ITA 2008 introduced a new section Section 79A under Chapter XIIA in which the following was narrated.
Section 79A: Central Government to notify Examiner of Electronic Evidence
The Central Government may, for the purposes of providing expert opinion on electronic form evidence before any court or other authority specify, by notification in the official Gazette, any department, body or agency of the Central Government or a State Government as an Examiner of Electronic Evidence.
Explanation:- For the purpose of this section, “Electronic Form Evidence” means any information of probative value that is either stored or transmitted in electronic form and includes computer evidence,digital audio,digital video,cell phones,digital fax machines”.
This section enabled the Central Government to notify any organization belonging to either the Central or State Government as an “Examiner of Electronic Evidence” (EEV). The objective of this section was to enable a Court to seek expert opinion on electronic evidence before it.
The use of the word “may” instead of “shall” indicates that this was an option. being an option, it implies that Court proceedings could have gone on and may still go on even if an “expert opinion” of the notified EEV is not available.
The doubt that now arises is whether it is mandatory that only notified EEVs can be called as “Experts” and no body else?
We may note here that under Section 79A, an EEV is an organization and not an individual. However the one who stands in the witness box and gives evidence is an “Individual”. By defining an organization as an “Expert”, the section enables the notified EEV to send any of its representatives not necessarily the one who actually conducted the forensic examination on the document to represent the EEV and confirm the “Expert View”.
There is no provision under Section 79A to notify any “Individual as an Expert Witness in relation to an electronic document”.
Hence the present system of “individual Experts” who are persons who have demonstrated expertise in the field to which the evidence belongs (Not necessarily one with a degree or a diploma or a certificate) providing evidence which can be considered as an “Expert Evidence” where the opinion in addition to fact is also material, will and should continue.
We now look at the documents released by the Government for further comments.
The notification starts with a wrong statement “Section 79A of the Information Technology Act 2000 mandates central Government to notify…”
We need to note that the section does not “Mandate” but suggests. This is an important aspect which we should note. As a suggested “option” the law does not prohibit a situation where there is no “Notified Electronic Evidence Examiner”. Hence even after a few labs are “notified”, others may continue to function.
The notification says that this is an experimental effort in which 3 to 5 labs will be notified and has encouraged the eligible bodies in Central and State Governments to apply for notification.
The application form for notification is provided in Annexure II
The empanelment will require development of a “Quality Manual” in which SOPs and other documents are required to be presented for the following.
- Case Acceptance
- Handling of Exhibits
- Security and Preservation of Exhibits
- Analysis of Exhibits
- Electronic Evidence Analysis Report Format
- Tools and Equipment Testing
- Internal audit reports specific to scope Quality assurance
- Any other procedure
The department has also developed a 9 page Scheme for Notifying Examiner of Electronic Evidence
The scheme actually copies ISO 17025 standard on General requirements for the competence of testing and calibration laboratories and ISO 27037 standard of Information Technology-Security techniques-Guidelines for identification, collection, acquisition and preservation of digital evidence.
The evaluation process will therefore involve a few ISO auditors chosen by the MeiTy.
To understand what the Government of India wants its citizens to do on Cyber Security, we are always required to pay a “Tax” in the form of purchasing an ISO document. This has been a principle followed by the DeiTy officials during Mr Kapil Sibal’s days. The same process is now being continued during Mr Modi’s regime under Mr Ravishankar Prasad.
Hence to know more about the Standards a payment of around 10000/- or more in foreign exchange has to be made to buy the document and then the lab has to pay fees to an ISO auditor to certify if what they are doing is right. A part of this fee will also go out in foreign exchange to the ISO organization as a contribution of the Indian Government.
People like us think this is an unfair “Tax” to be compliant. (Refer my earlier article in the subject here.)
Hope Mr Arun Jaitely will take note that MeiTy is introducing its own Tax on digital transactions such as “Compliance to Cyber Law” without the sanction of the budget. Also the benefit goes abroad. This is an obnoxious practice and needs to be set right as part of “Make in India” campaign where all information security standards are indigenized like NIST and released free of charge to the public.
I request Mr Ravishankar Prasad or any official of the MeiTy to clarify why MeiTy is not in a position to draft its own standards by consulting NPA or CDAC or even FBI, like how NIST does for the US and avoid reference to the documents which are only available on payment of foreign exchange in a Government notification considered mandatory for compliance by Citizens of India and departments of Government itself.