There is an exercise going on in Delhi to modify ITA 2008. Last time when ITA 2000 was amended, the trigger was the Bazee.com case where the CEO of baazee.com (now ebay.in) was prosecuted under Section 85 of ITA 2000 read along with Section 67 of ITA 2000. This time, the trigger is the scrapping of Section 66A by the Supreme Court. In 2005, the DeiTy had set up an “Expert Committee” which consisted of industry leaders who tried to keep the “intermediaries” out of the liability under Section 79. Unfortunately, the committees recommendations were over ruled by the Parliamentary standing Committee which was more sympathetic to the security needs of the law enforcement in the aftermath of the Mumbai terror attack.
This time, MeiTy has set up an internal committee which is going through the amendments. Since it is headed by Mr T.K.Vishwanathan who was the original person involved in the drafting of ITA 2000, we expect that the amendments would try to balance the requirements of the law enforcement and the industry.
Naavi has been expressing his views on the law from time to time on this blog and some of those views have been critical of the interpretation of the law. Hopefully the committee would take some of these suggestions into consideration along with many suggestions which were made in 2005-2008 period which were conveniently ignored by the then “expert Committee” whose sole agenda was “How to bail out baazee.com”.
Now, considering the requirements of amendments, there are a few suggestions that Naavi.org has and are put up here for comments by the public and for the consideration of the committee.
The views expressed here in below are basically on Chapter XI. There are more suggestions which may be released from time to time for records whether they are considered relevant or not by the committee.
I welcome comments of the public on these suggestions.
1. Section 65
This section is often mis-interpreted by Police and several cases have been filed under this section instead of under Section 66.
The reason is that the title of the section uses the term “Tampering with Computer Source Documents”.
“Computer Source Code” is a term used in the IT community for the document that records the “Computer Commands”.
[“Computer Command” itself means “Any instruction meant to be fed into the processor of a computer device (which term includes mobiles and other information processing devices) with the intention of influencing the behaviour of the Computer, Computer network, computer resource including the connected devices.]
However, when looks at the section closely, it appears that the section was drafted with a different implication since it referred to only “Computer Source Code that is required to be maintained in law for the time being” and also defined the term in the explanation to include certain documents other than the Computer Commands”.
In its present form Section 65 refers to any electronic document (including the computer commands) which is legally required to be kept for a certain time under some law. It therefore provides for protection of “Evidence” and has a close relation to the data retention aspects included in Section 67C.
In one of the cases, Naavi interpreted that the CC TV footage recorded by the camera should be interpreted also as a “Computer Command” since when fed into the video player, the recording displays images. It was therefore argued that the wrongful deletion of a CCTV footage which was known to be an “Evidence” in a registered “Cognizable Offence” should be considered as a Section 65 offence since “Deletion of Evidence” is an offence under IPC.
It is therefore suggested that the title of the section can be changed to
“Tampering with electronic documents required to be preserved under law”
2. Section 66
This section has a wide scope for interpretation since it uses inter-alia the term whoever “diminishes the value or utility of information residing inside the computer or affects it injuriously by any means”.
Since Section 66 is interpreted along with Section 43 for the identification of criminal acts and IPC for the interpretation of the motive, it is amenable for mis-interpretation.
The Karnataka Adjudicator in one of his decisions (challenge pending in an appeal at Cyber Appellate Tribunal) interpreted that the word “Person” used in Section 43 must be restricted to an “individual” and hence no Body Corporate can invoke Section 43 as a complainant nor a Body Corporate can be made a respondent under Section 43. As a result the scope of Section 43 was reduced to only a “individual to individual dispute”.
This also reduced the scope of Section 66 when it is interpreted in the light of this adjudication award. In the current situation, any accused who is being prosecuted in Karnataka under Section 66 on a complaint by a corporate entity, can defend himself that the offence is not recognized under Section 66 as per the decision of the Adjudicator of Karnataka who has a status equivalent to that of a Civil Court. Though this may not be “binding”, it could sufficiently dilute the criminal charge.
Though this was only an error of one Adjudicator, a further confusion of this nature can be avoided by incorporating the definition of “Person” in the definition clause itself to be in tune with the General Clauses Act.
Accordingly a sub section can be introduced under Section 2 stating
2(1) (…) “Person” means and includes any company or association or body of individuals, whether incorporated or not;
Also the words “By Any Means” are used in several places in the Act including Section 43 (f), 43(i).
An explanation may be added either under the section 43 or elsewhere to state
“By Any Means” includes contraventions committed through means other than the use of “electronic documents” or “electronic signals”, “electronic form”
3. Section 43 linked to 66:
Under Section 43(b), there is some confusion as to the conflict with the Copyright Act which needs to be set right.
Under this section, “Unauthorized Copying” of data is a contravention for which there is a civil liability under Section 43 and a criminal liability under Section 66. This is sometimes mis-understood as a “Copyright Protection” .
However this section addresses issues of “Unauthorized Copying” without the permission of the owner of a Computer, Computer System or Computer network and does not refer to permission from an “Author”. It is not meant to protect the rights of an “Author” which is the objective of Copyright Act.
If a person downloads any material with the permission (active or passive) from the owner of a computer, computer system or computer network (which definition should also mean a website hosting facility) then he is not contravening Section 43.
If the owner of the content has any objection under “Copyright”, it is for him to take up the issue separately with the “Permission Giver” for necessary disclosures or lack of disclosures under the terms and conditions associated with the website.
Also if any owner of a computer system has an objection to such “copying”, he should incorporate his own technical measures (eg: disabling of right click of a mouse) or notice to inform the viewer that the viewer is permitted to read and assimilate the content but not authorized to copy or download (subject to exceptions permitted as fair use in the copyright act).
In order to prevent frivolous copyright charges being made on the basis of downloading of free content floating around the web, there is a need to provide a clarification so that visitors of websites who incidentally copy the content onto a “Cache” or an “Offline Browser” or for any other legally permitted purposes including “Evidentiary requirements” or in what is prima facie a “Fair use” under copyright legislation, are not harassed with copyright litigation.
In the past we have seen the obnoxious practice of “Hyper link providers” being hauled up for copyright infringement under the flimsy grounds of “Contributory Infringement”. These excesses need to be prevented by inserting a suitable clarification into Section 43 or otherwise as an exception under Section 79.
Under Section 43 an explanation it can therefore be added that
“Provisions of subsection (b) above in respect of content hosting devices, relate to the permissions granted by the content hosting device and does not relate to any permissions to be obtained or otherwise from a Copyright owner the content per-se”.
“Mere provision of hyper links to content in a website or a search engine or index of content with or without a brief description of the content is not to be construed as copying or downloading or extracting data under this section.”
4. Definition of Cyber Crime -Section 2 (1)
In the police circles there is always a discussion on what is “Cyber Crimes”.
One of the popular definitions is the adaptations of the FBI definitions that “Cyber Crime means any offence where a Computer is a tool or target of crime”. This definition is restrictive and does not reflect the intentions behind many sections of ITA 2008 including 43(f), 43(i) indicated above as also 43 (d), 43(e), 66 E etc which indicate that contraventions committed with “Devices” that may not be “Computers” is also brought under the provisions of ITA 2008.
Though the definition of what is a “Cyber Crime” is an academical aspect, it often becomes the reference to define the scope of notifications and jurisdiction of police stations.
Also there could be confusion on whether a “Cyber Crime” definition is restricted to crimes in the Internet or also extends to crimes involving air gapped systems and information storage devices.
Hence it is suggested that a definition of Cyber Crime can be inserted in the definitions clause to the following effect.
2 (1)(….) “Cyber Crime” means and includes any contravention of law where an electronic record is a potential or intended target or tool and includes offences committed with the use of a network device or not.
5. Section 66A
Section 66A was scrapped by Supreme Court in March 2015 as it was felt that some of the provisions of the section were infringing the constitutional right of “Freedom of Speech”.
The Government did not challenge the verdict which was built on disputable interpretation of the section and correcting the legal hole created by the removal of this section is one of the reasons for which the act is being amended now.
Section 66A addressed certain issues related to “Sending Offensive Messages through Communication device”. Such messages could be sent as an SMS or MMS or E-Mail from one person to another, one person to a group of persons (eg : WhatsApp) or to a server.
A message sent to a “Server” or to another “person” could be dealt with by the addressee in a manner he thought fit which included further distribution or publishing in a website including a “Face Book Page”, “Twitter Page” or any other “Message Board”.
The action of the addressee when he received the message determined the further consequences arising out of the original message leading to “Defamation” or other offences.
While the original message sender was responsible for the direct consequences to the receiver, unless he had urged the receiver to further distribute the same, it was unfair to hold him liable for the actions of the recipients which were “Not authorized” by the original sender.
The provisions of Section 66A before it was scrapped addressed the adverse consequences of a message for the receiver such as “Being grossly offensive”, “Being menacing” “Causing harassment”, “Causing Annoyance”, “Criminal intimidation”, etc as well as “For deceiving”, “Misleading as to the origin” etc. For “harassment”, “annoyance” etc, it was also necessary for the message to be sent “persistently” and an odd message could not be considered as an offence.
However, the honourable Supreme Court was mislead to believe that this section had the “Chilling” effect as to obstruct “Freedom of expression” and it would criminalize publication of “Any Information” whether it was scientific, educative etc. This was not a correct interpretation and hence the scrapping of the Section 66A was unjustified.
By scrapping Section 66A, offences such as “Spamming” (persistently sending e-mails and causing annoyance), Cyber Bullying/Cyber stalking (Persistently sending e-mail or SMS to harass, intimidate or otherwise annoy the recipient”, Phishing (sending e-mail or SMS messages with a false originator’s identity” were all taken out of the Act.
Subsequent to the scrapping there have been many instances where the Police have found themselves handicapped without appropriate provisions in the law to book cases where the above offences were committed.
Even Supreme Court itself in a subsequent case (Refer here). In particular we can recall that one suicide in Salem in which a girl was harassed with WhatsApp messages and another suicide in Bangalore where another lady got conned by false e-mail messages could be linked directly to the non availability of an appropriate deterrant in the ITA 2000/8 after the scrapping of Section 66A.
Now there is a need for reintroducing all these provisions without being considered as a violation of the Supreme Court judgement in the Shreya Singhal case. There is a need to do this in a manner that the egos of people behind the Sheya Singhal case are not hurt as otherwise they will launch another assault on the new provisions also.
It is suggested that the following changes are made to accommodate this.
a) In the definition clause introduce a distinction between “Publishing” and “Messaging” by mentioning as follows.
2(1)(…..) “Messaging” in the context of an electronic content means sending information from one communication device to another through e-mail, SMS, MMS or other means where the sender intends that the message is read by the designated recipient and includes content sent to a computer device which is programmed to further process the information in any manner by the administrator of the device without being placed for public access as “Publishing” as defined elsewhere under this Act.
Explanation: “Messaging” does not include “publishing” as defined elsewhere in the Act.
Where a “Message” is “Published”, the two actions are distinct and separate and “Messaging” ends where “Publishing” begins.
2 (1) (…) “Publishing” in the context of electronic content means placing of information so as to be accessible by a member of the public and does not include content made available to a designated person through an e-mail or an SMS or other communication devices where the information delivery is restricted to the recipient or to a designated community and accessible only on the basis of an intermediary service involving “Subscription” or “Membership”, controlled and managed by an “Administrator”.
Explanation: “Publishing” does not include “Messaging” as defined elsewhere in the Act.
b) New sections to be introduced under Chapter XI to include the offences of Cyber Bullying, Cyber Stalking, Spamming, Phishing, Causing annoyance to the recipient of a message etc as briefly indicated below.
Suggested New Section 66G:
Offenses related to “Messaging” Not amounting to “Publishing”
Any person who sends a message
a) Which in the opinion of any person of ordinary prudence is likely to cause fear or mental disturbance in the receiver,
b) Which the sender knows to be false but repeatedly sends with an intention to cause annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill-will
c) Which is intended to deceive the receiver as to the origin of the message or its content
Shall be punishable with imprisonment for a term which may extend to three years and with fine.
6. Cyber Terrorism
Section 66F is one section in which there is provision for “Life Imprisonment” and hence should be analysed carefully to check if there is a provision for misuse. Also there is a need to define the term “Cyber Terrorism” properly since it is likely to be a subject matter of discussion in international fora for extradition requests and treaties.
The present section 66F is not considered as properly drafted and needs a major overhaul.
Presently the definition of what constitutes Cyber Terrorism falls into two categories.
Category A requires that
1. there should be motive of
a) threatening the unity, integrity, security or sovereignty of India
b) Striking terror in the people or any section of the people
2. The offense should involve one of the following three means
a) Denial of access
b) Unauthorized access
c) Introduction of virus
3. The effect of the above should result in
a. Cause death
b. Damage or destruction to property
c. Damage or disrupt supplies or services essential to the life of the community
d. Adversely affect the critical information infrastructure designated as “Protected system”
Category B defines obtaining unauthorized access to information restricted for reasons such as
a) Security of State or Foreign relations
b) Likely to cause injury to the sovereignty and integrity of India, the security of the state, friendly relations with foreign states
c) Likely to cause injury to the interests of public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence,
d) or to the advantage of any foreign nation, group of individuals or otherwise
There is a need to modify this section so that the definition of “Cyber Terrorism” is universal and not dependent on just three types of attacks (though they may be comprehensive). It is also necessary to remove offences which donot qualify to be called “Cyber Terrorism” to be brought under this section as there is a high degree of mis-use of this section.
Though some may argue that since 27th October 2009 when this section became operative, there is no reported case of mis-use of this section, the possibility of this section being mis-used is extremely high once vested interests sense the power of this section.
Hence there is a need for complete revision of this section by deleting the entire section and rewording it. One of the suggestion is as follows.
Section 66F (suggested)
Uses a Computer, Computer Resource, Computer Network, Communication Device or any associated device or an Electronic Document
by any means including unauthorized access, alteration, deletion of information, denial of access, diminishing the value or utility of any information residing inside a computer, computer device or computer network
with an intention to
threaten the unity, integrity, security of India or to strike terror in any section of people, or to create destabilization of the economy or any segment there of, intimidate or coerce a government, the civilian population, or any segment thereof, or to create disharmony in the society,
in furtherance of any dishonest or fraudulent objectives including financial, political, religious or social objectives
shall be liable for imprisonment which may extend to imprisonment for life and fine.
This open definition ensures that “Cyber Terrorism” is recognized even when non Governmental resources are under attack, even when the attack is not related to physical death, removes contentious words such as “Public Order” “Defamation” etc which can be abused and “Contempt of Court” which is not within the domain of this section.
Where there is a “Contempt of Court” in pursuance of a politico-religious objective, it can still be covered under this modified section.
7. Section 67B
ITA 2008 split the original section 67 available under ITA 2000 into three sections all addressing the problem of “obscenity”. Section 67 and 67A were restricted to “Publishing and Transmission” while 67B addresses more than Publishing and Transmission in the context of “Child Pornography ”.
However, Section 67B has criminalized “Viewing” of content which depicts children engaged in sexually explicit act or conduct.
Since whether the actors of a video are minors or not is not easily ascertained and also since videos in which minors are involved may pop up during a normal browsing session some times without any intentional act of the viewer, it is unfair to make “Viewing” as an offence which imprisonment of upto 5 years and fine upto Rs 10 lakhs.
Despite the good intentions behind this section, it is easily amenable for abuse.
Hence this section should be modified and it is suggested that sub section 67(B) (b) should be modified as under.
Suggested Section 67B (b)
creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner or
8. Section 67C
Presently there is no notification under Section 67C though it was used to introduce the digilocker service. This section was meant to enable evidences to be preserved for the requirements of the law enforcement.
There is need to operationalize the section by defining that
“ All information in the hands of an intermediary that has evidentiary value in respect of a dispute whether of civil or criminal nature, such as a disputed content, traffic data, log records, messages, e-mails etc are preserved for a minimum period of 3 years. In the event an evidence is part of a criminal investigation or declared evidence in a civil proceedings, such information shall be preserved in an evidentiary archive with suitable security to preserve it for a period of 10 years ”
This can be notified as a rule under the section and there is no need to amend the Act.
9. Section 69/69A and 69B
The rules under these sections need some revision to clarify the need for “Nodal Officers/Compliance officers” in a private sector environment.
No specific change is recommended in the Act.
10. Chapter XIIA: Digital Evidence Examiners
Under ITA 2008, a provision was made to enable the notification of “Examiner of Electronic Evidence” to assist the Courts. Presently there is a rumour that the Government will notify some of the Central and State Forensic labs as “Digital Evidence Examiner” under this section.
While this was long over due, this notification should not mis-read the section and introduce provisions which are ultra-vires the Act.
At present there is no need to suggest any amendments to this section.
However, it must be clarified
” that notification of an agency under this section for providing “expert opinion” is without prejudice to any of the right of a party to a dispute to counter the evidence produced by these agencies in a judicial proceeding.”
One of the contradictions introduced by ITA 2008 is regarding the “Power to Arrest without Warrant” as discussed in Section 80.
Though ITA 2000 had stated that the Act would over ride the provisions of CrPC wherever there was a conflict and defined the Power to Arrest without a warrant specifically under Section 80, ITA 2008 proceeded to define “Cognizability” separately in tune with the CrPC.
Section 80 provided the “Power to Arrest without warrant” to Police officers of the rank of Inspectors (as per ITA 2008) as well as any officer of the Central or State Government notified by the Central Government, without reference to the “Period of imprisonment” but only on whether the offence was reasonably suspected to have been committed or of being committed or about to be committed in a “Public Place”.
The new provisions under ITA 2008 however provided the power to arrest without warrant only for offences in which the period of imprisonment was 3 years or more.
As a result under Section 77B, “Powers to arrest without warrant” for a police officer can be claimed only in offences where the punishment is 3 years or more. The earlier provision which is still available under Section 80 provides the same powers which can be exercised for all offences in a public place.
These contradictions may be removed by making a minor modification in Section 80 with a reference to Section 77B.
It is therefore suggested that Section 80 (1) may be modified as follows:
Notwithstanding anything contained in the Code of Criminal Procedure, 1973, and in Section 77B of this Act, any police officer, not below the rank of a Inspector or any other officer of the Central Government or a State Government authorized by the Central Government in this behalf may enter any public place and search and arrest without warrant any person found therein who is reasonably suspected of having committed or of committing or of being about to commit any offence under this Act
Additional Offences that may be considered for inclusion
(…) Sending Unsolicited Electronic Messages:
Except under a valid Bulk E-mail license from an appropriate authority
1) Sends or causes to send an unsolicited electronic message/s of any description with a source identity that is not disclosed, or
2) sends or causes to send an unsolicited electronic message/s of any description after the addressee has duly notified him of his intention not to receive such communication as prescribed under this Act, or
3) Except under an express consent of the recipient, sends or causes to send an electronic message/s of any description containing information that is obscene or offensive, that may defraud or is intended to defraud, that may cause or is intended to cause distress, that may break or is intended to break any law in force or that may otherwise create disharmony in or harm to the society or cause harm to the integrity of the nation and friendly relations with other countries,
shall be punishable under this Act with any or all of the following
a) Payment of compensation or damage to each of the person/s affected by the offence subject to a maximum of Rs 1 lakh per person.
b) Imprisonment subject to a maximum of Two Years
c) Fine subject to a maximum of Rs 2 lakhs
Notwithstanding the punishment or penalties mentioned above, if the offence as defined under (..) above results in or is intended to result in an act that is an offence under any other law in force, the offender shall also be liable for punishment or penalty to which the offender is liable under such laws.
Provided however that if any message is caused to be transmitted by mistake of fact or due to technological factors beyond the reasonable control of the person in whose name the message is sent, no offence would be recognized if such a person proves that the message was sent without his knowledge and he had exercised all due diligence to prevent commission of the offence.
For the purpose of the section (..) above,
a. the disclosure of source identity is considered sufficient if a reply can be sent to the disclosed source address and such reply does not bounce.
b. an addressee may communicate his intention “not to receive” a communication through a digitally signed message or in any other manner that may be laid down for the purpose and unless specified, such notice shall expire after 3 months.
c. the unsolicited message shall be admissible as evidence in a Court of law even if it is not digitally signed.
d. the intermediary who causes the unsolicited messages to be transmitted shall also be liable under the Act as if the offence was committed by them unless he proves that the offence was committed without his knowledge and the intermediary had exercised all due diligence to prevent commission of the offence.
e. a message is considered “solicited” if it may be inferred from the conduct and existing business or other relationship of the recipient that he consented to such messages being sent to him.
f. “Express Consent” in sub clause (3) means only a consent obtained through a manually entered affirmative expression.
g. “Appropriate Authority” for the purpose of this section shall be the “Controller of Certifying Authorities” or any other authority specifically designated for the purpose by an order of the Government of India.
“Cyber Squatting” is related to “Trade Mark Rights”. Further, any law passed on “Cyber Squatting” in India will interfere with the “Uniform Dispute Resolution Policy” which is a contractual obligation to which all domain name registrants are presently subjected to. It will also affect the rights of Indians who have to face charges of “Squatting” in respect of international generic domain names such as dot com, dot org etc.
Any law attempted here should therefore be such as not to unduly create a harassment of Indian Citizens.
It is suggested that a Section may be introduced in Chapter IX to the following effect:
(..)Whoever, in bad faith and with the intention to cause disrepute, harm to another person or cause disruption of any legitimate business or cause confusion in the minds of the public, who having regard to the circumstances, are likely to be influenced registers a domain name
shall be liable to pay damages to the person so affected not exceeding Rs 10 lakhs
and for the purpose of this section, a person not being a resident of or a citizen of India shall also be liable even if no computer or computer system located in India is used for the contravention.
For the purpose of this section exercising of due diligence including appropriate disclosures shall be considered as indications of good faith.
(More suggestions may follow)