Let's Build a Responsible Cyber Society




Why US PATRIOT Act is required in India?

The Indian National Cyber Security Forum (INCSF), in its first formal meeting on 6th December 2008 at Bangalore, advocated that what India now needs as a counter cyber terrorism response in terms of legal structure reform is an Indian PATRIOT Act, and that a mere addition of a "Cyber Terrorism" clause in the ITA 2000 amendments is not sufficient. I would like to elaborate on the reasons why this suggestion is being made by INCSF. ... Naavi


The amendments to ITA 2000 have been in contemplation since around January 2005, when an "Expert Committee" was formed for the purpose in the aftermath of the arrest of the then baazee.com CEO under Section 67 of ITA 2000. Without understanding the concept of "Due Diligence", many industry stalwarts at that time were made to think that there was a serious flaw in ITA 2000 which needed to be amended immediately. When the amendments were recommended in August 2005, concerned observers were horrified to see that it was simply an exercise to bail out baazee.com at the expense of diluting the law through various means. Naavi's concerns were captured in a series of articles published at that time and again in another set of articles published in 2006. (See details here).

Fortunately, the amendments which were cleared by the Cabinet Committee as the ITA 2000 amendment Bill were referred to a Parliamentary Standing Committee headed by Sri Nikhil Kumar, which submitted a report by October 2007 severely criticizing the provisions. The Bill was sent back for revision to the MCIT, which has now brought the Bill back to the Parliament to be presented in the next few days.

One of the observations made by the Standing Committee was that the amendments had not focussed on issues such as penalizing "Cyber Terrorism".  Now that the public expectation is on better legislation to meet terrorist threats, there are demands for legislation to address countering "Cyber Terrorism". The GOI which has steadfastly refused to bring in POTA or similar legislation for addressing "Terrorism" may hold out the amendments to ITA 2000 as its specific response to counter terrorism in general and Cyber Terrorism in particular. Already noises are being made about the provision being made on "Cyber Terrorism".

There is no doubt that there will be one clause on defining "Cyber Terrorism" and suggesting an imprisonment of say up to 10 years in the forthcoming amendments.

The INCSF has a genuine concern that, going by the general trend of the amendments to reduce punishments for Section 66 and to make dishonesty and fraud preconditions for invocation of Section 66, as well as the dilution of Section 79 to remove the "Due Diligence" requirement for intermediaries, the amendments may turn out to be only a half-hearted attempt to counter Cyber terrorism. It is therefore felt that we need to address the issue of increased powers to the Police for arrest without warrant and a more liberal provision for "Admissibility of Evidence" than what is provided in Section 65B of Indian Evidence Act.

It is in this context that INCSF has advocated that we need a comprehensive legislation similar to the US PATRIOT Act which addresses several dimensions of the requirements to tackle the problem of Cyber terrorism.

What is PATRIOT Act?

The full name of the act is itself very revealing of its intentions and we need to note the same. US PATRIOT Act stands for "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism" Act.

The Act has 10 different titles covering the following areas.











A detailed study of the Act is outside the scope of this article. But what is required to be noted is that this Act is much more comprehensive than the POTA act, which we in India are thinking of as the ultimate legislative protection against Terrorism. While the GOI is hesitant to introduce even the POTA equivalent legislation, the Government may not be considering a legislation of the type of the US PATRIOT Act.

However, INCSF would like to highlight what is required at least for addressing the requirements regarding a Cyber Terrorism Act. In a way, this is what we can press for as the "Indian Cyber Space Protection Act", which draws ideas from the US PATRIOT Act.

Some Key Provisions to be Considered

Definition of Cyber Terrorism

One of the first provisions which we need to fix is "Defining Cyber Terrorism". We do not know what the amended ITA 2000 is contemplating as the definition of "Cyber Terrorism". We may however discuss what options are available.

The FBI in the USA has defined Cyber Terrorism as: "Any premeditated, politically motivated attack against information, computer systems, computer programs and data which results in violence against non-combatant targets by sub-national groups or clandestine agents".

One of the problems that can be identified with this definition is that it restricts the definition to "Politically motivated". India faces a terrorism which may be more "Religiously motivated" and not "Politically motivated". The definition is also dependent on the definition of the term "Violence". In the Cyber Terrorism context, the term needs to be explained to include violence on "Virtual Properties".

The US National Infrastructure Protection Center defines "Cyber Terrorism" as "A criminal act perpetrated by the use of computers and telecommunication capabilities, resulting in violence, destruction and/or disruption of services, to create fear by causing confusion and uncertainty within a given population with the goal of influencing a government or population to conform to particular political, social or ideological agenda."

This definition is better than the FBI definition since it extends the definition to social or ideological agenda.

Even this definition however ignores the need to define "Cyber Terrorism" to include "Propaganda, technical assistance for hosting, Phishing, Spamming etc". The US PATRIOT Act may perhaps cover this in other provisions under the Act, since it is a comprehensive legislation which includes other provisions (discussed later in the series of subsequent articles).

If we depend on amendments to ITA 2000 to do everything for Cyber terrorism, then the definition becomes very important.

One suggested definition could be as follows:

Cyber Terrorism means:

using a Computer, Mobile or any associated device or an Electronic Document

to intimidate or coerce the Government, its civilian population, or any segment thereof, of India or its friendly countries

to create disharmony in the Indian society or the society of any of the friendly countries

to create destabilization of the economy or any segment thereof either on the physical space or cyber space in India or in any of the friendly countries

in furtherance of political, religious or social objectives or to harm the community injuriously by any means,

or any attempt thereof, or providing any assistance thereof.

Explanation: "Friendly countries" under this section means those countries declared as "Friendly countries for the purpose of this act" through a gazette notification and with whom India has a mutual Cyber Terrorism Resistance Treaty.

This definition does not include "Violence in Physical Space" because causing violence in physical space through an electronic device is already covered under the IPC and other physical space laws. It is expected that countries such as Pakistan would not be declared as "Friendly Country". In the event any ethical hacker group carries out any attack on the unfriendly country's cyber resources, it would not be considered as an offence under this provision. (It is however envisaged that a proper regulatory system would be set in motion to ensure that people would not take law into their own hands, which will be discussed elsewhere in this series of articles.)

Powers of Police

Additionally, Section 80 of ITA 2000 (which the Expert Committee wanted to be deleted) should include a special provision to say that in case of a suspected Cyber terrorist Act, the Police may arrest without warrant and conduct search and seizure in any place (not restricted to public place). Similarly, Section 65B of Indian Evidence Act should clarify that in respect of evidence against a Cyber Terrorism Act, a certificate by an authorized official of an ISP (including foreign ISP), even without a certified print copy, may also be admissible as evidence. Additionally, the testimony of witnesses over video conferencing should also be made admissible. It should also be ensured that Intermediaries do not have any exemption under Section 79.

At the same time, in order to ensure that there is no misuse of the powers by the police, Cyber Terrorism cases may be investigated only by a police officer of the rank of an SP, and suitable documentation and reporting to higher authorities should be introduced on the actions taken by the Police, such as classification of a reported offence as "Cyber Terrorism", as well as arrests made, seizures effected, notices served and responses received from intermediaries etc.

(To Be continued)


December 9, 2008
