Under ITA-2000, the Controller of Certifying
Authorities had been envisaged as the "Apex Authority" to manage the
Digital Signature System. The Controller was the licensing and monitoring
authority for the Certifying Authorities and had quasi-judicial powers. He
could investigate contraventions and could order decryption,
interception of communication etc. These powers were intended to monitor
the Certifying Authorities and issues arising out of the issue of Digital
Certificates. Incidentally, the Controller was the "Root Certifying Authority"
and was also responsible for maintaining the "Repository of Digital
Certificates Issued as well as Revoked". The Controller did not, however,
have any authority to adjudicate on Cyber Crimes.
In the new proposal, the responsibility for being the
repository has been removed and powers have been given to adjudicate on
Cyber Crimes and admit compositions. The net effect is that there is less
responsibility but more power for the Controller.
The office of the Controller of Certifying Authorities
(CCA) was conceived with high esteem when the ITA-2000 was drafted. He
was looked upon as the "Apex Authority" for the Digital Identity System
just as the SEBI Chairman or the Election Commission in their respective
areas. The appointment was contractual and the first Controller Mr
K.N.Gupta was selected after some efforts.
When Mr Gupta's term was completed, the Government did
not take the trouble of finding a replacement from outside and proceeded
to appoint one of the senior officials of the department in the additional
secretary's cadre as the CCA as an additional charge.
By this time NIC had become one of the licensed
Certifying Authorities and being one of the departments of the same
Ministry, it was considered incorrect and a cause of conflict for the CCA to
be also an official from the same department. However the Government
ignored the objections and proceeded to operate under the CCA who had no
independent standing as was envisaged in the Act.
In the proposed amendments one of the responsibilities
of the Controller i.e. being the "Repository" of the Digital Certificates
has been given up. This responsibility has now been transferred to the
corresponding CAs. This responsibility was cast on the Controller as the
sole development authority for the "Digital Identity System" in the
country. By giving up this responsibility, the CCA has given up an
important responsibility envisaged by the Chair.
On the other hand, under the proposed section 80 A, the
Controller has taken on the responsibility as the authority for
"Compounding of Offences" including the Criminal offences. The powers
available earlier to the Controller under Section 69 for interception of
communication have, however, been taken over by the higher officials in the
Government.
Thus the Controller's office has been divested of one
important responsibility which was necessary for the development of the
Digital Signature system and has been given instead the power to sit in judgment of
offences, which is now with the Magistrates... a case of saying No to
Responsibility and Yes to Power.
The much-touted hype about Electronic Signatures is
nothing but empty noise since there is no proper alternative to Digital
Signature for the time being. Of course we cannot rule out the ingenuity
of the officials to approve even a less than ideal authentication system
as an approved "Electronic Signature System" which could completely
vitiate the "Digital Contract System".
Already, the Ministry had made a mistake in defining
"Secured Digital Signature" through an executive notification according to
which a Digital Signature applied using a smart card or a crypt key, where
the private key remains outside the system in which the document to be
signed resides, was called "Secured Digital Signature". It had already
been pointed out by naavi.org that this introduced an anomaly in the
Indian Evidence Act since Digital Signatures applied through a Security
procedure had a certain privileged evidentiary value which was not
available to ordinary digital signatures. As long as no "Security
Procedure" had been separately notified, all Digital Signatures were
"Secured Digital Signatures". After the definitions, the digital
signatures applied without the security procedure could not have the
privileged evidentiary status in the Indian Evidence Act. This was
actually a weakening of the digital signature system.
Further, no thought was spared for how the producer of a
digitally signed electronic document in a Court could prove whether a digital
signature had been applied with the use of a secured system or otherwise
without a new class of digital signatures being introduced by the CAs.
Instead of correcting this lacuna, the Expert Committee
has gloated over making the law "Technology Neutral" by substituting the word
"Electronic" for "Digital" in several places in the Act without
addressing the issue of whether any alternate system exists or whether
there should be any statutory protection against any untested System to be
declared as an "Approved System".
Again, a demonstration of the lack of perspective and
understanding of the problem by the "Expert Committee"... unless there is a
motive which we cannot see. If so, the Controller will have the
responsibility to certify and approve "Electronic Systems" that can be
used concurrently with the PKI based digital signature system. What
will be the process of such approval? This needs to be notified.
[Will continue]