Combatting Personal Data Sharing on the Dark Web: Framework, Challenges & Efforts

The dark web, accessed via special software, enables anonymous activities, including trading stolen data. In India, stolen Aadhaar details, credit card information, and telecom user data have been sold, impacting millions.

Author: Tanvi Dawrani

The ‘dark web’ is a part of the internet that is not indexed by traditional search engines and can only be accessed using purpose-built software (like Tor, I2P, and Freenet). On the dark web, users can access hidden websites and interact anonymously, obscuring their identity, IP address, and location with specialized protocols. A recent study undertaken by Lisianthus Tech revealed that approximately 20% of cybercrimes in India include the use of the dark web by online attackers. The sharing of stolen personal data of Indian citizens on the dark web, like Aadhaar details, credit card information, and social security numbers, is a particularly concerning development.

Earlier this year, the Indian Mobile Network Consumer Database of 750 million users was found to be made available for sale by CyboDevil and UNIT8200, two prominent vendors on the dark web. A cybersecurity firm’s analysis of the initial sample dataset revealed that the information pertained to major Indian telecom providers, and impacted 85% of the Indian population. Affected individuals were placed at significant risk of financial losses, identity theft, reputational harm, and increased vulnerability to cyberattacks.

Large amounts of personal information accessed through data breaches are often advertised for sale or access on dark web platforms. While measures are being undertaken to improve information security in India and enhance data breach monitoring, the following post discusses India’s legal framework and the challenges in addressing the proliferation of stolen personal data through the dark web.

Regulatory framework for personal data on the dark web:

The dark web enables the exchange of unauthorized personal information in a manner similar to the buying, selling, or sharing of legitimate goods on the surface web. Several platforms, like Genesis Market and Joker’s Stash, have been implicated in selling stolen data of Indian users, including digital fingerprints, card numbers, and CVV codes. Personal data is anonymously uploaded to these platforms and made available for sale without the individual’s awareness. Acknowledging the severity of such cybercrimes, the Indian legal framework has included several provisions to tackle them.

Section 66B of the Information Technology (IT) Act, 2000 penalizes the dishonest receipt and retention of stolen data. This implies that a dark web platform hosting stolen data becomes liable when it receives and shares such data. Similarly, the recipient of the stolen data too becomes liable upon receiving it. Violators are liable to imprisonment of up to 3 years and/or a fine of up to INR 1 lakh. The exchange of stolen data on the dark web often transcends national borders. To regulate cross-border online activities, Section 75 of the IT Act clarifies the application of this law to persons outside India if the offence relates to Indian computer systems or networks.

Furthermore, although not yet enforced, the Digital Personal Data Protection (DPDP) Act, 2023 regulates the processing of personal data. The DPDP Act makes the data principal’s consent the basis for most processing activities. Section 33(1) of the Act enables the Data Protection Board to impose a penalty on any person significantly breaching the law. Unlawful processing of personal data will attract severe penalties of up to INR 50 crores under the Act. Hence, the entities or platforms engaged in the hosting or sharing of unauthorized personal data on the dark web may be liable under this law.

Hurdles to enforcement:

While India has a regulatory framework in place, certain issues impede the proper enforcement of the law against dark web entities. One key obstacle is the anonymous and encrypted nature of the dark web, which makes it extremely hard to trace offenders. Platforms and users on the dark web often utilize pseudonyms and VPNs, further complicating the identification process. The majority of transactions on the dark web also utilize cryptocurrency, which offers the pseudonymity that these users require. Additionally, platforms and entities on the dark web often create ‘mirror-links’. These are alternative websites created to ensure user access even if the original site is taken down. This tactic allows offenders to evade detection and continue their illicit activities while adding another layer of difficulty for authorities to trace the source.

Another pertinent concern is the decentralized nature of the dark web. The majority of activities on the dark web transcend borders, making it arduous to determine the jurisdiction that is authorized to prosecute. This lack of clarity, combined with the fact that not all law enforcement agencies are well equipped with the resources and the knowledge to deal with dark web crimes, poses a hindrance in monitoring and preventing illegal data sharing effectively.

Combatting dark web cybercrimes: Domestic and global efforts

Numerous mechanisms have been developed by the Indian Government to supplement the legal framework on cybercrimes involving the dark web. The Indian Computer Emergency Response Team (CERT-IN) has issued guidelines for the occurrence of cybersecurity incidents. It has also issued an advisory to various service providers to ensure effective coordination and enhance the monitoring of leaked information. Initiatives like the Crime and Criminal Tracking Network and System (CCTNS) and the Indian Cyber-Crime Coordination Center (I4C) further strengthen investigative abilities by allowing real-time reporting, and centralized data access for law enforcement.

In addition to these, the conduct of public awareness campaigns and the establishment of cyber-forensic labs can help in addressing cybercrimes effectively. Moreover, internationally, specialized dark web tools (Identity Guard, Aura, and IdentityForce) have increasingly gained prominence for their ability to monitor in real time and trace offenders. The United States stands out in tackling cybercrime on the dark web. The Federal Bureau of Investigation (FBI) has demonstrated exceptional capability in tracking, infiltrating, and dismantling illegal operations, notably shutting down Silk Road, AlphaBay, and Hansa. It also effectively employs global collaboration to apprehend offenders and tackle illegal activities. Further, the Netherlands is moving away from a reactive approach to a proactive approach to tackle cybercrime. It aims to bolster existing alliances, form new partnerships, and invest in intelligence capabilities while zealously involving the private sector, civil society, and researchers to enhance cyber expertise. Analogously, Germany plans to augment the user-friendliness of security systems, utilize quantum technology for IT security, and equip its technical and operational divisions to tackle cybercrime on the dark web proficiently.

The synergy of domestic efforts and global collaborations underlines the significance of a multifaceted approach to tackling challenges emerging from the dark web. By continuing to evolve novel strategies and leveraging global partnerships, nations can work together to build a safe and resilient digital landscape.

The views expressed are solely those of the author and are not affiliated with the organization.
