ITAA 2006 A Review of the Provisions
ITAA 2006, the Bill to amend ITA 2000, is now available for public information. It is noted that the "Expert Committee's Recommendation" which was the basis for the amendment has been substantially modified. Many of the objectionable aspects of the Bill, against which Naavi.org had been running a campaign for more than a year, have been removed or suitably altered so that the digital society in India can feel relieved to some extent. We shall discuss the essence of the proposed changes in these columns over the next few weeks. We also invite comments and views from the public on the subject.
December 29 2006
ITAA-2006: Information Technology Amendment Act (Presently in the form of Bill 96 of 2006)
ITA 2000: Information Technology Act 2000 (Present operative Act. 21 of 2000)
ITA 2006: Information Technology Act 2000 (2006 version) after incorporating the proposed amendments
ITAA 2005: Information Technology Act Amendment Act (As proposed by the Expert Committee in 2005)
1. New Approach to Cyber Crime Laws..Sailing against the winds
A quick glance at the ITAA 2006 indicates a new approach towards Cyber Crime legislation in India. ITA 2000 had attempted a set of comprehensive laws for the Cyber Society and incorporated not only the E-Commerce promotional aspects, but also tried to define Cyber Crimes. This approach was different from the approach of countries like Malaysia which had passed separate laws for E-Commerce, Digital Contracts, Digital Signatures and Computer Crimes. However, in the last six years ITA-2000 and IPC were considered as working together to define Cyber Crimes and hence all offences of IPC committed with the use of Electronic documents were also considered Cyber Crimes in general. The separate sections under Chapter XI in ITA 2000 provided coverage of some specific crimes exclusive to Cyber world.
It appears that ITAA 2006 has decided to provide a greater focus to the definition of Crimes and has proceeded to add several Cyber Crimes directly in IPC. Academically we can debate whether this is a better approach or not, but the Police and Lawyer community may find the current approach a little easier to understand.
Merger of Section 66 with Section 43
One of the simplification measures has been to merge the offences under Section 66 with contraventions under Section 43. Accordingly, a set of deviations has been listed in Section 43 and these have been made subject to civil remedies under Section 43 and criminal prosecution under Section 66.
Naavi.org had very strongly supported the erstwhile Section 66 of ITA 2000 and the versatility of the words "Diminishing the value or Utility residing inside a computer" and opposed the provisions of ITAA 2005 in this regard. We are happy to note that this versatile definition of "Crime against information residing inside a computer" has now been retained though the term of imprisonment has been reduced from 3 years to 2 years.
The new section 66 however retains the ITAA 2005 proposition to make "Dishonest" and "Fraudulent" intentions a precondition to the invocation of this section while the present section stated "knowing that he is likely to cause wrongful harm" as one of the sufficient conditions to invoke the section 66.
As a result of this provision, "negligence" by knowledgeable persons causing wrongful harm is now not protected under ITAA 2006. Any person accused of a crime can therefore take the defense that the loss was caused accidentally or through authorized access.
Extracts from IPC
"Wrongful gain" is gain by unlawful means of property to which the person gaining is not legally entitled.
"Wrongful loss" is the loss by unlawful means of property to which the person losing it is legally entitled.
Gaining wrongfully, losing wrongfully- A person is said to gain wrongfully when such person retains wrongfully, as well as when such person acquires wrongfully. A person is said to lose wrongfully when such person is wrongfully kept out of any property as well as when such person is wrongfully deprived of property.
Whoever does anything with the intention of causing wrongful gain to one person or wrongful loss to another person, is said to do that thing "dishonestly".
A person is said to do a thing fraudulently if he does that thing with intent to defraud but not otherwise.
[P.S: "to defraud" is stating untruth as truth by a person knowingly and for making a gain. Detailed definition from lectric law library available here.]
Section 66 A which has been newly introduced addresses the crimes such as Cyber Stalking, E-Mail threats etc which were earlier covered under IPC only. The section however falls short of addressing the issue of "Cyber rumours" which are often used by terrorists since it addresses cases where the sender of a communication "Knows that it is false".
Mischievous statements which are either true or not substantiated or what the sender "believes to be true" may escape scrutiny of this section. Cyber stalking with "true information" may perhaps remain outside the purview of this section.
Apart from reducing the punishment under Section 67 to 2 years from the present 5 years, ITAA 2006 introduces a bifurcation of obscenity into two types. Content depicting a "Sexually Explicit" act will henceforth be considered a more serious offence compared to any other form of obscenity. The depiction of "Sexually Explicit Act or Conduct" in an electronic document will carry a five year imprisonment.
What constitutes "Sexually Explicit Conduct" is of course a matter of debate. ITAA 2005 had suggested "Depiction of Children in the sexual act" as the definition of an offence warranting a higher level of punishment.
One of the definitions used in USA (Military Honor and Decency Act) is:
"the term "sexually explicit material" means an audio recording, a film or video recording, or a periodical with visual depictions, produced in any medium, the dominant theme of which depicts or describes nudity, including sexual or excretory activities or organs, in a lascivious way."
Whether we adopt this definition or require a separate definition is open to debate.
Powers of Interception
Section 69 of ITA 2000 has been suitably amended to add the power of "Interception" which was not included earlier.
It is however necessary for the Government to prescribe safeguards subject to which such interception or monitoring or decryption may be made or done.
An attempt has been made to give a direction to the identification of norms for defining "Protected Systems".
The information security practices and procedures prescribed for such protected systems are awaited.
Role of CERT-In
ITAA 2006 has now, through Section 70 A, given a regulatory role to CERT-In, which was started as a division within the Ministry of Communications and Information Technology. Accordingly, CERT-In has the responsibility for coordinating all actions relating to information security practices, procedures, guidelines, incident prevention, response and report.
Hopefully CERT-In will steer clear of the NASSCOM influence and develop an approach independent of the industry pressures. How CERT-In will respond to "Open Source" will also be closely watched.
The new section 72A of ITAA 2006 seeks to exempt intermediaries and others from responsibility for breach of confidentiality regarding personal information collected by them from customers. This section creates liability only when the information is disclosed with "intent to cause or knowing that he is likely to cause wrongful harm".
Though "intent to cause" is a suggestion flowing from ITAA 2005 rendering the section nearly infructuous, the saving grace is that the liability arises if the holder of the information had the knowledge that the disclosure of information could cause wrongful harm.
Additionally, under IPC a new section 502A has been added where capturing of photographs of the private parts of an individual has been made a punishable offence. This section also incorporates publishing and transmission of pictures of such private parts with a two year imprisonment term. Since a similar provision is already available under Section 67, there appears to be an overlap if we consider that the picture of the private parts of an individual constitutes "Obscenity".
The difference between Section 67 of ITAA 2006 and 502A of IPC (2006) is, however, the "Capturing" of the picture, which becomes an offence even before it is transmitted or published. This could be a good deterrent for some of the offences which have been observed in recent times using mobile phones to take indecent pictures.
Impersonation and Identity Theft
Digital Impersonation and Identity Theft have been sought to be covered through amendments to IPC rather than to ITA-2000. Accordingly, sections 417A and 419A of IPC have been introduced. Identity theft including password theft and electronic forgery is covered under 417A. Impersonation using computer resource is covered under 419A.
The amendments add to the clarification though there had already been a conviction for electronic forgery in the Suhas Katti case in Chennai and one could argue that all offences of IPC automatically apply even when the offence is committed with the use of electronic documents.
One of the sections suggested in ITAA 2005 was the section 80A which had made a mockery of the compounding principle since it neither made the victim a party to the compounding arrangement nor respected a Court in which trial was already in progress.
Now under Section 77A of ITAA 2006 at least the aggrieved person is made a party to the compounding process. Some more clarifications are required on the process of Compounding including the role of Courts in the process. Perhaps this may come in the form of rules or a notification.
Cognizability of the Offences
ITA-2000 had not made any attempt to define cognizability of offences. It had directly stated when Police would have powers of arrest and seizure without warrant.
As a result there was a doubt about when law enforcement could step in and when Police could arrest without warrant etc. From a detailed analysis of the various provisions it was considered that all offences under ITA 2000 provided powers to the Police to arrest without warrant in a public place. At the same time no powers were available to the Police for arrest or search and seizure in non public places in respect of any of the offences under ITA-2000.
Now there is more clarity in this respect. Some amendments to CrPC address the offences brought in through the amendments to IPC such as sections 417A, 419A, 502A.
Under Section 77B, no Court can take cognizance of offences under 66, 66A, 72 and 72A except with a complaint from the aggrieved. In other words, suo motu action by the Police in respect of community crimes such as Virus, Spam etc. is not feasible.
The removal of Section 80 of ITA 2000 leaves a void as to the defining of powers of Police regarding arrest without warrant. The inference that can be drawn is that the Police have no powers of arrest without warrant in any offence under ITAA-2006. The alternate interpretation is that, since under CrPC offences with imprisonment of more than 3 years are cognizable, such offences under ITA 2006 will also confer similar powers.
Under Section 78 of ITAA 2006, the powers of investigation still remain with the DySPs, but this provision has been restricted only to Cognizable offences under ITA 2006 (with more than 3 year imprisonment). Also it has been suggested that a register be maintained in every Police station where a reported case can be entered. The section also states that in such cases any Police officer receiving such information may exercise the same powers in respect of investigation (except the power to arrest without warrant) as an officer in charge of the police station may exercise in a cognizable case under section 156 of the Code of Criminal Procedure, 1973. This means that almost any officer in charge of a Police station can conduct investigations of ITAA 2006 crimes except exercising powers of arrest. Section 78 therefore has little meaning. State Governments also need to rethink the setting up of Cyber Crime Police Stations.
The provisions suggested are silent on the powers of arrest without warrant in respect of Sections 65, 66, 66A, 67, 68, 69, 70, 71, 72, 72A, 73 and 74. By default the three year rule applicable under CrPC for other Acts may be considered applicable. However, since in most of the cases under ITAA 2006 the imprisonment term is only 2 years, the cases where the Police can cause arrest without warrant are limited.
Since no provision has been made even for seizure without warrant, Police will be handicapped in conducting investigations since the accused/criminal will have sufficient time for erasing of evidence before the Police can obtain necessary warrants. Time will tell how adversely this would affect the cyber crime investigations.
Overall the provisions regarding Cyber Crimes in ITAA 2006 can be termed as an improvement over ITAA 2005. Though some drafting improvements can be seen over ITA-2000, the functional effect of the ITA 2000 as a Crime deterrent has been reduced. This is a victory for Cyber Criminals since they can now work without the fear of immediate arrest or seizure of Computers.
The fact that Police are being rendered less effective in dealing with Cyber Crimes is a matter of concern in an environment of increasing Cyber Crimes. In this respect India will be sailing against the winds compared to International trends which favour tightening laws.
December 29, 2006
Comments are Welcome
Intermediary Protection..Reduced Responsibilities