A Note to Ministry of Information Technology on the Rules under ITA 2000
From
Netizen's Forum For Credible Cyber Regulations
Website: http://www.naavi.com/netizensforum.htm
Co-ordinator: Na.Vijayashankar (naavi@vsnl.com)

This memorandum is being submitted in response to the invitation of the Ministry of Information Technology (MIT) made to the public with specific reference to the draft of the intended Rules to be notified under the Information Technology Act 2000 (ITA-2000).


The Information Technology Act-2000 (ITA-2000) is the first exclusive legal framework envisaged by the Indian Government for the emerging Digital Society. The Act will therefore pave the way for future guidance of the Cyber Society and Cyber Commerce. It will be the backbone for the Indian dream of becoming an IT superpower in the Global arena. In view of the immense importance of this legislation, it is necessary that the legislation has wide acceptance in society and does not become an unwelcome imposition. The suggestions made herein have been drafted taking into account this need along with the compulsions of the Government in developing regulations to prevent the occurrence of Cyber crimes.

1. Constitution of Cyber Regulations Advisory Committee:

The ITA-2000 had envisaged (Sec 88) that the Government would set up a Cyber Regulations Advisory Committee (CRAC) consisting inter alia of members from the public to advise the Government and the Controller on all aspects of regulations. This was the key aspect of the regulations that could provide the services of industry experts in framing and administering the complications of the "Technology Law".

As per the proposed ITA-2000 rules, the CRAC would consist mainly of secretaries of various ministries, the Controller besides some of the representatives of trade and industry bodies. The committee would be chaired by the Minister of Information Technology.

It is submitted that this constitution is not conducive to the development of a useful advisory body and there is a need to change the constitution as suggested herein.

The CRAC, as envisaged in the Act is only an advisory body and can only submit its recommendations to the Ministry. Hence, the Ministry can review any of the suggestions in a body similar to what has now been constituted as the CRAC. This will be an internal review committee of the Ministry.

On the other hand, if the CRAC consists of eminent personalities from the industry, the wealth of experience and expertise available in the market place can be available to the benefit of the Cyber society. Keeping this in view, the CRAC should be Chaired by an eminent Security Consultant or a Retired Supreme Court Judge and should consist of members from the Netizen community and the Dot.Com industry. Adequate representation from the Legal profession, Law Universities, Sociologists, Criminologists and Technical Journalists should also be considered.

Ideal candidates for this purpose are unlikely to be the working Secretaries (barring individual exceptions) or the Presidents/Secretaries of trade bodies such as CII, FICCI etc.

In order to identify such candidates from the vast community of Netizens, a selection process similar to the "ICANN Election model" can be adopted. Under this model, a set of representatives will be short-listed based on nominations received. A community of registered voters who are given digital identities would vote in a pre-determined time span to choose the popular nominations. New elections can be held every year with the condition that no person is eligible to be a member continuously for more than two terms. Such a body would be truly representative of the Public interests, and give enough scope for different persons to serve in the Committee out of love for the assigned responsibilities. The compulsory retirement after two years would ensure that no vested interest could be developed by any member. Over a couple of years millions of Netizens would participate in the election process and make the CRAC a "Democratic Parliament for the Cyber Society".


2. Regulating the Certifying Authorities:

Certifying Authorities would be important intermediaries in the process of developing Digital Identity, which is the pre-requisite for E-Commerce as well as the development of a "Responsible Cyber Society". The Act should therefore encourage private enterprise in bringing this service to the masses at an affordable cost. In order to ensure this, regulations should restrict the regulatory measures to prescribing the minimum security standards.

The Act as well as the Rules envisage that the "Controller" would exercise enormous administrative control on the functioning of the Certifying Authorities (CAs). For example, the Controller would determine the product features to be offered by the CAs, their pricing, marketing mix, and the manner in which customer relations are to be handled. Additionally, the Controller would also control the Financial, Technical and HRD aspects of the business. This kind of power is wholly unnecessary and not administrable. Such powers can only be exercised selectively and will soon turn out to be tools in the hands of corrupt officials for harassment. Even if the Government ensures that the Controller is above board, it will be impossible to prevent his subordinate officers at various levels from misusing the powers.

It is therefore suggested that

The powers of the Controller be restricted to initial licensing and prescription of a model Certification Practice Statement that incorporates the minimum standards governing the Certification process. The powers to prescribe the features of the Certificates, pricing etc. should be left to the discretion of the CA.


This will enable the CAs to introduce innovative products at affordable prices and the quick spreading of the concept of "Digital Identity".

3. Licensing Period for Certifying Authorities:

In view of the enormous costs of setting up the Certification business, the initial licensing period of one year is too short to develop a viable business proposition for any Certifying Authority. In order to encourage quality stand-alone Certifying Authorities to come up, it is suggested that

The Initial period of licensing of the CA is increased to 3 years and the subsequent renewal period increased to two years.


4. Foreign Certifying Authorities:

The Act presently prescribes that Certificates issued by a Foreign Certifying Authority would be valid under Indian law only if the CA is licensed by the Controller. This is fraught with the risk that Certificates issued and to be issued by a large number of CAs in foreign countries would not be recognizable by the Indian Courts in a Cyber Contract case. As a result, the user of such a certificate would escape legal liabilities to the detriment of the other contracting party who might have used a recognized Certificate.

In order to avoid complications, it is therefore suggested that

Any CA who has been licensed by a root certifying authority of a foreign country listed in the schedule (to be specified) will be considered as "Provisionally approved" to the extent that certificates issued by them would not be held invalid in a Case where any of the parties is an Indian Citizen or is using a Digital certificate issued by a CA licensed by the Controller.

5. Eligibility to be a Certifying Authority:

According to the draft Rule 7 (ii), an applicant for Certifying Authority must be a "Company" operating in India with foreign equity not more than 49 % of the total equity. This restriction is not envisaged in the Act according to which any "person" can apply for a licence.

The Rules need to be amended to allow individuals and Foreign Certifying Authorities to also apply.

6. Licensing Fees:

The Act prescribes a ceiling amount of Rs 25,000 as the fees to be paid by a Certifying Authority applicant. The Rules however prescribe an examination fee of Rs 100,000, an application fee of Rs 25,000 and a license fee of Rs 25,000 per annum.

This anomaly needs to be removed. 


7. Renewal of Licence of a Certifying Authority:

According to the Act, the licence of a Certifying Authority is renewable by an application made not less than forty five days before its expiry.

However, according to draft Rule 9 (ii), the renewal application has to be made at least 3 months before the expiry of the licence.

This is beyond the scope of the Act and needs to be deleted.


8. Office of the Adjudicating Officer:

The role of the Adjudicating officer (AO) has been an area of confusion in the Act and the accompanying Rules. 

Firstly, the jurisdiction of the AO has been restricted to contravention of the Act as defined under Ch 9 of the Act which provides a right to the affected person to claim compensation. The "Offences" indicated under Ch 11 are outside the jurisdiction of the AO.

Secondly, the Rules state that the AO would be appointed by the Government on an ad hoc basis. This indicates that an aggrieved party has to apply to the Government requesting them to order an enquiry. However, no procedure has been prescribed for such purpose. It is not clear whether an aggrieved person has to go to a Police station to file an FIR, or approach a Court, or appeal to the Ministry of Information Technology or to the Controller.

Through this process the AO has been reduced to an ad hoc enquiry officer to be appointed by the Government from time to time and not a statutory authority whom the Citizens can approach for redressal of any grievance.

The spirit of the Act was definitely not this. By instituting the office of the AO and the CRAT (Cyber Regulations Appellate Tribunal), the Act implied that there would be a parallel system of addressing the needs of Cyber Disputes bypassing the normal system up to the level of the High Court. This was also useful in ensuring that specially trained persons can be appointed for handling Cyber Disputes.

The Rules are therefore contrary to the spirit of the Act and it is suggested as follows.

The Act should first be suitably amended to remove the distinction between Ch 9 and Ch 11 crimes. The sections in the two chapters should be merged into a single chapter and the AO should have jurisdiction to try all those violations. Whether the state wants to charge a penalty or provide for compensation for an affected member of the public, there should be one common system of Dispute resolution. This should start with the AO, who should receive complaints directly from the affected persons. He should then proceed to conduct an enquiry, summoning the help of the Police if required for investigation. He should then proceed to provide his award, which may consist of Compensation to the affected, a fine to be paid to the State and imprisonment if he deems fit. His award can then be appealed against at the CRAT and the CRAT's judgement can be appealed against in the High Court.


If this amendment is not brought about, there appears to be no need to have a permanent post of CRAT. This is because the major part of CRAT's work happens to be hearing appeals on AOs' awards. The references, if any, from the Controller would mainly be of an administrative nature involving the Certifying Authorities, and the need for CRAT to settle legal issues in such cases is minimal. Since the normal Courts are neither equipped to handle Cyber cases nor have the time to do so, the entire system of Cyber Disputes would be thrown off gear if the amendments as proposed are not effected.

Presuming that the above suggestion is accepted, it is necessary to also provide that

The AO can conduct an enquiry through an online process where the complainant and the defendant along with the AO interact on a secured communication channel with appropriate digital identities. (This will be a forerunner to the E-Courts to be set up in due course)


9. Balancing of the Penalties:

In order for society to respect the law, it is necessary that the penalties proposed should be commensurate with the offences. The Act fails in this respect by providing disproportionate levels of punishment for various offences. For example, for the first commission of an offence of "Publishing or Distribution of Obscene material", the offender can be jailed for a term of 5 years. On the other hand, a person who commits a Credit Card fraud can only be asked to compensate the loss suffered by the Card owner. Even for this, he has to go through the process of seeking justice through the Indian judicial system such as the Civil Court. Going by the standards of the Civil Courts in India, it will be years before the case can come up for hearing, and in the meantime it is the complainant who has to keep attending the Court and organise for the defendant to be brought to the Court with a warrant if required. Even after a judgement is given in his favour, he has to get a decree executed to recover his amount. All this simply means that the judicial system proposed under the Act is not available to any Citizen. Moreover, any order passed under Section 43 of the IT Act would only be a "Paper order" as there are no provisions in the Act for its enforcement.

On the other hand, for simple administrative lapses such as when a Certifying Authority fails to submit a "Return" in time, the Controller can impose a heavy fine, invoke the enquiry of the AO who is at the beck and call of the MIT, and proceed to recover the penalties like "Land arrears".

The Act in the present form is meant only to serve the interests of the Government and in no way meant for the welfare of the public.

It is therefore suggested that

The schedule of penalties is revised to bring about a relation between the gravity of the offence and the proposed punishment. As suggested earlier, the provisions of Ch 9 and Ch 11 should be combined and there should be a uniform scale of punishment. Imprisonment should be resorted to only in the case of deliberate and orchestrated crime on the Cyber society, whether it is "Cyber Fraud" or "Cyber Terrorism" or "Cyber Gherao" etc. Punishment for obscenity should be mainly in the form of a fine unless an attempt to corrupt society at large is proved. It is further suggested that the order for payment of compensation passed under Section 43 of the Act be treated as a "decree" to enable its enforcement through the Civil process.

10. Role for Legal and Non Legal Professionals:

The proposed rules under the Act shut off the office of the Controller for members of the legal fraternity since the qualifications mandated are Engineering or a Ph.D in Physics. Simultaneously, under the provisions of the Act, individuals are barred from seeking representation by non-legal persons in any proceedings before the AO or the CRAT. (This is available for Companies). In order to provide equal opportunities to legal and non-legal professionals for all the official and professional positions, it is suggested that

The choice of the Controller would be made by the CRAC (constituted as suggested in this note) taking into account the experience, qualification and contribution in the professional field.


The complainant or the defendant would have the freedom to engage one or more persons, not exceeding three, to represent him before the AO or the CRAT irrespective of whether they are legal practitioners or not.

11. The Judicial Process:

The AO and CRAT may require technical assistance during the process of conducting an enquiry or hearing an appeal. In order to provide such assistance systematically, it is suggested that

the CRAT should be made a three member committee with at least two of them sitting through any proceedings. One of them must be a technical person. The Chief officer may be a legal person with judicial experience as is now envisaged.


In the case of an enquiry before the AO, the enquiry may be held before an expert committee consisting of three members of the public with relevant experience chosen from a panel. The committee should file a report in confidence on every enquiry, which is referred to by the CRAT only in the event of an appeal being preferred. The report may record the views of the committee on whether all aspects of relevance were considered by the AO before arriving at an award.

12. Definition of Hacking:

The definition of "Hacking" under Ch 11 is unnecessary and can cause unintended conflict with the definition of "Unauthorised Access" under Ch 9. The definition as provided may affect actions that may legitimately be undertaken for "Cyber Patrolling" and "White Hacking", as the onus of proving that there was no "intention to cause damage" would be on the accused.

It is therefore suggested that

The definition of "Hacking" under Sec 66, being redundant and dysfunctional, should be deleted. Simultaneously, the provisions of Ch 11 and Ch 9 are to be merged into a single list of "Contraventions that attract penalty, Compensation or punishment of any kind under the Act".


13. Definition of Tampering with Computer Source Documents:

The definition of "Tampering with Computer Source Documents" under sec 65 only covers the records to be maintained by law (Which itself has not been indicated). In order to protect the interest of the Software companies from malicious acts of their employees, it is suggested that

Tampering of Source Codes by employees of a software company in a manner inconsistent with the rights accorded to them for the purpose of discharging their functions should also be recognized as an "Offence" punishable in law (much as destruction of property belonging to the employer is punishable). Simultaneously, the records to be maintained by law have to be specified for clarity.


14. Miscellaneous Provisions regarding Digital Certificates:

It is suggested that

Sec 35 (3) and 35 (2) of the Act, which wrongly prescribe the Certification Practice Statement as a mandatory document to be provided by an applicant and determine the pricing of the Certificates, should be deleted. Consequential changes should also be made to 35 (4).
Sec 32 regarding "Display of License by a Certifying Authority" should be deleted.

Sec 25 regarding the Power of the Controller should be restricted to suspension of the license of the Certifying Authority. Revocation power should be exercised by a higher committee of the MIT.

Sec 27 regarding the delegation of power by the Controller to his subordinates should exclude the power of suspension and revocation of license of a Certifying Authority.


These changes are suggested since the subject powers are unnecessary and are capable of being abused. 

15. Status of Officials as Deemed Public Servants:

According to Sec 82 of the Act, all the officials of the CRAT will be deemed to be Public Servants under section 21 of the Indian Penal Code. It is not clear whether the definition is sufficient to bring the officials under the provisions of the Prevention of Corruption Act. The immunity provided under Sec 84 for "Acts done in good faith" provides further protection to these officials, which is injurious to the development of a healthy and corruption-free system.

It is therefore suggested that

The Controller, AO, the CRAT and all  officials working under them should be deemed as "Public Servants under the Prevention of Corruption Act" and subject to the supervision of the CVC. 
Sec 84 providing immunity against legal action against the Controller and other officials should be deleted. Action in this regard should lie by way of an appeal to the High Court.

16. Compounding of Contraventions:

Section 63 of the Act refers to Compounding of Contraventions under the Chapter 10. Since there are no contraventions under Chapter 10 that are capable of being compounded, it is suggested that 

"Chapter 11" is substituted for "Chapter 10" in section 63.

Summary:

It is evident that the changes required to be made to the Act and the Rules are many and far reaching. It is therefore suggested that all action on this front is suspended until a CRAC is constituted as suggested consisting of eminent persons which can go through with all the other suggestions made herein.
