It is necessary for all regulators to remember the oft-repeated saying
that “Power corrupts and Absolute Power Corrupts Absolutely”. At a time
when the Indian IT laws are being formulated, it is necessary to remind
the lawmakers of this wise saying so that we do not have cause for regret later.
After the passage of the ITA-2000, the scope of the envisaged powers
of the regulatory authority is getting clarified through various rules
under the Act. To sharp observers, indications are evident that there is
already a clamor for power from various quarters. The Convergence Bill
was yet another indication that if allowed, there would be a total license
raj in the IT field, unless the Netizens raise their voice in time.
The Cyber Regulations Advisory Committee was a great idea promoted by
the first draft of the IT Bill. Section 88, sub-section (2), stated
as follows:
“The Cyber Regulations Advisory Committee shall consist of a Chairperson
and such number of other official and non-official members representing
the interests principally affected or having special knowledge of the subject-matter
as the Central Government may deem fit.”
Unfortunately, the good intentions behind the provisions of Sec 88 of
the ITA-2000, which envisaged participation of the private sector, were given
the go-by when the committee was constituted, and it became a body mostly
consisting of the Secretaries of different departments of the Government.
Even though a lot of credit was given to the Government for making India
one of the few countries to have a specific legislation for Cyber Laws
in the world, the bureaucratization of the CRAC will be considered the
biggest mistake of the Government in implementing the legislation.
The natural consequence of this bureaucratization is the clamoring for
more power to be concentrated with the regulators. The recent attempt
to formulate impractical laws of “Private Key Deposit” is an indication
of this developing disease.
While the CRAC is yet to pass the most important amendments that are
needed to correct mistakes made in the drafting of the ITA-2000 (e.g.,
Sec 35 (3), which has to be deleted), there appear to be more serious discussions
on how to acquire more powers to control Digital Signatures for the purpose
of decryption of encrypted communication.
Obviously, in a country where terrorist organizations from Pakistan
and Sri Lanka are active, the possibility of the Net being used for
anti-Indian activities is large. It is in this context that a proposal has been
made that all private keys used for encryption have to be deposited with
the Government agency. In order to facilitate this procedure, it has been
suggested that the Digital Certificates be issued with two pairs of Private
and Public keys, one of which is used for encrypting the hash code and the
other for encrypting the message. While the private key meant for hash
code encryption is held by the owner in confidence to provide for legal
non-repudiation, the other private key is expected to be deposited with
a designated agency.
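The two-key split described above, as an added example that is not part of the original article: a toy textbook-RSA sketch (no padding, constructed keys and messages, all function names hypothetical) showing that the deposited encryption key lets the agency read a message but not sign as the owner, which would no longer hold if a single key pair did both jobs.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Textbook RSA from two primes: returns (public, private) as (exp, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def digest(message, n):
    # SHA-256 hash code of the message, reduced to fit the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    d, n = private
    return pow(digest(message, n), d, n)

def verify(message, signature, public):
    e, n = public
    return pow(signature, e, n) == digest(message, n)

def encrypt(plaintext, public):
    e, n = public
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this toy modulus")
    return pow(m, e, n)

def decrypt(ciphertext, private):
    d, n = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def escrow_demo():
    # Constructed keys from known Mersenne primes (far too small for real use).
    sig_pub, sig_priv = make_keypair(2**61 - 1, 2**89 - 1)    # kept by the owner
    enc_pub, enc_priv = make_keypair(2**107 - 1, 2**127 - 1)  # private half deposited
    escrowed = enc_priv                                       # the agency's copy
    msg, fake = b"tender bid: 4200", b"tender bid: 9999"      # constructed messages
    return {
        "agency_can_read": decrypt(encrypt(msg, enc_pub), escrowed) == msg,
        "owner_signature_valid": verify(msg, sign(msg, sig_priv), sig_pub),
        # The deposited key cannot produce a signature under the signing key.
        "agency_forgery_two_pairs": verify(fake, sign(fake, escrowed), sig_pub),
        # If one pair did both jobs, the depositary could sign as the owner.
        "agency_forgery_single_pair": verify(fake, sign(fake, escrowed), enc_pub),
    }
```
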
While the suggestion appears to be ingenious, it is highly impractical.
The browsers and the e-mail clients that are in use today are not equipped
to handle the two keys and if this is a system that is adopted in isolation
by India, there will be difficulty in verifying the Digital Signatures
issued outside India. Even though presently all Digital Certificates issued
outside India are legally invalid, sooner or later it will be necessary
to provide recognition to them through a “Cross Certification Process”.
At such a time the envisaged provision will become unenforceable.
The ITA-2000 already has a provision under Section 69 to direct
decryption of any encrypted message in the interest of national integrity
and friendly relations with neighboring countries. Failure to cooperate
with the regulator in this regard may result in imprisonment of up to 7
years. In view of this provision, it is perhaps unnecessary for the Regulator
to clamor for more powers to monitor the private message flow. If however,
it is felt that such a power should be available as an option, there has
to be proper checks and balances to avoid abuse of this provision.
One option is to make it mandatory for the regulator to obtain permission
from a high power committee to screen the e-mail messages of any Indian
Citizen. It is further necessary that such a committee should have a responsible
person from the public as a member so that the powers are not used for
political gains.
Cyber rights groups in India expect that the Government would be more
transparent about such provisions so that the CRAC is not misused to concentrate
more and more power for the regulator. Those who believe that the regulator
can be trusted with more powers should examine the Indian experience with
the SEBI in regulating the Capital markets. Ever since SEBI was formed,
it has been asking and getting more and more powers. The investors however
continue to lose money and bear operators seem to have SEBI in their pockets.
Even the FM seems to hide behind the powers of SEBI to deflect any inconvenient
questions about the Capital markets and Investors have been driven out
of the Capital markets forever.
Let’s hope that the Regulation of the Cyber Space in India does not
drive away the common man from the use of Internet itself.
Naavi
May 6, 2001