ITAA 2006 A Review of the Provisions
ITAA 2006, the Bill to amend ITA 2000 is now available for public information. It is noted that the "Expert Committee's Recommendation" which was the basis for the amendment has been substantially modified. Many of the objectionable aspects of the Bill against which Naavi.org was running a campaign for last more than an year has been removed or suitably altered so that the digital society in India can feel relieved to some extent. We shall discuss the essence of the proposed changes in these columns over the next few weeks. We also invite comments and views from the public on the subject.
December 29 2006
ITAA-2006: Information Technology Amendment Act (Presently in the form of Bill 96 of 2006)
ITA 2000: Information Technology Act 2000 (Present operative Act. 21 of 2000)
ITA 2006: Information Technology Act 2000 (2006 version) after incorporating the proposed amendments
ITAA 2005: Information Technology Act Amendment Act (As proposed by the Expert Committee in 2005)
1. New Approach to Cyber Crime Laws..Sailing against the winds
2. Intermediary Protection..Reduced Responsibilities
One of the characteristics of the ITA-2000 was that it had imposed a responsibility on all IT users including "Intermediaries" to observe "Due Diligence". "Due Diligence" itself is generally understood as a concept which meant a moving standard of precaution required to be taken by a prudent person under similar circumstances.
The baazee.com incident in which the CEO was cornered on this issue of whether the site had followed due diligence or not has influenced the provisions of ITAA 2006 and care has been taken to protect Intermediaries such as baazee.com. This will also benefit isocial networking sites such as orkut.com or any Cyber cafe.
The new section 79 (ITA 2006) states as follows
INTERMEDIARIES NOT TO BE LIABLE IN CERTAIN CASES
79. (1) Notwithstanding anything contained in any other law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link made available by him.
(2) The provisions of sub-section (1) shall apply if—
(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored; or
(b) the intermediary does not—
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission
(3) The provisions of sub-section (1) shall not apply if—
(a) the intermediary has conspired or abetted in the commission of the unlawful act;
(b) upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.
(4) Intermediary shall observe such other guidelines as the Central Government may prescribe in this behalf.
Explanation.—For the purpose of this section, the expression “third party information” means any information dealt with by an intermediary in his capacity as an intermediary.
What this section indicates is that the Intermediary is not liable under any law in the country if the conditions mentioned in sub section (2) and (3) are satisfied. i.e if an intermediary provides information and links to Al-Queda sites, or Anti India propaganda sites, or to pornographic sites even then Intermediary will not be liable as long as a proper notice is served on him and he fails to act there after.
It will therefore be necessary for a public watch dog which sends due notices to Intermediaries whenever any unlawful information is found in any of the websites.
Naavi.org has already indicated its intention that "Digital Society Foundation", an NGO promoted by Naavi will fulfill such a responsibility and collect public complaints and send notices.
However it is necessary for law to impose conditions on Intermediaries to leave correct e-mail and snail mail address on their websites to which notices can be sent.
The definition of Intermediary includes Cyber Cafes and therefore Cyber Cafes are also entitled to the protection available under Section 79 even when one of the users sends a terrorist message from his network.
The Government has however taken a responsibility to provide "Guidelines" that the Intermediaries need to observe and the key to the Government intentions lie here. With this leverage the Government can
a) Mandate Cyber Cafes to insist on photo IDs and maintain visitor's register
b) Mandate ISPs to share information on dynamic IP addresses of its clients online to Public
c) Mandate Mobile Service Providers to maintain IMEI recognition and filtering service
d) Mandate pornography filtering
Intermediary's responsibility in Privacy Protection
Intermediaries particularly portals collect information from public and Section 72A speaks about the liability of the Intermediary in this regard. This section states as follows.
72A. Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to five lakh rupees, or with both.’’
Under this provision, the Intermediary would be liable for breach of confidentiality under two conditions
a) Disclosure with intent to cause wrongful loss or wrongful gain
b) Disclosure knowing that he is likely to cause wrongful loss or wrongful gain
Though "intent to cause" is a suggestion flowing from ITAA 2005 rendering the section nearly infructuous, the saving grace is that the liability arises if the holder of the information had the knowledge that the disclosure of information could cause wrongful harm.
Here again the security guidelines to be provided to Intermediaries would ultimately determine the effectiveness of this clause.
The intentions expressed in ITAA 2005 that Intermediaries should be placed above law has been carried out in ITAA 2006 with great finesse. The effective control on the issue has been taken over from the legislation to the drafting of security guidelines which will be in the hands of executives.
It is expected that the CERT-In will be the nodal agency for all such framing of security guidelines as a follow up of the responsibilities conferred on it under Section 70A. Hopefully CERT-IN would not be a pawn in the hands of vested interests and act in the interest of the community.
However, as long as CERT-IN is a division of MIT, it is not possible to expect the institution to be free from influences that need not have the welfare of the society at heart. We need to think of either converting CERT-In into an "Information Security Authority of India" or create another institution of such nature which will be laid by a committee of the standing of TRAI or the proposed Cyber Appellate Tribunal or the previously envisaged office of the Controller of Certifying Authorities (Before it was reduced to a department of MIT)
December 31, 2006