Steps to Improve Cyber Judicial System in India

In the last two posts, I have highlighted the call for early appointment of the Chair person of Cyber Appellate Tribunal (CyAT) which is vacant since July 2011 and the inadequacy of the NCRB system to recognize the extent of Cyber Crimes that occur in the country.

In this context, there is a need for a total revamp of the Cyber Judicial system in India for which I place some suggestions here. I hope the message will reach the right persons and necessary action will be initiated.

In particular action would be required from

  1. Mr Ravishankar Prasad who is the minister for DeITy and Law
  2. The Secretaries attached to department of IT, Law and Home affairs
  3. Chief Justice of India
  4. Chief Justices in the States and Union Territories
  5. Chief Ministers of different States
  6. IT and Law Secretaries in different States
  7. PMO
  8. Heads of Police in different States
  9. Heads of Institutes of Law Education and Police Training all over India
  10. Members of the Media

My suggestions can be classified into following six heads.

  1. Awareness Building
  2. Crime Reporting
  3. Adjudication
  4. CyAT
  5. Special Magistrate Courts
  6. Special Mediation Centers

1. Awareness Building

Whenever we discuss solutions related to Cyber Crimes and Cyber Security, “Creating Awareness” continues to top the discussion table and often ends with it. There is no doubt that “Creating Awareness” is necessary but we need to also address to whom should we create awareness and regarding what.

First level of awareness building is to the public that there is a law called ITA 2000/8 and if they have any issues, they can seek protection from law. But immediately they will ask, which Police Station should I reach out and which Court should I approach. Given the general reluctance of public to step into any Police Station, unless people feel that there would be a definite benefit they will not approach the Police. While there are many knowledgeable Police officers, there are more number of station level policemen who are not familiar with Cyber Crimes and are reluctant to accept any complaints.

There is therefore a need to create awareness amongst all the Police Stations. Despite some efforts there is still a lack of effort in ensuring that our police stations are equipped to accept a Cyber Crime complaint. Today we see a board in most Police stations about the number of complaints received under various types of crimes. I donot seem to have seen the list including any “Cyber Crimes”. In fact I would like to see “How many policemen including constables are there in the police station and how many of them have been trained to understand Cyber Crimes” as part of the information these police stations should display.

I have once suggested Bangalore police to have “Station level Awareness Exercise ” on Cyber Crimes so that every Constable is trained to understand Cyber Crime. Just as we conduct workshops in schools, workshops on Cyber crimes should be conducted in every police stations. Advanced courses can be conducted for SIs and investigating officers but base level awareness is required to every body.

Similarly, awareness need to be created with advocates, Public prosecutors, Magistrates and judges at all levels. CJIs need to monitor how may judicial officers are in the state and how many of them are proficient in Cyber Crimes. Judicial Academies need to work on a specific target in this regard so that 100% of magistrates and civil judges go through at least the base level workshop within the next one year.

An action plan for this can be developed and implemented by every State under the guidance of the Chief Justice of the State High Court.

Awareness also needs to be built for every IT Secretaries in India since they are “Adjudicators” and function like a Civil Judge in respect of all offences under ITA 2000 upto a loss of Rs 5 crores.

Lack of awareness at any level whether it is the victim, or the Police or the Lawyers or the Judiciary should not be a reason why Cyber Crimes donot get registered.

I am sure that budget is not a constraint since we can use an army of Law Professors from different Law Colleges to conduct such base level programs, if necessary by first conducting a “Training for Trainers”.

Naavi has conducted programs under the “Karnataka Cyber Law Awareness Movement “way back in 2005 to spread the Cyber Law Awareness in India and can still contribute to a new wave of such activity if some body in Karnataka or at the Central Government level is interested.

2. Crime Reporting

Assuming that awareness is built up at all levels, the next problem to be tackled is the means of reporting of a Cyber Crime incident. If we want to get the correct picture of the Cyber Crime scenario in the country, we need to break the reluctance to register Cyber Crime complaints at the police level. It is appreciated that if Complaints are registered but not resolved, some may interpret it as an inefficiency of the Police and hence Police are reluctant to register a complaint which they are not confident of resolving.

We therefore need an “Impersonal System of Crime Reporting” where the incident is reported online. Every incident reported should be numbered whether they are converted into a complaint or not. Police should establish a network of “Friends of Cyber Police” in different parts of the City who may be approached by the victims for guidance. These FOCPs can vet the complaint and load it onto the system on behalf of the victim.

The system should escalate the complaint to a suitable Police officer for conversion into a formal complaint and issue of an acknowledgement. The higher authorities in Police may take follow up action as may be required though the first task of recognition of Cyber Crime is achieved through this process.

Every incident may be technically considered as an “Attempt” to commit a crime and therefore can be recognized as a registerable Cyber Crime. Hence there should be no technical issue is mandatory registration of FIRs for all verified complaints.

This will help in the assessment of the resources that need to be committed to Cyber Crime mitigation in the long run.

3. Adjudication

Adjudication was a wonderful system which ITA 2000 suggested for resolution of civil claims for damages arising out of contravention of any provision of ITA 2000. It provided for quick resolution, and suo-moto powers to the adjudicators to take remedial action. In 2003 in view of the fact that the Judicial system was not prepared to take up the challenge of adjudicating on technology related issues, Government made all IT Secretaries of states as “Adjudicators” for the respective state. These officers were tech savvy and senior enough in the bureaucracy to conduct proceedings of adjudication as an “Enquiry” process. Appeals were available to the CyAT.

However over a period the Adjudicators have shown no enthusiasm to take up this responsibility both because they are otherwise engaged in the developmental activities as also because there is a conflict of interest since some of the cases involve business interests of IT companies. Additionally just as Judicial officers were lacking in technical knowledge, the IT Secretaries were also found to fumble with the legal knowledge when required. As a combination of all these factors, today the system of Adjudication is almost non existent.

There is therefore a need to review and revive this system. One way out is for the State Judiciary to train some of their Judicial officers in Cyber Crime related issues and set up a parallel team of Adjudication Empowered Judicial Officers. Once the IT ministry issues necessary notification, these officers can start taking up complaints.

Alternatively, every Adjudication set up which today consists of the IT Secretary can be made a two member bench with the Law Secretary of the State being the second person. This will provide the relief in terms of knowledge deficiency but may not solve the problem of lack of time for these state level senior officers. The team of trained judicial officers may therefore be a better solution to meet the requirements of Adjudication.

These Adjudicating officers should be mandated to use Video Conferencing wherever feasible so that the cost of adjudication is reduced.

Again a suitable framework for training and sustaining this system can be developed if the State High Court Chief Justice takes interest.

4. CyAT

The issue of CyAT has been discussed earlier. Presently there is a set up in Delhi with a good infrastructure and also a technical member. If only a Chair person can be appointed, the system can restart its activities.

However there is a need for CyAT to sit in different States and use Video Conferencing so that victims need not travel to Delhi for their cases.

It should be mandated that the CyAT regularly sits in different State Capitals and conducts its proceedings and also set up at least one bench in South India to enable economical access to the public.

5. Special Magistrate Courts

While the Adjudication and CyAT takes care of the civil disputes, there is also a need to set up special magisterial courts in the States to handle Cyber Crime cases exclusively. This will speed up delivery of justice and also build expertise in specific Judges who can support the system at higher levels as days go by.

This is an action which again needs to be handled by the State High Court.

6.Special Mediation Centers

ITA 2000/8 provides for compounding of most offences including those which come under the category of criminal offences. Hence there is a scope for mediation and Conciliation both in the case of Civil and Criminal proceedings.

If therefore a good system of mediation can be developed, this will reduce the burden in the system of Adjudicators and Magistrates and help in the quicker delivery of Justice to victims.

There could be many other measures that may help in improving the Cyber Judicial systems but what is discussed above is a list of suggestions that can be considered.

It is to be remembered that an efficient Cyber Justice System is not only required for the success of the Digital India program but also is essential for India maintaining a good “Ease of Doing Business ” index on a global scale.

I hope the relevant authorities in the Government take necessary action in this regard and provide some relief to the public reeling under the onslaught of Cyber Crimes.

Naavi


NCRB releases misleading Cyber Crime data for 2015

As an annual ritual, National Crimes Record Bureau (NCRB) has released the Crime data for the year 2015 which includes data regarding Cyber Crimes registered and disposed off in India in 2015.

ncrb_cover

Copy of the Report :  Full Report : Cyber Crime chapter

Many news papers have reported on the data stating that Cyber Crimes have increased by a whopping 225% from 6268 to 14121 by addition of 8045 new cases registered during the year. (This pertains to cases registered under ITA 2000/8)

There have been analysis of which states have registered more cases, which City is int he forefront of Cyber Crimes etc.

According to the report   Uttar Pradesh registered 2208 cases in 2015, while Maharashtra registered 2195 cases in 2015 and Karnataka 1447 cases. On an all India basis, a total of 8045 new Cyber Crime cases have been registered in 2015.

If we also add the cases registered as “Cyber Crimes” but under different sections of IPC, the number of pending cases increased from 8032 last year to 19423 at the end of 2015 with 11592 new cases being registered. This shows an increase of 241% in pending cases.

Out of these cases a total of 276 ITA 2000 cases and 336 cases in total were recorded as “Disposed”  which would include those  dropped or transferred to other types of crimes. The disposal rate works out to 1.95% of the ITA 2000 cases and 1.72% of the total Cyber Crime cases.

We need to appreciate that this is the cases disposed off at the Police level and does not represent the disposal by Courts. It also does not include complaints registered and not converted into registered cases.

It is reported that  charge sheets were filed in courts in 3,206 cases but we may not have more than a few convictions during this period.   The total number of cases pending trial increased from 3917 last year to 7123 during the current year. 48 cases were compounded or withdrawn.

The statistics reveals that in 640 cases, trial were completed with  234 cases convicted and 406 discharged. Of the convictions it is interesting to observe that  143 convictions were under Section 66A which was repealed by Supreme Court in march 2015. 185 cases under Section 66A were acquitted while 2522 cases are still pending.

Deccan Herald has highlighted (See the report) the growing pendency of cases and we need to now look at solutions to address this issue rather than merely counting the arithmetics of crime statistics.

Looking at the motives, 3855 crimes were with the motive of financial gain while another 1097 are listed under fraud/illegal gain. Together 4952 crimes fall under these two categories. Insult to modesty of women, personal revenge and anger etc accounted for 1098 crimes while defamation accounted for 380. Extortion cases were 293 while hacking for fun was around 214.

While the trend in these crimes provide some good indication of what needs to be done to reduce the adverse effect of Cyber Crimes on the society, we need to ensure that these statistics in numbers have to be more reliable and reflect on the actual commission of offences. Otherwise,  the statistics provided by NCRB can be considered as misleading.

A part of this problem should be solved if Banks report the number of Credit Card, ATM card, Mobile wallet and Phishing frauds which will be necessary as per Cyber Security Framework 2016 suggested by RBI. Similarly we need to also record the innumerable Virus incidences, spamming, mobile thefts etc which are offences under Section 66 and 66B of ITA 2000/8 which appear to have escaped the NCRB report.

Obviously if we say the number of Cyber Crimes is not 6000 but 1 lakh, many eyebrows will be raised. But it is important to recognize that the problem of Cyber Crimes is really that large and needs to be addressed with better resource allocation both to the Police and Judiciary.

In fact Police should also take into account the possibility of “Friends of Cyber Police” drawn from the community who can at least help in getting Cyber Crimes reported properly. For this purpose Police should permit private organizations to receive online complaints and forward it to a central data base of the Government from which Police can take it up for investigation without waiting for a complaint directly from the victim. Some acceptable norms for this purpose can be drawn up. These will work like a private CERT in a limited way.

However, we need to point out  a serious flaw in the NCRB report which has been pointed out by us in the past and remains unattended. It also indicate the ignorance of the NCRB in ITA 2000/8.

I refer to table 18.2 on Cyber Crime incidences classified under different sections of ITA 2000/8 and IPC contained in the report which is reproduced below.

cyber_crime_cases_disposed_2015

 

If we observe this report, 88 cases have been reported under “Tampering of Computer Source Documents” which we may presume are cases registered under Section 65 of ITA 2000/8.

6567 cases have been reported under IT-Computer related Offences which includes 4154 cases under 66A, 132 under 66B, 1081 under 66C, 1083 under 66D ad 117 under 66E. Offences under Sections 66A,66B,66C,66D and 66E nicely add upto what has been reported as “IT related Offences” which is presumably referring to Section 66.

It is unfortunate that NCRB does not recognize that Section 66 is an independent section and is not the aggregation of other sections 66A to 66E. By using this classification, NCRB is suggesting to all the Police stations that cases under Sec 66A to 66E are actually to be aggregated as offences under Section 66 and no case need to be registered under Section 66. I am sure that most cases that ought to fall under Sec 66 have been registered under Section 65.

If these charge sheets go to Courts, I wonder how the Courts can proceed since informed lawyers will simply demolish the case just stating that a charge listed under the charge sheet under Section 65 does not hold.

I wish NCRB consults NPA and revises the format of the Crime report system so that this error does not continue in the next year.

When we discuss the states where there are more crimes based on this report, we must remember that if the Police and Public are aware of Cyber Crimes and register complaints, it will naturally appear in this list. If they are ignorant and register cases under other laws or donot register cases at all, then obviously it will not reflect in the report. Hence it is not correct to reflect on the state of Cyber Law and Order in a state solely by referring to this list. In fact the reason why Uttar Pradesh tops the list is because they have efficient police officers in Noida who have registered a number of Cyber crime cases which should actually be appreciated.

The report says that 13 cases of Cyber Terrorism under Section 66F have been registered. Since this section carries “Life Imprisonment” it is the most serious offence under ITA 2000/8 and we need to know which are these cases and whether they represent any wrong interpretations. In fact the real Human Rights Activists (Not the Pseudo Activists who consider only terrorists as their subjects) should look at these 13 cases and ensure that there has been no incidence of misapplication of law for political or other considerations.

I request  NCRB to provide the details of these 13 cases to clarify the position.

What   we may however discuss is that while the number of cases registered is far less than the real incidence of Cyber Crimes (if we include the e-banking frauds), the disposal rates are only less than 2 % at the level of the police while at the Court level it is Zero percent.

The lack of a proper Cyber Judicial system in India to address Cyber Crimes is therefore very evident. Since no cases get disposed, it discourages public from reporting cyber crimes and even the Police are disinterested in pursuing investigation since it is a complete waste of time.

I suppose that the responsibility for this situation should be taken by the Chief Justices of State High Courts and the Supreme Court more than any body else. The Supreme Court does not find it inappropriate to spend time and also pull up the executive for their administrative lapses and irrelevant political cases but remains completely unconcerned when the Cyber Crime victim’s interests are involved.

There are several cases not only in Karnataka High Court but also in Nagpur where the non appointment of the CyAT chair person has been raised. But each time the DeiTy has stated that the matter is pending with Supreme Court for approval of a candidate and  State High Courts have simply closed the case. Last time it was even understood that Justice Mrs Vasuki of Chennai was appointed for the post but it never materialized. Now there is no other option left but to move contempt of court petitions against DeiTy which I understand is happening in Nagpur.

However, even if a High Court directs the DeiTy to appoint a CyAT chair person, it is unlikely to make any change to the current scenario of pending cases and non recognition of many incidents as crimes. We need multiple steps to be introduced in this regard to improve the Cyber Judicial system in India.

I will provide some suggestions in this regard in another post and  wish responsible MPs like Mr Rajeev Chandrashekar move a motion in the Parliament for a new Parliamentary committee to be set up to completely revise the Cyber Judicial system.

..Suggestions in the next post

Naavi


We Need a total revamp of the Cyber Judiciary system in India….Attention Mr Modi

Mr Rajeev Chandrashekar, one of the few MPs who understands Cyber Law has rightly drawn the attention of the Government to the need to appoint the Chair person to Cyebr Appellate Tribunal-CyAT. (Refer BS Article).

According to the report, he has written a letter to MR Ravishankar Prasad in this regard and urged early action. I hope the department will take cognizance of this request which comes from an MP with the knowledge of IT.

The problem however does not entirely that of the DeiTy and it appears to lead to the doors of the Chief Justice of India and the inability of the CJI and the DeITy to agree on a candidate given the issues involved in the appointment of Judges in general.

I wish Mr Rajeev Chandrashekar had written to the Chief Justice also.

In the past Naavi has written many letters in this regard both through the web and also directly and neither the CJI nor the Ministers and Secretaries in DeiTy or even the PMO have taken any positive action.

However, as an eternal optimist, I hope  sooner or later, a decision has to be taken in this regard. It has taken more than 5 years now for the appointment and in the meantime the office of CyAT has been spending public money to remain in existence. It now seems to have a good Registrar also but all the expenses are going down the drain. Perhaps the CAG will also ask the question of what is happening to the investments made in CyAT.

I believe that appointing a Chair person for CyAT is only one of the many steps required to bring the Cyber Judicial system in India to acceptable levels and I will in a separate post that will follow outline some of my suggestions in this regard. I request Mr Rajeev Chandrashekar to take up these suggestions also with the Government and Judiciary.

Some of these suggestions will be directed to Karnataka Government and the Chief Justice of Karnataka in particular and the other State Governments and High Courts in general and can be done without much delay. Some may require notification from DeiTy which also should not take time. A few of the suggestions may require longer deliberation but like all reforms, we need to address the low hanging fruits first and let the momentum for reforms build up.

More will follow…(after an analysis of the NCRB cyber crime data of 2015 which has also been published yesterday)..

Naavi


Basheer Case Judgement and Section 65B of Indian Evidence Act…Cyber Jurisprudence develops

Information Technology Act 2000 (ITA 2000) came into effect on 17th October 2000. Subsequently, the substantially amended version of the Act viz ITA 2008 came into effect on 27th October 2009. Despite the long elapse of time since these versions have been in practice, certain key aspects of the Act continue to be under debate as the related Jurisprudence is slowly building up.

In a domain of special knowledge such as “Cyber Laws” (Laws applicable to Electronic Documents), Jurisprudence develops first through the interpretation and opinion of experts and later gets polished with Judicial pronouncements creating a precedences.

The Judicial pronouncements also gets reviewed and modified over a period of time when the counsels participating in cases bring forth essential points for discussion before an erudite and open minded judge.

We are presently in this state of development of Cyber Jurisprudence where every judgement may be disagreed with and debated. In such a state of development, it is not uncommon for  one Court to disagree with another Court. It is also not uncommon for a lower Court to disregard an earlier judgement of another higher Court if the facts and circumstances brought before it appear to be different from the facts and circumstances underwhich the earlier higher Court had pronounced its views.

It is fascinating to observe how such jurisprudence develops over a period of time.

Naavi has been in the forefront of contributing to the building the Cyber Jurisprudence in India through his incessant contributions since 1998 and the mission continues now onto certain aspects of interpretation of Section 65B of Indian Evidence Act.

At present, the Judgement delivered on September 18, 2014 in the case of Anvar P.V. Vs P.K.Basheer and others (Supreme Court of India Appeal No 4228 of 2012) in which a three member bench consisting of Justices R.M.Lodha, Kurian Joseph and Rohinton Fali Nariman delivered its Judgement, has become a subject of hot debates on how digital evidence has to be produced in a Court of law.

Though this case actually related to an election issue, it has become an important judgment that has laid down several cardinal principles related to Digital Evidence which will be considered as a significant contribution to the Cyber Jurisprudence in India.

Naavi has been providing his views on the interpretation of Section 65B from time to time and was the first person to provide Section 65B certified print outs of Web and CD documents to a Court way back in 2004 as part of his activities under Cyber Evidence Arhival Center (CEAC).  Now with his years of experience in this field it is time to record his views on this judgment.

The last article on this topic at Naavi.org did provide a detailed explanation on the section which is being further clarified in this article in comparison to what the Basheer Judgment says.

This post may require multiple readings and also a thoughtful, analytical reading. I suppose the time you spend on this article will be useful. Don’t forget to let me have your feedback.

Naavi


Problem of Oral Evidence

The first challenge in interpreting Section 65B is to unlearn our earlier concepts of how we looked at presentation of evidence all these days. For those who have  interpreted  evidence only from the point of view of “Oral” evidence and “Documentary” evidence for years, the advent of the new category of documents called “Electronic Documents” presents a new dimension not easy to interpret.

Is an electronic document consisting of a recording of spoken words (eg: an intercepted telephonic conversation) to be considered as an “Oral Evidence”?  or is it a “Documentary Evidence”?  What is a Web Page? Is it a documentary evidence? are dilemmas that confront us when we encounter electronic documents.

It is interesting to note that in the digital world, every Document is a binary expression and hence even a recording of an audio or video is actually a document written/expressed in “Zero”s and “Ones”. Hence the distinction of “Oral” and “Documentary” has no relevance when it comes to electronic documents. There is simply no”Oral Electronic Document”.

However there can be a discussion on “Oral Evidence as to the contents of an Electronic Document” which is different from an “Oral Electronic Evidence”.  In an Oral Evidence as to the contents of an Electronic Document, a person may orally state under oath that a certain electronic document contains or contained such and such things as different from presenting a print out to say “this is what the electronic document contains” and certifies it under Section 65B.

In the Afsan Guru Case [State (N.C.T. Of Delhi) vs Navjot Sandhu@ Afsan Guru on 4 August, 2005], oral evidence about the contents of an electronic document had been accepted without Section 65B certificate.

This decision to accept the electronic documents even though it was not certified under Section 65B has now been over-ruled in the Basheer case, where it was stated that Section 65B certificate would be mandatory when the contents of an electronic document are to be admitted in a Court.

However, it may be noted that if the genuineness of the Section 65B certified evidence statement is questioned, then it may be appropriate and necessary for examining oral evidence relevant to the objection.

First Principle enunciated by Basheer Judgment

The Basheer Judgment throws light on the fundamental principle of evidence presentation stating,

“Evidence is constructed by the Plaintiff and challenged by the defendant. Construction is through pleadings and proof is through evidence by relevant and admissible evidence. Genuineness, veracity or reliability of the evidence is seen by the Court only after the stage of relevancy and admissibility”.

Thus the judgment recognizes that there are two stages in which an evidence is seen by the Court one at the time of admission and then when  when its veracity is challenged.

This distinction provides clarification on when a “Oral Admission” may be relevant as well as the application of Section 45A the role of a Digital Evidence Examiner referred to under Section 79A of ITA 2000/8

The Judgment referred to Section 22A of IEA which stated “Oral admissions as to the contents of electronic records are not relevant, unless the genuineness of the electronic record produced is in question.”

Judgment also referred to Section 45A according to which the opinion of Digital Evidence Examiner (under Section 79A-When appointed)  is relevant only when the genuineness of an already admitted electronic evidence is in question.

Second Principle enunciated by Basheer Judgment

According to the amendment to Section 17 of Indian Evidence Act (IEA) introduced by ITA 2000, evidence consists of three types namely

a) Oral

b) Documentary

c) Electronic Document

This amendment has introduced the “Third Category of Evidentiary Statement” called “Electronic Documents” to the two other known type of documents and this was pointed out by the judgment.

The judgment did use the word “Documentary” in the following statement, namely,

“Electronic record produced for the inspection of the court is documentary evidence under Section 3 of The Indian Evidence Act, 1872.” (IEA),

This use of a seemingly contradictory term may need to be explained further to understand that there are two kinds of documents one which is equivalent to written documents and the other which is an “Electronic Record”, though both appear similar at first glance.

We shall now look back at Section 3 of IEA for more clarification.

This section as amended by ITA 2000  states:

“Evidence” means and includes…all document including electronic records produced for the inspection of the Court, ..such statements are called documentary evidence;”…(P.S: Here again the term documentary evidence for want of a better term but this is not the same as the category 2 document used in section 17)

Section 3 also states that “Documents” means any matter expressed of described upon any substance by means of letters, figures or marks, or by more than one of those means, intended to be used, or which may be used, for the purpose of recording that matter.”

Under Section 17 of the IEA, it states

An admission is a statement, oral or documentary or contained in electronic form, which suggests any inference as to any fact in issue or relevant fact, and which is made by any of the persons, and under the circumstances, hereinafter mentioned.

Section 17 clearly expands on Section 3 by listing a statement contained in electronic form as a third category of statements different from oral and documentary.

This aspect of Section 17 has been reiterated by the Court in its judgment.

When we recognize that “Contents of an Electronic Record” is a “Statement” which is neither “Oral” nor “Documentary” but is a separate class of “Document”, not withstanding the overlapping use of the words “Document” and “Documentary”, it is clear that the Law expects “Electronic Documents” to be considered as a different type of statement for the purpose of evidence act.

Hidden Principle under ITA 2000/8

We must also recognize the fact that the ITA 2000/8 defines “Electronic Document” and “Document in Electronic Form” which includes what is apparently a “Document” (as a term used in the paper world). Unless we look at things with discerning eyes, we may mis-interpret both ITA 2000 and IEA.

According to ITA 2000,

a document which is being prepared or having been prepared or have been prepared in a formalized manner and intended to be processed or being processed or has been processed in a computer system.. and in any form will be considered as an “Electronic Record/Document”.

In view of the above, a “Computer Print out” which for all ordinary eyes looks like a “Document” (category 2 of section 17 of IEA), is to the discerning eyes, actually a “Document in Electronic Form” (category 3 of Section 17 of IEA).

This fine distinction points to an important aspect of Section 65B  and relates to which of the computer print -outs require section 65B certification and which don’t.

My considered opinion is that

When the person signing the print out is the person who is the owner of the content of the print out, he may simply affix his signature to the document without a Section 65B certificate similar to a case where we use a Computer as a Type writer.

Hence, if a Bank Manager is signing a statement of account of a customer, he will simply sign without Section 65B certificate since he is authorized by the Bank to take responsibility for the transactions represented by the statement.

If however a document is viewed by a person other than the person who owns the content, and he has to provide a print out of the document, then he needs to provide a Section 65B certification.

Hence a kiosk operator of a e-Governance system who can view the land records in the computer can provide a certified copy as a print out though he is not the Tahasildar or the Village accountant provided he appends certificates as required under Section 65B.

The above distinction should clarify the existence of two types of computer print outs one which requires section 65B certification and the other which may not.

We may however state that Section 65B certification is more relevant when it is required to be admitted in a Court where as in other cases, it may only be considered as a “Standard”.

Naavi has adopted the Section 65B standard for all activities of Cyber Evidence Archival Center (www.ceac.in) as well as activities under odrglobal.in so that CEAC-certified of electronic documents can be used both for production to a Court in India or otherwise.

Third Principle Enunciated by Basheer Judgment

The next principle that the Basheer Judgment has enunciated is regarding the Oral Admission and the earlier decision in the Afsan Guru case.

The Basheer judgment referred to Section 59 (amended) of IEA which states

Proof of facts by oral evidence.—All facts, except the contents of documents or electronic records, may be proved by oral evidence.

Reference was also made to Section 65A of IEA which states

Special provisions as to evidence relating to electronic record: The contents of electronic records may be proved in accordance with the provisions of section 65B.

Reading the above two sections together, the Judgment held

“…in view of Sections 59 and 65A, an electronic document can be proved only in accordance with the procedure prescribed under Section 65B.”

(We shall discuss Section 65B separately below)

Fourth Principle enunciated by Basheer Judgment

The judgment clarified that

“Proof of electronic record is a special provision introduced by the IT Act amending various provisions under the Evidence Act. The very caption of Section 65A of the Evidence Act, read with Sections 59 and 65B is sufficient to hold that the special provisions on evidence relating to electronic record shall be governed by the procedure prescribed under Section 65B of the Evidence Act. That is a complete code in itself.”

It categorically mentioned that “Being a special law, the general law under Sections 63 and 65 has to yield.”

It was under this principle that the Afsan Guru judgment on Section 65B certification was overturned. It is the same thought process which should also clarify on the debate over Primary and Secondary documents with reference to the electronic documents.

The Primary vs Secondary Document debate

While we agree fully on the principles that the contents of an electronic document at the admission stage has to be presented only with Section 65B certification, (detailed procedure for which is discussed subsequently below) we have to point out that the Judgment was not able to fully keep itself free from the concept of “Primary” and “Secondary” Documents in respect of Electronic records though an apparently reasonable argument was used for describing the difference.

The judgment held that

“An electronic record by way of secondary evidence shall not be admitted in evidence unless the requirements under Section 65B are satisfied.”

It continued to state

“… in the case of CD, VCD, chip, etc., the same shall be accompanied by the certificate in terms of Section 65B obtained at the time of taking the document, without which, the secondary evidence pertaining to that electronic record, is inadmissible”

It also stated,

“The situation would have been different had the appellant adduced primary evidence, by making available in evidence, the CDs used for announcement and songs. Had those CDs used for objectionable songs or announcements been duly got seized through the police or Election Commission and had the same been used as primary evidence, the High Court could have played the same in court to see whether the allegations were true. That is not the situation in this case. The speeches, songs and announcements were recorded using other instruments and by feeding them into a computer, CDs were made therefrom which were produced in court, without due certification.

It is clarified that notwithstanding what we have stated herein in the preceding paragraphs on the secondary evidence on electronic record with reference to Section 59, 65A and 65B of the Evidence Act, if an electronic record as such is used as primary evidence under Section 62 of the Evidence Act, the same is admissible in evidence, without compliance of the conditions in Section 65B of the Evidence Act.”

The part of the judgemental statements made above are significant since it makes a distinction of “Primary” and “Secondary” documents holding CDs used in the commission of offence is “Primary” evidence and “CDs produced in copies” is “Secondary”. It also provided the option that Primary evidence could have been proved without Section 65B certification.

I would like to note a point of difference on the above though it may not alter the effect of the Basheer judgment on the Section 65B certification per-se.

In my opinion, it is not necessary and perhaps it is futile to make a distinction between “Primary Electronic Record” and “Secondary Electronic Record”. In practice electronic evidence presented in a Court is always “Secondary”.

When a CD played during an offence (Primary Evidence) is presented in a Court, what is presented is a “Container” of electronic document and not the “Electronic Document” itself.

The electronic document is present inside the container in the form of “Binary Expressions”.

These binary expressions contain both “Meta Data” and “Data”. The “Meta Data” is contained in the header information of the file which indicates what is the type of the file and what is its dependency on an application and operating system.

When this CD is inserted in a computer device, the device first reads the header information and understands say that “this is a mp3 file” and “I need to use an appropriate application” and “Send the instructions to the speaker”. Then the speaker will play the voice/music. If it is an mp4 file, the computer will understand ” I have to send the audio stream to the speakers and the video stream to the screen using appropriate applications”.

If the computer does not use the appropriate applications riding on appropriate operating systems, the output would be intelligible and even if attempted, the Judges cannot hear or experience the electronic document. It would be similar to an encrypted text file which has no meaning until it is decrypted.

To make things more clear, I give below what is the original electronic file and what is the file which human beings can read after the multiple processing that it undergoes in the computer.

Primary Document in Binary form What a Judge can see after processing
01010111 01101000 01100001 01110100 00100000 01100001 00100000 01001010 01110101 01100100 01100111 01100101 00100000 01100011 01100001 01101110 00100000 01110011 01100101 01100101 What the Judge can see

What you see on the left is the original binary expression (P.S: We have added padding in between bytes just to make the stream look better without which it will run as a single steam) of a sentence that reads “What the Judge can see” .

What the Judge will see on a computer is on the right column which is a product of several processes that the computer has already completed before displaying it on the screen in a human readable form. Is this then a “Primary” document? or a “Secondary” document? is the question that arises.

The question of “Judge seeing” (or hearing) an electronic document as a “Original” document if they had been seized and played in the Court  therefore does not arise.

If a person who has heard the contents when it was originally played, can depose, it will be a oral evidence of the event. Similarly, if the Judge takes cognizance of what he hears then he himself becomes the witness as to the content if he can record it so.

The summary of this is that in the case of electronic documents, it is preferable if we donot discuss the “Primary” and “Secondary” versions of an electronic record. It may be possible to bring the container which has the “Primary Document” but it is like an “intangible” object which cannot be touched, or heard or seen except when rendered in secondary form.

Every electronic record is therefore to be considered as “Secondary” document only.

Hence when it is required to prove an electronic record, what is relevant is

a) Direct evidence when the owner of the content deposes orally in which case he can produce the computer output as a rendition from the computer used as a typrewriter

b) Indirect evidence when a third party produces a print out or a digital copy of another electronic record and certifies it under Section 65B.

If we accept this principle, there is no need to completely overrule the Afsan Guru judgment since (if my information is correct), in that case the persons who had produced the electronic documents without the Section 65B certificate had actually deposed as witnesses.

Having recorded our agreements and a minor disagreement with the Basheer judgment, to complete the record let’s go onto explain the process of Section 65B.

I have already discussed this in earlier articles but I would like to reiterate it here for the sake of completeness.

The Process of Certification under Section 65B

The section contains five subsections followed by an explanation.

The title of the section is “65B. Admissibility of electronic records”.

This indicates that this is a section independent of Section 65 and concerns with the “Admissibility”.

Section 65A confirms that what we are dealing here are “Special Provisions” as to evidence relating to electronic record and 65B represents the provisions according to which contents of electronic records may be proved.

Sub-section (1):

The subsection (1) states as follows:

(1) Notwithstanding anything contained in this Act,

-any information contained in an electronic record

-which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (hereinafter referred to as the computer output)

-shall be deemed to be also a document,

-if the conditions mentioned in this section are satisfied in relation to the information and computer in question and

shall be admissible in any proceedings, without further proof or production of the original,

-as evidence of any contents of the original or of any fact stated therein or which direct evidence would be admissible

This sub section explains the entire purpose of the section and refers to a “Computer Output” which shall be admissible in any proceedings without further proof or production of the original.

The “Computer Output” is the Print out of the contents of an electronic record or a copy rendered in a media such as a CD.

The sub-section  makes a reference to the “Conditions” under which the Computer output shall be admissible which is available later in the section.

It is critical to notice that the entire section refers to conversion of the contents of an electronic document into an admissible form of a computer output and nothing else.

If we fail to notice that the section is entirely on rendition of an electronic record into an admissible form of computer output, we are likely to make mistakes in interpreting further aspects of this section in the subsequent sub-sections. Read the sub section (1) again if necessary before going further.

Please note that Section 65B also makes a clear statement in this regard that a computer output produced with Section 65B certificate is to be considered as “also a document” and does not state it is a primary or secondary document. It only states that this computer output is also deemed to be a document acceptable without the production of the “original” and does not specifically state that it is a “acceptable secondary document”

Sub-Section (2)

Sub-section (2) states as under:

(2) The conditions referred to in sub-section (1) in respect of a computer output shall be the following, namely :-

(a) the computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer;

 (b) during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities;

(c) throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and

(d) the information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities

This sub-section introduces certain aspects of practical significance which require jurisprudential interpretation.

If we accept the interpretation of the Sub-Section (1), sub section (2) should be applied to the process of rendering the computer output for the purpose of admissibility. This “Printing Out” or “Copying” of the original content into the “Computer Output” is done mostly by one operator who controls the computer in which the electronic content is being seen and there is a printer (or a CD writer or a USb Drive) attached to such a computer.

When an electronic document which lies in a web server is seen by a user, the copy of the electronic document in the web server has already been transmitted into the user’s computer and the print out when taken  is from that computer.

In an earlier paragraph, we explained that when a computer plays a video file which we humans see and hear, it uses one or more applications and one or more output devices.

Similarly, when we see a web document on a computer, the “Original” binary file lies inside the web server and is broken into TCP/IP data packets and sent across multiple routers in multiple directions, some times multiple times and ultimately the browser in the user’s computer recognizes these packets with reference to the meta data contained in them and assembles them into a contiguous form and then pushes them onto the output devices connected to the computer to provide the experience of the web document. Some times a single page on a website may be constructed dynamically in the user’s computer with components coming from different web servers situated in different places.

Some people try to interpret the “Said period”, “Computer”, “Lawful controller” used in the sub-section as to

a) The period in which the content was compiled

b) The web server

c) Administrator of the web server

Such people expect the Section 65B certificate to be issued by the administrator of the web host.

In my opinion this interpretation is incorrect and infeasible.

If we are looking at a content which is compiled over a time such as a Bank account statement of an account for the period 1.4.2015 to 31.3.2016, the document is a compilation of activities over a one year period. The section 65B(2) does not refer to this period of one year.

If we are looking at the computer of the bank where the statement of account is compiled, it may involve multiple computers from which different data base elements are dynamically drawn to compile a viewable document. Also there could be multiple owners of such computers including the owners of internet routers through which the data passes through.

It is therefore not possible to expect the administrators of all these computers to certify the document.

We therefore consider it necessary to apply this section entirely to the process of generating the computer output which is being produced to a Court for admission. This process starts when the user of a computer sees the fully compiled user viewable document on his computer and gives a CTRL+P command to print the page he is viewing or CTRL+C and CTRL+V to copy the contents into another device. It is also possible that he may use a mouse command to print or copy or even use other automated processes.

Forensic people may also use some special tools of their own to see what others without the tools may not see and print out or copy such content which can be seen only with the use of special tools.

It is therefore critical for us to accept that the Section 65B certification is like a photographer who takes a photograph and says that this is the photograph I have taken on such and such a day at such and such place and I have not tampered with it.

The expertise required by such a person is to the extent of using the tools required to view and print/copy the said computer output. Of course he should be contractually capable since he is providing a certification as part of Court documentation.

Subsection (3)

The subsection (3) states as follows:

(3) Where over any period, the functions of storing or processing information for the purposes of any activities of any regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by computer, whether-

(a) by a combination of computers operating over that period; or

(b) by different computers operating in succession over that period; or

(c) by different combinations of computers operating in succession over that period; or

(d) in any other manner involving the successive operation over that period, in whatever order, of one or more computers and one or more combinations of computers.

all the computers used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer; and references in this section to a computer shall be construed accordingly.

This sub section is self-explanatory and does not require much elaboration. It however confirms that if the viewer has been using a networked device either to view or to print or to copy, all the connected devices will be considered as a single device for which he is providing the certification.

Sub Section (4)

(4) In any proceedings where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things, that is to say,-

(a) identifying the electronic record containing the statement and describing the manner in which it was produced;

(b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer;

(c) dealing with any of the matters to which the conditions mentioned in sub-section (2) relate, and

purporting to be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate) shall be evidence of any matter stated in the certificate; and

for the purpose of this sub-section it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it.

This sub section indicates the contents that are required to be included in the Section 65B certificate. The Section 65B certificate will be a statement which should identify the electronic record (Computer Output) which the subject matter of certification. It should also reasonably describe the devices involved in the production of the Computer Output and should be “Signed”. If it is a printed report, it should carry a physical signature and if it is another electronic copy, it should carry a digital signature.

“Occupying a responsible official position” may be relevant when the certificate is produced by an organization where multiple persons may be involved in operating the device or set of devices.

This also clarifies that in the case of an organization, the signature is provided in the name of a in the “Official capacity”. This could mean that when a subsequent deposition in a Court is required, it should be possible to depute an “Official substitute” without insisting on the same person who has signed to be present.

The sub section also provides that the certificate may state “to the best of the knowledge and belief” of the person providing the certificate. This also is extremely important since the certificate is being provided in good faith of what the person sees under specific circumstances which may change.

An example could be that a website might have configured certain content to be customized to the viewer say for example advertisements or language. When I view the page from Bangalore, I may view certain ads and content which another person who views from Mumbai may not view. Hence there could be a difference between what two different witnesses may say while viewing the content which is assembled on a dynamic rule and controlled on the basis of cookies or IP address or recorded behavioural analytics etc.

The “best of my knowledge and belief” is therefore a necessary disclaimer that the Court should accept rather than considering that the statement is vague because of this provision.

Sub Section (5)

(5) For the purposes of this section,-

(a) information shall be taken to be supplied to a computer if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment;

 (b) whether in the course of activities carried on by any official, information is supplied with a view to its being stored or processed for the purposes of those activities by a computer operated otherwise than in the course of those activities, that information, if duly supplied to that computer, shall be taken to be supplied to it in the course of those activities;

(c) a computer output shall be taken to have been produced by a computer whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment.

This sub-section provides accommodation for the activities of collection, processing and storing of information through automated devices and processes without human intervention.

Explanation

The explanation to the section states :

Explanation.- For the purposes of this section any reference to information being derived from other information shall be a reference to its being derived there from by calculation, comparison or any other process

The explanation is meant to remove any ambiguity as to the processes that may be involved in rendering the computer output which may include the reading of the header information, collation of different data packets etc.

Conclusion

The Basheer Judgment vindicates what Naavi has been holding out as the interpretation of Section 65B that any person who can view an electronic document, can provide a certified copy in the form of a print out.

It was under this principle that the first Section 65B certified copy of a document was presented in a Court in India. It was the CEAC certified copy of a document lying on yahoo group server presented by Naavi to the AMM court in Egmore, Chennai in 2004 in the case of State of Tamil Nadu Vs Suhas Katti. At that time while accepting the evidence and examining the undersigned as an expert witness, the defense in its plea raised an objection that Naavi was not a “Government Appointed Person”. The Court rejected the objection and said that no such condition is imposed under law.

P.S: This position has not changed even now after Section 45A was added to IEA, since the Digital Evidence Examiner (as and when appointed) will be assisting the Court in establishing the genuineness of the Section 65B certified evidence and not at the admission stage. If a 65B certified copy of an electronic document presented by say Naavi is questioned for genuineness, it is open to the Court to invite a Digital Evidence Examiner designated under Section 79 to examine and provide an opinion to the Court.

Subsequently, Naavi was also invited by the same AMM Court in Egmore, Chennai, to view some CDs captured from a scene of crime (termed as the Original evidence in the Basheer case) and asked to provide a certified print copy (termed as secondary evidence in the Basheer case) with Section 65B certificate. In this case the CDs were observed by Naavi and printouts were provided. Though the Judge himself could have viewed the documents, he rightly sought the assistance of an external person since he could not himself be a witness to the document. (As suggestively indicated by the Basheer judgement which I do not agree to).

After this, over the years, I have submitted several CEAC certified documents that involved web pages, e-mails mobile content, etc in some cases involving use of simple forensic tools. In all such cases the report has explained the process used in getting an electronic document on the computer screen of the observer (in this case, Naavi) and then printing it out either directly through an attached printer or copied onto other electronic devices and then printed out.

The Basheer judgment fully vindicates the procedure followed by Naavi in Cyber Evidence Archival Center (CEAC) though standardization of process has been difficult. There are cases involving documents on computer or mobile or CCTV captures or company’s internal servers etc. Each time it has become necessary to design a process to capture the documents and render the “Computer Output” in a manner in which it satisfies Section 65B of Indian Evidence Act.

Hopefully, after this detailed explanation of the section, whatever doubts were there in the minds of advocates and some trial judges would be cleared and they would be prepared to accept Section 65B certified evidences in proper form and reject those in improper form so that the evidentiary value of the digital evidence taken up for examination in Courts remain high.

I am open to questions being raised on what I have stated above and willing to provide my clarifications. Even if readers do not have any objections and accept what is written above, I will be glad to receive their views in positive confirmation.

So, Whether you agree or disagree, donot fail to send me an e-mail.

Naavi


Naavi on Responsibility of Bankers for E Banking Frauds

Cyber Society of India (CySi), Chennai of which Naavi is the founder secretary, conducted a one day workshop on Cyber Crimes on August 6, 2016.

Naavi spoke on the Role and Responsibility of Bankers  covering the legal implications under ITA 2008 and the Cyber Security Framework of RBI.

This talk was before August 11, 2016 when RBI further tightened the screws on the Bankers through the draft circular on Limited Liability of customers.

Here is a video link to the session of Naavi. Each video is around 26 minutes.

You are welcome to send me the feedback.

Naavi


Ministry of Civil Aviation should explain security of proposed WiFi on airplanes scheme

Yesterday, the Ministry of Civil Aviation made a public announcement that in about 10 days, passengers in Indian air space may be allowed to connect to Internet through a WiFi connectivity on the airplane.

It must have appeared exciting to hear a seemingly technological advance and several people who heard the official clapped at the announcement.

Unfortunately, it rang alarm bells in my mind as to the new kinds of risks that the ministry is hoisting on the air travel and a doubt if the known risks have been hedged.

It is time for an immediate RTI to be filed to enquire if a proper Information Security Audit has been conducted by the appropriate authorities before this service has been contemplated. (I request any of my friends in Delhi to immediately file an RTI with the Ministry of Civil Aviation and DGCA)

It is expected that the WiFi system could be similar to what is being used in USA and involve either

a) connectivity through mobile towers on ground which connect to a WiFi router on board

b) connectivity through a satellite link that connects to the WiFi router on board.

In either case, the service will be priced (could be prohibitive) and therefore there will be a log in to a specific website from which the access will be authorized to the router.

At present it is expected that the bandwidth will be low and will be shared by all the persons on board.

(More details of the technical aspects would be known once the service is announced)

While it is clear that in long haul flights, it may have value to have connectivity to send and receive e-mails or messages or even browsing some websites for urgent work, it is necessary for us to consider the risks that this proposed system would bring in to the Indian fliers.

The risks are of two types.

  1. Risk that one user of the WiFi network may be vulnerable to another user hacking into his computer. This could result in data leak as well as ransom ware attacks. In case of corporate customers carrying sensitive files in their computer and e-mails, this is a huge risk and necessary of being addressed in the Information Security policy of the organization. (To say… “Use of on-board WiFi not allowed”).
  2. Risk that a hacker on board or otherwise hacking into the communication systems of the plane and causing a terror attack which may crash the plane.

Some of these risks can perhaps be mitigated by securing the WiFi router adequately and segregating the communication network of the plane from the WiFi network. However, this is more a theoretical exercise and in practice, it is not possible to fully secure the system against hacking.

The admission of Mr Chris Roberts who hacked into a plane’s engine through its entertainment system and made it to execute a “Climb” unauthorizedly should open the eyes of anyone who thinks that security will be adequately managed by the airline staff.

The truth is that if we provide a single strand of entry to a hacker anywhere near the critical system, he will find a way to get in completely. The WiFi router could be one such entry point through which the hacker can enter and cause damages both to other passengers and to the air craft itself.

It is therefore not prudent for the Indian Civil Aviation authorities to introduce the WiFi on board.

I therefore call upon the Ministry to withdraw the pronouncement or clarify through a public statement what security measures have been initiated in this regard and who is accountable in case of a breach of security.

Naavi

Related Articles:

How does airplane Wi-Fi work? And will it ever get any better?

How Does In-Flight Wi-Fi Really Work?

 A look at the security of Wi-Fi on a plane: 

Midair Hack Shows the Dangers of In-Flight Wi-Fi:

Wi-Fi security – can inflight internet REALLY hack planes?

FBI: Hacker claimed to have taken over flight’s engine controls: 

Aviation experts dispute hacker’s claim he seized control of airliner mid-flight