Let's Build a Responsible Cyber Society

You be the judge.... amendments to ITA-2000..  "Tightening of the Laws" or "Criminal Friendly"..

During the last week, there have been umpteen number of press reports and blog reports in India and abroad that India is "Tightening its Cyber Laws", "Data Theft will now have stringent punishment" etc.  These reports were based on a PIB press release which the media  reproduced blindly.

The impression created is that there are many positive changes being made to ITA-2000 to make it more effective in the background of the series of BPO frauds that have been reported in the country.

Nasscom which is the premier Industry representative has also officially welcomed the changes.

The proposal itself has been made by the Ministry of Communication and Information Technology (MCIT) and the basis for change is the "Expert Committee" report of which the past Secretary of the MCIT was the chairman.

With such an impeccable background to the news report,  Naavi.org has become the rare minority which has tried to clarify that if what we are talking are the amendments proposed by the "Expert Committee" which gave its report in 2005, the Government of India is committing a fraud on the public by calling the amendments "Beneficial to the community". The entire media is making a fool of itself by believing the Government propaganda and carrying reports under individual journalist's byline towing the Government line.

It is our duty therefore to place before the public our views about  the proposed amendments so that a more informed debate can happen.

Opposing the amendments could mean displeasing MCIT and Nasscom and many professionals are therefore hesitating to come up with their real views. At this point of time a true professional is required to stand up to the cause and come up with his reasoned analysis of the proposed amendments. Otherwise we will all be responsible for a bad legislation.

I hope that this Diwali, the festival of lights would remove the darkness surrounding the Cyber Law Awareness in our country and bring better understanding of the needs of the Digital Society.

A detailed presentation was made on the expert committee's report last year and the series of articles written at that time are available here. A Copy of the amendments is also available there in. The present article is a summary of the most important aspects of the proposed changes.

I would admit that the Cabinet Committee and the Parliament can make changes to the Expert Committee's report and I wish they do. However, at this point of time, in the absence of any confirmation of major changes, my comments are based on the Expert Committee's report which I have called some times as "Fraud on the Public", "Criminal Friendly", "Turning a Tiger into a Pussycat"..etc. I will be happy if my comments become redundant because of the changes that the Parliament can make to the proposal before it is passed.

I would like readers to pass on this copy of the article to as many of the MPs and Journalists as you can.

Naavi

October 21, 2006

Let us now look at some of the key sections which the proposed amendments recommend to introduce.

43 (2) If any body corporate, that owns or handles sensitive personal data or information in a computer resource that it owns or operates, is found to have been negligent in implementing and maintaining reasonable security practices and procedures, it shall be liable to pay damages by way of compensation not exceeding Rs. 1 crore to the person so affected.

This section is hailed by some reporters as a measure for providing for "Data Protection" in BPOs which people say was not available earlier.

However, it must be noted that the present provisions had already prescribed "Corporate Liability" under Section 85 and "Network Service Provider's Liability" under Section 79 both of which prescribed "Due Diligence" to be practiced by the companies and individuals.

 

While the new section prescribes a "Checklist" approach which is likely to become obsolete within a short time of prescription, the earlier provision gave an approach which could evolve with time and technology. The new provision is therefore not an improvement of the present provision. It is an unintelligent and inefficient way of making the industry lose creativity and continuously upgrade the security measures.

Secondly, this section restricts the responsibilities to "Body Corporates" and not others.

Further, this section should be considered as a prescription of liability of a BPO and not for preventing frauds such as the Karan Bahree/HSBC/Summit HR/Acme Telepower Ltd. In comparision similar protection was available under the earlier provisions under the combined effect of Section 66 and Section 43 . They also provided the protection for data owners against the above kinds of frauds while the new sections 66 and 79 make it almost impossible for such frauds to be convicted.

One more aspect of the new section 43(2) is that it would be annulled by the new section 79 and hence is of little relevance.

It is not therefore proper to quote the new Section 43(2) as a solution for data theft. The net protection to data owners therefore stands reduced by the new provisions.

66 Computer related offenses:

 a)     If any person, dishonestly or fraudulently,  without permission of the owner or of any other person who is in charge of a computer resource

(i)                             accesses or secures access to such computer resource;

(ii)                            downloads, copies or extracts any data, computer data base or information from such computer resource including information or data held or stored in any removable storage medium;

(iii)                         denies or causes the denial of access to any person authorised to access any computer resource;

he shall be punishable with imprisonment upto one year or a fine which may extend up to two lacs or with both;

 (b) If any person, dishonestly or fraudulently,  without permission of the owner or of any other person who is in charge of a computer resource

(i)                             introduces or causes to be introduced any computer contaminant or computer virus into any computer resource;

(ii)                           disrupts or causes disruption or impairment of electronic resource;

(iii)                         charges the services availed of by a person to the account of another person by tampering with or manipulating any computer resource;

(iv)                          provides any assistance to any person to facilitate access to a computer resource in contravention of the provisions of this Act, rules or regulations made thereunder;

(v)                            damages or causes to be damaged any computer resource, date, computer databse, or other programmes residing in such computer resource;

 he shall be punishable with imprisonment upto two years or a fine which may extend up to five lacs or with both;

 Explanation: For the purposes of this section-

 a.       ‘Dishonestly’ – Whoever does anything with the intention of causing wrongful gain to one person, wrongful loss or harm to another person, is said to do this thing dishonestly”.

b.       ‘Fraudulently’ – A person is said to do a thing fraudulently if he does that thing with intent to defraud but not otherwise.

c.       “Without the permission of the owner” shall include access to information that exceeds the level of authorized permission to access.

 One of the biggest blunders of the new provisions is the dilution of the existing section 66. The present provision could cover any "adverse impact on information residing inside a computer" and prescribed 3 years imprisonment. The section was applicable even in case of negligent handling of a computer resource.

The proposed provision  reduces the punishment to 1 and 2 years and will be applicable only in certain cases of offences as listed. More over, unless the accused is proved to have acted "Dishonestly" ,"Fraudulently" and "without permission", the section is not applicable. It also does not cover "Diminishing in the value or utility of information residing inside a computer" and hence is highly restrictive compared to the earlier provision. The earlier provision could be applied to all known and unknown cyber crimes where the information residing inside a computer was adversely affected which was a flexible and useful provision.

Reduction of the scope of the applicability of the section and reduction of the imprisonment term makes a mockery of the claim that the new laws are "Tougher".

67. Publishing  in electronic form of information which is obscene

(1)   Save as provided in this Act under Section 79 which exempts intermediaries from liability in certain cases, whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to  two years and with fine which may extend to  five lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to  five years and also with fine which may extend to ten lakh rupees. 

In this new Section 67, note the subordination of the section to section 79. Obscenity by a "Network Service Provider" which includes portals such as Orkut, will now have the Section 79 immunity. The imprisonment term has been reduced from 5 and 10 years to 2 and 5 years. Women in India therefore will be susceptible to greater abuse.

Section 72(2) Breach of Confidentiality and Privacy

  Save as otherwise provided under this Act, if any intermediary who by virtue of any subscriber availing his services has secured access to any material or other information relating to such subscriber, discloses such information or material to any other person, without the consent of such subscriber and with intent to cause injury to him, such intermediary shall be liable to pay damages by way of compensation not exceeding Rs. 25 lakhs to the subscriber so affected

Note that in this provision the words "with intent to cause injury" has been added so that the information processor ( who allows sensitive personal information to leak, will not be liable unless this "intent" is proved. This is almost n immunity for all portal owners against negligence in handling private information.

79. Exemption from liability of intermediary in certain cases

 1.      An “Intermediary” shall not be liable under any law for the time being in force, for any third party information, data, or link made available by him, except when the intermediary has conspired or abetted in the commission of the unlawful act.

This section exempts "Intermediary" (Which includes portals and all kinds of intermediate information processors) from liability under any law unless conspiracy and abetment is proved. Under the guise of following a check list of security practices  therefore any portal can escape liability. baazee.com kind of cases will therefore not be  offences against the portal owners in future. Now even Orkut may not liable under the "Flag burning" charge.

80A. Compounding of Certain Offenses

 (1) Notwithstanding  any thing contained in the Code of Criminal Procedures, 1973, any offense punishable under this Act  may either before or after the institution of any prosecution be compounded by

(a)   the Controller; or

(b)   the adjudicating officers appointed under section 46, where the maximum amount of fine and/or imprisonment does not exceed such limits as may be specified by the Central Government. 

 on payment or credit to the Central Government of such sum as the Controller or the Adjudicating officer, as the case may be, may specify.

This section indicates the real intention of the amendments.. to take over judicial powers to the executive. Note that under this provision, all offences and contraventions are compoundable. baazee.com or orkut or any other person or body can therefore go to the adjudicating officers , pay a fine and free to roam around. This provision is what makes the amendments a real "fraud on the public".

Additionally, removal of Section 80 means that Police will not have any powers to arrest, search or seize without warrant in any case of offence under the new provisions. While under the present provisions, all offences were cognizable, now none are cognizable.

You be the judge....Are the new provisions are "Tightening of the Laws" or "Criminal Friendly".

[Section Comparision of the Present and Proposed Act]

Send Your Views here

Naavi

October 21, 2006

For More Details, Click Here