Let's Build a Responsible Cyber Society



A Change for the Better-Victory for the Consistent Campaign

On August 29, 2005, the Ministry of Communications and Technology (MCIT) first made public the recommendations of the "Expert Committee" formed in December 2004 to review the Information Technology Act. On August 30, Naavi.org first commented on the proposal stating that it was "A Law By the Privileged for the Privileged and to protect the privileged". Over the next three years until December 25, 2008, Naavi.org had been consistently campaigning against the proposed amendments calling it "Criminal Friendly". "Intermediary Protection Act" etc. Now it is our turn to commend the ITA Amendment Bill 2008 which has addressed all the concerns expressed earlier and made the law stronger. The Parliamentary standing committee under the chairmanship of Mr Nikhil Kumar deserves a huge appreciation for the changes that ultimately were made to the Expert Committee's report and the resulting version of Information Technology Act Amendment Bill 2006. We do consider that the campaign by Naavi all through these three years should have also contributed in some measure to the drastic changes that were finally made to the Bill. We express our relief that the law was not diluted as it was earlier envisaged but was hardened as we wished. Now it is time to focus on the academic exercise of analysing the changes, the need for appropriate rules and notifications so that the good intentions reflected in the act are realised.... Naavi

Comments of Naavi on the Amendments Proposed to ITA-2000 vide ITAA 2008
Section Change Proposed Comments

Section 1(4) list of excluded documents removed. To be notified through Gazette

This may be considered as a procedural simplification. Could help subsequent changes to be made through notifications. A notification is required whenever for excluding any document from the Act.  Schedule I of the new Act contains the list of excluded documents as per the earlier Section 1(4). This may be considered as meeting the requirement of the notification at this point of time.


2(d) modified, and  the term "Digital Signature" replaced with "Electronic Signature" in the Act.

Necessary due to the introduction of the umbrella authentication system called "Electronic Signatures". Digital Signature system will remain as one of the incidents of Electronic Signatures permitted under law.

  Section 2(ha) added to define "Communication Device"

Cellphones, PDAs etc are specifically brought under ITA 2000 though these were considered part of the definition of "Computer". The use of the term "any other device used to communicate, send or transmit" extends the definition to ATMs or Credit Card swiping devices etc.

  In 2(j) "Computer Systems" and "Communication Devices", "Wire"  "Wireless"  added.

Clarification  Welcome

  In 2(k) "Communication Device" added


  2 (na) introduced to define the term "Cyber Cafe"

Places where access to Internet is allowed to public is called "Cyber Cafe". Any other network where closed groups such as employees or students are allowed is not covered.

It would have been better perhaps to define "Internet" also.

  2(nb) introduced to define the term "Cyber Security"

Definition includes physical security of devices as well as Information Security.

  2(ta) and 2(tb)  introduces the term of "Electronic Signature" and "Electronic Signature Certificate"

Definition includes Digital Signature and Digital Signature Certificate

  2(ua) defines "Indian Computer Emergency Response Team"

Provides a statutory base to the department.

  2(v)-"Message" included in the definition of "Information"

Clarification welcome

  2(w) "Intermediary" defined

Includes service providers etc. Initially "Body Corporates" as defined in Sec 43 had been omitted. This omission has now been removed.

  Section 3 now refers to legal recognition of electronic documents.

This is a reproduction of the earlier section 4.

3 No Change No Comments
  New Section 3 A introduced to define Electronic Signature

This is an enabling provision to permit systems other than PKI based systems for authentication purpose. Second schedule of the Act is reserved for notifications made for new systems other than the Digital Signature already defined in the Act.

In Sec 3(2) the word "Shall" should have been replaced by the word "may"

4,5 No Significant Change No Comments
6 New Section 6A introduced to provide for appointment of Service Providers in e-Governance services

Clarification Welcome

  New Section 6A introduced to enable delivery of services by private service providers Welcome
7 No Change No Comments
  New Section 7A introduced to make audit of Electronic documents mandatory wherever the legacy physical records were subject to audit.

It is a clarification and welcome. Huge responsibility is now cast on the Government to get its electronic records audited.

8,9 No Change No Comments
10 No significant Change No Comments
  New Section 10 A specifies that contract formation is possible with offer and acceptance being in electronic form.

This is stating the obvious. Redundant and could cause problems for transactions between October 17, 2000 and the new date of effect of this amendment. An explanation that this would not affect electronic contracts already entered into would have been in order.

11.12,13,14 No significant change No Comments
15,16 Defines "Secured Electronic Signature" and refefines "Security Procedure" No Comments
17,18,19 No significant change No Comments
20 Section deleted

The responsibility of the Controller to act as "Repository" has been removed. While the logic is that this should be the responsibility of the individual CA, the CCA has abdicated its responsibility for developing a trusted PKI infrastructure. This is an admission of the failure to provide a proper repository until now. The CAs also have not so far provided a satisfactory repository service and this will continue to be a lacuna in the system.

21 No significant change No Comments
22, 23 The amount of specified upper limit on the  fees deleted. Welcome
24,25,26,27 No significant change No Comments
28,29 No change in 28. In Section 29, the powers have been restricted to contraventions under this chapter.

Section 28 provides powers to the controller for contraventions under this "Act" while powers under Section 29 is available only for contraventions under this "Chapter". Appears to be an anomaly to be corrected since investigations may be required for contraventions under Chapter IX and Chapter XI

30 Consequential Changes with introduction of Electronic Signatures No Commetns
31,32,33,34 No significant change No Comments
35 Sub section (4) modified

This change was due right from 2000 and was sought to be corrected by an administrative notification earlier. Better late than never.

36 Additional points to be added in the certificate indicated

No Comments on the change. No CA appears to be adding this certificate as a narration within the body of the Digital Certificate. It is required as a mandatory statement to be sent by the CA to the subscriber and also a part of the CPS.

37, 38,39 No change No Comments
40 No change in 40. New Section 40A introduced to cover Electronic signature No Comments
41,42 No Change No Comments

Two new contraventions added-contraventions corresponding to Sections 65 and 66 added for civil liability.

compensation limit removed.

The removal of limit for compensation is a significant change.

  New Section 43 A included for "Data Protection" need.-specifies liability for a body corporate handling sensitive data, introduces concept of "reasonable security practices" and sensitive personal data. No limit for compensation

A significant provision to satisfy the "Data Protection" need. We need to watch out for definition of  "Reasonable Security Practices" and "sensitive personal information"

44,45 No significant change No Comments
46 The powers of the Adjudicator limited for claims upto RS 5 crores. Civil Court's authority introduced for claims beyond Rs 5 crores

Significant Change that brings Civil Courts below the High Court into the Cyber Related disputes for the first time.

47 No significant change No Comments
48 Changes name of Cyber Regulations Appellate Tribunal to Cyber Appellate Tribunal. No Comments
49 Cyber Appellate Tribunal (CAT) is made a multi member entity. Provision for benches introduced, non judicial members can be members of the Tribunal.

Excellent  move. Provides for more expertise for the Tribunal.

The appointment of the members other than the Chairperson requires consultation with the Chief Justice of India under sec 49 (2). This is with slight conflict with Section 50(2).

50 Specifies qualifications for appointment of Chairperson and Members of the CAT.

Choice of members restricted to Government Officers. This may restrict the talent available.

51,52 Specifies terms and other conditions of appointment of Chairman and Members of CAT No Comments
  New Sections 52 A, B C and D introduced defining powers of the Chairperson of CAT for conduct of business. No Comments
53 ,54,55,56 No significant change No Comments
57.58,59,60 No Change No Comments
61 Amended to accommodate jurisdiction of Civil Courts for disputes involving claims of over RS 5 crores. No Comments
62 No Change High Court remains the appeal Court for decisions of the Adjudicator though other Civil Courts will have jurisdiction for cases where the compensation claimed is RS 5crores plus
63 No Change No Comments
64 No significant change No Comments
65 No change No Comments
66 The clause has been re written with significant changes. Applies to all contraventions listed in Section 43. Fine increased to Rs 5 lakhs The section applies only of the act is done "Dishonestly" or "Fraudulently"
  New Sections added under 66A, 66B,66 C,66D, 66E and 66 F to cover new offences. Welcome move to clarify and expand  the scope of the Act
  66A: Sending offensive Messages Applies to Grossly offensive or menacing  or false information.

Also covers Cyber Stalking and Phishing

  66B: Receiving a Stolen Computer Resource Applies to purchase or trading or use of stolen computers or mobiles besides information.
  66C: Identity Theft Applies to Password theft, theft of cryptographic key etc
  66D: Cheating by personation Applies to Phishing, Job Frauds etc
  66E: Violation of Privacy Applies to Video Voyeurism
  66F: Cyber Terrorism

Provides Life Sentence, though definition is not considered comprehensive.

67 Fine increased to Rs 5 lakhs for first instance and Rs 10 lakhs for subsequent instance. Imprisonment reduced to three years for first instance and 5 years for subsequent instance.

Not considered significant.

  New Section 67A introduced to cover material containing "Sexually Explicit Act" Increased imprisonment and fine compared to Sec 67.

This is a sub-set of Section 67 and compared to the existing Section 67, it does not represent any significant change.

  New Section 67B introduced to cover Child Pornography with stringent punishment. Imprisonment 5 or 7 years and fine RS 5 or 10 lakhs for first and subsequent instances respectively. Also covers "grooming" and self abuse

Welcome change

  67C: This is a new section introduced requiring Intermediaries to preserve and retain certain records for a stated period Excellent Provision. Period of retention needs to be notified.
68 Refers to the powers of the Controller to direct Certifying Authorities for compliance. No significant change. Penal powers to be applicable only on intentional violation No Comments
69 Scope extended from decryption to interception, monitoring also. Control will be on a designated officer and not the Controller. Welcome Provision
  69A: New Section introduced to enable blocking of websites. Welcome Provision
  69B: New section that provides powers for monitoring and collecting traffic data etc Welcome Provision
70 Critical Infrastructure System defined and section restricted to only such systems. Security practices to be notified Welcome Provision
  70A: New Section added to define National Nodal Agency for Critical Information Infrastructure protection Welcome Provision
70B Indian Computer Emergency Response Team to be the nodal agency for incident response Welcome Provision
71,72 No Change

No Comments

  72 A: New Section introduced for Data Protection purpose Welcome Provision
73,74,75,76 No change No Comments
77 No Significant Change No Comments
  77A; New Section introduced to provide for Compounding of offences with punishment upto 3 years. Welcome Provision
  77B:  New Section introduced to consider all offences with 3 years imprisonment under the Act as "Cognizable" and bailable Welcome Provision
78 Power to investigate any cognizable offence vested with Inspectors instead of DSPs Welcome.
79 Modified to slightly shift the onus of proving liability on the prosecution. Otherwise no significant change. Welcome
  79 A: New Section introduced to provide for the Government to designate any government body as an Examiner of Electronic Evidence Welcome
80 The powers earlier available to DSP is now made available to Inspectors Welcome
81 Amended to keep the primacy of Copyright and Patent acts above ITA 2000 No Comments
81-A No Change No Comments
82 No Significant Change No Comments
83,84 No Change No Comments
  84 A: New Section introduced to enable the Government to prescribe encryption methods Welcome
  84 B: New Section introduced to make "abetment" punishable as the offence itself Welcome
  84 C: New Section introduced to make an "attempt to commit an offence" punishable with half of the punishment meant for the offence. Welcome
85, 86 No Change No Comments
87 Consequential Chages made No Comments
 88, 89 No Changes No Comments
90 No significant change No Comments
 91-94 Omitted Schedule I and II covered by Sections 91 and 92 have been replaced. The status of the earlier amendments made to IPC under Schedule I and IEA under Schedule II are now unclear. Similarly the Changes made to BBEA and RBI Act under Sections 93 and 94 are also unclear. New modifications for IEA have now been introduced,


December 28, 2008

Other Articles on ITA 2008