Let's Build a Responsible Cyber Society




Cyber Cafe Regulation.. Some thoughts after ITA 2008

After the passage of the Information Technology Amendment Act 2008 the amended Information Technology Act 2000 (ITA-2008)  has substantially changed the Cyber Cafe regulatory scenario in India. In the past, it was the State Governments who took the initiative as part of the e-Governance measure to manage the law and order situation in their respective jurisdictions and passed Cyber Cafe regulations as either a notification under Section 90 of ITA 2000 or under the Police Act of the respective state. These laws mainly indicated that the Cyber Cafe owner should maintain a visitor's register and check a photo ID of the user to ensure the identity of the users. Some regulations required registration of Cyber Cafes with the Police. Some required periodical statements to be filed with the Police.

However, the experience of the previous years suggest that the regulations were largely in effective. Most of the Cyber Cafes are managed through the day by attenders who have little technical knowledge or responsibility and criminals could easily misuse the facilities for sending threatening e-mails or planting key loggers, spreading obscene information etc.

With the passage of ITA 2008, some of the responsibilities on Cyber Cafe regulations pass on to the Central Government. For example, the definition of Cyber Cafe is now available in the main Act. The Act also defines Cyber Cafe as an intermediary and imposes responsibilities for

a) Data retention as specified (Section 67C)

b) Implementing interception instructions from the Government if any (Sec 69)

c) Implementing instructions for blocking of websites if any (Sec 69A)

d) Retention of traffic data for specified period (Section 69 B)

Additionally, Cyber Cafes being considered as liable for "Assistance" or "Abetment" under various other sections when offences are committed under the Act cannot be ruled out.

Though Section 79 provides for protection, it requires that Cyber Cafes need to follow "Due Diligence".

Most Cyber Cafe owners lack formal education in the Computer field and more so in Cyber Laws and are therefore unable to take suitable steps as may be expected of them under the Act unless they are provided proper guidelines.

In order to generate an action plan to ensure that Cyber Cafes are properly regulated in their own interest as well as in the interest of Cyber Security, an action plan on the following lines is suggested for consideration of the Central and  State Governments. These are meant for further debate and refinement as may be required.

A Suggested Plan of Action for Cyber Cafe Regulation

1. One of the essential aspects of regulation is to know who is to be regulated. This requires a "Registration System" for Cyber Cafes however simple it can be. Compulsory  registration and possible de-registration as a means of punishing non compliance of regulations is an essential part of implementation of the regulations, however inconvenient it may appear for the industry. In order to develop a regulatory framework, I suggest a framework similar to the Data Protection Framework under Data Protection Act of UK.

Under this system there would be a need for "National Cyber Cafe Regulatory Authority" supported by "State Cyber Cafe Regulatory Authority" (SCFRA) in each states. Even in the absence of the National Cyber Cafe Regulatory authority (The Indian Computer Emergency Team can be entrusted with this responsibility if required) the State Governments are suggested to set up such a regulatory office.

SCFRA will be the nodal agency in each state to ensure appropriate regulation of Cyber Cafes.

2. One of the principle duties of the SCFRA would be to set up a Cyber Cafe registration norm. This includes the minimum  qualification of the Cyber Cafe owner, the mandatory security precautions that he needs to take etc.

3. It may be made mandatory that every Cyber Cafe in the State must be registered or otherwise it cannot function.  A provisional registration should be allowed on line with a nominal fee or without a fee. A period of 3 months can be provided for transition  from provisional registration to confirmed registration before which, the Cyber Cafe has to satisfy completion of norms required for a secure Cyber Cafe. If the Cyber cafe fails to upgrade its registration, extension may be given upto 3 quarters and the Cyber Cafe may be made to pay a certain "Non Compliance Tax" each quarter until the norms are completed.

4. The minimum qualification for Cyber Cafe owners should be SSLC and the owner should compulsorily under go an appropriate Cyber Cafe Regulation training. The training should cover the legal aspects in ITA 2008 and on successful completion, provide a certificate to the Cyber Cafe owner which should be mandatorily displayed in the Cyber Cafe and also renewed after every 3 years.

5.Every Cyber Cafe should install a Camera which should record the visitors entering and leaving the premises and archive the information with a time record on the video. This should be made available for inspection by the authorities when required.

6. Every Cyber Cafe should introduce a biometric attendance system where the user punches his finger in the device which should generate a session password along with the allocation of the computer to the visitor. The visitor will use the computer with the specified session password. The system should record the session particulars along with the session password and the biometric capture and archived for records. In the event the expenses of the biometric device becomes a barrier, a barcode based ID card should be issued to all visitors and the photograph of the visitor should be included in the ID card. The details can be stored as membership record. The sessions would be recorded   and archived as suggested earlier in the biometric based attendance system.

7. Cyber Cafes shall be required to install remote network monitoring systems which enable the Cyber Cafe monitoring authority when required utilize the access rights to provide a Police intelligence unit to monitor the activities of the users of the cyber cafe. To analyse such data, suitable monitoring software which can filter the data with appropriate software is to be acquired by the Police intelligence.

It is suggested that the power to intercept and monitor Cyber Cafes shall be vested with the State Cyber Cafe Regulatory authority and such powers shall be drawn under Section 69 of ITA 2008.

Though this suggestion appears drastic, it is envisaged as a measure to be used only in exceptional circumstances and hence the powers are suggested to be vested with the State Cyber Cafe Regulatory Authority and not the Police. To provide further safeguard, the State Cyber Cafe Regulatory Authority can even be conceived as a multi member board with members from NGOs and noted public personalities.

It may be remembered that in many advanced countries such as USA, UK and Australia, have made arrangements for surveillance of Internet data passing through their countries. This is considered as an essential measure to monitor Cyber Terrorism activities.

The above suggestions are presented as a draft for further public debate and implemented either fully or in parts as may be considered necessary.


February 24, 2009