Cyber Cafes under ITA 2008
[P.S.: Most of the discussion in this article also applies
to Internet and Mobile Service Providers as well as web service
agencies.]
Cyber Cafes continued to attract attention during this week with several
mails sent from a Cyber Cafe threatening terrorist attacks on some of
Bangalore's IT companies. In the past also there have been many instances
where Cyber Cafes have been used either for real or false terrorist
communication. Several Cyber Crimes including stealing of bank passwords
and subsequent fraudulent withdrawal of money have also happened through
Cyber Cafes. Cyber Cafes have also been used regularly for sending of
obscene mails to harass people. In view of these, Cyber Cafes have been
considered as one of the key intermediaries which need to be regulated. In
order to regulate Cyber Cafes, several States had passed regulations, some
under ITA 2000 and some under the State Police Act.
Now, the Information Technology Amendment Act 2008 has made many
significant changes in the prevailing laws of cyber space applicable in
India, one of which is regarding Cyber Cafes.
ITA 2000 had not defined Cyber Cafes and one had to interpret them as
"Network Service Providers" referred to under the erstwhile Section
79 which imposed on them a responsibility for "Due Diligence" failing
which they would be liable for the offences committed in their network. The
concept of "Due Diligence" was interpreted from the various provisions in
Cyber Cafe regulations where available or under the normal responsibilities
expected from network service providers. The undersigned had also drawn up
"CyLawCom" guidelines for Cyber Cafes to enable them to pass the benchmark
test of due diligence and suggested a CyLawCom audit and certification for
them.
The New Act (to be effective after notification) after amendments, which we
refer to as ITA 2008, has however provided a specific definition for the term
"Cyber Cafe" and also included them under the term "Intermediaries".
Several aspects of the act therefore become applicable to Cyber Cafes and
there is a need to take a fresh look at what Cyber Cafes are expected to do
for Cyber Law Compliance.
Firstly, according to Section 2(na) of ITA 2008,
"Cyber cafe" means any
facility from where access to the internet is offered by any person in
the ordinary course of business to the members of the public.
This definition is an improvement on what was earlier proposed by the
Expert Committee and the first draft of ITAA 2006 which had several
anomalies.
This definition may however conflict with the definitions given under the
current regulations passed by various States.
For example, the Karnataka regulations for Cyber Cafes define a Cyber Cafe
as:
"Any premises where the Cyber Cafe Owner/Network Service Provider provides
the computer services including internet access to the public"
According to TN regulations, a "Browsing Center" means and includes
"any establishment by what so ever name called where the general public
have an access to Internet in any of its forms, protocols either on payment
or free of charges for any purpose including recreation or amusement"
It also says: "a browsing center shall be deemed to be a public place as
defined under Sec-3 of Tamil Nadu City Police 1888"
In the Karnataka definition, any "Network Service Provider" providing
"Computer Services" may be called a "Cyber Cafe". In the TN definition,
any kiosk in, say, an airport or a railway station where free Internet access
is given to the public may also qualify as a Cyber Cafe.
The TN rules require registration of Cyber Cafes and both impose
responsibilities such as maintenance of visitor's register, verification of
photo ID etc.
The Karnataka regulation was notified under Section 90 of ITA 2000 while
the TN act was notified under the State Police Act. Now that ITA 2000 has
been amended, the provisions under the Karnataka Cyber Cafe regulation may have
to be considered infructuous, while there may be a question mark on the
validity of the TN regulations. Mumbai, Maharashtra and Gujarat, which also have
some state level regulations, may also be in a state similar to that of TN.
Section 2(w) of ITA 2008 further states that the definition of
"Intermediaries" includes "Cyber Cafes". The regulations for Intermediaries
therefore apply to Cyber Cafes after ITA 2008 becomes effective.
As per Section 67(C) of ITA 2008,
(1) Intermediary shall preserve
and retain such information as may be specified for such duration and in
such manner and format as the Central Government may prescribe.
(2) Any intermediary
who intentionally or knowingly contravenes the provisions of sub section
(1) shall be punished with an imprisonment for a term which may extend to
three years and shall also be liable to fine.
Thus the responsibility of Cyber Cafes has now
been clearly defined, with contravention punishable by imprisonment of up to
three years. The offence is also cognizable, bailable and compoundable.
Additionally, three important sections have
been added to the present Act according to which the Government has the
powers to intercept, monitor, block, and collect traffic data. These
sections impose certain responsibilities on the intermediaries and make non
compliance punishable. These regulations also apply to Cyber Cafes.
For example, under Section 69 (modified
version),
(1) Where the central
Government or a State Government or any of its officer specially
authorized by the Central Government or the State Government, as the case
may be, in this behalf may, if satisfied that it is necessary or
expedient to do in the interest of the sovereignty or integrity of India,
defense of India, security of the State, friendly relations with foreign
States or public order or for preventing incitement to the commission
of any cognizable offence relating to above or for investigation of
any offence, it may, subject to the provisions of sub-section (2), for
reasons to be recorded in writing, by order, direct any agency of the
appropriate Government to intercept, monitor or decrypt or cause
to be intercepted or monitored or decrypted any information transmitted
received or stored through any computer resource.
(2) The Procedure and
safeguards subject to which such interception or monitoring or decryption
may be carried out, shall be such as may be prescribed
(3) The subscriber or
intermediary or any person in charge of the computer resource shall, when
called upon by any agency which has been directed under sub section (1),
extend all facilities and technical assistance to -
(a) provide access to or
secure access to the computer resource generating, transmitting,
receiving or storing such information; or
(b) intercept or monitor or
decrypt the information, as the case may be; or
(c) provide
information stored in computer resource.
(4) The subscriber
or intermediary or any person who fails to assist the agency referred
to in sub-section (3) shall be punished with an imprisonment for a term
which may extend to seven years and shall also be liable to
fine.
The important points to be noted in this
section, as well as in the two other Sections 69A and 69B quoted below, are:
a) These powers are available to both the
Central and State Governments who can specially authorize an officer for
the purpose.
b) It can be invoked even for preventing
incitement to the commission of any cognizable offence. It is debatable
whether the term "Cognizable offence" has to be restricted to ITA 2008
only or can be extended to IPC or other laws as well.
c) Government shall prescribe necessary
safeguards to be followed by Intermediaries.
d) The powers include demanding of
information stored in a computer.
e) Non compliance may result in a stiff
penalty of imprisonment up to 7 years.
Under Section 69 A,
(1) Where the
Central Government or any of its officer specially authorized by it in
this behalf is satisfied that it is necessary or expedient so to do in
the interest of sovereignty and integrity of India, defense of India,
security of the State, friendly relations with foreign states or public
order or for preventing incitement to the commission of any cognizable
offence relating to above, it may subject to the provisions of
sub-sections (2) for reasons to be recorded in writing, by order direct
any agency of the Government or intermediary to block access by the
public or cause to be blocked for access by public any information
generated, transmitted, received, stored or hosted in any computer
resource.
(2) The procedure
and safeguards subject to which such blocking for access by the public
may be carried out shall be such as may be prescribed.
(3) The intermediary
who fails to comply with the direction issued under sub-section (1)
shall be punished with an imprisonment for a term which may extend to
seven years and also be liable to fine.
This section provides for blocking of websites
in any case where prevention of a cognizable offence is involved. This can
take care of blocking of websites which may host pornographic content, which
is an offence under Sections 67, 67A and 67B of ITA 2008.
Under Section 69 B, the Government now will
have powers to collect "Traffic data" and also seek online access to
information in the hands of an intermediary. The section provides,
(1) The Central Government
may, to enhance Cyber Security and for identification, analysis and
prevention of any intrusion or spread of computer contaminant in
the country, by notification in the official Gazette, authorize any
agency of the Government to monitor and collect traffic data or
information generated, transmitted, received or stored in any computer
resource.
(2) The Intermediary
or any person in-charge of the Computer resource shall when called upon
by the agency which has been authorized under sub-section (1), provide
technical assistance and extend all facilities to such agency to
enable online access or to secure and provide online access to the
computer resource generating , transmitting, receiving or storing such
traffic data or information.
(3) The procedure and
safeguards for monitoring and collecting traffic data or information,
shall be such as may be prescribed.
(4) Any intermediary who
intentionally or knowingly contravenes the provisions of sub-section
(2) shall be punished with an imprisonment for a term which may extend
to three years and shall also be liable to fine.
Explanation: For the purposes
of this section,
(i) "Computer
Contaminant" shall have the meaning assigned to it in section 43
(ii) "traffic
data" means any data identifying or purporting to identify any
person, computer system or computer network or location to or from
which the communication is or may be transmitted and includes
communications origin, destination, route, time, date, size, duration
or type of underlying service or any other information.
Under this section, Government can force Cyber
Cafes to follow safeguards specified and also demand online access if
required.
Sections 69, 69A and 69B specifically vest
the powers in an agency to be designated. They have deliberately avoided the
use of the term "Police". The legislative intent therefore indicates
that the Police need not be the agency to exercise the powers under these
sections.
There is of course a serious concern in the
public that the powers under these sections may be misused. Naavi.org
has been suggesting that we need to set up an agency called "Netizen's
Rights Commission" on the lines of the Human Rights Commission which can
have the powers to receive the complaints, investigate and recommend
prosecution of abuse of the powers under Sections 69, 69A and 69B.
In the event any State Government would like
to assume powers under these sections and also provide the benefits of the
powers to the Police, it would be advisable for the State Government to set
up a "State Netizen's Rights Commission" and subject the Police to the
scrutiny of the commission or set up a separate non-police agency such as a
"State Cyber Security Authority" and then vest the powers in such an
authority.
In the meantime, if the Central Government
also notifies an agency for the purpose of exercising the authority under
Sections 69, 69A and 69B and provides it with pan national jurisdiction,
then there may be a conflict of jurisdiction such as what we today have
between the State Police and the CBI.
There is an expectation that the Indian
Computer Emergency Team referred to under Section 70 B of ITA 2008 may
itself be designated as the agency of the Central Government with a
national jurisdiction, and that CERT-In, the present division of MCIT, may
itself be stepping into the shoes of the Indian Computer Emergency Team.
Considering that there are thousands of Cyber
Cafes all over India, in the event a Central agency takes up the
responsibility for monitoring Cyber Cafes, there may be a need for an "All
India Cyber Cafe Monitoring Authority" exclusively to meet the requirements
of Cyber Cafe regulations.
Last but not the least, Cyber Cafes must
now be more vigilant than ever about security breaches, since the protection
they could claim under Section 79 has been largely made irrelevant: Section 79
(2) (C) makes the protection subject to following of "Due Diligence".
With the security practices to be notified
under Sections 69, 69A and 69B, the requirement of "Due Diligence" would
be satisfied only if these security practices are maintained. It would
therefore be necessary for Cyber Cafes to undergo a Cyber Law Compliance
Audit for fulfilling the specific requirements under these sections. In the
event Government does not come out with any security practices guidelines
for Cyber Cafes, then also the due-diligence requirements have to take into
account the expectations under these sections. Either way there is a tough
road ahead for Cyber Cafes.
At the same time the Police at the State level
would be looking for clarification on whether they have the authority under
Sections 69, 69A and 69B to regulate the Cyber Cafes. They however continue
to enjoy some powers under Section 80 with which they can still try to
regulate Cyber Cafes.
Let's wait for the notification of rules to
understand where Cyber Cafe Regulation is heading.
[Naavi.org welcomes suggestions in this regard
through e-mail]
Naavi
January 07, 2009