Introduction

India, in the recent times, has been at the receiving end of several attacks of online extortion with latest one being the Instant loan app blackmail case. With around 2.8 thousand cases being recorded in India only in 2021, it clearly indicates the gravity of the issue.

In the light of the same, this article aims to analyse the penal framework for the offence of extortion (s.383) as provided in the Indian Penal Code (“IPC”). It argues that the current framework is inadequate and is not potent enough to effectively carry out the penalization of the offence. Therefore, subsequently it analyses the issues and suggests policy suggestions that elaborate on how its penalization framework can be made more effective by incorporating certain changes.

The article is divided in three sections. Firstly, it provides the contours of the offence of extortion and states on the multitude of offences that come under the fold of online extortion, further identifying the fronts on which the section falls short of being comprehensive and effective. This will be done by keeping s.503 of the IPC (Criminal intimidation) in juxtaposition, due to its similarity with s.383. Secondly, a stock of the rest of the legislations would be taken to identify to the elements they cover related to the offence of extortion or related offences. Finally, the article will provide policy suggestions that need to be incorporated to make the section, deriving certain aspects from the s.10 of the South African Cybercrimes and Cybersecurity Bill, 2017 which deals with extortion considering digital challenges such as ransomware attacks.

Examining s.383 of the IPC: Identifying loopholes and fault-lines

Extortion as an offence has been covered by Section 383 of the Indian Penal Code (IPC), 1860. The definition as stated in the IPC basically states that if any person puts another person in the fear of injury or threatens the person, in turn dishonestly inducing such person to transfer some property or valuable security to him commits the offence of extortion.

There are a couple of issues that arise out of the section making it inadequate, with all of them being in relation to the manner of operation of s.503 that deals with criminal intimidation. However, before dealing with the intricacies of the issues, a general overview of the multitude of offences that come within online extortion will be taken. The prominent categories of online extortion are: Online sextortion, Ransomware attacks, and other forms such as Denial of Service (DOS) attacks. Therefore, it can be gathered from the nature of the offences, potential targeted assets can be anything from company secrets to reputation.

These categories having been laid down, one aspect that becomes clear is that online extortion has a multi-faceted character and cannot solely fall within the section on extortion. This is because it has a narrow ambit since it merely covers the coerced transfer of any property or valuable security and does not include the performance of any actions that do not squarely deal with any property or valuable security i.ecoerced transfer of confidential information or. private pictures, forced relinquishment of a position of power, other forms mentioned above etc. This is where s.503 of the IPC covering criminal intimidation becomes relevant. 

The analysis of this issue ties in with the operation of s.503 of the IPCwhich covers the offence of criminal intimidation. This is because it covers the loopholes that the section on extortion leaves bare open. It states that there should exist a threat of injury to a person or elements like his property, reputation, etc or to similar elements of another person and such a threat should cause alarm to that person such that he is compelled to perform an action that he is not legally bound to do or omit from doing an act that he is legally entitled to do in order to avoid the execution of such threat. Therefore, it not only includes the coerced transfer of property or valuable security but also any other actions that can be coerced as mentioned above making it comprehensive enough to cover offences of online extortion too.

However, the one lacuna that exists in this qualification is that the penalty for the offence of extortion is a maximum of 3 years of jail or fine or both but the penalty for criminal intimidation is only up to a maximum of 2 years of jail or fine or both.  This incentivizes the offender to be charged under criminal intimidation than under extortion due to the shortened jail time. Therefore, it cannot be considered as an alternative viable option.

Another issue that crops up with respect to criminal intimidation is that, under the first schedule it is provided that under s.384, extortion is a non-bailable and cognizable offence whereas s.503 is a bailable and non-cognizable offence. Therefore, due to the bailability of the offence, not only does it make a better tradeoff for the accused to be charged under it but also creates additional problems for the investigating agencies since bailability in cyber-crimes such as online extortion creates significant impediments in the investigation process. The advent of technological advancements and the emergence of sophisticated hacking techniques like DDoS attacks,with ever-increasing complexity and intensity of cyber-crimes, it is often the case that the accused possesses superior knowledge and capabilities in comparison to law enforcement authorities. As a result, the police frequently need to enlist the assistance of private agencies to aid in the investigation process.

The implication of this is that if the accused is released on bail, they can potentially cause further harm, such as destroying evidence, tampering with witnesses, or concealing their identity. This not only disrupts the investigation process but also leads to delays in the administration of justice, causing harm to the overall criminal justice system. The low conviction rates observed in cyber-crime cases further demonstrate the detrimental impact of these circumstances. While certain safeguards exist, such as the ability to revoke bail if the conditions set forth in the bail bond are violated, this process can be protracted. Moreover, the accused still retains the ability to cause irreparable damage while on bail due to the tools and resources at their disposal.

To circumvent these challenges, law enforcement agencies sometimes attempt to apply non-bailable offenses from the IPCto deny bail, even if the committed offense does not strictly fall under those non-bailable categories.[1]This practice is problematic as it undermines the rights of the accused and grants excessive power to the police, creating a sense of impunity. Therefore, these issues make it amply apparent that there needs to be change in the framework of the provision on extortion.

Taking stock of other legislations: an overview

The relevant statutes in India are Information Technology Act (IT), 2000, Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules, 2021), Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2022 (IT Rules, 2022).  The IT Act, covers multiple elements which may relate to the commission of online extortion such as damage that may be caused to the computer system due to ransomware attack or the data that might be extracted in the course of the same (s.43), identity theft (s.66C), cheating by impersonation (s.66D) and violation of privacy (s.66E).Therefore, these provisions are sufficient to related elements of the wider offence, which might be offences in themselves.

The IT Rules 2021 and the latest IT (Amendment) Rules, 2022 covers the intermediary liability of the platforms (social media platforms prominently) on which extortion occurs. They delineate the due diligence requirements that the platforms have to observe to protect their safe harbour provisions under s.79 of the IT Act with additional requirements for what constitute significant social media intermediaries under s.2 (v) of the IT Rules, 2021 and the grievance redressal mechanisms. These requirements cover all elements including content moderation, publishing of privacy policy and user agreements, respecting digital rights of the users, reporting of cyber security incidents etc. Hence, any sort of online extortion case that involves such platforms would involve the application of these enactments to determine the liability based on the amount of due diligence they would have complied with. Hence, it can be surmised that since these statutes cover ancillary elements of online extortion sufficiently, they provides a stable footing for the wider regulation of the offence. Therefore, the only aspect that remains to make the framework complete is the tweaking of s.383 of the IPC.

Policy suggestions: the best way forward

For the resolution of the issues,the ambit of the s.383 needs to be widened, by not restricting ransom to valuable security or property merely extending to any acts and omissions that is demanded to be performed as ransom, which is basically the ambit of the provision on criminal intimidation. This will prevent the issues that normally derive from s.503 being a viable alternative for the accused, that is the accused would not have to be let out on bail since extortion is a non-bailable offence. Moreover, the period of punishment also being 3 years in s.384 as compared to 2 years in s.503, there does not remain a tradeoff that provides the accused a better option. Therefore, this one change can solve multiple issues.

Another model that can be looked upto will be the one given by South Africa. South Africa has a dedicated statute to deal with Cybercrime and Cybersecurity called the South African Cybercrimes and Cybersecurity Bill.  Section 10 of the legislation specifically criminalises cyber extortion. It is a comprehensive section dealing with the criminalisation of acquisition of protected data, interference with the computer system, access code, passwords, etc. hence creating a protective layer to pre-empt any sort of ransomware attacks. It has a broad ambit that covers the multiple types of online extortion that have been listed above. Moreover, another notable aspect of it is that it is connected to the other offences (s 3(1), 5(1), 6(1) or 7(1)(a) or (d)) which have been mentioned in the same act such essentially unlawful acquiring of data, unlawful interference with data or computer program, unlawful acquisition, possession etc. This allows the section to be more streamlined and specific, by including elements that in most cases have a part to play in cases of online extortion. This can also be emulated in s.383 by connecting the provisions given in the IT Act (can be incorporated as a sub-section to account for offences of online extortion), as given in the previous section, which connect to certain elements that may have a part to play in the commission of extortion. This would enable the better regulation of offences of online extortion.

The incorporation of the abovementioned changes would make the section comprehensive and even more effective. This would not only aid in the better regulation of the crime, but also ensure more efficient convictions due to smooth investigation process and fairer administration of justice.

[1]N. S. Nappinai, ‘Dissecting the IT Act’ Technology Laws Decoded (Lexis Nexis 2019, 1^st edn)

Parth Kantak is a third-year law student at NLSIU Bangalore pursuing BA.LLB. 

[Ed Note: This Article has been edited by Jeetendra Vishwakarma and published by Harshitha Adari from the Student Editorial Team.]