Essentials of Cyber Laws for IT Professionals
By
Naavi

[Presented at Sairam  Engineering College on February 18, 2003 during the Seminar on Cryptography]

What Has Engineering to Do with Law? 

It is very appropriate that we are discussing the essentials of Cyber Laws in this forum of technology students after extensive discussions on the science of Cryptography. Cryptography is the perfect convergence point to demonstrate the interdependence of Cyber Laws and Applied Mathematics, which is the core content of Engineering studies.

Engineering has many disciplines. From more generic Civil and Mechanical to Electrical and Electronics onto niche areas such as from Mining to Aeronautical Engineering.  The scope of Engineering has been further expanding in recent days with an extension into areas such as Bio Medical Engineering. When one observes these developments, it appears that Engineering is evolving as a discipline with possible areas of specialization in every other discipline.  

In this context, it is interesting to observe that the growth of technology in the use of Computers by the society and more particularly the  Convergence of Communication, Broadcasting and Information Technologies has brought one section of Engineering namely “Information Security” in an overlapping relation with the discipline of Law. Perhaps if there was a discipline called “Information Security Engineering”, Cyber Laws would be an integral part of it, as it today is,  in many MBA programmes. 

With the advent of Computers as a basic tool of Communication, Information Processing, Information Storage, Physical Devices Control, etc., a whole new Cyber Society has come into existence. This Cyber society operates on a virtual world created by Technology and it is the “Cyber Space Engineering” that drives this world.  In maintaining harmony and co-existence of people in this Cyber Space, there is a need for a legal regime which is what we recognize as “Cyber laws”. 

Today, if you are an Automobile Engineer, you need to know about the laws of different countries on the “Emission Standards” and the Engineers have to take this piece of “Environmental Law” into their design and production planning. Similarly, if you are today working with Computers in any way then you need to take into consideration the Cyber Laws. 

Unlike the Emission Laws , Cyber Laws are the basic laws of a Society and hence have implications on every aspect of the Cyber Society such as Governance, Business, Crimes, Entertainment,  Information Delivery, Education etc. 

Whether you are designing a pure engineering equipment such as an Automobile or a CNC machine or a CT Scan machine, or even everyday Consumer devices such as a Washing Machine or a Television or a Mobile phone, or maintaining  a Space Shuttle or an Electricity Generating Station, you would observe that there are Computer systems embedded into devices and they communicate with other Computer devices electronically.  

In other words, every high tech mechanical device which we use today is a mini or micro computer and operates in a “Cyber Space” created by communicating devices. Their actions, automatic or triggered by human intervention, could have consequences on which the society has imposed some restrictions in the form of Laws and these are by definition, Cyber Laws.  

It is needless to say that if you are designing Computer Software, you are actually designing the core component that creates the Cyber World itself and all aspects of the laws of the Cyber World are applicable to your creation.  

We can therefore say that the work of an Engineer in the coming years is to do a lot with Computers or Computer led devices and therefore the laws covering the functions of these devices are a relevant knowledge for Engineers. This knowledge is critical for those in the discipline of Software Engineering, Telecommunication Engineering and Security Engineering.  

Lack of such knowledge could drive the promising career of the Engineer into a Cyber Accident which would be debilitating for the Engineer and a loss to the society in general.  

Some Incidents that we Need to Ponder 

v     Mr Dmitry Sklyarov was a software developer in a Russian Company called Elcom soft and was heading one of their projects. He was invited to speak in a seminar in California and landed in the US territory. He was immediately arrested allegedly for having developed a software which infringed on the Copyright law of USA. [After a prolonged battle and spending some time in Californian jail he was released for the consideration that the violation was considered unintentional]. 

o       Today IT Companies in India develop several softwares and many Engineers head those projects and also travel to various countries. Are we sure that we are not violating any law of any Country to which we may be traveling? 

v     Mr Arun Jain of Polaris was recently arrested and jailed for some time in Indonesia on an alleged violation of Indonesian law relating to a software development contract.  

v     Two managers of Chennai based Radiant Software a Computer  Education Company were arrested for an alleged violation of the licensing terms of  Software. The top management team had to obtain anticipatory bail to avoid arrests until a compromise was worked out. 

v     Two young Directors of a web hosting Company in Delhi  were arrested for an alleged “Hacking” when they tried to stop services to a customer who had not paid them the service charges. They spent some time in Jail before getting  bail and if convicted can be imprisoned for 3 years. 

v     A 16 year student of Bal Bharti Airforce School in Delhi was arrested for an offence of “Obscene Remarks made on a Website” and rusticated from the school. If convicted he could have been jailed for 5 years.  

v     Directors of Web services Companies such as Rediff.com and Times of India have been accused of “Pornographic Content” and issued notices for offences which could put them behind bars for 5 years. 

v     Mr Asif Azim was a Call center employee in Noida who was tempted to purchase a TV out of information of a customer available to him. He was traced and brought to justice in Delhi. 

v     A student of a University in Philippines was found to have released the deadly “I Love You” virus which played havoc worldwide. If he had been an Indian, perhaps he would have been made to shell out compensation until he was broke and also jailed. 

v     A Software Company in Delhi by name Maruti Software Services Pvt Ltd which was having a website in the name of www.marutionline.com was told on one fine morning that    they should change the name of their website because the name “maruti” can be used only by Suzuki Motors Ltd.   

v     Napster, a very successful E-Venture was hauled to the Court and beaten to death for having caused violation of Copyright of music companies. Despite willing customers and working technology, the business of the Company had to be shelved under an enormous loss to the promoters. 

v     There are many websites in India which could be held to be infringing the Patent rights of some body abroad and  asked to shut down or pay compensation putting an end to their entrepreneurial dreams. 

These are some examples of how Cyber Laws interact with the lives of Engineers either as Students, Software Developers , Business Managers or entrepreneurs.  

Knowledge is Power:  

Knowledge of Cyber Laws can not only help an Engineer to hedge against the Cyber Law related risks of the type mentioned above but also develop new career opportunities arising out of the need to protect the Cyber society through use of appropriate Counter Cyber Crime Technology tools.  

What Are Cyber Laws? 

Cyber Laws relate to the regulations that affect the transactions of individuals in Cyber Space namely the imaginary transaction area that seems to exist when two computers exchange data. 

These laws can be divided into four broad categories namely, 

1. Laws Relating to Digital Contracts
2. Laws Relating to Digital Property
3. Laws Relating to Digital Rights
4. Law of Cyber Crimes

The Law of Digital Contracts:  

Contracts are the lifeblood of business. They are agreements between two or more parties which can be enforced in a Court of Law. The Information Technology Act 2000 (ITA-2000) has given legal recognition in India for “Electronic Documents” and “Digital Signatures” so that in any context, if a document is to be in written form and signed for it to be legally valid, the document can be rendered as an Electronic Document and “Digitally Signed”.  

There are a few documents which are exempted from this recognition and they include documents relating to transfer or sale of immovable properties, wills, power of attorney documents, Trust deeds, promissory Notes and Bills of Exchange.   Excepting these exempted cases therefore, in India, Electronic documents have an universal recognition today. 

The “Digital Signature” is an important component of the Contract law and only a system using a standard one way hash algorithm for data integrity check and a standard asymmetric Crypto system using the Private and Public Key combination for encryption is defined as a valid “Digital Signature”.   

For issuing the standard key generation systems to the public, the Government is licensing agencies called “Certifying Authorities” who will on application from a member of the public issue a “Digital Certificate” based on certain approved procedures. The Digital Certificate will contain such details as the name and address of the holder, his e-mail address, a serial number and date of expiry. Presently four agencies have been licensed for this purpose including IDRBT (a Division of RBI) and NIC. Two private sector CA s are Safe Scrypt and TCS.  

In addition to giving recognition of electronic documents and digital signatures under the Indian law,  ITA-2000 has also clarified how we can determine the time and place of a electronic document execution when it is transmitted from one place to other. In simple terms, the usual place of residence of the sender/receiver of an electronic message would be considered as the place from which a document is executed by such sender /receiver. The time of sending is normally when the message leaves the sender’s system. If the receiver has designated the e-mail address to which the messages are to be sent on his behalf, the time of receipt is considered as the time when the message enters the system of the receiver whether or not he has seen the message. 

With the passage of this law therefore any electronic document which includes a webpage, e-mail or any other computer generated document can be held against the originator for legal purpose. If the document is not digitally signed, it would still be valid just like a “Oral Contract”.  

Another important aspect of the law of Digital Contracts is that any automatic system which can be a hardware or a software (eg: Servers, Routers, Programmes etc) can be considered as an “Agent” of its owner and any action taken by such a device or a programme may be legally held to be an action taken by the owner himself.  

Laws Relating to Digital Property: 

The Information Technology Act was enacted to give a boost to E-Commerce and hence it focused more on the Digital Contracts and Cyber Crimes. It did not focus on “Digital Property”. Hence there is no specific law in India other than the extended meaning of regular laws of physical property to address the issues arising out of Digital Property.  

For example, “Domain Name” is an important digital property which any website owner possesses. But who owns it and how it can be transferred etc is not covered by Indian law. This is however coming under the contractual arrangement between the “Domain Name Registrant” and the “Domain Name Registrar”. Domain Name registrars are those who are authorized for the purpose by ICANN (Internet Corporation for Assigned Names and Numbers)  and the law regarding domain names is governed indirectly by the policies of the ICANN. 

Presently the law of domain names is closely linked to the “Law of Trade Marks”. Under normal circumstances, the person who holds a “Trade mark Right” on any name can claim priority to possess a corresponding domain name and even dispossess the earlier registrant of a “Confusingly Similar Domain Name”. Thus Suzuki Motors can make a claim on the domain name www.marutionline.com or Rediff can make a claim on www.radiff.com  , Yahoo can make a claim on www.yahooindia.com and Spielberg can make a claim for www.dreamworkzweb.com.  

Yet another important Cyber Property is the “Content” or the actual files containing information. The “Content” either on a website or within a file confers a “Copyright” to the original author. Such a copyright holder can assign the copyright or license it for a price or allow it to be freely used by the public. The infringement of the Copyright of an author is covered by the Copyright Act which is otherwise applicable for printed works, films etc.  

The Cyber Copyright has some grey areas since a strict definition of Copyright law as applicable to the Meta Society would make “Caching”, “Proxy Server Setting”, “Meta Tags setting”, “Caching by a search engine”, “Hyper linking”, “Framing”, “File Sharing” etc as possible copyright infringements. 

Patents on Software and Web utilities are another area where Cyber Properties can be recognized. These are covered by Patent laws and the holder of a Patent can enforce payment of licensing fees or damages if a Patent system is used by another person without specific authorization. 

A problem in the Cyber Patents is that many of the fundamental aspects of technology that are required to keep the Internet going such as “Hyper Linking”, “Framing”, “E Commerce” etc have been claimed by some as “Patented Products” and selectively enforced.  

What an observer of Cyber Property laws has to understand is that these laws come under the umbrella of “Intellectual Property Rights” and we in India need to do as much to protect our own rights as to stop using some body else’s rights without permission.  

Laws Relating to Digital Rights: 

Every citizen of a Democratic society enjoys certain rights as a member of the society such as “Freedom of Speech” and  “Right to Privacy” within a frame work of regulation. These rights extend to the actions of individuals on Cyber Space.  

Freedom of Speech 

While the constitutional guarantees on freedom of speech extends to Cyber Speech which could be an expression on a website, the rights of regulators to restrict the freedom in the interest of sovereignty and integrity of the country and to maintain friendly relations with its neighbors as well as to retain harmony and peace in the society is also recognized in law.  

ITA-2000 provides that the Controller of Certifying Authorities can order decryption of any information and if any person does not cooperate with the regulatory authorities for such decryption, he can be imprisoned up to 7 years. 

Similarly under POTA, (Prevention of Terrorism Act)  appropriate authorities can intercept communication including e-mails under stated procedures without the knowledge of the e-mail user.

 Even under CrPC (Criminal Procedure Code) read together with ITA-2000, an investigating Police officer has certain rights to not only intercept and monitor communication but also requisition support of the Network administrator for the purpose. Any refusal could be considered punishable.

 Engineers in charge of systems, are therefore obligated to assist the law enforcement authorities in respect of any post crime investigation or  a preventive investigation.   

Privacy: 

Privacy is a personal right guaranteed by the Constitution of India and also the Human Rights Convention of UN. Privacy refers to the complete  control to a person on disclosure of his personal information to the society at large. 

In the Cyber world, whenever a person visits a website or sends out an e-mail his digital identities are being recorded by several systems. Additionally, people share their personal information such as their name, address, credit card numbers etc to several websites for benefits enjoyed. It is this information which comes under the Privacy rights of an individual.  

Violation of this Right to privacy is punishable according to laws in certain countries. The punishment will mostly be in the nature of payment of compensation. In some countries there are separate laws for “Data Protection” which provide guidelines on the preservation of confidentiality of documents.  

Some Countries have passed laws according to which if any data is exported for processing, it is subject to the processor in the foreign country complying with the laws applicable in the country of the exporter.  

Law of Cyber Crimes 

We have already discussed the essence of different laws of the Cyber World such as the laws of Digital Contracts, Digital Property and Digital Rights. Basically, any violation of these laws constitute a Crime and the Law of Cyber Crimes is therefore embedded in each of the laws discussed earlier. 

The ITA-2000 discusses certain offences that can be called Cyber Crimes. Additionally, any crime defined in the Indian Penal Code, if committed using a Cyber Tool such as a Computer, Website, E-mail or any other Electronic document, can also be classified as a Cyber Crime. 

Some of the easily identified Cyber Crimes are as follows. 

1. Hacking or Unauthorized Entry into Information Systems:
2. Virus Introduction
3. Publishing or Distribution of Obscene Content in Electronic Form
4. Tampering with Electronic Documents required to be kept under law
5. Providing False of information for obtaining Digital Certificates.
6. Causing Denial of Service
7. Frauds using Electronic Documents
8. Violation of Copyright, Trademark or Patent rights
9. Violation of Privacy rights such as Stalking
10. Defamation through E-mail

11. Holding out threats through E-mails
12. Assisting in commission of Crimes.
13. Non Cooperation with Regulatory authorities etc.

Punishments: 

Hacking is punishable with an imprisonment of up to 3 years and a fine of up to Rs 2 lakhs.
Attempting to access a system declared by Government as “Protected System” is punishable with an imprisonment of up to 10 years. 

Introducing Virus or a Computer Contaminant or Causing Denial of Services or misuse of Credit Card information is punishable with a liability to compensate the victim for losses suffered up to Rs 1 crore.   

Any Fraud using Electronic Documents is punishable with imprisonment up to 7 years. 

Tampering with source codes and transaction records required to be kept under law is punishable with an imprisonment of 3 years and fine of Rs 2 lakhs. 

Publishing and Distribution of Obscene information in electronic form is punishable with imprisonment up to 5 years and a fine of Rs 1 lakh each of which can be doubled for a second commission of the offense. 

Misrepresentation or providing false information for obtaining a Digital Certificate or publishing a digital certificate for fraudulent purpose, is punishable with imprisonment up to 2 years and a fine of up to Rs 1 lakhs.  

Violations of Copyright is punishable with imprisonment up to 7 years and fine as well as liability to pay compensation. Infringement of Patent and Trade Marks can also result in liabilities for compensation.  

Defamation through E-Mails will be punishable with liability for compensation. Threat may result in imprisonment up to 2 years. 

Non Compliance of certain instructions from regulatory agencies such as providing decryption assistance can result in imprisonment and in many other cases fines of varying amount.  

It is clear therefore that any Crime committed on the Cyber Space or with the use of Cyber tools is today punishable under law in India. These laws will also be applicable for those residing outside India provided any Computer in India is used in the process. In the case of offences committed by a Company, the officers in charge of the Company would be liable for the crime. 

Just as Indian Cyber Laws are applicable to people living outside India, laws of other countries are applicable to people living in India. Thus the Copyright law or Domain Name Law of USA will be applicable to Indians living in India even though its enforcement may require either for the alleged offender to be within the jurisdiction of the US authorities as it happened in the case of Dmitry Sklyarov or there is a Country to Country Crime prevention treaty under which the offender can be extradited to the country where the offence is recognized.  

Career Prospects 

Cyber Crimes involve technology for commission and therefore even the Law enforcement authorities need matching technology to trace a criminal and collect necessary evidence to prosecute him. This is the area of Cyber forensics where tools and applications are required on a continuous basis.  

Additionally, as a preventive strategy, there is a need for appropriate technology tools to prevent Virus Attacks, Hacking, Unauthorized Network Intrusions, Copyright Locks, Cryptographic tools etc. There is also a need for Cyber Patrolling tools that can generate alerts in time before a Cyber Crime is committed. 

Once such tools are developed, skilled manpower is required to use them and interpret the results. 

Development and use of such tools is the opportunity area for “Information Security Engineers” in the coming days. Globally, this is a sunrise profession  demanding the highest level of technical skills coupled with the highest level of integrity and commitment to the national duties.  The demand for “Ethical Hackers” and “Information Security Auditors”, which high security industries like Cyber Banking, E-Governance etc have created can be met only out of such formally trained professionals.

As of now, there are no formal systems of education that leads to the “Techno-Legal specialization” required for Information Security Management.  It is time leading Engineering institutes in the country take up this responsibility to equip the outgoing students with the premium skills of protecting Networks technically and Legally. Until such time, students need to pursue this specialization on their own gathering the knowledge from different sources.

Na.Vijayashankar 

(Naavi)

February 6, 2003

 For More Information, contact Naavi at www.naavi.com or send an e-mail to naavi@vsnl.com. For formal courses in Cyber Law, visit www.cyberlawcollege.com

---