Let's Build a Responsible Cyber Society


Reviewing the Review of ITA-2000: Issues

 

Background:

Information Technology Act 2000 (ITA-2000) has now been in existence for the last 5 years. The Act was in public discussion in draft stage since 1998 before becoming a law with effect from 17th October 2000. The Act had for the first time in India attempted a legal regime for the Cyber space transactions.

The primary focus of the Act was to provide legal recognition for Electronic Documents in E-Business and hence substantial attention was devoted to the setting up of a system for non-repudiable authentication of Electronic Documents. Based on the technologies available, a "Digital Signature System" based on the Public Key Infrastructure, with a trusted third party acting as the Certifying Authority, was adopted. Correspondingly, the office of the "Controller" was created to administer the licensing system. Since the criminal justice system then prevailing was considered insufficient, the Act also addressed the issue of defining offences and contraventions and a fast track justice dispensation system.

Apart from contraventions and offences associated with the issue of Digital Signature usage, ITA-2000 defined a wide set of contraventions through Section 43 and a wide set of offences through Section 66. Additionally, Section 67 addressed the issue of "obscenity" in electronic form and Section 70 addressed the need to protect critical systems. Section 65 provided support for preservation of evidence and Section 69 for assistance in interception and decryption of encrypted messages. Intermediaries were given certain exemptions from liability under Section 79. Police powers, restricted to DySPs, were made available for search, seizure and arrest without warrant, but only in public places.

The Act also introduced a system of Adjudicators and Cyber Regulatory Appellate Tribunal (CRAT) for justice dispensation. The Act also provided an inbuilt mechanism for review of the Act through the Cyber Regulations Advisory Committee (CRAC).

After the Act became effective, the Ministry of Information Technology (MIT), which is now the Ministry of Communications and Information Technology (MCIT), failed to take adequate steps for the implementation of the various provisions as well as for creating the required awareness of the provisions.

It was some time in February 2001 that the first Certifying Authority (CA) became functional, realizing the basic objective of the Act.

In February 2003, a major amendment was made to the Act consequent to the passing of the Negotiable Instruments Amendments Act 2002. Other than this, some minor amendments were made to remove difficulties. Some changes were also made through notifications.

In March 2003, Adjudicators were appointed through an intervention of the Mumbai High Court.

Even after 5 years the CRAT is yet to be appointed. Apart from conducting around 4 workshops on Digital Signatures in different Metros, no investment of time, effort or money was made by MCIT on awareness creation. The Digital Signature regime was therefore slow in picking up.

In the meantime, the Karnataka Government passed a state act to regulate Cyber Cafes, Chhattisgarh passed notifications to enable e-Governance and Maharashtra passed notifications for regulation of Cyber Cafes, all falling within the regime of Cyber Laws.

Though the MIT formed an Inter Ministerial Working Group on Cyber Laws and Cyber Security to suggest amendments to the Act and the group presented a comprehensive list of amendments, the same had been kept in cold storage.

All through these years, the law enforcement was training its staff on Cyber Laws and Cyber Crimes. Several Cyber Crime Cells had been formed in different parts of the country and cyber crime complaints had started coming in. After initial problems the Police had been picking up investigation capabilities and the first conviction under ITA-2000 occurred in November 2004 at Chennai for a Section 67 offence. The accused was given an overall concurrent imprisonment of 2 years and fined Rs 5000/- in this case.

In the last few months, Police had graduated to start thinking of Cyber Forensics while judiciary had started evincing interest in training their officers with the Judicial Academy, Chennai taking the lead. The legal fraternity had individual members in different parts of the country taking up the study of Cyber Laws and the awareness had started building up. The industry had also started realizing the importance of implementing Cyber Law Compliance programmes within their IT Security plans.

Thus, after nearly 5 years, Cyber Laws in India showed a tendency to take firm roots. With 6 other Certifying Authorities coming into business, even the Digital Signature regime was just about to take off.

Turning Point:

Towards the end of 2004, the infamous Delhi DPS case involving Baazee.com occurred and brought about a significant change in the way industry looked at the legislation. The Delhi Police investigating the case arrested the CEO of Baazee.com (a subsidiary of eBay.com), Mr Avnish Bajaj, on the grounds of vicarious liability for the incident. Though he was released on bail after 4 days, the arrest of the CEO of a US subsidiary became a huge ego issue for the industry. With diplomatic pressure being mounted from the US, the FICCI secretary and Mr Narayana Murthy of Infosys were in the forefront in declaring that "ITA-2000 has to be reviewed". The IT industry, which had been relatively powerless and silent when the CEOs of Polaris and i-Flex were in foreign jails, suddenly became emotionally charged about the arrest of the US Citizen under ITA-2000. The industry stalwarts did not stop to think whether Mr Bajaj had been arrested under ITA-2000 or IPC, whether there was any reasonable justification and whether there was any negligence on the part of Mr Bajaj in the episode.

The concerted demand of the industry to bail out a fellow member from the ignominy of arrest resulted in the MCIT ordering a total review of ITA-2000 and forming of an "Expert Committee" for the purpose, with instructions to come out with the report within 2 weeks. This expert committee was also given a copy of the earlier report submitted by the Inter Ministerial Committee on Cyber Laws and Cyber Forensics to incorporate necessary suggestions in their recommendations.

The expert committee has now given its final report which was made public on August 29th and public comments have been invited before September 19th.

The Issues

Now it is time for all stakeholders to study the proposed amendments and send their comments to the MCIT so that their suggestions can be incorporated before the amendments are given effect.

To enable the public to formulate their views, we are providing here some of the issues thrown up by the Expert Committee Report that need to be discussed. This is the first set of issues that has been listed and is meant to be discussed during an industry level discussion meet organized by the Computer Society of India, Chennai Chapter, at Chennai on 13th September. These issues may be expanded if readers send in their suggestions. Some of these issues may be of more relevance to the legal and judicial fraternity, some to the law enforcement, some to the industry and some to the academic institutions engaged in Criminology studies. Since a major overhaul of an Act like ITA-2000 affects all segments, it is considered relevant to list the issues relevant to all stakeholders.

For the following discussions, ITA-2005 refers to the amended version of the Act as proposed by the Expert Committee.

Issue No The Issue Comments
1 Has the proposal created a divide between "Intermediaries" and "Other IT Companies"?

The proposed amendments have created a divide between different types of sub-industries within the IT industry.

Portals, ISPs and Cyber Cafes have been classified as "Intermediaries" and have been given near immunity from liability arising out of any cyber crimes committed through their network.

As a result, it is no longer possible for executives like Avnish Bajaj to be arrested.

However, other IT Companies who are affected by crimes seem to have lost some of the protection that was earlier available.

The IT industry (other) is more interested in protecting its own assets than in the vicarious liabilities that may arise due to crimes occurring through the network.

On the other hand, the "Intermediaries" are interested in their immunity against third party information.

Any weakening of the provisions that protect inherent data injury is against the interest of the "non-intermediary" IT industry players. The change in Section 66 has exactly this kind of effect.

While the ideal situation is to protect both the Intermediaries and others, such an attempt may weaken the entire fabric of the IT industry where criminals will have the last laugh. 

2 Has the IT Industry been benefited by the proposed amendments?

Under ITA-2000, any adverse impact on information residing inside a computer could be tried under Section 66. Under ITA-2005, unless "Fraud" or "Dishonesty" is proved, Section 66 cannot be invoked.

Under ITA-2000, at the first instance of data injury, investigation could have been launched with the arrest of the suspect and search and seizure of incriminating evidence lying in different systems. Under ITA-2005, it is necessary to obtain a Court order for arrest as well as for search and seizure.

This could hamper the investigation and provide opportunities for the criminals to erase the evidence.

Additionally, in any crime, intermediaries hold all the incriminating evidence. Without their wholehearted support, Cyber crime investigation may face hurdles.

Under ITA-2000, the need for "Due Diligence" by the intermediaries to escape liability acted as a strong reason for them to cooperate with the investigating agencies. Under ITA-2005, there is no reason under which Intermediaries may cooperate with the investigating agencies.

The IT industry will therefore be more vulnerable to the ill effects of Cyber Crimes.

The cost of "Hackers Insurance" or "Information Asset Insurance" as and when it may be available will increase.

Hence the softening of the law may be detrimental to the IT industry.

3 Has the offence of "Virus introduction" been sufficiently addressed?

Introduction of viruses and variants such as spyware, trojans etc. has been a concern for the industry.

Under ITA-2000, introduction of virus was covered under Section 43 and could also be covered under Section 66. In the ITA-2005, Section 66 has been restricted and will apply only to cases of "Dishonest" and "Fraudulent" introduction of Virus.

Most spyware will now be exempt from the operation of Section 66.

Since Section 66 is now not a serious offence, Police cannot effectively investigate virus crimes and possibility of convictions will become lower.

4 Are Police Relevant in Cyber Crime Management?

ITA-2000 had provided under Section 78 that only an officer of the rank of DySP can investigate offences under the Act. Under Section 80, it had prescribed that the power to search and arrest without warrant is restricted to public places. In all other matters CrPC was to prevail.

The proposed amendments suggest deletion of Section 80. Hence Police shall not have any powers to search or arrest without warrant even in public places. Though section 78 remains, there is no mention anywhere about powers to Police for search or arrest.

Section 81 makes this Act override every other law other than the Copyright Act and the Patent Act. Hence it could be interpreted as overpowering IPC and CrPC.

If silence about the powers of search and arrest is seen along with the specific removal of the earlier section, it may be interpreted that the legislators have decided to specifically remove the Police from Cyber Crime management system.

This view is further corroborated by some related provisions of Sections 69 and 72.

Under Section 69, which gives certain powers to the Controller for interception of messages in specified contexts, the words "for preventing incitement to the commission of any cognizable offence" are being deleted. This means that the assistance of interception and decryption will not be available in case of offences under IPC or other statutes.

Under Section 72, it is stated that the victim should lodge the complaint directly with the Magistrate.

This could be interpreted as a deliberate attempt by legislators to keep ITA-2005 as an independent legislation not overlapping with any of the current activities of the Police under other legislations.

Under ITA-2000 it was common for the Police to frame charges under multiple Acts such as IPC and ITA-2000. Under ITA-2005 it appears that the Police shall keep themselves off the Cyber Space, which will be regulated by the "Controller" and "Adjudicator" along with the assistance of the Magistrate.

5 Has the Judiciary been subordinated to the Executive?

Under ITA-2000, compounding of contraventions was permitted by the adjudicator either before or after adjudication. Since the adjudicator's powers were limited to civil cases, compounding was also permitted only in civil cases.

In ITA-2005 it has been proposed that the Controller or the Adjudicator shall compound both contraventions and offences. In cases where prosecution is pending, on a mere notification from the adjudicator that compounding has been permitted, the prosecution shall be dropped and the person discharged.

Under these provisions, no prior permission of the court is required for launching the compounding process and the Court shall not have any power to reject the compounding on any grounds.

6 Is Elimination of Police and Subordination of Judiciary to the Executive beneficial to the Industry?

Industry or the Society benefits if the society has a good system where crimes are controlled. If Police and Judiciary become redundant or less effective, it is unlikely that the society can be free from crimes. An increase of Cyber Crimes with a corresponding adverse effect on the society is therefore possible.

7 Will Individuals Benefit from Data Protection Provisions?

Section 43 and Section 66 of ITA-2000 already provided good security to individuals who could bring penal action and also seek compensation from any person including an intermediary if data had been negligently handled causing loss. The level of "Due Diligence" required was left to the discretion of the judicial authority reviewing the case and could be made relative to the circumstances of the case.

ITA-2005 raises an artificial distinction between "Data" and "Sensitive Personal Data" and proceeds to give protection for compromise of "Sensitive Personal Data" by a corporate body caused by negligence in implementing "reasonable security practice".

By taking on the responsibility for defining "reasonable security practice", the system has been weakened since the security practice cannot keep pace with change of times and will remain stagnant. As a result the level of protection expected to be available for the data security can only be less than under the moving benchmark of security envisaged under ITA-2000.

While companies may consider that there is now a "clarity" and appoint "Auditors" to "check and certify" against a standard checklist, the incentive for continuous improvements on security has been taken off. The Government has taken the responsibility for developing what industry bodies should have developed as internal security standards.

In future, any online fraud by a website, whether in the form of selling spurious goods or backing out of auction commitments etc., will be difficult to punish since the intermediary will be immune to such crimes and the fraudster may be non-traceable.

I am afraid that even consumer laws cannot be invoked on online market places if the amendments become a law.

8 Will BPO customers feel more reassured?

The BPO customers who are perturbed by the type of data leakage of the Karan Bahree type would like strong laws that act as a deterrent for such crimes.

In ITA-2005 the addition of subsection (2) to Section 43 provides some remedy to individuals whose sensitive personal data is mis-handled by a corporate data manager. This however is more relevant to Indians and may not add any assurance to BPO customers.

On the other hand, while such frauds could easily have been covered under Section 66 of ITA-2000, under ITA-2005 the accused can escape liability by feigning innocence (say, by stating that he was only making a presentation of his capabilities, as Mr Karan Bahree is supposed to have stated).

The new Act will therefore weaken the confidence of the BPO customers from the current level.

9 Will Women feel reassured?

With the dilution of the Section 66 and 67 offences, reduction of Police powers and the need for the complainant to approach the magistrate for registration of a complaint, women who are harassed with doctored pictures (eg: Trisha video case) will find it extremely inconvenient to pursue their cases.

The proposed Act is therefore anti-women and threatens many marriages and female lives.

10 Does the proposed change to the Digital Signature system provide an effective alternative?

The proposed amendments have replaced the term "Digital Signatures" in the earlier version with "Electronic Signatures". Digital Signature is now defined as one of the types of Electronic Signatures. There are no suggestions of any new systems. Introduction of "Electronic Signatures" is therefore likely to be only of academic interest at this point of time.

11 Did the Amendments avoid the more pressing requirements of the society?

There was a crying need to address issues such as Spam, Cyber Terrorism, Cyber Stalking and Cyber Squatting. The Committee has chosen to ignore these requirements.

12 a) Was the Constitution of the "Expert Committee" ultra-vires the Act?

b) Was the constitution of the committee lacking in proper representation of the stakeholders?

 

ITA-2000 had provided an inbuilt mechanism for review through CRAC. Under section 88, CRAC is the body which has a duty to advise the Government on any matter relating to the Act.

The constitution of the "Expert Committee" and its submission of the report to the Ministry directly and its acceptance may therefore be improper.

The constitution of CRAC had wide representation including representatives from the Home, Law, Commerce and Finance Ministries, RBI, CBI, State IT Secretaries and industry bodies. In contrast, the Expert Committee consists of only representatives of the MCIT, along with two private lawyers and three representatives from the industry. The industry representation comes from Sify and Rediff, which are Portals, and HCL Infosystems. Sify also has a significant stake in Cyber Cafes.

The constitution of the committee therefore appears to lack balance.

A detailed clause by clause summary of the amendments suggested is available at www.naavi.org. Several individual articles on various topics are also available on the site for further reference.

 

Naavi

September 9, 2005