We have seen that frequently PIL lawyers approach Courts including the honourable Supreme Court on matters pertaining to changes required in Cyber Law. Supreme Court is highly responsive when there is a petition against the Government and celebrity advocates take up the case. When the matter is however of “Common Man’s Interest”, the Courts some time are unable to appreciate the importance and comes down heavily on the litigant with heavy fines. Hence many public spirited advocates hesitate to take up the real issues of interest to the public while unimportant issues hog the time of the Supreme Court.
I however request the PIL lawyers to consider the following reference to the Supreme Court and also urge the Supreme Court to consider hearing this petition in the general interest of the public.
We are all aware that Cyber Crimes are on the increase and need to be addressed through all means including efficient use of the existing laws, modification of laws, improving the knowledge and skill of law enforcement, improving the public awareness, hardening the security in the IT ecosystem etc.
In the myriad number of ways that we can bring about improvement, I have just one immediate concern to be addressed in which the Ministry of Information Technology can administratively intervene through notification and the Judiciary can intervene by clearing the ground for challenges which are bound to arise.
In every Crime under IPC or ITA 2000/8 involving communication through E-Mail or Website, Facebook, Twitter or Mobile based messaging systems including WhatsApp, Sarahah, the critical component of investigation and subsequent prosecution is the identification of the “Source” from which the offending message emanated. In simple terms it could be the “IP Address” of the device from which the crime was committed.
Presently the Government of India is trying to add Aadhaar identification to Mobiles at least in India and therefore identification of mobiles should in future not be an issue though criminals may switch to use of SIM cards from Pakistan or Bangladesh or use the web for voice communication and continue to hide their identity in committing crimes.
Since Internet Protocol requires an IP address to be allocated by some ISP some where for the communication, if the User of an IP address can be traced, quickly and accurately, part of the Cyber Crime investigation problem would be under control.
Technologists would immediately jump up and say that IP address can be hidden under proxy servers, there are many free anonymizers, and Tor browsers and a “Deep Web” where anonymization is the rule and hence it is impractical to rely on the IP address. They also point out that the use of IP address sharing technology in dynamic IP addressing systems including the Carrier Grade NAT (CGN) used by ISPs could cause errors in identification of IP address.
It is admitted that IP addresses in many cases become untraceable within the country and need the assistance of international law enforcement agencies, Mutual Assistance Treaties etc and even when resolved, there could be errors.
However, even to decide that a suspect is not traceable, we need to complete the process of IP address resolution and record that the person (or the device) who has been identified as the owner of the suspect IP address has a good alibi and hence a criminal case may not sustain.
However, even when the Criminal Investigation fails to make progress, Cyber Crime victims may pursue the Civil remedies available to them. Most of the Civil remedies donot depend on the apprehension of the suspect. It only requires a confirmation of the law enforcement that an “Offence Has Occurred” and a “Wrongful loss has been caused to a person”. The Intermediaries involved in the transaction become “Liable by Proxy” and the Victim is entitled to recovery of his losses even while the criminal investigation may continue to find out the real criminal.
Section 79 and Section 85 of ITA 2000/8 (P.S: IPC may be vague on Vicarious liability of officials of a Company as this Supreme Court judgement may indicate) lay down clear principle that in offences falling under ITA 2000/8 the intermediary shall be guilty unless he proves “Due Diligence”. Even under IPC there could be many instances when the Company/Organization continues to be liable for the offences committed by the Company though the officers in charge may be exempt from the vicarious liability as per the Supreme Court judgement.
Hence Cyber Crime victims are interested in registering of a Cyber Crime and a report from the law enforcement that an IP address was either traced to the satisfaction or failed. They may prefer to continue their civil remedies and not be bothered if the criminal was arrested and prosecuted or not.
The intermediaries however need to cover themselves with suitable Cyber Insurance so that they absorb the loss as part of their operational risk.
I therefore consider that IP address Resolution is an important first step to every investigation and all hurdles to successful IP address resolution needs to be removed.
It is in this aspect that I urge both administrative action by the MeiTy and Judicial empowerment through a proper direction from the Supreme Court.
The biggest problem I see in the resolution of IP address is that the current system adopted by ISPs need to change. Currently they are all focussed on “Hiding the Originating IP address” of a web transaction and replacing them with a “Proxy Address”. In the case of CGN, the reason could be a more efficient use of available public IP addresses. But in many other cases, the reason is a false understanding that the “Privacy” of the service user requires that his IP address should be hidden from the communication.
As a result of this, e-mail providers like Google routinely replace the original IP address in the headers by their own proxy IP address. When therefore the IP address is to be resolved, the Cyber Crime victim needs to file a Police Complaint and the Police has to issue a proper CrPc notice to the representative of Google and then wait for them to respond.
Currently, this process of getting a response from Google or other international ISPs is highly inefficient and time consuming. Often the Police cannot get the information within the Golden hour and the criminals will easily escape.
If instead of Google if the service provider is a “Protonmail” then Police may find it even more challenging to get any cooperation from the e-mail provider.
Once the IP address is resolved to an Indian ISP, Police may be able to approach the local ISP and get the last mile resolution quicker but even this may take 24 hours unless some intervening holidays extend it even further.
We therefore require that the MeiTy issue an immediate notification under Section 79 (on the lines of the removal of offending content when brought to their knowledge) that when a request is made by any member of the public to the grievance redressal officer of the ISP (mandatory under ITA 2000/8), the ISP shall within two hours provide the resolution of the IP address to the next available level. The only condition to be attached to this request should be
a) Identification of the person requesting the information if necessary with his Aadhaar ID/other Government approved IDs
b) Declaration that the information is requested in good faith and belief that a “Contravention of an Indian Law” has occurred and the information is required for pursuing the legal remedies available under the laws of the land to the person seeking the information or to the person whom he is representing.
This notification can be issued either under Section 79 or under Section 69B or under both.
Alternatively, the Intermediaries such as “E Mail Providers” and “Domain Name Registrars providing WhoIs information” should be directed as part of the “Due Diligence” under Section 79 that “Originating IP Address” should be added to all header information and client registration information so that affected persons can take it up with the ISPs for final resolution. This would not amount to revealing the identity of the person since still one more layer of obfuscation is present in the form of the dynamic IP address allocated by the local ISP.
The ISPs using CGN and anonymizers should be mandated to maintain records of the original client identity mapped to the allocated dynamic IP address and make it available on request.
If such a notification is issued, it is likely that some Privacy enthusiasts may approach the Supreme Court asking for striking down the notification as “Unconstitutional” because it affects the “Privacy Right” of the suspected criminal and his “Guaranteed Human Rights”.
I also consider that it is the fundamental right of a recipient of an e-mail to know the originating IP address of the sender. Since the email body contains the declared name of the sender, there is no reason for the sender to have any objection to revealing of his originating IP address unless he has “Some thing to hide”. If he has “some thing to hide”, it is technically an “Attempt to impersonate” and an offence in itself.
I therefore request the Courts either at the High Court or Supreme Court level not to interfere if such a notification is made by the Government.
However, if the Government is not bold enough to take a stand and is not willing to issue, I would like the Supreme Court itself to issue such a direction in the interest of Cyber Crime mitigation in the Country.
This issue can be taken up by the Supreme Court Suomoto without waiting for any PIL.
However, I also request PIL advocates to take up this issue with the Supreme Court and try to obtain a direction to the Government.
I am sure that the usual celebrity PIL lawyers who fight for Kashmiri terrorists and Naxalites will not take up such cases because these issues are not considered as fight for “Human Rights”.
It is therefore left to the genuine public spirited lawyers who have the cause of Cyber Crime victims in India in their hearts to take up the challenge and seek the intervention of the Court.
Are you one such lawyer?… Then go ahead and move the Supreme Court…. today…