their anonymity and revealing their identities a little in order to attract more customers etc. to them. Silk Road, one of the largest dark web marketplaces, was taken down by picking up the breadcrumbs left behind by the sellers.

There have been instances of dark web sellers being caught in India. In 2020, a man named Dipu Singh was arrested for shipping parcels of psychotropic substances; around 12,000 psychotropic drug tablets were seized from his residence, and a total of 55,000 drug tablets from various sources, during a two-month-long operation conducted by the NCB with the cooperation of other international agencies. Some may believe that catching some of these criminals is not going to prevent the crimes from continuing. This was seen in the case of the Silk Road: no sooner was Silk Road one intercepted by the authorities than Silk Road 2 came into being. It is important to note that simply because crime will continue to happen does not mean that no effort should go into catching the perpetrators of these crimes.

India has a long way to go to be able to effectively deal with crimes related to the dark web. Since the online presence of individuals is only growing due to the pandemic, it is time that effective measures, keeping in mind the short term and the long term goals, be implemented immediately.  

This article has been written and submitted by Aditi Srivastava as a part of Tsaaro’s Data Protection Blog Writing Competition. 
