Netizen's Forum For Credible Cyber Regulations
Co-ordinator: Na.Vijayashankar (email@example.com)
1. Constitution of Cyber Regulations Advisory Committee:
The ITA-2000 had envisaged (Sec 88) that the Government would set up a Cyber Regulations Advisory Committee (CRAC) consisting inter alia of members from the public to advise the Government and the Controller on all aspects of regulations. This was the key aspect of the regulations that could provide the services of industry experts in framing and administering the complications of the "Technology Law".
As per the proposed ITA-2000 rules, the CRAC would consist mainly of secretaries of various ministries, the Controller besides some of the representatives of trade and industry bodies. The committee would be chaired by the Minister of Information Technology.
It is submitted that this constitution is not conducive to the development of a useful advisory body and there is a need to change the constitution as suggested herein.
The CRAC, as envisaged in the Act is only an advisory body and can only submit its recommendations to the Ministry. Hence, the Ministry can review any of the suggestions in a body similar to what has now been constituted as the CRAC. This will be an internal review committee of the Ministry.
On the other hand, if the CRAC consists of eminent personalities from the industry, the wealth of experience and expertise available in the market place can be available to the benefit of the Cyber society. Keeping this in view, the CRAC should be Chaired by an eminent Security Consultant or a Retired Supreme Court Judge and should consist of members from the Netizen community and the Dot.Com industry. Adequate representation from the Legal profession, Law Universities, Sociologists, Criminologists and Technical Journalists should also be considered.
Ideal candidates for this purpose are unlikely to be the working Secretaries (barring individual exceptions) or the Presidents/Secretaries of trade bodies of CII, FICCI etc.
Certifying Authorities would be important intermediaries in the process of developing Digital Identity which is the pre-requisite for E-Commerce as well as the development of a "Responsible Cyber Society". The Act should therefore encourage private enterprise in bringing this service to the masses at an affordable cost. In order to ensure this, regulations should restrict the regulatory measures to prescribing the minimum security standards.
The Act as well as the Rules envisage that the "Controller" would exercise enormous administrative control on the functioning of the Certifying Authorities (CA). For example, the Controller would determine the product features to be offered by the CAs, their pricing, marketing mix, and the manner in which the customer relations are to be handled. Additionally, the Controller would also control the Financial, Technical and HRD aspects of business. This kind of power is wholly unnecessary and not administrable. Such powers can only be exercised selectively and will soon turn out to be tools in the hands of corrupt officials for harassment. Even if the Government ensures that the Controller is above board, it will be impossible to prevent his subordinate officers at various levels from misusing the powers.
It is therefore suggested that
3. Licensing Period for Certifying Authorities:
In view of the enormous costs of setting up the Certification business, the initial licensing period of one year is too short to develop a viable business proposition for any Certifying Authority. In order to encourage quality stand-alone Certifying Authorities to come up, it is suggested that
The Act presently prescribes that Certificates issued by a Foreign Certifying Authority would be valid under Indian law only if the CA is licensed by the Controller. This is fraught with the risk that Certificates issued and to be issued by a large number of CAs in foreign countries would not be recognizable by the Indian Courts in a Cyber Contract case. As a result, the user of such a certificate would escape legal liabilities to the detriment of the other contracting party who might have used a recognized Certificate.
In order to avoid complications, it is therefore suggested that
5. Eligibility to be a Certifying Authority
According to the draft Rule 7 (ii), an applicant for Certifying Authority must be a "Company" operating in India with foreign equity not more than 49 % of the total equity. This restriction is not envisaged in the Act according to which any "person" can apply for a licence.
The Act prescribes a ceiling amount of Rs 25,000 as the fees to be paid by a Certifying Authority applicant. The Rules however prescribe an examination fee of Rs 100,000, application fee of Rs 25,000 and a license fee of Rs 25,000 per annum.
According to the Act, the licence of a Certifying Authority is renewable by an application made not less than forty-five days before its expiry.
However, according to draft Rule 9 (ii) the renewal application has to be made at least 3 months before the expiry of the licence.
The role of the Adjudicating officer (AO) has been an area of confusion in the Act and the accompanying Rules.
Firstly, the jurisdiction of the AO has been restricted to contravention of the Act as defined under Ch 9 of the Act which provides a right to the affected person to claim compensation. The "Offences" indicated under Ch 11 are outside the jurisdiction of the AO.
Secondly, the Rules state that the AO would be appointed by the Government on an ad hoc basis. This indicates that an aggrieved party has to apply to the Government requesting them to order an enquiry. However, no procedure has been prescribed for such purpose. It is not clear whether an aggrieved person has to go to a Police station to file an FIR, or approach a Court or appeal to the Ministry of Information Technology or to the Controller.
Through this process the AO has been reduced to an ad hoc enquiry officer to be appointed by the Government from time to time and not a statutory authority whom Citizens can approach for redressal of any grievance.
The spirit of the Act was definitely not this. By instituting the office of the AO and the CRAT (Cyber Regulations Appellate Tribunal), the Act implied that there would be a parallel system of addressing the needs of the Cyber Disputes bypassing the normal system up to the level of the High Court. This was also useful in ensuring that specially trained persons can be appointed for handling the Cyber Disputes.
The Rules are therefore contrary to the spirit of the Act and it is suggested as follows.
Presuming that the above suggestion is accepted, it is necessary to also provide that
In order for the society to respect law, it is necessary that the penalties proposed should be commensurate with the offences. The Act fails in this respect by providing disproportionate levels of punishment to various offences. For example, for the first commission of an offence of "Publishing or Distribution of Obscene material", the offender can be jailed for a term of 5 years. On the other hand, a person who commits a Credit Card fraud can only be asked to compensate the loss suffered by the Card owner. Even for this, he has to go through the process of seeking justice through the Indian judicial system such as the Civil Court. Going by the standards of the Civil Courts in India, it will be years before the case can come up for hearing and in the meantime it is the complainant who has to keep attending the Court, and organise for the defendant to be brought to the Court with a warrant if required. Even after a judgement is given in his favour he has to get a decree executed to recover his amount. All this simply means that the judicial system proposed under the Act is not available to any Citizen. Moreover, any order passed under Section 43 of the IT Act would only be a "Paper order" as there are no provisions in the Act for its enforcement.
On the other hand, for simple administrative lapses such as when a Certifying Authority fails to submit a "Return" in time, the Controller can impose a heavy fine, invoke the enquiry of the AO who is at the beck and call of the MIT and proceed to recover the penalties like "Land arrears".
The Act in the present form is meant only to serve the interests of the Government and in no way meant for the welfare of the public.
It is therefore suggested that
10. Role for Legal and Non Legal Professionals:
The proposed rules under the Act shut off the office of the Controller for members of the legal fraternity since the qualifications mandated are Engineering or a Ph.D in Physics. Simultaneously, under the provisions of the Act, individuals are barred from seeking representation by non-legal persons in any proceedings before the AO or the CRAT. (This is available for Companies). In order to provide equal opportunities to legal and non-legal professionals for all the official and professional positions, it is suggested that
11. The Judicial Process:
The AO and CRAT may require technical assistance during the process of conducting an enquiry or hearing an appeal. In order to provide such assistance systematically, it is suggested that
12. Definition of Hacking:
The definition of "Hacking" under Ch 11 is unnecessary and can cause unintended conflict with the definition of "Unauthorised Access" under Ch 9. The definition as provided may affect actions that may legitimately be undertaken for "Cyber Patrolling" and "White Hacking", as the onus of proving that there was no "intention to cause damage" would be on the accused.
It is therefore suggested that
The definition of "Tampering with Computer Source Documents" under Sec 65 only covers the records to be maintained by law (which itself has not been indicated). In order to protect the interest of the Software companies from malicious acts of their employees, it is suggested that
It is suggested that
15. Status of Officials as Deemed Public Servants.
According to Sec 82 of the Act, all the officials of the CRAT will be deemed to be Public Servants under section 21 of the Indian Penal Code. It is not clear whether the definition is sufficient to bring the officials under the provisions of the Prevention of Corruption Act. The immunity provided under Sec 84 for "Acts done in good faith" provides further protection to these officials, which is injurious to the development of a healthy and corruption free system.
16. Compounding of Contraventions:
Section 63 of the Act refers to Compounding of Contraventions under Chapter 10. Since there are no contraventions under Chapter 10 that are capable of being compounded, it is suggested that