Cyber Cafe Regulation.. Some thoughts after ITA 2008
After the passage of the Information Technology Amendment Act 2008 the amended Information Technology Act 2000 (ITA-2008) has
substantially changed the Cyber Cafe
regulatory scenario in India. In the past, it was the State Governments who took the
initiative as part of the e-Governance measure to manage the law and order
situation in their respective jurisdictions and passed Cyber Cafe
regulations as either a notification under Section 90 of ITA 2000 or under
the Police Act of the respective state. These laws mainly indicated that
the Cyber Cafe owner should maintain a visitor's register and check a photo
ID of the user to ensure the identity of the users. Some regulations
required registration of Cyber Cafes with the Police. Some required
periodical statements to be filed with the Police.
However, the experience of the previous years suggest that the regulations
were largely in effective. Most of the Cyber Cafes are managed through the
day by attenders who have little technical knowledge or responsibility and
criminals could easily misuse the facilities for sending threatening
e-mails or planting key loggers, spreading obscene information etc.
With the passage of ITA 2008, some of the responsibilities on Cyber Cafe
regulations pass on to the Central Government. For example, the definition
of Cyber Cafe is now available in the main Act. The Act also defines Cyber
Cafe as an intermediary and imposes responsibilities for
a) Data retention as specified (Section 67C)
b) Implementing interception instructions from the Government if any (Sec
c) Implementing instructions for blocking of websites if any (Sec 69A)
d) Retention of traffic data for specified period (Section 69 B)
Additionally, Cyber Cafes being considered as liable for "Assistance" or
"Abetment" under various other sections when offences are committed under
the Act cannot be ruled out.
Though Section 79 provides for protection, it requires that Cyber Cafes
need to follow "Due Diligence".
Most Cyber Cafe owners lack formal education in the Computer field and more
so in Cyber Laws and are therefore unable to take suitable steps as may be
expected of them under the Act unless they are provided proper guidelines.
In order to generate an action plan to ensure that Cyber Cafes are properly
regulated in their own interest as well as in the interest of Cyber
Security, an action plan on the following lines is suggested for
consideration of the Central and State Governments. These are meant
for further debate and refinement as may be required.
A Suggested Plan of Action for Cyber Cafe Regulation
1. One of the essential aspects of regulation is to know who is to be
regulated. This requires a "Registration System" for Cyber Cafes however
simple it can be. Compulsory registration and possible
de-registration as a means of punishing non compliance of regulations is an
essential part of implementation of the regulations, however inconvenient
it may appear for the industry. In order to develop a regulatory framework,
I suggest a framework similar to the Data Protection Framework under Data
Protection Act of UK.
Under this system there would be a need for "National Cyber Cafe Regulatory
Authority" supported by "State Cyber Cafe Regulatory Authority" (SCFRA) in
each states. Even in the absence of the National Cyber Cafe Regulatory
authority (The Indian Computer Emergency Team can be entrusted with this
responsibility if required) the State Governments are suggested to set up
such a regulatory office.
SCFRA will be the nodal agency in each state to ensure appropriate
regulation of Cyber Cafes.
2. One of the principle duties of the SCFRA would be to set up a Cyber Cafe
registration norm. This includes the minimum qualification of the
Cyber Cafe owner, the mandatory security precautions that he needs to take
3. It may be made mandatory that every Cyber Cafe in the State must be
registered or otherwise it cannot function. A provisional
registration should be allowed on line with a nominal fee or without a fee. A period of 3
months can be provided for transition from provisional registration
to confirmed registration before which, the Cyber Cafe has to satisfy
completion of norms required for a secure Cyber Cafe. If the Cyber cafe
fails to upgrade its registration, extension may be given upto 3 quarters
and the Cyber Cafe may be made to pay a certain "Non Compliance Tax" each
quarter until the norms are completed.
4. The minimum qualification for Cyber Cafe owners should be SSLC and the
owner should compulsorily under go an appropriate Cyber Cafe Regulation
training. The training should cover the legal aspects in ITA 2008 and on
successful completion, provide a certificate to the Cyber Cafe owner which
should be mandatorily displayed in the Cyber Cafe and also renewed after
every 3 years.
5.Every Cyber Cafe should install a Camera which should record the visitors
entering and leaving the premises and archive the information with a time
record on the video. This should be made available for inspection by the
authorities when required.
6. Every Cyber Cafe should introduce a biometric attendance system where
the user punches his finger in the device which should generate a session
password along with the allocation of the computer to the visitor. The
visitor will use the computer with the specified session password. The
system should record the session particulars along with the session
password and the biometric capture and archived for records. In the event
the expenses of the biometric device becomes a barrier, a barcode based ID
card should be issued to all visitors and the photograph of the visitor
should be included in the ID card. The details can be stored as membership
record. The sessions would be recorded and archived as
suggested earlier in the biometric based attendance system.
7. Cyber Cafes shall be required to install remote network monitoring
systems which enable the Cyber Cafe monitoring authority when required
utilize the access rights to provide a Police intelligence unit to monitor
the activities of the users of the cyber cafe. To analyse such data,
suitable monitoring software which can filter the data with appropriate
software is to be acquired by the Police intelligence.
It is suggested that the power to intercept and monitor Cyber Cafes shall
be vested with the State Cyber Cafe Regulatory authority and such powers
shall be drawn under Section 69 of ITA 2008.
Though this suggestion appears drastic, it is envisaged as a measure to be
used only in exceptional circumstances and hence the powers are suggested
to be vested with the State Cyber Cafe Regulatory Authority and not the
Police. To provide further safeguard, the State Cyber Cafe Regulatory
Authority can even be conceived as a multi member board with members from
NGOs and noted public personalities.
It may be remembered that in many advanced countries such as USA, UK and
Australia, have made arrangements for surveillance of Internet data passing
through their countries. This is considered as an essential measure to
monitor Cyber Terrorism activities.
The above suggestions are presented as a draft for further public debate
and implemented either fully or in parts as may be considered necessary.
February 24, 2009