India has been amongst the first 15 countries in the world, which have enacted laws for Cyber transactions. Hence, except for the model law of UNCITRAL, there were no reliable case laws or experiences in other countries as guidance for drafting the Cyber Laws. The Cyber Law domain is also a little more complex than other laws since the activities to be regulated by law are technology dependent, which keeps changing continuously. Consequently, difficulties were expected in framing a good piece of legislation in this respect.

On the other hand, being the first legislation in the Internet domain in India, the Act presented an opportunity for creating a model Cyber Society which would fulfill the dreams of the country to move towards being a global super power in IT.

This note records some observations on the provisions of the Act which require attention when the "Rules" under the Act are formed, so that the law may be amenable for Effective Enforcement. 

Basis for Effective Enforcement: 

Effective Enforcement of any law requires three distinct requirements namely,

• Maximisation of Voluntary Compliance by the Society
• Clear Definition of roles for Enforcement Agencies.
• Display of Vision for accommodating future changes.

If not, 

An Opportunity to Change the Image:

In India, the law enforcement authorities carry the legacy of a pre-independent image and are mostly defending the laws of the country originally formulated in the pre-independent days, for the society that prevailed at that time.

Cyber Laws now present a new opportunity for the "Cyber Law Enforcement Agencies" to break out of the past image and try to redefine their role in the society. The ever-eluding goal of making citizens consider "Policeman" as a "welcome friend" rather than a "dreaded foe" can atleast be attempted in the Netizen community if the Cyber Law enforcement is handled properly.

Since the "Rules" are still in the formative stage, the enforcement agencies can interact with the agencies drafting the detailed regulations and ensure that the final version of the law minimises the systemic barriers to effective enforcement that otherwise may find their way to the system.

It is with this objective that the enclosed observations about the Information Technology Act-2000 (ITA-2000) are presented.
 

1.Ambiguity of Police Jurisdiction

ITA-2000 describes the consequences of contravention of law under the two chapters namely Chapter IX (Penalties and Adjudication) and Chapter XI (Offences). 

This division into two categories of violations gives room for an interpretation that the contravention of Ch IX provisions are to be treated differentially by the enforcement authorities from those of Ch XI.

Sec 78 and 80 define the Powers of the Police Officers to "Investigate" and "Arrest" under the Act, overriding the Code of Criminal Procedure. The overriding effect is further confirmed by Sec 81. 

Will these three sections be therefore construed as defining the " Powers of the Police Authorities under the Act in totality"? 

Is the use of the word "Offences" in Sec 80 is deliberate and meant to restrict the Powers of the Police only to Ch XI? 

Or

Can the Police imply other powers outside the ITA-2000 for dealing with offences under the ITA-2000?

…are issues, which need clarification.

It is therefore unclear whether the Police have a right to arrest a person or investigate contravention falling under Ch IX. This would be even more doubtful in case of a "Preventive operation", without a complaint from any Netizen or a request from an Adjudicating Officer (AO) or a Presiding officer of the Cyber Regulations Appellate tribunal. (CRAT). 

This raises the fundamental question of whether the Police system exists only to assist the judiciary when invited or to protect the society in general by taking appropriate preventive steps. 

If the Law and Practice is clear in this respect for violations of any other Law of the land, ITA-2000 seems to have introduced an unwanted controversy.

The enforcement agencies would also face problems in booking foreign nationals residing outside India, punishable under the Act especially when the Cyber Laws of their country are in conflict with that of India. (Ex: Obscenity).

2.Ambiguity of Court’s Jurisdiction

A controversy on the jurisdiction of the Courts in cases involving Electronic documents can also arise due to Sec 61 and Sec 77. While Sec 77 implies that a person can be tried under other laws even after having been convicted under the ITA-2000, Sec 61 categorically states that no Court will have jurisdiction to entertain any suit or proceeding in respect of any matter which the AO or CRAT is empowered to determine. 

Sec 61 read with Sec 81, implies that wherever the contravention of Law falls under ITA-2000, the case has to be tried only under the ITA-2000 and not otherwise. Since these offences include those which are punishable under normal law (Ex: fraud, cheating) committed by means of Network Intrusion or use of electronic documents, many of the cases which are booked under the normal courts may have to be shifted to the AO, if in the course of the proceedings, either the plaintiff or the defendant produces any electronic document as evidence. In cases when the offence is committed partly by the use of paper documents and partly by electronic documents, the rights of the AO may prevail because of the Sec 81. 

There is nothing in the Act to say that the jurisdiction of a normal court is restored after the remedies under the ITA-2000 are exhausted. Sec 77 is therefore ambiguous.

3. Inconsistent and Disproportionate Punishments:

Chapter IX covers "Network Abuse" which includes Cyber trespass, Cyber theft, Cyber vandalism, Cyber gherao (Denial of Access attack) and Cyber conspiracy etc. This is nothing different from "Hacking". Section 66, which defines "Hacking", is therefore superfluous. On the other hand, this specific definition creates an artificial distinction between "Hacking" and "Network Abuses" listed under Sec 44, which have been relegated to an inferior status.

All violations under Sec 44 are punishable only with a liability to pay damages by way of compensation (not exceeding Rs 1 crore) to the person affected.

On the otherhand, "Hacking" is punishable with imprisonment upto three years and/or fine upto Rs 2 lakhs. In as much as Sec 44 also covers Cyber impersonation and Fraud, besides introduction of Virus, it is not clear why such bigger offences are to be punishable only with a fine and not imprisonment. 

Similarly, publishing, transmitting and causing to be published, obscene material is punishable (Sec 67) with an imprisonment upto 5 years and/or fine of Rs 1 lakh at the first conviction. This may be doubled for a second conviction. Thus the maximum imprisonment term of 10 years has been indicated for this offence on par with the punishment for "Accessing or attempting to access a-Protected system" (Sec 70). 

This punishment is excessive and is inconsistent with far lighter punishments suggested for many other offences mentioned above. The definition of "Obscenity" itself is subjective and this excessive punishment option could result in the harassment of marginal offenders who donot deserve to be treated like a criminal needing 10 years of imprisonment. 

By what stretch of imagination can one consider a transmitter of obscene material (say an e-mail containing an objectionable photograph) be considered as deserving a punishment higher than those who indulge in fraud, misrepresentation, vandalism, virus contamination, disruption of economic activity, etc… only those who framed these provisions can explain.

The Act also prescribes exorbitant fines for administrative delays such as delayed submission of returns (Rs 5,000 per day) and failure to maintain accounts (Rs 10,000 per day) which have no connotation of criminal intent. In fact 20 days delay in maintenance of accounts is considered as bad as "Hacking" going by the penalty imposed. No businessman would consider this fair and just.

4.Powers to "Other Officers": 

According to Sec 80, any officer of the Central Government or the State Government authorised by the Central Government may exercise the powers of "Arresting without Warrants", on par with the powers of the Deputy Superintendent of Police.

The act is not clear whether this power can be given only to a person of a certain rank in the Central/State Government and if so under what circumstances and by whom and with what covenants. It is also not clear if this power can be exercised by a Secretary or his deputy in the Ministry of Information and Technology Or it will be delegated to the Controller. No safeguards have been mentioned in the Act to prevent wrongful grant of the Powers.

5. Lack of Accountability:

The ITA 2000 (Sec 84) provides immunity to the Central Government, State Government, Controller, any person acting on his behalf, Adjudicating Officer, The CRAT and his staff against any legal action for any thing done or intended to be done in good faith. 

Further, the Controller, Deputy and Assistant Controllers, and CRAT will be "Deemed Public Servants" under the Indian Penal Code. 

Because of these provisions, it is not clear whether the regulators of Cyber Law are at all accountable and whether they come under the provisions of the CVC.

In these days when even the Prime Minister of the Country is prepared to be held accountable for corruption, the need to protect the officials- all and sundry involved in the administration of the ITA-2000 appears to be a retrograde measure. This is not conducive to maintenance of efficiency that needs to be maintained by the regulators.

This is also in contrast with Sec 85 and Sec 79 where the officials of a Company or an ISP can be prima-facie held responsible for the offences committed by the Company or any Customer of the ISP respectively.

Under sec 64, there is a provision to recover penalties imposed under the Act as arrear of land revenue. A clarification is required as to whether this provision is restricted to recovery of Government dues only or whether it applies to any other person as well. 

6. Threatening Discretion:

The ITA-2000 bestows enormous discretion on the Adjudicating officers and CRAT. These extend to financial penalties upto Rs 1 crore and Imprisonment upto a term of 10 years. These officers are likely to sit in judgement of difficult technical interpretations and are liable to make mistakes. The Act has no safeguard built-in to monitor such situations and provide remedy to the affected persons except through the continuation of the legal proceedings in the High Court.

While the litigants need expert counsel to handle their cases efficiently under such threatening circumstances, Sec 59 of the Act restricts the right of representation during the proceedings before the AO or CRAT to a legal practitioner. This restriction presently applies only to non-corporate litigants since the Companies may be represented through their officials who may not be legal practitioners.

7. Lack of Conviction:

The Government has displayed lack of conviction in the objectives of the Act by specially stating under Sec 9 that the earlier Sections 6,7, and 8 cannot confer any right to insist that any Ministry or Department of the Central Government, State Government, or any authority or body established by or any law or controlled or funded by the Central or State Government should use electronic documents in its dealings with the Citizens.

8.Tendency for Over regulation:

The section 18 of the ITA-2000 virtually makes the Controller the Board of Directors of a Certifying Authority by giving powers to specify what products the Company should deal in and at what price, with what communication for promotion. He can also determine how the accounts are to be kept and how the customer relations are to be handled. This is ridiculous in this era of liberalisation and management freedom even for Public Sector companies. It is also undemocratic to expect a commercial organisation such as the Certifying Authority to be directed by the Controller regarding revenue issues and day to day management. 

9. Need for Attention to Details

Sec 65 of the Act imposes a responsibility for the software professionals to preserve computer source codes where required by Law and threatens imprisonment of upto 3 years if not complied with. The Act has not however not bothered to state the expectations of the Law in this regard.

Similarly Sec 14 talks of a "Security procedure" to be applied for a document without explaining properly what the "Security Procedure" means.

10. Certification Authorities and Issue of Digital Certificates:

The provisons of Sec 35, Sec 32 and Sec 19 indicate that sufficient care has not been taken in the drafting of the Act and the realities of the Virtual World have not been properly visulalised.

Sec 35 dealing with the application for a Digital Certificate by a Netizen to a Certifying Authority requires submission of a "Certification Practice Statement" which is actually relevant for an application of a prospective "Certifying Authority" applying to the Controller for license. This is a drafting error, which has gone unnoticed so far.
 

Sec 32 makes it mandatory for every Certifying Authority to "Display its license" in its premises as if the public who contact the company would visit the office of the Certifying Authority. It would have been more relevant if it had been prescribed that the copy of the license should be available as a hyper link from the Web site used by the Certifying Authority since most of its dealings with the public would be through the Net.

Sec 19 makes it mandatory for foreign certifying authorities to compulsorily register themselves with the Controller without which their certificates would not be valid under the Indian law. This coupled with Sec 32 implies that, for Digital Certificates issued by any Foreign Certifying Authority to be recognized, such an entity has to open an office in India, obtain and display the license in its office. (It is presumed that it would not be sufficient if the license is displayed in the foreign office of the Certifying Authority if it doesnot have an office in India). In the absence of automatic cross certification therefore, no Indian can enter into E-Contract with a holder of a Digital Certificate if the issuer has not obtained a license in India. This will lead to confusion amongst the Netizens and legal complications, which would be detrimental to the interests of Indian Netizens.

There are perhaps several more areas where the ITA-2000 leaves scope for unnecessary confusion amongst the Netizens and the Industry players. If this were not addressed immediately, the ITA-2000 would remain a controversial Act forever putting hurdles and breaks on the growth of E-Commerce and India’s march towards IT leadership.