SPYWARE AND MALWARE: LIABILITY FOR SPREADING COMPUTER CONTAMINANTS (SECTION 43)

This article is written by Olalekan Fathia Mojisola, University Of Ibadan, Faculty Of Law, 2025. During my internship at LeDroit India.

Table of contents

• INTRODUCTION 
• COMPUTER CONTAMINANTS
• INDEPTH DEFINITION OF THE TERMS “MALWARE AND SPYWARE”
• SECTION 43 
• LIABILITY FOR SPREADING COMPUTER CONTAMINANTS 
• LAND MARK CASES
• CONCLUSION 

Abstract

The exponential growth of digital technology has profoundly reshaped social, economic, and administrative systems across the globe, particularly in technologically advancing jurisdictions such as India. While the integration of computer systems and internet-based platforms has enhanced efficiency, accessibility, and innovation, it has simultaneously increased exposure to cyber threats. Among the most significant of these threats are spyware and malware, which function as computer contaminants capable of compromising data integrity, violating privacy, and disrupting computer systems and networks. These malicious tools have become central instruments in the commission of cybercrimes, posing serious legal and regulatory challenges.

This article undertakes a detailed examination of spyware and malware within the context of liability for spreading computer contaminants under Indian law. It analyses the legal framework established by the Information Technology Act, 2000, with particular emphasis on Section 43, which provides for civil liability and compensation for unauthorized access, data extraction, and the introduction of computer contaminants.

The study further considers related statutory provisions, section 43 A, 66 A-E, 67 and 72A as well as the Indian penal code as amended by the information technology act which collectively address data protection, privacy breaches, fraudulent conduct, and penal consequences for cyber-related offences. In addition, the article evaluates relevant judicial decisions to demonstrate the practical application of these provisions and the evolving judicial approach to cybercrime in India.

The article argues that although the existing legal framework offers substantial mechanisms for addressing cyber threats, the dynamic and sophisticated nature of spyware and malware necessitates continuous legislative development, effective enforcement, and heightened institutional accountability. Strengthening these measures is essential to ensure adequate protection of digital infrastructure, individual rights, and public confidence in the digital ecosystem.

INTRODUCTION 

Technology is defined by the 10^th edition of the Black’s law dictionary on page 1682, as modern equipment machines and methods based on contemporary knowledge of science for practical human goals. The most prevalent application of technology is the use of certain devices like computers, laptops, smartphones etcetera. 

Digital technology has advanced more rapidly than any innovation in our history. It has played a vital role in the development of nations. It has helped countries in increasing their productivity, reduce costs, improve the quality of goods and services and enhance communication and transportation system.

Technology has played a significant role in the development of nations and it will continually does even in the nearest future. It helps in increase in productivity e.g  Artificial intelligence can help and has helped in reduce labour costs, streamline processes and increased output. Also, it can enhance the quality products that meet global standards.

It serves the purpose of globalization, in terms of improvement in communication and transportation system. Which has made it easier for people to connect and communicate across the world. This provides the opportunity of global market place where goods and services can exchanged without physical contact in different countries. In addition, it aids transportation technology making it easier for people and goods to move across boarders facilitating trade and commerce. The relationship between technology and nations is evolving rapidly. With the increased availability of affordable smartphones and internet access, more people are gaining access to technology. This leads to a shift in power dynamics as individual and communities are empowered to create and share their content, evading traditional goalkeepers.

India is a country that has experienced significant technological transformation in recent years. The country has become a hub for software development, with many global companies outsourcing their IT services to Indian firms. Additionally, India has a thriving startup ecosystem, with many companies working on cutting-edge technologies such as artificial intelligence and block chain.

One of the most significant areas where technology has made an impact in India is financial services. The government has launched several initiatives to promote financial inclusion, such as the Jan Dhan Yojana program, which aims to provide bank accounts to every household in the country. Digital payment platforms such as Paytm and PhonePe have also gained widespread adoption, making it easier for people to transact and access financial services

Looking ahead, the relationship between technology and India is likely to continue evolving. The government has set ambitious goals in areas such as digital governance, renewable energy, and smart cities. The country is also investing in research and development to foster innovation and technological advancements. As technology continues to evolve, India has the opportunity to leverage its technological capabilities to drive economic growth, improve social outcomes, and address pressing challenges such as climate change and sustainable development.

However, Technology has performed a significant role in every aspect of life and also in evolvement if countries. Nevertheless, the threats posed by technology in the sense of computer is so much a challenge in 21^st century that can not be easily ignored by the Government that  Laws are being developed in respect to each country to tackle these prosed by the evolvement of technology.  Therefore, understanding the laws governing cybercrime is crucial in this digital era. The act of advertently spread a computer virus is an action liable to punishment or fine and it can cause significant damage to data anyd system. Different countries have specific legislation to tackle such malicious activities. 

In India, the primary law addresses the issue of cybercrimes, including the spread of computer viruses and other malicious acts is “Information Technology Acts”. This paper will examine the major tools used in cybercrime acts, Section 43 as an act enacted to make anyone  engaged in the act liable to legal consequences and finally, how the law can effectively ensure this become less attention demanding for the Government.

COMPUTER CONTAMINANTS 

Computer contaminants refers to any set of computer instructions designed to modify, damage, destroy, record or transmit information in a computer system or network without the consent or permission of the owner of the information. The term included, but not secluded to a group of computer instructions commonly called viruses, worms which are self replicating or self propagating and are designed to contaminate other computer programs or data,, modify, destroy record or transmit data.

SPYWARE AND MALWARE

SPYWARE 

The term emerged first in an online discussion in the 1990s, it is a malicious software which enters a system, gathers data from it and proceed to send it to a third party without the awareness of the owner. A generally acceptable definition of the term “spyware” is a strand of malware which is designed to access and damage a device without the awareness of the owner.

The primary aim of a spyware is to collect personal and sensitive information and send it to malicious actors, advertisers etcetera.

Common types of spyware include:

•  Keylogger spyware: They are known for recording every keystroke performed on an infected system. They can capture passwords, usernames, credit card and numbers, financial information, personal messages and emails. Those of advanced stage can even capture screenshots, providing context to the recorded keystrokes.
• Trojan horse spyware: It tricks users into installation by disguising as as a legitimate software. Once activated, it is capable of stealing sensitive data, provides easy or unauthorized access to cybercriminals or even weaken the whole system’s integrity.  A typical example is cited in a fake antivirus program which claims to protect the device but actually installs spyware. Once installed, it might steal personal information or even hold files for ransom.
• Browser hijackers: it major on manipulating wen users, mostly known for changing default search engines, redirecting users to unwanted websites or modifies browsers settings without permission. 
• Tracking cookies: Though it is not as intrusive as trojan viruses, tracking cookies may collect the history of the users browsing session  site preferences during different sessions. Cybercriminals use these cookies to create users profiles and at time sell them.
• Password stealers: As the name impressed, it is responsible for retrieving password is from a victim, they can focus of stored passwords in  browsers or other password protected applications. The captured passwords grant attackers access to personal account like emails, social media, banking, which leads to identity theft, financial loses or unauthorized use of device. 

Keywords: spyware, malicious software, cyber attack , information, threats.

MALWARE

Malware is a software designed to cause harm and grant unauthorized access to a computer and it’s resources it is an umbrella that encompasses all forms ranging from viruses that infect files to sophisticated Trojans that secretly steal information. As soon as malware is injected into a PC, it can wreak all varieties of havoc, from taking control of the system to tracking users movement and keystroke, to silently sending all kinds of private information from a personal computer or network to the attackers domesticat base. It include:

•  Viruses: They are programs designed majorly attached to files or other programs and then replicate themselves whenever the affected file is run. In the history of malware, viruses were the first malware to be identified. They damage files, reduce the efficiency of the computer’s performance or even create an opportunity for other malware infections to occur.
• Worms: They are self replicating, moving from one network to the other through advantages taken from existence in protocols it systems. Their ability to replicate makes them more dangerous because an entire corporate network can be overwhelmed within short period of time.
• Ransomware: It locks the files or entire system of a victim an demand a certain amount of money (most times cryptocurrency). Some of the most popular viruses include petya and wannacy . It is considered one of the most financially s destructive cyber threats because of the downtime it causes, the ransom and impact on the brand. 
• Adware: it interrupts the users by presenting them with pop up advertisement or redirects the traffic to pages containing advertisement to generate revenue. Though often considered one of the least dangerous type of malware, it can negatively affect performance and efficacy of the computer.

Keywords: unauthorized, information, havoc, steal, unauthorized 

SPYWARE AND MALWARE AS  TOOLS USED BY CYBERCRIMINALS TO COMMIT CYBERCRIMES. 

WHAT ARE CYBERCRIME AND HOW HAS THE LAW EVOLVED TO CURB THESE ACTS AND THE PUNISHMENT ATTACHED? 

 Cybercrime is any illegal or criminal activity carried out using computer network or the Internet. It is considered an illegal activity because it involves any action that goes against the law of a country or a state or prohibited by the law and if practiced or involved with can lead to facing criminal liability in the form of a penalty or punishment already prescribed. 

With the increasing use of technology and Internet variations, though it has its advantages in immeasurable amount, however the shortcomings accredited to it keep increasing day by day. The internet crimes happening via cyberspace were getting difficult to curb and hence  the intensity of crime was unstoppable and evitable, the existing laws weren’t able to curtail the problem and hence the need arise to stop this act immediately by passing the information technology act. One of the primary features of Law is dynamism, i.e. it tends to change and be current with the evolving society.  Cyber laws in India were implemented in order to curb  the emerging cyber crimes.  The hour of emergency was demanding some firm legal infrastructure in order to lower the crime rate surrounding cyberspace. Cyberspace includes computers, emails, networks, phones,  electronic devices, Atm, data storage devices, etc. cyber law deals with cyber crimes, electronic or digital signatures, intellectual property, and data protection and privacy. In cybercrime, the computer is used as a tool for committing these crimes with the help of telecommunication technology.

Keywords: illegal, criminal, internet, cyberspace, cyber law.

INFORMATION TECHNOLOGY ACT, 2000 (IT ACT): OVERVIEW OF THE ACT

The Computer Fraud and Abuse Act of 19862 was the first cyber law ever to be enacted. It prohibits unauthorized access to computers as well as the misuse of digital data. In India, cyber crimes are governed by the Information Technology Act of 20003 and the Indian Penal Code of 1860.  The legislation that deals with issues related to online crime and internet trading is the Information Technology Act of 2000. However, a term and penalty for cybercrime were added to the Act in 2008. 

Penalties attached in the case of breach of data privacy. The penalties and liabilities under the Information Technology are discussed as follow

SECTION 43 

Civil liability in case of a computer database theft occurs when a computer trespass is committed, unauthorized digital copying is made, data is downloaded or extracted, privacy is violated etcetera. Under the Information Technology (Amendment) ACT 2008. In addition, Section 43 states that a person shall be liable to pay damages I’m compensation for damage to computer including:

1. Unauthorized access to such computer system, computer network or computer resources.
2. Download, copy or extract any idea, computer database or information from such computer or computer system or computer network. Which include information, data held in any removable storage medium.
3. Introduces or serve as a gateway to introduction of any computer contaminants or virus into any computer system, computer network etc.
4. Damages or causes to damage any computer, computer system, computer network, data, corrupt databases or any other program residing in such corrupt, computer system or computer network.
5. Steals, conceals, destroys, or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resources with an intention to cause damage. 

He shall be liable to pay damages by way of compensation to the person so affected.

For the purposes of this section,-

(i) “computer contaminant” means any set of computer instructions that are designed-

(a) To modify, destroy, record, transmit data or program residing within a computer, computer system or computer network; or

(b) By any means to usurp the normal operation of the computer, computer system, or computer network;

(ii)“computer database” means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalized manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;

(iii) “computer virus” means any computer instruction, information, data or program that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a program, data or instruction is executed or some other event takes place in that computer resource;

(iv) “damage” means to destroy, alter, delete, add, modify or rearrange any computer resource by any means;

(v) “computer source code” means the listing of programmes, computer commands, design and layout and program analysis of computer resource in any form.

SECTION 43A

Section 43 A provides that where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns; controls or operate is negligent in maintaining reasonable security measures thereby causing wrongful loss or gain to anyone, such body corporate shall be liable to pay damages by way if compensation to the person so affected.

The concept of “sensitive personal information” under section 43 A provides civil action in case of security breaches. However , sensitive personal information is not protected by Indian Law. As provided for  in the act, the aggrieved person may be entitled to compensation if the company failed to keep his or her personal data protected while they were being processed by the company, whether as a result of negligently implementing reasonable security measures.

SECTION 72A

Any person, including an intermediary when providing services under the terms of a lawful contract, discloses information in breach of that contract except as otherwise provided in this act or any other law for the time being in force breaches privacy. It is unlawful for anyone who has secured access to material containing personal information about another person to disclose it without their consent or in violating lawful contract, any personal information relating to another person. The punishment is up to 3 years imprisonment or a fine up to 5 lakhs rupees or both.

Section 72A of the Information Technology act would apply to an industry or company as well as an employee. An employee has a lawful contract i.e. employment contract with the employee. Employees get access to sensitive personal data or material containing personal information while providing services to the clients of the employer under the contract of employment. 

Section 66: Applies to any conduct described in Section 43 that’s dishonest or fraudulent. There are often up to three years of imprisonment in such instances, or a fine of up to Rs. 5 lakh. In Kumar v Whiteley (1991),11 the accused acquired illegal access to the Joint Academic Network (JANET) throughout the investigation and modified, added, and removed files. Investigations revealed that Kumar had been accessing BSNL broadband Internet connections under the guise of a legitimate authorized user and altering computer records relevant to subscribers’ broadband Internet user accounts.

The CBI launched an inquiry into Kumar after discovering unlawful use of broadband Internet on his computer, which was the inspiration of an anonymous allegation. The subscribers also lost Rs 38,248 as a result of Kumar’s wrongdoing. The extra Chief Metropolitan Magistrate condemned N G Arun Kumar. Following Sections 420 of the IPC12 and 66 of the IT Act13, the magistrate sentenced him to a stern year in prison and a fine of Rs 5,000.

Section 66B: This section outlines the results of receiving computer or communication equipment that has been unlawfully obtained, and it confirms a possible three-year jail sentence. A fine of up to Rs. 1 lakh can also be imposed, counting on the severity. Digital signatures, password hacking, and other sorts of identity theft are the main topics of Section 66C. This section carries a fine of 1 lakh rupees and a maximum sentence of three years in prison.

Section 66D:  This section deals with impersonating somebody else while using computer resources to cheat. If found guilty, the penalty carries a maximum three-year prison sentence also as a maximum fine of Rs. 1 lakh.

Section 66E: Violations of this section include publishing or transmitting images of personal spaces without the owner’s permission. If found guilty, the penalty carries a maximum three-year prison sentence also as a maximum fine of Rs. 1 lakh.

Section 67: This deals with publishing obscenities online. If found guilty, the utmost sentence is three years in prison, and there’s also a potential fine of Rs 2 lakh.

LANDMARK CASES

1. In August 2025, the Punjab & Haryana High Court in a particular case emphasized the serious nature of digital offenses during bail proceedings. While denying anticipatory bail in a digital fraud matter, the court stated:

“Digital crimes pose significant threats to India’s technological infrastructure; elements such as offense severity, potential evidence destruction, and probability of repeat violations require careful assessment before considering bail.” 

Through mandating “thorough analysis of multiple critical elements,” the court highlighted three core concepts:

• Offense Magnitude: Sophisticated digital scams and information breaches frequently involve international connections that extend beyond typical criminal acts.
• Evidence Preservation: Digital proof can be rapidly eliminated; maintaining control over electronic devices and data records remains crucial.
• Social Trust: Releasing individuals accused of major digital crimes could undermine confidence in electronic systems.

This ruling demonstrates judicial recognition that digital offenses require specialized treatment, potentially affecting similar bail decisions across the country.

2. State of Tamil Nadu v.  Suhas  Katti (2004); the first cyber stalking conviction: This marked the first conviction for cyber harassment. The accused created a fake email ID to post obscene messages about a woman in public chat group. This case was tried under section 67 of the IT (information technology) act, which deals with publishing obscene materials in electronic for. The court found Suhas Katti guilty and was sentenced to to years imprisonment and a fine. The judgement was pivotal because it showed how the judiciary are active in approach addressing emerging forms of digital exploitation, especially crimes targeting women.
3. Sabu Mathew George v. Union of India (2018)

The case focused on curbing illegal online advertisements related to prenatal sex determination, which is banned under the PCPNDT Act. The Supreme Court directed Google, Yahoo, and Microsoft to auto-block such content.

 This case sets a precedent for proactive content filtering and regulatory compliance by search engines to curb social harm.

4. CbBI vs. Arif Azim (Sony Sambhand case) (2013).

The website, www.sonysambhand.com, allowed NRIS to buy Sony product. India friends and relatives by paying through online mode. In 2022, sone logged into the website under the name of Barba Campa and bought a Sony Color TV along with cordless telephone for a person named Arif Azim. The transaction was paid through a credit card and the items delivered to Arif Azim.

Later the website was informed that the payment for the transaction was unauthorized and the card owner denied having made the payment. A case was lodged with CBI and later investigating revealed that Arif Azim was working with Noida call cevtre, while working there, he got hold of the credit card details of Barbara Campa and misappropriated the same.

The court held that IPC could be depended upon when the Information Technology Act was not exhaustive. The accused was found guilty, but was given a lenient term of one year of probationary period for being a young boy and first time offender 

5. Poona Auto Anillaries PVT Itel vs Punjab Nation bank and ors (2013). 

The complainant Manmohan Singh Matharu, MD of Pune base firm . Poona Auto Anillaries was defrauded to the time of RS.80.10 lakh from his (PNB) account after he responded to a phishing email.

In this dispute, PND was ordered to pay RS. 45 lakhs as compensation to the complainant  as the bank was being negligent for not having proper security checks against fraudulent acts that were used to defraud the complainant. Furthermore, the complainant was asked to share his liability since he had opened the phishing email. This was considered one of the largest compensation awarded to a person in legal adjudication of a cybercrime dispute.

CONCLUSION

Every law made are enacted with the relevance of social, political, economic z and cultural scenario of ongoing time. The evolvement of technology led to the enactment of new , unexpected and complex legal issues. Internet crimes were not anticipated therefore, became impossible for legislators to envision the need of cyber laws in the country. Despite having cognitive abilities and smart foresight, the legislators or the draftsmen were not aware of the idea that the invention of the internet which was and still highly praised by us all could lead to a problem and major challenge in the 21^st century, leading to crimes and illegal activities happening through computer and electronic devices. Hence, the need for enactment of new relevant to eliminate or at least manage the cyberspace malicious activities. The information Technology act was made to give legal recognition to the laws pertaining to internet misconduct and  provide protection for citizens

Internet technology is widely used in different countries and the laws made provide security measures for the citizens. This paper focuses on the major category of computer contaminants and how the law has evolved to put an end to the steady growth of these activities.

India being in a digital revolution stage, and everyone dependent on computer s and other digital devices to keep their valuable data. Technology is like 2 phased whereby the disadvantageous aspect it is coming into notice. Therefore, it became the sury of governing law making body to ensure that technology advancement is diverts it’s invention into legal and right authority.

Cyber laws is very important for each country to curb the increasing crime rate so as to ensure safety and provide a protective environment where citizens get to live without the fear of being a victim of this vicious circle of criminal conduct. Laws are made primarily to ensure order and security. Evolution and development is crucial in every country however, the governing law making body must always be at alert to ensure that laws are being modified to ensure it relevant with the growth of the society.